npm - @utdk/isolate - Versions diffs - 0.1.0-dev.646adf4 - Mend

@utdk/isolate 0.1.0-dev.646adf4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (37) hide show

package/.turbo/turbo-build.log +4 -0
package/LICENSE +373 -0
package/README.md +126 -0
package/__tests__/bridge.test.ts +214 -0
package/__tests__/isolate.test.ts +275 -0
package/__tests__/sandbox.test.ts +126 -0
package/dist/__tests__/bridge.test.d.ts +1 -0
package/dist/__tests__/bridge.test.js +168 -0
package/dist/__tests__/bridge.test.js.map +1 -0
package/dist/__tests__/isolate.test.d.ts +11 -0
package/dist/__tests__/isolate.test.js +218 -0
package/dist/__tests__/isolate.test.js.map +1 -0
package/dist/__tests__/sandbox.test.d.ts +1 -0
package/dist/__tests__/sandbox.test.js +104 -0
package/dist/__tests__/sandbox.test.js.map +1 -0
package/dist/src/bridge.d.ts +71 -0
package/dist/src/bridge.js +151 -0
package/dist/src/bridge.js.map +1 -0
package/dist/src/index.d.ts +5 -0
package/dist/src/index.js +5 -0
package/dist/src/index.js.map +1 -0
package/dist/src/isolate.d.ts +97 -0
package/dist/src/isolate.js +174 -0
package/dist/src/isolate.js.map +1 -0
package/dist/src/sandbox.d.ts +40 -0
package/dist/src/sandbox.js +116 -0
package/dist/src/sandbox.js.map +1 -0
package/dist/src/types.d.ts +63 -0
package/dist/src/types.js +10 -0
package/dist/src/types.js.map +1 -0
package/package.json +37 -0
package/src/bridge.ts +219 -0
package/src/index.ts +11 -0
package/src/isolate.ts +202 -0
package/src/sandbox.ts +139 -0
package/src/types.ts +73 -0
package/tsconfig.json +13 -0

package/dist/__tests__/bridge.test.js ADDED Viewed

@@ -0,0 +1,168 @@
+import { describe, it, expect, vi } from "vitest";
+import { resolveAuthProvider, resolveOperation, extractAuthConfigs, loadProviderClient, createBridge, } from "../src/bridge.js";
+// ---------------------------------------------------------------------------
+// resolveAuthProvider
+// ---------------------------------------------------------------------------
+describe("resolveAuthProvider", () => {
+    it("returns undefined when credentials are empty", () => {
+        const auth = resolveAuthProvider({});
+        expect(auth).toBeUndefined();
+    });
+    it("resolves BearerToken from api_key config with Bearer pattern", async () => {
+        const configs = [
+            {
+                auth_type: "api_key",
+                api_key: "Bearer ${GITHUB_TOKEN}",
+                var_name: "Authorization",
+                location: "header",
+            },
+        ];
+        const auth = resolveAuthProvider({ GITHUB_TOKEN: "ghs_test123" }, configs);
+        expect(auth).toBeDefined();
+        const headers = {};
+        await auth.authenticate(headers);
+        expect(headers["Authorization"]).toBe("Bearer ghs_test123");
+    });
+    it("resolves ApiKey from raw ${VAR_NAME} api_key pattern", async () => {
+        const configs = [
+            {
+                auth_type: "api_key",
+                api_key: "${DD_API_KEY}",
+                var_name: "DD-API-Key",
+                location: "header",
+            },
+        ];
+        const auth = resolveAuthProvider({ DD_API_KEY: "dd_secret" }, configs);
+        expect(auth).toBeDefined();
+        const headers = {};
+        await auth.authenticate(headers);
+        expect(headers["DD-API-Key"]).toBe("dd_secret");
+    });
+    it("resolves BearerToken from oauth2 ACCESS_TOKEN credential", async () => {
+        const configs = [
+            { auth_type: "oauth2", flow: "authorization_code" },
+        ];
+        const auth = resolveAuthProvider({ SPOTIFY_ACCESS_TOKEN: "eyJaccess" }, configs);
+        expect(auth).toBeDefined();
+        const headers = {};
+        await auth.authenticate(headers);
+        expect(headers["Authorization"]).toBe("Bearer eyJaccess");
+    });
+    it("falls back to BearerToken with first credential when auth config is empty", async () => {
+        const auth = resolveAuthProvider({ SOME_TOKEN: "fallback-token" });
+        expect(auth).toBeDefined();
+        const headers = {};
+        await auth.authenticate(headers);
+        expect(headers["Authorization"]).toBe("Bearer fallback-token");
+    });
+    it("credential value is never written to process.env", () => {
+        const originalEnv = { ...process.env };
+        resolveAuthProvider({ SECRET_KEY: "my-secret" });
+        // Verify process.env was not modified
+        expect(process.env).toEqual(originalEnv);
+    });
+});
+// ---------------------------------------------------------------------------
+// resolveOperation
+// ---------------------------------------------------------------------------
+describe("resolveOperation", () => {
+    it("resolves a simple top-level function", () => {
+        const fn = vi.fn();
+        const client = { getUser: fn };
+        const op = resolveOperation(client, "getUser");
+        expect(op).toBe(fn);
+    });
+    it("resolves a nested dot-notation path", () => {
+        const fn = vi.fn();
+        const client = { users: { getByUsername: fn } };
+        const op = resolveOperation(client, "users.getByUsername");
+        expect(op).toBe(fn);
+    });
+    it("resolves a deeply nested path", () => {
+        const fn = vi.fn();
+        const client = { a: { b: { c: fn } } };
+        const op = resolveOperation(client, "a.b.c");
+        expect(op).toBe(fn);
+    });
+    it("throws TypeError when intermediate segment is missing", () => {
+        const client = { users: {} };
+        expect(() => resolveOperation(client, "users.missing.fn")).toThrow(TypeError);
+    });
+    it("throws TypeError when operation is not a function", () => {
+        const client = { count: 42 };
+        expect(() => resolveOperation(client, "count")).toThrow(TypeError);
+    });
+});
+// ---------------------------------------------------------------------------
+// extractAuthConfigs
+// ---------------------------------------------------------------------------
+describe("extractAuthConfigs", () => {
+    it("returns empty array when module has no packageJson export", () => {
+        const mod = {};
+        expect(extractAuthConfigs(mod)).toEqual([]);
+    });
+    it("returns empty array when packageJson has no utdk field", () => {
+        const mod = { packageJson: { name: "@utdk/test" } };
+        expect(extractAuthConfigs(mod)).toEqual([]);
+    });
+    it("extracts auth array from packageJson.utdk.auth", () => {
+        const authConfig = [
+            { auth_type: "api_key", api_key: "Bearer ${TOKEN}", var_name: "Authorization" },
+        ];
+        const mod = {
+            packageJson: {
+                name: "@utdk/test",
+                utdk: { auth: authConfig },
+            },
+        };
+        expect(extractAuthConfigs(mod)).toEqual(authConfig);
+    });
+});
+// ---------------------------------------------------------------------------
+// loadProviderClient
+// ---------------------------------------------------------------------------
+describe("loadProviderClient", () => {
+    it("calls the create*Client factory with auth option", async () => {
+        const mockClient = { users: { getByUsername: vi.fn() } };
+        const createMockClient = vi.fn().mockResolvedValue(mockClient);
+        const mod = { createMockClient };
+        const auth = { authenticate: vi.fn() };
+        const result = await loadProviderClient(mod, auth);
+        expect(createMockClient).toHaveBeenCalledWith({ auth });
+        expect(result).toBe(mockClient);
+    });
+    it("calls the factory with empty options when no auth is provided", async () => {
+        const mockClient = {};
+        const createNoAuthClient = vi.fn().mockResolvedValue(mockClient);
+        const mod = { createNoAuthClient };
+        await loadProviderClient(mod, undefined);
+        expect(createNoAuthClient).toHaveBeenCalledWith({});
+    });
+    it("throws when no create*Client export is found", async () => {
+        const mod = { someOtherExport: "value" };
+        await expect(loadProviderClient(mod, undefined)).rejects.toThrow(/does not export a create\*Client function/);
+    });
+});
+// ---------------------------------------------------------------------------
+// createBridge
+// ---------------------------------------------------------------------------
+describe("createBridge", () => {
+    it("returns an object with a call method", () => {
+        const op = vi.fn().mockResolvedValue({ id: 1 });
+        const bridge = createBridge({ operation: op });
+        expect(typeof bridge.call).toBe("function");
+    });
+    it("delegates call to the underlying operation", async () => {
+        const op = vi.fn().mockResolvedValue({ login: "octocat" });
+        const bridge = createBridge({ operation: op });
+        const result = await bridge.call({ username: "octocat" });
+        expect(op).toHaveBeenCalledWith({ username: "octocat" });
+        expect(result).toEqual({ login: "octocat" });
+    });
+    it("propagates errors from the operation", async () => {
+        const op = vi.fn().mockRejectedValue(new Error("API error"));
+        const bridge = createBridge({ operation: op });
+        await expect(bridge.call({})).rejects.toThrow("API error");
+    });
+});
+//# sourceMappingURL=bridge.test.js.map

package/dist/__tests__/bridge.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"bridge.test.js","sourceRoot":"","sources":["../../__tests__/bridge.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAClD,OAAO,EACL,mBAAmB,EACnB,gBAAgB,EAChB,kBAAkB,EAClB,kBAAkB,EAClB,YAAY,GACb,MAAM,kBAAkB,CAAC;AAG1B,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,IAAI,GAAG,mBAAmB,CAAC,EAAE,CAAC,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,KAAK,IAAI,EAAE;QAC5E,MAAM,OAAO,GAAqB;YAChC;gBACE,SAAS,EAAE,SAAS;gBACpB,OAAO,EAAE,wBAAwB;gBACjC,QAAQ,EAAE,eAAe;gBACzB,QAAQ,EAAE,QAAQ;aACU;SAC/B,CAAC;QACF,MAAM,IAAI,GAAG,mBAAmB,CAAC,EAAE,YAAY,EAAE,aAAa,EAAE,EAAE,OAAO,CAAC,CAAC;QAC3E,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAE3B,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,MAAM,IAAK,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QAClC,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QACpE,MAAM,OAAO,GAAqB;YAChC;gBACE,SAAS,EAAE,SAAS;gBACpB,OAAO,EAAE,eAAe;gBACxB,QAAQ,EAAE,YAAY;gBACtB,QAAQ,EAAE,QAAQ;aACU;SAC/B,CAAC;QACF,MAAM,IAAI,GAAG,mBAAmB,CAAC,EAAE,UAAU,EAAE,WAAW,EAAE,EAAE,OAAO,CAAC,CAAC;QACvE,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAE3B,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,MAAM,IAAK,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QAClC,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;QACxE,MAAM,OAAO,GAAqB;YAChC,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE,oBAAoB,EAAE;SACpD,CAAC;QACF,MAAM,IAAI,GAAG,mBAAmB,CAC9B,EAAE,oBAAoB,EAAE,WAAW,EAAE,EACrC,OAAO,CACR,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAE3B,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,MAAM,IAAK,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QAClC,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2EAA2E,EAAE,KAAK,IAAI,EAAE;QACzF,MAAM,IAAI,GAAG,mBAAmB,CAAC,EAAE,UAAU,EAAE,gBAAgB,EAAE,CAAC,CAAC;QACnE,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAE3B,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,MAAM,IAAK,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QAClC,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,MAAM,WAAW,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;QACvC,mBAAmB,CAAC,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC,CAAC;QACjD,sCAAsC;QACtC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;IAChC,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,EAAE,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QACnB,MAAM,MAAM,GAAG,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAC/B,MAAM,EAAE,GAAG,gBAAgB,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QAC/C,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACtB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,EAAE,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QACnB,MAAM,MAAM,GAAG,EAAE,KAAK,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE,EAAE,CAAC;QAChD,MAAM,EAAE,GAAG,gBAAgB,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;QAC3D,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACtB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,EAAE,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QACnB,MAAM,MAAM,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC;QACvC,MAAM,EAAE,GAAG,gBAAgB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC7C,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACtB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,MAAM,MAAM,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QAC7B,MAAM,CAAC,GAAG,EAAE,CAAC,gBAAgB,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,MAAM,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QAC7B,MAAM,CAAC,GAAG,EAAE,CAAC,gBAAgB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;QACnE,MAAM,GAAG,GAA4B,EAAE,CAAC;QACxC,MAAM,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;QAChE,MAAM,GAAG,GAAG,EAAE,WAAW,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,EAAE,CAAC;QACpD,MAAM,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,UAAU,GAAqB;YACnC,EAAE,SAAS,EAAE,SAAS,EAAE,OAAO,EAAE,iBAAiB,EAAE,QAAQ,EAAE,eAAe,EAAE;SAChF,CAAC;QACF,MAAM,GAAG,GAAG;YACV,WAAW,EAAE;gBACX,IAAI,EAAE,YAAY;gBAClB,IAAI,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE;aAC3B;SACF,CAAC;QACF,MAAM,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,UAAU,GAAG,EAAE,KAAK,EAAE,EAAE,aAAa,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC;QACzD,MAAM,gBAAgB,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;QAC/D,MAAM,GAAG,GAAG,EAAE,gBAAgB,EAAE,CAAC;QAEjC,MAAM,IAAI,GAAG,EAAE,YAAY,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,CAAC;QACvC,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAEnD,MAAM,CAAC,gBAAgB,CAAC,CAAC,oBAAoB,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QACxD,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+DAA+D,EAAE,KAAK,IAAI,EAAE;QAC7E,MAAM,UAAU,GAAG,EAAE,CAAC;QACtB,MAAM,kBAAkB,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;QACjE,MAAM,GAAG,GAAG,EAAE,kBAAkB,EAAE,CAAC;QAEnC,MAAM,kBAAkB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QACzC,MAAM,CAAC,kBAAkB,CAAC,CAAC,oBAAoB,CAAC,EAAE,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,GAAG,GAAG,EAAE,eAAe,EAAE,OAAO,EAAE,CAAC;QACzC,MAAM,MAAM,CAAC,kBAAkB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAC9D,2CAA2C,CAC5C,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,eAAe;AACf,8EAA8E;AAE9E,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,EAAE,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;QAChD,MAAM,MAAM,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC,CAAC;QAC/C,MAAM,CAAC,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,MAAM,EAAE,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC,CAAC;QAE/C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAC;QAE1D,MAAM,CAAC,EAAE,CAAC,CAAC,oBAAoB,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAC;QACzD,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;QACpD,MAAM,EAAE,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC;QAC7D,MAAM,MAAM,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC,CAAC;QAE/C,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/isolate.test.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+/**
+ * Integration tests for the Isolate runtime.
+ *
+ * These tests exercise the full execute() path using mock provider modules.
+ * Real network calls are avoided — all provider operations are vi.fn() mocks.
+ *
+ * Provider simulation:
+ *   - `@utdk/github`  → Bearer token auth, users.getByUsername operation
+ *   - `@utdk/spotify` → OAuth2 pre-resolved token, tracks.search operation
+ */
+export {};

package/dist/__tests__/isolate.test.js ADDED Viewed

@@ -0,0 +1,218 @@
+/**
+ * Integration tests for the Isolate runtime.
+ *
+ * These tests exercise the full execute() path using mock provider modules.
+ * Real network calls are avoided — all provider operations are vi.fn() mocks.
+ *
+ * Provider simulation:
+ *   - `@utdk/github`  → Bearer token auth, users.getByUsername operation
+ *   - `@utdk/spotify` → OAuth2 pre-resolved token, tracks.search operation
+ */
+import vm from "node:vm";
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { createBridge, resolveAuthProvider } from "../src/bridge.js";
+import { IsolateTimeoutError } from "../src/index.js";
+import { createSandboxContext } from "../src/sandbox.js";
+// Reusable sandbox script (same one the Isolate uses internally)
+const SANDBOX_SCRIPT = new vm.Script("__bridge__.call(__args__)");
+afterEach(() => {
+    vi.restoreAllMocks();
+});
+// ---------------------------------------------------------------------------
+// Sandbox execution via bridge
+// ---------------------------------------------------------------------------
+describe("sandbox script invokes bridge.call", () => {
+    it("passes args to the operation and returns the result", async () => {
+        const operationFn = vi.fn().mockResolvedValue({ id: "track-123", name: "Bohemian Rhapsody" });
+        const bridge = createBridge({ operation: operationFn });
+        const args = { q: "Bohemian Rhapsody", limit: 1 };
+        const context = createSandboxContext({
+            extraGlobals: { __bridge__: bridge, __args__: args },
+        });
+        const result = await SANDBOX_SCRIPT.runInContext(context);
+        expect(operationFn).toHaveBeenCalledWith(args);
+        expect(result).toEqual({ id: "track-123", name: "Bohemian Rhapsody" });
+    });
+    it("propagates errors thrown by the bridge", async () => {
+        const operationFn = vi.fn().mockRejectedValue(new Error("API error 429"));
+        const bridge = createBridge({ operation: operationFn });
+        const context = createSandboxContext({
+            extraGlobals: { __bridge__: bridge, __args__: {} },
+        });
+        await expect(SANDBOX_SCRIPT.runInContext(context)).rejects.toThrow("API error 429");
+    });
+});
+// ---------------------------------------------------------------------------
+// Sandbox isolation
+// ---------------------------------------------------------------------------
+describe("sandbox isolation", () => {
+    it("process is not accessible inside the sandbox", () => {
+        const ctx = createSandboxContext();
+        const result = vm.runInContext("typeof process", ctx);
+        expect(result).toBe("undefined");
+    });
+    it("process.env is not accessible inside the sandbox", () => {
+        const ctx = createSandboxContext();
+        const result = vm.runInContext("try { typeof process.env } catch (e) { 'threw' }", ctx);
+        expect(["threw", "undefined"]).toContain(result);
+    });
+    it("require is not accessible inside the sandbox", () => {
+        const ctx = createSandboxContext();
+        expect(vm.runInContext("typeof require", ctx)).toBe("undefined");
+    });
+    it("global is not accessible inside the sandbox", () => {
+        const ctx = createSandboxContext();
+        expect(vm.runInContext("typeof global", ctx)).toBe("undefined");
+    });
+    it("credentials are NOT injected as standalone sandbox globals", () => {
+        // Credentials must only flow through the bridge, never as top-level globals.
+        const ctx = createSandboxContext({
+            extraGlobals: {
+                __bridge__: { call: vi.fn().mockResolvedValue({}) },
+                __args__: {},
+                // GITHUB_TOKEN intentionally NOT added
+            },
+        });
+        expect(vm.runInContext("typeof GITHUB_TOKEN", ctx)).toBe("undefined");
+        expect(vm.runInContext("typeof SPOTIFY_ACCESS_TOKEN", ctx)).toBe("undefined");
+    });
+    it("state from one execution context does not leak to the next", () => {
+        const ctx1 = createSandboxContext();
+        const ctx2 = createSandboxContext();
+        vm.runInContext("var leakyVar = 'should-not-escape'", ctx1);
+        expect(vm.runInContext("typeof leakyVar", ctx2)).toBe("undefined");
+    });
+});
+// ---------------------------------------------------------------------------
+// Timeout enforcement
+// ---------------------------------------------------------------------------
+describe("timeout enforcement", () => {
+    it("rejects with TimeoutError when execution stalls", async () => {
+        const neverResolves = new Promise(() => { });
+        const bridge = { call: vi.fn().mockReturnValue(neverResolves) };
+        const ctx = createSandboxContext({
+            extraGlobals: { __bridge__: bridge, __args__: {} },
+        });
+        const resultPromise = SANDBOX_SCRIPT.runInContext(ctx);
+        const timeoutMs = 50;
+        const timeoutPromise = new Promise((_, reject) => {
+            setTimeout(() => reject(new IsolateTimeoutError(timeoutMs)), timeoutMs);
+        });
+        await expect(Promise.race([resultPromise, timeoutPromise])).rejects.toMatchObject({
+            name: "TimeoutError",
+        });
+    }, 1_000);
+    it("TimeoutError message includes the configured timeout value", () => {
+        const err = new IsolateTimeoutError(5_000);
+        expect(err.message).toContain("5000ms");
+        expect(err.name).toBe("TimeoutError");
+    });
+});
+// ---------------------------------------------------------------------------
+// Credential injection — github simulation
+// ---------------------------------------------------------------------------
+describe("credential injection — github provider simulation", () => {
+    it("bearer token is injected via auth provider, NOT process.env", async () => {
+        const authConfigs = [
+            {
+                auth_type: "api_key",
+                api_key: "Bearer ${GITHUB_TOKEN}",
+                var_name: "Authorization",
+            },
+        ];
+        const credentials = { GITHUB_TOKEN: "ghs_injected_by_gateway" };
+        const auth = resolveAuthProvider(credentials, authConfigs);
+        const headers = {};
+        await auth.authenticate(headers);
+        expect(headers["Authorization"]).toBe("Bearer ghs_injected_by_gateway");
+        // process.env must NOT have been touched
+        expect(process.env["GITHUB_TOKEN"]).toBeUndefined();
+    });
+    it("executes github-like operation via sandbox bridge", async () => {
+        const mockUser = { login: "octocat", id: 1, type: "User" };
+        const getUserFn = vi.fn().mockResolvedValue(mockUser);
+        // Simulate how the client would be structured after createGithubClient()
+        const bridge = createBridge({
+            operation: (args) => getUserFn(args),
+        });
+        const context = createSandboxContext({
+            extraGlobals: { __bridge__: bridge, __args__: { username: "octocat" } },
+        });
+        const result = await SANDBOX_SCRIPT.runInContext(context);
+        expect(getUserFn).toHaveBeenCalledWith({ username: "octocat" });
+        expect(result).toEqual(mockUser);
+    });
+});
+// ---------------------------------------------------------------------------
+// Credential injection — spotify simulation
+// ---------------------------------------------------------------------------
+describe("credential injection — spotify provider simulation", () => {
+    it("pre-resolved OAuth2 token is injected as BearerToken, NOT via process.env", async () => {
+        const authConfigs = [
+            { auth_type: "oauth2", flow: "authorization_code" },
+        ];
+        // Gateway pre-resolves the OAuth2 exchange and provides the access token directly
+        const credentials = { SPOTIFY_ACCESS_TOKEN: "eyJspotify_access_token" };
+        const auth = resolveAuthProvider(credentials, authConfigs);
+        const headers = {};
+        await auth.authenticate(headers);
+        expect(headers["Authorization"]).toBe("Bearer eyJspotify_access_token");
+        expect(process.env["SPOTIFY_ACCESS_TOKEN"]).toBeUndefined();
+        expect(process.env["SPOTIFY_CLIENT_SECRET"]).toBeUndefined();
+    });
+    it("executes spotify-like search operation via sandbox bridge", async () => {
+        const mockTracks = {
+            tracks: { items: [{ name: "Bohemian Rhapsody", id: "abc" }] },
+        };
+        const searchFn = vi.fn().mockResolvedValue(mockTracks);
+        const bridge = createBridge({ operation: searchFn });
+        const context = createSandboxContext({
+            extraGlobals: {
+                __bridge__: bridge,
+                __args__: { q: "Bohemian Rhapsody", type: "track", limit: 1 },
+            },
+        });
+        const result = await SANDBOX_SCRIPT.runInContext(context);
+        expect(searchFn).toHaveBeenCalledWith({
+            q: "Bohemian Rhapsody",
+            type: "track",
+            limit: 1,
+        });
+        expect(result).toEqual(mockTracks);
+    });
+});
+// ---------------------------------------------------------------------------
+// Performance overhead measurement
+// ---------------------------------------------------------------------------
+describe("performance overhead", () => {
+    it("sandbox overhead is within acceptable bounds (<200ms for trivial calls)", async () => {
+        const operationFn = vi.fn().mockResolvedValue({ ok: true });
+        const bridge = createBridge({ operation: operationFn });
+        const args = { test: true };
+        const ITERATIONS = 5;
+        const sandboxDurations = [];
+        const directDurations = [];
+        for (let i = 0; i < ITERATIONS; i++) {
+            // Sandbox path
+            const ctx = createSandboxContext({
+                extraGlobals: { __bridge__: bridge, __args__: args },
+            });
+            const sandboxStart = performance.now();
+            await SANDBOX_SCRIPT.runInContext(ctx);
+            sandboxDurations.push(performance.now() - sandboxStart);
+            // Direct call baseline
+            const directStart = performance.now();
+            await operationFn(args);
+            directDurations.push(performance.now() - directStart);
+        }
+        const avgSandbox = sandboxDurations.reduce((a, b) => a + b, 0) / ITERATIONS;
+        const avgDirect = directDurations.reduce((a, b) => a + b, 0) / ITERATIONS;
+        const overhead = avgSandbox - avgDirect;
+        console.log(`[perf] avg sandbox: ${avgSandbox.toFixed(2)}ms, ` +
+            `avg direct: ${avgDirect.toFixed(2)}ms, ` +
+            `overhead: ${overhead.toFixed(2)}ms`);
+        // Context creation + vm.Script execution overhead should be well under 200ms
+        expect(avgSandbox).toBeLessThan(200);
+    });
+});
+//# sourceMappingURL=isolate.test.js.map

package/dist/__tests__/isolate.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"isolate.test.js","sourceRoot":"","sources":["../../__tests__/isolate.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC7D,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACtD,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAGzD,iEAAiE;AACjE,MAAM,cAAc,GAAG,IAAI,EAAE,CAAC,MAAM,CAAC,2BAA2B,CAAC,CAAC;AAElE,SAAS,CAAC,GAAG,EAAE;IACb,EAAE,CAAC,eAAe,EAAE,CAAC;AACvB,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,+BAA+B;AAC/B,8EAA8E;AAE9E,QAAQ,CAAC,oCAAoC,EAAE,GAAG,EAAE;IAClD,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,MAAM,WAAW,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,EAAE,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,mBAAmB,EAAE,CAAC,CAAC;QAC9F,MAAM,MAAM,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC,CAAC;QACxD,MAAM,IAAI,GAAG,EAAE,CAAC,EAAE,mBAAmB,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;QAElD,MAAM,OAAO,GAAG,oBAAoB,CAAC;YACnC,YAAY,EAAE,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE;SACrD,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAO,cAAc,CAAC,YAAY,CAAC,OAAO,CAAsB,CAAC;QAEhF,MAAM,CAAC,WAAW,CAAC,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAC;QAC/C,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,EAAE,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,mBAAmB,EAAE,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;QACtD,MAAM,WAAW,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC;QAC1E,MAAM,MAAM,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC,CAAC;QAExD,MAAM,OAAO,GAAG,oBAAoB,CAAC;YACnC,YAAY,EAAE,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,EAAE;SACnD,CAAC,CAAC;QAEH,MAAM,MAAM,CAAC,cAAc,CAAC,YAAY,CAAC,OAAO,CAAqB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAC1G,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;IACjC,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,GAAG,GAAG,oBAAoB,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,EAAE,CAAC,YAAY,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC;QACtD,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,MAAM,GAAG,GAAG,oBAAoB,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,EAAE,CAAC,YAAY,CAC5B,kDAAkD,EAClD,GAAG,CACJ,CAAC;QACF,MAAM,CAAC,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,GAAG,GAAG,oBAAoB,EAAE,CAAC;QACnC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,GAAG,GAAG,oBAAoB,EAAE,CAAC;QACnC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,eAAe,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,6EAA6E;QAC7E,MAAM,GAAG,GAAG,oBAAoB,CAAC;YAC/B,YAAY,EAAE;gBACZ,UAAU,EAAE,EAAE,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,EAAE,CAAC,EAAE;gBACnD,QAAQ,EAAE,EAAE;gBACZ,uCAAuC;aACxC;SACF,CAAC,CAAC;QACH,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,qBAAqB,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACtE,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,MAAM,IAAI,GAAG,oBAAoB,EAAE,CAAC;QACpC,MAAM,IAAI,GAAG,oBAAoB,EAAE,CAAC;QAEpC,EAAE,CAAC,YAAY,CAAC,oCAAoC,EAAE,IAAI,CAAC,CAAC;QAE5D,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAC/D,MAAM,aAAa,GAAG,IAAI,OAAO,CAAQ,GAAG,EAAE,GAAiB,CAAC,CAAC,CAAC;QAClE,MAAM,MAAM,GAAG,EAAE,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,aAAa,CAAC,EAAE,CAAC;QAEhE,MAAM,GAAG,GAAG,oBAAoB,CAAC;YAC/B,YAAY,EAAE,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,EAAE;SACnD,CAAC,CAAC;QAEH,MAAM,aAAa,GAAG,cAAc,CAAC,YAAY,CAAC,GAAG,CAAqB,CAAC;QAC3E,MAAM,SAAS,GAAG,EAAE,CAAC;QAErB,MAAM,cAAc,GAAG,IAAI,OAAO,CAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE;YACtD,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,mBAAmB,CAAC,SAAS,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;QAC1E,CAAC,CAAC,CAAC;QAEH,MAAM,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;YAChF,IAAI,EAAE,cAAc;SACrB,CAAC,CAAC;IACL,CAAC,EAAE,KAAK,CAAC,CAAC;IAEV,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,MAAM,GAAG,GAAG,IAAI,mBAAmB,CAAC,KAAK,CAAC,CAAC;QAC3C,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QACxC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,2CAA2C;AAC3C,8EAA8E;AAE9E,QAAQ,CAAC,mDAAmD,EAAE,GAAG,EAAE;IACjE,EAAE,CAAC,6DAA6D,EAAE,KAAK,IAAI,EAAE;QAC3E,MAAM,WAAW,GAAqB;YACpC;gBACE,SAAS,EAAE,SAAS;gBACpB,OAAO,EAAE,wBAAwB;gBACjC,QAAQ,EAAE,eAAe;aAC1B;SACF,CAAC;QACF,MAAM,WAAW,GAAG,EAAE,YAAY,EAAE,yBAAyB,EAAE,CAAC;QAChE,MAAM,IAAI,GAAG,mBAAmB,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;QAE3D,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,MAAM,IAAK,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QAElC,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;QACxE,yCAAyC;QACzC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QACjE,MAAM,QAAQ,GAAG,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAC3D,MAAM,SAAS,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QAEtD,yEAAyE;QACzE,MAAM,MAAM,GAAG,YAAY,CAAC;YAC1B,SAAS,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC;SACrC,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,oBAAoB,CAAC;YACnC,YAAY,EAAE,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE;SACxE,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAO,cAAc,CAAC,YAAY,CAAC,OAAO,CAAsB,CAAC;QAEhF,MAAM,CAAC,SAAS,CAAC,CAAC,oBAAoB,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAC;QAChE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,4CAA4C;AAC5C,8EAA8E;AAE9E,QAAQ,CAAC,oDAAoD,EAAE,GAAG,EAAE;IAClE,EAAE,CAAC,2EAA2E,EAAE,KAAK,IAAI,EAAE;QACzF,MAAM,WAAW,GAAqB;YACpC,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE,oBAAoB,EAAE;SACpD,CAAC;QACF,kFAAkF;QAClF,MAAM,WAAW,GAAG,EAAE,oBAAoB,EAAE,yBAAyB,EAAE,CAAC;QACxE,MAAM,IAAI,GAAG,mBAAmB,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;QAE3D,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,MAAM,IAAK,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QAElC,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;QACxE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;QAC5D,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,MAAM,UAAU,GAAG;YACjB,MAAM,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,mBAAmB,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE;SAC9D,CAAC;QACF,MAAM,QAAQ,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;QACvD,MAAM,MAAM,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC,CAAC;QAErD,MAAM,OAAO,GAAG,oBAAoB,CAAC;YACnC,YAAY,EAAE;gBACZ,UAAU,EAAE,MAAM;gBAClB,QAAQ,EAAE,EAAE,CAAC,EAAE,mBAAmB,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE;aAC9D;SACF,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAO,cAAc,CAAC,YAAY,CAAC,OAAO,CAAsB,CAAC;QAEhF,MAAM,CAAC,QAAQ,CAAC,CAAC,oBAAoB,CAAC;YACpC,CAAC,EAAE,mBAAmB;YACtB,IAAI,EAAE,OAAO;YACb,KAAK,EAAE,CAAC;SACT,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,mCAAmC;AACnC,8EAA8E;AAE9E,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;IACpC,EAAE,CAAC,yEAAyE,EAAE,KAAK,IAAI,EAAE;QACvF,MAAM,WAAW,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5D,MAAM,MAAM,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC,CAAC;QACxD,MAAM,IAAI,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;QAE5B,MAAM,UAAU,GAAG,CAAC,CAAC;QACrB,MAAM,gBAAgB,GAAa,EAAE,CAAC;QACtC,MAAM,eAAe,GAAa,EAAE,CAAC;QAErC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;YACpC,eAAe;YACf,MAAM,GAAG,GAAG,oBAAoB,CAAC;gBAC/B,YAAY,EAAE,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE;aACrD,CAAC,CAAC;YACH,MAAM,YAAY,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;YACvC,MAAO,cAAc,CAAC,YAAY,CAAC,GAAG,CAAsB,CAAC;YAC7D,gBAAgB,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,YAAY,CAAC,CAAC;YAExD,uBAAuB;YACvB,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;YACtC,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC;YACxB,eAAe,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC,CAAC;QACxD,CAAC;QAED,MAAM,UAAU,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,GAAG,UAAU,CAAC;QAC5E,MAAM,SAAS,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,GAAG,UAAU,CAAC;QAC1E,MAAM,QAAQ,GAAG,UAAU,GAAG,SAAS,CAAC;QAExC,OAAO,CAAC,GAAG,CACT,uBAAuB,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM;YAClD,eAAe,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM;YACzC,aAAa,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CACrC,CAAC;QAEF,6EAA6E;QAC7E,MAAM,CAAC,UAAU,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/sandbox.test.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/__tests__/sandbox.test.js ADDED Viewed

@@ -0,0 +1,104 @@
+import vm from "node:vm";
+import { describe, it, expect } from "vitest";
+import { createSandboxContext } from "../src/sandbox.js";
+describe("createSandboxContext", () => {
+    it("creates a valid vm context", () => {
+        const ctx = createSandboxContext();
+        expect(vm.isContext(ctx)).toBe(true);
+    });
+    describe("isolation — blocked host APIs", () => {
+        it("does not expose process", () => {
+            const ctx = createSandboxContext();
+            const result = vm.runInContext("typeof process", ctx);
+            expect(result).toBe("undefined");
+        });
+        it("does not expose process.env (guard against prototype chain leakage)", () => {
+            const ctx = createSandboxContext();
+            // If `process` is undefined, accessing .env should throw or be undefined
+            const result = vm.runInContext("try { typeof process.env } catch (e) { 'threw' }", ctx);
+            // Either 'threw' (TypeError: Cannot read properties of undefined) or 'undefined'
+            expect(["threw", "undefined"]).toContain(result);
+        });
+        it("does not expose require", () => {
+            const ctx = createSandboxContext();
+            expect(vm.runInContext("typeof require", ctx)).toBe("undefined");
+        });
+        it("does not expose global", () => {
+            const ctx = createSandboxContext();
+            // `global` is Node.js-specific; not in context
+            expect(vm.runInContext("typeof global", ctx)).toBe("undefined");
+        });
+        it("does not expose Buffer", () => {
+            const ctx = createSandboxContext();
+            expect(vm.runInContext("typeof Buffer", ctx)).toBe("undefined");
+        });
+        it("does not expose __dirname", () => {
+            const ctx = createSandboxContext();
+            expect(vm.runInContext("typeof __dirname", ctx)).toBe("undefined");
+        });
+        it("does not expose __filename", () => {
+            const ctx = createSandboxContext();
+            expect(vm.runInContext("typeof __filename", ctx)).toBe("undefined");
+        });
+    });
+    describe("safe globals — accessible inside sandbox", () => {
+        it("exposes JSON", () => {
+            const ctx = createSandboxContext();
+            expect(vm.runInContext("JSON.stringify({ a: 1 })", ctx)).toBe('{"a":1}');
+        });
+        it("exposes Math", () => {
+            const ctx = createSandboxContext();
+            expect(vm.runInContext("Math.max(2, 3)", ctx)).toBe(3);
+        });
+        it("exposes Date", () => {
+            const ctx = createSandboxContext();
+            expect(vm.runInContext("typeof new Date()", ctx)).toBe("object");
+        });
+        it("exposes URL", () => {
+            const ctx = createSandboxContext();
+            const href = vm.runInContext('new URL("https://example.com").href', ctx);
+            expect(href).toBe("https://example.com/");
+        });
+        it("exposes Promise", () => {
+            const ctx = createSandboxContext();
+            expect(vm.runInContext("typeof Promise.resolve", ctx)).toBe("function");
+        });
+        it("exposes setTimeout", () => {
+            const ctx = createSandboxContext();
+            expect(vm.runInContext("typeof setTimeout", ctx)).toBe("function");
+        });
+        it("exposes TextEncoder / TextDecoder", () => {
+            const ctx = createSandboxContext();
+            expect(vm.runInContext("typeof TextEncoder", ctx)).toBe("function");
+            expect(vm.runInContext("typeof TextDecoder", ctx)).toBe("function");
+        });
+    });
+    describe("extraGlobals", () => {
+        it("injects arbitrary globals into the context", () => {
+            const ctx = createSandboxContext({
+                extraGlobals: { __answer__: 42 },
+            });
+            expect(vm.runInContext("__answer__", ctx)).toBe(42);
+        });
+        it("injected bridge object is callable from the sandbox", () => {
+            const bridge = { call: (args) => ({ echo: args }) };
+            const ctx = createSandboxContext({
+                extraGlobals: {
+                    __bridge__: bridge,
+                    __args__: { x: 1 },
+                },
+            });
+            const result = vm.runInContext("__bridge__.call(__args__)", ctx);
+            expect(result.echo).toEqual({ x: 1 });
+        });
+    });
+    describe("context isolation between calls", () => {
+        it("state written in one context does not leak to another", () => {
+            const ctx1 = createSandboxContext();
+            const ctx2 = createSandboxContext();
+            vm.runInContext("var secret = 'ctx1-secret'", ctx1);
+            expect(vm.runInContext("typeof secret", ctx2)).toBe("undefined");
+        });
+    });
+});
+//# sourceMappingURL=sandbox.test.js.map

package/dist/__tests__/sandbox.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sandbox.test.js","sourceRoot":"","sources":["../../__tests__/sandbox.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAEzD,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;IACpC,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,GAAG,GAAG,oBAAoB,EAAE,CAAC;QACnC,MAAM,CAAC,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,+BAA+B,EAAE,GAAG,EAAE;QAC7C,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;YACjC,MAAM,GAAG,GAAG,oBAAoB,EAAE,CAAC;YACnC,MAAM,MAAM,GAAG,EAAE,CAAC,YAAY,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC;YACtD,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qEAAqE,EAAE,GAAG,EAAE;YAC7E,MAAM,GAAG,GAAG,oBAAoB,EAAE,CAAC;YACnC,yEAAyE;YACzE,MAAM,MAAM,GAAG,EAAE,CAAC,YAAY,CAC5B,kDAAkD,EAClD,GAAG,CACJ,CAAC;YACF,iFAAiF;YACjF,MAAM,CAAC,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;YACjC,MAAM,GAAG,GAAG,oBAAoB,EAAE,CAAC;YACnC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wBAAwB,EAAE,GAAG,EAAE;YAChC,MAAM,GAAG,GAAG,oBAAoB,EAAE,CAAC;YACnC,+CAA+C;YAC/C,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,eAAe,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAClE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wBAAwB,EAAE,GAAG,EAAE;YAChC,MAAM,GAAG,GAAG,oBAAoB,EAAE,CAAC;YACnC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,eAAe,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAClE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;YACnC,MAAM,GAAG,GAAG,oBAAoB,EAAE,CAAC;YACnC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACrE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;YACpC,MAAM,GAAG,GAAG,oBAAoB,EAAE,CAAC;YACnC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,mBAAmB,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACtE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,0CAA0C,EAAE,GAAG,EAAE;QACxD,EAAE,CAAC,cAAc,EAAE,GAAG,EAAE;YACtB,MAAM,GAAG,GAAG,oBAAoB,EAAE,CAAC;YACnC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,0BAA0B,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC3E,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,cAAc,EAAE,GAAG,EAAE;YACtB,MAAM,GAAG,GAAG,oBAAoB,EAAE,CAAC;YACnC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,cAAc,EAAE,GAAG,EAAE;YACtB,MAAM,GAAG,GAAG,oBAAoB,EAAE,CAAC;YACnC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,mBAAmB,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,aAAa,EAAE,GAAG,EAAE;YACrB,MAAM,GAAG,GAAG,oBAAoB,EAAE,CAAC;YACnC,MAAM,IAAI,GAAG,EAAE,CAAC,YAAY,CAAC,qCAAqC,EAAE,GAAG,CAAC,CAAC;YACzE,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QAC5C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iBAAiB,EAAE,GAAG,EAAE;YACzB,MAAM,GAAG,GAAG,oBAAoB,EAAE,CAAC;YACnC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,wBAAwB,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC1E,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oBAAoB,EAAE,GAAG,EAAE;YAC5B,MAAM,GAAG,GAAG,oBAAoB,EAAE,CAAC;YACnC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,mBAAmB,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACrE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;YAC3C,MAAM,GAAG,GAAG,oBAAoB,EAAE,CAAC;YACnC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,oBAAoB,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YACpE,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,oBAAoB,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACtE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;QAC5B,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;YACpD,MAAM,GAAG,GAAG,oBAAoB,CAAC;gBAC/B,YAAY,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE;aACjC,CAAC,CAAC;YACH,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACtD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;YAC7D,MAAM,MAAM,GAAG,EAAE,IAAI,EAAE,CAAC,IAAa,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;YAC7D,MAAM,GAAG,GAAG,oBAAoB,CAAC;gBAC/B,YAAY,EAAE;oBACZ,UAAU,EAAE,MAAM;oBAClB,QAAQ,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE;iBACnB;aACF,CAAC,CAAC;YACH,MAAM,MAAM,GAAG,EAAE,CAAC,YAAY,CAAC,2BAA2B,EAAE,GAAG,CAAsB,CAAC;YACtF,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,iCAAiC,EAAE,GAAG,EAAE;QAC/C,EAAE,CAAC,uDAAuD,EAAE,GAAG,EAAE;YAC/D,MAAM,IAAI,GAAG,oBAAoB,EAAE,CAAC;YACpC,MAAM,IAAI,GAAG,oBAAoB,EAAE,CAAC;YAEpC,EAAE,CAAC,YAAY,CAAC,4BAA4B,EAAE,IAAI,CAAC,CAAC;YAEpD,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/src/bridge.d.ts ADDED Viewed

@@ -0,0 +1,71 @@
+/**
+ * Credential bridge for the Isolate runtime.
+ *
+ * The bridge is the ONLY channel through which credentials and provider
+ * operations enter the sandboxed vm context. It is created in the host context
+ * (where Node.js module loading works normally) and exposed as `__bridge__`
+ * inside the sandbox.
+ *
+ * Design:
+ *   - The provider module is dynamically imported in the HOST context, so it
+ *     can resolve its own dependencies normally.
+ *   - Credentials are mapped to an `AuthProvider` from `@utdk/common`, which
+ *     injects them into HTTP request headers at call time.
+ *   - The operation function is resolved via dot-notation path on the client.
+ *   - The sandbox script calls `await __bridge__.call(args)` — it never
+ *     touches `process.env` or any host filesystem API.
+ */
+import { type AuthProvider } from "@utdk/common";
+import type { UtdkAuthConfig } from "./types.js";
+/**
+ * Resolves an `AuthProvider` from a flat credentials map and the provider's
+ * `utdk.auth` config array (from its `package.json`).
+ *
+ * Supported patterns:
+ *   api_key   – Bearer header:  `api_key: "Bearer ${TOKEN_NAME}"`
+ *   api_key   – Raw header:     `api_key: "${TOKEN_NAME}"`
+ *   oauth2    – Pre-resolved:   looks for `PROVIDER_ACCESS_TOKEN` key
+ *
+ * Falls back to `BearerToken(firstValue)` when the auth config is absent or
+ * the pattern is not recognised.
+ */
+export declare function resolveAuthProvider(credentials: Record<string, string>, authConfigs?: UtdkAuthConfig[]): AuthProvider | undefined;
+/**
+ * Extracts the `utdk.auth` array from a provider module's package.json.
+ * Returns an empty array if the module does not export a `packageJson`
+ * property or if the config is absent.
+ */
+export declare function extractAuthConfigs(providerModule: Record<string, unknown>): UtdkAuthConfig[];
+/**
+ * Resolves a dot-notation operation path on a client object.
+ *
+ * @example
+ * resolveOperation(client, 'users.getByUsername')
+ * // → client.users.getByUsername (as a bound function)
+ */
+export declare function resolveOperation(client: unknown, operationPath: string): (...args: unknown[]) => Promise<unknown>;
+export interface BridgeOptions {
+    /** The resolved operation function (from host context) */
+    operation: (...args: unknown[]) => Promise<unknown>;
+}
+/**
+ * Creates a bridge object that is safe to expose inside a vm context.
+ *
+ * The bridge has a single method, `call(args)`, which invokes the pre-resolved
+ * provider operation with the given arguments. Credentials are already baked
+ * into the operation via the auth provider — the sandbox script never sees
+ * them.
+ */
+export declare function createBridge(options: BridgeOptions): {
+    call: (args: Record<string, unknown>) => Promise<unknown>;
+};
+/**
+ * Locates and invokes the `create*Client` factory in a provider module.
+ *
+ * Provider modules export a `create<Name>Client(options?)` function that
+ * returns a `Promise<Client>`. This helper finds it and calls it with the
+ * supplied auth provider.
+ *
+ * @throws if no factory function matching `create*Client` is found.
+ */
+export declare function loadProviderClient(providerModule: Record<string, unknown>, auth: AuthProvider | undefined): Promise<unknown>;