feat: US-002 - Fix crypto key generation (generateKeyPair for ed25519/ed448, generateKey symmetric)

Author: NathanFlurry

.agent/contracts/node-bridge.md

@@ -160,3 +160,11 @@ The bridge global key registry consumed by host runtime setup, bridge modules, a
 #### Scenario: Native V8 bridge registries stay aligned with async and sync lifecycle hooks
 - **WHEN** bridge modules depend on a host bridge global via async `.apply(..., { result: { promise: true } })` or sync `.applySync(...)` semantics
 - **THEN** the native V8 bridge function registries MUST expose a matching callable shape for that global (or an equivalent tested shim), and automated verification MUST cover the registry alignment
+
+### Requirement: Dispatch-Multiplexed Bridge Errors Preserve Structured Metadata
+Bridge globals routed through the `_loadPolyfill` dispatch multiplexer SHALL preserve host error metadata needed for Node-compatible assertions.
+
+#### Scenario: Host bridge throws typed crypto validation error
+- **WHEN** a dispatch-multiplexed bridge handler throws a host error with `name` and `code` (for example `TypeError` + `ERR_INVALID_ARG_VALUE`)
+- **THEN** the sandbox-visible error MUST preserve that `name` and `code`
+- **AND** the bridge MUST NOT collapse the error to a plain `Error` with only a message

docs-internal/arch/overview.md

@@ -1,5 +1,133 @@
 # Architecture Overview
 
+## Architectural Model: Inverted VM
+
+Traditional virtual machines (Firecracker, QEMU) place the OS **inside** the VM — a hypervisor
+virtualizes hardware, and a guest kernel (Linux) runs on top:
+
+```
+Traditional:  VM contains OS
+
+  ┌────────────────────┐
+  │  Hypervisor / VM   │  (Firecracker, QEMU, KVM)
+  │                    │
+  │  ┌──────────────┐  │
+  │  │   Guest OS   │  │  (Linux kernel)
+  │  │              │  │
+  │  │  ┌────────┐  │  │
+  │  │  │  Apps  │  │  │  (ELF binaries)
+  │  │  └────────┘  │  │
+  │  └──────────────┘  │
+  └────────────────────┘
+```
+
+Secure Exec inverts this: the OS is the **outer** layer, and execution engines (V8, WASM) are
+plugged **into** it. The kernel runs in the host process and mediates all I/O. There is no
+hypervisor — the isolation boundary is the V8 isolate and WASM sandbox, not hardware virtualization:
+
+```
+Secure Exec:  OS contains VMs
+
+  ┌──────────────────────────────────────────────┐
+  │  Virtual OS  (packages/core/kernel/)          │
+  │  VFS, process table, FD table,                │
+  │  sockets, pipes, signals, permissions         │
+  │                                               │
+  │  ┌─────────────────┐  ┌───────────────────┐   │
+  │  │   V8 Isolate    │  │   WASM Runtime    │   │
+  │  │   (Node.js)     │  │   (V8 WebAssembly)│   │
+  │  │                 │  │                   │   │
+  │  │   JS scripts    │  │   POSIX binaries  │   │
+  │  └─────────────────┘  └───────────────────┘   │
+  └──────────────────────────────────────────────┘
+```
+
+### Comparison: Containers vs MicroVMs vs Secure Exec
+
+```
+Container (Docker)
+
+  ┌───────────────────────────────────────────┐
+  │  Host Linux Kernel (shared)               │
+  │                                           │
+  │  ┌─────────────────┐  ┌────────────────┐  │
+  │  │ Namespace +     │  │ Namespace +    │  │
+  │  │ cgroup jail     │  │ cgroup jail    │  │
+  │  │                 │  │                │  │
+  │  │  ┌───────────┐  │  │  ┌──────────┐  │  │
+  │  │  │   App 1   │  │  │  │  App 2   │  │  │
+  │  │  │  ELF bins  │  │  │  │ ELF bins │  │  │
+  │  │  └───────────┘  │  │  └──────────┘  │  │
+  │  └─────────────────┘  └────────────────┘  │
+  └───────────────────────────────────────────┘
+  Kernel is shared. Kernel vuln = all containers escape.
+
+
+MicroVM (Firecracker)
+
+  ┌───────────────────────────────────────────┐
+  │  Host Linux Kernel                        │
+  │                                           │
+  │  ┌─────────────────┐  ┌────────────────┐  │
+  │  │ KVM / VT-x      │  │ KVM / VT-x     │  │
+  │  │ (hypervisor)     │  │ (hypervisor)   │  │
+  │  │                  │  │                │  │
+  │  │  ┌────────────┐  │  │  ┌──────────┐  │  │
+  │  │  │ Guest      │  │  │  │ Guest    │  │  │
+  │  │  │ Linux      │  │  │  │ Linux    │  │  │
+  │  │  │ Kernel     │  │  │  │ Kernel   │  │  │
+  │  │  │            │  │  │  │          │  │  │
+  │  │  │  ┌──────┐  │  │  │  │ ┌──────┐ │  │  │
+  │  │  │  │ App  │  │  │  │  │ │ App  │ │  │  │
+  │  │  │  └──────┘  │  │  │  │ └──────┘ │  │  │
+  │  │  └────────────┘  │  │  └──────────┘  │  │
+  │  └─────────────────┘  └────────────────┘  │
+  └───────────────────────────────────────────┘
+  Each VM has its own kernel. Hypervisor vuln = escape.
+
+
+Secure Exec
+
+  ┌───────────────────────────────────────────┐
+  │  Host Process (Node.js / Browser)         │
+  │                                           │
+  │  ┌─────────────────┐  ┌────────────────┐  │
+  │  │ Virtual OS       │  │ Virtual OS     │  │
+  │  │ (SEOS kernel)    │  │ (SEOS kernel)  │  │
+  │  │                  │  │                │  │
+  │  │  ┌────────────┐  │  │  ┌──────────┐  │  │
+  │  │  │ V8 / WASM  │  │  │  │ V8 / WASM│  │  │
+  │  │  │            │  │  │  │          │  │  │
+  │  │  │  JS / WASM │  │  │  │ JS / WASM│  │  │
+  │  │  │  programs  │  │  │  │ programs │  │  │
+  │  │  └────────────┘  │  │  └──────────┘  │  │
+  │  └─────────────────┘  └────────────────┘  │
+  └───────────────────────────────────────────┘
+  Each instance has its own kernel. V8/WASM vuln = escape.
+```
+
+|                    | Container            | MicroVM               | Secure Exec           |
+|--------------------|----------------------|-----------------------|-----------------------|
+| **Isolation**      | Namespaces + cgroups  | Hardware (VT-x/KVM)   | V8 isolate + WASM     |
+| **Kernel**         | Shared host kernel    | Dedicated guest kernel| Virtual POSIX kernel  |
+| **Attack surface** | Host kernel syscalls  | Hypervisor interface   | JS/WASM sandbox       |
+| **Boot time**      | ~100ms               | ~125ms                | <5ms                  |
+| **Overhead**       | Near-native           | ~3-5% CPU/memory      | V8/WASM overhead      |
+| **Runs in browser**| No                   | No                    | Yes                   |
+| **Guest format**   | ELF binaries          | ELF binaries          | JS scripts + WASM     |
+| **Escape risk**    | Kernel vuln = escape  | Hypervisor vuln = escape | V8 vuln = escape   |
+
+Key architectural differences:
+- **Containers** share the host kernel — a kernel vulnerability lets every container escape. The kernel is the trust boundary and the attack surface simultaneously.
+- **MicroVMs** run a dedicated guest kernel inside hardware virtualization. Stronger isolation (hypervisor boundary), but 100ms+ boot time and no browser support.
+- **Secure Exec** provides its own virtual kernel in userspace. No shared kernel attack surface (the virtual kernel is per-instance), no hardware requirements, millisecond boot. The tradeoff is that isolation depends on V8/WASM sandbox correctness rather than hardware enforcement.
+
+The WASI extensions (`native/wasmvm/crates/wasi-ext/`) bridge WASM syscalls into the OS kernel.
+The Node.js bridge (`packages/nodejs/src/bridge/`) does the same for V8 isolate code. Both are
+thin translation layers — the real implementation lives in the kernel.
+
+## Package Map
+
 ```
   Kernel-first API (createKernel + mount + exec)
   packages/core/

docs-internal/todo.md

@@ -12,6 +12,10 @@ Priority order is:
 
 ---
 
+## Rename
+
+- [ ] Rename `wasmvm` back to `seos` (Secure Exec OS) across the codebase (packages, directories, imports, docs)
+
 docs-internal/proposal-kernel-consolidation.md
 docs-internal/specs/custom-bindings.md
 docs-internal/specs/cli-tool-e2e.md

docs/nodejs-conformance-report.mdx

@@ -12,18 +12,18 @@ description: Node.js v22 test/parallel/ conformance results for the secure-exec
 | Node.js version | 22.14.0 |
 | Source | v22.14.0 (test/parallel/) |
 | Total tests | 3532 |
-| Passing (genuine) | 730 (20.7%) |
+| Passing (genuine) | 737 (20.9%) |
 | Passing (vacuous self-skip) | 34 |
-| Passing (total) | 764 (21.6%) |
-| Expected fail | 2697 |
+| Passing (total) | 771 (21.8%) |
+| Expected fail | 2690 |
 | Skip | 71 |
 | Last updated | 2026-03-25 |
 
 ## Failure Categories
 
 | Category | Tests |
 | --- | --- |
-| implementation-gap | 1396 |
+| implementation-gap | 1389 |
 | unsupported-module | 737 |
 | requires-v8-flags | 239 |
 | requires-exec-path | 200 |
@@ -70,7 +70,7 @@ description: Node.js v22 test/parallel/ conformance results for the secure-exec
 | constants | 1 | 0 | 1 | 0 | 0.0% |
 | corepack | 1 | 0 | 1 | 0 | 0.0% |
 | coverage | 1 | 0 | 1 | 0 | 0.0% |
-| crypto | 99 | 42 (13 vacuous) | 57 | 0 | 42.4% |
+| crypto | 99 | 49 (13 vacuous) | 50 | 0 | 49.5% |
 | cwd | 3 | 0 | 3 | 0 | 0.0% |
 | data | 1 | 0 | 1 | 0 | 0.0% |
 | datetime | 1 | 0 | 1 | 0 | 0.0% |
@@ -245,11 +245,11 @@ description: Node.js v22 test/parallel/ conformance results for the secure-exec
 | wrap | 4 | 0 | 4 | 0 | 0.0% |
 | x509 | 1 | 0 | 1 | 0 | 0.0% |
 | zlib | 53 | 17 | 33 | 3 | 34.0% |
-| **Total** | **3532** | **764** | **2697** | **71** | **22.1%** |
+| **Total** | **3532** | **771** | **2690** | **71** | **22.3%** |
 
 ## Expectations Detail
 
-### implementation-gap (715 entries)
+### implementation-gap (708 entries)
 
 **Glob patterns:**
 
@@ -260,7 +260,7 @@ description: Node.js v22 test/parallel/ conformance results for the secure-exec
 - `test-https-*.js` — https depends on tls — most tests fail on missing TLS fixture files or crypto API gaps
 - `test-http2-*.js` — http2 module bridged via kernel — most tests fail on API gaps, missing fixtures, or protocol handling
 
-*709 individual tests — see expectations.json for full list.*
+*702 individual tests — see expectations.json for full list.*
 
 ### unsupported-module (190 entries)