Skip to content

docs: model js-exec surface in threat model, align WASM policy docs; ci: coverage report#295

Closed
MauricioPerera wants to merge 2 commits into
vercel-labs:mainfrom
MauricioPerera:quick-wins
Closed

docs: model js-exec surface in threat model, align WASM policy docs; ci: coverage report#295
MauricioPerera wants to merge 2 commits into
vercel-labs:mainfrom
MauricioPerera:quick-wins

Conversation

@MauricioPerera

Copy link
Copy Markdown

Summary

Documentation and CI improvements surfaced by an external review of the repo:

  • THREAT_MODEL.md
    • Add §4.11 JavaScript Execution Surface (When Enabled), modeling the opt-in js-exec/QuickJS surface analogously to Python's §4.7: how it is enabled (javascript: true or invokeTool), the SharedArrayBuffer host bridge (VFS, sandbox-re-entrant exec, gated fetch, invokeTool), the virtual child_process shim, what the isolation rests on (QuickJS WASM + worker + WorkerDefenseInDepth + 64MB cap + timeout), and the residual risk (MEDIUM).
    • Qualify the §3.5 child_process row: the literal "no code path" claim now notes the virtual shim that exists inside QuickJS when javascript is enabled (re-enters the sandbox, not the host OS), pointing to §4.11.
    • Make the architectural invariant behind §4.2/§4.3 explicit — no bash→host-JS code path — including that it is guarded by the check-banned-patterns linter and that those residuals would become critical if it ever broke.
  • CLAUDE.md: align the WASM policy with reality — "no new WASM dependencies without approval", with sql.js, quickjs-emscripten, and the vendored CPython WASM listed as the approved exceptions (previously it said "No WASM dependencies allowed" while two additional WASM runtimes ship in the repo).
  • README (packages/just-bash): document that node is an alias of the js-exec runtime (not a real Node.js), and list tar, yq, xan (plus js-exec/node) among the commands unavailable in browser builds, matching the __BROWSER__ gate in registry.ts.
  • CI: add coverage.yml, a non-gating workflow that runs the existing (currently unused in CI) test:coverage script and uploads the report as an artifact (if: always(), no thresholds). Setup mirrors unit-tests.yml (LFS, pnpm, Node 20).

All doc statements were verified against the code before writing. No production code is touched.

Notes for reviewers

  • The coverage workflow was validated structurally (YAML parse + action versions matching unit-tests.yml); it hasn't been executed in a CI run from this fork.
  • Happy to split this into separate PRs (threat model / docs / CI) if preferred.

🤖 Generated with Claude Code

@vercel

vercel Bot commented Jul 10, 2026

Copy link
Copy Markdown

@MauricioPerera is attempting to deploy a commit to the Vercel Labs Team on Vercel.

A member of the Team first needs to authorize it.

@socket-security

socket-security Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedgithub/​actions/​upload-artifact@​ea165f8d65b6e75b540449e92b4886f43607fa028610010010080

View full report

- THREAT_MODEL.md: model the opt-in js-exec/QuickJS surface (new 4.11), qualify the child_process claim in 3.5 (virtual shim), and state the no-bash-to-host-JS architectural invariant guarding 4.2/4.3
- CLAUDE.md: align WASM policy with reality (sql.js, quickjs-emscripten, vendored CPython as approved exceptions)
- README: document node as a js-exec alias; list tar/yq/xan (and js-exec/node) as unavailable in browser builds
- CI: add coverage.yml (non-gating coverage report artifact)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
test:coverage uses the default vitest config, which pulls in the python3
WASM tests without the wasm pool setup and fails
(python3.worker-protocol-abuse.test.ts expects BRIDGE_STDOUT). The
existing test:coverage:unit script runs coverage over vitest.unit.config.ts,
matching what CI already validates in unit-tests.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@MauricioPerera

Copy link
Copy Markdown
Author

FYI for reviewers: since Actions runs here are awaiting first-contributor approval, I ran the full suite against this exact branch on my fork — all 8 checks green (lint, typecheck, unit tests on Node 20/22/24, comparison, WASM, and the new coverage workflow): MauricioPerera#1

One fix landed during that validation: the coverage workflow originally called test:coverage (default vitest config, which pulls the python3 WASM tests in without the wasm pool setup and fails); it now calls the existing test:coverage:unit (fe7ef7d).

MauricioPerera added a commit to MauricioPerera/just-bash that referenced this pull request Jul 10, 2026
@cramforce

Copy link
Copy Markdown
Contributor

Thanks. I'm not interested in new workflows as they increase surface. The docs changes look fine but not mandatory

@cramforce cramforce closed this Jul 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants