feat: US-004 - Implement crypto.subtle WebCrypto bridge (basic operations)

Author: NathanFlurry

.agent/contracts/node-bridge.md

@@ -94,6 +94,19 @@ Bridge-provided randomness for global `crypto` APIs MUST delegate to host `node:
 - **WHEN** host `node:crypto` randomness primitives are unavailable or fail
 - **THEN** the bridge MUST throw a deterministic error matching the unsupported API format (`"<module>.<api> is not supported in sandbox"`) for the invoked randomness API and MUST NOT fall back to non-cryptographic randomness
 
+### Requirement: Global WebCrypto Surface Matches The `crypto.webcrypto` Bridge
+The bridge SHALL expose a single WebCrypto surface so global `crypto` APIs and `require('crypto').webcrypto` share the same object graph and constructor semantics.
+
+#### Scenario: Sandboxed code compares global and module WebCrypto objects
+- **WHEN** sandboxed code reads both `globalThis.crypto` and `require('crypto').webcrypto`
+- **THEN** those references MUST point at the same WebCrypto object
+- **AND** `crypto.subtle` MUST expose the same `SubtleCrypto` instance through both paths
+
+#### Scenario: WebCrypto constructors stay non-user-constructible
+- **WHEN** sandboxed code calls `new Crypto()`, `new SubtleCrypto()`, or `new CryptoKey()`
+- **THEN** the bridge MUST throw a Node-compatible illegal-constructor `TypeError`
+- **AND** prototype method receiver validation MUST reject detached calls with `ERR_INVALID_THIS`
+
 ### Requirement: Diffie-Hellman And ECDH Bridge Uses Host Node Crypto Objects
 Bridge-provided `crypto` Diffie-Hellman and ECDH APIs SHALL delegate to host `node:crypto` objects so constructor validation, session state, encodings, and shared-secret derivation match Node.js semantics.
 

docs/nodejs-conformance-report.mdx

@@ -12,18 +12,18 @@ description: Node.js v22 test/parallel/ conformance results for the secure-exec
 | Node.js version | 22.14.0 |
 | Source | v22.14.0 (test/parallel/) |
 | Total tests | 3532 |
-| Passing (genuine) | 738 (20.9%) |
+| Passing (genuine) | 741 (21.0%) |
 | Passing (vacuous self-skip) | 34 |
-| Passing (total) | 772 (21.9%) |
-| Expected fail | 2689 |
+| Passing (total) | 775 (21.9%) |
+| Expected fail | 2686 |
 | Skip | 71 |
 | Last updated | 2026-03-25 |
 
 ## Failure Categories
 
 | Category | Tests |
 | --- | --- |
-| implementation-gap | 1388 |
+| implementation-gap | 1385 |
 | unsupported-module | 737 |
 | requires-v8-flags | 239 |
 | requires-exec-path | 200 |
@@ -116,7 +116,7 @@ description: Node.js v22 test/parallel/ conformance results for the secure-exec
 | freeze | 1 | 0 | 1 | 0 | 0.0% |
 | fs | 232 | 69 (8 vacuous) | 129 | 34 | 34.8% |
 | gc | 3 | 0 | 3 | 0 | 0.0% |
-| global | 11 | 2 | 9 | 0 | 18.2% |
+| global | 11 | 3 | 8 | 0 | 27.3% |
 | h2 | 1 | 0 | 1 | 0 | 0.0% |
 | h2leak | 1 | 0 | 1 | 0 | 0.0% |
 | handle | 2 | 1 | 1 | 0 | 50.0% |
@@ -234,7 +234,7 @@ description: Node.js v22 test/parallel/ conformance results for the secure-exec
 | vm | 79 | 11 | 67 | 1 | 14.1% |
 | warn | 2 | 0 | 2 | 0 | 0.0% |
 | weakref | 1 | 1 | 0 | 0 | 100.0% |
-| webcrypto | 28 | 15 | 13 | 0 | 53.6% |
+| webcrypto | 28 | 17 | 11 | 0 | 60.7% |
 | websocket | 2 | 1 | 1 | 0 | 50.0% |
 | webstorage | 1 | 0 | 1 | 0 | 0.0% |
 | webstream | 4 | 0 | 4 | 0 | 0.0% |
@@ -245,11 +245,11 @@ description: Node.js v22 test/parallel/ conformance results for the secure-exec
 | wrap | 4 | 0 | 4 | 0 | 0.0% |
 | x509 | 1 | 0 | 1 | 0 | 0.0% |
 | zlib | 53 | 17 | 33 | 3 | 34.0% |
-| **Total** | **3532** | **772** | **2689** | **71** | **22.3%** |
+| **Total** | **3532** | **775** | **2686** | **71** | **22.4%** |
 
 ## Expectations Detail
 
-### implementation-gap (707 entries)
+### implementation-gap (704 entries)
 
 **Glob patterns:**
 
@@ -260,7 +260,7 @@ description: Node.js v22 test/parallel/ conformance results for the secure-exec
 - `test-https-*.js` — https depends on tls — most tests fail on missing TLS fixture files or crypto API gaps
 - `test-http2-*.js` — http2 module bridged via kernel — most tests fail on API gaps, missing fixtures, or protocol handling
 
-*701 individual tests — see expectations.json for full list.*
+*698 individual tests — see expectations.json for full list.*
 
 ### unsupported-module (190 entries)
 

packages/core/isolate-runtime/src/inject/require-setup.ts

@@ -1859,8 +1859,17 @@
               });
             };
 
-            result.subtle = SandboxSubtle;
-            result.webcrypto = { subtle: SandboxSubtle, getRandomValues: result.randomFillSync };
+            if (
+              globalThis.crypto &&
+              globalThis.crypto.subtle &&
+              typeof globalThis.crypto.subtle.importKey === 'function'
+            ) {
+              result.subtle = globalThis.crypto.subtle;
+              result.webcrypto = globalThis.crypto;
+            } else {
+              result.subtle = SandboxSubtle;
+              result.webcrypto = { subtle: SandboxSubtle, getRandomValues: result.randomFillSync };
+            }
           }
 
           // Enumeration functions: getCurves, getCiphers, getHashes.