Harden LLRT runtime boundary#15
Merged
Merged
Conversation
Rationale: LLRT is the intended default executor, but the native wrapper still allowed dynamic imports of host capability modules and the request bridge exposed more header surface than necessary. This tightens the sandbox boundary before downstream adoption. Rejected: Publishing native packages directly from the local macOS workspace; the existing GitHub release workflow is the safer path because it builds each platform artifact on its matching runner. Risk: This disables LLRT module loading for call_json and hides response headers from sandbox code unless explicitly allowed. Callers that depended on arbitrary dynamic imports or implicit response headers must opt into a different executor/header allowlist. Tested: mise exec -- task ci; pnpm --filter @robinbraemer/llrt run create:native-packages && pnpm --filter @robinbraemer/llrt run verify:native-artifacts; cargo check --manifest-path packages/llrt/native/Cargo.toml; cargo fmt --manifest-path packages/llrt/native/Cargo.toml; focused LLRT/codemode vitest red-green runs.
Rationale: CI refreshes the pinned LLRT checkout before native target builds, which erased the local vm.rs hardening patch. Track the patch in the package and apply it idempotently after checkout so native release builds use the same hardened source. Risk: prepare:llrt-source now fails if the patch no longer applies to the pinned upstream revision, which is intentional because the native runtime hardening would otherwise silently disappear. Tested: git -C packages/llrt/vendor/llrt apply --reverse packages/llrt/patches/disable-default-module-loading.patch && pnpm --filter @robinbraemer/llrt run prepare:llrt-source && git -C packages/llrt/vendor/llrt diff --check && LLRT_TARGET=aarch64-apple-darwin pnpm --filter @robinbraemer/llrt run build:native:target; mise exec -- task ci.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Verification
Release handoff
After merge, publish a GitHub Release from the merged commit. The existing release workflows build the LLRT native artifacts on the matching platform runners and publish @robinbraemer/llrt@0.1.1, its optional native packages, and @robinbraemer/codemode@0.3.1. Do not publish the native packages from a local macOS workspace.
Downstream
Once npm has @robinbraemer/codemode@0.3.1 and @robinbraemer/llrt@0.1.1, update the CNAP PR dependency catalog/lockfile and rerun CNAP preflight.