refactor: rename system and runtime driver contracts #8
10 errors
tests/module-access.test.ts > moduleAccess overlay > rejects native addon artifacts in overlay:
packages/secure-exec/tests/module-access.test.ts#L323
AssertionError: expected 'Cannot find module \'native-addon-pkg…' to contain 'ERR_MODULE_ACCESS_NATIVE_ADDON'
Expected: "ERR_MODULE_ACCESS_NATIVE_ADDON"
Received: "Cannot find module 'native-addon-pkg'"
❯ tests/module-access.test.ts:323:31
tests/module-access.test.ts > moduleAccess overlay > fails closed when overlay path escapes cwd/node_modules:
packages/secure-exec/tests/module-access.test.ts#L296
AssertionError: expected 'Cannot find module \'escape-pkg\'' to contain 'ERR_MODULE_ACCESS_OUT_OF_SCOPE'
Expected: "ERR_MODULE_ACCESS_OUT_OF_SCOPE"
Received: "Cannot find module 'escape-pkg'"
❯ tests/module-access.test.ts:296:31
tests/module-access.test.ts > moduleAccess overlay > keeps projected node_modules read-only:
packages/secure-exec/tests/module-access.test.ts#L251
AssertionError: expected 'ENOENT: no such file or directory, wr…' to contain 'EACCES: permission denied'
- Expected
+ Received
- EACCES: permission denied
+ ENOENT: no such file or directory, write '/app/node_modules/read-only-pkg/index.js'
+
❯ tests/module-access.test.ts:251:28
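Review bot: The three overlay assertions above show the fail-closed paths no longer producing their specific outcomes: the out-of-scope and native-addon cases now surface the generic `Cannot find module '…'` resolution error instead of `ERR_MODULE_ACCESS_OUT_OF_SCOPE` / `ERR_MODULE_ACCESS_NATIVE_ADDON`, and the read-only write returns ENOENT rather than EACCES. Taken together with the exit-code-1 failures on the plain overlay loads further down, this looks less like the guards rejecting correctly and more like the overlay never being projected after the driver rename, so the scope and addon checks are simply not reached; a resolver that fails for the wrong reason is not evidence that the checks are wired. The ENOENT result is the one to look at first, since a write to `/app/node_modules/read-only-pkg/index.js` reaching the not-found path suggests the projected mount is absent rather than read-only. Worth confirming before treating this PR as a rename-only change.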
tests/module-access.test.ts > moduleAccess overlay > loads overlay packages when base filesystem is mounted elsewhere:
packages/secure-exec/tests/module-access.test.ts#L214
AssertionError: expected 1 to be +0 // Object.is equality
- Expected
+ Received
- 0
+ 1
❯ tests/module-access.test.ts:214:23
tests/module-access.test.ts > moduleAccess overlay > loads dependency-of-dependency chains (A -> B -> C):
packages/secure-exec/tests/module-access.test.ts#L178
AssertionError: expected 1 to be +0 // Object.is equality
- Expected
+ Received
- 0
+ 1
❯ tests/module-access.test.ts:178:23
tests/module-access.test.ts > moduleAccess overlay > loads third-party packages from overlay without base filesystem:
packages/secure-exec/tests/module-access.test.ts#L135
AssertionError: expected 1 to be +0 // Object.is equality
- Expected
+ Received
- 0
+ 1
❯ tests/module-access.test.ts:135:23
tests/module-access-compat.test.ts > moduleAccess compatibility fixture > matches host Node output for overlay-backed package loading:
packages/secure-exec/tests/module-access-compat.test.ts#L109
AssertionError: expected 1 to be +0 // Object.is equality
- Expected
+ Received
- 0
+ 1
❯ tests/module-access-compat.test.ts:109:31
tests/isolate-runtime-injection-policy.test.ts > isolate runtime injection policy > browser worker no longer injects fs module code via code strings:
packages/secure-exec/tests/isolate-runtime-injection-policy.test.ts#L36
AssertionError: expected '// Browser runtime is temporarily dis…' to contain 'getIsolateRuntimeSource("globalExposu…'
- Expected
+ Received
- getIsolateRuntimeSource("globalExposureHelpers")
+ // Browser runtime is temporarily disabled during the driver boundary refactor.
+
+ const DISABLED_MESSAGE =
+ "Browser runtime support is temporarily disabled. See change driver-owned-node-runtime.";
+
+ self.onmessage = (event: MessageEvent<{ id: number }>) => {
+ self.postMessage({
+ id: event.data?.id ?? -1,
+ ok: false,
+ error: {
+ message: DISABLED_MESSAGE,
+ },
+ });
+ };
+
❯ tests/isolate-runtime-injection-policy.test.ts:36:24
tests/isolate-runtime-injection-policy.test.ts > isolate runtime injection policy > avoids template-literal isolate eval snippets in Node runtime loader:
packages/secure-exec/tests/isolate-runtime-injection-policy.test.ts#L13
AssertionError: expected 'import { createNetworkStub, filterEnv…' to contain 'getIsolateRuntimeSource("globalExposu…'
- Expected
+ Received
- getIsolateRuntimeSource("globalExposureHelpers")
+ import { createNetworkStub, filterEnv } from "./shared/permissions.js";
+ import type {
+ NetworkAdapter,
+ RuntimeDriver,
+ RuntimeDriverFactory,
+ SystemDriver,
+ } from "./types.js";
+ import type {
+ StdioHook,
+ ExecOptions,
+ ExecResult,
+ RunResult,
+ TimingMitigation,
+ } from "./shared/api-types.js";
+
+ // Re-export types
+ export type {
+ CommandExecutor,
+ NetworkAdapter,
+ Permissions,
+ RuntimeDriver,
+ RuntimeDriverFactory,
+ SystemDriver,
+ VirtualFileSystem,
+ } from "./types.js";
+ export type { DirEntry, StatInfo } from "./fs-helpers.js";
+ export type {
+ StdioChannel,
+ StdioEvent,
+ StdioHook,
+ ExecOptions,
+ ExecResult,
+ OSConfig,
+ ProcessConfig,
+ RunResult,
+ TimingMitigation,
+ } from "./shared/api-types.js";
+ export {
+ createDefaultNetworkAdapter,
+ createNodeDriver,
+ createNodeRuntimeDriverFactory,
+ NodeExecutionDriver,
+ NodeFileSystem,
+ } from "./node/driver.js";
+ export type {
+ ModuleAccessOptions,
+ NodeRuntimeDriverFactoryOptions,
+ } from "./node/driver.js";
+ export { createInMemoryFileSystem } from "./shared/in-memory-fs.js";
+ export {
+ allowAll,
+ allowAllChildProcess,
+ allowAllEnv,
+ allowAllFs,
+ allowAllNetwork,
+ } from "./shared/permissions.js";
+
+ const DEFAULT_SANDBOX_CWD = "/root";
+ const DEFAULT_SANDBOX_HOME = "/root";
+ const DEFAULT_SANDBOX_TMPDIR = "/tmp";
+
+ export interface NodeRuntimeOptions {
+ systemDriver: SystemDriver;
+ runtimeDriverFactory: RuntimeDriverFactory;
+ memoryLimit?: number;
+ cpuTimeLimitMs?: number;
+ timingMitigation?: TimingMitigation;
+ onStdio?: StdioHook;
+ payloadLimits?: {
+ base64TransferBytes?: number;
+ jsonPayloadBytes?: number;
+ };
+ }
+
+ type UnsafeRuntimeDriver = RuntimeDriver & {
+ unsafeIsolate?: unknown;
+ createUnsafeContext?(options?: {
+ env?: Record<string, string>;
+ cwd?: string;
+ filePath?: string;
+ }): Promise<unknown>;
+ };
+
+ export class NodeRuntime {
+ private readonly runtimeDriver: UnsafeRuntimeDriver;
+
+ constructor(options: NodeRuntimeOptions) {
+ const { systemDriver, runtimeDriverFactory } = options;
+
+ const processConfig = {
+ ...(systemDriver.runtime.process ?? {}),
+ };
+ processConfig.cwd ??= DEFAULT_SANDBOX_CWD;
+ processConfig.env = filterEnv(processConfig.env, systemDriver.permissions);
+
+ const osConfig = {
+ ...(systemDriver.runtime.os ?? {}),
+ };
+ osConfig.homedir ??= DEFAULT_SANDBOX_HOME;
+ osConfig.tmpdir ??= DEFAULT_SANDBOX_TMPDIR;
+
+ this.runtimeDriver = runtimeDriverFactory.createRuntimeDriver({
+ system: systemDriver,
+ runtime: {
+ process: processConfig,
+ os: osConfig,
+ },
+ memoryLimit: options.memoryLimit,
+ cpuTimeLimitMs: options.cpuTimeLimitMs,
+ timingMitigation: options.timingMitigation,
+ onStdio: options.onStdio,
+ payloadLimits: options.payloadLimits,
+ }) as UnsafeRuntimeDriver;
+ }
+
+ get network(): Pick<NetworkAdapter, "fetch" | "dnsLookup" | "httpRequest"> {
+ const adapter = this.runtimeDriver.network ?? createNetworkStub();
+ return {
+ fetch: (url, options) => adapter.fetch(url, options),
+ dnsLookup: (hostname) => adapter.dnsLookup(hostname),
+ httpRequest: (url, options) => adapter.httpRequest(url, options),
+ };
+ }
+
+ get __unsafeIsoalte(): unknown {
+ if (this.runtimeDriver.unsafeIsolate === undefined) {
+ throw new Error("Driver runtime does not expose unsafe isolate access");
+ }
+ return this.runtimeDriver.unsafeIsolate;
+ }
+
+ async __unsafeCreateContext(options: {
+ env?: Record<string, string>;
+ cwd?: string;
+ filePath?: string;
+ } = {}): Promise<unknown> {
+ if (!this.runtimeDriver.createUnsafeContext) {
+ throw new Error("Driver runtime does not expose unsafe context creation");
+ }
+ return this.runtimeDriver.createUnsafeContext(options);
+ }
+
+ async run<T = unknown>(code
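Review bot: The getter at the `get __unsafeIsoalte(): unknown` line is misspelled; unless that name is deliberately kept for existing callers, it should read `get __unsafeIsolate(): unknown` to match the `unsafeIsolate` property it returns. The `as UnsafeRuntimeDriver` cast on the factory result widens whatever `createRuntimeDriver` returns so that `unsafeIsolate` and `createUnsafeContext` appear as optional members; the two accessors do guard for their absence at runtime, so a short comment on the `UnsafeRuntimeDriver` alias would make the intent explicit, e.g. `// Optional escape hatches; drivers that do not expose isolate internals leave them undefined and the accessors throw.` The injection-policy and bridge-contract assertions here and at the bridge-contract entry below received this facade module rather than a loader, which suggests the test fixtures still point at a file path renamed in this change rather than a real loss of `getIsolateRuntimeSource`/`HOST_BRIDGE_GLOBAL_KEYS`; worth confirming which before touching the loader. The `NodeRuntime` class continues past the end of the captured output.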
tests/bridge-contract.test.ts > bridge contract registry > uses shared host bridge key constants for jail wiring:
packages/secure-exec/tests/bridge-contract.test.ts#L28
AssertionError: expected 'import { createNetworkStub, filterEnv…' to contain 'HOST_BRIDGE_GLOBAL_KEYS.dynamicImport'
- Expected
+ Received
- HOST_BRIDGE_GLOBAL_KEYS.dynamicImport
+ import { createNetworkStub, filterEnv } from "./shared/permissions.js";
+ import type {
+ NetworkAdapter,
+ RuntimeDriver,
+ RuntimeDriverFactory,
+ SystemDriver,
+ } from "./types.js";
+ import type {
+ StdioHook,
+ ExecOptions,
+ ExecResult,
+ RunResult,
+ TimingMitigation,
+ } from "./shared/api-types.js";
+
+ // Re-export types
+ export type {
+ CommandExecutor,
+ NetworkAdapter,
+ Permissions,
+ RuntimeDriver,
+ RuntimeDriverFactory,
+ SystemDriver,
+ VirtualFileSystem,
+ } from "./types.js";
+ export type { DirEntry, StatInfo } from "./fs-helpers.js";
+ export type {
+ StdioChannel,
+ StdioEvent,
+ StdioHook,
+ ExecOptions,
+ ExecResult,
+ OSConfig,
+ ProcessConfig,
+ RunResult,
+ TimingMitigation,
+ } from "./shared/api-types.js";
+ export {
+ createDefaultNetworkAdapter,
+ createNodeDriver,
+ createNodeRuntimeDriverFactory,
+ NodeExecutionDriver,
+ NodeFileSystem,
+ } from "./node/driver.js";
+ export type {
+ ModuleAccessOptions,
+ NodeRuntimeDriverFactoryOptions,
+ } from "./node/driver.js";
+ export { createInMemoryFileSystem } from "./shared/in-memory-fs.js";
+ export {
+ allowAll,
+ allowAllChildProcess,
+ allowAllEnv,
+ allowAllFs,
+ allowAllNetwork,
+ } from "./shared/permissions.js";
+
+ const DEFAULT_SANDBOX_CWD = "/root";
+ const DEFAULT_SANDBOX_HOME = "/root";
+ const DEFAULT_SANDBOX_TMPDIR = "/tmp";
+
+ export interface NodeRuntimeOptions {
+ systemDriver: SystemDriver;
+ runtimeDriverFactory: RuntimeDriverFactory;
+ memoryLimit?: number;
+ cpuTimeLimitMs?: number;
+ timingMitigation?: TimingMitigation;
+ onStdio?: StdioHook;
+ payloadLimits?: {
+ base64TransferBytes?: number;
+ jsonPayloadBytes?: number;
+ };
+ }
+
+ type UnsafeRuntimeDriver = RuntimeDriver & {
+ unsafeIsolate?: unknown;
+ createUnsafeContext?(options?: {
+ env?: Record<string, string>;
+ cwd?: string;
+ filePath?: string;
+ }): Promise<unknown>;
+ };
+
+ export class NodeRuntime {
+ private readonly runtimeDriver: UnsafeRuntimeDriver;
+
+ constructor(options: NodeRuntimeOptions) {
+ const { systemDriver, runtimeDriverFactory } = options;
+
+ const processConfig = {
+ ...(systemDriver.runtime.process ?? {}),
+ };
+ processConfig.cwd ??= DEFAULT_SANDBOX_CWD;
+ processConfig.env = filterEnv(processConfig.env, systemDriver.permissions);
+
+ const osConfig = {
+ ...(systemDriver.runtime.os ?? {}),
+ };
+ osConfig.homedir ??= DEFAULT_SANDBOX_HOME;
+ osConfig.tmpdir ??= DEFAULT_SANDBOX_TMPDIR;
+
+ this.runtimeDriver = runtimeDriverFactory.createRuntimeDriver({
+ system: systemDriver,
+ runtime: {
+ process: processConfig,
+ os: osConfig,
+ },
+ memoryLimit: options.memoryLimit,
+ cpuTimeLimitMs: options.cpuTimeLimitMs,
+ timingMitigation: options.timingMitigation,
+ onStdio: options.onStdio,
+ payloadLimits: options.payloadLimits,
+ }) as UnsafeRuntimeDriver;
+ }
+
+ get network(): Pick<NetworkAdapter, "fetch" | "dnsLookup" | "httpRequest"> {
+ const adapter = this.runtimeDriver.network ?? createNetworkStub();
+ return {
+ fetch: (url, options) => adapter.fetch(url, options),
+ dnsLookup: (hostname) => adapter.dnsLookup(hostname),
+ httpRequest: (url, options) => adapter.httpRequest(url, options),
+ };
+ }
+
+ get __unsafeIsoalte(): unknown {
+ if (this.runtimeDriver.unsafeIsolate === undefined) {
+ throw new Error("Driver runtime does not expose unsafe isolate access");
+ }
+ return this.runtimeDriver.unsafeIsolate;
+ }
+
+ async __unsafeCreateContext(options: {
+ env?: Record<string, string>;
+ cwd?: string;
+ filePath?: string;
+ } = {}): Promise<unknown> {
+ if (!this.runtimeDriver.createUnsafeContext) {
+ throw new Error("Driver runtime does not expose unsafe context creation");
+ }
+ return this.runtimeDriver.createUnsafeContext(options);
+ }
+
+ async run<T = unknown>(code: string, file