feat: US-181 - Add jsonwebtoken project-matrix fixture

Author: NathanFlurry

docs/nodejs-compatibility.mdx

@@ -78,6 +78,7 @@ The [project-matrix test suite](https://github.com/rivet-dev/secure-exec/tree/ma
 | [pg](https://npmjs.com/package/pg) | Database | PostgreSQL client, Pool/Client classes, type parsers |
 | [drizzle-orm](https://npmjs.com/package/drizzle-orm) | Database | ORM schema definition, query building, ESM module graph |
 | [ws](https://npmjs.com/package/ws) | Networking | WebSocket client/server, HTTP upgrade, events |
+| [jsonwebtoken](https://npmjs.com/package/jsonwebtoken) | Crypto | JWT signing (HS256), verification, decode |
 | [zod](https://npmjs.com/package/zod) | Validation | Schema definition, parsing, safe parse, transforms |
 | [rivetkit](https://npmjs.com/package/rivetkit) | SDK | Local vendor package resolution |
 | crypto (builtin) | Crypto | `crypto.randomBytes`, `randomUUID`, `getRandomValues` |

packages/secure-exec-core/isolate-runtime/src/inject/require-setup.ts

@@ -341,6 +341,9 @@
               this._algorithm = algorithm;
               if (typeof key === 'string') {
                 this._key = Buffer.from(key, 'utf8');
+              } else if (key && typeof key === 'object' && key._pem !== undefined) {
+                // SandboxKeyObject — extract underlying key material
+                this._key = Buffer.from(key._pem, 'utf8');
               } else {
                 this._key = Buffer.from(key);
               }
@@ -769,20 +772,37 @@
 
             result.createPublicKey = function createPublicKey(key) {
               if (typeof key === 'string') {
+                if (key.indexOf('-----BEGIN') === -1) {
+                  throw new TypeError('error:0900006e:PEM routines:OPENSSL_internal:NO_START_LINE');
+                }
                 return new SandboxKeyObject('public', key);
               }
               if (key && typeof key === 'object' && key._pem) {
                 return new SandboxKeyObject('public', key._pem);
               }
+              if (key && typeof key === 'object' && key.type === 'private') {
+                // Node.js createPublicKey accepts private KeyObjects and extracts public key
+                return new SandboxKeyObject('public', key._pem);
+              }
               if (key && typeof key === 'object' && key.key) {
                 var keyData = typeof key.key === 'string' ? key.key : key.key.toString('utf8');
                 return new SandboxKeyObject('public', keyData);
               }
+              if (Buffer.isBuffer(key)) {
+                var keyStr = key.toString('utf8');
+                if (keyStr.indexOf('-----BEGIN') === -1) {
+                  throw new TypeError('error:0900006e:PEM routines:OPENSSL_internal:NO_START_LINE');
+                }
+                return new SandboxKeyObject('public', keyStr);
+              }
               return new SandboxKeyObject('public', String(key));
             };
 
             result.createPrivateKey = function createPrivateKey(key) {
               if (typeof key === 'string') {
+                if (key.indexOf('-----BEGIN') === -1) {
+                  throw new TypeError('error:0900006e:PEM routines:OPENSSL_internal:NO_START_LINE');
+                }
                 return new SandboxKeyObject('private', key);
               }
               if (key && typeof key === 'object' && key._pem) {
@@ -792,9 +812,26 @@
                 var keyData = typeof key.key === 'string' ? key.key : key.key.toString('utf8');
                 return new SandboxKeyObject('private', keyData);
               }
+              if (Buffer.isBuffer(key)) {
+                var keyStr = key.toString('utf8');
+                if (keyStr.indexOf('-----BEGIN') === -1) {
+                  throw new TypeError('error:0900006e:PEM routines:OPENSSL_internal:NO_START_LINE');
+                }
+                return new SandboxKeyObject('private', keyStr);
+              }
               return new SandboxKeyObject('private', String(key));
             };
 
+            result.createSecretKey = function createSecretKey(key) {
+              if (typeof key === 'string') {
+                return new SandboxKeyObject('secret', key);
+              }
+              if (Buffer.isBuffer(key) || (key instanceof Uint8Array)) {
+                return new SandboxKeyObject('secret', Buffer.from(key).toString('utf8'));
+              }
+              return new SandboxKeyObject('secret', String(key));
+            };
+
             result.KeyObject = SandboxKeyObject;
           }
 

packages/secure-exec-core/src/generated/isolate-runtime.ts

@@ -0,0 +1,4 @@
+{
+	"entry": "src/index.js",
+	"expectation": "pass"
+}

packages/secure-exec/tests/projects/jsonwebtoken-pass/fixture.json

@@ -0,0 +1,8 @@
+{
+	"name": "project-matrix-jsonwebtoken-pass",
+	"private": true,
+	"type": "commonjs",
+	"dependencies": {
+		"jsonwebtoken": "9.0.2"
+	}
+}

packages/secure-exec/tests/projects/jsonwebtoken-pass/package.json

@@ -0,0 +1,32 @@
+"use strict";
+
+const jwt = require("jsonwebtoken");
+
+const secret = "test-secret-key-for-fixture";
+
+// Sign a JWT with HS256 (default algorithm)
+const payload = { sub: "user-123", name: "Alice", admin: true };
+const token = jwt.sign(payload, secret, { algorithm: "HS256", noTimestamp: true });
+
+// Verify the token
+const decoded = jwt.verify(token, secret);
+
+// Decode without verification
+const unverified = jwt.decode(token, { complete: true });
+
+// Verify with wrong secret fails
+let verifyError = null;
+try {
+	jwt.verify(token, "wrong-secret");
+} catch (err) {
+	verifyError = { name: err.name, message: err.message };
+}
+
+const result = {
+	token,
+	decoded: { sub: decoded.sub, name: decoded.name, admin: decoded.admin },
+	header: unverified.header,
+	verifyError,
+};
+
+console.log(JSON.stringify(result));

packages/secure-exec/tests/projects/jsonwebtoken-pass/src/index.js

@@ -863,6 +863,73 @@ export function runNodeCryptoSuite(context: NodeSuiteContext): void {
 		expect((result.exports as any).valid).toBe(false);
 	});
 
+	it("createSecretKey produces KeyObject with type 'secret'", async () => {
+		const runtime = await context.createRuntime();
+		const result = await runtime.run(`
+			const crypto = require('crypto');
+			const key = crypto.createSecretKey(Buffer.from('my-secret'));
+			module.exports = {
+				type: key.type,
+				hasExport: typeof key.export === 'function',
+			};
+		`);
+		expect(result.code).toBe(0);
+		expect(result.errorMessage).toBeUndefined();
+		const exports = result.exports as any;
+		expect(exports.type).toBe("secret");
+		expect(exports.hasExport).toBe(true);
+	});
+
+	it("createPrivateKey rejects non-PEM strings", async () => {
+		const runtime = await context.createRuntime();
+		const result = await runtime.run(`
+			const crypto = require('crypto');
+			let threw = false;
+			try {
+				crypto.createPrivateKey('not-a-pem-key');
+			} catch (e) {
+				threw = true;
+			}
+			module.exports = { threw };
+		`);
+		expect(result.code).toBe(0);
+		expect(result.errorMessage).toBeUndefined();
+		expect((result.exports as any).threw).toBe(true);
+	});
+
+	it("createPublicKey rejects non-PEM strings", async () => {
+		const runtime = await context.createRuntime();
+		const result = await runtime.run(`
+			const crypto = require('crypto');
+			let threw = false;
+			try {
+				crypto.createPublicKey('not-a-pem-key');
+			} catch (e) {
+				threw = true;
+			}
+			module.exports = { threw };
+		`);
+		expect(result.code).toBe(0);
+		expect(result.errorMessage).toBeUndefined();
+		expect((result.exports as any).threw).toBe(true);
+	});
+
+	it("HMAC with KeyObject secret produces correct digest", async () => {
+		const runtime = await context.createRuntime();
+		const result = await runtime.run(`
+			const crypto = require('crypto');
+			const key = crypto.createSecretKey(Buffer.from('hmac-key'));
+			const hmac = crypto.createHmac('sha256', key);
+			hmac.update('test data');
+			const hex = hmac.digest('hex');
+			module.exports = { hex, length: hex.length };
+		`);
+		expect(result.code).toBe(0);
+		expect(result.errorMessage).toBeUndefined();
+		const exports = result.exports as any;
+		expect(exports.length).toBe(64);
+	});
+
 	// crypto.subtle (Web Crypto API) tests
 
 	it("subtle.digest('SHA-256', data) matches createHash output", async () => {

packages/secure-exec/tests/test-suite/node/crypto.ts

@@ -116,6 +116,9 @@ PRD: ralph/kernel-hardening (46 stories)
 - Sandbox Server class needs `setTimeout`, `keepAliveTimeout`, `requestTimeout` properties for framework compatibility — added as no-ops
 - Moving a module from Unsupported (Tier 5) to Deferred (Tier 4) requires changes in: module-resolver.ts, require-setup.ts, node-stdlib.md contract, and adding BUILTIN_NAMED_EXPORTS entry
 - `declare module` for untyped npm packages must live in a `.d.ts` file (not `.ts`) — TypeScript treats it as augmentation in `.ts` files and fails with TS2665
+- Sandbox createPrivateKey/createPublicKey must validate PEM format (throw for non-PEM strings) — libraries like jsonwebtoken rely on the throw to fall through to createSecretKey
+- Sandbox createSecretKey creates SandboxKeyObject with type='secret' — needed by libraries checking key.type for symmetric algorithm validation
+- SandboxHmac must handle SandboxKeyObject as key (check key._pem property) — libraries pass KeyObject directly to crypto.createHmac()
 - Host httpRequest adapter must use `http` or `https` transport based on URL protocol — always using `https` breaks localhost HTTP requests from sandbox
 - To test sandbox http.request() client behavior, create an external nodeHttp server in the test code and have the sandbox request to it
 - NodeExecutionDriver split into 5 modules in src/node/: isolate-bootstrap.ts (types+utilities), module-resolver.ts, esm-compiler.ts, bridge-setup.ts, execution-lifecycle.ts; facade is execution-driver.ts (<300 lines)
@@ -2265,3 +2268,19 @@ PRD: ralph/kernel-hardening (46 stories)
   - Follow pg-pass/ssh2-pass pattern for packages needing external services: test module loading, API shape, and data-processing features without real connections
   - ClientRequest in sandbox bridge lacks destroy() method — ws calls req.destroy() on failed upgrades, causing "stream.destroy is not a function" error
 ---
+
+## 2026-03-18 - US-181
+- What was implemented: Added jsonwebtoken project-matrix fixture and fixed sandbox crypto key validation
+- Files changed:
+  - packages/secure-exec/tests/projects/jsonwebtoken-pass/package.json — new fixture package
+  - packages/secure-exec/tests/projects/jsonwebtoken-pass/fixture.json — fixture metadata
+  - packages/secure-exec/tests/projects/jsonwebtoken-pass/src/index.js — JWT sign/verify/decode test
+  - packages/secure-exec-core/isolate-runtime/src/inject/require-setup.ts — added createSecretKey, fixed createPrivateKey and createPublicKey to validate PEM format, updated SandboxHmac to handle SandboxKeyObject keys
+  - packages/secure-exec/tests/test-suite/node/crypto.ts — added 4 tests: createSecretKey, createPrivateKey/createPublicKey PEM validation, HMAC with KeyObject
+  - docs/nodejs-compatibility.mdx — added jsonwebtoken to Tested Packages table
+- **Learnings for future iterations:**
+  - jsonwebtoken 9.0.2 uses createPrivateKey/createSecretKey/createPublicKey to normalize key material before signing — sandbox must implement all three
+  - Sandbox createPrivateKey/createPublicKey must validate PEM format (check for '-----BEGIN') and throw for non-PEM strings — otherwise libraries that try createPrivateKey first and fall back to createSecretKey in catch blocks never reach the fallback
+  - SandboxHmac must handle SandboxKeyObject as key (check key._pem) — jwa passes KeyObject directly to crypto.createHmac()
+  - createSecretKey creates a KeyObject with type='secret' — needed for HS256/HS384/HS512 algorithm validation in jsonwebtoken
+---

progress.txt

@@ -3123,7 +3123,7 @@
         "Tests pass (project-matrix)"
       ],
       "priority": 181,
-      "passes": false,
+      "passes": true,
       "notes": "Depends on crypto.createHmac (US-168). May need to be ordered after crypto stories."
     },
     {