Create a unique top level scope that can be used for each module entr…

components/Scope.ts

@@ -7,6 +7,7 @@ import type { Resources } from '../resources/Resources.ts';
 import type { FileAndURLPathConfig } from './Component.ts';
 import { FilesOption } from './deriveGlobOptions.ts';
 import { requestRestart } from './requestRestart.ts';
+import { scopedImport } from '../security/jsLoader.ts';
 
 export class MissingDefaultFilesOptionError extends Error {
 	constructor() {
@@ -290,4 +291,17 @@ export class Scope extends EventEmitter {
 			await Promise.all(this.#pendingInitialLoads);
 		}
 	}
+
+	/**
+	 * The compartment that is used for this scope and any imports that it makes
+	 */
+	compartment: Promise<any>;
+	/**
+	 * Import a file into the scope's sandbox.
+	 * @param filePath - The path of the file to import.
+	 * @returns A promise that resolves with the imported module or value.
+	 */
+	async import(filePath: string): Promise<unknown> {
+		return scopedImport(filePath, this);
+	}
 }

components/componentLoader.ts

@@ -17,7 +17,7 @@
 import harperLogger from '../utility/logging/harper_logger.js';
 import * as dataLoader from '../resources/dataLoader.ts';
 import { watchDir, getWorkerIndex } from '../server/threads/manageThreads.js';
-import { secureImport } from '../security/jsLoader.ts';
+import { scopedImport } from '../security/jsLoader.ts';
 import { server } from '../server/Server.ts';
 import { Resources } from '../resources/Resources.ts';
 import { table } from '../resources/databases.ts';
@@ -74,7 +74,7 @@
 	});
 }
 
 export const TRUSTED_RESOURCE_PLUGINS = {
 	REST, // for backwards compatibility with older configs
 	rest: REST,
 	graphql: graphqlQueryHandler,
@@ -298,7 +298,7 @@
 					const plugin = TRUSTED_RESOURCE_PLUGINS[componentName];
 					extensionModule =
 						typeof plugin === 'string'
-							? await secureImport(plugin.startsWith('@/') ? join(PACKAGE_ROOT, plugin.slice(1)) : plugin)
+							? await scopedImport(plugin.startsWith('@/') ? join(PACKAGE_ROOT, plugin.slice(1)) : plugin)
 							: plugin;
 				}
 
@@ -434,9 +434,7 @@
 			});
 		}
 		if (config.extensionModule || config.pluginModule) {
-			const extensionModule = await secureImport(
-				join(componentDirectory, config.extensionModule || config.pluginModule)
-			);
+			const extensionModule = await import(join(componentDirectory, config.extensionModule || config.pluginModule));
 			loadedPaths.set(resolvedFolder, extensionModule);
 			return extensionModule;
 		}

package.json

@@ -84,7 +84,7 @@
 		"@aws-sdk/client-s3": "3.946.0",
 		"@aws-sdk/lib-storage": "3.946.0",
 		"@datadog/pprof": "^5.11.1",
-		"@endo/static-module-record": "^1.0.4",
+		"@endo/static-module-record": "^1.1.2",
 		"@fastify/autoload": "5.10.0",
 		"@fastify/compress": "~6.5.0",
 		"@fastify/cors": "~9.0.1",
@@ -149,7 +149,7 @@
 		"recursive-iterator": "3.3.0",
 		"semver": "7.7.3",
 		"send": "^1.2.0",
-		"ses": "1.13.0",
+		"ses": "^1.14.0",
 		"stream-chain": "2.2.5",
 		"stream-json": "1.9.1",
 		"systeminformation": "5.27.11",

resources/jsResource.ts

@@ -1,5 +1,4 @@
 import { Scope } from '../components/Scope.ts';
-import { secureImport } from '../security/jsLoader.ts';
 import { dirname } from 'path';
 
 function isResource(value: unknown) {
@@ -50,7 +49,7 @@ export async function handleApplication(scope: Scope) {
 		}
 
 		try {
-			const resourceModule = await secureImport(entryEvent.absolutePath);
+			const resourceModule = await scope.import(entryEvent.absolutePath, scope);
 			const root = dirname(entryEvent.urlPath).replace(/\\/g, '/').replace(/^\/$/, '');
 			if (isResource(resourceModule.default)) {
 				// register the resource