@secure-exec/core 0.2.1 → 0.3.0-rc.2

package/dist/test-runtime.js

@@ -0,0 +1,2119 @@
+import { execFileSync } from "node:child_process";
+import * as fsSync from "node:fs";
+import * as fs from "node:fs/promises";
+import * as path from "node:path";
+import * as posixPath from "node:path/posix";
+import { fileURLToPath } from "node:url";
+import { NATIVE_SIDECAR_FRAME_TIMEOUT_MS, NativeSidecarKernelProxy, NativeSidecarProcessClient, serializeMountConfigForSidecar, } from "./kernel-proxy.js";
+import { resolvePublishedSidecarBinary } from "./binary.js";
+import { findCargoBinary, resolveCargoBinary } from "./cargo.js";
+export const AF_INET = 2;
+export const AF_UNIX = 1;
+export const SOCK_STREAM = 1;
+export const SOCK_DGRAM = 2;
+export const SIGTERM = 15;
+const S_IFREG = 0o100000;
+const S_IFDIR = 0o040000;
+const S_IFLNK = 0o120000;
+const MAX_SYMLINK_DEPTH = 40;
+const KERNEL_COMMAND_STUB = "#!/bin/sh\n# kernel command stub\n";
+const NODE_RUNTIME_BOOTSTRAP_COMMANDS = ["node", "npm", "npx"];
+const KERNEL_POSIX_BOOTSTRAP_DIRS = [
+    "/dev",
+    "/proc",
+    "/tmp",
+    "/bin",
+    "/lib",
+    "/sbin",
+    "/boot",
+    "/etc",
+    "/root",
+    "/run",
+    "/srv",
+    "/sys",
+    "/opt",
+    "/mnt",
+    "/media",
+    "/home",
+    "/home/user",
+    "/usr",
+    "/usr/bin",
+    "/usr/games",
+    "/usr/include",
+    "/usr/lib",
+    "/usr/libexec",
+    "/usr/man",
+    "/usr/local",
+    "/usr/local/bin",
+    "/usr/sbin",
+    "/usr/share",
+    "/usr/share/man",
+    "/var",
+    "/var/cache",
+    "/var/empty",
+    "/var/lib",
+    "/var/lock",
+    "/var/log",
+    "/var/run",
+    "/var/spool",
+    "/var/tmp",
+];
+const REPO_ROOT = fileURLToPath(new URL("../../..", import.meta.url));
+const SIDECAR_BINARY = path.join(REPO_ROOT, "target/debug/secure-exec-sidecar");
+const SIDECAR_BUILD_INPUTS = [
+    path.join(REPO_ROOT, "Cargo.toml"),
+    path.join(REPO_ROOT, "Cargo.lock"),
+    path.join(REPO_ROOT, "crates/bridge"),
+    path.join(REPO_ROOT, "crates/execution"),
+    path.join(REPO_ROOT, "crates/kernel"),
+    path.join(REPO_ROOT, "crates/sidecar"),
+];
+let ensuredSidecarBinary = null;
+export class KernelError extends Error {
+    code;
+    constructor(code, message) {
+        super(message.startsWith(`${code}:`) ? message : `${code}: ${message}`);
+        this.name = "KernelError";
+        this.code = code;
+    }
+}
+function normalizePath(inputPath) {
+    if (!inputPath)
+        return "/";
+    let normalized = inputPath.startsWith("/") ? inputPath : `/${inputPath}`;
+    normalized = normalized.replace(/\/+/g, "/");
+    if (normalized.length > 1 && normalized.endsWith("/")) {
+        normalized = normalized.slice(0, -1);
+    }
+    const parts = normalized.split("/");
+    const resolved = [];
+    for (const part of parts) {
+        if (part === "" || part === ".")
+            continue;
+        if (part === "..") {
+            resolved.pop();
+            continue;
+        }
+        resolved.push(part);
+    }
+    return resolved.length === 0 ? "/" : `/${resolved.join("/")}`;
+}
+function dirnameVirtual(inputPath) {
+    const normalized = normalizePath(inputPath);
+    if (normalized === "/")
+        return "/";
+    const parts = normalized.split("/").filter(Boolean);
+    return parts.length <= 1 ? "/" : `/${parts.slice(0, -1).join("/")}`;
+}
+let nextInode = 1;
+export class InMemoryFileSystem {
+    entries = new Map();
+    constructor() {
+        this.entries.set("/", this.newDirectory());
+    }
+    async readFile(targetPath) {
+        const entry = this.resolveEntry(targetPath);
+        if (!entry || entry.type !== "file") {
+            throw errnoError("ENOENT", `open '${targetPath}'`);
+        }
+        entry.atimeMs = Date.now();
+        return entry.data;
+    }
+    async readTextFile(targetPath) {
+        return new TextDecoder().decode(await this.readFile(targetPath));
+    }
+    async readDir(targetPath) {
+        return (await this.readDirWithTypes(targetPath)).map((entry) => entry.name);
+    }
+    async readDirWithTypes(targetPath) {
+        const resolved = this.resolvePath(targetPath);
+        const entry = this.entries.get(resolved);
+        if (!entry || entry.type !== "dir") {
+            throw errnoError("ENOENT", `scandir '${targetPath}'`);
+        }
+        const prefix = resolved === "/" ? "/" : `${resolved}/`;
+        const output = new Map();
+        for (const [entryPath, candidate] of this.entries) {
+            if (!entryPath.startsWith(prefix))
+                continue;
+            const rest = entryPath.slice(prefix.length);
+            if (!rest || rest.includes("/"))
+                continue;
+            output.set(rest, {
+                name: rest,
+                isDirectory: candidate.type === "dir",
+                isSymbolicLink: candidate.type === "symlink",
+            });
+        }
+        return [...output.values()];
+    }
+    async writeFile(targetPath, content) {
+        const normalized = normalizePath(targetPath);
+        await this.mkdir(dirnameVirtual(normalized), { recursive: true });
+        const data = typeof content === "string" ? new TextEncoder().encode(content) : content;
+        const existing = this.entries.get(normalized);
+        if (existing?.type === "file") {
+            existing.data = data;
+            existing.mtimeMs = Date.now();
+            existing.ctimeMs = Date.now();
+            return;
+        }
+        const now = Date.now();
+        this.entries.set(normalized, {
+            type: "file",
+            data,
+            mode: S_IFREG | 0o644,
+            uid: 0,
+            gid: 0,
+            nlink: 1,
+            ino: nextInode++,
+            atimeMs: now,
+            mtimeMs: now,
+            ctimeMs: now,
+            birthtimeMs: now,
+        });
+    }
+    async createDir(targetPath) {
+        const normalized = normalizePath(targetPath);
+        if (!this.entries.has(dirnameVirtual(normalized))) {
+            throw errnoError("ENOENT", `mkdir '${targetPath}'`);
+        }
+        if (!this.entries.has(normalized)) {
+            this.entries.set(normalized, this.newDirectory());
+        }
+    }
+    async mkdir(targetPath, options) {
+        const normalized = normalizePath(targetPath);
+        if (options?.recursive === false) {
+            return this.createDir(normalized);
+        }
+        let current = "";
+        for (const part of normalized.split("/").filter(Boolean)) {
+            current += `/${part}`;
+            if (!this.entries.has(current)) {
+                this.entries.set(current, this.newDirectory());
+            }
+        }
+    }
+    async exists(targetPath) {
+        try {
+            return this.entries.has(this.resolvePath(targetPath));
+        }
+        catch {
+            return false;
+        }
+    }
+    async stat(targetPath) {
+        const entry = this.resolveEntry(targetPath);
+        if (!entry)
+            throw errnoError("ENOENT", `stat '${targetPath}'`);
+        return this.toStat(entry);
+    }
+    async removeFile(targetPath) {
+        const resolved = this.resolvePath(targetPath);
+        const entry = this.entries.get(resolved);
+        if (!entry || entry.type === "dir") {
+            throw errnoError("ENOENT", `unlink '${targetPath}'`);
+        }
+        this.entries.delete(resolved);
+    }
+    async removeDir(targetPath) {
+        const resolved = this.resolvePath(targetPath);
+        if (resolved === "/") {
+            throw errnoError("EPERM", "operation not permitted");
+        }
+        const entry = this.entries.get(resolved);
+        if (!entry || entry.type !== "dir") {
+            throw errnoError("ENOENT", `rmdir '${targetPath}'`);
+        }
+        const prefix = `${resolved}/`;
+        for (const key of this.entries.keys()) {
+            if (key.startsWith(prefix)) {
+                throw errnoError("ENOTEMPTY", `directory not empty '${targetPath}'`);
+            }
+        }
+        this.entries.delete(resolved);
+    }
+    async rename(oldPath, newPath) {
+        const oldResolved = this.resolvePath(oldPath);
+        const newResolved = normalizePath(newPath);
+        const entry = this.entries.get(oldResolved);
+        if (!entry)
+            throw errnoError("ENOENT", `rename '${oldPath}'`);
+        if (!this.entries.has(dirnameVirtual(newResolved))) {
+            throw errnoError("ENOENT", `rename '${newPath}'`);
+        }
+        if (entry.type !== "dir") {
+            this.entries.set(newResolved, entry);
+            this.entries.delete(oldResolved);
+            return;
+        }
+        const prefix = `${oldResolved}/`;
+        const moved = [];
+        for (const candidate of this.entries) {
+            if (candidate[0] === oldResolved || candidate[0].startsWith(prefix)) {
+                moved.push(candidate);
+            }
+        }
+        for (const [candidatePath] of moved) {
+            this.entries.delete(candidatePath);
+        }
+        for (const [candidatePath, candidate] of moved) {
+            const nextPath = candidatePath === oldResolved
+                ? newResolved
+                : `${newResolved}${candidatePath.slice(oldResolved.length)}`;
+            this.entries.set(nextPath, candidate);
+        }
+    }
+    async realpath(targetPath) {
+        return this.resolvePath(targetPath);
+    }
+    async symlink(target, linkPath) {
+        const normalized = normalizePath(linkPath);
+        if (this.entries.has(normalized)) {
+            throw errnoError("EEXIST", `symlink '${linkPath}'`);
+        }
+        const now = Date.now();
+        this.entries.set(normalized, {
+            type: "symlink",
+            target,
+            mode: S_IFLNK | 0o777,
+            uid: 0,
+            gid: 0,
+            nlink: 1,
+            ino: nextInode++,
+            atimeMs: now,
+            mtimeMs: now,
+            ctimeMs: now,
+            birthtimeMs: now,
+        });
+    }
+    async readlink(targetPath) {
+        const normalized = normalizePath(targetPath);
+        const entry = this.entries.get(normalized);
+        if (!entry || entry.type !== "symlink") {
+            throw errnoError("ENOENT", `readlink '${targetPath}'`);
+        }
+        return entry.target;
+    }
+    async lstat(targetPath) {
+        const entry = this.entries.get(normalizePath(targetPath));
+        if (!entry)
+            throw errnoError("ENOENT", `lstat '${targetPath}'`);
+        return this.toStat(entry);
+    }
+    async link(oldPath, newPath) {
+        const entry = this.resolveEntry(oldPath);
+        if (!entry || entry.type !== "file") {
+            throw errnoError("ENOENT", `link '${oldPath}'`);
+        }
+        const normalized = normalizePath(newPath);
+        if (this.entries.has(normalized)) {
+            throw errnoError("EEXIST", `link '${newPath}'`);
+        }
+        entry.nlink += 1;
+        this.entries.set(normalized, entry);
+    }
+    async chmod(targetPath, mode) {
+        const entry = this.resolveEntry(targetPath);
+        if (!entry)
+            throw errnoError("ENOENT", `chmod '${targetPath}'`);
+        const typeBits = mode & 0o170000;
+        entry.mode =
+            typeBits === 0 ? (entry.mode & 0o170000) | (mode & 0o7777) : mode;
+        entry.ctimeMs = Date.now();
+    }
+    async chown(targetPath, uid, gid) {
+        const entry = this.resolveEntry(targetPath);
+        if (!entry)
+            throw errnoError("ENOENT", `chown '${targetPath}'`);
+        entry.uid = uid;
+        entry.gid = gid;
+        entry.ctimeMs = Date.now();
+    }
+    async utimes(targetPath, atime, mtime) {
+        const entry = this.resolveEntry(targetPath);
+        if (!entry)
+            throw errnoError("ENOENT", `utimes '${targetPath}'`);
+        entry.atimeMs = atime;
+        entry.mtimeMs = mtime;
+        entry.ctimeMs = Date.now();
+    }
+    async truncate(targetPath, length) {
+        const entry = this.resolveEntry(targetPath);
+        if (!entry || entry.type !== "file") {
+            throw errnoError("ENOENT", `truncate '${targetPath}'`);
+        }
+        if (length < entry.data.length) {
+            entry.data = entry.data.slice(0, length);
+        }
+        else if (length > entry.data.length) {
+            const expanded = new Uint8Array(length);
+            expanded.set(entry.data);
+            entry.data = expanded;
+        }
+        entry.mtimeMs = Date.now();
+        entry.ctimeMs = Date.now();
+    }
+    async pread(targetPath, offset, length) {
+        const entry = this.resolveEntry(targetPath);
+        if (!entry || entry.type !== "file") {
+            throw errnoError("ENOENT", `open '${targetPath}'`);
+        }
+        if (offset >= entry.data.length)
+            return new Uint8Array(0);
+        return entry.data.slice(offset, Math.min(offset + length, entry.data.length));
+    }
+    async pwrite(targetPath, offset, data) {
+        const entry = this.resolveEntry(targetPath);
+        if (!entry || entry.type !== "file") {
+            throw errnoError("ENOENT", `open '${targetPath}'`);
+        }
+        const nextSize = Math.max(entry.data.length, offset + data.length);
+        const updated = new Uint8Array(nextSize);
+        updated.set(entry.data);
+        updated.set(data, offset);
+        entry.data = updated;
+        entry.mtimeMs = Date.now();
+        entry.ctimeMs = Date.now();
+    }
+    resolvePath(targetPath, depth = 0) {
+        if (depth > MAX_SYMLINK_DEPTH) {
+            throw errnoError("ELOOP", `too many symbolic links '${targetPath}'`);
+        }
+        const normalized = normalizePath(targetPath);
+        const entry = this.entries.get(normalized);
+        if (!entry)
+            return normalized;
+        if (entry.type === "symlink") {
+            const target = entry.target.startsWith("/")
+                ? entry.target
+                : `${dirnameVirtual(normalized)}/${entry.target}`;
+            return this.resolvePath(target, depth + 1);
+        }
+        return normalized;
+    }
+    resolveEntry(targetPath) {
+        return this.entries.get(this.resolvePath(targetPath));
+    }
+    newDirectory() {
+        const now = Date.now();
+        return {
+            type: "dir",
+            mode: S_IFDIR | 0o755,
+            uid: 0,
+            gid: 0,
+            nlink: 2,
+            ino: nextInode++,
+            atimeMs: now,
+            mtimeMs: now,
+            ctimeMs: now,
+            birthtimeMs: now,
+        };
+    }
+    toStat(entry) {
+        const size = entry.type === "file" ? entry.data.length : 4096;
+        return {
+            mode: entry.mode,
+            size,
+            blocks: size === 0 ? 0 : Math.ceil(size / 512),
+            dev: 1,
+            rdev: 0,
+            isDirectory: entry.type === "dir",
+            isSymbolicLink: entry.type === "symlink",
+            atimeMs: entry.atimeMs,
+            mtimeMs: entry.mtimeMs,
+            ctimeMs: entry.ctimeMs,
+            birthtimeMs: entry.birthtimeMs,
+            ino: entry.ino,
+            nlink: entry.nlink,
+            uid: entry.uid,
+            gid: entry.gid,
+        };
+    }
+}
+export function createInMemoryFileSystem() {
+    return new InMemoryFileSystem();
+}
+export class NodeFileSystem {
+    rootPath;
+    constructor(options) {
+        this.rootPath = fsSync.realpathSync(options.root);
+    }
+    normalizeTarget(targetPath) {
+        const normalized = normalizePath(targetPath).replace(/^\/+/, "");
+        const resolved = path.resolve(this.rootPath, normalized);
+        if (resolved !== this.rootPath &&
+            !resolved.startsWith(`${this.rootPath}${path.sep}`)) {
+            throw errnoError("EACCES", `path escapes root '${targetPath}'`);
+        }
+        return resolved;
+    }
+    toStat(stat) {
+        const posixStat = stat;
+        return {
+            mode: stat.mode,
+            size: stat.size,
+            blocks: posixStat.blocks ?? (stat.size === 0 ? 0 : Math.ceil(stat.size / 512)),
+            dev: posixStat.dev ?? 1,
+            rdev: posixStat.rdev ?? 0,
+            isDirectory: stat.isDirectory(),
+            isSymbolicLink: stat.isSymbolicLink(),
+            atimeMs: Math.trunc(stat.atimeMs),
+            mtimeMs: Math.trunc(stat.mtimeMs),
+            ctimeMs: Math.trunc(stat.ctimeMs),
+            birthtimeMs: Math.trunc(stat.birthtimeMs),
+            ino: stat.ino,
+            nlink: stat.nlink,
+            uid: stat.uid,
+            gid: stat.gid,
+        };
+    }
+    async readFile(targetPath) {
+        return new Uint8Array(await fs.readFile(this.normalizeTarget(targetPath)));
+    }
+    async readTextFile(targetPath) {
+        return fs.readFile(this.normalizeTarget(targetPath), "utf8");
+    }
+    async readDir(targetPath) {
+        return fs.readdir(this.normalizeTarget(targetPath));
+    }
+    async readDirWithTypes(targetPath) {
+        const entries = await fs.readdir(this.normalizeTarget(targetPath), {
+            withFileTypes: true,
+        });
+        return entries.map((entry) => ({
+            name: entry.name,
+            isDirectory: entry.isDirectory(),
+            isSymbolicLink: entry.isSymbolicLink(),
+        }));
+    }
+    async writeFile(targetPath, content) {
+        const resolved = this.normalizeTarget(targetPath);
+        await fs.mkdir(path.dirname(resolved), { recursive: true });
+        await fs.writeFile(resolved, content);
+    }
+    async createDir(targetPath) {
+        await fs.mkdir(this.normalizeTarget(targetPath));
+    }
+    async mkdir(targetPath, options) {
+        await fs.mkdir(this.normalizeTarget(targetPath), {
+            recursive: options?.recursive ?? true,
+        });
+    }
+    async exists(targetPath) {
+        try {
+            await fs.access(this.normalizeTarget(targetPath));
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async stat(targetPath) {
+        return this.toStat(await fs.stat(this.normalizeTarget(targetPath)));
+    }
+    async removeFile(targetPath) {
+        await fs.unlink(this.normalizeTarget(targetPath));
+    }
+    async removeDir(targetPath) {
+        await fs.rmdir(this.normalizeTarget(targetPath));
+    }
+    async rename(oldPath, newPath) {
+        const nextPath = this.normalizeTarget(newPath);
+        await fs.mkdir(path.dirname(nextPath), { recursive: true });
+        await fs.rename(this.normalizeTarget(oldPath), nextPath);
+    }
+    async realpath(targetPath) {
+        const real = await fs.realpath(this.normalizeTarget(targetPath));
+        const relative = path.relative(this.rootPath, real);
+        return relative ? `/${relative.split(path.sep).join("/")}` : "/";
+    }
+    async symlink(target, linkPath) {
+        const resolvedLink = this.normalizeTarget(linkPath);
+        await fs.mkdir(path.dirname(resolvedLink), { recursive: true });
+        await fs.symlink(target, resolvedLink);
+    }
+    async readlink(targetPath) {
+        return fs.readlink(this.normalizeTarget(targetPath));
+    }
+    async lstat(targetPath) {
+        return this.toStat(await fs.lstat(this.normalizeTarget(targetPath)));
+    }
+    async link(oldPath, newPath) {
+        await fs.link(this.normalizeTarget(oldPath), this.normalizeTarget(newPath));
+    }
+    async chmod(targetPath, mode) {
+        await fs.chmod(this.normalizeTarget(targetPath), mode);
+    }
+    async chown(targetPath, uid, gid) {
+        await fs.chown(this.normalizeTarget(targetPath), uid, gid);
+    }
+    async utimes(targetPath, atime, mtime) {
+        await fs.utimes(this.normalizeTarget(targetPath), atime / 1000, mtime / 1000);
+    }
+    async truncate(targetPath, length) {
+        await fs.truncate(this.normalizeTarget(targetPath), length);
+    }
+    async pread(targetPath, offset, length) {
+        const handle = await fs.open(this.normalizeTarget(targetPath), "r");
+        try {
+            const buffer = Buffer.alloc(length);
+            const { bytesRead } = await handle.read(buffer, 0, length, offset);
+            return new Uint8Array(buffer.buffer, buffer.byteOffset, bytesRead);
+        }
+        finally {
+            await handle.close();
+        }
+    }
+    async pwrite(targetPath, offset, data) {
+        const handle = await fs.open(this.normalizeTarget(targetPath), "r+");
+        try {
+            await handle.write(data, 0, data.length, offset);
+        }
+        finally {
+            await handle.close();
+        }
+    }
+}
+function permissionAllows(mode) {
+    return mode !== "deny";
+}
+function globMatches(pattern, value) {
+    const escaped = pattern.replace(/[|\\{}()[\]^$+?.]/g, "\\$&");
+    const expression = escaped.replace(/\*/g, ".*");
+    return new RegExp(`^${expression}$`).test(value);
+}
+function envPolicyAllows(policy, name) {
+    if (policy === undefined) {
+        return true;
+    }
+    if (typeof policy === "string") {
+        return permissionAllows(policy);
+    }
+    let mode = policy.default ?? "deny";
+    for (const rule of policy.rules) {
+        const operationsMatch = !rule.operations ||
+            rule.operations.length === 0 ||
+            rule.operations.includes("read");
+        const patternsMatch = !rule.patterns ||
+            rule.patterns.length === 0 ||
+            rule.patterns.some((pattern) => globMatches(pattern, name));
+        if (operationsMatch && patternsMatch) {
+            mode = rule.mode;
+        }
+    }
+    return permissionAllows(mode);
+}
+export const allowAllFs = "allow";
+export const allowAllNetwork = "allow";
+export const allowAllChildProcess = "allow";
+export const allowAllProcess = "allow";
+export const allowAllEnv = "allow";
+export const allowAll = {
+    fs: allowAllFs,
+    network: allowAllNetwork,
+    childProcess: allowAllChildProcess,
+    process: allowAllProcess,
+    env: allowAllEnv,
+};
+function normalizeFsPermissionScope(scope) {
+    if (scope === undefined || typeof scope === "string") {
+        return scope;
+    }
+    return {
+        ...scope,
+        rules: scope.rules.map((rule) => ({
+            mode: rule.mode,
+            operations: rule.operations ?? [],
+            paths: rule.paths ?? [],
+        })),
+    };
+}
+function normalizePatternPermissionScope(scope) {
+    if (scope === undefined || typeof scope === "string") {
+        return scope;
+    }
+    return {
+        ...scope,
+        rules: scope.rules.map((rule) => ({
+            mode: rule.mode,
+            operations: rule.operations ?? [],
+            patterns: rule.patterns ?? [],
+        })),
+    };
+}
+function normalizePermissionsPolicy(permissions) {
+    if (!permissions) {
+        return undefined;
+    }
+    return {
+        fs: normalizeFsPermissionScope(permissions.fs),
+        network: normalizePatternPermissionScope(permissions.network),
+        childProcess: normalizePatternPermissionScope(permissions.childProcess),
+        process: normalizePatternPermissionScope(permissions.process),
+        env: normalizePatternPermissionScope(permissions.env),
+        tool: normalizePatternPermissionScope(permissions.tool),
+    };
+}
+export function filterEnv(env, permissions) {
+    const input = env ?? {};
+    if (!permissions?.env)
+        return { ...input };
+    const output = {};
+    for (const [name, value] of Object.entries(input)) {
+        if (envPolicyAllows(permissions.env, name)) {
+            output[name] = value;
+        }
+    }
+    return output;
+}
+export function createProcessScopedFileSystem(filesystem) {
+    return filesystem;
+}
+export async function exists(filesystem, targetPath) {
+    return filesystem.exists(targetPath);
+}
+export async function stat(filesystem, targetPath) {
+    return filesystem.stat(targetPath);
+}
+export async function rename(filesystem, oldPath, newPath) {
+    return filesystem.rename(oldPath, newPath);
+}
+export async function readDirWithTypes(filesystem, targetPath) {
+    return filesystem.readDirWithTypes(targetPath);
+}
+export async function mkdir(filesystem, targetPath, options) {
+    return filesystem.mkdir(targetPath, options);
+}
+export function createNodeHostCommandExecutor() {
+    return {
+        spawn() {
+            throw new Error("createNodeHostCommandExecutor is not supported on the native runtime path");
+        },
+    };
+}
+export function createKernelCommandExecutor(kernel) {
+    return {
+        spawn(command, args, options) {
+            return kernel.spawn(command, args, options);
+        },
+    };
+}
+export function createKernelVfsAdapter(kernelVfs) {
+    return kernelVfs;
+}
+export function createHostFallbackVfs(base) {
+    return base;
+}
+export function isPrivateIp(host) {
+    return (host === "localhost" ||
+        host === "127.0.0.1" ||
+        host.startsWith("10.") ||
+        host.startsWith("192.168.") ||
+        /^172\.(1[6-9]|2\d|3[0-1])\./.test(host));
+}
+export function createNodeHostNetworkAdapter() {
+    return createDefaultNetworkAdapter();
+}
+export function createDefaultNetworkAdapter() {
+    return {
+        async fetch(url, options) {
+            const response = await globalThis.fetch(url, {
+                method: options?.method ?? "GET",
+                headers: options?.headers,
+                body: options?.body,
+            });
+            const headers = {};
+            response.headers.forEach((value, key) => {
+                headers[key] = value;
+            });
+            return {
+                ok: response.ok,
+                status: response.status,
+                statusText: response.statusText,
+                headers,
+                body: await response.text(),
+                url: response.url,
+                redirected: response.redirected,
+            };
+        },
+        async dnsLookup(hostname) {
+            return { address: hostname, family: hostname.includes(":") ? 6 : 4 };
+        },
+        async httpRequest(url, options) {
+            const response = await globalThis.fetch(url, {
+                method: options?.method ?? "GET",
+                headers: options?.headers,
+                body: options?.body,
+            });
+            const headers = {};
+            response.headers.forEach((value, key) => {
+                headers[key] = value;
+            });
+            return {
+                status: response.status,
+                statusText: response.statusText,
+                headers,
+                body: await response.text(),
+                url: response.url,
+            };
+        },
+    };
+}
+export function createNodeDriver(options = {}) {
+    return {
+        filesystem: options.filesystem,
+        network: options.networkAdapter,
+        commandExecutor: options.commandExecutor,
+        permissions: options.permissions,
+        runtime: {
+            process: options.processConfig ?? {},
+            os: options.osConfig ?? {},
+        },
+    };
+}
+export class NodeExecutionDriver {
+    options;
+    network;
+    constructor(options) {
+        this.options = options;
+        this.network = options.system.network;
+    }
+    async exec() {
+        throw new Error("NodeExecutionDriver is not available after the native runtime migration");
+    }
+    async run() {
+        throw new Error("NodeExecutionDriver is not available after the native runtime migration");
+    }
+    dispose() {
+        void this.options;
+    }
+    async terminate() { }
+}
+export class NodeRuntime extends NodeExecutionDriver {
+}
+export function createNodeRuntimeDriverFactory() {
+    return {
+        createRuntimeDriver(options) {
+            return new NodeRuntime(options);
+        },
+    };
+}
+export class ModuleAccessFileSystem extends NodeFileSystem {
+}
+export const WASMVM_COMMANDS = Object.freeze([
+    "sh",
+    "bash",
+    "grep",
+    "egrep",
+    "fgrep",
+    "rg",
+    "sed",
+    "awk",
+    "jq",
+    "yq",
+    "find",
+    "fd",
+    "cat",
+    "chmod",
+    "column",
+    "cp",
+    "dd",
+    "diff",
+    "du",
+    "expr",
+    "file",
+    "head",
+    "ln",
+    "logname",
+    "ls",
+    "mkdir",
+    "mktemp",
+    "mv",
+    "pathchk",
+    "rev",
+    "rm",
+    "sleep",
+    "sort",
+    "split",
+    "stat",
+    "strings",
+    "tac",
+    "tail",
+    "test",
+    "[",
+    "touch",
+    "tree",
+    "tsort",
+    "whoami",
+    "gzip",
+    "gunzip",
+    "zcat",
+    "tar",
+    "zip",
+    "unzip",
+    "sqlite3",
+    "curl",
+    "wget",
+    "make",
+    "git",
+    "git-remote-http",
+    "git-remote-https",
+    "env",
+    "envsubst",
+    "nice",
+    "nohup",
+    "stdbuf",
+    "timeout",
+    "xargs",
+    "base32",
+    "base64",
+    "basenc",
+    "basename",
+    "comm",
+    "cut",
+    "dircolors",
+    "dirname",
+    "echo",
+    "expand",
+    "factor",
+    "false",
+    "fmt",
+    "fold",
+    "join",
+    "nl",
+    "numfmt",
+    "od",
+    "paste",
+    "printenv",
+    "printf",
+    "ptx",
+    "seq",
+    "shuf",
+    "tr",
+    "true",
+    "unexpand",
+    "uniq",
+    "wc",
+    "yes",
+    "b2sum",
+    "cksum",
+    "md5sum",
+    "sha1sum",
+    "sha224sum",
+    "sha256sum",
+    "sha384sum",
+    "sha512sum",
+    "sum",
+    "link",
+    "pwd",
+    "readlink",
+    "realpath",
+    "rmdir",
+    "shred",
+    "tee",
+    "truncate",
+    "unlink",
+    "arch",
+    "date",
+    "nproc",
+    "uname",
+    "dir",
+    "vdir",
+    "hostname",
+    "hostid",
+    "more",
+    "sync",
+    "tty",
+    "chcon",
+    "runcon",
+    "chgrp",
+    "chown",
+    "chroot",
+    "df",
+    "groups",
+    "id",
+    "install",
+    "kill",
+    "mkfifo",
+    "mknod",
+    "pinky",
+    "who",
+    "users",
+    "uptime",
+    "stty",
+    "codex",
+    "codex-exec",
+]);
+export const DEFAULT_FIRST_PARTY_TIERS = Object.freeze({
+    sh: "full",
+    bash: "full",
+    env: "full",
+    timeout: "full",
+    xargs: "full",
+    nice: "full",
+    nohup: "full",
+    stdbuf: "full",
+    make: "full",
+    codex: "full",
+    "codex-exec": "full",
+    git: "full",
+    "git-remote-http": "full",
+    "git-remote-https": "full",
+    grep: "read-only",
+    egrep: "read-only",
+    fgrep: "read-only",
+    rg: "read-only",
+    cat: "read-only",
+    head: "read-only",
+    tail: "read-only",
+    wc: "read-only",
+    sort: "read-only",
+    uniq: "read-only",
+    diff: "read-only",
+    find: "read-only",
+    fd: "read-only",
+    tree: "read-only",
+    file: "read-only",
+    du: "read-only",
+    ls: "read-only",
+    dir: "read-only",
+    vdir: "read-only",
+    strings: "read-only",
+    stat: "read-only",
+    rev: "read-only",
+    column: "read-only",
+    cut: "read-only",
+    tr: "read-only",
+    paste: "read-only",
+    join: "read-only",
+    fold: "read-only",
+    expand: "read-only",
+    nl: "read-only",
+    od: "read-only",
+    comm: "read-only",
+    basename: "read-only",
+    dirname: "read-only",
+    realpath: "read-only",
+    readlink: "read-only",
+    pwd: "read-only",
+    echo: "read-only",
+    envsubst: "read-only",
+    printf: "read-only",
+    true: "read-only",
+    false: "read-only",
+    yes: "read-only",
+    seq: "read-only",
+    test: "read-only",
+    "[": "read-only",
+    expr: "read-only",
+    factor: "read-only",
+    date: "read-only",
+    uname: "read-only",
+    nproc: "read-only",
+    whoami: "read-only",
+    id: "read-only",
+    groups: "read-only",
+    base64: "read-only",
+    md5sum: "read-only",
+    sha256sum: "read-only",
+    tac: "read-only",
+    tsort: "read-only",
+    curl: "full",
+    wget: "full",
+    sqlite3: "read-write",
+});
+class NativeRuntimeDescriptor {
+    kind;
+    name;
+    commands;
+    commandDirs;
+    constructor(kind, name, commands, commandDirs) {
+        this.kind = kind;
+        this.name = name;
+        this.commands = commands;
+        this.commandDirs = commandDirs;
+    }
+}
+function normalizeCommandLookup(command) {
+    return path.posix.basename(command);
+}
+function isWasmBinaryFile(filePath) {
+    try {
+        const header = fsSync.readFileSync(filePath, { encoding: null });
+        return (header.length >= 4 &&
+            header[0] === 0x00 &&
+            header[1] === 0x61 &&
+            header[2] === 0x73 &&
+            header[3] === 0x6d);
+    }
+    catch {
+        return false;
+    }
+}
+function discoverWasmCommandEntries(commandDirs) {
+    const discovered = [];
+    const seen = new Set();
+    commandDirs.forEach((commandDir, dirOffset) => {
+        let entries;
+        try {
+            entries = fsSync
+                .readdirSync(commandDir)
+                .sort((left, right) => left.localeCompare(right));
+        }
+        catch {
+            return;
+        }
+        for (const entry of entries) {
+            if (entry.startsWith("."))
+                continue;
+            if (seen.has(entry))
+                continue;
+            const fullPath = path.join(commandDir, entry);
+            if (isWasmBinaryFile(fullPath)) {
+                seen.add(entry);
+                discovered.push({
+                    name: entry,
+                    hostPath: fullPath,
+                    dirOffset,
+                });
+                continue;
+            }
+            try {
+                const realPath = fsSync.realpathSync(fullPath);
+                if (isWasmBinaryFile(realPath)) {
+                    seen.add(entry);
+                    discovered.push({
+                        name: entry,
+                        hostPath: fullPath,
+                        dirOffset,
+                    });
+                }
+            }
+            catch { }
+        }
+    });
+    return discovered;
+}
+class WasmVmRuntimeDescriptor {
+    kind = "wasmvm";
+    name = "wasmvm";
+    commands = [];
+    commandDirs;
+    _commandPaths = new Map();
+    _moduleCache = new Map();
+    commandDirOffsets = new Map();
+    constructor(options) {
+        this.commandDirs =
+            options.commandDirs && options.commandDirs.length > 0
+                ? [...options.commandDirs]
+                : undefined;
+        if (options.commandDirs && options.commandDirs.length > 0) {
+            this.refreshDiscovery();
+            return;
+        }
+        this.commands.push(...WASMVM_COMMANDS);
+        if (options.wasmBinaryPath) {
+            console.warn("createWasmVmRuntime({ wasmBinaryPath }) is deprecated; use commandDirs instead.");
+        }
+    }
+    init(_kernel) {
+        if (this.commandDirs && this.commandDirs.length > 0) {
+            this.refreshDiscovery();
+        }
+    }
+    tryResolve(command) {
+        if (!this.commandDirs || this.commandDirs.length === 0) {
+            return false;
+        }
+        const normalized = normalizeCommandLookup(command);
+        if (this._commandPaths.has(normalized)) {
+            return true;
+        }
+        this.refreshDiscovery();
+        return this._commandPaths.has(normalized);
+    }
+    getGuestCommandPaths(startIndex) {
+        const guestPaths = new Map();
+        for (const [name] of this._commandPaths) {
+            const dirOffset = this.commandDirOffsets.get(name);
+            if (dirOffset === undefined) {
+                continue;
+            }
+            guestPaths.set(name, `/__secure_exec/commands/${startIndex + dirOffset}/${name}`);
+        }
+        return guestPaths;
+    }
+    recordModuleExecution(command) {
+        const normalized = normalizeCommandLookup(command);
+        if (this._commandPaths.has(normalized) ||
+            (!this.commandDirs || this.commandDirs.length === 0) &&
+                this.commands.includes(normalized)) {
+            this._moduleCache.set(normalized, true);
+        }
+    }
+    refreshDiscovery() {
+        if (!this.commandDirs || this.commandDirs.length === 0) {
+            return;
+        }
+        const discovered = discoverWasmCommandEntries(this.commandDirs);
+        this.commands.length = 0;
+        this._commandPaths.clear();
+        this.commandDirOffsets.clear();
+        for (const entry of discovered) {
+            this.commands.push(entry.name);
+            this._commandPaths.set(entry.name, entry.hostPath);
+            this.commandDirOffsets.set(entry.name, entry.dirOffset);
+        }
+    }
+}
+export function createWasmVmRuntime(options = {}) {
+    return new WasmVmRuntimeDescriptor(options);
+}
+export function createNodeRuntime() {
+    return new NativeRuntimeDescriptor("node", "node", ["node", "npm", "npx"]);
+}
+function latestMtimeMs(targetPath) {
+    try {
+        const stats = fsSync.statSync(targetPath);
+        if (!stats.isDirectory()) {
+            return stats.mtimeMs;
+        }
+        let latest = stats.mtimeMs;
+        for (const entry of fsSync.readdirSync(targetPath)) {
+            latest = Math.max(latest, latestMtimeMs(path.join(targetPath, entry)));
+        }
+        return latest;
+    }
+    catch {
+        return 0;
+    }
+}
+function sidecarBinaryNeedsBuild() {
+    if (!fsSync.existsSync(SIDECAR_BINARY)) {
+        return true;
+    }
+    const binaryMtime = latestMtimeMs(SIDECAR_BINARY);
+    return SIDECAR_BUILD_INPUTS.some((inputPath) => latestMtimeMs(inputPath) > binaryMtime);
+}
+function ensureNativeSidecarBinary() {
+    // A published install has no in-repo Cargo workspace to build from: resolve
+    // the prebuilt platform binary (or the SECURE_EXEC_SIDECAR_BIN override).
+    if (process.env.SECURE_EXEC_SIDECAR_BIN ||
+        !fsSync.existsSync(path.join(REPO_ROOT, "Cargo.toml"))) {
+        return resolvePublishedSidecarBinary();
+    }
+    if (ensuredSidecarBinary &&
+        fsSync.existsSync(ensuredSidecarBinary) &&
+        !sidecarBinaryNeedsBuild()) {
+        return ensuredSidecarBinary;
+    }
+    if (sidecarBinaryNeedsBuild()) {
+        const cargoBinary = findCargoBinary();
+        if (cargoBinary) {
+            execFileSync(cargoBinary, ["build", "-q", "-p", "secure-exec-sidecar"], {
+                cwd: REPO_ROOT,
+                stdio: "pipe",
+            });
+        }
+        else if (!fsSync.existsSync(SIDECAR_BINARY)) {
+            execFileSync(resolveCargoBinary(), ["build", "-q", "-p", "secure-exec-sidecar"], {
+                cwd: REPO_ROOT,
+                stdio: "pipe",
+            });
+        }
+    }
+    ensuredSidecarBinary = SIDECAR_BINARY;
+    return ensuredSidecarBinary;
+}
+function createBootstrapEntries(commandNames) {
+    const entries = [
+        {
+            path: "/",
+            kind: "directory",
+            mode: 0o755,
+            uid: 0,
+            gid: 0,
+        },
+        ...KERNEL_POSIX_BOOTSTRAP_DIRS.map((entryPath) => ({
+            path: entryPath,
+            kind: "directory",
+            mode: 0o755,
+            uid: 0,
+            gid: 0,
+        })),
+        {
+            path: "/usr/bin/env",
+            kind: "file",
+            mode: 0o644,
+            uid: 0,
+            gid: 0,
+            content: "",
+            encoding: "utf8",
+        },
+    ];
+    for (const command of [...new Set(commandNames)].sort((left, right) => left.localeCompare(right))) {
+        entries.push({
+            path: `/bin/${command}`,
+            kind: "file",
+            mode: 0o755,
+            uid: 0,
+            gid: 0,
+            content: KERNEL_COMMAND_STUB,
+            encoding: "utf8",
+        });
+    }
+    return entries;
+}
+function mergeRootFilesystemEntries(baseEntries, overrideEntries) {
+    const merged = new Map();
+    for (const entry of baseEntries) {
+        merged.set(entry.path, entry);
+    }
+    for (const entry of overrideEntries) {
+        merged.set(entry.path, entry);
+    }
+    return [...merged.values()];
+}
+async function snapshotFilesystemEntries(filesystem, targetPath = "/", output = [], options) {
+    const passthroughDirectories = options?.passthroughDirectories;
+    const passthroughDirectory = passthroughDirectories?.has(targetPath) ?? false;
+    const statInfo = targetPath === "/" || passthroughDirectory
+        ? await filesystem.stat(targetPath)
+        : await filesystem.lstat(targetPath);
+    if (statInfo.isSymbolicLink) {
+        output.push({
+            path: targetPath,
+            kind: "symlink",
+            mode: statInfo.mode,
+            uid: statInfo.uid,
+            gid: statInfo.gid,
+            target: await filesystem.readlink(targetPath),
+        });
+        return output;
+    }
+    if (statInfo.isDirectory) {
+        output.push({
+            path: targetPath,
+            kind: "directory",
+            mode: statInfo.mode,
+            uid: statInfo.uid,
+            gid: statInfo.gid,
+        });
+        if (passthroughDirectory) {
+            return output;
+        }
+        const children = (await filesystem.readDirWithTypes(targetPath))
+            .map((entry) => entry.name)
+            .filter((name) => name !== "." && name !== "..")
+            .sort((left, right) => left.localeCompare(right));
+        for (const child of children) {
+            const childPath = targetPath === "/"
+                ? posixPath.join("/", child)
+                : posixPath.join(targetPath, child);
+            await snapshotFilesystemEntries(filesystem, childPath, output, options);
+        }
+        return output;
+    }
+    output.push({
+        path: targetPath,
+        kind: "file",
+        mode: statInfo.mode,
+        uid: statInfo.uid,
+        gid: statInfo.gid,
+        content: Buffer.from(await filesystem.readFile(targetPath)).toString("base64"),
+        encoding: "base64",
+    });
+    return output;
+}
+async function materializeSnapshotEntriesIntoVm(client, session, vm, entries) {
+    for (const entry of entries) {
+        if (entry.path === "/") {
+            continue;
+        }
+        if (entry.kind === "directory") {
+            await client.mkdir(session, vm, entry.path, { recursive: true });
+        }
+        else if (entry.kind === "file") {
+            await client.writeFile(session, vm, entry.path, decodeRootFilesystemEntryContent(entry));
+        }
+        else {
+            await client.symlink(session, vm, entry.target ?? "", entry.path);
+            continue;
+        }
+        if (typeof entry.mode === "number") {
+            await client.chmod(session, vm, entry.path, entry.mode);
+        }
+        if (typeof entry.uid === "number" && typeof entry.gid === "number") {
+            await client.chown(session, vm, entry.path, entry.uid, entry.gid);
+        }
+    }
+}
+function decodeRootFilesystemEntryContent(entry) {
+    const content = entry.content ?? "";
+    if (entry.encoding === "base64") {
+        return new Uint8Array(Buffer.from(content, "base64"));
+    }
+    return new TextEncoder().encode(content);
+}
+const NODE_FILESYSTEM_ROOT_PASSTHROUGH_DIRS = ["node_modules"];
+function planNodeFilesystemPassthroughMounts(filesystem, existingMounts) {
+    if (!(filesystem instanceof NodeFileSystem)) {
+        return {
+            mounts: [],
+            passthroughDirectories: new Set(),
+        };
+    }
+    const passthroughDirectories = new Set();
+    const existingGuestPaths = new Set(existingMounts.map((mount) => mount.path));
+    const mounts = [];
+    for (const directoryName of NODE_FILESYSTEM_ROOT_PASSTHROUGH_DIRS) {
+        const guestPath = normalizePath(`/${directoryName}`);
+        const hostPath = path.join(filesystem.rootPath, directoryName);
+        let statInfo;
+        try {
+            statInfo = fsSync.statSync(hostPath);
+        }
+        catch {
+            continue;
+        }
+        if (!statInfo.isDirectory()) {
+            continue;
+        }
+        passthroughDirectories.add(guestPath);
+        if (existingGuestPaths.has(guestPath)) {
+            continue;
+        }
+        mounts.push({
+            path: guestPath,
+            fs: new NodeFileSystem({ root: hostPath }),
+            readOnly: true,
+        });
+    }
+    return {
+        mounts,
+        passthroughDirectories,
+    };
+}
+function collectGuestCommandPaths(commandDirs, startIndex = 0) {
+    const guestPaths = new Map();
+    for (const entry of discoverWasmCommandEntries(commandDirs)) {
+        if (!guestPaths.has(entry.name)) {
+            guestPaths.set(entry.name, `/__secure_exec/commands/${startIndex + entry.dirOffset}/${entry.name}`);
+        }
+    }
+    return guestPaths;
+}
+async function ensureCommandStubs(proxy, commands) {
+    const rootView = proxy.createRootView();
+    for (const command of commands) {
+        const stubPath = `/bin/${command}`;
+        await rootView.writeFile(stubPath, KERNEL_COMMAND_STUB);
+        await rootView.chmod(stubPath, 0o755);
+    }
+}
+class DeferredFileSystem {
+    getFilesystem;
+    constructor(getFilesystem) {
+        this.getFilesystem = getFilesystem;
+    }
+    filesystem() {
+        const filesystem = this.getFilesystem();
+        if (!filesystem) {
+            throw new Error("kernel filesystem is not ready; mount a runtime first");
+        }
+        return filesystem;
+    }
+    readFile(path) {
+        return this.filesystem().readFile(path);
+    }
+    readTextFile(path) {
+        return this.filesystem().readTextFile(path);
+    }
+    readDir(path) {
+        return this.filesystem().readDir(path);
+    }
+    readDirWithTypes(path) {
+        return this.filesystem().readDirWithTypes(path);
+    }
+    writeFile(path, content) {
+        return this.filesystem().writeFile(path, content);
+    }
+    createDir(path) {
+        return this.filesystem().createDir(path);
+    }
+    mkdir(path, options) {
+        return this.filesystem().mkdir(path, options);
+    }
+    exists(path) {
+        return this.filesystem().exists(path);
+    }
+    stat(path) {
+        return this.filesystem().stat(path);
+    }
+    removeFile(path) {
+        return this.filesystem().removeFile(path);
+    }
+    removeDir(path) {
+        return this.filesystem().removeDir(path);
+    }
+    rename(oldPath, newPath) {
+        return this.filesystem().rename(oldPath, newPath);
+    }
+    realpath(path) {
+        return this.filesystem().realpath(path);
+    }
+    symlink(target, linkPath) {
+        return this.filesystem().symlink(target, linkPath);
+    }
+    readlink(path) {
+        return this.filesystem().readlink(path);
+    }
+    lstat(path) {
+        return this.filesystem().lstat(path);
+    }
+    link(oldPath, newPath) {
+        return this.filesystem().link(oldPath, newPath);
+    }
+    chmod(path, mode) {
+        return this.filesystem().chmod(path, mode);
+    }
+    chown(path, uid, gid) {
+        return this.filesystem().chown(path, uid, gid);
+    }
+    utimes(path, atime, mtime) {
+        return this.filesystem().utimes(path, atime, mtime);
+    }
+    truncate(path, length) {
+        return this.filesystem().truncate(path, length);
+    }
+    pread(path, offset, length) {
+        return this.filesystem().pread(path, offset, length);
+    }
+    pwrite(path, offset, data) {
+        return this.filesystem().pwrite(path, offset, data);
+    }
+}
+const VIRTUAL_FILESYSTEM_METHOD_NAMES = [
+    "readFile",
+    "readTextFile",
+    "readDir",
+    "readDirWithTypes",
+    "writeFile",
+    "createDir",
+    "mkdir",
+    "exists",
+    "stat",
+    "removeFile",
+    "removeDir",
+    "rename",
+    "realpath",
+    "symlink",
+    "readlink",
+    "lstat",
+    "link",
+    "chmod",
+    "chown",
+    "utimes",
+    "truncate",
+    "pread",
+    "pwrite",
+];
+const LIVE_FILESYSTEM_SYNC_CHUNK_SIZE = 512 * 1024;
+function topLevelSyncRoot(targetPath) {
+    const normalized = normalizePath(targetPath);
+    const [first] = normalized.split("/").filter(Boolean);
+    return first ? `/${first}` : "/";
+}
+function collectLiveFilesystemSyncRoots(entries) {
+    const roots = new Set();
+    for (const entry of entries) {
+        if (entry.path === "/") {
+            continue;
+        }
+        roots.add(topLevelSyncRoot(entry.path));
+    }
+    return [...roots].sort((left, right) => left.localeCompare(right));
+}
+async function callBoundFilesystemMethod(methods, method, ...args) {
+    const delegate = methods[method];
+    if (!delegate) {
+        throw new Error(`filesystem method ${method} is unavailable`);
+    }
+    return (await delegate(...args));
+}
+async function ensureBoundParentDirectory(methods, targetPath) {
+    const parent = dirnameVirtual(targetPath);
+    if (parent === targetPath) {
+        return;
+    }
+    await callBoundFilesystemMethod(methods, "mkdir", parent, { recursive: true });
+}
+async function syncLiveFilesystemToBoundMethods(live, methods, paths) {
+    for (const targetPath of [...new Set(paths.map(normalizePath))].sort((left, right) => left.localeCompare(right))) {
+        if (!(await live.exists(targetPath).catch(() => false))) {
+            continue;
+        }
+        await syncLiveFilesystemPathToBoundMethods(live, methods, targetPath);
+    }
+}
+async function syncLiveFilesystemPathToBoundMethods(live, methods, targetPath) {
+    const stat = targetPath === "/" ? await live.stat(targetPath) : await live.lstat(targetPath);
+    if (stat.isSymbolicLink) {
+        await ensureBoundParentDirectory(methods, targetPath);
+        await callBoundFilesystemMethod(methods, "removeFile", targetPath).catch(() => { });
+        await callBoundFilesystemMethod(methods, "symlink", await live.readlink(targetPath), targetPath);
+        return;
+    }
+    if (stat.isDirectory) {
+        await callBoundFilesystemMethod(methods, "mkdir", targetPath, {
+            recursive: true,
+        });
+        const children = (await live.readDirWithTypes(targetPath))
+            .map((entry) => entry.name)
+            .filter((name) => name !== "." && name !== "..")
+            .sort((left, right) => left.localeCompare(right));
+        for (const child of children) {
+            await syncLiveFilesystemPathToBoundMethods(live, methods, targetPath === "/" ? posixPath.join("/", child) : posixPath.join(targetPath, child));
+        }
+        return;
+    }
+    await ensureBoundParentDirectory(methods, targetPath);
+    await callBoundFilesystemMethod(methods, "writeFile", targetPath, new Uint8Array(0));
+    for (let offset = 0; offset < stat.size; offset += LIVE_FILESYSTEM_SYNC_CHUNK_SIZE) {
+        const chunk = await live.pread(targetPath, offset, Math.min(LIVE_FILESYSTEM_SYNC_CHUNK_SIZE, stat.size - offset));
+        if (chunk.length === 0) {
+            break;
+        }
+        await callBoundFilesystemMethod(methods, "pwrite", targetPath, offset, chunk);
+    }
+}
+function bindLiveFilesystem(target, getFilesystem) {
+    const fallback = {};
+    for (const method of VIRTUAL_FILESYSTEM_METHOD_NAMES) {
+        const candidate = target[method];
+        if (typeof candidate === "function") {
+            fallback[method] = candidate.bind(target);
+        }
+    }
+    for (const method of VIRTUAL_FILESYSTEM_METHOD_NAMES) {
+        target[method] = (...args) => {
+            const filesystem = getFilesystem();
+            const delegate = filesystem
+                ? filesystem[method].bind(filesystem)
+                : fallback[method];
+            if (!delegate) {
+                throw new Error(`kernel filesystem is not ready; mount a runtime before calling ${method}()`);
+            }
+            return delegate(...args);
+        };
+    }
+    return {
+        async syncFromLive(paths) {
+            const filesystem = getFilesystem();
+            if (!filesystem) {
+                return;
+            }
+            await syncLiveFilesystemToBoundMethods(filesystem, fallback, paths);
+        },
+        restore() {
+            for (const [method, delegate] of Object.entries(fallback)) {
+                target[method] = delegate;
+            }
+        },
+    };
+}
+class NativeKernel {
+    options;
+    env;
+    cwd;
+    commands = new Map();
+    processes = new Map();
+    socketTable;
+    processTable;
+    timerTable = {};
+    vfs;
+    client = null;
+    session = null;
+    vm = null;
+    proxy = null;
+    rootFilesystem = null;
+    readyPromise = null;
+    liveFilesystemBinding;
+    liveFilesystemSyncRoots = [];
+    pendingLocalMounts = [];
+    mountedCommandDirs = [];
+    mountedRuntimeDrivers = [];
+    runtimeDriverCommandDirStarts = new Map();
+    loopbackExemptPorts;
+    // Host tools registered with the VM, keyed by the callback key the sidecar
+    // sends back on a host_callback request (the tool name). Installed lazily on
+    // the first registerHostTools call.
+    hostToolHandlers = new Map();
+    hostToolRequestHandlerInstalled = false;
+    constructor(options) {
+        this.options = options;
+        this.env = { ...(options.env ?? {}) };
+        this.cwd = options.cwd ?? "/home/user";
+        this.socketTable = {
+            hasHostNetworkAdapter: () => Boolean(options.hostNetworkAdapter),
+            findListener: (request) => this.proxy?.findListener(request) ?? null,
+            findBoundUdp: (request) => this.proxy?.findBoundUdp(request) ?? null,
+        };
+        this.processTable = {
+            getSignalState: (pid) => this.proxy?.getSignalState(pid) ?? {
+                handlers: new Map(),
+            },
+        };
+        this.loopbackExemptPorts = [...(options.loopbackExemptPorts ?? [])];
+        for (const mount of options.mounts ?? []) {
+            this.pendingLocalMounts.push({
+                path: normalizePath(mount.path),
+                fs: mount.fs,
+                readOnly: mount.readOnly ?? false,
+            });
+        }
+        this.vfs = new DeferredFileSystem(() => this.rootFilesystem);
+        this.liveFilesystemBinding = bindLiveFilesystem(this.options.filesystem, () => this.rootFilesystem);
+    }
+    get zombieTimerCount() {
+        return this.proxy?.zombieTimerCount ?? 0;
+    }
+    async mount(driver) {
+        await this.ensureReady();
+        if (!this.proxy || !this.client || !this.session || !this.vm) {
+            throw new Error("kernel is not ready");
+        }
+        await driver.init?.(this);
+        if (driver.kind === "node") {
+            for (const command of driver.commands) {
+                this.commands.set(command, "node");
+            }
+            this.mountedRuntimeDrivers.push(driver);
+            await ensureCommandStubs(this.proxy, driver.commands);
+            return;
+        }
+        const commandDirs = driver.commandDirs ?? [];
+        if (commandDirs.length === 0) {
+            for (const command of driver.commands) {
+                this.commands.set(command, "wasmvm");
+            }
+            this.mountedRuntimeDrivers.push(driver);
+            await ensureCommandStubs(this.proxy, driver.commands);
+            return;
+        }
+        const startIndex = this.mountedCommandDirs.length;
+        const newGuestPaths = driver.getGuestCommandPaths?.(startIndex) ??
+            collectGuestCommandPaths(commandDirs, startIndex);
+        const allCommandDirs = [...this.mountedCommandDirs, ...commandDirs];
+        const sidecarMounts = allCommandDirs.map((commandDir, index) => serializeMountConfigForSidecar({
+            path: `/__secure_exec/commands/${index}`,
+            readOnly: true,
+            plugin: {
+                id: "host_dir",
+                config: {
+                    hostPath: commandDir,
+                    readOnly: true,
+                },
+            },
+        }));
+        const localMounts = this.pendingLocalMounts.map((mount) => mount.fs instanceof NodeFileSystem
+            ? serializeMountConfigForSidecar({
+                path: mount.path,
+                readOnly: mount.readOnly,
+                plugin: {
+                    id: "host_dir",
+                    config: {
+                        hostPath: mount.fs.rootPath,
+                        readOnly: mount.readOnly,
+                    },
+                },
+            })
+            : serializeMountConfigForSidecar({
+                path: mount.path,
+                driver: mount.fs,
+                readOnly: mount.readOnly,
+            }));
+        await this.client.configureVm(this.session, this.vm, {
+            mounts: [...localMounts, ...sidecarMounts],
+            loopbackExemptPorts: this.loopbackExemptPorts,
+        });
+        this.proxy.registerCommandGuestPaths(newGuestPaths);
+        this.mountedCommandDirs.push(...commandDirs);
+        this.mountedRuntimeDrivers.push(driver);
+        this.runtimeDriverCommandDirStarts.set(driver, startIndex);
+        for (const command of newGuestPaths.keys()) {
+            this.commands.set(command, "wasmvm");
+        }
+        await ensureCommandStubs(this.proxy, newGuestPaths.keys());
+    }
+    async dispose() {
+        await this.readyPromise?.catch(() => { });
+        let syncError;
+        if (this.options.syncFilesystemOnDispose !== false &&
+            this.rootFilesystem &&
+            !(this.options.filesystem instanceof NodeFileSystem)) {
+            try {
+                await this.liveFilesystemBinding.syncFromLive(this.liveFilesystemSyncRoots);
+            }
+            catch (error) {
+                syncError = error;
+            }
+        }
+        try {
+            await this.proxy?.dispose().catch(() => { });
+        }
+        finally {
+            this.proxy = null;
+            this.rootFilesystem = null;
+            this.client = null;
+            this.session = null;
+            this.vm = null;
+            this.liveFilesystemBinding.restore();
+        }
+        if (syncError) {
+            throw syncError;
+        }
+    }
+    async exec(command, options) {
+        await this.ensureReady();
+        if (!this.proxy) {
+            throw new Error("kernel is not ready");
+        }
+        return this.proxy.exec(command, options);
+    }
+    spawn(command, args, options) {
+        if (!this.proxy) {
+            throw new Error("kernel is not ready; await kernel.mount(...) first");
+        }
+        const normalized = normalizeCommandLookup(command);
+        const knownCommand = this.commands.has(command) || this.commands.has(normalized);
+        if (!knownCommand && !this.tryResolveMountedCommand(command)) {
+            throw new Error(`ENOENT: command not found: ${command}`);
+        }
+        const proc = this.proxy.spawn(command, args, options);
+        const syncProcessSnapshot = () => {
+            const snapshot = this.proxy?.processes.get(proc.pid);
+            if (!snapshot) {
+                return;
+            }
+            this.processes.set(proc.pid, {
+                ...snapshot,
+                args: [...snapshot.args],
+            });
+        };
+        syncProcessSnapshot();
+        return {
+            pid: proc.pid,
+            writeStdin(data) {
+                proc.writeStdin(data);
+            },
+            closeStdin() {
+                proc.closeStdin();
+            },
+            kill(signal) {
+                proc.kill(signal);
+                syncProcessSnapshot();
+            },
+            async wait() {
+                const exitCode = await proc.wait();
+                syncProcessSnapshot();
+                return exitCode;
+            },
+            get exitCode() {
+                return proc.exitCode;
+            },
+        };
+    }
+    openShell(options) {
+        if (!this.proxy) {
+            throw new Error("kernel is not ready; await kernel.mount(...) first");
+        }
+        return this.proxy.openShell(options);
+    }
+    async connectTerminal(options) {
+        await this.ensureReady();
+        if (!this.proxy) {
+            throw new Error("kernel is not ready");
+        }
+        return this.proxy.connectTerminal(options);
+    }
+    mountFs(mountPath, filesystem, options) {
+        if (!this.proxy) {
+            this.pendingLocalMounts.push({
+                path: normalizePath(mountPath),
+                fs: filesystem,
+                readOnly: options?.readOnly ?? false,
+            });
+            return;
+        }
+        this.proxy.mountFs(mountPath, filesystem, options);
+    }
+    unmountFs(mountPath) {
+        this.proxy?.unmountFs(mountPath);
+    }
+    async readFile(targetPath) {
+        await this.ensureReady();
+        return this.proxy.readFile(targetPath);
+    }
+    async vmFetch(request) {
+        await this.ensureReady();
+        return this.proxy.vmFetch(request);
+    }
+    async registerHostTools(tools) {
+        await this.ensureReady();
+        if (!this.client || !this.session || !this.vm) {
+            throw new Error("kernel is not ready");
+        }
+        // Install the dispatcher once. It routes every host_callback request the
+        // sidecar emits to the matching registered handler and replies with a
+        // host_callback_result frame.
+        if (!this.hostToolRequestHandlerInstalled) {
+            this.client.setSidecarRequestHandler((request) => this.dispatchHostToolRequest(request));
+            this.hostToolRequestHandlerInstalled = true;
+        }
+        for (const [name, tool] of Object.entries(tools)) {
+            this.hostToolHandlers.set(name, tool.handler);
+            const definition = {
+                description: tool.description,
+                inputSchema: tool.inputSchema,
+                ...(tool.timeoutMs !== undefined ? { timeoutMs: tool.timeoutMs } : {}),
+                ...(tool.examples && tool.examples.length > 0
+                    ? {
+                        examples: tool.examples.map((example) => ({
+                            description: example.description,
+                            input: example.input,
+                        })),
+                    }
+                    : {}),
+            };
+            // Register each tool as its own single-tool toolkit so the guest can
+            // invoke it directly by name (or by any caller-provided alias). The
+            // sidecar exposes the toolkit name as a guest command; the single
+            // callback carries the tool's schema and gates the `tool` permission.
+            await this.client.registerHostCallbacks(this.session, this.vm, {
+                name,
+                description: tool.description,
+                commandAliases: [name, ...(tool.commandAliases ?? [])],
+                callbacks: { [name]: definition },
+            });
+            this.commands.set(name, "wasmvm");
+            for (const alias of tool.commandAliases ?? []) {
+                this.commands.set(alias, "wasmvm");
+            }
+        }
+    }
+    async dispatchHostToolRequest(request) {
+        const { payload } = request;
+        if (payload.type !== "host_callback") {
+            throw new Error(`unsupported sidecar request for host tools: ${payload.type}`);
+        }
+        // Callback keys arrive as `${toolkit}:${tool}` for toolkit invocations and
+        // as the bare command name otherwise. The toolkit name and tool name are
+        // the same here, so the registered tool name is the segment after the last
+        // colon (or the whole key when no colon is present).
+        const callbackKey = payload.callback_key;
+        const toolName = callbackKey.includes(":")
+            ? callbackKey.slice(callbackKey.lastIndexOf(":") + 1)
+            : callbackKey;
+        const handler = this.hostToolHandlers.get(toolName) ??
+            this.hostToolHandlers.get(callbackKey);
+        if (!handler) {
+            return {
+                type: "host_callback_result",
+                invocation_id: payload.invocation_id,
+                error: `no host tool registered for ${callbackKey}`,
+            };
+        }
+        try {
+            const result = await handler(payload.input);
+            return {
+                type: "host_callback_result",
+                invocation_id: payload.invocation_id,
+                result: result === undefined ? null : result,
+            };
+        }
+        catch (error) {
+            return {
+                type: "host_callback_result",
+                invocation_id: payload.invocation_id,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    async writeFile(targetPath, content) {
+        await this.ensureReady();
+        return this.proxy.writeFile(targetPath, content);
+    }
+    async mkdir(targetPath) {
+        await this.ensureReady();
+        return this.proxy.mkdir(targetPath);
+    }
+    async readdir(targetPath) {
+        await this.ensureReady();
+        return this.proxy.readdir(targetPath);
+    }
+    async stat(targetPath) {
+        await this.ensureReady();
+        return this.proxy.stat(targetPath);
+    }
+    async exists(targetPath) {
+        await this.ensureReady();
+        return this.proxy.exists(targetPath);
+    }
+    async removeFile(targetPath) {
+        await this.ensureReady();
+        return this.proxy.removeFile(targetPath);
+    }
+    async removeDir(targetPath) {
+        await this.ensureReady();
+        return this.proxy.removeDir(targetPath);
+    }
+    async rename(oldPath, newPath) {
+        await this.ensureReady();
+        return this.proxy.rename(oldPath, newPath);
+    }
+    tryResolveMountedCommand(command) {
+        const normalized = normalizeCommandLookup(command);
+        for (const driver of this.mountedRuntimeDrivers) {
+            if (!driver.tryResolve?.(command)) {
+                continue;
+            }
+            this.commands.set(normalized, driver.kind);
+            if (driver.kind === "wasmvm" && this.proxy) {
+                const startIndex = this.runtimeDriverCommandDirStarts.get(driver);
+                if (startIndex !== undefined) {
+                    const guestPaths = driver.getGuestCommandPaths?.(startIndex);
+                    if (guestPaths?.has(normalized)) {
+                        this.proxy.registerCommandGuestPaths(new Map([[normalized, guestPaths.get(normalized)]]));
+                    }
+                }
+            }
+            return true;
+        }
+        return false;
+    }
+    recordModuleExecution(command) {
+        for (const driver of this.mountedRuntimeDrivers) {
+            driver.recordModuleExecution?.(command);
+        }
+    }
+    async ensureReady() {
+        if (!this.readyPromise) {
+            this.readyPromise = this.initialize();
+        }
+        return this.readyPromise;
+    }
+    async initialize() {
+        const createVmEnv = { ...this.env };
+        const requestedPermissions = this.options.permissions;
+        const bootstrapPermissions = requestedPermissions
+            ? normalizePermissionsPolicy(allowAll)
+            : undefined;
+        if (this.loopbackExemptPorts.length > 0) {
+            createVmEnv.SECURE_EXEC_LOOPBACK_EXEMPT_PORTS = JSON.stringify(this.loopbackExemptPorts);
+        }
+        const rootPassthroughPlan = planNodeFilesystemPassthroughMounts(this.options.filesystem, this.pendingLocalMounts);
+        const snapshotEntries = await snapshotFilesystemEntries(this.options.filesystem, "/", [], {
+            passthroughDirectories: rootPassthroughPlan.passthroughDirectories,
+        });
+        this.liveFilesystemSyncRoots =
+            collectLiveFilesystemSyncRoots(snapshotEntries);
+        const rootFilesystem = {
+            mode: "ephemeral",
+            disableDefaultBaseLayer: true,
+            lowers: [
+                {
+                    kind: "snapshot",
+                    entries: mergeRootFilesystemEntries(createBootstrapEntries([...NODE_RUNTIME_BOOTSTRAP_COMMANDS]), snapshotEntries).map((entry) => ({
+                        ...entry,
+                        executable: entry.executable ?? false,
+                    })),
+                },
+            ],
+            bootstrapEntries: [],
+        };
+        const client = NativeSidecarProcessClient.spawn({
+            cwd: REPO_ROOT,
+            command: ensureNativeSidecarBinary(),
+            args: [],
+            frameTimeoutMs: NATIVE_SIDECAR_FRAME_TIMEOUT_MS,
+        });
+        const session = await client.authenticateAndOpenSession();
+        const vm = await client.createVm(session, {
+            runtime: "java_script",
+            config: {
+                env: createVmEnv,
+                rootFilesystem,
+                ...(bootstrapPermissions ? { permissions: bootstrapPermissions } : {}),
+                loopbackExemptPorts: this.loopbackExemptPorts,
+            },
+        });
+        await client.waitForEvent({
+            type: "vm_lifecycle",
+            ownership: {
+                scope: "vm",
+                connection_id: session.connectionId,
+                session_id: session.sessionId,
+                vm_id: vm.vmId,
+            },
+            state: "ready",
+        }, 10_000);
+        if (requestedPermissions && snapshotEntries.length > 1) {
+            await materializeSnapshotEntriesIntoVm(client, session, vm, snapshotEntries);
+        }
+        if (rootPassthroughPlan.mounts.length > 0) {
+            this.pendingLocalMounts.push(...rootPassthroughPlan.mounts);
+        }
+        if (this.pendingLocalMounts.length > 0 ||
+            this.loopbackExemptPorts.length > 0 ||
+            requestedPermissions) {
+            await client.configureVm(session, vm, {
+                mounts: this.pendingLocalMounts.map((mount) => mount.fs instanceof NodeFileSystem
+                    ? serializeMountConfigForSidecar({
+                        path: mount.path,
+                        readOnly: mount.readOnly,
+                        plugin: {
+                            id: "host_dir",
+                            config: {
+                                hostPath: mount.fs.rootPath,
+                                readOnly: mount.readOnly,
+                            },
+                        },
+                    })
+                    : serializeMountConfigForSidecar({
+                        path: mount.path,
+                        driver: mount.fs,
+                        readOnly: mount.readOnly,
+                    })),
+                permissions: requestedPermissions,
+                loopbackExemptPorts: this.loopbackExemptPorts,
+            });
+        }
+        const proxy = new NativeSidecarKernelProxy({
+            client,
+            session,
+            vm,
+            env: this.env,
+            cwd: this.cwd,
+            defaultExecCwd: this.options.cwd === undefined ? "/home/user" : this.cwd,
+            localMounts: this.pendingLocalMounts,
+            commandGuestPaths: new Map(),
+            onWasmCommandResolved: (command) => {
+                this.recordModuleExecution(command);
+            },
+        });
+        this.client = client;
+        this.session = session;
+        this.vm = vm;
+        this.proxy = proxy;
+        this.rootFilesystem = proxy.createRootView();
+    }
+}
+export function createKernel(options) {
+    return new NativeKernel(options);
+}
+function errnoError(code, message) {
+    return new KernelError(code, `${code}: ${message}`);
+}