Package Structure

secure-exec is split into focused packages. The umbrella secure-exec package re-exports everything for convenience.

| Package | Contents |
| --- | --- |
| `@secure-exec/core` | Shared types, utilities, bridge guest code, `NodeRuntime`, `PythonRuntime` classes |
| `@secure-exec/node` | Node.js V8 isolate runtime driver, `createNodeDriver`, `createNodeRuntimeDriverFactory` |
| `@secure-exec/browser` | Browser Web Worker runtime driver, `createBrowserDriver`, `createBrowserRuntimeDriverFactory` |
| `@secure-exec/python` | Pyodide runtime driver, `createPyodideRuntimeDriverFactory` |
| `@secure-exec/typescript` | Sandboxed TypeScript compiler tools |
| `secure-exec` | Umbrella barrel — re-exports all of the above |

Runtimes

NodeRuntime

Package: @secure-exec/core (also re-exported from secure-exec)
Sandboxed JavaScript runtime using a V8 isolate.
new NodeRuntime(options: NodeRuntimeOptions)
NodeRuntimeOptions

| Option | Type | Description |
| --- | --- | --- |
| `systemDriver` | `SystemDriver` | Host capabilities (filesystem, network, permissions). Required. |
| `runtimeDriverFactory` | `NodeRuntimeDriverFactory` | Creates the isolate execution environment. Required. |
| `memoryLimit` | `number` | Isolate memory cap in MB. |
| `cpuTimeLimitMs` | `number` | CPU time budget in ms. |
| `timingMitigation` | `"off" \| "freeze"` | Timing side-channel mitigation. Default `"freeze"`. |
| `onStdio` | `StdioHook` | Default console output hook. |
| `payloadLimits` | `{ base64TransferBytes?: number; jsonPayloadBytes?: number }` | Bridge payload size limits. |

Methods

| Method | Returns | Description |
| --- | --- | --- |
| `exec(code, options?)` | `Promise<ExecResult>` | Execute code without a return value. |
| `run<T>(code, filePath?)` | `Promise<RunResult<T>>` | Execute code and return the module namespace/default export object. |
| `network` | `{ fetch, dnsLookup, httpRequest }` | Network access from the host side. |
| `dispose()` | `void` | Release resources synchronously. |
| `terminate()` | `Promise<void>` | Terminate the runtime. |

TypeScript Tools (@secure-exec/typescript)

createTypeScriptTools(options)

Creates sandboxed TypeScript project/source helpers backed by a dedicated compiler runtime.
createTypeScriptTools(options: TypeScriptToolsOptions)
TypeScriptToolsOptions

| Option | Type | Description |
| --- | --- | --- |
| `systemDriver` | `SystemDriver` | Compiler runtime capabilities and filesystem view. |
| `runtimeDriverFactory` | `NodeRuntimeDriverFactory` | Creates the compiler sandbox runtime. |
| `memoryLimit` | `number` | Compiler sandbox isolate memory cap in MB. Default `512`. |
| `cpuTimeLimitMs` | `number` | Compiler sandbox CPU time budget in ms. |
| `compilerSpecifier` | `string` | Module specifier used to load the TypeScript compiler. Default `"typescript"`. |

Methods

| Method | Returns | Description |
| --- | --- | --- |
| `typecheckProject(options?)` | `Promise<TypeCheckResult>` | Type-check a filesystem-backed TypeScript project using tsconfig discovery or `configFilePath`. |
| `compileProject(options?)` | `Promise<ProjectCompileResult>` | Compile a filesystem-backed project and write emitted files through the configured filesystem like `tsc`. |
| `typecheckSource(options)` | `Promise<TypeCheckResult>` | Type-check one TypeScript source string without mutating the filesystem. |
| `compileSource(options)` | `Promise<SourceCompileResult>` | Compile one TypeScript source string and return JavaScript text. |

PythonRuntime

Package: @secure-exec/core (also re-exported from secure-exec)
Sandboxed Python runtime using Pyodide in a Worker thread.
new PythonRuntime(options: PythonRuntimeOptions)
PythonRuntimeOptions

| Option | Type | Description |
| --- | --- | --- |
| `systemDriver` | `SystemDriver` | Host capabilities. Required. |
| `runtimeDriverFactory` | `PythonRuntimeDriverFactory` | Creates the Pyodide worker. Required. |
| `cpuTimeLimitMs` | `number` | CPU time budget in ms. |
| `onStdio` | `StdioHook` | Default console output hook. |

Methods

| Method | Returns | Description |
| --- | --- | --- |
| `exec(code, options?)` | `Promise<ExecResult>` | Execute Python code without a return value. |
| `run<T>(code, options?)` | `Promise<PythonRunResult<T>>` | Execute Python code and return a value. |
| `dispose()` | `void` | Release resources synchronously. |
| `terminate()` | `Promise<void>` | Terminate the runtime. |

System Driver Factories

createNodeDriver(options?)

Package: @secure-exec/node (also re-exported from secure-exec)
Creates a system driver for Node.js environments.
createNodeDriver(options?: NodeDriverOptions): SystemDriver
NodeDriverOptions

| Option | Type | Description |
| --- | --- | --- |
| `filesystem` | `VirtualFileSystem` | Custom filesystem. Default: host fs with module overlay. |
| `moduleAccess` | `ModuleAccessOptions` | Node modules overlay config. |
| `networkAdapter` | `NetworkAdapter` | Network implementation. |
| `commandExecutor` | `CommandExecutor` | Child process executor. |
| `permissions` | `Permissions` | Access control rules. Deny-by-default. |
| `useDefaultNetwork` | `boolean` | Enable default Node.js network adapter. |
| `processConfig` | `ProcessConfig` | Process metadata (cwd, env, argv, etc.). |
| `osConfig` | `OSConfig` | OS metadata (platform, arch, homedir, etc.). |

createBrowserDriver(options?)

Package: @secure-exec/browser (also re-exported from secure-exec)
Creates a system driver for browser environments. Returns a promise because OPFS initialization is async.
createBrowserDriver(options?: BrowserDriverOptions): Promise<SystemDriver>
BrowserDriverOptions

| Option | Type | Description |
| --- | --- | --- |
| `filesystem` | `"opfs" \| "memory"` | Filesystem backend. Default: `"opfs"`. |
| `permissions` | `Permissions` | Access control rules. Deny-by-default. |
| `useDefaultNetwork` | `boolean` | Enable browser fetch network adapter. |

Runtime Driver Factories

createNodeRuntimeDriverFactory(options?)

Package: @secure-exec/node (also re-exported from secure-exec)
Creates a factory for Node.js V8 isolate runtime drivers.
createNodeRuntimeDriverFactory(options?: {
  createIsolate?(memoryLimit: number): unknown;
}): NodeRuntimeDriverFactory

createBrowserRuntimeDriverFactory(options?)

Package: @secure-exec/browser (also re-exported from secure-exec)
Creates a factory for browser Worker-based runtime drivers.
createBrowserRuntimeDriverFactory(options?: {
  workerUrl?: URL | string;
}): NodeRuntimeDriverFactory

createPyodideRuntimeDriverFactory()

Package: @secure-exec/python (also re-exported from secure-exec)
Creates a factory for Pyodide-based Python runtime drivers.
createPyodideRuntimeDriverFactory(): PythonRuntimeDriverFactory

Filesystem

createInMemoryFileSystem()

Package: @secure-exec/core (also re-exported from secure-exec)
Creates a fully in-memory filesystem backed by Maps.
createInMemoryFileSystem(): InMemoryFileSystem

createOpfsFileSystem()

Package: @secure-exec/browser (also re-exported from secure-exec)
Creates an OPFS-backed filesystem (browser only).
createOpfsFileSystem(): Promise<VirtualFileSystem>

NodeFileSystem

Thin wrapper around Node.js fs/promises.
new NodeFileSystem()

VirtualFileSystem interface

| Method | Returns | Description |
| --- | --- | --- |
| `readFile(path)` | `Promise<Uint8Array>` | Read file as bytes. |
| `readTextFile(path)` | `Promise<string>` | Read file as text. |
| `readDir(path)` | `Promise<string[]>` | List directory entries. |
| `readDirWithTypes(path)` | `Promise<DirEntry[]>` | List entries with type info. |
| `writeFile(path, content)` | `Promise<void>` | Write file. |
| `createDir(path)` | `Promise<void>` | Create directory. |
| `mkdir(path)` | `Promise<void>` | Create directory (alias). |
| `exists(path)` | `Promise<boolean>` | Check if path exists. |
| `stat(path)` | `Promise<StatInfo>` | Get file metadata. |
| `removeFile(path)` | `Promise<void>` | Delete a file. |
| `removeDir(path)` | `Promise<void>` | Delete a directory. |
| `rename(old, new)` | `Promise<void>` | Rename a file or directory. |
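
Because `createNodeDriver` accepts any `VirtualFileSystem` as its `filesystem` option, a wrapper over the methods listed above can narrow what sandboxed code sees. The following is an added example, not code from secure-exec: `confinePath`, `confineFileSystem` and `makeStubFs` are hypothetical names, and the stub filesystem is constructed for illustration.

```javascript
// Added example (not secure-exec code): a read-only view of one subtree of a
// VirtualFileSystem. All function names here are hypothetical.

// Normalize an absolute path; return it only if it stays inside `root`, else null.
function confinePath(root, p) {
  if (typeof p !== "string" || !p.startsWith("/")) return null; // no relative paths
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop(); // ".." above "/" stays at "/"
    else out.push(seg);
  }
  const abs = "/" + out.join("/");
  const base = root.replace(/\/+$/, "") || "/";
  if (base === "/") return abs;
  return abs === base || abs.startsWith(base + "/") ? abs : null;
}

const READ_METHODS = ["readFile", "readTextFile", "readDir", "readDirWithTypes", "exists", "stat"];
const WRITE_METHODS = ["writeFile", "createDir", "mkdir", "removeFile", "removeDir", "rename"];

// Wrap `inner` (anything with the VirtualFileSystem methods) in a confined view.
function confineFileSystem(inner, root) {
  const view = {};
  for (const name of READ_METHODS) {
    view[name] = async (p) => {
      const safe = confinePath(root, p);
      if (safe === null) throw new Error(`EACCES: ${name} outside ${root}`);
      return inner[name](safe); // pass the normalized path, not the raw one
    };
  }
  for (const name of WRITE_METHODS) {
    view[name] = async () => {
      throw new Error(`EROFS: ${name} denied on read-only view`);
    };
  }
  return view;
}

// Constructed stand-in for a real VirtualFileSystem, enough to exercise the wrapper.
function makeStubFs(files) {
  return {
    readTextFile: async (p) => {
      if (!files.has(p)) throw new Error(`ENOENT: ${p}`);
      return files.get(p);
    },
    exists: async (p) => files.has(p),
  };
}
```

The path check is lexical only: if the inner filesystem is host-backed, a symlink inside the root can still resolve outside it, so pair the wrapper with an in-memory filesystem or a root that contains no symlinks.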

Network

createDefaultNetworkAdapter()

Package: @secure-exec/node (also re-exported from secure-exec)
Creates a network adapter with real fetch, DNS, and HTTP support (Node.js only).
createDefaultNetworkAdapter(): NetworkAdapter

createBrowserNetworkAdapter()

Package: @secure-exec/browser (also re-exported from secure-exec)
Creates a fetch-only network adapter for browser environments. No DNS support.
createBrowserNetworkAdapter(): NetworkAdapter

NetworkAdapter interface

| Method | Returns | Description |
| --- | --- | --- |
| `fetch(url, options?)` | `Promise<FetchResponse>` | HTTP fetch. |
| `dnsLookup(hostname)` | `Promise<DnsResult>` | DNS resolution. |
| `httpRequest(url, options?)` | `Promise<HttpResponse>` | Low-level HTTP request. |
| `httpServerListen?(options)` | `Promise<{ address }>` | Start a loopback HTTP server. |
| `httpServerClose?(serverId)` | `Promise<void>` | Close a loopback HTTP server. |

Permissions

Package: @secure-exec/core (also re-exported from secure-exec)

Pre-built helpers

| Export | Description |
| --- | --- |
| `allowAll` | Allow all operations. |
| `allowAllFs` | Allow all filesystem operations. |
| `allowAllNetwork` | Allow all network operations. |
| `allowAllChildProcess` | Allow all child process spawning. |
| `allowAllEnv` | Allow all environment variable access. |

Permissions type

type Permissions = {
  fs?: PermissionCheck<FsAccessRequest>;
  network?: PermissionCheck<NetworkAccessRequest>;
  childProcess?: PermissionCheck<ChildProcessAccessRequest>;
  env?: PermissionCheck<EnvAccessRequest>;
};
Each field accepts a PermissionCheck, which is either a boolean or a function (request) => boolean | Promise<boolean>.
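
A narrower alternative to `allowAllNetwork` is a function-form check that allows only named hosts. This is an added example, not code from secure-exec; it assumes the network request exposes its target as `request.url` (the fields of `NetworkAccessRequest` are not listed on this page), and `hostAllowlist`, `buildPermissions` and `evaluateSamples` are hypothetical names.

```javascript
// Added example (not secure-exec code). ASSUMPTION: the network request object
// exposes the target as `request.url`; confirm the real field name in the
// package's NetworkAccessRequest type before using this.

// PermissionCheck in function form: allow only https requests to exact hostnames.
function hostAllowlist(allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  return (request) => {
    let target;
    try {
      target = new URL(request.url);
    } catch {
      return false; // missing or unparsable target: deny
    }
    // Compare the parsed hostname, never a substring or prefix of the raw URL.
    return target.protocol === "https:" && allowed.has(target.hostname);
  };
}

// A Permissions-shaped object: one function check, the rest explicit booleans.
function buildPermissions(allowedHosts) {
  return {
    fs: false,
    network: hostAllowlist(allowedHosts),
    childProcess: false,
    env: false,
  };
}

// Constructed sample requests covering the cases a prefix match gets wrong.
const perms = buildPermissions(["api.example.com"]);
const samples = [
  "https://API.example.com/v1/items",      // allowed: hostname is case-insensitive
  "http://api.example.com/v1/items",       // denied: not https
  "https://api.example.com.evil.test/",    // denied: allowlisted name is only a prefix
  "https://api.example.com@evil.test/",    // denied: allowlisted name is userinfo
  "not a url",                             // denied: unparsable
];

function evaluateSamples() {
  return samples.map((url) => perms.network({ url }));
}
```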

Execution Types

ExecOptions

| Option | Type | Description |
| --- | --- | --- |
| `filePath` | `string` | Script filename for error messages. |
| `env` | `Record<string, string>` | Override environment variables. |
| `cwd` | `string` | Working directory. |
| `stdin` | `string` | Stdin data. |
| `cpuTimeLimitMs` | `number` | CPU budget override. |
| `timingMitigation` | `"off" \| "freeze"` | Timing mitigation override. |
| `onStdio` | `StdioHook` | Per-execution stdio hook. |

ExecResult

{ code: number; errorMessage?: string }

RunResult<T>

{ code: number; errorMessage?: string; exports?: T }

PythonRunResult<T>

{ code: number; errorMessage?: string; value?: T; globals?: Record<string, unknown> }

PythonRunOptions

Extends ExecOptions with:

| Option | Type | Description |
| --- | --- | --- |
| `globals` | `string[]` | Python globals to return. |

StdioHook

type StdioHook = (event: { channel: "stdout" | "stderr"; message: string }) => void;

ProjectCompilerOptions

{
  cwd?: string;
  configFilePath?: string;
}

SourceCompilerOptions

{
  sourceText: string;
  filePath?: string;
  cwd?: string;
  configFilePath?: string;
  compilerOptions?: Record<string, unknown>;
}

TypeCheckResult

{
  success: boolean;
  diagnostics: TypeScriptDiagnostic[];
}

ProjectCompileResult

{
  success: boolean;
  diagnostics: TypeScriptDiagnostic[];
  emitSkipped: boolean;
  emittedFiles: string[];
}

SourceCompileResult

{
  success: boolean;
  diagnostics: TypeScriptDiagnostic[];
  outputText?: string;
  sourceMapText?: string;
}

TypeScriptDiagnostic

{
  code: number;
  category: "error" | "warning" | "suggestion" | "message";
  message: string;
  filePath?: string;
  line?: number;
  column?: number;
}

Configuration Types

ProcessConfig

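| Field | Type | Default |
| --- | --- | --- |
| `platform` | `string` | |
| `arch` | `string` | |
| `version` | `string` | |
| `cwd` | `string` | `"/root"` |
| `env` | `Record<string, string>` | |
| `argv` | `string[]` | |
| `execPath` | `string` | |
| `pid` | `number` | |
| `ppid` | `number` | |
| `uid` | `number` | |
| `gid` | `number` | |
| `stdin` | `string` | |
| `timingMitigation` | `"off" \| "freeze"` | |
| `frozenTimeMs` | `number` | |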

OSConfig

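| Field | Type | Default |
| --- | --- | --- |
| `platform` | `string` | |
| `arch` | `string` | |
| `type` | `string` | |
| `release` | `string` | |
| `version` | `string` | |
| `homedir` | `string` | `"/root"` |
| `tmpdir` | `string` | `"/tmp"` |
| `hostname` | `string` | |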

SystemDriver

type SystemDriver = {
  filesystem?: VirtualFileSystem;
  network?: NetworkAdapter;
  commandExecutor?: CommandExecutor;
  permissions?: Permissions;
  runtime: DriverRuntimeConfig;
};

CommandExecutor interface

| Method | Returns | Description |
| --- | --- | --- |
| `spawn(command, args, options?)` | `SpawnedProcess` | Spawn a child process. |