execboxis a Node.js 22+ npm workspace that publishes the@execbox/*package family.- Core source lives under
packages/*/src, tests live underpackages/*/__tests__, runnable examples live underexamples/, and the public docs site lives underdocs/. - The workspace currently contains
@execbox/core,@execbox/quickjs,@execbox/remote, and@execbox/isolated-vm. - Keep changes aligned with existing package boundaries. Prefer changing the owning package instead of introducing cross-package shortcuts.
- Install dependencies:
npm ci - Lint:
npm run lint - Type-check:
npm run typecheck - Test default workspace lanes:
npm test - Build published packages:
npm run build - Validate published package metadata and type resolution:
npm run package:check - Build docs site:
npm run docs:build - Run security-focused suites:
npm run test:security - Run isolated-vm tests only when needed:
npm run test:isolated-vm - Run the full isolated-vm verification lane:
npm run verify:isolated-vm
- Do not edit generated
dist/output underpackages/*/dist; build artifacts are produced from source. - Preserve the existing ESM + TypeScript workspace structure and root script orchestration.
- When you change exported APIs in
packages/*/src, keep JSDoc in sync. Public functions, constants, types, and classes should always ship with JSDoc, and ESLint requires JSDoc coverage for exported package symbols. - Prefer inline type imports where possible; the ESLint config enforces
@typescript-eslint/consistent-type-imports. - Update examples or docs when you change public package behavior, developer workflow, or recommended runtime choices.
- For most code changes, run
npm run format:check,npm run lint,npm run typecheck,npm test, andnpm run build. - If you change package exports, manifest fields, or published type-resolution behavior, also run
npm run package:check. - If you change the public API of
@execbox/core,@execbox/core/mcp,@execbox/core/protocol,@execbox/quickjs,@execbox/quickjs/runner,@execbox/quickjs/runner/protocol-endpoint,@execbox/remote,@execbox/isolated-vm, or@execbox/isolated-vm/runner, also runnpm run api:check. - If you change docs site content, navigation, or VitePress config, also run
npm run docs:build. - If you touch execution boundaries, timeout handling, abort propagation, schema validation, or log/memory controls, also run
npm run test:security. - If you touch
@execbox/isolated-vmor codepaths guarded byVITEST_INCLUDE_ISOLATED_VM, runnpm run test:isolated-vmornpm run verify:isolated-vm.
- The provider and tool surface is the real capability boundary. Treat additions to provider exposure as security-relevant changes.
- Preserve JSON-only boundaries, schema validation, bounded logs, timeout handling, memory controls, and abort propagation semantics.
- Do not describe in-process runtimes as a hard security boundary for hostile or multi-tenant code. The current project security model is documented in
docs/security.md.
- Use Conventional Commits for git commit messages, for example
docs: add agent and contributor guidesorfix(worker): handle timeout classification. - Published package releases are managed with Changesets and GitHub Actions.
- Add a
.changeset/*.mdentry when a change affects published package behavior, public APIs, or release notes for one or more@execbox/*packages. - If you intentionally change a checked-in API report for
@execbox/core,@execbox/core/mcp,@execbox/core/protocol,@execbox/quickjs,@execbox/quickjs/runner,@execbox/quickjs/runner/protocol-endpoint,@execbox/remote,@execbox/isolated-vm, or@execbox/isolated-vm/runner, update it withnpm run api:updatein the same change as the code and changeset. - Skip a changeset for docs-only, examples-only, CI-only, or internal maintenance changes that do not affect published package behavior.
- Start with
README.mdfor the package map. - Use
docs/getting-started.mdfor install and example expectations. - Use
docs/security.mdanddocs/architecture/README.mdbefore changing execution boundaries or runtime claims. - For the human-oriented contribution workflow, see
CONTRIBUTING.md.