M3-B Phase B — JavaScript runtime adapter (skeleton).
This module is the integration boundary between crates/pdf-xfa’s
flatten pipeline and a sandboxed JavaScript runtime. Phase B ships
the boundary plus a NullRuntime stub. The rquickjs-backed runtime
is gated behind the xfa-js-sandboxed Cargo feature and registers
no host bindings — Phase C adds the first useful set per
benchmarks/runs/M3B_HOST_BINDINGS_MINIMUM_SET.md.
The default behaviour of crate::dynamic::apply_dynamic_scripts
and flatten_xfa_to_pdf is unchanged: with the feature off and
mode BestEffortStatic, the runtime is never invoked. Adding the
adapter is intentionally behaviour-neutral.
See benchmarks/runs/M3B_RUNTIME_SECURITY_MODEL.md for the 18
invariants the adapter must respect (S-1..S-18).
Re-exports
- pub use host::HostBindings;
- pub use host::MutationLogEntry;
- pub use host::MAX_INSTANCES_PER_SUBFORM;
- pub use host::MAX_ITEMS_PER_LISTBOX;
- pub use host::MAX_MUTATIONS_PER_DOC;
- pub use host::MAX_RESOLVE_CALLS_PER_SCRIPT;
- pub use host::MAX_RESOLVE_RESULTS;
- pub use host::MAX_SOM_DEPTH;
- pub use null::NullRuntime;
- pub use rquickjs_backend::QuickJsRuntime;
Modules
- host: Phase C host bindings for the sandboxed JavaScript runtime.
- null: NullRuntime — always-available stub backend.
- rquickjs_backend: M3-B Phase B — rquickjs backend for super::XfaJsRuntime.
Structs
- RuntimeMetadata: Cumulative metadata for a single document’s flatten. The runtime adapter accumulates counters across calls; the dispatch site reads them via XfaJsRuntime::take_metadata when the document is done.
- RuntimeOutcome: Outcome of evaluating one script body inside the sandbox.
Enums
- SandboxError: Errors the runtime adapter can emit. Every variant is recoverable at the dispatch site — the parent flatten never aborts because of a sandbox error (S-17 fail-open).
Constants
- DEFAULT_MEMORY_BUDGET_BYTES: Default per-document memory budget enforced by the rquickjs backend (S-10).
- DEFAULT_TIME_BUDGET_MS: Default per-script wall-clock budget enforced by the rquickjs backend (S-9). Exposed as a constant so tests can reason about it without depending on the runtime backend module.
- MAX_SCRIPT_BODY_BYTES: Hard cap on script body size (S-11). Bodies above this length are rejected before any parse attempt.
- SANDBOX_ACTIVITY_ALLOWLIST: The activities for which the sandboxed runtime accepts dispatch. Other activities (click, preSubmit, mouseEnter, …) skip the runtime entirely at the crate::dynamic::apply_dynamic_scripts_with_mode boundary because they do not fire during static flatten (S-14).
Traits
- XfaJsRuntime: The host-side adapter the dispatch path calls. A minimal contract chosen so that swapping backends (rquickjs ↔ boa ↔ external sandbox) is one Cargo feature flag away.
Functions
- activity_allowed_for_sandbox: True when activity is in SANDBOX_ACTIVITY_ALLOWLIST.
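The following is an added example, not pdf-xfa's own code, showing how the boundary described on this page fits together: the activity allowlist check at the dispatch site (S-14), the script-body size cap applied before any parse (S-11), per-document counters handed back through take_metadata, and fail-open handling of SandboxError so the parent flatten continues (S-17). The names mirror this page's item list, but every signature, the allowlist contents, the error variants and the numeric limit are assumptions made for this example; the real crate's definitions are not reproduced here.

```rust
// Added example (not pdf-xfa's code). Names follow the page's item list;
// signatures, allowlist contents and limits are assumptions for illustration.

/// Assumed allowlist contents: the page only names excluded activities
/// (click, preSubmit, mouseEnter), so the entries here are placeholders.
pub const SANDBOX_ACTIVITY_ALLOWLIST: &[&str] = &["initialize", "calculate", "validate"];

/// Hard cap on script body size (S-11). Placeholder value.
pub const MAX_SCRIPT_BODY_BYTES: usize = 64 * 1024;

/// True when `activity` is in `SANDBOX_ACTIVITY_ALLOWLIST` (S-14).
pub fn activity_allowed_for_sandbox(activity: &str) -> bool {
    SANDBOX_ACTIVITY_ALLOWLIST.contains(&activity)
}

/// Errors the adapter can emit; every variant is recoverable at dispatch.
#[derive(Debug, Clone, PartialEq)]
pub enum SandboxError {
    ScriptTooLarge { len: usize, max: usize },
    TimeBudgetExceeded,
    MemoryBudgetExceeded,
    Evaluation(String),
}

/// Outcome of evaluating one script body.
#[derive(Debug, Clone, PartialEq)]
pub enum RuntimeOutcome {
    /// Backend accepted the body but evaluates nothing (NullRuntime).
    Skipped,
    /// Backend evaluated the body to completion.
    Completed,
}

/// Per-document counters, accumulated by the adapter across calls.
#[derive(Debug, Default, Clone, PartialEq)]
pub struct RuntimeMetadata {
    pub scripts_seen: usize,
    pub scripts_rejected_size: usize,
    pub scripts_accepted: usize,
}

/// The host-side adapter the dispatch path calls (assumed shape).
pub trait XfaJsRuntime {
    fn eval_script(&mut self, body: &str) -> Result<RuntimeOutcome, SandboxError>;
    /// Hands back the accumulated counters and resets them for the next document.
    fn take_metadata(&mut self) -> RuntimeMetadata;
}

/// Always-available stub backend: enforces the size cap, evaluates nothing.
#[derive(Default)]
pub struct NullRuntime {
    meta: RuntimeMetadata,
}

impl XfaJsRuntime for NullRuntime {
    fn eval_script(&mut self, body: &str) -> Result<RuntimeOutcome, SandboxError> {
        self.meta.scripts_seen += 1;
        // S-11: oversized bodies are rejected before any parse attempt.
        if body.len() > MAX_SCRIPT_BODY_BYTES {
            self.meta.scripts_rejected_size += 1;
            return Err(SandboxError::ScriptTooLarge { len: body.len(), max: MAX_SCRIPT_BODY_BYTES });
        }
        self.meta.scripts_accepted += 1;
        Ok(RuntimeOutcome::Skipped)
    }

    fn take_metadata(&mut self) -> RuntimeMetadata {
        std::mem::take(&mut self.meta)
    }
}

/// What the dispatch site records for one document.
#[derive(Debug, Default, PartialEq)]
pub struct DispatchReport {
    pub dispatched: usize,
    pub skipped_by_activity: usize,
    pub recovered_errors: Vec<SandboxError>,
}

/// Dispatch every `(activity, body)` pair of one document. Activities outside
/// the allowlist never reach the runtime (S-14); sandbox errors are recorded
/// and the loop continues, so the parent flatten never aborts (S-17).
pub fn dispatch_scripts<R: XfaJsRuntime>(rt: &mut R, scripts: &[(&str, &str)]) -> DispatchReport {
    let mut report = DispatchReport::default();
    for (activity, body) in scripts {
        if !activity_allowed_for_sandbox(activity) {
            report.skipped_by_activity += 1;
            continue;
        }
        report.dispatched += 1;
        if let Err(e) = rt.eval_script(body) {
            report.recovered_errors.push(e);
        }
    }
    report
}

fn main() {
    // Constructed sample input: one disallowed activity, one oversized body.
    let big = "x".repeat(MAX_SCRIPT_BODY_BYTES + 1);
    let scripts = [
        ("initialize", "this.rawValue = 1;"),
        ("click", "// click handler, never dispatched during static flatten"),
        ("calculate", big.as_str()),
        ("validate", "true"),
    ];
    let mut rt = NullRuntime::default();
    let report = dispatch_scripts(&mut rt, &scripts);
    println!("{report:?}\n{:?}", rt.take_metadata());
}
```

The point of the split is that the dispatch site only ever sees a Result and a report: a rejected or failing script changes counters, never control flow of the flatten, and a backend swap (NullRuntime for the rquickjs-backed one) leaves dispatch_scripts untouched.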