@secure-exec/core 0.3.0-rc.2 → 0.3.0

package/dist/node-runtime.d.ts

@@ -36,8 +36,10 @@ export interface NodeRuntimeCreateOptions {
     permissions?: Permissions;
     /**
      * Override the directory containing the WASM command binaries (the source of
-     * the guest `sh`). Defaults to the in-repo build output, or the
-     * `SECURE_EXEC_WASM_COMMANDS_DIR` environment variable when set.
+     * the guest `sh`). When unset, resolution falls back through the
+     * `SECURE_EXEC_WASM_COMMANDS_DIR` environment variable, the in-repo build
+     * output (developer checkouts), then the commands vendored into the installed
+     * `@secure-exec/core` package (published installs).
      */
     commandsDir?: string;
     /**

package/dist/node-runtime.js

@@ -17,17 +17,53 @@
  * isolation boundary — no host escapes, no real Node.js builtins for guest
  * work.
  */
+import { existsSync } from "node:fs";
 import path from "node:path";
 import { fileURLToPath } from "node:url";
 import { createInMemoryFileSystem, createKernel, createNodeRuntime, createWasmVmRuntime, NodeFileSystem, } from "./test-runtime.js";
-/** Repository root, used to locate the bundled WASM command binaries. */
+/** Repository root, used to locate the in-repo WASM command build output. */
 const REPO_ROOT = fileURLToPath(new URL("../../..", import.meta.url));
 /**
- * Directory containing the WASM coreutils/shell command binaries that provide
- * the guest `sh` the kernel needs to drive `exec()`. Built from the in-repo
- * Rust command sources.
+ * In-repo build output for the WASM coreutils/shell command binaries, produced
+ * by the Rust command build (`make -C registry/native wasm`). Only present in a
+ * developer checkout; preferred when it exists so local edits are picked up
+ * without re-vendoring.
  */
-const DEFAULT_COMMANDS_DIR = path.join(REPO_ROOT, "registry/native/target/wasm32-wasip1/release/commands");
+const REPO_COMMANDS_DIR = path.join(REPO_ROOT, "registry/native/target/wasm32-wasip1/release/commands");
+/**
+ * Commands vendored into the published `@secure-exec/core` package by
+ * `scripts/copy-wasm-commands.mjs` (listed in `files` as `commands`). This is
+ * the directory a real `npm install secure-exec` resolves: from the compiled
+ * `dist/node-runtime.js` it sits at `<package>/commands`. This is the analogue
+ * of how the sidecar binary ships inside `@secure-exec/sidecar`.
+ */
+const BUNDLED_COMMANDS_DIR = fileURLToPath(new URL("../commands", import.meta.url));
+/**
+ * Resolve the directory holding the WASM command binaries (the source of the
+ * guest `sh` the kernel needs to spawn any process). Precedence:
+ *
+ *   1. explicit `commandsDir` option,
+ *   2. `SECURE_EXEC_WASM_COMMANDS_DIR` env var,
+ *   3. the in-repo build output (developer checkout), when present,
+ *   4. the commands vendored into the installed package (published installs).
+ *
+ * The in-repo path wins over the bundled copy so local development picks up
+ * freshly built commands without re-vendoring. A fresh `npm install` has no
+ * in-repo path, so it falls through to the bundled copy.
+ */
+function resolveCommandsDir(explicit) {
+    if (explicit !== undefined) {
+        return explicit;
+    }
+    const fromEnv = process.env.SECURE_EXEC_WASM_COMMANDS_DIR;
+    if (fromEnv) {
+        return fromEnv;
+    }
+    if (existsSync(REPO_COMMANDS_DIR)) {
+        return REPO_COMMANDS_DIR;
+    }
+    return BUNDLED_COMMANDS_DIR;
+}
 /**
  * Secure-by-default permission policy applied when the caller passes no
  * `permissions`. Outward-facing capabilities are denied: there is **no network
@@ -67,9 +103,7 @@ export class NodeRuntime {
      * shell and Node runtimes, and waits for the VM to report ready.
      */
     static async create(options = {}) {
-        const commandsDir = options.commandsDir ??
-            process.env.SECURE_EXEC_WASM_COMMANDS_DIR ??
-            DEFAULT_COMMANDS_DIR;
+        const commandsDir = resolveCommandsDir(options.commandsDir);
         // Seed caller-provided files into the VM's in-memory filesystem before
         // boot so they are part of the root filesystem snapshot the guest sees
         // (e.g. projected npm packages or fixtures). The host filesystem is

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@secure-exec/core",
-	"version": "0.3.0-rc.2",
+	"version": "0.3.0",
 	"type": "module",
 	"license": "Apache-2.0",
 	"main": "./dist/index.js",
@@ -8,6 +8,7 @@
 	"files": [
 		"dist",
 		"fixtures",
+		"commands",
 		"README.md"
 	],
 	"exports": {
@@ -178,12 +179,14 @@
 	"scripts": {
 		"build:protocol": "pnpm --dir ../build-tools build:protocol",
 		"build:vm-config": "cargo test -p secure-exec-vm-config --quiet",
+		"copy-commands": "node scripts/copy-wasm-commands.mjs",
 		"check-types": "pnpm run build:protocol && pnpm run build:vm-config && tsc --noEmit",
-		"build": "pnpm run build:protocol && pnpm run build:vm-config && tsc",
+		"build": "pnpm run build:protocol && pnpm run build:vm-config && tsc && pnpm run copy-commands",
+		"prepack": "node scripts/copy-wasm-commands.mjs --require",
 		"test": "vitest run"
 	},
 	"dependencies": {
-		"@secure-exec/sidecar": "0.3.0-rc.2",
+		"@secure-exec/sidecar": "0.3.0",
 		"@rivetkit/bare-ts": "^0.6.2"
 	},
 	"devDependencies": {