feat: US-105 - Add assertPayloadByteLength to text file reads

Author: NathanFlurry

packages/secure-exec-node/src/bridge-setup.ts

@@ -267,7 +267,13 @@ export async function setupRequire(
 		// Create individual References for each fs operation
 		const readFileRef = new ivm.Reference(async (path: string) => {
 			checkBridgeBudget(deps);
-			return fs.readTextFile(path);
+			const text = await fs.readTextFile(path);
+			assertTextPayloadSize(
+				`fs.readFile ${path}`,
+				text,
+				fsJsonPayloadLimit,
+			);
+			return text;
 		});
 		const writeFileRef = new ivm.Reference(
 			async (path: string, content: string) => {

packages/secure-exec/tests/runtime-driver/node/payload-limits.test.ts

@@ -393,6 +393,44 @@ describe("NodeRuntime payload limits", () => {
 		expect(capture.stdout()).toBe("hello\n");
 	});
 
+	it("rejects oversized text file reads", async () => {
+		const fs = createInMemoryFileSystem();
+		const oversizedText = "x".repeat(DEFAULT_ISOLATE_JSON_PAYLOAD_BYTES + 1);
+		await fs.mkdir("/data");
+		await fs.writeFile("/data/too-large.txt", oversizedText);
+
+		proc = createTestNodeRuntime({ filesystem: fs, permissions: allowAllFs });
+		const result = await proc.exec(`
+      const fs = require('fs');
+      fs.readFileSync('/data/too-large.txt', 'utf8');
+    `);
+
+		expect(result.code).toBe(1);
+		expect(result.errorMessage).toContain(PAYLOAD_LIMIT_ERROR_CODE);
+		expect(result.errorMessage).toContain("fs.readFile");
+	});
+
+	it("allows normal-sized text file reads", async () => {
+		const fs = createInMemoryFileSystem();
+		await fs.mkdir("/data");
+		await fs.writeFile("/data/normal.txt", "hello world");
+
+		const capture = createConsoleCapture();
+		proc = createTestNodeRuntime({
+			filesystem: fs,
+			permissions: allowAllFs,
+			onStdio: capture.onStdio,
+		});
+		const result = await proc.exec(`
+      const fs = require('fs');
+      const content = fs.readFileSync('/data/normal.txt', 'utf8');
+      console.log(content);
+    `);
+
+		expect(result.code).toBe(0);
+		expect(capture.stdout()).toBe("hello world\n");
+	});
+
 	it("rejects out-of-range payload limit configuration", () => {
 		expect(
 			() => createTestNodeRuntime({ payloadLimits: { jsonPayloadBytes: 0 } }),

scripts/ralph/prd.json

@@ -2023,7 +2023,7 @@
         "Tests pass"
       ],
       "priority": 120,
-      "passes": false,
+      "passes": true,
       "notes": "Audit C3 — CRITICAL. execution-driver.ts:1030-1032. Binary read path (readFileBinaryRef) correctly calls assertPayloadByteLength, text read path does not. With ModuleAccessFileSystem projecting host node_modules, sandbox code can read arbitrarily large text files into host memory."
     },
     {

scripts/ralph/progress.txt

@@ -1527,3 +1527,15 @@ PRD: ralph/kernel-hardening (46 stories)
   - `deps.processConfig.env` is the init-time filtered env (already filtered by `filterEnv()` in execution-driver.ts) — safe to use as fallback
   - When `options.env` is undefined, `stripDangerousEnv(undefined)` returns undefined — the fallback must happen BEFORE the strip call
 ---
+
+## 2026-03-18 - US-105
+- What was implemented: Added assertTextPayloadSize guard to readFileRef (text file read bridge path), matching the existing guard in readFileBinaryRef
+- The text read path was missing payload size validation, allowing sandbox code to read arbitrarily large text files into host memory via readFileSync('path', 'utf8')
+- Files changed:
+  - packages/secure-exec-node/src/bridge-setup.ts — added assertTextPayloadSize call with fsJsonPayloadLimit before returning text
+  - packages/secure-exec/tests/runtime-driver/node/payload-limits.test.ts — added 2 tests: oversized text file read rejection and normal-sized text file read preservation
+- **Learnings for future iterations:**
+  - Text file reads use fsJsonPayloadLimit (4MB default) not base64Limit — text is passed directly, not base64-encoded
+  - assertTextPayloadSize is the convenience wrapper for text (handles UTF-8 byte length calculation)
+  - readFileRef returns string from readTextFile; readFileBinaryRef returns base64-encoded Buffer — different limits and guards needed
+---