typescript-virtual-container 1.2.3 → 1.2.5

package/README.md

@@ -1,6 +1,6 @@
 # `typescript-virtual-container`
 
-> Scalable SSH/SFTP server with a virtual filesystem and typed programmatic API for testing, automation, and interactive shell scripting in TypeScript/JavaScript.
+> Pure in-memory SSH/SFTP server with a virtual filesystem and typed programmatic API for testing, automation, honeypots, and interactive shell scripting in TypeScript/JavaScript.
 
 [![npm version](https://badge.fury.io/js/typescript-virtual-container.svg)](https://www.npmjs.com/package/typescript-virtual-container)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
@@ -17,6 +17,14 @@
 - [Quick Start](#quick-start)
 - [Architecture Overview](#architecture-overview)
 - [API Reference](#api-reference)
+  - [VirtualSshServer](#virtualsshserver)
+  - [VirtualSftpServer](#virtualsftpserver)
+  - [VirtualShell](#virtualshell)
+  - [VirtualFileSystem](#virtualfilesystem)
+  - [VirtualUserManager](#virtualusermanager)
+  - [HoneyPot](#honeypot)
+  - [SshClient](#sshclient-programmatic-api)
+  - [Key Types](#key-types)
 - [Usage Examples](#usage-examples)
 - [Built-in Commands](#built-in-commands)
 - [Configuration](#configuration)
@@ -24,7 +32,6 @@
 - [Types & TypeScript](#types--typescript)
 - [FAQ](#faq)
 - [Troubleshooting](#troubleshooting)
-- [Migration Guide](#migration-guide)
 - [Contributing](#contributing)
 - [Security](#security)
 - [Support](#support)
@@ -32,43 +39,55 @@
 - [Roadmap](#roadmap)
 - [Changelog](#changelog)
 
+---
+
 ## Overview
 
 `typescript-virtual-container` is a lightweight, fully-typed SSH/SFTP runtime written in TypeScript that provides:
 
+- **Pure in-memory filesystem**: No disk I/O at runtime. All state lives in a fast recursive in-memory tree. Use JSON snapshots for optional persistence.
 - **SSH + SFTP Protocol Support**: Serve SSH shell/exec sessions and SFTP file operations on configurable ports.
-- **Virtual Filesystem**: Fast developer workflow backed by a mirror directory under `.vfs/mirror`, with optional gzip compression and programmatic access.
-- **User Management**: Create, authenticate, and manage virtual users with strict password hashing (scrypt) and sudo-like privilege elevation.
+- **Password & public-key authentication**: Register SSH public keys per user alongside (or instead of) password auth.
+- **Rate limiting / brute-force protection**: Configurable per-IP lockout after N failed auth attempts.
+- **User Management**: Create, authenticate, and manage virtual users with scrypt password hashing, sudo-like privilege elevation, and optional per-user disk quotas.
 - **Programmatic Shell API**: Execute shell commands and query filesystem state directly from TypeScript without SSH overhead.
 - **Event-Driven Architecture**: All core classes extend `EventEmitter` for lifecycle and operation tracking. Listen to auth events, filesystem operations, session lifecycle, and command execution for auditing and integration.
 - **Security Auditing**: Built-in `HoneyPot` utility for comprehensive activity logging, event tracking, statistics collection, and anomaly detection across all components.
-- **Built-in Commands**: `ls`, `cd`, `pwd`, `cat`, `mkdir`, `touch`, `rm`, `tree`, `whoami`, `hostname`, `who`, `sudo`, `su`, `adduser`, `deluser`, `nano` (text editor), `curl`, `wget`, and a growing set of additional commands. Not everything is implemented yet, and shell compatibility is still being expanded.
+- **40+ Built-in Commands**: `ls`, `cd`, `cat`, `cp`, `mv`, `ln`, `find`, `grep`, `wc`, `head`, `tail`, `chmod`, `mkdir`, `touch`, `rm`, `tree`, `nano`, `curl`, `wget`, `sudo`, `su`, `adduser`, `deluser`, and more. Shell compatibility is still being expanded.
 - **Full TypeScript Support**: Complete JSDoc coverage, exported types, and first-class async/await for all operations.
 
+---
+
 ## What This Is / What This Is Not
 
 ### What This Is
 
-- A virtual shell runtime written in TypeScript.
-- A virtual environment with its own virtual filesystem, user management, and command runtime.
+- A virtual shell runtime written in TypeScript with a **pure in-memory filesystem**.
+- A virtual environment with its own filesystem, user management, and command runtime.
 - A practical tool for deterministic testing, automation pipelines, and SSH-like workflows without running real containers.
+- A honeypot framework for capturing and auditing attacker behavior.
 
 ### What This Is Not
 
 - Not a fully isolated container runtime.
-- Not a security sandbox.
+- Not a security sandbox — the VFS does not sandbox host filesystem access by spawned child processes (e.g. `wget`, `curl` delegate to the host binary).
 - Not a kernel-level isolation boundary (unlike Docker/VM-based isolation).
 
 This project emulates shell behavior for developer workflows. It is designed for realism and productivity, not hard security isolation.
 
+---
+
 ## Why This Package
 
 This package is designed for teams that need a realistic SSH-like runtime without spinning up real containers or VMs.
 
-- **Deterministic test environments**: Repeatable state for CI pipelines and integration tests.
+- **Zero disk footprint by default**: The VFS operates entirely in memory. Opt into JSON snapshot persistence when you need it.
+- **Deterministic test environments**: Repeatable state for CI pipelines and integration tests. Build a fixture snapshot once, hydrate for each test.
 - **Low operational overhead**: No Docker daemon, no kernel namespaces, no privileged setup.
 - **Fast feedback loops**: Programmatic API for command execution and filesystem assertions.
-- **Developer-friendly internals**: Typed APIs, clear boundaries, and composable building blocks.
+- **Developer-friendly internals**: Typed APIs, clear boundaries, composable building blocks, and full JSDoc.
+
+---
 
 ## Installation
 
@@ -86,12 +105,23 @@ bun add typescript-virtual-container
 
 ```bash
 git clone https://github.com/itsrealfortune/typescript-virtual-container/
-cd virtual-env-js
+cd typescript-virtual-container
 bun install
-bun format  # Format code per Biome
-bun check   # Lint and typecheck
+bun format   # Format code per Biome
+bun check    # Lint and typecheck
+bun run build
 ```
 
+### Standalone (zero install)
+
+To quickly try a standalone demo:
+
+```bash
+curl -s https://raw.githubusercontent.com/itsrealfortune/typescript-virtual-container/refs/heads/main/standalone.js -o standalone.js && node standalone.js && rm -f standalone.js
+```
+
+---
+
 ## Compatibility
 
 - **Node.js**: Recommended `>=18`
@@ -101,6 +131,8 @@ bun check   # Lint and typecheck
 
 The virtual filesystem and shell behavior are intentionally portable and do not depend on host-specific POSIX syscalls.
 
+---
+
 ## Quick Start
 
 ### Running an SSH Server
@@ -108,23 +140,21 @@ The virtual filesystem and shell behavior are intentionally portable and do not
 ```typescript
 import { VirtualSshServer } from "typescript-virtual-container";
 
-// Create server on port 2222
-const ssh = new VirtualSshServer({ 
-	port: 2222, 
-	hostname: "my-container" 
+const ssh = new VirtualSshServer({
+  port: 2222,
+  hostname: "my-container",
 });
 
-// Start server
 await ssh.start();
 console.log("SSH server listening on :2222");
 
-// Connect externally via SSH
-// ssh root@localhost -p 2222  (password: "root")
+// Connect externally:
+// ssh root@localhost -p 2222
+// root has no password by default — login is allowed without verification.
 
-// Graceful shutdown
 process.on("SIGTERM", () => {
-	ssh.stop();
-	process.exit(0);
+  ssh.stop();
+  process.exit(0);
 });
 ```
 
@@ -135,17 +165,8 @@ import { VirtualSftpServer, VirtualShell, VirtualSshServer } from "typescript-vi
 
 const shell = new VirtualShell("my-container");
 
-const ssh = new VirtualSshServer({
-	port: 2222,
-	hostname: "my-container",
-	shell,
-});
-
-const sftp = new VirtualSftpServer({
-	port: 2223,
-	hostname: "my-container",
-	shell,
-});
+const ssh  = new VirtualSshServer({ port: 2222, hostname: "my-container", shell });
+const sftp = new VirtualSftpServer({ port: 2223, hostname: "my-container", shell });
 
 await ssh.start();
 await sftp.start();
@@ -156,18 +177,16 @@ console.log("SSH on :2222, SFTP on :2223");
 ### Using the Programmatic Client API
 
 ```typescript
-import { VirtualSshServer, SshClient, VirtualShell } from "typescript-virtual-container";
+import { SshClient, VirtualShell, VirtualSshServer } from "typescript-virtual-container";
 
 const shell = new VirtualShell("typescript-vm");
-const ssh = new VirtualSshServer({ port: 2222, shell });
+const ssh   = new VirtualSshServer({ port: 2222, shell });
 await ssh.start();
 
-// Create authenticated client for specific user
 const client = new SshClient(shell, "root");
 
-// Execute commands programmatically
 const list = await client.ls("/home");
-console.log("stdout:", list.stdout);  // Directory listing
+console.log("stdout:", list.stdout);
 
 const result = await client.pwd();
 console.log("Current dir:", result.stdout);
@@ -183,109 +202,100 @@ await client.writeFile("output.txt", "Hello, World!");
 ssh.stop();
 ```
 
-## Architecture Overview
-
-<!-- ### Core Components
+---
 
-```
-┌─────────────────────────────────────────────┐
-│       SSH Server (SshMimic)                 │
-│  Listens on :port, handles auth & sessions │
-└──────────────┬──────────────────────────────┘
-							 │
-			 ┌───────┴────────┬──────────────┐
-			 │                │              │
-┌──────┴──────┐  ┌─────┴─────┐  ┌────┴─────┐
-│ VirtualFileSystem   │ VirtualUserManager  │  Command Runtime
-│ In-mem FS w/ persist      │ Auth & Sudoers    │  Shell/Exec Mode
-└──────────────┘  └──────────┘  └──────────┘
-			 ▲
-│              Backed by disk
-│              .vfs/mirror
-└──────────────────────────────────┘
-``` -->
+## Architecture Overview
 
 ### Execution Modes
 
-1. **SSH Shell Mode**: Interactive terminal session over SSH with readline, prompt, TTY resizing.
-2. **SSH Exec Mode**: Non-interactive command execution (e.g., `ssh user@host "ls -la"`).
+1. **SSH Shell Mode**: Interactive terminal session over SSH with readline, prompt, history, TTY resizing.
+2. **SSH Exec Mode**: Non-interactive command execution (e.g. `ssh user@host "ls -la"`).
 3. **SFTP Mode**: Remote file operations (`readdir`, `stat`, `readFile`, `writeFile`, `mkdir`, `rename`, etc.) with home-directory confinement.
-4. **Programmatic Mode**: Direct TypeScript API via `SshClient`, no SSH protocol overhead.
-
-### Persistence
-
-- Filesystem state is stored under `.vfs/mirror` inside the configured `basePath`
-- Users/passwords stored in virtual paths `/virtual-env-js/.auth/htpasswd` and `/virtual-env-js/.auth/sudoers`
-- `restoreMirror()` and `flushMirror()` are lightweight compatibility hooks for initialization boundaries
+4. **Programmatic Mode**: Direct TypeScript API via `SshClient` — no SSH protocol overhead.
+
+```
+┌──────────────────────────────────────────────────────────────────────────┐
+│  SshMimic (VirtualSshServer)             SftpMimic (VirtualSftpServer)  │
+│  password auth · publickey auth          SFTP protocol handlers          │
+│  per-IP rate limiting / lockout          home-dir confinement            │
+└─────────────────────────┬────────────────────────────────────────────────┘
+                          │
+               ┌──────────▼──────────┐
+               │    VirtualShell     │
+               │  pipeline parser    │
+               │  command executor   │
+               │  session manager    │
+               └──┬──────────────┬───┘
+                  │              │
+     ┌────────────▼───┐    ┌─────▼───────────────┐
+     │VirtualFileSystem│   │ VirtualUserManager   │
+     │ in-memory tree  │   │ scrypt · sudoers     │
+     │ gzip · symlinks │   │ publickey auth       │
+     │ snapshot I/O    │   │ quotas · sessions    │
+     │ mode:memory|fs  │   └─────────────────────-┘
+     └─────────────────┘
+                  │
+     ┌────────────▼────────────┐
+     │        HoneyPot         │
+     │ audit log · stats       │
+     │ anomaly detection       │
+     └─────────────────────────┘
+```
 
 ---
 
 ## API Reference
 
-### SshMimic (SSH Server)
+### `VirtualSshServer`
 
-Main SSH server class, exported as `VirtualSshServer` in the package entrypoint. It wires the virtual shell runtime into ssh2 sessions and manages authentication/session handlers.
+Main SSH server class. Wires the virtual shell runtime into `ssh2` sessions and manages authentication and session handlers.
 
 #### Constructor
 
 ```typescript
-new SshMimic(options: {
-	port: number;           // TCP port to bind on localhost
-	hostname?: string;      // Virtual hostname (default: "typescript-vm")
-	shell?: VirtualShell;   // Optional preconfigured shell instance
+new VirtualSshServer({
+  port: number;               // TCP port to bind
+  hostname?: string;          // Virtual hostname (default: "typescript-vm")
+  shell?: VirtualShell;       // Optional shared shell instance (share state with SFTP)
+  maxAuthAttempts?: number;   // Max failed auth per IP before lockout (default: 5)
+  lockoutDurationMs?: number; // Lockout duration in ms (default: 60_000)
 })
 ```
 
-- `hostname` controls the SSH ident label and the default hostname used by a generated shell.
-- If `shell` is omitted, the server creates `new VirtualShell(hostname)` for you.
+If `shell` is omitted, the server creates `new VirtualShell(hostname)` internally.
 
 **Example:**
 
 ```typescript
-const virtualShell = new VirtualShell("my-lab", {
-	kernel: "1.0.0+itsrealfortune+1-amd64",
-	os: "Fortune GNU/Linux x64",
-	arch: "x86_64",
-}, "./data");
-const ssh = new SshMimic({
-	port: 2222,
-	hostname: "my-lab",
-	shell: virtualShell
+const shell = new VirtualShell("my-lab", {
+  kernel: "1.0.0+itsrealfortune+1-amd64",
+  os: "Fortune GNU/Linux x64",
+  arch: "x86_64",
 });
-```
-
-#### Methods
 
-##### `async start(): Promise<number>`
-
-Initializes virtual filesystem, user manager, and starts listening for SSH connections.
-
-- **Returns**: Bound port number
-- **Throws**: Error if port not available or initialization fails
-
-```typescript
-const port = await ssh.start();
-console.log(`Listening on ${port}`);
+const ssh = new VirtualSshServer({ port: 2222, hostname: "my-lab", shell });
 ```
 
-##### `stop(): void`
+#### Methods
 
-Cleanly closes server and all active connections.
-
-```typescript
-ssh.stop();
-```
+| Method | Description |
+|--------|-------------|
+| `start(): Promise<number>` | Initialize VFS, users, start listening. Returns bound port. |
+| `stop(): void` | Gracefully close server and all active connections. |
+| `clearLockout(ip: string): void` | Manually lift a rate-limit lockout for an IP. |
+| `getVfs(): VirtualFileSystem \| null` | Access VFS instance (null before start). |
+| `getUsers(): VirtualUserManager \| null` | Access user manager (null before start). |
+| `getHostname(): string` | Returns configured hostname. |
 
 #### Events
 
-`SshMimic` extends `EventEmitter` and emits the following events:
-
 | Event | Data | Description |
 |-------|------|-------------|
 | `start` | `{ port: number }` | Server started and listening |
 | `stop` | — | Server stopped |
-| `auth:success` | `{ username: string; remoteAddress: string }` | User authenticated |
-| `auth:failure` | `{ username: string; remoteAddress: string }` | Auth failed for user |
+| `auth:success` | `{ username, remoteAddress, method? }` | User authenticated |
+| `auth:failure` | `{ username, remoteAddress, reason?, method? }` | Auth failed |
+| `auth:lockout` | `{ ip, until: Date }` | IP locked out after too many failures |
 | `client:connect` | — | New SSH client connected |
 | `client:disconnect` | `{ user: string }` | SSH client disconnected |
 
@@ -293,925 +303,557 @@ ssh.stop();
 
 ```typescript
 ssh.on("auth:success", ({ username, remoteAddress }) => {
-	console.log(`[SSH] User ${username} authenticated from ${remoteAddress}`);
+  console.log(`[SSH] ${username} authenticated from ${remoteAddress}`);
 });
 
-ssh.on("auth:failure", ({ username }) => {
-	console.log(`[SSH] Auth failed for user ${username}`);
+ssh.on("auth:lockout", ({ ip, until }) => {
+  console.warn(`[SSH] ${ip} locked until ${until}`);
 });
 ```
 
-##### `getVfs(): VirtualFileSystem | null`
-
-Returns the virtual filesystem instance. Null if server not started.
-
-```typescript
-const vfs = ssh.getVfs();
-if (vfs) {
-	const content = vfs.readFile("/etc/hosts");
-}
-```
-
-##### `getUsers(): VirtualUserManager | null`
-
-Returns the user manager instance. Null if server not started.
-
-```typescript
-const users = ssh.getUsers();
-const sessions = users.listActiveSessions();
-```
-
-##### `getHostname(): string`
-
-Returns configured server hostname.
-
-```typescript
-console.log(`Server name: ${ssh.getHostname()}`);
-```
-
 ---
 
-### SftpMimic (SFTP Server)
+### `VirtualSftpServer`
 
-SFTP server class, exported as `VirtualSftpServer` in the package entrypoint. It can run with a shared `VirtualShell` (recommended) or with explicit `vfs + users` dependencies.
+SFTP server class. Can share a `VirtualShell` with `VirtualSshServer` (recommended) or accept explicit `vfs` + `users` dependencies.
 
 #### Constructor
 
 ```typescript
-new SftpMimic(options: {
-	port: number;
-	hostname?: string;
-	shell?: VirtualShell;
-	vfs?: VirtualFileSystem;
-	users?: VirtualUserManager;
+new VirtualSftpServer({
+  port: number;
+  hostname?: string;
+  shell?: VirtualShell;          // share state with SSH server
+  vfs?: VirtualFileSystem;       // explicit if no shell
+  users?: VirtualUserManager;    // explicit if no shell
 })
 ```
 
-- If `shell` is provided, SFTP reuses the same users/filesystem state as SSH.
-- If `shell` is omitted, pass `vfs` and `users` explicitly.
-
 #### Methods
 
-##### `async start(): Promise<number>`
-
-Starts the SFTP server and returns the bound port (useful with `port: 0`).
-
-```typescript
-const sftp = new SftpMimic({ port: 0, shell });
-const boundPort = await sftp.start();
-console.log(`SFTP listening on ${boundPort}`);
-```
-
-##### `stop(): void`
-
-Stops the SFTP server.
-
-```typescript
-sftp.stop();
-```
+| Method | Description |
+|--------|-------------|
+| `start(): Promise<number>` | Start SFTP server, returns bound port. |
+| `stop(): void` | Stop SFTP server. |
 
 #### Behavior Notes
 
 - Supports `password` and `keyboard-interactive` authentication.
 - Resolves relative SFTP paths from `/home/<user>`.
-- Confines all SFTP operations to `/home/<user>` and blocks traversal attempts outside the user home.
+- Confines all SFTP operations to `/home/<user>` — blocks traversal attempts.
 - Unsupported operations (`READLINK`, `SYMLINK`) return `OP_UNSUPPORTED`.
 
 #### Events
 
-`SftpMimic` extends `EventEmitter` and emits the following events:
-
-| Event | Data | Description |
-|-------|------|-------------|
-| `start` | `{ port: number }` | SFTP server started and listening |
-| `stop` | — | SFTP server stopped |
-| `auth:success` | `{ username: string; remoteAddress: string }` | User authenticated for SFTP |
-| `auth:failure` | `{ username: string; remoteAddress: string }` | SFTP auth failed for user |
-| `client:connect` | — | New SFTP client connected |
-| `client:disconnect` | `{ user: string }` | SFTP client disconnected |
-
-**Example:**
-
-```typescript
-sftp.on("auth:success", ({ username }) => {
-	console.log(`[SFTP] User ${username} authenticated`);
-});
-```
-
----
-
-### SshClient (Programmatic Shell API)
-
-Execute shell commands against a `VirtualShell` instance without SSH overhead. Maintains connection state (current working directory) across calls.
-
-#### Constructor
-
-```typescript
-new SshClient(shell: VirtualShell, username: string)
-```
-
-- **shell**: Parent virtual shell instance
-- **username**: User to authenticate as (no password required)
-
-**Example:**
-
-```typescript
-const shell = new VirtualShell("typescript-vm");
-const client = new SshClient(shell, "alice");
-```
-
-#### Methods
-
-##### `async exec(command: string): Promise<CommandResult>`
-
-Raw command execution. Returns structured output.
-
-```typescript
-const result = await client.exec("echo hello && exit 42");
-console.log(result.stdout);      // "hello"
-console.log(result.exitCode);    // 42
-```
-
-##### `async ls(path?: string): Promise<CommandResult>`
-
-Lists directory contents. Defaults to current directory.
-
-```typescript
-const result = await client.ls("/tmp");
-// result.stdout contains formatted listing
-```
-
-##### `async pwd(): Promise<CommandResult>`
-
-Prints current working directory.
-
-```typescript
-const result = await client.pwd();
-console.log("cwd:", result.stdout);  // "/home/alice"
-```
-
-##### `async cd(path: string): Promise<CommandResult>`
-
-Changes working directory. Updates internal state on success.
-
-```typescript
-const result = await client.cd("/var/log");
-// Internal cwd now "/var/log"
-
-const result2 = await client.ls();  // Listed from /var/log
-```
-
-##### `async cat(path: string): Promise<CommandResult>`
-
-Reads file content via command.
-
-```typescript
-const result = await client.cat("/etc/hostname");
-console.log(result.stdout);
-```
-
-##### `async mkdir(path: string, recursive?: boolean): Promise<CommandResult>`
-
-Creates directory. Set `recursive=true` for `-p` flag.
-
-```typescript
-await client.mkdir("/tmp/nested/dirs", true);
-```
-
-##### `async touch(path: string): Promise<CommandResult>`
-
-Creates empty file.
-
-```typescript
-await client.touch("/tmp/marker.txt");
-```
-
-##### `async rm(path: string, recursive?: boolean): Promise<CommandResult>`
-
-Removes file or directory. Set `recursive=true` for `-r` flag.
-
-```typescript
-await client.rm("/tmp/old", true);  // rm -r /tmp/old
-```
-
-##### `async readFile(path: string): Promise<CommandResult>`
-
-Reads file content directly from VFS (programmatic, no shell).
-
-```typescript
-const result = await client.readFile("/etc/hostname");
-console.log(result.stdout);  // File content
-if (result.exitCode !== 0) console.error(result.stderr);
-```
-
-##### `async writeFile(path: string, content: string): Promise<CommandResult>`
-
-Writes file content directly to VFS (programmatic, no shell).
-
-```typescript
-await client.writeFile("/tmp/config.txt", "port=8080\nhost=localhost");
-```
-
-##### `async tree(path?: string): Promise<CommandResult>`
-
-Renders ASCII directory tree.
-
-```typescript
-const result = await client.tree("/home");
-console.log(result.stdout);
-```
-
-##### `async whoami(): Promise<CommandResult>`
-
-Shows authenticated user.
-
-```typescript
-const result = await client.whoami();
-console.log(result.stdout);  // "alice" (or user passed to constructor)
-```
-
-##### `async hostname(): Promise<CommandResult>`
-
-Shows server hostname.
-
-```typescript
-const result = await client.hostname();
-```
-
-##### `async who(): Promise<CommandResult>`
-
-Lists active user sessions.
-
-```typescript
-const result = await client.who();
-console.log(result.stdout);  // Active sessions
-```
-
-##### `getCwd(): string`
-
-Returns current working directory (local state, no I/O).
-
-```typescript
-await client.cd("/tmp");
-console.log(client.getCwd());  // "/tmp"
-```
-
-##### `getUsername(): string`
-
-Returns authenticated username (local state, no I/O).
-
-```typescript
-console.log(client.getUsername());  // Username from constructor
-```
-
----
-
-### VirtualShell
-
-Encapsulates shell execution primitives used by the SSH runtime for command dispatch, interactive sessions, and the programmatic client.
-
-#### ShellProperties
-
-```typescript
-interface ShellProperties {
-	kernel: string;
-	os: "Fortune GNU/Linux x64";
-	arch: "x86_64";
-}
-
-const defaultShellProperties: ShellProperties;
-```
-
-- `kernel` is displayed in shell/system information output.
-- `os` and `arch` are fixed labels used by the shell runtime.
-
-#### Constructor
-
-```typescript
-new VirtualShell(
-	hostname: string,
-	properties?: ShellProperties,
-	basePath?: string,
-)
-```
-
-- **hostname**: Hostname injected into command context and prompt behavior.
-- **properties**: Optional shell metadata. Defaults to `defaultShellProperties`.
-- **basePath**: Optional directory used to resolve `.vfs/mirror` and auth storage (defaults to `.`).
-
-**Example:**
-
-```typescript
-const shell = new VirtualShell("typescript-vm", {
-	kernel: "1.0.0+itsrealfortune+1-amd64",
-	os: "Fortune GNU/Linux x64",
-	arch: "x86_64",
-}, "./data");
-```
-
-#### Methods
-
-##### `addCommand(name: string, params: string[], callback: (ctx: CommandContext) => CommandResult | Promise<CommandResult>): void`
-
-Registers a custom command at runtime.
-
-```typescript
-shell.addCommand("hello", [], () => ({ stdout: "hello", exitCode: 0 }));
-```
-
-##### `executeCommand(rawInput: string, authUser: string, cwd: string): void`
-
-Runs one command input in shell mode for a given user and working directory.
-
-```typescript
-shell.executeCommand("ls -la", "root", "/home/root");
-```
-
-##### `startInteractiveSession(stream: ShellStream, authUser: string, sessionId: string | null, remoteAddress: string, terminalSize: { cols: number; rows: number }): void`
-
-Starts an interactive shell session over a shell stream.
-
-```typescript
-shell.startInteractiveSession(
-	stream,
-	"root",
-	sessionId,
-	"127.0.0.1",
-	{ cols: 120, rows: 30 },
-);
-```
-
-#### Events
-
-`VirtualShell` extends `EventEmitter` and emits the following events:
-
-| Event | Data | Description |
-|-------|------|-------------|
-| `initialized` | — | Shell initialization complete |
-| `command` | `{ command: string; user: string; cwd: string }` | Command executed |
-| `session:start` | `{ user: string; sessionId: string \| null; remoteAddress: string }` | Interactive session started |
-
-**Example:**
-
-```typescript
-shell.on("command", ({ command, user, cwd }) => {
-	console.log(`[SHELL] User ${user} executed: ${command} (cwd: ${cwd})`);
-});
-
-shell.on("session:start", ({ user, remoteAddress }) => {
-	console.log(`[SHELL] Session started for ${user} from ${remoteAddress}`);
-});
-```
-
----
-
-### VirtualFileSystem
-
-Virtual filesystem abstraction backed by a mirror directory on disk, with optional gzip compression per file.
-
-#### Constructor
-
-```typescript
-new VirtualFileSystem(baseDir?: string)
-```
-
-- **baseDir**: Directory used for the `.vfs/mirror` root (default: current working directory)
-
-```typescript
-const vfs = new VirtualFileSystem("./container-data");
-// Mirror root at ./container-data/.vfs/mirror
-```
-
-#### Methods
-
-#### Events
-
-`VirtualFileSystem` extends `EventEmitter` and emits the following events:
-
-| Event | Data | Description |
-|-------|------|-------------|
-| `file:read` | `{ path: string; size: number }` | File read |
-| `file:write` | `{ path: string; size: number }` | File written |
-| `dir:create` | `{ path: string; mode: number }` | Directory created |
-| `mirror:flush` | — | Mirror persisted to disk |
-
-**Example:**
-
-```typescript
-vfs.on("file:write", ({ path, size }) => {
-	console.log(`[VFS] File written: ${path} (${size} bytes)`);
-});
-
-vfs.on("dir:create", ({ path, mode }) => {
-	console.log(`[VFS] Directory created: ${path} (mode: ${mode.toString(8)})`);
-});
-```
-
-##### `async restoreMirror(): Promise<void>`
-
-Ensures mirror directory structure exists and is ready for operations.
-
-```typescript
-await vfs.restoreMirror();
-```
-
-##### `async flushMirror(): Promise<void>`
-
-Compatibility hook to finalize mirror boundary operations.
-
-```typescript
-// After file modifications...
-await vfs.flushMirror();
-```
-
-##### `mkdir(path: string, mode?: number): void`
-
-Creates directory and any missing parents. Throws if parent is a file.
-
-```typescript
-vfs.mkdir("/home/user/.ssh", 0o700);
-```
-
-##### `writeFile(path: string, content: string | Buffer, options?: WriteFileOptions): void`
-
-Writes file content. Creates parent directories if missing.
-
-- **options.mode**: POSIX file mode (default: 0o644)
-- **options.compress**: Store as gzip (default: false)
-
-```typescript
-vfs.writeFile("/etc/app.conf", "debug=true\n", { compress: true });
-```
-
-##### `readFile(path: string): string`
-
-Reads file as UTF-8 string. Transparently decompresses if needed.
-
-```typescript
-const content = vfs.readFile("/etc/app.conf");
-```
-
-##### `exists(path: string): boolean`
-
-Checks node existence (file or directory).
-
-```typescript
-if (!vfs.exists("/var/log")) {
-	vfs.mkdir("/var/log");
-}
-```
-
-##### `stat(path: string): VfsNodeStats`
-
-Returns metadata (type, size, dates, mode, etc.).
-
-```typescript
-const stats = vfs.stat("/etc/hostname");
-if (stats.type === "file") {
-	console.log(`File size: ${stats.size} bytes`);
-}
-```
-
-##### `list(dirPath?: string): string[]`
-
-Lists child names in directory (sorted). Throws if path not a directory.
-
-```typescript
-const files = vfs.list("/home");
-// ["alice", "bob", "root"]
-```
-
-##### `tree(dirPath?: string): string`
-
-Renders ASCII tree view of directory hierarchy.
-
-```typescript
-console.log(vfs.tree("/home"));
-```
-
-##### `chmod(path: string, mode: number): void`
-
-Updates file/dir permissions.
-
-```typescript
-vfs.chmod("/tmp/script.sh", 0o755);
-```
-
-##### `remove(path: string, options?: RemoveOptions): void`
-
-Removes file or directory. Throws if directory not empty unless `recursive: true`.
-
-```typescript
-vfs.remove("/tmp/old", { recursive: true });
-```
-
-##### `move(fromPath: string, toPath: string): void`
-
-Renames or moves node. Throws if destination exists.
-
-```typescript
-vfs.move("/var/tmp", "/var/backup");
-```
-
-##### `compressFile(path: string): void`
-
-Gzip-compresses file content and marks as compressed.
-
-```typescript
-vfs.compressFile("/var/log/app.log");
-```
-
-##### `decompressFile(path: string): void`
-
-Decompresses file content (inverse of `compressFile`).
-
-```typescript
-vfs.decompressFile("/var/log/app.log");
-```
-
-**Example:**
-
-```typescript
-vfs.on("file:write", ({ path, size }) => {
-	console.log(`[VFS] File written: ${path} (${size} bytes)`);
-});
-
-vfs.on("dir:create", ({ path, mode }) => {
-	console.log(`[VFS] Directory created: ${path} (mode: ${mode.toString(8)})`);
-});
-```
+| Event | Data | Description |
+|-------|------|-------------|
+| `start` | `{ port: number }` | SFTP server started |
+| `stop` | — | SFTP server stopped |
+| `auth:success` | `{ username, remoteAddress }` | User authenticated |
+| `auth:failure` | `{ username, remoteAddress }` | Auth failed |
+| `client:connect` | — | New SFTP client connected |
+| `client:disconnect` | `{ user: string }` | SFTP client disconnected |
 
 ---
 
-### VirtualUserManager
+### `VirtualShell`
 
-User authentication, password hashing (scrypt), sudo privilege management, and session tracking.
+Coordinates the virtual filesystem, user manager, and command runtime. Used by both SSH servers and the programmatic `SshClient`.
 
 #### Constructor
 
 ```typescript
-new VirtualUserManager(vfs: VirtualFileSystem, defaultRootPassword?: string, autoSudoForNewUsers?: boolean)
+new VirtualShell(
+  hostname: string,
+  properties?: ShellProperties,
+  vfsOptions?: VfsOptions,
+)
 ```
 
-- **vfs**: Virtual filesystem (for auth data persistence)
-- **defaultRootPassword**: Root password used when root is created (default: "root")
-- **autoSudoForNewUsers**: When true, new users are added to sudoers automatically (default: `true` unless `SSH_MIMIC_AUTO_SUDO_NEW_USERS` disables it)
+- **hostname**: Injected into command context and prompt.
+- **properties**: Optional shell metadata shown in `uname`-like output. Defaults to `defaultShellProperties`.
+- **vfsOptions**: Optional VFS persistence options — see [VirtualFileSystem](#virtualfilesystem).
 
 ```typescript
-const users = new VirtualUserManager(vfs, "SecureRootPass123");
+interface ShellProperties {
+  kernel: string;  // e.g. "1.0.0+itsrealfortune+1-amd64"
+  os: string;      // e.g. "Fortune GNU/Linux x64"
+  arch: string;    // e.g. "x86_64"
+}
 ```
 
-#### Methods
-
-##### `async initialize(): Promise<void>`
-
-Loads users/sudoers from disk, ensures root exists, and initializes sessions.
+**Example:**
 
 ```typescript
-await users.initialize();
+const shell = new VirtualShell("typescript-vm", {
+  kernel: "1.0.0+itsrealfortune+1-amd64",
+  os: "Fortune GNU/Linux x64",
+  arch: "x86_64",
+}, {
+  mode: "fs",
+  snapshotPath: "./data",
+});
 ```
 
-##### `verifyPassword(username: string, password: string): boolean`
-
-Checks plaintext password against hashed record.
-
-```typescript
-if (users.verifyPassword("alice", "password123")) {
-	console.log("Auth OK");
-}
-```
+#### Methods
 
-##### `async addUser(username: string, password: string): Promise<void>`
+| Method | Description |
+|--------|-------------|
+| `ensureInitialized(): Promise<void>` | Await this before using the shell programmatically. |
+| `addCommand(name, params, callback)` | Register a custom shell command. |
+| `executeCommand(rawInput, authUser, cwd)` | Run a raw command string. |
+| `startInteractiveSession(stream, authUser, sessionId, remoteAddress, terminalSize)` | Start an SSH interactive session. |
+| `writeFileAsUser(authUser, path, content)` | Write a file with quota enforcement. |
+| `getVfs(): VirtualFileSystem \| null` | Access the VFS instance. |
+| `getUsers(): VirtualUserManager \| null` | Access the user manager. |
+| `getHostname(): string` | Returns the configured hostname. |
 
-Creates new user with home directory.
+**Custom command example:**
 
 ```typescript
-await users.addUser("bob", "bob_password");
-// ~/bob created, added to sudoers
+shell.addCommand("greet", ["[name]"], ({ args, authUser }) => {
+  const name = args[0] ?? authUser;
+  return { stdout: `Hello, ${name}!`, exitCode: 0 };
+});
+// Inside the shell: greet world → Hello, world!
 ```
 
-##### `async deleteUser(username: string): Promise<void>`
+#### Events
 
-Removes user. Cannot delete root.
+| Event | Data | Description |
+|-------|------|-------------|
+| `initialized` | — | Shell initialization complete |
+| `command` | `{ command, user, cwd }` | A command was executed |
+| `session:start` | `{ user, sessionId, remoteAddress }` | Interactive session started |
 
-```typescript
-await users.deleteUser("bob");
-```
+---
 
-##### `isSudoer(username: string): boolean`
+### `VirtualFileSystem`
 
-Checks sudo access.
+Pure in-memory virtual filesystem. All state lives in a recursive `Map`-based tree — no host filesystem access at runtime.
 
+Two persistence modes are available via the `VfsOptions` constructor argument:
 
 ```typescript
-if (users.isSudoer("alice")) {
-	console.log("alice can use sudo");
-}
-```
-
-##### `async addSudoer(username: string): Promise<void>`
-
-Grants sudo privileges to user.
+// Default — pure in-memory, zero disk I/O
+const vfs = new VirtualFileSystem();
+const vfs = new VirtualFileSystem({ mode: "memory" });
 
-```typescript
-await users.addSudoer("charlie");
+// FS mode — JSON snapshot auto-saved to disk on flushMirror()
+const vfs = new VirtualFileSystem({
+  mode: "fs",
+  snapshotPath: "./data",  // writes ./data/vfs-snapshot.json
+});
+await vfs.restoreMirror(); // load from disk (silent no-op if no file yet)
+// ... use vfs ...
+await vfs.flushMirror();   // persist to disk
 ```
 
-##### `async removeSudoer(username: string): Promise<void>`
+Both modes expose exactly the same API. The tree always lives in memory; `"fs"` mode adds a JSON round-trip on `restoreMirror` / `flushMirror`.
 
-Revokes sudo privileges. Cannot remove root.
+#### Constructor
 
 ```typescript
-await users.removeSudoer("charlie");
+interface VfsOptions {
+  mode?: "memory" | "fs";  // default: "memory"
+  snapshotPath?: string;   // required when mode is "fs"
+}
+
+new VirtualFileSystem(options?: VfsOptions)
 ```
 
-##### `async setQuotaBytes(username: string, maxBytes: number): Promise<void>`
+#### Methods
 
-Sets an optional per-user quota (bytes) for writes under `/home/<username>`.
+| Method | Description |
+|--------|-------------|
+| `mkdir(path, mode?)` | Create directory and any missing parents. |
+| `writeFile(path, content, options?)` | Write file (creates parent dirs). `options.compress` stores as gzip; `options.mode` sets POSIX mode bits. |
+| `readFile(path): string` | Read file as UTF-8. Transparently decompresses gzip files. |
+| `readFileRaw(path): Buffer` | Read file as Buffer (decompresses if needed). |
+| `exists(path): boolean` | Test whether a file or directory exists. |
+| `stat(path): VfsNodeStats` | Returns file/directory metadata. |
+| `list(path?): string[]` | List direct children of a directory (sorted). |
+| `tree(path?): string` | Render ASCII directory tree. |
+| `move(from, to)` | Move or rename a node. Throws if destination exists. |
+| `remove(path, options?)` | Delete file or directory. `options.recursive` required for non-empty dirs. |
+| `chmod(path, mode)` | Update POSIX mode bits. |
+| `compressFile(path)` | Gzip-compress file content in place. |
+| `decompressFile(path)` | Gunzip file content in place. |
+| `symlink(target, linkPath)` | Create a symbolic link (mode `0o120777`). |
+| `isSymlink(path): boolean` | Returns true if the path is a symlink node. |
+| `resolveSymlink(path, maxDepth?): string` | Resolve symlink chain to real path (default max 8 hops). |
+| `getUsageBytes(path?): number` | Total stored bytes under a path. |
+| `getMode(): VfsPersistenceMode` | Returns `"memory"` or `"fs"`. |
+| `getSnapshotPath(): string \| null` | Snapshot file path in `"fs"` mode, or null. |
+| `toSnapshot(): VfsSnapshot` | Export the whole tree as a JSON-serialisable snapshot. |
+| `importSnapshot(snapshot)` | Replace current state from a snapshot (preserves mode). |
+| `restoreMirror(): Promise<void>` | Load from disk (`"fs"` mode) / no-op (`"memory"` mode). |
+| `flushMirror(): Promise<void>` | Save to disk (`"fs"` mode) / emit `mirror:flush` (`"memory"` mode). |
+| `VirtualFileSystem.fromSnapshot(snapshot)` | **Static.** Create a new memory-mode instance from a snapshot. |
 
-```typescript
-await users.setQuotaBytes("alice", 5 * 1024 * 1024); // 5 MB
-```
+#### Events
 
-##### `async clearQuota(username: string): Promise<void>`
+| Event | Data | Description |
+|-------|------|-------------|
+| `file:write` | `{ path, size }` | File written |
+| `file:read` | `{ path, size }` | File read |
+| `dir:create` | `{ path, mode }` | Directory created |
+| `node:remove` | `{ path }` | File or directory deleted |
+| `symlink:create` | `{ link, target }` | Symlink created |
+| `snapshot:import` | — | `importSnapshot()` called |
+| `snapshot:restore` | `{ path }` | Restored from disk (fs mode) |
+| `mirror:flush` | `{ path? }` | Flushed (path present in fs mode) |
 
-Removes quota limit for a user.
+**Example:**
 
 ```typescript
-await users.clearQuota("alice");
-```
+vfs.on("file:write", ({ path, size }) => {
+  console.log(`[VFS] Written: ${path} (${size} bytes)`);
+});
 
-##### `getQuotaBytes(username: string): number | null`
+vfs.on("dir:create", ({ path, mode }) => {
+  console.log(`[VFS] Dir created: ${path} (mode: ${mode.toString(8)})`);
+});
+```
 
-Returns configured quota in bytes, or `null` if unlimited.
+#### Memory mode — manual snapshot persistence
 
 ```typescript
-console.log(users.getQuotaBytes("alice"));
-```
+import { VirtualFileSystem } from "typescript-virtual-container";
+import { writeFileSync, readFileSync } from "node:fs";
 
-##### `getUsageBytes(username: string): number`
+const vfs = new VirtualFileSystem(); // mode: "memory"
+vfs.writeFile("/etc/config.json", JSON.stringify({ debug: true }));
 
-Returns current stored usage in bytes under `/home/<username>`.
+// Export to disk manually
+writeFileSync("vfs-snapshot.json", JSON.stringify(vfs.toSnapshot()));
 
-```typescript
-console.log(users.getUsageBytes("alice"));
+// Restore into a new instance
+const snapshot = JSON.parse(readFileSync("vfs-snapshot.json", "utf8"));
+const restored = VirtualFileSystem.fromSnapshot(snapshot);
+console.log(restored.readFile("/etc/config.json")); // {"debug":true}
 ```
 
-##### `assertWriteWithinQuota(username: string, targetPath: string, nextContent: string | Buffer): void`
-
-Validates a write operation against quota rules; throws when projected usage exceeds quota.
+#### FS mode — automatic persistence across restarts
 
 ```typescript
-users.assertWriteWithinQuota("alice", "/home/alice/data.txt", "payload");
-```
+import { VirtualShell, VirtualSshServer } from "typescript-virtual-container";
 
-##### `registerSession(username: string, remoteAddress: string): VirtualActiveSession`
-
-Creates active session (called on SSH auth). Returns session descriptor with UUID, tty, start time.
+const shell = new VirtualShell("my-vm", undefined, {
+  mode: "fs",
+  snapshotPath: "./vfs-data",
+});
 
-```typescript
-const session = users.registerSession("alice", "192.168.1.100");
-console.log(session.id);  // UUID
+const ssh = new VirtualSshServer({ port: 2222, shell });
+await ssh.start();
+// VFS is restored from ./vfs-data/vfs-snapshot.json on start (if it exists).
+// flushMirror() is called after each write, persisting state to disk automatically.
 ```
 
-##### `unregisterSession(sessionId: string | null): void`
-
-Closes session. Safe to call with null.
+---
 
-```typescript
-users.unregisterSession(sessionId);
-```
+### `VirtualUserManager`
 
-##### `updateSession(sessionId: string | null, username: string, remoteAddress: string): void`
+Manages virtual users, password hashing (scrypt), sudo privileges, per-user storage quotas, SSH public keys, and active session tracking.
 
-Updates session metadata (used for su/sudo).
+#### Constructor
 
 ```typescript
-users.updateSession(sessionId, "root", "192.168.1.100");
+new VirtualUserManager(
+  vfs: VirtualFileSystem,
+  autoSudoForNewUsers?: boolean,  // default: true
+)
 ```
 
-##### `listActiveSessions(): VirtualActiveSession[]`
+- Auth data is stored inside the VFS at protected paths under `/virtual-env-js/.auth/`.
+- `autoSudoForNewUsers`: when true, newly created users are automatically added to sudoers.
 
-Returns snapshot of active sessions (sorted by start time).
+#### Methods
 
-```typescript
-const sessions = users.listActiveSessions();
-sessions.forEach(s => {
-	console.log(`${s.username}@${s.remoteAddress} on ${s.tty}`);
-});
-```
+| Method | Description |
+|--------|-------------|
+| `initialize(): Promise<void>` | Load users/sudoers from VFS, ensure root exists. Call once on startup. |
+| `verifyPassword(username, password): boolean` | Check plaintext password against stored hash. |
+| `hasPassword(username): boolean` | Returns true if a password is set for the user. |
+| `hashPassword(password): string` | Hash a password using the configured algorithm. |
+| `addUser(username, password): Promise<void>` | Create user with home directory. |
+| `deleteUser(username): Promise<void>` | Delete user. Cannot delete root. |
+| `isSudoer(username): boolean` | Check if user has sudo privileges. |
+| `addSudoer(username): Promise<void>` | Grant sudo privileges. |
+| `removeSudoer(username): Promise<void>` | Revoke sudo privileges. Cannot remove root. |
+| `setQuotaBytes(username, maxBytes): Promise<void>` | Set per-user write quota (bytes under `/home/<user>`). |
+| `clearQuota(username): Promise<void>` | Remove quota limit. |
+| `getQuotaBytes(username): number \| null` | Returns quota in bytes, or null if unlimited. |
+| `getUsageBytes(username): number` | Returns current usage in bytes under `/home/<user>`. |
+| `assertWriteWithinQuota(username, path, content)` | Throws if the write would exceed the user's quota. |
+| `addAuthorizedKey(username, algo, data)` | Register an SSH public key for the user. |
+| `getAuthorizedKeys(username)` | Returns the list of authorized keys for a user. |
+| `removeAuthorizedKeys(username)` | Revoke all authorized keys for a user. |
+| `registerSession(username, remoteAddress): VirtualActiveSession` | Start session tracking, returns session descriptor. |
+| `unregisterSession(sessionId): void` | End session. Safe to call with null. |
+| `updateSession(sessionId, username, remoteAddress): void` | Update session metadata (used by `su`/`sudo`). |
+| `listActiveSessions(): VirtualActiveSession[]` | Returns all active sessions sorted by start time. |
 
 #### Events
 
-`VirtualUserManager` extends `EventEmitter` and emits the following events:
-
 | Event | Data | Description |
 |-------|------|-------------|
-| `initialized` | — | User manager initialization complete, root user ready |
-| `user:add` | `{ username: string }` | New user created |
-| `user:delete` | `{ username: string }` | User deleted |
-| `session:register` | `{ sessionId: string; username: string; remoteAddress: string }` | Session registered (user logged in) |
-| `session:unregister` | `{ sessionId: string; username: string }` | Session unregistered (user logged out) |
+| `initialized` | — | User manager ready, root account ensured |
+| `user:add` | `{ username }` | New user created |
+| `user:delete` | `{ username }` | User deleted |
+| `key:add` | `{ username, algo }` | Public key added |
+| `key:remove` | `{ username }` | Public keys removed |
+| `session:register` | `{ sessionId, username, remoteAddress }` | Session started |
+| `session:unregister` | `{ sessionId, username }` | Session ended |
 
 **Example:**
 
 ```typescript
 users.on("user:add", ({ username }) => {
-	console.log(`[USERS] User created: ${username}`);
+  console.log(`[USERS] Created: ${username}`);
 });
 
 users.on("session:register", ({ sessionId, username, remoteAddress }) => {
-	console.log(`[USERS] Session ${sessionId}: ${username} from ${remoteAddress}`);
-});
-
-users.on("session:unregister", ({ sessionId, username }) => {
-	console.log(`[USERS] Session ${sessionId} (${username}) closed`);
+  console.log(`[USERS] Session ${sessionId}: ${username} from ${remoteAddress}`);
 });
 ```
 
 ---
 
-### HoneyPot (Auditing & Event Tracking)
+### `HoneyPot`
 
-Comprehensive security auditing and event tracking utility. Attaches to all core components (VirtualShell, VirtualFileSystem, VirtualUserManager, SshMimic, SftpMimic) to log activity, track statistics, and detect anomalies.
+Comprehensive security auditing and event tracking utility. Attaches listeners to all core components to log activity, track statistics, and detect anomalies.
 
 #### Constructor
 
 ```typescript
-new HoneyPot(maxLogSize?: number)
-```
-
-- **maxLogSize**: Maximum audit log entries to retain (default: 10000)
-
-```typescript
-const honeypot = new HoneyPot(5000);  // Keep last 5000 audit entries
+new HoneyPot(maxLogSize?: number)  // default: 10000
 ```
 
 #### Methods
 
-##### `attach(shell: VirtualShell, vfs: VirtualFileSystem, users: VirtualUserManager, ssh?: SshMimic, sftp?: SftpMimic): void`
-
-Attaches honeypot listeners to all provided event emitters. This wires up all audit tracking across the entire virtual environment.
-
-```typescript
-honeypot.attach(shell, vfs, users, ssh, sftp);
-// All components now emit events to honeypot
+| Method | Description |
+|--------|-------------|
+| `attach(shell, vfs, users, ssh?, sftp?)` | Subscribe to all event sources. |
+| `getAuditLog(type?, source?): AuditLogEntry[]` | Full log, optionally filtered by event type and/or source component. |
+| `getStats(): Readonly<HoneyPotStats>` | Aggregated activity counters. |
+| `getRecent(limit?): AuditLogEntry[]` | Most recent entries in reverse chronological order. |
+| `detectAnomalies()` | Analyze patterns — returns `{ type, severity, message }[]`. |
+| `reset()` | Clear audit log and reset all stat counters. |
+| `exportJson(): string` | Serialise full log + stats to a JSON string. |
+
+#### HoneyPotStats fields
+
+```typescript
+interface HoneyPotStats {
+  authAttempts: number;
+  authSuccesses: number;
+  authFailures: number;
+  commands: number;
+  fileWrites: number;
+  fileReads: number;
+  sessionStarts: number;
+  sessionEnds: number;
+  userCreated: number;
+  userDeleted: number;
+  clientConnects: number;
+  clientDisconnects: number;
+}
 ```
 
-##### `getAuditLog(type?: string, source?: string): AuditLogEntry[]`
-
-Returns audit log entries with optional filtering by event type or source component.
+#### Audit Log Entry
 
 ```typescript
-// All entries
-const allLogs = honeypot.getAuditLog();
-
-// Only auth events
-const authLogs = honeypot.getAuditLog("auth:failure");
-
-// Only SshMimic events
-const sshLogs = honeypot.getAuditLog(undefined, "SshMimic");
-
-// Combine filters
-const sshAuthLogs = honeypot.getAuditLog("auth:success", "SshMimic");
+interface AuditLogEntry {
+  timestamp: string;                // ISO-8601
+  type: string;                     // e.g. "auth:failure", "file:write"
+  source: string;                   // e.g. "SshMimic", "VirtualFileSystem"
+  details: Record<string, unknown>; // event-specific payload
+}
 ```
 
-##### `getStats(): Readonly<HoneyPotStats>`
-
-Returns current activity statistics snapshot.
+#### Example
 
 ```typescript
-const stats = honeypot.getStats();
-console.log(`Auth attempts: ${stats.authAttempts}`);
-console.log(`Auth successes: ${stats.authSuccesses}`);
-console.log(`Auth failures: ${stats.authFailures}`);
-console.log(`Commands executed: ${stats.commands}`);
-console.log(`File writes: ${stats.fileWrites}`);
-console.log(`File reads: ${stats.fileReads}`);
-console.log(`Sessions started: ${stats.sessionStarts}`);
-console.log(`Sessions ended: ${stats.sessionEnds}`);
-console.log(`Users created: ${stats.userCreated}`);
-console.log(`Users deleted: ${stats.userDeleted}`);
-console.log(`Client connects: ${stats.clientConnects}`);
-console.log(`Client disconnects: ${stats.clientDisconnects}`);
-```
+import { HoneyPot, VirtualShell, VirtualSshServer } from "typescript-virtual-container";
 
-##### `getRecent(limit?: number): AuditLogEntry[]`
+const shell = new VirtualShell("honeypot");
+const ssh   = new VirtualSshServer({ port: 2222, shell });
+const hp    = new HoneyPot(50_000);
 
-Returns most recent audit entries in reverse chronological order.
-
-```typescript
-const last50 = honeypot.getRecent(50);
-last50.forEach(entry => {
-	console.log(`${entry.timestamp} | ${entry.source} | ${entry.type}`);
-	console.log(`Details:`, entry.details);
-});
-```
+await ssh.start();
+hp.attach(shell, shell.vfs, shell.users, ssh);
 
-##### `detectAnomalies(): Array<{ type: string; severity: "low" | "medium" | "high"; message: string }>`
+// Filter audit log
+const failures = hp.getAuditLog("auth:failure");
+failures.forEach(e => console.log(e.details.username, e.details.remoteAddress));
 
-Analyzes activity patterns and detects potential security issues.
+// Detect anomalies
+hp.detectAnomalies().forEach(a =>
+  console.log(`[${a.severity.toUpperCase()}] ${a.type}: ${a.message}`)
+);
 
-```typescript
-const anomalies = honeypot.detectAnomalies();
-anomalies.forEach(anomaly => {
-	console.log(`[${anomaly.severity.toUpperCase()}] ${anomaly.type}`);
-	console.log(`  ${anomaly.message}`);
+// Export on shutdown
+process.on("SIGINT", () => {
+  require("fs").writeFileSync("audit.json", hp.exportJson());
+  process.exit(0);
 });
 ```
 
-Detects:
+**`detectAnomalies` detects:**
 - High authentication failure rates
 - Excessive authentication failures
 - Unusual command execution volume
 - Unusual file write volume
 
-##### `reset(): void`
+---
+
+### `SshClient` (Programmatic API)
+
+Execute shell commands against a `VirtualShell` without SSH protocol overhead. Maintains working-directory state across calls.
 
-Clears audit log and resets all statistics counters.
+#### Constructor
 
 ```typescript
-honeypot.reset();  // Fresh start
+new SshClient(shell: VirtualShell, username: string)
 ```
 
-#### Audit Log Entry Structure
+No password required — the client authenticates by username only.
+
+#### Methods
+
+| Method | Description |
+|--------|-------------|
+| `exec(command): Promise<CommandResult>` | Run arbitrary raw command string. |
+| `ls(path?)` | List directory (default: cwd). |
+| `pwd()` | Print current working directory. |
+| `cd(path)` | Change directory. Updates internal cwd state on success. |
+| `cat(path)` | Read file content via `cat` command. |
+| `readFile(path)` | Read file directly from VFS (programmatic, no shell parse). |
+| `writeFile(path, content)` | Write file directly to VFS (programmatic). |
+| `mkdir(path, recursive?)` | Create directory. `recursive=true` adds `-p`. |
+| `touch(path)` | Create empty file. |
+| `rm(path, recursive?)` | Remove file or directory. `recursive=true` adds `-r`. |
+| `tree(path?)` | Render ASCII directory tree. |
+| `whoami()` | Print current user. |
+| `hostname()` | Print server hostname. |
+| `who()` | List active sessions. |
+| `getCwd(): string` | Returns current working directory (local, no I/O). |
+| `getUsername(): string` | Returns authenticated username. |
+
+**Example:**
 
 ```typescript
-interface AuditLogEntry {
-	timestamp: string;              // ISO-8601 timestamp
-	type: string;                   // Event type (e.g., "auth:success", "file:write")
-	source: string;                 // Event source component
-	details: Record<string, unknown>; // Event-specific data
-}
-```
+const shell  = new VirtualShell("typescript-vm");
+const client = new SshClient(shell, "alice");
+
+await client.mkdir("/home/alice/projects", true);
+await client.cd("/home/alice/projects");
 
-#### Example Usage
+console.log(client.getCwd());  // /home/alice/projects
 
-See [Example 8: Security Auditing with HoneyPot](#example-8-security-auditing-with-honeypot) in Usage Examples.
+await client.writeFile("notes.txt", "Work in progress");
+const list = await client.ls();
+console.log(list.stdout);  // notes.txt
+
+const read = await client.readFile("notes.txt");
+console.log(read.stdout);  // Work in progress
+```
 
 ---
 
 ### Key Types
 
-#### CommandResult
+#### `CommandResult`
 
-Response from command execution (shell or programmatic).
+Returned by all command executions (shell or programmatic).
 
 ```typescript
 interface CommandResult {
-	stdout?: string;          // Standard output
-	stderr?: string;          // Standard error
-	exitCode?: number;        // Exit code (default: 0)
-	nextCwd?: string;         // Updated cwd (used by cd command)
-	clearScreen?: boolean;    // Request terminal clear
-	closeSession?: boolean;   // Request session close
-	switchUser?: string;      // User change request (su/sudo)
-	openEditor?: NanoEditorSession;  // Text editor launch
-	openHtop?: boolean;       // System monitor launch
-	sudoChallenge?: SudoChallenge;   // Sudo password challenge
+  stdout?: string;           // Standard output
+  stderr?: string;           // Standard error
+  exitCode?: number;         // Exit code (default: 0)
+  nextCwd?: string;          // Updated cwd (set by cd command)
+  clearScreen?: boolean;     // Request terminal clear
+  closeSession?: boolean;    // Request session close
+  switchUser?: string;       // User switch (su/sudo)
+  openEditor?: NanoEditorSession;  // Nano editor launch
+  openHtop?: boolean;        // htop launch
+  sudoChallenge?: SudoChallenge;   // Sudo password challenge
 }
 ```
 
-#### VfsNodeStats
-
-File/directory metadata.
+#### `VfsNodeStats`
 
 ```typescript
 type VfsNodeStats = VfsFileNode | VfsDirectoryNode;
 
 interface VfsFileNode {
-	type: "file";
-	name: string;
-	path: string;
-	mode: number;          // POSIX mode bits
-	size: number;          // Byte length
-	compressed: boolean;   // Is gzip compressed?
-	createdAt: Date;
-	updatedAt: Date;
+  type: "file";
+  name: string;
+  path: string;
+  mode: number;          // POSIX mode bits
+  size: number;          // Byte length (compressed size when compressed=true)
+  compressed: boolean;
+  createdAt: Date;
+  updatedAt: Date;
 }
 
 interface VfsDirectoryNode {
-	type: "directory";
-	name: string;
-	path: string;
-	mode: number;
-	childrenCount: number;
-	createdAt: Date;
-	updatedAt: Date;
+  type: "directory";
+  name: string;
+  path: string;
+  mode: number;
+  childrenCount: number;
+  createdAt: Date;
+  updatedAt: Date;
 }
 ```
 
-#### VirtualActiveSession
-
-Active SSH/programmatic session descriptor.
+#### `VirtualActiveSession`
 
 ```typescript
 interface VirtualActiveSession {
-	id: string;            // UUID
-	username: string;
-	tty: string;           // e.g., "pts/0"
-	remoteAddress: string; // Client IP or label
-	startedAt: string;     // ISO-8601 timestamp
+  id: string;             // UUID
+  username: string;
+  tty: string;            // e.g. "pts/0"
+  remoteAddress: string;  // Client IP or label
+  startedAt: string;      // ISO-8601
+}
+```
+
+#### `VfsSnapshot`
+
+```typescript
+interface VfsSnapshot {
+  root: VfsSnapshotDirectoryNode;
+}
+// VfsSnapshotNode = VfsSnapshotFileNode | VfsSnapshotDirectoryNode
+// File nodes store content as base64 in contentBase64.
+```
+
+#### `ShellModule`
+
+Contract for custom command plugins:
+
+```typescript
+interface ShellModule {
+  name: string;
+  params: string[];
+  aliases?: string[];
+  run: (ctx: CommandContext) => CommandResult | Promise<CommandResult>;
+}
+
+interface CommandContext {
+  authUser: string;
+  hostname: string;
+  activeSessions: VirtualActiveSession[];
+  rawInput: string;
+  mode: "shell" | "exec";
+  args: string[];
+  stdin?: string;
+  cwd: string;
+  shell: VirtualShell;
 }
 ```
 
@@ -1221,72 +863,52 @@ interface VirtualActiveSession {
 
 ### Example 1: Basic SSH Server
 
-Minimal server startup that accepts SSH connections:
-
 ```typescript
 import { VirtualSshServer } from "typescript-virtual-container";
 
-const ssh = new VirtualSshServer({
-	port: 2222,
-	hostname: "lab-environment"
-});
-
+const ssh = new VirtualSshServer({ port: 2222, hostname: "lab-environment" });
 await ssh.start();
-console.log("SSH server ready. Connect via: ssh root@localhost -p 2222");
+console.log("SSH server ready. Connect: ssh root@localhost -p 2222");
 
-// Keep running (e.g., in cloud deployment)
-process.on("SIGINT", () => {
-	ssh.stop();
-	process.exit(0);
-});
+process.on("SIGINT", () => { ssh.stop(); process.exit(0); });
 ```
 
-**External SSH connection:**
-
 ```bash
 ssh root@localhost -p 2222
-# Password: root
 # $ whoami
 # root
-# $
 ```
 
 ---
 
 ### Example 2: Programmatic File Operations
 
-Create, read, modify files without SSH:
-
 ```typescript
-import { VirtualSshServer, SshClient, VirtualShell } from "typescript-virtual-container";
+import { SshClient, VirtualShell, VirtualSshServer } from "typescript-virtual-container";
 
-const shell = new VirtualShell("typescript-vm");
-const ssh = new VirtualSshServer({ port: 2222, shell });
+const shell  = new VirtualShell("typescript-vm");
+const ssh    = new VirtualSshServer({ port: 2222, shell });
 await ssh.start();
 
 const client = new SshClient(shell, "root");
 
-// Create structure
 await client.mkdir("/app/config", true);
 await client.mkdir("/app/logs", true);
 
-// Write config
 await client.writeFile("/app/config/settings.json", JSON.stringify({
-	environment: "dev",
-	port: 8080,
-	debug: true
+  environment: "dev",
+  port: 8080,
+  debug: true,
 }, null, 2));
 
-// Read it back
 const result = await client.readFile("/app/config/settings.json");
 console.log("Config:", result.stdout);
 
-// List directory
 const list = await client.ls("/app");
 console.log(list.stdout);
 
-// Verify tree
-console.log(await client.tree("/app"));
+const tree = await client.tree("/app");
+console.log(tree.stdout);
 
 ssh.stop();
 ```
@@ -1295,360 +917,340 @@ ssh.stop();
 
 ### Example 3: Multi-User Environment
 
-Create users, manage permissions, session tracking:
-
 ```typescript
-import { VirtualSshServer, SshClient, VirtualShell } from "typescript-virtual-container";
+import { SshClient, VirtualShell, VirtualSshServer } from "typescript-virtual-container";
 
 const shell = new VirtualShell("typescript-vm");
-const ssh = new VirtualSshServer({ port: 2222, shell });
+const ssh   = new VirtualSshServer({ port: 2222, shell });
 await ssh.start();
 
 const users = ssh.getUsers()!;
 
-// Create users
 await users.addUser("alice", "alice123");
 await users.addUser("bob", "bob456");
-console.log("Created users: alice, bob");
 
-// Grant sudo to alice only
+// Alice has sudo; Bob does not
 await users.removeSudoer("bob");
-await users.addSudoer("alice");
 
-// Alice: High privilege
+// Set a 5 MB quota for bob
+await users.setQuotaBytes("bob", 5 * 1024 * 1024);
+
 const alice = new SshClient(shell, "alice");
 await alice.writeFile("/etc/important.conf", "secret=yes");
 
-// Bob: Regular user
 const bob = new SshClient(shell, "bob");
 const result = await bob.cat("/etc/important.conf");
-console.log("Bob read file:", result.stderr);
+console.log("Bob read file:", result.stderr); // permission denied
 
 ssh.stop();
 ```
 
 ---
 
-### Example 4: Persistent State
+### Example 4: Persistent State across Restarts
 
-Save filesystem state between runs:
+#### Memory mode (manual)
 
 ```typescript
-import { VirtualSshServer, VirtualShell } from "typescript-virtual-container";
+import { VirtualFileSystem } from "typescript-virtual-container";
+import { writeFileSync, readFileSync } from "node:fs";
 
-// First run: Initialize
-const shell1 = new VirtualShell("typescript-vm", undefined, "./container");
-const ssh1 = new VirtualSshServer({ 
-	port: 2222,
-	shell: shell1 
-});
-await ssh1.start();
-const vfs1 = ssh1.getVfs()!;
+const vfs = new VirtualFileSystem();
+vfs.writeFile("/data/report.txt", "Baseline data");
+
+// Persist
+writeFileSync("snapshot.json", JSON.stringify(vfs.toSnapshot()));
 
-vfs1.mkdir("/data", 0o777);
-vfs1.writeFile("/data/report.txt", "Baseline data");
-await vfs1.flushMirror();
-ssh1.stop();
+// Later, in a new process
+const snapshot = JSON.parse(readFileSync("snapshot.json", "utf8"));
+const restored = VirtualFileSystem.fromSnapshot(snapshot);
+console.log(restored.readFile("/data/report.txt")); // Baseline data
+```
+
+#### FS mode (automatic)
 
-console.log("State available under ./container/.vfs/mirror");
+```typescript
+import { VirtualShell, VirtualSshServer } from "typescript-virtual-container";
 
-// Later: Reload and continue
-const shell2 = new VirtualShell("typescript-vm", undefined, "./container");
-const ssh2 = new VirtualSshServer({ 
-	port: 2223,
-	shell: shell2 
+const shell = new VirtualShell("my-vm", undefined, {
+  mode: "fs",
+  snapshotPath: "./container-data",
 });
-await ssh2.start();
-const vfs2 = ssh2.getVfs()!;
-await vfs2.restoreMirror();
 
-const content = vfs2.readFile("/data/report.txt");
-console.log("Restored:", content);
+const ssh = new VirtualSshServer({ port: 2222, shell });
+await ssh.start();
+// Snapshot is auto-restored on start and auto-written on each flushMirror() call.
 
-ssh2.stop();
+process.on("SIGTERM", () => { ssh.stop(); process.exit(0); });
 ```
 
 ---
 
-### Example 5: CI/CD Automation
-
-Simulate filesystem changes and verify outcomes:
+### Example 5: Public-key authentication
 
 ```typescript
-import { VirtualSshServer, SshClient, VirtualShell } from "typescript-virtual-container";
-
-async function testDeployment() {
-	const shell = new VirtualShell("typescript-vm");
-	const ssh = new VirtualSshServer({ port: 2222, shell });
-	await ssh.start();
+import { VirtualShell, VirtualSshServer } from "typescript-virtual-container";
+import { readFileSync } from "node:fs";
 
-	const client = new SshClient(shell, "root");
+const shell = new VirtualShell("secure-vm");
+await shell.ensureInitialized();
 
-	// Pre-deployment: Set up base structure
-	await client.mkdir("/srv/app", true);
-	await client.writeFile("/srv/app/package.json", '{"name":"myapp"}');
+await shell.users.addUser("alice", "fallback-password");
 
-	// Simulate deployment: Write new version
-	await client.writeFile("/srv/app/app.js", 'console.log("v2.0");');
+// Parse from ~/.ssh/id_ed25519.pub
+const pubLine = readFileSync(`${process.env.HOME}/.ssh/id_ed25519.pub`, "utf8").trim();
+const [algo, b64] = pubLine.split(" ");
+shell.users.addAuthorizedKey("alice", algo, Buffer.from(b64, "base64"));
 
-	// Verify deployment: Read and validate
-	const appContent = await client.readFile("/srv/app/app.js");
-	if (appContent.stdout.includes("v2.0")) {
-		console.log("✓ Deployment verified");
-	} else {
-		console.error("✗ Deployment failed");
-	}
-
-	ssh.stop();
-}
-
-testDeployment().catch(console.error);
+const ssh = new VirtualSshServer({ port: 2222, shell });
+await ssh.start();
+// ssh -i ~/.ssh/id_ed25519 alice@localhost -p 2222
 ```
 
 ---
 
-### Example 6: Complex Navigation
-
-Simulate shell workflows:
+### Example 6: Rate Limiting
 
 ```typescript
-import { VirtualSshServer, SshClient, VirtualShell } from "typescript-virtual-container";
+const ssh = new VirtualSshServer({
+  port: 2222,
+  maxAuthAttempts: 3,         // lock after 3 consecutive failures
+  lockoutDurationMs: 300_000, // 5-minute lockout
+});
 
-const shell = new VirtualShell("typescript-vm");
-const ssh = new VirtualSshServer({ port: 2222, shell });
-await ssh.start();
+ssh.on("auth:lockout", ({ ip, until }) => {
+  console.warn(`[SSH] ${ip} locked until ${until}`);
+});
 
-const client = new SshClient(shell, "root");
+ssh.on("auth:failure", ({ username, remoteAddress }) => {
+  console.warn(`[SSH] Failed login: ${username} from ${remoteAddress}`);
+});
 
-// Create nested structure
-await client.mkdir("/home/user/projects/myapp/src", true);
-await client.cd("/home/user/projects");
+// Manually lift a lockout (e.g. in an admin endpoint)
+ssh.clearLockout("192.168.1.100");
+```
 
-console.log(client.getCwd());  // "/home/user/projects"
+---
 
-// Navigate deeper
-await client.cd("myapp/src");
-console.log(client.getCwd());  // "/home/user/projects/myapp/src"
+### Example 7: CI/CD Automation & Assertions
 
-// Create files in new location
-await client.writeFile("main.ts", "export function main() {}");
-await client.writeFile("utils.ts", "export function util() {}");
+```typescript
+import { SshClient, VirtualShell, VirtualSshServer } from "typescript-virtual-container";
 
-// List current
-const srcFiles = await client.ls();
-console.log(srcFiles.stdout);  // main.ts, utils.ts
+async function testDeployment() {
+  const shell = new VirtualShell("typescript-vm");
+  const ssh   = new VirtualSshServer({ port: 2222, shell });
+  await ssh.start();
 
-// Navigate up (relative paths)
-await client.cd("..");
-console.log(client.getCwd());  // "/home/user/projects/myapp"
+  const client = new SshClient(shell, "root");
 
-const appTree = await client.tree();
-console.log(appTree.stdout);
+  await client.mkdir("/srv/app", true);
+  await client.writeFile("/srv/app/package.json", '{"name":"myapp","version":"1.0.0"}');
 
-ssh.stop();
+  // Simulate deployment
+  await client.writeFile("/srv/app/app.js", 'console.log("v2.0");');
+
+  const appContent = await client.readFile("/srv/app/app.js");
+  if (appContent.stdout.includes("v2.0")) {
+    console.log("✓ Deployment verified");
+  } else {
+    throw new Error("✗ Deployment failed");
+  }
+
+  ssh.stop();
+}
+
+testDeployment().catch(console.error);
 ```
 
 ---
 
-### Example 7: Error Handling
-
-Graceful error handling in programmatic workflows:
+### Example 8: Snapshot-Based Test Fixtures
 
 ```typescript
-import { VirtualSshServer, SshClient, VirtualShell } from "typescript-virtual-container";
+import { VirtualFileSystem } from "typescript-virtual-container";
+import type { VfsSnapshot } from "typescript-virtual-container";
 
-const shell = new VirtualShell("typescript-vm");
-const ssh = new VirtualSshServer({ port: 2222, shell });
-await ssh.start();
+function buildFixture(): VfsSnapshot {
+  const vfs = new VirtualFileSystem();
+  vfs.mkdir("/app/config");
+  vfs.writeFile("/app/config/settings.json", JSON.stringify({ env: "test" }));
+  vfs.writeFile("/app/README.md", "# My App");
+  return vfs.toSnapshot();
+}
 
-const client = new SshClient(shell, "root");
+const FIXTURE = buildFixture();
 
-// Try read non-existent file
-const result = await client.readFile("/etc/nonexistent.conf");
-if (result.exitCode !== 0) {
-	console.error("Read error:", result.stderr);
-}
+// Each test gets a clean, isolated VFS from the same fixture
+test("reads config file", () => {
+  const vfs = VirtualFileSystem.fromSnapshot(FIXTURE);
+  const content = JSON.parse(vfs.readFile("/app/config/settings.json"));
+  expect(content.env).toBe("test");
+});
+```
 
-// Try change to non-existent directory
-const cdResult = await client.cd("/invalid/path");
-if (cdResult.exitCode !== 0) {
-	console.error("Invalid path");
-}
+---
 
-// Try remove root
-const rmResult = await client.rm("/", true);
-console.log("Remove root:", rmResult.stderr);  // Error
+### Example 9: Symlinks
 
-ssh.stop();
+```typescript
+const vfs = new VirtualFileSystem();
+vfs.mkdir("/usr/local/bin");
+vfs.writeFile("/opt/myapp/bin/app", "#!/bin/sh\necho hello");
+vfs.symlink("/opt/myapp/bin/app", "/usr/local/bin/app");
+
+console.log(vfs.isSymlink("/usr/local/bin/app"));     // true
+console.log(vfs.resolveSymlink("/usr/local/bin/app")); // /opt/myapp/bin/app
 ```
 
 ---
 
-### Example 8: Security Auditing with HoneyPot
-
-Track all system activity, detect anomalies, and maintain security audit logs:
+### Example 10: Security Auditing with HoneyPot
 
 ```typescript
 import {
-	VirtualSshServer,
-	VirtualShell,
-	SshClient,
-	HoneyPot,
+  HoneyPot,
+  SshClient,
+  VirtualShell,
+  VirtualSshServer,
 } from "typescript-virtual-container";
 
 const shell = new VirtualShell("typescript-vm");
-const ssh = new VirtualSshServer({ port: 2222, shell });
+const ssh   = new VirtualSshServer({ port: 2222, shell });
 await ssh.start();
 
 const users = ssh.getUsers()!;
-const vfs = ssh.getVfs()!;
+const vfs   = ssh.getVfs()!;
 
-// Initialize honeypot with 5000-entry log limit
-const honeypot = new HoneyPot(5000);
-honeypot.attach(shell, vfs, users, ssh);
+const hp = new HoneyPot(5000);
+hp.attach(shell, vfs, users, ssh);
 
-// Create users
 await users.addUser("alice", "alice123");
 await users.addUser("bob", "bob456");
 
-// Simulate activity
 const alice = new SshClient(shell, "alice");
 await alice.mkdir("/home/alice/projects", true);
 await alice.writeFile("/home/alice/projects/app.txt", "My application");
 await alice.ls("/home/alice/projects");
 
 const bob = new SshClient(shell, "bob");
-// Bob tries invalid operations
-await bob.readFile("/etc/shadow");  // Will fail
-await bob.writeFile("/etc/passwd", "hacked");  // Will fail
-
-// Collect stats
-const stats = honeypot.getStats();
-console.log("\n=== Activity Summary ===");
-console.log(`Auth attempts: ${stats.authAttempts}`);
-console.log(`Auth successes: ${stats.authSuccesses}`);
-console.log(`Auth failures: ${stats.authFailures}`);
-console.log(`Commands executed: ${stats.commands}`);
-console.log(`File writes: ${stats.fileWrites}`);
-console.log(`File reads: ${stats.fileReads}`);
-console.log(`Sessions active: ${stats.sessionStarts}`);
-console.log(`Users created: ${stats.userCreated}`);
-
-// Get recent events
-console.log("\n=== Last 5 Events ===");
-honeypot.getRecent(5).forEach((entry) => {
-	console.log(`[${entry.timestamp}] ${entry.source} -> ${entry.type}`);
-	console.log(`  Details: ${JSON.stringify(entry.details, null, 2)}`);
-});
+await bob.readFile("/etc/shadow");      // will fail
+await bob.writeFile("/etc/passwd", ""); // will fail
+
+// Stats
+const stats = hp.getStats();
+console.log(`Auth attempts:  ${stats.authAttempts}`);
+console.log(`Commands run:   ${stats.commands}`);
+console.log(`File writes:    ${stats.fileWrites}`);
+
+// Recent events
+hp.getRecent(5).forEach(e =>
+  console.log(`[${e.timestamp}] ${e.source} → ${e.type}`)
+);
 
-// Detect anomalies
-console.log("\n=== Security Analysis ===");
-const anomalies = honeypot.detectAnomalies();
-if (anomalies.length > 0) {
-	anomalies.forEach((anomaly) => {
-		console.log(
-			`[${anomaly.severity.toUpperCase()}] ${anomaly.type}: ${anomaly.message}`,
-		);
-	});
-} else {
-	console.log("No anomalies detected");
-}
+// Anomaly detection
+hp.detectAnomalies().forEach(a =>
+  console.log(`[${a.severity.toUpperCase()}] ${a.type}: ${a.message}`)
+);
 
-// Filter audit log by event type
-console.log("\n=== Auth Failures ===");
-const authFailures = honeypot.getAuditLog("auth:failure");
-authFailures.forEach((entry) => {
-	console.log(
-		`  ${entry.details.username} from ${entry.details.remoteAddress}`,
-	);
-});
+// Filter by type and source
+const authFailures = hp.getAuditLog("auth:failure");
+const sshEvents    = hp.getAuditLog(undefined, "SshMimic");
+console.log(`Auth failures: ${authFailures.length}`);
+console.log(`SSH events:    ${sshEvents.length}`);
+
+ssh.stop();
+```
+
+---
 
-// Filter by source component
-console.log("\n=== All SSH Events ===");
-const sshEvents = honeypot.getAuditLog(undefined, "SshMimic");
-console.log(`  Total SSH events: ${sshEvents.length}`);
+### Example 11: Error Handling
 
-// Export full audit log (for external storage/analysis)
-const fullAuditLog = honeypot.getAuditLog();
-console.log(`\nTotal audit entries: ${fullAuditLog.length}`);
+```typescript
+import { SshClient, VirtualShell, VirtualSshServer } from "typescript-virtual-container";
+
+const shell  = new VirtualShell("typescript-vm");
+const ssh    = new VirtualSshServer({ port: 2222, shell });
+await ssh.start();
+
+const client = new SshClient(shell, "root");
+
+const r1 = await client.readFile("/etc/nonexistent.conf");
+if (r1.exitCode !== 0) console.error("Read error:", r1.stderr);
 
-// Optional: Reset for next test phase
-// honeypot.reset();
+const r2 = await client.cd("/invalid/path");
+if (r2.exitCode !== 0) console.error("cd failed");
+
+const r3 = await client.rm("/", true);
+console.log("Remove root:", r3.stderr); // Cannot remove root directory.
 
 ssh.stop();
 ```
 
-**Output example:**
+---
+
+### Example 12: Concurrent Clients
 
-```
-[AUDIT] 2026-04-16T10:30:45.123Z | SshMimic | start { port: 2222 }
-[AUDIT] 2026-04-16T10:30:46.234Z | VirtualUserManager | user:add { username: 'alice' }
-[AUDIT] 2026-04-16T10:30:47.345Z | VirtualUserManager | user:add { username: 'bob' }
-[AUDIT] 2026-04-16T10:30:48.456Z | VirtualShell | command { command: 'mkdir /home/alice/projects', user: 'alice', cwd: '/home/alice' }
-[AUDIT] 2026-04-16T10:30:49.567Z | VirtualFileSystem | dir:create { path: '/home/alice/projects', mode: 16877 }
-[AUDIT] 2026-04-16T10:30:50.678Z | VirtualShell | command { command: 'writeFile /home/alice/projects/app.txt', user: 'alice', cwd: '/home/alice' }
-
-=== Activity Summary ===
-Auth attempts: 2
-Auth successes: 2
-Auth failures: 0
-Commands executed: 8
-File writes: 1
-File reads: 2
-Sessions active: 2
-Users created: 2
-
-=== Last 5 Events ===
-[2026-04-16T10:30:50.678Z] VirtualShell -> command
-  Details: { command: 'ls /home/alice/projects', user: 'alice', cwd: '/home/alice/projects' }
-
-=== Security Analysis ===
-No anomalies detected
-
-=== All SSH Events ===
-  Total SSH events: 4
+```typescript
+const shell   = new VirtualShell("typescript-vm");
+const client1 = new SshClient(shell, "alice");
+const client2 = new SshClient(shell, "bob");
+
+const [r1, r2] = await Promise.all([
+  client1.writeFile("/tmp/alice.txt", "Alice's data"),
+  client2.writeFile("/tmp/bob.txt",   "Bob's data"),
+]);
 ```
 
 ---
 
 ## Built-in Commands
 
-The following commands are currently registered and available in both SSH shell mode and via `SshClient.exec()`. Some flags and edge-case behavior are still being expanded for shell compatibility.
-
-| Command | Purpose | Notes |
-|---------|---------|-------|
-| `adduser <name> <pass>` | Create user | Root only |
-| `cat <path>` | Read file | Displays content |
-| `cd <path>` | Change directory | Updates client cwd |
-| `clear` | Clear screen | No args |
-| `curl <url>` | Fetch URL | Mock implementation |
-| `deluser <name>` | Delete user | Root only, not root |
-| `echo <text...>` | Print text | Supports shell-like argument output |
-| `env` | List environment variables | Shell environment view |
-| `exit [code]` | Close session | Optional exit code |
-| `export NAME=VALUE` | Set/export environment variable | Persists in shell env |
-| `grep <pattern> [path]` | Search for text | Simplified grep behavior |
-| `help` | List commands | No args |
-| `hostname` | Server hostname | No args |
-| `htop` | System monitor | Mock display |
-| `pwd` | Print working directory | No args |
-| `ls [path]` | List directory | Defaults to `.` |
-| `mkdir [-p] <path>` | Create directory | `-p` for parents |
-| `nano <path>` | Text editor | Interactive mode |
-| `neofetch` | Show system summary | Mock display |
-| `touch <path>` | Create empty file | Updates timestamps |
-| `rm [-r] <path>` | Remove file/dir | `-r` for recursive |
-| `set` | Show shell options/variables | Simplified behavior |
-| `sh <script>` | Run shell script | Simplified execution model |
-| `su <user>` | Switch user | Requires password/sudo |
-| `sudo [-i] <cmd>` | Elevation | Requires sudoer status |
-| `tree [path]` | ASCII tree view | Defaults to `.` |
-| `unset <name>` | Remove environment variable | Shell environment update |
-| `wget <url>` | Download | Mock implementation |
-| `who` | Active sessions | No args |
-| `whoami` | Current user | No args |
-
-Commands can be added via the VirtualShell addCommand() method for custom behavior.
+All commands are available in SSH shell mode and via `SshClient.exec()`.
+
+| Command | Flags | Description |
+|---------|-------|-------------|
+| `adduser <name> <pass>` | | Create user (root only) |
+| `cat <path>` | | Print file contents |
+| `cd <path>` | | Change directory |
+| `chmod <mode> <file>` | | Change file permissions (octal) |
+| `clear` | | Clear terminal screen |
+| `cp <src> <dest>` | `-r` | Copy file or directory |
+| `curl <url>` | | Fetch URL (delegates to host binary) |
+| `deluser <name>` | | Delete user (root only, not root) |
+| `echo <text...>` | | Print text |
+| `env` | | List environment variables |
+| `exit [code]` | | Close session |
+| `export NAME=VALUE` | | Set/export shell variable |
+| `find [path]` | `-name <pat>` `-type f\|d` | Search for files |
+| `grep <pattern> [files]` | `-i` `-v` `-n` `-r` | Search file content |
+| `head [files]` | `-n <N>` | First N lines (default 10) |
+| `help` | | List all commands |
+| `hostname` | | Print hostname |
+| `htop` | | System monitor (mock) |
+| `ln <target> <link>` | `-s` | Create hard or symbolic link |
+| `ls [path]` | `-l` | List directory |
+| `mkdir <path>` | `-p` | Create directory |
+| `mv <src> <dest>` | | Move or rename |
+| `nano <path>` | | Interactive text editor |
+| `neofetch` | | System summary (mock) |
+| `passwd [user]` | | Change password |
+| `pwd` | | Print working directory |
+| `rm <path>` | `-r` | Remove file or directory |
+| `set` | | Show shell variables |
+| `sh <script>` | | Run shell script |
+| `su [user]` | | Switch user |
+| `sudo <cmd>` | `-i` | Run as root |
+| `tail [files]` | `-n <N>` | Last N lines (default 10) |
+| `touch <path>` | | Create/update file |
+| `tree [path]` | | ASCII directory tree |
+| `unset <name>` | | Remove shell variable |
+| `wc [files]` | `-l` `-w` `-c` | Line/word/byte count |
+| `wget <url>` | | Download file (delegates to host binary) |
+| `who` | | List active sessions |
+| `whoami` | | Print current user |
+
+Custom commands can be added via `shell.addCommand()`.
 
 ---
 
@@ -1656,28 +1258,46 @@ Commands can be added via the VirtualShell addCommand() method for custom behavi
 
 ### Environment Variables
 
-- **`SSH_MIMIC_HOSTNAME`**: Override server hostname at startup (default: "typescript-vm")
-- **`SSH_MIMIC_ROOT_PASSWORD`**: Set root password. If unset, a random ephemeral password is generated at startup and logged once.
-- **`SSH_MIMIC_AUTO_SUDO_NEW_USERS`**: Control whether new users are added to sudoers automatically (default: enabled). Set to `0`, `false`, `no`, or `off` to disable.
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `SSH_MIMIC_FAST_PASSWORD_HASH` | `""` | Use SHA-256 instead of scrypt (faster, less secure — dev only). Set to `1` or `true`. |
+| `SSH_MIMIC_AUTO_SUDO_NEW_USERS` | `"true"` | Auto-grant sudo to new users. Set to `0`, `false`, `no`, or `off` to disable. |
+| `DEV_MODE` | `""` | Enable performance logging. |
+| `RENDER_PERF` | `""` | Enable render performance logging. |
 
 **Example:**
 
 ```bash
-export SSH_MIMIC_HOSTNAME=production-lab
-export SSH_MIMIC_ROOT_PASSWORD=SecurePass123
+export SSH_MIMIC_FAST_PASSWORD_HASH=1
 export SSH_MIMIC_AUTO_SUDO_NEW_USERS=false
-npm run start
+node server.js
 ```
 
-### Runtime Options
+### Runtime Options Summary
 
 ```typescript
-const shell = new VirtualShell("my-container", undefined, "./data");
-const ssh = new VirtualSshServer({
-	port: 2222,                    // Required
-	hostname: "my-container",      // Optional
-	shell                          // Optional, prebuilt shell instance
-});
+// VirtualShell
+new VirtualShell(
+  hostname,
+  properties?,          // kernel, os, arch strings
+  vfsOptions?,          // { mode: "memory"|"fs", snapshotPath?: string }
+)
+
+// VirtualSshServer
+new VirtualSshServer({
+  port,
+  hostname?,
+  shell?,
+  maxAuthAttempts?,     // default: 5
+  lockoutDurationMs?,   // default: 60_000
+})
+
+// VirtualSftpServer
+new VirtualSftpServer({
+  port,
+  hostname?,
+  shell?,               // or: vfs + users separately
+})
 ```
 
 ---
@@ -1686,43 +1306,41 @@ const ssh = new VirtualSshServer({
 
 ### Benchmarking
 
-Use the built-in benchmark script to measure initialization and command throughput under concurrent shell loads:
+Use the built-in benchmark script:
 
 ```bash
 bun ./benchmark-virtualshell.ts
 ```
 
 The benchmark reports:
-
-- shell initialization time by concurrency level
-- command execution time across all active shells
+- Shell initialization time by concurrency level
+- Command execution time across active shells
 - RSS memory growth during the run
 
-Recent baseline runs show strong startup behavior up to 100 concurrent shells, and the runtime is designed to scale up to **1000 environments very easily** for testing and automation workloads.
+Recent baselines show strong startup behavior up to 100 concurrent shells. The runtime is designed to scale easily to **1000+ parallel environments** for testing and automation workloads.
 
 ### Concurrency
 
-- SSH server handles multiple concurrent connections (event-driven)
-- Programmatic `SshClient` is synchronous (executes sequentially per instance)
-- Create multiple client instances for parallel operations
-- Horizontal shell instantiation (`new VirtualShell(...)`) is intended for high-volume scenarios, including large test matrices and multi-tenant simulation batches
+- SSH server is event-driven and handles multiple concurrent connections.
+- `SshClient` is sequential per instance — create multiple instances for parallel operations.
+- Each `VirtualShell` instance is fully independent (separate VFS, users, state).
 
-### Scalability Notes
+### Performance Tips
 
-- Use a dedicated `basePath` per isolated environment to parallelize safely
-- Reuse long-lived shell instances when you need low-latency command bursts
-- Keep performance logging enabled in development (`DEV_MODE=1` or `RENDER_PERF=1`) to locate hotspots quickly
+- Use `SSH_MIMIC_FAST_PASSWORD_HASH=1` in test environments to skip scrypt overhead.
+- Reuse long-lived shell instances for low-latency command bursts.
+- Keep `DEV_MODE=1` enabled only during development (adds logging overhead).
 
-**Example:**
+**Parallel clients example:**
 
 ```typescript
-const shell = new VirtualShell("typescript-vm");
+const shell   = new VirtualShell("typescript-vm");
 const client1 = new SshClient(shell, "alice");
 const client2 = new SshClient(shell, "bob");
 
-const [result1, result2] = await Promise.all([
-	client1.writeFile("/tmp/alice.txt", "..."),
-	client2.writeFile("/tmp/bob.txt", "...")
+const [r1, r2] = await Promise.all([
+  client1.writeFile("/tmp/alice.txt", "..."),
+  client2.writeFile("/tmp/bob.txt",   "..."),
 ]);
 ```
 
@@ -1734,145 +1352,167 @@ Full TypeScript support with exported types:
 
 ```typescript
 import type {
-	CommandResult,
-	VirtualActiveSession,
-	VfsNodeStats,
-	VfsFileNode,
-	VfsDirectoryNode,
-	SudoChallenge
+  // Persistence
+  VfsOptions,
+  VfsPersistenceMode,
+  // Filesystem
+  VfsSnapshot,
+  VfsNodeStats,
+  VfsFileNode,
+  VfsDirectoryNode,
+  WriteFileOptions,
+  RemoveOptions,
+  // Commands
+  CommandContext,
+  CommandResult,
+  CommandMode,
+  CommandOutcome,
+  ShellModule,
+  SudoChallenge,
+  NanoEditorSession,
+  // Audit
+  AuditLogEntry,
+  HoneyPotStats,
+  // Streams
+  ShellStream,
+  ExecStream,
 } from "typescript-virtual-container";
-
-async function processResult(r: CommandResult) {
-	if (r.exitCode === 0 && r.stdout) {
-		console.log("Success:", r.stdout);
-	} else if (r.stderr) {
-		console.error("Error:", r.stderr);
-	}
-}
 ```
 
 ---
 
 ## FAQ
 
-### Is this a real container runtime?
+**Is this a real container runtime?**
+No. It emulates SSH sessions, users, and filesystem behavior in a virtual runtime. Ideal for testing, simulations, and automation where full OS isolation is not required.
 
-No. It emulates SSH sessions, users, and filesystem behavior in a virtual runtime. It is ideal for testing, simulations, and automation workflows where full OS isolation is not required.
+**Can I use this in production?**
+You can use it in production-like automation contexts (sandboxed command runners, test harnesses, training environments, honeypots). It is not a security boundary like a real container/VM. Shell command fidelity is still being expanded.
 
-### Can I use this in production?
+**Does the VFS touch the host filesystem?**
+In the default `"memory"` mode: no, all data lives in memory. In `"fs"` mode, it reads/writes a single JSON file (`vfs-snapshot.json`) inside the configured `snapshotPath` directory. No other host paths are accessed.
 
-You can use it in production-like automation contexts (sandboxed command runners, test harnesses, training environments), but it is not a security boundary like a real container/VM. And at the moment, all commands are not implemented with full fidelity, so it may not be suitable for all production use cases.
+**Does data persist between restarts?**
+Only if you explicitly use `"fs"` mode or call `toSnapshot()` / `fromSnapshot()` manually. Memory mode is ephemeral.
 
-### Does data persist between restarts?
+**Can I run multiple isolated shells?**
+Yes. Each `new VirtualShell(...)` creates a completely independent VFS and user manager.
 
-Yes, when using a stable `basePath`. Files are stored under `.vfs/mirror`.
+**Are custom commands shared between shell instances?**
+No. Custom commands registered with `shell.addCommand()` are instance-local.
 
-### Is networking fully implemented for curl/wget?
+**Is networking fully implemented for curl/wget?**
+`curl` and `wget` delegate to the host binaries. They are intended for realistic workflows, not full GNU tooling parity.
 
-`curl` and `wget` are command-layer implementations intended for realistic workflows, not full parity with GNU tooling.
+**Can I create custom commands?**
+Yes — use `shell.addCommand()` or implement the `ShellModule` interface directly.
 
-### Can I create custom commands?
+**Is SFTP fully supported?**
+Core SFTP operations (open, read, write, stat, mkdir, remove, rename) are implemented. Some optional operations (extended attributes, symlinks) return `OP_UNSUPPORTED`.
 
-Yes. Commands are modular and can be extended in the command runtime layer to fit project-specific use cases.
+**Can I use this for honeypot deployments?**
+Yes — that is one of its primary use-cases. Use `HoneyPot.attach()` to capture all activity, configure `maxAuthAttempts` to throttle scanners, and export audit logs on shutdown.
 
 ---
 
 ## Troubleshooting
 
-### Port Already in Use
-
-```
-Error: listen EADDRINUSE :::2222
-```
-
-**Solution**: Use a different port
-
+**`Error: listen EADDRINUSE :::2222`**
+The port is already in use. Use a different port or stop the existing process.
 ```typescript
 const ssh = new VirtualSshServer({ port: 3333 });
 ```
 
-### SSH Authentication Failed
-
-**Causes**: Server not started, wrong password, SSH client not found
-
-**Solution**:
-
-```typescript
-process.env.SSH_MIMIC_ROOT_PASSWORD = "your-password";
-await ssh.start();
-```
+**SSH authentication always fails**
+- Check the password (root has no password by default — any login is accepted).
+- If you set a password, verify it with `users.verifyPassword(username, password)`.
+- Check if the IP is rate-limited: call `ssh.clearLockout(ip)`.
 
-### File Not Found Errors
+**Auth always fails with "lockout"**
+Call `ssh.clearLockout(ip)` or increase `maxAuthAttempts`. In tests, use `maxAuthAttempts: Infinity`.
 
-**Cause**: Directory doesn't exist
+**`Error: Too many levels of symbolic links`**
+A symlink chain exceeds 8 hops. Check for circular links or pass a larger `maxDepth` to `resolveSymlink()`.
 
-**Solution**: Create directories first
+**`Command 'xyz' not found` (exit code 127)**
+The command is not registered. Register it with `shell.addCommand()` or use `SshClient.exec()` with a handler.
 
+**File not found errors**
+Create the parent directory first:
 ```typescript
-const vfs = ssh.getVfs();
 vfs.mkdir("/home/alice", 0o755);
+vfs.writeFile("/home/alice/file.txt", "content");
 ```
 
-### Filesystem State Not Persisted
-
-**Cause**: `flushMirror()` not called
-
-**Solution**:
-
+**`snapshotPath` is required error**
+You set `mode: "fs"` without providing `snapshotPath`:
 ```typescript
-await ssh.getVfs().flushMirror();
+new VirtualFileSystem({ mode: "fs", snapshotPath: "./data" });
 ```
 
 ---
 
 ## Contributing
 
-1. Fork repository
-2. Create feature branch: `git checkout -b feat/my-feature`
-3. Make changes and add tests
-4. Format & lint: `bun format && bun check`
-5. Push and open PR
+1. Fork the repository.
+2. Create a feature branch: `git checkout -b feat/my-feature`
+3. Make changes and add tests.
+4. Format and lint: `bun format && bun check`
+5. Push and open a PR.
 
-**Code Quality**:
-- Biome formatting (opinionated)
-- Full TypeScript (no `any`)
-- JSDoc comments on public API
-- Async/await (no callbacks)
+**Code quality standards:**
+- Biome formatting (opinionated, enforced by CI)
+- Full TypeScript — no `any`
+- JSDoc comments on all public API surface
+- Async/await throughout — no callbacks
+- Tests for new commands and VFS behavior
 
 ---
 
 ## Security
 
-- Passwords are hashed with `scrypt` in the virtual auth store.
-- Root account is always protected and cannot be deleted.
-- Sudo privileges are explicit and persisted in sudoers data.
-- Protect the root password in production by setting `SSH_MIMIC_ROOT_PASSWORD`; otherwise startup logs a generated ephemeral password.
-- Disable `SSH_MIMIC_AUTO_SUDO_NEW_USERS` when you want newly created users to stay unprivileged by default.
-- This project is not intended to provide kernel-level or process-level isolation.
+- Passwords are hashed with `scrypt` by default (N=32768, r=8, p=1), with a random per-user salt.
+- Root account always exists and cannot be deleted.
+- Sudo privileges are explicit and stored in the VFS under `/virtual-env-js/.auth/sudoers`.
+- Per-IP rate limiting prevents automated brute-force attacks on the SSH server.
+- This project does **not** provide kernel-level or process-level isolation.
+- Do **not** expose a running instance to the public internet without understanding the risks — the virtual shell allows arbitrary command execution within the virtual environment.
 
-If you discover a vulnerability, avoid public disclosure in issues and contact maintainers privately first.
+If you discover a vulnerability, avoid public disclosure in GitHub Issues. Contact maintainers privately first — see `SECURITY.md`.
 
 ---
 
 ## Support
 
 - Open an issue for bugs, regressions, or feature requests.
-- Include Node/Bun version, package version, and a minimal reproduction.
-- For API questions, include the exact command sequence and expected vs actual result.
+- Include your Node.js/Bun version, package version, and a minimal reproduction.
+- For API questions, include the exact call sequence plus expected vs. actual behavior.
 
 ---
 
 ## License
 
-MIT License. See LICENSE file for details.
+MIT — see [LICENSE](./LICENSE).
 
 ---
 
 ## Roadmap
 
 - [x] Custom command plugin API
-- [x] Optional per-user quotas for virtual filesystem usage
-- [x] Improved shell compatibility for complex piping and redirection
-- [ ] Snapshot diff tooling for test assertions
+- [x] Optional per-user storage quotas
+- [x] Improved shell compatibility (pipelines, redirections)
+- [x] Pure in-memory VFS with snapshot import/export
+- [x] Symlinks (`ln -s`, `isSymlink`, `resolveSymlink`)
+- [x] SSH public-key authentication
+- [x] Per-IP rate limiting and lockout
+- [x] New commands: `cp`, `mv`, `ln`, `find`, `wc`, `head`, `tail`, `chmod`
 - [x] Structured event hooks (session open/close, file write, sudo challenge)
-- [ ] WebSocket-based remote shell client (experimental)
+- [ ] Snapshot diff tooling for test assertions
+- [ ] WebSocket-based remote shell client (experimental)
+- [ ] Shell scripting: `if`/`for`/`while` constructs
+
+---
+
+## Changelog
+
+See [CHANGELOG.md](./CHANGELOG.md).