Skip to main content

Package Structure

PackageContents
secure-execMain package — createKernel, createNodeRuntime, NodeRuntime, system drivers, filesystem, network, and permissions
@secure-exec/coreKernel, types, VFS, permission helpers, shared utilities
@secure-exec/nodejsNode.js runtime driver, bridge, execution driver, system driver factory
@secure-exec/pythonPython/Pyodide runtime driver
@secure-exec/typescriptSandboxed TypeScript compiler tools

Kernel

createKernel(options)

Exported from secure-exec Creates a kernel that manages a virtual filesystem, process table, file descriptor table, pipes, PTYs, and permissions. Mount runtime drivers to execute code. 
createKernel(options: KernelOptions): Kernel
KernelOptions
OptionTypeDescription
filesystemVirtualFileSystemVirtual filesystem for the kernel. Required.
permissionsPermissionsAccess control rules. Deny-by-default.
envRecord<string, string>Environment variables.
cwdstringWorking directory. Default "/root".
maxProcessesnumberMaximum concurrent processes.
Kernel methods
MethodReturnsDescription
mount(driver)Promise<void>Mount a runtime driver.
exec(command, options?)Promise<KernelExecResult>Execute a command string through the shell.
spawn(command, args, options?)ManagedProcessSpawn a process directly (no shell).
openShell(options?)ShellHandleOpen an interactive shell on a PTY.
connectTerminal(options?)Promise<number>Wire a shell to process.stdin/stdout.
readFile(path)Promise<Uint8Array>Read a file from VFS.
writeFile(path, content)Promise<void>Write a file to VFS.
mkdir(path)Promise<void>Create a directory.
readdir(path)Promise<string[]>List directory entries.
stat(path)Promise<VirtualStat>Get file metadata.
exists(path)Promise<boolean>Check if a path exists.
dispose()Promise<void>Dispose the kernel and all mounted drivers.
KernelExecResult 
{ exitCode: number; stdout: string; stderr: string }

createNodeRuntime(options?)

Exported from secure-exec Creates a Node.js runtime driver that can be mounted into a kernel via kernel.mount(). 
createNodeRuntime(options?: {
  memoryLimit?: number;
  moduleAccessPaths?: string[];
  permissions?: Partial<Permissions>;
}): RuntimeDriver
OptionTypeDescription
memoryLimitnumberMemory limit in MB for each V8 isolate. Default 128.
moduleAccessPathsstring[]Host filesystem paths for module resolution.
permissionsPartial<Permissions>Bridge permissions for isolate processes.

Runtimes

NodeRuntime

Exported from secure-exec Convenience class for direct JavaScript code execution in a V8 isolate. For the kernel-first approach, use createKernel() + createNodeRuntime() instead. 
new NodeRuntime(options: NodeRuntimeOptions)
NodeRuntimeOptions
OptionTypeDescription
systemDriverSystemDriverHost capabilities (filesystem, network, permissions). Required.
runtimeDriverFactoryNodeRuntimeDriverFactoryCreates the isolate execution environment. Required.
memoryLimitnumberIsolate memory cap in MB.
cpuTimeLimitMsnumberCPU time budget in ms.
timingMitigation"off" | "freeze"Timing side-channel mitigation. Default "freeze".
onStdioStdioHookDefault console output hook.
payloadLimits{ base64TransferBytes?: number; jsonPayloadBytes?: number }Bridge payload size limits.
Methods
MethodReturnsDescription
exec(code, options?)Promise<ExecResult>Execute code without a return value.
run<T>(code, filePath?)Promise<RunResult<T>>Execute code and return the module namespace/default export object.
network{ fetch, dnsLookup, httpRequest }Network access from the host side.
dispose()voidRelease resources synchronously.
terminate()Promise<void>Terminate the runtime.

TypeScript Tools (@secure-exec/typescript)

createTypeScriptTools(options)

Creates sandboxed TypeScript project/source helpers backed by a dedicated compiler runtime. 
createTypeScriptTools(options: TypeScriptToolsOptions)
TypeScriptToolsOptions
OptionTypeDescription
systemDriverSystemDriverCompiler runtime capabilities and filesystem view.
runtimeDriverFactoryNodeRuntimeDriverFactoryCreates the compiler sandbox runtime.
memoryLimitnumberCompiler sandbox isolate memory cap in MB. Default 512.
cpuTimeLimitMsnumberCompiler sandbox CPU time budget in ms.
compilerSpecifierstringModule specifier used to load the TypeScript compiler. Default "/root/node_modules/typescript/lib/typescript.js".
Methods
MethodReturnsDescription
typecheckProject(options?)Promise<TypeCheckResult>Type-check a filesystem-backed TypeScript project using tsconfig discovery or configFilePath.
compileProject(options?)Promise<ProjectCompileResult>Compile a filesystem-backed project and write emitted files through the configured filesystem like tsc.
typecheckSource(options)Promise<TypeCheckResult>Type-check one TypeScript source string without mutating the filesystem.
compileSource(options)Promise<SourceCompileResult>Compile one TypeScript source string and return JavaScript text.

System Driver Factories

createNodeDriver(options?)

Exported from secure-exec Creates a system driver for Node.js environments. Used with NodeRuntime. 
createNodeDriver(options?: NodeDriverOptions): SystemDriver
NodeDriverOptions
OptionTypeDescription
filesystemVirtualFileSystemCustom filesystem. Default: host fs with module overlay.
moduleAccessModuleAccessOptionsNode modules overlay config.
networkAdapterNetworkAdapterNetwork implementation.
commandExecutorCommandExecutorChild process executor.
permissionsPermissionsAccess control rules. Deny-by-default.
useDefaultNetworkbooleanEnable default Node.js network adapter.
processConfigProcessConfigProcess metadata (cwd, env, argv, etc.).
osConfigOSConfigOS metadata (platform, arch, homedir, etc.).

Filesystem

createInMemoryFileSystem()

Exported from secure-exec Creates a fully in-memory filesystem backed by Maps. 
createInMemoryFileSystem(): InMemoryFileSystem

NodeFileSystem

Exported from secure-exec Thin wrapper around Node.js fs/promises. 
new NodeFileSystem()

VirtualFileSystem interface

MethodReturnsDescription
readFile(path)Promise<Uint8Array>Read file as bytes.
readTextFile(path)Promise<string>Read file as text.
readDir(path)Promise<string[]>List directory entries.
readDirWithTypes(path)Promise<DirEntry[]>List entries with type info.
writeFile(path, content)Promise<void>Write file.
createDir(path)Promise<void>Create directory.
mkdir(path)Promise<void>Create directory (alias).
exists(path)Promise<boolean>Check if path exists.
stat(path)Promise<StatInfo>Get file metadata.
removeFile(path)Promise<void>Delete a file.
removeDir(path)Promise<void>Delete a directory.
rename(old, new)Promise<void>Rename a file or directory.

Network

createDefaultNetworkAdapter()

Exported from secure-exec Creates a network adapter with real fetch, DNS, and HTTP support (Node.js only). 
createDefaultNetworkAdapter(): NetworkAdapter

NetworkAdapter interface

MethodReturnsDescription
fetch(url, options?)Promise<FetchResponse>HTTP fetch.
dnsLookup(hostname)Promise<DnsResult>DNS resolution.
httpRequest(url, options?)Promise<HttpResponse>Low-level HTTP request.
httpServerListen?(options)Promise<{ address }>Start a loopback HTTP server.
httpServerClose?(serverId)Promise<void>Close a loopback HTTP server.

Permissions

Exported from secure-exec

Pre-built helpers

ExportDescription
allowAllAllow all operations.
allowAllFsAllow all filesystem operations.
allowAllNetworkAllow all network operations.
allowAllChildProcessAllow all child process spawning.
allowAllEnvAllow all environment variable access.

Permissions type

type Permissions = {
  fs?: PermissionCheck<FsAccessRequest>;
  network?: PermissionCheck<NetworkAccessRequest>;
  childProcess?: PermissionCheck<ChildProcessAccessRequest>;
  env?: PermissionCheck<EnvAccessRequest>;
};
Each field accepts a PermissionCheck, which is either a boolean or a function (request) => boolean | Promise<boolean>.

Execution Types

ExecOptions (NodeRuntime)

OptionTypeDescription
filePathstringScript filename for error messages.
envRecord<string, string>Override environment variables.
cwdstringWorking directory.
stdinstringStdin data.
cpuTimeLimitMsnumberCPU budget override.
timingMitigation"off" | "freeze"Timing mitigation override.
onStdioStdioHookPer-execution stdio hook.

ExecResult (NodeRuntime)

{ code: number; errorMessage?: string }

RunResult<T>

{ code: number; errorMessage?: string; exports?: T }

StdioHook

type StdioHook = (event: { channel: "stdout" | "stderr"; message: string }) => void;

ProjectCompilerOptions

{
  cwd?: string;
  configFilePath?: string;
}

SourceCompilerOptions

{
  sourceText: string;
  filePath?: string;
  cwd?: string;
  configFilePath?: string;
  compilerOptions?: Record<string, unknown>;
}

TypeCheckResult

{
  success: boolean;
  diagnostics: TypeScriptDiagnostic[];
}

ProjectCompileResult

{
  success: boolean;
  diagnostics: TypeScriptDiagnostic[];
  emitSkipped: boolean;
  emittedFiles: string[];
}

SourceCompileResult

{
  success: boolean;
  diagnostics: TypeScriptDiagnostic[];
  outputText?: string;
  sourceMapText?: string;
}

TypeScriptDiagnostic

{
  code: number;
  category: "error" | "warning" | "suggestion" | "message";
  message: string;
  filePath?: string;
  line?: number;
  column?: number;
}

Configuration Types

ProcessConfig

FieldTypeDefault
platformstring
archstring
versionstring
cwdstring"/root"
envRecord<string, string>
argvstring[]
execPathstring
pidnumber
ppidnumber
uidnumber
gidnumber
stdinstring
timingMitigation"off" | "freeze"
frozenTimeMsnumber

OSConfig

FieldTypeDefault
platformstring
archstring
typestring
releasestring
versionstring
homedirstring"/root"
tmpdirstring"/tmp"
hostnamestring

SystemDriver

Used internally by NodeRuntime. For the kernel-first approach, use createKernel() instead. 
type SystemDriver = {
  filesystem?: VirtualFileSystem;
  network?: NetworkAdapter;
  commandExecutor?: CommandExecutor;
  permissions?: Permissions;
  runtime: DriverRuntimeConfig;
};

CommandExecutor interface

MethodReturnsDescription
spawn(command, args, options?)SpawnedProcessSpawn a child process.