feat: Windows WHP support, deterministic VM dispose, npm audit fixes

[simongdavies]

Windows platform support:

• Justfile: [windows] recipes for build-hyperlight, resolve-hyperlight-dir, start-debug
• Justfile: runtime-cflags forward-slash fix for clang cross-compilation
• build-binary.js: .cmd launcher, platform-aware post-build output
• plugins: O_NOFOLLOW fallback (Windows lacks O_NOFOLLOW, relies on lstat pre-check)
• agent/index.ts: pathToFileURL for ESM plugin imports on Windows
• build.rs: forward-slash CFLAGS for clang on Windows
• code-validator/guest: win32-x64-msvc NAPI target
• .gitattributes: enforce LF line endings across platforms

VM resource management:

• sandbox/tool.js: invalidateSandbox() now calls dispose() on LoadedJSSandbox and JSSandbox for deterministic VM cleanup instead of relying on V8 GC
• Updated hyperlight-js dep to include dispose() API

Error handling:

• agent/event-handler.ts: suppress duplicate 'Tool execution failed' messages
• sandbox/tool.js: MMIO error detection in compilation and runtime paths
• agent/index.ts: surrogate pool env vars (HYPERLIGHT_INITIAL/MAX_SURROGATES)

Test fixes (Windows compatibility):

• tests: symlink EPERM skip for Windows (path-jail, fs-read, fs-write)
• tests/dts-sync: rmSync instead of shell rm -rf
• tests/pattern-loader: unique tmpdir per test to avoid Windows EBUSY locks

CI:

• pr-validate.yml: Windows WHP matrix
• publish.yml: Windows build support

Security:

• npm audit fix across all workspaces (picomatch, brace-expansion)
• plugin-system/manager.ts: simplified ternary

[Copilot]

Pull request overview

This PR adds/extends Windows (WHP) support across build/test/CI and runtime, improves deterministic VM cleanup, and applies dependency + tooling updates (including audit-related bumps).

Changes:

• Add Windows-friendly build/test workflows and scripts (Justfile recipes, CI matrix, binary launcher updates, cross-platform npm scripts).
• Improve sandbox lifecycle/error handling (deterministic dispose() on invalidate; MMIO/unmapped-address error detection; suppress duplicate tool failure messages).
• Update plugins/tests for Windows compatibility (symlink-test EPERM handling, tempdir isolation, rmSync cleanup) and bump audited dependencies.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
tests/pattern-loader.test.ts	Use per-test temp dirs under os.tmpdir() and tolerate Windows file-lock cleanup failures.
tests/path-jail.test.ts	Skip symlink test when Windows symlink creation lacks privileges (EPERM).
tests/fs-write.test.ts	Skip symlink-related tests on Windows when symlink creation fails with EPERM.
tests/fs-read.test.ts	Skip symlink-related tests on Windows when symlink creation fails with EPERM.
tests/dts-sync.test.ts	Replace shell rm -rf with rmSync for cross-platform temp cleanup.
src/sandbox/tool.js	Deterministic VM disposal on invalidate + expanded MMIO/unmapped-address detection.
src/plugin-system/manager.ts	Simplify plugin source selection ternary.
src/code-validator/guest/package.json	Add Windows N-API build target.
src/code-validator/guest/package-lock.json	Bump audited dependency (picomatch).
src/code-validator/guest/index.js	Formatting/quoting normalization and Windows triple mapping consistency.
src/code-validator/guest/host/build.rs	Normalize CFLAGS path separators for Windows/clang builds.
src/agent/index.ts	Windows ESM plugin import via pathToFileURL; set surrogate pool env defaults on Windows.
src/agent/event-handler.ts	Suppress duplicate “tool failed” output when handler already displayed an error.
scripts/update-module-hashes.ts	Formatting-only refactor to consistent quoting.
scripts/generate-native-dts.ts	Formatting-only refactor for readability.
scripts/generate-host-modules-dts.ts	Formatting-only refactor for readability.
scripts/generate-ha-modules-dts.ts	Minor formatting around trailing-empty-line trimming.
scripts/check-native-runtime.js	Formatting-only refactor and clearer path construction.
scripts/build-modules.js	Formatting-only refactor; no functional flow change intended.
scripts/build-binary.js	Add Windows .cmd launcher + platform-aware output/instructions; formatting cleanups.
plugins/fs-write/index.ts	Allow Windows by falling back when O_NOFOLLOW is absent (symlink handling approach changed).
plugins/fs-read/index.ts	Allow Windows by falling back when O_NOFOLLOW is absent (symlink handling approach changed).
package.json	Replace POSIX-shell prepare/postinstall scripts with Node-based equivalents for Windows.
package-lock.json	Bump audited dependencies (brace-expansion, picomatch).
builtin-modules/src/types/ha-modules.d.ts	Update generated ha:* typings (notably PPTX shape APIs/types).
builtin-modules/pptx.json	Update builtin module source hash.
builtin-modules/pptx-tables.json	Update builtin module source hash.
builtin-modules/pptx-charts.json	Update builtin module source hash.
builtin-modules/ooxml-core.json	Update builtin module source hash.
README.md	Document Windows WHP as a supported prerequisite.
Justfile	Add Windows recipes for resolving/building hyperlight + debug start; normalize runtime CFLAGS slashes.
.github/workflows/publish.yml	Adjust job name to use matrix.build.
.github/workflows/pr-validate.yml	Add Windows WHP build/test matrix entries and artifact naming updates.
.gitattributes	Enforce LF line endings and mark common binaries as binary.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 8 changed files in this pull request and generated no new comments.