prd.json

{
  "project": "secure-exec",
  "branchName": "ralph/kernel-hardening",
  "description": "Kernel Hardening & Documentation \u2014 fix critical bugs, replace fake tests, add missing coverage, write docs, implement PTY/process groups/positional I/O, harden bridge host protections, and improve compatibility, and split secure-exec into core + runtime-specific packages",
  "userStories": [
    {
      "id": "US-001",
      "title": "Fix FD table memory leak on process exit",
      "description": "As a developer, I need FD tables to be cleaned up when processes exit so the kernel doesn't leak memory indefinitely.",
      "acceptanceCriteria": [
        "In kernel's onExit handler, call fdTableManager.remove(pid) after processTable.markExited(pid, exitCode)",
        "Test: spawn N processes, all exit, fdTableManager internal map size === 0 (excluding init process)",
        "Test: pipe read/write FileDescriptions are freed after both endpoints' processes exit",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 1,
      "passes": true,
      "notes": "P0 \u2014 packages/kernel/src/process-table.ts, fd-table.ts. fdTableManager.remove(pid) exists at fd-table.ts:274 but is never called."
    },
    {
      "id": "US-002",
      "title": "Return EIO for SharedArrayBuffer 1MB overflow in WasmVM",
      "description": "As a developer, I need large file reads to fail with a clear error instead of silently truncating data.",
      "acceptanceCriteria": [
        "When kernel fdRead returns >1MB, WasmVM worker returns EIO (errno 76) instead of truncated data",
        "Test: write 2MB file to VFS, attempt fdRead from WasmVM, verify error (not truncated data)",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 2,
      "passes": true,
      "notes": "P0 \u2014 packages/runtime/wasmvm/src/syscall-rpc.ts. 1MB SharedArrayBuffer for all response data."
    },
    {
      "id": "US-003",
      "title": "Replace fake Node driver security test with real boundary tests",
      "description": "As a developer, I need security tests that actually prove host filesystem access is blocked, not just that the VFS is empty.",
      "acceptanceCriteria": [
        "Old negative assertion ('not.toContain root:x:0:0') removed",
        "New test: fs.readFileSync('/etc/passwd') \u2192 error.code === 'ENOENT'",
        "New test: symlink /tmp/escape \u2192 /etc/passwd, read /tmp/escape \u2192 ENOENT",
        "New test: fs.readFileSync('../../etc/passwd') from cwd /app \u2192 ENOENT",
        "All assertions unconditional",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 3,
      "passes": true,
      "notes": "P1 \u2014 packages/runtime/node/test/driver.test.ts \u2014 'cannot access host filesystem directly'"
    },
    {
      "id": "US-004",
      "title": "Replace fake child_process routing test with spy driver",
      "description": "As a developer, I need the child_process routing test to prove routing actually happened, not just that a mock returned canned output.",
      "acceptanceCriteria": [
        "Spy driver records: { command: 'echo', args: ['hello'], callerPid: <node-pid> }",
        "Assert spy.calls.length === 1",
        "Assert spy.calls[0].command === 'echo'",
        "Assert output contains mock response",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 4,
      "passes": true,
      "notes": "P1 \u2014 packages/runtime/node/test/driver.test.ts \u2014 'child_process.spawn routes through kernel'"
    },
    {
      "id": "US-005",
      "title": "Replace placeholder fork bomb test with honest concurrent spawn test",
      "description": "As a developer, I need the process spawning test to honestly reflect what it tests and verify PID uniqueness.",
      "acceptanceCriteria": [
        "Test renamed to 'concurrent child process spawning' (or similar honest name)",
        "Test spawns 10+ child processes, verifies each gets unique PID from kernel process table",
        "All assertions unconditional",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 5,
      "passes": true,
      "notes": "P1 \u2014 packages/runtime/node/test/driver.test.ts \u2014 'cannot spawn unlimited processes'"
    },
    {
      "id": "US-006",
      "title": "Fix stdin tests to verify full stdin\u2192process\u2192stdout pipeline",
      "description": "As a developer, I need stdin tests that prove the full pipeline works, not just kernel\u2192driver delivery.",
      "acceptanceCriteria": [
        "MockRuntimeDriver supports echoStdin config \u2014 writeStdin data immediately emitted as stdout",
        "Test: writeStdin + closeStdin \u2192 stdout contains written data",
        "Test: multiple writeStdin calls \u2192 stdout contains all chunks concatenated",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 6,
      "passes": true,
      "notes": "P1 \u2014 packages/kernel/test/kernel-integration.test.ts \u2014 stdin streaming tests"
    },
    {
      "id": "US-007",
      "title": "Add fdSeek test coverage for all seek modes",
      "description": "As a developer, I need fdSeek tested for SEEK_SET, SEEK_CUR, SEEK_END, and pipe rejection.",
      "acceptanceCriteria": [
        "Test: write 'hello world', open, fdSeek(0, SEEK_SET), read returns 'hello world'",
        "Test: read 5 bytes, fdSeek(0, SEEK_SET), read 5 bytes \u2192 both return 'hello'",
        "Test: fdSeek(0, SEEK_END), read \u2192 returns empty (EOF)",
        "Test: fdSeek on pipe FD \u2192 throws ESPIPE or similar error",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 7,
      "passes": true,
      "notes": "P2 \u2014 packages/kernel/src/types.ts:167-172 (KernelInterface.fdSeek). Zero test coverage."
    },
    {
      "id": "US-008",
      "title": "Add permission wrapper deny scenario tests",
      "description": "As a developer, I need tests proving the permission system blocks operations when configured restrictively.",
      "acceptanceCriteria": [
        "Test: createKernel with permissions: { fs: false }, attempt writeFile \u2192 throws EACCES",
        "Test: createKernel with permissions: { fs: (req) => req.path.startsWith('/tmp') }, write /tmp \u2192 succeeds, write /etc \u2192 EACCES",
        "Test: createKernel with permissions: { childProcess: false }, attempt spawn \u2192 throws or blocked",
        "Test: verify env filtering works (filterEnv with restricted keys)",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 8,
      "passes": true,
      "notes": "P2 \u2014 packages/kernel/src/permissions.ts. Zero test coverage for deny scenarios."
    },
    {
      "id": "US-009",
      "title": "Add stdio FD override wiring tests",
      "description": "As a developer, I need tests verifying that stdinFd/stdoutFd/stderrFd overrides during spawn correctly wire the FD table.",
      "acceptanceCriteria": [
        "Test: spawn with stdinFd: pipeReadEnd \u2192 child's FD 0 points to pipe read description",
        "Test: spawn with stdoutFd: pipeWriteEnd \u2192 child's FD 1 points to pipe write description",
        "Test: spawn with all three overrides \u2192 FD table has correct descriptions for 0, 1, 2",
        "Test: parent FD table unchanged after child spawn with overrides",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 9,
      "passes": true,
      "notes": "P2 \u2014 packages/kernel/src/kernel.ts:432-476. Complex wiring, completely untested in isolation."
    },
    {
      "id": "US-010",
      "title": "Add concurrent PID stress test (100 processes)",
      "description": "As a developer, I need stress tests to verify PID uniqueness and exit code capture under high concurrency.",
      "acceptanceCriteria": [
        "Test: spawn 100 processes concurrently, collect all PIDs, verify all unique",
        "Test: spawn 100 processes, wait all, verify all exit codes captured correctly",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 10,
      "passes": true,
      "notes": "P2 \u2014 packages/kernel/test/kernel-integration.test.ts. Current test only spawns 10."
    },
    {
      "id": "US-011",
      "title": "Add pipe refcount edge case tests (multi-writer EOF)",
      "description": "As a developer, I need tests verifying pipe EOF only triggers when ALL write-end holders close.",
      "acceptanceCriteria": [
        "Test: create pipe, dup write end (two references), close one \u2192 reader still blocks (not EOF)",
        "Test: close second write end \u2192 reader gets EOF",
        "Test: write through both references \u2192 reader receives both writes",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 11,
      "passes": true,
      "notes": "P2 \u2014 packages/kernel/src/pipe-manager.ts"
    },
    {
      "id": "US-012",
      "title": "Add process exit FD cleanup chain verification tests",
      "description": "As a developer, I need tests proving the full cleanup chain: process exits \u2192 FD table removed \u2192 refcounts decremented \u2192 pipe ends freed.",
      "acceptanceCriteria": [
        "Test: spawn process with open FD to pipe write end, process exits \u2192 pipe read end gets EOF",
        "Test: spawn process, open 10 FDs, process exits \u2192 FDTableManager has no entry for that PID",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 12,
      "passes": true,
      "notes": "P2 \u2014 depends on US-001 FD leak fix being in place"
    },
    {
      "id": "US-013",
      "title": "Clear zombie cleanup timers on kernel dispose",
      "description": "As a developer, I need zombie cleanup timers cleared when the kernel is disposed to avoid post-dispose timer firings.",
      "acceptanceCriteria": [
        "Store timer IDs during zombie scheduling, clear them in terminateAll() or new dispose() method",
        "Test: spawn process, let it exit (becomes zombie), immediately dispose kernel \u2192 no timer warnings",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 13,
      "passes": true,
      "notes": "P2 \u2014 packages/kernel/src/process-table.ts:78-79. 60s setTimeout may fire after dispose."
    },
    {
      "id": "US-014",
      "title": "Ensure WASM binary availability in CI",
      "description": "As a developer, I need CI to fail if the WASM binary is missing so critical WasmVM tests don't silently skip.",
      "acceptanceCriteria": [
        "CI pipeline builds wasmvm/target/wasm32-wasip1/release/multicall.wasm before test runs, OR add CI-only test asserting hasWasmBinary === true",
        "Document in CLAUDE.md how to build the WASM binary locally",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 14,
      "passes": true,
      "notes": "P2 \u2014 tests gated behind skipIf(!hasWasmBinary) silently skip in CI"
    },
    {
      "id": "US-015",
      "title": "Replace WasmVM error string matching with structured error codes",
      "description": "As a developer, I need kernel errors to include a structured code field so WasmVM errno mapping doesn't rely on brittle string matching.",
      "acceptanceCriteria": [
        "Kernel errors include structured code field (e.g., { code: 'EBADF', message: '...' })",
        "WasmVM kernel-worker maps error.code \u2192 WASI errno instead of string matching",
        "Fallback to string matching only if code field is missing",
        "Test: throw error with code 'ENOENT' \u2192 worker maps to errno 44",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 15,
      "passes": true,
      "notes": "P2 \u2014 packages/runtime/wasmvm/src/kernel-worker.ts. mapErrorToErrno() uses msg.includes('EBADF')."
    },
    {
      "id": "US-016",
      "title": "Write kernel quickstart guide",
      "description": "As a user, I need a quickstart guide to get started with the kernel (install, create kernel, mount drivers, exec, spawn, VFS, cleanup).",
      "acceptanceCriteria": [
        "File docs/kernel/quickstart.mdx created",
        "Covers: install packages, create kernel with VFS, mount WasmVM and Node drivers, kernel.exec(), kernel.spawn() with streaming, cross-runtime example, VFS file read/write, kernel.dispose()",
        "Follows Mintlify MDX style (50-70% code, short prose, working examples)",
        "Typecheck passes"
      ],
      "priority": 16,
      "passes": true,
      "notes": "P3 \u2014 code-heavy style matching sandbox-agent/docs"
    },
    {
      "id": "US-017",
      "title": "Write kernel API reference",
      "description": "As a user, I need a complete API reference for all kernel types, methods, and interfaces.",
      "acceptanceCriteria": [
        "File docs/kernel/api-reference.mdx created",
        "Covers: createKernel(options), Kernel methods, ExecOptions/ExecResult, SpawnOptions/ManagedProcess, RuntimeDriver/DriverProcess, KernelInterface syscalls, ProcessContext, Permission types",
        "Follows Mintlify MDX style",
        "Typecheck passes"
      ],
      "priority": 17,
      "passes": true,
      "notes": "P3 \u2014 full type reference for kernel package"
    },
    {
      "id": "US-018",
      "title": "Write cross-runtime integration guide",
      "description": "As a user, I need a guide explaining how to use multiple runtimes together through the kernel.",
      "acceptanceCriteria": [
        "File docs/kernel/cross-runtime.mdx created",
        "Covers: mount order and command resolution table, child_process routing, cross-runtime pipes, VFS sharing, npm run scripts round-trip, error/exit code propagation, stdin streaming",
        "Follows Mintlify MDX style",
        "Typecheck passes"
      ],
      "priority": 18,
      "passes": true,
      "notes": "P3"
    },
    {
      "id": "US-019",
      "title": "Write custom RuntimeDriver guide",
      "description": "As a user, I need a guide for implementing a custom RuntimeDriver with the kernel.",
      "acceptanceCriteria": [
        "File docs/kernel/custom-runtime.mdx created",
        "Covers: RuntimeDriver interface contract, minimal echo driver example, KernelInterface syscalls, ProcessContext/DriverProcess lifecycle, stdio routing, command registration, testing patterns",
        "Follows Mintlify MDX style",
        "Typecheck passes"
      ],
      "priority": 19,
      "passes": true,
      "notes": "P3"
    },
    {
      "id": "US-020",
      "title": "Add kernel group to docs.json navigation",
      "description": "As a user, I need the kernel docs visible in the sidebar navigation.",
      "acceptanceCriteria": [
        "docs.json has new 'Kernel' group between 'Features' and 'Reference'",
        "Group includes quickstart, api-reference, cross-runtime, custom-runtime pages",
        "Typecheck passes"
      ],
      "priority": 20,
      "passes": true,
      "notes": "P3 \u2014 update existing docs/docs.json"
    },
    {
      "id": "US-021",
      "title": "Add process group and session ID tracking to kernel",
      "description": "As a developer, I need pgid/sid tracking and setpgid/setsid/getpgid/getsid syscalls for job control support.",
      "acceptanceCriteria": [
        "ProcessEntry has pgid and sid fields, defaulting to parent's values",
        "setpgid(pid, pgid) works: process can create new group or join existing group",
        "setsid(pid) creates new session: sid=pid, pgid=pid",
        "kill(-pgid, signal) delivers signal to all processes in group",
        "getpgid(pid) and getsid(pid) return correct values",
        "Child inherits parent's pgid and sid by default",
        "Test: create process group, spawn 3 children in it, kill(-pgid, SIGTERM) \u2192 all 3 receive signal",
        "Test: setsid creates new session, process becomes session leader",
        "Test: setpgid with invalid pgid \u2192 EPERM",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 21,
      "passes": true,
      "notes": "P4 \u2014 packages/kernel/src/process-table.ts. Prerequisite for PTY/interactive shell."
    },
    {
      "id": "US-022",
      "title": "Create PTY device layer \u2014 master/slave pair and bidirectional I/O",
      "description": "As a developer, I need a PtyManager that allocates PTY master/slave FD pairs with bidirectional data flow.",
      "acceptanceCriteria": [
        "openpty(pid) returns master FD, slave FD, and /dev/pts/N path",
        "Writing to master \u2192 readable from slave (input direction)",
        "Writing to slave \u2192 readable from master (output direction)",
        "isatty(slaveFd) returns true, isatty(pipeFd) returns false",
        "Multiple PTY pairs can coexist (separate /dev/pts/0, /dev/pts/1, etc.)",
        "Master close \u2192 slave reads get EIO (terminal hangup)",
        "Slave close \u2192 master reads get EIO",
        "Test: open PTY, write 'hello\\n' to master, read from slave \u2192 'hello\\n'",
        "Test: open PTY, write 'hello\\n' to slave, read from master \u2192 'hello\\n'",
        "Test: isatty on slave FD returns true",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 22,
      "passes": true,
      "notes": "P4 \u2014 new packages/kernel/src/pty.ts. Core infrastructure; line discipline in next story."
    },
    {
      "id": "US-023",
      "title": "Add PTY line discipline \u2014 canonical mode, raw mode, echo, and signal generation",
      "description": "As a developer, I need the PTY to support canonical/raw modes, echo, and signal character handling.",
      "acceptanceCriteria": [
        "Canonical mode: input buffered until newline, backspace erases last char",
        "Raw mode: bytes pass through immediately with no buffering",
        "Echo mode: input bytes echoed back through master for display",
        "^C in canonical mode \u2192 SIGINT delivered to foreground process group",
        "^Z \u2192 SIGTSTP, ^\\ \u2192 SIGQUIT, ^D at start of line \u2192 EOF",
        "Test: raw mode \u2014 write single byte to master, immediately readable from slave",
        "Test: canonical mode \u2014 write 'ab\\x7fc\\n' \u2192 slave reads 'ac\\n'",
        "Test: ^C on master \u2192 SIGINT to foreground pgid",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 23,
      "passes": true,
      "notes": "P4 \u2014 extends pty.ts from US-022. Depends on US-021 for process group signal delivery."
    },
    {
      "id": "US-024",
      "title": "Add termios support (terminal attributes)",
      "description": "As a developer, I need tcgetattr/tcsetattr/tcsetpgrp/tcgetpgrp syscalls so processes can configure terminal behavior.",
      "acceptanceCriteria": [
        "Default termios: canonical mode on, echo on, isig on, standard control characters",
        "tcsetattr with icanon: false switches to raw mode \u2014 immediate byte delivery",
        "tcsetattr with echo: false disables echo",
        "tcsetpgrp sets foreground process group \u2014 ^C delivers SIGINT to that group only",
        "Programs can read current termios via tcgetattr",
        "Test: spawn on PTY in canonical mode, verify line buffering",
        "Test: switch to raw mode via tcsetattr, verify immediate byte delivery",
        "Test: disable echo, verify master doesn't receive echo bytes",
        "Test: tcsetpgrp changes which group receives ^C",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 24,
      "passes": true,
      "notes": "P4 \u2014 new packages/kernel/src/termios.ts. Wire into KernelInterface and WasmVM host imports. Depends on US-022/023."
    },
    {
      "id": "US-025",
      "title": "Add kernel.openShell() interactive shell integration",
      "description": "As a developer, I need a convenience method that wires PTY + process groups + termios for interactive shell use.",
      "acceptanceCriteria": [
        "kernel.openShell() returns handle with write/onData/resize/kill/wait",
        "Shell process sees isatty(0) === true",
        "Writing 'echo hello\\n' to handle \u2192 onData receives 'hello\\n' (plus prompt/echo)",
        "Writing ^C \u2192 shell receives SIGINT (doesn't exit, just cancels current line)",
        "Writing ^D on empty line \u2192 shell exits (EOF)",
        "resize() \u2192 SIGWINCH delivered to foreground process group",
        "Test: open shell, write 'echo hello\\n', verify output contains 'hello'",
        "Test: open shell, write ^C, verify shell still running",
        "Test: open shell, write ^D, verify shell exits",
        "Test: resize, verify SIGWINCH delivered",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 25,
      "passes": true,
      "notes": "P4 \u2014 packages/kernel/src/kernel.ts. Depends on US-021 (process groups), US-022/023 (PTY), US-024 (termios)."
    },
    {
      "id": "US-026",
      "title": "Create kernel.connectTerminal() and CLI interactive shell",
      "description": "As a developer, I need a reusable connectTerminal() method and a CLI entry point so I can get an interactive shell inside the kernel from any Node program or from the command line.",
      "acceptanceCriteria": [
        "kernel.connectTerminal(options?) exported \u2014 wires openShell() to process.stdin/stdout/resize, returns Promise<number> (exit code)",
        "connectTerminal sets raw mode, forwards stdin, forwards stdout, handles resize, restores terminal on exit",
        "connectTerminal accepts same options as openShell (command, args, env, cols, rows) plus onData override",
        "Script at scripts/shell.ts uses kernel.connectTerminal() as a one-liner CLI entry point",
        "Running the script drops into an interactive shell inside the kernel",
        "process.stdin set to raw mode \u2014 arrow keys, tab, backspace pass through correctly",
        "^C sends SIGINT (cancels command, does not exit shell)",
        "^D on empty line exits the shell",
        "Window resize triggers shell.resize() with current terminal dimensions",
        "node -e \"console.log(42)\" works interactively (cross-runtime via kernel)",
        "Shell exit restores terminal to normal mode and exits with shell exit code",
        "Accepts --wasm-path and --no-node flags",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 26,
      "passes": true,
      "notes": "P4 \u2014 depends on US-025 (kernel.openShell). kernel.connectTerminal() is the reusable API; scripts/shell.ts is the CLI wrapper that calls it."
    },
    {
      "id": "US-027",
      "title": "Implement /dev/fd pseudo-directory",
      "description": "As a developer, I need /dev/fd/N paths to work so bash process substitution and heredoc patterns function correctly.",
      "acceptanceCriteria": [
        "readFile('/dev/fd/0') reads from the process's stdin FD",
        "readFile('/dev/fd/N') where N is an open file FD \u2192 returns file content at current cursor",
        "stat('/dev/fd/N') returns stat for the underlying file",
        "readDir('/dev/fd') lists open FD numbers as directory entries",
        "open('/dev/fd/N') equivalent to dup(N)",
        "Reading /dev/fd/N where N is not open \u2192 EBADF",
        "Test: open file as FD 5, read via /dev/fd/5 \u2192 same content",
        "Test: create pipe, write to write end, read via /dev/fd/<readEnd> \u2192 pipe data",
        "Test: readDir('/dev/fd') lists 0, 1, 2 at minimum",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 27,
      "passes": true,
      "notes": "P4 \u2014 packages/kernel/src/device-layer.ts. Requires PID context in device layer operations."
    },
    {
      "id": "US-028",
      "title": "Implement fdPread and fdPwrite (positional I/O)",
      "description": "As a developer, I need positional read/write that operates at a given offset without moving the FD cursor.",
      "acceptanceCriteria": [
        "fdPread(pid, fd, length, offset) reads at offset without changing FD cursor",
        "fdPwrite(pid, fd, data, offset) writes at offset without changing FD cursor",
        "After pread/pwrite, subsequent fdRead/fdWrite continues from original cursor position",
        "fdPread on pipe \u2192 ESPIPE",
        "fdPwrite on pipe \u2192 ESPIPE",
        "Test: write 'hello world', fdPread(0, 5) \u2192 'hello', then fdRead \u2192 'hello world' (cursor at 0)",
        "Test: fdPread(6, 5) \u2192 'world', cursor unchanged",
        "Test: fdPwrite at offset 6, fdRead from 0 \u2192 written bytes visible at offset 6",
        "Test: fdPread on pipe FD \u2192 ESPIPE",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 28,
      "passes": true,
      "notes": "P4 \u2014 packages/kernel/src/fd-table.ts, kernel.ts, wasmvm kernel-worker. Wire into existing WasmVM stubs."
    },
    {
      "id": "US-029",
      "title": "Write PTY and interactive shell documentation",
      "description": "As a user, I need docs for PTY support, openShell(), terminal configuration, and process group job control.",
      "acceptanceCriteria": [
        "File docs/kernel/interactive-shell.mdx created",
        "Covers: what PTY enables, kernel.openShell() quickstart, wiring to terminal UI, process groups/job control, termios config, resize/SIGWINCH, full Node.js CLI example",
        "Follows Mintlify MDX style",
        "Typecheck passes"
      ],
      "priority": 29,
      "passes": true,
      "notes": "P5 \u2014 depends on US-025 (openShell implementation)"
    },
    {
      "id": "US-030",
      "title": "Update kernel API reference for new P4 syscalls",
      "description": "As a user, I need the API reference updated with openpty, termios, process group, and positional I/O syscalls.",
      "acceptanceCriteria": [
        "docs/kernel/api-reference.mdx updated with: kernel.openShell(), openpty(pid), tcgetattr/tcsetattr/tcsetpgrp/tcgetpgrp, setpgid/setsid/getpgid/getsid, fdPread/fdPwrite",
        "Device layer notes for /dev/fd, /dev/ptmx, /dev/pts/*",
        "Termios type reference added",
        "Typecheck passes"
      ],
      "priority": 30,
      "passes": true,
      "notes": "P5 \u2014 update existing docs/kernel/api-reference.mdx. Depends on US-017 and P4 stories."
    },
    {
      "id": "US-031",
      "title": "Add global host resource budgets to bridge path",
      "description": "As a developer, I need configurable caps on output bytes, bridge calls, timers, and child processes to prevent host resource exhaustion.",
      "acceptanceCriteria": [
        "ResourceBudget config added to NodeRuntimeOptions: maxOutputBytes, maxBridgeCalls, maxTimers, maxChildProcesses",
        "Exceeding maxOutputBytes \u2192 subsequent writes silently dropped or error returned",
        "Exceeding maxChildProcesses \u2192 child_process.spawn() returns error",
        "Exceeding maxTimers \u2192 setInterval/setTimeout throws, existing timers continue",
        "Exceeding maxBridgeCalls \u2192 bridge returns error, isolate can catch",
        "Kernel: maxProcesses option added to KernelOptions",
        "Test: set maxOutputBytes=100, write 200 bytes \u2192 only first 100 captured",
        "Test: set maxChildProcesses=3, spawn 5 \u2192 first 3 succeed, last 2 error",
        "Test: set maxTimers=5, create 10 intervals \u2192 first 5 succeed, rest throw",
        "Test: kernel maxProcesses=10, spawn 15 \u2192 first 10 succeed, rest throw EAGAIN",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 31,
      "passes": true,
      "notes": "P6 \u2014 packages/secure-exec/src/node/execution-driver.ts, bridge/process.ts, shared/permissions.ts"
    },
    {
      "id": "US-032",
      "title": "Enforce maxBuffer on child-process output buffering",
      "description": "As a developer, I need execSync/spawnSync to enforce maxBuffer to prevent host memory exhaustion from unbounded output.",
      "acceptanceCriteria": [
        "execSync with default maxBuffer (1MB): output >1MB \u2192 throws ERR_CHILD_PROCESS_STDIO_MAXBUFFER",
        "execSync with maxBuffer: 100 \u2014 output >100 bytes \u2192 throws",
        "spawnSync respects maxBuffer on stdout and stderr independently",
        "Async exec(cmd, cb) enforces maxBuffer, kills child on exceed",
        "Test: execSync producing 2MB output with maxBuffer=1MB \u2192 throws correct error code",
        "Test: spawnSync with small maxBuffer \u2192 truncated with correct error",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 32,
      "passes": true,
      "notes": "P6 \u2014 packages/secure-exec/src/bridge/child-process.ts (710 lines, @ts-nocheck). Lines ~348-357."
    },
    {
      "id": "US-033",
      "title": "Add missing fs APIs: cp, mkdtemp, opendir",
      "description": "As a developer, I need cp (recursive copy), mkdtemp (temp directory), and opendir (async Dir iterator) in the bridge for Node.js compatibility.",
      "acceptanceCriteria": [
        "fs.cp/cpSync recursively copies directories with { recursive: true }",
        "fs.mkdtemp/mkdtempSync('/tmp/prefix-') creates unique directory with random suffix",
        "fs.opendir returns async iterable of Dirent objects",
        "All APIs match Node.js signatures",
        "Available on fs, fs/promises, and callback forms where applicable",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 33,
      "passes": true,
      "notes": "P6 \u2014 packages/secure-exec/src/bridge/fs.ts. First batch of 8 missing fs APIs."
    },
    {
      "id": "US-034",
      "title": "Add missing fs APIs: glob, statfs, readv, fdatasync, fsync",
      "description": "As a developer, I need glob, statfs, readv, fdatasync, and fsync in the bridge for Node.js compatibility.",
      "acceptanceCriteria": [
        "fs.glob/globSync('**/*.js') returns matching file paths",
        "fs.statfs/statfsSync returns object with bsize, blocks, bfree, bavail, type fields",
        "fs.readv/readvSync reads into multiple buffers sequentially",
        "fs.fdatasync/fdatasyncSync and fs.fsync/fsyncSync resolve without error (no-op for in-memory VFS)",
        "All APIs match Node.js signatures",
        "Available on fs, fs/promises, and callback forms where applicable",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 34,
      "passes": true,
      "notes": "P6 \u2014 packages/secure-exec/src/bridge/fs.ts. Second batch of missing fs APIs."
    },
    {
      "id": "US-035",
      "title": "Wire deferred fs APIs (chmod, chown, link, symlink, readlink, truncate, utimes) through bridge",
      "description": "As a developer, I need the fs APIs that currently throw 'not supported' to delegate to the VFS instead.",
      "acceptanceCriteria": [
        "fs.chmodSync('/tmp/f', 0o755) succeeds (delegates to VFS)",
        "fs.symlinkSync creates symlink, fs.readlinkSync returns target",
        "fs.linkSync creates hard link",
        "fs.truncateSync truncates file",
        "fs.utimesSync updates timestamps",
        "fs.chownSync updates ownership",
        "fs.watch still throws with clear message ('not supported \u2014 use polling')",
        "All available in sync, async callback, and promises forms",
        "Permissions checks applied (denied when permissions.fs blocks)",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 35,
      "passes": true,
      "notes": "P6 \u2014 packages/secure-exec/src/bridge/fs.ts. Remove 'not supported' throws, wire to VFS."
    },
    {
      "id": "US-036",
      "title": "Add Express project-matrix fixture",
      "description": "As a developer, I need an Express fixture to catch compatibility regressions for the most common Node.js framework.",
      "acceptanceCriteria": [
        "packages/secure-exec/tests/projects/express-pass/ created with package.json and index.js",
        "Express app with 2-3 routes, makes requests, verifies responses, prints deterministic stdout, exits 0",
        "Fixture passes in host Node (node index.js \u2192 exit 0, expected stdout)",
        "Fixture passes through kernel project-matrix (e2e-project-matrix.test.ts)",
        "Fixture passes through secure-exec project-matrix (project-matrix.test.ts)",
        "Stdout parity between host and sandbox",
        "No sandbox-aware branches in fixture code",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 36,
      "passes": true,
      "notes": "P6 \u2014 packages/secure-exec/tests/projects/. Must be sandbox-blind."
    },
    {
      "id": "US-037",
      "title": "Add Fastify project-matrix fixture",
      "description": "As a developer, I need a Fastify fixture to catch compatibility issues in async middleware, schema validation, and structured logging.",
      "acceptanceCriteria": [
        "packages/secure-exec/tests/projects/fastify-pass/ created with package.json and index.js",
        "Fastify app with routes, async handlers, makes requests, verifies responses, exits 0",
        "Fixture passes host parity, sandbox-blind, passes both project matrices",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 37,
      "passes": true,
      "notes": "P6 \u2014 same pattern as Express fixture (US-035)"
    },
    {
      "id": "US-038",
      "title": "Add pnpm and bun package manager layout fixtures",
      "description": "As a developer, I need fixtures testing pnpm symlink-based and bun hardlink-based node_modules layouts.",
      "acceptanceCriteria": [
        "packages/secure-exec/tests/projects/pnpm-layout-pass/ \u2014 require('left-pad') resolves through symlinked .pnpm/ structure",
        "packages/secure-exec/tests/projects/bun-layout-pass/ \u2014 require('left-pad') resolves through bun's layout",
        "Both pass host parity comparison",
        "Both pass through kernel and secure-exec project matrices",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 38,
      "passes": true,
      "notes": "P6 \u2014 Yarn PnP out of scope (needs .pnp.cjs loader hook support)"
    },
    {
      "id": "US-039",
      "title": "Remove @ts-nocheck from polyfills.ts and os.ts",
      "description": "As a developer, I need type safety restored on these security-critical bridge files.",
      "acceptanceCriteria": [
        "@ts-nocheck removed from packages/secure-exec/src/bridge/polyfills.ts",
        "@ts-nocheck removed from packages/secure-exec/src/bridge/os.ts",
        "Zero type errors from tsc --noEmit",
        "No runtime behavior changes \u2014 existing tests still pass",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 39,
      "passes": true,
      "notes": "P6 \u2014 only add type annotations and casts, do NOT change runtime behavior"
    },
    {
      "id": "US-040",
      "title": "Remove @ts-nocheck from child-process.ts",
      "description": "As a developer, I need type safety restored on the 710-line child-process bridge file.",
      "acceptanceCriteria": [
        "@ts-nocheck removed from packages/secure-exec/src/bridge/child-process.ts",
        "Zero type errors from tsc --noEmit",
        "No runtime behavior changes \u2014 existing tests still pass",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 40,
      "passes": true,
      "notes": "P6 \u2014 largest bridge file (710 lines). Only type annotations/casts, no behavior changes."
    },
    {
      "id": "US-041",
      "title": "Remove @ts-nocheck from process.ts and network.ts",
      "description": "As a developer, I need type safety restored on the remaining bridge files.",
      "acceptanceCriteria": [
        "@ts-nocheck removed from packages/secure-exec/src/bridge/process.ts",
        "@ts-nocheck removed from packages/secure-exec/src/bridge/network.ts",
        "Zero type errors from tsc --noEmit",
        "No runtime behavior changes \u2014 existing tests still pass",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 41,
      "passes": true,
      "notes": "P6 \u2014 final two @ts-nocheck files"
    },
    {
      "id": "US-042",
      "title": "Fix v8.serialize/deserialize to use structured clone semantics",
      "description": "As a developer, I need v8.serialize to handle Map, Set, RegExp, Date, circular refs, BigInt, etc. instead of using JSON.",
      "acceptanceCriteria": [
        "v8.serialize(new Map([['a', 1]])) \u2192 roundtrips to Map { 'a' => 1 }",
        "v8.serialize(new Set([1, 2])) \u2192 roundtrips to Set { 1, 2 }",
        "v8.serialize(/foo/gi) \u2192 roundtrips to /foo/gi",
        "v8.serialize(new Date(0)) \u2192 roundtrips to Date(0)",
        "Circular references survive roundtrip",
        "undefined, NaN, Infinity, -Infinity, BigInt preserved",
        "ArrayBuffer and typed arrays preserved",
        "Test: roundtrip each type above",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 42,
      "passes": true,
      "notes": "P7 \u2014 packages/secure-exec/isolate-runtime/src/inject/bridge-initial-globals.ts. Currently uses JSON.stringify/parse."
    },
    {
      "id": "US-043",
      "title": "Implement HTTP Agent pooling, upgrade, and trailer APIs",
      "description": "As a developer, I need http.Agent connection pooling, HTTP upgrade (WebSocket), trailer headers, and socket events for compatibility with ws, got, axios.",
      "acceptanceCriteria": [
        "new http.Agent({ keepAlive: true, maxSockets: 5 }) limits concurrent connections",
        "Request with Connection: upgrade and 101 response \u2192 upgrade event fires",
        "Response with trailer headers \u2192 response.trailers populated",
        "request.on('socket', cb) fires with socket-like object",
        "Test: Agent with maxSockets=1, two concurrent requests \u2192 second waits for first",
        "Test: upgrade request \u2192 upgrade event fires with response and socket",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 43,
      "passes": true,
      "notes": "P7 \u2014 packages/secure-exec/src/bridge/network.ts"
    },
    {
      "id": "US-044",
      "title": "Create codemod example project",
      "description": "As a user, I need an example showing how to use secure-exec for safe code transformations.",
      "acceptanceCriteria": [
        "examples/codemod/ created with package.json and src/index.ts",
        "Example reads source file, writes to sandbox VFS, executes codemod, reads result, prints diff",
        "pnpm --filter codemod-example start runs successfully",
        "Sandbox prevents codemod from accessing host filesystem",
        "Typecheck passes"
      ],
      "priority": 44,
      "passes": true,
      "notes": "P7 \u2014 demonstrates primary use case: running untrusted/generated code safely"
    },
    {
      "id": "US-045",
      "title": "Split NodeExecutionDriver into focused modules",
      "description": "As a developer, I need the 1756-line monolith broken into isolate-bootstrap, module-resolver, esm-compiler, bridge-setup, and execution-lifecycle modules.",
      "acceptanceCriteria": [
        "execution-driver.ts reduced to <300 lines (facade + wiring)",
        "Extracted modules: isolate-bootstrap.ts, module-resolver.ts, esm-compiler.ts, bridge-setup.ts, execution-lifecycle.ts",
        "Each module has a clear single responsibility",
        "All existing tests pass without modification",
        "No runtime behavior changes \u2014 pure extraction refactor",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 45,
      "passes": true,
      "notes": "P8 \u2014 packages/secure-exec/src/node/execution-driver.ts. Pure extraction, no behavior changes."
    },
    {
      "id": "US-046",
      "title": "Add O(1) ESM module reverse lookup",
      "description": "As a developer, I need reverse lookup to use a Map instead of scanning, to avoid quadratic behavior on large import graphs.",
      "acceptanceCriteria": [
        "Reverse lookup uses Map.get() not Array.find() or iteration",
        "Performance: 1000-module import graph resolves in <10ms",
        "All existing ESM tests pass",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 46,
      "passes": true,
      "notes": "P8 \u2014 packages/secure-exec/src/node/execution-driver.ts (or extracted module-resolver.ts after US-044)"
    },
    {
      "id": "US-047",
      "title": "Add resolver memoization (negative/positive caches)",
      "description": "As a developer, I need require/import resolution to cache results and avoid repeated miss probes.",
      "acceptanceCriteria": [
        "Same require('nonexistent') called twice \u2192 only one VFS probe",
        "Same require('express') called twice \u2192 only one resolution walk",
        "package.json in same directory read once, reused for subsequent resolves",
        "Caches are per-execution (cleared on dispose)",
        "All existing module resolution tests pass",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 47,
      "passes": true,
      "notes": "P8 \u2014 packages/secure-exec/src/package-bundler.ts, shared/require-setup.ts, node/execution-driver.ts"
    },
    {
      "id": "US-048",
      "title": "Fix zombie timer cleanup tests to actually verify timer clearing",
      "description": "As a developer, I need the zombie timer cleanup tests to verify timers are actually cleared, not just that dispose() doesn't throw.",
      "acceptanceCriteria": [
        "ProcessTable exposes zombieTimerCount getter (or equivalent) for test observability",
        "Test: spawn process, let it exit \u2192 zombieTimerCount > 0 (timer was scheduled)",
        "Test: call kernel.dispose() \u2192 zombieTimerCount === 0 (timer was cleared)",
        "Test: with vi.useFakeTimers(), advance 60s after dispose \u2192 no callbacks fire, no errors",
        "Tests would FAIL if timers are not actually cleared during dispose",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 48,
      "passes": true,
      "notes": "P9 \u2014 US-013 implementation was pass-vacuous. Tests only checked dispose() didn't throw. packages/kernel/test/kernel-integration.test.ts and packages/kernel/src/process-table.ts"
    },
    {
      "id": "US-049",
      "title": "Fix pnpm layout fixture with real pnpm symlink structure",
      "description": "As a developer, I need the pnpm fixture to have a real pnpm-installed node_modules layout so it actually tests symlink-based module resolution.",
      "acceptanceCriteria": [
        "pnpm-lock.yaml exists in packages/secure-exec/tests/projects/pnpm-layout-pass/",
        "node_modules/.pnpm/ directory exists with real symlink structure",
        "node_modules/left-pad is a symlink (not a regular directory)",
        "fixture.json specifies packageManager: pnpm",
        "require(\"left-pad\") resolves through the symlink chain in index.js",
        "Fixture passes host parity comparison (node index.js \u2192 exit 0)",
        "Fixture passes through kernel and secure-exec project matrices",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 49,
      "passes": true,
      "notes": "P9 \u2014 US-038 pnpm fixture was a stub with no .pnpm/ structure or pnpm-lock.yaml. packages/secure-exec/tests/projects/pnpm-layout-pass/"
    },
    {
      "id": "US-050",
      "title": "Fix bun layout fixture with real bun-installed structure",
      "description": "As a developer, I need the bun fixture to have a real bun-installed node_modules layout and correct fixture.json metadata.",
      "acceptanceCriteria": [
        "bun.lockb exists in packages/secure-exec/tests/projects/bun-layout-pass/",
        "fixture.json specifies packageManager: bun (was incorrectly set to npm)",
        "node_modules/left-pad installed via bun layout",
        "require(\"left-pad\") resolves correctly in index.js",
        "Fixture passes host parity comparison (node index.js \u2192 exit 0)",
        "Fixture passes through kernel and secure-exec project matrices",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 50,
      "passes": true,
      "notes": "P9 \u2014 US-038 bun fixture was misnamed. fixture.json said npm, no bun.lockb. packages/secure-exec/tests/projects/bun-layout-pass/"
    },
    {
      "id": "US-051",
      "title": "Express and Fastify fixtures should use real HTTP servers",
      "description": "As a developer, I need the framework fixtures to start real HTTP servers and make real requests so the network stack is exercised.",
      "acceptanceCriteria": [
        "Express fixture starts server on port 0 (auto-assign), makes real http.get requests, verifies response status and body",
        "Fastify fixture starts server on port 0, makes real http.get requests, verifies response status and body",
        "Both fixtures close server and exit cleanly after tests",
        "Both still sandbox-blind (no sandbox-specific code)",
        "Both still pass host parity comparison",
        "Both pass through kernel and secure-exec project matrices",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 51,
      "passes": true,
      "notes": "P9 \u2014 US-036/037 used EventEmitter mock dispatchers instead of real HTTP. packages/secure-exec/tests/projects/express-pass/ and fastify-pass/"
    },
    {
      "id": "US-052",
      "title": "Create @secure-exec/core package and move shared types + utilities",
      "description": "As a developer, I need a core package that owns the shared types, constants, and utilities so runtime-specific packages can depend on it without pulling in each other.",
      "acceptanceCriteria": [
        "Create packages/secure-exec-core/ with package.json (name: @secure-exec/core, deps: buffer, sucrase, text-encoding-utf-8, whatwg-url)",
        "Create tsconfig.json extending root tsconfig",
        "Extract TIMEOUT_ERROR_MESSAGE and TIMEOUT_EXIT_CODE from isolate.ts into core src/shared/constants.ts",
        "Move types.ts and runtime-driver.ts to core/src/",
        "Move all shared/* files (api-types, bridge-contract, permissions, in-memory-fs, console-formatter, esm-utils, errors, global-exposure, require-setup) to core/src/shared/",
        "Add @secure-exec/core workspace dependency to secure-exec package.json",
        "Add @secure-exec/core to turbo.json pipeline (core builds before secure-exec)",
        "Update secure-exec barrel (src/index.ts) to re-export moved types/utilities from @secure-exec/core",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 52,
      "passes": true,
      "notes": "Phase 1a of package-split spec (docs-internal/specs/package-split.md). Shared files have zero isolated-vm imports. Leave bridge/, generated/, isolate-runtime/, facades, and module resolution for subsequent stories."
    },
    {
      "id": "US-053",
      "title": "Move bridge guest code, generated artifacts, and build scripts to core",
      "description": "As a developer, I need the bridge guest polyfills and generated build artifacts in core so both Node and Browser runtimes can consume them.",
      "acceptanceCriteria": [
        "Move bridge/ directory (all guest-side polyfill files, zero ivm imports) to core/src/bridge/",
        "Move generated/ directory (isolate-runtime.ts, polyfills.ts) to core/src/generated/",
        "Move isolate-runtime/ source TypeScript directory to core/src/isolate-runtime/",
        "Move scripts/build-polyfills.mjs and scripts/build-isolate-runtime.mjs to core/scripts/",
        "Update core build pipeline to run build:polyfills and build:isolate-runtime before tsc",
        "Remove these build steps from secure-exec build pipeline",
        "Update secure-exec barrel to re-export any generated code exports from core",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 53,
      "passes": true,
      "notes": "Phase 1b. Bridge guest code has zero ivm imports \u2014 Node injects via context.eval(), Browser imports directly. Generated code is used by both Node and Browser."
    },
    {
      "id": "US-054",
      "title": "Move runtime facades and module resolution to core",
      "description": "As a developer, I need the NodeRuntime facade and module resolution logic in core since they are runtime-agnostic.",
      "acceptanceCriteria": [
        "Move runtime.ts (NodeRuntime facade) to core \u2014 export both Runtime and NodeRuntime",
        "Move python-runtime.ts to core",
        "Move fs-helpers.ts to core",
        "Move esm-compiler.ts (the ivm-free top-level one, NOT node/esm-compiler.ts) to core",
        "Move module-resolver.ts to core",
        "Move package-bundler.ts to core",
        "Move bridge-setup.ts (the generated code loader at src/bridge-setup.ts, NOT node/bridge-setup.ts) to core",
        "Update cross-references within moved files to use core-local paths",
        "Update secure-exec barrel re-exports",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 54,
      "passes": true,
      "notes": "Phase 1c. runtime.ts has zero ivm imports \u2014 it accepts any NodeRuntimeDriverFactory and delegates. Both Node (createNodeRuntimeDriverFactory) and Browser (createBrowserRuntimeDriverFactory) plug into it."
    },
    {
      "id": "US-055",
      "title": "Configure @secure-exec/core subpath exports for internal modules",
      "description": "As a developer, I need core to expose internal modules via subpath exports so runtime packages can import them without making them public API.",
      "acceptanceCriteria": [
        "Add exports map to core package.json with internal/* subpaths (e.g. @secure-exec/core/internal/bridge-loader, @secure-exec/core/internal/generated/isolate-runtime, @secure-exec/core/internal/package-bundler, @secure-exec/core/internal/shared/*)",
        "Verify all existing imports from \"secure-exec\" continue to work unchanged",
        "Verify tests that import from ../../src/shared/ or similar internal paths still resolve (update to @secure-exec/core subpaths if needed)",
        "Typecheck passes",
        "All tests pass"
      ],
      "priority": 55,
      "passes": true,
      "notes": "Phase 1d \u2014 final core story. The internal/ prefix signals these are not stable public API. Runtime packages use them but external consumers should not."
    },
    {
      "id": "US-056",
      "title": "Create @secure-exec/node package and move V8 execution engine",
      "description": "As a developer, I need V8-specific execution code in its own package so consumers who do not use Node/V8 do not pull in isolated-vm.",
      "acceptanceCriteria": [
        "Create packages/secure-exec-node/ with package.json (name: @secure-exec/node, deps: @secure-exec/core, isolated-vm, esbuild, node-stdlib-browser)",
        "Create tsconfig.json extending root config",
        "Move execution.ts (V8 execution loop with ExecutionRuntime) to node package",
        "Move isolate.ts (createIsolate, deadline/timeout utilities) to node package",
        "Move bridge-loader.ts (esbuild bridge compilation) to node package",
        "Move polyfills.ts (esbuild stdlib bundling) to node package",
        "Update imports to use @secure-exec/core for shared types/utilities",
        "Add @secure-exec/node to turbo.json pipeline (depends on core)",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 56,
      "passes": true,
      "notes": "Phase 2a. execution.ts ExecutionRuntime interface uses ivm.Isolate, ivm.Context, ivm.Module, ivm.Reference throughout \u2014 fully V8-specific."
    },
    {
      "id": "US-057",
      "title": "Move node/ directory and bridge compilation to @secure-exec/node",
      "description": "As a developer, I need all node/-scoped files (execution-driver, bridge-setup, esm-compiler, driver, etc.) in the node package.",
      "acceptanceCriteria": [
        "Move node/execution-driver.ts, node/bridge-setup.ts, node/esm-compiler.ts, node/driver.ts, node/execution-lifecycle.ts, node/isolate-bootstrap.ts, node/module-access.ts, node/module-resolver.ts to @secure-exec/node",
        "Set up build:bridge step in node package that compiles core bridge source into IIFE",
        "Update internal cross-references to use @secure-exec/core subpath imports where needed",
        "Update secure-exec barrel to re-export NodeExecutionDriver, createNodeDriver, createNodeRuntimeDriverFactory, NodeFileSystem, createDefaultNetworkAdapter from @secure-exec/node",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 57,
      "passes": true,
      "notes": "Phase 2b. The build:bridge step should use option 3 from spec: core exports getRawBridgeCode() and node imports it. node/bridge-setup.ts is the ivm.Reference wiring file (~780 lines)."
    },
    {
      "id": "US-058",
      "title": "Update kernel adapter to depend on @secure-exec/node",
      "description": "As a developer, I need the kernel adapter to import from the split packages to avoid pulling in pyodide/browser code.",
      "acceptanceCriteria": [
        "Update packages/runtime/node/package.json: replace secure-exec dependency with @secure-exec/node + @secure-exec/core",
        "Update imports in packages/runtime/node/src/driver.ts: NodeExecutionDriver, createNodeDriver from @secure-exec/node; types and permissions from @secure-exec/core",
        "Verify packages/runtime/node/ no longer transitively depends on pyodide or browser code",
        "Typecheck passes",
        "All Node tests pass"
      ],
      "priority": 58,
      "passes": true,
      "notes": "Phase 2c. This is the primary motivating consumer \u2014 the kernel adapter should not need to pull in the full secure-exec bundle."
    },
    {
      "id": "US-059",
      "title": "Create @secure-exec/browser package and move browser code",
      "description": "As a developer, I need browser Web Worker code in its own package so Node consumers do not pull it in.",
      "acceptanceCriteria": [
        "Create packages/secure-exec-browser/ with package.json (name: @secure-exec/browser, deps: @secure-exec/core)",
        "Move browser/runtime-driver.ts, browser/driver.ts, browser/worker.ts, browser/worker-protocol.ts to new package",
        "Update worker.ts imports from relative paths (../bridge/index.js, ../generated/*, ../shared/*) to @secure-exec/core subpath imports",
        "Update secure-exec barrel ./browser subpath to re-export from @secure-exec/browser + @secure-exec/core",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 59,
      "passes": true,
      "notes": "Phase 3. Browser worker has its own execution loop (eval + sucrase), never imports isolated-vm. Worker is expected to be bundled \u2014 cross-package imports are transparent to bundlers."
    },
    {
      "id": "US-060",
      "title": "Create @secure-exec/python package and move Pyodide code",
      "description": "As a developer, I need Pyodide code in its own package so non-Python consumers do not pull in pyodide.",
      "acceptanceCriteria": [
        "Create packages/secure-exec-python/ with package.json (name: @secure-exec/python, deps: @secure-exec/core, pyodide)",
        "Move python/driver.ts to new package",
        "Update import of TIMEOUT_ERROR_MESSAGE and TIMEOUT_EXIT_CODE to use @secure-exec/core (shared/constants.ts)",
        "Update secure-exec barrel to re-export createPyodideRuntimeDriverFactory and PyodideRuntimeDriver from @secure-exec/python",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 60,
      "passes": true,
      "notes": "Phase 4. Smallest extraction \u2014 just one file. python-runtime.ts facade already moved to core in US-054."
    },
    {
      "id": "US-061",
      "title": "Clean up secure-exec barrel and update docs and contracts",
      "description": "As a developer, I need the barrel package to be a thin re-export layer and docs/contracts to reflect the new package structure.",
      "acceptanceCriteria": [
        "Verify secure-exec/src/ contains only barrel re-export files (index.ts, browser-runtime.ts) and no source logic",
        "Verify secure-exec/tests/ still runs all test suites successfully",
        "Update docs/quickstart.mdx if core setup flow changed",
        "Update docs/api-reference.mdx with new package import paths",
        "Update docs/runtimes/node.mdx with @secure-exec/node references",
        "Update docs/runtimes/python.mdx with @secure-exec/python references",
        "Update docs-internal/arch/overview.md with new package map showing core/node/browser/python split",
        "Review and update contracts: node-runtime, isolate-runtime-source-architecture, runtime-driver-test-suite-structure",
        "Typecheck passes",
        "All tests pass"
      ],
      "priority": 61,
      "passes": true,
      "notes": "Phase 5. The barrel re-exports everything \u2014 existing \"import from secure-exec\" statements require zero changes. Tests stay centralized per runtime-driver-test-suite-structure contract."
    },
    {
      "id": "US-062",
      "title": "Replace injection policy grep tests with behavioral tests",
      "description": "As a developer, I need isolate-runtime-injection-policy.test.ts to test actual runtime behavior instead of grepping source code.",
      "acceptanceCriteria": [
        "Delete or rewrite all 4 tests in isolate-runtime-injection-policy.test.ts",
        "New tests must execute code through the injection boundary, not regex source files",
        "Test: template-literal eval is actually blocked at runtime (not just absent from source)",
        "Test: bridge setup loaders produce correct isolate runtime source",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 62,
      "passes": true,
      "notes": "Audit F1. All 4 existing tests are source-code greps masquerading as security tests. Zero behavioral verification."
    },
    {
      "id": "US-063",
      "title": "Fix fake option acceptance tests across all runtimes",
      "description": "As a developer, I need driver option tests to verify options actually take effect, not just check driver.name.",
      "acceptanceCriteria": [
        "Fix wasmvm 'accepts custom wasmBinaryPath' test: pass bogus path, spawn, verify error references the path",
        "Fix node 'accepts custom memoryLimit' test: set low limit, allocate beyond it, verify OOM or at minimum verify option is stored/used",
        "Fix python 'accepts custom cpuTimeLimitMs' test: verify the option is actually propagated to the worker",
        "Fix wasmvm 'WASMVM_COMMANDS is exported and frozen' test: add Object.isFrozen() assertion",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 63,
      "passes": true,
      "notes": "Audit F2-F5. These tests only assert driver.name after setting options, proving nothing about enforcement."
    },
    {
      "id": "US-064",
      "title": "Fix wasmvm proc_spawn routing test with spy driver",
      "description": "As a developer, I need the proc_spawn routing test to prove routing actually happens via a spy driver.",
      "acceptanceCriteria": [
        "Rewrite 'proc_spawn routes through kernel.spawn()' test in wasmvm/test/driver.test.ts",
        "Mount a spy driver for a secondary command alongside wasmvm",
        "Run a shell pipeline that invokes the spy command (e.g., echo hello | spycommand)",
        "Verify spy driver received the spawn call with correct args",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 64,
      "passes": true,
      "notes": "Audit F6. Current test just runs 'echo hello' with no spy. Compare to node driver test which correctly uses spy driver."
    },
    {
      "id": "US-065",
      "title": "Fix /dev/null write, ESRCH signal, and minor assertion gaps",
      "description": "As a developer, I need small fake/weak test assertions fixed across kernel tests.",
      "acceptanceCriteria": [
        "Fix /dev/null write test: write data, read back, verify still returns empty",
        "Fix ESRCH signal test: call kernel.kill(99999, 15), verify it throws with ESRCH code",
        "Fix worker-adapter exit/error handler tests: use sentinel values that would fail if handler never fires (not Error fallback that passes regardless)",
        "Fix fd-table stdio test: assert FILETYPE_CHARACTER_DEVICE and correct flags for FDs 0, 1, 2",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 65,
      "passes": true,
      "notes": "Audit F7, F9, W5, W6. Small fixes across multiple test files."
    },
    {
      "id": "US-066",
      "title": "Tighten resource budget assertions and fix negative-only security tests",
      "description": "As a developer, I need resource budget tests to catch real enforcement failures and security tests to make positive assertions.",
      "acceptanceCriteria": [
        "Fix 'silently drops output bytes beyond the limit': assert <= budget + small overhead (not 2x budget)",
        "Fix 'applies to stderr as well': same tightening",
        "Fix 'bridge returns error when budget exceeded': assert exact error count, not just > 0",
        "Fix Python 'cannot access host filesystem' test: add positive assertion expect(stdout).toContain('blocked:') alongside the negative assertion",
        "Fix 'child_process cannot escape to host shell' test: run command that produces different output in sandbox vs host",
        "Fix wasmvm 'pipe read/write freed after process exits' test: add FD table state assertions",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 66,
      "passes": true,
      "notes": "Audit W3, W4, W10, W11. Loose assertions that allow broken enforcement to pass."
    },
    {
      "id": "US-067",
      "title": "Fix high-volume log drop tests and add real network isolation test",
      "description": "As a developer, I need log drop tests to verify output was produced before being dropped, and network tests to verify real isolation.",
      "acceptanceCriteria": [
        "Fix 'drops high-volume logs' tests in test-suite/node/runtime.ts and runtime-driver/node/index.test.ts: attach onStdio hook, verify some events arrive but count is bounded below total",
        "Fix 'executes scripts without runtime-managed stdout buffers': verify the script actually produced output via hook",
        "Add network isolation test: attempt fetch to a real URL from sandbox, verify it is blocked by default (not just data: URI)",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 67,
      "passes": true,
      "notes": "Audit W7, W9. Log tests only check code===0 without verifying output was produced/dropped. Network test uses only data: URIs."
    },
    {
      "id": "US-068",
      "title": "Add sandbox escape security tests",
      "description": "As a developer, I need tests proving that known sandbox escape techniques are blocked.",
      "acceptanceCriteria": [
        "Test: process.binding() is blocked or undefined inside sandbox",
        "Test: process.dlopen() is blocked inside sandbox",
        "Test: constructor.constructor('return this')() does not return host global",
        "Test: Object.prototype.__proto__ manipulation inside sandbox does not affect host objects",
        "Test: require('v8').runInDebugContext is blocked or undefined",
        "All tests must execute real code inside the sandbox and verify the escape fails",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 68,
      "passes": true,
      "notes": "Audit M1, M2. Critical gap for a project named 'secure-exec'."
    },
    {
      "id": "US-069",
      "title": "Add global freeze verification and path traversal tests",
      "description": "As a developer, I need systematic verification that bridge globals are frozen and path traversal attacks are blocked.",
      "acceptanceCriteria": [
        "Test: iterate over all host bridge globals and verify they cannot be overwritten (not just _cryptoRandomFill)",
        "Test: verify bridge globals are non-configurable (Object.getOwnPropertyDescriptor check)",
        "Test: fs.readFileSync('../../../etc/passwd') from sandbox returns EACCES (not file-not-found)",
        "Test: fs.readFileSync('/proc/self/environ') from sandbox returns EACCES",
        "Test: fs.readFileSync with path containing null bytes is rejected",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 69,
      "passes": true,
      "notes": "Audit M3, M4. Only _cryptoRandomFill is tested for freeze. No path traversal attack tests exist."
    },
    {
      "id": "US-070",
      "title": "Add env variable leakage tests for Node runtime",
      "description": "As a developer, I need tests verifying that host environment variables do not leak into sandboxed Node processes.",
      "acceptanceCriteria": [
        "Test: sandboxed code cannot read process.env.PATH from host (should be undefined or filtered)",
        "Test: sandboxed code cannot read process.env.HOME from host",
        "Test: setting env override in exec options only exposes those specific vars",
        "Test: with allowAllEnv permission, verify host env IS accessible (positive control)",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 70,
      "passes": true,
      "notes": "Audit M6. Python has env filtering tests; Node has zero coverage for env leakage."
    },
    {
      "id": "US-071",
      "title": "Add memoryLimit and cpuTimeLimitMs enforcement tests",
      "description": "As a developer, I need tests proving that resource limits actually terminate runaway processes.",
      "acceptanceCriteria": [
        "Test: set memoryLimit to low value (e.g., 32MB), allocate large array inside sandbox, verify OOM termination (non-zero exit code)",
        "Test: set cpuTimeLimitMs to 200ms for Node, run infinite while(true) loop, verify killed within ~500ms (with tolerance)",
        "Test: cpuTimeLimitMs does not kill a fast-completing script that finishes well under the limit",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 71,
      "passes": true,
      "notes": "Audit M7, M8. Both options are accepted by constructors but never tested for enforcement."
    },
    {
      "id": "US-072",
      "title": "Add resource exhaustion and unbounded buffering tests",
      "description": "As a developer, I need tests for resource exhaustion scenarios that CLAUDE.md flags as critical risks.",
      "acceptanceCriteria": [
        "Test: pipe write without read - write large data to a pipe with no reader, verify backpressure or bounded buffer (not unbounded growth)",
        "Test: FD exhaustion - open many FDs inside sandbox, verify enforcement or graceful error at some limit",
        "Test: PTY write without read - send large data to PTY master with no slave reader, verify bounded behavior",
        "If unbounded buffering IS the current behavior, document it as a known issue and add a guard/limit",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 72,
      "passes": true,
      "notes": "Audit M10, M11. CLAUDE.md flags 'host memory buildup and CPU amplification as critical risks'. Zero tests for this."
    },
    {
      "id": "US-073",
      "title": "Add ring buffer cross-thread and wraparound tests",
      "description": "As a developer, I need ring buffer tests that exercise real cross-thread communication and buffer wraparound.",
      "acceptanceCriteria": [
        "Test: spawn a worker thread, share SAB ring buffer, writer in one thread sends data, reader in other thread receives it correctly",
        "Test: write more data than buffer capacity to exercise wraparound - verify all data arrives intact",
        "Test: interleaved read/write at buffer boundary - verify no data corruption",
        "Test: zero-length read buffer returns 0 bytes without error",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 73,
      "passes": true,
      "notes": "Audit M13, M14. All current ring buffer tests run single-threaded. Core value prop (blocking cross-thread pipe) is untested."
    },
    {
      "id": "US-074",
      "title": "Add kernel user.ts unit tests",
      "description": "As a developer, I need the UserManager class to have test coverage for uid/gid configuration and getpwuid.",
      "acceptanceCriteria": [
        "Test: default uid/gid values",
        "Test: custom uid/gid configuration",
        "Test: getpwuid returns correct passwd-format string",
        "Test: root uid (0) handling",
        "Test: unknown uid returns appropriate error/default",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 74,
      "passes": true,
      "notes": "Audit U1. packages/kernel/src/user.ts has ZERO test coverage."
    },
    {
      "id": "US-075",
      "title": "Add pipe partial read and VFS snapshot tests",
      "description": "As a developer, I need tests for pipe chunk-splitting logic and VFS state transfer.",
      "acceptanceCriteria": [
        "Test: write 100 bytes to pipe, read only 10 bytes, verify correct 10 bytes returned and remaining 90 still available",
        "Test: multiple partial reads that drain a pipe incrementally",
        "Test: VFS.snapshot() captures current filesystem state",
        "Test: VFS.fromSnapshot() restores from snapshot correctly",
        "Test: VFS.applySnapshot() merges snapshot into existing VFS",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 75,
      "passes": true,
      "notes": "Audit M15, M16. drainBuffer chunk-splitting has zero coverage. VFS snapshot/restore used for thread transfer but untested."
    },
    {
      "id": "US-076",
      "title": "Add kill(), concurrent exec, and waitpid edge case tests",
      "description": "As a developer, I need tests for DriverProcess.kill(), parallel exec(), and waitpid edge cases.",
      "acceptanceCriteria": [
        "Test: call kill() on a running DriverProcess, verify it terminates within timeout",
        "Test: kill() on an already-exited process is a no-op (no throw)",
        "Test: run 3+ concurrent exec() calls on same NodeRuntime, verify all complete with correct results and no state leakage",
        "Test: waitpid for non-existent PID throws ECHILD or equivalent",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 76,
      "passes": true,
      "notes": "Audit M12, M19, M26. kill() exists on every DriverProcess but is never tested. No concurrent exec test exists."
    },
    {
      "id": "US-077",
      "title": "Add process cleanup and timer disposal tests",
      "description": "As a developer, I need tests verifying resource cleanup when processes crash or runtimes dispose.",
      "acceptanceCriteria": [
        "Test: process that crashes unexpectedly has its worker/isolate cleaned up (no leaked workers)",
        "Test: sandbox code that creates setInterval - after runtime dispose, interval does not fire",
        "Test: when WASM process exits, piped stdout/stderr FDs are closed and readers receive EOF",
        "Test: double-dispose on NodeRuntime does not throw",
        "Test: double-dispose on PythonRuntime does not throw (if pyodide available)",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 77,
      "passes": true,
      "notes": "Audit M22, M23, M24, M25. No tests for cleanup after crash, timer leaks, or pipe EOF propagation."
    },
    {
      "id": "US-078",
      "title": "Add device layer behavior tests",
      "description": "As a developer, I need complete behavior coverage for device special files.",
      "acceptanceCriteria": [
        "Test: /dev/urandom returns different data on two consecutive reads (not just non-zero)",
        "Test: /dev/zero write is silently discarded (write then verify no state change)",
        "Test: /dev/stdin, /dev/stdout, /dev/stderr read/write produce expected behavior or errors",
        "Test: rename/link of device paths throws EPERM",
        "Test: truncate('/dev/null') succeeds as no-op",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 78,
      "passes": true,
      "notes": "Audit M27-M30. Device paths exist and behavior is implemented but untested."
    },
    {
      "id": "US-079",
      "title": "Add write-side fs permission and custom checker tests",
      "description": "As a developer, I need permission tests that cover write operations and custom deny checkers.",
      "acceptanceCriteria": [
        "Test: writeFile is denied when fs permission checker is missing",
        "Test: createDir is denied when fs permission checker is missing",
        "Test: removeFile is denied when fs permission checker is missing",
        "Test: custom fs checker returning { allow: false, reason: 'policy' } produces EACCES with reason in error",
        "Test: permission checker receives cwd parameter in request",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 79,
      "passes": true,
      "notes": "Audit M32, M33, M34. Only readFile/readTextFile permission denial is tested. Write-side and custom checkers have zero coverage."
    },
    {
      "id": "US-080",
      "title": "Add @xterm/headless devDependency and create TerminalHarness utility",
      "description": "As a developer, I need a TerminalHarness test helper that wires openShell() to a headless xterm Terminal so I can assert on exact screen state in tests.",
      "acceptanceCriteria": [
        "pnpm -F @secure-exec/kernel add -D @xterm/headless succeeds and package.json updated",
        "packages/kernel/test/terminal-harness.ts exports TerminalHarness class",
        "TerminalHarness constructor accepts a Kernel and optional OpenShellOptions, creates headless Terminal at fixed 80x24",
        "type(input) sends input through PTY, waits until no new bytes received for 50ms, then resolves; rejects if called while previous type() is in-flight",
        "screenshotTrimmed() returns viewport rows only (not scrollback) from xterm buffer, trailing whitespace trimmed per line, trailing empty lines dropped, joined with newline",
        "line(row) returns single trimmed row from screen buffer (0-indexed)",
        "waitFor(text, occurrence?, timeoutMs?) polls screen buffer every 20ms until text found; throws descriptive error on timeout (includes expected text, timeout, and actual screen content); checks shell.exitCode in poll loop and throws immediately if shell died",
        "exit() sends ^D on empty line and awaits shell exit, returns exit code",
        "dispose() kills shell and disposes terminal; safe to call multiple times; tests must call in afterEach or use try/finally to prevent resource leaks",
        "Typecheck passes"
      ],
      "priority": 80,
      "passes": true,
      "notes": "Phase 1 of terminal-e2e-testing.md spec. TerminalHarness is the foundation for all subsequent terminal tests. Adversarial review identified: must define concrete settlement window for type(), detect shell crash in poll loops, and prevent resource leaks on test failure."
    },
    {
      "id": "US-081",
      "title": "Add kernel PTY terminal tests: initial state, echo, command output",
      "description": "As a developer, I need terminal-level tests for basic PTY plumbing using MockRuntimeDriver to verify echo, output placement, and screen rendering.",
      "acceptanceCriteria": [
        "packages/kernel/test/shell-terminal.test.ts created with file-level comment documenting exact-match assertion constraint",
        "Test: clean initial state \u2014 shell opens, screen is empty or shows prompt",
        "Test: echo on input \u2014 typed text appears on screen via PTY echo",
        "Test: command output on correct line \u2014 mock echo-back appears below the input line",
        "Test: output preservation \u2014 multiple commands, all previous output stays visible",
        "All output assertions use exact-match on screenshotTrimmed() (no toContain, no substring checks)",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 81,
      "passes": true,
      "notes": "Phase 1 of terminal-e2e-testing.md spec. Uses MockRuntimeDriver \u2014 no WASM binary required."
    },
    {
      "id": "US-082",
      "title": "Add kernel PTY terminal tests: signals, backspace, line wrapping",
      "description": "As a developer, I need terminal-level tests for PTY signal handling, line editing, and wrapping behavior using MockRuntimeDriver.",
      "acceptanceCriteria": [
        "Test: ^C sends SIGINT \u2014 screen shows ^C, shell stays alive, can type more",
        "Test: ^D exits cleanly \u2014 shell exits with code 0, no extra output",
        "Test: backspace erases character \u2014 'helo' + BS + 'lo\\n' \u2192 screen shows 'hello'",
        "Test: long line wrapping \u2014 input exceeding cols wraps to next row",
        "Test: resize(cols, rows) triggers SIGWINCH \u2014 shell stays alive, prompt returns on new dimensions",
        "Test: echo disabled \u2014 type input with echo off, verify typed text does NOT appear on screen (password input scenario)",
        "All output assertions use exact-match on screenshotTrimmed()",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 82,
      "passes": true,
      "notes": "Phase 1 of terminal-e2e-testing.md spec. Completes the kernel-level terminal test suite. Adversarial review added: SIGWINCH resize and echo-disabled tests \u2014 both have low-level coverage but no terminal-screen verification."
    },
    {
      "id": "US-083",
      "title": "Add WasmVM terminal tests: echo, ls, output preservation",
      "description": "As a developer, I need terminal-level tests for real brush-shell commands to verify interactive output through the full WasmVM stack.",
      "acceptanceCriteria": [
        "pnpm -F @anthropic-ai/wasmvm add -D @xterm/headless succeeds and package.json updated",
        "packages/runtime/wasmvm/test/shell-terminal.test.ts created, gated with skipUnlessWasmBuilt()",
        "TerminalHarness imported or duplicated in wasmvm test directory",
        "Test: echo prints output \u2014 'echo hello' \u2192 'hello' on next line, prompt returns",
        "Test: ls / shows listing \u2014 directory entries rendered correctly",
        "Test: output preserved across commands \u2014 'echo AAA' then 'echo BBB' \u2014 both visible",
        "Test: cd changes directory \u2014 'cd /tmp' then 'pwd' \u2192 '/tmp' on screen",
        "Test: export sets env var \u2014 'export FOO=bar' then 'echo $FOO' \u2192 'bar' on screen",
        "Expected prompt format captured as constant at top of test file",
        "All output assertions use exact-match on screenshotTrimmed()",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 83,
      "passes": true,
      "notes": "Phase 2 of terminal-e2e-testing.md spec. Requires WASM binary built. Adversarial review added: cd and export builtins \u2014 state persistence across commands is an interactive-only behavior. cd and ls tests are .todo due to pre-existing WASI path resolution / proc_spawn issues."
    },
    {
      "id": "US-114",
      "title": "Add cross-PID authorization to KernelInterface",
      "description": "As a developer, I need the kernel to prevent a mounted driver from accessing file descriptors, killing processes, or manipulating process groups belonging to other drivers' PIDs.",
      "acceptanceCriteria": [
        "KernelInterface methods (fdRead, fdWrite, fdClose, kill, setpgid, etc.) validate that the calling driver owns the target PID",
        "Test: driver A cannot fdRead/fdWrite FDs belonging to driver B's process",
        "Test: driver A cannot kill or setpgid on driver B's process",
        "Test: driver A CAN access its own process's FDs and signals normally",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 84,
      "passes": true,
      "notes": "CRITICAL \u2014 kernel.ts:451-749. Single shared KernelInterface given to all drivers; pid parameter trusted without validation. Any driver can read/write FDs, kill, or manipulate process groups of any other driver's processes."
    },
    {
      "id": "US-115",
      "title": "Fix exec() timeout \u2014 kill process and clear timer",
      "description": "As a developer, I need exec() to kill the spawned process and clear the timeout timer when execution times out, preventing zombie processes and leaked timers.",
      "acceptanceCriteria": [
        "When exec() timeout fires, the spawned process is killed (SIGTERM then SIGKILL)",
        "stdout/stderr callbacks are detached after timeout to stop accumulation",
        "setTimeout timer is cleared when process exits normally before timeout",
        "Test: exec with 100ms timeout on a long-running command \u2014 process is killed, no resource leak",
        "Test: exec with timeout where process exits early \u2014 timer is cleared",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 85,
      "passes": true,
      "notes": "CRITICAL \u2014 kernel.ts:162-175. Timed-out process keeps running, stdout/stderr keep accumulating, timer never cleared on normal exit."
    },
    {
      "id": "US-116",
      "title": "Cap cryptoRandomFill host allocation size",
      "description": "As a developer, I need the host-side crypto.getRandomValues bridge to reject requests for excessively large byte arrays to prevent OOM.",
      "acceptanceCriteria": [
        "Host-side cryptoRandomFillRef validates byteLength <= 65536 (or similar reasonable cap matching Web Crypto API spec)",
        "Requests exceeding the cap throw a RangeError matching Node.js behavior",
        "Test: crypto.getRandomValues(new Uint8Array(65536)) succeeds",
        "Test: crypto.getRandomValues(new Uint8Array(65537)) throws RangeError",
        "Test: crypto.getRandomValues(new Uint8Array(2_000_000_000)) throws, does not allocate on host",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 86,
      "passes": true,
      "notes": "CRITICAL \u2014 bridge-setup.ts:216-219. Buffer.allocUnsafe(byteLength) with no validation; sandbox can OOM host with single call."
    },
    {
      "id": "US-117",
      "title": "Clean up host timers on isolate recycling/disposal",
      "description": "As a developer, I need all host-side setTimeout callbacks created by the bridge to be tracked and cleared when the isolate is recycled or disposed.",
      "acceptanceCriteria": [
        "Bridge tracks all host-side timer IDs created via scheduleTimerRef",
        "On isolate recycling (timeout) or disposal, all tracked host timers are cleared via clearTimeout",
        "Test: create 100 timers with 60s delay, trigger timeout \u2014 all host timers cleared, no leaked callbacks",
        "Test: normal execution with timers \u2014 timers cleared on dispose",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 87,
      "passes": true,
      "notes": "CRITICAL \u2014 bridge-setup.ts:202-207. Host setTimeout callbacks survive isolate recycling, holding dead isolate references. 100k timers at 24h delay = permanent host leak."
    },
    {
      "id": "US-118",
      "title": "Harden fetch/Headers/Request/Response/Blob globals as non-writable",
      "description": "As a developer, I need the network globals installed in the sandbox to be non-writable and non-configurable so sandbox code cannot intercept outbound requests.",
      "acceptanceCriteria": [
        "fetch, Headers, Request, Response, Blob are installed via exposeCustomGlobal() (writable: false, configurable: false)",
        "Test: sandbox code attempting globalThis.fetch = ... throws TypeError",
        "Test: Object.defineProperty(globalThis, 'fetch', ...) throws TypeError",
        "Test: fetch still works normally after hardening",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 88,
      "passes": true,
      "notes": "CRITICAL \u2014 network.ts:1655-1662. Currently installed via simple property assignment (writable, configurable). Sandbox code can replace fetch and intercept all outbound requests."
    },
    {
      "id": "US-119",
      "title": "Cap PTY canonical-mode line buffer size",
      "description": "As a developer, I need the PTY canonical-mode line buffer to have a size cap to prevent unbounded memory growth from input without newlines.",
      "acceptanceCriteria": [
        "lineBuffer in canonical mode is capped (e.g., 4096 bytes matching POSIX MAX_CANON)",
        "Writes exceeding the cap are rejected or the oldest bytes are discarded",
        "Test: write 10,000 bytes without newline to PTY master in canonical mode \u2014 buffer does not exceed cap",
        "Test: normal canonical mode operation (type line, press enter) still works correctly",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 89,
      "passes": true,
      "notes": "HIGH \u2014 pty.ts:412. lineBuffer is number[] (16 bytes/element on V8), grows without limit until newline. 100M bytes = ~1.6GB."
    },
    {
      "id": "US-120",
      "title": "Register openShell controller PID and clean up on exit",
      "description": "As a developer, I need the openShell controller PID to be registered in the process table and its FD table cleaned up when the shell exits.",
      "acceptanceCriteria": [
        "openShell() registers the controller PID in the process table",
        "When the shell process exits, the controller PID's FD table is cleaned up via fdTableManager.remove()",
        "PTY master FD is closed when the shell exits",
        "Test: open shell, exit shell, verify controller PID's FD table is removed",
        "Test: repeated openShell/exit cycles do not leak FD tables or PID numbers",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 90,
      "passes": true,
      "notes": "HIGH \u2014 kernel.ts:200-201. Controller PID never registered; FD table, master FD, and PID number leak on every shell open/close cycle."
    },
    {
      "id": "US-121",
      "title": "Implement fdWrite to VFS for regular files",
      "description": "As a developer, I need fdWrite on regular file FDs to actually write data to the VFS instead of silently discarding it.",
      "acceptanceCriteria": [
        "fdWrite on a regular file FD writes data to VFS at the current cursor position",
        "Cursor position advances by the number of bytes written",
        "Test: open file, fdWrite data, fdRead back \u2014 data matches",
        "Test: fdWrite at offset, fdPread at same offset \u2014 data matches",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 91,
      "passes": true,
      "notes": "HIGH \u2014 kernel.ts:509. fdWrite to regular files returns data.length without writing to VFS. Silent data loss."
    },
    {
      "id": "US-122",
      "title": "Return EPIPE on pipe write after read-end close",
      "description": "As a developer, I need pipe writes to fail with EPIPE when the read end has been closed, matching POSIX semantics.",
      "acceptanceCriteria": [
        "PipeManager.write() checks state.closed.read before buffering data",
        "If read end is closed, write throws KernelError with code EPIPE",
        "Test: close pipe read end, write to write end \u2014 throws EPIPE",
        "Test: normal pipe write with open read end still succeeds",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 92,
      "passes": true,
      "notes": "HIGH \u2014 pipe-manager.ts:82-103. Write after read-end close silently succeeds, buffers up to 64KB then EAGAIN. Should be EPIPE."
    },
    {
      "id": "US-123",
      "title": "Resolve PTY read waiter on same-end close",
      "description": "As a developer, I need pending PTY reads to be resolved (with EOF/null) when the same end that's reading is closed.",
      "acceptanceCriteria": [
        "Closing the slave end resolves any pending inputWaiters with null (EOF)",
        "Closing the master end resolves any pending outputWaiters with null (EOF)",
        "Test: start slave read, close slave \u2014 read resolves with null, no hang",
        "Test: start master read, close master \u2014 read resolves with null, no hang",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 93,
      "passes": true,
      "notes": "HIGH \u2014 pty.ts:185-202. Closing same end as pending read leaves promise unresolved forever."
    },
    {
      "id": "US-124",
      "title": "Clean up child processes and HTTP servers on isolate disposal/timeout",
      "description": "As a developer, I need spawned child processes and HTTP servers to be terminated when the isolate is recycled or disposed.",
      "acceptanceCriteria": [
        "Bridge tracks all spawned child process host handles",
        "On isolate recycling or disposal, all tracked child processes are killed",
        "activeHttpServerIds is NOT cleared at start of exec(); servers from previous exec are still tracked",
        "On recycleIsolate(), all tracked HTTP servers are closed",
        "Test: spawn child process, trigger timeout \u2014 child process is killed",
        "Test: start HTTP server in exec(), call exec() again \u2014 previous server is closed",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 94,
      "passes": true,
      "notes": "HIGH \u2014 bridge-setup.ts:394,427-472 and execution.ts:142. Child processes survive isolate recycling; activeHttpServerIds cleared on each exec() losing tracking."
    },
    {
      "id": "US-125",
      "title": "Fix output byte budget enforcement and add default spawnSync maxBuffer",
      "description": "As a developer, I need the output byte budget to reject messages that would exceed the limit (not just check previous total) and spawnSync to have a default maxBuffer.",
      "acceptanceCriteria": [
        "logRef checks if (budgetState.outputBytes + bytes > maxOutputBytes) before emitting, not just if previous total >= limit",
        "spawnSync applies a default maxBuffer (e.g., 10MB) when caller does not specify one",
        "exec() bridge-side stops accumulating stdout/stderr after maxBuffer kill",
        "Test: set maxOutputBytes=1024, console.log 1MB string \u2014 message is NOT emitted",
        "Test: spawnSync without maxBuffer on high-output command \u2014 output capped at default",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 95,
      "passes": true,
      "notes": "HIGH \u2014 bridge-setup.ts:89-107, 495-559 and child-process.ts:346-398. Budget check is before accumulation (off-by-one allows 1 massive message); spawnSync has no default maxBuffer; exec keeps buffering after kill."
    },
    {
      "id": "US-126",
      "title": "Add bridge-side FD table limit and event listener cap",
      "description": "As a developer, I need the bridge-side FD table and event listener arrays to have size limits preventing resource exhaustion from sandbox code.",
      "acceptanceCriteria": [
        "Bridge FD table enforces a max open files limit (e.g., 1024), throws EMFILE when exceeded",
        "Event emitter implementations enforce maxListeners (default 10, configurable via setMaxListeners)",
        "Exceeding maxListeners emits a warning but does not crash (matching Node.js behavior)",
        "Test: open 1025 files in bridge \u2014 throws EMFILE",
        "Test: add 1000 listeners \u2014 warning emitted, no crash",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 96,
      "passes": true,
      "notes": "HIGH \u2014 fs.ts:13-14 and multiple bridge files. FD table and listener arrays grow unboundedly."
    },
    {
      "id": "US-127",
      "title": "Validate process.chdir and prevent setInterval(0) CPU spin",
      "description": "As a developer, I need process.chdir to validate the target directory exists in VFS and setInterval with delay 0 to use a minimum delay preventing infinite microtask loops.",
      "acceptanceCriteria": [
        "process.chdir(dir) validates dir exists in the VFS before setting _cwd",
        "process.chdir to non-existent path throws ENOENT",
        "setInterval with delay <= 0 uses a minimum effective delay (e.g., 1ms) to prevent microtask spin",
        "Test: chdir to non-existent path \u2014 throws ENOENT",
        "Test: setInterval(() => counter++, 0) with 100ms timeout \u2014 counter is bounded, not infinite",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 97,
      "passes": true,
      "notes": "HIGH \u2014 process.ts:554-556 and process.ts:983-1034. chdir accepts any path without validation; setInterval(0) creates infinite microtask loop blocking event loop."
    },
    {
      "id": "US-128",
      "title": "Add network response and readDir payload size limits",
      "description": "As a developer, I need the host-side bridge to enforce size limits on network response bodies and readDir results before transferring to the isolate.",
      "acceptanceCriteria": [
        "Network fetch/httpRequest response body is capped (e.g., to isolateJsonPayloadLimitBytes)",
        "readDirRef result is capped to a reasonable entry count or JSON size",
        "Responses exceeding the cap return a truncated result or error",
        "Test: fetch a response > payload limit \u2014 error or truncation, no OOM",
        "Test: readDir on directory with 100k entries \u2014 handled safely",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 98,
      "passes": true,
      "notes": "MEDIUM \u2014 bridge-setup.ts:268-273,585. Network responses and readDir results transferred without size limits."
    },
    {
      "id": "US-129",
      "title": "Prevent module-level ID counter collisions across managers",
      "description": "As a developer, I need FD description IDs, pipe IDs, and PTY IDs to use non-overlapping ranges or per-instance counters to prevent collisions in long-running kernels.",
      "acceptanceCriteria": [
        "ID counters are either per-kernel-instance or use sufficiently separated ranges with overflow guards",
        "Test: create 100 FD descriptions, 100 pipes, 100 PTYs \u2014 all IDs unique, no range overlap",
        "Test: isPipe() and isPty() return false for FD description IDs and vice versa",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 99,
      "passes": true,
      "notes": "MEDIUM \u2014 fd-table.ts:25, pipe-manager.ts:31-32, pty.ts:58-59. Module-level counters shared across instances; after ~100k file opens, FD desc IDs collide with pipe ID range."
    },
    {
      "id": "US-130",
      "title": "Normalize paths in permission wrapper and fix realpathSync",
      "description": "As a developer, I need the permission wrapper to normalize paths before checking permissions, and realpathSync to resolve symlinks via the VFS.",
      "acceptanceCriteria": [
        "Permission wrapper normalizes paths (resolves .., ., double slashes) before checking",
        "Path traversal like /allowed/../etc/passwd is correctly denied",
        "realpathSync calls through to VFS to resolve symlinks",
        "Test: permission check on path with .. traversal \u2014 denied",
        "Test: realpathSync on symlink \u2014 returns resolved target path",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 100,
      "passes": true,
      "notes": "MEDIUM \u2014 permissions.ts:37-74 and fs.ts:2320-2334. Permission wrapper passes raw paths; realpathSync just normalizes slashes without resolving symlinks."
    },
    {
      "id": "US-131",
      "title": "Cap WriteStream buffering and add globCollect recursion depth limit",
      "description": "As a developer, I need WriteStream to limit buffered data and _globCollect to limit recursion depth to prevent memory exhaustion and stack overflow.",
      "acceptanceCriteria": [
        "WriteStream._chunks is capped at a reasonable total size (e.g., 256MB), emits error event when exceeded",
        "_globCollect enforces a max recursion depth (e.g., 100 levels), stops traversal beyond limit",
        "Test: write > cap to WriteStream without end() \u2014 error event emitted",
        "Test: glob on directory tree > depth limit \u2014 returns results up to limit, no stack overflow",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 101,
      "passes": true,
      "notes": "MEDIUM \u2014 fs.ts:454-573 and fs.ts:872-915. WriteStream accumulates all data until end(); globCollect has no recursion depth limit."
    },
    {
      "id": "US-132",
      "title": "Isolate module cache across warm executions",
      "description": "As a developer, I need module caches to be cleared between executions to prevent cache poisoning from a previous execution affecting later ones.",
      "acceptanceCriteria": [
        "__unsafeCreateContext clears all module caches (esmModuleCache, moduleFormatCache, packageTypeCache, resolutionCache, dynamicImportCache, dynamicImportPending)",
        "Test: first execution poisons module cache, second execution gets clean modules",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 102,
      "passes": true,
      "notes": "MEDIUM \u2014 execution-driver.ts:108-129. __unsafeCreateContext resets budgetState but NOT module caches. Previous execution's modules leak into next context."
    },
    {
      "id": "US-133",
      "title": "Add setpgid cross-session check and terminateAll SIGKILL escalation",
      "description": "As a developer, I need setpgid to enforce same-session restriction per POSIX, and terminateAll to escalate to SIGKILL for processes that ignore SIGTERM.",
      "acceptanceCriteria": [
        "setpgid rejects joining a process group in a different session with EPERM",
        "terminateAll sends SIGTERM, waits briefly, then sends SIGKILL to remaining processes",
        "Test: process in session A calls setpgid to join group in session B \u2014 EPERM",
        "Test: terminateAll with a process that ignores SIGTERM \u2014 escalated to SIGKILL",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 103,
      "passes": true,
      "notes": "MEDIUM \u2014 process-table.ts:164-185,267-275. setpgid allows cross-session group joining; terminateAll waits 1s with no SIGKILL escalation."
    },
    {
      "id": "US-134",
      "title": "Optimize fdRead to avoid reading entire file for partial reads",
      "description": "As a developer, I need fdRead to read only the requested range from the VFS instead of loading the entire file for every read operation.",
      "acceptanceCriteria": [
        "fdRead uses a range-based or cursor-aware VFS read instead of reading the entire file",
        "Small reads on large files do not allocate the full file size",
        "Test: create 1MB file, fdRead 1 byte at offset 0 \u2014 completes quickly without excessive allocation",
        "Test: sequential fdRead calls advance cursor correctly",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 104,
      "passes": true,
      "notes": "MEDIUM \u2014 kernel.ts:487-494. Every fdRead calls vfs.readFile (full file), slices to range. 1-byte read of 1GB file allocates 1GB."
    },
    {
      "id": "US-135",
      "title": "Add command registry protection and fix device layer edge cases",
      "description": "As a developer, I need the command registry to warn on override of built-in commands, and the device layer to handle /dev/zero writes, /dev/fd parsing, and device realpath correctly.",
      "acceptanceCriteria": [
        "CommandRegistry logs a warning when a driver overrides an existing command",
        "/dev/zero and /dev/urandom writes are intercepted (no-op) instead of passing to VFS",
        "realpath on device paths (/dev/null, /dev/zero, etc.) returns the device path",
        "/dev/fd/N parsing rejects malformed paths (non-integer, negative)",
        "Test: override 'sh' command \u2014 warning logged",
        "Test: write to /dev/zero \u2014 no data stored in VFS",
        "Test: realpath('/dev/null') returns '/dev/null'",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 105,
      "passes": true,
      "notes": "LOW \u2014 command-registry.ts:22, device-layer.ts:89-95,173-175, kernel.ts:458-465."
    },
    {
      "id": "US-136",
      "title": "Sanitize error messages to prevent host path leakage",
      "description": "As a developer, I need error messages from module access checks and HTTP server handlers to not leak host filesystem paths to sandbox code.",
      "acceptanceCriteria": [
        "Module access errors do not include canonical host paths or hostNodeModulesRoot in error messages",
        "HTTP server 500 error responses use a generic message, not error.message from handler",
        "Test: module access error message does not contain host-specific path components",
        "Test: HTTP handler throws Error('secret path /host/dir') \u2014 response body is generic",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 106,
      "passes": true,
      "notes": "LOW \u2014 module-access.ts:253-256 and driver.ts:244-251. Error messages include canonical paths and host roots."
    },
    {
      "id": "US-137",
      "title": "Fix bridge misc: ChildProcess.pid uniqueness, signal handling, v8.deserialize ordering",
      "description": "As a developer, I need ChildProcess PIDs to be unique, process.kill to handle all signals, and v8.deserialize to check size before allocation.",
      "acceptanceCriteria": [
        "ChildProcess.pid uses a monotonic counter instead of Math.random() for uniqueness",
        "process.kill(process.pid, signal) handles SIGINT and other signals, not just SIGTERM",
        "v8.deserialize checks buffer size BEFORE calling buffer.toString()",
        "Test: spawn 100 child processes \u2014 all PIDs unique",
        "Test: process.kill(process.pid, 'SIGINT') \u2014 handled (not silently ignored)",
        "Test: v8.deserialize with buffer > limit \u2014 rejects without full string allocation",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 107,
      "passes": true,
      "notes": "LOW \u2014 child-process.ts:121, process.ts:677-689, bridge-initial-globals.ts:239-248."
    },
    {
      "id": "US-138",
      "title": "Add PTY ONLCR output flag control and kill() signal range validation",
      "description": "As a developer, I need PTY output processing (ONLCR) to be controllable via termios flags, and kill() to validate signal numbers.",
      "acceptanceCriteria": [
        "PTY processOutput respects an opost/onlcr flag in discipline settings",
        "When ONLCR is disabled, raw \\n bytes pass through without CR insertion",
        "kill() validates signal range (1-64) and treats signal 0 as existence check",
        "Test: disable ONLCR, write \\n to PTY \u2014 raw \\n in output (no \\r\\n)",
        "Test: kill(pid, 0) returns without error if process exists, ESRCH if not",
        "Test: kill(pid, -1) or kill(pid, 100) throws EINVAL",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 108,
      "passes": true,
      "notes": "LOW \u2014 pty.ts:326-348 and process-table.ts:144-162. ONLCR always applied; kill() forwards arbitrary signal values."
    },
    {
      "id": "US-104",
      "title": "Fix connectTerminal() raw mode setup outside try block",
      "description": "As a developer, I need connectTerminal() to set raw mode inside the try block so terminal state is always restored on exception.",
      "acceptanceCriteria": [
        "stdin.setRawMode(true) is called inside the try block, not before it",
        "stdin.on('data') listener is added inside the try block",
        "If openShell() or any setup throws, terminal is not left in raw mode",
        "All existing connectTerminal tests still pass",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 109,
      "passes": true,
      "notes": "HIGH \u2014 found during PTY review. Current code sets raw mode at line ~267 but try starts at ~291. If anything between those lines throws, finally block never runs and terminal is permanently in raw mode."
    },
    {
      "id": "US-105",
      "title": "Fix openShell() read pump lifecycle \u2014 track and cancel on exit",
      "description": "As a developer, I need the openShell() read pump to be tracked and cleanly cancelled when the shell exits, instead of running fire-and-forget.",
      "acceptanceCriteria": [
        "Read pump promise is tracked (not fire-and-forget)",
        "Pump exits promptly when shell exits (not only when PTY master closes)",
        "Pump errors are logged or propagated, not silently swallowed",
        "ShellHandle.wait() does not resolve while pump is still delivering data",
        "All existing openShell and shell-terminal tests still pass",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 110,
      "passes": true,
      "notes": "MEDIUM \u2014 found during PTY review. readPump() is called without await at kernel.ts:~233. Errors are silently caught. Pump outlives shell.wait() resolution."
    },
    {
      "id": "US-106",
      "title": "Fix PTY echo buffer overflow \u2014 queue or error instead of silent drop",
      "description": "As a developer, I need PTY echo to either queue or return an error when the output buffer is full, instead of silently dropping echo bytes.",
      "acceptanceCriteria": [
        "When output buffer is full, echo bytes are not silently dropped",
        "Chosen strategy documented: either queue echo (backpressure), throw EAGAIN, or document best-effort with test",
        "Test: fill output buffer to MAX_PTY_BUFFER_BYTES, write input with echo enabled, verify defined behavior (not silent drop)",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 111,
      "passes": true,
      "notes": "MEDIUM \u2014 found during PTY review. pty.ts:~444-447 silently drops echo when output buffer full. User types but sees nothing \u2014 violates 'what you type is what you see' principle."
    },
    {
      "id": "US-107",
      "title": "Validate tcsetpgrp target PGID exists",
      "description": "As a developer, I need tcsetpgrp() to validate that the target PGID refers to an existing process group, so that signal delivery doesn't silently fail.",
      "acceptanceCriteria": [
        "tcsetpgrp(pid, fd, pgid) throws ESRCH or EPERM if pgid does not match any running process's pgid",
        "Setting foregroundPgid to a valid group still works as before",
        "Test: tcsetpgrp with non-existent pgid throws appropriate error",
        "Test: tcsetpgrp with valid pgid succeeds",
        "All existing tcsetpgrp tests still pass",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 112,
      "passes": true,
      "notes": "MEDIUM \u2014 found during PTY review. kernel.ts:~691-696 and pty.ts:~274-279 accept any number. Setting foregroundPgid to non-existent group causes ^C to silently fail (caught by try/catch)."
    },
    {
      "id": "US-108",
      "title": "Add adversarial PTY stress tests",
      "description": "As a developer, I need tests that exercise PTY under adversarial conditions to verify bounded behavior under hostile workloads.",
      "acceptanceCriteria": [
        "Test: rapid sequential writes (100+ chunks) to PTY master with no slave reader \u2014 verify EAGAIN and bounded memory",
        "Test: single large write (1MB+) to PTY \u2014 verify immediate EAGAIN, no partial buffering",
        "Test: multiple PTY pairs simultaneously filled to buffer limit \u2014 verify isolation between pairs",
        "Test: canonical mode line buffer under sustained input without newline \u2014 verify bounded behavior",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 113,
      "passes": true,
      "notes": "MEDIUM \u2014 test-audit.md M11 flags this as HIGH priority. Current tests only fill buffer to exact limit and check one extra byte. No realistic adversarial patterns."
    },
    {
      "id": "US-109",
      "title": "Add test for stale foregroundPgid after group leader exit",
      "description": "As a developer, I need a test verifying that signal delivery behaves correctly when the foreground process group leader exits.",
      "acceptanceCriteria": [
        "Test: set foregroundPgid to a process group, exit the group leader, send ^C \u2014 verify defined behavior (error or no-op, not crash)",
        "Test: set foregroundPgid, exit leader, set new foregroundPgid to valid group \u2014 verify recovery works",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 114,
      "passes": true,
      "notes": "LOW \u2014 found during PTY review. PTY foregroundPgid goes stale when process exits. Protected by try/catch in kernel constructor wiring but untested."
    },
    {
      "id": "US-110",
      "title": "Add PTY echo buffer exhaustion test",
      "description": "As a developer, I need a test that exercises the echo path when the PTY output buffer is full.",
      "acceptanceCriteria": [
        "Test: fill PTY output buffer to MAX_PTY_BUFFER_BYTES, then write input with echo enabled \u2014 verify behavior matches US-106 fix",
        "Test: drain buffer after echo exhaustion, verify echo resumes correctly",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 115,
      "passes": true,
      "notes": "LOW \u2014 depends on US-106 (echo overflow fix). Tests the specific interaction between buffer fullness and echo."
    },
    {
      "id": "US-111",
      "title": "Add waitFor() occurrence parameter and type() settlement edge case tests",
      "description": "As a developer, I need tests exercising untested TerminalHarness API paths.",
      "acceptanceCriteria": [
        "Test: waitFor with occurrence=2 \u2014 verify it waits for second appearance of text",
        "Test: waitFor with occurrence=3 on text that appears only twice \u2014 verify timeout",
        "Test: type() on command that produces no output \u2014 verify settlement resolves after SETTLE_MS",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 116,
      "passes": true,
      "notes": "LOW \u2014 found during PTY review. waitFor() occurrence param and type() edge cases have zero coverage despite being part of TerminalHarness API."
    },
    {
      "id": "US-112",
      "title": "Add concurrent openShell() session test",
      "description": "As a developer, I need a test verifying that multiple concurrent openShell() sessions are fully isolated.",
      "acceptanceCriteria": [
        "Test: open two shells concurrently, write different commands to each, verify output isolation \u2014 data from shell A never appears in shell B",
        "Test: exit one shell while the other is still running \u2014 verify surviving shell is unaffected",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 117,
      "passes": true,
      "notes": "LOW \u2014 found during PTY review. Multi-PTY isolation is tested at raw PTY level but not through openShell() integration path."
    },
    {
      "id": "US-113",
      "title": "Add PTY signal callback error handling",
      "description": "As a developer, I need the PTY onSignal callback to handle errors gracefully instead of being fire-and-forget.",
      "acceptanceCriteria": [
        "onSignal callback errors are caught and do not crash the PTY or break the line discipline",
        "After a failed signal delivery, subsequent PTY operations (read, write, echo) still work",
        "Test: configure onSignal to throw, send ^C, verify PTY continues working",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 118,
      "passes": true,
      "notes": "LOW \u2014 found during PTY review. pty.ts:~374 calls onSignal?.() with no error handling. Currently protected by kernel try/catch wiring but fragile if wiring changes."
    },
    {
      "id": "US-084",
      "title": "Add WasmVM terminal tests: cat, pipe, bad command",
      "description": "As a developer, I need terminal-level tests for VFS file reading, pipes, and error output in the interactive shell.",
      "acceptanceCriteria": [
        "Test: cat reads VFS file \u2014 write file to VFS, cat it, content appears on screen",
        "Test: pipe works \u2014 'echo foo | cat' \u2192 'foo' on screen",
        "Test: exit code on bad command \u2014 'nonexistent' \u2192 error message on screen",
        "Test: stderr output appears on screen \u2014 command that writes to stderr shows error text",
        "Test: redirection \u2014 'echo hello > /tmp/out' then 'cat /tmp/out' \u2192 'hello' on screen",
        "Test: multi-line input \u2014 backslash continuation 'echo hello \\\\' + newline + 'world' \u2192 'hello world' on screen",
        "All output assertions use exact-match on screenshotTrimmed()",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 119,
      "passes": true,
      "notes": "Phase 2 of terminal-e2e-testing.md spec. Completes the WasmVM terminal test suite (excluding cross-runtime). Adversarial review added: stderr rendering, redirection operators, and multi-line input \u2014 all interactive-only behaviors with zero coverage."
    },
    {
      "id": "US-085",
      "title": "Add cross-runtime terminal tests: node -e and python3 -c from brush-shell",
      "description": "As a developer, I need terminal-level tests verifying that cross-runtime spawning from brush-shell produces correct interactive output.",
      "acceptanceCriteria": [
        "Test: 'node -e \"console.log(42)\"' \u2192 '42' appears on screen (requires Node runtime mounted)",
        "Test: 'python3 -c \"print(99)\"' \u2192 '99' appears on screen (requires Python runtime mounted)",
        "Test: ^C during cross-runtime child process \u2014 send SIGINT while 'node -e' is running, verify shell survives and prompt returns",
        "Tests mount all three runtimes (WasmVM + Node + Python) into the same kernel",
        "Tests gated with appropriate skip guards for WASM binary and runtime availability",
        "All output assertions use exact-match on screenshotTrimmed()",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 120,
      "passes": true,
      "notes": "Phase 3 of terminal-e2e-testing.md spec. Known risk: cross-runtime stdout routing through proc_spawn \u2192 kernel \u2192 PTY has known issues \u2014 if tests fail, fix is in spawn/stdio wiring, not test infrastructure. Adversarial review added: ^C during cross-runtime spawn \u2014 signal must reach correct process and shell must survive."
    },
    {
      "title": "Add yarn support to project-matrix fixture preparation",
      "description": "As a developer, I need the project-matrix test to support yarn as a packageManager so yarn layout fixtures can be tested.",
      "acceptanceCriteria": [
        "project-matrix.test.ts recognizes packageManager: 'yarn' in fixture.json",
        "Fixture prep runs 'yarn install' (classic) or 'yarn install --immutable' (berry) based on .yarnrc.yml presence",
        "Cache key includes yarn.lock contents",
        "e2e-project-matrix.test.ts also supports yarn fixtures",
        "Typecheck passes",
        "Tests pass"
      ],
      "passes": true,
      "notes": "Prerequisite for yarn layout fixtures. Currently only pnpm/npm/bun are handled in fixture prep.",
      "id": "US-086",
      "priority": 121
    },
    {
      "title": "Add npm flat layout fixture",
      "description": "As a developer, I need a fixture that tests npm's flat hoisted node_modules layout to verify module resolution works with standard npm installs.",
      "acceptanceCriteria": [
        "Create tests/projects/npm-layout-pass/ with fixture.json setting packageManager to 'npm'",
        "package.json has a dependency (e.g., left-pad) matching pnpm/bun layout fixtures for comparison",
        "package-lock.json is committed (lockfileVersion 3)",
        "Entry file requires the dependency and prints output",
        "Fixture passes project-matrix parity test (host === sandbox output)",
        "Typecheck passes",
        "Tests pass"
      ],
      "passes": true,
      "notes": "npm uses flat hoisting - all deps directly in node_modules/ as real directories (no symlinks, no hardlinks).",
      "id": "US-087",
      "priority": 122
    },
    {
      "title": "Add yarn classic layout fixture",
      "description": "As a developer, I need a fixture that tests yarn v1 classic hoisted layout.",
      "acceptanceCriteria": [
        "Create tests/projects/yarn-classic-layout-pass/ with fixture.json setting packageManager to 'yarn'",
        "package.json has left-pad dependency matching other layout fixtures",
        "yarn.lock is committed",
        "No .yarnrc.yml (signals classic mode)",
        "Entry file requires the dependency and prints output",
        "Fixture passes project-matrix parity test (host === sandbox output)",
        "Typecheck passes",
        "Tests pass"
      ],
      "passes": true,
      "notes": "Yarn classic (v1) uses a hoisted layout similar to npm but with different lockfile format. Depends on US-086 for yarn support.",
      "id": "US-088",
      "priority": 123
    },
    {
      "title": "Add yarn berry node-modules linker fixture",
      "description": "As a developer, I need a fixture testing yarn berry (v2+) with nodeLinker: node-modules to verify the newer yarn format works.",
      "acceptanceCriteria": [
        "Create tests/projects/yarn-berry-layout-pass/ with fixture.json setting packageManager to 'yarn'",
        "Include .yarnrc.yml with nodeLinker: node-modules",
        "package.json has left-pad dependency",
        "yarn.lock (v2+ format) is committed",
        "Entry file requires the dependency and prints output",
        "Fixture passes project-matrix parity test (host === sandbox output)",
        "Typecheck passes",
        "Tests pass"
      ],
      "passes": true,
      "notes": "Yarn berry with node-modules linker still creates node_modules/ but uses a different internal structure than classic. Depends on US-086.",
      "id": "US-089",
      "priority": 124
    },
    {
      "title": "Add workspace/monorepo layout fixture",
      "description": "As a developer, I need a fixture testing monorepo workspace layouts where packages are symlinked between workspace members.",
      "acceptanceCriteria": [
        "Create tests/projects/workspace-layout-pass/ with a monorepo structure",
        "Root package.json has workspaces field pointing to packages/*",
        "At least 2 workspace packages: packages/app (entry) and packages/lib (dependency)",
        "packages/app depends on packages/lib via workspace: protocol or file: reference",
        "Entry in packages/app requires packages/lib and prints output",
        "Fixture passes project-matrix parity test",
        "Typecheck passes",
        "Tests pass"
      ],
      "passes": true,
      "notes": "Workspace layouts use symlinks between workspace members. Increasingly common (turborepo, nx, etc). Use pnpm or npm workspaces.",
      "id": "US-090",
      "priority": 125
    },
    {
      "title": "Add peer dependency resolution fixture",
      "description": "As a developer, I need a fixture testing that peer dependencies resolve correctly in the sandbox.",
      "acceptanceCriteria": [
        "Create tests/projects/peer-deps-pass/ with fixture.json",
        "package.json has a dependency that declares a peerDependency (e.g., a plugin that peers on its host)",
        "Both the host package and plugin are installed",
        "Entry file requires the plugin, which internally requires its peer, and prints output proving both loaded",
        "Fixture passes project-matrix parity test",
        "Typecheck passes",
        "Tests pass"
      ],
      "passes": true,
      "notes": "Peer deps are resolved differently by each package manager. Tests that the sandbox module resolver handles the hoisting/symlink correctly.",
      "id": "US-091",
      "priority": 126
    },
    {
      "title": "Add conditional exports (package.json exports field) fixture",
      "description": "As a developer, I need a fixture testing that the exports field in package.json is resolved correctly in the sandbox.",
      "acceptanceCriteria": [
        "Create tests/projects/conditional-exports-pass/ with fixture.json",
        "Include a local vendored package that uses the exports field with multiple conditions (require, import, default)",
        "Entry file requires the package via subpath (e.g., require('pkg/feature')) and prints output",
        "Entry file also tests the main export (require('pkg'))",
        "Fixture passes project-matrix parity test",
        "Typecheck passes",
        "Tests pass"
      ],
      "passes": true,
      "notes": "The exports field is a major source of module resolution bugs. Tests subpath exports and condition matching.",
      "id": "US-092",
      "priority": 127
    },
    {
      "title": "Add transitive dependency chain fixture",
      "description": "As a developer, I need a fixture testing deep transitive dependency chains to verify the resolver follows the full chain correctly.",
      "acceptanceCriteria": [
        "Create tests/projects/transitive-deps-pass/ with fixture.json",
        "Install a package with a deep transitive chain (at least 3 levels: A -> B -> C)",
        "Entry file requires the top-level package and exercises functionality that touches the transitive deps",
        "Print output proving all levels loaded correctly",
        "Fixture passes project-matrix parity test",
        "Typecheck passes",
        "Tests pass"
      ],
      "passes": true,
      "notes": "Verifies the resolver does not break on deep chains, especially with different hoisting strategies across package managers.",
      "id": "US-093",
      "priority": 128
    },
    {
      "title": "Add optional dependency fixture",
      "description": "As a developer, I need a fixture testing that missing optional dependencies are handled gracefully in the sandbox.",
      "acceptanceCriteria": [
        "Create tests/projects/optional-deps-pass/ with fixture.json",
        "package.json has an optionalDependency that is intentionally NOT installed (or a platform-specific optional dep)",
        "Entry file attempts to require the optional dep with try/catch, prints 'available' or 'missing' accordingly",
        "Fixture passes project-matrix parity test (both host and sandbox should show same availability)",
        "Typecheck passes",
        "Tests pass"
      ],
      "passes": true,
      "notes": "Optional deps are common in the ecosystem (e.g., fsevents on macOS). Sandbox must handle missing optional deps identically to host.",
      "id": "US-094",
      "priority": 129
    },
    {
      "id": "US-139",
      "title": "Add ICRNL (CR-to-NL) input conversion to PTY line discipline",
      "description": "As a developer, I need the PTY to convert carriage return (0x0d) to newline (0x0a) in the line discipline so that Enter key works correctly when the host terminal is in raw mode (connectTerminal).",
      "acceptanceCriteria": [
        "In packages/kernel/src/pty.ts processInput(), convert byte 0x0d to 0x0a before line discipline processing (before the signal/canonical/echo checks)",
        "Add shell-terminal or PTY test: writing 'hello\\r' to PTY master in canonical mode delivers 'hello\\n' to slave input buffer",
        "Add test: CR input echoes as CR+LF (cursor moves to next line, not just carriage return)",
        "Existing PTY and shell-terminal tests still pass",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 130,
      "passes": true,
      "notes": "Root cause: host terminal in raw mode sends CR (0x0d) for Enter, but processInput() only treats LF (0x0a) as newline. Without ICRNL, CR is buffered as a regular character and its echo moves cursor to line start without flushing. This is the POSIX ICRNL flag."
    },
    {
      "id": "US-140",
      "title": "Fix VFS initialization for interactive shell \u2014 ls IO error",
      "description": "As a developer, I need ls and other directory-reading commands to work in the interactive shell so that the dev-shell is usable for testing.",
      "acceptanceCriteria": [
        "Investigate why ls from brush-shell produces 'ls-error-unknown-io-error' \u2014 trace the VFS RPC path from WASM worker through kernel",
        "Fix the root cause: ensure the VFS has a properly initialized root directory and cwd before the shell starts, or fix the RPC/VFS stat/readdir path",
        "Add or update shell-terminal test: run ls in a directory with known contents (after mkdir+touch) and verify output contains expected entries",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 131,
      "passes": true,
      "notes": "The InMemoryFileSystem starts nearly empty. brush-shell's ls command goes through WASM -> SharedArrayBuffer RPC -> kernel VFS readdir/stat. The IO error likely comes from missing VFS state, broken RPC handling, or fd_readdir WASI implementation issues. The 'could not retrieve pid for child process' warning is a separate brush-shell issue (proc_spawn return value parsing)."
    },
    {
      "id": "US-141",
      "title": "Fix exit builtin handling in interactive shell",
      "description": "As a developer, I need the exit command to properly terminate the interactive shell session so that connectTerminal() returns.",
      "acceptanceCriteria": [
        "Investigate why typing 'exit' in the interactive shell doesn't cause it to exit \u2014 trace the path from brush-shell exit builtin through WASI proc_exit, worker exit message, to process wait() resolution",
        "Fix the root cause in the kernel worker, process table, PTY cleanup, or exit propagation path",
        "Add or update shell-terminal test: writing 'exit\\n' to the shell causes the shell process wait() to resolve with exit code 0",
        "Verify Ctrl+D on empty line also exits (delivers EOF which should cause shell to exit)",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 132,
      "passes": true,
      "notes": "brush-shell's exit builtin should call WASI proc_exit. The WasiPolyfill should throw WasiProcExit, caught by the kernel worker which sends an exit message. The parent's wait() should then resolve. Something in this chain is broken \u2014 possibly the exit message isn't sent, or the PTY master read pump blocks cleanup."
    },
    {
      "id": "US-095",
      "title": "Add controllable isTTY and setRawMode under PTY",
      "description": "As a developer, I need process.stdout.isTTY to return true when the sandbox process has a PTY slave as its stdio, and process.stdin.setRawMode() to configure the PTY line discipline.",
      "acceptanceCriteria": [
        "When sandbox process is spawned with PTY slave FDs, process.stdout.isTTY and process.stdin.isTTY return true",
        "When sandbox process is spawned without PTY (default), isTTY remains false (no behavior change for existing tests)",
        "process.stdin.setRawMode(true) configures PTY line discipline: disables canonical mode, disables echo",
        "process.stdin.setRawMode(false) restores canonical mode and echo defaults",
        "setRawMode() throws when isTTY is false (no PTY attached)",
        "Test: spawn sandbox process on PTY, verify isTTY === true inside sandbox",
        "Test: spawn sandbox process without PTY, verify isTTY === false",
        "Test: setRawMode(true) then type characters \u2014 no echo, immediate byte delivery",
        "Test: setRawMode(false) restores echo and line buffering",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 133,
      "passes": true,
      "notes": "CLI E2E Phase 0 \u2014 bridge prerequisite. Gap #2, #5, #6 from cli-tool-e2e.md spec. Files: packages/secure-exec/src/bridge/process.ts, packages/secure-exec/src/node/execution-driver.ts"
    },
    {
      "id": "US-096",
      "title": "Verify HTTPS client and Stream Transform/PassThrough in bridge",
      "description": "As a developer, I need HTTPS with TLS and stream Transform/PassThrough working through the bridge so CLI tools can make LLM API calls and parse SSE streams.",
      "acceptanceCriteria": [
        "HTTPS request to a local server with self-signed cert succeeds through bridge (with rejectUnauthorized: false)",
        "HTTPS request with valid cert chain succeeds through bridge",
        "stream.Transform pipes data correctly: write chunks in, transformed chunks out",
        "stream.PassThrough pipes data through unchanged",
        "SSE parsing pattern works: Transform that splits on 'data: ' lines, emits parsed events",
        "Test: create HTTPS server with self-signed cert, fetch from sandbox, verify response body",
        "Test: create stream.Transform that uppercases, pipe data through, verify output",
        "Test: create stream.PassThrough, pipe 'data: {...}\\n\\n' chunks, verify passthrough",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 134,
      "passes": true,
      "notes": "CLI E2E Phase 0 \u2014 bridge prerequisite. Gap #1, #3 from cli-tool-e2e.md spec. Required for Pi, Claude Code (Anthropic SSE), and OpenCode SDK (OpenAI SSE)."
    },
    {
      "id": "US-097",
      "title": "Create shared mock LLM server and Pi headless CLI tool tests",
      "description": "As a developer, I need a mock LLM server utility serving both Anthropic Messages API and OpenAI Chat Completions SSE, plus Pi headless E2E tests proving Pi boots and produces output inside the sandbox.",
      "acceptanceCriteria": [
        "packages/secure-exec/tests/cli-tools/mock-llm-server.ts created \u2014 exports createMockLlmServer(cannedResponse)",
        "Mock server handles POST /messages with Anthropic Messages SSE format (content_block_start, content_block_delta, content_block_stop, message_stop)",
        "Mock server handles POST /chat/completions with OpenAI Chat Completions SSE format (chat.completion.chunk with delta, finish_reason, [DONE])",
        "Mock server returns 404 for unknown routes",
        "@mariozechner/pi-coding-agent added as devDependency to packages/secure-exec",
        "packages/secure-exec/tests/cli-tools/pi-headless.test.ts created",
        "Test: Pi boots in print mode \u2014 'pi --print \"say hello\"' exits with code 0",
        "Test: Pi produces output \u2014 stdout contains the canned LLM response",
        "Test: Pi reads a file \u2014 seed VFS with file, Pi's read tool accesses it",
        "Test: Pi writes a file \u2014 file exists in VFS after Pi's write tool runs",
        "Test: Pi runs bash command \u2014 Pi's bash tool executes ls via child_process",
        "Test: Pi JSON output mode \u2014 'pi --json \"say hello\"' produces valid JSON",
        "Tests gated with skipUnless(hasPiInstalled()) or equivalent",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 135,
      "passes": true,
      "notes": "CLI E2E Phase 1. Mock LLM server is shared infrastructure for all subsequent CLI tool tests. Pi is tested first because it's pure JS with simplest dependency tree. API tokens (ANTHROPIC_API_KEY, OPENAI_API_KEY) available at ~/misc/env.txt \u2014 source it before running tests that need real or mock-pointed API keys."
    },
    {
      "id": "US-098",
      "title": "Pi interactive PTY CLI tool tests",
      "description": "As a developer, I need Pi's TUI to render correctly through PTY + headless xterm inside the sandbox, verifying interactive mode works end-to-end.",
      "acceptanceCriteria": [
        "packages/secure-exec/tests/cli-tools/pi-interactive.test.ts created",
        "Spawn Pi inside openShell() with PTY, process.stdout.isTTY must be true in sandbox",
        "Test: Pi TUI renders \u2014 screen shows Pi's prompt/editor UI after boot",
        "Test: input appears on screen \u2014 type 'hello', text appears in editor area",
        "Test: submit prompt renders response \u2014 type prompt + Enter, LLM response renders on screen",
        "Test: ^C interrupts \u2014 send SIGINT during response streaming, Pi stays alive",
        "Test: exit cleanly \u2014 /exit or ^D, Pi exits, PTY closes",
        "Tests use TerminalHarness with waitFor() for timing-sensitive assertions",
        "Tests gated with skipUnless(hasPiInstalled()) and isTTY support available",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 136,
      "passes": true,
      "notes": "CLI E2E Phase 2. Depends on US-080 (TerminalHarness), US-095 (isTTY). Pi uses custom pi-tui with differential rendering and synchronized output sequences (CSI ?2026h/l). API tokens (ANTHROPIC_API_KEY, OPENAI_API_KEY) available at ~/misc/env.txt \u2014 source it before running tests that need real or mock-pointed API keys."
    },
    {
      "id": "US-099",
      "title": "OpenCode headless binary spawn tests (Strategy A)",
      "description": "As a developer, I need tests proving that the opencode binary can be spawned from inside the sandbox via child_process.spawn and produce correct output.",
      "acceptanceCriteria": [
        "packages/secure-exec/tests/cli-tools/opencode-headless.test.ts created",
        "opencode.json config fixture created with mock server baseURL",
        "Test: OpenCode boots in run mode \u2014 'opencode run \"say hello\"' exits with code 0",
        "Test: OpenCode produces output \u2014 stdout contains the canned LLM response",
        "Test: OpenCode text format \u2014 'opencode run --format text \"say hello\"' produces plain text",
        "Test: OpenCode JSON format \u2014 'opencode run --format json \"say hello\"' produces valid JSON",
        "Test: Environment forwarding \u2014 API key and base URL reach the binary",
        "Test: OpenCode reads sandbox file \u2014 seed VFS, prompt asks to read it",
        "Test: OpenCode writes sandbox file \u2014 file exists in VFS after write",
        "Test: SIGINT stops execution \u2014 send SIGINT during run, process terminates cleanly",
        "Test: Exit code on error \u2014 bad API key \u2192 non-zero exit",
        "Tests gated with skipUnless(hasOpenCodeBinary()) \u2014 skips if opencode not on PATH",
        "XDG_DATA_HOME set to temp directory for test-isolated SQLite storage",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 137,
      "passes": true,
      "notes": "CLI E2E Phase 3, Strategy A. OpenCode is a Bun binary, NOT a Node.js package \u2014 tests the child_process.spawn bridge for complex host binaries. Hardest CLI tool, tested before Claude Code to front-load risk. API tokens (ANTHROPIC_API_KEY, OPENAI_API_KEY) available at ~/misc/env.txt \u2014 source it before running tests that need real or mock-pointed API keys."
    },
    {
      "id": "US-100",
      "title": "OpenCode SDK client tests inside sandbox (Strategy B)",
      "description": "As a developer, I need tests proving that @opencode-ai/sdk running inside the sandbox can communicate with opencode serve on the host via HTTP/SSE.",
      "acceptanceCriteria": [
        "@opencode-ai/sdk added as devDependency to packages/secure-exec",
        "Tests added to packages/secure-exec/tests/cli-tools/opencode-headless.test.ts (Strategy B describe block)",
        "opencode serve started as background fixture in beforeAll, health-checked, killed in afterAll",
        "Unique port per test run to avoid conflicts",
        "Test: SDK client connects \u2014 create client, call health/status endpoint",
        "Test: SDK sends prompt \u2014 send prompt via SDK, receive streamed response",
        "Test: SDK session management \u2014 create session, send message, list messages",
        "Test: SSE streaming works \u2014 response streams incrementally, not all-at-once",
        "Test: SDK error handling \u2014 invalid session ID \u2192 proper error response",
        "Tests gated with skipUnless(hasOpenCodeBinary())",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 138,
      "passes": true,
      "notes": "CLI E2E Phase 3, Strategy B. Tests HTTP/SSE client bridge by running @opencode-ai/sdk inside the sandbox talking to opencode serve on host. Depends on US-096 (SSE/streams). API tokens (ANTHROPIC_API_KEY, OPENAI_API_KEY) available at ~/misc/env.txt \u2014 source it before running tests that need real or mock-pointed API keys."
    },
    {
      "id": "US-101",
      "title": "OpenCode interactive PTY tests",
      "description": "As a developer, I need OpenCode's OpenTUI to render correctly through PTY + headless xterm, verifying interactive mode works for the Bun binary.",
      "acceptanceCriteria": [
        "packages/secure-exec/tests/cli-tools/opencode-interactive.test.ts created",
        "Spawn opencode binary inside openShell() with PTY",
        "Test: OpenCode TUI renders \u2014 screen shows OpenTUI interface after boot",
        "Test: Input area works \u2014 type prompt text, appears in input area",
        "Test: Submit shows response \u2014 enter prompt, streaming response renders on screen",
        "Test: ^C interrupts \u2014 send SIGINT during streaming, OpenCode stays alive",
        "Test: Exit cleanly \u2014 :q or ^C, OpenCode exits, PTY closes",
        "Tests use TerminalHarness with waitFor() \u2014 use content-based assertions (not strict exact-match) due to OpenTUI rendering differences",
        "Tests gated with skipUnless(hasOpenCodeBinary())",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 139,
      "passes": true,
      "notes": "CLI E2E Phase 4. Depends on US-080 (TerminalHarness), US-095 (isTTY). OpenCode uses OpenTUI (TypeScript + Zig) with SolidJS \u2014 may render non-standard ANSI sequences. Use waitFor() with content assertions, tighten after empirical capture. API tokens (ANTHROPIC_API_KEY, OPENAI_API_KEY) available at ~/misc/env.txt \u2014 source it before running tests that need real or mock-pointed API keys."
    },
    {
      "id": "US-102",
      "title": "Claude Code headless CLI tool tests",
      "description": "As a developer, I need Claude Code to boot and produce output in -p mode inside the sandbox, verifying the most complex in-VM CLI tool works end-to-end.",
      "acceptanceCriteria": [
        "@anthropic-ai/claude-code added as devDependency to packages/secure-exec (or use @anthropic-ai/claude-agent-sdk if npm package has native binary issues)",
        "packages/secure-exec/tests/cli-tools/claude-headless.test.ts created",
        "Test: Claude boots in headless mode \u2014 'claude -p \"say hello\"' exits with code 0",
        "Test: Claude produces text output \u2014 stdout contains canned LLM response",
        "Test: Claude JSON output \u2014 '--output-format json' produces valid JSON with result field",
        "Test: Claude stream-json output \u2014 '--output-format stream-json' produces valid NDJSON",
        "Test: Claude reads a file \u2014 seed VFS, ask Claude to read it via Read tool",
        "Test: Claude writes a file \u2014 ask Claude to create a file, file exists in VFS after",
        "Test: Claude runs bash \u2014 ask Claude to run 'echo hello' via Bash tool",
        "Test: Claude exit codes \u2014 bad API key \u2192 non-zero exit, good prompt \u2192 exit 0",
        "Tests gated with skipUnless(hasClaudeInstalled()) or equivalent",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 140,
      "passes": true,
      "notes": "CLI E2E Phase 5. Claude Code is the most complex in-VM tool \u2014 Node.js with native binary, Ink TUI, known spawn stall issue (anthropics/claude-code#771). Consider @anthropic-ai/claude-agent-sdk as fallback entry point. API tokens (ANTHROPIC_API_KEY, OPENAI_API_KEY) available at ~/misc/env.txt \u2014 source it before running tests that need real or mock-pointed API keys."
    },
    {
      "id": "US-103",
      "title": "Claude Code interactive PTY tests",
      "description": "As a developer, I need Claude Code's Ink-based TUI to render correctly through PTY + headless xterm inside the sandbox.",
      "acceptanceCriteria": [
        "packages/secure-exec/tests/cli-tools/claude-interactive.test.ts created",
        "Spawn Claude inside openShell() with PTY, isTTY must be true",
        "Test: Claude TUI renders \u2014 screen shows Ink-based UI after boot",
        "Test: Input area works \u2014 type prompt text, appears in input area",
        "Test: Submit shows response \u2014 enter prompt, streaming response renders on screen",
        "Test: ^C interrupts response \u2014 send SIGINT during streaming, Claude stays alive",
        "Test: Color output renders \u2014 ANSI color codes render correctly in xterm buffer",
        "Test: Exit cleanly \u2014 /exit or ^C twice, Claude exits",
        "Tests use TerminalHarness with waitFor() for timing-sensitive assertions",
        "Tests gated with skipUnless(hasClaudeInstalled())",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 141,
      "passes": true,
      "notes": "CLI E2E Phase 6 \u2014 final phase. Depends on US-080 (TerminalHarness), US-095 (isTTY). Claude Code uses Ink (React-based TUI) with cursor movement, screen clearing, and color codes. Known spawn stall risk. API tokens (ANTHROPIC_API_KEY, OPENAI_API_KEY) available at ~/misc/env.txt \u2014 source it before running tests that need real or mock-pointed API keys."
    },
    {
      "id": "US-142",
      "title": "Sandbox Python runtime \u2014 block import js host escape",
      "description": "As a developer, I need the Python/Pyodide runtime to prevent sandbox code from reaching the host via import js, which currently gives full Node.js API access through the worker_threads Worker.",
      "acceptanceCriteria": [
        "Pyodide worker runs in a subprocess (not worker_threads) OR js/pyodide_js modules are intercepted and blocked before user code executes",
        "Test: Python code running 'import js; js.globalThis' throws ImportError or returns a restricted proxy",
        "Test: Python code running 'import js; js.globalThis.require(\"node:child_process\")' is blocked",
        "Test: getattr/exec-based bypass attempts to reach js module are also blocked",
        "Test: normal Python stdlib (math, json, re, collections) still works",
        "The existing micropip/loadPackage regex check is removed or supplemented with real isolation",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 142,
      "passes": true,
      "notes": "Audit C1 \u2014 CRITICAL. Pyodide runs in worker_threads with eval: true, giving full Node.js access. The regex check for micropip/loadPackage is trivially bypassable via getattr, exec, or string concatenation. This is the most severe finding \u2014 Python runtime has zero isolation."
    },
    {
      "id": "US-143",
      "title": "Add assertPayloadByteLength to text file reads",
      "description": "As a developer, I need the text file read bridge path (readFileRef) to enforce payload size limits matching the binary read path, preventing host OOM from arbitrarily large text files.",
      "acceptanceCriteria": [
        "readFileRef in execution-driver.ts calls assertPayloadByteLength before returning data (matching readFileBinaryRef behavior)",
        "Test: reading a text file larger than the payload limit throws or truncates",
        "Test: reading a normal-sized text file still works",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 143,
      "passes": true,
      "notes": "Audit C3 \u2014 CRITICAL. execution-driver.ts:1030-1032. Binary read path (readFileBinaryRef) correctly calls assertPayloadByteLength, text read path does not. With ModuleAccessFileSystem projecting host node_modules, sandbox code can read arbitrarily large text files into host memory."
    },
    {
      "id": "US-144",
      "title": "Restrict Browser Worker global APIs \u2014 block fetch, WebSocket, importScripts, indexedDB",
      "description": "As a developer, I need the browser Worker sandbox to delete or wrap dangerous Web APIs before eval so sandbox code cannot bypass permission checks or hijack the control channel.",
      "acceptanceCriteria": [
        "Before user code eval: delete or override fetch, XMLHttpRequest, WebSocket, importScripts, indexedDB, caches, BroadcastChannel",
        "self.onmessage is set as non-configurable after bridge setup",
        "self.postMessage is wrapped to prevent forged responses to the host",
        "Test: sandbox code calling fetch() throws ReferenceError or is routed through permission-checked bridge",
        "Test: sandbox code calling importScripts() throws",
        "Test: sandbox code calling new WebSocket() throws",
        "Test: sandbox code overwriting self.onmessage throws TypeError",
        "Test: normal bridge-provided APIs still work",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 144,
      "passes": true,
      "notes": "Audit C4 \u2014 CRITICAL (partial gap). US-118 hardened fetch/Headers/Request/Response/Blob as non-writable, but does not delete native fetch or block XMLHttpRequest, WebSocket, importScripts, indexedDB, caches, BroadcastChannel. self.onmessage is writable so sandbox code can hijack the control channel."
    },
    {
      "id": "US-145",
      "title": "Add concurrent host timer cap",
      "description": "As a developer, I need a configurable maximum on concurrent host-side timers (setTimeout/setInterval) created by sandbox code to prevent event loop exhaustion.",
      "acceptanceCriteria": [
        "Bridge tracks count of active host-side timers",
        "Configurable max (default 10000) \u2014 exceeding the cap throws or silently drops",
        "Cleared timers decrement the count",
        "Test: sandbox code creating maxTimers+1 timers \u2014 last one is rejected",
        "Test: create maxTimers, clear half, create more \u2014 works up to cap",
        "Test: normal code with <100 timers works fine",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 145,
      "passes": true,
      "notes": "Audit H3 (partial gap). US-117 handles cleanup on disposal but does not cap concurrent active timers. Sandbox code can create millions of pending host timers exhausting event loop and memory. Also covers audit M4 (isolate-side timer maps)."
    },
    {
      "id": "US-146",
      "title": "Cap active handle map size",
      "description": "As a developer, I need the ActiveHandles map to have a size limit preventing unbounded growth from spawning thousands of child processes or registering thousands of handles.",
      "acceptanceCriteria": [
        "ActiveHandles map enforces a configurable max size (default 10000)",
        "Exceeding the cap throws an error (EAGAIN or similar)",
        "Handles removed on cleanup decrement the count",
        "Test: register maxHandles+1 handles \u2014 last one throws",
        "Test: register handles, remove some, register more \u2014 works up to cap",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 146,
      "passes": true,
      "notes": "Audit H4 (partial gap). US-126 caps FD table and event listeners but not the active-handles.ts map. Spawning thousands of child processes or timers grows the map without bound."
    },
    {
      "id": "US-147",
      "title": "Filter dangerous env vars from child process spawn",
      "description": "As a developer, I need child_process.spawn to filter dangerous environment variables (LD_PRELOAD, NODE_OPTIONS, LD_LIBRARY_PATH) from the env passed by sandbox code.",
      "acceptanceCriteria": [
        "Child process spawn re-filters env through filterEnv (or strips known dangerous keys: LD_PRELOAD, NODE_OPTIONS, LD_LIBRARY_PATH, DYLD_INSERT_LIBRARIES)",
        "Test: sandbox code passes LD_PRELOAD in spawn env \u2014 key is stripped from actual child env",
        "Test: sandbox code passes NODE_OPTIONS in spawn env \u2014 key is stripped",
        "Test: sandbox code passes normal env vars (PATH, HOME) \u2014 passed through correctly",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 147,
      "passes": true,
      "notes": "Audit H5 \u2014 HIGH. execution-driver.ts:1162-1164. filterEnv is applied to process.env at init time but NOT to the env option passed from sandbox code to child_process.spawn. Combined with M8 (process.env mutations), sandbox code can inject LD_PRELOAD into spawned processes."
    },
    {
      "id": "US-148",
      "title": "Add SSRF protection \u2014 block private IPs and validate redirects",
      "description": "As a developer, I need the network adapter to block requests to private/internal IP ranges and either disable redirect following or re-validate redirected URLs.",
      "acceptanceCriteria": [
        "Network adapter blocks requests to private IP ranges (10.x, 172.16-31.x, 192.168.x, 169.254.x, 127.x, ::1, fc00::/7, fe80::/10)",
        "Redirect responses (301/302/307/308) either: disabled by default, or re-validated against permission checks and private IP blocklist",
        "Test: fetch('http://169.254.169.254/latest/meta-data/') is blocked",
        "Test: fetch to URL that 302-redirects to a private IP is blocked",
        "Test: fetch to a public URL still works",
        "Test: DNS rebinding protection \u2014 URL resolving to private IP after initial check is blocked (or documented as known limitation)",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 148,
      "passes": true,
      "notes": "Audit H6 \u2014 HIGH. permissions.ts:228-234, node/driver.ts:241-278. Permission checks validate the original URL but fetch follows redirects by default. A URL that 302-redirects to http://169.254.169.254/ passes the check."
    },
    {
      "id": "US-149",
      "title": "Fix timing mitigation \u2014 make Date.now non-configurable and patch Date constructor",
      "description": "As a developer, I need the timing mitigation to use writable:false + configurable:false for Date.now and also patch the Date constructor so sandbox code cannot trivially restore high-resolution timing.",
      "acceptanceCriteria": [
        "Date.now is frozen with Object.defineProperty using writable: false, configurable: false",
        "new Date().getTime() returns the same degraded timing as Date.now()",
        "performance.now() is also degraded or removed when timing mitigation is active",
        "Test: sandbox code doing Date.now = () => performance.now() throws TypeError",
        "Test: Object.defineProperty(Date, 'now', ...) throws TypeError",
        "Test: new Date().getTime() returns degraded value matching Date.now()",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 149,
      "passes": true,
      "notes": "Audit M2 \u2014 MEDIUM. apply-timing-mitigation-freeze.ts:13-17. Date.now is set with writable: true, configurable: true. Sandbox code can restore it trivially."
    },
    {
      "id": "US-150",
      "title": "Add permission check to httpServerClose",
      "description": "As a developer, I need httpServerClose to validate that the requesting sandbox owns the server being closed, preventing cross-sandbox server termination.",
      "acceptanceCriteria": [
        "httpServerClose checks that the server ID belongs to the calling sandbox/execution context",
        "Test: sandbox A creates server, sandbox B attempts to close it \u2014 denied",
        "Test: sandbox A creates server, sandbox A closes it \u2014 succeeds",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 150,
      "passes": true,
      "notes": "Audit M6 \u2014 MEDIUM. permissions.ts:223-226. httpServerClose is forwarded without permission check. Could allow closing other sandboxes' servers if server IDs are guessable."
    },
    {
      "id": "US-151",
      "title": "Harden Browser permission callback deserialization",
      "description": "As a developer, I need permission callbacks in the browser worker to be deserialized safely, not via new Function() which is a code injection vector.",
      "acceptanceCriteria": [
        "Permission callbacks are transferred via structured clone or postMessage, not serialized as strings and revived with new Function()",
        "OR: if string serialization is kept, input is validated against a strict whitelist/AST check before eval",
        "Test: permission callback with injected code in the string does not execute arbitrary code",
        "Test: normal permission callbacks (allow/deny) still work correctly",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 151,
      "passes": true,
      "notes": "Audit M7 \u2014 MEDIUM. browser/worker.ts:79-88. Permission callbacks are serialized as strings and revived with new Function('return (' + source + ')')(). If permission string is ever influenced by untrusted input, this is code injection."
    },
    {
      "id": "US-152",
      "title": "Prevent process.env mutations from reaching child processes",
      "description": "As a developer, I need process.env in the sandbox to be isolated so that mutations (e.g. setting LD_PRELOAD) do not propagate to child processes spawned with default env.",
      "acceptanceCriteria": [
        "process.env in sandbox is a copy \u2014 mutations do not affect the host process.env",
        "Child processes spawned without explicit env option get the filtered init-time env, not the mutated sandbox env",
        "Test: sandbox sets process.env.LD_PRELOAD, spawns child with default env \u2014 LD_PRELOAD is NOT in child env",
        "Test: sandbox sets process.env.FOO, reads process.env.FOO \u2014 sees the value (sandbox-local mutation works)",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 152,
      "passes": true,
      "notes": "Audit M8 \u2014 MEDIUM. process.ts:519-520, child-process.ts:447-448. process.env mutations are unrestricted and combined with H5, process.env.LD_PRELOAD then execSync('cmd') passes the injected variable. Related to US-147."
    },
    {
      "id": "US-153",
      "title": "Harden SharedArrayBuffer deletion fallback",
      "description": "As a developer, I need the SharedArrayBuffer timing mitigation to use a robust removal approach that cannot be circumvented by sandbox code restoring it from a saved reference.",
      "acceptanceCriteria": [
        "SharedArrayBuffer is deleted from globalThis with configurable: false or replaced with a throwing proxy",
        "Test: sandbox code that saved a reference to SharedArrayBuffer before freeze \u2014 reference is non-functional or throws",
        "Test: globalThis.SharedArrayBuffer is undefined after mitigation",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 153,
      "passes": true,
      "notes": "Audit L2 \u2014 LOW. apply-timing-mitigation-freeze.ts:42-44. Current deletion is a simple delete which may not work if SAB was already captured by sandbox code."
    },
    {
      "id": "US-154",
      "title": "Make process.binding() throw instead of returning stubs",
      "description": "As a developer, I need process.binding() to throw an error instead of returning stubs, as stubs can give sandbox code a false sense of access to internal Node.js bindings.",
      "acceptanceCriteria": [
        "process.binding() throws Error('process.binding is not supported in sandbox')",
        "process._linkedBinding() also throws",
        "Test: sandbox code calling process.binding('fs') throws",
        "Test: sandbox code calling process.binding('buffer') throws",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 154,
      "passes": true,
      "notes": "Audit L3 \u2014 LOW. process.ts:760-784. Current stubs return mock objects. While not directly exploitable, they obscure the sandbox boundary."
    },
    {
      "id": "US-155",
      "title": "Cap ClientRequest._body and ServerResponse._chunks buffering",
      "description": "As a developer, I need the bridge network request body and response chunks buffers to have size limits preventing host memory exhaustion.",
      "acceptanceCriteria": [
        "ClientRequest._body string concatenation is capped at a configurable limit (e.g., 50MB)",
        "ServerResponseBridge._chunks array is capped at a configurable total byte size",
        "Exceeding either cap throws an error or silently truncates",
        "Test: sandbox code writing >50MB request body \u2014 error thrown",
        "Test: sandbox code writing >50MB response chunks \u2014 error thrown",
        "Test: normal-sized requests/responses work fine",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 155,
      "passes": true,
      "notes": "Audit L4 + L7 \u2014 LOW. network.ts:649 (ClientRequest._body unbounded string concat) and network.ts:923 (ServerResponseBridge._chunks unbounded array). Both grow without limit from sandbox code."
    },
    {
      "id": "US-156",
      "title": "Add rate limiting to Browser and Python worker stdio messages",
      "description": "As a developer, I need the browser and Python worker stdio message channels to have rate limits preventing message flooding that could exhaust host memory or event loop.",
      "acceptanceCriteria": [
        "Browser worker postMessage for stdout/stderr is rate-limited or batched",
        "Python worker stdout/stderr messages are rate-limited or batched",
        "Test: sandbox code producing 1M stdout lines per second \u2014 host does not OOM, messages are batched or dropped",
        "Test: normal output volume works without delay",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 156,
      "passes": true,
      "notes": "Audit L5 \u2014 LOW. browser/worker.ts:56, python/driver.ts:198-208. Neither worker rate-limits stdout/stderr messages, allowing sandbox code to flood the host message channel."
    },
    {
      "id": "US-157",
      "title": "Block module cache poisoning within single execution",
      "description": "As a developer, I need require.cache and internal module caches to be non-writable from sandbox code so a module cannot poison the cache for other modules in the same execution.",
      "acceptanceCriteria": [
        "require.cache is frozen or replaced with a Proxy that rejects writes from sandbox code",
        "_moduleCache is not directly accessible from sandbox code",
        "Test: sandbox code doing require.cache['crypto'] = fakeModule \u2014 throws or is ignored",
        "Test: sandbox code doing delete require.cache['crypto'] \u2014 throws or is ignored",
        "Test: normal require() still works and caches correctly",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 157,
      "passes": true,
      "notes": "Audit M3 \u2014 MEDIUM (partial gap from US-132). US-132 isolates caches across warm executions but does not prevent poisoning within a single execution. bridge-initial-globals.ts:22 exposes mutable _moduleCache and require.cache."
    },
    {
      "id": "US-158",
      "title": "Allow loopback fetch for sandbox-spawned HTTP servers (SSRF exemption)",
      "description": "As a developer, I need sandbox code that starts an HTTP server via the bridge to be able to fetch from its own localhost/loopback address without being blocked by SSRF protection.",
      "acceptanceCriteria": [
        "SSRF protection tracks bridged HTTP servers and their bound ports",
        "Fetch to 127.0.0.1 or localhost on a port owned by the same sandbox is allowed",
        "Fetch to 127.0.0.1 on a port NOT owned by the sandbox is still blocked",
        "Fetch to other private IPs (10.x, 192.168.x, 169.254.x) remains blocked",
        "Test: sandbox creates http.createServer, binds port 0, fetches own endpoint \u2014 succeeds",
        "Test: sandbox fetches localhost on arbitrary port not owned by sandbox \u2014 blocked",
        "Test: coerces 0.0.0.0 listen to loopback for strict sandboxing",
        "Test: http.Agent with maxSockets=1 serializes concurrent requests through bridged server",
        "Test: upgrade request fires upgrade event with response and socket on bridged server",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 158,
      "passes": true,
      "notes": "Test failures: 5 NodeRuntime HTTP/SSRF tests fail because SSRF protection blocks all loopback fetch including to the sandbox's own bridged HTTP servers. Relates to US-148 (SSRF protection) but is about carving out a safe exemption, not weakening protection."
    },
    {
      "id": "US-159",
      "title": "Fix Express and Fastify exit code 1 in secure-exec project matrix",
      "description": "As a developer, I need the Express and Fastify project-matrix fixtures to pass in the no-kernel secure-exec matrix (not just the kernel matrix).",
      "acceptanceCriteria": [
        "Investigate why express-pass and fastify-pass fixtures exit with code 1 in secure-exec",
        "Fix the root cause (may be missing bridge API, incorrect server lifecycle, or network issue)",
        "runs fixture express-pass in host node and secure-exec \u2014 parity passes",
        "runs fixture fastify-pass in host node and secure-exec \u2014 parity passes",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 159,
      "passes": true,
      "notes": "Pre-existing test failures. express-pass and fastify-pass fixtures exit code 1 in secure-exec but exit 0 in host node. Separate from the SSRF loopback issue (US-158). Fixtures are in packages/secure-exec/tests/projects/. Relates to US-035, US-036, US-049."
    },
    {
      "id": "US-160",
      "title": "Implement kernel shell I/O redirection operators (< > >>)",
      "description": "As a developer, I need the kernel shell (brush-shell) to support I/O redirection so exec() can handle commands with < > >> operators that read from and write to VFS files.",
      "acceptanceCriteria": [
        "exec('cat < /tmp/in.txt') reads from VFS file and produces stdout",
        "exec('echo hello >> /tmp/out.txt') appends to existing VFS file",
        "exec('echo first > /tmp/out.txt') creates/truncates VFS file",
        "Piped output preserves data across redirection (e.g., cmd | cmd > file)",
        "exec('node -e ... < /tmp/in.txt') reads redirected file via kernel VFS",
        "FD inheritance wires redirected FDs correctly to child process stdin/stdout/stderr",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 160,
      "passes": true,
      "notes": "Test failures: 4 FD inheritance tests fail with timeouts or missing features. Shell I/O redirection requires brush-shell to parse < > >> operators, open VFS files via kernel fdOpen, and wire the FDs to the spawned child process via stdinFd/stdoutFd overrides."
    },
    {
      "id": "US-161",
      "title": "Add Next.js project-matrix fixture",
      "description": "As a developer, I need a Next.js fixture to catch compatibility regressions for the most common React meta-framework, covering SSR, API routes, and the build pipeline.",
      "acceptanceCriteria": [
        "packages/secure-exec/tests/projects/nextjs-pass/ created with package.json and source files",
        "Next.js app with at least one page and one API route",
        "Fixture runs next build, prints deterministic stdout, exits 0",
        "Fixture passes in host Node (node entrypoint \u2192 exit 0, expected stdout)",
        "Fixture passes through secure-exec project-matrix (project-matrix.test.ts)",
        "Fixture passes through kernel project-matrix (e2e-project-matrix.test.ts)",
        "Stdout parity between host and sandbox",
        "No sandbox-aware branches in fixture code",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 161,
      "passes": true,
      "notes": "Same pattern as Express (US-036) and Fastify (US-037) fixtures. Next.js exercises SSR, webpack/turbopack compilation, fs access for pages, and dynamic imports \u2014 all stress points for the sandbox."
    },
    {
      "id": "US-162",
      "title": "Add Vite project-matrix fixture",
      "description": "As a developer, I need a Vite fixture to catch compatibility regressions for the most common frontend build tool, covering ESM resolution, plugin loading, and the build pipeline.",
      "acceptanceCriteria": [
        "packages/secure-exec/tests/projects/vite-pass/ created with package.json and source files",
        "Vite project with a minimal app and at least one plugin (e.g. @vitejs/plugin-react)",
        "Fixture runs vite build, prints deterministic stdout, exits 0",
        "Fixture passes in host Node (node entrypoint \u2192 exit 0, expected stdout)",
        "Fixture passes through secure-exec project-matrix (project-matrix.test.ts)",
        "Fixture passes through kernel project-matrix (e2e-project-matrix.test.ts)",
        "Stdout parity between host and sandbox",
        "No sandbox-aware branches in fixture code",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 162,
      "passes": true,
      "notes": "Vite exercises ESM-first module resolution, esbuild/rollup compilation, worker threads for plugins, and native addon optional deps \u2014 all stress points for the sandbox."
    },
    {
      "id": "US-163",
      "title": "Add Astro project-matrix fixture",
      "description": "As a developer, I need an Astro fixture to catch compatibility regressions for Astro's island architecture, covering static build, component hydration, and the Vite-based build pipeline.",
      "acceptanceCriteria": [
        "packages/secure-exec/tests/projects/astro-pass/ created with package.json and source files",
        "Astro project with at least one page and one interactive island component",
        "Fixture runs astro build, prints deterministic stdout, exits 0",
        "Fixture passes in host Node (node entrypoint \u2192 exit 0, expected stdout)",
        "Fixture passes through secure-exec project-matrix (project-matrix.test.ts)",
        "Fixture passes through kernel project-matrix (e2e-project-matrix.test.ts)",
        "Stdout parity between host and sandbox",
        "No sandbox-aware branches in fixture code",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 163,
      "passes": true,
      "notes": "Astro exercises Vite internals, .astro file compilation, partial hydration, and multi-framework component rendering \u2014 all stress points for the sandbox. Depends on Vite compatibility (US-162)."
    },
    {
      "id": "US-164",
      "title": "Fix secure-exec npm import crash caused by node-stdlib-browser runtime import",
      "description": "As a developer, I need import { NodeRuntime } from 'secure-exec' to work on Node.js without crashing on a missing mock/empty.js file from node-stdlib-browser.",
      "acceptanceCriteria": [
        "Replace runtime import of node-stdlib-browser in module-resolver.ts with a static hardcoded list of stdlib module names",
        "Comment out @secure-exec/browser and @secure-exec/python re-exports in secure-exec/src/index.ts with TODO markers",
        "Move @secure-exec/browser and @secure-exec/python to optionalDependencies in packages/secure-exec/package.json",
        "import { NodeRuntime, createNodeDriver } from 'secure-exec' works without error on Node.js",
        "import { NodeRuntime, createBrowserDriver } from 'secure-exec/browser' still works as subpath import",
        "import { PythonRuntime } from 'secure-exec/python' still works as subpath import",
        "node-stdlib-browser is no longer imported at runtime anywhere in @secure-exec/core",
        "Typecheck passes",
        "Tests pass"
      ],
      "priority": 164,
      "passes": true,
      "notes": "CRITICAL \u2014 published 0.1.0-rc.3 is broken. node-stdlib-browser@1.3.1 ESM entry calls require.resolve('./mock/empty.js') which doesn't exist in the published package. Import chain: secure-exec \u2192 @secure-exec/browser or /python \u2192 @secure-exec/core \u2192 module-resolver.ts \u2192 node-stdlib-browser \u2192 CRASH. Files: packages/secure-exec-core/src/module-resolver.ts, packages/secure-exec/src/index.ts, packages/secure-exec/package.json."
    }
  ]
}