@secure-exec/nodejs 0.2.0-rc.1

package/dist/bridge/os.d.ts

@@ -0,0 +1,13 @@
+import type * as nodeOs from "os";
+export interface OSConfig {
+    platform?: string;
+    arch?: string;
+    type?: string;
+    release?: string;
+    version?: string;
+    homedir?: string;
+    tmpdir?: string;
+    hostname?: string;
+}
+declare const os: typeof nodeOs;
+export default os;

package/dist/bridge/os.js

@@ -0,0 +1,256 @@
+// OS module polyfill for the sandbox
+// Provides Node.js os module emulation for sandbox compatibility
+import { exposeCustomGlobal } from "@secure-exec/core/internal/shared/global-exposure";
+// Get config with defaults
+const config = {
+    platform: (typeof _osConfig !== "undefined" && _osConfig.platform) || "linux",
+    arch: (typeof _osConfig !== "undefined" && _osConfig.arch) || "x64",
+    type: (typeof _osConfig !== "undefined" && _osConfig.type) || "Linux",
+    release: (typeof _osConfig !== "undefined" && _osConfig.release) || "5.15.0",
+    version: (typeof _osConfig !== "undefined" && _osConfig.version) || "#1 SMP",
+    homedir: (typeof _osConfig !== "undefined" && _osConfig.homedir) || "/root",
+    tmpdir: (typeof _osConfig !== "undefined" && _osConfig.tmpdir) || "/tmp",
+    hostname: (typeof _osConfig !== "undefined" && _osConfig.hostname) || "sandbox",
+};
+// Signal constants (subset — sandbox only emulates Linux signals)
+const signals = {
+    SIGHUP: 1,
+    SIGINT: 2,
+    SIGQUIT: 3,
+    SIGILL: 4,
+    SIGTRAP: 5,
+    SIGABRT: 6,
+    SIGIOT: 6,
+    SIGBUS: 7,
+    SIGFPE: 8,
+    SIGKILL: 9,
+    SIGUSR1: 10,
+    SIGSEGV: 11,
+    SIGUSR2: 12,
+    SIGPIPE: 13,
+    SIGALRM: 14,
+    SIGTERM: 15,
+    SIGSTKFLT: 16,
+    SIGCHLD: 17,
+    SIGCONT: 18,
+    SIGSTOP: 19,
+    SIGTSTP: 20,
+    SIGTTIN: 21,
+    SIGTTOU: 22,
+    SIGURG: 23,
+    SIGXCPU: 24,
+    SIGXFSZ: 25,
+    SIGVTALRM: 26,
+    SIGPROF: 27,
+    SIGWINCH: 28,
+    SIGIO: 29,
+    SIGPOLL: 29,
+    SIGPWR: 30,
+    SIGSYS: 31,
+};
+// Errno constants
+const errno = {
+    E2BIG: 7,
+    EACCES: 13,
+    EADDRINUSE: 98,
+    EADDRNOTAVAIL: 99,
+    EAFNOSUPPORT: 97,
+    EAGAIN: 11,
+    EALREADY: 114,
+    EBADF: 9,
+    EBADMSG: 74,
+    EBUSY: 16,
+    ECANCELED: 125,
+    ECHILD: 10,
+    ECONNABORTED: 103,
+    ECONNREFUSED: 111,
+    ECONNRESET: 104,
+    EDEADLK: 35,
+    EDESTADDRREQ: 89,
+    EDOM: 33,
+    EDQUOT: 122,
+    EEXIST: 17,
+    EFAULT: 14,
+    EFBIG: 27,
+    EHOSTUNREACH: 113,
+    EIDRM: 43,
+    EILSEQ: 84,
+    EINPROGRESS: 115,
+    EINTR: 4,
+    EINVAL: 22,
+    EIO: 5,
+    EISCONN: 106,
+    EISDIR: 21,
+    ELOOP: 40,
+    EMFILE: 24,
+    EMLINK: 31,
+    EMSGSIZE: 90,
+    EMULTIHOP: 72,
+    ENAMETOOLONG: 36,
+    ENETDOWN: 100,
+    ENETRESET: 102,
+    ENETUNREACH: 101,
+    ENFILE: 23,
+    ENOBUFS: 105,
+    ENODATA: 61,
+    ENODEV: 19,
+    ENOENT: 2,
+    ENOEXEC: 8,
+    ENOLCK: 37,
+    ENOLINK: 67,
+    ENOMEM: 12,
+    ENOMSG: 42,
+    ENOPROTOOPT: 92,
+    ENOSPC: 28,
+    ENOSR: 63,
+    ENOSTR: 60,
+    ENOSYS: 38,
+    ENOTCONN: 107,
+    ENOTDIR: 20,
+    ENOTEMPTY: 39,
+    ENOTSOCK: 88,
+    ENOTSUP: 95,
+    ENOTTY: 25,
+    ENXIO: 6,
+    EOPNOTSUPP: 95,
+    EOVERFLOW: 75,
+    EPERM: 1,
+    EPIPE: 32,
+    EPROTO: 71,
+    EPROTONOSUPPORT: 93,
+    EPROTOTYPE: 91,
+    ERANGE: 34,
+    EROFS: 30,
+    ESPIPE: 29,
+    ESRCH: 3,
+    ESTALE: 116,
+    ETIME: 62,
+    ETIMEDOUT: 110,
+    ETXTBSY: 26,
+    EWOULDBLOCK: 11,
+    EXDEV: 18,
+};
+// Priority constants
+const priority = {
+    PRIORITY_LOW: 19,
+    PRIORITY_BELOW_NORMAL: 10,
+    PRIORITY_NORMAL: 0,
+    PRIORITY_ABOVE_NORMAL: -7,
+    PRIORITY_HIGH: -14,
+    PRIORITY_HIGHEST: -20,
+};
+// OS module implementation (polyfill — partial coverage of Node.js os types)
+const os = {
+    // Platform information
+    platform() {
+        return config.platform;
+    },
+    arch() {
+        return config.arch;
+    },
+    type() {
+        return config.type;
+    },
+    release() {
+        return config.release;
+    },
+    version() {
+        return config.version;
+    },
+    // Directory information
+    homedir() {
+        return config.homedir;
+    },
+    tmpdir() {
+        return config.tmpdir;
+    },
+    // System information
+    hostname() {
+        return config.hostname;
+    },
+    // User information
+    userInfo(_options) {
+        return {
+            username: "root",
+            uid: 0,
+            gid: 0,
+            shell: "/bin/bash",
+            homedir: config.homedir,
+        };
+    },
+    // CPU information
+    cpus() {
+        return [
+            {
+                model: "Virtual CPU",
+                speed: 2000,
+                times: {
+                    user: 100000,
+                    nice: 0,
+                    sys: 50000,
+                    idle: 800000,
+                    irq: 0,
+                },
+            },
+        ];
+    },
+    // Memory information
+    totalmem() {
+        return 1073741824; // 1GB
+    },
+    freemem() {
+        return 536870912; // 512MB
+    },
+    // System load
+    loadavg() {
+        return [0.1, 0.1, 0.1];
+    },
+    // System uptime
+    uptime() {
+        return 3600; // 1 hour
+    },
+    // Network interfaces (empty - not supported in sandbox)
+    networkInterfaces() {
+        return {};
+    },
+    // System endianness
+    endianness() {
+        return "LE";
+    },
+    // Line endings
+    EOL: "\n",
+    // Dev null path
+    devNull: "/dev/null",
+    // Machine type
+    machine() {
+        return config.arch;
+    },
+    // Constants (partial — Linux subset, no Windows WSA* or RTLD_DEEPBIND)
+    constants: {
+        signals: signals,
+        errno: errno,
+        priority,
+        dlopen: {
+            RTLD_LAZY: 1,
+            RTLD_NOW: 2,
+            RTLD_GLOBAL: 256,
+            RTLD_LOCAL: 0,
+        },
+        UV_UDP_REUSEADDR: 4,
+    },
+    // Priority getters/setters (stubs)
+    getPriority(_pid) {
+        return 0;
+    },
+    setPriority(pid, priority) {
+        void pid;
+        void priority;
+    },
+    // Parallelism hint
+    availableParallelism() {
+        return 1;
+    },
+};
+// Expose to global for require() to use.
+exposeCustomGlobal("_osModule", os);
+export default os;

package/dist/bridge/polyfills.d.ts

@@ -0,0 +1,9 @@
+declare const TextEncoder: {
+    new (): TextEncoder;
+    prototype: TextEncoder;
+};
+declare const TextDecoder: {
+    new (label?: string, options?: TextDecoderOptions): TextDecoder;
+    prototype: TextDecoder;
+};
+export { TextEncoder, TextDecoder };

package/dist/bridge/polyfills.js

@@ -0,0 +1,67 @@
+// Early polyfills - this file must be imported FIRST before any other modules
+// that might use TextEncoder/TextDecoder (like whatwg-url)
+import { TextDecoder as PolyfillTextDecoder, } from "text-encoding-utf-8";
+function encodeUtf8ScalarValue(codePoint, bytes) {
+    if (codePoint <= 0x7f) {
+        bytes.push(codePoint);
+        return;
+    }
+    if (codePoint <= 0x7ff) {
+        bytes.push(0xc0 | (codePoint >> 6), 0x80 | (codePoint & 0x3f));
+        return;
+    }
+    if (codePoint <= 0xffff) {
+        bytes.push(0xe0 | (codePoint >> 12), 0x80 | ((codePoint >> 6) & 0x3f), 0x80 | (codePoint & 0x3f));
+        return;
+    }
+    bytes.push(0xf0 | (codePoint >> 18), 0x80 | ((codePoint >> 12) & 0x3f), 0x80 | ((codePoint >> 6) & 0x3f), 0x80 | (codePoint & 0x3f));
+}
+function encodeUtf8(input = "") {
+    const value = String(input);
+    const bytes = [];
+    for (let index = 0; index < value.length; index += 1) {
+        const codeUnit = value.charCodeAt(index);
+        if (codeUnit >= 0xd800 && codeUnit <= 0xdbff) {
+            const nextIndex = index + 1;
+            if (nextIndex < value.length) {
+                const nextCodeUnit = value.charCodeAt(nextIndex);
+                if (nextCodeUnit >= 0xdc00 && nextCodeUnit <= 0xdfff) {
+                    const codePoint = 0x10000 + ((codeUnit - 0xd800) << 10) + (nextCodeUnit - 0xdc00);
+                    encodeUtf8ScalarValue(codePoint, bytes);
+                    index = nextIndex;
+                    continue;
+                }
+            }
+            encodeUtf8ScalarValue(0xfffd, bytes);
+            continue;
+        }
+        if (codeUnit >= 0xdc00 && codeUnit <= 0xdfff) {
+            encodeUtf8ScalarValue(0xfffd, bytes);
+            continue;
+        }
+        encodeUtf8ScalarValue(codeUnit, bytes);
+    }
+    return new Uint8Array(bytes);
+}
+class PatchedTextEncoder {
+    encode(input = "") {
+        return encodeUtf8(input);
+    }
+    get encoding() {
+        return "utf-8";
+    }
+}
+const TextEncoder = typeof globalThis.TextEncoder === "function"
+    ? globalThis.TextEncoder
+    : PatchedTextEncoder;
+const TextDecoder = typeof globalThis.TextDecoder === "function"
+    ? globalThis.TextDecoder
+    : PolyfillTextDecoder;
+// Install on globalThis so other modules can use them
+if (typeof globalThis.TextEncoder === "undefined") {
+    globalThis.TextEncoder = TextEncoder;
+}
+if (typeof globalThis.TextDecoder === "undefined") {
+    globalThis.TextDecoder = TextDecoder;
+}
+export { TextEncoder, TextDecoder };

package/dist/bridge/process.d.ts

@@ -0,0 +1,121 @@
+import type * as nodeProcess from "process";
+import { TextEncoder, TextDecoder } from "./polyfills.js";
+import { URL, URLSearchParams } from "./whatwg-url.js";
+/**
+ * Process configuration injected by the host before the bridge bundle loads.
+ * Values default to sensible Linux/x64 stubs when unset.
+ */
+export interface ProcessConfig {
+    platform?: string;
+    arch?: string;
+    version?: string;
+    cwd?: string;
+    env?: Record<string, string>;
+    argv?: string[];
+    execPath?: string;
+    pid?: number;
+    ppid?: number;
+    uid?: number;
+    gid?: number;
+    stdin?: string;
+    timingMitigation?: "off" | "freeze";
+    frozenTimeMs?: number;
+    stdinIsTTY?: boolean;
+    stdoutIsTTY?: boolean;
+    stderrIsTTY?: boolean;
+}
+/**
+ * Thrown by `process.exit()` to unwind the sandbox call stack. The host
+ * catches this to extract the exit code without killing the isolate.
+ */
+export declare class ProcessExitError extends Error {
+    code: number;
+    constructor(code: number);
+}
+declare const _default: typeof nodeProcess;
+export default _default;
+/**
+ * Timer handle that mimics Node.js Timeout (ref/unref/Symbol.toPrimitive).
+ * Timers with delay > 0 use the host's `_scheduleTimer` bridge to sleep
+ * without blocking the isolate's event loop.
+ */
+declare class TimerHandle {
+    _id: number;
+    _destroyed: boolean;
+    constructor(id: number);
+    ref(): this;
+    unref(): this;
+    hasRef(): boolean;
+    refresh(): this;
+    [Symbol.toPrimitive](): number;
+}
+export declare function setTimeout(callback: (...args: unknown[]) => void, delay?: number, ...args: unknown[]): TimerHandle;
+export declare function clearTimeout(timer: TimerHandle | number | undefined): void;
+export declare function setInterval(callback: (...args: unknown[]) => void, delay?: number, ...args: unknown[]): TimerHandle;
+export declare function clearInterval(timer: TimerHandle | number | undefined): void;
+export declare function setImmediate(callback: (...args: unknown[]) => void, ...args: unknown[]): TimerHandle;
+export declare function clearImmediate(id: TimerHandle | number | undefined): void;
+export { URL, URLSearchParams };
+export { TextEncoder, TextDecoder };
+export declare const Buffer: BufferConstructor;
+interface SandboxCryptoKeyData {
+    type: "public" | "private" | "secret";
+    extractable: boolean;
+    algorithm: Record<string, unknown>;
+    usages: string[];
+    _pem?: string;
+    _jwk?: Record<string, unknown>;
+    _raw?: string;
+    _sourceKeyObjectData?: Record<string, unknown>;
+}
+declare const kCryptoKeyToken: unique symbol;
+declare class SandboxCryptoKey {
+    readonly type: "public" | "private" | "secret";
+    readonly extractable: boolean;
+    readonly algorithm: Record<string, unknown>;
+    readonly usages: string[];
+    readonly _keyData: SandboxCryptoKeyData;
+    readonly _pem?: string;
+    readonly _jwk?: Record<string, unknown>;
+    readonly _raw?: string;
+    readonly _sourceKeyObjectData?: Record<string, unknown>;
+    readonly [kCryptoKeyToken]: true;
+    constructor(keyData?: SandboxCryptoKeyData, token?: symbol);
+}
+declare class SandboxSubtleCrypto {
+    readonly _token: symbol;
+    constructor(token?: symbol);
+    digest(algorithm: unknown, data: BufferSource): Promise<ArrayBuffer>;
+    generateKey(algorithm: unknown, extractable: boolean, keyUsages: Iterable<string>): Promise<SandboxCryptoKey | {
+        publicKey: SandboxCryptoKey;
+        privateKey: SandboxCryptoKey;
+    }>;
+    importKey(format: string, keyData: BufferSource | JsonWebKey, algorithm: unknown, extractable: boolean, keyUsages: Iterable<string>): Promise<SandboxCryptoKey>;
+    exportKey(format: string, key: SandboxCryptoKey): Promise<ArrayBuffer | JsonWebKey>;
+    encrypt(algorithm: unknown, key: SandboxCryptoKey, data: BufferSource): Promise<ArrayBuffer>;
+    decrypt(algorithm: unknown, key: SandboxCryptoKey, data: BufferSource): Promise<ArrayBuffer>;
+    sign(algorithm: unknown, key: SandboxCryptoKey, data: BufferSource): Promise<ArrayBuffer>;
+    verify(algorithm: unknown, key: SandboxCryptoKey, signature: BufferSource, data: BufferSource): Promise<boolean>;
+    deriveBits(algorithm: unknown, baseKey: SandboxCryptoKey, length: number): Promise<ArrayBuffer>;
+    deriveKey(algorithm: unknown, baseKey: SandboxCryptoKey, derivedKeyAlgorithm: unknown, extractable: boolean, keyUsages: Iterable<string>): Promise<SandboxCryptoKey>;
+    wrapKey(format: string, key: SandboxCryptoKey, wrappingKey: SandboxCryptoKey, wrapAlgorithm: unknown): Promise<ArrayBuffer>;
+    unwrapKey(format: string, wrappedKey: BufferSource, unwrappingKey: SandboxCryptoKey, unwrapAlgorithm: unknown, unwrappedKeyAlgorithm: unknown, extractable: boolean, keyUsages: Iterable<string>): Promise<SandboxCryptoKey>;
+}
+declare class SandboxCrypto {
+    readonly _token: symbol;
+    constructor(token?: symbol);
+    get subtle(): SandboxSubtleCrypto;
+    getRandomValues<T extends ArrayBufferView>(array: T): T;
+    randomUUID(): string;
+}
+/**
+ * Crypto polyfill that delegates to the host for entropy. `getRandomValues`
+ * calls the host's `_cryptoRandomFill` bridge to get cryptographically secure
+ * random bytes. Subtle crypto operations route through the host WebCrypto bridge.
+ */
+export declare const cryptoPolyfill: SandboxCrypto;
+/**
+ * Install all process/timer/URL/Buffer/crypto polyfills onto `globalThis`.
+ * Called once during bridge initialization before user code runs.
+ */
+export declare function setupGlobals(): void;