chore: update progress for US-182

NathanFlurry · NathanFlurry · commit 3424d66b7807 · 2026-03-19T11:17:59.000-07:00
diff --git a/progress.txt b/progress.txt
@@ -3,6 +3,7 @@ Started: 2026-03-17
 PRD: ralph/kernel-hardening (46 stories)
 
 ## Codebase Patterns
+- Timing mitigation Date.now/performance.now use getter/setter (not writable:false) — setter is no-op for Node.js compat; configurable:false blocks re-definition
 - Claude binary at ~/.claude/local/claude — not on PATH by default; skip helpers must check this fallback location
 - Claude Code --output-format stream-json requires --verbose flag; uses ANTHROPIC_BASE_URL natively (no fetch interceptor)
 - Python WORKER_SOURCE is String.raw — use array.join("\n") for multiline Python code; f-strings with escaped quotes break
@@ -2284,3 +2285,19 @@ PRD: ralph/kernel-hardening (46 stories)
   - SandboxHmac must handle SandboxKeyObject as key (check key._pem) — jwa passes KeyObject directly to crypto.createHmac()
   - createSecretKey creates a KeyObject with type='secret' — needed for HS256/HS384/HS512 algorithm validation in jsonwebtoken
 ---
+
+## 2026-03-18 - US-182
+- What was implemented: Added bcryptjs project-matrix fixture; fixed Date.now timing mitigation to use getter/setter instead of writable:false
+- Files changed:
+  - packages/secure-exec/tests/projects/bcryptjs-pass/ — new fixture (fixture.json, package.json, src/index.js, pnpm-lock.yaml)
+  - packages/secure-exec-core/isolate-runtime/src/inject/apply-timing-mitigation-freeze.ts — changed Date.now freeze from writable:false to getter/setter (no-op setter) for Node.js compat
+  - packages/secure-exec-core/src/generated/isolate-runtime.ts — regenerated from build
+  - packages/secure-exec/tests/runtime-driver/node/index.test.ts — updated "Date.now cannot be overridden" test to expect assignThrew:false (setter is silently ignored)
+  - docs/nodejs-compatibility.mdx — added bcryptjs to Tested Packages table
+- **Learnings for future iterations:**
+  - bcryptjs does `Date.now = Date.now || function()...` which assigns to Date.now even when it already exists; writable:false causes TypeError in strict mode
+  - Fix: use getter/setter pattern (get returns frozen fn, set is no-op) instead of writable:false — silently ignores writes while keeping Date.now frozen
+  - Object.defineProperty with configurable:false still blocks re-definition, so security is maintained
+  - Must rebuild core (`pnpm turbo run build --filter=@secure-exec/core`) after changing isolate-runtime source files
+  - Generated isolate-runtime.ts must be committed alongside source changes
+---
diff --git a/scripts/ralph/prd.json b/scripts/ralph/prd.json
@@ -3140,7 +3140,7 @@
         "Tests pass (project-matrix)"
       ],
       "priority": 182,
-      "passes": false,
+      "passes": true,
       "notes": "bcryptjs is pure JS bcrypt. Tests computation-heavy pure JS workload."
     },
     {

Original file line number	Diff line number	Diff line change
`@@ -3140,7 +3140,7 @@`
`3140`	`3140`	`"Tests pass (project-matrix)"`
`3141`	`3141`	`],`
`3142`	`3142`	`"priority": 182,`
`3143`		`- "passes": false,`
	`3143`	`+ "passes": true,`
`3144`	`3144`	`"notes": "bcryptjs is pure JS bcrypt. Tests computation-heavy pure JS workload."`
`3145`	`3145`	`},`
`3146`	`3146`	`{`