npm - @agent-vm/agent-vm - Versions diffs - 0.0.78 → 0.0.79 - Mend

@agent-vm/agent-vm 0.0.78 → 0.0.79

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (75) hide show

package/dist/shared/managed-vm-process.js ADDED Viewed

@@ -0,0 +1,248 @@
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+const execFileAsync = promisify(execFile);
+export function isProcessAlive(pid) {
+    try {
+        process.kill(pid, 0);
+        return true;
+    }
+    catch (error) {
+        if (typeof error === 'object' && error !== null && 'code' in error) {
+            if (error.code === 'EPERM') {
+                return true;
+            }
+            if (error.code === 'ESRCH') {
+                return false;
+            }
+        }
+        throw error;
+    }
+}
+export async function readProcessCommand(pid) {
+    try {
+        const { stdout } = await execFileAsync('ps', ['-p', String(pid), '-o', 'command=']);
+        const command = stdout.trim();
+        return command.length > 0 ? command : null;
+    }
+    catch (error) {
+        if (typeof error === 'object' && error !== null && 'code' in error && error.code === 1) {
+            return null;
+        }
+        throw error;
+    }
+}
+export async function readProcessIdentity(pid) {
+    try {
+        // `lstart` and `command` are separated by whitespace by default. Use a
+        // custom delimiter via two separate columns so we can split safely.
+        // macOS + Linux both support `-o lstart=,command=`.
+        const { stdout } = await execFileAsync('ps', [
+            '-p',
+            String(pid),
+            '-o',
+            'lstart=',
+            '-o',
+            'command=',
+        ]);
+        const trimmed = stdout.trim();
+        if (trimmed.length === 0) {
+            return null;
+        }
+        return parseProcessIdentityOutput(trimmed);
+    }
+    catch (error) {
+        if (typeof error === 'object' && error !== null && 'code' in error && error.code === 1) {
+            return null;
+        }
+        throw error;
+    }
+}
+export function parseProcessIdentityOutput(line) {
+    const splitIndex = findLstartCommandBoundary(line.trim());
+    if (splitIndex === null) {
+        return null;
+    }
+    const lstart = line.slice(0, splitIndex).trim();
+    const command = line.slice(splitIndex).trim();
+    if (lstart.length === 0 || command.length === 0) {
+        return null;
+    }
+    return { command, lstart };
+}
+function findLstartCommandBoundary(line) {
+    // `lstart` is "Day Mon DD HH:MM:SS YYYY" — exactly five
+    // whitespace-separated tokens. Find the end of the fifth token; everything
+    // after is `command`.
+    let tokenCount = 0;
+    let inToken = false;
+    for (let index = 0; index < line.length; index += 1) {
+        const character = line[index];
+        const isSpace = character === ' ' || character === '\t';
+        if (!isSpace && !inToken) {
+            inToken = true;
+        }
+        else if (isSpace && inToken) {
+            inToken = false;
+            tokenCount += 1;
+            if (tokenCount === 5) {
+                return index;
+            }
+        }
+    }
+    return null;
+}
+// Gateway VMs and Tool VMs are both backed by the same Gondolin runtime
+// (qemu-system on the QEMU backend or krun on the libkrun backend). Cleanup
+// flows MUST verify the recorded host PID still maps to one of these process
+// commands before signaling, so a recycled PID belonging to an unrelated
+// program is never killed by mistake.
+export function isManagedVmProcess(command) {
+    return /\b(qemu-system|krun)\b/u.test(command);
+}
+export function processIdentityMatches(recorded, current) {
+    return recorded.lstart === current.lstart && recorded.command === current.command;
+}
+export function killProcess(pid, signal) {
+    try {
+        process.kill(pid, signal);
+    }
+    catch (error) {
+        if (typeof error === 'object' && error !== null && 'code' in error && error.code === 'ESRCH') {
+            return;
+        }
+        if (typeof error === 'object' && error !== null && 'code' in error && error.code === 'EPERM') {
+            throw new Error(`Permission denied while sending ${signal} to managed VM pid ${pid}. The process is still running and may require elevated privileges to terminate.`, { cause: error });
+        }
+        throw error;
+    }
+}
+export function isNoSuchProcessError(error) {
+    return typeof error === 'object' && error !== null && 'code' in error && error.code === 'ESRCH';
+}
+export async function sleep(delayMs) {
+    await new Promise((resolve) => setTimeout(resolve, delayMs));
+}
+export async function waitForExit(options) {
+    const deadline = Date.now() + options.timeoutMs;
+    while (Date.now() < deadline) {
+        if (!options.processIsAlive(options.pid)) {
+            return true;
+        }
+        // oxlint-disable-next-line no-await-in-loop -- polling loop must wait between liveness checks
+        await options.sleep(100);
+    }
+    return !options.processIsAlive(options.pid);
+}
+// Re-verify the recorded process identity (lstart + command) immediately before
+// sending a signal. Returns `null` if the process is gone (signal not needed),
+// otherwise either resolves to the matching identity or throws to refuse the
+// signal because PID was reused by an unrelated process.
+async function verifyIdentityBeforeSignal(options) {
+    if (options.recordedIdentity !== undefined && options.readProcessIdentity !== undefined) {
+        const currentIdentity = await options.readProcessIdentity(options.pid);
+        if (currentIdentity === null) {
+            return { proceed: false };
+        }
+        if (!processIdentityMatches(options.recordedIdentity, currentIdentity)) {
+            throw new Error(`${options.contextLabel} refusing ${options.currentSignalLabel} to pid ${options.pid}: process identity changed (recorded ${JSON.stringify(options.recordedIdentity)}, current ${JSON.stringify(currentIdentity)}). PID was likely reused.`);
+        }
+        if (!isManagedVmProcess(currentIdentity.command)) {
+            throw new Error(`${options.contextLabel} refusing ${options.currentSignalLabel} to pid ${options.pid}: current command is not a managed VM process: ${currentIdentity.command}.`);
+        }
+        return { proceed: true };
+    }
+    // No recorded identity (legacy record) → fall back to the looser command-
+    // only check at the SIGTERM point. Subsequent signals trust the first
+    // check. This is the pre-identity behavior.
+    const command = await options.readProcessCommand(options.pid);
+    if (command === null) {
+        return { proceed: false };
+    }
+    if (!isManagedVmProcess(command)) {
+        throw new Error(`${options.contextLabel} points at unexpected live process ${options.pid}: ${command}.`);
+    }
+    return { proceed: true };
+}
+// Generic "kill an orphaned managed VM process" with a SIGTERM→2s→SIGKILL→2s
+// bounded sequence (total ≤ 4 s). The caller is responsible for owning the
+// runtime record (read + fence-check + delete after this returns).
+//
+// Strong PID identity defense: if `recordedIdentity` is supplied, the live
+// process identity (ps `lstart` + `command`) is re-read IMMEDIATELY before
+// each signal and must match exactly. This makes PID reuse during the
+// read-record → signal window detectable; we refuse rather than killing the
+// wrong process.
+//
+// Returns the PID that was signalled, or null if it was already dead before
+// the first signal landed.
+//
+// Throws if:
+//   - the recorded PID is alive but its identity does not match (PID reused)
+//   - the recorded PID is alive but its command is NOT a managed VM process
+//   - the process survives both SIGTERM and SIGKILL (a stuck D-state QEMU)
+export async function killOrphanedManagedVmProcess(options) {
+    const { contextLabel, dependencies, pid, recordedIdentity } = options;
+    if (!dependencies.isProcessAlive(pid)) {
+        return null;
+    }
+    const beforeTerm = await verifyIdentityBeforeSignal({
+        contextLabel,
+        currentSignalLabel: 'SIGTERM',
+        pid,
+        readProcessCommand: dependencies.readProcessCommand,
+        ...(dependencies.readProcessIdentity !== undefined
+            ? { readProcessIdentity: dependencies.readProcessIdentity }
+            : {}),
+        ...(recordedIdentity !== undefined ? { recordedIdentity } : {}),
+    });
+    if (!beforeTerm.proceed) {
+        return null;
+    }
+    try {
+        dependencies.killProcess(pid, 'SIGTERM');
+    }
+    catch (error) {
+        if (!isNoSuchProcessError(error)) {
+            throw error;
+        }
+    }
+    if (await waitForExit({
+        pid,
+        processIsAlive: dependencies.isProcessAlive,
+        sleep: dependencies.sleep,
+        timeoutMs: 2_000,
+    })) {
+        return pid;
+    }
+    const beforeKill = await verifyIdentityBeforeSignal({
+        contextLabel,
+        currentSignalLabel: 'SIGKILL',
+        pid,
+        readProcessCommand: dependencies.readProcessCommand,
+        ...(dependencies.readProcessIdentity !== undefined
+            ? { readProcessIdentity: dependencies.readProcessIdentity }
+            : {}),
+        ...(recordedIdentity !== undefined ? { recordedIdentity } : {}),
+    });
+    if (!beforeKill.proceed) {
+        return pid;
+    }
+    try {
+        dependencies.killProcess(pid, 'SIGKILL');
+    }
+    catch (error) {
+        if (!isNoSuchProcessError(error)) {
+            throw error;
+        }
+    }
+    if (await waitForExit({
+        pid,
+        processIsAlive: dependencies.isProcessAlive,
+        sleep: dependencies.sleep,
+        timeoutMs: 2_000,
+    })) {
+        return pid;
+    }
+    throw new Error(`Failed to terminate orphaned managed VM process ${pid} (${contextLabel}).`);
+}
+//# sourceMappingURL=managed-vm-process.js.map

package/dist/shared/managed-vm-process.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"managed-vm-process.js","sourceRoot":"","sources":["../../src/shared/managed-vm-process.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C,MAAM,UAAU,cAAc,CAAC,GAAW;IACzC,IAAI,CAAC;QACJ,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACrB,OAAO,IAAI,CAAC;IACb,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QAChB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,MAAM,IAAI,KAAK,EAAE,CAAC;YACpE,IAAI,KAAK,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBAC5B,OAAO,IAAI,CAAC;YACb,CAAC;YACD,IAAI,KAAK,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBAC5B,OAAO,KAAK,CAAC;YACd,CAAC;QACF,CAAC;QACD,MAAM,KAAK,CAAC;IACb,CAAC;AACF,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,GAAW;IACnD,IAAI,CAAC;QACJ,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC,CAAC;QACpF,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;QAC9B,OAAO,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;IAC5C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QAChB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,MAAM,IAAI,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;YACxF,OAAO,IAAI,CAAC;QACb,CAAC;QACD,MAAM,KAAK,CAAC;IACb,CAAC;AACF,CAAC;AAcD,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,GAAW;IACpD,IAAI,CAAC;QACJ,uEAAuE;QACvE,oEAAoE;QACpE,oDAAoD;QACpD,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,IAAI,EAAE;YAC5C,IAAI;YACJ,MAAM,CAAC,GAAG,CAAC;YACX,IAAI;YACJ,SAAS;YACT,IAAI;YACJ,UAAU;SACV,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;QAC9B,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC;QACb,CAAC;QACD,OAAO,0BAA0B,CAAC,OAAO,CAAC,CAAC;IAC5C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QAChB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,MAAM,IAAI,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;YACxF,OAAO,IAAI,CAAC;QACb,CAAC;QACD,MAAM,KAAK,CAAC;IACb,CAAC;AACF,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,IAAY;IACtD,MAAM,UAAU,GAAG,yBAAyB,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;IAC1D,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;QACzB,OAAO,IAAI,CAAC;IACb,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC;IAChD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC;IAC9C,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjD,OAAO,IAAI,CAAC;IACb,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;AAC5B,CAAC;AAED,SAAS,yBAAyB,CAAC,IAAY;IAC9C,wDAAwD;IACxD,2EAA2E;IAC3E,sBAAsB;IACtB,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QACrD,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;QAC9B,MAAM,OAAO,GAAG,SAAS,KAAK,GAAG,IAAI,SAAS,KAAK,IAAI,CAAC;QACxD,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,EAAE,CAAC;YAC1B,OAAO,GAAG,IAAI,CAAC;QAChB,CAAC;aAAM,IAAI,OAAO,IAAI,OAAO,EAAE,CAAC;YAC/B,OAAO,GAAG,KAAK,CAAC;YAChB,UAAU,IAAI,CAAC,CAAC;YAChB,IAAI,UAAU,KAAK,CAAC,EAAE,CAAC;gBACtB,OAAO,KAAK,CAAC;YACd,CAAC;QACF,CAAC;IACF,CAAC;IACD,OAAO,IAAI,CAAC;AACb,CAAC;AAED,wEAAwE;AACxE,4EAA4E;AAC5E,6EAA6E;AAC7E,yEAAyE;AACzE,sCAAsC;AACtC,MAAM,UAAU,kBAAkB,CAAC,OAAe;IACjD,OAAO,yBAAyB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,sBAAsB,CACrC,QAAyB,EACzB,OAAwB;IAExB,OAAO,QAAQ,CAAC,MAAM,KAAK,OAAO,CAAC,MAAM,IAAI,QAAQ,CAAC,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC;AACnF,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,GAAW,EAAE,MAAsB;IAC9D,IAAI,CAAC;QACJ,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QAChB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,MAAM,IAAI,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC9F,OAAO;QACR,CAAC;QACD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,MAAM,IAAI,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC9F,MAAM,IAAI,KAAK,CACd,mCAAmC,MAAM,sBAAsB,GAAG,kFAAkF,EACpJ,EAAE,KAAK,EAAE,KAAK,EAAE,CAChB,CAAC;QACH,CAAC;QACD,MAAM,KAAK,CAAC;IACb,CAAC;AACF,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,KAAc;IAClD,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,MAAM,IAAI,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,OAAO,CAAC;AACjG,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,KAAK,CAAC,OAAe;IAC1C,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;AAC9D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAKjC;IACA,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC;IAChD,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;QAC9B,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1C,OAAO,IAAI,CAAC;QACb,CAAC;QACD,8FAA8F;QAC9F,MAAM,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IACD,OAAO,CAAC,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;AAC7C,CAAC;AAUD,gFAAgF;AAChF,+EAA+E;AAC/E,6EAA6E;AAC7E,yDAAyD;AACzD,KAAK,UAAU,0BAA0B,CAAC,OAOzC;IACA,IAAI,OAAO,CAAC,gBAAgB,KAAK,SAAS,IAAI,OAAO,CAAC,mBAAmB,KAAK,SAAS,EAAE,CAAC;QACzF,MAAM,eAAe,GAAG,MAAM,OAAO,CAAC,mBAAmB,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACvE,IAAI,eAAe,KAAK,IAAI,EAAE,CAAC;YAC9B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;QAC3B,CAAC;QACD,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,gBAAgB,EAAE,eAAe,CAAC,EAAE,CAAC;YACxE,MAAM,IAAI,KAAK,CACd,GAAG,OAAO,CAAC,YAAY,aAAa,OAAO,CAAC,kBAAkB,WAAW,OAAO,CAAC,GAAG,wCAAwC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,gBAAgB,CAAC,aAAa,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC,2BAA2B,CAC3O,CAAC;QACH,CAAC;QACD,IAAI,CAAC,kBAAkB,CAAC,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC;YAClD,MAAM,IAAI,KAAK,CACd,GAAG,OAAO,CAAC,YAAY,aAAa,OAAO,CAAC,kBAAkB,WAAW,OAAO,CAAC,GAAG,kDAAkD,eAAe,CAAC,OAAO,GAAG,CAChK,CAAC;QACH,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC1B,CAAC;IACD,0EAA0E;IAC1E,sEAAsE;IACtE,4CAA4C;IAC5C,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,kBAAkB,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC9D,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACtB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC3B,CAAC;IACD,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CACd,GAAG,OAAO,CAAC,YAAY,sCAAsC,OAAO,CAAC,GAAG,KAAK,OAAO,GAAG,CACvF,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC1B,CAAC;AAED,6EAA6E;AAC7E,2EAA2E;AAC3E,mEAAmE;AACnE,EAAE;AACF,2EAA2E;AAC3E,2EAA2E;AAC3E,sEAAsE;AACtE,4EAA4E;AAC5E,iBAAiB;AACjB,EAAE;AACF,4EAA4E;AAC5E,2BAA2B;AAC3B,EAAE;AACF,aAAa;AACb,6EAA6E;AAC7E,4EAA4E;AAC5E,2EAA2E;AAC3E,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAAC,OAKlD;IACA,MAAM,EAAE,YAAY,EAAE,YAAY,EAAE,GAAG,EAAE,gBAAgB,EAAE,GAAG,OAAO,CAAC;IACtE,IAAI,CAAC,YAAY,CAAC,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;QACvC,OAAO,IAAI,CAAC;IACb,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,0BAA0B,CAAC;QACnD,YAAY;QACZ,kBAAkB,EAAE,SAAS;QAC7B,GAAG;QACH,kBAAkB,EAAE,YAAY,CAAC,kBAAkB;QACnD,GAAG,CAAC,YAAY,CAAC,mBAAmB,KAAK,SAAS;YACjD,CAAC,CAAC,EAAE,mBAAmB,EAAE,YAAY,CAAC,mBAAmB,EAAE;YAC3D,CAAC,CAAC,EAAE,CAAC;QACN,GAAG,CAAC,gBAAgB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC/D,CAAC,CAAC;IACH,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACzB,OAAO,IAAI,CAAC;IACb,CAAC;IAED,IAAI,CAAC;QACJ,YAAY,CAAC,WAAW,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAC1C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QAChB,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,EAAE,CAAC;YAClC,MAAM,KAAK,CAAC;QACb,CAAC;IACF,CAAC;IACD,IACC,MAAM,WAAW,CAAC;QACjB,GAAG;QACH,cAAc,EAAE,YAAY,CAAC,cAAc;QAC3C,KAAK,EAAE,YAAY,CAAC,KAAK;QACzB,SAAS,EAAE,KAAK;KAChB,CAAC,EACD,CAAC;QACF,OAAO,GAAG,CAAC;IACZ,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,0BAA0B,CAAC;QACnD,YAAY;QACZ,kBAAkB,EAAE,SAAS;QAC7B,GAAG;QACH,kBAAkB,EAAE,YAAY,CAAC,kBAAkB;QACnD,GAAG,CAAC,YAAY,CAAC,mBAAmB,KAAK,SAAS;YACjD,CAAC,CAAC,EAAE,mBAAmB,EAAE,YAAY,CAAC,mBAAmB,EAAE;YAC3D,CAAC,CAAC,EAAE,CAAC;QACN,GAAG,CAAC,gBAAgB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC/D,CAAC,CAAC;IACH,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACzB,OAAO,GAAG,CAAC;IACZ,CAAC;IAED,IAAI,CAAC;QACJ,YAAY,CAAC,WAAW,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAC1C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QAChB,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,EAAE,CAAC;YAClC,MAAM,KAAK,CAAC;QACb,CAAC;IACF,CAAC;IACD,IACC,MAAM,WAAW,CAAC;QACjB,GAAG;QACH,cAAc,EAAE,YAAY,CAAC,cAAc;QAC3C,KAAK,EAAE,YAAY,CAAC,KAAK;QACzB,SAAS,EAAE,KAAK;KAChB,CAAC,EACD,CAAC;QACF,OAAO,GAAG,CAAC;IACZ,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,mDAAmD,GAAG,KAAK,YAAY,IAAI,CAAC,CAAC;AAC9F,CAAC"}

package/dist/shared/port-owner.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+export interface PortOwner {
+    readonly command: string;
+    readonly pid: number;
+}
+export interface ExecFileOutput {
+    readonly stderr: string;
+    readonly stdout: string;
+}
+export type ExecFileFunction = (file: string, args: readonly string[]) => Promise<ExecFileOutput>;
+export interface ReadTcpListenPortOwnerDependencies {
+    readonly execFile?: ExecFileFunction;
+}
+export declare class PortOwnerDependencyError extends Error {
+    constructor(message: string, options?: ErrorOptions);
+}
+export declare function parseLsofPortOwnerOutput(output: string): PortOwner | null;
+export declare function readTcpListenPortOwner(port: number, dependencies?: ReadTcpListenPortOwnerDependencies): Promise<PortOwner | null>;
+//# sourceMappingURL=port-owner.d.ts.map

package/dist/shared/port-owner.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"port-owner.d.ts","sourceRoot":"","sources":["../../src/shared/port-owner.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,SAAS;IACzB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,cAAc;IAC9B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,MAAM,gBAAgB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,MAAM,EAAE,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;AAElG,MAAM,WAAW,kCAAkC;IAClD,QAAQ,CAAC,QAAQ,CAAC,EAAE,gBAAgB,CAAC;CACrC;AAED,qBAAa,wBAAyB,SAAQ,KAAK;gBAC/B,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,YAAY;CAI1D;AAUD,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,CAmBzE;AAED,wBAAsB,sBAAsB,CAC3C,IAAI,EAAE,MAAM,EACZ,YAAY,GAAE,kCAAuC,GACnD,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAwB3B"}

package/dist/shared/port-owner.js ADDED Viewed

@@ -0,0 +1,60 @@
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+const execFileAsync = promisify(execFile);
+export class PortOwnerDependencyError extends Error {
+    constructor(message, options) {
+        super(message, options);
+        this.name = 'PortOwnerDependencyError';
+    }
+}
+function errorCode(error) {
+    if (typeof error !== 'object' || error === null || !('code' in error)) {
+        return undefined;
+    }
+    const code = error.code;
+    return typeof code === 'string' || typeof code === 'number' ? code : undefined;
+}
+export function parseLsofPortOwnerOutput(output) {
+    const lines = output
+        .split('\n')
+        .map((line) => line.trim())
+        .filter((line) => line.length > 0);
+    const pidLine = lines.find((line) => line.startsWith('p'));
+    const commandLine = lines.find((line) => line.startsWith('c'));
+    if (!pidLine || !commandLine) {
+        return null;
+    }
+    const pid = Number.parseInt(pidLine.slice(1), 10);
+    if (!Number.isInteger(pid) || pid <= 0) {
+        return null;
+    }
+    const command = commandLine.slice(1);
+    if (command.length === 0) {
+        return null;
+    }
+    return { command, pid };
+}
+export async function readTcpListenPortOwner(port, dependencies = {}) {
+    const runExecFile = dependencies.execFile ?? execFileAsync;
+    try {
+        const { stdout } = await runExecFile('lsof', [
+            '-nP',
+            `-iTCP:${String(port)}`,
+            '-sTCP:LISTEN',
+            '-F',
+            'pc',
+        ]);
+        return parseLsofPortOwnerOutput(stdout);
+    }
+    catch (error) {
+        const code = errorCode(error);
+        if (code === 1) {
+            return null;
+        }
+        if (code === 'ENOENT') {
+            throw new PortOwnerDependencyError(`Tool VM/gateway recovery requires 'lsof' on PATH to verify TCP listener ownership for port ${String(port)}.`, { cause: error });
+        }
+        throw error;
+    }
+}
+//# sourceMappingURL=port-owner.js.map

package/dist/shared/port-owner.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"port-owner.js","sourceRoot":"","sources":["../../src/shared/port-owner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAkB1C,MAAM,OAAO,wBAAyB,SAAQ,KAAK;IAClD,YAAmB,OAAe,EAAE,OAAsB;QACzD,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,0BAA0B,CAAC;IACxC,CAAC;CACD;AAED,SAAS,SAAS,CAAC,KAAc;IAChC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,CAAC,MAAM,IAAI,KAAK,CAAC,EAAE,CAAC;QACvE,OAAO,SAAS,CAAC;IAClB,CAAC;IACD,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;IACxB,OAAO,OAAO,IAAI,KAAK,QAAQ,IAAI,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;AAChF,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,MAAc;IACtD,MAAM,KAAK,GAAG,MAAM;SAClB,KAAK,CAAC,IAAI,CAAC;SACX,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;SAC1B,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACpC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3D,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IAC/D,IAAI,CAAC,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC;IACb,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAClD,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC;QACxC,OAAO,IAAI,CAAC;IACb,CAAC;IACD,MAAM,OAAO,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACrC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,IAAI,CAAC;IACb,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;AACzB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC3C,IAAY,EACZ,eAAmD,EAAE;IAErD,MAAM,WAAW,GAAG,YAAY,CAAC,QAAQ,IAAI,aAAa,CAAC;IAC3D,IAAI,CAAC;QACJ,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,WAAW,CAAC,MAAM,EAAE;YAC5C,KAAK;YACL,SAAS,MAAM,CAAC,IAAI,CAAC,EAAE;YACvB,cAAc;YACd,IAAI;YACJ,IAAI;SACJ,CAAC,CAAC;QACH,OAAO,wBAAwB,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QAChB,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAC9B,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;YAChB,OAAO,IAAI,CAAC;QACb,CAAC;QACD,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;YACvB,MAAM,IAAI,wBAAwB,CACjC,8FAA8F,MAAM,CAAC,IAAI,CAAC,GAAG,EAC7G,EAAE,KAAK,EAAE,KAAK,EAAE,CAChB,CAAC;QACH,CAAC;QACD,MAAM,KAAK,CAAC;IACb,CAAC;AACF,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@agent-vm/agent-vm",
-  "version": "0.0.78",
+  "version": "0.0.79",
   "description": "Controller CLI and HTTP server for sandboxed VM coding agents.",
   "homepage": "https://github.com/ShravanSunder/agent-vm#readme",
   "bugs": {
@@ -40,16 +40,16 @@
     "jsonc-parser": "^3.3.1",
     "tasuku": "^2.3.0",
     "zod": "^4.4.3",
-    "@agent-vm/agent-vm-worker": "0.0.78",
-    "@agent-vm/gondolin-adapter": "0.0.78",
-    "@agent-vm/gateway-interface": "0.0.78",
-    "@agent-vm/openclaw-gateway": "0.0.78",
-    "@agent-vm/openclaw-mcp-portal-plugin": "0.0.78",
-    "@agent-vm/secret-management": "0.0.78",
-    "@agent-vm/worker-gateway": "0.0.78",
-    "@agent-vm/config-contracts": "0.0.78",
-    "@agent-vm/mcp-portal": "0.0.78",
-    "@agent-vm/openclaw-agent-vm-plugin": "0.0.78"
+    "@agent-vm/agent-vm-worker": "0.0.79",
+    "@agent-vm/config-contracts": "0.0.79",
+    "@agent-vm/gateway-interface": "0.0.79",
+    "@agent-vm/gondolin-adapter": "0.0.79",
+    "@agent-vm/mcp-portal": "0.0.79",
+    "@agent-vm/openclaw-gateway": "0.0.79",
+    "@agent-vm/openclaw-mcp-portal-plugin": "0.0.79",
+    "@agent-vm/secret-management": "0.0.79",
+    "@agent-vm/worker-gateway": "0.0.79",
+    "@agent-vm/openclaw-agent-vm-plugin": "0.0.79"
   },
   "scripts": {
     "build": "rm -rf dist && tsc -p tsconfig.build.json",