Skip to content

Runtime isolation hardening + test quality#1437

Merged
NathanFlurry merged 1 commit intomainfrom
ralph/runtime-isolation-hardening
Apr 6, 2026
Merged

Runtime isolation hardening + test quality#1437
NathanFlurry merged 1 commit intomainfrom
ralph/runtime-isolation-hardening

Conversation

@NathanFlurry
Copy link
Copy Markdown
Member

@NathanFlurry NathanFlurry commented Apr 6, 2026

Summary

  • Ported all Node.js builtin polyfills through the Rust kernel sidecar (fs, child_process, net, dns, etc.)
  • Enforced WASM runtime memory limits, fuel budgets, and permission tiers
  • Added Pyodide process memory and execution timeout limits
  • Symlink TOCTOU protection and prewarm timeout for WASM modules
  • Made WASI conditional based on permission tier
  • Fixed adapter package resolution for pnpm workspaces (software deps now resolve correctly)
  • Updated tools quickstart to work end-to-end
  • Updated CLAUDE.md with test structure standards and package naming

Test plan

  • cargo test --workspace passes
  • pnpm test passes across all packages
  • Quickstart examples: hello-world, filesystem, cron, network, processes, bash all pass
  • createSession("pi") with software: [pi] creates and closes cleanly

🤖 Generated with Claude Code

@NathanFlurry NathanFlurry force-pushed the ralph/runtime-isolation-hardening branch from 3e253ce to 583f6a7 Compare April 6, 2026 18:09
@NathanFlurry
feat: runtime isolation hardening + test quality
a47f554 
- Port Node.js builtin polyfills through Rust kernel sidecar (fs, child_process, net, dns, etc.)
- Enforce WASM runtime memory limits, fuel budgets, and permission tiers
- Add Pyodide process memory and execution timeout limits
- Symlink TOCTOU protection and prewarm timeout for WASM modules
- Implement overlay filesystem (whiteouts, opaque dirs, copy-up)
- Add process reparenting, job control signals, /proc filesystem
- Implement select/poll, pipe manager, PTY improvements
- Add shebang parsing, umask, missing errno checks
- Fix adapter package resolution for pnpm workspaces
- Add pnpm .pnpm store mount discovery for moduleAccess
- Fix tools quickstart, update sessions quickstart with software: [pi]
- Update CLAUDE.md with test structure standards and package naming
@NathanFlurry NathanFlurry force-pushed the ralph/runtime-isolation-hardening branch from 583f6a7 to a47f554 Compare April 6, 2026 18:15
@NathanFlurry NathanFlurry merged commit 0063cdc into main Apr 6, 2026
1 of 2 checks passed
@NathanFlurry NathanFlurry deleted the ralph/runtime-isolation-hardening branch April 6, 2026 18:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@NathanFlurry