test: group security suites by folder (#35)

Author: aallam

docs/architecture/README.md

@@ -94,7 +94,7 @@ Key implications:
 
 - The provider/tool surface is the capability boundary, not the JavaScript syntax itself.
 - Fresh runtimes, schema validation, JSON-only boundaries, timeouts, memory limits, and bounded logs are defense-in-depth features.
-- In-process execution still shares the host process. Use a separate process, container, VM, or similar boundary when the code source is hostile or multi-tenant.
+- In-process and worker-hosted execution still share the host process. Use `@execbox/remote` behind a separate process, container, VM, or similar boundary when the code source is hostile or multi-tenant.
 - Wrapping third-party MCP servers is a separate dependency-trust decision from letting end users author guest code.
 
 ## Architecture In One Paragraph

docs/architecture/execbox-executors.md

@@ -114,7 +114,7 @@ If all shells are busy and the pool is already at `maxSize`, the next `acquire()
 
 - Successful executions return the shell to the pool.
 - Normal guest/runtime/tool failures also return the shell, because they do not imply a poisoned host shell.
-- `timeout` and `internal_error` results evict the shell, because those outcomes mean the worker/child or transport state may no longer be trustworthy.
+- `timeout` and `internal_error` results evict the shell, because those outcomes mean the worker or transport state may no longer be trustworthy.
 - Idle pooled shells are evicted after `idleTimeoutMs`, down to `minSize`.
 - `dispose()` tears down the executor-owned pool and any idle shells it still owns.
 

docs/architecture/index.md

@@ -55,5 +55,5 @@ Key implications:
 
 - The provider/tool surface is the capability boundary, not the JavaScript syntax itself.
 - Fresh runtimes, schema validation, JSON-only boundaries, timeouts, memory limits, and bounded logs are defense-in-depth features.
-- In-process execution still shares the host process. Use a separate process, container, VM, or similar boundary when the code source is hostile or multi-tenant.
+- In-process and worker-hosted execution still share the host process. Use `@execbox/remote` behind a separate process, container, VM, or similar boundary when the code source is hostile or multi-tenant.
 - Wrapping third-party MCP servers is a separate dependency-trust decision from letting end users author guest code.

package.json

@@ -34,7 +34,7 @@
     "package:check": "npm_config_cache=$PWD/.npm-cache CI=1 npm run build",
     "test": "vitest run",
     "test:dist-smoke": "node --import tsx scripts/test-dist-smoke.ts",
-    "test:security": "node ./node_modules/vitest/vitest.mjs run packages/core/__tests__/security/isJsonSerializable.test.ts packages/core/__tests__/core/createToolCallDispatcher.test.ts packages/core/__tests__/protocol/hostSession.test.ts packages/quickjs/__tests__/protocolEndpoint.test.ts packages/quickjs/__tests__/remoteEndpoint.test.ts && node ./node_modules/vitest/vitest.mjs run packages/core/__tests__/mcp/penetration.test.ts packages/remote/__tests__/penetration.test.ts packages/quickjs/__tests__/hostedPenetration.test.ts && node ./node_modules/vitest/vitest.mjs run packages/quickjs/__tests__/workerHostLifecycle.test.ts",
+    "test:security": "vitest run packages/*/__tests__/security",
     "test:watch": "vitest",
     "typecheck": "tsc --noEmit && node --import tsx scripts/check-workspace-entrypoints.ts"
   },

…__/core/createToolCallDispatcher.test.ts …ecurity/createToolCallDispatcher.test.tspackages/core/__tests__/core/createToolCallDispatcher.test.ts renamed to packages/core/__tests__/security/createToolCallDispatcher.test.ts packages/core/__tests__/core/createToolCallDispatcher.test.ts renamed to packages/core/__tests__/security/createToolCallDispatcher.test.ts

@@ -1,6 +1,6 @@
 import { QuickJsExecutor } from "@execbox/quickjs";
 
-import { runWrappedMcpPenetrationSuite } from "../../test-support/runWrappedMcpPenetrationSuite";
+import { runWrappedMcpPenetrationSuite } from "../../../test-support/runWrappedMcpPenetrationSuite";
 
 runWrappedMcpPenetrationSuite(
   "QuickJS wrapped MCP penetration tests",

…s/core/__tests__/mcp/penetration.test.ts …tests__/security/mcp/penetration.test.tspackages/core/__tests__/mcp/penetration.test.ts renamed to packages/core/__tests__/security/mcp/penetration.test.ts packages/core/__tests__/mcp/penetration.test.ts renamed to packages/core/__tests__/security/mcp/penetration.test.ts

@@ -1,7 +1,7 @@
 const SOURCE_MODE_EXEC_ARGV = ["--conditions=source", "--import", "tsx"];
 
 /**
- * Returns the extra Node flags needed to launch transport-backed child entries
+ * Returns the extra Node flags needed to launch transport-backed worker entries
  * directly from source during local development and tests.
  */
 export function getNodeTransportExecArgv(

…e/__tests__/protocol/hostSession.test.ts …__/security/protocol/hostSession.test.tspackages/core/__tests__/protocol/hostSession.test.ts renamed to packages/core/__tests__/security/protocol/hostSession.test.ts packages/core/__tests__/protocol/hostSession.test.ts renamed to packages/core/__tests__/security/protocol/hostSession.test.ts

@@ -1,5 +1,5 @@
-import { QuickJsExecutor } from "../src/index";
-import { runWrappedMcpPenetrationSuite } from "../../core/test-support/runWrappedMcpPenetrationSuite";
+import { runWrappedMcpPenetrationSuite } from "../../../core/test-support/runWrappedMcpPenetrationSuite";
+import { QuickJsExecutor } from "../../src/index";
 
 runWrappedMcpPenetrationSuite(
   "QuickJsExecutor worker host wrapped MCP",

packages/core/src/protocol/nodeBootstrap.ts

@@ -2,7 +2,7 @@ import { describe, expect, it } from "vitest";
 
 import type { DispatcherMessage, RunnerMessage } from "@execbox/core/protocol";
 
-import { attachQuickJsProtocolEndpoint } from "../src/runner/protocolEndpoint";
+import { attachQuickJsProtocolEndpoint } from "../../src/runner/protocolEndpoint";
 
 const runtimeOptions = {
   maxLogChars: 64_000,