Skip to content

feat: V8 process isolation (part 1)#19

Merged
NathanFlurry merged 142 commits intomainfrom
nathan/v8-process-isolation-pt1
Mar 20, 2026
Merged

feat: V8 process isolation (part 1)#19
NathanFlurry merged 142 commits intomainfrom
nathan/v8-process-isolation-pt1

Conversation

@NathanFlurry
Copy link
Member

@NathanFlurry NathanFlurry commented Mar 20, 2026

Summary

Standalone V8 process isolation runtime for secure-exec — full implementation from scaffold to context snapshots.

  • Rust V8 runtime (crates/v8-runtime/): IPC message types, length-prefixed framing, V8 platform/isolate lifecycle, UDS listener with socket security, connection auth, session management, V8 context hardening, sync/async bridge calls, CJS/ESM execution, session event loop, streaming event dispatch, timeout enforcement, structured error serialization, FD hygiene
  • TypeScript IPC client (packages/secure-exec-v8/): @secure-exec/v8 package with IPC client, process spawning/lifecycle, session abstraction, binary header codec, V8 serialization pipeline
  • Runtime integration: NodeExecutionDriver updated to use V8 runtime via v8Runtime option, bridge contract updated to remove ivm.Reference types, isolated-vm dependency removed
  • IPC performance: binary header + V8 serialization (replacing MessagePack), code caching, bridge code caching on Rust side, buffer management improvements, poll(2) accept loop, JSON double-serialization removal, per-session buffering, batched module resolution, pre-allocated serialization buffers
  • V8 context snapshots: snapshot creation/restore, thread-safe LRU cache, WarmSnapshot IPC message, eager warm-up on module load, snapshot security tests
  • Platform packages: prebuilt binary npm packages per platform, Docker build for linux-x64, Rust CI workflow
  • Docs & tests: process isolation docs page, security model updates, integration/crash-isolation/IPC-security/snapshot tests, context snapshot benchmarks
  • Release: v0.1.1-rc.1 and v0.1.1-rc.2 with ESM/CJS compat fixes

Companion to #15 (ralph/v8-runtime). This PR covers the full US-001 through US-073 implementation scope.

Test plan

  • pnpm test passes for @secure-exec/v8 package (IPC binary, round-trip, crash isolation, IPC security, process isolation, snapshot security, context snapshot behavior)
  • pnpm test passes for secure-exec package (bridge registry, console formatter, context snapshot behavior, payload limits, bridge hardening)
  • Rust crate builds: cd crates/v8-runtime && cargo build
  • Platform binary postinstall works on supported targets
  • Context snapshot benchmarks show improvement (see results/context_snapshot_comparison.md)

🤖 Generated with Claude Code

@NathanFlurry
feat: US-001 - Scaffold Rust crate with dependencies and module stubs
6e27a95
@NathanFlurry
chore: update progress for US-001
c242e41
@NathanFlurry
feat: US-002 - Define IPC message types as Rust structs with serde
f95d4dc
@NathanFlurry
chore: update progress for US-002
9bed461
@NathanFlurry
feat: US-003 - Implement length-prefixed MessagePack framing
cd58d50
@NathanFlurry
chore: update progress for US-003
0b62a3f
@NathanFlurry
feat: US-004 - Implement V8 platform init and isolate lifecycle
2ebfd07
@NathanFlurry
chore: update progress for US-004
5daa785
@NathanFlurry
feat: US-005 - Implement UDS listener with socket path security
0e244f9
@NathanFlurry
chore: update progress for US-005
3645a6e
@NathanFlurry
feat: US-006 - Implement connection authentication handshake
47acd04
@NathanFlurry
chore: update progress for US-006
555bc3b
@NathanFlurry
feat: US-007 - Implement session management (create/destroy)
d91dbab
@NathanFlurry
chore: update progress for US-007
689310e
@NathanFlurry
feat: US-008 - Implement InjectGlobals and V8 context hardening
2a592fc
@NathanFlurry
chore: update progress for US-008
2b75e54
@NathanFlurry
feat: US-009 - Implement sync-blocking bridge call host functions
30ba7db
@NathanFlurry
chore: update progress for US-009
079a514
@NathanFlurry
feat: US-010 - Implement async promise-returning bridge calls
1fd5257
@NathanFlurry
chore: update progress for US-010
9bb1341
@NathanFlurry
feat: US-011 - Implement CJS script compilation and execution
d92663d
@NathanFlurry
chore: update progress for US-011
502fada
@NathanFlurry
feat: US-012 - Implement ESM module loading with ResolveModuleCallback
d96f1f2
@NathanFlurry
chore: update progress for US-012
ac9ff04
@NathanFlurry
feat: US-013 - Implement session event loop
5531874
@NathanFlurry
feat: US-014 - Implement streaming event dispatch (child process, HTTP)
794cf8b
@NathanFlurry
chore: update progress for US-014
b2ee81a
@NathanFlurry
feat: US-015 - Implement timeout enforcement with timer thread
183bf3b
@NathanFlurry
chore: update progress for US-015
1cbe81e
NathanFlurry and others added 27 commits March 20, 2026 01:09
@NathanFlurry @claude
feat: US-069 - Fix IPC binary frame length guards and fnv1aHash (Type…
5720d40 
…Script)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@NathanFlurry @claude
feat: US-070 - Fix IPC binary frame length guards (Rust)
bb5480d 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@NathanFlurry @claude
feat: US-071 - Add bounded IPC channels with backpressure
a1e283e 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@NathanFlurry @claude
chore: update progress for US-071
4e2b19a 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@NathanFlurry @claude
feat: US-072 - Fix auth token comparison and socket directory security
4dac616 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@NathanFlurry @claude
chore: update progress for US-072
40c9741 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@NathanFlurry
feat: US-073 - Fix call_id overflow and accept error handling
1e5a0d4
@NathanFlurry
chore: update progress for US-059
f7c0b26
@NathanFlurry
feat: US-061 - Split composeBridgeCode into static and post-restore p…
12f22e4 
…arts
@NathanFlurry
chore: update progress for US-061
2acf5ef
@NathanFlurry @claude
feat: US-062 - Add stub bridge context and registration for snapshot …
653e53a 
…creation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@NathanFlurry @claude
chore: update progress for US-062
74f8d8b 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@NathanFlurry @claude
feat: US-063 - Implement context snapshot creation with fully-initial…
a034aef 
…ized bridge

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@NathanFlurry @claude
chore: update progress for US-063
111b249 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@NathanFlurry @claude
feat: US-064 - Implement context restore with bridge function replace…
1b4d704 
…ment

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@NathanFlurry @claude
chore: update progress for US-064
1c073c8 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@NathanFlurry @claude
feat: US-065 - Wire post-restore init script through IPC
83b690a 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@NathanFlurry @claude
chore: update progress for US-065
09e6e2b 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@NathanFlurry @claude
feat: US-066 - Add context snapshot tests
826fdd3 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@NathanFlurry @claude
chore: update progress for US-066
132f9e1 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@NathanFlurry @claude
feat: US-067 - Verify context snapshot benchmark improvement (after)
b046837 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@NathanFlurry
feat: Docker build linux-x64 + release script platform package support
edab14b 
- Add Dockerfile.linux-x64-gnu for building secure-exec-v8 binary
- Stub unsupported platform packages with postinstall error
- Release script: include platform packages, sync optionalDeps versions
- Release workflow: Docker build + platform package publishing
- Add --no-git-checks flag for RC releases from non-main branches
@NathanFlurry
release: v0.1.1-rc.1
e55d5dd
@NathanFlurry
fix: use --no-frozen-lockfile in release workflow for optional platfo…
4d5a835 
…rm deps
@NathanFlurry
fix: rename postinstall.js to .cjs for ESM package compat
e819e75
@NathanFlurry
fix: add default export condition for CJS resolution compat
4067420
@NathanFlurry
release: v0.1.1-rc.2
2e06f8a
@NathanFlurry NathanFlurry force-pushed the nathan/v8-process-isolation-pt1 branch from 4495883 to 2e06f8a Compare March 20, 2026 08:09
@NathanFlurry NathanFlurry merged commit 78e0a52 into main Mar 20, 2026
3 of 8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@NathanFlurry