toiljs 0.0.26 → 0.0.28

package/server/runtime/handlers/ToilHandler.ts

@@ -12,11 +12,12 @@ import { Response } from '../response';
 export class ToilHandler {
     /**
      * Override to declare your routes. The default implementation
-     * returns a generic 404 so a handler that hasn't been wired up
-     * still produces a valid envelope.
+     * returns an unhandled-marked 404 so a handler that hasn't been
+     * wired up still produces a valid envelope, and the host knows it
+     * may serve the path itself.
      */
     public handle(_req: Request): Response {
-        return Response.notFound();
+        return Response.unhandled();
     }
 
     /**

package/server/runtime/index.ts

@@ -15,7 +15,7 @@
  */
 
 export { Header, Method, Request } from './request';
-export { Response } from './response';
+export { Response, TOIL_UNHANDLED_HEADER } from './response';
 export { ToilHandler } from './handlers/ToilHandler';
 export { Server, ServerEnvironment } from './env/Server';
 

package/server/runtime/response.ts

@@ -6,6 +6,16 @@
 
 import { Header } from './request';
 
+/**
+ * Marker header on the runtime's fallback 404 (no route matched, no handler
+ * wired). The host can use it to fall through to another layer, the dev
+ * server hands such requests to Vite (client routes, assets), and strips the
+ * marker before anything reaches the browser. A deliberate
+ * `Response.notFound()` does not carry it. Mirrored as `UNHANDLED_HEADER` in
+ * `src/devserver/module.ts`.
+ */
+export const TOIL_UNHANDLED_HEADER: string = 'x-toil-unhandled';
+
 export class Response {
     status: u16;
     headers: Array<Header>;
@@ -63,6 +73,19 @@ export class Response {
         return Response.text('not found\n', 404);
     }
 
+    /**
+     * The "this server has no answer for that path" 404: a `notFound()`
+     * carrying {@link TOIL_UNHANDLED_HEADER} so the host may serve the path
+     * itself (static files, the client app). Returned by the framework when
+     * dispatch misses; handlers that mean "looked it up, does not exist"
+     * should return `notFound()` instead.
+     */
+    public static unhandled(): Response {
+        const r = Response.notFound();
+        r.setHeader(TOIL_UNHANDLED_HEADER, '1');
+        return r;
+    }
+
     public static badRequest(msg: string = 'bad request'): Response {
         return Response.text(msg + '\n', 400);
     }

package/server/runtime/rest/RestHandler.ts

@@ -11,10 +11,10 @@ import { ToilHandler } from '../handlers/ToilHandler';
 import { Rest } from './Rest';
 
 export class RestHandler extends ToilHandler {
-    /** Dispatches to the registered `@rest` controllers; returns 404 when none match. */
+    /** Dispatches to the registered `@rest` controllers; an unhandled-marked 404 when none match. */
     handle(req: Request): Response {
         const hit = Rest.dispatch(req);
         if (hit != null) return hit;
-        return Response.notFound();
+        return Response.unhandled();
     }
 }

package/src/compiler/index.ts

@@ -1,11 +1,13 @@
 import { spawn } from 'node:child_process';
 import fs from 'node:fs';
 import { createRequire } from 'node:module';
+import net from 'node:net';
 import path from 'node:path';
 
 import pc from 'picocolors';
-import { build as viteBuild, createServer, type ViteDevServer } from 'vite';
+import { build as viteBuild, createServer, mergeConfig, type ViteDevServer } from 'vite';
 import { startBackend, type RunningBackend } from 'toiljs/backend';
+import { startDevServer } from 'toiljs/devserver';
 
 import { loadConfig } from './config.js';
 import { generate } from './generate.js';
@@ -140,11 +142,14 @@ async function buildServer(root: string): Promise<void> {
 /**
  * Watches the server source dirs and rebuilds the server (toilscript) on change, so editing a
  * `@data`/`@rest` file under `toiljs dev` regenerates `shared/server.ts` - which Vite then HMRs
- * into the client - the server-side equivalent of Vite's client HMR. Client-only edits never touch
- * these dirs, so they only trigger Vite, never a server rebuild. Rebuilds are debounced and never
- * overlap. A no-op for client-only projects.
+ * into the client - and the dev server hot-swaps the recompiled wasm: the server-side equivalent
+ * of Vite's client HMR. Client-only edits never touch these dirs, so they only trigger Vite,
+ * never a server rebuild. Rebuilds are debounced and never overlap. Rides Vite's chokidar
+ * watcher instead of a separate `fs.watch`: the native recursive watcher silently stops
+ * delivering events on Linux after editors replace files via rename, which left hot reload
+ * working exactly once. A no-op for client-only projects.
  */
-function watchServer(root: string): void {
+function watchServer(root: string, watcher: ViteDevServer['watcher']): void {
     const dirs = serverDirs(root);
     if (dirs.length === 0) return;
 
@@ -172,20 +177,47 @@ function watchServer(root: string): void {
     };
 
     let timer: ReturnType<typeof setTimeout> | undefined;
-    const onChange = (file: string | null): void => {
-        if (!file || !file.endsWith('.ts') || file.endsWith('.d.ts')) return;
+    const isServerSource = (file: string): boolean =>
+        file.endsWith('.ts') &&
+        !file.endsWith('.d.ts') &&
+        dirs.some((dir) => file === dir || file.startsWith(dir + path.sep));
+    watcher.add(dirs);
+    watcher.on('all', (_event, file) => {
+        if (!isServerSource(file)) return;
         if (timer) clearTimeout(timer);
         timer = setTimeout(rebuild, 150); // debounce bursts (save-all, formatters)
-    };
-    for (const dir of dirs) {
-        try {
-            fs.watch(dir, { recursive: true }, (_event, file) =>
-                onChange(typeof file === 'string' ? file : null),
-            );
-        } catch {
-            // Recursive watch unsupported here: hot server rebuild is unavailable, dev still runs.
-        }
+    });
+}
+
+/** The server wasm artifact path from the toilconfig `release` target (toilscript's output). */
+function serverWasmFile(root: string): string {
+    let outFile = 'build/server/release.wasm';
+    try {
+        const cfg = JSON.parse(fs.readFileSync(path.join(root, 'toilconfig.json'), 'utf8')) as {
+            targets?: Record<string, { outFile?: string }>;
+        };
+        outFile = cfg.targets?.release?.outFile ?? outFile;
+    } catch {
+        // No readable toilconfig: caller already gated on its existence; keep the default.
     }
+    return path.resolve(root, outFile);
+}
+
+/** An OS-assigned free loopback port (for the internal Vite server behind the dev front). */
+async function freeLoopbackPort(): Promise<number> {
+    return new Promise((resolve, reject) => {
+        const probe = net.createServer();
+        probe.once('error', reject);
+        probe.listen(0, '127.0.0.1', () => {
+            const address = probe.address();
+            if (address === null || typeof address === 'string') {
+                probe.close();
+                reject(new Error('could not allocate a loopback port'));
+                return;
+            }
+            probe.close(() => resolve(address.port));
+        });
+    });
 }
 
 export interface ToilCommandOptions {
@@ -197,7 +229,16 @@ export interface ToilCommandOptions {
     readonly serverOnly?: boolean;
 }
 
-/** Starts the Vite dev server (HMR + transforms) for the client app. Returns the running server. */
+/**
+ * Starts the dev server. Client-only projects get the plain Vite dev server on
+ * the configured port, unchanged. Projects with a server target
+ * (toilconfig.json) get the WASM dev server in front: a uWebSockets.js server
+ * on the configured port that dispatches requests into the ToilScript server
+ * wasm (same envelope ABI as the production edge) and transparently proxies
+ * everything the server does not claim, HMR websocket included, to a Vite dev
+ * server on an internal loopback port. Vite keeps 100% of its dev behavior;
+ * it just stops being the public listener. Returns the running Vite server.
+ */
 export async function dev(opts: ToilCommandOptions = {}): Promise<ViteDevServer> {
     const cfg = await loadConfig(opts);
     // Server first: build it (regenerating shared/server.ts) before the client dev server starts.
@@ -206,11 +247,45 @@ export async function dev(opts: ToilCommandOptions = {}): Promise<ViteDevServer>
     await buildServer(cfg.root);
     if (hasServer) process.stdout.write(pc.green('  ✓ ') + pc.dim('server built') + '\n');
     generate(cfg);
-    const server = await createServer(await createViteConfig(cfg));
+
+    if (!hasServer) {
+        const server = await createServer(await createViteConfig(cfg));
+        await server.listen();
+        server.printUrls();
+        return server;
+    }
+
+    // Vite moves to an internal loopback port; the WASM dev server takes the public one.
+    const vitePort = await freeLoopbackPort();
+    const viteConfig = mergeConfig(await createViteConfig(cfg), {
+        server: { port: vitePort, host: '127.0.0.1', strictPort: true },
+    });
+    const server = await createServer(viteConfig);
     await server.listen();
-    server.printUrls();
-    // Rebuild the server on server-file changes; Vite HMRs the regenerated shared/server.ts.
-    if (hasServer) watchServer(cfg.root);
+
+    const front = await startDevServer({
+        root: cfg.root,
+        port: cfg.port,
+        wasmFile: serverWasmFile(cfg.root),
+        vite: { host: '127.0.0.1', port: vitePort },
+    });
+    server.httpServer?.once('close', () => {
+        void front.close();
+    });
+    process.stdout.write(
+        '\n  ' +
+            pc.green('➜') +
+            '  ' +
+            pc.bold('Local') +
+            ':   ' +
+            pc.cyan(`http://localhost:${pc.bold(String(front.port))}/`) +
+            pc.dim('  (wasm server + vite)') +
+            '\n',
+    );
+
+    // Rebuild the server on server-file changes; Vite HMRs the regenerated shared/server.ts
+    // and the dev server hot-swaps the recompiled wasm module.
+    watchServer(cfg.root, server.watcher);
     return server;
 }
 

package/src/devserver/crypto.ts

@@ -0,0 +1,421 @@
+/**
+ * Dev-server mock of the `env.crypto.*` host functions, mirroring the
+ * production edge (`toil-backend/src/wasm/host/import_functions/crypto`) and the
+ * toilscript std ABI (`std/assembly/crypto/algorithms.ts`). Backed by Node's
+ * `crypto`. The dev server intentionally skips the edge's metering, so these
+ * charge nothing; results must still be byte-identical to the edge for the
+ * common algorithms.
+ *
+ * Variable-length results use the same two-step pull as the edge: the op
+ * returns the length and stashes the bytes; the guest then calls `take_result`.
+ *
+ * Dev-only limitations: raw-format import of asymmetric keys (EC/Ed25519/
+ * X25519) returns the "unsupported" code (-3) here because Node can't import a
+ * bare key without DER; use pkcs8/spki in the dev server. The production edge
+ * supports raw too. These are catchable guest-side errors, never crashes.
+ */
+
+import * as nodeCrypto from 'node:crypto';
+
+import type { MemoryRef } from './host.js';
+
+// --- ABI id tables (must match the std + Rust backend) ----------------------
+const ALG = {
+    SHA1: 1, SHA256: 2, SHA384: 3, SHA512: 4, SHA3_256: 5, SHA3_384: 6, SHA3_512: 7,
+    AES_GCM: 10, AES_CBC: 11, AES_CTR: 12, AES_KW: 13, HMAC: 20,
+    ECDSA: 32, ED25519: 33, ECDH: 50, X25519: 51, HKDF: 52, PBKDF2: 53,
+} as const;
+const FMT = { RAW: 0, PKCS8: 1, SPKI: 2, JWK: 3 } as const;
+
+// Recoverable error codes (negative returns).
+const ERR_GENERIC = -1;
+const ERR_UNSUPPORTED = -3;
+const ERR_INVALID_PARAMS = -4;
+const ERR_OPERATION_FAILED = -5;
+const ERR_NOT_EXTRACTABLE = -7;
+
+const MAX_OUTPUT = 1024 * 1024;
+
+interface KeyEntry {
+    /** Raw bytes for symmetric/MAC/KDF keys. */
+    raw: Buffer | null;
+    /** Node KeyObject for asymmetric keys. */
+    keyObject: nodeCrypto.KeyObject | null;
+    alg: number;
+    hash: number;
+    extractable: boolean;
+    isPrivate: boolean;
+}
+
+export interface CryptoState {
+    keys: Map<number, KeyEntry>;
+    nextHandle: number;
+    lastResult: Buffer | null;
+}
+
+export function freshCryptoState(): CryptoState {
+    return { keys: new Map(), nextHandle: 1, lastResult: null };
+}
+
+function memBuf(ref: MemoryRef): Buffer {
+    if (!ref.memory) throw new Error('crypto host import called before memory was bound');
+    return Buffer.from(ref.memory.buffer);
+}
+
+function readBytes(ref: MemoryRef, ptr: number, len: number): Buffer {
+    const m = memBuf(ref);
+    if (ptr < 0 || len < 0 || ptr + len > m.length)
+        throw new Error(`crypto read out of bounds: ptr=${String(ptr)} len=${String(len)}`);
+    // Copy out so later writes/grows can't alias the input.
+    return Buffer.from(m.subarray(ptr, ptr + len));
+}
+
+function writeBytes(ref: MemoryRef, ptr: number, bytes: Buffer | Uint8Array): void {
+    const m = memBuf(ref);
+    if (ptr < 0 || ptr + bytes.length > m.length)
+        throw new Error(`crypto write out of bounds: ptr=${String(ptr)} len=${String(bytes.length)}`);
+    m.set(bytes, ptr);
+}
+
+/** Little-endian reader over a packed params buffer (mirrors the Rust ParamReader). */
+class ParamReader {
+    private pos = 0;
+    constructor(private readonly buf: Buffer) {}
+    /** Bounds-check before a read so a malformed buffer throws a controlled
+     *  error (trap-equivalent, caught by the dispatcher) rather than a raw
+     *  Node RangeError. */
+    private need(n: number): void {
+        if (n < 0 || this.pos + n > this.buf.length)
+            throw new Error('crypto: malformed params buffer (truncated)');
+    }
+    readI32(): number {
+        this.need(4);
+        const v = this.buf.readInt32LE(this.pos);
+        this.pos += 4;
+        return v;
+    }
+    readU32(): number {
+        this.need(4);
+        const v = this.buf.readUInt32LE(this.pos);
+        this.pos += 4;
+        return v;
+    }
+    readBlob(): Buffer {
+        const n = this.readU32();
+        this.need(n);
+        const s = Buffer.from(this.buf.subarray(this.pos, this.pos + n));
+        this.pos += n;
+        return s;
+    }
+}
+
+function hashName(id: number): string {
+    switch (id) {
+        case ALG.SHA1: return 'sha1';
+        case ALG.SHA256: return 'sha256';
+        case ALG.SHA384: return 'sha384';
+        case ALG.SHA512: return 'sha512';
+        case ALG.SHA3_256: return 'sha3-256';
+        case ALG.SHA3_384: return 'sha3-384';
+        case ALG.SHA3_512: return 'sha3-512';
+        default: throw new Error(`crypto: bad hash id ${String(id)}`);
+    }
+}
+
+function stash(state: CryptoState, bytes: Buffer): number {
+    state.lastResult = bytes;
+    return bytes.length;
+}
+
+/**
+ * Build the `env.crypto.*` import functions. `state.crypto` holds the per-
+ * dispatch keystore + result scratch.
+ */
+export function buildCryptoImports(
+    ref: MemoryRef,
+    cs: CryptoState,
+): Record<string, (...args: number[]) => number | void> {
+    return {
+        'crypto.fill_random': (outPtr: number, len: number): void => {
+            if (len < 0 || len > MAX_OUTPUT) throw new Error('crypto.fill_random: bad length');
+            writeBytes(ref, outPtr, nodeCrypto.randomBytes(len));
+        },
+
+        'crypto.random_uuid': (outPtr: number): void => {
+            writeBytes(ref, outPtr, nodeCrypto.randomBytes(16));
+        },
+
+        'crypto.take_result': (outPtr: number, outLen: number): number => {
+            const r = cs.lastResult;
+            if (!r || r.length !== outLen)
+                throw new Error('crypto.take_result: length mismatch');
+            writeBytes(ref, outPtr, r);
+            cs.lastResult = null;
+            return r.length;
+        },
+
+        'crypto.digest': (alg: number, dataPtr: number, dataLen: number): number => {
+            const data = readBytes(ref, dataPtr, dataLen);
+            try {
+                return stash(cs, nodeCrypto.createHash(hashName(alg)).update(data).digest());
+            } catch {
+                return ERR_UNSUPPORTED;
+            }
+        },
+
+        'crypto.import_key': (
+            format: number,
+            keyPtr: number,
+            keyLen: number,
+            paramsPtr: number,
+            paramsLen: number,
+            extractable: number,
+            _usages: number,
+        ): number => {
+            const key = readBytes(ref, keyPtr, keyLen);
+            const pr = new ParamReader(readBytes(ref, paramsPtr, paramsLen));
+            const alg = pr.readI32();
+            const hash = pr.readI32();
+            return importKey(cs, format, alg, hash, pr, key, extractable !== 0);
+        },
+
+        'crypto.export_key': (format: number, handle: number): number => {
+            const e = cs.keys.get(handle);
+            if (!e) throw new Error('crypto.export_key: invalid handle');
+            if (!e.extractable) return ERR_NOT_EXTRACTABLE;
+            try {
+                if (e.raw && format === FMT.RAW) return stash(cs, e.raw);
+                if (e.keyObject) {
+                    if (format === FMT.PKCS8 && e.isPrivate)
+                        return stash(cs, e.keyObject.export({ format: 'der', type: 'pkcs8' }) as Buffer);
+                    if (format === FMT.SPKI && !e.isPrivate)
+                        return stash(cs, e.keyObject.export({ format: 'der', type: 'spki' }) as Buffer);
+                }
+                return ERR_UNSUPPORTED;
+            } catch {
+                return ERR_OPERATION_FAILED;
+            }
+        },
+
+        'crypto.encrypt': (h: number, pp: number, pl: number, dp: number, dl: number): number =>
+            aesOp(cs, ref, true, h, pp, pl, dp, dl),
+        'crypto.decrypt': (h: number, pp: number, pl: number, dp: number, dl: number): number =>
+            aesOp(cs, ref, false, h, pp, pl, dp, dl),
+
+        'crypto.sign': (h: number, pp: number, pl: number, dp: number, dl: number): number =>
+            signOp(cs, ref, h, pp, pl, dp, dl),
+
+        'crypto.verify': (
+            h: number, pp: number, pl: number, sp: number, sl: number, dp: number, dl: number,
+        ): number => verifyOp(cs, ref, h, pp, pl, sp, sl, dp, dl),
+
+        'crypto.derive_bits': (h: number, pp: number, pl: number, lengthBits: number): number =>
+            deriveBitsOp(cs, ref, h, pp, pl, lengthBits),
+    };
+}
+
+function importKey(
+    cs: CryptoState,
+    format: number,
+    alg: number,
+    hash: number,
+    pr: ParamReader,
+    key: Buffer,
+    extractable: boolean,
+): number {
+    const newEntry = (e: Omit<KeyEntry, 'extractable'>): number => {
+        const handle = cs.nextHandle++;
+        cs.keys.set(handle, { ...e, extractable });
+        return handle;
+    };
+
+    try {
+        // Symmetric / MAC / KDF: raw bytes.
+        if (
+            alg === ALG.AES_GCM || alg === ALG.AES_CBC || alg === ALG.AES_CTR ||
+            alg === ALG.AES_KW || alg === ALG.HMAC || alg === ALG.PBKDF2 || alg === ALG.HKDF
+        ) {
+            if (format !== FMT.RAW) return ERR_UNSUPPORTED;
+            return newEntry({ raw: key, keyObject: null, alg, hash, isPrivate: false });
+        }
+
+        // Asymmetric: pkcs8 (private) / spki (public). raw not supported in dev.
+        const isPrivate = format === FMT.PKCS8;
+        if (format === FMT.PKCS8) {
+            const ko = nodeCrypto.createPrivateKey({ key, format: 'der', type: 'pkcs8' });
+            return newEntry({ raw: null, keyObject: ko, alg, hash, isPrivate });
+        }
+        if (format === FMT.SPKI) {
+            const ko = nodeCrypto.createPublicKey({ key, format: 'der', type: 'spki' });
+            return newEntry({ raw: null, keyObject: ko, alg, hash, isPrivate });
+        }
+        return ERR_UNSUPPORTED;
+    } catch {
+        return ERR_INVALID_PARAMS;
+    }
+}
+
+function aesAlgName(keyLen: number, mode: 'gcm' | 'cbc' | 'ctr'): string {
+    const bits = keyLen === 16 ? 128 : keyLen === 32 ? 256 : 0;
+    if (!bits) throw new Error('crypto: bad AES key length');
+    return `aes-${String(bits)}-${mode}`;
+}
+
+function aesOp(
+    cs: CryptoState, ref: MemoryRef, encrypt: boolean,
+    handle: number, pp: number, pl: number, dp: number, dl: number,
+): number {
+    const e = cs.keys.get(handle);
+    if (!e || !e.raw) throw new Error('crypto: invalid AES key handle');
+    const pr = new ParamReader(readBytes(ref, pp, pl));
+    const alg = pr.readI32();
+    pr.readI32(); // hash (unused)
+    const data = readBytes(ref, dp, dl);
+    try {
+        if (alg === ALG.AES_GCM) {
+            const iv = pr.readBlob();
+            const tagBits = pr.readI32();
+            const aad = pr.readBlob();
+            if (tagBits !== 0 && tagBits !== 128) return ERR_INVALID_PARAMS;
+            if (encrypt) {
+                const c = nodeCrypto.createCipheriv(
+                    aesAlgName(e.raw.length, 'gcm'), e.raw, iv,
+                ) as nodeCrypto.CipherGCM;
+                if (aad.length) c.setAAD(aad);
+                const ct = Buffer.concat([c.update(data), c.final()]);
+                return stash(cs, Buffer.concat([ct, c.getAuthTag()]));
+            }
+            // Ciphertext must be at least the 16-byte tag; shorter input can
+            // never authenticate.
+            if (data.length < 16) return ERR_OPERATION_FAILED;
+            const d = nodeCrypto.createDecipheriv(
+                aesAlgName(e.raw.length, 'gcm'), e.raw, iv,
+            ) as nodeCrypto.DecipherGCM;
+            if (aad.length) d.setAAD(aad);
+            const tag = data.subarray(data.length - 16);
+            const ct = data.subarray(0, data.length - 16);
+            d.setAuthTag(tag);
+            return stash(cs, Buffer.concat([d.update(ct), d.final()]));
+        }
+        if (alg === ALG.AES_CBC) {
+            const iv = pr.readBlob();
+            const c = encrypt
+                ? nodeCrypto.createCipheriv(aesAlgName(e.raw.length, 'cbc'), e.raw, iv)
+                : nodeCrypto.createDecipheriv(aesAlgName(e.raw.length, 'cbc'), e.raw, iv);
+            return stash(cs, Buffer.concat([c.update(data), c.final()]));
+        }
+        if (alg === ALG.AES_CTR) {
+            const counter = pr.readBlob();
+            const c = encrypt
+                ? nodeCrypto.createCipheriv(aesAlgName(e.raw.length, 'ctr'), e.raw, counter)
+                : nodeCrypto.createDecipheriv(aesAlgName(e.raw.length, 'ctr'), e.raw, counter);
+            return stash(cs, Buffer.concat([c.update(data), c.final()]));
+        }
+        return ERR_UNSUPPORTED;
+    } catch {
+        return ERR_OPERATION_FAILED;
+    }
+}
+
+function signOp(
+    cs: CryptoState, ref: MemoryRef,
+    handle: number, pp: number, pl: number, dp: number, dl: number,
+): number {
+    const e = cs.keys.get(handle);
+    if (!e) throw new Error('crypto.sign: invalid handle');
+    const pr = new ParamReader(readBytes(ref, pp, pl));
+    const alg = pr.readI32();
+    const hash = pr.readI32();
+    const data = readBytes(ref, dp, dl);
+    try {
+        if (e.alg === ALG.HMAC && e.raw) {
+            return stash(cs, nodeCrypto.createHmac(hashName(e.hash), e.raw).update(data).digest());
+        }
+        if (e.alg === ALG.ECDSA && e.keyObject) {
+            const sig = nodeCrypto.sign(hashName(hash), data, {
+                key: e.keyObject,
+                dsaEncoding: 'ieee-p1363',
+            });
+            return stash(cs, sig);
+        }
+        if (e.alg === ALG.ED25519 && e.keyObject) {
+            return stash(cs, nodeCrypto.sign(null, data, e.keyObject));
+        }
+        void alg;
+        return ERR_UNSUPPORTED;
+    } catch {
+        return ERR_OPERATION_FAILED;
+    }
+}
+
+function verifyOp(
+    cs: CryptoState, ref: MemoryRef,
+    handle: number, pp: number, pl: number, sp: number, sl: number, dp: number, dl: number,
+): number {
+    const e = cs.keys.get(handle);
+    if (!e) throw new Error('crypto.verify: invalid handle');
+    const pr = new ParamReader(readBytes(ref, pp, pl));
+    pr.readI32(); // alg
+    const hash = pr.readI32();
+    const sig = readBytes(ref, sp, sl);
+    const data = readBytes(ref, dp, dl);
+    try {
+        if (e.alg === ALG.HMAC && e.raw) {
+            const mac = nodeCrypto.createHmac(hashName(e.hash), e.raw).update(data).digest();
+            return mac.length === sig.length && nodeCrypto.timingSafeEqual(mac, sig) ? 1 : 0;
+        }
+        if (e.alg === ALG.ECDSA && e.keyObject) {
+            const ok = nodeCrypto.verify(hashName(hash), data, {
+                key: e.keyObject,
+                dsaEncoding: 'ieee-p1363',
+            }, sig);
+            return ok ? 1 : 0;
+        }
+        if (e.alg === ALG.ED25519 && e.keyObject) {
+            return nodeCrypto.verify(null, data, e.keyObject, sig) ? 1 : 0;
+        }
+        return ERR_UNSUPPORTED;
+    } catch {
+        return ERR_GENERIC;
+    }
+}
+
+function deriveBitsOp(
+    cs: CryptoState, ref: MemoryRef,
+    handle: number, pp: number, pl: number, lengthBits: number,
+): number {
+    if (lengthBits < 0 || lengthBits % 8 !== 0) return ERR_INVALID_PARAMS;
+    const outLen = lengthBits / 8;
+    if (outLen > MAX_OUTPUT) return ERR_INVALID_PARAMS;
+    const e = cs.keys.get(handle);
+    if (!e) throw new Error('crypto.derive_bits: invalid handle');
+    const pr = new ParamReader(readBytes(ref, pp, pl));
+    const alg = pr.readI32();
+    const hash = pr.readI32();
+    try {
+        if (alg === ALG.PBKDF2 && e.raw) {
+            const iterations = pr.readU32();
+            const salt = pr.readBlob();
+            return stash(cs, nodeCrypto.pbkdf2Sync(e.raw, salt, iterations, outLen, hashName(hash)));
+        }
+        if (alg === ALG.HKDF && e.raw) {
+            const salt = pr.readBlob();
+            const info = pr.readBlob();
+            const okm = nodeCrypto.hkdfSync(hashName(hash), e.raw, salt, info, outLen);
+            return stash(cs, Buffer.from(okm));
+        }
+        if ((alg === ALG.ECDH || alg === ALG.X25519) && e.keyObject) {
+            const peerHandle = pr.readI32();
+            const peer = cs.keys.get(peerHandle);
+            if (!peer || !peer.keyObject) throw new Error('crypto.derive_bits: invalid peer handle');
+            const shared = nodeCrypto.diffieHellman({
+                privateKey: e.keyObject,
+                publicKey: peer.keyObject,
+            });
+            return stash(cs, Buffer.from(shared.subarray(0, Math.min(outLen, shared.length))));
+        }
+        return ERR_UNSUPPORTED;
+    } catch {
+        return ERR_OPERATION_FAILED;
+    }
+}