fix: generate valid MDX in conformance reports (remove icon, use Accordion, escape braces)

Author: NathanFlurry

docs/docs.json

@@ -60,20 +60,24 @@
           "features/typescript",
           "features/permissions",
           "features/filesystem",
-          "features/virtual-filesystem",
           "features/networking",
           "features/module-loading",
           "features/output-capture",
           "features/resource-limits",
           "features/child-processes",
-          "process-isolation"
+          "features/virtual-filesystem",
+		  {
+			  "group": "Advanced",
+			  "pages": [
+				  "features/process-isolation"
+			  ]
+		  }
         ]
       },
       {
         "group": "Reference",
         "pages": [
           "api-reference",
-          "nodejs-compatibility",
           "benchmarks",
 		  {
 			"group": "Comparison",
@@ -85,6 +89,10 @@
 		  {
 			"group": "Advanced",
 			"pages": [
+			  "nodejs-compatibility",
+			  "nodejs-conformance-report",
+			  "posix-compatibility",
+			  "posix-conformance-report",
 			  "cost-evaluation",
 			  "architecture",
 			  "security-model"

docs/process-isolation.mdx docs/features/process-isolation.mdxdocs/process-isolation.mdx renamed to docs/features/process-isolation.mdx

@@ -1,6 +1,7 @@
 ---
 title: Process Isolation
 description: Configure V8 process topology to control crash blast radius and resource partitioning.
+icon: castle
 ---
 
 <Warning>Process isolation depends on `@secure-exec/v8`, which is experimental. APIs and behavior may change without notice.</Warning>

docs/features/virtual-filesystem.mdx

@@ -1,5 +1,5 @@
 ---
-title: Custom Virtual Filesystem
+title: Virtual Filesystem
 description: Implement your own VirtualFileSystem to control how sandboxed code reads and writes files.
 icon: "hard-drive"
 ---

docs/nodejs-compatibility.mdx

@@ -1,7 +1,6 @@
 ---
 title: Node.js Compatibility
 description: Target Node.js version and standard-library compatibility matrix for secure-exec.
-icon: "list-check"
 ---
 
 ## Target Node Version

docs/nodejs-conformance-report.mdx

@@ -1,7 +1,6 @@
 ---
 title: Node.js Conformance Report
 description: Node.js v22 test/parallel/ conformance results for the secure-exec sandbox.
-icon: "chart-bar"
 ---
 
 {/* AUTO-GENERATED — do not edit. Run: pnpm tsx scripts/generate-node-conformance-report.ts */}
@@ -279,7 +278,7 @@ icon: "chart-bar"
 - `test-debugger-*.js` — debugger protocol requires inspector which is Tier 5 (Unsupported)
 - `test-quic-*.js` — QUIC protocol depends on tls which is Tier 4 (Deferred)
 
-<details><summary>179 individual tests</summary>
+<Accordion title="179 individual tests">
 
 | Test | Reason |
 | --- | --- |
@@ -463,7 +462,7 @@ icon: "chart-bar"
 | `test-buffer-resizable.js` | requires 'test' module (node:test) which is not available in sandbox |
 | `test-stream-consumers.js` | stream/consumers submodule not available in stream polyfill |
 
-</details>
+</Accordion>
 
 ### unsupported-api (79 entries)
 
@@ -473,7 +472,7 @@ icon: "chart-bar"
 - `test-shadow-*.js` — ShadowRealm is experimental and not supported in sandbox
 - `test-compile-*.js` — V8 compile cache/code cache features not available in sandbox
 
-<details><summary>76 individual tests</summary>
+<Accordion title="76 individual tests">
 
 | Test | Reason |
 | --- | --- |
@@ -489,14 +488,14 @@ icon: "chart-bar"
 | `test-fs-options-immutable.js` | hangs — fs.watch() with frozen options waits for events that never arrive (VFS has no inotify) |
 | `test-fs-promises-watch.js` | hangs — fs.promises.watch() waits forever for filesystem events (VFS has no watcher) |
 | `test-fs-watch-file-enoent-after-deletion.js` | hangs — fs.watchFile() waits for stat changes that never arrive (VFS has no inotify) |
-| `test-fs-watch-recursive-add-file-to-existing-subfolder.js` | hangs — fs.watch({recursive}) waits for filesystem events that never arrive (VFS has no inotify) |
-| `test-fs-watch-recursive-add-file-to-new-folder.js` | hangs — fs.watch({recursive}) waits for filesystem events that never arrive (VFS has no inotify) |
-| `test-fs-watch-recursive-add-file.js` | hangs — fs.watch({recursive}) waits for filesystem events that never arrive (VFS has no inotify) |
-| `test-fs-watch-recursive-assert-leaks.js` | hangs — fs.watch({recursive}) waits for filesystem events that never arrive (VFS has no inotify) |
-| `test-fs-watch-recursive-delete.js` | hangs — fs.watch({recursive}) waits for filesystem events that never arrive (VFS has no inotify) |
-| `test-fs-watch-recursive-linux-parallel-remove.js` | hangs — fs.watch({recursive}) waits for filesystem events that never arrive (VFS has no inotify) |
+| `test-fs-watch-recursive-add-file-to-existing-subfolder.js` | hangs — fs.watch(\{recursive\}) waits for filesystem events that never arrive (VFS has no inotify) |
+| `test-fs-watch-recursive-add-file-to-new-folder.js` | hangs — fs.watch(\{recursive\}) waits for filesystem events that never arrive (VFS has no inotify) |
+| `test-fs-watch-recursive-add-file.js` | hangs — fs.watch(\{recursive\}) waits for filesystem events that never arrive (VFS has no inotify) |
+| `test-fs-watch-recursive-assert-leaks.js` | hangs — fs.watch(\{recursive\}) waits for filesystem events that never arrive (VFS has no inotify) |
+| `test-fs-watch-recursive-delete.js` | hangs — fs.watch(\{recursive\}) waits for filesystem events that never arrive (VFS has no inotify) |
+| `test-fs-watch-recursive-linux-parallel-remove.js` | hangs — fs.watch(\{recursive\}) waits for filesystem events that never arrive (VFS has no inotify) |
 | `test-fs-watch-recursive-sync-write.js` | hangs — fs.watch() with recursive option waits forever for events |
-| `test-fs-watch-recursive-update-file.js` | hangs — fs.watch({recursive}) waits for filesystem events that never arrive (VFS has no inotify) |
+| `test-fs-watch-recursive-update-file.js` | hangs — fs.watch(\{recursive\}) waits for filesystem events that never arrive (VFS has no inotify) |
 | `test-fs-watch-stop-async.js` | uses fs.watch/watchFile — inotify not available in VFS |
 | `test-fs-watch-stop-sync.js` | uses fs.watch/watchFile — inotify not available in VFS |
 | `test-fs-watch.js` | hangs — fs.watch() waits for filesystem events that never arrive (VFS has no inotify) |
@@ -544,7 +543,7 @@ icon: "chart-bar"
 | `test-util-types-exists.js` | require('util/types') subpath import not supported by sandbox module system |
 | `test-websocket.js` | WebSocket global is not defined in sandbox — Node.js 22 added WebSocket as a global but the sandbox does not expose it |
 | `test-webstream-readable-from.js` | ReadableStream.from() static method not implemented in sandbox WebStreams polyfill — added in Node.js 20 and not available globally in sandbox |
-| `test-webstreams-clone-unref.js` | structuredClone({ transfer: [stream] }) for ReadableStream/WritableStream not supported in sandbox — transferable stream structured clone not implemented |
+| `test-webstreams-clone-unref.js` | structuredClone(\{ transfer: [stream] \}) for ReadableStream/WritableStream not supported in sandbox — transferable stream structured clone not implemented |
 | `test-zlib-brotli-16GB.js` | getDefaultHighWaterMark() not exported from readable-stream v3 polyfill — test also relies on native zlib BrotliDecompress buffering behavior with _readableState internals |
 | `test-buffer-constructor-outside-node-modules.js` | ReferenceError: document is not defined — test uses browser DOM API not available in sandbox |
 | `test-child-process-fork.js` | child_process.fork is not supported in sandbox |
@@ -554,7 +553,7 @@ icon: "chart-bar"
 | `test-fs-watchfile-ref-unref.js` | fs.watchFile not supported in sandbox |
 | `test-fs-write-stream-file-handle-2.js` | fs.promises.open (FileHandle API) not implemented |
 
-</details>
+</Accordion>
 
 ### requires-v8-flags (239 entries)
 
@@ -566,7 +565,7 @@ icon: "chart-bar"
 
 - `test-permission-*.js` — spawns child Node.js process via process.execPath — sandbox does not provide a real node binary
 
-<details><summary>172 individual tests</summary>
+<Accordion title="172 individual tests">
 
 | Test | Reason |
 | --- | --- |
@@ -743,17 +742,17 @@ icon: "chart-bar"
 | `test-webstorage.js` | spawns child Node.js process via process.execPath — sandbox does not provide a real node binary |
 | `test-windows-failed-heap-allocation.js` | spawns child Node.js process via process.execPath — sandbox does not provide a real node binary |
 
-</details>
+</Accordion>
 
 ### security-constraint (1 entries)
 
-<details><summary>1 individual test</summary>
+<Accordion title="1 individual test">
 
 | Test | Reason |
 | --- | --- |
 | `test-process-binding-internalbinding-allowlist.js` | process.binding is not supported in sandbox (security constraint) |
 
-</details>
+</Accordion>
 
 ### test-infra (22 entries)
 
@@ -762,7 +761,7 @@ icon: "chart-bar"
 - `test-runner-*.js` — Node.js test runner infrastructure — not runtime behavior
 - `test-eslint-*.js` — ESLint integration tests — Node.js CI tooling, not runtime
 
-<details><summary>20 individual tests</summary>
+<Accordion title="20 individual tests">
 
 | Test | Reason |
 | --- | --- |
@@ -787,23 +786,23 @@ icon: "chart-bar"
 | `test-worker-messaging-errors-handler.js` | passes in sandbox — overrides glob pattern |
 | `test-worker-messaging-errors-invalid.js` | passes in sandbox — overrides glob pattern |
 
-</details>
+</Accordion>
 
 ### native-addon (3 entries)
 
-<details><summary>3 individual tests</summary>
+<Accordion title="3 individual tests">
 
 | Test | Reason |
 | --- | --- |
 | `test-http-parser-timeout-reset.js` | uses process.binding() or native addons — not available in sandbox |
 | `test-internal-process-binding.js` | uses process.binding() or native addons — not available in sandbox |
 | `test-process-binding-util.js` | uses process.binding() or native addons — not available in sandbox |
 
-</details>
+</Accordion>
 
 ### vacuous-skip (34 entries)
 
-<details><summary>34 individual tests</summary>
+<Accordion title="34 individual tests">
 
 | Test | Reason |
 | --- | --- |
@@ -842,4 +841,4 @@ icon: "chart-bar"
 | `test-fs-utimes-y2K38.js` | vacuous pass — test self-skips because child_process.spawnSync(touch) fails in sandbox |
 | `test-tick-processor-arguments.js` | vacuous pass — test self-skips because common.enoughTestMem is undefined in sandbox shim |
 
-</details>
+</Accordion>

docs/posix-compatibility.md

@@ -1,12 +1,14 @@
-# POSIX Compatibility
+---
+title: POSIX Compatibility
+---
 
 > **This is a living document.** Update it when kernel, WasmVM, Node bridge, or Python bridge behavior changes for any POSIX-relevant feature.
 
-> **Looking for automated test results?** See the [POSIX Conformance Report](posix-conformance-report.mdx) for os-test suite results with per-suite pass rates and exclusion details.
+> **Looking for automated test results?** See the [POSIX Conformance Report](posix-conformance-report) for os-test suite results with per-suite pass rates and exclusion details.
 
 This document tracks how closely the secure-exec kernel, runtimes, and bridges conform to POSIX and Linux behavior. The goal is full POSIX compliance 1:1 — every syscall, signal, and shell behavior should match a real Linux system unless an architectural constraint makes it impossible.
 
-For command-level support (ls, grep, awk, etc.), see [WasmVM Supported Commands](wasmvm/supported-commands.md). For Node.js API compatibility (fs, http, crypto modules), see [Node.js Compatibility](nodejs-compatibility.mdx). For Python API compatibility, see [Python Compatibility](python-compatibility.mdx).
+For command-level support (ls, grep, awk, etc.), see [WasmVM Supported Commands](wasmvm/supported-commands.md). For Node.js API compatibility (fs, http, crypto modules), see [Node.js Compatibility](nodejs-compatibility). For Python API compatibility, see [Python Compatibility](python-compatibility).
 
 ---
 

docs/posix-conformance-report.mdx

@@ -1,7 +1,6 @@
 ---
 title: POSIX Conformance Report
 description: os-test POSIX.1-2024 conformance results for WasmVM.
-icon: "chart-bar"
 ---
 
 {/* AUTO-GENERATED — do not edit. Run scripts/generate-posix-report.ts */}
@@ -15,7 +14,7 @@ icon: "chart-bar"
 | Passing | 3347 (99.9%) |
 | Expected fail | 3 |
 | Skip | 0 |
-| Native parity | 98.4% |
+| Native verified | undefined of 3347 passing tests verified against native output (NaN%) |
 | Last updated | 2026-03-23 |
 
 ## Per-Suite Results
@@ -47,5 +46,5 @@ WASI Preview 1 lacks the required syscall.
 
 | Test | Reason | Issue |
 | --- | --- | --- |
-| `basic/sys_statvfs/fstatvfs` | fstatvfs() not part of WASI — no filesystem statistics interface | [#34](https://github.com/rivet-dev/secure-exec/issues/34) |
-| `basic/sys_statvfs/statvfs` | statvfs() not part of WASI — no filesystem statistics interface | [#34](https://github.com/rivet-dev/secure-exec/issues/34) |
+| `basic/sys_statvfs/fstatvfs` | fstatvfs() not part of WASI — no filesystem statistics interface | [#48](https://github.com/rivet-dev/secure-exec/issues/48) |
+| `basic/sys_statvfs/statvfs` | statvfs() not part of WASI — no filesystem statistics interface | [#48](https://github.com/rivet-dev/secure-exec/issues/48) |

docs/runtimes/node.mdx

@@ -63,7 +63,7 @@ const runtime = new NodeRuntime({
   These exports are also available from `@secure-exec/nodejs`.
 </Note>
 
-By default, all runtimes share a single V8 child process. You can pass a dedicated `V8Runtime` handle via `createNodeRuntimeDriverFactory({ v8Runtime })` to control crash blast radius and resource partitioning. See [Process Isolation](/process-isolation) for topology options and trade-offs.
+By default, all runtimes share a single V8 child process. You can pass a dedicated `V8Runtime` handle via `createNodeRuntimeDriverFactory({ v8Runtime })` to control crash blast radius and resource partitioning. See [Process Isolation](/features/process-isolation) for topology options and trade-offs.
 
 ## exec vs run
 

scripts/generate-node-conformance-report.ts

@@ -233,14 +233,17 @@ const lines: string[] = [];
 function line(s = "") {
 	lines.push(s);
 }
+/** Escape curly braces for MDX (they're interpreted as JSX expressions). */
+function esc(s: string): string {
+	return s.replace(/\{/g, "\\{").replace(/\}/g, "\\}");
+}
 
 // Frontmatter
 line("---");
 line("title: Node.js Conformance Report");
 line(
 	"description: Node.js v22 test/parallel/ conformance results for the secure-exec sandbox.",
 );
-line('icon: "chart-bar"');
 line("---");
 line();
 line(
@@ -348,23 +351,23 @@ for (const cat of categoryOrder) {
 		line("**Glob patterns:**");
 		line();
 		for (const { key, entry } of globs) {
-			line(`- \`${key}\` — ${entry.reason}`);
+			line(`- \`${key}\` — ${esc(entry.reason)}`);
 		}
 		line();
 	}
 
 	if (individual.length > 0 && individual.length <= 200) {
 		line(
-			`<details><summary>${individual.length} individual test${individual.length === 1 ? "" : "s"}</summary>`,
+			`<Accordion title="${individual.length} individual test${individual.length === 1 ? "" : "s"}">`,
 		);
 		line();
 		line("| Test | Reason |");
 		line("| --- | --- |");
 		for (const { key, entry } of individual) {
-			line(`| \`${key}\` | ${entry.reason} |`);
+			line(`| \`${key}\` | ${esc(entry.reason)} |`);
 		}
 		line();
-		line("</details>");
+		line("</Accordion>");
 		line();
 	} else if (individual.length > 200) {
 		line(

scripts/generate-posix-report.ts

@@ -90,7 +90,6 @@ function line(s = '') {
 line('---');
 line('title: POSIX Conformance Report');
 line('description: os-test POSIX.1-2024 conformance results for WasmVM.');
-line('icon: "chart-bar"');
 line('---');
 line();
 line('{/* AUTO-GENERATED — do not edit. Run scripts/generate-posix-report.ts */}');