- wrapNetworkAdapter creates a new object — any new NetworkAdapter methods MUST be explicitly forwarded through wrapNetworkAdapter or they'll be undefined at bridge-setup
134
134
- UpgradeSocket.emit must use .call(this) — libraries like ws use `this[Symbol(...)]` in event callbacks requiring proper `this` binding
135
135
- Server-side HTTP upgrade relay: driver.ts adds server.on('upgrade') → applySync dispatches to sandbox → sandbox Server._emit('upgrade') → ws handles handshake → UpgradeSocket relays data bidirectionally through bridge
136
+
- Net bridge Socket follows child_process dispatch pattern: host→sandbox via applySync with try/catch for post-disposal safety
137
+
- Moving a module from DEFERRED to BRIDGE requires 10+ file changes: module-resolver.ts, require-setup.ts, bridge-contract.ts, global-exposure.ts, permissions.ts, types.ts, bridge-setup.ts, driver.ts, plus new bridge/*.ts file
138
+
- crypto.subtle.deriveBits (PBKDF2/HKDF) needed for pg SCRAM-SHA-256 auth — implement both in SandboxSubtle (require-setup.ts) and host dispatcher (bridge-setup.ts)
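Review bot: the try/catch described for the net bridge Socket's host→sandbox applySync dispatch should be scoped to the post-disposal case (or at least record what was dropped) rather than swallowing every error, since a blanket catch also hides genuine dispatch failures that a caller would want surfaced. The DEFERRED-to-BRIDGE checklist here overlaps the longer one in the later learnings entries; keeping a single list avoids the two drifting apart.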
- What was implemented: TCP net bridge for sandbox, enabling pg library to connect through the sandbox to real Postgres
2504
+
- Also implemented: crypto.subtle.deriveBits (PBKDF2, HKDF) and deriveKey for SCRAM-SHA-256 authentication
2505
+
- Files changed:
2506
+
- packages/secure-exec-core/src/bridge/net.ts — NEW: TCP Socket class with EventEmitter interface, host dispatch handler, isIP/isIPv4/isIPv6 utilities
2507
+
- packages/secure-exec-core/src/bridge/index.ts — import and export net bridge
2508
+
- packages/secure-exec-core/src/module-resolver.ts — moved net from DEFERRED to BRIDGE, added BUILTIN_NAMED_EXPORTS
2509
+
- packages/secure-exec-core/src/shared/bridge-contract.ts — added host/runtime bridge globals for TCP socket
2510
+
- packages/secure-exec-core/src/shared/global-exposure.ts — added custom global inventory entries
2511
+
- packages/secure-exec-core/src/shared/permissions.ts — added TCP socket forwarding in wrapNetworkAdapter, connect op in stub
2512
+
- packages/secure-exec-core/src/types.ts — added NetworkAdapter TCP methods, "connect" to NetworkAccessRequest.op
2513
+
- packages/secure-exec-core/isolate-runtime/src/inject/require-setup.ts — removed net from deferred set, added bridge require handler, added SandboxSubtle.deriveBits/deriveKey
2514
+
- packages/secure-exec-node/src/bridge-setup.ts — wired TCP socket bridge globals, lazy dispatch ref with try/catch for post-disposal events, added deriveBits/deriveKey to cryptoSubtle dispatcher
2515
+
- packages/secure-exec-node/src/driver.ts — implemented real TCP socket management in createDefaultNetworkAdapter
2516
+
- packages/secure-exec/tests/e2e-docker/pg-connect/fixture.json — changed expectation from fail to pass
2517
+
- **Learnings for future iterations:**
2518
+
- Net bridge follows child_process dispatch pattern: host pushes events (data/connect/end/close/error) via applySync to sandbox dispatch function
2519
+
- Socket events (end/close) can fire after isolate disposal — wrap dispatch callbacks in try/catch to silently drop late events
2520
+
- pg uses crypto.subtle.deriveBits with PBKDF2 for SCRAM-SHA-256 auth — must implement both bridge-side (SandboxSubtle) and host-side (cryptoSubtleRef dispatcher)
2521
+
- HKDF implementation requires manual HKDF-Extract (HMAC(salt, ikm)) then HKDF-Expand (iterated HMAC with counter byte)
2522
+
- Moving a module from DEFERRED to BRIDGE requires changes in: module-resolver.ts (BRIDGE_MODULES, DEFERRED_CORE_MODULES, BUILTIN_NAMED_EXPORTS), require-setup.ts (deferred set, bridge require handler), bridge-contract.ts, global-exposure.ts, permissions.ts, types.ts, bridge-setup.ts, driver.ts
2523
+
- createDefaultNetworkAdapter tracks TCP sockets in a Map<number, net.Socket> keyed by sandbox socketId
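Review bot: the new "connect" op on NetworkAccessRequest.op (types.ts and permissions.ts entries) should state what the default policy for it is and where that decision is enforced; the fixture change from fail to pass implies the pg-connect test now grants it, but the notes never say that the op is denied unless explicitly allowed. The HKDF entry is also underspecified: HKDF-Expand is HMAC(PRK, T(i-1) || info || counter byte), not just an iterated HMAC with a counter, and HKDF-Extract with an absent salt must use a zero-filled key of hash length (RFC 5869); worth recording both and checking the implementation against the RFC 5869 test vectors, because interop failures in derived-key paths are otherwise hard to diagnose.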