typescript-virtual-container 1.5.11 → 1.6.0

package/dist/Honeypot/index.js

@@ -32,6 +32,15 @@ export class HoneyPot {
         clientDisconnects: 0,
         shellFreezes: 0,
         shellThaws: 0,
+        keysAdded: 0,
+        keysRemoved: 0,
+        snapshotsRestored: 0,
+        snapshotsImported: 0,
+        mounts: 0,
+        unmounts: 0,
+        symlinksCreated: 0,
+        nodesRemoved: 0,
+        authLockouts: 0,
     };
     maxLogSize;
     /** Reference kept so VFS events can ping the shell's idle manager. */
@@ -114,6 +123,33 @@ export class HoneyPot {
         vfs.on("mirror:flush", () => {
             this.log("VirtualFileSystem", "mirror:flush", {});
         });
+        vfs.on("snapshot:restore", (data) => {
+            this.stats.snapshotsRestored++;
+            this.log("VirtualFileSystem", "snapshot:restore", data);
+        });
+        vfs.on("snapshot:import", (data) => {
+            this.stats.snapshotsImported++;
+            this.log("VirtualFileSystem", "snapshot:import", data);
+        });
+        vfs.on("mount", (data) => {
+            this.stats.mounts++;
+            this._shell?.pingIdle();
+            this.log("VirtualFileSystem", "mount", data);
+        });
+        vfs.on("unmount", (data) => {
+            this.stats.unmounts++;
+            this.log("VirtualFileSystem", "unmount", data);
+        });
+        vfs.on("symlink:create", (data) => {
+            this.stats.symlinksCreated++;
+            this._shell?.pingIdle();
+            this.log("VirtualFileSystem", "symlink:create", data);
+        });
+        vfs.on("node:remove", (data) => {
+            this.stats.nodesRemoved++;
+            this._shell?.pingIdle();
+            this.log("VirtualFileSystem", "node:remove", data);
+        });
     }
     /**
      * Attaches to VirtualUserManager events.
@@ -137,6 +173,14 @@ export class HoneyPot {
             this.stats.sessionEnds++;
             this.log("VirtualUserManager", "session:unregister", data);
         });
+        users.on("key:add", (data) => {
+            this.stats.keysAdded++;
+            this.log("VirtualUserManager", "key:add", data);
+        });
+        users.on("key:remove", (data) => {
+            this.stats.keysRemoved++;
+            this.log("VirtualUserManager", "key:remove", data);
+        });
     }
     /**
      * Attaches to SshMimic events.
@@ -158,6 +202,10 @@ export class HoneyPot {
             this.stats.authFailures++;
             this.log("SshMimic", "auth:failure", data);
         });
+        ssh.on("auth:lockout", (data) => {
+            this.stats.authLockouts++;
+            this.log("SshMimic", "auth:lockout", data);
+        });
         ssh.on("client:connect", () => {
             this.stats.clientConnects++;
             this.log("SshMimic", "client:connect", {});
@@ -259,6 +307,15 @@ export class HoneyPot {
             clientDisconnects: 0,
             shellFreezes: 0,
             shellThaws: 0,
+            keysAdded: 0,
+            keysRemoved: 0,
+            snapshotsRestored: 0,
+            snapshotsImported: 0,
+            mounts: 0,
+            unmounts: 0,
+            symlinksCreated: 0,
+            nodesRemoved: 0,
+            authLockouts: 0,
         };
     }
     /**

package/dist/SSHMimic/exec.d.ts

@@ -1,3 +1,7 @@
 import type { ExecStream } from "../types/streams";
 import type { VirtualShell } from "../VirtualShell";
+/**
+ * Handles SSH exec channel requests. Runs the given command in a non-interactive
+ * shell session and writes stdout/stderr to the stream, then signals exit.
+ */
 export declare function runExec(stream: ExecStream, cmd: string, authUser: string, hostname: string, shell: VirtualShell): void;

package/dist/SSHMimic/exec.js

@@ -5,6 +5,10 @@ function toTtyLines(text) {
         .replace(/\r/g, "\n")
         .replace(/\n/g, "\r\n");
 }
+/**
+ * Handles SSH exec channel requests. Runs the given command in a non-interactive
+ * shell session and writes stdout/stderr to the stream, then signals exit.
+ */
 export function runExec(stream, cmd, authUser, hostname, shell) {
     Promise.resolve(runCommand(cmd, authUser, hostname, "exec", userHome(authUser), shell, undefined, makeDefaultEnv(authUser, hostname)))
         .then((result) => {

package/dist/SSHMimic/executor.d.ts

@@ -1,5 +1,14 @@
 import type { CommandMode, CommandResult, ShellEnv } from "../types/commands";
 import type { Pipeline, Statement } from "../types/pipeline";
 import type { VirtualShell } from "../VirtualShell";
+/**
+ * Executes a list of shell statements sequentially, respecting `&&`, `||`, and `;`
+ * operators. Accumulates stdout across statements and tracks cwd changes.
+ */
 export declare function executeStatements(statements: Statement[], authUser: string, hostname: string, mode: CommandMode, cwd: string, shell: VirtualShell, env: ShellEnv): Promise<CommandResult>;
-export declare function executePipeline(pipeline: Pipeline, authUser: string, hostname: string, mode: CommandMode, cwd: string, shell: VirtualShell, env?: ShellEnv): Promise<CommandResult>;
+/**
+ * Executes a shell pipeline of commands connected by pipes. Handles redirections,
+ * input/output files, and stderr redirects. Delegates to the single-command or
+ * chained-pipeline executor based on command count.
+ */
+export declare function executePipeline(pipeline: Pipeline, authUser: string, hostname: string, mode: CommandMode, cwd: string, shell: VirtualShell, env?: ShellEnv, abortController?: AbortController): Promise<CommandResult>;

package/dist/SSHMimic/executor.js

@@ -1,6 +1,10 @@
 import { runCommandDirect } from "../commands";
 import { resolvePath } from "../commands/helpers";
 // ── Script executor (handles &&/||/;) ────────────────────────────────────────
+/**
+ * Executes a list of shell statements sequentially, respecting `&&`, `||`, and `;`
+ * operators. Accumulates stdout across statements and tracks cwd changes.
+ */
 export async function executeStatements(statements, authUser, hostname, mode, cwd, shell, env) {
     let last = { exitCode: 0 };
     const accumulatedStdout = [];
@@ -9,9 +13,9 @@ export async function executeStatements(statements, authUser, hostname, mode, cw
     while (i < statements.length) {
         const stmt = statements[i];
         if (stmt.background) {
-            // Fire-and-forget: do not await. The MAX_CALL_DEPTH guard in runtime.ts
-            // prevents runaway recursion (fork bombs, etc.).
-            void executePipeline(stmt.pipeline, authUser, hostname, mode, currentCwd, shell, env);
+            // Background job: fire with AbortController so kill can cancel it.
+            const ac = new AbortController();
+            executePipeline(stmt.pipeline, authUser, hostname, "background", currentCwd, shell, env, ac);
             last = { exitCode: 0 };
             env.lastExitCode = 0;
             i++;
@@ -58,18 +62,23 @@ export async function executeStatements(statements, authUser, hostname, mode, cw
     return { ...last, stdout: merged || last.stdout, nextCwd: currentCwd !== cwd ? currentCwd : undefined };
 }
 // ── Pipeline executor ─────────────────────────────────────────────────────────
-export async function executePipeline(pipeline, authUser, hostname, mode, cwd, shell, env) {
+/**
+ * Executes a shell pipeline of commands connected by pipes. Handles redirections,
+ * input/output files, and stderr redirects. Delegates to the single-command or
+ * chained-pipeline executor based on command count.
+ */
+export async function executePipeline(pipeline, authUser, hostname, mode, cwd, shell, env, abortController) {
     if (!pipeline.isValid)
         return { stderr: pipeline.error || "Syntax error", exitCode: 1 };
     if (pipeline.commands.length === 0)
         return { exitCode: 0 };
     const shellEnv = env ?? { vars: {}, lastExitCode: 0 };
     if (pipeline.commands.length === 1) {
-        return executeSingleCommandWithRedirections(pipeline.commands[0], authUser, hostname, mode, cwd, shell, shellEnv);
+        return executeSingleCommandWithRedirections(pipeline.commands[0], authUser, hostname, mode, cwd, shell, shellEnv, abortController);
     }
     return executePipelineChain(pipeline.commands, authUser, hostname, mode, cwd, shell, shellEnv);
 }
-async function executeSingleCommandWithRedirections(cmd, authUser, hostname, mode, cwd, shell, env) {
+async function executeSingleCommandWithRedirections(cmd, authUser, hostname, mode, cwd, shell, env, abortController) {
     let stdin;
     if (cmd.inputFile) {
         const inputPath = resolvePath(cwd, cmd.inputFile);
@@ -83,7 +92,8 @@ async function executeSingleCommandWithRedirections(cmd, authUser, hostname, mod
             };
         }
     }
-    const result = await runCommandDirect(cmd.name, cmd.args, authUser, hostname, mode, cwd, shell, stdin, env);
+    const isBackground = mode === "background";
+    const result = await runCommandDirect(cmd.name, cmd.args, authUser, hostname, mode, cwd, shell, stdin, env, isBackground, abortController);
     if (cmd.outputFile) {
         const outputPath = resolvePath(cwd, cmd.outputFile);
         const output = result.stdout || "";
@@ -149,7 +159,7 @@ async function executePipelineChain(commands, authUser, hostname, mode, cwd, she
                 } })();
                 shell.writeFileAsUser(authUser, sp, cmd.stderrAppend ? ex + effectiveResult.stderr : effectiveResult.stderr);
             }
-            catch { }
+            catch { /* best-effort stderr write */ }
         }
         if (i === commands.length - 1 && cmd.outputFile) {
             const outputPath = resolvePath(cwd, cmd.outputFile);

package/dist/SSHMimic/hostKey.d.ts

@@ -1 +1,6 @@
+/**
+ * Loads an existing PEM-encoded RSA host key from `.ssh-mimic/host_rsa` under
+ * the given base directory, or generates a new 2048-bit key pair and persists
+ * it to disk. Returns the private key in PEM format.
+ */
 export declare function loadOrCreateHostKey(baseDir?: string): string;

package/dist/SSHMimic/hostKey.js

@@ -1,6 +1,11 @@
 import { generateKeyPairSync } from "node:crypto";
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { dirname, resolve } from "node:path";
+/**
+ * Loads an existing PEM-encoded RSA host key from `.ssh-mimic/host_rsa` under
+ * the given base directory, or generates a new 2048-bit key pair and persists
+ * it to disk. Returns the private key in PEM format.
+ */
 export function loadOrCreateHostKey(baseDir = process.cwd()) {
     const hostKeyPath = resolve(baseDir, ".ssh-mimic", "host_rsa");
     if (existsSync(hostKeyPath)) {

package/dist/SSHMimic/loginBanner.d.ts

@@ -1,6 +1,13 @@
 import type { ShellProperties } from "../VirtualShell";
+/**
+ * Tracks the timestamp and origin of the user's last login for the login banner.
+ */
 export interface LoginBannerState {
     at: string;
     from: string;
 }
+/**
+ * Builds the SSH login banner displaying OS info, warranty notice, and the
+ * last login timestamp and origin.
+ */
 export declare function buildLoginBanner(hostname: string, properties: ShellProperties, lastLogin: LoginBannerState | null): string;

package/dist/SSHMimic/loginBanner.js

@@ -1,4 +1,8 @@
 import { formatLoginDate } from "./loginFormat";
+/**
+ * Builds the SSH login banner displaying OS info, warranty notice, and the
+ * last login timestamp and origin.
+ */
 export function buildLoginBanner(hostname, properties, lastLogin) {
     const lines = [
         `Linux ${hostname} ${properties.kernel} ${properties.arch}`,

package/dist/SSHMimic/loginFormat.d.ts

@@ -1 +1,5 @@
+/**
+ * Formats a Date object into the SSH last-login display format:
+ * e.g. "Mon Jan 02 15:04:05 2024"
+ */
 export declare function formatLoginDate(date: Date): string;

package/dist/SSHMimic/loginFormat.js

@@ -1,3 +1,7 @@
+/**
+ * Formats a Date object into the SSH last-login display format:
+ * e.g. "Mon Jan 02 15:04:05 2024"
+ */
 export function formatLoginDate(date) {
     const weekday = date.toLocaleString("en-US", { weekday: "short" });
     const month = date.toLocaleString("en-US", { month: "short" });

package/dist/SSHMimic/prompt.d.ts

@@ -1,2 +1,11 @@
+/**
+ * Expands a PS1 template string by replacing escape sequences (\\u, \\h, \\w,
+ * \\$, etc.) with the corresponding user, host, and directory values.
+ */
 export declare function expandPs1(ps1: string, user: string, host: string, cwd: string, readlineMode?: boolean): string;
+/**
+ * Builds the complete shell prompt string. If a PS1 template is provided it is
+ * expanded via expandPs1; otherwise a traditional `[user@host cwd]$` prompt
+ * with ANSI color codes is returned.
+ */
 export declare function buildPrompt(user: string, host: string, cwdName: string, ps1?: string, fullCwd?: string, readlineMode?: boolean): string;

package/dist/SSHMimic/prompt.js

@@ -1,3 +1,7 @@
+/**
+ * Expands a PS1 template string by replacing escape sequences (\\u, \\h, \\w,
+ * \\$, etc.) with the corresponding user, host, and directory values.
+ */
 export function expandPs1(ps1, user, host, cwd, readlineMode = false) {
     const home = user === "root" ? "/root" : `/home/${user}`;
     const withTilde = cwd === home ? "~"
@@ -16,6 +20,11 @@ export function expandPs1(ps1, user, host, cwd, readlineMode = false) {
         .replace(/\\n/g, "\n")
         .replace(/\\\\/g, "\\");
 }
+/**
+ * Builds the complete shell prompt string. If a PS1 template is provided it is
+ * expanded via expandPs1; otherwise a traditional `[user@host cwd]$` prompt
+ * with ANSI color codes is returned.
+ */
 export function buildPrompt(user, host, cwdName, ps1, fullCwd, readlineMode = false) {
     if (ps1)
         return expandPs1(ps1, user, host, fullCwd ?? cwdName, readlineMode);

package/dist/SSHMimic/scp.d.ts

@@ -18,6 +18,10 @@
  * Acknowledgement byte: \0 = ok, \1 = warning, \2 = error.
  */
 import type { VirtualShell } from "../VirtualShell";
+/**
+ * Minimal stream interface representing an SSH channel for SCP transfers.
+ * Mirrors the ssh2 ServerChannel subset used by the SCP protocol.
+ */
 interface ScpStream {
     write(data: Buffer | string): boolean;
     on(event: "data", listener: (chunk: Buffer) => void): this;
@@ -28,7 +32,21 @@ interface ScpStream {
     exit(code: number): void;
     end(): void;
 }
+/**
+ * Handles SCP sink mode (receiving files from the client). Parses the SCP wire
+ * protocol control messages (C, D, E, T) and writes file data into the virtual
+ * filesystem.
+ */
 export declare function runScpSink(stream: ScpStream, destArg: string, authUser: string, shell: VirtualShell, recursive: boolean): void;
+/**
+ * Handles SCP source mode (sending files to the client). Traverses the virtual
+ * filesystem and streams file contents using the SCP wire protocol control
+ * messages (C, D, E) in response to client acknowledgements.
+ */
 export declare function runScpSource(stream: ScpStream, srcArg: string, _authUser: string, shell: VirtualShell, recursive: boolean): void;
+/**
+ * Handles SCP protocol transfer by parsing the exec arguments to determine
+ * sink (upload) or source (download) mode and delegating accordingly.
+ */
 export declare function handleScp(stream: ScpStream, rawArgs: string[], authUser: string, shell: VirtualShell): void;
 export {};

package/dist/SSHMimic/scp.js

@@ -39,6 +39,11 @@ function parseArgs(args) {
     };
 }
 // ── Sink mode (upload: client → server) ──────────────────────────────────────
+/**
+ * Handles SCP sink mode (receiving files from the client). Parses the SCP wire
+ * protocol control messages (C, D, E, T) and writes file data into the virtual
+ * filesystem.
+ */
 export function runScpSink(stream, destArg, authUser, shell, recursive) {
     // Buffered reader that handles arbitrary chunk boundaries
     let buf = Buffer.alloc(0);
@@ -166,6 +171,11 @@ export function runScpSink(stream, destArg, authUser, shell, recursive) {
     });
 }
 // ── Source mode (download: server → client) ───────────────────────────────────
+/**
+ * Handles SCP source mode (sending files to the client). Traverses the virtual
+ * filesystem and streams file contents using the SCP wire protocol control
+ * messages (C, D, E) in response to client acknowledgements.
+ */
 export function runScpSource(stream, srcArg, _authUser, shell, recursive) {
     const srcPath = resolvePath("/", srcArg);
     if (!shell.vfs.exists(srcPath)) {
@@ -266,6 +276,10 @@ export function runScpSource(stream, srcArg, _authUser, shell, recursive) {
     // (processAcks will call sendNext on first ack)
 }
 // ── Entry point ───────────────────────────────────────────────────────────────
+/**
+ * Handles SCP protocol transfer by parsing the exec arguments to determine
+ * sink (upload) or source (download) mode and delegating accordingly.
+ */
 export function handleScp(stream, rawArgs, authUser, shell) {
     const { sink, source, recursive, target } = parseArgs(rawArgs);
     if (!sink && !source) {

package/dist/VirtualFileSystem/binaryPack.d.ts

@@ -7,13 +7,15 @@
  *
  *   File header:
  *     [4]  magic  = 0x56 0x46 0x53 0x21  ("VFS!")
- *     [1]  version = 0x01
+ *     [1]  version = 0x02
  *
  *   Node (recursive):
  *     [1]  type    = 0x01 (file) | 0x02 (directory)
  *     [2]  name length (uint16)
  *     [N]  name bytes (utf8)
  *     [4]  mode (uint32)
+ *     [4]  uid (uint32)
+ *     [4]  gid (uint32)
  *     [8]  createdAt ms (float64)
  *     [8]  updatedAt ms (float64)
  *
@@ -49,7 +51,9 @@ export declare function forkDirTree(base: InternalDirectoryNode): InternalDirect
  */
 export declare function decodeVfs(buf: Buffer): InternalDirectoryNode;
 /**
- * Returns true if `buf` looks like a VFS binary snapshot (starts with magic bytes).
- * Used to auto-detect format when loading from disk.
+ * Checks whether `buf` starts with the VFS binary magic bytes, indicating a valid
+ * binary snapshot produced by {@link encodeVfs}.
+ * @param buf - The buffer to inspect.
+ * @returns `true` if the buffer begins with the VFS magic header (`"VFS!"`).
  */
 export declare function isBinarySnapshot(buf: Buffer): boolean;

package/dist/VirtualFileSystem/binaryPack.js

@@ -7,13 +7,15 @@
  *
  *   File header:
  *     [4]  magic  = 0x56 0x46 0x53 0x21  ("VFS!")
- *     [1]  version = 0x01
+ *     [1]  version = 0x02
  *
  *   Node (recursive):
  *     [1]  type    = 0x01 (file) | 0x02 (directory)
  *     [2]  name length (uint16)
  *     [N]  name bytes (utf8)
  *     [4]  mode (uint32)
+ *     [4]  uid (uint32)
+ *     [4]  gid (uint32)
  *     [8]  createdAt ms (float64)
  *     [8]  updatedAt ms (float64)
  *
@@ -31,7 +33,7 @@
  *   Binary pack :  ~1.00 MB + ~40 bytes/node header  → ~27% smaller, no string parsing
  */
 const MAGIC = Buffer.from([0x56, 0x46, 0x53, 0x21]); // "VFS!"
-const VERSION = 0x01;
+const VERSION = 0x02;
 const TYPE_FILE = 0x01;
 const TYPE_DIR = 0x02;
 // ── Encoder ───────────────────────────────────────────────────────────────────
@@ -79,6 +81,8 @@ function encodeNode(enc, node) {
         enc.writeUint8(TYPE_FILE);
         enc.writeString(f.name);
         enc.writeUint32(f.mode);
+        enc.writeUint32(f.uid);
+        enc.writeUint32(f.gid);
         enc.writeFloat64(f.createdAt);
         enc.writeFloat64(f.updatedAt);
         enc.writeUint8(f.compressed ? 0x01 : 0x00);
@@ -90,6 +94,8 @@ function encodeNode(enc, node) {
         enc.writeUint8(TYPE_FILE);
         enc.writeString(s.name);
         enc.writeUint32(s.mode);
+        enc.writeUint32(s.uid);
+        enc.writeUint32(s.gid);
         enc.writeFloat64(s.createdAt);
         enc.writeFloat64(s.updatedAt);
         enc.writeUint8(0x00); // not compressed
@@ -100,6 +106,8 @@ function encodeNode(enc, node) {
         enc.writeUint8(TYPE_DIR);
         enc.writeString(d.name);
         enc.writeUint32(d.mode);
+        enc.writeUint32(d.uid);
+        enc.writeUint32(d.gid);
         enc.writeFloat64(d.createdAt);
         enc.writeFloat64(d.updatedAt);
         const children = Object.values(d.children);
@@ -160,10 +168,12 @@ class Decoder {
         return this.buf.length - this.pos;
     }
 }
-function decodeNode(dec) {
+function decodeNode(dec, includeUidGid) {
     const type = dec.readUint8();
     const name = internName(dec.readString());
     const mode = dec.readUint32();
+    const uid = includeUidGid ? dec.readUint32() : 0;
+    const gid = includeUidGid ? dec.readUint32() : 0;
     const createdAt = dec.readFloat64();
     const updatedAt = dec.readFloat64();
     if (type === TYPE_FILE) {
@@ -173,6 +183,8 @@ function decodeNode(dec) {
             type: "file",
             name,
             mode,
+            uid,
+            gid,
             createdAt,
             updatedAt,
             compressed,
@@ -183,13 +195,15 @@ function decodeNode(dec) {
         const count = dec.readUint32();
         const children = Object.create(null);
         for (let i = 0; i < count; i++) {
-            const child = decodeNode(dec);
+            const child = decodeNode(dec, includeUidGid);
             children[child.name] = child;
         }
         return {
             type: "directory",
             name,
             mode,
+            uid,
+            gid,
             createdAt,
             updatedAt,
             children,
@@ -227,6 +241,8 @@ export function forkDirTree(base) {
         type: "directory",
         name: base.name,
         mode: base.mode,
+        uid: base.uid,
+        gid: base.gid,
         createdAt: base.createdAt,
         updatedAt: base.updatedAt,
         children,
@@ -246,18 +262,24 @@ export function decodeVfs(buf) {
         throw new Error("[VFS binary] Invalid magic — not a VFS binary snapshot");
     }
     const dec = new Decoder(buf);
-    // skip magic (4) + version (1)
-    for (let i = 0; i < 5; i++)
-        dec.readUint8();
-    const root = decodeNode(dec);
+    // skip magic (4)
+    dec.readUint8();
+    dec.readUint8();
+    dec.readUint8();
+    dec.readUint8();
+    const version = dec.readUint8();
+    const includeUidGid = version >= 0x02;
+    const root = decodeNode(dec, includeUidGid);
     if (root.type !== "directory") {
         throw new Error("[VFS binary] Root node must be a directory");
     }
     return root;
 }
 /**
- * Returns true if `buf` looks like a VFS binary snapshot (starts with magic bytes).
- * Used to auto-detect format when loading from disk.
+ * Checks whether `buf` starts with the VFS binary magic bytes, indicating a valid
+ * binary snapshot produced by {@link encodeVfs}.
+ * @param buf - The buffer to inspect.
+ * @returns `true` if the buffer begins with the VFS magic header (`"VFS!"`).
  */
 export function isBinarySnapshot(buf) {
     return buf.length >= 4 && buf.slice(0, 4).equals(MAGIC);

package/dist/VirtualFileSystem/index.d.ts

@@ -88,6 +88,12 @@ declare class VirtualFileSystem extends EventEmitter {
     private readonly mounts;
     /** Sorted mounts cache (longest-path-first). Rebuilt lazily on mount/unmount. */
     private _sortedMounts;
+    /** Read hooks: path prefix → callback invoked before reading any file under that prefix. */
+    private readonly readHooks;
+    /** Sorted read hook prefixes (longest-first) for matching. */
+    private _sortedReadHooks;
+    /** Re-entrancy guard for read hooks — prevents infinite loop when hook triggers another read. */
+    private _inReadHook;
     /** True when running in a browser environment (no host FS access). */
     private static readonly isBrowser;
     constructor(options?: VfsOptions);
@@ -225,6 +231,15 @@ declare class VirtualFileSystem extends EventEmitter {
         hostPath: string;
         readOnly: boolean;
     }>;
+    /**
+     * Register a callback that is invoked before any read under `prefix`.
+     * Used by /proc to refresh dynamic content on every access.
+     */
+    onBeforeRead(prefix: string, cb: () => void): void;
+    /** Remove a previously registered read hook. */
+    offBeforeRead(prefix: string): void;
+    /** Invoke any matching read hook for `normalizedPath`. */
+    private _triggerReadHook;
     /**
      * If `targetPath` is inside a mount, return `{ hostPath, readOnly, relPath }`.
      * `relPath` is the path relative to the mount's host directory.
@@ -248,6 +263,20 @@ declare class VirtualFileSystem extends EventEmitter {
     exists(targetPath: string): boolean;
     /** Updates mode bits on a node. */
     chmod(targetPath: string, mode: number): void;
+    /** Changes ownership (uid/gid) of a file or directory. */
+    chown(targetPath: string, uid: number, gid: number): void;
+    /** Returns the uid and gid of a node. */
+    getOwner(targetPath: string): {
+        uid: number;
+        gid: number;
+    };
+    /**
+     * POSIX-style access check: does `uid`/`gid` have `want` permission on `targetPath`?
+     * `want` is a bitmask of R_OK (4), W_OK (2), X_OK (1).
+     * Root (uid === 0) is granted everything except X_OK without at least one x bit set.
+     * Returns true when access is granted.
+     */
+    checkAccess(targetPath: string, uid: number, gid: number, want: number): boolean;
     /** Returns metadata for a file or directory. */
     stat(targetPath: string): VfsNodeStats;
     /**