@secure-exec/nodejs 0.2.0-rc.1

package/dist/module-resolver.js

@@ -0,0 +1,150 @@
+import { normalizeBuiltinSpecifier, getPathDir, } from "./builtin-modules.js";
+import { resolveModule } from "./package-bundler.js";
+import { isESM } from "@secure-exec/core/internal/shared/esm-utils";
+import { parseJsonWithLimit } from "./isolate-bootstrap.js";
+export async function getNearestPackageType(deps, filePath) {
+    let currentDir = getPathDir(filePath);
+    const visitedDirs = [];
+    while (true) {
+        if (deps.packageTypeCache.has(currentDir)) {
+            return deps.packageTypeCache.get(currentDir) ?? null;
+        }
+        visitedDirs.push(currentDir);
+        const packageJsonPath = currentDir === "/" ? "/package.json" : `${currentDir}/package.json`;
+        let hasPackageJson = false;
+        try {
+            hasPackageJson = await deps.filesystem.exists(packageJsonPath);
+        }
+        catch (error) {
+            const err = error;
+            if (err?.code !== "EACCES" && err?.code !== "EPERM") {
+                throw err;
+            }
+        }
+        if (hasPackageJson) {
+            try {
+                const packageJsonText = await deps.filesystem.readTextFile(packageJsonPath);
+                const pkgJson = parseJsonWithLimit(`package.json ${packageJsonPath}`, packageJsonText, deps.isolateJsonPayloadLimitBytes);
+                const packageType = pkgJson.type === "module" || pkgJson.type === "commonjs"
+                    ? pkgJson.type
+                    : null;
+                for (const dir of visitedDirs) {
+                    deps.packageTypeCache.set(dir, packageType);
+                }
+                return packageType;
+            }
+            catch {
+                for (const dir of visitedDirs) {
+                    deps.packageTypeCache.set(dir, null);
+                }
+                return null;
+            }
+        }
+        if (currentDir === "/") {
+            for (const dir of visitedDirs) {
+                deps.packageTypeCache.set(dir, null);
+            }
+            return null;
+        }
+        currentDir = getPathDir(currentDir);
+    }
+}
+export async function getModuleFormat(deps, filePath, sourceCode) {
+    const cached = deps.moduleFormatCache.get(filePath);
+    if (cached) {
+        return cached;
+    }
+    let format;
+    if (filePath.endsWith(".mjs")) {
+        format = "esm";
+    }
+    else if (filePath.endsWith(".cjs")) {
+        format = "cjs";
+    }
+    else if (filePath.endsWith(".json")) {
+        format = "json";
+    }
+    else if (filePath.endsWith(".js")) {
+        const packageType = await getNearestPackageType(deps, filePath);
+        if (packageType === "module") {
+            format = "esm";
+        }
+        else if (packageType === "commonjs") {
+            format = "cjs";
+        }
+        else if (sourceCode && isESM(sourceCode, filePath)) {
+            // Some package managers/projected filesystems omit package.json.
+            // Fall back to syntax-based detection for plain .js modules.
+            format = "esm";
+        }
+        else {
+            format = "cjs";
+        }
+    }
+    else {
+        format = "cjs";
+    }
+    deps.moduleFormatCache.set(filePath, format);
+    return format;
+}
+export async function shouldRunAsESM(deps, code, filePath) {
+    // Keep heuristic mode for string-only snippets without file metadata.
+    if (!filePath) {
+        return isESM(code);
+    }
+    return (await getModuleFormat(deps, filePath)) === "esm";
+}
+export async function resolveReferrerDirectory(deps, referrerPath) {
+    if (referrerPath === "" || referrerPath === "/") {
+        return "/";
+    }
+    // Dynamic import hooks may pass either a module file path or a module
+    // directory path. Prefer filesystem metadata so we do not strip one level
+    // when the referrer is already a directory.
+    if (deps.filesystem) {
+        try {
+            const statInfo = await deps.filesystem.stat(referrerPath);
+            if (statInfo.isDirectory) {
+                return referrerPath;
+            }
+        }
+        catch {
+            // Fall back to string-based path handling below.
+        }
+    }
+    if (referrerPath.endsWith("/")) {
+        return referrerPath.slice(0, -1) || "/";
+    }
+    const lastSlash = referrerPath.lastIndexOf("/");
+    if (lastSlash <= 0) {
+        return "/";
+    }
+    return referrerPath.slice(0, lastSlash);
+}
+export async function resolveESMPath(deps, specifier, referrerPath) {
+    // Handle built-ins and bridged modules first.
+    const builtinSpecifier = normalizeBuiltinSpecifier(specifier);
+    if (builtinSpecifier) {
+        return builtinSpecifier;
+    }
+    const referrerDir = await resolveReferrerDirectory(deps, referrerPath);
+    // Preserve direct path imports before falling back to node_modules
+    // resolution so missing relative modules report the resolved sandbox path.
+    if (specifier.startsWith("/")) {
+        return specifier;
+    }
+    if (specifier.startsWith("./") || specifier.startsWith("../")) {
+        const parts = referrerDir.split("/").filter(Boolean);
+        for (const part of specifier.split("/")) {
+            if (part === "..") {
+                parts.pop();
+                continue;
+            }
+            if (part !== ".") {
+                parts.push(part);
+            }
+        }
+        return `/${parts.join("/")}`;
+    }
+    return resolveModule(specifier, referrerDir, deps.filesystem, "import", deps.resolutionCache);
+}

package/dist/os-filesystem.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Node.js filesystem adapter for kernel integration.
+ *
+ * Implements VirtualFileSystem by delegating to node:fs/promises.
+ * When the kernel uses a HostNodeFileSystem, file operations go to the
+ * real host filesystem (sandboxed by the root path).
+ */
+import type { VirtualFileSystem, VirtualStat, VirtualDirEntry } from "@secure-exec/core";
+export interface HostNodeFileSystemOptions {
+    /** Root directory on the host — all paths are relative to this. */
+    root?: string;
+}
+export declare class HostNodeFileSystem implements VirtualFileSystem {
+    private root;
+    constructor(options?: HostNodeFileSystemOptions);
+    private resolve;
+    prepareOpenSync(p: string, flags: number): boolean;
+    readFile(p: string): Promise<Uint8Array>;
+    readTextFile(p: string): Promise<string>;
+    readDir(p: string): Promise<string[]>;
+    readDirWithTypes(p: string): Promise<VirtualDirEntry[]>;
+    writeFile(p: string, content: string | Uint8Array): Promise<void>;
+    createDir(p: string): Promise<void>;
+    mkdir(p: string, options?: {
+        recursive?: boolean;
+    }): Promise<void>;
+    exists(p: string): Promise<boolean>;
+    stat(p: string): Promise<VirtualStat>;
+    removeFile(p: string): Promise<void>;
+    removeDir(p: string): Promise<void>;
+    rename(oldPath: string, newPath: string): Promise<void>;
+    realpath(p: string): Promise<string>;
+    symlink(target: string, linkPath: string): Promise<void>;
+    readlink(p: string): Promise<string>;
+    lstat(p: string): Promise<VirtualStat>;
+    link(oldPath: string, newPath: string): Promise<void>;
+    chmod(p: string, mode: number): Promise<void>;
+    chown(p: string, uid: number, gid: number): Promise<void>;
+    utimes(p: string, atime: number, mtime: number): Promise<void>;
+    truncate(p: string, length: number): Promise<void>;
+    pread(p: string, offset: number, length: number): Promise<Uint8Array>;
+}

package/dist/os-filesystem.js

@@ -0,0 +1,161 @@
+/**
+ * Node.js filesystem adapter for kernel integration.
+ *
+ * Implements VirtualFileSystem by delegating to node:fs/promises.
+ * When the kernel uses a HostNodeFileSystem, file operations go to the
+ * real host filesystem (sandboxed by the root path).
+ */
+import * as fs from "node:fs/promises";
+import * as fsSync from "node:fs";
+import * as path from "node:path";
+import { KernelError, O_CREAT, O_EXCL, O_TRUNC } from "@secure-exec/core";
+export class HostNodeFileSystem {
+    root;
+    constructor(options) {
+        this.root = options?.root ?? "/";
+    }
+    resolve(p) {
+        // Map virtual path to host path under root
+        const normalized = path.posix.normalize(p);
+        return path.join(this.root, normalized);
+    }
+    prepareOpenSync(p, flags) {
+        const hostPath = this.resolve(p);
+        const hasCreate = (flags & O_CREAT) !== 0;
+        const hasExcl = (flags & O_EXCL) !== 0;
+        const hasTrunc = (flags & O_TRUNC) !== 0;
+        const exists = fsSync.existsSync(hostPath);
+        if (hasCreate && hasExcl && exists) {
+            throw new KernelError("EEXIST", `file already exists, open '${p}'`);
+        }
+        let created = false;
+        if (!exists && hasCreate) {
+            fsSync.mkdirSync(path.dirname(hostPath), { recursive: true });
+            fsSync.writeFileSync(hostPath, new Uint8Array(0));
+            created = true;
+        }
+        if (hasTrunc) {
+            try {
+                fsSync.truncateSync(hostPath, 0);
+            }
+            catch (error) {
+                const err = error;
+                if (err.code === "ENOENT") {
+                    throw new KernelError("ENOENT", `no such file or directory, open '${p}'`);
+                }
+                if (err.code === "EISDIR") {
+                    throw new KernelError("EISDIR", `illegal operation on a directory, open '${p}'`);
+                }
+                throw error;
+            }
+        }
+        return created;
+    }
+    async readFile(p) {
+        return new Uint8Array(await fs.readFile(this.resolve(p)));
+    }
+    async readTextFile(p) {
+        return fs.readFile(this.resolve(p), "utf-8");
+    }
+    async readDir(p) {
+        return fs.readdir(this.resolve(p));
+    }
+    async readDirWithTypes(p) {
+        const entries = await fs.readdir(this.resolve(p), {
+            withFileTypes: true,
+        });
+        return entries.map((e) => ({
+            name: e.name,
+            isDirectory: e.isDirectory(),
+            isSymbolicLink: e.isSymbolicLink(),
+        }));
+    }
+    async writeFile(p, content) {
+        const hostPath = this.resolve(p);
+        await fs.mkdir(path.dirname(hostPath), { recursive: true });
+        await fs.writeFile(hostPath, content);
+    }
+    async createDir(p) {
+        await fs.mkdir(this.resolve(p));
+    }
+    async mkdir(p, options) {
+        await fs.mkdir(this.resolve(p), { recursive: options?.recursive ?? true });
+    }
+    async exists(p) {
+        try {
+            await fs.access(this.resolve(p));
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async stat(p) {
+        const s = await fs.stat(this.resolve(p));
+        return toVirtualStat(s);
+    }
+    async removeFile(p) {
+        await fs.unlink(this.resolve(p));
+    }
+    async removeDir(p) {
+        await fs.rmdir(this.resolve(p));
+    }
+    async rename(oldPath, newPath) {
+        await fs.rename(this.resolve(oldPath), this.resolve(newPath));
+    }
+    async realpath(p) {
+        return fs.realpath(this.resolve(p));
+    }
+    async symlink(target, linkPath) {
+        await fs.symlink(target, this.resolve(linkPath));
+    }
+    async readlink(p) {
+        return fs.readlink(this.resolve(p));
+    }
+    async lstat(p) {
+        const s = await fs.lstat(this.resolve(p));
+        return toVirtualStat(s);
+    }
+    async link(oldPath, newPath) {
+        await fs.link(this.resolve(oldPath), this.resolve(newPath));
+    }
+    async chmod(p, mode) {
+        await fs.chmod(this.resolve(p), mode);
+    }
+    async chown(p, uid, gid) {
+        await fs.chown(this.resolve(p), uid, gid);
+    }
+    async utimes(p, atime, mtime) {
+        await fs.utimes(this.resolve(p), atime / 1000, mtime / 1000);
+    }
+    async truncate(p, length) {
+        await fs.truncate(this.resolve(p), length);
+    }
+    async pread(p, offset, length) {
+        const handle = await fs.open(this.resolve(p), "r");
+        try {
+            const buf = new Uint8Array(length);
+            const { bytesRead } = await handle.read(buf, 0, length, offset);
+            return bytesRead < length ? buf.slice(0, bytesRead) : buf;
+        }
+        finally {
+            await handle.close();
+        }
+    }
+}
+function toVirtualStat(s) {
+    return {
+        mode: s.mode,
+        size: s.size,
+        isDirectory: s.isDirectory(),
+        isSymbolicLink: s.isSymbolicLink(),
+        atimeMs: s.atimeMs,
+        mtimeMs: s.mtimeMs,
+        ctimeMs: s.ctimeMs,
+        birthtimeMs: s.birthtimeMs,
+        ino: s.ino,
+        nlink: s.nlink,
+        uid: s.uid,
+        gid: s.gid,
+    };
+}

package/dist/package-bundler.d.ts

@@ -0,0 +1,36 @@
+import type { VirtualFileSystem } from "@secure-exec/core";
+type ResolveMode = "require" | "import";
+interface PackageJson {
+    main?: string;
+    type?: "module" | "commonjs";
+    exports?: unknown;
+    imports?: unknown;
+}
+/** Caches for module resolution to avoid redundant VFS probes. */
+export interface ResolutionCache {
+    /** Top-level resolution results keyed by `request\0fromDir\0mode` */
+    resolveResults: Map<string, string | null>;
+    /** Parsed package.json content by path */
+    packageJsonResults: Map<string, PackageJson | null>;
+    /** File existence by path */
+    existsResults: Map<string, boolean>;
+    /** Stat results by path (null = ENOENT) */
+    statResults: Map<string, {
+        isDirectory: boolean;
+    } | null>;
+}
+export declare function createResolutionCache(): ResolutionCache;
+/**
+ * Resolve a module request to an absolute path in the virtual filesystem
+ */
+export declare function resolveModule(request: string, fromDir: string, fs: VirtualFileSystem, mode?: ResolveMode, cache?: ResolutionCache): Promise<string | null>;
+/**
+ * Load a file's content from the virtual filesystem
+ */
+export declare function loadFile(path: string, fs: VirtualFileSystem): Promise<string | null>;
+/**
+ * Legacy function - bundle a package from node_modules (simple approach)
+ * This is kept for backwards compatibility but the new dynamic resolution is preferred
+ */
+export declare function bundlePackage(packageName: string, fs: VirtualFileSystem): Promise<string | null>;
+export {};