toiljs 0.0.59 → 0.0.61

package/src/devserver/server.ts

@@ -0,0 +1,393 @@
+/**
+ * The toiljs WASM dev server: a uWebSockets.js front (via @dacely/hyper-express,
+ * the same stack as `toiljs/backend`) that dispatches HTTP requests into the
+ * ToilScript-compiled server wasm exactly like the production edge does, and
+ * proxies everything the server does not claim to an internal Vite dev server,
+ * so dev keeps 100% of Vite's behavior (HMR, transforms, toolbar endpoints,
+ * public assets, SPA fallback).
+ *
+ * Request flow:
+ *
+ *   browser ── uWS :port ──► wasm `handle()` (fresh instance, envelope ABI)
+ *                 │                │
+ *                 │                └─ "unhandled" marker (no route matched)
+ *                 ▼                                   │
+ *           Vite dev server (loopback) ◄──────────────┘
+ *
+ * Dev intentionally skips the edge's metering, gas, pooling and snapshot-reset
+ * machinery; the ABI (envelope layout, `handle(ofs, len) -> i64`, host import
+ * surface, trap isolation) is identical so a server that runs here runs there.
+ */
+
+import fs from 'node:fs';
+import path from 'node:path';
+
+import { type Request, type Response, Server } from '@dacely/hyper-express';
+import pc from 'picocolors';
+
+import type { EmailBackendConfig } from 'toiljs/shared';
+
+import { DaemonHost, daemonEmulationEnabled } from './daemon/index.js';
+import type { ResolvedDaemonConfig } from './daemon/host.js';
+import { configureDbPersistence } from './db/index.js';
+import { initEmailService } from './email/index.js';
+import { applyCacheRule, lookupCache } from './http/cache.js';
+import { type EnvelopeRequest, METHOD_CODES } from './http/envelope.js';
+import { proxyToVite, type ViteTarget, wireWebsocketProxy } from './http/proxy.js';
+import { WasmServerModule } from './runtime/module.js';
+import {
+    assembleSsr,
+    buildSsrRoutes,
+    type DevSsrTemplate,
+    pathnameOf,
+    type SsrResult,
+} from './ssr.js';
+
+const DEFAULT_MAX_BODY_LENGTH = 1024 * 1024 * 8;
+
+/**
+ * Paths that are Vite's own by construction; skipping the wasm round-trip for
+ * them keeps the hot path of module serving untouched. Everything else is
+ * offered to the server first (it answers or yields via the unhandled marker).
+ */
+const VITE_PREFIXES = ['/@', '/node_modules/', '/__toil/'];
+
+/** Minimal type map for `respond_file` bodies when the guest set no content-type. */
+const MIME: Readonly<Record<string, string>> = {
+    '.html': 'text/html; charset=utf-8',
+    '.js': 'text/javascript; charset=utf-8',
+    '.mjs': 'text/javascript; charset=utf-8',
+    '.css': 'text/css; charset=utf-8',
+    '.json': 'application/json; charset=utf-8',
+    '.txt': 'text/plain; charset=utf-8',
+    '.svg': 'image/svg+xml',
+    '.png': 'image/png',
+    '.jpg': 'image/jpeg',
+    '.jpeg': 'image/jpeg',
+    '.webp': 'image/webp',
+    '.avif': 'image/avif',
+    '.gif': 'image/gif',
+    '.ico': 'image/x-icon',
+    '.wasm': 'application/wasm',
+    '.woff2': 'font/woff2',
+};
+
+/** Options for {@link startDevServer}. */
+export interface DevServerOptions {
+    /** Project root; `respond_file` paths resolve against it (and may not escape it). */
+    readonly root: string;
+    /** Public listening port (the one the browser opens). */
+    readonly port: number;
+    /** Bind host. Default `127.0.0.1`. */
+    readonly host?: string;
+    /** Absolute path to the ToilScript server wasm (toilconfig `targets.release.outFile`). */
+    readonly wasmFile: string;
+    /**
+     * Absolute path to the cold daemon artifact (`release-cold.wasm`). When present and the cold
+     * artifact declares a daemon surface, the dev daemon emulator drives its `@scheduled` tasks
+     * (per `nodeMode`). Omit for a project with no `@daemon` (the file is never built).
+     */
+    readonly coldWasmFile?: string;
+    /** Which layer the dev process emulates (gates the daemon emulator). Default `all`. */
+    readonly nodeMode?: string;
+    /** Daemon (L4) config mirror (drives the dev scheduler's budgets/caps). */
+    readonly daemon?: ResolvedDaemonConfig;
+    /** The internal Vite dev server to proxy unclaimed traffic to. */
+    readonly vite: ViteTarget;
+    /** Max request body bytes. Default 8 MB. */
+    readonly maxBodyLength?: number;
+    /**
+     * The `toil.config.ts` `server.email` section (non-secret). When set (and the
+     * API key is in `.env.secrets`), `EmailService.send` really sends in dev;
+     * otherwise it stays a log-only mock. See `./email`.
+     */
+    readonly email?: EmailBackendConfig;
+    /**
+     * Edge-SSR templates (one per `ssr = true` route), extracted at dev startup
+     * against the live dev shell. When a GET/HEAD matches a route the dev server
+     * runs the guest `render`, splices the values, and serves the SSR HTML (same
+     * path as the prod edge). Omit / empty for a project with no SSR route.
+     */
+    readonly ssrTemplates?: readonly DevSsrTemplate[];
+}
+
+/** A running dev server. */
+export interface RunningDevServer {
+    readonly port: number;
+    readonly host: string;
+    /** Gracefully shuts the front server down (the Vite server is owned by the caller). */
+    close(): Promise<void>;
+}
+
+/** True for requests that belong to Vite by construction (never offered to the wasm). */
+function isViteInternal(url: string): boolean {
+    return VITE_PREFIXES.some((p) => url.startsWith(p));
+}
+
+/** Resolves a guest `respond_file` path inside `root`, refusing traversal outside it. */
+function resolveSendfile(root: string, file: string): string | null {
+    const resolved = path.resolve(root, file);
+    if (resolved !== root && !resolved.startsWith(root + path.sep)) return null;
+    if (!fs.existsSync(resolved) || !fs.statSync(resolved).isFile()) return null;
+    return resolved;
+}
+
+/** Builds the envelope request for one incoming HTTP request. */
+async function toEnvelopeRequest(request: Request): Promise<EnvelopeRequest> {
+    const hasBody = request.method !== 'GET' && request.method !== 'HEAD';
+    const body = hasBody ? new Uint8Array(await request.buffer()) : new Uint8Array(0);
+    // Dev parity for `client_ip`: the edge keys on the unspoofable socket peer,
+    // but the dev server has no DPDK socket, so best-effort from a proxy's
+    // `x-forwarded-for`, else localhost, so `ctx.clientIp()` returns a value.
+    const xff = request.headers['x-forwarded-for'];
+    const clientIp =
+        typeof xff === 'string' && xff.length > 0 ? xff.split(',')[0]!.trim() : '127.0.0.1';
+    return {
+        method: request.method,
+        // `url` keeps the query string; the guest's RouteContext parses it off the path.
+        path: request.url,
+        headers: Object.entries(request.headers),
+        body,
+        clientIp,
+    };
+}
+
+/** Sends a shaped wasm response, mirroring the edge's response defaults. */
+function sendWasmResponse(
+    response: Response,
+    root: string,
+    result: {
+        status: number;
+        headers: readonly (readonly [string, string])[];
+        body: Uint8Array;
+        sendfile: string | null;
+    },
+): void {
+    response.status(result.status);
+    let hasContentType = false;
+    for (const [name, value] of result.headers) {
+        if (name.toLowerCase() === 'content-type') hasContentType = true;
+        response.header(name, value);
+    }
+    response.header('server', 'toil-dev');
+
+    if (result.sendfile !== null) {
+        const file = resolveSendfile(root, result.sendfile);
+        if (file === null) {
+            response.status(404).send('not found\n');
+            return;
+        }
+        if (!hasContentType) {
+            // The edge defaults file bodies to application/octet-stream; in dev we
+            // guess from the extension so a guest-served asset renders in the browser.
+            response.header(
+                'content-type',
+                MIME[path.extname(file).toLowerCase()] ?? 'application/octet-stream',
+            );
+        }
+        response.sendFile(file);
+        return;
+    }
+
+    if (!hasContentType) response.header('content-type', 'text/plain; charset=utf-8');
+    response.send(Buffer.from(result.body.buffer, result.body.byteOffset, result.body.length));
+}
+
+/** Sends a spliced edge-SSR response (the full server-rendered HTML document). */
+function sendSsr(response: Response, out: SsrResult, headOnly: boolean): void {
+    response.status(out.status);
+    let hasContentType = false;
+    for (const [name, value] of out.headers) {
+        if (name.toLowerCase() === 'content-type') hasContentType = true;
+        response.header(name, value);
+    }
+    if (!hasContentType) response.header('content-type', 'text/html; charset=utf-8');
+    response.header('server', 'toil-dev');
+    if (headOnly) {
+        response.send('');
+        return;
+    }
+    response.send(Buffer.from(out.html.buffer, out.html.byteOffset, out.html.length));
+}
+
+/**
+ * Starts the front server. The caller owns the Vite dev server (start it on a
+ * loopback port first) and the toilscript rebuild watcher; this watches only
+ * the wasm artifact and hot-swaps the compiled module when it changes.
+ */
+export async function startDevServer(options: DevServerOptions): Promise<RunningDevServer> {
+    const host = options.host ?? '127.0.0.1';
+    const root = path.resolve(options.root);
+
+    // Wire the email service from toil.config `server.email` + `.env.secrets`
+    // (TOIL_EMAIL_*). Configured -> real sends; otherwise the import stays a
+    // log-only mock. A partial-but-invalid config logs why it stayed off.
+    const emailInit = initEmailService(root, options.email);
+    if (emailInit.service !== null) {
+        process.stdout.write(pc.dim(`  ✉ email enabled: ${emailInit.note}`) + '\n');
+    } else if (emailInit.note !== null) {
+        process.stdout.write(pc.yellow('  ! ') + pc.dim(`email off: ${emailInit.note}`) + '\n');
+    }
+
+    const module = new WasmServerModule(options.wasmFile);
+
+    // Edge-SSR routes (extracted against the live dev shell at startup). When a
+    // GET/HEAD matches one, the dev server runs the guest `render`, splices the
+    // values into the template, and serves the SSR HTML (prod-edge parity).
+    const ssrRoutes = buildSsrRoutes(options.ssrTemplates ?? []);
+    if (ssrRoutes.length > 0) {
+        process.stdout.write(
+            pc.dim(`  edge SSR: ${String(ssrRoutes.length)} route(s) served server-side`) + '\n',
+        );
+    }
+
+    // Persist dev DB data under the project's .toil/ so records, events, and their
+    // schema_versions survive restarts (delete .toil/devdata.json to reset). Only
+    // the running dev server persists; tests that construct WasmServerModule
+    // directly stay purely in-memory.
+    configureDbPersistence(path.join(root, '.toil', 'devdata.json'));
+
+    let warnedMissing = false;
+    let loadedOnce = false;
+    const refresh = (): void => {
+        try {
+            if (module.refresh() && loadedOnce) {
+                process.stdout.write(pc.green('  ✓ ') + pc.dim('server module reloaded') + '\n');
+            }
+            loadedOnce ||= module.available;
+        } catch (e) {
+            process.stdout.write(pc.red(`  ✗ server wasm failed to load: ${String(e)}`) + '\n');
+        }
+        if (!module.available && !warnedMissing) {
+            warnedMissing = true;
+            process.stdout.write(
+                pc.yellow('  ! ') +
+                    pc.dim(`server wasm not found at ${options.wasmFile}; serving client only`) +
+                    '\n',
+            );
+        }
+    };
+    refresh();
+
+    const app = new Server({
+        max_body_length: options.maxBodyLength ?? DEFAULT_MAX_BODY_LENGTH,
+        max_body_buffer: 1024 * 32,
+        fast_abort: true,
+    });
+
+    app.set_error_handler((_request: Request, response: Response, error: Error) => {
+        if (response.completed) return;
+        response.atomic(() => {
+            response.status(500).send(`internal error: ${error.message}\n`);
+        });
+    });
+
+    wireWebsocketProxy(app, options.vite);
+
+    // Dev DAEMON (L4) emulation: load `release-cold.wasm` once, run `daemon_start()`, and drive
+    // its `@scheduled` tasks. Only when `nodeMode` is daemon/all and a cold artifact path is given;
+    // the host stays idle until the cold artifact appears (a `@daemon` build). It has no request to
+    // hang a refresh off, so it polls its own mtime-watch on a low-frequency timer (section 9.3).
+    const nodeMode = options.nodeMode ?? 'all';
+    let daemonHost: DaemonHost | null = null;
+    let daemonTimer: NodeJS.Timeout | null = null;
+    if (options.coldWasmFile !== undefined && daemonEmulationEnabled(nodeMode) && options.daemon) {
+        daemonHost = new DaemonHost(options.coldWasmFile, options.daemon, nodeMode);
+        const pollDaemon = (): void => {
+            try {
+                daemonHost?.refresh();
+            } catch (e) {
+                process.stdout.write(pc.red(`  ✗ daemon reload failed: ${String(e)}`) + '\n');
+            }
+        };
+        pollDaemon();
+        daemonTimer = setInterval(pollDaemon, 500);
+        daemonTimer.unref?.();
+    }
+
+    app.any('/*', async (request: Request, response: Response) => {
+        response.removeHeader('uWebSockets');
+
+        const dispatchable =
+            !isViteInternal(request.url) && METHOD_CODES[request.method] !== undefined;
+        if (dispatchable) refresh();
+
+        if (dispatchable && module.available) {
+            const envelopeReq = await toEnvelopeRequest(request);
+            // Honor the tenant cache directive locally, same rules as the
+            // edge: serve an identical request from the per-process cache,
+            // else dispatch and apply/strip the directive on the response.
+            const cacheHost = request.headers.host ?? 'dev';
+            const hasAuth =
+                request.headers.cookie !== undefined || request.headers.authorization !== undefined;
+            const cached = lookupCache(cacheHost, request.method, request.url, envelopeReq.body);
+            if (cached !== null) {
+                sendWasmResponse(response, root, cached);
+                return;
+            }
+            try {
+                const result = module.dispatch(envelopeReq);
+                if (!result.unhandled) {
+                    const finalized = applyCacheRule(
+                        cacheHost,
+                        request.method,
+                        request.url,
+                        envelopeReq.body,
+                        hasAuth,
+                        result,
+                    );
+                    sendWasmResponse(response, root, finalized);
+                    return;
+                }
+            } catch (e) {
+                // A trap (ToilScript abort, OOB, malformed envelope) is isolated to
+                // this request, exactly like the edge poisoning one instance.
+                process.stdout.write(
+                    pc.red(`  ✗ ${request.method} ${request.path} server error: ${String(e)}`) +
+                        '\n',
+                );
+                response.status(500).send('internal error\n');
+                return;
+            }
+
+            // Edge SSR: handle() did not claim this path; if it matches an
+            // `ssr = true` route, run the guest `render`, splice the values, and
+            // serve the server-rendered HTML. A fail-safe envelope (no renderer
+            // matched / malformed) returns null, so we fall through to Vite (the
+            // route then client-renders, same as before).
+            if (
+                (request.method === 'GET' || request.method === 'HEAD') &&
+                ssrRoutes.length > 0
+            ) {
+                const route = ssrRoutes.find((r) => r.test(pathnameOf(request.url)));
+                if (route) {
+                    try {
+                        const out = assembleSsr(route, module.dispatchRender(envelopeReq));
+                        if (out !== null) {
+                            sendSsr(response, out, request.method === 'HEAD');
+                            return;
+                        }
+                    } catch (e) {
+                        process.stdout.write(
+                            pc.red(`  ✗ SSR ${request.path}: ${String(e)}`) + '\n',
+                        );
+                    }
+                }
+            }
+        }
+
+        await proxyToVite(request, response, options.vite);
+    });
+
+    await app.listen(options.port, host);
+
+    return {
+        port: options.port,
+        host,
+        close: async (): Promise<void> => {
+            if (daemonTimer !== null) clearInterval(daemonTimer);
+            daemonHost?.close();
+            await app.shutdown();
+        },
+    };
+}

package/src/devserver/ssr.ts

@@ -0,0 +1,166 @@
+/**
+ * Dev-server edge SSR: splice the guest `render` values into a route's
+ * template-with-holes and serve real server-rendered HTML, mirroring the
+ * production edge (`toil-backend/src/host/template/assemble.rs`).
+ *
+ * The templates are extracted once at dev startup against the LIVE (Vite-
+ * transformed) dev shell (see `compiler/template-build.ts extractDevSsrTemplates`)
+ * so the served markup boots the dev client and hydrates in place. At request
+ * time the dev server runs the real `render` export (`WasmServerModule.
+ * dispatchRender`), this module decodes the values envelope and splices each
+ * value at its manifest-fixed offset. The hash-coherence guard the prod edge
+ * enforces is skipped in dev: the guest and the template are built together
+ * here, so there is no deploy skew to catch — only fail-safe envelopes (status
+ * >= 500 or no slots) fall back to client rendering.
+ */
+
+/** One SSR route's spliceable template + its slot insertion points. */
+export interface DevSsrTemplate {
+    pattern: string;
+    name: string;
+    tmpl: Uint8Array;
+    entries: { id: number; offset: number }[];
+}
+
+/** A matchable SSR route. */
+export interface SsrRoute {
+    /** Matches a request pathname (no query) to this route's template. */
+    test: (pathname: string) => boolean;
+    tmpl: Uint8Array;
+    entries: { id: number; offset: number }[];
+}
+
+/** The pathname of a request URL (strip the query string). */
+export function pathnameOf(url: string): string {
+    const q = url.indexOf('?');
+    return q < 0 ? url : url.slice(0, q);
+}
+
+/** Compile a route pattern (`/hello`, `/u/:name`, `/blog/[id]`, `/files/[...path]`,
+ * `/*`) to a pathname matcher. Dynamic segments match one path segment; catch-all
+ * (`[...x]` / `*`) matches the rest. Trailing slashes are ignored. */
+function patternToTest(pattern: string): (pathname: string) => boolean {
+    const norm = (p: string): string => (p.length > 1 && p.endsWith('/') ? p.slice(0, -1) : p);
+    let re = '';
+    // Tokenise into literal runs and dynamic/catch-all holes.
+    let i = 0;
+    while (i < pattern.length) {
+        const ch = pattern[i];
+        if (ch === ':') {
+            // `:name` — one segment.
+            i++;
+            while (i < pattern.length && /[A-Za-z0-9_]/.test(pattern[i])) i++;
+            re += '[^/]+';
+        } else if (ch === '*') {
+            re += '.*';
+            i++;
+        } else if (ch === '[') {
+            const end = pattern.indexOf(']', i);
+            const inner = end < 0 ? '' : pattern.slice(i + 1, end);
+            re += inner.startsWith('...') ? '.*' : '[^/]+';
+            i = end < 0 ? pattern.length : end + 1;
+        } else {
+            // Literal char, regex-escaped.
+            re += ch.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+            i++;
+        }
+    }
+    const compiled = new RegExp(`^${re}$`);
+    return (pathname: string): boolean => compiled.test(norm(pathname));
+}
+
+/** Build matchable SSR routes from the extracted dev templates. */
+export function buildSsrRoutes(templates: readonly DevSsrTemplate[]): SsrRoute[] {
+    return templates.map((t) => ({ test: patternToTest(t.pattern), tmpl: t.tmpl, entries: t.entries }));
+}
+
+/** A decoded guest values envelope. */
+interface DecodedValues {
+    status: number;
+    headers: [string, string][];
+    /** Slot value bytes keyed by numeric slot id. */
+    values: Map<number, Uint8Array>;
+}
+
+/** Decode the guest values envelope (mirrors the prod host `decode_values`). All
+ * fields little-endian, no padding. Returns null on a malformed/short buffer. */
+function decodeValues(buf: Uint8Array): DecodedValues | null {
+    const dv = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
+    let o = 0;
+    const need = (n: number): boolean => o + n <= buf.byteLength;
+    try {
+        if (!need(2 + 32 + 2)) return null;
+        const status = dv.getUint16(o, true);
+        o += 2;
+        o += 32; // template hash (coherence is built together in dev; not checked)
+        const nHeaders = dv.getUint16(o, true);
+        o += 2;
+        const headers: [string, string][] = [];
+        const dec = new TextDecoder();
+        for (let i = 0; i < nHeaders; i++) {
+            if (!need(4)) return null;
+            const nameLen = dv.getUint16(o, true);
+            const valLen = dv.getUint16(o + 2, true);
+            o += 4;
+            if (!need(nameLen + valLen)) return null;
+            const name = dec.decode(buf.subarray(o, o + nameLen));
+            o += nameLen;
+            const val = dec.decode(buf.subarray(o, o + valLen));
+            o += valLen;
+            headers.push([name, val]);
+        }
+        if (!need(2)) return null;
+        const nSlots = dv.getUint16(o, true);
+        o += 2;
+        const values = new Map<number, Uint8Array>();
+        for (let i = 0; i < nSlots; i++) {
+            if (!need(2 + 1 + 4)) return null;
+            const id = dv.getUint16(o, true);
+            o += 2;
+            o += 1; // kind (the splice is kind-agnostic; the guest pre-escaped/stamped)
+            const len = dv.getUint32(o, true);
+            o += 4;
+            if (!need(len)) return null;
+            values.set(id, buf.subarray(o, o + len));
+            o += len;
+        }
+        return { status, headers, values };
+    } catch {
+        return null;
+    }
+}
+
+/** Splice ascending-offset inserts into the template (mirrors the host `assemble`). */
+function splice(tmpl: Uint8Array, inserts: { offset: number; value: Uint8Array }[]): Uint8Array {
+    const parts: Uint8Array[] = [];
+    let prev = 0;
+    for (const ins of inserts) {
+        if (ins.offset > prev) parts.push(tmpl.subarray(prev, ins.offset));
+        if (ins.value.length > 0) parts.push(ins.value);
+        prev = ins.offset;
+    }
+    if (tmpl.length > prev) parts.push(tmpl.subarray(prev));
+    return Buffer.concat(parts.map((p) => Buffer.from(p.buffer, p.byteOffset, p.byteLength)));
+}
+
+/** A spliced SSR response. */
+export interface SsrResult {
+    status: number;
+    headers: [string, string][];
+    html: Uint8Array;
+}
+
+/**
+ * Decode the guest envelope and splice it into `route`'s template. Returns null
+ * to fall back to client rendering: a fail-safe envelope (status >= 500, e.g. no
+ * renderer matched), no slots, or a decode error.
+ */
+export function assembleSsr(route: SsrRoute, envelope: Uint8Array): SsrResult | null {
+    const decoded = decodeValues(envelope);
+    if (decoded === null) return null;
+    if (decoded.status >= 500 || decoded.values.size === 0) return null;
+    const inserts = route.entries
+        .map((e) => ({ offset: e.offset, value: decoded.values.get(e.id) ?? new Uint8Array(0) }))
+        .sort((a, b) => a.offset - b.offset);
+    return { status: decoded.status, headers: decoded.headers, html: splice(route.tmpl, inserts) };
+}

package/src/devserver/wasm/sections.ts

@@ -0,0 +1,59 @@
+/**
+ * Shared, bounds-checked wasm custom-section walker. Factored out of
+ * `db/catalog.ts` so the three Toil section parsers (`toildb.catalog`,
+ * `toilstream.catalog`, `toildaemon.catalog`, `toil.surface`) share ONE
+ * magic-skipping loop instead of drifting copies.
+ *
+ * Every input is a tenant-built, possibly mid-rebuild wasm, so the walker must
+ * never read past the buffer: a truncated/garbage section table returns `null`
+ * (treated by callers as "no section"). Mirrors the host-side walker
+ * (`toil-backend` custom-section reader) and the toilscript-side test walker.
+ */
+
+/** Read a LEB128 from `buf` at `pos`; throws on overrun so a truncated module
+ *  can never over-read (the caller catches and treats it as "no section"). */
+export function leb(buf: Buffer, pos: number): [number, number] {
+    let result = 0;
+    let shift = 0;
+    let p = pos;
+    for (;;) {
+        if (p >= buf.length) throw new RangeError('leb128 past end of buffer');
+        const b = buf[p++];
+        result |= (b & 0x7f) << shift;
+        if ((b & 0x80) === 0) break;
+        shift += 7;
+        if (shift > 35) throw new RangeError('leb128 too long');
+    }
+    return [result >>> 0, p];
+}
+
+/** The bytes of the named wasm custom section, or `null` if absent. Bounds-checked
+ *  so a truncated/garbage module can never read past the buffer. */
+export function customSection(wasm: Buffer, want: string): Buffer | null {
+    if (
+        wasm.length < 8 ||
+        wasm[0] !== 0x00 ||
+        wasm[1] !== 0x61 ||
+        wasm[2] !== 0x73 ||
+        wasm[3] !== 0x6d
+    )
+        return null;
+    let pos = 8; // skip the 8-byte magic + version header
+    while (pos < wasm.length) {
+        const id = wasm[pos++];
+        let size: number;
+        [size, pos] = leb(wasm, pos);
+        const end = pos + size;
+        if (end > wasm.length || end < pos) return null; // truncated section table
+        if (id === 0) {
+            const [nameLen, namePos] = leb(wasm, pos);
+            if (
+                namePos + nameLen <= end &&
+                wasm.toString('latin1', namePos, namePos + nameLen) === want
+            )
+                return wasm.subarray(namePos + nameLen, end);
+        }
+        pos = end;
+    }
+    return null;
+}