fix(browser-playground): await async operations and inline permission callbacks for worker serialization

Author: NathanFlurry

.gitignore

@@ -7,3 +7,5 @@ scratch/
 .ralph/
 packages/sandboxed-node/.cache/
 packages/secure-exec/src/generated/
+packages/playground/secure-exec-worker.js
+packages/playground/vendor/

README.md

@@ -15,3 +15,7 @@ TODO:
 - **Driver-based**: Provide a driver to map filesystem, network, and child_process.
 - **Permissions**: Gate syscalls with custom allow/deny functions.
 - **Opt-in system features**: Disable network/child_process/FS by omission.
+
+## Examples
+
+- Browser playground: `pnpm -C packages/playground dev`

openspec/changes/add-browser-playground-example/proposal.md

@@ -0,0 +1,23 @@
+## Why
+
+The repository exposes a browser runtime, but there is no straightforward browser-facing example that lets contributors interactively try it. We also now have Python runtime support, and the fastest way to make both surfaces legible is a small in-browser playground that shows code entry, execution, and streamed output in one place.
+
+## What Changes
+
+- Add a simple browser playground example under `examples/` with a Monaco editor, a language switcher, and an output panel.
+- Run TypeScript through the browser `NodeRuntime` path so the example demonstrates the existing browser runtime directly.
+- Run Python through Pyodide in the browser so the example can expose both languages in one page while keeping the implementation lightweight.
+- Reuse the sandbox-agent inspector dark theme tokens and interaction styling so the example matches the existing visual language.
+- Add lightweight local tooling to build the browser runtime worker bundle used by the example and serve the repo root for local testing.
+
+## Capabilities
+
+### New Capabilities
+
+- `browser-examples`: Interactive browser example requirements for repository-supported playgrounds.
+
+## Impact
+
+- Affected code: new example files under `packages/playground/`.
+- Affected docs: example-specific README and a short root README reference.
+- Affected validation: targeted worker bundle build and a browser smoke test for TypeScript and Python execution.

openspec/changes/add-browser-playground-example/specs/browser-examples/spec.md

@@ -0,0 +1,30 @@
+## ADDED Requirements
+
+### Requirement: Repository Browser Playground Example
+The repository SHALL provide a simple browser playground example that lets contributors edit code, execute it in-browser, and inspect output without additional application scaffolding.
+
+#### Scenario: Playground exposes an editor, run controls, and output
+- **WHEN** a contributor opens the browser playground example
+- **THEN** the page MUST provide a code editor, a language selector, a run action, and a visible output surface
+
+#### Scenario: Playground uses the repository dark theme
+- **WHEN** the browser playground example renders
+- **THEN** it MUST use the sandbox-agent inspector dark theme tokens and overall visual treatment rather than a default browser theme
+
+### Requirement: Playground Supports TypeScript And Python
+The browser playground example SHALL support both TypeScript and Python execution paths in one interface.
+
+#### Scenario: TypeScript executes through secure-exec browser runtime
+- **WHEN** a contributor runs TypeScript in the playground
+- **THEN** the example MUST execute the code through the repository's browser runtime support and show streamed output plus final execution status
+
+#### Scenario: Python executes in-browser
+- **WHEN** a contributor runs Python in the playground
+- **THEN** the example MUST execute the code in-browser and show stdout, stderr, and final execution status in the same output surface
+
+### Requirement: Playground Remains Runnable From The Repository
+The browser playground example SHALL include repository-local instructions and helper tooling so contributors can run it without creating a separate app.
+
+#### Scenario: Contributor starts the example locally
+- **WHEN** a contributor follows the example README
+- **THEN** the repository MUST provide a documented local command that builds any required worker asset and serves the example from the repo

openspec/changes/add-browser-playground-example/tasks.md

@@ -0,0 +1,15 @@
+## 1. OpenSpec
+
+- [x] 1.1 Add a new `browser-examples` capability delta defining the browser playground requirements.
+
+## 2. Example App
+
+- [x] 2.1 Add `packages/playground/` with a browser page, Monaco editor wiring, language switcher, and output panel using the inspector dark theme.
+- [x] 2.2 Run TypeScript code through `secure-exec` browser runtime execution and surface streamed stdout/stderr plus exit state.
+- [x] 2.3 Run Python code through an in-browser Pyodide runner and surface stdout/stderr plus exit state.
+- [x] 2.4 Add local helper scripts to bundle the browser runtime worker and serve the repo root for the example.
+
+## 3. Documentation And Validation
+
+- [x] 3.1 Add example usage instructions and a discoverability note in repository docs.
+- [x] 3.2 Run targeted validation for the example worker build and a browser smoke check covering both TypeScript and Python execution.

packages/playground/README.md

@@ -0,0 +1,25 @@
+# Browser Playground Example
+
+This example provides a small in-browser playground with:
+
+- Monaco for editing code
+- `secure-exec` browser runtime for TypeScript execution
+- Pyodide for Python execution
+- the sandbox-agent inspector dark theme
+
+Run it from the repo:
+
+```bash
+pnpm -C packages/playground dev
+```
+
+Then open:
+
+```text
+http://localhost:4173/
+```
+
+Notes:
+
+- `pnpm run setup-vendor` symlinks Monaco, TypeScript, and Pyodide from `node_modules` into `vendor/` (runs automatically before `dev` and `build`).
+- The dev server sets COOP/COEP headers required for SharedArrayBuffer and serves all assets from the local filesystem.

packages/playground/backend/server.ts

@@ -0,0 +1,156 @@
+/**
+ * Static dev server for the browser playground.
+ *
+ * SharedArrayBuffer (required by the secure-exec web worker) needs COOP/COEP
+ * headers. Once COEP is "require-corp", every subresource must be same-origin
+ * or carry Cross-Origin-Resource-Policy. Vendor assets (Monaco, Pyodide,
+ * TypeScript) are installed as npm packages and symlinked into vendor/ by
+ * `scripts/setup-vendor.ts`, so everything is served from the local filesystem.
+ */
+import { createReadStream } from "node:fs";
+import { realpath, stat } from "node:fs/promises";
+import {
+	createServer,
+	type OutgoingHttpHeaders,
+	type Server,
+	type ServerResponse,
+} from "node:http";
+import { extname, join, normalize, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const DEFAULT_PORT = Number(process.env.PORT ?? "4173");
+const playgroundDir = resolve(fileURLToPath(new URL("..", import.meta.url)));
+const secureExecDir = resolve(playgroundDir, "../secure-exec");
+
+/* Map URL prefixes to filesystem directories outside playgroundDir */
+const PATH_ALIASES: Array<{ prefix: string; dir: string }> = [
+	{ prefix: "/secure-exec/", dir: secureExecDir },
+];
+
+const mimeTypes = new Map<string, string>([
+	[".css", "text/css; charset=utf-8"],
+	[".data", "application/octet-stream"],
+	[".html", "text/html; charset=utf-8"],
+	[".js", "text/javascript; charset=utf-8"],
+	[".json", "application/json; charset=utf-8"],
+	[".mjs", "text/javascript; charset=utf-8"],
+	[".svg", "image/svg+xml"],
+	[".wasm", "application/wasm"],
+	[".zip", "application/zip"],
+]);
+
+function getFilePath(urlPath: string): string | null {
+	const pathname = decodeURIComponent(urlPath.split("?")[0] ?? "/");
+	const relativePath = pathname === "/" ? "/frontend/index.html" : pathname;
+
+	/* Check path aliases for sibling packages (e.g. secure-exec dist) */
+	for (const alias of PATH_ALIASES) {
+		if (relativePath.startsWith(alias.prefix)) {
+			const rest = relativePath.slice(alias.prefix.length);
+			const safePath = normalize(rest).replace(/^(\.\.[/\\])+/, "");
+			const absolutePath = resolve(alias.dir, safePath);
+			if (!absolutePath.startsWith(alias.dir)) return null;
+			return absolutePath;
+		}
+	}
+
+	const safePath = normalize(relativePath).replace(/^(\.\.[/\\])+/, "");
+	const absolutePath = resolve(playgroundDir, `.${safePath}`);
+	if (!absolutePath.startsWith(playgroundDir)) {
+		return null;
+	}
+	return absolutePath;
+}
+
+function getRedirectLocation(urlPath: string): string | null {
+	const [pathname, search = ""] = urlPath.split("?");
+	if (pathname === "/" || pathname.endsWith("/")) {
+		return null;
+	}
+	return `${pathname}/${search ? `?${search}` : ""}`;
+}
+
+const COEP_HEADERS = {
+	"Cross-Origin-Embedder-Policy": "require-corp",
+	"Cross-Origin-Opener-Policy": "same-origin",
+} as const;
+
+function writeHeaders(response: ServerResponse, status: number, extras: OutgoingHttpHeaders = {}): void {
+	response.writeHead(status, {
+		"Cache-Control": "no-store",
+		...COEP_HEADERS,
+		...extras,
+	});
+}
+
+export function createBrowserPlaygroundServer(): Server {
+	return createServer(async (_request, response) => {
+		const requestUrl = _request.url ?? "/";
+
+		const filePath = getFilePath(requestUrl);
+		if (!filePath) {
+			writeHeaders(response, 403);
+			response.end("Forbidden");
+			return;
+		}
+
+		/* Resolve symlinks (vendor/ entries point into node_modules) */
+		let resolvedPath: string;
+		try {
+			resolvedPath = await realpath(filePath);
+		} catch {
+			writeHeaders(response, 404);
+			response.end("Not found");
+			return;
+		}
+
+		let finalPath = resolvedPath;
+		try {
+			const fileStat = await stat(resolvedPath);
+			if (fileStat.isDirectory()) {
+				const redirectLocation = getRedirectLocation(requestUrl);
+				if (redirectLocation) {
+					writeHeaders(response, 308, { Location: redirectLocation });
+					response.end();
+					return;
+				}
+				finalPath = join(resolvedPath, "index.html");
+			}
+		} catch {
+			writeHeaders(response, 404);
+			response.end("Not found");
+			return;
+		}
+
+		try {
+			const fileStat = await stat(finalPath);
+			if (!fileStat.isFile()) {
+				writeHeaders(response, 404);
+				response.end("Not found");
+				return;
+			}
+
+			const mimeType = mimeTypes.get(extname(finalPath)) ?? "application/octet-stream";
+			writeHeaders(response, 200, {
+				"Content-Length": String(fileStat.size),
+				"Content-Type": mimeType,
+			});
+			createReadStream(finalPath).pipe(response);
+		} catch {
+			writeHeaders(response, 500);
+			response.end("Failed to read file");
+		}
+	});
+}
+
+export function startBrowserPlaygroundServer(port = DEFAULT_PORT): Server {
+	const server = createBrowserPlaygroundServer();
+	server.listen(port, () => {
+		console.log(`Browser playground: http://localhost:${port}/`);
+	});
+	return server;
+}
+
+if (process.argv[1] && resolve(process.argv[1]) === fileURLToPath(import.meta.url)) {
+	startBrowserPlaygroundServer();
+}