@secure-exec/core 0.2.1 → 0.3.0-rc.2

package/dist/kernel/mount-table.d.ts

@@ -1,75 +0,0 @@
-/**
- * Mount Table.
- *
- * Linux-style VFS mount table that routes paths to mounted filesystem backends
- * by longest-prefix matching. Replaces the hardcoded layer composition
- * (DeviceLayer wraps ProcLayer wraps base FS) with a unified routing table.
- */
-import type { VirtualDirEntry, VirtualDirStatEntry, VirtualFileSystem, VirtualStat } from "./vfs.js";
-export interface MountOptions {
-    readOnly?: boolean;
-}
-export interface MountEntry {
-    path: string;
-    readOnly: boolean;
-}
-export declare class MountTable implements VirtualFileSystem {
-    /**
-     * Mounts sorted by path length descending so longest-prefix match is first hit.
-     */
-    private mounts;
-    constructor(rootFs: VirtualFileSystem);
-    /**
-     * Mount a filesystem at the given path.
-     * Auto-creates the mount point directory in the parent filesystem if needed.
-     */
-    mount(path: string, fs: VirtualFileSystem, options?: MountOptions): void;
-    /**
-     * Unmount the filesystem at the given path.
-     */
-    unmount(path: string): void;
-    /**
-     * List all current mounts.
-     */
-    getMounts(): ReadonlyArray<MountEntry>;
-    private resolve;
-    private assertWritable;
-    readFile(path: string): Promise<Uint8Array>;
-    readTextFile(path: string): Promise<string>;
-    readDir(path: string): Promise<string[]>;
-    readDirWithTypes(path: string): Promise<VirtualDirEntry[]>;
-    exists(path: string): Promise<boolean>;
-    stat(path: string): Promise<VirtualStat>;
-    lstat(path: string): Promise<VirtualStat>;
-    realpath(path: string): Promise<string>;
-    readlink(path: string): Promise<string>;
-    pread(path: string, offset: number, length: number): Promise<Uint8Array>;
-    pwrite(path: string, offset: number, data: Uint8Array): Promise<void>;
-    writeFile(path: string, content: string | Uint8Array): Promise<void>;
-    createDir(path: string): Promise<void>;
-    mkdir(path: string, options?: {
-        recursive?: boolean;
-    }): Promise<void>;
-    removeFile(path: string): Promise<void>;
-    removeDir(path: string): Promise<void>;
-    symlink(target: string, linkPath: string): Promise<void>;
-    link(oldPath: string, newPath: string): Promise<void>;
-    rename(oldPath: string, newPath: string): Promise<void>;
-    chmod(path: string, mode: number): Promise<void>;
-    chown(path: string, uid: number, gid: number): Promise<void>;
-    utimes(path: string, atime: number, mtime: number): Promise<void>;
-    truncate(path: string, length: number): Promise<void>;
-    fsync(path: string): Promise<void>;
-    copy(srcPath: string, dstPath: string): Promise<void>;
-    readDirStat(path: string): Promise<VirtualDirStatEntry[]>;
-    /**
-     * Get basenames of child mount points under a directory.
-     * For example, if mounts exist at /dev and /proc, calling with "/" returns ["dev", "proc"].
-     */
-    private getChildMountBasenames;
-    /**
-     * Synchronous open preparation (O_CREAT, O_EXCL, O_TRUNC).
-     * Delegates to the underlying backend's prepareOpenSync if it exists.
-     */
-    prepareOpenSync(path: string, flags: number): boolean;
-}

package/dist/kernel/mount-table.js

@@ -1,353 +0,0 @@
-/**
- * Mount Table.
- *
- * Linux-style VFS mount table that routes paths to mounted filesystem backends
- * by longest-prefix matching. Replaces the hardcoded layer composition
- * (DeviceLayer wraps ProcLayer wraps base FS) with a unified routing table.
- */
-import { KernelError } from "./types.js";
-/**
- * Normalize a path: collapse //, ., .., strip trailing /.
- */
-function normalizePath(path) {
-    if (!path || path === "/")
-        return "/";
-    const parts = path.split("/");
-    const stack = [];
-    for (const part of parts) {
-        if (part === "" || part === ".")
-            continue;
-        if (part === "..") {
-            stack.pop();
-        }
-        else {
-            stack.push(part);
-        }
-    }
-    return `/${stack.join("/")}`;
-}
-/**
- * Get parent directory path.
- */
-function parentPath(p) {
-    if (p === "/")
-        return "/";
-    const idx = p.lastIndexOf("/");
-    if (idx <= 0)
-        return "/";
-    return p.slice(0, idx);
-}
-/**
- * Get basename of a path.
- */
-function basename(p) {
-    const idx = p.lastIndexOf("/");
-    return p.slice(idx + 1);
-}
-export class MountTable {
-    /**
-     * Mounts sorted by path length descending so longest-prefix match is first hit.
-     */
-    mounts;
-    constructor(rootFs) {
-        this.mounts = [{ path: "/", fs: rootFs, readOnly: false }];
-    }
-    /**
-     * Mount a filesystem at the given path.
-     * Auto-creates the mount point directory in the parent filesystem if needed.
-     */
-    mount(path, fs, options) {
-        const normalized = normalizePath(path);
-        if (normalized === "/") {
-            throw new KernelError("EINVAL", "cannot mount over root");
-        }
-        // Check if already mounted
-        if (this.mounts.some((m) => m.path === normalized)) {
-            throw new KernelError("EEXIST", `already mounted at ${normalized}`);
-        }
-        // Auto-create mount point directory in the parent filesystem.
-        // Resolve *before* inserting the new mount so the path goes to the current owner.
-        const { mount: parentMount, relativePath } = this.resolve(normalized);
-        void parentMount.fs
-            .mkdir(relativePath || "/", { recursive: true })
-            .catch(() => {
-            /* directory may already exist */
-        });
-        const entry = {
-            path: normalized,
-            fs,
-            readOnly: options?.readOnly ?? false,
-        };
-        this.mounts.push(entry);
-        // Sort by path length descending for longest-prefix-first matching
-        this.mounts.sort((a, b) => b.path.length - a.path.length);
-    }
-    /**
-     * Unmount the filesystem at the given path.
-     */
-    unmount(path) {
-        const normalized = normalizePath(path);
-        if (normalized === "/") {
-            throw new KernelError("EINVAL", "cannot unmount root");
-        }
-        const idx = this.mounts.findIndex((m) => m.path === normalized);
-        if (idx === -1) {
-            throw new KernelError("EINVAL", `not a mount point: ${normalized}`);
-        }
-        this.mounts.splice(idx, 1);
-    }
-    /**
-     * List all current mounts.
-     */
-    getMounts() {
-        return this.mounts.map((m) => ({
-            path: m.path,
-            readOnly: m.readOnly,
-        }));
-    }
-    // -----------------------------------------------------------------------
-    // Path resolution
-    // -----------------------------------------------------------------------
-    resolve(fullPath) {
-        const normalized = normalizePath(fullPath);
-        for (const mount of this.mounts) {
-            if (mount.path === "/") {
-                // Root mount: forward path as-is
-                return { mount, relativePath: normalized };
-            }
-            if (normalized === mount.path ||
-                normalized.startsWith(`${mount.path}/`)) {
-                const rel = normalized === mount.path
-                    ? ""
-                    : normalized.slice(mount.path.length + 1);
-                return { mount, relativePath: rel };
-            }
-        }
-        // Should never happen since root mount always matches
-        throw new KernelError("ENOENT", `no mount for path: ${fullPath}`);
-    }
-    assertWritable(mount, path) {
-        if (mount.readOnly) {
-            throw new KernelError("EROFS", `read-only filesystem: ${path}`);
-        }
-    }
-    // -----------------------------------------------------------------------
-    // Read operations
-    // -----------------------------------------------------------------------
-    async readFile(path) {
-        const { mount, relativePath } = this.resolve(path);
-        return mount.fs.readFile(relativePath);
-    }
-    async readTextFile(path) {
-        const { mount, relativePath } = this.resolve(path);
-        return mount.fs.readTextFile(relativePath);
-    }
-    async readDir(path) {
-        const { mount, relativePath } = this.resolve(path);
-        const entries = await mount.fs.readDir(relativePath);
-        // Merge mount point basenames for child mounts
-        const normalized = normalizePath(path);
-        const mountBasenames = this.getChildMountBasenames(normalized);
-        if (mountBasenames.length === 0)
-            return entries;
-        const entrySet = new Set(entries);
-        for (const name of mountBasenames) {
-            entrySet.add(name);
-        }
-        return [...entrySet];
-    }
-    async readDirWithTypes(path) {
-        const { mount, relativePath } = this.resolve(path);
-        const entries = await mount.fs.readDirWithTypes(relativePath);
-        // Merge mount point basenames as directory entries
-        const normalized = normalizePath(path);
-        const mountBasenames = this.getChildMountBasenames(normalized);
-        if (mountBasenames.length === 0)
-            return entries;
-        const nameSet = new Set(entries.map((e) => e.name));
-        for (const name of mountBasenames) {
-            if (!nameSet.has(name)) {
-                entries.push({
-                    name,
-                    isDirectory: true,
-                    isSymbolicLink: false,
-                });
-            }
-        }
-        return entries;
-    }
-    async exists(path) {
-        const { mount, relativePath } = this.resolve(path);
-        return mount.fs.exists(relativePath);
-    }
-    async stat(path) {
-        const { mount, relativePath } = this.resolve(path);
-        return mount.fs.stat(relativePath);
-    }
-    async lstat(path) {
-        const { mount, relativePath } = this.resolve(path);
-        return mount.fs.lstat(relativePath);
-    }
-    async realpath(path) {
-        const { mount, relativePath } = this.resolve(path);
-        const resolved = await mount.fs.realpath(relativePath);
-        if (mount.path === "/")
-            return resolved;
-        // Re-prefix the mount path for non-root mounts
-        return `${mount.path}/${resolved}`;
-    }
-    async readlink(path) {
-        const { mount, relativePath } = this.resolve(path);
-        return mount.fs.readlink(relativePath);
-    }
-    async pread(path, offset, length) {
-        const { mount, relativePath } = this.resolve(path);
-        return mount.fs.pread(relativePath, offset, length);
-    }
-    async pwrite(path, offset, data) {
-        const { mount, relativePath } = this.resolve(path);
-        this.assertWritable(mount, path);
-        return mount.fs.pwrite(relativePath, offset, data);
-    }
-    // -----------------------------------------------------------------------
-    // Write operations (check readOnly before forwarding)
-    // -----------------------------------------------------------------------
-    async writeFile(path, content) {
-        const { mount, relativePath } = this.resolve(path);
-        this.assertWritable(mount, path);
-        return mount.fs.writeFile(relativePath, content);
-    }
-    async createDir(path) {
-        const { mount, relativePath } = this.resolve(path);
-        this.assertWritable(mount, path);
-        return mount.fs.createDir(relativePath);
-    }
-    async mkdir(path, options) {
-        const { mount, relativePath } = this.resolve(path);
-        this.assertWritable(mount, path);
-        return mount.fs.mkdir(relativePath, options);
-    }
-    async removeFile(path) {
-        const { mount, relativePath } = this.resolve(path);
-        this.assertWritable(mount, path);
-        return mount.fs.removeFile(relativePath);
-    }
-    async removeDir(path) {
-        const { mount, relativePath } = this.resolve(path);
-        this.assertWritable(mount, path);
-        return mount.fs.removeDir(relativePath);
-    }
-    async symlink(target, linkPath) {
-        const { mount, relativePath } = this.resolve(linkPath);
-        this.assertWritable(mount, linkPath);
-        return mount.fs.symlink(target, relativePath);
-    }
-    async link(oldPath, newPath) {
-        const oldResolved = this.resolve(oldPath);
-        const newResolved = this.resolve(newPath);
-        if (oldResolved.mount !== newResolved.mount) {
-            throw new KernelError("EXDEV", `link across mounts: ${oldPath} -> ${newPath}`);
-        }
-        this.assertWritable(oldResolved.mount, oldPath);
-        return oldResolved.mount.fs.link(oldResolved.relativePath, newResolved.relativePath);
-    }
-    async rename(oldPath, newPath) {
-        const oldResolved = this.resolve(oldPath);
-        const newResolved = this.resolve(newPath);
-        if (oldResolved.mount !== newResolved.mount) {
-            throw new KernelError("EXDEV", `rename across mounts: ${oldPath} -> ${newPath}`);
-        }
-        this.assertWritable(oldResolved.mount, oldPath);
-        return oldResolved.mount.fs.rename(oldResolved.relativePath, newResolved.relativePath);
-    }
-    async chmod(path, mode) {
-        const { mount, relativePath } = this.resolve(path);
-        this.assertWritable(mount, path);
-        return mount.fs.chmod(relativePath, mode);
-    }
-    async chown(path, uid, gid) {
-        const { mount, relativePath } = this.resolve(path);
-        this.assertWritable(mount, path);
-        return mount.fs.chown(relativePath, uid, gid);
-    }
-    async utimes(path, atime, mtime) {
-        const { mount, relativePath } = this.resolve(path);
-        this.assertWritable(mount, path);
-        return mount.fs.utimes(relativePath, atime, mtime);
-    }
-    async truncate(path, length) {
-        const { mount, relativePath } = this.resolve(path);
-        this.assertWritable(mount, path);
-        return mount.fs.truncate(relativePath, length);
-    }
-    async fsync(path) {
-        const { mount, relativePath } = this.resolve(path);
-        await mount.fs.fsync?.(relativePath);
-    }
-    async copy(srcPath, dstPath) {
-        const srcResolved = this.resolve(srcPath);
-        const dstResolved = this.resolve(dstPath);
-        if (srcResolved.mount !== dstResolved.mount) {
-            throw new KernelError("EXDEV", `copy across mounts: ${srcPath} -> ${dstPath}`);
-        }
-        this.assertWritable(srcResolved.mount, dstPath);
-        if (srcResolved.mount.fs.copy) {
-            return srcResolved.mount.fs.copy(srcResolved.relativePath, dstResolved.relativePath);
-        }
-        // Fallback: readFile + writeFile.
-        const content = await srcResolved.mount.fs.readFile(srcResolved.relativePath);
-        await srcResolved.mount.fs.writeFile(dstResolved.relativePath, content);
-    }
-    async readDirStat(path) {
-        const { mount, relativePath } = this.resolve(path);
-        if (mount.fs.readDirStat) {
-            return mount.fs.readDirStat(relativePath);
-        }
-        // Fallback: readDirWithTypes + stat for each entry.
-        const entries = await mount.fs.readDirWithTypes(relativePath);
-        const normalized = normalizePath(path);
-        const results = [];
-        for (const entry of entries) {
-            const entryPath = normalized === "/" ? `/${entry.name}` : `${normalized}/${entry.name}`;
-            const stat = await mount.fs.stat(entryPath);
-            results.push({ ...entry, stat });
-        }
-        return results;
-    }
-    // -----------------------------------------------------------------------
-    // Helpers
-    // -----------------------------------------------------------------------
-    /**
-     * Get basenames of child mount points under a directory.
-     * For example, if mounts exist at /dev and /proc, calling with "/" returns ["dev", "proc"].
-     */
-    getChildMountBasenames(dirPath) {
-        const names = [];
-        for (const mount of this.mounts) {
-            if (mount.path === "/")
-                continue;
-            const mountParent = parentPath(mount.path);
-            if (mountParent === dirPath) {
-                names.push(basename(mount.path));
-            }
-        }
-        return names;
-    }
-    /**
-     * Synchronous open preparation (O_CREAT, O_EXCL, O_TRUNC).
-     * Delegates to the underlying backend's prepareOpenSync if it exists.
-     */
-    prepareOpenSync(path, flags) {
-        const { mount, relativePath } = this.resolve(path);
-        if (flags & ~0 && mount.readOnly) {
-            // Check for write flags (O_CREAT=0o100, O_TRUNC=0o1000)
-            const O_CREAT = 0o100;
-            const O_TRUNC = 0o1000;
-            if ((flags & O_CREAT) || (flags & O_TRUNC)) {
-                this.assertWritable(mount, path);
-            }
-        }
-        const backend = mount.fs;
-        return backend.prepareOpenSync?.(relativePath, flags) ?? false;
-    }
-}

package/dist/kernel/permissions.d.ts

@@ -1,36 +0,0 @@
-/**
- * Permission enforcement layer.
- *
- * Deny-by-default access control. Wraps VFS and other kernel operations
- * with permission checks that throw on denial.
- */
-import type { Permissions } from "./types.js";
-import type { VirtualFileSystem } from "./vfs.js";
-/**
- * Normalize a filesystem path for permission checks.
- *
- * Resolves `.` and `..` components and collapses repeated slashes so that
- * permission callbacks always see the canonical path. Without this,
- * `/home/user/project/../../../etc/passwd` would pass a naive
- * `startsWith('/home/user/project')` check.
- */
-export declare function normalizeFsPath(p: string): string;
-/**
- * Wrap a VFS with permission checks on every operation.
- */
-export declare function wrapFileSystem(fs: VirtualFileSystem, permissions?: Permissions): VirtualFileSystem;
-/**
- * Filter an env record through the env permission check.
- * Returns only allowed key-value pairs.
- */
-export declare function filterEnv(env: Record<string, string> | undefined, permissions?: Permissions): Record<string, string>;
-/**
- * Check childProcess permission before spawning.
- * No-op when no permissions or no childProcess check is configured.
- */
-export declare function checkChildProcess(permissions: Permissions | undefined, command: string, args: string[], cwd?: string): void;
-export declare const allowAllFs: Pick<Permissions, "fs">;
-export declare const allowAllNetwork: Pick<Permissions, "network">;
-export declare const allowAllChildProcess: Pick<Permissions, "childProcess">;
-export declare const allowAllEnv: Pick<Permissions, "env">;
-export declare const allowAll: Permissions;

package/dist/kernel/permissions.js

@@ -1,150 +0,0 @@
-/**
- * Permission enforcement layer.
- *
- * Deny-by-default access control. Wraps VFS and other kernel operations
- * with permission checks that throw on denial.
- */
-import { KernelError } from "./types.js";
-function checkPermission(check, request, errorFactory) {
-    if (!check)
-        throw errorFactory(request);
-    const decision = check(request);
-    if (!decision?.allow)
-        throw errorFactory(request, decision?.reason);
-}
-function fsError(op, path, reason) {
-    const msg = reason
-        ? `permission denied, ${op} '${path ?? ""}': ${reason}`
-        : `permission denied, ${op} '${path ?? ""}'`;
-    return new KernelError("EACCES", msg);
-}
-/**
- * Normalize a filesystem path for permission checks.
- *
- * Resolves `.` and `..` components and collapses repeated slashes so that
- * permission callbacks always see the canonical path. Without this,
- * `/home/user/project/../../../etc/passwd` would pass a naive
- * `startsWith('/home/user/project')` check.
- */
-export function normalizeFsPath(p) {
-    // Collapse repeated slashes
-    let cleaned = p.replace(/\/+/g, "/");
-    if (cleaned.length > 1 && cleaned.endsWith("/")) {
-        cleaned = cleaned.slice(0, -1);
-    }
-    const isAbsolute = cleaned.startsWith("/");
-    const parts = cleaned.split("/");
-    const resolved = [];
-    for (const seg of parts) {
-        if (seg === "" || seg === ".")
-            continue;
-        if (seg === "..") {
-            if (resolved.length > 0)
-                resolved.pop();
-        }
-        else {
-            resolved.push(seg);
-        }
-    }
-    const result = (isAbsolute ? "/" : "") + resolved.join("/");
-    return result || (isAbsolute ? "/" : ".");
-}
-/**
- * Wrap a VFS with permission checks on every operation.
- */
-export function wrapFileSystem(fs, permissions) {
-    const check = (op, path) => {
-        checkPermission(permissions?.fs, { op, path: normalizeFsPath(path) }, (req, reason) => fsError(op, req.path, reason));
-    };
-    const wrapped = {
-        prepareOpenSync: (path, flags) => {
-            if ((flags & 0o100) !== 0 || (flags & 0o1000) !== 0) {
-                check("write", path);
-            }
-            const syncFs = fs;
-            return syncFs.prepareOpenSync?.(path, flags) ?? false;
-        },
-        readFile: async (path) => { check("read", path); return fs.readFile(path); },
-        readTextFile: async (path) => { check("read", path); return fs.readTextFile(path); },
-        readDir: async (path) => { check("readdir", path); return fs.readDir(path); },
-        readDirWithTypes: async (path) => { check("readdir", path); return fs.readDirWithTypes(path); },
-        writeFile: async (path, content) => { check("write", path); return fs.writeFile(path, content); },
-        createDir: async (path) => { check("createDir", path); return fs.createDir(path); },
-        mkdir: async (path, options) => { check("mkdir", path); return fs.mkdir(path, options); },
-        exists: async (path) => { check("exists", path); return fs.exists(path); },
-        stat: async (path) => { check("stat", path); return fs.stat(path); },
-        removeFile: async (path) => { check("rm", path); return fs.removeFile(path); },
-        removeDir: async (path) => { check("rm", path); return fs.removeDir(path); },
-        rename: async (oldPath, newPath) => {
-            check("rename", oldPath);
-            check("rename", newPath);
-            return fs.rename(oldPath, newPath);
-        },
-        realpath: async (path) => { check("read", path); return fs.realpath(path); },
-        symlink: async (target, linkPath) => { check("symlink", linkPath); return fs.symlink(target, linkPath); },
-        readlink: async (path) => { check("readlink", path); return fs.readlink(path); },
-        lstat: async (path) => { check("stat", path); return fs.lstat(path); },
-        link: async (oldPath, newPath) => { check("link", newPath); return fs.link(oldPath, newPath); },
-        chmod: async (path, mode) => { check("chmod", path); return fs.chmod(path, mode); },
-        chown: async (path, uid, gid) => { check("chown", path); return fs.chown(path, uid, gid); },
-        utimes: async (path, atime, mtime) => { check("utimes", path); return fs.utimes(path, atime, mtime); },
-        truncate: async (path, length) => { check("truncate", path); return fs.truncate(path, length); },
-        pread: async (path, offset, length) => { check("read", path); return fs.pread(path, offset, length); },
-        pwrite: async (path, offset, data) => { check("write", path); return fs.pwrite(path, offset, data); },
-    };
-    return wrapped;
-}
-/**
- * Filter an env record through the env permission check.
- * Returns only allowed key-value pairs.
- */
-export function filterEnv(env, permissions) {
-    if (!env)
-        return {};
-    if (!permissions?.env)
-        return {};
-    const result = {};
-    for (const [key, value] of Object.entries(env)) {
-        const request = { op: "read", key, value };
-        const decision = permissions.env(request);
-        if (decision?.allow) {
-            result[key] = value;
-        }
-    }
-    return result;
-}
-/**
- * Check childProcess permission before spawning.
- * No-op when no permissions or no childProcess check is configured.
- */
-export function checkChildProcess(permissions, command, args, cwd) {
-    if (!permissions?.childProcess)
-        return;
-    const request = { command, args, cwd };
-    const decision = permissions.childProcess(request);
-    if (!decision?.allow) {
-        const msg = decision?.reason
-            ? `permission denied, spawn '${command}': ${decision.reason}`
-            : `permission denied, spawn '${command}'`;
-        throw new KernelError("EACCES", msg);
-    }
-}
-// Permission presets
-export const allowAllFs = {
-    fs: () => ({ allow: true }),
-};
-export const allowAllNetwork = {
-    network: () => ({ allow: true }),
-};
-export const allowAllChildProcess = {
-    childProcess: () => ({ allow: true }),
-};
-export const allowAllEnv = {
-    env: () => ({ allow: true }),
-};
-export const allowAll = {
-    ...allowAllFs,
-    ...allowAllNetwork,
-    ...allowAllChildProcess,
-    ...allowAllEnv,
-};

package/dist/kernel/pipe-manager.d.ts

@@ -1,64 +0,0 @@
-/**
- * Pipe manager.
- *
- * Creates and manages pipes for inter-process communication.
- * Supports cross-runtime pipes: data flows through kernel-managed buffers.
- * SharedArrayBuffer ring buffers are deferred — this uses buffered pipes.
- */
-import type { FileDescription } from "./types.js";
-import { FILETYPE_PIPE } from "./types.js";
-import type { ProcessFDTable } from "./fd-table.js";
-export interface PipeEnd {
-    description: FileDescription;
-    filetype: typeof FILETYPE_PIPE;
-}
-/** Maximum buffered bytes per pipe before writers block or O_NONBLOCK returns EAGAIN. */
-export declare const MAX_PIPE_BUFFER_BYTES = 65536;
-export declare class PipeManager {
-    private pipes;
-    /** Map description ID → pipe ID for routing reads/writes */
-    private descToPipe;
-    private nextPipeId;
-    private nextDescId;
-    /** Called before EPIPE when a write hits a closed read end. Receives writer PID. */
-    onBrokenPipe: ((pid: number) => void) | null;
-    /**
-     * Create a pipe. Returns two FileDescriptions:
-     * one for reading and one for writing.
-     */
-    createPipe(): {
-        read: PipeEnd;
-        write: PipeEnd;
-    };
-    /** Write data to a pipe's write end. Delivers SIGPIPE via onBrokenPipe when read end is closed. */
-    write(descriptionId: number, data: Uint8Array, writerPid?: number): number | Promise<number>;
-    /** Read data from a pipe's read end. Returns null on EOF. */
-    read(descriptionId: number, length: number): Promise<Uint8Array | null>;
-    /** Close one end of a pipe. */
-    close(descriptionId: number): void;
-    /** Check if a description ID belongs to a pipe */
-    isPipe(descriptionId: number): boolean;
-    /** Query poll state for a pipe end (used by poll/select syscalls). */
-    pollState(descriptionId: number): {
-        readable: boolean;
-        writable: boolean;
-        hangup: boolean;
-    } | null;
-    /** Get the pipe ID for a description, or undefined if not a pipe */
-    pipeIdFor(descriptionId: number): number | undefined;
-    /** Wait for a pipe poll state change (data, capacity, or hangup). */
-    waitForPoll(descriptionId: number, timeoutMs?: number): Promise<void>;
-    /**
-     * Create pipe FDs in the given FD table.
-     * Returns the FD numbers for {read, write}.
-     */
-    createPipeFDs(fdTable: ProcessFDTable): {
-        readFd: number;
-        writeFd: number;
-    };
-    private bufferSize;
-    private drainBuffer;
-    private writeBlocking;
-    private writeAvailable;
-    private assertWriteOpen;
-}