npm - @secure-exec/core - Versions diffs - 0.2.1 → 0.3.0-rc.2 - Mend

@secure-exec/core 0.2.1 → 0.3.0-rc.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (248) hide show

package/README.md +5 -5
package/dist/binary.d.ts +4 -0
package/dist/binary.js +25 -0
package/dist/bytes.d.ts +2 -0
package/dist/bytes.js +6 -0
package/dist/callbacks.d.ts +41 -0
package/dist/callbacks.js +94 -0
package/dist/cargo.d.ts +2 -0
package/dist/cargo.js +142 -0
package/dist/correlation.d.ts +10 -0
package/dist/correlation.js +49 -0
package/dist/descriptors.d.ts +34 -0
package/dist/descriptors.js +37 -0
package/dist/event-buffer.d.ts +90 -0
package/dist/event-buffer.js +313 -0
package/dist/ext.d.ts +7 -0
package/dist/ext.js +13 -0
package/dist/filesystem.d.ts +41 -0
package/dist/filesystem.js +70 -0
package/dist/frame-payload-codec.d.ts +8 -0
package/dist/frame-payload-codec.js +14 -0
package/dist/frame-rpc.d.ts +38 -0
package/dist/frame-rpc.js +73 -0
package/dist/frame-stream.d.ts +27 -0
package/dist/frame-stream.js +99 -0
package/dist/framing.d.ts +7 -0
package/dist/framing.js +22 -0
package/dist/generated/AcpLimitsConfig.d.ts +4 -0
package/dist/generated/AcpLimitsConfig.js +2 -0
package/dist/generated/CreateVmConfig.d.ts +19 -0
package/dist/generated/FsPermissionRule.d.ts +6 -0
package/dist/generated/FsPermissionRuleSet.d.ts +6 -0
package/dist/generated/FsPermissionRuleSet.js +1 -0
package/dist/generated/FsPermissionScope.d.ts +3 -0
package/dist/generated/FsPermissionScope.js +1 -0
package/dist/generated/HttpLimitsConfig.d.ts +3 -0
package/dist/generated/HttpLimitsConfig.js +2 -0
package/dist/generated/JsModuleResolution.d.ts +1 -0
package/dist/generated/JsModuleResolution.js +2 -0
package/dist/generated/JsRuntimeConfig.d.ts +26 -0
package/dist/generated/JsRuntimeConfig.js +1 -0
package/dist/generated/JsRuntimeLimitsConfig.d.ts +7 -0
package/dist/generated/JsRuntimeLimitsConfig.js +2 -0
package/dist/generated/JsRuntimePlatform.d.ts +1 -0
package/dist/generated/JsRuntimePlatform.js +2 -0
package/dist/generated/MountPluginDescriptor.d.ts +4 -0
package/dist/generated/MountPluginDescriptor.js +2 -0
package/dist/generated/NativeRootFilesystemConfig.d.ts +5 -0
package/dist/generated/NativeRootFilesystemConfig.js +1 -0
package/dist/generated/PatternPermissionRule.d.ts +6 -0
package/dist/generated/PatternPermissionRule.js +1 -0
package/dist/generated/PatternPermissionRuleSet.d.ts +6 -0
package/dist/generated/PatternPermissionRuleSet.js +1 -0
package/dist/generated/PatternPermissionScope.d.ts +3 -0
package/dist/generated/PatternPermissionScope.js +1 -0
package/dist/generated/PermissionMode.d.ts +1 -0
package/dist/generated/PermissionMode.js +2 -0
package/dist/generated/PermissionsPolicy.d.ts +10 -0
package/dist/generated/PermissionsPolicy.js +1 -0
package/dist/generated/PluginLimitsConfig.d.ts +4 -0
package/dist/generated/PluginLimitsConfig.js +2 -0
package/dist/generated/PythonLimitsConfig.d.ts +5 -0
package/dist/generated/PythonLimitsConfig.js +2 -0
package/dist/generated/ResourceLimitsConfig.d.ts +22 -0
package/dist/generated/ResourceLimitsConfig.js +2 -0
package/dist/generated/RootFilesystemConfig.d.ts +9 -0
package/dist/generated/RootFilesystemConfig.js +1 -0
package/dist/generated/RootFilesystemEntry.d.ts +13 -0
package/dist/generated/RootFilesystemEntry.js +1 -0
package/dist/generated/RootFilesystemEntryEncoding.d.ts +1 -0
package/dist/generated/RootFilesystemEntryEncoding.js +2 -0
package/dist/generated/RootFilesystemEntryKind.d.ts +1 -0
package/dist/generated/RootFilesystemEntryKind.js +2 -0
package/dist/generated/RootFilesystemLowerDescriptor.d.ts +7 -0
package/dist/generated/RootFilesystemLowerDescriptor.js +1 -0
package/dist/generated/RootFilesystemMode.d.ts +1 -0
package/dist/generated/RootFilesystemMode.js +2 -0
package/dist/generated/ToolLimitsConfig.d.ts +10 -0
package/dist/generated/ToolLimitsConfig.js +2 -0
package/dist/generated/VmDnsConfig.d.ts +6 -0
package/dist/generated/VmDnsConfig.js +2 -0
package/dist/generated/VmLimitsConfig.d.ts +18 -0
package/dist/generated/VmLimitsConfig.js +1 -0
package/dist/generated/VmListenPolicyConfig.d.ts +5 -0
package/dist/generated/VmListenPolicyConfig.js +2 -0
package/dist/generated/WasmLimitsConfig.d.ts +5 -0
package/dist/generated/WasmLimitsConfig.js +2 -0
package/dist/generated-protocol.d.ts +1037 -0
package/dist/generated-protocol.js +2887 -0
package/dist/index.d.ts +24 -62
package/dist/index.js +24 -53
package/dist/json.d.ts +2 -0
package/dist/json.js +20 -0
package/dist/kernel-proxy.d.ts +149 -0
package/dist/kernel-proxy.js +1733 -0
package/dist/native-client.d.ts +41 -0
package/dist/native-client.js +124 -0
package/dist/node-runtime.d.ts +490 -0
package/dist/node-runtime.js +585 -0
package/dist/numbers.d.ts +1 -0
package/dist/numbers.js +8 -0
package/dist/ownership.d.ts +18 -0
package/dist/ownership.js +77 -0
package/dist/permissions.d.ts +29 -0
package/dist/permissions.js +68 -0
package/dist/process.d.ts +35 -0
package/dist/process.js +125 -0
package/dist/protocol-client.d.ts +46 -0
package/dist/protocol-client.js +180 -0
package/dist/protocol-frames.d.ts +68 -0
package/dist/protocol-frames.js +139 -0
package/dist/protocol-maps.d.ts +28 -0
package/dist/protocol-maps.js +217 -0
package/dist/protocol-schema.d.ts +10 -0
package/dist/protocol-schema.js +11 -0
package/dist/request-payloads.d.ts +137 -0
package/dist/request-payloads.js +210 -0
package/dist/response-payloads.d.ts +107 -0
package/dist/response-payloads.js +161 -0
package/dist/sidecar-client.d.ts +242 -0
package/dist/sidecar-client.js +797 -0
package/dist/state.d.ts +40 -0
package/dist/state.js +44 -0
package/dist/test-runtime.d.ts +526 -0
package/dist/test-runtime.js +2119 -0
package/dist/vm-config.d.ts +31 -0
package/dist/vm-config.js +1 -0
package/fixtures/alpine-defaults.json +520 -0
package/fixtures/base-filesystem.json +528 -0
package/package.json +193 -115
package/LICENSE +0 -191
package/dist/bridge-setup.d.ts +0 -6
package/dist/bridge-setup.js +0 -9
package/dist/esm-compiler.d.ts +0 -18
package/dist/esm-compiler.js +0 -72
package/dist/fs-helpers.d.ts +0 -23
package/dist/fs-helpers.js +0 -41
package/dist/generated/isolate-runtime.d.ts +0 -19
package/dist/generated/isolate-runtime.js +0 -21
package/dist/generated/polyfills.d.ts +0 -82
package/dist/generated/polyfills.js +0 -82
package/dist/isolate-runtime/apply-custom-global-policy.js +0 -53
package/dist/isolate-runtime/apply-timing-mitigation-freeze.js +0 -130
package/dist/isolate-runtime/apply-timing-mitigation-off.js +0 -14
package/dist/isolate-runtime/bridge-attach.js +0 -29
package/dist/isolate-runtime/bridge-initial-globals.js +0 -385
package/dist/isolate-runtime/eval-script-result.js +0 -8
package/dist/isolate-runtime/global-exposure-helpers.js +0 -36
package/dist/isolate-runtime/init-commonjs-module-globals.js +0 -28
package/dist/isolate-runtime/override-process-cwd.js +0 -8
package/dist/isolate-runtime/override-process-env.js +0 -8
package/dist/isolate-runtime/require-setup.js +0 -4153
package/dist/isolate-runtime/set-commonjs-file-globals.js +0 -36
package/dist/isolate-runtime/set-stdin-data.js +0 -10
package/dist/isolate-runtime/setup-dynamic-import.js +0 -123
package/dist/isolate-runtime/setup-fs-facade.js +0 -87
package/dist/kernel/command-registry.d.ts +0 -44
package/dist/kernel/command-registry.js +0 -114
package/dist/kernel/device-backend.d.ts +0 -14
package/dist/kernel/device-backend.js +0 -251
package/dist/kernel/device-layer.d.ts +0 -12
package/dist/kernel/device-layer.js +0 -271
package/dist/kernel/dns-cache.d.ts +0 -29
package/dist/kernel/dns-cache.js +0 -52
package/dist/kernel/fd-table.d.ts +0 -84
package/dist/kernel/fd-table.js +0 -278
package/dist/kernel/file-lock.d.ts +0 -34
package/dist/kernel/file-lock.js +0 -122
package/dist/kernel/host-adapter.d.ts +0 -50
package/dist/kernel/host-adapter.js +0 -8
package/dist/kernel/index.d.ts +0 -36
package/dist/kernel/index.js +0 -34
package/dist/kernel/kernel.d.ts +0 -9
package/dist/kernel/kernel.js +0 -1415
package/dist/kernel/mount-table.d.ts +0 -75
package/dist/kernel/mount-table.js +0 -353
package/dist/kernel/permissions.d.ts +0 -36
package/dist/kernel/permissions.js +0 -150
package/dist/kernel/pipe-manager.d.ts +0 -64
package/dist/kernel/pipe-manager.js +0 -267
package/dist/kernel/proc-backend.d.ts +0 -30
package/dist/kernel/proc-backend.js +0 -428
package/dist/kernel/proc-layer.d.ts +0 -11
package/dist/kernel/proc-layer.js +0 -507
package/dist/kernel/process-table.d.ts +0 -126
package/dist/kernel/process-table.js +0 -651
package/dist/kernel/pty.d.ts +0 -109
package/dist/kernel/pty.js +0 -552
package/dist/kernel/socket-table.d.ts +0 -312
package/dist/kernel/socket-table.js +0 -1188
package/dist/kernel/timer-table.d.ts +0 -54
package/dist/kernel/timer-table.js +0 -108
package/dist/kernel/types.d.ts +0 -541
package/dist/kernel/types.js +0 -98
package/dist/kernel/user.d.ts +0 -29
package/dist/kernel/user.js +0 -35
package/dist/kernel/vfs.d.ts +0 -82
package/dist/kernel/vfs.js +0 -25
package/dist/kernel/wait.d.ts +0 -45
package/dist/kernel/wait.js +0 -112
package/dist/kernel/wstatus.d.ts +0 -21
package/dist/kernel/wstatus.js +0 -33
package/dist/module-resolver.d.ts +0 -29
package/dist/module-resolver.js +0 -314
package/dist/package-bundler.d.ts +0 -41
package/dist/package-bundler.js +0 -497
package/dist/runtime-driver.d.ts +0 -66
package/dist/shared/api-types.d.ts +0 -83
package/dist/shared/bridge-contract.d.ts +0 -772
package/dist/shared/bridge-contract.js +0 -169
package/dist/shared/console-formatter.d.ts +0 -22
package/dist/shared/console-formatter.js +0 -161
package/dist/shared/constants.d.ts +0 -3
package/dist/shared/constants.js +0 -3
package/dist/shared/errors.d.ts +0 -16
package/dist/shared/errors.js +0 -21
package/dist/shared/esm-utils.d.ts +0 -28
package/dist/shared/esm-utils.js +0 -97
package/dist/shared/global-exposure.d.ts +0 -38
package/dist/shared/global-exposure.js +0 -876
package/dist/shared/in-memory-fs.d.ts +0 -16
package/dist/shared/in-memory-fs.js +0 -115
package/dist/shared/permissions.d.ts +0 -36
package/dist/shared/permissions.js +0 -314
package/dist/shared/require-setup.d.ts +0 -6
package/dist/shared/require-setup.js +0 -9
package/dist/test/block-store-conformance.d.ts +0 -34
package/dist/test/block-store-conformance.js +0 -251
package/dist/test/metadata-store-conformance.d.ts +0 -37
package/dist/test/metadata-store-conformance.js +0 -646
package/dist/test/vfs-conformance.d.ts +0 -65
package/dist/test/vfs-conformance.js +0 -842
package/dist/types.d.ts +0 -98
package/dist/types.js +0 -6
package/dist/vfs/chunked-vfs.d.ts +0 -66
package/dist/vfs/chunked-vfs.js +0 -1290
package/dist/vfs/host-block-store.d.ts +0 -19
package/dist/vfs/host-block-store.js +0 -97
package/dist/vfs/memory-block-store.d.ts +0 -16
package/dist/vfs/memory-block-store.js +0 -45
package/dist/vfs/memory-metadata.d.ts +0 -75
package/dist/vfs/memory-metadata.js +0 -528
package/dist/vfs/sqlite-metadata.d.ts +0 -91
package/dist/vfs/sqlite-metadata.js +0 -582
package/dist/vfs/types.d.ts +0 -210
package/dist/vfs/types.js +0 -8
/package/dist/{runtime-driver.js → generated/CreateVmConfig.js} +0 -0
/package/dist/{shared/api-types.js → generated/FsPermissionRule.js} +0 -0

package/dist/kernel/process-table.js DELETED Viewed

@@ -1,651 +0,0 @@
-/**
- * Process table.
- *
- * Universal process tracking across all runtimes. Owns PID allocation,
- * parent-child relationships, waitpid, and signal routing. A WasmVM
- * shell can waitpid on a Node child process.
- */
-import { KernelError, SIGCHLD, SIGALRM, SIGCONT, SIGSTOP, SIGTSTP, SIGKILL, SIGWINCH, WNOHANG, SA_RESETHAND, SIG_BLOCK, SIG_UNBLOCK, SIG_SETMASK, noopKernelLogger } from "./types.js";
-import { WaitQueue } from "./wait.js";
-import { encodeExitStatus, encodeSignalStatus } from "./wstatus.js";
-const ZOMBIE_TTL_MS = 60_000;
-export class ProcessTable {
-    entries = new Map();
-    nextPid = 1;
-    waiters = new Map();
-    zombieTimers = new Map();
-    /** Pending alarm timers per PID: { timer, scheduledAt (ms epoch) }. */
-    alarmTimers = new Map();
-    log;
-    /** Called when a process exits, before waiters are notified. */
-    onProcessExit = null;
-    /** Called when a zombie process is reaped (removed from the table). */
-    onProcessReap = null;
-    constructor(logger) {
-        this.log = logger ?? noopKernelLogger;
-    }
-    /** Atomically allocate the next PID. */
-    allocatePid() {
-        return this.nextPid++;
-    }
-    /** Register a process with a pre-allocated PID. */
-    register(pid, driver, command, args, ctx, driverProcess) {
-        // Inherit pgid/sid/umask from parent, or default to own pid / 0o022
-        const parent = ctx.ppid ? this.entries.get(ctx.ppid) : undefined;
-        const pgid = parent?.pgid ?? pid;
-        const sid = parent?.sid ?? pid;
-        const umask = parent?.umask ?? 0o022;
-        const entry = {
-            pid,
-            ppid: ctx.ppid,
-            pgid,
-            sid,
-            driver,
-            command,
-            args,
-            status: "running",
-            exitCode: null,
-            exitReason: null,
-            termSignal: 0,
-            startTime: Date.now(),
-            exitTime: null,
-            env: { ...ctx.env },
-            cwd: ctx.cwd,
-            umask,
-            activeHandles: new Map(),
-            handleLimit: 0,
-            signalState: {
-                handlers: new Map(),
-                blockedSignals: new Set(),
-                pendingSignals: new Set(),
-                signalWaiters: new WaitQueue(),
-                deliverySeq: 0,
-                lastDeliveredSignal: null,
-                lastDeliveredFlags: 0,
-            },
-            driverProcess,
-        };
-        this.entries.set(pid, entry);
-        this.log.debug({ pid, ppid: ctx.ppid, pgid, sid, driver, command, args }, "process registered");
-        // Wire up exit callback to mark process as exited
-        driverProcess.onExit = (code) => {
-            this.markExited(pid, code);
-        };
-        return entry;
-    }
-    get(pid) {
-        return this.entries.get(pid);
-    }
-    /** Count pending zombie cleanup timers (test observability). */
-    get zombieTimerCount() {
-        return this.zombieTimers.size;
-    }
-    /** Count running (non-exited) processes. */
-    runningCount() {
-        let count = 0;
-        for (const entry of this.entries.values()) {
-            if (entry.status === "running")
-                count++;
-        }
-        return count;
-    }
-    /** Mark a process as exited with the given code. Notifies waiters. */
-    markExited(pid, exitCode) {
-        const entry = this.entries.get(pid);
-        if (!entry)
-            return;
-        if (entry.status === "exited")
-            return;
-        this.log.debug({
-            pid, exitCode, command: entry.command,
-            termSignal: entry.termSignal,
-            reason: entry.termSignal > 0 ? "signal" : "normal",
-        }, "process exited");
-        entry.status = "exited";
-        entry.exitCode = exitCode;
-        entry.exitReason = entry.termSignal > 0 ? "signal" : "normal";
-        entry.exitTime = Date.now();
-        // Encode POSIX wstatus
-        const wstatus = entry.termSignal > 0
-            ? encodeSignalStatus(entry.termSignal)
-            : encodeExitStatus(exitCode);
-        // Cancel pending alarm
-        this.cancelAlarm(pid);
-        // Clear all active handles
-        entry.activeHandles.clear();
-        // Clean up process resources (FD table, pipe ends)
-        this.onProcessExit?.(pid);
-        // Deliver SIGCHLD to parent via signal handler system
-        if (entry.ppid > 0) {
-            const parent = this.entries.get(entry.ppid);
-            if (parent && parent.status === "running") {
-                this.deliverSignal(parent, SIGCHLD);
-            }
-        }
-        // Notify waiters
-        const waiters = this.waiters.get(pid);
-        if (waiters) {
-            for (const resolve of waiters) {
-                resolve({ pid, status: wstatus, termSignal: entry.termSignal });
-            }
-            this.waiters.delete(pid);
-        }
-        // Schedule zombie cleanup (tracked for cancellation on dispose)
-        const timer = setTimeout(() => {
-            this.zombieTimers.delete(pid);
-            this.reap(pid);
-        }, ZOMBIE_TTL_MS);
-        this.zombieTimers.set(pid, timer);
-    }
-    /**
-     * Wait for a process to exit.
-     * If already exited, resolves immediately. Otherwise blocks until exit.
-     * With WNOHANG option, returns null immediately if process is still running.
-     */
-    waitpid(pid, options) {
-        const entry = this.entries.get(pid);
-        if (!entry) {
-            return Promise.reject(new Error(`ESRCH: no such process ${pid}`));
-        }
-        if (entry.status === "exited") {
-            const wstatus = entry.termSignal > 0
-                ? encodeSignalStatus(entry.termSignal)
-                : encodeExitStatus(entry.exitCode);
-            return Promise.resolve({ pid, status: wstatus, termSignal: entry.termSignal });
-        }
-        // WNOHANG: return null immediately if process is still running
-        if (options && (options & WNOHANG)) {
-            return Promise.resolve(null);
-        }
-        return new Promise((resolve) => {
-            let waiters = this.waiters.get(pid);
-            if (!waiters) {
-                waiters = [];
-                this.waiters.set(pid, waiters);
-            }
-            waiters.push(resolve);
-        });
-    }
-    /**
-     * Send a signal to a process or process group.
-     * If pid > 0, signal a single process.
-     * If pid < 0, signal all processes in process group abs(pid).
-     */
-    kill(pid, signal) {
-        // Validate signal range (POSIX: 0 = existence check, 1-64 = real signals)
-        if (signal < 0 || signal > 64) {
-            throw new KernelError("EINVAL", `invalid signal ${signal}`);
-        }
-        this.log.debug({ pid, signal }, "kill");
-        if (pid < 0) {
-            // Process group kill
-            const pgid = -pid;
-            let found = false;
-            for (const entry of this.entries.values()) {
-                if (entry.pgid === pgid && entry.status !== "exited") {
-                    found = true;
-                    if (signal !== 0) {
-                        this.deliverSignal(entry, signal);
-                    }
-                }
-            }
-            if (!found)
-                throw new KernelError("ESRCH", `no such process group ${pgid}`);
-            return;
-        }
-        const entry = this.entries.get(pid);
-        if (!entry)
-            throw new KernelError("ESRCH", `no such process ${pid}`);
-        if (entry.status === "exited")
-            return;
-        // Signal 0: existence check only — don't deliver
-        if (signal === 0)
-            return;
-        this.deliverSignal(entry, signal);
-    }
-    /**
-     * Deliver a signal to a process, respecting handlers, blocking, and coalescing.
-     *
-     * SIGKILL and SIGSTOP cannot be caught, blocked, or ignored (POSIX).
-     * Blocked signals are queued in pendingSignals; standard signals (1-31) coalesce.
-     * If a handler is registered, it is invoked with sa_mask temporarily blocked.
-     */
-    deliverSignal(entry, signal) {
-        const { signalState } = entry;
-        this.log.trace({ pid: entry.pid, signal, command: entry.command }, "deliver signal");
-        // SIGKILL and SIGSTOP always use default action — cannot be caught/blocked/ignored
-        if (signal === SIGKILL || signal === SIGSTOP) {
-            this.applyDefaultAction(entry, signal);
-            return;
-        }
-        // SIGCONT always resumes a stopped process, even if blocked or caught (POSIX)
-        if (signal === SIGCONT) {
-            this.cont(entry.pid);
-            // If blocked, queue for handler delivery later; otherwise dispatch
-            if (signalState.blockedSignals.has(signal)) {
-                signalState.pendingSignals.add(signal);
-                return;
-            }
-            this.dispatchSignal(entry, signal);
-            return;
-        }
-        // If signal is blocked, queue it (standard signals 1-31 coalesce via Set)
-        if (signalState.blockedSignals.has(signal)) {
-            signalState.pendingSignals.add(signal);
-            return;
-        }
-        this.dispatchSignal(entry, signal);
-    }
-    /**
-     * Dispatch a signal to a process — check handler, then apply.
-     * Called for unblocked signals and when delivering pending signals.
-     */
-    dispatchSignal(entry, signal) {
-        const { signalState } = entry;
-        const registration = signalState.handlers.get(signal);
-        if (!registration) {
-            // No handler registered — apply default action
-            if (signal !== SIGCHLD) {
-                this.recordSignalDelivery(signalState, signal, 0);
-            }
-            this.applyDefaultAction(entry, signal);
-            return;
-        }
-        const { handler, mask, flags } = registration;
-        if (handler === "ignore")
-            return;
-        if (handler === "default") {
-            if (signal !== SIGCHLD) {
-                this.recordSignalDelivery(signalState, signal, 0);
-            }
-            this.applyDefaultAction(entry, signal);
-            return;
-        }
-        this.recordSignalDelivery(signalState, signal, flags);
-        // User-defined handler: temporarily block sa_mask + the signal itself during execution
-        const savedBlocked = new Set(signalState.blockedSignals);
-        for (const s of mask)
-            signalState.blockedSignals.add(s);
-        signalState.blockedSignals.add(signal);
-        try {
-            handler(signal);
-        }
-        finally {
-            // Restore previous blocked set
-            signalState.blockedSignals = savedBlocked;
-        }
-        // Reset one-shot handlers before any pending re-delivery.
-        if ((flags & SA_RESETHAND) !== 0) {
-            signalState.handlers.set(signal, {
-                handler: "default",
-                mask: new Set(),
-                flags: 0,
-            });
-        }
-        // Deliver any signals that were pending and are now unblocked
-        this.deliverPendingSignals(entry);
-    }
-    /** Wake signal-aware waiters after a signal has been dispatched. */
-    recordSignalDelivery(signalState, signal, flags) {
-        signalState.lastDeliveredSignal = signal;
-        signalState.lastDeliveredFlags = flags;
-        signalState.deliverySeq++;
-        signalState.signalWaiters.wakeAll();
-    }
-    /** Apply the kernel default action for a signal. */
-    applyDefaultAction(entry, signal) {
-        if (signal === SIGTSTP || signal === SIGSTOP) {
-            this.log.debug({ pid: entry.pid, signal, action: "stop" }, "signal default action");
-            this.stop(entry.pid);
-            entry.driverProcess.kill(signal);
-        }
-        else if (signal === SIGCONT) {
-            this.log.debug({ pid: entry.pid, signal, action: "continue" }, "signal default action");
-            this.cont(entry.pid);
-            entry.driverProcess.kill(signal);
-        }
-        else if (signal === SIGCHLD || signal === SIGWINCH) {
-            // Default action: ignore (POSIX — SIGCHLD and SIGWINCH don't terminate)
-            return;
-        }
-        else {
-            this.log.debug({ pid: entry.pid, signal, action: "terminate", command: entry.command }, "signal default action");
-            entry.termSignal = signal;
-            entry.driverProcess.kill(signal);
-        }
-    }
-    /** Deliver pending signals that are no longer blocked (lowest signal number first). */
-    deliverPendingSignals(entry) {
-        const { signalState } = entry;
-        if (signalState.pendingSignals.size === 0)
-            return;
-        // Deliver in ascending signal number order
-        const pending = [...signalState.pendingSignals].sort((a, b) => a - b);
-        for (const sig of pending) {
-            // Check both: not blocked AND still pending (recursive delivery may have handled it)
-            if (!signalState.blockedSignals.has(sig) && signalState.pendingSignals.has(sig)) {
-                signalState.pendingSignals.delete(sig);
-                this.dispatchSignal(entry, sig);
-                if (entry.status === "exited")
-                    break;
-            }
-        }
-    }
-    /**
-     * Schedule SIGALRM delivery after `seconds`. Returns previous alarm remaining (0 if none).
-     * alarm(pid, 0) cancels any pending alarm. A new alarm replaces the previous one.
-     */
-    alarm(pid, seconds) {
-        const entry = this.entries.get(pid);
-        if (!entry)
-            throw new KernelError("ESRCH", `no such process ${pid}`);
-        // Calculate remaining time from any existing alarm
-        let remaining = 0;
-        const existing = this.alarmTimers.get(pid);
-        if (existing) {
-            const elapsed = (Date.now() - existing.scheduledAt) / 1000;
-            remaining = Math.max(0, Math.ceil(existing.seconds - elapsed));
-            clearTimeout(existing.timer);
-            this.alarmTimers.delete(pid);
-        }
-        if (seconds === 0)
-            return remaining;
-        // Schedule new alarm
-        const scheduledAt = Date.now();
-        const timer = setTimeout(() => {
-            this.alarmTimers.delete(pid);
-            const e = this.entries.get(pid);
-            if (!e || e.status !== "running")
-                return;
-            // Deliver through signal handler system
-            this.deliverSignal(e, SIGALRM);
-        }, seconds * 1000);
-        this.alarmTimers.set(pid, { timer, scheduledAt, seconds });
-        return remaining;
-    }
-    // -----------------------------------------------------------------------
-    // Signal handlers (sigaction / sigprocmask)
-    // -----------------------------------------------------------------------
-    /**
-     * Register a signal handler (POSIX sigaction).
-     * Returns the previous handler for the signal, or undefined if none was set.
-     * SIGKILL and SIGSTOP cannot be caught or ignored.
-     */
-    sigaction(pid, signal, handler) {
-        const entry = this.entries.get(pid);
-        if (!entry)
-            throw new KernelError("ESRCH", `no such process ${pid}`);
-        if (signal < 1 || signal > 64)
-            throw new KernelError("EINVAL", `invalid signal ${signal}`);
-        if (signal === SIGKILL || signal === SIGSTOP) {
-            throw new KernelError("EINVAL", `cannot catch or ignore signal ${signal}`);
-        }
-        const prev = entry.signalState.handlers.get(signal);
-        entry.signalState.handlers.set(signal, handler);
-        return prev;
-    }
-    /**
-     * Modify the blocked signal mask (POSIX sigprocmask).
-     * Returns the previous blocked set.
-     * SIGKILL and SIGSTOP cannot be blocked.
-     */
-    sigprocmask(pid, how, set) {
-        const entry = this.entries.get(pid);
-        if (!entry)
-            throw new KernelError("ESRCH", `no such process ${pid}`);
-        const { signalState } = entry;
-        const prevBlocked = new Set(signalState.blockedSignals);
-        // Filter out uncatchable signals
-        const filtered = new Set(set);
-        filtered.delete(SIGKILL);
-        filtered.delete(SIGSTOP);
-        if (how === SIG_BLOCK) {
-            for (const s of filtered)
-                signalState.blockedSignals.add(s);
-        }
-        else if (how === SIG_UNBLOCK) {
-            for (const s of filtered)
-                signalState.blockedSignals.delete(s);
-        }
-        else if (how === SIG_SETMASK) {
-            signalState.blockedSignals = filtered;
-        }
-        else {
-            throw new KernelError("EINVAL", `invalid sigprocmask how: ${how}`);
-        }
-        // Deliver any pending signals that are now unblocked
-        this.deliverPendingSignals(entry);
-        return prevBlocked;
-    }
-    /** Get the signal state for a process (read-only view). */
-    getSignalState(pid) {
-        const entry = this.entries.get(pid);
-        if (!entry)
-            throw new KernelError("ESRCH", `no such process ${pid}`);
-        return entry.signalState;
-    }
-    /** Suspend a process (SIGTSTP/SIGSTOP). Sets status to 'stopped'. */
-    stop(pid) {
-        const entry = this.entries.get(pid);
-        if (!entry)
-            throw new KernelError("ESRCH", `no such process ${pid}`);
-        if (entry.status !== "running")
-            return;
-        entry.status = "stopped";
-    }
-    /** Resume a stopped process (SIGCONT). Sets status back to 'running'. */
-    cont(pid) {
-        const entry = this.entries.get(pid);
-        if (!entry)
-            throw new KernelError("ESRCH", `no such process ${pid}`);
-        if (entry.status !== "stopped")
-            return;
-        entry.status = "running";
-    }
-    /** Cancel a pending alarm for a process. */
-    cancelAlarm(pid) {
-        const existing = this.alarmTimers.get(pid);
-        if (existing) {
-            clearTimeout(existing.timer);
-            this.alarmTimers.delete(pid);
-        }
-    }
-    /** Set process group ID. Process can join existing group or create new one. */
-    setpgid(pid, pgid) {
-        const entry = this.entries.get(pid);
-        if (!entry)
-            throw new KernelError("ESRCH", `no such process ${pid}`);
-        // pgid 0 means "use own PID as pgid"
-        const targetPgid = pgid === 0 ? pid : pgid;
-        // Can only join an existing group or create own group
-        if (targetPgid !== pid) {
-            let groupExists = false;
-            for (const e of this.entries.values()) {
-                if (e.pgid === targetPgid && e.status !== "exited") {
-                    // Reject cross-session group joining (POSIX)
-                    if (e.sid !== entry.sid) {
-                        throw new KernelError("EPERM", `cannot join process group in different session`);
-                    }
-                    groupExists = true;
-                    break;
-                }
-            }
-            if (!groupExists)
-                throw new KernelError("EPERM", `no such process group ${targetPgid}`);
-        }
-        entry.pgid = targetPgid;
-    }
-    /** Get process group ID. */
-    getpgid(pid) {
-        const entry = this.entries.get(pid);
-        if (!entry)
-            throw new KernelError("ESRCH", `no such process ${pid}`);
-        return entry.pgid;
-    }
-    /** Create a new session. Process becomes session leader and process group leader. */
-    setsid(pid) {
-        const entry = this.entries.get(pid);
-        if (!entry)
-            throw new KernelError("ESRCH", `no such process ${pid}`);
-        // Process must not already be a process group leader
-        if (entry.pgid === pid) {
-            throw new KernelError("EPERM", `process ${pid} is already a process group leader`);
-        }
-        entry.sid = pid;
-        entry.pgid = pid;
-        return pid;
-    }
-    /** Get session ID. */
-    getsid(pid) {
-        const entry = this.entries.get(pid);
-        if (!entry)
-            throw new KernelError("ESRCH", `no such process ${pid}`);
-        return entry.sid;
-    }
-    /** Get the parent PID for a process. */
-    getppid(pid) {
-        const entry = this.entries.get(pid);
-        if (!entry)
-            throw new KernelError("ESRCH", `no such process ${pid}`);
-        return entry.ppid;
-    }
-    /**
-     * Send a signal to a process group, skipping session leaders.
-     * Returns count of processes actually signaled.
-     * Used for PTY-originated SIGINT where the session leader (shell)
-     * cannot handle signals gracefully (WasmVM worker.terminate()).
-     */
-    killGroupExcludeLeaders(pgid, signal) {
-        if (signal < 0 || signal > 64) {
-            throw new KernelError("EINVAL", `invalid signal ${signal}`);
-        }
-        let count = 0;
-        for (const entry of this.entries.values()) {
-            if (entry.pgid === pgid && entry.status !== "exited") {
-                if (entry.pid === entry.sid)
-                    continue; // Skip session leaders
-                if (signal !== 0) {
-                    this.deliverSignal(entry, signal);
-                }
-                count++;
-            }
-        }
-        return count;
-    }
-    /** Check if any running process belongs to the given process group. */
-    hasProcessGroup(pgid) {
-        for (const entry of this.entries.values()) {
-            if (entry.pgid === pgid && entry.status !== "exited")
-                return true;
-        }
-        return false;
-    }
-    /** Get a read-only view of process info for all processes. */
-    listProcesses() {
-        const result = new Map();
-        for (const [pid, entry] of this.entries) {
-            result.set(pid, {
-                pid: entry.pid,
-                ppid: entry.ppid,
-                pgid: entry.pgid,
-                sid: entry.sid,
-                driver: entry.driver,
-                command: entry.command,
-                args: entry.args,
-                cwd: entry.cwd,
-                status: entry.status,
-                exitCode: entry.exitCode,
-                startTime: entry.startTime,
-                exitTime: entry.exitTime,
-            });
-        }
-        return result;
-    }
-    /** Remove a zombie process. */
-    reap(pid) {
-        const entry = this.entries.get(pid);
-        if (entry?.status === "exited") {
-            this.onProcessReap?.(pid);
-            this.entries.delete(pid);
-        }
-    }
-    // -----------------------------------------------------------------------
-    // Handle tracking
-    // -----------------------------------------------------------------------
-    /** Register an active handle for a process. Throws EAGAIN if budget exceeded. */
-    registerHandle(pid, id, description) {
-        const entry = this.entries.get(pid);
-        if (!entry)
-            throw new KernelError("ESRCH", `no such process ${pid}`);
-        if (entry.handleLimit > 0 && entry.activeHandles.size >= entry.handleLimit) {
-            throw new KernelError("EAGAIN", `handle limit (${entry.handleLimit}) exceeded for process ${pid}`);
-        }
-        entry.activeHandles.set(id, description);
-    }
-    /** Unregister an active handle. Throws EBADF if handle not found. */
-    unregisterHandle(pid, id) {
-        const entry = this.entries.get(pid);
-        if (!entry)
-            throw new KernelError("ESRCH", `no such process ${pid}`);
-        if (!entry.activeHandles.delete(id)) {
-            throw new KernelError("EBADF", `no such handle ${id} for process ${pid}`);
-        }
-    }
-    /** Set the maximum number of active handles for a process. 0 = unlimited. */
-    setHandleLimit(pid, limit) {
-        const entry = this.entries.get(pid);
-        if (!entry)
-            throw new KernelError("ESRCH", `no such process ${pid}`);
-        entry.handleLimit = limit;
-    }
-    /** Get the active handles for a process (read-only copy). */
-    getHandles(pid) {
-        const entry = this.entries.get(pid);
-        if (!entry)
-            throw new KernelError("ESRCH", `no such process ${pid}`);
-        return new Map(entry.activeHandles);
-    }
-    /** Terminate all running processes and clear pending timers. */
-    async terminateAll() {
-        // Clear all zombie cleanup timers to prevent post-dispose firings
-        for (const timer of this.zombieTimers.values()) {
-            clearTimeout(timer);
-        }
-        this.zombieTimers.clear();
-        // Clear all pending alarm timers
-        for (const { timer } of this.alarmTimers.values()) {
-            clearTimeout(timer);
-        }
-        this.alarmTimers.clear();
-        const running = [...this.entries.values()].filter((e) => e.status !== "exited");
-        for (const entry of running) {
-            try {
-                entry.driverProcess.kill(15); // SIGTERM
-            }
-            catch {
-                // Best effort
-            }
-        }
-        // Wait briefly for graceful exits
-        await Promise.allSettled(running.map((e) => Promise.race([
-            e.driverProcess.wait(),
-            new Promise((r) => setTimeout(r, 1000)),
-        ])));
-        // Escalate to SIGKILL for processes that survived SIGTERM
-        const survivors = running.filter((e) => e.status !== "exited");
-        for (const entry of survivors) {
-            try {
-                entry.driverProcess.kill(9); // SIGKILL
-            }
-            catch {
-                // Best effort
-            }
-        }
-        if (survivors.length > 0) {
-            await Promise.allSettled(survivors.map((e) => Promise.race([
-                e.driverProcess.wait(),
-                new Promise((r) => setTimeout(r, 500)),
-            ])));
-        }
-    }
-}