chore: update progress for US-111

Author: NathanFlurry

scripts/ralph/prd.json

@@ -2124,7 +2124,7 @@
         "Tests pass"
       ],
       "priority": 126,
-      "passes": false,
+      "passes": true,
       "notes": "Audit M2 — MEDIUM. apply-timing-mitigation-freeze.ts:13-17. Date.now is set with writable: true, configurable: true. Sandbox code can restore it trivially."
     },
     {

scripts/ralph/progress.txt

@@ -107,6 +107,7 @@ PRD: ralph/kernel-hardening (46 stories)
 - Source policy tests (isolate-runtime-injection-policy, bridge-registry-policy) read specific source files by path — update them when moving code between files
 - esmModuleCache has a sibling esmModuleReverseCache (Map<ivm.Module, string>) for O(1) module→path lookup — both must be updated together and cleared together in execution.ts
 - Network adapter SSRF: isPrivateIp() + assertNotPrivateHost() in driver.ts; fetch uses redirect:'manual' with per-hop re-validation; httpRequest has pre-flight check only (no auto-redirect); data:/blob: URLs skip SSRF check
+- V8 isolate native `performance` object has non-configurable `now` — must replace entire global with frozen proxy; after build:isolate-runtime, also run core tsc to update dist .js
 
 ---
 
@@ -1613,3 +1614,17 @@ PRD: ralph/kernel-hardening (46 stories)
   - Testing handle cap directly via _registerHandle/_unregisterHandle globals from sandbox code is simpler and more reliable than testing through child_process.spawn (which has async lifecycle)
   - The 5 failures in tests/runtime-driver/node/index.test.ts (ECONNREFUSED + upgrade) are pre-existing and unrelated
 ---
+
+## 2026-03-18 - US-111
+- What was implemented: Hardened timing mitigation — Date.now frozen as non-configurable/non-writable, Date constructor patched to return frozen time for no-arg `new Date()`, performance global replaced with frozen proxy object
+- Files changed:
+  - packages/secure-exec-core/isolate-runtime/src/inject/apply-timing-mitigation-freeze.ts — Date.now: configurable/writable→false; new Date constructor wrapper with frozen no-arg time; performance: replaced native with Object.create(null) + Object.freeze + non-configurable global property
+  - packages/secure-exec-core/src/generated/isolate-runtime.ts — auto-regenerated by build:isolate-runtime
+  - packages/secure-exec/tests/runtime-driver/node/index.test.ts — added 3 tests: Date.now override blocked (strict mode assignment + defineProperty), new Date().getTime() matches frozen Date.now(), performance.now override blocked
+- **Learnings for future iterations:**
+  - V8 isolate's native `performance` object has non-configurable `now` property — Object.defineProperty in-place fails silently to catch block; must replace the entire global with a frozen proxy
+  - `Object.defineProperty(globalThis, "performance", { configurable: false })` works in isolated-vm — the global proxy supports non-configurable data properties
+  - Assignment to non-writable property silently fails in sloppy mode, throws TypeError only in strict mode — security tests must use `'use strict'` to verify TypeError
+  - `build:isolate-runtime` generates the `.ts` source, but `@secure-exec/core` tsc must run to compile to dist `.js` — tests resolve through compiled dist, not raw .ts
+  - Date constructor replacement: must use Object.defineProperty for prototype (direct assignment fails with TS2540), forward parse/UTC, lock Date.now on replacement too
+---