@secure-exec/core 0.2.1 → 0.3.0-rc.2

package/dist/shared/in-memory-fs.d.ts

@@ -1,16 +0,0 @@
-/**
- * Factory for creating an in-memory VirtualFileSystem backed by ChunkedVFS.
- *
- * Replaces the old monolithic InMemoryFileSystem with
- * ChunkedVFS(InMemoryMetadataStore + InMemoryBlockStore).
- */
-import type { VirtualFileSystem } from "../kernel/vfs.js";
-/**
- * Create an in-memory VirtualFileSystem using the chunked storage architecture.
- *
- * The returned VFS stores all data in memory via InMemoryMetadataStore and
- * InMemoryBlockStore, composed through ChunkedVFS. It also includes a
- * synchronous `prepareOpenSync` method used by the kernel for O_CREAT/O_EXCL/O_TRUNC
- * handling during fdOpen.
- */
-export declare function createInMemoryFileSystem(): VirtualFileSystem;

package/dist/shared/in-memory-fs.js

@@ -1,115 +0,0 @@
-/**
- * Factory for creating an in-memory VirtualFileSystem backed by ChunkedVFS.
- *
- * Replaces the old monolithic InMemoryFileSystem with
- * ChunkedVFS(InMemoryMetadataStore + InMemoryBlockStore).
- */
-import { KernelError, O_CREAT, O_EXCL, O_TRUNC } from "../kernel/types.js";
-import { createChunkedVfs } from "../vfs/chunked-vfs.js";
-import { InMemoryMetadataStore } from "../vfs/memory-metadata.js";
-import { InMemoryBlockStore } from "../vfs/memory-block-store.js";
-/**
- * Create an in-memory VirtualFileSystem using the chunked storage architecture.
- *
- * The returned VFS stores all data in memory via InMemoryMetadataStore and
- * InMemoryBlockStore, composed through ChunkedVFS. It also includes a
- * synchronous `prepareOpenSync` method used by the kernel for O_CREAT/O_EXCL/O_TRUNC
- * handling during fdOpen.
- */
-export function createInMemoryFileSystem() {
-    const metadata = new InMemoryMetadataStore();
-    const blocks = new InMemoryBlockStore();
-    const vfs = createChunkedVfs({ metadata, blocks });
-    // The kernel's fdOpen calls prepareOpenSync synchronously for O_CREAT,
-    // O_EXCL, and O_TRUNC flags. Since InMemoryMetadataStore is backed by
-    // synchronous Maps, we use its synchronous accessor methods directly.
-    function prepareOpenSync(path, flags) {
-        const hasCreate = (flags & O_CREAT) !== 0;
-        const hasExcl = (flags & O_EXCL) !== 0;
-        const hasTrunc = (flags & O_TRUNC) !== 0;
-        // Check if path exists via synchronous resolution.
-        let resolvedIno;
-        try {
-            resolvedIno = metadata.resolvePathSync(path);
-        }
-        catch {
-            // ENOENT is expected when the file doesn't exist yet.
-        }
-        const exists = resolvedIno !== undefined;
-        if (hasCreate && hasExcl && exists) {
-            throw new KernelError("EEXIST", `file already exists, open '${path}'`);
-        }
-        let created = false;
-        if (!exists && hasCreate) {
-            // Create parent directories and the file synchronously.
-            const parts = path.replace(/\/+/g, "/").replace(/\/$/, "").split("/").filter(Boolean);
-            let parentIno = 1; // root
-            for (let i = 0; i < parts.length - 1; i++) {
-                const childIno = metadata.lookupSync(parentIno, parts[i]);
-                if (childIno === null) {
-                    const newIno = metadata.createInodeSync({
-                        type: "directory",
-                        mode: 0o755,
-                        uid: 0,
-                        gid: 0,
-                    });
-                    metadata.updateInodeSync(newIno, { nlink: 2 });
-                    metadata.createDentrySync(parentIno, parts[i], newIno, "directory");
-                    // Increment parent nlink for subdirectory
-                    const parentMeta = metadata.getInodeSync(parentIno);
-                    if (parentMeta) {
-                        metadata.updateInodeSync(parentIno, { nlink: parentMeta.nlink + 1 });
-                    }
-                    parentIno = newIno;
-                }
-                else {
-                    parentIno = childIno;
-                }
-            }
-            // Create the file inode.
-            const fileName = parts[parts.length - 1];
-            if (fileName) {
-                const fileIno = metadata.createInodeSync({
-                    type: "file",
-                    mode: 0o644,
-                    uid: 0,
-                    gid: 0,
-                });
-                metadata.updateInodeSync(fileIno, {
-                    nlink: 1,
-                    size: 0,
-                    storageMode: "inline",
-                    inlineContent: new Uint8Array(0),
-                });
-                try {
-                    metadata.createDentrySync(parentIno, fileName, fileIno, "file");
-                    created = true;
-                }
-                catch {
-                    // EEXIST from race condition, ignore.
-                }
-            }
-        }
-        if (hasTrunc && resolvedIno !== undefined) {
-            // Check that the target is a file, not a directory.
-            const meta = metadata.getInodeSync(resolvedIno);
-            if (meta && meta.type === "directory") {
-                throw new KernelError("EISDIR", `illegal operation on a directory, open '${path}'`);
-            }
-            // Truncate file to 0 bytes.
-            metadata.updateInodeSync(resolvedIno, {
-                size: 0,
-                storageMode: "inline",
-                inlineContent: new Uint8Array(0),
-            });
-            // Delete any existing chunks synchronously.
-            const keys = metadata.deleteAllChunksSync(resolvedIno);
-            if (keys.length > 0) {
-                // Fire-and-forget async block deletion. Blocks are in memory so this resolves immediately.
-                void blocks.deleteMany(keys);
-            }
-        }
-        return created;
-    }
-    return Object.assign(vfs, { prepareOpenSync });
-}

package/dist/shared/permissions.d.ts

@@ -1,36 +0,0 @@
-/**
- * Permission enforcement layer.
- *
- * Wraps filesystem, network, and command-executor adapters with permission
- * checks that throw EACCES on denial. When no permission callback is provided
- * for a category, guarded operations in that category are denied by default.
- */
-import type { EnvAccessRequest, Permissions } from "../kernel/types.js";
-import type { VirtualFileSystem } from "../kernel/vfs.js";
-import type { CommandExecutor, NetworkAdapter } from "../types.js";
-export declare const allowAllFs: Pick<Permissions, "fs">;
-export declare const allowAllNetwork: Pick<Permissions, "network">;
-export declare const allowAllChildProcess: Pick<Permissions, "childProcess">;
-export declare const allowAllEnv: Pick<Permissions, "env">;
-export declare const allowAll: Permissions;
-/**
- * Wrap a VirtualFileSystem so every operation passes through the fs permission check.
- * Throws EACCES if the permission callback denies or is absent.
- */
-export declare function wrapFileSystem(fs: VirtualFileSystem, permissions?: Permissions): VirtualFileSystem;
-/** Wrap a NetworkAdapter so external client operations pass through the network permission check. */
-export declare function wrapNetworkAdapter(adapter: NetworkAdapter, permissions?: Permissions): NetworkAdapter;
-/** Wrap a CommandExecutor so spawn passes through the childProcess permission check. */
-export declare function wrapCommandExecutor(executor: CommandExecutor, permissions?: Permissions): CommandExecutor;
-export declare function envAccessAllowed(permissions: Permissions | undefined, request: EnvAccessRequest): void;
-/** Create a stub VFS where every operation throws ENOSYS (no filesystem configured). */
-export declare function createFsStub(): VirtualFileSystem;
-/** Create a stub network adapter where every operation throws ENOSYS. */
-export declare function createNetworkStub(): NetworkAdapter;
-/** Create a stub executor where spawn throws ENOSYS. */
-export declare function createCommandExecutorStub(): CommandExecutor;
-/**
- * Filter an env record through the env permission check, returning only
- * allowed key-value pairs. Returns empty object if no permissions configured.
- */
-export declare function filterEnv(env: Record<string, string> | undefined, permissions?: Permissions): Record<string, string>;

package/dist/shared/permissions.js

@@ -1,314 +0,0 @@
-/**
- * Permission enforcement layer.
- *
- * Wraps filesystem, network, and command-executor adapters with permission
- * checks that throw EACCES on denial. When no permission callback is provided
- * for a category, guarded operations in that category are denied by default.
- */
-import { createEaccesError, createEnosysError } from "./errors.js";
-/** Normalize a filesystem path: collapse //, resolve . and .., strip trailing /. */
-function normalizeFsPath(path) {
-    // Collapse repeated slashes
-    let p = path.replace(/\/+/g, "/");
-    // Resolve . and .. segments
-    const parts = p.split("/");
-    const resolved = [];
-    for (const seg of parts) {
-        if (seg === ".")
-            continue;
-        if (seg === "..") {
-            // Don't pop past root
-            if (resolved.length > 1)
-                resolved.pop();
-        }
-        else {
-            resolved.push(seg);
-        }
-    }
-    p = resolved.join("/") || "/";
-    // Strip trailing slash (except root)
-    if (p.length > 1 && p.endsWith("/")) {
-        p = p.slice(0, -1);
-    }
-    return p;
-}
-/** Run the permission check; throw the deny error if no checker exists or it denies. */
-function checkPermission(check, request, onDenied) {
-    if (!check) {
-        throw onDenied(request);
-    }
-    const decision = check(request);
-    if (!decision?.allow) {
-        throw onDenied(request, decision?.reason);
-    }
-}
-// Permission callbacks must be self-contained (no closures) because they are
-// serialized via `.toString()` for transfer to the browser Web Worker.
-export const allowAllFs = {
-    fs: () => ({ allow: true }),
-};
-export const allowAllNetwork = {
-    network: () => ({ allow: true }),
-};
-export const allowAllChildProcess = {
-    childProcess: () => ({ allow: true }),
-};
-export const allowAllEnv = {
-    env: () => ({ allow: true }),
-};
-export const allowAll = {
-    ...allowAllFs,
-    ...allowAllNetwork,
-    ...allowAllChildProcess,
-    ...allowAllEnv,
-};
-function fsOpToSyscall(op) {
-    switch (op) {
-        case "read":
-            return "open";
-        case "write":
-            return "write";
-        case "mkdir":
-        case "createDir":
-            return "mkdir";
-        case "readdir":
-            return "scandir";
-        case "stat":
-            return "stat";
-        case "rm":
-            return "unlink";
-        case "rename":
-            return "rename";
-        case "exists":
-            return "access";
-        case "chmod":
-            return "chmod";
-        case "chown":
-            return "chown";
-        case "link":
-            return "link";
-        case "symlink":
-            return "symlink";
-        case "readlink":
-            return "readlink";
-        case "truncate":
-            return "open";
-        case "utimes":
-            return "utimes";
-        default:
-            return "open";
-    }
-}
-/**
- * Wrap a VirtualFileSystem so every operation passes through the fs permission check.
- * Throws EACCES if the permission callback denies or is absent.
- */
-export function wrapFileSystem(fs, permissions) {
-    /** Check fs permission with normalized path to prevent traversal bypasses. */
-    function checkFs(op, path, reason) {
-        checkPermission(permissions?.fs, { op, path: normalizeFsPath(path) }, (req, r) => createEaccesError(fsOpToSyscall(req.op), req.path, r));
-    }
-    return {
-        readFile: async (path) => {
-            checkFs("read", path);
-            return fs.readFile(path);
-        },
-        readTextFile: async (path) => {
-            checkFs("read", path);
-            return fs.readTextFile(path);
-        },
-        readDir: async (path) => {
-            checkFs("readdir", path);
-            return fs.readDir(path);
-        },
-        readDirWithTypes: async (path) => {
-            checkFs("readdir", path);
-            return fs.readDirWithTypes(path);
-        },
-        writeFile: async (path, content) => {
-            checkFs("write", path);
-            return fs.writeFile(path, content);
-        },
-        createDir: async (path) => {
-            checkFs("createDir", path);
-            return fs.createDir(path);
-        },
-        mkdir: async (path, options) => {
-            checkFs("mkdir", path);
-            return fs.mkdir(path, options);
-        },
-        exists: async (path) => {
-            checkFs("exists", path);
-            return fs.exists(path);
-        },
-        stat: async (path) => {
-            checkFs("stat", path);
-            return fs.stat(path);
-        },
-        removeFile: async (path) => {
-            checkFs("rm", path);
-            return fs.removeFile(path);
-        },
-        removeDir: async (path) => {
-            checkFs("rm", path);
-            return fs.removeDir(path);
-        },
-        rename: async (oldPath, newPath) => {
-            checkFs("rename", oldPath);
-            checkFs("rename", newPath);
-            return fs.rename(oldPath, newPath);
-        },
-        symlink: async (target, linkPath) => {
-            checkFs("symlink", linkPath);
-            return fs.symlink(target, linkPath);
-        },
-        readlink: async (path) => {
-            checkFs("readlink", path);
-            return fs.readlink(path);
-        },
-        lstat: async (path) => {
-            checkFs("stat", path);
-            return fs.lstat(path);
-        },
-        link: async (oldPath, newPath) => {
-            checkFs("link", newPath);
-            return fs.link(oldPath, newPath);
-        },
-        chmod: async (path, mode) => {
-            checkFs("chmod", path);
-            return fs.chmod(path, mode);
-        },
-        chown: async (path, uid, gid) => {
-            checkFs("chown", path);
-            return fs.chown(path, uid, gid);
-        },
-        utimes: async (path, atime, mtime) => {
-            checkFs("utimes", path);
-            return fs.utimes(path, atime, mtime);
-        },
-        truncate: async (path, length) => {
-            checkFs("truncate", path);
-            return fs.truncate(path, length);
-        },
-        realpath: async (path) => {
-            checkFs("read", path);
-            return fs.realpath(path);
-        },
-        pread: async (path, offset, length) => {
-            checkFs("read", path);
-            return fs.pread(path, offset, length);
-        },
-        pwrite: async (path, offset, data) => {
-            checkFs("write", path);
-            return fs.pwrite(path, offset, data);
-        },
-    };
-}
-/** Wrap a NetworkAdapter so external client operations pass through the network permission check. */
-export function wrapNetworkAdapter(adapter, permissions) {
-    const loopbackAwareAdapter = adapter;
-    const wrapped = {
-        fetch: async (url, options) => {
-            checkPermission(permissions?.network, { op: "fetch", url, method: options?.method }, (req, reason) => createEaccesError("connect", req.url, reason));
-            return adapter.fetch(url, options);
-        },
-        dnsLookup: async (hostname) => {
-            checkPermission(permissions?.network, { op: "dns", hostname }, (req, reason) => createEaccesError("connect", req.hostname, reason));
-            return adapter.dnsLookup(hostname);
-        },
-        httpRequest: async (url, options) => {
-            checkPermission(permissions?.network, { op: "http", url, method: options?.method }, (req, reason) => createEaccesError("connect", req.url, reason));
-            return adapter.httpRequest(url, options);
-        },
-        // Forward upgrade socket methods for bidirectional WebSocket relay
-        upgradeSocketWrite: adapter.upgradeSocketWrite?.bind(adapter),
-        upgradeSocketEnd: adapter.upgradeSocketEnd?.bind(adapter),
-        upgradeSocketDestroy: adapter.upgradeSocketDestroy?.bind(adapter),
-        setUpgradeSocketCallbacks: adapter.setUpgradeSocketCallbacks?.bind(adapter),
-    };
-    if (typeof loopbackAwareAdapter.__setLoopbackPortChecker === "function") {
-        wrapped.__setLoopbackPortChecker = (checker) => loopbackAwareAdapter.__setLoopbackPortChecker(checker);
-    }
-    return wrapped;
-}
-/** Wrap a CommandExecutor so spawn passes through the childProcess permission check. */
-export function wrapCommandExecutor(executor, permissions) {
-    return {
-        spawn: (command, args, options) => {
-            checkPermission(permissions?.childProcess, { command, args, cwd: options.cwd, env: options.env }, (req, reason) => createEaccesError("spawn", req.command, reason));
-            return executor.spawn(command, args, options);
-        },
-    };
-}
-export function envAccessAllowed(permissions, request) {
-    checkPermission(permissions?.env, request, (req, reason) => createEaccesError("access", req.key, reason));
-}
-/** Create a stub VFS where every operation throws ENOSYS (no filesystem configured). */
-export function createFsStub() {
-    const stub = (op, path) => {
-        throw createEnosysError(op, path);
-    };
-    return {
-        readFile: async (path) => stub("open", path),
-        readTextFile: async (path) => stub("open", path),
-        readDir: async (path) => stub("scandir", path),
-        readDirWithTypes: async (path) => stub("scandir", path),
-        writeFile: async (path) => stub("write", path),
-        createDir: async (path) => stub("mkdir", path),
-        mkdir: async (path) => stub("mkdir", path),
-        exists: async (path) => stub("access", path),
-        stat: async (path) => stub("stat", path),
-        removeFile: async (path) => stub("unlink", path),
-        removeDir: async (path) => stub("rmdir", path),
-        rename: async (oldPath, newPath) => stub("rename", `${oldPath}->${newPath}`),
-        symlink: async (_target, linkPath) => stub("symlink", linkPath),
-        readlink: async (path) => stub("readlink", path),
-        lstat: async (path) => stub("stat", path),
-        link: async (_oldPath, newPath) => stub("link", newPath),
-        chmod: async (path) => stub("chmod", path),
-        chown: async (path) => stub("chown", path),
-        utimes: async (path) => stub("utimes", path),
-        truncate: async (path) => stub("open", path),
-        realpath: async (path) => stub("realpath", path),
-        pread: async (path) => stub("open", path),
-        pwrite: async (path) => stub("open", path),
-    };
-}
-/** Create a stub network adapter where every operation throws ENOSYS. */
-export function createNetworkStub() {
-    const stub = (op, path) => {
-        throw createEnosysError(op, path);
-    };
-    return {
-        fetch: async (url) => stub("connect", url),
-        dnsLookup: async (hostname) => stub("connect", hostname),
-        httpRequest: async (url) => stub("connect", url),
-    };
-}
-/** Create a stub executor where spawn throws ENOSYS. */
-export function createCommandExecutorStub() {
-    return {
-        spawn: () => {
-            throw createEnosysError("spawn");
-        },
-    };
-}
-/**
- * Filter an env record through the env permission check, returning only
- * allowed key-value pairs. Returns empty object if no permissions configured.
- */
-export function filterEnv(env, permissions) {
-    if (!env)
-        return {};
-    if (!permissions?.env)
-        return {};
-    const result = {};
-    for (const [key, value] of Object.entries(env)) {
-        const request = { op: "read", key, value };
-        const decision = permissions.env(request);
-        if (decision?.allow) {
-            result[key] = value;
-        }
-    }
-    return result;
-}

package/dist/shared/require-setup.d.ts

@@ -1,6 +0,0 @@
-/**
- * Get the isolate-side script that installs the global `require()` function,
- * `_requireFrom()`, and require helpers (for example `require.resolve` and
- * `require.cache` wiring to the pre-initialized `_moduleCache`).
- */
-export declare function getRequireSetupCode(): string;

package/dist/shared/require-setup.js

@@ -1,9 +0,0 @@
-import { getIsolateRuntimeSource } from "../generated/isolate-runtime.js";
-/**
- * Get the isolate-side script that installs the global `require()` function,
- * `_requireFrom()`, and require helpers (for example `require.resolve` and
- * `require.cache` wiring to the pre-initialized `_moduleCache`).
- */
-export function getRequireSetupCode() {
-    return getIsolateRuntimeSource("requireSetup");
-}

package/dist/test/block-store-conformance.d.ts

@@ -1,34 +0,0 @@
-/**
- * Shared FsBlockStore conformance test suite.
- *
- * Every FsBlockStore implementation must pass the tests in this suite.
- * Optional test groups are gated on capability flags declared in the config.
- *
- * Usage:
- *
- * ```typescript
- * import { defineBlockStoreTests } from "@secure-exec/core/test/block-store-conformance";
- *
- * defineBlockStoreTests({
- *   name: "InMemoryBlockStore",
- *   createStore: () => new InMemoryBlockStore(),
- *   capabilities: { copy: true },
- * });
- * ```
- */
-import type { FsBlockStore } from "../vfs/types.js";
-export interface BlockStoreConformanceCapabilities {
-    /** Whether the store implements the optional copy() method. */
-    copy: boolean;
-}
-export interface BlockStoreConformanceConfig {
-    /** Human-readable name shown in the describe block. */
-    name: string;
-    /** Create a fresh block store instance for each test. */
-    createStore: () => Promise<FsBlockStore> | FsBlockStore;
-    /** Optional teardown called after each test. */
-    cleanup?: () => Promise<void>;
-    /** Which optional capabilities the store supports. */
-    capabilities: BlockStoreConformanceCapabilities;
-}
-export declare function defineBlockStoreTests(config: BlockStoreConformanceConfig): void;