vfs: add process vfs-mount and vfs-unmount events

Add security monitoring events that are emitted when a VFS is mounted
or unmounted. Applications can listen to these events to detect
unauthorized VFS usage or enforce security policies.

Events include:
- mountPoint: The path where the VFS is mounted
- overlay: Whether overlay mode is enabled
- readonly: Whether the VFS is read-only

Author: mcollina

doc/api/vfs.md

@@ -914,6 +914,32 @@ This is particularly dangerous because:
 * Only specific targeted files are affected
 * Other operations appear to work normally
 
+### Monitoring VFS mounts
+
+To help detect unauthorized VFS usage, the `process` object emits events when
+a VFS is mounted or unmounted:
+
+```cjs
+process.on('vfs-mount', (info) => {
+  console.log(`VFS mounted at ${info.mountPoint}`);
+  console.log(`  overlay: ${info.overlay}`);
+  console.log(`  readonly: ${info.readonly}`);
+});
+
+process.on('vfs-unmount', (info) => {
+  console.log(`VFS unmounted from ${info.mountPoint}`);
+});
+```
+
+The event object contains:
+
+* `mountPoint` {string} The path where the VFS is mounted.
+* `overlay` {boolean} Whether overlay mode is enabled.
+* `readonly` {boolean} Whether the VFS is read-only.
+
+Applications can use these events to log VFS activity, alert on suspicious
+mounts (such as mounting over system paths), or enforce security policies.
+
 ### Recommendations
 
 * **Audit dependencies**: Be cautious of third-party modules that use VFS, as

lib/internal/vfs/file_system.js

@@ -233,13 +233,30 @@ class VirtualFileSystem {
     if (this[kVirtualCwdEnabled]) {
       this._hookProcessCwd();
     }
+
+    // Emit mount event for security monitoring
+    process.emit('vfs-mount', {
+      mountPoint: this[kMountPoint],
+      overlay: this[kOverlay],
+      readonly: this[kProvider].readonly,
+    });
+
     return this;
   }
 
   /**
    * Unmounts the VFS.
    */
   unmount() {
+    // Emit unmount event before clearing state (only if currently mounted)
+    if (this[kMounted]) {
+      process.emit('vfs-unmount', {
+        mountPoint: this[kMountPoint],
+        overlay: this[kOverlay],
+        readonly: this[kProvider].readonly,
+      });
+    }
+
     this._unhookProcessCwd();
     if (this[kModuleHooks]) {
       loadModuleHooks();

test/parallel/test-vfs-mount-events.js

@@ -0,0 +1,141 @@
+'use strict';
+
+const common = require('../common');
+const assert = require('assert');
+const vfs = require('node:vfs');
+
+// Test vfs-mount event
+{
+  const mountEvents = [];
+  const mountListener = common.mustCall((info) => {
+    mountEvents.push(info);
+  });
+
+  process.on('vfs-mount', mountListener);
+
+  const myVfs = vfs.create();
+  myVfs.writeFileSync('/test.txt', 'hello');
+  myVfs.mount('/virtual');
+
+  assert.strictEqual(mountEvents.length, 1);
+  assert.strictEqual(mountEvents[0].mountPoint, '/virtual');
+  assert.strictEqual(mountEvents[0].overlay, false);
+  assert.strictEqual(mountEvents[0].readonly, false);
+
+  myVfs.unmount();
+  process.removeListener('vfs-mount', mountListener);
+}
+
+// Test vfs-unmount event
+{
+  const unmountEvents = [];
+  const unmountListener = common.mustCall((info) => {
+    unmountEvents.push(info);
+  });
+
+  process.on('vfs-unmount', unmountListener);
+
+  const myVfs = vfs.create();
+  myVfs.writeFileSync('/test.txt', 'hello');
+  myVfs.mount('/virtual');
+  myVfs.unmount();
+
+  assert.strictEqual(unmountEvents.length, 1);
+  assert.strictEqual(unmountEvents[0].mountPoint, '/virtual');
+  assert.strictEqual(unmountEvents[0].overlay, false);
+  assert.strictEqual(unmountEvents[0].readonly, false);
+
+  process.removeListener('vfs-unmount', unmountListener);
+}
+
+// Test events with overlay mode
+{
+  const mountEvents = [];
+  const unmountEvents = [];
+
+  const mountListener = common.mustCall((info) => {
+    mountEvents.push(info);
+  });
+  const unmountListener = common.mustCall((info) => {
+    unmountEvents.push(info);
+  });
+
+  process.on('vfs-mount', mountListener);
+  process.on('vfs-unmount', unmountListener);
+
+  const myVfs = vfs.create({ overlay: true });
+  myVfs.writeFileSync('/test.txt', 'hello');
+  myVfs.mount('/');
+
+  assert.strictEqual(mountEvents.length, 1);
+  assert.strictEqual(mountEvents[0].mountPoint, '/');
+  assert.strictEqual(mountEvents[0].overlay, true);
+
+  myVfs.unmount();
+
+  assert.strictEqual(unmountEvents.length, 1);
+  assert.strictEqual(unmountEvents[0].overlay, true);
+
+  process.removeListener('vfs-mount', mountListener);
+  process.removeListener('vfs-unmount', unmountListener);
+}
+
+// Test events with readonly mode
+{
+  const mountEvents = [];
+
+  const mountListener = common.mustCall((info) => {
+    mountEvents.push(info);
+  });
+
+  process.on('vfs-mount', mountListener);
+
+  const myVfs = vfs.create();
+  myVfs.writeFileSync('/test.txt', 'hello');
+  myVfs.provider.setReadOnly();
+  myVfs.mount('/virtual');
+
+  assert.strictEqual(mountEvents.length, 1);
+  assert.strictEqual(mountEvents[0].readonly, true);
+
+  myVfs.unmount();
+  process.removeListener('vfs-mount', mountListener);
+}
+
+// Test that unmount on non-mounted VFS does not emit event
+{
+  const unmountEvents = [];
+  const unmountListener = (info) => {
+    unmountEvents.push(info);
+  };
+
+  process.on('vfs-unmount', unmountListener);
+
+  const myVfs = vfs.create();
+  myVfs.unmount(); // Unmount without mounting first
+
+  assert.strictEqual(unmountEvents.length, 0);
+
+  process.removeListener('vfs-unmount', unmountListener);
+}
+
+// Test using declaration triggers unmount event
+{
+  const unmountEvents = [];
+  const unmountListener = common.mustCall((info) => {
+    unmountEvents.push(info);
+  });
+
+  process.on('vfs-unmount', unmountListener);
+
+  {
+    using myVfs = vfs.create();
+    myVfs.writeFileSync('/test.txt', 'hello');
+    myVfs.mount('/virtual');
+  } // VFS is automatically unmounted here via Symbol.dispose
+
+  assert.strictEqual(unmountEvents.length, 1);
+  assert.strictEqual(unmountEvents[0].mountPoint, '/virtual');
+
+  process.removeListener('vfs-unmount', unmountListener);
+}