@secure-exec/core 0.2.1-rc.1 → 0.3.0-rc.1

package/dist/shared/bridge-contract.js

@@ -1,169 +0,0 @@
-/**
- * @deprecated Canonical source moved to @secure-exec/nodejs (US-002).
- * This copy is retained for backward compatibility during phased migration.
- * Will be removed in US-005 when kernel merges into core.
- *
- * Bridge contract: typed declarations for the globals shared between the
- * host (Node.js) and the isolate (sandbox V8 context).
- *
- * Two categories:
- * - Host bridge globals: set by the host before bridge code runs (fs refs, timers, etc.)
- * - Runtime bridge globals: installed by the bridge bundle itself (active handles, modules, etc.)
- *
- * The typed `Ref` aliases describe the bridge calling convention for each global.
- */
-function valuesOf(object) {
-    return Object.values(object);
-}
-/** Globals injected by the host before the bridge bundle executes. */
-export const HOST_BRIDGE_GLOBAL_KEYS = {
-    dynamicImport: "_dynamicImport",
-    loadPolyfill: "_loadPolyfill",
-    resolveModule: "_resolveModule",
-    loadFile: "_loadFile",
-    scheduleTimer: "_scheduleTimer",
-    cryptoRandomFill: "_cryptoRandomFill",
-    cryptoRandomUuid: "_cryptoRandomUUID",
-    cryptoHashDigest: "_cryptoHashDigest",
-    cryptoHmacDigest: "_cryptoHmacDigest",
-    cryptoPbkdf2: "_cryptoPbkdf2",
-    cryptoScrypt: "_cryptoScrypt",
-    cryptoCipheriv: "_cryptoCipheriv",
-    cryptoDecipheriv: "_cryptoDecipheriv",
-    cryptoCipherivCreate: "_cryptoCipherivCreate",
-    cryptoCipherivUpdate: "_cryptoCipherivUpdate",
-    cryptoCipherivFinal: "_cryptoCipherivFinal",
-    cryptoSign: "_cryptoSign",
-    cryptoVerify: "_cryptoVerify",
-    cryptoAsymmetricOp: "_cryptoAsymmetricOp",
-    cryptoCreateKeyObject: "_cryptoCreateKeyObject",
-    cryptoGenerateKeyPairSync: "_cryptoGenerateKeyPairSync",
-    cryptoGenerateKeySync: "_cryptoGenerateKeySync",
-    cryptoGeneratePrimeSync: "_cryptoGeneratePrimeSync",
-    cryptoDiffieHellman: "_cryptoDiffieHellman",
-    cryptoDiffieHellmanGroup: "_cryptoDiffieHellmanGroup",
-    cryptoDiffieHellmanSessionCreate: "_cryptoDiffieHellmanSessionCreate",
-    cryptoDiffieHellmanSessionCall: "_cryptoDiffieHellmanSessionCall",
-    cryptoSubtle: "_cryptoSubtle",
-    fsReadFile: "_fsReadFile",
-    fsWriteFile: "_fsWriteFile",
-    fsReadFileBinary: "_fsReadFileBinary",
-    fsWriteFileBinary: "_fsWriteFileBinary",
-    fsReadDir: "_fsReadDir",
-    fsMkdir: "_fsMkdir",
-    fsRmdir: "_fsRmdir",
-    fsExists: "_fsExists",
-    fsStat: "_fsStat",
-    fsUnlink: "_fsUnlink",
-    fsRename: "_fsRename",
-    fsChmod: "_fsChmod",
-    fsChown: "_fsChown",
-    fsLink: "_fsLink",
-    fsSymlink: "_fsSymlink",
-    fsReadlink: "_fsReadlink",
-    fsLstat: "_fsLstat",
-    fsTruncate: "_fsTruncate",
-    fsUtimes: "_fsUtimes",
-    childProcessSpawnStart: "_childProcessSpawnStart",
-    childProcessStdinWrite: "_childProcessStdinWrite",
-    childProcessStdinClose: "_childProcessStdinClose",
-    childProcessKill: "_childProcessKill",
-    childProcessSpawnSync: "_childProcessSpawnSync",
-    networkFetchRaw: "_networkFetchRaw",
-    networkDnsLookupRaw: "_networkDnsLookupRaw",
-    networkHttpRequestRaw: "_networkHttpRequestRaw",
-    networkHttpServerListenRaw: "_networkHttpServerListenRaw",
-    networkHttpServerCloseRaw: "_networkHttpServerCloseRaw",
-    networkHttpServerRespondRaw: "_networkHttpServerRespondRaw",
-    networkHttpServerWaitRaw: "_networkHttpServerWaitRaw",
-    networkHttp2ServerListenRaw: "_networkHttp2ServerListenRaw",
-    networkHttp2ServerCloseRaw: "_networkHttp2ServerCloseRaw",
-    networkHttp2ServerWaitRaw: "_networkHttp2ServerWaitRaw",
-    networkHttp2SessionConnectRaw: "_networkHttp2SessionConnectRaw",
-    networkHttp2SessionRequestRaw: "_networkHttp2SessionRequestRaw",
-    networkHttp2SessionSettingsRaw: "_networkHttp2SessionSettingsRaw",
-    networkHttp2SessionSetLocalWindowSizeRaw: "_networkHttp2SessionSetLocalWindowSizeRaw",
-    networkHttp2SessionGoawayRaw: "_networkHttp2SessionGoawayRaw",
-    networkHttp2SessionCloseRaw: "_networkHttp2SessionCloseRaw",
-    networkHttp2SessionDestroyRaw: "_networkHttp2SessionDestroyRaw",
-    networkHttp2SessionWaitRaw: "_networkHttp2SessionWaitRaw",
-    networkHttp2ServerPollRaw: "_networkHttp2ServerPollRaw",
-    networkHttp2SessionPollRaw: "_networkHttp2SessionPollRaw",
-    networkHttp2StreamRespondRaw: "_networkHttp2StreamRespondRaw",
-    networkHttp2StreamPushStreamRaw: "_networkHttp2StreamPushStreamRaw",
-    networkHttp2StreamWriteRaw: "_networkHttp2StreamWriteRaw",
-    networkHttp2StreamEndRaw: "_networkHttp2StreamEndRaw",
-    networkHttp2StreamCloseRaw: "_networkHttp2StreamCloseRaw",
-    networkHttp2StreamPauseRaw: "_networkHttp2StreamPauseRaw",
-    networkHttp2StreamResumeRaw: "_networkHttp2StreamResumeRaw",
-    networkHttp2StreamRespondWithFileRaw: "_networkHttp2StreamRespondWithFileRaw",
-    networkHttp2ServerRespondRaw: "_networkHttp2ServerRespondRaw",
-    upgradeSocketWriteRaw: "_upgradeSocketWriteRaw",
-    upgradeSocketEndRaw: "_upgradeSocketEndRaw",
-    upgradeSocketDestroyRaw: "_upgradeSocketDestroyRaw",
-    netSocketConnectRaw: "_netSocketConnectRaw",
-    netSocketWaitConnectRaw: "_netSocketWaitConnectRaw",
-    netSocketReadRaw: "_netSocketReadRaw",
-    netSocketSetNoDelayRaw: "_netSocketSetNoDelayRaw",
-    netSocketSetKeepAliveRaw: "_netSocketSetKeepAliveRaw",
-    netSocketWriteRaw: "_netSocketWriteRaw",
-    netSocketEndRaw: "_netSocketEndRaw",
-    netSocketDestroyRaw: "_netSocketDestroyRaw",
-    netSocketUpgradeTlsRaw: "_netSocketUpgradeTlsRaw",
-    netSocketGetTlsClientHelloRaw: "_netSocketGetTlsClientHelloRaw",
-    netSocketTlsQueryRaw: "_netSocketTlsQueryRaw",
-    tlsGetCiphersRaw: "_tlsGetCiphersRaw",
-    netServerListenRaw: "_netServerListenRaw",
-    netServerAcceptRaw: "_netServerAcceptRaw",
-    netServerCloseRaw: "_netServerCloseRaw",
-    dgramSocketCreateRaw: "_dgramSocketCreateRaw",
-    dgramSocketBindRaw: "_dgramSocketBindRaw",
-    dgramSocketRecvRaw: "_dgramSocketRecvRaw",
-    dgramSocketSendRaw: "_dgramSocketSendRaw",
-    dgramSocketCloseRaw: "_dgramSocketCloseRaw",
-    dgramSocketAddressRaw: "_dgramSocketAddressRaw",
-    dgramSocketSetBufferSizeRaw: "_dgramSocketSetBufferSizeRaw",
-    dgramSocketGetBufferSizeRaw: "_dgramSocketGetBufferSizeRaw",
-    resolveModuleSync: "_resolveModuleSync",
-    loadFileSync: "_loadFileSync",
-    ptySetRawMode: "_ptySetRawMode",
-    kernelStdinRead: "_kernelStdinRead",
-    processConfig: "_processConfig",
-    osConfig: "_osConfig",
-    log: "_log",
-    error: "_error",
-};
-/** Globals exposed by the bridge bundle and runtime scripts inside the isolate. */
-export const RUNTIME_BRIDGE_GLOBAL_KEYS = {
-    registerHandle: "_registerHandle",
-    unregisterHandle: "_unregisterHandle",
-    waitForActiveHandles: "_waitForActiveHandles",
-    getActiveHandles: "_getActiveHandles",
-    childProcessDispatch: "_childProcessDispatch",
-    childProcessModule: "_childProcessModule",
-    moduleModule: "_moduleModule",
-    osModule: "_osModule",
-    httpModule: "_httpModule",
-    httpsModule: "_httpsModule",
-    http2Module: "_http2Module",
-    dnsModule: "_dnsModule",
-    dgramModule: "_dgramModule",
-    httpServerDispatch: "_httpServerDispatch",
-    httpServerUpgradeDispatch: "_httpServerUpgradeDispatch",
-    httpServerConnectDispatch: "_httpServerConnectDispatch",
-    http2Dispatch: "_http2Dispatch",
-    timerDispatch: "_timerDispatch",
-    upgradeSocketData: "_upgradeSocketData",
-    upgradeSocketEnd: "_upgradeSocketEnd",
-    netSocketDispatch: "_netSocketDispatch",
-    fsFacade: "_fs",
-    requireFrom: "_requireFrom",
-    moduleCache: "_moduleCache",
-    processExitError: "ProcessExitError",
-};
-export const HOST_BRIDGE_GLOBAL_KEY_LIST = valuesOf(HOST_BRIDGE_GLOBAL_KEYS);
-export const RUNTIME_BRIDGE_GLOBAL_KEY_LIST = valuesOf(RUNTIME_BRIDGE_GLOBAL_KEYS);
-export const BRIDGE_GLOBAL_KEY_LIST = [
-    ...HOST_BRIDGE_GLOBAL_KEY_LIST,
-    ...RUNTIME_BRIDGE_GLOBAL_KEY_LIST,
-];

package/dist/shared/console-formatter.d.ts

@@ -1,22 +0,0 @@
-/**
- * Controls how deeply and widely console.log arguments are serialized.
- * Prevents CPU amplification and memory buildup from deeply-nested or
- * massive objects being logged inside the sandbox.
- */
-export interface ConsoleSerializationBudget {
-    maxDepth: number;
-    maxKeys: number;
-    maxArrayLength: number;
-    maxOutputLength: number;
-}
-export declare const DEFAULT_CONSOLE_SERIALIZATION_BUDGET: ConsoleSerializationBudget;
-/** Serialize a single value with circular reference detection and budget limits. */
-export declare function safeStringifyConsoleValue(value: unknown, rawBudget: ConsoleSerializationBudget): string;
-/** Format an array of console arguments into a single space-separated string. */
-export declare function formatConsoleArgs(args: unknown[], rawBudget: ConsoleSerializationBudget): string;
-/**
- * Generate isolate-side JavaScript that installs a `globalThis.console` shim.
- * The shim serializes arguments using the budget and forwards them to host
- * bridge references (`_log` / `_error`) via `applySync`.
- */
-export declare function getConsoleSetupCode(budget?: ConsoleSerializationBudget): string;

package/dist/shared/console-formatter.js

@@ -1,161 +0,0 @@
-export const DEFAULT_CONSOLE_SERIALIZATION_BUDGET = {
-    maxDepth: 6,
-    maxKeys: 50,
-    maxArrayLength: 50,
-    maxOutputLength: 4096,
-};
-function normalizeBudget(budget) {
-    const defaults = {
-        maxDepth: 6,
-        maxKeys: 50,
-        maxArrayLength: 50,
-        maxOutputLength: 4096,
-    };
-    const clamp = (value, fallback) => {
-        if (!Number.isFinite(value))
-            return fallback;
-        const normalized = Math.floor(value);
-        return normalized > 0 ? normalized : fallback;
-    };
-    return {
-        maxDepth: clamp(budget.maxDepth, defaults.maxDepth),
-        maxKeys: clamp(budget.maxKeys, defaults.maxKeys),
-        maxArrayLength: clamp(budget.maxArrayLength, defaults.maxArrayLength),
-        maxOutputLength: clamp(budget.maxOutputLength, defaults.maxOutputLength),
-    };
-}
-function safeStringifyConsoleValueWithBudget(value, budget) {
-    const suffix = "...[Truncated]";
-    const clampOutput = (text) => {
-        if (text.length <= budget.maxOutputLength) {
-            return text;
-        }
-        if (budget.maxOutputLength <= suffix.length) {
-            return suffix.slice(0, budget.maxOutputLength);
-        }
-        return (text.slice(0, budget.maxOutputLength - suffix.length) + suffix);
-    };
-    if (value === null)
-        return "null";
-    if (value === undefined)
-        return "undefined";
-    const valueType = typeof value;
-    if (valueType !== "object") {
-        if (valueType === "bigint") {
-            return `${String(value)}n`;
-        }
-        return clampOutput(String(value));
-    }
-    const rootObject = value;
-    const skipFastPath = (Array.isArray(rootObject) &&
-        rootObject.length > budget.maxArrayLength) ||
-        (!Array.isArray(rootObject) &&
-            Object.keys(rootObject).length > budget.maxKeys);
-    if (!skipFastPath) {
-        try {
-            const quickSerialized = JSON.stringify(value);
-            if (quickSerialized !== undefined) {
-                return clampOutput(quickSerialized);
-            }
-        }
-        catch {
-            // Fall back to circular-safe and budget-aware serialization.
-        }
-    }
-    const seen = new WeakSet();
-    const depthByObject = new WeakMap();
-    const replacer = function (key, current) {
-        if (typeof current === "bigint") {
-            return `${String(current)}n`;
-        }
-        if (typeof current !== "object" || current === null) {
-            return current;
-        }
-        const currentObject = current;
-        if (seen.has(currentObject)) {
-            return "[Circular]";
-        }
-        seen.add(currentObject);
-        let depth = 0;
-        if (key !== "") {
-            const parent = this;
-            if (typeof parent === "object" && parent !== null) {
-                depth = (depthByObject.get(parent) ?? 0) + 1;
-            }
-        }
-        depthByObject.set(currentObject, depth);
-        if (depth > budget.maxDepth) {
-            return "[MaxDepth]";
-        }
-        if (Array.isArray(currentObject)) {
-            if (currentObject.length <= budget.maxArrayLength) {
-                return currentObject;
-            }
-            const trimmed = currentObject.slice(0, budget.maxArrayLength);
-            trimmed.push("[Truncated]");
-            return trimmed;
-        }
-        const keys = Object.keys(currentObject);
-        if (keys.length <= budget.maxKeys) {
-            return currentObject;
-        }
-        const trimmed = {};
-        for (let i = 0; i < budget.maxKeys; i += 1) {
-            const keyName = keys[i];
-            trimmed[keyName] = currentObject[keyName];
-        }
-        trimmed["[Truncated]"] = `${keys.length - budget.maxKeys} key(s)`;
-        return trimmed;
-    };
-    try {
-        const serialized = JSON.stringify(value, replacer);
-        if (serialized === undefined) {
-            return clampOutput(String(value));
-        }
-        return clampOutput(serialized);
-    }
-    catch {
-        return clampOutput(String(value));
-    }
-}
-/** Serialize a single value with circular reference detection and budget limits. */
-export function safeStringifyConsoleValue(value, rawBudget) {
-    return safeStringifyConsoleValueWithBudget(value, normalizeBudget(rawBudget));
-}
-/** Format an array of console arguments into a single space-separated string. */
-export function formatConsoleArgs(args, rawBudget) {
-    const budget = normalizeBudget(rawBudget);
-    const formatted = [];
-    for (let i = 0; i < args.length; i += 1) {
-        formatted.push(safeStringifyConsoleValueWithBudget(args[i], budget));
-    }
-    return formatted.join(" ");
-}
-/**
- * Generate isolate-side JavaScript that installs a `globalThis.console` shim.
- * The shim serializes arguments using the budget and forwards them to host
- * bridge references (`_log` / `_error`) via `applySync`.
- */
-export function getConsoleSetupCode(budget = DEFAULT_CONSOLE_SERIALIZATION_BUDGET) {
-    const normalizedBudget = normalizeBudget(budget);
-    return `
-	      // tsx/esbuild may emit __name(...) wrappers inside function source strings.
-	      const __name = (value) => value;
-	      const __consoleBudget = ${JSON.stringify(normalizedBudget)};
-	      const normalizeBudget = ${normalizeBudget.toString()};
-	      const safeStringifyConsoleValueWithBudget = ${safeStringifyConsoleValueWithBudget.toString()};
-      const safeStringifyConsoleValue = ${safeStringifyConsoleValue.toString()};
-      const formatConsoleArgs = ${formatConsoleArgs.toString()};
-
-      globalThis.console = {
-        log: (...args) => _log(formatConsoleArgs(args, __consoleBudget) + "\\n"),
-        error: (...args) => _error(formatConsoleArgs(args, __consoleBudget) + "\\n"),
-        warn: (...args) => _error(formatConsoleArgs(args, __consoleBudget) + "\\n"),
-        info: (...args) => _log(formatConsoleArgs(args, __consoleBudget) + "\\n"),
-        debug: (...args) => _log(formatConsoleArgs(args, __consoleBudget) + "\\n"),
-        trace: (...args) => _error(formatConsoleArgs(args, __consoleBudget) + "\\n"),
-        dir: (...args) => _log(formatConsoleArgs(args, __consoleBudget) + "\\n"),
-        table: (...args) => _log(formatConsoleArgs(args, __consoleBudget) + "\\n"),
-      };
-    `;
-}

package/dist/shared/constants.d.ts

@@ -1,3 +0,0 @@
-/** Matches GNU `timeout` convention where 124 indicates execution timed out. */
-export declare const TIMEOUT_EXIT_CODE = 124;
-export declare const TIMEOUT_ERROR_MESSAGE = "CPU time limit exceeded";

package/dist/shared/constants.js

@@ -1,3 +0,0 @@
-/** Matches GNU `timeout` convention where 124 indicates execution timed out. */
-export const TIMEOUT_EXIT_CODE = 124;
-export const TIMEOUT_ERROR_MESSAGE = "CPU time limit exceeded";

package/dist/shared/errors.d.ts

@@ -1,16 +0,0 @@
-/** Node-compatible system error shape with code, errno, path, and syscall. */
-export interface SystemError extends Error {
-    code?: string;
-    errno?: number | string;
-    path?: string;
-    syscall?: string;
-}
-/** Build a system error with the given POSIX error code (ENOENT, EACCES, etc.). */
-export declare function createSystemError(code: string, message: string, details?: {
-    path?: string;
-    syscall?: string;
-}): SystemError;
-/** Create a permission-denied error matching Node's EACCES format. */
-export declare function createEaccesError(op: string, path?: string, reason?: string): SystemError;
-/** Create a "function not implemented" error for unsupported operations. */
-export declare function createEnosysError(op: string, path?: string): SystemError;

package/dist/shared/errors.js

@@ -1,21 +0,0 @@
-/** Build a system error with the given POSIX error code (ENOENT, EACCES, etc.). */
-export function createSystemError(code, message, details) {
-    const err = new Error(message);
-    err.code = code;
-    if (details?.path)
-        err.path = details.path;
-    if (details?.syscall)
-        err.syscall = details.syscall;
-    return err;
-}
-/** Create a permission-denied error matching Node's EACCES format. */
-export function createEaccesError(op, path, reason) {
-    const suffix = path ? ` '${path}'` : "";
-    const reasonSuffix = reason ? `: ${reason}` : "";
-    return createSystemError("EACCES", `EACCES: permission denied, ${op}${suffix}${reasonSuffix}`, { path, syscall: op });
-}
-/** Create a "function not implemented" error for unsupported operations. */
-export function createEnosysError(op, path) {
-    const suffix = path ? ` '${path}'` : "";
-    return createSystemError("ENOSYS", `ENOSYS: function not implemented, ${op}${suffix}`, { path, syscall: op });
-}

package/dist/shared/esm-utils.d.ts

@@ -1,28 +0,0 @@
-/**
- * Detect if code uses ESM syntax.
- */
-export declare function isESM(code: string, filePath?: string): boolean;
-/**
- * Transform dynamic import() calls to __dynamicImport() calls.
- */
-export declare function transformDynamicImport(code: string): string;
-/**
- * Extract static import specifiers from transformed code.
- */
-export declare function extractDynamicImportSpecifiers(code: string): string[];
-/**
- * Convert CJS module to ESM-compatible wrapper.
- */
-/**
- * Wrap CommonJS code in an ESM-compatible module that exports `module.exports`
- * as the default export plus any statically-detectable named exports.
- */
-export declare function wrapCJSForESM(code: string): string;
-export declare function wrapCJSForESMWithModulePath(code: string, modulePath: string): string;
-/**
- * Scan CJS code for `module.exports.X =`, `exports.X =`, and
- * `Object.defineProperty(exports, 'X', ...)` patterns to discover named exports
- * that can be re-exported from the ESM wrapper.
- */
-declare function extractCjsNamedExports(code: string): string[];
-export { extractCjsNamedExports };

package/dist/shared/esm-utils.js

@@ -1,97 +0,0 @@
-/**
- * Detect if code uses ESM syntax.
- */
-export function isESM(code, filePath) {
-    if (filePath?.endsWith(".mjs"))
-        return true;
-    if (filePath?.endsWith(".cjs"))
-        return false;
-    const hasImport = /^\s*import\s*(?:[\w{},*\s]+\s*from\s*)?['"][^'"]+['"]/m.test(code) ||
-        /^\s*import\s*\{[^}]*\}\s*from\s*['"][^'"]+['"]/m.test(code);
-    const hasExport = /^\s*export\s+(?:default|const|let|var|function|class|{)/m.test(code) ||
-        /^\s*export\s*\{/m.test(code);
-    return hasImport || hasExport;
-}
-/**
- * Transform dynamic import() calls to __dynamicImport() calls.
- */
-export function transformDynamicImport(code) {
-    return code.replace(/(?<![a-zA-Z_$])import\s*\(/g, "__dynamicImport(");
-}
-/**
- * Extract static import specifiers from transformed code.
- */
-export function extractDynamicImportSpecifiers(code) {
-    const regex = /__dynamicImport\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
-    const specifiers = new Set();
-    for (const match of code.matchAll(regex)) {
-        specifiers.add(match[1]);
-    }
-    return Array.from(specifiers);
-}
-/**
- * Convert CJS module to ESM-compatible wrapper.
- */
-/**
- * Wrap CommonJS code in an ESM-compatible module that exports `module.exports`
- * as the default export plus any statically-detectable named exports.
- */
-export function wrapCJSForESM(code) {
-    const modulePath = "/<cjs-module>.cjs";
-    return wrapCJSForESMWithModulePath(code, modulePath);
-}
-function getModuleDir(path) {
-    const normalized = path.replace(/\\/g, "/");
-    const lastSlash = normalized.lastIndexOf("/");
-    if (lastSlash <= 0) {
-        return "/";
-    }
-    return normalized.slice(0, lastSlash);
-}
-export function wrapCJSForESMWithModulePath(code, modulePath) {
-    const moduleDir = getModuleDir(modulePath);
-    const namedExports = extractCjsNamedExports(code)
-        .filter((name) => name !== "default" && name !== "__esModule")
-        .map((name) => {
-        const localName = `__cjs_named_${name}`;
-        return `const ${localName} = __cjs?.${name};\nexport { ${localName} as ${name} };`;
-    })
-        .join("\n");
-    return `
-	    const __filename = ${JSON.stringify(modulePath)};
-	    const __dirname = ${JSON.stringify(moduleDir)};
-	    const require = (name) => globalThis._requireFrom(name, __dirname);
-	    const module = { exports: {} };
-	    const exports = module.exports;
-	    ${code}
-	    const __cjs = module.exports;
-	    export default __cjs;
-	    export const __cjsModule = true;
-	    ${namedExports}
-	  `;
-}
-/**
- * Scan CJS code for `module.exports.X =`, `exports.X =`, and
- * `Object.defineProperty(exports, 'X', ...)` patterns to discover named exports
- * that can be re-exported from the ESM wrapper.
- */
-function extractCjsNamedExports(code) {
-    const names = new Set();
-    const add = (name) => {
-        if (!/^[A-Za-z_$][\w$]*$/.test(name)) {
-            return;
-        }
-        names.add(name);
-    };
-    for (const match of code.matchAll(/\bmodule\.exports\.([A-Za-z_$][\w$]*)\s*=/g)) {
-        add(match[1]);
-    }
-    for (const match of code.matchAll(/\bexports\.([A-Za-z_$][\w$]*)\s*=/g)) {
-        add(match[1]);
-    }
-    for (const match of code.matchAll(/\bObject\.defineProperty\(\s*(?:module\.)?exports\s*,\s*["']([^"']+)["']/g)) {
-        add(match[1]);
-    }
-    return Array.from(names).sort();
-}
-export { extractCjsNamedExports };

package/dist/shared/global-exposure.d.ts

@@ -1,38 +0,0 @@
-/**
- * Classification for globals the runtime installs on the isolate's `globalThis`.
- *
- * - `hardened`: non-writable, non-configurable. Prevents sandbox code from
- *   replacing bridge callbacks or lifecycle hooks.
- * - `mutable-runtime-state`: writable per-execution state (module cache,
- *   stdin data, CJS module/exports wrappers) that must be reset between runs.
- */
-export type CustomGlobalClassification = "hardened" | "mutable-runtime-state";
-export interface CustomGlobalInventoryEntry {
-    name: string;
-    classification: CustomGlobalClassification;
-    rationale: string;
-}
-export declare const NODE_CUSTOM_GLOBAL_INVENTORY: readonly CustomGlobalInventoryEntry[];
-export declare const HARDENED_NODE_CUSTOM_GLOBALS: string[];
-export declare const MUTABLE_NODE_CUSTOM_GLOBALS: string[];
-interface ExposeGlobalOptions {
-    mutable?: boolean;
-    enumerable?: boolean;
-}
-/**
- * Define a property on `target` using `Object.defineProperty`.
- * By default the property is non-writable/non-configurable (hardened).
- */
-export declare function exposeGlobalBinding(target: Record<string, unknown>, name: string, value: unknown, options?: ExposeGlobalOptions): void;
-/** Install a hardened (non-writable) global on `globalThis`. */
-export declare function exposeCustomGlobal(name: string, value: unknown): void;
-/** Install a writable global on `globalThis` for per-execution state. */
-export declare function exposeMutableRuntimeStateGlobal(name: string, value: unknown): void;
-/**
- * Inline JavaScript source that provides `exposeCustomGlobal` and
- * `exposeMutableRuntimeStateGlobal` inside the isolate's V8 context.
- * Evaluated by the host after context creation so that bridge/runtime
- * scripts can harden their own globals.
- */
-export declare const ISOLATE_GLOBAL_EXPOSURE_HELPER_SOURCE = "(() => {\n  const exposeGlobalBinding = (name, value, mutable = false) => {\n    Object.defineProperty(globalThis, name, {\n      value,\n      writable: mutable,\n      configurable: mutable,\n      enumerable: true,\n    });\n  };\n  const exposeCustomGlobal = (name, value) => exposeGlobalBinding(name, value, false);\n  const exposeMutableRuntimeStateGlobal = (name, value) =>\n    exposeGlobalBinding(name, value, true);\n  return {\n    exposeCustomGlobal,\n    exposeMutableRuntimeStateGlobal,\n  };\n})()";
-export {};