@secure-exec/nodejs 0.2.0-rc.1 → 0.2.0-rc.2

package/dist/kernel-runtime.js

@@ -11,8 +11,41 @@ import { existsSync, readFileSync } from 'node:fs';
 import * as fsPromises from 'node:fs/promises';
 import { dirname, join, resolve } from 'node:path';
 import { NodeExecutionDriver } from './execution-driver.js';
-import { createNodeDriver } from './driver.js';
+import { createDefaultNetworkAdapter, createNodeDriver } from './driver.js';
 import { allowAllChildProcess, allowAllFs, createProcessScopedFileSystem, } from '@secure-exec/core';
+const allowKernelProcSelfRead = {
+    fs: (request) => {
+        const rawPath = typeof request?.path === 'string' ? request.path : '';
+        const normalized = rawPath.length > 1 && rawPath.endsWith('/')
+            ? rawPath.slice(0, -1)
+            : rawPath || '/';
+        switch (request?.op) {
+            case 'read':
+            case 'readdir':
+            case 'readlink':
+            case 'stat':
+            case 'exists':
+                break;
+            default:
+                return {
+                    allow: false,
+                    reason: 'kernel procfs metadata is read-only',
+                };
+        }
+        if (normalized === '/proc' ||
+            normalized === '/proc/self' ||
+            normalized.startsWith('/proc/self/') ||
+            normalized === '/proc/sys' ||
+            normalized === '/proc/sys/kernel' ||
+            normalized === '/proc/sys/kernel/hostname') {
+            return { allow: true };
+        }
+        return {
+            allow: false,
+            reason: 'kernel-mounted Node only allows read-only /proc/self metadata by default',
+        };
+    },
+};
 /**
  * Create a Node.js RuntimeDriver that can be mounted into the kernel.
  */
@@ -288,7 +321,10 @@ class NodeRuntimeDriver {
     _activeDrivers = new Map();
     constructor(options) {
         this._memoryLimit = options?.memoryLimit ?? 128;
-        this._permissions = options?.permissions ?? { ...allowAllChildProcess };
+        this._permissions = options?.permissions ?? {
+            ...allowAllChildProcess,
+            ...allowKernelProcSelfRead,
+        };
         this._bindings = options?.bindings;
     }
     async init(kernel) {
@@ -309,6 +345,16 @@ class NodeRuntimeDriver {
                 resolve(code);
             };
         });
+        let killedSignal = null;
+        let killExitReported = false;
+        const reportKilledExit = (signal) => {
+            if (killExitReported)
+                return;
+            killExitReported = true;
+            const exitCode = 128 + signal;
+            resolveExit(exitCode);
+            proc.onExit?.(exitCode);
+        };
         // Stdin buffering — writeStdin collects data, closeStdin resolves the promise
         const stdinChunks = [];
         let stdinResolve = null;
@@ -349,17 +395,31 @@ class NodeRuntimeDriver {
                     stdinResolve = null;
                 }
             },
-            kill: (_signal) => {
+            kill: (signal) => {
+                if (exitResolved)
+                    return;
+                const normalizedSignal = signal > 0 ? signal : 15;
+                killedSignal = normalizedSignal;
                 const driver = this._activeDrivers.get(ctx.pid);
-                if (driver) {
-                    driver.dispose();
-                    this._activeDrivers.delete(ctx.pid);
+                if (!driver) {
+                    reportKilledExit(normalizedSignal);
+                    return;
                 }
+                this._activeDrivers.delete(ctx.pid);
+                void driver
+                    .terminate()
+                    .catch(() => {
+                    // Best effort: disposal still clears local resource tracking.
+                    driver.dispose();
+                })
+                    .finally(() => {
+                    reportKilledExit(normalizedSignal);
+                });
             },
             wait: () => exitPromise,
         };
         // Launch async — spawn() returns synchronously per RuntimeDriver contract
-        this._executeAsync(command, args, ctx, proc, resolveExit, stdinPromise);
+        this._executeAsync(command, args, ctx, proc, resolveExit, stdinPromise, () => killedSignal);
         return proc;
     }
     async dispose() {
@@ -375,13 +435,16 @@ class NodeRuntimeDriver {
     // -------------------------------------------------------------------------
     // Async execution
     // -------------------------------------------------------------------------
-    async _executeAsync(command, args, ctx, proc, resolveExit, stdinPromise) {
+    async _executeAsync(command, args, ctx, proc, resolveExit, stdinPromise, getKilledSignal) {
         const kernel = this._kernel;
         try {
             // Resolve the code to execute
             const { code, filePath } = await this._resolveEntry(command, args, kernel);
             // Wait for stdin data (resolves immediately if no writeStdin called)
             const stdinData = await stdinPromise;
+            if (getKilledSignal() !== null) {
+                return;
+            }
             // Build kernel-backed system driver
             const commandExecutor = createKernelCommandExecutor(kernel, ctx.pid);
             let filesystem = createProcessScopedFileSystem(createKernelVfsAdapter(kernel.vfs), ctx.pid);
@@ -397,6 +460,10 @@ class NodeRuntimeDriver {
             const stderrIsTTY = ctx.stderrIsTTY ?? false;
             const systemDriver = createNodeDriver({
                 filesystem,
+                moduleAccess: { cwd: ctx.cwd },
+                networkAdapter: kernel.socketTable.hasHostNetworkAdapter()
+                    ? createDefaultNetworkAdapter()
+                    : undefined,
                 commandExecutor,
                 permissions,
                 processConfig: {
@@ -407,16 +474,35 @@ class NodeRuntimeDriver {
                     stdoutIsTTY,
                     stderrIsTTY,
                 },
+                osConfig: {
+                    homedir: ctx.env.HOME || '/root',
+                    tmpdir: ctx.env.TMPDIR || '/tmp',
+                },
             });
             // Wire PTY raw mode callback when stdin is a terminal
             const onPtySetRawMode = stdinIsTTY
                 ? (mode) => {
-                    kernel.ptySetDiscipline(ctx.pid, 0, {
-                        canonical: !mode,
+                    kernel.tcsetattr(ctx.pid, 0, {
+                        icanon: !mode,
                         echo: !mode,
+                        isig: !mode,
+                        icrnl: !mode,
                     });
                 }
                 : undefined;
+            const liveStdinSource = stdinIsTTY
+                ? {
+                    async read() {
+                        try {
+                            const chunk = await kernel.fdRead(ctx.pid, 0, 4096);
+                            return chunk.length === 0 ? null : chunk;
+                        }
+                        catch {
+                            return null;
+                        }
+                    },
+                }
+                : undefined;
             // Create a per-process isolate with kernel socket routing
             const executionDriver = new NodeExecutionDriver({
                 system: systemDriver,
@@ -428,8 +514,20 @@ class NodeRuntimeDriver {
                 processTable: kernel.processTable,
                 timerTable: kernel.timerTable,
                 pid: ctx.pid,
+                liveStdinSource,
             });
             this._activeDrivers.set(ctx.pid, executionDriver);
+            const killedSignal = getKilledSignal();
+            if (killedSignal !== null) {
+                this._activeDrivers.delete(ctx.pid);
+                try {
+                    await executionDriver.terminate();
+                }
+                catch {
+                    executionDriver.dispose();
+                }
+                return;
+            }
             // Execute with stdout/stderr capture and stdin data
             const result = await executionDriver.exec(code, {
                 filePath,
@@ -437,7 +535,7 @@ class NodeRuntimeDriver {
                 cwd: ctx.cwd,
                 stdin: stdinData,
                 onStdio: (event) => {
-                    const data = new TextEncoder().encode(event.message + '\n');
+                    const data = new TextEncoder().encode(event.message);
                     if (event.channel === 'stdout') {
                         ctx.onStdout?.(data);
                         proc.onStdout?.(data);

package/dist/module-access.d.ts

@@ -20,6 +20,7 @@ export interface ModuleAccessOptions {
  */
 export declare class ModuleAccessFileSystem implements VirtualFileSystem {
     private readonly baseFileSystem?;
+    private readonly configuredNodeModulesRoot;
     private readonly hostNodeModulesRoot;
     private readonly overlayAllowedRoots;
     constructor(baseFileSystem: VirtualFileSystem | undefined, options: ModuleAccessOptions);
@@ -29,6 +30,8 @@ export declare class ModuleAccessFileSystem implements VirtualFileSystem {
     private isReadOnlyProjectionPath;
     private shouldMergeBase;
     private overlayHostPathFor;
+    private isProjectedHostPath;
+    private getOverlayHostPathCandidate;
     prepareOpenSync(pathValue: string, flags: number): boolean;
     /** Translate a sandbox path to the corresponding host path (for sync module resolution). */
     toHostPath(sandboxPath: string): string | null;

package/dist/module-access.js

@@ -69,16 +69,39 @@ function isNativeAddonPath(pathValue) {
 function collectOverlayAllowedRoots(hostNodeModulesRoot) {
     const roots = new Set([hostNodeModulesRoot]);
     const symlinkScanRoots = [hostNodeModulesRoot, path.join(hostNodeModulesRoot, ".pnpm", "node_modules")];
+    const scannedSymlinkDirs = new Set();
+    const findNearestNodeModulesAncestor = (targetPath) => {
+        let current = path.resolve(targetPath);
+        while (true) {
+            if (path.basename(current) === "node_modules") {
+                return current;
+            }
+            const parent = path.dirname(current);
+            if (parent === current) {
+                return null;
+            }
+            current = parent;
+        }
+    };
     const addSymlinkTarget = (entryPath) => {
         try {
             const target = fsSync.realpathSync(entryPath);
             roots.add(target);
+            const packageNodeModulesRoot = findNearestNodeModulesAncestor(target);
+            if (packageNodeModulesRoot) {
+                roots.add(packageNodeModulesRoot);
+                scanDirForSymlinks(packageNodeModulesRoot);
+            }
         }
         catch {
             // Ignore broken symlinks.
         }
     };
     const scanDirForSymlinks = (scanRoot) => {
+        if (scannedSymlinkDirs.has(scanRoot)) {
+            return;
+        }
+        scannedSymlinkDirs.add(scanRoot);
         let entries = [];
         try {
             entries = fsSync.readdirSync(scanRoot, { withFileTypes: true });
@@ -122,6 +145,7 @@ function collectOverlayAllowedRoots(hostNodeModulesRoot) {
  */
 export class ModuleAccessFileSystem {
     baseFileSystem;
+    configuredNodeModulesRoot;
     hostNodeModulesRoot;
     overlayAllowedRoots;
     constructor(baseFileSystem, options) {
@@ -132,6 +156,7 @@ export class ModuleAccessFileSystem {
         }
         const cwd = path.resolve(cwdInput);
         const nodeModulesPath = path.join(cwd, "node_modules");
+        this.configuredNodeModulesRoot = nodeModulesPath;
         try {
             this.hostNodeModulesRoot = fsSync.realpathSync(nodeModulesPath);
             this.overlayAllowedRoots = collectOverlayAllowedRoots(this.hostNodeModulesRoot);
@@ -164,7 +189,8 @@ export class ModuleAccessFileSystem {
         return entries;
     }
     isReadOnlyProjectionPath(virtualPath) {
-        return startsWithPath(virtualPath, SANDBOX_NODE_MODULES_ROOT);
+        return (startsWithPath(virtualPath, SANDBOX_NODE_MODULES_ROOT) ||
+            this.isProjectedHostPath(virtualPath));
     }
     shouldMergeBase(pathValue) {
         return (pathValue === "/" ||
@@ -189,6 +215,30 @@ export class ModuleAccessFileSystem {
         }
         return path.join(this.hostNodeModulesRoot, ...relative.split("/"));
     }
+    isProjectedHostPath(pathValue) {
+        if (!path.isAbsolute(pathValue)) {
+            return false;
+        }
+        const resolved = path.resolve(pathValue);
+        if (isWithinPath(resolved, this.configuredNodeModulesRoot)) {
+            return true;
+        }
+        if (this.hostNodeModulesRoot &&
+            isWithinPath(resolved, this.hostNodeModulesRoot)) {
+            return true;
+        }
+        return this.overlayAllowedRoots.some((root) => isWithinPath(resolved, root));
+    }
+    getOverlayHostPathCandidate(pathValue) {
+        const overlayPath = this.overlayHostPathFor(pathValue);
+        if (overlayPath) {
+            return overlayPath;
+        }
+        if (!this.isProjectedHostPath(pathValue)) {
+            return null;
+        }
+        return path.resolve(pathValue);
+    }
     prepareOpenSync(pathValue, flags) {
         const virtualPath = normalizeOverlayPath(pathValue);
         if (this.isReadOnlyProjectionPath(virtualPath)) {
@@ -213,7 +263,7 @@ export class ModuleAccessFileSystem {
         if (isNativeAddonPath(virtualPath)) {
             throw createModuleAccessError(MODULE_ACCESS_NATIVE_ADDON, `native addon '${virtualPath}' is not supported for module overlay`);
         }
-        const hostPath = this.overlayHostPathFor(virtualPath);
+        const hostPath = this.getOverlayHostPathCandidate(virtualPath);
         if (!hostPath) {
             return null;
         }

package/dist/module-resolver.js

@@ -1,7 +1,7 @@
 import { normalizeBuiltinSpecifier, getPathDir, } from "./builtin-modules.js";
 import { resolveModule } from "./package-bundler.js";
-import { isESM } from "@secure-exec/core/internal/shared/esm-utils";
 import { parseJsonWithLimit } from "./isolate-bootstrap.js";
+import { sourceHasModuleSyntax } from "./module-source.js";
 export async function getNearestPackageType(deps, filePath) {
     let currentDir = getPathDir(filePath);
     const visitedDirs = [];
@@ -72,7 +72,7 @@ export async function getModuleFormat(deps, filePath, sourceCode) {
         else if (packageType === "commonjs") {
             format = "cjs";
         }
-        else if (sourceCode && isESM(sourceCode, filePath)) {
+        else if (sourceCode && await sourceHasModuleSyntax(sourceCode, filePath)) {
             // Some package managers/projected filesystems omit package.json.
             // Fall back to syntax-based detection for plain .js modules.
             format = "esm";
@@ -90,7 +90,7 @@ export async function getModuleFormat(deps, filePath, sourceCode) {
 export async function shouldRunAsESM(deps, code, filePath) {
     // Keep heuristic mode for string-only snippets without file metadata.
     if (!filePath) {
-        return isESM(code);
+        return sourceHasModuleSyntax(code);
     }
     return (await getModuleFormat(deps, filePath)) === "esm";
 }

package/dist/module-source.d.ts

@@ -0,0 +1,5 @@
+export declare function sourceHasModuleSyntax(source: string, filePath?: string): Promise<boolean>;
+export declare function transformSourceForRequireSync(source: string, filePath: string): string;
+export declare function transformSourceForRequire(source: string, filePath: string): Promise<string>;
+export declare function transformSourceForImport(source: string, filePath: string): Promise<string>;
+export declare function transformSourceForImportSync(source: string, filePath: string, formatPath?: string): string;

package/dist/module-source.js

@@ -0,0 +1,224 @@
+import { existsSync, readFileSync } from "node:fs";
+import { dirname as pathDirname, join as pathJoin } from "node:path";
+import { pathToFileURL } from "node:url";
+import { transform, transformSync } from "esbuild";
+import { initSync as initCjsLexerSync, parse as parseCjsExports } from "cjs-module-lexer";
+import { init, initSync, parse } from "es-module-lexer";
+const REQUIRE_TRANSFORM_MARKER = "/*__secure_exec_require_esm__*/";
+const IMPORT_META_URL_HELPER = "__secureExecImportMetaUrl__";
+const IMPORT_META_RESOLVE_HELPER = "__secureExecImportMetaResolve__";
+const UNICODE_SET_REGEX_MARKER = "/v";
+const CJS_IMPORT_DEFAULT_HELPER = "__secureExecImportedCjsModule__";
+function isJavaScriptLikePath(filePath) {
+    return filePath === undefined || /\.[cm]?[jt]sx?$/.test(filePath);
+}
+function normalizeJavaScriptSource(source) {
+    const bomPrefix = source.charCodeAt(0) === 0xfeff ? "\uFEFF" : "";
+    const shebangOffset = bomPrefix.length;
+    if (!source.startsWith("#!", shebangOffset)) {
+        return source;
+    }
+    return (bomPrefix +
+        "//" +
+        source.slice(shebangOffset + 2));
+}
+function parseSourceSyntax(source, filePath) {
+    const [imports, , , hasModuleSyntax] = parse(source, filePath);
+    const hasDynamicImport = imports.some((specifier) => specifier.d >= 0);
+    const hasImportMeta = imports.some((specifier) => specifier.d === -2);
+    return { hasModuleSyntax, hasDynamicImport, hasImportMeta };
+}
+function isValidIdentifier(value) {
+    return /^[$A-Z_][0-9A-Z_$]*$/i.test(value);
+}
+function getNearestPackageTypeSync(filePath) {
+    let currentDir = pathDirname(filePath);
+    while (true) {
+        const packageJsonPath = pathJoin(currentDir, "package.json");
+        if (existsSync(packageJsonPath)) {
+            try {
+                const pkgJson = JSON.parse(readFileSync(packageJsonPath, "utf8"));
+                return pkgJson.type === "module" || pkgJson.type === "commonjs"
+                    ? pkgJson.type
+                    : null;
+            }
+            catch {
+                return null;
+            }
+        }
+        const parentDir = pathDirname(currentDir);
+        if (parentDir === currentDir) {
+            return null;
+        }
+        currentDir = parentDir;
+    }
+}
+function isCommonJsModuleForImportSync(source, formatPath) {
+    if (!isJavaScriptLikePath(formatPath)) {
+        return false;
+    }
+    if (formatPath.endsWith(".cjs")) {
+        return true;
+    }
+    if (formatPath.endsWith(".mjs")) {
+        return false;
+    }
+    if (formatPath.endsWith(".js")) {
+        const packageType = getNearestPackageTypeSync(formatPath);
+        if (packageType === "module") {
+            return false;
+        }
+        if (packageType === "commonjs") {
+            return true;
+        }
+        initSync();
+        return !parseSourceSyntax(source, formatPath).hasModuleSyntax;
+    }
+    return false;
+}
+function buildCommonJsImportWrapper(source, filePath) {
+    initCjsLexerSync();
+    const { exports } = parseCjsExports(source);
+    const namedExports = Array.from(new Set(exports.filter((name) => name !== "default" &&
+        name !== "__esModule" &&
+        isValidIdentifier(name))));
+    const lines = [
+        `const ${CJS_IMPORT_DEFAULT_HELPER} = globalThis._requireFrom(${JSON.stringify(filePath)}, "/");`,
+        `export default ${CJS_IMPORT_DEFAULT_HELPER};`,
+        ...namedExports.map((name) => `export const ${name} = ${CJS_IMPORT_DEFAULT_HELPER} == null ? undefined : ${CJS_IMPORT_DEFAULT_HELPER}[${JSON.stringify(name)}];`),
+    ];
+    return lines.join("\n");
+}
+function getRequireTransformOptions(filePath, syntax) {
+    const requiresEsmWrapper = syntax.hasModuleSyntax || syntax.hasImportMeta;
+    const bannerLines = requiresEsmWrapper ? [REQUIRE_TRANSFORM_MARKER] : [];
+    if (syntax.hasImportMeta) {
+        bannerLines.push(`const ${IMPORT_META_URL_HELPER} = require("node:url").pathToFileURL(__secureExecFilename).href;`);
+    }
+    return {
+        banner: bannerLines.length > 0 ? bannerLines.join("\n") : undefined,
+        define: syntax.hasImportMeta
+            ? {
+                "import.meta.url": IMPORT_META_URL_HELPER,
+            }
+            : undefined,
+        format: "cjs",
+        loader: "js",
+        platform: "node",
+        sourcefile: filePath,
+        supported: {
+            "dynamic-import": false,
+        },
+        target: "node22",
+    };
+}
+function getImportTransformOptions(filePath, syntax) {
+    const bannerLines = [];
+    if (syntax.hasImportMeta) {
+        bannerLines.push(`const ${IMPORT_META_URL_HELPER} = ${JSON.stringify(pathToFileURL(filePath).href)};`, `const ${IMPORT_META_RESOLVE_HELPER} = (specifier) => globalThis.__importMetaResolve(specifier, ${JSON.stringify(filePath)});`);
+    }
+    return {
+        banner: bannerLines.length > 0 ? bannerLines.join("\n") : undefined,
+        define: syntax.hasImportMeta
+            ? {
+                "import.meta.url": IMPORT_META_URL_HELPER,
+                "import.meta.resolve": IMPORT_META_RESOLVE_HELPER,
+            }
+            : undefined,
+        format: "esm",
+        loader: "js",
+        platform: "node",
+        sourcefile: filePath,
+        target: "es2020",
+    };
+}
+export async function sourceHasModuleSyntax(source, filePath) {
+    const normalizedSource = normalizeJavaScriptSource(source);
+    if (filePath?.endsWith(".mjs")) {
+        return true;
+    }
+    if (filePath?.endsWith(".cjs")) {
+        return false;
+    }
+    await init;
+    return parseSourceSyntax(normalizedSource, filePath).hasModuleSyntax;
+}
+export function transformSourceForRequireSync(source, filePath) {
+    if (!isJavaScriptLikePath(filePath)) {
+        return source;
+    }
+    const normalizedSource = normalizeJavaScriptSource(source);
+    initSync();
+    const syntax = parseSourceSyntax(normalizedSource, filePath);
+    if (!(syntax.hasModuleSyntax || syntax.hasDynamicImport || syntax.hasImportMeta)) {
+        return normalizedSource;
+    }
+    try {
+        return transformSync(normalizedSource, getRequireTransformOptions(filePath, syntax)).code;
+    }
+    catch {
+        return normalizedSource;
+    }
+}
+export async function transformSourceForRequire(source, filePath) {
+    if (!isJavaScriptLikePath(filePath)) {
+        return source;
+    }
+    const normalizedSource = normalizeJavaScriptSource(source);
+    await init;
+    const syntax = parseSourceSyntax(normalizedSource, filePath);
+    if (!(syntax.hasModuleSyntax || syntax.hasDynamicImport || syntax.hasImportMeta)) {
+        return normalizedSource;
+    }
+    try {
+        return (await transform(normalizedSource, getRequireTransformOptions(filePath, syntax))).code;
+    }
+    catch {
+        return normalizedSource;
+    }
+}
+export async function transformSourceForImport(source, filePath) {
+    if (!isJavaScriptLikePath(filePath)) {
+        return source;
+    }
+    const normalizedSource = normalizeJavaScriptSource(source);
+    await init;
+    const syntax = parseSourceSyntax(normalizedSource, filePath);
+    const needsTransform = normalizedSource.includes(UNICODE_SET_REGEX_MARKER) || syntax.hasImportMeta;
+    if (!(syntax.hasModuleSyntax || syntax.hasDynamicImport || syntax.hasImportMeta)) {
+        return normalizedSource;
+    }
+    if (!needsTransform) {
+        return normalizedSource;
+    }
+    try {
+        return (await transform(normalizedSource, getImportTransformOptions(filePath, syntax))).code;
+    }
+    catch {
+        return normalizedSource;
+    }
+}
+export function transformSourceForImportSync(source, filePath, formatPath = filePath) {
+    if (!isJavaScriptLikePath(filePath)) {
+        return source;
+    }
+    const normalizedSource = normalizeJavaScriptSource(source);
+    if (isCommonJsModuleForImportSync(normalizedSource, formatPath)) {
+        return buildCommonJsImportWrapper(normalizedSource, filePath);
+    }
+    initSync();
+    const syntax = parseSourceSyntax(normalizedSource, filePath);
+    const needsTransform = normalizedSource.includes(UNICODE_SET_REGEX_MARKER) || syntax.hasImportMeta;
+    if (!(syntax.hasModuleSyntax || syntax.hasDynamicImport || syntax.hasImportMeta)) {
+        return normalizedSource;
+    }
+    if (!needsTransform) {
+        return normalizedSource;
+    }
+    try {
+        return transformSync(normalizedSource, getImportTransformOptions(filePath, syntax)).code;
+    }
+    catch {
+        return normalizedSource;
+    }
+}

package/dist/polyfills.js

@@ -1,7 +1,25 @@
 import * as esbuild from "esbuild";
 import stdLibBrowser from "node-stdlib-browser";
+import { fileURLToPath } from "node:url";
 // Cache bundled polyfills
 const polyfillCache = new Map();
+function resolveCustomPolyfillSource(fileName) {
+    return fileURLToPath(new URL(`../src/polyfills/${fileName}`, import.meta.url));
+}
+const WEB_STREAMS_PONYFILL_PATH = fileURLToPath(new URL("../../../node_modules/.pnpm/node_modules/web-streams-polyfill/dist/ponyfill.js", import.meta.url));
+const CUSTOM_POLYFILL_ENTRY_POINTS = new Map([
+    ["crypto", resolveCustomPolyfillSource("crypto.js")],
+    ["stream/web", resolveCustomPolyfillSource("stream-web.js")],
+    ["util/types", resolveCustomPolyfillSource("util-types.js")],
+    ["internal/webstreams/util", resolveCustomPolyfillSource("internal-webstreams-util.js")],
+    ["internal/webstreams/adapters", resolveCustomPolyfillSource("internal-webstreams-adapters.js")],
+    ["internal/webstreams/readablestream", resolveCustomPolyfillSource("internal-webstreams-readablestream.js")],
+    ["internal/webstreams/writablestream", resolveCustomPolyfillSource("internal-webstreams-writablestream.js")],
+    ["internal/webstreams/transformstream", resolveCustomPolyfillSource("internal-webstreams-transformstream.js")],
+    ["internal/worker/js_transferable", resolveCustomPolyfillSource("internal-worker-js-transferable.js")],
+    ["internal/test/binding", resolveCustomPolyfillSource("internal-test-binding.js")],
+    ["internal/mime", resolveCustomPolyfillSource("internal-mime.js")],
+]);
 // node-stdlib-browser provides the mapping from Node.js stdlib to polyfill paths
 // e.g., { path: "/path/to/path-browserify/index.js", fs: null, ... }
 // We use this mapping instead of maintaining our own
@@ -13,7 +31,8 @@ export async function bundlePolyfill(moduleName) {
     if (cached)
         return cached;
     // Get the polyfill entry point from node-stdlib-browser
-    const entryPoint = stdLibBrowser[moduleName];
+    const entryPoint = CUSTOM_POLYFILL_ENTRY_POINTS.get(moduleName) ??
+        stdLibBrowser[moduleName];
     if (!entryPoint) {
         throw new Error(`No polyfill available for module: ${moduleName}`);
     }
@@ -26,6 +45,10 @@ export async function bundlePolyfill(moduleName) {
             alias[`node:${name}`] = path;
         }
     }
+    if (typeof stdLibBrowser.crypto === "string") {
+        alias.__secure_exec_crypto_browserify__ = stdLibBrowser.crypto;
+    }
+    alias["web-streams-polyfill/dist/ponyfill.js"] = WEB_STREAMS_PONYFILL_PATH;
     // Bundle using esbuild with CommonJS format
     // This ensures proper module.exports handling for all module types including JSON
     const result = await esbuild.build({
@@ -84,6 +107,9 @@ export function getAvailableStdlib() {
 export function hasPolyfill(moduleName) {
     // Strip node: prefix
     const name = moduleName.replace(/^node:/, "");
+    if (CUSTOM_POLYFILL_ENTRY_POINTS.has(name)) {
+        return true;
+    }
     const polyfill = stdLibBrowser[name];
     return polyfill !== undefined && polyfill !== null;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@secure-exec/nodejs",
-  "version": "0.2.0-rc.1",
+  "version": "0.2.0-rc.2",
   "type": "module",
   "license": "Apache-2.0",
   "main": "./dist/index.js",
@@ -97,10 +97,12 @@
     }
   },
   "dependencies": {
+    "cjs-module-lexer": "^2.1.0",
+    "es-module-lexer": "^1.7.0",
     "esbuild": "^0.27.1",
     "node-stdlib-browser": "^1.3.1",
-    "@secure-exec/core": "0.2.0-rc.1",
-    "@secure-exec/v8": "0.2.0-rc.1"
+    "@secure-exec/core": "0.2.0-rc.2",
+    "@secure-exec/v8": "0.2.0-rc.2"
   },
   "devDependencies": {
     "@types/node": "^22.10.2",