feat: replace fs and fetch permissions to vsys

[LemonHX]

No description provided.

[Copilot]

Pull request overview

This PR introduces a comprehensive virtual system layer (vsys) to abstract filesystem, network, and module loading operations. The changes enable sandboxed execution and custom implementations for system-level operations.

Key Changes:

• New vsys crate with pluggable vtables for fs, network, and module loading
• Refactored modules crate to use vsys instead of direct system calls
• Simplified permission checking through vsys context
• Complete rewrite of filesystem module implementation

Reviewed changes

Copilot reviewed 29 out of 29 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
vsys/Cargo.toml	New crate dependencies for virtual system layer
vsys/src/lib.rs	Core Vsys struct with builder pattern
vsys/src/error.rs	Error types for vsys operations
vsys/src/permissions.rs	Permission checking with black/whitelist support
vsys/src/fs.rs	Filesystem vtable with default implementations
vsys/src/module_loader.rs	Module resolution and loading vtable
modules/src/permissions.rs	Wrapper for vsys in JS context
modules/src/lib.rs	Updated initialization to use vsys
modules/src/fs.rs	Complete rewrite using vsys
modules/src/fetch/security.rs	Simplified network permission checks
repl/src/lib.rs	Updated to use new vsys API
Cargo.toml	Added vsys workspace member
README.md	Added extensive vsys documentation
TODO.md	Added vsys task tracking

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Unsafe libc calls without proper error checking. The unsafe blocks calling getuid(), getgid(), and chown() should validate the results more carefully. Consider wrapping these in safer abstractions or at least documenting the safety assumptions.

Suggested change

	use std::os::unix::ffi::OsStrExt;
	let c_path = std::ffi::CString::new(path.as_os_str().as_bytes())
	.map_err(|_| VsysError::Custom("invalid path".into()))?;
	let result = unsafe { libc::chown(c_path.as_ptr(), uid, gid) };
	if result == 0 {
	Ok(())
	} else {
	Err(std::io::Error::last_os_error().into())
	}
	use nix::unistd::{chown as nix_chown, Gid, Uid};
	let owner = Some(Uid::from_raw(uid));
	let group = Some(Gid::from_raw(gid));
	nix_chown(path, owner, group)
	.map_err(|e| VsysError::Custom(e.to_string().into()))?;
	Ok(())

[Copilot]

The with_extension method call on line 321 is incorrect. The comment says "Remove leading dot" but the implementation uses with_extension which replaces the entire extension. This will fail for files like "file.tar.gz" where only ".gz" should be replaced. Use set_extension on a PathBuf or manually append the extension string instead.

Suggested change

	let with_ext = path.with_extension(&ext[1..]); // Remove leading dot
	let mut with_ext = path.to_path_buf();
	// Remove leading dot from extension (e.g. ".js" -> "js") before setting it
	with_ext.set_extension(&ext[1..]);

[Copilot]

Missing the complete Stats API. The new Stats class only exposes size, mode, uid, gid, and time fields, but is missing many fields from the old implementation: dev, ino, nlink, rdev, blksize, blocks, and various helper methods like isFIFO, isBlockDevice, isCharacterDevice, isSocket. This is a breaking API change.

Suggested change

	}
	}
	// The following properties and methods are provided to match the
	// Node.js fs.Stats API surface. Since the underlying virtual
	// filesystem may not expose these low-level details, we return
	// neutral default values (0 / false) to preserve compatibility
	// without changing existing behavior.
	/// Device ID of device containing file (Node.js: stats.dev).
	#[qjs(get)]
	pub fn dev(&self) -> i64 {
	0
	}
	/// File serial number / inode number (Node.js: stats.ino).
	#[qjs(get)]
	pub fn ino(&self) -> i64 {
	0
	}
	/// Number of hard links (Node.js: stats.nlink).
	#[qjs(get)]
	pub fn nlink(&self) -> i64 {
	0
	}
	/// Device ID (if special file) (Node.js: stats.rdev).
	#[qjs(get)]
	pub fn rdev(&self) -> i64 {
	0
	}
	/// Blocksize for filesystem I/O (Node.js: stats.blksize).
	#[qjs(get)]
	pub fn blksize(&self) -> i64 {
	0
	}
	/// Number of 512B blocks allocated (Node.js: stats.blocks).
	#[qjs(get)]
	pub fn blocks(&self) -> i64 {
	0
	}
	/// Test whether the file is a FIFO (Node.js: stats.isFIFO()).
	#[qjs(rename = "isFIFO")]
	pub fn is_fifo(&self) -> bool {
	false
	}
	/// Test whether the file is a block device (Node.js: stats.isBlockDevice()).
	#[qjs(rename = "isBlockDevice")]
	pub fn is_block_device(&self) -> bool {
	false
	}
	/// Test whether the file is a character device (Node.js: stats.isCharacterDevice()).
	#[qjs(rename = "isCharacterDevice")]
	pub fn is_character_device(&self) -> bool {
	false
	}
	/// Test whether the file is a socket (Node.js: stats.isSocket()).
	#[qjs(rename = "isSocket")]
	pub fn is_socket(&self) -> bool {
	false
	}

[Copilot]

The fetch security check now uses a simplified permission model that may not match URLs correctly. The old implementation attempted to parse URIs from the whitelist/blacklist items and match them properly. The new implementation only checks the host string, which may not handle URL patterns with ports, paths, or query parameters correctly.

[Copilot]

Custom error without proper message handling. If CString::new fails, it returns a generic "Unknown error" message which loses the original error information. Consider preserving the original error message even if it contains null bytes by replacing them with a placeholder character.

[Copilot]

The path canonicalization fails silently and returns false instead of propagating the specific error. This makes it difficult to distinguish between "path doesn't exist" and "permission denied" errors. Consider returning a Result or at least logging the error.

Suggested change

	Err(_) => return false,
	Err(e) => {
	eprintln!("Failed to canonicalize path {:?}: {}", path, e);
	return false;
	}

[Copilot]

Missing test coverage for the new filesystem implementation. The old fs module had extensive tests for file operations (read_file, write_file, mkdir, etc.), but the new implementation in modules/src/fs.rs doesn't include any tests. Consider adding tests similar to the ones in vsys/src/fs.rs to ensure the JS bindings work correctly.

[Copilot]

The FileHandle implementation is significantly simplified compared to the old version. It's missing key functionality like: seek operations, readFile/writeFile methods, truncate, sync operations, chmod, chown, and proper position-based read/write. This is a breaking change that removes important file handle APIs.

Suggested change

	}
	}
	/// Seek operation similar to Node.js FileHandle.prototype.seek.
	/// Currently not implemented for this FileHandle; always returns an error.
	pub async fn seek<'js>(&mut self, ctx: Ctx<'js>, _offset: i64, _whence: i32) -> Result<i64> {
	Err(Exception::throw_message(
	&ctx,
	"seek is not implemented for this FileHandle",
	))
	}
	/// Truncate operation similar to Node.js FileHandle.prototype.truncate.
	/// Currently not implemented for this FileHandle; always returns an error.
	pub async fn truncate<'js>(&mut self, ctx: Ctx<'js>, _len: Opt<i64>) -> Result<()> {
	Err(Exception::throw_message(
	&ctx,
	"truncate is not implemented for this FileHandle",
	))
	}
	/// Sync operation similar to Node.js FileHandle.prototype.sync.
	/// Currently not implemented for this FileHandle; always returns an error.
	pub async fn sync<'js>(&mut self, ctx: Ctx<'js>) -> Result<()> {
	Err(Exception::throw_message(
	&ctx,
	"sync is not implemented for this FileHandle",
	))
	}
	/// Data-only sync operation similar to Node.js FileHandle.prototype.datasync.
	/// Currently not implemented for this FileHandle; always returns an error.
	pub async fn datasync<'js>(&mut self, ctx: Ctx<'js>) -> Result<()> {
	Err(Exception::throw_message(
	&ctx,
	"datasync is not implemented for this FileHandle",
	))
	}
	/// Change file mode similar to Node.js FileHandle.prototype.chmod.
	/// Currently not implemented for this FileHandle; always returns an error.
	pub async fn chmod<'js>(&mut self, ctx: Ctx<'js>, _mode: u32) -> Result<()> {
	Err(Exception::throw_message(
	&ctx,
	"chmod is not implemented for this FileHandle",
	))
	}
	/// Change file ownership similar to Node.js FileHandle.prototype.chown.
	/// Currently not implemented for this FileHandle; always returns an error.
	pub async fn chown<'js>(&mut self, ctx: Ctx<'js>, _uid: u32, _gid: u32) -> Result<()> {
	Err(Exception::throw_message(
	&ctx,
	"chown is not implemented for this FileHandle",
	))
	}
	/// Read the entire file contents using this handle, similar to FileHandle.prototype.readFile.
	/// Currently not implemented for this FileHandle; always returns an error.
	pub async fn read_file<'js>(
	&mut self,
	ctx: Ctx<'js>,
	_options: Opt<ReadFileOptions>,
	) -> Result<Value<'js>> {
	Err(Exception::throw_message(
	&ctx,
	"readFile is not implemented for this FileHandle",
	))
	}
	/// Write data to the file using this handle, similar to FileHandle.prototype.writeFile.
	/// Currently not implemented for this FileHandle; always returns an error.
	pub async fn write_file<'js>(
	&mut self,
	ctx: Ctx<'js>,
	_data: Value<'js>,
	_options: Opt<ReadFileOptions>,
	) -> Result<()> {
	Err(Exception::throw_message(
	&ctx,
	"writeFile is not implemented for this FileHandle",
	))
	}
	/// Position-based read operation to support APIs that specify a file position.
	/// Currently not implemented for this FileHandle; always returns an error.
	pub async fn read_with_position<'js>(
	&mut self,
	ctx: Ctx<'js>,
	_position: i64,
	_length: Opt<usize>,
	) -> Result<Value<'js>> {
	Err(Exception::throw_message(
	&ctx,
	"position-based read is not implemented for this FileHandle",
	))
	}
	/// Position-based write operation to support APIs that specify a file position.
	/// Currently not implemented for this FileHandle; always returns an error.
	pub async fn write_with_position<'js>(
	&mut self,
	ctx: Ctx<'js>,
	_data: Value<'js>,
	_position: i64,
	) -> Result<usize> {
	Err(Exception::throw_message(
	&ctx,
	"position-based write is not implemented for this FileHandle",
	))
	}

[Copilot]

The ctime method returns the creation time but is named ctime. In Unix systems, ctime typically refers to "change time" (metadata change), not creation time. This could cause confusion. Consider renaming this to created or birthtime, or ensuring it actually returns the correct time type.

Suggested change

	pub fn ctime(&self) -> Option<f64> {
	self.inner.created.map(|t| {
	t.duration_since(std::time::UNIX_EPOCH)
	.map(|d| d.as_secs_f64() * 1000.0)
	.unwrap_or(0.0)
	})
	}
	#[qjs(get)]
	pub fn birthtime(&self) -> Option<f64> {
	self.ctime()
	}
	pub fn birthtime(&self) -> Option<f64> {
	self.inner.created.map(|t| {
	t.duration_since(std::time::UNIX_EPOCH)
	.map(|d| d.as_secs_f64() * 1000.0)
	.unwrap_or(0.0)
	})
	}