typescript-virtual-container 0.1.0 → 1.0.3

package/.github/workflows/create-pull-request.yml

@@ -3,11 +3,10 @@ name: Auto Create Pull Request
 on:
   push:
     branches:
-      - 'dev'
 
 jobs:
   create-pull-request:
-    if: github.ref == 'refs/heads/dev'
+    if: github.ref != 'refs/heads/main'
     runs-on: ubuntu-latest
     steps:
       - name: Validate pull request token
@@ -26,18 +25,21 @@ jobs:
           script: |
             const owner = context.repo.owner;
             const repo = context.repo.repo;
-            const head = `${owner}:dev`;
+            const sourceBranch = context.ref.startsWith('refs/heads/')
+              ? context.ref.slice('refs/heads/'.length)
+              : context.ref;
+            const head = `${owner}:${sourceBranch}`;
             const base = 'main';
 
-            // Check if there are commits between main and dev
+            // Check if there are commits between main and the current branch
             const { data: comparison } = await github.rest.repos.compareCommits({
               owner,
               repo,
               base: 'main',
-              head: 'dev',
+              head: sourceBranch,
             }).catch(err => {
               if (err.status === 404 && err.message.includes('No commits')) {
-                core.info('No commits between main and dev - skipping PR creation');
+                core.info('No commits between main and ' + sourceBranch + ' - skipping PR creation');
                 return { data: { ahead_by: 0 } };
               }
               throw err;
@@ -64,13 +66,13 @@ jobs:
             const { data: pullRequest } = await github.rest.pulls.create({
               owner,
               repo,
-              head: 'dev',
+              head: sourceBranch,
               base,
-              title: 'chore: auto PR from dev to main',
+              title: `chore: auto PR from ${sourceBranch} to main`,
               body: [
                 'This pull request was created automatically by GitHub Actions.',
                 '',
-                `- source branch: \`dev\``,
+                `- source branch: \`${sourceBranch}\``,
                 `- target branch: \`main\``,
                 `- triggered by commit \`${context.sha}\``,
               ].join('\n'),

package/.github/workflows/test-battery.yml

@@ -3,16 +3,13 @@ name: Test battery
 on:
   pull_request:
     branches:
-      - main
-      - dev
 
 permissions:
   contents: read
 
 jobs:
-  typecheck:
+  setup:
     runs-on: ubuntu-latest
-
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -25,12 +22,36 @@ jobs:
       - name: Install dependencies
         run: bun install
 
+      - name: Cache dependencies
+        uses: actions/cache@v3
+        with:
+          path: node_modules
+          key: ${{ runner.os }}-bun-${{ hashFiles('bun.lockb') }}
+
+  typecheck:
+    needs: setup
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v1
+        with:
+          bun-version: latest
+
+      - name: Restore dependencies
+        uses: actions/cache@v3
+        with:
+          path: node_modules
+          key: ${{ runner.os }}-bun-${{ hashFiles('bun.lockb') }}
+
       - name: Run typecheck
         run: bun check
 
   lint:
+    needs: setup
     runs-on: ubuntu-latest
-
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -40,8 +61,11 @@ jobs:
         with:
           bun-version: latest
 
-      - name: Install dependencies
-        run: bun install
+      - name: Restore dependencies
+        uses: actions/cache@v3
+        with:
+          path: node_modules
+          key: ${{ runner.os }}-bun-${{ hashFiles('bun.lockb') }}
 
       - name: Run lint
         run: bun lint
@@ -51,7 +75,6 @@ jobs:
       - typecheck
       - lint
     runs-on: ubuntu-latest
-
     steps:
       - name: Test battery passed
         run: echo "Typecheck, lint and tests succeeded."

package/CHANGELOG.md

@@ -6,6 +6,8 @@ The format is based on Keep a Changelog.
 
 ## [Unreleased]
 
+## [1.0.2] - 2026-04-14
+
 ### Added
 
 - Governance and community files:
@@ -14,6 +16,39 @@ The format is based on Keep a Changelog.
   - SECURITY.md
   - CODE_OF_CONDUCT.md
   - GitHub issue and PR templates
+- Security hardening for virtual auth storage and shell access:
+  - Non-root commands now block access to `/virtual-env-js/.auth/**`.
+  - Auth files are persisted with restrictive modes (`0700` for `.auth`, `0600` for `htpasswd` and `sudoers`).
+  - Root password no longer falls back to a fixed default when `SSH_MIMIC_ROOT_PASSWORD` is unset; startup generates an ephemeral password instead.
+- New environment toggle `SSH_MIMIC_AUTO_SUDO_NEW_USERS` to control whether newly created users are added to sudoers by default.
+- README and security docs now describe the new auth hardening and configuration flags.
+- Added tests covering `.auth` path protection and auto-sudo behavior.
+
+## [1.0.1] - 2026-04-14
+
+### Added
+
+- `ls -l` / `ls --long` support with long listing format (permissions, size, updated time).
+- Host-command mirroring for network tools:
+  - `curl` now runs through host `curl` via `child_process`.
+  - `wget` now runs through host `wget` via `child_process`.
+- Temporary host download flow for `wget` using `/tmp` before import into VFS.
+- Terminal line normalization utility for command help and diagnostics rendering.
+
+### Changed
+
+- `curl` behavior is now aligned with the host binary output and exit codes.
+- `curl -o` writes host command output to the virtual filesystem target path.
+- `wget` writes downloaded payloads to VFS after host-side transfer, preserving command semantics.
+- URL fetch helper now accepts host-only inputs by normalizing missing protocol to `http://`.
+- Auto pull-request GitHub workflow now targets any non-`main` branch instead of only `dev`.
+- Auto PR metadata now uses the dynamic source branch name in PR head/title/body.
+- Test workflow trigger scope was generalized by removing hardcoded branch filters.
+
+### Fixed
+
+- Resolved large horizontal spacing artifacts in SSH terminal output by normalizing TTY line endings (`\r\n`) in both interactive shell and exec paths.
+- Reduced excessive whitespace in help output rendering (`curl --help`, `wget --help`) by normalizing tabs and over-padded spacing.
 
 ## [1.0.0] - 2026-04-14
 

package/README.md

@@ -1040,13 +1040,15 @@ The following commands are available in both SSH shell mode and via `SshClient.e
 ### Environment Variables
 
 - **`SSH_MIMIC_HOSTNAME`**: Override server hostname at startup (default: "typescript-vm")
-- **`SSH_MIMIC_ROOT_PASSWORD`**: Set root password (default: "root")
+- **`SSH_MIMIC_ROOT_PASSWORD`**: Set root password. If unset, a random ephemeral password is generated at startup and logged once.
+- **`SSH_MIMIC_AUTO_SUDO_NEW_USERS`**: Control whether new users are added to sudoers automatically (default: enabled). Set to `0`, `false`, `no`, or `off` to disable.
 
 **Example:**
 
 ```bash
 export SSH_MIMIC_HOSTNAME=production-lab
 export SSH_MIMIC_ROOT_PASSWORD=SecurePass123
+export SSH_MIMIC_AUTO_SUDO_NEW_USERS=false
 npm run start
 ```
 
@@ -1231,6 +1233,8 @@ const ssh = new VirtualMachine({ port: 2222, hostname: "hostname" });
 - Passwords are hashed with `scrypt` in the virtual auth store.
 - Root account is always protected and cannot be deleted.
 - Sudo privileges are explicit and persisted in sudoers data.
+- Protect the root password in production by setting `SSH_MIMIC_ROOT_PASSWORD`; otherwise startup logs a generated ephemeral password.
+- Disable `SSH_MIMIC_AUTO_SUDO_NEW_USERS` when you want newly created users to stay unprivileged by default.
 - This project is not intended to provide kernel-level or process-level isolation.
 
 If you discover a vulnerability, avoid public disclosure in issues and contact maintainers privately first.

package/biome.json

@@ -1,4 +1,11 @@
 {
+    "assist": {
+        "actions": {
+            "source": {
+                "organizeImports": "off"
+            }
+        }
+    },
     "linter": {
         "rules": {
             "suspicious": {
@@ -10,11 +17,5 @@
                 "noNonNullAssertion": "off"
             }
         }
-    },
-    "assist": {
-        "source": {
-            "autoImport": "on",
-            "importModuleSpecifierPreference": "relative"
-        }
     }
 }

package/package.json

@@ -3,7 +3,7 @@
   "description": "In-memory SSH server with virtual filesystem and typed programmatic API",
   "module": "src/index.ts",
   "type": "module",
-  "version": "0.1.0",
+  "version": "1.0.3",
   "license": "MIT",
   "keywords": [
     "ssh",

package/src/SSHMimic/commands/cat.ts

@@ -1,16 +1,17 @@
 import type { ShellModule } from "../../types/commands";
-import { resolveReadablePath } from "./helpers";
+import { assertPathAccess, resolveReadablePath } from "./helpers";
 
 export const catCommand: ShellModule = {
 	name: "cat",
 	params: ["<file>"],
-	run: ({ vfs, cwd, args }) => {
+	run: ({ authUser, vfs, cwd, args }) => {
 		const fileArg = args[0];
 		if (!fileArg) {
 			return { stderr: "cat: missing file operand", exitCode: 1 };
 		}
 
 		const target = resolveReadablePath(vfs, cwd, fileArg);
+		assertPathAccess(authUser, target, "cat");
 		return { stdout: vfs.readFile(target), exitCode: 0 };
 	},
 };

package/src/SSHMimic/commands/cd.ts

@@ -1,11 +1,12 @@
 import type { ShellModule } from "../../types/commands";
-import { resolvePath } from "./helpers";
+import { assertPathAccess, resolvePath } from "./helpers";
 
 export const cdCommand: ShellModule = {
 	name: "cd",
 	params: ["[path]"],
-	run: ({ vfs, cwd, args, mode }) => {
+	run: ({ authUser, vfs, cwd, args, mode }) => {
 		const target = resolvePath(cwd, args[0] ?? "/virtual-env-js");
+		assertPathAccess(authUser, target, "cd");
 		const stats = vfs.stat(target);
 		if (stats.type !== "directory") {
 			return { stderr: `cd: not a directory: ${target}`, exitCode: 1 };

package/src/SSHMimic/commands/curl.ts

@@ -1,27 +1,158 @@
+import { spawn } from "node:child_process";
 import type { ShellModule } from "../../types/commands";
-import { fetchResource, parseOutputPath, resolvePath } from "./helpers";
+import {
+	assertPathAccess,
+	normalizeTerminalOutput,
+	resolvePath,
+} from "./helpers";
+
+function parseCurlOutputPath(args: string[]): {
+	outputPath: string | null;
+	inputArgs: string[];
+} {
+	const filtered: string[] = [];
+	let outputPath: string | null = null;
+
+	for (let index = 0; index < args.length; index += 1) {
+		const arg = args[index]!;
+
+		if (arg === "-o" || arg === "--output") {
+			outputPath = args[index + 1] ?? null;
+			index += 1;
+			continue;
+		}
+
+		if (arg.startsWith("-o=")) {
+			outputPath = arg.slice(3);
+			continue;
+		}
+
+		if (arg.startsWith("--output=")) {
+			outputPath = arg.slice("--output=".length);
+			continue;
+		}
+
+		filtered.push(arg);
+	}
+
+	return { outputPath, inputArgs: filtered };
+}
+
+function runHostCurl(args: string[]): Promise<{
+	stdout: string;
+	stderr: string;
+	exitCode: number;
+}> {
+	return new Promise((resolve) => {
+		let childProcess: ReturnType<typeof spawn>;
+
+		try {
+			childProcess = spawn("curl", args, {
+				stdio: ["ignore", "pipe", "pipe"],
+			});
+		} catch (error) {
+			resolve({
+				stdout: "",
+				stderr: `curl: ${error instanceof Error ? error.message : String(error)}`,
+				exitCode: 1,
+			});
+			return;
+		}
+
+		let stdout = "";
+		let stderr = "";
+		const stdoutStream = childProcess.stdout;
+		const stderrStream = childProcess.stderr;
+
+		if (!stdoutStream || !stderrStream) {
+			resolve({
+				stdout: "",
+				stderr: "curl: failed to capture process output",
+				exitCode: 1,
+			});
+			return;
+		}
+
+		stdoutStream.setEncoding("utf8");
+		stderrStream.setEncoding("utf8");
+
+		stdoutStream.on("data", (chunk: string) => {
+			stdout += chunk;
+		});
+
+		stderrStream.on("data", (chunk: string) => {
+			stderr += chunk;
+		});
+
+		childProcess.on("error", (error) => {
+			const errorCode =
+				error instanceof Error && "code" in error
+					? String((error as NodeJS.ErrnoException).code ?? "")
+					: "";
+			resolve({
+				stdout: "",
+				stderr: `curl: ${error.message}`,
+				exitCode: errorCode === "ENOENT" ? 127 : 1,
+			});
+		});
+
+		childProcess.on("close", (code) => {
+			resolve({
+				stdout,
+				stderr,
+				exitCode: code ?? 1,
+			});
+		});
+	});
+}
 
 export const curlCommand: ShellModule = {
 	name: "curl",
 	params: ["[-o file] <url>"],
-	run: async ({ vfs, cwd, args }) => {
-		const { outputPath, inputArgs } = parseOutputPath(args);
+	run: async ({ authUser, vfs, cwd, args }) => {
+		const { outputPath, inputArgs } = parseCurlOutputPath(args);
 		const url = inputArgs[0];
+		const isHelpLike = inputArgs.some(
+			(arg) =>
+				arg === "-h" || arg === "--help" || arg === "-V" || arg === "--version",
+		);
 
 		if (!url) {
 			return { stderr: "curl: missing URL", exitCode: 1 };
 		}
 
-		const result = await fetchResource(url);
-		if (result.status >= 400) {
-			return { stderr: `curl: HTTP ${result.status}`, exitCode: 22 };
+		const passthroughArgs = outputPath ? [...inputArgs, "-o", "-"] : inputArgs;
+		const result = await runHostCurl(passthroughArgs);
+
+		if (result.exitCode !== 0) {
+			return {
+				stderr: normalizeTerminalOutput(
+					result.stderr || `curl: exited with code ${result.exitCode}`,
+				),
+				exitCode: result.exitCode,
+			};
 		}
 
 		if (outputPath) {
-			vfs.writeFile(resolvePath(cwd, outputPath), result.text);
-			return { exitCode: 0 };
+			const target = resolvePath(cwd, outputPath);
+			assertPathAccess(authUser, target, "curl");
+			vfs.writeFile(target, result.stdout);
+			return {
+				stderr: result.stderr
+					? normalizeTerminalOutput(result.stderr)
+					: undefined,
+				exitCode: 0,
+			};
 		}
 
-		return { stdout: result.text, exitCode: 0 };
+		return {
+			stdout: isHelpLike
+				? normalizeTerminalOutput(result.stdout)
+				: result.stdout,
+			stderr: result.stderr
+				? normalizeTerminalOutput(result.stderr)
+				: undefined,
+			exitCode: 0,
+		};
 	},
 };

package/src/SSHMimic/commands/helpers.ts

@@ -1,6 +1,30 @@
 import * as path from "node:path";
 import type VirtualFileSystem from "../../VirtualFileSystem";
 
+const PROTECTED_PREFIXES = ["/virtual-env-js/.auth"] as const;
+
+function normalizeFetchUrl(input: string): string {
+	if (/^[a-zA-Z][a-zA-Z\d+\-.]*:/.test(input)) {
+		return input;
+	}
+
+	return `http://${input}`;
+}
+
+export function normalizeTerminalOutput(text: string): string {
+	return text
+		.replace(/\r\n/g, "\n")
+		.replace(/\r/g, "\n")
+		.replace(/\t/g, "  ")
+		.split("\n")
+		.map((line) =>
+			line.replace(/^[ \u00A0]{8,}/, "  ").replace(/[ \u00A0]{3,}/g, "  "),
+		)
+		.join("\n")
+		.replace(/\n{3,}/g, "\n\n")
+		.trimEnd();
+}
+
 export function resolvePath(cwd: string, inputPath: string): string {
 	if (!inputPath || inputPath.trim() === "") {
 		return cwd;
@@ -10,6 +34,30 @@ export function resolvePath(cwd: string, inputPath: string): string {
 		: path.posix.normalize(path.posix.join(cwd, inputPath));
 }
 
+function isProtectedPath(targetPath: string): boolean {
+	const normalized = targetPath.startsWith("/")
+		? path.posix.normalize(targetPath)
+		: path.posix.normalize(`/${targetPath}`);
+
+	return PROTECTED_PREFIXES.some(
+		(prefix) => normalized === prefix || normalized.startsWith(`${prefix}/`),
+	);
+}
+
+export function assertPathAccess(
+	authUser: string,
+	targetPath: string,
+	operation: string,
+): void {
+	if (authUser === "root") {
+		return;
+	}
+
+	if (isProtectedPath(targetPath)) {
+		throw new Error(`${operation}: permission denied: ${targetPath}`);
+	}
+}
+
 export function parseOutputPath(args: string[]): {
 	outputPath: string | null;
 	inputArgs: string[];
@@ -56,7 +104,7 @@ export function stripUrlFilename(url: string): string {
 export async function fetchResource(
 	url: string,
 ): Promise<{ text: string; status: number; contentType: string | null }> {
-	const response = await fetch(url);
+	const response = await fetch(normalizeFetchUrl(url));
 	const contentType = response.headers.get("content-type");
 	return {
 		text: await response.text(),

package/src/SSHMimic/commands/ls.ts

@@ -1,14 +1,49 @@
 import type { ShellModule } from "../../types/commands";
-import { joinListWithType, resolvePath } from "./helpers";
+import { assertPathAccess, joinListWithType, resolvePath } from "./helpers";
+
+function formatPermissions(mode: number, isDirectory: boolean): string {
+	const fileType = isDirectory ? "d" : "-";
+	const permissionBits = [
+		[0o400, "r"],
+		[0o200, "w"],
+		[0o100, "x"],
+		[0o040, "r"],
+		[0o020, "w"],
+		[0o010, "x"],
+		[0o004, "r"],
+		[0o002, "w"],
+		[0o001, "x"],
+	] as const;
+	const permissions = permissionBits
+		.map(([bit, symbol]) => (mode & bit ? symbol : "-"))
+		.join("");
+
+	return `${fileType}${permissions}`;
+}
+
+function formatDate(date: Date): string {
+	return date.toISOString().replace("T", " ").slice(0, 16);
+}
 
 export const lsCommand: ShellModule = {
 	name: "ls",
 	params: ["[path]"],
-	run: ({ vfs, cwd, args }) => {
+	run: ({ authUser, vfs, cwd, args }) => {
+		const longFormat = args.includes("-l") || args.includes("--long");
 		const targetArg = args.find((arg) => !arg.startsWith("-"));
 		const target = resolvePath(cwd, targetArg ?? cwd);
+		assertPathAccess(authUser, target, "ls");
 		const items = vfs.list(target).filter((name) => !name.startsWith("."));
-		const rendered = joinListWithType(target, items, (p) => vfs.stat(p));
+		const rendered = longFormat
+			? items
+					.map((name) => {
+						const childPath = resolvePath(target, name);
+						const stat = vfs.stat(childPath);
+						const size = stat.type === "file" ? stat.size : stat.childrenCount;
+						return `${formatPermissions(stat.mode, stat.type === "directory")} 1 ${size} ${formatDate(stat.updatedAt)} ${name}${stat.type === "directory" ? "/" : ""}`;
+					})
+					.join("\n")
+			: joinListWithType(target, items, (p) => vfs.stat(p));
 		return { stdout: rendered, exitCode: 0 };
 	},
 };

package/src/SSHMimic/commands/mkdir.ts

@@ -1,16 +1,18 @@
 import type { ShellModule } from "../../types/commands";
-import { resolvePath } from "./helpers";
+import { assertPathAccess, resolvePath } from "./helpers";
 
 export const mkdirCommand: ShellModule = {
 	name: "mkdir",
 	params: ["<dir>"],
-	run: ({ vfs, cwd, args }) => {
+	run: ({ authUser, vfs, cwd, args }) => {
 		if (args.length === 0) {
 			return { stderr: "mkdir: missing operand", exitCode: 1 };
 		}
 
 		for (const dir of args) {
-			vfs.mkdir(resolvePath(cwd, dir));
+			const target = resolvePath(cwd, dir);
+			assertPathAccess(authUser, target, "mkdir");
+			vfs.mkdir(target);
 		}
 		return { exitCode: 0 };
 	},

package/src/SSHMimic/commands/nano.ts

@@ -1,17 +1,18 @@
 import * as path from "node:path";
 import type { ShellModule } from "../../types/commands";
-import { resolvePath } from "./helpers";
+import { assertPathAccess, resolvePath } from "./helpers";
 
 export const nanoCommand: ShellModule = {
 	name: "nano",
 	params: ["<file>"],
-	run: ({ vfs, cwd, args }) => {
+	run: ({ authUser, vfs, cwd, args }) => {
 		const fileArg = args[0];
 		if (!fileArg) {
 			return { stderr: "nano: missing file operand", exitCode: 1 };
 		}
 
 		const targetPath = resolvePath(cwd, fileArg);
+		assertPathAccess(authUser, targetPath, "nano");
 		const initialContent = vfs.exists(targetPath)
 			? vfs.readFile(targetPath)
 			: "";

package/src/SSHMimic/commands/rm.ts

@@ -1,10 +1,10 @@
 import type { ShellModule } from "../../types/commands";
-import { resolvePath } from "./helpers";
+import { assertPathAccess, resolvePath } from "./helpers";
 
 export const rmCommand: ShellModule = {
 	name: "rm",
 	params: ["[-r|-rf] <path>"],
-	run: ({ vfs, cwd, args }) => {
+	run: ({ authUser, vfs, cwd, args }) => {
 		if (args.length === 0) {
 			return { stderr: "rm: missing operand", exitCode: 1 };
 		}
@@ -18,7 +18,9 @@ export const rmCommand: ShellModule = {
 		}
 
 		for (const target of targets) {
-			vfs.remove(resolvePath(cwd, target), { recursive });
+			const resolvedTarget = resolvePath(cwd, target);
+			assertPathAccess(authUser, resolvedTarget, "rm");
+			vfs.remove(resolvedTarget, { recursive });
 		}
 
 		return { exitCode: 0 };

package/src/SSHMimic/commands/touch.ts

@@ -1,16 +1,17 @@
 import type { ShellModule } from "../../types/commands";
-import { resolvePath } from "./helpers";
+import { assertPathAccess, resolvePath } from "./helpers";
 
 export const touchCommand: ShellModule = {
 	name: "touch",
 	params: ["<file>"],
-	run: ({ vfs, cwd, args }) => {
+	run: ({ authUser, vfs, cwd, args }) => {
 		if (args.length === 0) {
 			return { stderr: "touch: missing file operand", exitCode: 1 };
 		}
 
 		for (const file of args) {
 			const target = resolvePath(cwd, file);
+			assertPathAccess(authUser, target, "touch");
 			if (!vfs.exists(target)) {
 				vfs.writeFile(target, "");
 			}

package/src/SSHMimic/commands/tree.ts

@@ -1,11 +1,12 @@
 import type { ShellModule } from "../../types/commands";
-import { resolvePath } from "./helpers";
+import { assertPathAccess, resolvePath } from "./helpers";
 
 export const treeCommand: ShellModule = {
 	name: "tree",
 	params: ["[path]"],
-	run: ({ vfs, cwd, args }) => {
+	run: ({ authUser, vfs, cwd, args }) => {
 		const target = resolvePath(cwd, args[0] ?? cwd);
+		assertPathAccess(authUser, target, "tree");
 		return { stdout: vfs.tree(target), exitCode: 0 };
 	},
 };

package/src/SSHMimic/commands/wget.ts

@@ -1,33 +1,137 @@
+import { spawn } from "node:child_process";
+import { mkdtemp, readFile, rm } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
 import type { ShellModule } from "../../types/commands";
 import {
-	fetchResource,
+	assertPathAccess,
+	normalizeTerminalOutput,
 	parseOutputPath,
 	resolvePath,
 	stripUrlFilename,
 } from "./helpers";
 
+function runHostWget(args: string[]): Promise<{
+	stdout: string;
+	stderr: string;
+	exitCode: number;
+}> {
+	return new Promise((resolve) => {
+		let childProcess: ReturnType<typeof spawn>;
+
+		try {
+			childProcess = spawn("wget", args, {
+				stdio: ["ignore", "pipe", "pipe"],
+			});
+		} catch (error) {
+			resolve({
+				stdout: "",
+				stderr: `wget: ${error instanceof Error ? error.message : String(error)}`,
+				exitCode: 1,
+			});
+			return;
+		}
+
+		let stdout = "";
+		let stderr = "";
+		const stdoutStream = childProcess.stdout;
+		const stderrStream = childProcess.stderr;
+
+		if (!stdoutStream || !stderrStream) {
+			resolve({
+				stdout: "",
+				stderr: "wget: failed to capture process output",
+				exitCode: 1,
+			});
+			return;
+		}
+
+		stdoutStream.setEncoding("utf8");
+		stderrStream.setEncoding("utf8");
+
+		stdoutStream.on("data", (chunk: string) => {
+			stdout += chunk;
+		});
+
+		stderrStream.on("data", (chunk: string) => {
+			stderr += chunk;
+		});
+
+		childProcess.on("error", (error) => {
+			const errorCode =
+				error instanceof Error && "code" in error
+					? String((error as NodeJS.ErrnoException).code ?? "")
+					: "";
+			resolve({
+				stdout: "",
+				stderr: `wget: ${error.message}`,
+				exitCode: errorCode === "ENOENT" ? 127 : 1,
+			});
+		});
+
+		childProcess.on("close", (code) => {
+			resolve({
+				stdout,
+				stderr,
+				exitCode: code ?? 1,
+			});
+		});
+	});
+}
+
 export const wgetCommand: ShellModule = {
 	name: "wget",
 	params: ["[url]"],
-	run: async ({ vfs, cwd, args }) => {
+	run: async ({ authUser, vfs, cwd, args }) => {
 		const { outputPath, inputArgs } = parseOutputPath(args);
 		const url = inputArgs[0];
+		const isHelpLike = inputArgs.some(
+			(arg) =>
+				arg === "-h" || arg === "--help" || arg === "-V" || arg === "--version",
+		);
 
 		if (!url) {
 			return { stderr: "wget: missing URL", exitCode: 1 };
 		}
 
-		const result = await fetchResource(url);
-		if (result.status >= 400) {
-			return { stderr: `wget: HTTP ${result.status}`, exitCode: 8 };
+		if (isHelpLike) {
+			const result = await runHostWget(inputArgs);
+			return {
+				stdout: normalizeTerminalOutput(result.stdout),
+				stderr: result.stderr
+					? normalizeTerminalOutput(result.stderr)
+					: undefined,
+				exitCode: result.exitCode,
+			};
 		}
 
-		const target = resolvePath(cwd, outputPath ?? stripUrlFilename(url));
-		vfs.writeFile(target, result.text);
+		const tempDir = await mkdtemp(join(tmpdir(), "virtual-env-js-wget-"));
+		const tempFile = join(tempDir, "download");
+
+		try {
+			const hostArgs = [...inputArgs, "-O", tempFile];
+			const result = await runHostWget(hostArgs);
 
-		return {
-			stdout: `saved ${target}`,
-			exitCode: 0,
-		};
+			if (result.exitCode !== 0) {
+				return {
+					stderr: normalizeTerminalOutput(
+						result.stderr || `wget: exited with code ${result.exitCode}`,
+					),
+					exitCode: result.exitCode,
+				};
+			}
+
+			const content = await readFile(tempFile, "utf8");
+			const target = resolvePath(cwd, outputPath ?? stripUrlFilename(url));
+			assertPathAccess(authUser, target, "wget");
+			vfs.writeFile(target, content);
+
+			return {
+				stdout: `saved ${target}`,
+				exitCode: 0,
+			};
+		} finally {
+			await rm(tempDir, { recursive: true, force: true });
+		}
 	},
 };

package/src/SSHMimic/exec.ts

@@ -3,6 +3,13 @@ import type VirtualFileSystem from "../VirtualFileSystem";
 import { runCommand } from "./commands";
 import type { VirtualUserManager } from "./users";
 
+function toTtyLines(text: string): string {
+	return text
+		.replace(/\r\n/g, "\n")
+		.replace(/\r/g, "\n")
+		.replace(/\n/g, "\r\n");
+}
+
 export function runExec(
 	stream: ExecStream,
 	cmd: string,
@@ -23,11 +30,11 @@ export function runExec(
 		),
 	).then((result) => {
 		if (result.stdout) {
-			stream.write(`${result.stdout}\n`);
+			stream.write(`${toTtyLines(result.stdout)}\r\n`);
 		}
 
 		if (result.stderr) {
-			stream.stderr.write(`${result.stderr}\n`);
+			stream.stderr.write(`${toTtyLines(result.stderr)}\r\n`);
 		}
 
 		stream.exit(result.exitCode ?? 0);

package/src/SSHMimic/index.ts

@@ -1,3 +1,4 @@
+import { randomBytes } from "node:crypto";
 import { Server as SshServer } from "ssh2";
 import VirtualFileSystem from "../VirtualFileSystem";
 import { runExec } from "./exec";
@@ -5,6 +6,28 @@ import { loadOrCreateHostKey } from "./hostKey";
 import { startShell } from "./shell";
 import { VirtualUserManager } from "./users";
 
+function resolveRootPassword(): string {
+	const configured = process.env.SSH_MIMIC_ROOT_PASSWORD;
+	if (configured && configured.trim().length > 0) {
+		return configured;
+	}
+
+	const generated = randomBytes(18).toString("base64url");
+	console.warn(
+		`[ssh-mimic] SSH_MIMIC_ROOT_PASSWORD missing; generated ephemeral root password: ${generated}`,
+	);
+	return generated;
+}
+
+function resolveAutoSudoForNewUsers(): boolean {
+	const configured = process.env.SSH_MIMIC_AUTO_SUDO_NEW_USERS;
+	if (!configured) {
+		return true;
+	}
+
+	return !["0", "false", "no", "off"].includes(configured.toLowerCase());
+}
+
 /**
  * SSH server wrapper that exposes virtual shell and exec sessions.
  *
@@ -52,7 +75,8 @@ class SshMimic {
 		await this.vfs.restoreMirror();
 		this.users = new VirtualUserManager(
 			this.vfs,
-			process.env.SSH_MIMIC_ROOT_PASSWORD ?? "root",
+			resolveRootPassword(),
+			resolveAutoSudoForNewUsers(),
 		);
 		await this.users.initialize();
 

package/src/SSHMimic/shell.ts

@@ -33,6 +33,13 @@ interface TerminalSize {
 	rows: number;
 }
 
+function toTtyLines(text: string): string {
+	return text
+		.replace(/\r\n/g, "\n")
+		.replace(/\r/g, "\n")
+		.replace(/\n/g, "\r\n");
+}
+
 export function startShell(
 	stream: ShellStream,
 	authUser: string,
@@ -198,11 +205,11 @@ export function startShell(
 		}
 
 		if (result.stdout) {
-			stream.write(`${result.stdout}\r\n`);
+			stream.write(`${toTtyLines(result.stdout)}\r\n`);
 		}
 
 		if (result.stderr) {
-			stream.write(`${result.stderr}\r\n`);
+			stream.write(`${toTtyLines(result.stderr)}\r\n`);
 		}
 
 		if (result.switchUser) {
@@ -671,11 +678,11 @@ export function startShell(
 					}
 
 					if (result.stdout) {
-						stream.write(`${result.stdout}\r\n`);
+						stream.write(`${toTtyLines(result.stdout)}\r\n`);
 					}
 
 					if (result.stderr) {
-						stream.write(`${result.stderr}\r\n`);
+						stream.write(`${toTtyLines(result.stderr)}\r\n`);
 					}
 
 					if (result.closeSession) {

package/src/SSHMimic/users.ts

@@ -31,6 +31,7 @@ export interface VirtualActiveSession {
 export class VirtualUserManager {
 	private readonly usersPath = "/virtual-env-js/.auth/htpasswd";
 	private readonly sudoersPath = "/virtual-env-js/.auth/sudoers";
+	private readonly authDirPath = "/virtual-env-js/.auth";
 	private readonly users = new Map<string, VirtualUserRecord>();
 	private readonly sudoers = new Set<string>();
 	private readonly activeSessions = new Map<string, VirtualActiveSession>();
@@ -45,6 +46,7 @@ export class VirtualUserManager {
 	constructor(
 		private readonly vfs: VirtualFileSystem,
 		private readonly defaultRootPassword: string = "root",
+		private readonly autoSudoForNewUsers: boolean = true,
 	) {}
 
 	/**
@@ -54,12 +56,7 @@ export class VirtualUserManager {
 		this.loadFromVfs();
 		this.loadSudoersFromVfs();
 
-		if (!this.users.has("root")) {
-			this.users.set(
-				"root",
-				this.createRecord("root", this.defaultRootPassword),
-			);
-		}
+		this.users.set("root", this.createRecord("root", this.defaultRootPassword));
 
 		this.sudoers.add("root");
 
@@ -97,7 +94,9 @@ export class VirtualUserManager {
 		}
 
 		this.users.set(username, this.createRecord(username, password));
-		this.sudoers.add(username);
+		if (this.autoSudoForNewUsers) {
+			this.sudoers.add(username);
+		}
 		const homePath = `/home/${username}`;
 		if (!this.vfs.exists(homePath)) {
 			this.vfs.mkdir(homePath, 0o755);
@@ -290,6 +289,10 @@ export class VirtualUserManager {
 	}
 
 	private async persist(): Promise<void> {
+		if (!this.vfs.exists(this.authDirPath)) {
+			this.vfs.mkdir(this.authDirPath, 0o700);
+		}
+
 		const content = Array.from(this.users.values())
 			.sort((left, right) => left.username.localeCompare(right.username))
 			.map((record) =>
@@ -300,11 +303,13 @@ export class VirtualUserManager {
 		this.vfs.writeFile(
 			this.usersPath,
 			content.length > 0 ? `${content}\n` : "",
+			{ mode: 0o600 },
 		);
 		const sudoersContent = Array.from(this.sudoers.values()).sort().join("\n");
 		this.vfs.writeFile(
 			this.sudoersPath,
 			sudoersContent.length > 0 ? `${sudoersContent}\n` : "",
+			{ mode: 0o600 },
 		);
 		await this.vfs.flushMirror();
 	}
@@ -326,6 +331,10 @@ export class VirtualUserManager {
 		if (!username || username.trim() === "") {
 			throw new Error("invalid username");
 		}
+
+		if (!/^[a-z_][a-z0-9_-]{0,31}$/i.test(username)) {
+			throw new Error("invalid username");
+		}
 	}
 
 	private validatePassword(password: string): void {

package/src/index.ts

@@ -10,7 +10,7 @@ export type {
 	CommandResult,
 	NanoEditorSession,
 	ShellModule,
-	SudoChallenge
+	SudoChallenge,
 } from "./types/commands";
 export type { ExecStream, ShellStream } from "./types/streams";
 export type {
@@ -25,10 +25,12 @@ export type {
 	VfsSnapshotDirectoryNode,
 	VfsSnapshotFileNode,
 	VfsSnapshotNode,
-	WriteFileOptions
+	WriteFileOptions,
 } from "./types/vfs";
 
 export {
-	SshClient, VirtualFileSystem, SshMimic as VirtualMachine, VirtualUserManager
+	SshClient,
+	VirtualFileSystem,
+	SshMimic as VirtualMachine,
+	VirtualUserManager,
 };
-

package/tests/helpers.test.ts

@@ -0,0 +1,22 @@
+import { describe, expect, test } from "bun:test";
+import { assertPathAccess } from "../src/SSHMimic/commands/helpers";
+
+describe("assertPathAccess", () => {
+	test("blocks non-root access to auth store", () => {
+		expect(() =>
+			assertPathAccess("alice", "/virtual-env-js/.auth/htpasswd", "cat"),
+		).toThrow("cat: permission denied: /virtual-env-js/.auth/htpasswd");
+	});
+
+	test("allows root access to auth store", () => {
+		expect(() =>
+			assertPathAccess("root", "/virtual-env-js/.auth/htpasswd", "cat"),
+		).not.toThrow();
+	});
+
+	test("allows non-root access outside protected paths", () => {
+		expect(() =>
+			assertPathAccess("alice", "/home/alice/README.txt", "cat"),
+		).not.toThrow();
+	});
+});

package/tests/users.test.ts

@@ -0,0 +1,41 @@
+import { describe, expect, test } from "bun:test";
+import { mkdtemp, rm } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { VirtualUserManager } from "../src/SSHMimic/users";
+import VirtualFileSystem from "../src/VirtualFileSystem";
+
+async function withTempVfs(
+	run: (vfs: VirtualFileSystem) => Promise<void>,
+): Promise<void> {
+	const tempDir = await mkdtemp(join(tmpdir(), "virtual-env-js-test-"));
+	try {
+		const vfs = new VirtualFileSystem(tempDir);
+		await vfs.restoreMirror();
+		await run(vfs);
+	} finally {
+		await rm(tempDir, { recursive: true, force: true });
+	}
+}
+
+describe("VirtualUserManager auto sudo", () => {
+	test("adds new users to sudoers by default", async () => {
+		await withTempVfs(async (vfs) => {
+			const users = new VirtualUserManager(vfs, "root-pass");
+			await users.initialize();
+			await users.addUser("alice", "alice-pass");
+
+			expect(users.isSudoer("alice")).toBe(true);
+		});
+	});
+
+	test("does not auto-add sudoers when disabled", async () => {
+		await withTempVfs(async (vfs) => {
+			const users = new VirtualUserManager(vfs, "root-pass", false);
+			await users.initialize();
+			await users.addUser("bob", "bob-pass");
+
+			expect(users.isSudoer("bob")).toBe(false);
+		});
+	});
+});

package/tsconfig.json

@@ -26,6 +26,6 @@
     "noUnusedParameters": false,
     "noPropertyAccessFromIndexSignature": false,
 
-    "types": ["node"]
+    "types": ["node", "bun"]
   }
 }