@secure-exec/nodejs 0.2.0-rc.1

package/dist/bridge/process.js

@@ -0,0 +1,1382 @@
+// Process module polyfill for the sandbox
+// Provides Node.js process object and global polyfills for sandbox compatibility
+// Re-export TextEncoder/TextDecoder from polyfills (polyfills.ts is imported first in index.ts)
+import { TextEncoder, TextDecoder } from "./polyfills.js";
+import { URL, URLSearchParams, installWhatwgUrlGlobals, } from "./whatwg-url.js";
+// Use buffer package for spec-compliant Buffer implementation
+import { Buffer as BufferPolyfill } from "buffer";
+import { exposeCustomGlobal, exposeMutableRuntimeStateGlobal, } from "@secure-exec/core/internal/shared/global-exposure";
+import { bridgeDispatchSync } from "./dispatch.js";
+// Get config with defaults
+const config = {
+    platform: (typeof _processConfig !== "undefined" && _processConfig.platform) ||
+        "linux",
+    arch: (typeof _processConfig !== "undefined" && _processConfig.arch) || "x64",
+    version: (typeof _processConfig !== "undefined" && _processConfig.version) ||
+        "v22.0.0",
+    cwd: (typeof _processConfig !== "undefined" && _processConfig.cwd) || "/root",
+    env: (typeof _processConfig !== "undefined" && _processConfig.env) || {},
+    argv: (typeof _processConfig !== "undefined" && _processConfig.argv) || [
+        "node",
+        "script.js",
+    ],
+    execPath: (typeof _processConfig !== "undefined" && _processConfig.execPath) ||
+        "/usr/bin/node",
+    pid: (typeof _processConfig !== "undefined" && _processConfig.pid) || 1,
+    ppid: (typeof _processConfig !== "undefined" && _processConfig.ppid) || 0,
+    uid: (typeof _processConfig !== "undefined" && _processConfig.uid) || 0,
+    gid: (typeof _processConfig !== "undefined" && _processConfig.gid) || 0,
+    timingMitigation: (typeof _processConfig !== "undefined" && _processConfig.timingMitigation) ||
+        "off",
+    frozenTimeMs: typeof _processConfig !== "undefined" ? _processConfig.frozenTimeMs : undefined,
+};
+/** Get the current timestamp, returning a frozen value when timing mitigation is active. */
+function getNowMs() {
+    if (config.timingMitigation === "freeze" &&
+        typeof config.frozenTimeMs === "number") {
+        return config.frozenTimeMs;
+    }
+    return typeof performance !== "undefined" && performance.now
+        ? performance.now()
+        : Date.now();
+}
+// Start time for uptime calculation
+const _processStartTime = getNowMs();
+const BUFFER_MAX_LENGTH = typeof BufferPolyfill.kMaxLength ===
+    "number"
+    ? BufferPolyfill.kMaxLength
+    : 2147483647;
+const BUFFER_MAX_STRING_LENGTH = typeof BufferPolyfill.kStringMaxLength ===
+    "number"
+    ? BufferPolyfill.kStringMaxLength
+    : 536870888;
+const BUFFER_CONSTANTS = Object.freeze({
+    MAX_LENGTH: BUFFER_MAX_LENGTH,
+    MAX_STRING_LENGTH: BUFFER_MAX_STRING_LENGTH,
+});
+const bufferPolyfillMutable = BufferPolyfill;
+if (typeof bufferPolyfillMutable.kMaxLength !== "number") {
+    bufferPolyfillMutable.kMaxLength = BUFFER_MAX_LENGTH;
+}
+if (typeof bufferPolyfillMutable.kStringMaxLength !== "number") {
+    bufferPolyfillMutable.kStringMaxLength = BUFFER_MAX_STRING_LENGTH;
+}
+if (typeof bufferPolyfillMutable.constants !== "object" ||
+    bufferPolyfillMutable.constants === null) {
+    bufferPolyfillMutable.constants = {
+        MAX_LENGTH: BUFFER_MAX_LENGTH,
+        MAX_STRING_LENGTH: BUFFER_MAX_STRING_LENGTH,
+    };
+}
+// Shim encoding-specific slice/write methods on Buffer.prototype.
+// Node.js exposes these via internal V8 bindings (e.g. utf8Slice, latin1Write).
+// Packages like ssh2 call them directly for performance.
+const bufferProto = BufferPolyfill.prototype;
+if (typeof bufferProto.utf8Slice !== "function") {
+    const encodings = ["utf8", "latin1", "ascii", "hex", "base64", "ucs2", "utf16le"];
+    for (const enc of encodings) {
+        if (typeof bufferProto[enc + "Slice"] !== "function") {
+            bufferProto[enc + "Slice"] = function (start, end) {
+                return this.toString(enc, start, end);
+            };
+        }
+        if (typeof bufferProto[enc + "Write"] !== "function") {
+            bufferProto[enc + "Write"] = function (string, offset, length) {
+                return this.write(string, offset ?? 0, length ?? (this.length - (offset ?? 0)), enc);
+            };
+        }
+    }
+}
+const bufferCtorMutable = BufferPolyfill;
+if (typeof bufferCtorMutable.allocUnsafe === "function" &&
+    !bufferCtorMutable.allocUnsafe._secureExecPatched) {
+    const originalAllocUnsafe = bufferCtorMutable.allocUnsafe;
+    bufferCtorMutable.allocUnsafe = function patchedAllocUnsafe(size) {
+        try {
+            return originalAllocUnsafe.call(this, size);
+        }
+        catch (error) {
+            if (error instanceof RangeError &&
+                typeof size === "number" &&
+                size > BUFFER_MAX_LENGTH) {
+                throw new Error("Array buffer allocation failed");
+            }
+            throw error;
+        }
+    };
+    bufferCtorMutable.allocUnsafe._secureExecPatched = true;
+}
+// Exit code tracking
+let _exitCode = 0;
+let _exited = false;
+/**
+ * Thrown by `process.exit()` to unwind the sandbox call stack. The host
+ * catches this to extract the exit code without killing the isolate.
+ */
+export class ProcessExitError extends Error {
+    code;
+    constructor(code) {
+        super("process.exit(" + code + ")");
+        this.name = "ProcessExitError";
+        this.code = code;
+    }
+}
+// Make available globally
+exposeCustomGlobal("ProcessExitError", ProcessExitError);
+// Signal name → number mapping (POSIX standard)
+const _signalNumbers = {
+    SIGHUP: 1, SIGINT: 2, SIGQUIT: 3, SIGILL: 4, SIGTRAP: 5, SIGABRT: 6,
+    SIGBUS: 7, SIGFPE: 8, SIGKILL: 9, SIGUSR1: 10, SIGSEGV: 11, SIGUSR2: 12,
+    SIGPIPE: 13, SIGALRM: 14, SIGTERM: 15, SIGCHLD: 17, SIGCONT: 18,
+    SIGSTOP: 19, SIGTSTP: 20, SIGTTIN: 21, SIGTTOU: 22, SIGURG: 23,
+    SIGXCPU: 24, SIGXFSZ: 25, SIGVTALRM: 26, SIGPROF: 27, SIGWINCH: 28,
+    SIGIO: 29, SIGPWR: 30, SIGSYS: 31,
+};
+function _resolveSignal(signal) {
+    if (signal === undefined || signal === null)
+        return 15; // default SIGTERM
+    if (typeof signal === "number")
+        return signal;
+    const num = _signalNumbers[signal];
+    if (num !== undefined)
+        return num;
+    throw new Error("Unknown signal: " + signal);
+}
+const _processListeners = {};
+const _processOnceListeners = {};
+let _processMaxListeners = 10;
+const _processMaxListenersWarned = new Set();
+function _addListener(event, listener, once = false) {
+    const target = once ? _processOnceListeners : _processListeners;
+    if (!target[event]) {
+        target[event] = [];
+    }
+    target[event].push(listener);
+    // Warn when exceeding maxListeners (Node.js behavior: warn, don't crash)
+    if (_processMaxListeners > 0 && !_processMaxListenersWarned.has(event)) {
+        const total = (_processListeners[event]?.length ?? 0) + (_processOnceListeners[event]?.length ?? 0);
+        if (total > _processMaxListeners) {
+            _processMaxListenersWarned.add(event);
+            const warning = `MaxListenersExceededWarning: Possible EventEmitter memory leak detected. ${total} ${event} listeners added to [process]. MaxListeners is ${_processMaxListeners}. Use emitter.setMaxListeners() to increase limit`;
+            // Use console.error to emit warning without recursion risk
+            if (typeof _error !== "undefined") {
+                _error.applySync(undefined, [warning]);
+            }
+        }
+    }
+    return process;
+}
+function _removeListener(event, listener) {
+    if (_processListeners[event]) {
+        const idx = _processListeners[event].indexOf(listener);
+        if (idx !== -1)
+            _processListeners[event].splice(idx, 1);
+    }
+    if (_processOnceListeners[event]) {
+        const idx = _processOnceListeners[event].indexOf(listener);
+        if (idx !== -1)
+            _processOnceListeners[event].splice(idx, 1);
+    }
+    return process;
+}
+function _emit(event, ...args) {
+    let handled = false;
+    // Regular listeners
+    if (_processListeners[event]) {
+        for (const listener of _processListeners[event]) {
+            listener(...args);
+            handled = true;
+        }
+    }
+    // Once listeners (remove after calling)
+    if (_processOnceListeners[event]) {
+        const listeners = _processOnceListeners[event].slice();
+        _processOnceListeners[event] = [];
+        for (const listener of listeners) {
+            listener(...args);
+            handled = true;
+        }
+    }
+    return handled;
+}
+function _getStdinIsTTY() {
+    return (typeof __runtimeTtyConfig !== "undefined" && __runtimeTtyConfig.stdinIsTTY) || false;
+}
+function _getStdoutIsTTY() {
+    return (typeof __runtimeTtyConfig !== "undefined" && __runtimeTtyConfig.stdoutIsTTY) || false;
+}
+function _getStderrIsTTY() {
+    return (typeof __runtimeTtyConfig !== "undefined" && __runtimeTtyConfig.stderrIsTTY) || false;
+}
+// Stdout stream
+const _stdout = {
+    write(data) {
+        if (typeof _log !== "undefined") {
+            _log.applySync(undefined, [String(data).replace(/\n$/, "")]);
+        }
+        return true;
+    },
+    end() {
+        return this;
+    },
+    on() {
+        return this;
+    },
+    once() {
+        return this;
+    },
+    emit() {
+        return false;
+    },
+    writable: true,
+    get isTTY() { return _getStdoutIsTTY(); },
+    columns: 80,
+    rows: 24,
+};
+// Stderr stream
+const _stderr = {
+    write(data) {
+        if (typeof _error !== "undefined") {
+            _error.applySync(undefined, [String(data).replace(/\n$/, "")]);
+        }
+        return true;
+    },
+    end() {
+        return this;
+    },
+    on() {
+        return this;
+    },
+    once() {
+        return this;
+    },
+    emit() {
+        return false;
+    },
+    writable: true,
+    get isTTY() { return _getStderrIsTTY(); },
+    columns: 80,
+    rows: 24,
+};
+const _stdinListeners = {};
+const _stdinOnceListeners = {};
+// Initialize stdin state as globals for external access
+exposeMutableRuntimeStateGlobal("_stdinData", (typeof _processConfig !== "undefined" && _processConfig.stdin) || "");
+exposeMutableRuntimeStateGlobal("_stdinPosition", 0);
+exposeMutableRuntimeStateGlobal("_stdinEnded", false);
+exposeMutableRuntimeStateGlobal("_stdinFlowMode", false);
+// Getters for the globals
+function getStdinData() { return globalThis._stdinData; }
+function setStdinDataValue(v) { globalThis._stdinData = v; }
+function getStdinPosition() { return globalThis._stdinPosition; }
+function setStdinPosition(v) { globalThis._stdinPosition = v; }
+function getStdinEnded() { return globalThis._stdinEnded; }
+function setStdinEnded(v) { globalThis._stdinEnded = v; }
+function getStdinFlowMode() { return globalThis._stdinFlowMode; }
+function setStdinFlowMode(v) { globalThis._stdinFlowMode = v; }
+function _emitStdinData() {
+    if (getStdinEnded() || !getStdinData())
+        return;
+    // In flowing mode, emit all remaining data
+    if (getStdinFlowMode() && getStdinPosition() < getStdinData().length) {
+        const chunk = getStdinData().slice(getStdinPosition());
+        setStdinPosition(getStdinData().length);
+        // Emit data event
+        const dataListeners = [...(_stdinListeners["data"] || []), ...(_stdinOnceListeners["data"] || [])];
+        _stdinOnceListeners["data"] = [];
+        for (const listener of dataListeners) {
+            listener(chunk);
+        }
+        // Emit end after all data
+        setStdinEnded(true);
+        const endListeners = [...(_stdinListeners["end"] || []), ...(_stdinOnceListeners["end"] || [])];
+        _stdinOnceListeners["end"] = [];
+        for (const listener of endListeners) {
+            listener();
+        }
+        // Emit close
+        const closeListeners = [...(_stdinListeners["close"] || []), ...(_stdinOnceListeners["close"] || [])];
+        _stdinOnceListeners["close"] = [];
+        for (const listener of closeListeners) {
+            listener();
+        }
+    }
+}
+const _stdin = {
+    readable: true,
+    paused: true,
+    encoding: null,
+    read(size) {
+        if (getStdinPosition() >= getStdinData().length)
+            return null;
+        const chunk = size ? getStdinData().slice(getStdinPosition(), getStdinPosition() + size) : getStdinData().slice(getStdinPosition());
+        setStdinPosition(getStdinPosition() + chunk.length);
+        return chunk;
+    },
+    on(event, listener) {
+        if (!_stdinListeners[event])
+            _stdinListeners[event] = [];
+        _stdinListeners[event].push(listener);
+        // When 'end' listener is added and we have data, emit everything synchronously
+        // This works because typical patterns register 'data' then 'end' listeners
+        if (event === "end" && getStdinData() && !getStdinEnded()) {
+            setStdinFlowMode(true);
+            // Emit synchronously - all listeners should be registered by now
+            _emitStdinData();
+        }
+        return this;
+    },
+    once(event, listener) {
+        if (!_stdinOnceListeners[event])
+            _stdinOnceListeners[event] = [];
+        _stdinOnceListeners[event].push(listener);
+        return this;
+    },
+    off(event, listener) {
+        if (_stdinListeners[event]) {
+            const idx = _stdinListeners[event].indexOf(listener);
+            if (idx !== -1)
+                _stdinListeners[event].splice(idx, 1);
+        }
+        return this;
+    },
+    removeListener(event, listener) {
+        return this.off(event, listener);
+    },
+    emit(event, ...args) {
+        const listeners = [...(_stdinListeners[event] || []), ...(_stdinOnceListeners[event] || [])];
+        _stdinOnceListeners[event] = [];
+        for (const listener of listeners) {
+            listener(args[0]);
+        }
+        return listeners.length > 0;
+    },
+    pause() {
+        this.paused = true;
+        setStdinFlowMode(false);
+        return this;
+    },
+    resume() {
+        this.paused = false;
+        setStdinFlowMode(true);
+        _emitStdinData();
+        return this;
+    },
+    setEncoding(enc) {
+        this.encoding = enc;
+        return this;
+    },
+    setRawMode(mode) {
+        if (!_getStdinIsTTY()) {
+            throw new Error("setRawMode is not supported when stdin is not a TTY");
+        }
+        if (typeof _ptySetRawMode !== "undefined") {
+            _ptySetRawMode.applySync(undefined, [mode]);
+        }
+        return this;
+    },
+    get isTTY() { return _getStdinIsTTY(); },
+    // For readline compatibility
+    [Symbol.asyncIterator]: async function* () {
+        const lines = getStdinData().split("\n");
+        for (const line of lines) {
+            if (line)
+                yield line;
+        }
+    },
+};
+// hrtime function with bigint method
+function hrtime(prev) {
+    const now = getNowMs();
+    const seconds = Math.floor(now / 1000);
+    const nanoseconds = Math.floor((now % 1000) * 1e6);
+    if (prev) {
+        let diffSec = seconds - prev[0];
+        let diffNano = nanoseconds - prev[1];
+        if (diffNano < 0) {
+            diffSec -= 1;
+            diffNano += 1e9;
+        }
+        return [diffSec, diffNano];
+    }
+    return [seconds, nanoseconds];
+}
+hrtime.bigint = function () {
+    const now = getNowMs();
+    return BigInt(Math.floor(now * 1e6));
+};
+// Internal state
+let _cwd = config.cwd;
+let _umask = 0o022;
+// The process object — typed loosely as a polyfill, cast to typeof nodeProcess on export
+const process = {
+    // Static properties
+    platform: config.platform,
+    arch: config.arch,
+    version: config.version,
+    versions: {
+        node: config.version.replace(/^v/, ""),
+        v8: "11.3.244.8",
+        uv: "1.44.2",
+        zlib: "1.2.13",
+        brotli: "1.0.9",
+        ares: "1.19.0",
+        modules: "108",
+        nghttp2: "1.52.0",
+        napi: "8",
+        llhttp: "8.1.0",
+        openssl: "3.0.8",
+        cldr: "42.0",
+        icu: "72.1",
+        tz: "2022g",
+        unicode: "15.0",
+    },
+    pid: config.pid,
+    ppid: config.ppid,
+    execPath: config.execPath,
+    execArgv: [],
+    argv: config.argv,
+    argv0: config.argv[0] || "node",
+    title: "node",
+    env: config.env,
+    // Config stubs
+    config: {
+        target_defaults: {
+            cflags: [],
+            default_configuration: "Release",
+            defines: [],
+            include_dirs: [],
+            libraries: [],
+        },
+        variables: {
+            node_prefix: "/usr",
+            node_shared_libuv: false,
+        },
+    },
+    release: {
+        name: "node",
+        sourceUrl: "https://nodejs.org/download/release/v20.0.0/node-v20.0.0.tar.gz",
+        headersUrl: "https://nodejs.org/download/release/v20.0.0/node-v20.0.0-headers.tar.gz",
+    },
+    // Feature flags
+    features: {
+        inspector: false,
+        debug: false,
+        uv: true,
+        ipv6: true,
+        tls_alpn: true,
+        tls_sni: true,
+        tls_ocsp: true,
+        tls: true,
+    },
+    // Methods
+    cwd() {
+        return _cwd;
+    },
+    chdir(dir) {
+        // Validate directory exists in VFS before setting cwd
+        let statJson;
+        try {
+            statJson = _fs.stat.applySyncPromise(undefined, [dir]);
+        }
+        catch {
+            const err = new Error(`ENOENT: no such file or directory, chdir '${dir}'`);
+            err.code = "ENOENT";
+            err.errno = -2;
+            err.syscall = "chdir";
+            err.path = dir;
+            throw err;
+        }
+        const parsed = JSON.parse(statJson);
+        if (!parsed.isDirectory) {
+            const err = new Error(`ENOTDIR: not a directory, chdir '${dir}'`);
+            err.code = "ENOTDIR";
+            err.errno = -20;
+            err.syscall = "chdir";
+            err.path = dir;
+            throw err;
+        }
+        _cwd = dir;
+    },
+    get exitCode() {
+        return _exitCode;
+    },
+    set exitCode(code) {
+        _exitCode = code ?? 0;
+    },
+    exit(code) {
+        const exitCode = code !== undefined ? code : _exitCode;
+        _exitCode = exitCode;
+        _exited = true;
+        // Fire exit event
+        try {
+            _emit("exit", exitCode);
+        }
+        catch (_e) {
+            // Ignore errors in exit handlers
+        }
+        // Throw to stop execution
+        throw new ProcessExitError(exitCode);
+    },
+    abort() {
+        return process.exit(1);
+    },
+    nextTick(callback, ...args) {
+        if (typeof queueMicrotask === "function") {
+            queueMicrotask(() => callback(...args));
+        }
+        else {
+            Promise.resolve().then(() => callback(...args));
+        }
+    },
+    hrtime: hrtime,
+    getuid() {
+        return config.uid;
+    },
+    getgid() {
+        return config.gid;
+    },
+    geteuid() {
+        return config.uid;
+    },
+    getegid() {
+        return config.gid;
+    },
+    getgroups() {
+        return [config.gid];
+    },
+    setuid() { },
+    setgid() { },
+    seteuid() { },
+    setegid() { },
+    setgroups() { },
+    umask(mask) {
+        const oldMask = _umask;
+        if (mask !== undefined) {
+            _umask = mask;
+        }
+        return oldMask;
+    },
+    uptime() {
+        return (getNowMs() - _processStartTime) / 1000;
+    },
+    memoryUsage() {
+        return {
+            rss: 50 * 1024 * 1024,
+            heapTotal: 20 * 1024 * 1024,
+            heapUsed: 10 * 1024 * 1024,
+            external: 1 * 1024 * 1024,
+            arrayBuffers: 500 * 1024,
+        };
+    },
+    cpuUsage(prev) {
+        const usage = {
+            user: 1000000,
+            system: 500000,
+        };
+        if (prev) {
+            return {
+                user: usage.user - prev.user,
+                system: usage.system - prev.system,
+            };
+        }
+        return usage;
+    },
+    resourceUsage() {
+        return {
+            userCPUTime: 1000000,
+            systemCPUTime: 500000,
+            maxRSS: 50 * 1024,
+            sharedMemorySize: 0,
+            unsharedDataSize: 0,
+            unsharedStackSize: 0,
+            minorPageFault: 0,
+            majorPageFault: 0,
+            swappedOut: 0,
+            fsRead: 0,
+            fsWrite: 0,
+            ipcSent: 0,
+            ipcReceived: 0,
+            signalsCount: 0,
+            voluntaryContextSwitches: 0,
+            involuntaryContextSwitches: 0,
+        };
+    },
+    kill(pid, signal) {
+        if (pid !== process.pid) {
+            const err = new Error("Operation not permitted");
+            err.code = "EPERM";
+            err.errno = -1;
+            err.syscall = "kill";
+            throw err;
+        }
+        // Resolve signal name to number (default SIGTERM)
+        const sigNum = _resolveSignal(signal);
+        // Self-kill - exit with 128 + signal number (POSIX convention)
+        return process.exit(128 + sigNum);
+    },
+    // EventEmitter methods
+    on(event, listener) {
+        return _addListener(event, listener);
+    },
+    once(event, listener) {
+        return _addListener(event, listener, true);
+    },
+    removeListener(event, listener) {
+        return _removeListener(event, listener);
+    },
+    // off is an alias for removeListener (assigned below to be same reference)
+    off: null,
+    removeAllListeners(event) {
+        if (event) {
+            delete _processListeners[event];
+            delete _processOnceListeners[event];
+        }
+        else {
+            Object.keys(_processListeners).forEach((k) => delete _processListeners[k]);
+            Object.keys(_processOnceListeners).forEach((k) => delete _processOnceListeners[k]);
+        }
+        return process;
+    },
+    addListener(event, listener) {
+        return _addListener(event, listener);
+    },
+    emit(event, ...args) {
+        return _emit(event, ...args);
+    },
+    listeners(event) {
+        return [
+            ...(_processListeners[event] || []),
+            ...(_processOnceListeners[event] || []),
+        ];
+    },
+    listenerCount(event) {
+        return ((_processListeners[event] || []).length +
+            (_processOnceListeners[event] || []).length);
+    },
+    prependListener(event, listener) {
+        if (!_processListeners[event]) {
+            _processListeners[event] = [];
+        }
+        _processListeners[event].unshift(listener);
+        return process;
+    },
+    prependOnceListener(event, listener) {
+        if (!_processOnceListeners[event]) {
+            _processOnceListeners[event] = [];
+        }
+        _processOnceListeners[event].unshift(listener);
+        return process;
+    },
+    eventNames() {
+        return [
+            ...new Set([
+                ...Object.keys(_processListeners),
+                ...Object.keys(_processOnceListeners),
+            ]),
+        ];
+    },
+    setMaxListeners(n) {
+        _processMaxListeners = n;
+        return process;
+    },
+    getMaxListeners() {
+        return _processMaxListeners;
+    },
+    rawListeners(event) {
+        return process.listeners(event);
+    },
+    // Stdio streams
+    stdout: _stdout,
+    stderr: _stderr,
+    stdin: _stdin,
+    // Process state
+    connected: false,
+    // Module info (will be set by createRequire)
+    mainModule: undefined,
+    // No-op methods for compatibility
+    emitWarning(warning) {
+        const msg = typeof warning === "string" ? warning : warning.message;
+        _emit("warning", { message: msg, name: "Warning" });
+    },
+    binding(_name) {
+        throw new Error("process.binding is not supported in sandbox");
+    },
+    _linkedBinding(_name) {
+        throw new Error("process._linkedBinding is not supported in sandbox");
+    },
+    dlopen() {
+        throw new Error("process.dlopen is not supported");
+    },
+    hasUncaughtExceptionCaptureCallback() {
+        return false;
+    },
+    setUncaughtExceptionCaptureCallback() { },
+    // Send for IPC (no-op)
+    send() {
+        return false;
+    },
+    disconnect() { },
+    // Report
+    report: {
+        directory: "",
+        filename: "",
+        compact: false,
+        signal: "SIGUSR2",
+        reportOnFatalError: false,
+        reportOnSignal: false,
+        reportOnUncaughtException: false,
+        getReport() {
+            return {};
+        },
+        writeReport() {
+            return "";
+        },
+    },
+    // Debug port
+    debugPort: 9229,
+    // Internal state
+    _cwd: config.cwd,
+    _umask: 0o022,
+};
+// Make process.off === process.removeListener (same function reference)
+process.off = process.removeListener;
+// Add memoryUsage.rss
+process.memoryUsage.rss =
+    function () {
+        return 50 * 1024 * 1024;
+    };
+// Match Node.js Object.prototype.toString.call(process) === '[object process]'
+Object.defineProperty(process, Symbol.toStringTag, {
+    value: "process",
+    writable: false,
+    configurable: true,
+    enumerable: false,
+});
+export default process;
+// ============================================================================
+// Global polyfills
+// ============================================================================
+const TIMER_DISPATCH = {
+    create: "kernelTimerCreate",
+    arm: "kernelTimerArm",
+    clear: "kernelTimerClear",
+};
+// queueMicrotask fallback
+const _queueMicrotask = typeof queueMicrotask === "function"
+    ? queueMicrotask
+    : function (fn) {
+        Promise.resolve().then(fn);
+    };
+function normalizeTimerDelay(delay) {
+    const numericDelay = Number(delay ?? 0);
+    if (!Number.isFinite(numericDelay) || numericDelay <= 0) {
+        return 0;
+    }
+    return Math.floor(numericDelay);
+}
+function getTimerId(timer) {
+    if (timer && typeof timer === "object" && timer._id !== undefined) {
+        return timer._id;
+    }
+    if (typeof timer === "number") {
+        return timer;
+    }
+    return undefined;
+}
+function createKernelTimer(delayMs, repeat) {
+    try {
+        return bridgeDispatchSync(TIMER_DISPATCH.create, delayMs, repeat);
+    }
+    catch (error) {
+        if (error instanceof Error && error.message.includes("EAGAIN")) {
+            throw new Error("ERR_RESOURCE_BUDGET_EXCEEDED: maximum number of timers exceeded");
+        }
+        throw error;
+    }
+}
+function armKernelTimer(timerId) {
+    bridgeDispatchSync(TIMER_DISPATCH.arm, timerId);
+}
+/**
+ * Timer handle that mimics Node.js Timeout (ref/unref/Symbol.toPrimitive).
+ * Timers with delay > 0 use the host's `_scheduleTimer` bridge to sleep
+ * without blocking the isolate's event loop.
+ */
+class TimerHandle {
+    _id;
+    _destroyed;
+    constructor(id) {
+        this._id = id;
+        this._destroyed = false;
+    }
+    ref() {
+        return this;
+    }
+    unref() {
+        return this;
+    }
+    hasRef() {
+        return true;
+    }
+    refresh() {
+        return this;
+    }
+    [Symbol.toPrimitive]() {
+        return this._id;
+    }
+}
+const _timerEntries = new Map();
+function timerDispatch(_eventType, payload) {
+    const timerId = typeof payload === "number"
+        ? payload
+        : Number(payload?.timerId);
+    if (!Number.isFinite(timerId))
+        return;
+    const entry = _timerEntries.get(timerId);
+    if (!entry)
+        return;
+    if (!entry.repeat) {
+        entry.handle._destroyed = true;
+        _timerEntries.delete(timerId);
+    }
+    try {
+        entry.callback(...entry.args);
+    }
+    catch (_e) {
+        // Ignore timer callback errors
+    }
+    if (entry.repeat && _timerEntries.has(timerId)) {
+        armKernelTimer(timerId);
+    }
+}
+export function setTimeout(callback, delay, ...args) {
+    const actualDelay = normalizeTimerDelay(delay);
+    const id = createKernelTimer(actualDelay, false);
+    const handle = new TimerHandle(id);
+    _timerEntries.set(id, {
+        handle,
+        callback,
+        args,
+        repeat: false,
+    });
+    armKernelTimer(id);
+    return handle;
+}
+export function clearTimeout(timer) {
+    const id = getTimerId(timer);
+    if (id === undefined)
+        return;
+    const entry = _timerEntries.get(id);
+    if (entry) {
+        entry.handle._destroyed = true;
+        _timerEntries.delete(id);
+    }
+    bridgeDispatchSync(TIMER_DISPATCH.clear, id);
+}
+export function setInterval(callback, delay, ...args) {
+    const actualDelay = Math.max(1, normalizeTimerDelay(delay));
+    const id = createKernelTimer(actualDelay, true);
+    const handle = new TimerHandle(id);
+    _timerEntries.set(id, {
+        handle,
+        callback,
+        args,
+        repeat: true,
+    });
+    armKernelTimer(id);
+    return handle;
+}
+export function clearInterval(timer) {
+    clearTimeout(timer);
+}
+exposeCustomGlobal("_timerDispatch", timerDispatch);
+export function setImmediate(callback, ...args) {
+    return setTimeout(callback, 0, ...args);
+}
+export function clearImmediate(id) {
+    clearTimeout(id);
+}
+// TextEncoder and TextDecoder - re-export from polyfills
+export { URL, URLSearchParams };
+export { TextEncoder, TextDecoder };
+// Buffer - use buffer package polyfill
+export const Buffer = BufferPolyfill;
+function throwUnsupportedCryptoApi(api) {
+    throw new Error(`crypto.${api} is not supported in sandbox`);
+}
+const kCryptoKeyToken = Symbol("secureExecCryptoKey");
+const kCryptoToken = Symbol("secureExecCrypto");
+const kSubtleToken = Symbol("secureExecSubtle");
+const ERR_INVALID_THIS = "ERR_INVALID_THIS";
+const ERR_ILLEGAL_CONSTRUCTOR = "ERR_ILLEGAL_CONSTRUCTOR";
+function createNodeTypeError(message, code) {
+    const error = new TypeError(message);
+    error.code = code;
+    return error;
+}
+function createDomLikeError(name, code, message) {
+    const error = new Error(message);
+    error.name = name;
+    error.code = code;
+    return error;
+}
+function assertCryptoReceiver(receiver) {
+    if (!(receiver instanceof SandboxCrypto) || receiver._token !== kCryptoToken) {
+        throw createNodeTypeError("Value of \"this\" must be of type Crypto", ERR_INVALID_THIS);
+    }
+}
+function assertSubtleReceiver(receiver) {
+    if (!(receiver instanceof SandboxSubtleCrypto) ||
+        receiver._token !== kSubtleToken) {
+        throw createNodeTypeError("Value of \"this\" must be of type SubtleCrypto", ERR_INVALID_THIS);
+    }
+}
+function isIntegerTypedArray(value) {
+    if (!ArrayBuffer.isView(value) || value instanceof DataView) {
+        return false;
+    }
+    return (value instanceof Int8Array ||
+        value instanceof Int16Array ||
+        value instanceof Int32Array ||
+        value instanceof Uint8Array ||
+        value instanceof Uint16Array ||
+        value instanceof Uint32Array ||
+        value instanceof Uint8ClampedArray ||
+        value instanceof BigInt64Array ||
+        value instanceof BigUint64Array ||
+        BufferPolyfill.isBuffer(value));
+}
+function toBase64(data) {
+    if (typeof data === "string") {
+        return BufferPolyfill.from(data).toString("base64");
+    }
+    if (data instanceof ArrayBuffer) {
+        return BufferPolyfill.from(new Uint8Array(data)).toString("base64");
+    }
+    if (ArrayBuffer.isView(data)) {
+        return BufferPolyfill.from(new Uint8Array(data.buffer, data.byteOffset, data.byteLength)).toString("base64");
+    }
+    return BufferPolyfill.from(data).toString("base64");
+}
+function toArrayBuffer(data) {
+    const buf = BufferPolyfill.from(data, "base64");
+    return buf.buffer.slice(buf.byteOffset, buf.byteOffset + buf.byteLength);
+}
+function normalizeAlgorithm(algorithm) {
+    if (typeof algorithm === "string") {
+        return { name: algorithm };
+    }
+    return (algorithm ?? {});
+}
+function normalizeBridgeAlgorithm(algorithm) {
+    const normalized = { ...normalizeAlgorithm(algorithm) };
+    const hash = normalized.hash;
+    const publicExponent = normalized.publicExponent;
+    const iv = normalized.iv;
+    const additionalData = normalized.additionalData;
+    const salt = normalized.salt;
+    const info = normalized.info;
+    const context = normalized.context;
+    const label = normalized.label;
+    const publicKey = normalized.public;
+    if (hash) {
+        normalized.hash = normalizeAlgorithm(hash);
+    }
+    if (publicExponent && ArrayBuffer.isView(publicExponent)) {
+        normalized.publicExponent = BufferPolyfill.from(new Uint8Array(publicExponent.buffer, publicExponent.byteOffset, publicExponent.byteLength)).toString("base64");
+    }
+    if (iv) {
+        normalized.iv = toBase64(iv);
+    }
+    if (additionalData) {
+        normalized.additionalData = toBase64(additionalData);
+    }
+    if (salt) {
+        normalized.salt = toBase64(salt);
+    }
+    if (info) {
+        normalized.info = toBase64(info);
+    }
+    if (context) {
+        normalized.context = toBase64(context);
+    }
+    if (label) {
+        normalized.label = toBase64(label);
+    }
+    if (publicKey &&
+        typeof publicKey === "object" &&
+        "_keyData" in publicKey) {
+        normalized.public = publicKey._keyData;
+    }
+    return normalized;
+}
+class SandboxCryptoKey {
+    type;
+    extractable;
+    algorithm;
+    usages;
+    _keyData;
+    _pem;
+    _jwk;
+    _raw;
+    _sourceKeyObjectData;
+    [kCryptoKeyToken];
+    constructor(keyData, token) {
+        if (token !== kCryptoKeyToken || !keyData) {
+            throw createNodeTypeError("Illegal constructor", ERR_ILLEGAL_CONSTRUCTOR);
+        }
+        this.type = keyData.type;
+        this.extractable = keyData.extractable;
+        this.algorithm = keyData.algorithm;
+        this.usages = keyData.usages;
+        this._keyData = keyData;
+        this._pem = keyData._pem;
+        this._jwk = keyData._jwk;
+        this._raw = keyData._raw;
+        this._sourceKeyObjectData = keyData._sourceKeyObjectData;
+        this[kCryptoKeyToken] = true;
+    }
+}
+Object.defineProperty(SandboxCryptoKey.prototype, Symbol.toStringTag, {
+    value: "CryptoKey",
+    configurable: true,
+});
+Object.defineProperty(SandboxCryptoKey, Symbol.hasInstance, {
+    value(candidate) {
+        return Boolean(candidate &&
+            typeof candidate === "object" &&
+            (candidate[kCryptoKeyToken] === true ||
+                ("_keyData" in candidate &&
+                    candidate[Symbol.toStringTag] === "CryptoKey")));
+    },
+    configurable: true,
+});
+function createCryptoKey(keyData) {
+    const globalCryptoKey = globalThis.CryptoKey;
+    if (typeof globalCryptoKey === "function" &&
+        globalCryptoKey.prototype &&
+        globalCryptoKey.prototype !== SandboxCryptoKey.prototype) {
+        const key = Object.create(globalCryptoKey.prototype);
+        key.type = keyData.type;
+        key.extractable = keyData.extractable;
+        key.algorithm = keyData.algorithm;
+        key.usages = keyData.usages;
+        key._keyData = keyData;
+        key._pem = keyData._pem;
+        key._jwk = keyData._jwk;
+        key._raw = keyData._raw;
+        key._sourceKeyObjectData = keyData._sourceKeyObjectData;
+        return key;
+    }
+    return new SandboxCryptoKey(keyData, kCryptoKeyToken);
+}
+function subtleCall(request) {
+    if (typeof _cryptoSubtle === "undefined") {
+        throw new Error("crypto.subtle is not supported in sandbox");
+    }
+    return _cryptoSubtle.applySync(undefined, [JSON.stringify(request)]);
+}
+class SandboxSubtleCrypto {
+    _token;
+    constructor(token) {
+        if (token !== kSubtleToken) {
+            throw createNodeTypeError("Illegal constructor", ERR_ILLEGAL_CONSTRUCTOR);
+        }
+        this._token = token;
+    }
+    digest(algorithm, data) {
+        assertSubtleReceiver(this);
+        return Promise.resolve().then(() => {
+            const result = JSON.parse(subtleCall({
+                op: "digest",
+                algorithm: normalizeAlgorithm(algorithm).name,
+                data: toBase64(data),
+            }));
+            return toArrayBuffer(result.data);
+        });
+    }
+    generateKey(algorithm, extractable, keyUsages) {
+        assertSubtleReceiver(this);
+        return Promise.resolve().then(() => {
+            const result = JSON.parse(subtleCall({
+                op: "generateKey",
+                algorithm: normalizeBridgeAlgorithm(algorithm),
+                extractable,
+                usages: Array.from(keyUsages),
+            }));
+            if ("publicKey" in result && "privateKey" in result) {
+                return {
+                    publicKey: createCryptoKey(result.publicKey),
+                    privateKey: createCryptoKey(result.privateKey),
+                };
+            }
+            return createCryptoKey(result.key);
+        });
+    }
+    importKey(format, keyData, algorithm, extractable, keyUsages) {
+        assertSubtleReceiver(this);
+        return Promise.resolve().then(() => {
+            const result = JSON.parse(subtleCall({
+                op: "importKey",
+                format,
+                keyData: format === "jwk" ? keyData : toBase64(keyData),
+                algorithm: normalizeBridgeAlgorithm(algorithm),
+                extractable,
+                usages: Array.from(keyUsages),
+            }));
+            return createCryptoKey(result.key);
+        });
+    }
+    exportKey(format, key) {
+        assertSubtleReceiver(this);
+        return Promise.resolve().then(() => {
+            const result = JSON.parse(subtleCall({
+                op: "exportKey",
+                format,
+                key: key._keyData,
+            }));
+            if (format === "jwk") {
+                return result.jwk;
+            }
+            return toArrayBuffer(result.data ?? "");
+        });
+    }
+    encrypt(algorithm, key, data) {
+        assertSubtleReceiver(this);
+        return Promise.resolve().then(() => {
+            const result = JSON.parse(subtleCall({
+                op: "encrypt",
+                algorithm: normalizeBridgeAlgorithm(algorithm),
+                key: key._keyData,
+                data: toBase64(data),
+            }));
+            return toArrayBuffer(result.data);
+        });
+    }
+    decrypt(algorithm, key, data) {
+        assertSubtleReceiver(this);
+        return Promise.resolve().then(() => {
+            const result = JSON.parse(subtleCall({
+                op: "decrypt",
+                algorithm: normalizeBridgeAlgorithm(algorithm),
+                key: key._keyData,
+                data: toBase64(data),
+            }));
+            return toArrayBuffer(result.data);
+        });
+    }
+    sign(algorithm, key, data) {
+        assertSubtleReceiver(this);
+        return Promise.resolve().then(() => {
+            const result = JSON.parse(subtleCall({
+                op: "sign",
+                algorithm: normalizeBridgeAlgorithm(algorithm),
+                key: key._keyData,
+                data: toBase64(data),
+            }));
+            return toArrayBuffer(result.data);
+        });
+    }
+    verify(algorithm, key, signature, data) {
+        assertSubtleReceiver(this);
+        return Promise.resolve().then(() => {
+            const result = JSON.parse(subtleCall({
+                op: "verify",
+                algorithm: normalizeBridgeAlgorithm(algorithm),
+                key: key._keyData,
+                signature: toBase64(signature),
+                data: toBase64(data),
+            }));
+            return result.result;
+        });
+    }
+    deriveBits(algorithm, baseKey, length) {
+        assertSubtleReceiver(this);
+        return Promise.resolve().then(() => {
+            const result = JSON.parse(subtleCall({
+                op: "deriveBits",
+                algorithm: normalizeBridgeAlgorithm(algorithm),
+                baseKey: baseKey._keyData,
+                length,
+            }));
+            return toArrayBuffer(result.data);
+        });
+    }
+    deriveKey(algorithm, baseKey, derivedKeyAlgorithm, extractable, keyUsages) {
+        assertSubtleReceiver(this);
+        return Promise.resolve().then(() => {
+            const result = JSON.parse(subtleCall({
+                op: "deriveKey",
+                algorithm: normalizeBridgeAlgorithm(algorithm),
+                baseKey: baseKey._keyData,
+                derivedKeyAlgorithm: normalizeBridgeAlgorithm(derivedKeyAlgorithm),
+                extractable,
+                usages: Array.from(keyUsages),
+            }));
+            return createCryptoKey(result.key);
+        });
+    }
+    wrapKey(format, key, wrappingKey, wrapAlgorithm) {
+        assertSubtleReceiver(this);
+        return Promise.resolve().then(() => {
+            const result = JSON.parse(subtleCall({
+                op: "wrapKey",
+                format,
+                key: key._keyData,
+                wrappingKey: wrappingKey._keyData,
+                wrapAlgorithm: normalizeBridgeAlgorithm(wrapAlgorithm),
+            }));
+            return toArrayBuffer(result.data);
+        });
+    }
+    unwrapKey(format, wrappedKey, unwrappingKey, unwrapAlgorithm, unwrappedKeyAlgorithm, extractable, keyUsages) {
+        assertSubtleReceiver(this);
+        return Promise.resolve().then(() => {
+            const result = JSON.parse(subtleCall({
+                op: "unwrapKey",
+                format,
+                wrappedKey: toBase64(wrappedKey),
+                unwrappingKey: unwrappingKey._keyData,
+                unwrapAlgorithm: normalizeBridgeAlgorithm(unwrapAlgorithm),
+                unwrappedKeyAlgorithm: normalizeBridgeAlgorithm(unwrappedKeyAlgorithm),
+                extractable,
+                usages: Array.from(keyUsages),
+            }));
+            return createCryptoKey(result.key);
+        });
+    }
+}
+const subtleCrypto = new SandboxSubtleCrypto(kSubtleToken);
+class SandboxCrypto {
+    _token;
+    constructor(token) {
+        if (token !== kCryptoToken) {
+            throw createNodeTypeError("Illegal constructor", ERR_ILLEGAL_CONSTRUCTOR);
+        }
+        this._token = token;
+    }
+    get subtle() {
+        assertCryptoReceiver(this);
+        return subtleCrypto;
+    }
+    getRandomValues(array) {
+        assertCryptoReceiver(this);
+        if (!isIntegerTypedArray(array)) {
+            throw createDomLikeError("TypeMismatchError", 17, "The data argument must be an integer-type TypedArray");
+        }
+        if (typeof _cryptoRandomFill === "undefined") {
+            throwUnsupportedCryptoApi("getRandomValues");
+        }
+        if (array.byteLength > 65536) {
+            throw createDomLikeError("QuotaExceededError", 22, `The ArrayBufferView's byte length (${array.byteLength}) exceeds the number of bytes of entropy available via this API (65536)`);
+        }
+        const bytes = new Uint8Array(array.buffer, array.byteOffset, array.byteLength);
+        try {
+            const base64 = _cryptoRandomFill.applySync(undefined, [bytes.byteLength]);
+            const hostBytes = BufferPolyfill.from(base64, "base64");
+            if (hostBytes.byteLength !== bytes.byteLength) {
+                throw new Error("invalid host entropy size");
+            }
+            bytes.set(hostBytes);
+            return array;
+        }
+        catch {
+            throwUnsupportedCryptoApi("getRandomValues");
+        }
+    }
+    randomUUID() {
+        assertCryptoReceiver(this);
+        if (typeof _cryptoRandomUUID === "undefined") {
+            throwUnsupportedCryptoApi("randomUUID");
+        }
+        try {
+            const uuid = _cryptoRandomUUID.applySync(undefined, []);
+            if (typeof uuid !== "string") {
+                throw new Error("invalid host uuid");
+            }
+            return uuid;
+        }
+        catch {
+            throwUnsupportedCryptoApi("randomUUID");
+        }
+    }
+}
+const cryptoPolyfillInstance = new SandboxCrypto(kCryptoToken);
+/**
+ * Crypto polyfill that delegates to the host for entropy. `getRandomValues`
+ * calls the host's `_cryptoRandomFill` bridge to get cryptographically secure
+ * random bytes. Subtle crypto operations route through the host WebCrypto bridge.
+ */
+export const cryptoPolyfill = cryptoPolyfillInstance;
+/**
+ * Install all process/timer/URL/Buffer/crypto polyfills onto `globalThis`.
+ * Called once during bridge initialization before user code runs.
+ */
+export function setupGlobals() {
+    const g = globalThis;
+    // Process - simple assignment is sufficient since we use external: ["process"]
+    // in polyfills.ts, which prevents node-stdlib-browser's process shim from being
+    // bundled and overwriting our process object.
+    g.process = process;
+    // Timers
+    g.setTimeout = setTimeout;
+    g.clearTimeout = clearTimeout;
+    g.setInterval = setInterval;
+    g.clearInterval = clearInterval;
+    g.setImmediate = setImmediate;
+    g.clearImmediate = clearImmediate;
+    // queueMicrotask
+    if (typeof g.queueMicrotask === "undefined") {
+        g.queueMicrotask = _queueMicrotask;
+    }
+    // URL globals must override bootstrap fallbacks and stay non-enumerable.
+    installWhatwgUrlGlobals(g);
+    // TextEncoder/TextDecoder
+    if (typeof g.TextEncoder === "undefined") {
+        g.TextEncoder = TextEncoder;
+    }
+    if (typeof g.TextDecoder === "undefined") {
+        g.TextDecoder = TextDecoder;
+    }
+    // Buffer
+    if (typeof g.Buffer === "undefined") {
+        g.Buffer = Buffer;
+    }
+    const globalBuffer = g.Buffer;
+    if (typeof globalBuffer.kMaxLength !== "number") {
+        globalBuffer.kMaxLength = BUFFER_MAX_LENGTH;
+    }
+    if (typeof globalBuffer.kStringMaxLength !== "number") {
+        globalBuffer.kStringMaxLength = BUFFER_MAX_STRING_LENGTH;
+    }
+    if (typeof globalBuffer.constants !== "object" ||
+        globalBuffer.constants === null) {
+        globalBuffer.constants = BUFFER_CONSTANTS;
+    }
+    // Crypto
+    if (typeof g.Crypto === "undefined") {
+        g.Crypto = SandboxCrypto;
+    }
+    if (typeof g.SubtleCrypto === "undefined") {
+        g.SubtleCrypto = SandboxSubtleCrypto;
+    }
+    if (typeof g.CryptoKey === "undefined") {
+        g.CryptoKey = SandboxCryptoKey;
+    }
+    if (typeof g.crypto === "undefined") {
+        g.crypto = cryptoPolyfill;
+    }
+    else {
+        const cryptoObj = g.crypto;
+        if (typeof cryptoObj.getRandomValues === "undefined") {
+            cryptoObj.getRandomValues = cryptoPolyfill.getRandomValues;
+        }
+        if (typeof cryptoObj.randomUUID === "undefined") {
+            cryptoObj.randomUUID = cryptoPolyfill.randomUUID;
+        }
+        if (typeof cryptoObj.subtle === "undefined") {
+            cryptoObj.subtle = cryptoPolyfill.subtle;
+        }
+    }
+}