feat: transfer and adapt come lavamoat-node docs, fill in runtime page, minor edits to index

Author: naugtur

src/content/docs/about/runtime-environment.md

@@ -5,4 +5,51 @@ sidebar:
   order: 3
 ---
 
-Not gonna ask ChatGPT to write this
+## Runtime protections
+
+You can use lavamoat to prevent malicious code introduced into a package from running.
+
+The LavaMoat runtime reduces the supply chain risk by:
+
+1. Preventing modification of JavaScript's built-in data types (`Object`, `String`, `Number`, `Array`, etc.)
+2. Providing granular control over access to the global platform API (`document`, `process`, `WebSocket`, etc.)
+
+
+Both are provided by [SES][SesGithub] containers. Platform API access is granted by a policy file that LavaMoat can generate and allow the project to selectively customize. All details of policy file structure are documented in the [Policy file explained][PolicyDoc] doc.
+
+#### Hardened Javascript (SES)
+
+[SES][SesGithub] is the sandbox used in LavaMoat. See SES's [secure computing guide][SesComputingGuide] to learn more about the risks of untrusted javascript.
+
+SES provides `Compartment` and `lockdown` which LavaMoat uses to provide two distinct protections:
+
+- `lockdown` hardens the runtime environment, preventing the JavaScript intrinsics from being tampered with. It therefore stops prototype poisoning attacks from affecting the security of `Compartment` and the rest of the application
+- `Compartment` is used internally to allow isolating each dependency and awarding it access to only the globals and imports allowed by the policy.
+
+#### Scuttling
+
+Since LavaMoat is selectively giving copies of global references to confined parts of the application, there no longer is a need for the actual global references to exist.
+
+We apply a step we call "Scuttling" early on in the initialization of the app to destroy all the global references we can possibly destroy after we've captured them. So even if the app code accidentally gives a dependency some powers that lead to it reaching the globalThis - there's not much left there to use.
+
+### LavaMoat runtime protection in Node.js
+
+Run your server or app building code with protections via [LavaMoat Node][lavamoat-node]
+
+TODO: mention endomoat maybe
+
+### LavaMoat runtime protection in the browser
+
+LavaMoat is designed to work in the browser in tandem with a strict Content Security Policy. As a result, the confinement provided by Compartments is not created at runtime, but inserted into the JavaScript bundle at build time, thus avoiding the use of `eval` or `new Function` which are prohibited under CSP.
+
+As a result, to secure your code in the browser, you need to use one of the supported bundlers.
+
+[LavaMoat plugin for Webpack5][lavamoat-webpack] (beta)
+
+[LavaMoat for Browserify][lavamoat-browserify]
+
+
+
+[lavamoat-node] /guides/lavamoat-node
+[lavamoat-browserify] /guides/browserify
+[lavamoat-webpack] /guides/webpack

src/content/docs/guide/allow-scripts.md

@@ -11,6 +11,7 @@ description: 'A user guide for @lavamoat/allow-scripts'
 - One of the following package managers:
   - [npm](https://www.npmjs.com/) v8.0.0+
   - [Yarn](https://yarnpkg.com/) v1.22.0+
+  - [Yarn Berry](https://yarnpkg.com/) v3 or above
 
 ## Install
 

src/content/docs/guide/getting-started.md

@@ -17,3 +17,21 @@ LavaMoat is distributed as a [Node.js](https://nodejs.org) command-line tool. Yo
 Don't have Node.js installed? [Download and install Node.js from the official site.](https://nodejs.org/en/download)
 
 :::
+
+
+## How to secure your app against supply-chain attacks
+
+1. Control dependency lifecycle scripts (eg. "postinstall") via [@lavamoat/allow-scripts][lavamoat-allowscripts]
+2. run your server or build process in [lavamoat-node][lavamoat-node]
+3. build your ui with our [Webpack5 plugin (beta)][lavamoat-webpack] or use LavaMoat for [Browserify][lavamoat-browserify]
+
+:::tip
+
+Even starting with adding just step 1 - the `allow-scripts`, is a great improvement to your supply chain security. Majority of supply-chain attacks are delivered via lifecycle scripts.
+
+:::
+
+[lavamoat-allowscripts] /guides/allow-scripts
+[lavamoat-node] /guides/lavamoat-node
+[lavamoat-browserify] /guides/browserify
+[lavamoat-webpack] /guides/webpack

src/content/docs/guide/lavamoat-node.md

@@ -0,0 +1,166 @@
+---
+title: "User's Guide: lavamoat node runtime"
+description: 'A user guide for running LavaMoat-protected NodeJS applications'
+---
+
+`lavamoat` is a Node.js runtime where modules are defined in [SES][ses-github-ext] Compartments. It aims to reduce the risk of malicious code in the app dependency graph, known as "software supply chain attacks".
+
+:::caution
+
+This runtime does not support ESM modules. A new runtime that's ESM-first is a work in progress.
+
+:::
+
+## LavaMoat Runtime
+
+LavaMoat differs from the standard node runtime in that it:
+
+1. Uses `lockdown()` from [SES][ses-github-ext] to prevent tampering with the execution environment.
+   Thanks to lockdown, prototype-pollution attacks are neutralized. It's also a prerequisite to code isolation.
+2. Uses SES Compartments to isolate each package's execution.
+   Packages don't share references to anything unless explicitly passed in or allowed by policy. Custom `require` and linking implementation is provided for the purpose of loading allowed dependencies.
+3. Enforces the app-specified LavaMoat policy.
+   The policy specifies what execution environment each package should run with, which means: what global/built-in APIs should it be exposed to, and what other packages can it require.
+
+The result is a runtime that should work just as before, but provides some protection against supply chain attacks.
+
+## Install
+
+:::tip[Protect your installation]
+Before you use lavamoat runtime protections, make sure you've set up allow-scripts and install dependencies using that setup.
+:::
+
+Use one of:
+
+```
+npm i lavamoat
+yarn add lavamoat
+```
+
+## Usage
+
+### Recommended usage
+
+1. Install
+2. Run your application once with `lavamoat app.js --autopolicy`
+3. Inspect the `./lavamoat/node/policy.json` file it generated
+4. Run your application with `lavamoat app.js`
+5. If you find you need to change the policy in step 2 or 3 create a `./lavamoat/node/policy-override.json` file and introduce changes there. You can both expand and trim the permissions.
+
+For more information on the lavamoat policy file, check [Policy file explained][policy-file] in documentation.
+
+:::tip[Policy maintenance]
+
+You can regenerate the main policy file on updates (and review for unexpected new permissions) while the modifications you needed to make remain in a separate overrides file. It makes reviewing and maintaining both files easier.
+
+:::
+
+### All options
+
+```
+lavamoat <entryPath> [Options]
+
+Positionals:
+  entryPath  the path to the entry file for your application. same as node.js
+                                                                        [string]
+
+Options:
+      --version                             Show version number        [boolean]
+      --help                                Show help                  [boolean]
+  -p, --policy, --policyPath                Pass in policy. Accepts a filepath
+                                            string to the existing policy. When
+                                            used in conjunction with
+                                            --autopolicy, specifies where to
+                                            write the policy. Default:
+                                            ./lavamoat/node/policy.json
+                                 [string] [default: "lavamoat/node/policy.json"]
+  -o, --policyOverride, --override,         Pass in override policy. Accepts a
+  --policyOverridePath                      filepath string to the existing
+                                            override policy. Default:
+                                            ./lavamoat/node/policy-override.json
+                        [string] [default: "lavamoat/node/policy-override.json"]
+      --policyDebug, --pd, --policydebug,   Pass in debug policy. Accepts a
+      --policyDebugPath                     filepath string to the existing
+                                            debug policy. Default:
+                                            ./lavamoat/node/policy-debug.json
+                           [string] [default: "lavamoat/node/policy-debug.json"]
+  -a, --writeAutoPolicy, --autopolicy       Generate a "policy.json" and
+                                            "policy-override.json" in the
+                                            current working         directory.
+                                            Overwrites any existing policy
+                                            files. The override policy is for
+                                            making manual policy changes and
+                                            always takes precedence over the
+                                            automatically generated policy.
+                                                      [boolean] [default: false]
+      --writeAutoPolicyAndRun, --ar,        parse + generate a LavaMoat policy
+      --autorun                             file then execute with the new
+                                            policy.   [boolean] [default: false]
+      --writeAutoPolicyDebug, --dp,         when writeAutoPolicy is enabled,
+      --debugpolicy                         write policy debug info to specified
+                                            or default path
+                                                      [boolean] [default: false]
+      --projectRoot                         specify the director from where
+                                            packages should be resolved
+            [string] [default: "/home/naugtur/work/metamask/metamask-extension"]
+  -d, --debugMode, --debug                  Disable some protections and extra
+                                            logging for easier debugging.
+                                                      [boolean] [default: false]
+      --statsMode, --stats                  enable writing and logging of stats
+                                                      [boolean] [default: false]
+
+```
+
+## Examples
+
+### Run with Policy in default location
+
+This uses the existing policy and policy-override files to run your app.
+
+```bash
+lavamoat index.js
+```
+
+Automatically searches for policy files inside `./lavamoat/node/`.
+
+### Policy Override with Relative Path
+
+This uses the override policy specified at `./policies/policy-override.json`.
+
+```
+$ lavamoat index.js --override './policies/policy-override.json'
+```
+
+## Troubleshooting
+
+- Having trouble reading thrown Errors? try running with the `--debugMode` flag. **Warning:** not safe for production runs.
+
+- Got a dependency that wont quite work under LavaMoat? try [patch-package](https://www.npmjs.com/package/patch-package)
+
+For more details go to the [troubleshooting section][troubleshooting]
+
+## Programmatic usage
+
+Programmatic usage is almost identical to the commandline and its arguments.
+
+```js
+const { runLava } = require('lavamoat')
+
+runLava({
+  entryPath: './app.js',
+  // Optional:
+  writeAutoPolicy: false,
+  writeAutoPolicyDebug: false,
+  writeAutoPolicyAndRun: false,
+  policyPath: 'path to file',
+  policyDebugPath: 'path to file',
+  policyOverridePath: 'path to file',
+  projectRoot: process.cwd(),
+  debugMode: false,
+  statsMode: false,
+})
+```
+
+[ses-github-ext]: https://github.com/endojs/endo/tree/master/packages/ses
+[policy-file]: ./policy
+[troubleshooting]: ./troubleshooting