From a00453561748427e0e2c85dece46fd1a6751f578 Mon Sep 17 00:00:00 2001 From: Chengzhong Wu Date: Wed, 3 Dec 2025 11:00:50 +0000 Subject: [PATCH 1/3] build: add temporal to linux GHA build PR-URL: https://github.com/nodejs/node/pull/60942 Refs: https://github.com/nodejs/node/pull/60897 Refs: https://github.com/nodejs/node/issues/58730 Reviewed-By: Colin Ihrig Reviewed-By: Antoine du Hamel --- .github/workflows/test-linux.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test-linux.yml b/.github/workflows/test-linux.yml index b603484cbbaf4c..97705028c92dc7 100644 --- a/.github/workflows/test-linux.yml +++ b/.github/workflows/test-linux.yml @@ -35,6 +35,7 @@ env: CC: sccache clang-19 CXX: sccache clang++-19 SCCACHE_GHA_ENABLED: 'true' + RUSTC_VERSION: '1.82' permissions: contents: read @@ -56,6 +57,10 @@ jobs: uses: ./node/.github/actions/install-clang with: clang-version: ${{ env.CLANG_VERSION }} + - name: Install Rust ${{ env.RUSTC_VERSION }} + run: | + rustup override set "$RUSTC_VERSION" + rustup --version - name: Set up Python ${{ env.PYTHON_VERSION }} uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: @@ -68,7 +73,7 @@ jobs: - name: Environment Information run: npx envinfo - name: Build - run: make -C node build-ci -j4 V=1 CONFIG_FLAGS="--error-on-warn" + run: make -C node build-ci -j4 V=1 CONFIG_FLAGS="--error-on-warn --v8-enable-temporal-support" - name: Test run: make -C node run-ci -j4 V=1 TEST_CI_ARGS="-p actions --measure-flakiness 9" - name: Re-run test in a folder whose name contains unusual chars From 253b16fe14678bee22e524c239386358f6f3ea80 Mon Sep 17 00:00:00 2001 
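Review bot: The `Install Rust` step in the second hunk of `test-linux.yml` pins only the `1.82` channel and then runs `rustup --version`, so the job log does not clearly record which compiler, cargo and LLVM versions the build actually used. Adding `rustc --version --verbose` and `cargo --version` after `rustup override set "$RUSTC_VERSION"` would capture the resolved toolchain, including the LLVM version, which helps when auditing or reproducing a CI build. The step also presumably relies on rustup being preinstalled on the runner image. A one-line comment such as `# rustup is expected to be provided by the runner image` would make that dependency visible next to the SHA-pinned `actions/setup-python` step.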
From: Chengzhong Wu Date: Wed, 3 Dec 2025 14:06:10 +0000 Subject: [PATCH 2/3] doc: add note about rust toolchain version requirement PR-URL: https://github.com/nodejs/node/pull/60942 Refs: https://github.com/nodejs/node/pull/60897 Refs: https://github.com/nodejs/node/issues/58730 Reviewed-By: Colin Ihrig Reviewed-By: Antoine du Hamel --- BUILDING.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/BUILDING.md b/BUILDING.md index 2ffb3410ae5a2d..7f1a9893c70b20 100644 --- a/BUILDING.md +++ b/BUILDING.md @@ -1044,6 +1044,16 @@ configure option: ./configure --openssl-conf-name= ``` +## Building Node.js with Temporal support + +Node.js supports the [Temporal](https://github.com/tc39/proposal-temporal) APIs, when +linking statically or dynamically with a version [temporal\_rs](https://github.com/boa-dev/temporal). + +To build Node.js with Temporal support, a Rust toolchain is required: + +* rustc >= 1.82 (with LLVM >= 19) +* cargo >= 1.82 + ## Building Node.js with FIPS-compliant OpenSSL Node.js supports FIPS when statically or dynamically linked with OpenSSL 3 via From cbe02339b6c93b68b28bc380882ef7ed8add98b8 Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Fri, 5 Dec 2025 08:58:29 -0300 Subject: [PATCH 3/3] test: improve config-file permission test coverage Refs: https://github.com/nodejs/node/pull/60746#pullrequestreview-3470430664 PR-URL: https://github.com/nodejs/node/pull/60929 Reviewed-By: Marco Ippolito Reviewed-By: Luigi Pinca --- .../permission/config-fs-read-only.json | 7 ++ test/parallel/test-permission-config-file.mjs | 102 +++++++++++------- 2 files changed, 70 insertions(+), 39 deletions(-) create mode 100644 test/fixtures/permission/config-fs-read-only.json diff --git a/test/fixtures/permission/config-fs-read-only.json b/test/fixtures/permission/config-fs-read-only.json new file mode 100644 index 00000000000000..cc80513565f2d8 --- /dev/null +++ b/test/fixtures/permission/config-fs-read-only.json 
@@ -0,0 +1,7 @@ +{ + "permission": { + "allow-fs-read": [ + "*" + ] + } +} \ No newline at end of file diff --git a/test/parallel/test-permission-config-file.mjs b/test/parallel/test-permission-config-file.mjs index 9ca50284435707..595c4b6f91bcf5 100644 --- a/test/parallel/test-permission-config-file.mjs +++ b/test/parallel/test-permission-config-file.mjs @@ -5,7 +5,8 @@ import { describe, it } from 'node:test'; describe('Permission model config file support', () => { it('should load filesystem read/write permissions from config file', async () => { - const configPath = fixtures.path('permission/config-fs-read-write.json'); + const readWriteConfigPath = fixtures.path('permission/config-fs-read-write.json'); + const readOnlyConfigPath = fixtures.path('permission/config-fs-read-only.json'); const readTestPath = fixtures.path('permission/fs-read-test.js'); const writeTestPath = fixtures.path('permission/fs-write-test.js'); @@ -13,7 +14,7 @@ describe('Permission model config file support', () => { const result = await spawnPromisified(process.execPath, [ '--permission', '--experimental-config-file', - configPath, + readOnlyConfigPath, readTestPath, ]); assert.strictEqual(result.code, 0); 
@@ -23,40 +24,78 @@ describe('Permission model config file support', () => { const result = await spawnPromisified(process.execPath, [ '--permission', '--experimental-config-file', - configPath, + readWriteConfigPath, writeTestPath, ]); assert.strictEqual(result.code, 0); } + + { + const result = await spawnPromisified(process.execPath, [ + '--permission', + '--experimental-config-file', + readOnlyConfigPath, + writeTestPath, + ]); + assert.strictEqual(result.code, 1); + assert.match(result.stderr, /Access to this API has been restricted\. Use --allow-fs-write to manage permissions/); + } }); it('should load child process and worker permissions from config file', async () => { const configPath = fixtures.path('permission/config-child-worker.json'); + const readOnlyConfigPath = fixtures.path('permission/config-fs-read-only.json'); const childTestPath = fixtures.path('permission/child-process-test.js'); - const result = await spawnPromisified(process.execPath, [ - '--permission', - '--experimental-config-file', - configPath, - '--allow-fs-read=*', - childTestPath, - ]); - assert.strictEqual(result.code, 0); + { + const result = await spawnPromisified(process.execPath, [ + '--permission', + '--experimental-config-file', + configPath, + childTestPath, + ]); + assert.strictEqual(result.code, 0); + } + + { + const result = await spawnPromisified(process.execPath, [ + '--permission', + '--experimental-config-file', + readOnlyConfigPath, + childTestPath, + ]); + assert.strictEqual(result.code, 1, result.stderr); + assert.match(result.stderr, /Access to this API has been restricted\. 
Use --allow-child-process to manage permissions/); + } }); it('should load network and inspector permissions from config file', async () => { const configPath = fixtures.path('permission/config-net-inspector.json'); + const readOnlyConfigPath = fixtures.path('permission/config-fs-read-only.json'); - const result = await spawnPromisified(process.execPath, [ - '--permission', - '--experimental-config-file', - configPath, - '--allow-fs-read=*', - '-p', - 'process.permission.has("net") && process.permission.has("inspector")', - ]); - assert.match(result.stdout, /true/); - assert.strictEqual(result.code, 0); + { + const result = await spawnPromisified(process.execPath, [ + '--permission', + '--experimental-config-file', + configPath, + '-p', + 'process.permission.has("net") && process.permission.has("inspector")', + ]); + assert.match(result.stdout, /true/); + assert.strictEqual(result.code, 0); + } + + { + const result = await spawnPromisified(process.execPath, [ + '--permission', + '--experimental-config-file', + readOnlyConfigPath, + '-p', + 'process.permission.has("net") + process.permission.has("inspector")', + ]); + assert.match(result.stdout, /0/); + assert.strictEqual(result.code, 0); + } }); it('should load addons and wasi permissions from config file', async () => { 
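Review bot: The denied net/inspector case at the end of this hunk checks `false + false` by matching the unanchored `/0/` against stdout, which reads as arithmetic rather than as a deny-by-default check. Stating it directly is clearer: pass `'!process.permission.has("net") && !process.permission.has("inspector")'` to `-p` and assert `assert.strictEqual(result.stdout.trim(), 'true');`. Separately, the fs-write denial uses `assert.strictEqual(result.code, 1);` without the `result.stderr` message argument that the child-process denial passes, so an unexpected exit code there prints no diagnostic. `assert.strictEqual(result.code, 1, result.stderr);` would make the two consistent.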
@@ -74,32 +113,17 @@ describe('Permission model config file support', () => { assert.strictEqual(result.code, 0); }); - it('should deny operations when permissions are not in config file', async () => { - const configPath = fixtures.path('permission/config-fs-read-write.json'); - - const result = await spawnPromisified(process.execPath, [ - '--permission', - '--experimental-config-file', - configPath, - '--allow-fs-read=*', - '-p', - 'process.permission.has("child")', - ]); - assert.match(result.stdout, /false/); - assert.strictEqual(result.code, 0); - }); - it('should combine config file permissions with CLI flags', async () => { - const configPath = fixtures.path('permission/config-fs-read-write.json'); + const configPath = fixtures.path('permission/config-fs-read-only.json'); const result = await spawnPromisified(process.execPath, [ '--permission', '--experimental-config-file', configPath, '--allow-child-process', - '--allow-fs-read=*', + '--allow-fs-write=*', '-p', - 'process.permission.has("child") && process.permission.has("fs.read")', + 'process.permission.has("child") && process.permission.has("fs.read") && process.permission.has("fs.write")', ]); assert.match(result.stdout, /true/); assert.strictEqual(result.code, 0);
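Review bot: The rewritten 'should combine config file permissions with CLI flags' case asserts only grants (`child`, `fs.read` and `fs.write` all true), so it would still pass if merging a config file with CLI flags switched enforcement off altogether. This hunk also removes the standalone deny test, so it is worth adding a scope that neither source grants, for example by extending the `-p` expression with `&& !process.permission.has("worker")`. That assumes `config-fs-read-only.json` grants nothing beyond `allow-fs-read`, which matches the fixture added in this patch. The `it(...)` body closes outside the hunk.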