vfs: fix bugs from analysis review

P0 fixes:
- setup.js: use fileURLToPath() instead of path.pathname for file: URLs
- file_handle.js: enforce read/write permissions and exclusive flags
- memory.js: prevent auto-creation of parent dirs in openSync
- memory.js: validate destination before removing source in renameSync

P1 fixes:
- memory.js: convert numeric O_* flags to string equivalents
- dir.js: add callback support to read() and close()
- watcher.js: fix unwatchFile leak by clearing internal listeners set
- provider.js: pass options.flag through writeFile/appendFile
- memory.js: implement recursive readdir
- watcher.js: poll children for directory watch, rescan for new files
- streams.js: support fd and start options in read/write streams

P2 fixes:
- provider.js: check R_OK/W_OK/X_OK permission bits in access()
- provider.js: check COPYFILE_EXCL in copyFile()
- stats.js: add createZeroStats() without S_IFREG for watchFile
- errors.js: add createEACCES error factory

Author: mcollina

lib/internal/vfs/dir.js

@@ -42,15 +42,29 @@ class VirtualDir {
     return this.#entries[this.#index++];
   }
 
-  async read() {
+  async read(callback) {
+    if (typeof callback === 'function') {
+      try {
+        const result = this.readSync();
+        process.nextTick(callback, null, result);
+      } catch (err) {
+        process.nextTick(callback, err);
+      }
+      return;
+    }
     return this.readSync();
   }
 
   closeSync() {
     this.#closed = true;
   }
 
-  async close() {
+  async close(callback) {
+    if (typeof callback === 'function') {
+      this.closeSync();
+      process.nextTick(callback, null);
+      return;
+    }
     this.closeSync();
   }
 

lib/internal/vfs/errors.js

@@ -18,6 +18,7 @@ const {
   UV_EROFS,
   UV_EINVAL,
   UV_ELOOP,
+  UV_EACCES,
 } = internalBinding('uv');
 
 /**
@@ -162,6 +163,22 @@ function createELOOP(syscall, path) {
   return err;
 }
 
+/**
+ * Creates an EACCES error for permission denied.
+ * @param {string} syscall The system call name
+ * @param {string} path The path
+ * @returns {Error}
+ */
+function createEACCES(syscall, path) {
+  const err = new UVException({
+    errno: UV_EACCES,
+    syscall,
+    path,
+  });
+  ErrorCaptureStackTrace(err, createEACCES);
+  return err;
+}
+
 module.exports = {
   createENOENT,
   createENOTDIR,
@@ -172,4 +189,5 @@ module.exports = {
   createEROFS,
   createEINVAL,
   createELOOP,
+  createEACCES,
 };

lib/internal/vfs/file_handle.js

@@ -277,18 +277,48 @@ class MemoryFileHandle extends VirtualFileHandle {
     this.#getStats = getStats;
 
     // Handle different open modes
-    if (flags === 'w' || flags === 'w+') {
+    if (flags === 'w' || flags === 'w+' ||
+        flags === 'wx' || flags === 'wx+') {
       // Write mode: truncate
       this.#content = Buffer.alloc(0);
       if (entry) {
         entry.content = this.#content;
       }
-    } else if (flags === 'a' || flags === 'a+') {
+    } else if (flags === 'a' || flags === 'a+' ||
+               flags === 'ax' || flags === 'ax+') {
       // Append mode: position at end
       this.position = this.#content.length;
     }
   }
 
+  /**
+   * Throws EBADF if the handle was not opened for writing.
+   */
+  #checkWritable() {
+    if (this.flags === 'r') {
+      throw createEBADF('write');
+    }
+  }
+
+  /**
+   * Throws EBADF if the handle was not opened for reading.
+   */
+  #checkReadable() {
+    const f = this.flags;
+    if (f === 'w' || f === 'a' || f === 'wx' || f === 'ax') {
+      throw createEBADF('read');
+    }
+  }
+
+  /**
+   * Returns true if this handle was opened in append mode.
+   * @returns {boolean}
+   */
+  #isAppend() {
+    const f = this.flags;
+    return f === 'a' || f === 'a+' || f === 'ax' || f === 'ax+';
+  }
+
   /**
    * Gets the current content synchronously.
    * For dynamic content providers, this gets fresh content from the entry.
@@ -325,6 +355,7 @@ class MemoryFileHandle extends VirtualFileHandle {
    */
   readSync(buffer, offset, length, position) {
     this.#checkClosed();
+    this.#checkReadable();
 
     // Get content (resolves dynamic content providers)
     const content = this.content;
@@ -369,8 +400,12 @@ class MemoryFileHandle extends VirtualFileHandle {
    */
   writeSync(buffer, offset, length, position) {
     this.#checkClosed();
+    this.#checkWritable();
 
-    const writePos = position !== null && position !== undefined ? position : this.position;
+    // In append mode, always write at the end
+    const writePos = this.#isAppend() ?
+      this.#content.length :
+      (position !== null && position !== undefined ? position : this.position);
     const data = buffer.subarray(offset, offset + length);
 
     // Expand content if needed
@@ -417,6 +452,7 @@ class MemoryFileHandle extends VirtualFileHandle {
    */
   readFileSync(options) {
     this.#checkClosed();
+    this.#checkReadable();
 
     // Get content (resolves dynamic content providers)
     const content = this.content;
@@ -434,6 +470,7 @@ class MemoryFileHandle extends VirtualFileHandle {
    */
   async readFile(options) {
     this.#checkClosed();
+    this.#checkReadable();
 
     // Get content asynchronously (supports async content providers)
     const content = await this.getContentAsync();
@@ -452,6 +489,7 @@ class MemoryFileHandle extends VirtualFileHandle {
    */
   writeFileSync(data, options) {
     this.#checkClosed();
+    this.#checkWritable();
 
     const buffer = typeof data === 'string' ? Buffer.from(data, options?.encoding) : data;
 
@@ -512,6 +550,7 @@ class MemoryFileHandle extends VirtualFileHandle {
    */
   truncateSync(len = 0) {
     this.#checkClosed();
+    this.#checkWritable();
 
     if (len < this.#content.length) {
       this.#content = this.#content.subarray(0, len);

lib/internal/vfs/provider.js

@@ -6,8 +6,19 @@ const {
 
 const {
   createEROFS,
+  createEEXIST,
+  createEACCES,
 } = require('internal/vfs/errors');
 
+const {
+  fs: {
+    R_OK,
+    W_OK,
+    X_OK,
+    COPYFILE_EXCL,
+  },
+} = internalBinding('constants');
+
 /**
  * Base class for VFS providers.
  * Providers implement the essential primitives that the VFS delegates to.
@@ -267,7 +278,8 @@ class VirtualProvider {
     if (this.readonly) {
       throw createEROFS('open', path);
     }
-    const handle = await this.open(path, 'w', options?.mode);
+    const flag = options?.flag ?? 'w';
+    const handle = await this.open(path, flag, options?.mode);
     try {
       await handle.writeFile(data, options);
     } finally {
@@ -285,7 +297,8 @@ class VirtualProvider {
     if (this.readonly) {
       throw createEROFS('open', path);
     }
-    const handle = this.openSync(path, 'w', options?.mode);
+    const flag = options?.flag ?? 'w';
+    const handle = this.openSync(path, flag, options?.mode);
     try {
       handle.writeFileSync(data, options);
     } finally {
@@ -304,7 +317,8 @@ class VirtualProvider {
     if (this.readonly) {
       throw createEROFS('open', path);
     }
-    const handle = await this.open(path, 'a', options?.mode);
+    const flag = options?.flag ?? 'a';
+    const handle = await this.open(path, flag, options?.mode);
     try {
       await handle.writeFile(data, options);
     } finally {
@@ -322,7 +336,8 @@ class VirtualProvider {
     if (this.readonly) {
       throw createEROFS('open', path);
     }
-    const handle = this.openSync(path, 'a', options?.mode);
+    const flag = options?.flag ?? 'a';
+    const handle = this.openSync(path, flag, options?.mode);
     try {
       handle.writeFileSync(data, options);
     } finally {
@@ -369,6 +384,11 @@ class VirtualProvider {
     if (this.readonly) {
       throw createEROFS('copyfile', dest);
     }
+    if ((mode & COPYFILE_EXCL) !== 0) {
+      if (await this.exists(dest)) {
+        throw createEEXIST('copyfile', dest);
+      }
+    }
     const content = await this.readFile(src);
     await this.writeFile(dest, content);
   }
@@ -383,6 +403,11 @@ class VirtualProvider {
     if (this.readonly) {
       throw createEROFS('copyfile', dest);
     }
+    if ((mode & COPYFILE_EXCL) !== 0) {
+      if (this.existsSync(dest)) {
+        throw createEEXIST('copyfile', dest);
+      }
+    }
     const content = this.readFileSync(src);
     this.writeFileSync(dest, content);
   }
@@ -420,8 +445,8 @@ class VirtualProvider {
    * @returns {Promise<void>}
    */
   async access(path, mode) {
-    // Default: just check if the path exists
-    await this.stat(path);
+    const stats = await this.stat(path);
+    this.#checkAccessMode(path, stats, mode);
   }
 
   /**
@@ -430,8 +455,30 @@ class VirtualProvider {
    * @param {number} [mode] Access mode
    */
   accessSync(path, mode) {
-    // Default: just check if the path exists
-    this.statSync(path);
+    const stats = this.statSync(path);
+    this.#checkAccessMode(path, stats, mode);
+  }
+
+  /**
+   * Checks access mode bits against file stats.
+   * @param {string} path The path (for error messages)
+   * @param {Stats} stats The file stats
+   * @param {number} mode The requested access mode
+   */
+  #checkAccessMode(path, stats, mode) {
+    if (mode == null || mode === 0) return; // F_OK = 0, existence-only check
+
+    const fileMode = stats.mode & 0o777; // Permission bits
+    // Check owner permissions (simplified: treat VFS user as owner)
+    if ((mode & R_OK) !== 0 && (fileMode & 0o400) === 0) {
+      throw createEACCES('access', path);
+    }
+    if ((mode & W_OK) !== 0 && (fileMode & 0o200) === 0) {
+      throw createEACCES('access', path);
+    }
+    if ((mode & X_OK) !== 0 && (fileMode & 0o100) === 0) {
+      throw createEACCES('access', path);
+    }
   }
 
   // === HARD LINK OPERATIONS (optional) ===