@agent-vm/gondolin-adapter 0.0.92 → 0.0.94

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/dist/index.d.ts +2 -1
  2. package/dist/index.d.ts.map +1 -1
  3. package/dist/index.js +81 -3
  4. package/dist/index.js.map +1 -1
  5. package/package.json +2 -2
package/dist/index.d.ts CHANGED
@@ -1,4 +1,4 @@
1
- import { BuildConfig, BuildConfig as BuildConfig$1, CreateHttpHooksResult, EnableIngressOptions, EnableSshOptions, ExecOptions, ExecProcess, ExecResult, IngressRoute as IngressRoute$1, ShadowPredicate, ShadowProviderOptions, VMOptions, VirtualProvider, VmFs, getDefaultBuildConfig } from "@earendil-works/gondolin";
1
+ import { BuildConfig, BuildConfig as BuildConfig$1, CreateHttpHooksResult, EnableIngressOptions, EnableSshOptions, ExecOptions, ExecProcess, ExecResult, HttpHooks, IngressRoute as IngressRoute$1, ShadowPredicate, ShadowProviderOptions, VMOptions, VirtualProvider, VmFs, getDefaultBuildConfig } from "@earendil-works/gondolin";
2
2
  import { MediatedSecretSpec } from "@agent-vm/secret-management";
3
3
 
4
4
  //#region src/build-pipeline.d.ts
@@ -154,6 +154,7 @@ interface ManagedVmDependencies {
154
154
  createVm(vmOptions: VMOptions): Promise<ManagedVmInstance>;
155
155
  createHttpHooks(options: {
156
156
  readonly allowedHosts: readonly string[];
157
+ readonly isIpAllowed?: HttpHooks['isIpAllowed'];
157
158
  readonly secrets: Record<string, MediatedSecretSpec>;
158
159
  readonly onRequest?: (request: Request) => Promise<Request | Response | void>;
159
160
  readonly onResponse?: (response: Response) => Promise<Response | void>;
package/dist/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","names":[],"sources":["../src/build-pipeline.ts","../src/gondolin-package.ts","../src/host-network-defaults.ts","../src/mount-policy.ts","../src/pinned-realfs.ts","../src/policy-compiler.ts","../src/vm-adapter.ts","../src/volume-manager.ts","../src/write-file-atomically.ts"],"mappings":";;;;UAaiB,iBAAA;EAAA,SACP,WAAA,EAAa,aAAA;EAAA,SACb,QAAA;EAFwB;;EAAA,SAKxB,SAAA;EAAA,SACA,SAAA;EAAA,SACA,gBAAA;EAAA,SACA,MAAA,GAAS,WAAA;AAAA;AAAA,UAGF,WAAA;EAChB,KAAA,CAAM,KAAA,WAAgB,UAAA;AAAA;AAAA,UAGN,gBAAA;EAAA,SACP,KAAA;EAAA,SACA,WAAA;EAAA,SACA,SAAA;AAAA;AAAA,cAGG,wBAAA;AAAA,UAOH,yBAAA;EAAA,SACA,WAAA,IACR,WAAA,EAAa,aAAA,EACb,eAAA,UACA,SAAA,WACA,OAAA,WACA,OAAA,eACI,OAAA;EAAA,SACI,eAAA;AAAA;AAAA,iBA2CY,mBAAA,CAAoB,mBAAA,WAA8B,OAAA;AAAA,iBA8ExD,uBAAA,CACf,WAAA,EAAa,aAAA,EACb,eAAA,WACA,gBAAA;AAAA,iBAUqB,gCAAA,CAAiC,OAAA;EAAA,SAC7C,WAAA,EAAa,aAAA;EAAA,SACb,SAAA;EAAA,SACA,gBAAA;EAAA,SACA,eAAA;AAAA,IACN,OAAA;EAAA,SACM,WAAA;EAAA,SACA,sBAAA;AAAA;AAAA,iBAmBY,UAAA,CACrB,OAAA,EAAS,iBAAA,EACT,YAAA,GAAc,yBAAA,GACZ,OAAA,CAAQ,gBAAA;;;iBChMK,sBAAA,CAAuB,WAAA;AAAA,iBAevB,8BAAA,CAAA;AAAA,iBAIM,0BAAA,CAAA,GAA8B,OAAA;AAAA,UAOnC,uCAAA;EAAA,SACP,eAAA;AAAA;AAAA,iBAQY,gCAAA,CACrB,OAAA,GAAS,uCAAA,GACP,OAAA;;;UCtDc,yBAAA;EAAA,SACP,gBAAA;EAAA,SACA,cAAA;AAAA;AAAA,UAGO,+BAAA;EAAA,SACP,0BAAA,KAA+B,KAAA;EAAA,SAC/B,qBAAA,KAA0B,KAAA;AAAA;;;;;;;iBASpB,4BAAA,CACf,YAAA,GAAc,+BAAA,GACZ,yBAAA;;;UCNc,mBAAA;EAAA,SACP,cAAA;EAAA,SACA,4BAAA;AAAA;AAAA,UAGO,wBAAA;EAAA,SACP,WAAA,EAAa,QAAA,CAAS,MAAA;EAAA,SACtB,aAAA,EAAe,mBAAA;AAAA;AAAA,iBAYT,qBAAA,CAAsB,SAAA,UAAmB,OAAA;AAAA,iBA8BzC,qBAAA,CACf,SAAA,UACA,MAAA,EAAQ,mBAAA,EACR,OAAA;EAAA,SAAoB,OAAA;AAAA;AAAA,iBA4BC,0BAAA,CACrB,MAAA,EAAQ,wBAAA,EACR,OAAA;EAAA,SAAoB,QAAA;EAAA,SAA2B,OAAA;AAAA,IAC7C,OAAA;;;UC7Fc,gBAAA;EAAA,SACP,QAAA;EAAA,SACA,QAAA;EAAA,SACA,EAAA;EAAA,SACA,MAAA;EAAA,SACA,KAAA;AAAA;AAAA,UAGO,iCAAA;EAAA,SACP,IAAA,EAAM,gBAAA;EAAA,SACN,oBAAA,GAAuB,QAAA,aAAqB,eAAA;AAAA;AAAA,iBActC,aAAA,CAAc,QAAA,WAAmB,gBAAA;AAAA,iBAgCjC,qBAAA,CAAsB,IAAA,EAAM,gBAAA;AAAA,iBAI5B,sBAAA,CAAuB,IAAA,EAAM,gBAAA;AAAA,iBAqB7B,0BAAA,CACf,OAAA,EAAS,iCAAA,GACP,eAAA;;;UCxFc,aAAA;EAAA,SACP,IAAA;EAAA,SACA,OAAA;EAAA,SACA,KAAA;AAAA;AAAA,iBAGM,iBAAA,CAAkB,WAAA;AAAA,iBAIlB,YAAA,CAAa,MAAA;AAAA,iBAmBb,aAAA,CAAc,OAAA,EAAS,aAAA;;;cCI1B,4BAAA;AAAA,cACA,wCAAA;AAAA,cACA,2DAAA;AAAA,cACA,qDAAA;AAAA,cACA,uDAAA;AAAA,cAEA,kCAAA;;;;;;;KAQD,gBAAA;AAAA,KACA,kBAAA,GAAqB,WAAA;AAAA,KACrB,kBAAA,GAAqB,WAAA;AAAA,KACrB,iBAAA,GAAoB,UAAA;AAAA,KACpB,WAAA,GAAc,IAAA;AAAA,KAEd,YAAA,GAAe,cAAA;AAAA,UAEV,SAAA;EAAA,SACP,IAAA;EAAA,SACA,OAAA;EAAA,SACA,YAAA;EAAA,SACA,IAAA;EAAA,SACA,IAAA;AAAA;AAAA,UAGO,aAAA;EAAA,SACP,IAAA;EAAA,SACA,IAAA;AAAA;AAAA,UAGO,iBAAA;EAAA,SACP,EAAA,EAAI,WAAA;EAAA,SACJ,EAAA;EACT,IAAA,CAAK,OAAA,qBAA4B,OAAA,GAAU,kBAAA,GAAqB,kBAAA;EAChE,SAAA,CAAU,OAAA,GAAU,gBAAA,GAAmB,OAAA,CAAQ,SAAA;EAC/C,aAAA,CAAc,OAAA,GAAU,oBAAA,GAAuB,OAAA,CAAQ,aAAA;EACvD,UAAA;EACA,gBAAA,CAAiB,MAAA,WAAiB,YAAA;EAClC,KAAA,IAAS,OAAA;AAAA;AAAA,UAGO,qBAAA;EAChB,4BAAA,SAAqC,yBAAA;EACrC,QAAA,CAAS,SAAA,EAAW,SAAA,GAAY,OAAA,CAAQ,iBAAA;EACxC,eAAA,CAAgB,OAAA;IAAA,SACN,YAAA;IAAA,SACA,OAAA,EAAS,MAAA,SAAe,kBAAA;IAAA,SACxB,SAAA,IAAa,OAAA,EAAS,OAAA,KAAY,OAAA,CAAQ,OAAA,GAAU,QAAA;IAAA,SACpD,UAAA,IAAc,QAAA,EAAU,QAAA,KAAa,OAAA,CAAQ,QAAA;EAAA,IACnD,IAAA,CAAK,qBAAA;EACT,qBAAA,CAAsB,IAAA,EAAM,gBAAA;EAC5B,0BAAA,CAA2B,IAAA,EAAM,gBAAA,GAAmB,eAAA;EACpD,oBAAA,CAAqB,QAAA,WAAmB,eAAA;EACxC,sBAAA,CAAuB,QAAA,EAAU,eAAA,GAAkB,eAAA;EACnD,oBAAA,IAAwB,eAAA;EACxB,oBAAA,CAAqB,QAAA,EAAU,eAAA,EAAiB,OAAA,EAAS,qBAAA,GAAwB,eAAA;EACjF,yBAAA,CAA0B,KAAA,sBAA2B,eAAA;AAAA;AAAA,UAGrC,YAAA;EAAA,SACP,IAAA;EAAA,SACA,QAAA;EAAA,SACA,cAAA,GAAiB,gBAAA;EAAA,SACjB,YAAA;IAAA,SACC,IAAA;IAAA,SACA,KAAA;EAAA;AAAA;AAAA,UAIM,eAAA;EAAA,SACP,SAAA;EAAA,SACA,MAAA;EAAA,SACA,IAAA;EAAA,SACA,UAAA;EAAA,SACA,iBAAA;EAAA,SACA,YAAA;EAAA,SACA,OAAA,EAAS,MAAA,SAAe,kBAAA;EAAA,SACxB,SAAA,EAAW,MAAA,SAAe,YAAA;EAAA,SAC1B,QAAA,GAAW,MAAA;EAAA,SACX,GAAA,GAAM,MAAA;EAAA,SACN,YAAA;EAAA,SACA,SAAA,IAAa,OAAA,EAAS,OAAA,KAAY,OAAA,CAAQ,OAAA,GAAU,QAAA;EAAA,SACpD,UAAA,IAAc,QAAA,EAAU,QAAA,KAAa,OAAA,CAAQ,QAAA;AAAA;AAAA,UAGtC,SAAA;EAAA,SACP,EAAA,EAAI,WAAA;EAAA,SACJ,EAAA;EACT,IAAA,CAAK,OAAA,EAAS,gBAAA,EAAkB,OAAA,GAAU,kBAAA,GAAqB,kBAAA;EAC/D,SAAA,CAAU,OAAA,GAAU,gBAAA,GAAmB,OAAA,CAAQ,SAAA;EAC/C,aAAA,CAAc,OAAA,GAAU,oBAAA,GAAuB,OAAA,CAAQ,aAAA;EACvD,UAAA;EACA,aAAA,IAAiB,iBAAA;EACjB,gBAAA,CAAiB,MAAA,WAAiB,YAAA;EAClC,KAAA,IAAS,OAAA;AAAA;AAAA,iBA4MY,eAAA,CACrB,OAAA,EAAS,eAAA,EACT,YAAA,GAAc,qBAAA,GACZ,OAAA,CAAQ,SAAA;;;UChVM,iBAAA;EAAA,SACP,SAAA;AAAA;AAAA,UAGO,cAAA;EAAA,SACP,OAAA;EAAA,SACA,SAAA;AAAA;AAAA,iBAGY,eAAA,CACrB,SAAA,UACA,aAAA,UACA,UAAA,WACE,OAAA;AAAA,iBAMmB,iBAAA,CACrB,SAAA,UACA,aAAA,UACA,OAAA,EAAS,QAAA,CAAS,MAAA,SAAe,iBAAA,KAC/B,OAAA,CAAQ,MAAA,SAAe,cAAA;;;iBCxBJ,mBAAA,CACrB,QAAA,UACA,OAAA,UACA,OAAA;EAAA,SACU,IAAA;AAAA,IAER,OAAA"}
1
+ {"version":3,"file":"index.d.ts","names":[],"sources":["../src/build-pipeline.ts","../src/gondolin-package.ts","../src/host-network-defaults.ts","../src/mount-policy.ts","../src/pinned-realfs.ts","../src/policy-compiler.ts","../src/vm-adapter.ts","../src/volume-manager.ts","../src/write-file-atomically.ts"],"mappings":";;;;UAaiB,iBAAA;EAAA,SACP,WAAA,EAAa,aAAA;EAAA,SACb,QAAA;EAFwB;;EAAA,SAKxB,SAAA;EAAA,SACA,SAAA;EAAA,SACA,gBAAA;EAAA,SACA,MAAA,GAAS,WAAA;AAAA;AAAA,UAGF,WAAA;EAChB,KAAA,CAAM,KAAA,WAAgB,UAAA;AAAA;AAAA,UAGN,gBAAA;EAAA,SACP,KAAA;EAAA,SACA,WAAA;EAAA,SACA,SAAA;AAAA;AAAA,cAGG,wBAAA;AAAA,UAOH,yBAAA;EAAA,SACA,WAAA,IACR,WAAA,EAAa,aAAA,EACb,eAAA,UACA,SAAA,WACA,OAAA,WACA,OAAA,eACI,OAAA;EAAA,SACI,eAAA;AAAA;AAAA,iBA2CY,mBAAA,CAAoB,mBAAA,WAA8B,OAAA;AAAA,iBA8ExD,uBAAA,CACf,WAAA,EAAa,aAAA,EACb,eAAA,WACA,gBAAA;AAAA,iBAUqB,gCAAA,CAAiC,OAAA;EAAA,SAC7C,WAAA,EAAa,aAAA;EAAA,SACb,SAAA;EAAA,SACA,gBAAA;EAAA,SACA,eAAA;AAAA,IACN,OAAA;EAAA,SACM,WAAA;EAAA,SACA,sBAAA;AAAA;AAAA,iBAmBY,UAAA,CACrB,OAAA,EAAS,iBAAA,EACT,YAAA,GAAc,yBAAA,GACZ,OAAA,CAAQ,gBAAA;;;iBChMK,sBAAA,CAAuB,WAAA;AAAA,iBAevB,8BAAA,CAAA;AAAA,iBAIM,0BAAA,CAAA,GAA8B,OAAA;AAAA,UAOnC,uCAAA;EAAA,SACP,eAAA;AAAA;AAAA,iBAQY,gCAAA,CACrB,OAAA,GAAS,uCAAA,GACP,OAAA;;;UCtDc,yBAAA;EAAA,SACP,gBAAA;EAAA,SACA,cAAA;AAAA;AAAA,UAGO,+BAAA;EAAA,SACP,0BAAA,KAA+B,KAAA;EAAA,SAC/B,qBAAA,KAA0B,KAAA;AAAA;;;;;;;iBASpB,4BAAA,CACf,YAAA,GAAc,+BAAA,GACZ,yBAAA;;;UCNc,mBAAA;EAAA,SACP,cAAA;EAAA,SACA,4BAAA;AAAA;AAAA,UAGO,wBAAA;EAAA,SACP,WAAA,EAAa,QAAA,CAAS,MAAA;EAAA,SACtB,aAAA,EAAe,mBAAA;AAAA;AAAA,iBAYT,qBAAA,CAAsB,SAAA,UAAmB,OAAA;AAAA,iBA8BzC,qBAAA,CACf,SAAA,UACA,MAAA,EAAQ,mBAAA,EACR,OAAA;EAAA,SAAoB,OAAA;AAAA;AAAA,iBA4BC,0BAAA,CACrB,MAAA,EAAQ,wBAAA,EACR,OAAA;EAAA,SAAoB,QAAA;EAAA,SAA2B,OAAA;AAAA,IAC7C,OAAA;;;UC7Fc,gBAAA;EAAA,SACP,QAAA;EAAA,SACA,QAAA;EAAA,SACA,EAAA;EAAA,SACA,MAAA;EAAA,SACA,KAAA;AAAA;AAAA,UAGO,iCAAA;EAAA,SACP,IAAA,EAAM,gBAAA;EAAA,SACN,oBAAA,GAAuB,QAAA,aAAqB,eAAA;AAAA;AAAA,iBActC,aAAA,CAAc,QAAA,WAAmB,gBAAA;AAAA,iBAgCjC,qBAAA,CAAsB,IAAA,EAAM,gBAAA;AAAA,iBAI5B,sBAAA,CAAuB,IAAA,EAAM,gBAAA;AAAA,iBAqB7B,0BAAA,CACf,OAAA,EAAS,iCAAA,GACP,eAAA;;;UCxFc,aAAA;EAAA,SACP,IAAA;EAAA,SACA,OAAA;EAAA,SACA,KAAA;AAAA;AAAA,iBAGM,iBAAA,CAAkB,WAAA;AAAA,iBAIlB,YAAA,CAAa,MAAA;AAAA,iBAmBb,aAAA,CAAc,OAAA,EAAS,aAAA;;;cCO1B,4BAAA;AAAA,cACA,wCAAA;AAAA,cACA,2DAAA;AAAA,cACA,qDAAA;AAAA,cACA,uDAAA;AAAA,cAEA,kCAAA;;;;;;;KAQD,gBAAA;AAAA,KACA,kBAAA,GAAqB,WAAA;AAAA,KACrB,kBAAA,GAAqB,WAAA;AAAA,KACrB,iBAAA,GAAoB,UAAA;AAAA,KACpB,WAAA,GAAc,IAAA;AAAA,KAEd,YAAA,GAAe,cAAA;AAAA,UAEV,SAAA;EAAA,SACP,IAAA;EAAA,SACA,OAAA;EAAA,SACA,YAAA;EAAA,SACA,IAAA;EAAA,SACA,IAAA;AAAA;AAAA,UAGO,aAAA;EAAA,SACP,IAAA;EAAA,SACA,IAAA;AAAA;AAAA,UAGO,iBAAA;EAAA,SACP,EAAA,EAAI,WAAA;EAAA,SACJ,EAAA;EACT,IAAA,CAAK,OAAA,qBAA4B,OAAA,GAAU,kBAAA,GAAqB,kBAAA;EAChE,SAAA,CAAU,OAAA,GAAU,gBAAA,GAAmB,OAAA,CAAQ,SAAA;EAC/C,aAAA,CAAc,OAAA,GAAU,oBAAA,GAAuB,OAAA,CAAQ,aAAA;EACvD,UAAA;EACA,gBAAA,CAAiB,MAAA,WAAiB,YAAA;EAClC,KAAA,IAAS,OAAA;AAAA;AAAA,UAGO,qBAAA;EAChB,4BAAA,SAAqC,yBAAA;EACrC,QAAA,CAAS,SAAA,EAAW,SAAA,GAAY,OAAA,CAAQ,iBAAA;EACxC,eAAA,CAAgB,OAAA;IAAA,SACN,YAAA;IAAA,SACA,WAAA,GAAc,SAAA;IAAA,SACd,OAAA,EAAS,MAAA,SAAe,kBAAA;IAAA,SACxB,SAAA,IAAa,OAAA,EAAS,OAAA,KAAY,OAAA,CAAQ,OAAA,GAAU,QAAA;IAAA,SACpD,UAAA,IAAc,QAAA,EAAU,QAAA,KAAa,OAAA,CAAQ,QAAA;EAAA,IACnD,IAAA,CAAK,qBAAA;EACT,qBAAA,CAAsB,IAAA,EAAM,gBAAA;EAC5B,0BAAA,CAA2B,IAAA,EAAM,gBAAA,GAAmB,eAAA;EACpD,oBAAA,CAAqB,QAAA,WAAmB,eAAA;EACxC,sBAAA,CAAuB,QAAA,EAAU,eAAA,GAAkB,eAAA;EACnD,oBAAA,IAAwB,eAAA;EACxB,oBAAA,CAAqB,QAAA,EAAU,eAAA,EAAiB,OAAA,EAAS,qBAAA,GAAwB,eAAA;EACjF,yBAAA,CAA0B,KAAA,sBAA2B,eAAA;AAAA;AAAA,UAGrC,YAAA;EAAA,SACP,IAAA;EAAA,SACA,QAAA;EAAA,SACA,cAAA,GAAiB,gBAAA;EAAA,SACjB,YAAA;IAAA,SACC,IAAA;IAAA,SACA,KAAA;EAAA;AAAA;AAAA,UAIM,eAAA;EAAA,SACP,SAAA;EAAA,SACA,MAAA;EAAA,SACA,IAAA;EAAA,SACA,UAAA;EAAA,SACA,iBAAA;EAAA,SACA,YAAA;EAAA,SACA,OAAA,EAAS,MAAA,SAAe,kBAAA;EAAA,SACxB,SAAA,EAAW,MAAA,SAAe,YAAA;EAAA,SAC1B,QAAA,GAAW,MAAA;EAAA,SACX,GAAA,GAAM,MAAA;EAAA,SACN,YAAA;EAAA,SACA,SAAA,IAAa,OAAA,EAAS,OAAA,KAAY,OAAA,CAAQ,OAAA,GAAU,QAAA;EAAA,SACpD,UAAA,IAAc,QAAA,EAAU,QAAA,KAAa,OAAA,CAAQ,QAAA;AAAA;AAAA,UAGtC,SAAA;EAAA,SACP,EAAA,EAAI,WAAA;EAAA,SACJ,EAAA;EACT,IAAA,CAAK,OAAA,EAAS,gBAAA,EAAkB,OAAA,GAAU,kBAAA,GAAqB,kBAAA;EAC/D,SAAA,CAAU,OAAA,GAAU,gBAAA,GAAmB,OAAA,CAAQ,SAAA;EAC/C,aAAA,CAAc,OAAA,GAAU,oBAAA,GAAuB,OAAA,CAAQ,aAAA;EACvD,UAAA;EACA,aAAA,IAAiB,iBAAA;EACjB,gBAAA,CAAiB,MAAA,WAAiB,YAAA;EAClC,KAAA,IAAS,OAAA;AAAA;AAAA,iBAoWY,eAAA,CACrB,OAAA,EAAS,eAAA,EACT,YAAA,GAAc,qBAAA,GACZ,OAAA,CAAQ,SAAA;;;UC5eM,iBAAA;EAAA,SACP,SAAA;AAAA;AAAA,UAGO,cAAA;EAAA,SACP,OAAA;EAAA,SACA,SAAA;AAAA;AAAA,iBAGY,eAAA,CACrB,SAAA,UACA,aAAA,UACA,UAAA,WACE,OAAA;AAAA,iBAMmB,iBAAA,CACrB,SAAA,UACA,aAAA,UACA,OAAA,EAAS,QAAA,CAAS,MAAA,SAAe,iBAAA,KAC/B,OAAA,CAAQ,MAAA,SAAe,cAAA;;;iBCxBJ,mBAAA,CACrB,QAAA,UACA,OAAA,UACA,OAAA;EAAA,SACU,IAAA;AAAA,IAER,OAAA"}
package/dist/index.js CHANGED
@@ -4,7 +4,8 @@ import fs from "node:fs/promises";
4
4
  import path from "node:path";
5
5
  import { z } from "zod";
6
6
  import * as dns from "node:dns";
7
- import * as net from "node:net";
7
+ import * as net$1 from "node:net";
8
+ import net from "node:net";
8
9
  import fs$1 from "node:fs";
9
10
  import { MemoryProvider, ReadonlyProvider, RealFSProvider, ShadowProvider, VM, createHttpHooks, createShadowPathPredicate, getDefaultBuildConfig } from "@earendil-works/gondolin";
10
11
  //#region src/rootfs-init-extra.ts
@@ -260,7 +261,7 @@ async function resolveGondolinMinimumZigVersion(options = {}) {
260
261
  */
261
262
  function configureHostNetworkDefaults(dependencies = {}) {
262
263
  const setDefaultResultOrder = "setDefaultResultOrder" in dependencies ? dependencies.setDefaultResultOrder : dns.setDefaultResultOrder;
263
- const setDefaultAutoSelectFamily = "setDefaultAutoSelectFamily" in dependencies ? dependencies.setDefaultAutoSelectFamily : net.setDefaultAutoSelectFamily;
264
+ const setDefaultAutoSelectFamily = "setDefaultAutoSelectFamily" in dependencies ? dependencies.setDefaultAutoSelectFamily : net$1.setDefaultAutoSelectFamily;
264
265
  let dnsResultOrder = "unavailable";
265
266
  if (typeof setDefaultResultOrder === "function") {
266
267
  setDefaultResultOrder("ipv4first");
@@ -428,6 +429,10 @@ function createDefaultDependencies() {
428
429
  createVm: async (vmOptions) => await VM.create(vmOptions),
429
430
  createHttpHooks: (hookOptions) => createHttpHooks({
430
431
  allowedHosts: [...hookOptions.allowedHosts],
432
+ ...hookOptions.isIpAllowed ? {
433
+ blockInternalRanges: false,
434
+ isIpAllowed: hookOptions.isIpAllowed
435
+ } : {},
431
436
  secrets: Object.fromEntries(Object.entries(hookOptions.secrets).map(([secretName, secretSpec]) => [secretName, {
432
437
  hosts: [...secretSpec.hosts],
433
438
  value: secretSpec.value
@@ -508,14 +513,87 @@ function resolveManagedVmIngressOptions(ingressOptions = {}) {
508
513
  if (ingressOptions.upstreamResponseTimeoutMs !== void 0) resolvedOptions.upstreamResponseTimeoutMs = ingressOptions.upstreamResponseTimeoutMs;
509
514
  return resolvedOptions;
510
515
  }
516
+ function normalizePolicyHostname(hostname) {
517
+ return hostname.toLowerCase();
518
+ }
519
+ function parseTcpHostEndpoint(endpoint) {
520
+ if (endpoint.startsWith("[")) {
521
+ const closingBracketIndex = endpoint.indexOf("]");
522
+ if (closingBracketIndex > 1) {
523
+ const portValue = Number.parseInt(endpoint.slice(closingBracketIndex + 2), 10);
524
+ if (!Number.isFinite(portValue)) return;
525
+ return {
526
+ hostname: normalizePolicyHostname(endpoint.slice(1, closingBracketIndex)),
527
+ port: portValue
528
+ };
529
+ }
530
+ }
531
+ const portSeparatorIndex = endpoint.lastIndexOf(":");
532
+ if (portSeparatorIndex <= 0) return;
533
+ const portValue = Number.parseInt(endpoint.slice(portSeparatorIndex + 1), 10);
534
+ if (!Number.isFinite(portValue)) return;
535
+ return {
536
+ hostname: normalizePolicyHostname(endpoint.slice(0, portSeparatorIndex)),
537
+ port: portValue
538
+ };
539
+ }
540
+ function ipv4AddressIsInternal(ipAddress) {
541
+ const octets = ipAddress.split(".").map((segment) => Number.parseInt(segment, 10));
542
+ if (octets.length !== 4 || octets.some((octet) => !Number.isInteger(octet))) return false;
543
+ const firstOctet = octets[0];
544
+ const secondOctet = octets[1];
545
+ if (firstOctet === void 0 || secondOctet === void 0) return false;
546
+ return firstOctet === 10 || firstOctet === 127 || firstOctet === 169 && secondOctet === 254 || firstOctet === 172 && secondOctet >= 16 && secondOctet <= 31 || firstOctet === 192 && secondOctet === 168 || firstOctet === 100 && secondOctet >= 64 && secondOctet <= 127;
547
+ }
548
+ function ipAddressIsInternal(ipAddress) {
549
+ if (net.isIP(ipAddress) === 4) return ipv4AddressIsInternal(ipAddress);
550
+ const normalizedIpAddress = ipAddress.toLowerCase();
551
+ if (normalizedIpAddress.startsWith("::ffff:")) return ipv4AddressIsInternal(normalizedIpAddress.slice(7));
552
+ return normalizedIpAddress === "::1" || normalizedIpAddress.startsWith("fc") || normalizedIpAddress.startsWith("fd") || normalizedIpAddress.startsWith("fe80:");
553
+ }
554
+ function endpointHostnameIsInternal(hostname) {
555
+ const normalizedHostname = normalizePolicyHostname(hostname);
556
+ return normalizedHostname === "localhost" || normalizedHostname === "host.docker.internal" || ipAddressIsInternal(normalizedHostname);
557
+ }
558
+ function deriveInternalTcpHostRules(tcpHosts) {
559
+ if (!tcpHosts) return [];
560
+ const rules = [];
561
+ for (const [tcpHostKey, tcpHostTarget] of Object.entries(tcpHosts)) {
562
+ const exposedEndpoint = parseTcpHostEndpoint(tcpHostKey);
563
+ const targetEndpoint = parseTcpHostEndpoint(tcpHostTarget);
564
+ if (!exposedEndpoint || !targetEndpoint || !endpointHostnameIsInternal(targetEndpoint.hostname)) continue;
565
+ if (!rules.some((rule) => rule.hostname === exposedEndpoint.hostname && rule.port === exposedEndpoint.port)) rules.push(exposedEndpoint);
566
+ }
567
+ return rules;
568
+ }
569
+ function mergeUniqueHosts(hosts, additionalHosts) {
570
+ const mergedHosts = [...hosts];
571
+ for (const host of additionalHosts) if (!mergedHosts.includes(host)) mergedHosts.push(host);
572
+ return mergedHosts;
573
+ }
574
+ function createInternalTcpHostPolicy(rules) {
575
+ if (rules.length === 0) return;
576
+ const ruleHostnames = new Set(rules.map((rule) => rule.hostname));
577
+ return (info) => {
578
+ const hostname = normalizePolicyHostname(info.hostname);
579
+ const exactRuleMatched = rules.some((rule) => rule.hostname === hostname && rule.port === info.port);
580
+ if (ruleHostnames.has(hostname)) return exactRuleMatched;
581
+ if (ipAddressIsInternal(info.ip)) return false;
582
+ return true;
583
+ };
584
+ }
511
585
  async function createManagedVm(options, dependencies = createDefaultDependencies()) {
512
586
  dependencies.configureHostNetworkDefaults?.();
513
587
  const hasTcpHosts = options.tcpHosts && Object.keys(options.tcpHosts).length > 0;
588
+ const internalTcpHostRules = deriveInternalTcpHostRules(options.tcpHosts);
589
+ const allowedHosts = mergeUniqueHosts(options.allowedHosts, internalTcpHostRules.map((rule) => rule.hostname));
590
+ const isIpAllowed = createInternalTcpHostPolicy(internalTcpHostRules);
514
591
  const pinnedRealFsRoots = collectPinnedRealFsRoots(options.vfsMounts);
515
592
  let vmInstance;
516
593
  try {
517
594
  const hookBundle = dependencies.createHttpHooks({
518
- allowedHosts: options.allowedHosts,
595
+ allowedHosts,
596
+ ...isIpAllowed ? { isIpAllowed } : {},
519
597
  secrets: options.secrets,
520
598
  ...options.onRequest ? { onRequest: options.onRequest } : {},
521
599
  ...options.onResponse ? { onResponse: options.onResponse } : {}
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","names":["fs"],"sources":["../src/rootfs-init-extra.ts","../src/build-pipeline.ts","../src/gondolin-package.ts","../src/host-network-defaults.ts","../src/mount-policy.ts","../src/pinned-realfs.ts","../src/policy-compiler.ts","../src/vm-adapter.ts","../src/volume-manager.ts","../src/write-file-atomically.ts"],"sourcesContent":["import fs from 'node:fs/promises';\nimport path from 'node:path';\n\nimport type { BuildConfig } from '@earendil-works/gondolin';\n\nexport const agentVmRootfsInitExtraScript = `# Generated by agent-vm.\n# Gondolin mounts devtmpfs over /dev at boot, so Docker-image /dev symlinks are hidden.\nmkdir -p /dev\nln -sfn /proc/self/fd /dev/fd 2>/dev/null || true\nln -sfn /proc/self/fd/0 /dev/stdin 2>/dev/null || true\nln -sfn /proc/self/fd/1 /dev/stdout 2>/dev/null || true\nln -sfn /proc/self/fd/2 /dev/stderr 2>/dev/null || true\nif [ ! -e /dev/ptmx ] && [ -e /dev/pts/ptmx ]; then\n ln -sfn pts/ptmx /dev/ptmx 2>/dev/null || true\nfi\n`;\n\ninterface PrepareRootfsInitExtraOptions {\n\treadonly buildConfig: BuildConfig;\n\treadonly imagePath: string;\n\treadonly rootfsInitExtraContent: string;\n}\n\ninterface ResolveRootfsInitExtraOptions {\n\treadonly buildConfig: BuildConfig;\n\treadonly configDir?: string;\n}\n\nexport interface ResolvedRootfsInitExtra {\n\treadonly content: string;\n\treadonly fingerprintInput: {\n\t\treadonly agentVmRootfsInitExtra: string;\n\t\treadonly deploymentRootfsInitExtra?: string;\n\t};\n}\n\nfunction resolveBuildConfigPath(filePath: string, configDir: string | undefined): string {\n\treturn path.isAbsolute(filePath) ? filePath : path.resolve(configDir ?? process.cwd(), filePath);\n}\n\nasync function readExistingRootfsInitExtra(\n\tbuildConfig: BuildConfig,\n\tconfigDir: string | undefined,\n): Promise<string | undefined> {\n\tconst existingRootfsInitExtra = buildConfig.init?.rootfsInitExtra;\n\tif (!existingRootfsInitExtra) {\n\t\treturn undefined;\n\t}\n\n\tconst resolvedRootfsInitExtra = resolveBuildConfigPath(existingRootfsInitExtra, configDir);\n\ttry {\n\t\treturn await fs.readFile(resolvedRootfsInitExtra, 'utf8');\n\t} catch (error) {\n\t\tconst message = error instanceof Error ? error.message : String(error);\n\t\tthrow new Error(\n\t\t\t`Failed to read Gondolin rootfs init extra '${resolvedRootfsInitExtra}': ${message}`,\n\t\t\t{ cause: error },\n\t\t);\n\t}\n}\n\nfunction composeRootfsInitExtra(existingRootfsInitExtra: string | undefined): string {\n\treturn existingRootfsInitExtra\n\t\t? `${agentVmRootfsInitExtraScript.trimEnd()}\\n\\n${existingRootfsInitExtra}`\n\t\t: agentVmRootfsInitExtraScript;\n}\n\nexport async function resolveRootfsInitExtra(\n\toptions: ResolveRootfsInitExtraOptions,\n): Promise<ResolvedRootfsInitExtra> {\n\tconst existingRootfsInitExtra = await readExistingRootfsInitExtra(\n\t\toptions.buildConfig,\n\t\toptions.configDir,\n\t);\n\n\treturn {\n\t\tcontent: composeRootfsInitExtra(existingRootfsInitExtra),\n\t\tfingerprintInput: {\n\t\t\tagentVmRootfsInitExtra: agentVmRootfsInitExtraScript,\n\t\t\t...(existingRootfsInitExtra === undefined\n\t\t\t\t? {}\n\t\t\t\t: { deploymentRootfsInitExtra: existingRootfsInitExtra }),\n\t\t},\n\t};\n}\n\nexport async function prepareBuildConfigWithAgentVmRootfsInitExtra(\n\toptions: PrepareRootfsInitExtraOptions,\n): Promise<BuildConfig> {\n\tconst rootfsInitExtraPath = path.join(options.imagePath, 'agent-vm-rootfs-init-extra.sh');\n\n\tawait fs.writeFile(rootfsInitExtraPath, options.rootfsInitExtraContent, {\n\t\tencoding: 'utf8',\n\t\tmode: 0o755,\n\t});\n\n\treturn {\n\t\t...options.buildConfig,\n\t\tinit: {\n\t\t\t...options.buildConfig.init,\n\t\t\trootfsInitExtra: rootfsInitExtraPath,\n\t\t},\n\t};\n}\n","import crypto from 'node:crypto';\nimport fs from 'node:fs/promises';\nimport path from 'node:path';\n\nimport type { BuildConfig, BuildOptions } from '@earendil-works/gondolin';\n\nimport {\n\tprepareBuildConfigWithAgentVmRootfsInitExtra,\n\tresolveRootfsInitExtra,\n} from './rootfs-init-extra.js';\n\nexport type { BuildConfig } from '@earendil-works/gondolin';\n\nexport interface BuildImageOptions {\n\treadonly buildConfig: BuildConfig;\n\treadonly cacheDir: string;\n\t/** Directory to resolve relative paths in buildConfig (e.g. postBuild.copy.src).\n\t * Defaults to process.cwd() if not provided. */\n\treadonly configDir?: string;\n\treadonly fullReset?: boolean;\n\treadonly fingerprintInput?: unknown;\n\treadonly output?: BuildOutput;\n}\n\nexport interface BuildOutput {\n\twrite(chunk: string | Uint8Array): boolean;\n}\n\nexport interface BuildImageResult {\n\treadonly built: boolean;\n\treadonly fingerprint: string;\n\treadonly imagePath: string;\n}\n\nexport const buildImageAssetFileNames = [\n\t'manifest.json',\n\t'rootfs.ext4',\n\t'initramfs.cpio.lz4',\n\t'vmlinuz-virt',\n] as const;\n\ninterface BuildPipelineDependencies {\n\treadonly buildAssets?: (\n\t\tbuildConfig: BuildConfig,\n\t\toutputDirectory: string,\n\t\tconfigDir?: string,\n\t\tworkDir?: string,\n\t\tverbose?: boolean,\n\t) => Promise<unknown>;\n\treadonly gondolinVersion?: string;\n}\n\nconst inFlightImageBuilds = new Map<string, Promise<BuildImageResult>>();\nconst gondolinWorkDirectoryName = '.agent-vm-gondolin-work';\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n\treturn typeof value === 'object' && value !== null;\n}\n\nfunction stableSerialize(value: unknown): string {\n\tif (Array.isArray(value)) {\n\t\treturn `[${value.map((entry) => stableSerialize(entry)).join(',')}]`;\n\t}\n\n\tif (isRecord(value)) {\n\t\tconst objectEntries = Object.entries(value)\n\t\t\t.filter(([, entryValue]) => entryValue !== undefined)\n\t\t\t.toSorted(([leftKey], [rightKey]) => leftKey.localeCompare(rightKey));\n\t\treturn `{${objectEntries\n\t\t\t.map(([entryKey, entryValue]) => `${JSON.stringify(entryKey)}:${stableSerialize(entryValue)}`)\n\t\t\t.join(',')}}`;\n\t}\n\n\treturn JSON.stringify(value);\n}\n\nfunction isMissingPathError(error: unknown): boolean {\n\treturn typeof error === 'object' && error !== null && 'code' in error && error.code === 'ENOENT';\n}\n\nasync function pathExists(filePath: string): Promise<boolean> {\n\ttry {\n\t\tawait fs.access(filePath);\n\t\treturn true;\n\t} catch (error) {\n\t\tif (!isMissingPathError(error)) {\n\t\t\tthrow error;\n\t\t}\n\t\treturn false;\n\t}\n}\n\nexport async function hasBuiltImageAssets(outputDirectoryPath: string): Promise<boolean> {\n\tfor (const fileName of buildImageAssetFileNames) {\n\t\t// oxlint-disable-next-line no-await-in-loop -- each missing file points at the same image generation\n\t\tif (!(await pathExists(path.join(outputDirectoryPath, fileName)))) {\n\t\t\treturn false;\n\t\t}\n\t}\n\treturn true;\n}\n\nasync function loadBuildAssets(): Promise<\n\t(\n\t\tbuildConfig: BuildConfig,\n\t\toutputDirectory: string,\n\t\tconfigDir?: string,\n\t\tworkDir?: string,\n\t\tverbose?: boolean,\n\t) => Promise<unknown>\n> {\n\tconst gondolinModule = await import('@earendil-works/gondolin');\n\treturn async (\n\t\tbuildConfig: BuildConfig,\n\t\toutputDirectory: string,\n\t\tconfigDir?: string,\n\t\tworkDir?: string,\n\t\tverbose?: boolean,\n\t): Promise<unknown> =>\n\t\tawait gondolinModule.buildAssets(buildConfig, {\n\t\t\toutputDir: outputDirectory,\n\t\t\tverbose: verbose ?? false,\n\t\t\t...(configDir ? { configDir } : {}),\n\t\t\t...(workDir ? { workDir } : {}),\n\t\t} satisfies BuildOptions);\n}\n\nfunction createRedirectedWrite(output: BuildOutput): typeof process.stderr.write {\n\treturn ((\n\t\tchunk: string | Uint8Array,\n\t\tencodingOrCallback?: BufferEncoding | ((error?: Error | null) => void),\n\t\tcallback?: (error?: Error | null) => void,\n\t): boolean => {\n\t\tconst writeCallback = typeof encodingOrCallback === 'function' ? encodingOrCallback : callback;\n\t\tconst wrote = output.write(chunk);\n\t\twriteCallback?.();\n\t\treturn wrote;\n\t}) as typeof process.stderr.write;\n}\n\nasync function withCapturedBuildOutput<TResult>(\n\toutput: BuildOutput | undefined,\n\tfn: () => Promise<TResult>,\n): Promise<TResult> {\n\tif (!output) {\n\t\treturn await fn();\n\t}\n\n\tconst originalStderrWrite = process.stderr.write.bind(process.stderr);\n\tconst originalStdoutWrite = process.stdout.write.bind(process.stdout);\n\tconst originalCi = process.env.CI;\n\tconst redirectedWrite = createRedirectedWrite(output);\n\n\tprocess.stderr.write = redirectedWrite;\n\tprocess.stdout.write = redirectedWrite;\n\tprocess.env.CI = 'true';\n\n\ttry {\n\t\treturn await fn();\n\t} finally {\n\t\tprocess.stderr.write = originalStderrWrite;\n\t\tprocess.stdout.write = originalStdoutWrite;\n\t\tif (originalCi === undefined) {\n\t\t\tdelete process.env.CI;\n\t\t} else {\n\t\t\tprocess.env.CI = originalCi;\n\t\t}\n\t}\n}\n\nexport function computeBuildFingerprint(\n\tbuildConfig: BuildConfig,\n\tgondolinVersion: string = 'unknown',\n\tfingerprintInput?: unknown,\n): string {\n\tconst payload =\n\t\tfingerprintInput === undefined\n\t\t\t? `${stableSerialize(buildConfig)}|${gondolinVersion}`\n\t\t\t: `${stableSerialize(buildConfig)}|${gondolinVersion}|${stableSerialize(fingerprintInput)}`;\n\n\treturn crypto.createHash('sha256').update(payload).digest('hex').slice(0, 16);\n}\n\nexport async function computeEffectiveBuildFingerprint(options: {\n\treadonly buildConfig: BuildConfig;\n\treadonly configDir?: string;\n\treadonly fingerprintInput?: unknown;\n\treadonly gondolinVersion?: string;\n}): Promise<{\n\treadonly fingerprint: string;\n\treadonly rootfsInitExtraContent: string;\n}> {\n\tconst resolvedRootfsInitExtra = await resolveRootfsInitExtra({\n\t\tbuildConfig: options.buildConfig,\n\t\t...(options.configDir ? { configDir: options.configDir } : {}),\n\t});\n\tconst fingerprint = computeBuildFingerprint(options.buildConfig, options.gondolinVersion, {\n\t\tagentVmRootfsInitExtra: resolvedRootfsInitExtra.fingerprintInput,\n\t\t...(options.fingerprintInput === undefined\n\t\t\t? {}\n\t\t\t: { callerFingerprintInput: options.fingerprintInput }),\n\t});\n\n\treturn {\n\t\tfingerprint,\n\t\trootfsInitExtraContent: resolvedRootfsInitExtra.content,\n\t};\n}\n\nexport async function buildImage(\n\toptions: BuildImageOptions,\n\tdependencies: BuildPipelineDependencies = {},\n): Promise<BuildImageResult> {\n\tconst effectiveBuildFingerprint = await computeEffectiveBuildFingerprint({\n\t\tbuildConfig: options.buildConfig,\n\t\t...(options.configDir ? { configDir: options.configDir } : {}),\n\t\t...(options.fingerprintInput === undefined\n\t\t\t? {}\n\t\t\t: { fingerprintInput: options.fingerprintInput }),\n\t\t...(dependencies.gondolinVersion ? { gondolinVersion: dependencies.gondolinVersion } : {}),\n\t});\n\tconst fingerprint = effectiveBuildFingerprint.fingerprint;\n\tconst imagePath = path.join(options.cacheDir, fingerprint);\n\tconst buildImageForFingerprint = async (): Promise<BuildImageResult> => {\n\t\tif (options.fullReset) {\n\t\t\tawait fs.rm(imagePath, { recursive: true, force: true });\n\t\t}\n\n\t\tif (await hasBuiltImageAssets(imagePath)) {\n\t\t\treturn {\n\t\t\t\tbuilt: false,\n\t\t\t\tfingerprint,\n\t\t\t\timagePath,\n\t\t\t};\n\t\t}\n\n\t\tawait fs.mkdir(imagePath, { recursive: true });\n\t\tconst buildAssetsImplementation = dependencies.buildAssets ?? (await loadBuildAssets());\n\t\tconst effectiveBuildConfig = await prepareBuildConfigWithAgentVmRootfsInitExtra({\n\t\t\tbuildConfig: options.buildConfig,\n\t\t\timagePath,\n\t\t\trootfsInitExtraContent: effectiveBuildFingerprint.rootfsInitExtraContent,\n\t\t});\n\t\tconst gondolinWorkDir = path.join(imagePath, gondolinWorkDirectoryName);\n\t\tawait fs.rm(gondolinWorkDir, { recursive: true, force: true });\n\t\ttry {\n\t\t\tawait withCapturedBuildOutput(options.output, async () => {\n\t\t\t\tawait buildAssetsImplementation(\n\t\t\t\t\teffectiveBuildConfig,\n\t\t\t\t\timagePath,\n\t\t\t\t\toptions.configDir,\n\t\t\t\t\tgondolinWorkDir,\n\t\t\t\t\toptions.output !== undefined,\n\t\t\t\t);\n\t\t\t});\n\t\t} finally {\n\t\t\tawait fs.rm(gondolinWorkDir, { recursive: true, force: true });\n\t\t}\n\n\t\tif (!(await hasBuiltImageAssets(imagePath))) {\n\t\t\tthrow new Error(`Expected Gondolin assets to be written to ${imagePath}.`);\n\t\t}\n\n\t\treturn {\n\t\t\tbuilt: true,\n\t\t\tfingerprint,\n\t\t\timagePath,\n\t\t};\n\t};\n\n\tif (options.output) {\n\t\treturn await buildImageForFingerprint();\n\t}\n\n\tconst inFlightKey = path.resolve(imagePath);\n\tconst existingBuild = inFlightImageBuilds.get(inFlightKey);\n\tif (existingBuild) {\n\t\treturn await existingBuild;\n\t}\n\tconst buildPromise = buildImageForFingerprint();\n\tinFlightImageBuilds.set(inFlightKey, buildPromise);\n\ttry {\n\t\treturn await buildPromise;\n\t} finally {\n\t\tif (inFlightImageBuilds.get(inFlightKey) === buildPromise) {\n\t\t\tinFlightImageBuilds.delete(inFlightKey);\n\t\t}\n\t}\n}\n","import fs from 'node:fs/promises';\nimport { createRequire } from 'node:module';\nimport path from 'node:path';\n\nimport { z } from 'zod';\n\nconst requireFromHere = createRequire(import.meta.url);\n\nconst gondolinPackageJsonSchema = z.object({\n\tversion: z.string().min(1),\n});\n\nfunction isMissingFileError(error: unknown): boolean {\n\treturn typeof error === 'object' && error !== null && 'code' in error && error.code === 'ENOENT';\n}\n\nfunction getErrorMessage(error: unknown): string {\n\treturn error instanceof Error ? error.message : String(error);\n}\n\nexport function parseMinimumZigVersion(rawContents: string): string {\n\tconst match = rawContents.match(/\\.minimum_zig_version\\s*=\\s*\"([^\"]*)\"/u);\n\tif (!match) {\n\t\tthrow new Error(\n\t\t\t'minimum_zig_version declaration not found. Expected a line like `.minimum_zig_version = \"0.15.2\"`.',\n\t\t);\n\t}\n\n\tconst version = match[1];\n\tif (!version) {\n\t\tthrow new Error('minimum_zig_version is empty.');\n\t}\n\treturn version;\n}\n\nexport function resolveGondolinPackageJsonPath(): string {\n\treturn requireFromHere.resolve('@earendil-works/gondolin/package.json');\n}\n\nexport async function resolveGondolinPackageSpec(): Promise<string> {\n\tconst packageJsonPath = resolveGondolinPackageJsonPath();\n\tconst parsed: unknown = JSON.parse(await fs.readFile(packageJsonPath, 'utf8'));\n\tconst packageJson = gondolinPackageJsonSchema.parse(parsed);\n\treturn `@earendil-works/gondolin@${packageJson.version}`;\n}\n\nexport interface ResolveGondolinMinimumZigVersionOptions {\n\treadonly buildZigZonPath?: string;\n}\n\nasync function resolveDefaultBuildZigZonPath(): Promise<string> {\n\tconst packageJsonPath = resolveGondolinPackageJsonPath();\n\treturn path.join(path.dirname(packageJsonPath), 'dist', 'guest', 'build.zig.zon');\n}\n\nexport async function resolveGondolinMinimumZigVersion(\n\toptions: ResolveGondolinMinimumZigVersionOptions = {},\n): Promise<string> {\n\tconst zonPath = options.buildZigZonPath ?? (await resolveDefaultBuildZigZonPath());\n\tlet rawContents: string;\n\ttry {\n\t\trawContents = await fs.readFile(zonPath, 'utf8');\n\t} catch (error) {\n\t\tif (isMissingFileError(error)) {\n\t\t\tthrow new Error(`Missing Gondolin build.zig.zon at '${zonPath}'.`, { cause: error });\n\t\t}\n\t\tthrow new Error(\n\t\t\t`Failed to read Gondolin build.zig.zon at '${zonPath}': ${getErrorMessage(error)}`,\n\t\t\t{ cause: error },\n\t\t);\n\t}\n\n\ttry {\n\t\treturn parseMinimumZigVersion(rawContents);\n\t} catch (error) {\n\t\tthrow new Error(\n\t\t\t`Failed to parse Gondolin build.zig.zon at '${zonPath}': ${getErrorMessage(error)}`,\n\t\t\t{ cause: error },\n\t\t);\n\t}\n}\n","import * as dns from 'node:dns';\nimport * as net from 'node:net';\n\nexport interface HostNetworkDefaultsResult {\n\treadonly autoSelectFamily: false | 'unavailable';\n\treadonly dnsResultOrder: 'ipv4first' | 'unavailable';\n}\n\nexport interface HostNetworkDefaultsDependencies {\n\treadonly setDefaultAutoSelectFamily?: ((value: boolean) => void) | undefined;\n\treadonly setDefaultResultOrder?: ((order: 'ipv4first') => void) | undefined;\n}\n\n/**\n * Gondolin raw tcpHosts passthrough sockets are opened by the host-side Node\n * process, not by guest Node processes. VM NODE_OPTIONS cannot affect those\n * sockets, so host processes that create Gondolin VMs also force deterministic\n * IPv4-first behavior before network state is constructed.\n */\nexport function configureHostNetworkDefaults(\n\tdependencies: HostNetworkDefaultsDependencies = {},\n): HostNetworkDefaultsResult {\n\tconst setDefaultResultOrder =\n\t\t'setDefaultResultOrder' in dependencies\n\t\t\t? dependencies.setDefaultResultOrder\n\t\t\t: dns.setDefaultResultOrder;\n\tconst setDefaultAutoSelectFamily =\n\t\t'setDefaultAutoSelectFamily' in dependencies\n\t\t\t? dependencies.setDefaultAutoSelectFamily\n\t\t\t: net.setDefaultAutoSelectFamily;\n\n\tlet dnsResultOrder: HostNetworkDefaultsResult['dnsResultOrder'] = 'unavailable';\n\tif (typeof setDefaultResultOrder === 'function') {\n\t\tsetDefaultResultOrder('ipv4first');\n\t\tdnsResultOrder = 'ipv4first';\n\t}\n\n\tlet autoSelectFamily: HostNetworkDefaultsResult['autoSelectFamily'] = 'unavailable';\n\tif (typeof setDefaultAutoSelectFamily === 'function') {\n\t\tsetDefaultAutoSelectFamily(false);\n\t\tautoSelectFamily = false;\n\t}\n\n\treturn {\n\t\tautoSelectFamily,\n\t\tdnsResultOrder,\n\t};\n}\n","import fs from 'node:fs/promises';\nimport path from 'node:path';\n\nconst AUTH_GUEST_PATH_PREFIXES = [\n\t'/home/agent/.aws',\n\t'/home/agent/.claude',\n\t'/home/agent/.codex',\n\t'/home/agent/.gemini',\n\t'/home/openclaw/.aws',\n\t'/home/openclaw/.claude',\n\t'/home/openclaw/.codex',\n\t'/home/openclaw/.gemini',\n\t'/home/openclaw/.openclaw',\n] as const;\n\nexport interface WritableMountPolicy {\n\treadonly allowAuthWrite: boolean;\n\treadonly writableAllowedGuestPrefixes: readonly string[];\n}\n\nexport interface RuntimeMountPolicyConfig {\n\treadonly extraMounts: Readonly<Record<string, string>>;\n\treadonly mountControls: WritableMountPolicy;\n}\n\nfunction resolveAuthHostPrefixes(hostHome: string): readonly string[] {\n\treturn [\n\t\tpath.join(hostHome, '.aws'),\n\t\tpath.join(hostHome, '.claude'),\n\t\tpath.join(hostHome, '.codex'),\n\t\tpath.join(hostHome, '.gemini'),\n\t];\n}\n\nexport function resolveGuestMountPath(guestPath: string, workDir: string): string {\n\tif (path.isAbsolute(guestPath)) {\n\t\treturn path.resolve(guestPath);\n\t}\n\n\treturn path.resolve(workDir, guestPath);\n}\n\nfunction isPathWithinPrefix(candidatePath: string, prefixPath: string): boolean {\n\tconst relativePath = path.relative(prefixPath, candidatePath);\n\treturn relativePath === '' || (!relativePath.startsWith('..') && !path.isAbsolute(relativePath));\n}\n\nasync function normalizeHostPath(hostPath: string): Promise<string> {\n\tconst resolvedHostPath = path.resolve(hostPath);\n\n\ttry {\n\t\treturn await fs.realpath(resolvedHostPath);\n\t} catch {\n\t\treturn resolvedHostPath;\n\t}\n}\n\nfunction pathsOverlap(candidatePath: string, protectedPath: string): boolean {\n\treturn (\n\t\tisPathWithinPrefix(candidatePath, protectedPath) ||\n\t\tisPathWithinPrefix(protectedPath, candidatePath)\n\t);\n}\n\nexport function validateWritableMount(\n\tguestPath: string,\n\tpolicy: WritableMountPolicy,\n\toptions: { readonly workDir: string },\n): void {\n\tconst resolvedGuestPath = resolveGuestMountPath(guestPath, options.workDir);\n\tconst resolvedAllowedPrefixes = policy.writableAllowedGuestPrefixes.map((allowedPrefix) =>\n\t\tresolveGuestMountPath(allowedPrefix, options.workDir),\n\t);\n\n\tconst isAllowedGuestPath = resolvedAllowedPrefixes.some((allowedPrefix) =>\n\t\tisPathWithinPrefix(resolvedGuestPath, allowedPrefix),\n\t);\n\tif (!isAllowedGuestPath) {\n\t\tthrow new Error(\n\t\t\t`Writable mount guest path '${resolvedGuestPath}' is outside writable allowlist [${resolvedAllowedPrefixes.join(', ')}].`,\n\t\t);\n\t}\n\n\tif (!policy.allowAuthWrite) {\n\t\tconst targetsProtectedGuestPath = AUTH_GUEST_PATH_PREFIXES.some((authPrefix) =>\n\t\t\tisPathWithinPrefix(resolvedGuestPath, authPrefix),\n\t\t);\n\t\tif (targetsProtectedGuestPath) {\n\t\t\tthrow new Error(\n\t\t\t\t`Writable mount guest path '${resolvedGuestPath}' targets an auth mount path. Set mountControls.allowAuthWrite=true to permit auth writes.`,\n\t\t\t);\n\t\t}\n\t}\n}\n\nexport async function validateRuntimeMountPolicy(\n\tconfig: RuntimeMountPolicyConfig,\n\toptions: { readonly hostHome: string; readonly workDir: string },\n): Promise<void> {\n\tconst mountEntries = Object.entries(config.extraMounts);\n\tfor (const [guestPath] of mountEntries) {\n\t\tvalidateWritableMount(guestPath, config.mountControls, options);\n\t}\n\n\tif (config.mountControls.allowAuthWrite) {\n\t\treturn;\n\t}\n\n\tconst absoluteHostMountEntries = mountEntries.filter(([, hostPath]) => path.isAbsolute(hostPath));\n\tconst [protectedHostPaths, writableHostPaths] = await Promise.all([\n\t\tPromise.all(\n\t\t\tresolveAuthHostPrefixes(options.hostHome).map(\n\t\t\t\tasync (authHostPrefix) => await normalizeHostPath(authHostPrefix),\n\t\t\t),\n\t\t),\n\t\tPromise.all(\n\t\t\tabsoluteHostMountEntries.map(async ([, hostPath]) => await normalizeHostPath(hostPath)),\n\t\t),\n\t]);\n\n\tfor (const resolvedWritableHostPath of writableHostPaths) {\n\t\tconst overlapsProtectedHostPath = protectedHostPaths.some((authHostPrefix) =>\n\t\t\tpathsOverlap(resolvedWritableHostPath, authHostPrefix),\n\t\t);\n\n\t\tif (overlapsProtectedHostPath) {\n\t\t\tthrow new Error(\n\t\t\t\t`Writable host path '${resolvedWritableHostPath}' targets an auth host directory. Set mountControls.allowAuthWrite=true to permit auth writes.`,\n\t\t\t);\n\t\t}\n\t}\n}\n","import fs from 'node:fs';\nimport path from 'node:path';\n\nimport type { VirtualProvider } from '@earendil-works/gondolin';\n\nexport interface PinnedRealFsRoot {\n\treadonly hostPath: string;\n\treadonly realPath: string;\n\treadonly fd: number;\n\treadonly device: number;\n\treadonly inode: number;\n}\n\nexport interface CreatePinnedRealFsProviderOptions {\n\treadonly root: PinnedRealFsRoot;\n\treadonly createRealFsProvider: (hostPath: string) => VirtualProvider;\n}\n\nfunction formatRootIdentity(root: PinnedRealFsRoot): string {\n\treturn `${root.device}:${root.inode}`;\n}\n\nfunction openDirectoryNoFollow(candidatePath: string): number {\n\treturn fs.openSync(\n\t\tcandidatePath,\n\t\tfs.constants.O_RDONLY | fs.constants.O_DIRECTORY | fs.constants.O_NOFOLLOW,\n\t);\n}\n\nexport function pinRealFsRoot(hostPath: string): PinnedRealFsRoot {\n\tif (!hostPath || !path.isAbsolute(hostPath)) {\n\t\tthrow new Error(`Pinned RealFS root must be a non-empty absolute path: ${hostPath}`);\n\t}\n\n\tconst resolvedHostPath = path.resolve(hostPath);\n\tconst fd = openDirectoryNoFollow(resolvedHostPath);\n\ttry {\n\t\tconst stats = fs.fstatSync(fd);\n\t\tif (!stats.isDirectory()) {\n\t\t\tthrow new Error(`Pinned RealFS root is not a directory: ${resolvedHostPath}`);\n\t\t}\n\t\tconst realPath = fs.realpathSync(resolvedHostPath);\n\t\tconst realPathStats = fs.statSync(realPath);\n\t\tif (realPathStats.dev !== stats.dev || realPathStats.ino !== stats.ino) {\n\t\t\tthrow new Error(\n\t\t\t\t`Pinned RealFS root changed while opening: ${resolvedHostPath} opened ${stats.dev}:${stats.ino} but resolved to ${realPathStats.dev}:${realPathStats.ino}`,\n\t\t\t);\n\t\t}\n\t\treturn {\n\t\t\tdevice: stats.dev,\n\t\t\tfd,\n\t\t\thostPath: resolvedHostPath,\n\t\t\tinode: stats.ino,\n\t\t\trealPath,\n\t\t};\n\t} catch (error) {\n\t\tfs.closeSync(fd);\n\t\tthrow error;\n\t}\n}\n\nexport function closePinnedRealFsRoot(root: PinnedRealFsRoot): void {\n\tfs.closeSync(root.fd);\n}\n\nexport function assertPinnedRealFsRoot(root: PinnedRealFsRoot): void {\n\tconst pinnedStats = fs.fstatSync(root.fd);\n\tconst currentStats = fs.statSync(root.realPath);\n\tif (\n\t\tpinnedStats.dev !== root.device ||\n\t\tpinnedStats.ino !== root.inode ||\n\t\tcurrentStats.dev !== root.device ||\n\t\tcurrentStats.ino !== root.inode\n\t) {\n\t\tthrow new Error(\n\t\t\t`Pinned RealFS root changed before mount access: ${root.realPath} expected ${formatRootIdentity(root)} got ${currentStats.dev}:${currentStats.ino}`,\n\t\t);\n\t}\n}\n\ntype ProviderMethod = (...args: unknown[]) => unknown;\n\n/* oxlint-disable typescript-eslint/no-unsafe-type-assertion -- Reflect.get()\n loses the method signature from Gondolin's VirtualProvider union. The proxy\n keeps the same provider object and only wraps callable properties with the\n pinned-root assertion. */\nexport function createPinnedRealFsProvider(\n\toptions: CreatePinnedRealFsProviderOptions,\n): VirtualProvider {\n\tassertPinnedRealFsRoot(options.root);\n\tconst provider = options.createRealFsProvider(options.root.realPath);\n\n\treturn new Proxy(provider, {\n\t\tget(target: VirtualProvider, property: string | symbol, receiver: unknown): unknown {\n\t\t\tconst value = Reflect.get(target, property, receiver) as unknown;\n\t\t\tif (typeof value !== 'function') {\n\t\t\t\treturn value;\n\t\t\t}\n\n\t\t\treturn (...methodArguments: readonly unknown[]): unknown => {\n\t\t\t\tassertPinnedRealFsRoot(options.root);\n\t\t\t\treturn Reflect.apply(value as ProviderMethod, target, methodArguments);\n\t\t\t};\n\t\t},\n\t});\n}\n/* oxlint-enable typescript-eslint/no-unsafe-type-assertion */\n","export interface PolicySources {\n\treadonly base: readonly string[];\n\treadonly profile: readonly string[];\n\treadonly extra: readonly string[];\n}\n\nexport function normalizeHostname(rawHostname: string): string {\n\treturn rawHostname.trim().toLowerCase().replace(/\\.+$/u, '');\n}\n\nexport function dedupeStable(values: readonly string[]): string[] {\n\tconst seenHostnames = new Set<string>();\n\tconst normalizedValues: string[] = [];\n\n\tfor (const value of values) {\n\t\tconst normalizedValue = normalizeHostname(value);\n\t\tif (normalizedValue.length === 0 || normalizedValue.startsWith('#')) {\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (!seenHostnames.has(normalizedValue)) {\n\t\t\tseenHostnames.add(normalizedValue);\n\t\t\tnormalizedValues.push(normalizedValue);\n\t\t}\n\t}\n\n\treturn normalizedValues;\n}\n\nexport function compilePolicy(sources: PolicySources): string[] {\n\treturn dedupeStable([...sources.base, ...sources.profile, ...sources.extra]);\n}\n","import type { MediatedSecretSpec } from '@agent-vm/secret-management';\nimport {\n\tMemoryProvider,\n\tReadonlyProvider,\n\tRealFSProvider,\n\tShadowProvider,\n\tVM,\n\tcreateHttpHooks,\n\tcreateShadowPathPredicate,\n\ttype CreateHttpHooksResult,\n\ttype EnableIngressOptions,\n\ttype EnableSshOptions,\n\ttype ExecOptions as GondolinExecOptions,\n\ttype ExecProcess as GondolinExecProcess,\n\ttype ExecResult as GondolinExecResult,\n\ttype IngressRoute as GondolinIngressRoute,\n\ttype ShadowPredicate,\n\ttype ShadowProviderOptions,\n\ttype VMOptions,\n\ttype VmFs as GondolinVmFs,\n\ttype VirtualProvider,\n} from '@earendil-works/gondolin';\n\nimport {\n\tconfigureHostNetworkDefaults,\n\ttype HostNetworkDefaultsResult,\n} from './host-network-defaults.js';\nimport {\n\tclosePinnedRealFsRoot,\n\tcreatePinnedRealFsProvider,\n\ttype PinnedRealFsRoot,\n} from './pinned-realfs.js';\n\nexport const SYNTHETIC_DNS_IPV4_BENCHMARK = '198.18.0.1';\nexport const SYNTHETIC_DNS_IPV6_IPV4_MAPPED_BENCHMARK = '::ffff:198.18.0.1';\nexport const MANAGED_VM_DEFAULT_INGRESS_MAX_BUFFERED_RESPONSE_BODY_BYTES = 512 * 1024 * 1024;\nexport const MANAGED_VM_DEFAULT_INGRESS_UPSTREAM_HEADER_TIMEOUT_MS = 120_000;\nexport const MANAGED_VM_DEFAULT_INGRESS_UPSTREAM_RESPONSE_TIMEOUT_MS = 120_000;\n\nexport const MANAGED_VM_DEFAULT_INGRESS_OPTIONS = {\n\tallowWebSockets: true,\n\tbufferResponseBody: false,\n\tmaxBufferedResponseBodyBytes: MANAGED_VM_DEFAULT_INGRESS_MAX_BUFFERED_RESPONSE_BODY_BYTES,\n\tupstreamHeaderTimeoutMs: MANAGED_VM_DEFAULT_INGRESS_UPSTREAM_HEADER_TIMEOUT_MS,\n\tupstreamResponseTimeoutMs: MANAGED_VM_DEFAULT_INGRESS_UPSTREAM_RESPONSE_TIMEOUT_MS,\n} satisfies EnableIngressOptions;\n\nexport type ManagedExecInput = string | readonly string[];\nexport type ManagedExecOptions = GondolinExecOptions;\nexport type ManagedExecProcess = GondolinExecProcess;\nexport type ManagedExecResult = GondolinExecResult;\nexport type ManagedVmFs = GondolinVmFs;\n\nexport type IngressRoute = GondolinIngressRoute;\n\nexport interface SshAccess {\n\treadonly host: string;\n\treadonly command?: string;\n\treadonly identityFile?: string;\n\treadonly port: number;\n\treadonly user?: string;\n}\n\nexport interface IngressAccess {\n\treadonly host: string;\n\treadonly port: number;\n}\n\nexport interface ManagedVmInstance {\n\treadonly fs: ManagedVmFs;\n\treadonly id: string;\n\texec(command: string | string[], options?: ManagedExecOptions): ManagedExecProcess;\n\tenableSsh(options?: EnableSshOptions): Promise<SshAccess>;\n\tenableIngress(options?: EnableIngressOptions): Promise<IngressAccess>;\n\tgetHostPid?(): number | null;\n\tsetIngressRoutes(routes: readonly IngressRoute[]): void;\n\tclose(): Promise<void>;\n}\n\nexport interface ManagedVmDependencies {\n\tconfigureHostNetworkDefaults?: () => HostNetworkDefaultsResult;\n\tcreateVm(vmOptions: VMOptions): Promise<ManagedVmInstance>;\n\tcreateHttpHooks(options: {\n\t\treadonly allowedHosts: readonly string[];\n\t\treadonly secrets: Record<string, MediatedSecretSpec>;\n\t\treadonly onRequest?: (request: Request) => Promise<Request | Response | void>;\n\t\treadonly onResponse?: (response: Response) => Promise<Response | void>;\n\t}): Pick<CreateHttpHooksResult, 'env' | 'httpHooks'>;\n\tclosePinnedRealFsRoot(root: PinnedRealFsRoot): void;\n\tcreatePinnedRealFsProvider(root: PinnedRealFsRoot): VirtualProvider;\n\tcreateRealFsProvider(hostPath: string): VirtualProvider;\n\tcreateReadonlyProvider(provider: VirtualProvider): VirtualProvider;\n\tcreateMemoryProvider(): VirtualProvider;\n\tcreateShadowProvider(provider: VirtualProvider, options: ShadowProviderOptions): VirtualProvider;\n\tcreateShadowPathPredicate(paths: readonly string[]): ShadowPredicate;\n}\n\nexport interface VfsMountSpec {\n\treadonly kind: 'realfs' | 'realfs-readonly' | 'memory' | 'shadow';\n\treadonly hostPath?: string;\n\treadonly pinnedHostRoot?: PinnedRealFsRoot;\n\treadonly shadowConfig?: {\n\t\treadonly deny: readonly string[];\n\t\treadonly tmpfs: readonly string[];\n\t};\n}\n\nexport interface CreateVmOptions {\n\treadonly imagePath: string;\n\treadonly memory: string;\n\treadonly cpus: number;\n\treadonly rootfsMode: 'readonly' | 'memory' | 'cow';\n\treadonly runtimeRootfsSize?: string;\n\treadonly allowedHosts: readonly string[];\n\treadonly secrets: Record<string, MediatedSecretSpec>;\n\treadonly vfsMounts: Record<string, VfsMountSpec>;\n\treadonly tcpHosts?: Record<string, string>;\n\treadonly env?: Record<string, string>;\n\treadonly sessionLabel?: string;\n\treadonly onRequest?: (request: Request) => Promise<Request | Response | void>;\n\treadonly onResponse?: (response: Response) => Promise<Response | void>;\n}\n\nexport interface ManagedVm {\n\treadonly fs: ManagedVmFs;\n\treadonly id: string;\n\texec(command: ManagedExecInput, options?: ManagedExecOptions): ManagedExecProcess;\n\tenableSsh(options?: EnableSshOptions): Promise<SshAccess>;\n\tenableIngress(options?: EnableIngressOptions): Promise<IngressAccess>;\n\tgetHostPid(): number | null;\n\tgetVmInstance(): ManagedVmInstance;\n\tsetIngressRoutes(routes: readonly IngressRoute[]): void;\n\tclose(): Promise<void>;\n}\n\n/* oxlint-disable typescript-eslint/no-unsafe-type-assertion -- VM.create() returns\n Gondolin's concrete VM class; this adapter exposes only the narrower\n ManagedVmInstance interface used by agent-vm. */\nfunction createDefaultDependencies(): ManagedVmDependencies {\n\tconst createDefaultRealFsProvider = (hostPath: string): VirtualProvider =>\n\t\tnew RealFSProvider(hostPath);\n\treturn {\n\t\tconfigureHostNetworkDefaults,\n\t\tcreateVm: async (vmOptions: VMOptions): Promise<ManagedVmInstance> =>\n\t\t\t(await VM.create(vmOptions)) as unknown as ManagedVmInstance,\n\t\tcreateHttpHooks: (hookOptions) =>\n\t\t\tcreateHttpHooks({\n\t\t\t\tallowedHosts: [...hookOptions.allowedHosts],\n\t\t\t\tsecrets: Object.fromEntries(\n\t\t\t\t\tObject.entries(hookOptions.secrets).map(([secretName, secretSpec]) => [\n\t\t\t\t\t\tsecretName,\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\thosts: [...secretSpec.hosts],\n\t\t\t\t\t\t\tvalue: secretSpec.value,\n\t\t\t\t\t\t},\n\t\t\t\t\t]),\n\t\t\t\t),\n\t\t\t\t...(hookOptions.onRequest ? { onRequest: hookOptions.onRequest } : {}),\n\t\t\t\t...(hookOptions.onResponse ? { onResponse: hookOptions.onResponse } : {}),\n\t\t\t}),\n\t\tclosePinnedRealFsRoot,\n\t\tcreatePinnedRealFsProvider: (root: PinnedRealFsRoot): VirtualProvider =>\n\t\t\tcreatePinnedRealFsProvider({\n\t\t\t\tcreateRealFsProvider: createDefaultRealFsProvider,\n\t\t\t\troot,\n\t\t\t}),\n\t\tcreateRealFsProvider: createDefaultRealFsProvider,\n\t\tcreateReadonlyProvider: (provider: VirtualProvider): VirtualProvider =>\n\t\t\tnew ReadonlyProvider(provider),\n\t\tcreateMemoryProvider: (): VirtualProvider => new MemoryProvider(),\n\t\tcreateShadowProvider: (\n\t\t\tprovider: VirtualProvider,\n\t\t\tshadowOptions: ShadowProviderOptions,\n\t\t): VirtualProvider => new ShadowProvider(provider, shadowOptions),\n\t\tcreateShadowPathPredicate: (paths: readonly string[]): ShadowPredicate =>\n\t\t\tcreateShadowPathPredicate([...paths]),\n\t};\n}\n/* oxlint-enable typescript-eslint/no-unsafe-type-assertion */\n\nfunction normalizeShadowPath(pathValue: string): string {\n\tconst trimmedPath = pathValue.trim();\n\tif (trimmedPath.startsWith('/')) {\n\t\treturn trimmedPath;\n\t}\n\n\tconst relativePath = trimmedPath.startsWith('./') ? trimmedPath.slice('./'.length) : trimmedPath;\n\treturn `/${relativePath}`;\n}\n\nfunction createRealFsProviderForSpec(\n\tmountSpec: VfsMountSpec,\n\tdependencies: ManagedVmDependencies,\n\tmountKind: string,\n): VirtualProvider {\n\tif (mountSpec.pinnedHostRoot) {\n\t\treturn dependencies.createPinnedRealFsProvider(mountSpec.pinnedHostRoot);\n\t}\n\tif (mountSpec.hostPath) {\n\t\treturn dependencies.createRealFsProvider(mountSpec.hostPath);\n\t}\n\n\tthrow new Error(`${mountKind} mounts require hostPath or pinnedHostRoot`);\n}\n\nfunction createProviderFromSpec(\n\tmountSpec: VfsMountSpec,\n\tdependencies: ManagedVmDependencies,\n): VirtualProvider {\n\tswitch (mountSpec.kind) {\n\t\tcase 'memory':\n\t\t\treturn dependencies.createMemoryProvider();\n\t\tcase 'realfs': {\n\t\t\treturn createRealFsProviderForSpec(mountSpec, dependencies, 'realfs');\n\t\t}\n\t\tcase 'realfs-readonly': {\n\t\t\treturn dependencies.createReadonlyProvider(\n\t\t\t\tcreateRealFsProviderForSpec(mountSpec, dependencies, 'realfs-readonly'),\n\t\t\t);\n\t\t}\n\t\tcase 'shadow': {\n\t\t\tconst baseProvider =\n\t\t\t\tmountSpec.hostPath || mountSpec.pinnedHostRoot\n\t\t\t\t\t? createRealFsProviderForSpec(mountSpec, dependencies, 'shadow')\n\t\t\t\t\t: dependencies.createMemoryProvider();\n\n\t\t\tlet shadowProvider = baseProvider;\n\t\t\tconst shadowConfig = mountSpec.shadowConfig;\n\n\t\t\tif (shadowConfig?.deny.length) {\n\t\t\t\tshadowProvider = dependencies.createShadowProvider(shadowProvider, {\n\t\t\t\t\tshouldShadow: dependencies.createShadowPathPredicate(\n\t\t\t\t\t\tshadowConfig.deny.map((shadowPath) => normalizeShadowPath(shadowPath)),\n\t\t\t\t\t),\n\t\t\t\t\twriteMode: 'deny',\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tif (shadowConfig?.tmpfs.length) {\n\t\t\t\tshadowProvider = dependencies.createShadowProvider(shadowProvider, {\n\t\t\t\t\tshouldShadow: dependencies.createShadowPathPredicate(\n\t\t\t\t\t\tshadowConfig.tmpfs.map((shadowPath) => normalizeShadowPath(shadowPath)),\n\t\t\t\t\t),\n\t\t\t\t\twriteMode: 'tmpfs',\n\t\t\t\t});\n\t\t\t}\n\n\t\t\treturn shadowProvider;\n\t\t}\n\t\tdefault: {\n\t\t\tthrow new Error(`Unsupported VFS mount kind: ${String(mountSpec.kind)}`);\n\t\t}\n\t}\n}\n\nfunction createVfsMounts(\n\tvfsMounts: Record<string, VfsMountSpec>,\n\tdependencies: ManagedVmDependencies,\n): Record<string, VirtualProvider> {\n\tconst mountMap: Record<string, VirtualProvider> = {};\n\n\tfor (const [guestPath, mountSpec] of Object.entries(vfsMounts)) {\n\t\tmountMap[guestPath] = createProviderFromSpec(mountSpec, dependencies);\n\t}\n\n\treturn mountMap;\n}\n\nfunction collectPinnedRealFsRoots(\n\tvfsMounts: Record<string, VfsMountSpec>,\n): readonly PinnedRealFsRoot[] {\n\tconst roots = new Map<number, PinnedRealFsRoot>();\n\tfor (const mountSpec of Object.values(vfsMounts)) {\n\t\tif (mountSpec.pinnedHostRoot) {\n\t\t\troots.set(mountSpec.pinnedHostRoot.fd, mountSpec.pinnedHostRoot);\n\t\t}\n\t}\n\treturn [...roots.values()];\n}\n\nfunction closePinnedRealFsRoots(\n\troots: readonly PinnedRealFsRoot[],\n\tdependencies: ManagedVmDependencies,\n): void {\n\tfor (const root of roots) {\n\t\tdependencies.closePinnedRealFsRoot(root);\n\t}\n}\n\nfunction closePinnedRealFsRootsAfterFailure(\n\troots: readonly PinnedRealFsRoot[],\n\tdependencies: ManagedVmDependencies,\n): void {\n\ttry {\n\t\tclosePinnedRealFsRoots(roots, dependencies);\n\t} catch {\n\t\t// Preserve the VM creation failure; leaked-fd risk is lower than hiding\n\t\t// the root cause of a failed lease.\n\t}\n}\n\nfunction resolveManagedVmIngressOptions(\n\tingressOptions: EnableIngressOptions = {},\n): EnableIngressOptions {\n\tconst resolvedOptions: EnableIngressOptions = {\n\t\t...MANAGED_VM_DEFAULT_INGRESS_OPTIONS,\n\t};\n\n\tif (ingressOptions.listenHost !== undefined) {\n\t\tresolvedOptions.listenHost = ingressOptions.listenHost;\n\t}\n\tif (ingressOptions.listenPort !== undefined) {\n\t\tresolvedOptions.listenPort = ingressOptions.listenPort;\n\t}\n\tif (ingressOptions.allowWebSockets !== undefined) {\n\t\tresolvedOptions.allowWebSockets = ingressOptions.allowWebSockets;\n\t}\n\tif (ingressOptions.hooks !== undefined) {\n\t\tresolvedOptions.hooks = ingressOptions.hooks;\n\t}\n\tif (ingressOptions.bufferResponseBody !== undefined) {\n\t\tresolvedOptions.bufferResponseBody = ingressOptions.bufferResponseBody;\n\t}\n\tif (ingressOptions.maxBufferedResponseBodyBytes !== undefined) {\n\t\tresolvedOptions.maxBufferedResponseBodyBytes = ingressOptions.maxBufferedResponseBodyBytes;\n\t}\n\tif (ingressOptions.upstreamHeaderTimeoutMs !== undefined) {\n\t\tresolvedOptions.upstreamHeaderTimeoutMs = ingressOptions.upstreamHeaderTimeoutMs;\n\t}\n\tif (ingressOptions.upstreamResponseTimeoutMs !== undefined) {\n\t\tresolvedOptions.upstreamResponseTimeoutMs = ingressOptions.upstreamResponseTimeoutMs;\n\t}\n\n\treturn resolvedOptions;\n}\n\nexport async function createManagedVm(\n\toptions: CreateVmOptions,\n\tdependencies: ManagedVmDependencies = createDefaultDependencies(),\n): Promise<ManagedVm> {\n\tdependencies.configureHostNetworkDefaults?.();\n\tconst hasTcpHosts = options.tcpHosts && Object.keys(options.tcpHosts).length > 0;\n\tconst pinnedRealFsRoots = collectPinnedRealFsRoots(options.vfsMounts);\n\tlet vmInstance: ManagedVmInstance;\n\ttry {\n\t\tconst hookBundle = dependencies.createHttpHooks({\n\t\t\tallowedHosts: options.allowedHosts,\n\t\t\tsecrets: options.secrets,\n\t\t\t...(options.onRequest ? { onRequest: options.onRequest } : {}),\n\t\t\t...(options.onResponse ? { onResponse: options.onResponse } : {}),\n\t\t});\n\t\tvmInstance = await dependencies.createVm({\n\t\t\t...(options.imagePath.length > 0 ? { sandbox: { imagePath: options.imagePath } } : {}),\n\t\t\t...(options.sessionLabel ? { sessionLabel: options.sessionLabel } : {}),\n\t\t\trootfs: {\n\t\t\t\tmode: options.rootfsMode,\n\t\t\t\t...(options.runtimeRootfsSize === undefined ? {} : { size: options.runtimeRootfsSize }),\n\t\t\t},\n\t\t\tmemory: options.memory,\n\t\t\tcpus: options.cpus,\n\t\t\tenv: {\n\t\t\t\t...hookBundle.env,\n\t\t\t\t...options.env,\n\t\t\t},\n\t\t\thttpHooks: hookBundle.httpHooks,\n\t\t\tvfs: {\n\t\t\t\tfuseMount: '/data',\n\t\t\t\tmounts: createVfsMounts(options.vfsMounts, dependencies),\n\t\t\t},\n\t\t\t...(hasTcpHosts\n\t\t\t\t? {\n\t\t\t\t\t\tdns: {\n\t\t\t\t\t\t\tmode: 'synthetic',\n\t\t\t\t\t\t\tsyntheticIPv4: SYNTHETIC_DNS_IPV4_BENCHMARK,\n\t\t\t\t\t\t\tsyntheticIPv6: SYNTHETIC_DNS_IPV6_IPV4_MAPPED_BENCHMARK,\n\t\t\t\t\t\t\tsyntheticHostMapping: 'per-host',\n\t\t\t\t\t\t},\n\t\t\t\t\t\ttcp: {\n\t\t\t\t\t\t\thosts: options.tcpHosts,\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t: {}),\n\t\t});\n\t} catch (error) {\n\t\tclosePinnedRealFsRootsAfterFailure(pinnedRealFsRoots, dependencies);\n\t\tthrow error;\n\t}\n\n\treturn {\n\t\tfs: vmInstance.fs,\n\t\tid: vmInstance.id,\n\t\texec(command: ManagedExecInput, execOptions?: ManagedExecOptions): ManagedExecProcess {\n\t\t\tconst normalizedCommand = typeof command === 'string' ? command : [...command];\n\t\t\treturn vmInstance.exec(normalizedCommand, execOptions);\n\t\t},\n\t\tasync enableSsh(sshOptions?: EnableSshOptions): Promise<SshAccess> {\n\t\t\treturn await vmInstance.enableSsh(sshOptions);\n\t\t},\n\t\tasync enableIngress(ingressOptions?: EnableIngressOptions): Promise<IngressAccess> {\n\t\t\treturn await vmInstance.enableIngress(resolveManagedVmIngressOptions(ingressOptions));\n\t\t},\n\t\tgetHostPid(): number | null {\n\t\t\treturn vmInstance.getHostPid?.() ?? null;\n\t\t},\n\t\tgetVmInstance(): ManagedVmInstance {\n\t\t\treturn vmInstance;\n\t\t},\n\t\tsetIngressRoutes(routes: readonly IngressRoute[]): void {\n\t\t\tvmInstance.setIngressRoutes(routes);\n\t\t},\n\t\tasync close(): Promise<void> {\n\t\t\tlet closeError: unknown;\n\t\t\ttry {\n\t\t\t\tawait vmInstance.close();\n\t\t\t} catch (error) {\n\t\t\t\tcloseError = error;\n\t\t\t}\n\t\t\ttry {\n\t\t\t\tclosePinnedRealFsRoots(pinnedRealFsRoots, dependencies);\n\t\t\t} catch (error) {\n\t\t\t\tcloseError ??= error;\n\t\t\t}\n\t\t\tif (closeError !== undefined) {\n\t\t\t\tthrow closeError;\n\t\t\t}\n\t\t},\n\t};\n}\n","import fs from 'node:fs/promises';\nimport path from 'node:path';\n\nexport interface VolumeConfigEntry {\n\treadonly guestPath: string;\n}\n\nexport interface ResolvedVolume {\n\treadonly hostDir: string;\n\treadonly guestPath: string;\n}\n\nexport async function ensureVolumeDir(\n\tcacheBase: string,\n\tworkspaceHash: string,\n\tvolumeName: string,\n): Promise<string> {\n\tconst volumeDirectory = path.join(cacheBase, workspaceHash, volumeName);\n\tawait fs.mkdir(volumeDirectory, { recursive: true });\n\treturn volumeDirectory;\n}\n\nexport async function resolveVolumeDirs(\n\tcacheBase: string,\n\tworkspaceHash: string,\n\tvolumes: Readonly<Record<string, VolumeConfigEntry>>,\n): Promise<Record<string, ResolvedVolume>> {\n\tconst resolvedVolumeEntries = await Promise.all(\n\t\tObject.entries(volumes).map(\n\t\t\tasync ([volumeName, volumeConfig]) =>\n\t\t\t\t[\n\t\t\t\t\tvolumeName,\n\t\t\t\t\t{\n\t\t\t\t\t\tguestPath: volumeConfig.guestPath,\n\t\t\t\t\t\thostDir: await ensureVolumeDir(cacheBase, workspaceHash, volumeName),\n\t\t\t\t\t},\n\t\t\t\t] satisfies readonly [string, ResolvedVolume],\n\t\t),\n\t);\n\n\treturn Object.fromEntries(resolvedVolumeEntries);\n}\n","import fs from 'node:fs/promises';\n\nexport async function writeFileAtomically(\n\tfilePath: string,\n\tcontent: string,\n\toptions: {\n\t\treadonly mode?: number;\n\t} = {},\n): Promise<void> {\n\tconst temporaryFilePath = `${filePath}.${process.pid}.${Date.now()}.tmp`;\n\tawait fs.writeFile(temporaryFilePath, content, {\n\t\tencoding: 'utf8',\n\t\t...(options.mode ? { mode: options.mode } : {}),\n\t});\n\ttry {\n\t\tawait fs.rename(temporaryFilePath, filePath);\n\t} catch (renameError) {\n\t\ttry {\n\t\t\tawait fs.rm(temporaryFilePath, { force: true });\n\t\t} catch (cleanupError) {\n\t\t\tthrow new Error(\n\t\t\t\t`Failed to replace '${filePath}' (${renameError instanceof Error ? renameError.message : JSON.stringify(renameError)}) and failed to remove temporary file '${temporaryFilePath}': ${cleanupError instanceof Error ? cleanupError.message : JSON.stringify(cleanupError)}`,\n\t\t\t\t{ cause: cleanupError },\n\t\t\t);\n\t\t}\n\t\tthrow renameError;\n\t}\n}\n"],"mappings":";;;;;;;;;;AAKA,MAAa,+BAA+B;;;;;;;;;;;AA+B5C,SAAS,uBAAuB,UAAkB,WAAuC;CACxF,OAAO,KAAK,WAAW,SAAS,GAAG,WAAW,KAAK,QAAQ,aAAa,QAAQ,KAAK,EAAE,SAAS;;AAGjG,eAAe,4BACd,aACA,WAC8B;CAC9B,MAAM,0BAA0B,YAAY,MAAM;CAClD,IAAI,CAAC,yBACJ;CAGD,MAAM,0BAA0B,uBAAuB,yBAAyB,UAAU;CAC1F,IAAI;EACH,OAAO,MAAM,GAAG,SAAS,yBAAyB,OAAO;UACjD,OAAO;EACf,MAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM;EACtE,MAAM,IAAI,MACT,8CAA8C,wBAAwB,KAAK,WAC3E,EAAE,OAAO,OAAO,CAChB;;;AAIH,SAAS,uBAAuB,yBAAqD;CACpF,OAAO,0BACJ,GAAG,6BAA6B,SAAS,CAAC,MAAM,4BAChD;;AAGJ,eAAsB,uBACrB,SACmC;CACnC,MAAM,0BAA0B,MAAM,4BACrC,QAAQ,aACR,QAAQ,UACR;CAED,OAAO;EACN,SAAS,uBAAuB,wBAAwB;EACxD,kBAAkB;GACjB,wBAAwB;GACxB,GAAI,4BAA4B,KAAA,IAC7B,EAAE,GACF,EAAE,2BAA2B,yBAAyB;GACzD;EACD;;AAGF,eAAsB,6CACrB,SACuB;CACvB,MAAM,sBAAsB,KAAK,KAAK,QAAQ,WAAW,gCAAgC;CAEzF,MAAM,GAAG,UAAU,qBAAqB,QAAQ,wBAAwB;EACvE,UAAU;EACV,MAAM;EACN,CAAC;CAEF,OAAO;EACN,GAAG,QAAQ;EACX,MAAM;GACL,GAAG,QAAQ,YAAY;GACvB,iBAAiB;GACjB;EACD;;;;ACpEF,MAAa,2BAA2B;CACvC;CACA;CACA;CACA;CACA;AAaD,MAAM,sCAAsB,IAAI,KAAwC;AACxE,MAAM,4BAA4B;AAElC,SAAS,SAAS,OAAkD;CACnE,OAAO,OAAO,UAAU,YAAY,UAAU;;AAG/C,SAAS,gBAAgB,OAAwB;CAChD,IAAI,MAAM,QAAQ,MAAM,EACvB,OAAO,IAAI,MAAM,KAAK,UAAU,gBAAgB,MAAM,CAAC,CAAC,KAAK,IAAI,CAAC;CAGnE,IAAI,SAAS,MAAM,EAIlB,OAAO,IAHe,OAAO,QAAQ,MAAM,CACzC,QAAQ,GAAG,gBAAgB,eAAe,KAAA,EAAU,CACpD,UAAU,CAAC,UAAU,CAAC,cAAc,QAAQ,cAAc,SAAS,CAC7C,CACtB,KAAK,CAAC,UAAU,gBAAgB,GAAG,KAAK,UAAU,SAAS,CAAC,GAAG,gBAAgB,WAAW,GAAG,CAC7F,KAAK,IAAI,CAAC;CAGb,OAAO,KAAK,UAAU,MAAM;;AAG7B,SAAS,mBAAmB,OAAyB;CACpD,OAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,UAAU,SAAS,MAAM,SAAS;;AAGzF,eAAe,WAAW,UAAoC;CAC7D,IAAI;EACH,MAAM,GAAG,OAAO,SAAS;EACzB,OAAO;UACC,OAAO;EACf,IAAI,CAAC,mBAAmB,MAAM,EAC7B,MAAM;EAEP,OAAO;;;AAIT,eAAsB,oBAAoB,qBAA+C;CACxF,KAAK,MAAM,YAAY,0BAEtB,IAAI,CAAE,MAAM,WAAW,KAAK,KAAK,qBAAqB,SAAS,CAAC,EAC/D,OAAO;CAGT,OAAO;;AAGR,eAAe,kBAQb;CACD,MAAM,iBAAiB,MAAM,OAAO;CACpC,OAAO,OACN,aACA,iBACA,WACA,SACA,YAEA,MAAM,eAAe,YAAY,aAAa;EAC7C,WAAW;EACX,SAAS,WAAW;EACpB,GAAI,YAAY,EAAE,WAAW,GAAG,EAAE;EAClC,GAAI,UAAU,EAAE,SAAS,GAAG,EAAE;EAC9B,CAAwB;;AAG3B,SAAS,sBAAsB,QAAkD;CAChF,SACC,OACA,oBACA,aACa;EACb,MAAM,gBAAgB,OAAO,uBAAuB,aAAa,qBAAqB;EACtF,MAAM,QAAQ,OAAO,MAAM,MAAM;EACjC,iBAAiB;EACjB,OAAO;;;AAIT,eAAe,wBACd,QACA,IACmB;CACnB,IAAI,CAAC,QACJ,OAAO,MAAM,IAAI;CAGlB,MAAM,sBAAsB,QAAQ,OAAO,MAAM,KAAK,QAAQ,OAAO;CACrE,MAAM,sBAAsB,QAAQ,OAAO,MAAM,KAAK,QAAQ,OAAO;CACrE,MAAM,aAAa,QAAQ,IAAI;CAC/B,MAAM,kBAAkB,sBAAsB,OAAO;CAErD,QAAQ,OAAO,QAAQ;CACvB,QAAQ,OAAO,QAAQ;CACvB,QAAQ,IAAI,KAAK;CAEjB,IAAI;EACH,OAAO,MAAM,IAAI;WACR;EACT,QAAQ,OAAO,QAAQ;EACvB,QAAQ,OAAO,QAAQ;EACvB,IAAI,eAAe,KAAA,GAClB,OAAO,QAAQ,IAAI;OAEnB,QAAQ,IAAI,KAAK;;;AAKpB,SAAgB,wBACf,aACA,kBAA0B,WAC1B,kBACS;CACT,MAAM,UACL,qBAAqB,KAAA,IAClB,GAAG,gBAAgB,YAAY,CAAC,GAAG,oBACnC,GAAG,gBAAgB,YAAY,CAAC,GAAG,gBAAgB,GAAG,gBAAgB,iBAAiB;CAE3F,OAAO,OAAO,WAAW,SAAS,CAAC,OAAO,QAAQ,CAAC,OAAO,MAAM,CAAC,MAAM,GAAG,GAAG;;AAG9E,eAAsB,iCAAiC,SAQpD;CACF,MAAM,0BAA0B,MAAM,uBAAuB;EAC5D,aAAa,QAAQ;EACrB,GAAI,QAAQ,YAAY,EAAE,WAAW,QAAQ,WAAW,GAAG,EAAE;EAC7D,CAAC;CAQF,OAAO;EACN,aARmB,wBAAwB,QAAQ,aAAa,QAAQ,iBAAiB;GACzF,wBAAwB,wBAAwB;GAChD,GAAI,QAAQ,qBAAqB,KAAA,IAC9B,EAAE,GACF,EAAE,wBAAwB,QAAQ,kBAAkB;GACvD,CAGW;EACX,wBAAwB,wBAAwB;EAChD;;AAGF,eAAsB,WACrB,SACA,eAA0C,EAAE,EAChB;CAC5B,MAAM,4BAA4B,MAAM,iCAAiC;EACxE,aAAa,QAAQ;EACrB,GAAI,QAAQ,YAAY,EAAE,WAAW,QAAQ,WAAW,GAAG,EAAE;EAC7D,GAAI,QAAQ,qBAAqB,KAAA,IAC9B,EAAE,GACF,EAAE,kBAAkB,QAAQ,kBAAkB;EACjD,GAAI,aAAa,kBAAkB,EAAE,iBAAiB,aAAa,iBAAiB,GAAG,EAAE;EACzF,CAAC;CACF,MAAM,cAAc,0BAA0B;CAC9C,MAAM,YAAY,KAAK,KAAK,QAAQ,UAAU,YAAY;CAC1D,MAAM,2BAA2B,YAAuC;EACvE,IAAI,QAAQ,WACX,MAAM,GAAG,GAAG,WAAW;GAAE,WAAW;GAAM,OAAO;GAAM,CAAC;EAGzD,IAAI,MAAM,oBAAoB,UAAU,EACvC,OAAO;GACN,OAAO;GACP;GACA;GACA;EAGF,MAAM,GAAG,MAAM,WAAW,EAAE,WAAW,MAAM,CAAC;EAC9C,MAAM,4BAA4B,aAAa,eAAgB,MAAM,iBAAiB;EACtF,MAAM,uBAAuB,MAAM,6CAA6C;GAC/E,aAAa,QAAQ;GACrB;GACA,wBAAwB,0BAA0B;GAClD,CAAC;EACF,MAAM,kBAAkB,KAAK,KAAK,WAAW,0BAA0B;EACvE,MAAM,GAAG,GAAG,iBAAiB;GAAE,WAAW;GAAM,OAAO;GAAM,CAAC;EAC9D,IAAI;GACH,MAAM,wBAAwB,QAAQ,QAAQ,YAAY;IACzD,MAAM,0BACL,sBACA,WACA,QAAQ,WACR,iBACA,QAAQ,WAAW,KAAA,EACnB;KACA;YACO;GACT,MAAM,GAAG,GAAG,iBAAiB;IAAE,WAAW;IAAM,OAAO;IAAM,CAAC;;EAG/D,IAAI,CAAE,MAAM,oBAAoB,UAAU,EACzC,MAAM,IAAI,MAAM,6CAA6C,UAAU,GAAG;EAG3E,OAAO;GACN,OAAO;GACP;GACA;GACA;;CAGF,IAAI,QAAQ,QACX,OAAO,MAAM,0BAA0B;CAGxC,MAAM,cAAc,KAAK,QAAQ,UAAU;CAC3C,MAAM,gBAAgB,oBAAoB,IAAI,YAAY;CAC1D,IAAI,eACH,OAAO,MAAM;CAEd,MAAM,eAAe,0BAA0B;CAC/C,oBAAoB,IAAI,aAAa,aAAa;CAClD,IAAI;EACH,OAAO,MAAM;WACJ;EACT,IAAI,oBAAoB,IAAI,YAAY,KAAK,cAC5C,oBAAoB,OAAO,YAAY;;;;;ACvR1C,MAAM,kBAAkB,cAAc,OAAO,KAAK,IAAI;AAEtD,MAAM,4BAA4B,EAAE,OAAO,EAC1C,SAAS,EAAE,QAAQ,CAAC,IAAI,EAAE,EAC1B,CAAC;AAEF,SAAS,mBAAmB,OAAyB;CACpD,OAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,UAAU,SAAS,MAAM,SAAS;;AAGzF,SAAS,gBAAgB,OAAwB;CAChD,OAAO,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM;;AAG9D,SAAgB,uBAAuB,aAA6B;CACnE,MAAM,QAAQ,YAAY,MAAM,yCAAyC;CACzE,IAAI,CAAC,OACJ,MAAM,IAAI,MACT,uGACA;CAGF,MAAM,UAAU,MAAM;CACtB,IAAI,CAAC,SACJ,MAAM,IAAI,MAAM,gCAAgC;CAEjD,OAAO;;AAGR,SAAgB,iCAAyC;CACxD,OAAO,gBAAgB,QAAQ,wCAAwC;;AAGxE,eAAsB,6BAA8C;CACnE,MAAM,kBAAkB,gCAAgC;CACxD,MAAM,SAAkB,KAAK,MAAM,MAAM,GAAG,SAAS,iBAAiB,OAAO,CAAC;CAE9E,OAAO,4BADa,0BAA0B,MAAM,OACN,CAAC;;AAOhD,eAAe,gCAAiD;CAC/D,MAAM,kBAAkB,gCAAgC;CACxD,OAAO,KAAK,KAAK,KAAK,QAAQ,gBAAgB,EAAE,QAAQ,SAAS,gBAAgB;;AAGlF,eAAsB,iCACrB,UAAmD,EAAE,EACnC;CAClB,MAAM,UAAU,QAAQ,mBAAoB,MAAM,+BAA+B;CACjF,IAAI;CACJ,IAAI;EACH,cAAc,MAAM,GAAG,SAAS,SAAS,OAAO;UACxC,OAAO;EACf,IAAI,mBAAmB,MAAM,EAC5B,MAAM,IAAI,MAAM,sCAAsC,QAAQ,KAAK,EAAE,OAAO,OAAO,CAAC;EAErF,MAAM,IAAI,MACT,6CAA6C,QAAQ,KAAK,gBAAgB,MAAM,IAChF,EAAE,OAAO,OAAO,CAChB;;CAGF,IAAI;EACH,OAAO,uBAAuB,YAAY;UAClC,OAAO;EACf,MAAM,IAAI,MACT,8CAA8C,QAAQ,KAAK,gBAAgB,MAAM,IACjF,EAAE,OAAO,OAAO,CAChB;;;;;;;;;;;AC3DH,SAAgB,6BACf,eAAgD,EAAE,EACtB;CAC5B,MAAM,wBACL,2BAA2B,eACxB,aAAa,wBACb,IAAI;CACR,MAAM,6BACL,gCAAgC,eAC7B,aAAa,6BACb,IAAI;CAER,IAAI,iBAA8D;CAClE,IAAI,OAAO,0BAA0B,YAAY;EAChD,sBAAsB,YAAY;EAClC,iBAAiB;;CAGlB,IAAI,mBAAkE;CACtE,IAAI,OAAO,+BAA+B,YAAY;EACrD,2BAA2B,MAAM;EACjC,mBAAmB;;CAGpB,OAAO;EACN;EACA;EACA;;;;AC3CF,MAAM,2BAA2B;CAChC;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;AAYD,SAAS,wBAAwB,UAAqC;CACrE,OAAO;EACN,KAAK,KAAK,UAAU,OAAO;EAC3B,KAAK,KAAK,UAAU,UAAU;EAC9B,KAAK,KAAK,UAAU,SAAS;EAC7B,KAAK,KAAK,UAAU,UAAU;EAC9B;;AAGF,SAAgB,sBAAsB,WAAmB,SAAyB;CACjF,IAAI,KAAK,WAAW,UAAU,EAC7B,OAAO,KAAK,QAAQ,UAAU;CAG/B,OAAO,KAAK,QAAQ,SAAS,UAAU;;AAGxC,SAAS,mBAAmB,eAAuB,YAA6B;CAC/E,MAAM,eAAe,KAAK,SAAS,YAAY,cAAc;CAC7D,OAAO,iBAAiB,MAAO,CAAC,aAAa,WAAW,KAAK,IAAI,CAAC,KAAK,WAAW,aAAa;;AAGhG,eAAe,kBAAkB,UAAmC;CACnE,MAAM,mBAAmB,KAAK,QAAQ,SAAS;CAE/C,IAAI;EACH,OAAO,MAAM,GAAG,SAAS,iBAAiB;SACnC;EACP,OAAO;;;AAIT,SAAS,aAAa,eAAuB,eAAgC;CAC5E,OACC,mBAAmB,eAAe,cAAc,IAChD,mBAAmB,eAAe,cAAc;;AAIlD,SAAgB,sBACf,WACA,QACA,SACO;CACP,MAAM,oBAAoB,sBAAsB,WAAW,QAAQ,QAAQ;CAC3E,MAAM,0BAA0B,OAAO,6BAA6B,KAAK,kBACxE,sBAAsB,eAAe,QAAQ,QAAQ,CACrD;CAKD,IAAI,CAHuB,wBAAwB,MAAM,kBACxD,mBAAmB,mBAAmB,cAAc,CAE9B,EACtB,MAAM,IAAI,MACT,8BAA8B,kBAAkB,mCAAmC,wBAAwB,KAAK,KAAK,CAAC,IACtH;CAGF,IAAI,CAAC,OAAO;MACuB,yBAAyB,MAAM,eAChE,mBAAmB,mBAAmB,WAAW,CAErB,EAC5B,MAAM,IAAI,MACT,8BAA8B,kBAAkB,4FAChD;;;AAKJ,eAAsB,2BACrB,QACA,SACgB;CAChB,MAAM,eAAe,OAAO,QAAQ,OAAO,YAAY;CACvD,KAAK,MAAM,CAAC,cAAc,cACzB,sBAAsB,WAAW,OAAO,eAAe,QAAQ;CAGhE,IAAI,OAAO,cAAc,gBACxB;CAGD,MAAM,2BAA2B,aAAa,QAAQ,GAAG,cAAc,KAAK,WAAW,SAAS,CAAC;CACjG,MAAM,CAAC,oBAAoB,qBAAqB,MAAM,QAAQ,IAAI,CACjE,QAAQ,IACP,wBAAwB,QAAQ,SAAS,CAAC,IACzC,OAAO,mBAAmB,MAAM,kBAAkB,eAAe,CACjE,CACD,EACD,QAAQ,IACP,yBAAyB,IAAI,OAAO,GAAG,cAAc,MAAM,kBAAkB,SAAS,CAAC,CACvF,CACD,CAAC;CAEF,KAAK,MAAM,4BAA4B,mBAKtC,IAJkC,mBAAmB,MAAM,mBAC1D,aAAa,0BAA0B,eAAe,CAG1B,EAC5B,MAAM,IAAI,MACT,uBAAuB,yBAAyB,gGAChD;;;;AC9GJ,SAAS,mBAAmB,MAAgC;CAC3D,OAAO,GAAG,KAAK,OAAO,GAAG,KAAK;;AAG/B,SAAS,sBAAsB,eAA+B;CAC7D,OAAOA,KAAG,SACT,eACAA,KAAG,UAAU,WAAWA,KAAG,UAAU,cAAcA,KAAG,UAAU,WAChE;;AAGF,SAAgB,cAAc,UAAoC;CACjE,IAAI,CAAC,YAAY,CAAC,KAAK,WAAW,SAAS,EAC1C,MAAM,IAAI,MAAM,yDAAyD,WAAW;CAGrF,MAAM,mBAAmB,KAAK,QAAQ,SAAS;CAC/C,MAAM,KAAK,sBAAsB,iBAAiB;CAClD,IAAI;EACH,MAAM,QAAQA,KAAG,UAAU,GAAG;EAC9B,IAAI,CAAC,MAAM,aAAa,EACvB,MAAM,IAAI,MAAM,0CAA0C,mBAAmB;EAE9E,MAAM,WAAWA,KAAG,aAAa,iBAAiB;EAClD,MAAM,gBAAgBA,KAAG,SAAS,SAAS;EAC3C,IAAI,cAAc,QAAQ,MAAM,OAAO,cAAc,QAAQ,MAAM,KAClE,MAAM,IAAI,MACT,6CAA6C,iBAAiB,UAAU,MAAM,IAAI,GAAG,MAAM,IAAI,mBAAmB,cAAc,IAAI,GAAG,cAAc,MACrJ;EAEF,OAAO;GACN,QAAQ,MAAM;GACd;GACA,UAAU;GACV,OAAO,MAAM;GACb;GACA;UACO,OAAO;EACf,KAAG,UAAU,GAAG;EAChB,MAAM;;;AAIR,SAAgB,sBAAsB,MAA8B;CACnE,KAAG,UAAU,KAAK,GAAG;;AAGtB,SAAgB,uBAAuB,MAA8B;CACpE,MAAM,cAAcA,KAAG,UAAU,KAAK,GAAG;CACzC,MAAM,eAAeA,KAAG,SAAS,KAAK,SAAS;CAC/C,IACC,YAAY,QAAQ,KAAK,UACzB,YAAY,QAAQ,KAAK,SACzB,aAAa,QAAQ,KAAK,UAC1B,aAAa,QAAQ,KAAK,OAE1B,MAAM,IAAI,MACT,mDAAmD,KAAK,SAAS,YAAY,mBAAmB,KAAK,CAAC,OAAO,aAAa,IAAI,GAAG,aAAa,MAC9I;;AAUH,SAAgB,2BACf,SACkB;CAClB,uBAAuB,QAAQ,KAAK;CACpC,MAAM,WAAW,QAAQ,qBAAqB,QAAQ,KAAK,SAAS;CAEpE,OAAO,IAAI,MAAM,UAAU,EAC1B,IAAI,QAAyB,UAA2B,UAA4B;EACnF,MAAM,QAAQ,QAAQ,IAAI,QAAQ,UAAU,SAAS;EACrD,IAAI,OAAO,UAAU,YACpB,OAAO;EAGR,QAAQ,GAAG,oBAAiD;GAC3D,uBAAuB,QAAQ,KAAK;GACpC,OAAO,QAAQ,MAAM,OAAyB,QAAQ,gBAAgB;;IAGxE,CAAC;;;;AClGH,SAAgB,kBAAkB,aAA6B;CAC9D,OAAO,YAAY,MAAM,CAAC,aAAa,CAAC,QAAQ,SAAS,GAAG;;AAG7D,SAAgB,aAAa,QAAqC;CACjE,MAAM,gCAAgB,IAAI,KAAa;CACvC,MAAM,mBAA6B,EAAE;CAErC,KAAK,MAAM,SAAS,QAAQ;EAC3B,MAAM,kBAAkB,kBAAkB,MAAM;EAChD,IAAI,gBAAgB,WAAW,KAAK,gBAAgB,WAAW,IAAI,EAClE;EAGD,IAAI,CAAC,cAAc,IAAI,gBAAgB,EAAE;GACxC,cAAc,IAAI,gBAAgB;GAClC,iBAAiB,KAAK,gBAAgB;;;CAIxC,OAAO;;AAGR,SAAgB,cAAc,SAAkC;CAC/D,OAAO,aAAa;EAAC,GAAG,QAAQ;EAAM,GAAG,QAAQ;EAAS,GAAG,QAAQ;EAAM,CAAC;;;;ACG7E,MAAa,+BAA+B;AAC5C,MAAa,2CAA2C;AACxD,MAAa,8DAA8D,MAAM,OAAO;AACxF,MAAa,wDAAwD;AACrE,MAAa,0DAA0D;AAEvE,MAAa,qCAAqC;CACjD,iBAAiB;CACjB,oBAAoB;CACpB,8BAA8B;CAC9B,yBAAyB;CACzB,2BAA2B;CAC3B;AA6FD,SAAS,4BAAmD;CAC3D,MAAM,+BAA+B,aACpC,IAAI,eAAe,SAAS;CAC7B,OAAO;EACN;EACA,UAAU,OAAO,cACf,MAAM,GAAG,OAAO,UAAU;EAC5B,kBAAkB,gBACjB,gBAAgB;GACf,cAAc,CAAC,GAAG,YAAY,aAAa;GAC3C,SAAS,OAAO,YACf,OAAO,QAAQ,YAAY,QAAQ,CAAC,KAAK,CAAC,YAAY,gBAAgB,CACrE,YACA;IACC,OAAO,CAAC,GAAG,WAAW,MAAM;IAC5B,OAAO,WAAW;IAClB,CACD,CAAC,CACF;GACD,GAAI,YAAY,YAAY,EAAE,WAAW,YAAY,WAAW,GAAG,EAAE;GACrE,GAAI,YAAY,aAAa,EAAE,YAAY,YAAY,YAAY,GAAG,EAAE;GACxE,CAAC;EACH;EACA,6BAA6B,SAC5B,2BAA2B;GAC1B,sBAAsB;GACtB;GACA,CAAC;EACH,sBAAsB;EACtB,yBAAyB,aACxB,IAAI,iBAAiB,SAAS;EAC/B,4BAA6C,IAAI,gBAAgB;EACjE,uBACC,UACA,kBACqB,IAAI,eAAe,UAAU,cAAc;EACjE,4BAA4B,UAC3B,0BAA0B,CAAC,GAAG,MAAM,CAAC;EACtC;;AAIF,SAAS,oBAAoB,WAA2B;CACvD,MAAM,cAAc,UAAU,MAAM;CACpC,IAAI,YAAY,WAAW,IAAI,EAC9B,OAAO;CAIR,OAAO,IADc,YAAY,WAAW,KAAK,GAAG,YAAY,MAAM,EAAY,GAAG;;AAItF,SAAS,4BACR,WACA,cACA,WACkB;CAClB,IAAI,UAAU,gBACb,OAAO,aAAa,2BAA2B,UAAU,eAAe;CAEzE,IAAI,UAAU,UACb,OAAO,aAAa,qBAAqB,UAAU,SAAS;CAG7D,MAAM,IAAI,MAAM,GAAG,UAAU,4CAA4C;;AAG1E,SAAS,uBACR,WACA,cACkB;CAClB,QAAQ,UAAU,MAAlB;EACC,KAAK,UACJ,OAAO,aAAa,sBAAsB;EAC3C,KAAK,UACJ,OAAO,4BAA4B,WAAW,cAAc,SAAS;EAEtE,KAAK,mBACJ,OAAO,aAAa,uBACnB,4BAA4B,WAAW,cAAc,kBAAkB,CACvE;EAEF,KAAK,UAAU;GAMd,IAAI,iBAJH,UAAU,YAAY,UAAU,iBAC7B,4BAA4B,WAAW,cAAc,SAAS,GAC9D,aAAa,sBAAsB;GAGvC,MAAM,eAAe,UAAU;GAE/B,IAAI,cAAc,KAAK,QACtB,iBAAiB,aAAa,qBAAqB,gBAAgB;IAClE,cAAc,aAAa,0BAC1B,aAAa,KAAK,KAAK,eAAe,oBAAoB,WAAW,CAAC,CACtE;IACD,WAAW;IACX,CAAC;GAGH,IAAI,cAAc,MAAM,QACvB,iBAAiB,aAAa,qBAAqB,gBAAgB;IAClE,cAAc,aAAa,0BAC1B,aAAa,MAAM,KAAK,eAAe,oBAAoB,WAAW,CAAC,CACvE;IACD,WAAW;IACX,CAAC;GAGH,OAAO;;EAER,SACC,MAAM,IAAI,MAAM,+BAA+B,OAAO,UAAU,KAAK,GAAG;;;AAK3E,SAAS,gBACR,WACA,cACkC;CAClC,MAAM,WAA4C,EAAE;CAEpD,KAAK,MAAM,CAAC,WAAW,cAAc,OAAO,QAAQ,UAAU,EAC7D,SAAS,aAAa,uBAAuB,WAAW,aAAa;CAGtE,OAAO;;AAGR,SAAS,yBACR,WAC8B;CAC9B,MAAM,wBAAQ,IAAI,KAA+B;CACjD,KAAK,MAAM,aAAa,OAAO,OAAO,UAAU,EAC/C,IAAI,UAAU,gBACb,MAAM,IAAI,UAAU,eAAe,IAAI,UAAU,eAAe;CAGlE,OAAO,CAAC,GAAG,MAAM,QAAQ,CAAC;;AAG3B,SAAS,uBACR,OACA,cACO;CACP,KAAK,MAAM,QAAQ,OAClB,aAAa,sBAAsB,KAAK;;AAI1C,SAAS,mCACR,OACA,cACO;CACP,IAAI;EACH,uBAAuB,OAAO,aAAa;SACpC;;AAMT,SAAS,+BACR,iBAAuC,EAAE,EAClB;CACvB,MAAM,kBAAwC,EAC7C,GAAG,oCACH;CAED,IAAI,eAAe,eAAe,KAAA,GACjC,gBAAgB,aAAa,eAAe;CAE7C,IAAI,eAAe,eAAe,KAAA,GACjC,gBAAgB,aAAa,eAAe;CAE7C,IAAI,eAAe,oBAAoB,KAAA,GACtC,gBAAgB,kBAAkB,eAAe;CAElD,IAAI,eAAe,UAAU,KAAA,GAC5B,gBAAgB,QAAQ,eAAe;CAExC,IAAI,eAAe,uBAAuB,KAAA,GACzC,gBAAgB,qBAAqB,eAAe;CAErD,IAAI,eAAe,iCAAiC,KAAA,GACnD,gBAAgB,+BAA+B,eAAe;CAE/D,IAAI,eAAe,4BAA4B,KAAA,GAC9C,gBAAgB,0BAA0B,eAAe;CAE1D,IAAI,eAAe,8BAA8B,KAAA,GAChD,gBAAgB,4BAA4B,eAAe;CAG5D,OAAO;;AAGR,eAAsB,gBACrB,SACA,eAAsC,2BAA2B,EAC5C;CACrB,aAAa,gCAAgC;CAC7C,MAAM,cAAc,QAAQ,YAAY,OAAO,KAAK,QAAQ,SAAS,CAAC,SAAS;CAC/E,MAAM,oBAAoB,yBAAyB,QAAQ,UAAU;CACrE,IAAI;CACJ,IAAI;EACH,MAAM,aAAa,aAAa,gBAAgB;GAC/C,cAAc,QAAQ;GACtB,SAAS,QAAQ;GACjB,GAAI,QAAQ,YAAY,EAAE,WAAW,QAAQ,WAAW,GAAG,EAAE;GAC7D,GAAI,QAAQ,aAAa,EAAE,YAAY,QAAQ,YAAY,GAAG,EAAE;GAChE,CAAC;EACF,aAAa,MAAM,aAAa,SAAS;GACxC,GAAI,QAAQ,UAAU,SAAS,IAAI,EAAE,SAAS,EAAE,WAAW,QAAQ,WAAW,EAAE,GAAG,EAAE;GACrF,GAAI,QAAQ,eAAe,EAAE,cAAc,QAAQ,cAAc,GAAG,EAAE;GACtE,QAAQ;IACP,MAAM,QAAQ;IACd,GAAI,QAAQ,sBAAsB,KAAA,IAAY,EAAE,GAAG,EAAE,MAAM,QAAQ,mBAAmB;IACtF;GACD,QAAQ,QAAQ;GAChB,MAAM,QAAQ;GACd,KAAK;IACJ,GAAG,WAAW;IACd,GAAG,QAAQ;IACX;GACD,WAAW,WAAW;GACtB,KAAK;IACJ,WAAW;IACX,QAAQ,gBAAgB,QAAQ,WAAW,aAAa;IACxD;GACD,GAAI,cACD;IACA,KAAK;KACJ,MAAM;KACN,eAAe;KACf,eAAe;KACf,sBAAsB;KACtB;IACD,KAAK,EACJ,OAAO,QAAQ,UACf;IACD,GACA,EAAE;GACL,CAAC;UACM,OAAO;EACf,mCAAmC,mBAAmB,aAAa;EACnE,MAAM;;CAGP,OAAO;EACN,IAAI,WAAW;EACf,IAAI,WAAW;EACf,KAAK,SAA2B,aAAsD;GACrF,MAAM,oBAAoB,OAAO,YAAY,WAAW,UAAU,CAAC,GAAG,QAAQ;GAC9E,OAAO,WAAW,KAAK,mBAAmB,YAAY;;EAEvD,MAAM,UAAU,YAAmD;GAClE,OAAO,MAAM,WAAW,UAAU,WAAW;;EAE9C,MAAM,cAAc,gBAA+D;GAClF,OAAO,MAAM,WAAW,cAAc,+BAA+B,eAAe,CAAC;;EAEtF,aAA4B;GAC3B,OAAO,WAAW,cAAc,IAAI;;EAErC,gBAAmC;GAClC,OAAO;;EAER,iBAAiB,QAAuC;GACvD,WAAW,iBAAiB,OAAO;;EAEpC,MAAM,QAAuB;GAC5B,IAAI;GACJ,IAAI;IACH,MAAM,WAAW,OAAO;YAChB,OAAO;IACf,aAAa;;GAEd,IAAI;IACH,uBAAuB,mBAAmB,aAAa;YAC/C,OAAO;IACf,eAAe;;GAEhB,IAAI,eAAe,KAAA,GAClB,MAAM;;EAGR;;;;AC9ZF,eAAsB,gBACrB,WACA,eACA,YACkB;CAClB,MAAM,kBAAkB,KAAK,KAAK,WAAW,eAAe,WAAW;CACvE,MAAM,GAAG,MAAM,iBAAiB,EAAE,WAAW,MAAM,CAAC;CACpD,OAAO;;AAGR,eAAsB,kBACrB,WACA,eACA,SAC0C;CAC1C,MAAM,wBAAwB,MAAM,QAAQ,IAC3C,OAAO,QAAQ,QAAQ,CAAC,IACvB,OAAO,CAAC,YAAY,kBACnB,CACC,YACA;EACC,WAAW,aAAa;EACxB,SAAS,MAAM,gBAAgB,WAAW,eAAe,WAAW;EACpE,CACD,CACF,CACD;CAED,OAAO,OAAO,YAAY,sBAAsB;;;;ACtCjD,eAAsB,oBACrB,UACA,SACA,UAEI,EAAE,EACU;CAChB,MAAM,oBAAoB,GAAG,SAAS,GAAG,QAAQ,IAAI,GAAG,KAAK,KAAK,CAAC;CACnE,MAAM,GAAG,UAAU,mBAAmB,SAAS;EAC9C,UAAU;EACV,GAAI,QAAQ,OAAO,EAAE,MAAM,QAAQ,MAAM,GAAG,EAAE;EAC9C,CAAC;CACF,IAAI;EACH,MAAM,GAAG,OAAO,mBAAmB,SAAS;UACpC,aAAa;EACrB,IAAI;GACH,MAAM,GAAG,GAAG,mBAAmB,EAAE,OAAO,MAAM,CAAC;WACvC,cAAc;GACtB,MAAM,IAAI,MACT,sBAAsB,SAAS,KAAK,uBAAuB,QAAQ,YAAY,UAAU,KAAK,UAAU,YAAY,CAAC,yCAAyC,kBAAkB,KAAK,wBAAwB,QAAQ,aAAa,UAAU,KAAK,UAAU,aAAa,IACxQ,EAAE,OAAO,cAAc,CACvB;;EAEF,MAAM"}
1
+ {"version":3,"file":"index.js","names":["net","fs"],"sources":["../src/rootfs-init-extra.ts","../src/build-pipeline.ts","../src/gondolin-package.ts","../src/host-network-defaults.ts","../src/mount-policy.ts","../src/pinned-realfs.ts","../src/policy-compiler.ts","../src/vm-adapter.ts","../src/volume-manager.ts","../src/write-file-atomically.ts"],"sourcesContent":["import fs from 'node:fs/promises';\nimport path from 'node:path';\n\nimport type { BuildConfig } from '@earendil-works/gondolin';\n\nexport const agentVmRootfsInitExtraScript = `# Generated by agent-vm.\n# Gondolin mounts devtmpfs over /dev at boot, so Docker-image /dev symlinks are hidden.\nmkdir -p /dev\nln -sfn /proc/self/fd /dev/fd 2>/dev/null || true\nln -sfn /proc/self/fd/0 /dev/stdin 2>/dev/null || true\nln -sfn /proc/self/fd/1 /dev/stdout 2>/dev/null || true\nln -sfn /proc/self/fd/2 /dev/stderr 2>/dev/null || true\nif [ ! -e /dev/ptmx ] && [ -e /dev/pts/ptmx ]; then\n ln -sfn pts/ptmx /dev/ptmx 2>/dev/null || true\nfi\n`;\n\ninterface PrepareRootfsInitExtraOptions {\n\treadonly buildConfig: BuildConfig;\n\treadonly imagePath: string;\n\treadonly rootfsInitExtraContent: string;\n}\n\ninterface ResolveRootfsInitExtraOptions {\n\treadonly buildConfig: BuildConfig;\n\treadonly configDir?: string;\n}\n\nexport interface ResolvedRootfsInitExtra {\n\treadonly content: string;\n\treadonly fingerprintInput: {\n\t\treadonly agentVmRootfsInitExtra: string;\n\t\treadonly deploymentRootfsInitExtra?: string;\n\t};\n}\n\nfunction resolveBuildConfigPath(filePath: string, configDir: string | undefined): string {\n\treturn path.isAbsolute(filePath) ? filePath : path.resolve(configDir ?? process.cwd(), filePath);\n}\n\nasync function readExistingRootfsInitExtra(\n\tbuildConfig: BuildConfig,\n\tconfigDir: string | undefined,\n): Promise<string | undefined> {\n\tconst existingRootfsInitExtra = buildConfig.init?.rootfsInitExtra;\n\tif (!existingRootfsInitExtra) {\n\t\treturn undefined;\n\t}\n\n\tconst resolvedRootfsInitExtra = resolveBuildConfigPath(existingRootfsInitExtra, configDir);\n\ttry {\n\t\treturn await fs.readFile(resolvedRootfsInitExtra, 'utf8');\n\t} catch (error) {\n\t\tconst message = error instanceof Error ? error.message : String(error);\n\t\tthrow new Error(\n\t\t\t`Failed to read Gondolin rootfs init extra '${resolvedRootfsInitExtra}': ${message}`,\n\t\t\t{ cause: error },\n\t\t);\n\t}\n}\n\nfunction composeRootfsInitExtra(existingRootfsInitExtra: string | undefined): string {\n\treturn existingRootfsInitExtra\n\t\t? `${agentVmRootfsInitExtraScript.trimEnd()}\\n\\n${existingRootfsInitExtra}`\n\t\t: agentVmRootfsInitExtraScript;\n}\n\nexport async function resolveRootfsInitExtra(\n\toptions: ResolveRootfsInitExtraOptions,\n): Promise<ResolvedRootfsInitExtra> {\n\tconst existingRootfsInitExtra = await readExistingRootfsInitExtra(\n\t\toptions.buildConfig,\n\t\toptions.configDir,\n\t);\n\n\treturn {\n\t\tcontent: composeRootfsInitExtra(existingRootfsInitExtra),\n\t\tfingerprintInput: {\n\t\t\tagentVmRootfsInitExtra: agentVmRootfsInitExtraScript,\n\t\t\t...(existingRootfsInitExtra === undefined\n\t\t\t\t? {}\n\t\t\t\t: { deploymentRootfsInitExtra: existingRootfsInitExtra }),\n\t\t},\n\t};\n}\n\nexport async function prepareBuildConfigWithAgentVmRootfsInitExtra(\n\toptions: PrepareRootfsInitExtraOptions,\n): Promise<BuildConfig> {\n\tconst rootfsInitExtraPath = path.join(options.imagePath, 'agent-vm-rootfs-init-extra.sh');\n\n\tawait fs.writeFile(rootfsInitExtraPath, options.rootfsInitExtraContent, {\n\t\tencoding: 'utf8',\n\t\tmode: 0o755,\n\t});\n\n\treturn {\n\t\t...options.buildConfig,\n\t\tinit: {\n\t\t\t...options.buildConfig.init,\n\t\t\trootfsInitExtra: rootfsInitExtraPath,\n\t\t},\n\t};\n}\n","import crypto from 'node:crypto';\nimport fs from 'node:fs/promises';\nimport path from 'node:path';\n\nimport type { BuildConfig, BuildOptions } from '@earendil-works/gondolin';\n\nimport {\n\tprepareBuildConfigWithAgentVmRootfsInitExtra,\n\tresolveRootfsInitExtra,\n} from './rootfs-init-extra.js';\n\nexport type { BuildConfig } from '@earendil-works/gondolin';\n\nexport interface BuildImageOptions {\n\treadonly buildConfig: BuildConfig;\n\treadonly cacheDir: string;\n\t/** Directory to resolve relative paths in buildConfig (e.g. postBuild.copy.src).\n\t * Defaults to process.cwd() if not provided. */\n\treadonly configDir?: string;\n\treadonly fullReset?: boolean;\n\treadonly fingerprintInput?: unknown;\n\treadonly output?: BuildOutput;\n}\n\nexport interface BuildOutput {\n\twrite(chunk: string | Uint8Array): boolean;\n}\n\nexport interface BuildImageResult {\n\treadonly built: boolean;\n\treadonly fingerprint: string;\n\treadonly imagePath: string;\n}\n\nexport const buildImageAssetFileNames = [\n\t'manifest.json',\n\t'rootfs.ext4',\n\t'initramfs.cpio.lz4',\n\t'vmlinuz-virt',\n] as const;\n\ninterface BuildPipelineDependencies {\n\treadonly buildAssets?: (\n\t\tbuildConfig: BuildConfig,\n\t\toutputDirectory: string,\n\t\tconfigDir?: string,\n\t\tworkDir?: string,\n\t\tverbose?: boolean,\n\t) => Promise<unknown>;\n\treadonly gondolinVersion?: string;\n}\n\nconst inFlightImageBuilds = new Map<string, Promise<BuildImageResult>>();\nconst gondolinWorkDirectoryName = '.agent-vm-gondolin-work';\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n\treturn typeof value === 'object' && value !== null;\n}\n\nfunction stableSerialize(value: unknown): string {\n\tif (Array.isArray(value)) {\n\t\treturn `[${value.map((entry) => stableSerialize(entry)).join(',')}]`;\n\t}\n\n\tif (isRecord(value)) {\n\t\tconst objectEntries = Object.entries(value)\n\t\t\t.filter(([, entryValue]) => entryValue !== undefined)\n\t\t\t.toSorted(([leftKey], [rightKey]) => leftKey.localeCompare(rightKey));\n\t\treturn `{${objectEntries\n\t\t\t.map(([entryKey, entryValue]) => `${JSON.stringify(entryKey)}:${stableSerialize(entryValue)}`)\n\t\t\t.join(',')}}`;\n\t}\n\n\treturn JSON.stringify(value);\n}\n\nfunction isMissingPathError(error: unknown): boolean {\n\treturn typeof error === 'object' && error !== null && 'code' in error && error.code === 'ENOENT';\n}\n\nasync function pathExists(filePath: string): Promise<boolean> {\n\ttry {\n\t\tawait fs.access(filePath);\n\t\treturn true;\n\t} catch (error) {\n\t\tif (!isMissingPathError(error)) {\n\t\t\tthrow error;\n\t\t}\n\t\treturn false;\n\t}\n}\n\nexport async function hasBuiltImageAssets(outputDirectoryPath: string): Promise<boolean> {\n\tfor (const fileName of buildImageAssetFileNames) {\n\t\t// oxlint-disable-next-line no-await-in-loop -- each missing file points at the same image generation\n\t\tif (!(await pathExists(path.join(outputDirectoryPath, fileName)))) {\n\t\t\treturn false;\n\t\t}\n\t}\n\treturn true;\n}\n\nasync function loadBuildAssets(): Promise<\n\t(\n\t\tbuildConfig: BuildConfig,\n\t\toutputDirectory: string,\n\t\tconfigDir?: string,\n\t\tworkDir?: string,\n\t\tverbose?: boolean,\n\t) => Promise<unknown>\n> {\n\tconst gondolinModule = await import('@earendil-works/gondolin');\n\treturn async (\n\t\tbuildConfig: BuildConfig,\n\t\toutputDirectory: string,\n\t\tconfigDir?: string,\n\t\tworkDir?: string,\n\t\tverbose?: boolean,\n\t): Promise<unknown> =>\n\t\tawait gondolinModule.buildAssets(buildConfig, {\n\t\t\toutputDir: outputDirectory,\n\t\t\tverbose: verbose ?? false,\n\t\t\t...(configDir ? { configDir } : {}),\n\t\t\t...(workDir ? { workDir } : {}),\n\t\t} satisfies BuildOptions);\n}\n\nfunction createRedirectedWrite(output: BuildOutput): typeof process.stderr.write {\n\treturn ((\n\t\tchunk: string | Uint8Array,\n\t\tencodingOrCallback?: BufferEncoding | ((error?: Error | null) => void),\n\t\tcallback?: (error?: Error | null) => void,\n\t): boolean => {\n\t\tconst writeCallback = typeof encodingOrCallback === 'function' ? encodingOrCallback : callback;\n\t\tconst wrote = output.write(chunk);\n\t\twriteCallback?.();\n\t\treturn wrote;\n\t}) as typeof process.stderr.write;\n}\n\nasync function withCapturedBuildOutput<TResult>(\n\toutput: BuildOutput | undefined,\n\tfn: () => Promise<TResult>,\n): Promise<TResult> {\n\tif (!output) {\n\t\treturn await fn();\n\t}\n\n\tconst originalStderrWrite = process.stderr.write.bind(process.stderr);\n\tconst originalStdoutWrite = process.stdout.write.bind(process.stdout);\n\tconst originalCi = process.env.CI;\n\tconst redirectedWrite = createRedirectedWrite(output);\n\n\tprocess.stderr.write = redirectedWrite;\n\tprocess.stdout.write = redirectedWrite;\n\tprocess.env.CI = 'true';\n\n\ttry {\n\t\treturn await fn();\n\t} finally {\n\t\tprocess.stderr.write = originalStderrWrite;\n\t\tprocess.stdout.write = originalStdoutWrite;\n\t\tif (originalCi === undefined) {\n\t\t\tdelete process.env.CI;\n\t\t} else {\n\t\t\tprocess.env.CI = originalCi;\n\t\t}\n\t}\n}\n\nexport function computeBuildFingerprint(\n\tbuildConfig: BuildConfig,\n\tgondolinVersion: string = 'unknown',\n\tfingerprintInput?: unknown,\n): string {\n\tconst payload =\n\t\tfingerprintInput === undefined\n\t\t\t? `${stableSerialize(buildConfig)}|${gondolinVersion}`\n\t\t\t: `${stableSerialize(buildConfig)}|${gondolinVersion}|${stableSerialize(fingerprintInput)}`;\n\n\treturn crypto.createHash('sha256').update(payload).digest('hex').slice(0, 16);\n}\n\nexport async function computeEffectiveBuildFingerprint(options: {\n\treadonly buildConfig: BuildConfig;\n\treadonly configDir?: string;\n\treadonly fingerprintInput?: unknown;\n\treadonly gondolinVersion?: string;\n}): Promise<{\n\treadonly fingerprint: string;\n\treadonly rootfsInitExtraContent: string;\n}> {\n\tconst resolvedRootfsInitExtra = await resolveRootfsInitExtra({\n\t\tbuildConfig: options.buildConfig,\n\t\t...(options.configDir ? { configDir: options.configDir } : {}),\n\t});\n\tconst fingerprint = computeBuildFingerprint(options.buildConfig, options.gondolinVersion, {\n\t\tagentVmRootfsInitExtra: resolvedRootfsInitExtra.fingerprintInput,\n\t\t...(options.fingerprintInput === undefined\n\t\t\t? {}\n\t\t\t: { callerFingerprintInput: options.fingerprintInput }),\n\t});\n\n\treturn {\n\t\tfingerprint,\n\t\trootfsInitExtraContent: resolvedRootfsInitExtra.content,\n\t};\n}\n\nexport async function buildImage(\n\toptions: BuildImageOptions,\n\tdependencies: BuildPipelineDependencies = {},\n): Promise<BuildImageResult> {\n\tconst effectiveBuildFingerprint = await computeEffectiveBuildFingerprint({\n\t\tbuildConfig: options.buildConfig,\n\t\t...(options.configDir ? { configDir: options.configDir } : {}),\n\t\t...(options.fingerprintInput === undefined\n\t\t\t? {}\n\t\t\t: { fingerprintInput: options.fingerprintInput }),\n\t\t...(dependencies.gondolinVersion ? { gondolinVersion: dependencies.gondolinVersion } : {}),\n\t});\n\tconst fingerprint = effectiveBuildFingerprint.fingerprint;\n\tconst imagePath = path.join(options.cacheDir, fingerprint);\n\tconst buildImageForFingerprint = async (): Promise<BuildImageResult> => {\n\t\tif (options.fullReset) {\n\t\t\tawait fs.rm(imagePath, { recursive: true, force: true });\n\t\t}\n\n\t\tif (await hasBuiltImageAssets(imagePath)) {\n\t\t\treturn {\n\t\t\t\tbuilt: false,\n\t\t\t\tfingerprint,\n\t\t\t\timagePath,\n\t\t\t};\n\t\t}\n\n\t\tawait fs.mkdir(imagePath, { recursive: true });\n\t\tconst buildAssetsImplementation = dependencies.buildAssets ?? (await loadBuildAssets());\n\t\tconst effectiveBuildConfig = await prepareBuildConfigWithAgentVmRootfsInitExtra({\n\t\t\tbuildConfig: options.buildConfig,\n\t\t\timagePath,\n\t\t\trootfsInitExtraContent: effectiveBuildFingerprint.rootfsInitExtraContent,\n\t\t});\n\t\tconst gondolinWorkDir = path.join(imagePath, gondolinWorkDirectoryName);\n\t\tawait fs.rm(gondolinWorkDir, { recursive: true, force: true });\n\t\ttry {\n\t\t\tawait withCapturedBuildOutput(options.output, async () => {\n\t\t\t\tawait buildAssetsImplementation(\n\t\t\t\t\teffectiveBuildConfig,\n\t\t\t\t\timagePath,\n\t\t\t\t\toptions.configDir,\n\t\t\t\t\tgondolinWorkDir,\n\t\t\t\t\toptions.output !== undefined,\n\t\t\t\t);\n\t\t\t});\n\t\t} finally {\n\t\t\tawait fs.rm(gondolinWorkDir, { recursive: true, force: true });\n\t\t}\n\n\t\tif (!(await hasBuiltImageAssets(imagePath))) {\n\t\t\tthrow new Error(`Expected Gondolin assets to be written to ${imagePath}.`);\n\t\t}\n\n\t\treturn {\n\t\t\tbuilt: true,\n\t\t\tfingerprint,\n\t\t\timagePath,\n\t\t};\n\t};\n\n\tif (options.output) {\n\t\treturn await buildImageForFingerprint();\n\t}\n\n\tconst inFlightKey = path.resolve(imagePath);\n\tconst existingBuild = inFlightImageBuilds.get(inFlightKey);\n\tif (existingBuild) {\n\t\treturn await existingBuild;\n\t}\n\tconst buildPromise = buildImageForFingerprint();\n\tinFlightImageBuilds.set(inFlightKey, buildPromise);\n\ttry {\n\t\treturn await buildPromise;\n\t} finally {\n\t\tif (inFlightImageBuilds.get(inFlightKey) === buildPromise) {\n\t\t\tinFlightImageBuilds.delete(inFlightKey);\n\t\t}\n\t}\n}\n","import fs from 'node:fs/promises';\nimport { createRequire } from 'node:module';\nimport path from 'node:path';\n\nimport { z } from 'zod';\n\nconst requireFromHere = createRequire(import.meta.url);\n\nconst gondolinPackageJsonSchema = z.object({\n\tversion: z.string().min(1),\n});\n\nfunction isMissingFileError(error: unknown): boolean {\n\treturn typeof error === 'object' && error !== null && 'code' in error && error.code === 'ENOENT';\n}\n\nfunction getErrorMessage(error: unknown): string {\n\treturn error instanceof Error ? error.message : String(error);\n}\n\nexport function parseMinimumZigVersion(rawContents: string): string {\n\tconst match = rawContents.match(/\\.minimum_zig_version\\s*=\\s*\"([^\"]*)\"/u);\n\tif (!match) {\n\t\tthrow new Error(\n\t\t\t'minimum_zig_version declaration not found. Expected a line like `.minimum_zig_version = \"0.15.2\"`.',\n\t\t);\n\t}\n\n\tconst version = match[1];\n\tif (!version) {\n\t\tthrow new Error('minimum_zig_version is empty.');\n\t}\n\treturn version;\n}\n\nexport function resolveGondolinPackageJsonPath(): string {\n\treturn requireFromHere.resolve('@earendil-works/gondolin/package.json');\n}\n\nexport async function resolveGondolinPackageSpec(): Promise<string> {\n\tconst packageJsonPath = resolveGondolinPackageJsonPath();\n\tconst parsed: unknown = JSON.parse(await fs.readFile(packageJsonPath, 'utf8'));\n\tconst packageJson = gondolinPackageJsonSchema.parse(parsed);\n\treturn `@earendil-works/gondolin@${packageJson.version}`;\n}\n\nexport interface ResolveGondolinMinimumZigVersionOptions {\n\treadonly buildZigZonPath?: string;\n}\n\nasync function resolveDefaultBuildZigZonPath(): Promise<string> {\n\tconst packageJsonPath = resolveGondolinPackageJsonPath();\n\treturn path.join(path.dirname(packageJsonPath), 'dist', 'guest', 'build.zig.zon');\n}\n\nexport async function resolveGondolinMinimumZigVersion(\n\toptions: ResolveGondolinMinimumZigVersionOptions = {},\n): Promise<string> {\n\tconst zonPath = options.buildZigZonPath ?? (await resolveDefaultBuildZigZonPath());\n\tlet rawContents: string;\n\ttry {\n\t\trawContents = await fs.readFile(zonPath, 'utf8');\n\t} catch (error) {\n\t\tif (isMissingFileError(error)) {\n\t\t\tthrow new Error(`Missing Gondolin build.zig.zon at '${zonPath}'.`, { cause: error });\n\t\t}\n\t\tthrow new Error(\n\t\t\t`Failed to read Gondolin build.zig.zon at '${zonPath}': ${getErrorMessage(error)}`,\n\t\t\t{ cause: error },\n\t\t);\n\t}\n\n\ttry {\n\t\treturn parseMinimumZigVersion(rawContents);\n\t} catch (error) {\n\t\tthrow new Error(\n\t\t\t`Failed to parse Gondolin build.zig.zon at '${zonPath}': ${getErrorMessage(error)}`,\n\t\t\t{ cause: error },\n\t\t);\n\t}\n}\n","import * as dns from 'node:dns';\nimport * as net from 'node:net';\n\nexport interface HostNetworkDefaultsResult {\n\treadonly autoSelectFamily: false | 'unavailable';\n\treadonly dnsResultOrder: 'ipv4first' | 'unavailable';\n}\n\nexport interface HostNetworkDefaultsDependencies {\n\treadonly setDefaultAutoSelectFamily?: ((value: boolean) => void) | undefined;\n\treadonly setDefaultResultOrder?: ((order: 'ipv4first') => void) | undefined;\n}\n\n/**\n * Gondolin raw tcpHosts passthrough sockets are opened by the host-side Node\n * process, not by guest Node processes. VM NODE_OPTIONS cannot affect those\n * sockets, so host processes that create Gondolin VMs also force deterministic\n * IPv4-first behavior before network state is constructed.\n */\nexport function configureHostNetworkDefaults(\n\tdependencies: HostNetworkDefaultsDependencies = {},\n): HostNetworkDefaultsResult {\n\tconst setDefaultResultOrder =\n\t\t'setDefaultResultOrder' in dependencies\n\t\t\t? dependencies.setDefaultResultOrder\n\t\t\t: dns.setDefaultResultOrder;\n\tconst setDefaultAutoSelectFamily =\n\t\t'setDefaultAutoSelectFamily' in dependencies\n\t\t\t? dependencies.setDefaultAutoSelectFamily\n\t\t\t: net.setDefaultAutoSelectFamily;\n\n\tlet dnsResultOrder: HostNetworkDefaultsResult['dnsResultOrder'] = 'unavailable';\n\tif (typeof setDefaultResultOrder === 'function') {\n\t\tsetDefaultResultOrder('ipv4first');\n\t\tdnsResultOrder = 'ipv4first';\n\t}\n\n\tlet autoSelectFamily: HostNetworkDefaultsResult['autoSelectFamily'] = 'unavailable';\n\tif (typeof setDefaultAutoSelectFamily === 'function') {\n\t\tsetDefaultAutoSelectFamily(false);\n\t\tautoSelectFamily = false;\n\t}\n\n\treturn {\n\t\tautoSelectFamily,\n\t\tdnsResultOrder,\n\t};\n}\n","import fs from 'node:fs/promises';\nimport path from 'node:path';\n\nconst AUTH_GUEST_PATH_PREFIXES = [\n\t'/home/agent/.aws',\n\t'/home/agent/.claude',\n\t'/home/agent/.codex',\n\t'/home/agent/.gemini',\n\t'/home/openclaw/.aws',\n\t'/home/openclaw/.claude',\n\t'/home/openclaw/.codex',\n\t'/home/openclaw/.gemini',\n\t'/home/openclaw/.openclaw',\n] as const;\n\nexport interface WritableMountPolicy {\n\treadonly allowAuthWrite: boolean;\n\treadonly writableAllowedGuestPrefixes: readonly string[];\n}\n\nexport interface RuntimeMountPolicyConfig {\n\treadonly extraMounts: Readonly<Record<string, string>>;\n\treadonly mountControls: WritableMountPolicy;\n}\n\nfunction resolveAuthHostPrefixes(hostHome: string): readonly string[] {\n\treturn [\n\t\tpath.join(hostHome, '.aws'),\n\t\tpath.join(hostHome, '.claude'),\n\t\tpath.join(hostHome, '.codex'),\n\t\tpath.join(hostHome, '.gemini'),\n\t];\n}\n\nexport function resolveGuestMountPath(guestPath: string, workDir: string): string {\n\tif (path.isAbsolute(guestPath)) {\n\t\treturn path.resolve(guestPath);\n\t}\n\n\treturn path.resolve(workDir, guestPath);\n}\n\nfunction isPathWithinPrefix(candidatePath: string, prefixPath: string): boolean {\n\tconst relativePath = path.relative(prefixPath, candidatePath);\n\treturn relativePath === '' || (!relativePath.startsWith('..') && !path.isAbsolute(relativePath));\n}\n\nasync function normalizeHostPath(hostPath: string): Promise<string> {\n\tconst resolvedHostPath = path.resolve(hostPath);\n\n\ttry {\n\t\treturn await fs.realpath(resolvedHostPath);\n\t} catch {\n\t\treturn resolvedHostPath;\n\t}\n}\n\nfunction pathsOverlap(candidatePath: string, protectedPath: string): boolean {\n\treturn (\n\t\tisPathWithinPrefix(candidatePath, protectedPath) ||\n\t\tisPathWithinPrefix(protectedPath, candidatePath)\n\t);\n}\n\nexport function validateWritableMount(\n\tguestPath: string,\n\tpolicy: WritableMountPolicy,\n\toptions: { readonly workDir: string },\n): void {\n\tconst resolvedGuestPath = resolveGuestMountPath(guestPath, options.workDir);\n\tconst resolvedAllowedPrefixes = policy.writableAllowedGuestPrefixes.map((allowedPrefix) =>\n\t\tresolveGuestMountPath(allowedPrefix, options.workDir),\n\t);\n\n\tconst isAllowedGuestPath = resolvedAllowedPrefixes.some((allowedPrefix) =>\n\t\tisPathWithinPrefix(resolvedGuestPath, allowedPrefix),\n\t);\n\tif (!isAllowedGuestPath) {\n\t\tthrow new Error(\n\t\t\t`Writable mount guest path '${resolvedGuestPath}' is outside writable allowlist [${resolvedAllowedPrefixes.join(', ')}].`,\n\t\t);\n\t}\n\n\tif (!policy.allowAuthWrite) {\n\t\tconst targetsProtectedGuestPath = AUTH_GUEST_PATH_PREFIXES.some((authPrefix) =>\n\t\t\tisPathWithinPrefix(resolvedGuestPath, authPrefix),\n\t\t);\n\t\tif (targetsProtectedGuestPath) {\n\t\t\tthrow new Error(\n\t\t\t\t`Writable mount guest path '${resolvedGuestPath}' targets an auth mount path. Set mountControls.allowAuthWrite=true to permit auth writes.`,\n\t\t\t);\n\t\t}\n\t}\n}\n\nexport async function validateRuntimeMountPolicy(\n\tconfig: RuntimeMountPolicyConfig,\n\toptions: { readonly hostHome: string; readonly workDir: string },\n): Promise<void> {\n\tconst mountEntries = Object.entries(config.extraMounts);\n\tfor (const [guestPath] of mountEntries) {\n\t\tvalidateWritableMount(guestPath, config.mountControls, options);\n\t}\n\n\tif (config.mountControls.allowAuthWrite) {\n\t\treturn;\n\t}\n\n\tconst absoluteHostMountEntries = mountEntries.filter(([, hostPath]) => path.isAbsolute(hostPath));\n\tconst [protectedHostPaths, writableHostPaths] = await Promise.all([\n\t\tPromise.all(\n\t\t\tresolveAuthHostPrefixes(options.hostHome).map(\n\t\t\t\tasync (authHostPrefix) => await normalizeHostPath(authHostPrefix),\n\t\t\t),\n\t\t),\n\t\tPromise.all(\n\t\t\tabsoluteHostMountEntries.map(async ([, hostPath]) => await normalizeHostPath(hostPath)),\n\t\t),\n\t]);\n\n\tfor (const resolvedWritableHostPath of writableHostPaths) {\n\t\tconst overlapsProtectedHostPath = protectedHostPaths.some((authHostPrefix) =>\n\t\t\tpathsOverlap(resolvedWritableHostPath, authHostPrefix),\n\t\t);\n\n\t\tif (overlapsProtectedHostPath) {\n\t\t\tthrow new Error(\n\t\t\t\t`Writable host path '${resolvedWritableHostPath}' targets an auth host directory. Set mountControls.allowAuthWrite=true to permit auth writes.`,\n\t\t\t);\n\t\t}\n\t}\n}\n","import fs from 'node:fs';\nimport path from 'node:path';\n\nimport type { VirtualProvider } from '@earendil-works/gondolin';\n\nexport interface PinnedRealFsRoot {\n\treadonly hostPath: string;\n\treadonly realPath: string;\n\treadonly fd: number;\n\treadonly device: number;\n\treadonly inode: number;\n}\n\nexport interface CreatePinnedRealFsProviderOptions {\n\treadonly root: PinnedRealFsRoot;\n\treadonly createRealFsProvider: (hostPath: string) => VirtualProvider;\n}\n\nfunction formatRootIdentity(root: PinnedRealFsRoot): string {\n\treturn `${root.device}:${root.inode}`;\n}\n\nfunction openDirectoryNoFollow(candidatePath: string): number {\n\treturn fs.openSync(\n\t\tcandidatePath,\n\t\tfs.constants.O_RDONLY | fs.constants.O_DIRECTORY | fs.constants.O_NOFOLLOW,\n\t);\n}\n\nexport function pinRealFsRoot(hostPath: string): PinnedRealFsRoot {\n\tif (!hostPath || !path.isAbsolute(hostPath)) {\n\t\tthrow new Error(`Pinned RealFS root must be a non-empty absolute path: ${hostPath}`);\n\t}\n\n\tconst resolvedHostPath = path.resolve(hostPath);\n\tconst fd = openDirectoryNoFollow(resolvedHostPath);\n\ttry {\n\t\tconst stats = fs.fstatSync(fd);\n\t\tif (!stats.isDirectory()) {\n\t\t\tthrow new Error(`Pinned RealFS root is not a directory: ${resolvedHostPath}`);\n\t\t}\n\t\tconst realPath = fs.realpathSync(resolvedHostPath);\n\t\tconst realPathStats = fs.statSync(realPath);\n\t\tif (realPathStats.dev !== stats.dev || realPathStats.ino !== stats.ino) {\n\t\t\tthrow new Error(\n\t\t\t\t`Pinned RealFS root changed while opening: ${resolvedHostPath} opened ${stats.dev}:${stats.ino} but resolved to ${realPathStats.dev}:${realPathStats.ino}`,\n\t\t\t);\n\t\t}\n\t\treturn {\n\t\t\tdevice: stats.dev,\n\t\t\tfd,\n\t\t\thostPath: resolvedHostPath,\n\t\t\tinode: stats.ino,\n\t\t\trealPath,\n\t\t};\n\t} catch (error) {\n\t\tfs.closeSync(fd);\n\t\tthrow error;\n\t}\n}\n\nexport function closePinnedRealFsRoot(root: PinnedRealFsRoot): void {\n\tfs.closeSync(root.fd);\n}\n\nexport function assertPinnedRealFsRoot(root: PinnedRealFsRoot): void {\n\tconst pinnedStats = fs.fstatSync(root.fd);\n\tconst currentStats = fs.statSync(root.realPath);\n\tif (\n\t\tpinnedStats.dev !== root.device ||\n\t\tpinnedStats.ino !== root.inode ||\n\t\tcurrentStats.dev !== root.device ||\n\t\tcurrentStats.ino !== root.inode\n\t) {\n\t\tthrow new Error(\n\t\t\t`Pinned RealFS root changed before mount access: ${root.realPath} expected ${formatRootIdentity(root)} got ${currentStats.dev}:${currentStats.ino}`,\n\t\t);\n\t}\n}\n\ntype ProviderMethod = (...args: unknown[]) => unknown;\n\n/* oxlint-disable typescript-eslint/no-unsafe-type-assertion -- Reflect.get()\n loses the method signature from Gondolin's VirtualProvider union. The proxy\n keeps the same provider object and only wraps callable properties with the\n pinned-root assertion. */\nexport function createPinnedRealFsProvider(\n\toptions: CreatePinnedRealFsProviderOptions,\n): VirtualProvider {\n\tassertPinnedRealFsRoot(options.root);\n\tconst provider = options.createRealFsProvider(options.root.realPath);\n\n\treturn new Proxy(provider, {\n\t\tget(target: VirtualProvider, property: string | symbol, receiver: unknown): unknown {\n\t\t\tconst value = Reflect.get(target, property, receiver) as unknown;\n\t\t\tif (typeof value !== 'function') {\n\t\t\t\treturn value;\n\t\t\t}\n\n\t\t\treturn (...methodArguments: readonly unknown[]): unknown => {\n\t\t\t\tassertPinnedRealFsRoot(options.root);\n\t\t\t\treturn Reflect.apply(value as ProviderMethod, target, methodArguments);\n\t\t\t};\n\t\t},\n\t});\n}\n/* oxlint-enable typescript-eslint/no-unsafe-type-assertion */\n","export interface PolicySources {\n\treadonly base: readonly string[];\n\treadonly profile: readonly string[];\n\treadonly extra: readonly string[];\n}\n\nexport function normalizeHostname(rawHostname: string): string {\n\treturn rawHostname.trim().toLowerCase().replace(/\\.+$/u, '');\n}\n\nexport function dedupeStable(values: readonly string[]): string[] {\n\tconst seenHostnames = new Set<string>();\n\tconst normalizedValues: string[] = [];\n\n\tfor (const value of values) {\n\t\tconst normalizedValue = normalizeHostname(value);\n\t\tif (normalizedValue.length === 0 || normalizedValue.startsWith('#')) {\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (!seenHostnames.has(normalizedValue)) {\n\t\t\tseenHostnames.add(normalizedValue);\n\t\t\tnormalizedValues.push(normalizedValue);\n\t\t}\n\t}\n\n\treturn normalizedValues;\n}\n\nexport function compilePolicy(sources: PolicySources): string[] {\n\treturn dedupeStable([...sources.base, ...sources.profile, ...sources.extra]);\n}\n","import net from 'node:net';\n\nimport type { MediatedSecretSpec } from '@agent-vm/secret-management';\nimport {\n\tMemoryProvider,\n\tReadonlyProvider,\n\tRealFSProvider,\n\tShadowProvider,\n\tVM,\n\tcreateHttpHooks,\n\tcreateShadowPathPredicate,\n\ttype CreateHttpHooksResult,\n\ttype EnableIngressOptions,\n\ttype EnableSshOptions,\n\ttype ExecOptions as GondolinExecOptions,\n\ttype ExecProcess as GondolinExecProcess,\n\ttype ExecResult as GondolinExecResult,\n\ttype HttpHooks,\n\ttype IngressRoute as GondolinIngressRoute,\n\ttype ShadowPredicate,\n\ttype ShadowProviderOptions,\n\ttype VMOptions,\n\ttype VmFs as GondolinVmFs,\n\ttype VirtualProvider,\n} from '@earendil-works/gondolin';\n\nimport {\n\tconfigureHostNetworkDefaults,\n\ttype HostNetworkDefaultsResult,\n} from './host-network-defaults.js';\nimport {\n\tclosePinnedRealFsRoot,\n\tcreatePinnedRealFsProvider,\n\ttype PinnedRealFsRoot,\n} from './pinned-realfs.js';\n\nexport const SYNTHETIC_DNS_IPV4_BENCHMARK = '198.18.0.1';\nexport const SYNTHETIC_DNS_IPV6_IPV4_MAPPED_BENCHMARK = '::ffff:198.18.0.1';\nexport const MANAGED_VM_DEFAULT_INGRESS_MAX_BUFFERED_RESPONSE_BODY_BYTES = 512 * 1024 * 1024;\nexport const MANAGED_VM_DEFAULT_INGRESS_UPSTREAM_HEADER_TIMEOUT_MS = 120_000;\nexport const MANAGED_VM_DEFAULT_INGRESS_UPSTREAM_RESPONSE_TIMEOUT_MS = 120_000;\n\nexport const MANAGED_VM_DEFAULT_INGRESS_OPTIONS = {\n\tallowWebSockets: true,\n\tbufferResponseBody: false,\n\tmaxBufferedResponseBodyBytes: MANAGED_VM_DEFAULT_INGRESS_MAX_BUFFERED_RESPONSE_BODY_BYTES,\n\tupstreamHeaderTimeoutMs: MANAGED_VM_DEFAULT_INGRESS_UPSTREAM_HEADER_TIMEOUT_MS,\n\tupstreamResponseTimeoutMs: MANAGED_VM_DEFAULT_INGRESS_UPSTREAM_RESPONSE_TIMEOUT_MS,\n} satisfies EnableIngressOptions;\n\nexport type ManagedExecInput = string | readonly string[];\nexport type ManagedExecOptions = GondolinExecOptions;\nexport type ManagedExecProcess = GondolinExecProcess;\nexport type ManagedExecResult = GondolinExecResult;\nexport type ManagedVmFs = GondolinVmFs;\n\nexport type IngressRoute = GondolinIngressRoute;\n\nexport interface SshAccess {\n\treadonly host: string;\n\treadonly command?: string;\n\treadonly identityFile?: string;\n\treadonly port: number;\n\treadonly user?: string;\n}\n\nexport interface IngressAccess {\n\treadonly host: string;\n\treadonly port: number;\n}\n\nexport interface ManagedVmInstance {\n\treadonly fs: ManagedVmFs;\n\treadonly id: string;\n\texec(command: string | string[], options?: ManagedExecOptions): ManagedExecProcess;\n\tenableSsh(options?: EnableSshOptions): Promise<SshAccess>;\n\tenableIngress(options?: EnableIngressOptions): Promise<IngressAccess>;\n\tgetHostPid?(): number | null;\n\tsetIngressRoutes(routes: readonly IngressRoute[]): void;\n\tclose(): Promise<void>;\n}\n\nexport interface ManagedVmDependencies {\n\tconfigureHostNetworkDefaults?: () => HostNetworkDefaultsResult;\n\tcreateVm(vmOptions: VMOptions): Promise<ManagedVmInstance>;\n\tcreateHttpHooks(options: {\n\t\treadonly allowedHosts: readonly string[];\n\t\treadonly isIpAllowed?: HttpHooks['isIpAllowed'];\n\t\treadonly secrets: Record<string, MediatedSecretSpec>;\n\t\treadonly onRequest?: (request: Request) => Promise<Request | Response | void>;\n\t\treadonly onResponse?: (response: Response) => Promise<Response | void>;\n\t}): Pick<CreateHttpHooksResult, 'env' | 'httpHooks'>;\n\tclosePinnedRealFsRoot(root: PinnedRealFsRoot): void;\n\tcreatePinnedRealFsProvider(root: PinnedRealFsRoot): VirtualProvider;\n\tcreateRealFsProvider(hostPath: string): VirtualProvider;\n\tcreateReadonlyProvider(provider: VirtualProvider): VirtualProvider;\n\tcreateMemoryProvider(): VirtualProvider;\n\tcreateShadowProvider(provider: VirtualProvider, options: ShadowProviderOptions): VirtualProvider;\n\tcreateShadowPathPredicate(paths: readonly string[]): ShadowPredicate;\n}\n\nexport interface VfsMountSpec {\n\treadonly kind: 'realfs' | 'realfs-readonly' | 'memory' | 'shadow';\n\treadonly hostPath?: string;\n\treadonly pinnedHostRoot?: PinnedRealFsRoot;\n\treadonly shadowConfig?: {\n\t\treadonly deny: readonly string[];\n\t\treadonly tmpfs: readonly string[];\n\t};\n}\n\nexport interface CreateVmOptions {\n\treadonly imagePath: string;\n\treadonly memory: string;\n\treadonly cpus: number;\n\treadonly rootfsMode: 'readonly' | 'memory' | 'cow';\n\treadonly runtimeRootfsSize?: string;\n\treadonly allowedHosts: readonly string[];\n\treadonly secrets: Record<string, MediatedSecretSpec>;\n\treadonly vfsMounts: Record<string, VfsMountSpec>;\n\treadonly tcpHosts?: Record<string, string>;\n\treadonly env?: Record<string, string>;\n\treadonly sessionLabel?: string;\n\treadonly onRequest?: (request: Request) => Promise<Request | Response | void>;\n\treadonly onResponse?: (response: Response) => Promise<Response | void>;\n}\n\nexport interface ManagedVm {\n\treadonly fs: ManagedVmFs;\n\treadonly id: string;\n\texec(command: ManagedExecInput, options?: ManagedExecOptions): ManagedExecProcess;\n\tenableSsh(options?: EnableSshOptions): Promise<SshAccess>;\n\tenableIngress(options?: EnableIngressOptions): Promise<IngressAccess>;\n\tgetHostPid(): number | null;\n\tgetVmInstance(): ManagedVmInstance;\n\tsetIngressRoutes(routes: readonly IngressRoute[]): void;\n\tclose(): Promise<void>;\n}\n\n/* oxlint-disable typescript-eslint/no-unsafe-type-assertion -- VM.create() returns\n Gondolin's concrete VM class; this adapter exposes only the narrower\n ManagedVmInstance interface used by agent-vm. */\nfunction createDefaultDependencies(): ManagedVmDependencies {\n\tconst createDefaultRealFsProvider = (hostPath: string): VirtualProvider =>\n\t\tnew RealFSProvider(hostPath);\n\treturn {\n\t\tconfigureHostNetworkDefaults,\n\t\tcreateVm: async (vmOptions: VMOptions): Promise<ManagedVmInstance> =>\n\t\t\t(await VM.create(vmOptions)) as unknown as ManagedVmInstance,\n\t\tcreateHttpHooks: (hookOptions) =>\n\t\t\tcreateHttpHooks({\n\t\t\t\tallowedHosts: [...hookOptions.allowedHosts],\n\t\t\t\t...(hookOptions.isIpAllowed\n\t\t\t\t\t? { blockInternalRanges: false, isIpAllowed: hookOptions.isIpAllowed }\n\t\t\t\t\t: {}),\n\t\t\t\tsecrets: Object.fromEntries(\n\t\t\t\t\tObject.entries(hookOptions.secrets).map(([secretName, secretSpec]) => [\n\t\t\t\t\t\tsecretName,\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\thosts: [...secretSpec.hosts],\n\t\t\t\t\t\t\tvalue: secretSpec.value,\n\t\t\t\t\t\t},\n\t\t\t\t\t]),\n\t\t\t\t),\n\t\t\t\t...(hookOptions.onRequest ? { onRequest: hookOptions.onRequest } : {}),\n\t\t\t\t...(hookOptions.onResponse ? { onResponse: hookOptions.onResponse } : {}),\n\t\t\t}),\n\t\tclosePinnedRealFsRoot,\n\t\tcreatePinnedRealFsProvider: (root: PinnedRealFsRoot): VirtualProvider =>\n\t\t\tcreatePinnedRealFsProvider({\n\t\t\t\tcreateRealFsProvider: createDefaultRealFsProvider,\n\t\t\t\troot,\n\t\t\t}),\n\t\tcreateRealFsProvider: createDefaultRealFsProvider,\n\t\tcreateReadonlyProvider: (provider: VirtualProvider): VirtualProvider =>\n\t\t\tnew ReadonlyProvider(provider),\n\t\tcreateMemoryProvider: (): VirtualProvider => new MemoryProvider(),\n\t\tcreateShadowProvider: (\n\t\t\tprovider: VirtualProvider,\n\t\t\tshadowOptions: ShadowProviderOptions,\n\t\t): VirtualProvider => new ShadowProvider(provider, shadowOptions),\n\t\tcreateShadowPathPredicate: (paths: readonly string[]): ShadowPredicate =>\n\t\t\tcreateShadowPathPredicate([...paths]),\n\t};\n}\n/* oxlint-enable typescript-eslint/no-unsafe-type-assertion */\n\nfunction normalizeShadowPath(pathValue: string): string {\n\tconst trimmedPath = pathValue.trim();\n\tif (trimmedPath.startsWith('/')) {\n\t\treturn trimmedPath;\n\t}\n\n\tconst relativePath = trimmedPath.startsWith('./') ? trimmedPath.slice('./'.length) : trimmedPath;\n\treturn `/${relativePath}`;\n}\n\nfunction createRealFsProviderForSpec(\n\tmountSpec: VfsMountSpec,\n\tdependencies: ManagedVmDependencies,\n\tmountKind: string,\n): VirtualProvider {\n\tif (mountSpec.pinnedHostRoot) {\n\t\treturn dependencies.createPinnedRealFsProvider(mountSpec.pinnedHostRoot);\n\t}\n\tif (mountSpec.hostPath) {\n\t\treturn dependencies.createRealFsProvider(mountSpec.hostPath);\n\t}\n\n\tthrow new Error(`${mountKind} mounts require hostPath or pinnedHostRoot`);\n}\n\nfunction createProviderFromSpec(\n\tmountSpec: VfsMountSpec,\n\tdependencies: ManagedVmDependencies,\n): VirtualProvider {\n\tswitch (mountSpec.kind) {\n\t\tcase 'memory':\n\t\t\treturn dependencies.createMemoryProvider();\n\t\tcase 'realfs': {\n\t\t\treturn createRealFsProviderForSpec(mountSpec, dependencies, 'realfs');\n\t\t}\n\t\tcase 'realfs-readonly': {\n\t\t\treturn dependencies.createReadonlyProvider(\n\t\t\t\tcreateRealFsProviderForSpec(mountSpec, dependencies, 'realfs-readonly'),\n\t\t\t);\n\t\t}\n\t\tcase 'shadow': {\n\t\t\tconst baseProvider =\n\t\t\t\tmountSpec.hostPath || mountSpec.pinnedHostRoot\n\t\t\t\t\t? createRealFsProviderForSpec(mountSpec, dependencies, 'shadow')\n\t\t\t\t\t: dependencies.createMemoryProvider();\n\n\t\t\tlet shadowProvider = baseProvider;\n\t\t\tconst shadowConfig = mountSpec.shadowConfig;\n\n\t\t\tif (shadowConfig?.deny.length) {\n\t\t\t\tshadowProvider = dependencies.createShadowProvider(shadowProvider, {\n\t\t\t\t\tshouldShadow: dependencies.createShadowPathPredicate(\n\t\t\t\t\t\tshadowConfig.deny.map((shadowPath) => normalizeShadowPath(shadowPath)),\n\t\t\t\t\t),\n\t\t\t\t\twriteMode: 'deny',\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tif (shadowConfig?.tmpfs.length) {\n\t\t\t\tshadowProvider = dependencies.createShadowProvider(shadowProvider, {\n\t\t\t\t\tshouldShadow: dependencies.createShadowPathPredicate(\n\t\t\t\t\t\tshadowConfig.tmpfs.map((shadowPath) => normalizeShadowPath(shadowPath)),\n\t\t\t\t\t),\n\t\t\t\t\twriteMode: 'tmpfs',\n\t\t\t\t});\n\t\t\t}\n\n\t\t\treturn shadowProvider;\n\t\t}\n\t\tdefault: {\n\t\t\tthrow new Error(`Unsupported VFS mount kind: ${String(mountSpec.kind)}`);\n\t\t}\n\t}\n}\n\nfunction createVfsMounts(\n\tvfsMounts: Record<string, VfsMountSpec>,\n\tdependencies: ManagedVmDependencies,\n): Record<string, VirtualProvider> {\n\tconst mountMap: Record<string, VirtualProvider> = {};\n\n\tfor (const [guestPath, mountSpec] of Object.entries(vfsMounts)) {\n\t\tmountMap[guestPath] = createProviderFromSpec(mountSpec, dependencies);\n\t}\n\n\treturn mountMap;\n}\n\nfunction collectPinnedRealFsRoots(\n\tvfsMounts: Record<string, VfsMountSpec>,\n): readonly PinnedRealFsRoot[] {\n\tconst roots = new Map<number, PinnedRealFsRoot>();\n\tfor (const mountSpec of Object.values(vfsMounts)) {\n\t\tif (mountSpec.pinnedHostRoot) {\n\t\t\troots.set(mountSpec.pinnedHostRoot.fd, mountSpec.pinnedHostRoot);\n\t\t}\n\t}\n\treturn [...roots.values()];\n}\n\nfunction closePinnedRealFsRoots(\n\troots: readonly PinnedRealFsRoot[],\n\tdependencies: ManagedVmDependencies,\n): void {\n\tfor (const root of roots) {\n\t\tdependencies.closePinnedRealFsRoot(root);\n\t}\n}\n\nfunction closePinnedRealFsRootsAfterFailure(\n\troots: readonly PinnedRealFsRoot[],\n\tdependencies: ManagedVmDependencies,\n): void {\n\ttry {\n\t\tclosePinnedRealFsRoots(roots, dependencies);\n\t} catch {\n\t\t// Preserve the VM creation failure; leaked-fd risk is lower than hiding\n\t\t// the root cause of a failed lease.\n\t}\n}\n\nfunction resolveManagedVmIngressOptions(\n\tingressOptions: EnableIngressOptions = {},\n): EnableIngressOptions {\n\tconst resolvedOptions: EnableIngressOptions = {\n\t\t...MANAGED_VM_DEFAULT_INGRESS_OPTIONS,\n\t};\n\n\tif (ingressOptions.listenHost !== undefined) {\n\t\tresolvedOptions.listenHost = ingressOptions.listenHost;\n\t}\n\tif (ingressOptions.listenPort !== undefined) {\n\t\tresolvedOptions.listenPort = ingressOptions.listenPort;\n\t}\n\tif (ingressOptions.allowWebSockets !== undefined) {\n\t\tresolvedOptions.allowWebSockets = ingressOptions.allowWebSockets;\n\t}\n\tif (ingressOptions.hooks !== undefined) {\n\t\tresolvedOptions.hooks = ingressOptions.hooks;\n\t}\n\tif (ingressOptions.bufferResponseBody !== undefined) {\n\t\tresolvedOptions.bufferResponseBody = ingressOptions.bufferResponseBody;\n\t}\n\tif (ingressOptions.maxBufferedResponseBodyBytes !== undefined) {\n\t\tresolvedOptions.maxBufferedResponseBodyBytes = ingressOptions.maxBufferedResponseBodyBytes;\n\t}\n\tif (ingressOptions.upstreamHeaderTimeoutMs !== undefined) {\n\t\tresolvedOptions.upstreamHeaderTimeoutMs = ingressOptions.upstreamHeaderTimeoutMs;\n\t}\n\tif (ingressOptions.upstreamResponseTimeoutMs !== undefined) {\n\t\tresolvedOptions.upstreamResponseTimeoutMs = ingressOptions.upstreamResponseTimeoutMs;\n\t}\n\n\treturn resolvedOptions;\n}\n\ninterface TcpHostEndpoint {\n\treadonly hostname: string;\n\treadonly port: number;\n}\n\ninterface InternalTcpHostRule extends TcpHostEndpoint {}\n\nfunction normalizePolicyHostname(hostname: string): string {\n\treturn hostname.toLowerCase();\n}\n\nfunction parseTcpHostEndpoint(endpoint: string): TcpHostEndpoint | undefined {\n\tif (endpoint.startsWith('[')) {\n\t\tconst closingBracketIndex = endpoint.indexOf(']');\n\t\tif (closingBracketIndex > 1) {\n\t\t\tconst portValue = Number.parseInt(endpoint.slice(closingBracketIndex + 2), 10);\n\t\t\tif (!Number.isFinite(portValue)) {\n\t\t\t\treturn undefined;\n\t\t\t}\n\t\t\treturn {\n\t\t\t\thostname: normalizePolicyHostname(endpoint.slice(1, closingBracketIndex)),\n\t\t\t\tport: portValue,\n\t\t\t};\n\t\t}\n\t}\n\n\tconst portSeparatorIndex = endpoint.lastIndexOf(':');\n\tif (portSeparatorIndex <= 0) {\n\t\treturn undefined;\n\t}\n\tconst portValue = Number.parseInt(endpoint.slice(portSeparatorIndex + 1), 10);\n\tif (!Number.isFinite(portValue)) {\n\t\treturn undefined;\n\t}\n\treturn {\n\t\thostname: normalizePolicyHostname(endpoint.slice(0, portSeparatorIndex)),\n\t\tport: portValue,\n\t};\n}\n\nfunction ipv4AddressIsInternal(ipAddress: string): boolean {\n\tconst octets = ipAddress.split('.').map((segment) => Number.parseInt(segment, 10));\n\tif (octets.length !== 4 || octets.some((octet) => !Number.isInteger(octet))) {\n\t\treturn false;\n\t}\n\tconst firstOctet = octets[0];\n\tconst secondOctet = octets[1];\n\tif (firstOctet === undefined || secondOctet === undefined) {\n\t\treturn false;\n\t}\n\treturn (\n\t\tfirstOctet === 10 ||\n\t\tfirstOctet === 127 ||\n\t\t(firstOctet === 169 && secondOctet === 254) ||\n\t\t(firstOctet === 172 && secondOctet >= 16 && secondOctet <= 31) ||\n\t\t(firstOctet === 192 && secondOctet === 168) ||\n\t\t(firstOctet === 100 && secondOctet >= 64 && secondOctet <= 127)\n\t);\n}\n\nfunction ipAddressIsInternal(ipAddress: string): boolean {\n\tif (net.isIP(ipAddress) === 4) {\n\t\treturn ipv4AddressIsInternal(ipAddress);\n\t}\n\tconst normalizedIpAddress = ipAddress.toLowerCase();\n\tif (normalizedIpAddress.startsWith('::ffff:')) {\n\t\treturn ipv4AddressIsInternal(normalizedIpAddress.slice('::ffff:'.length));\n\t}\n\treturn (\n\t\tnormalizedIpAddress === '::1' ||\n\t\tnormalizedIpAddress.startsWith('fc') ||\n\t\tnormalizedIpAddress.startsWith('fd') ||\n\t\tnormalizedIpAddress.startsWith('fe80:')\n\t);\n}\n\nfunction endpointHostnameIsInternal(hostname: string): boolean {\n\tconst normalizedHostname = normalizePolicyHostname(hostname);\n\treturn (\n\t\tnormalizedHostname === 'localhost' ||\n\t\tnormalizedHostname === 'host.docker.internal' ||\n\t\tipAddressIsInternal(normalizedHostname)\n\t);\n}\n\nfunction deriveInternalTcpHostRules(\n\ttcpHosts: Record<string, string> | undefined,\n): readonly InternalTcpHostRule[] {\n\tif (!tcpHosts) {\n\t\treturn [];\n\t}\n\n\tconst rules: InternalTcpHostRule[] = [];\n\tfor (const [tcpHostKey, tcpHostTarget] of Object.entries(tcpHosts)) {\n\t\tconst exposedEndpoint = parseTcpHostEndpoint(tcpHostKey);\n\t\tconst targetEndpoint = parseTcpHostEndpoint(tcpHostTarget);\n\t\tif (\n\t\t\t!exposedEndpoint ||\n\t\t\t!targetEndpoint ||\n\t\t\t!endpointHostnameIsInternal(targetEndpoint.hostname)\n\t\t) {\n\t\t\tcontinue;\n\t\t}\n\t\tif (\n\t\t\t!rules.some(\n\t\t\t\t(rule) => rule.hostname === exposedEndpoint.hostname && rule.port === exposedEndpoint.port,\n\t\t\t)\n\t\t) {\n\t\t\trules.push(exposedEndpoint);\n\t\t}\n\t}\n\treturn rules;\n}\n\nfunction mergeUniqueHosts(\n\thosts: readonly string[],\n\tadditionalHosts: readonly string[],\n): readonly string[] {\n\tconst mergedHosts = [...hosts];\n\tfor (const host of additionalHosts) {\n\t\tif (!mergedHosts.includes(host)) {\n\t\t\tmergedHosts.push(host);\n\t\t}\n\t}\n\treturn mergedHosts;\n}\n\nfunction createInternalTcpHostPolicy(\n\trules: readonly InternalTcpHostRule[],\n): HttpHooks['isIpAllowed'] | undefined {\n\tif (rules.length === 0) {\n\t\treturn undefined;\n\t}\n\tconst ruleHostnames = new Set(rules.map((rule) => rule.hostname));\n\treturn (info) => {\n\t\tconst hostname = normalizePolicyHostname(info.hostname);\n\t\tconst exactRuleMatched = rules.some(\n\t\t\t(rule) => rule.hostname === hostname && rule.port === info.port,\n\t\t);\n\t\tif (ruleHostnames.has(hostname)) {\n\t\t\treturn exactRuleMatched;\n\t\t}\n\t\tif (ipAddressIsInternal(info.ip)) {\n\t\t\treturn false;\n\t\t}\n\t\treturn true;\n\t};\n}\n\nexport async function createManagedVm(\n\toptions: CreateVmOptions,\n\tdependencies: ManagedVmDependencies = createDefaultDependencies(),\n): Promise<ManagedVm> {\n\tdependencies.configureHostNetworkDefaults?.();\n\tconst hasTcpHosts = options.tcpHosts && Object.keys(options.tcpHosts).length > 0;\n\tconst internalTcpHostRules = deriveInternalTcpHostRules(options.tcpHosts);\n\tconst allowedHosts = mergeUniqueHosts(\n\t\toptions.allowedHosts,\n\t\tinternalTcpHostRules.map((rule) => rule.hostname),\n\t);\n\tconst isIpAllowed = createInternalTcpHostPolicy(internalTcpHostRules);\n\tconst pinnedRealFsRoots = collectPinnedRealFsRoots(options.vfsMounts);\n\tlet vmInstance: ManagedVmInstance;\n\ttry {\n\t\tconst hookBundle = dependencies.createHttpHooks({\n\t\t\tallowedHosts,\n\t\t\t...(isIpAllowed ? { isIpAllowed } : {}),\n\t\t\tsecrets: options.secrets,\n\t\t\t...(options.onRequest ? { onRequest: options.onRequest } : {}),\n\t\t\t...(options.onResponse ? { onResponse: options.onResponse } : {}),\n\t\t});\n\t\tvmInstance = await dependencies.createVm({\n\t\t\t...(options.imagePath.length > 0 ? { sandbox: { imagePath: options.imagePath } } : {}),\n\t\t\t...(options.sessionLabel ? { sessionLabel: options.sessionLabel } : {}),\n\t\t\trootfs: {\n\t\t\t\tmode: options.rootfsMode,\n\t\t\t\t...(options.runtimeRootfsSize === undefined ? {} : { size: options.runtimeRootfsSize }),\n\t\t\t},\n\t\t\tmemory: options.memory,\n\t\t\tcpus: options.cpus,\n\t\t\tenv: {\n\t\t\t\t...hookBundle.env,\n\t\t\t\t...options.env,\n\t\t\t},\n\t\t\thttpHooks: hookBundle.httpHooks,\n\t\t\tvfs: {\n\t\t\t\tfuseMount: '/data',\n\t\t\t\tmounts: createVfsMounts(options.vfsMounts, dependencies),\n\t\t\t},\n\t\t\t...(hasTcpHosts\n\t\t\t\t? {\n\t\t\t\t\t\tdns: {\n\t\t\t\t\t\t\tmode: 'synthetic',\n\t\t\t\t\t\t\tsyntheticIPv4: SYNTHETIC_DNS_IPV4_BENCHMARK,\n\t\t\t\t\t\t\tsyntheticIPv6: SYNTHETIC_DNS_IPV6_IPV4_MAPPED_BENCHMARK,\n\t\t\t\t\t\t\tsyntheticHostMapping: 'per-host',\n\t\t\t\t\t\t},\n\t\t\t\t\t\ttcp: {\n\t\t\t\t\t\t\thosts: options.tcpHosts,\n\t\t\t\t\t\t},\n\t\t\t\t\t}\n\t\t\t\t: {}),\n\t\t});\n\t} catch (error) {\n\t\tclosePinnedRealFsRootsAfterFailure(pinnedRealFsRoots, dependencies);\n\t\tthrow error;\n\t}\n\n\treturn {\n\t\tfs: vmInstance.fs,\n\t\tid: vmInstance.id,\n\t\texec(command: ManagedExecInput, execOptions?: ManagedExecOptions): ManagedExecProcess {\n\t\t\tconst normalizedCommand = typeof command === 'string' ? command : [...command];\n\t\t\treturn vmInstance.exec(normalizedCommand, execOptions);\n\t\t},\n\t\tasync enableSsh(sshOptions?: EnableSshOptions): Promise<SshAccess> {\n\t\t\treturn await vmInstance.enableSsh(sshOptions);\n\t\t},\n\t\tasync enableIngress(ingressOptions?: EnableIngressOptions): Promise<IngressAccess> {\n\t\t\treturn await vmInstance.enableIngress(resolveManagedVmIngressOptions(ingressOptions));\n\t\t},\n\t\tgetHostPid(): number | null {\n\t\t\treturn vmInstance.getHostPid?.() ?? null;\n\t\t},\n\t\tgetVmInstance(): ManagedVmInstance {\n\t\t\treturn vmInstance;\n\t\t},\n\t\tsetIngressRoutes(routes: readonly IngressRoute[]): void {\n\t\t\tvmInstance.setIngressRoutes(routes);\n\t\t},\n\t\tasync close(): Promise<void> {\n\t\t\tlet closeError: unknown;\n\t\t\ttry {\n\t\t\t\tawait vmInstance.close();\n\t\t\t} catch (error) {\n\t\t\t\tcloseError = error;\n\t\t\t}\n\t\t\ttry {\n\t\t\t\tclosePinnedRealFsRoots(pinnedRealFsRoots, dependencies);\n\t\t\t} catch (error) {\n\t\t\t\tcloseError ??= error;\n\t\t\t}\n\t\t\tif (closeError !== undefined) {\n\t\t\t\tthrow closeError;\n\t\t\t}\n\t\t},\n\t};\n}\n","import fs from 'node:fs/promises';\nimport path from 'node:path';\n\nexport interface VolumeConfigEntry {\n\treadonly guestPath: string;\n}\n\nexport interface ResolvedVolume {\n\treadonly hostDir: string;\n\treadonly guestPath: string;\n}\n\nexport async function ensureVolumeDir(\n\tcacheBase: string,\n\tworkspaceHash: string,\n\tvolumeName: string,\n): Promise<string> {\n\tconst volumeDirectory = path.join(cacheBase, workspaceHash, volumeName);\n\tawait fs.mkdir(volumeDirectory, { recursive: true });\n\treturn volumeDirectory;\n}\n\nexport async function resolveVolumeDirs(\n\tcacheBase: string,\n\tworkspaceHash: string,\n\tvolumes: Readonly<Record<string, VolumeConfigEntry>>,\n): Promise<Record<string, ResolvedVolume>> {\n\tconst resolvedVolumeEntries = await Promise.all(\n\t\tObject.entries(volumes).map(\n\t\t\tasync ([volumeName, volumeConfig]) =>\n\t\t\t\t[\n\t\t\t\t\tvolumeName,\n\t\t\t\t\t{\n\t\t\t\t\t\tguestPath: volumeConfig.guestPath,\n\t\t\t\t\t\thostDir: await ensureVolumeDir(cacheBase, workspaceHash, volumeName),\n\t\t\t\t\t},\n\t\t\t\t] satisfies readonly [string, ResolvedVolume],\n\t\t),\n\t);\n\n\treturn Object.fromEntries(resolvedVolumeEntries);\n}\n","import fs from 'node:fs/promises';\n\nexport async function writeFileAtomically(\n\tfilePath: string,\n\tcontent: string,\n\toptions: {\n\t\treadonly mode?: number;\n\t} = {},\n): Promise<void> {\n\tconst temporaryFilePath = `${filePath}.${process.pid}.${Date.now()}.tmp`;\n\tawait fs.writeFile(temporaryFilePath, content, {\n\t\tencoding: 'utf8',\n\t\t...(options.mode ? { mode: options.mode } : {}),\n\t});\n\ttry {\n\t\tawait fs.rename(temporaryFilePath, filePath);\n\t} catch (renameError) {\n\t\ttry {\n\t\t\tawait fs.rm(temporaryFilePath, { force: true });\n\t\t} catch (cleanupError) {\n\t\t\tthrow new Error(\n\t\t\t\t`Failed to replace '${filePath}' (${renameError instanceof Error ? renameError.message : JSON.stringify(renameError)}) and failed to remove temporary file '${temporaryFilePath}': ${cleanupError instanceof Error ? cleanupError.message : JSON.stringify(cleanupError)}`,\n\t\t\t\t{ cause: cleanupError },\n\t\t\t);\n\t\t}\n\t\tthrow renameError;\n\t}\n}\n"],"mappings":";;;;;;;;;;;AAKA,MAAa,+BAA+B;;;;;;;;;;;AA+B5C,SAAS,uBAAuB,UAAkB,WAAuC;CACxF,OAAO,KAAK,WAAW,SAAS,GAAG,WAAW,KAAK,QAAQ,aAAa,QAAQ,KAAK,EAAE,SAAS;;AAGjG,eAAe,4BACd,aACA,WAC8B;CAC9B,MAAM,0BAA0B,YAAY,MAAM;CAClD,IAAI,CAAC,yBACJ;CAGD,MAAM,0BAA0B,uBAAuB,yBAAyB,UAAU;CAC1F,IAAI;EACH,OAAO,MAAM,GAAG,SAAS,yBAAyB,OAAO;UACjD,OAAO;EACf,MAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM;EACtE,MAAM,IAAI,MACT,8CAA8C,wBAAwB,KAAK,WAC3E,EAAE,OAAO,OAAO,CAChB;;;AAIH,SAAS,uBAAuB,yBAAqD;CACpF,OAAO,0BACJ,GAAG,6BAA6B,SAAS,CAAC,MAAM,4BAChD;;AAGJ,eAAsB,uBACrB,SACmC;CACnC,MAAM,0BAA0B,MAAM,4BACrC,QAAQ,aACR,QAAQ,UACR;CAED,OAAO;EACN,SAAS,uBAAuB,wBAAwB;EACxD,kBAAkB;GACjB,wBAAwB;GACxB,GAAI,4BAA4B,KAAA,IAC7B,EAAE,GACF,EAAE,2BAA2B,yBAAyB;GACzD;EACD;;AAGF,eAAsB,6CACrB,SACuB;CACvB,MAAM,sBAAsB,KAAK,KAAK,QAAQ,WAAW,gCAAgC;CAEzF,MAAM,GAAG,UAAU,qBAAqB,QAAQ,wBAAwB;EACvE,UAAU;EACV,MAAM;EACN,CAAC;CAEF,OAAO;EACN,GAAG,QAAQ;EACX,MAAM;GACL,GAAG,QAAQ,YAAY;GACvB,iBAAiB;GACjB;EACD;;;;ACpEF,MAAa,2BAA2B;CACvC;CACA;CACA;CACA;CACA;AAaD,MAAM,sCAAsB,IAAI,KAAwC;AACxE,MAAM,4BAA4B;AAElC,SAAS,SAAS,OAAkD;CACnE,OAAO,OAAO,UAAU,YAAY,UAAU;;AAG/C,SAAS,gBAAgB,OAAwB;CAChD,IAAI,MAAM,QAAQ,MAAM,EACvB,OAAO,IAAI,MAAM,KAAK,UAAU,gBAAgB,MAAM,CAAC,CAAC,KAAK,IAAI,CAAC;CAGnE,IAAI,SAAS,MAAM,EAIlB,OAAO,IAHe,OAAO,QAAQ,MAAM,CACzC,QAAQ,GAAG,gBAAgB,eAAe,KAAA,EAAU,CACpD,UAAU,CAAC,UAAU,CAAC,cAAc,QAAQ,cAAc,SAAS,CAC7C,CACtB,KAAK,CAAC,UAAU,gBAAgB,GAAG,KAAK,UAAU,SAAS,CAAC,GAAG,gBAAgB,WAAW,GAAG,CAC7F,KAAK,IAAI,CAAC;CAGb,OAAO,KAAK,UAAU,MAAM;;AAG7B,SAAS,mBAAmB,OAAyB;CACpD,OAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,UAAU,SAAS,MAAM,SAAS;;AAGzF,eAAe,WAAW,UAAoC;CAC7D,IAAI;EACH,MAAM,GAAG,OAAO,SAAS;EACzB,OAAO;UACC,OAAO;EACf,IAAI,CAAC,mBAAmB,MAAM,EAC7B,MAAM;EAEP,OAAO;;;AAIT,eAAsB,oBAAoB,qBAA+C;CACxF,KAAK,MAAM,YAAY,0BAEtB,IAAI,CAAE,MAAM,WAAW,KAAK,KAAK,qBAAqB,SAAS,CAAC,EAC/D,OAAO;CAGT,OAAO;;AAGR,eAAe,kBAQb;CACD,MAAM,iBAAiB,MAAM,OAAO;CACpC,OAAO,OACN,aACA,iBACA,WACA,SACA,YAEA,MAAM,eAAe,YAAY,aAAa;EAC7C,WAAW;EACX,SAAS,WAAW;EACpB,GAAI,YAAY,EAAE,WAAW,GAAG,EAAE;EAClC,GAAI,UAAU,EAAE,SAAS,GAAG,EAAE;EAC9B,CAAwB;;AAG3B,SAAS,sBAAsB,QAAkD;CAChF,SACC,OACA,oBACA,aACa;EACb,MAAM,gBAAgB,OAAO,uBAAuB,aAAa,qBAAqB;EACtF,MAAM,QAAQ,OAAO,MAAM,MAAM;EACjC,iBAAiB;EACjB,OAAO;;;AAIT,eAAe,wBACd,QACA,IACmB;CACnB,IAAI,CAAC,QACJ,OAAO,MAAM,IAAI;CAGlB,MAAM,sBAAsB,QAAQ,OAAO,MAAM,KAAK,QAAQ,OAAO;CACrE,MAAM,sBAAsB,QAAQ,OAAO,MAAM,KAAK,QAAQ,OAAO;CACrE,MAAM,aAAa,QAAQ,IAAI;CAC/B,MAAM,kBAAkB,sBAAsB,OAAO;CAErD,QAAQ,OAAO,QAAQ;CACvB,QAAQ,OAAO,QAAQ;CACvB,QAAQ,IAAI,KAAK;CAEjB,IAAI;EACH,OAAO,MAAM,IAAI;WACR;EACT,QAAQ,OAAO,QAAQ;EACvB,QAAQ,OAAO,QAAQ;EACvB,IAAI,eAAe,KAAA,GAClB,OAAO,QAAQ,IAAI;OAEnB,QAAQ,IAAI,KAAK;;;AAKpB,SAAgB,wBACf,aACA,kBAA0B,WAC1B,kBACS;CACT,MAAM,UACL,qBAAqB,KAAA,IAClB,GAAG,gBAAgB,YAAY,CAAC,GAAG,oBACnC,GAAG,gBAAgB,YAAY,CAAC,GAAG,gBAAgB,GAAG,gBAAgB,iBAAiB;CAE3F,OAAO,OAAO,WAAW,SAAS,CAAC,OAAO,QAAQ,CAAC,OAAO,MAAM,CAAC,MAAM,GAAG,GAAG;;AAG9E,eAAsB,iCAAiC,SAQpD;CACF,MAAM,0BAA0B,MAAM,uBAAuB;EAC5D,aAAa,QAAQ;EACrB,GAAI,QAAQ,YAAY,EAAE,WAAW,QAAQ,WAAW,GAAG,EAAE;EAC7D,CAAC;CAQF,OAAO;EACN,aARmB,wBAAwB,QAAQ,aAAa,QAAQ,iBAAiB;GACzF,wBAAwB,wBAAwB;GAChD,GAAI,QAAQ,qBAAqB,KAAA,IAC9B,EAAE,GACF,EAAE,wBAAwB,QAAQ,kBAAkB;GACvD,CAGW;EACX,wBAAwB,wBAAwB;EAChD;;AAGF,eAAsB,WACrB,SACA,eAA0C,EAAE,EAChB;CAC5B,MAAM,4BAA4B,MAAM,iCAAiC;EACxE,aAAa,QAAQ;EACrB,GAAI,QAAQ,YAAY,EAAE,WAAW,QAAQ,WAAW,GAAG,EAAE;EAC7D,GAAI,QAAQ,qBAAqB,KAAA,IAC9B,EAAE,GACF,EAAE,kBAAkB,QAAQ,kBAAkB;EACjD,GAAI,aAAa,kBAAkB,EAAE,iBAAiB,aAAa,iBAAiB,GAAG,EAAE;EACzF,CAAC;CACF,MAAM,cAAc,0BAA0B;CAC9C,MAAM,YAAY,KAAK,KAAK,QAAQ,UAAU,YAAY;CAC1D,MAAM,2BAA2B,YAAuC;EACvE,IAAI,QAAQ,WACX,MAAM,GAAG,GAAG,WAAW;GAAE,WAAW;GAAM,OAAO;GAAM,CAAC;EAGzD,IAAI,MAAM,oBAAoB,UAAU,EACvC,OAAO;GACN,OAAO;GACP;GACA;GACA;EAGF,MAAM,GAAG,MAAM,WAAW,EAAE,WAAW,MAAM,CAAC;EAC9C,MAAM,4BAA4B,aAAa,eAAgB,MAAM,iBAAiB;EACtF,MAAM,uBAAuB,MAAM,6CAA6C;GAC/E,aAAa,QAAQ;GACrB;GACA,wBAAwB,0BAA0B;GAClD,CAAC;EACF,MAAM,kBAAkB,KAAK,KAAK,WAAW,0BAA0B;EACvE,MAAM,GAAG,GAAG,iBAAiB;GAAE,WAAW;GAAM,OAAO;GAAM,CAAC;EAC9D,IAAI;GACH,MAAM,wBAAwB,QAAQ,QAAQ,YAAY;IACzD,MAAM,0BACL,sBACA,WACA,QAAQ,WACR,iBACA,QAAQ,WAAW,KAAA,EACnB;KACA;YACO;GACT,MAAM,GAAG,GAAG,iBAAiB;IAAE,WAAW;IAAM,OAAO;IAAM,CAAC;;EAG/D,IAAI,CAAE,MAAM,oBAAoB,UAAU,EACzC,MAAM,IAAI,MAAM,6CAA6C,UAAU,GAAG;EAG3E,OAAO;GACN,OAAO;GACP;GACA;GACA;;CAGF,IAAI,QAAQ,QACX,OAAO,MAAM,0BAA0B;CAGxC,MAAM,cAAc,KAAK,QAAQ,UAAU;CAC3C,MAAM,gBAAgB,oBAAoB,IAAI,YAAY;CAC1D,IAAI,eACH,OAAO,MAAM;CAEd,MAAM,eAAe,0BAA0B;CAC/C,oBAAoB,IAAI,aAAa,aAAa;CAClD,IAAI;EACH,OAAO,MAAM;WACJ;EACT,IAAI,oBAAoB,IAAI,YAAY,KAAK,cAC5C,oBAAoB,OAAO,YAAY;;;;;ACvR1C,MAAM,kBAAkB,cAAc,OAAO,KAAK,IAAI;AAEtD,MAAM,4BAA4B,EAAE,OAAO,EAC1C,SAAS,EAAE,QAAQ,CAAC,IAAI,EAAE,EAC1B,CAAC;AAEF,SAAS,mBAAmB,OAAyB;CACpD,OAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,UAAU,SAAS,MAAM,SAAS;;AAGzF,SAAS,gBAAgB,OAAwB;CAChD,OAAO,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM;;AAG9D,SAAgB,uBAAuB,aAA6B;CACnE,MAAM,QAAQ,YAAY,MAAM,yCAAyC;CACzE,IAAI,CAAC,OACJ,MAAM,IAAI,MACT,uGACA;CAGF,MAAM,UAAU,MAAM;CACtB,IAAI,CAAC,SACJ,MAAM,IAAI,MAAM,gCAAgC;CAEjD,OAAO;;AAGR,SAAgB,iCAAyC;CACxD,OAAO,gBAAgB,QAAQ,wCAAwC;;AAGxE,eAAsB,6BAA8C;CACnE,MAAM,kBAAkB,gCAAgC;CACxD,MAAM,SAAkB,KAAK,MAAM,MAAM,GAAG,SAAS,iBAAiB,OAAO,CAAC;CAE9E,OAAO,4BADa,0BAA0B,MAAM,OACN,CAAC;;AAOhD,eAAe,gCAAiD;CAC/D,MAAM,kBAAkB,gCAAgC;CACxD,OAAO,KAAK,KAAK,KAAK,QAAQ,gBAAgB,EAAE,QAAQ,SAAS,gBAAgB;;AAGlF,eAAsB,iCACrB,UAAmD,EAAE,EACnC;CAClB,MAAM,UAAU,QAAQ,mBAAoB,MAAM,+BAA+B;CACjF,IAAI;CACJ,IAAI;EACH,cAAc,MAAM,GAAG,SAAS,SAAS,OAAO;UACxC,OAAO;EACf,IAAI,mBAAmB,MAAM,EAC5B,MAAM,IAAI,MAAM,sCAAsC,QAAQ,KAAK,EAAE,OAAO,OAAO,CAAC;EAErF,MAAM,IAAI,MACT,6CAA6C,QAAQ,KAAK,gBAAgB,MAAM,IAChF,EAAE,OAAO,OAAO,CAChB;;CAGF,IAAI;EACH,OAAO,uBAAuB,YAAY;UAClC,OAAO;EACf,MAAM,IAAI,MACT,8CAA8C,QAAQ,KAAK,gBAAgB,MAAM,IACjF,EAAE,OAAO,OAAO,CAChB;;;;;;;;;;;AC3DH,SAAgB,6BACf,eAAgD,EAAE,EACtB;CAC5B,MAAM,wBACL,2BAA2B,eACxB,aAAa,wBACb,IAAI;CACR,MAAM,6BACL,gCAAgC,eAC7B,aAAa,6BACbA,MAAI;CAER,IAAI,iBAA8D;CAClE,IAAI,OAAO,0BAA0B,YAAY;EAChD,sBAAsB,YAAY;EAClC,iBAAiB;;CAGlB,IAAI,mBAAkE;CACtE,IAAI,OAAO,+BAA+B,YAAY;EACrD,2BAA2B,MAAM;EACjC,mBAAmB;;CAGpB,OAAO;EACN;EACA;EACA;;;;AC3CF,MAAM,2BAA2B;CAChC;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;AAYD,SAAS,wBAAwB,UAAqC;CACrE,OAAO;EACN,KAAK,KAAK,UAAU,OAAO;EAC3B,KAAK,KAAK,UAAU,UAAU;EAC9B,KAAK,KAAK,UAAU,SAAS;EAC7B,KAAK,KAAK,UAAU,UAAU;EAC9B;;AAGF,SAAgB,sBAAsB,WAAmB,SAAyB;CACjF,IAAI,KAAK,WAAW,UAAU,EAC7B,OAAO,KAAK,QAAQ,UAAU;CAG/B,OAAO,KAAK,QAAQ,SAAS,UAAU;;AAGxC,SAAS,mBAAmB,eAAuB,YAA6B;CAC/E,MAAM,eAAe,KAAK,SAAS,YAAY,cAAc;CAC7D,OAAO,iBAAiB,MAAO,CAAC,aAAa,WAAW,KAAK,IAAI,CAAC,KAAK,WAAW,aAAa;;AAGhG,eAAe,kBAAkB,UAAmC;CACnE,MAAM,mBAAmB,KAAK,QAAQ,SAAS;CAE/C,IAAI;EACH,OAAO,MAAM,GAAG,SAAS,iBAAiB;SACnC;EACP,OAAO;;;AAIT,SAAS,aAAa,eAAuB,eAAgC;CAC5E,OACC,mBAAmB,eAAe,cAAc,IAChD,mBAAmB,eAAe,cAAc;;AAIlD,SAAgB,sBACf,WACA,QACA,SACO;CACP,MAAM,oBAAoB,sBAAsB,WAAW,QAAQ,QAAQ;CAC3E,MAAM,0BAA0B,OAAO,6BAA6B,KAAK,kBACxE,sBAAsB,eAAe,QAAQ,QAAQ,CACrD;CAKD,IAAI,CAHuB,wBAAwB,MAAM,kBACxD,mBAAmB,mBAAmB,cAAc,CAE9B,EACtB,MAAM,IAAI,MACT,8BAA8B,kBAAkB,mCAAmC,wBAAwB,KAAK,KAAK,CAAC,IACtH;CAGF,IAAI,CAAC,OAAO;MACuB,yBAAyB,MAAM,eAChE,mBAAmB,mBAAmB,WAAW,CAErB,EAC5B,MAAM,IAAI,MACT,8BAA8B,kBAAkB,4FAChD;;;AAKJ,eAAsB,2BACrB,QACA,SACgB;CAChB,MAAM,eAAe,OAAO,QAAQ,OAAO,YAAY;CACvD,KAAK,MAAM,CAAC,cAAc,cACzB,sBAAsB,WAAW,OAAO,eAAe,QAAQ;CAGhE,IAAI,OAAO,cAAc,gBACxB;CAGD,MAAM,2BAA2B,aAAa,QAAQ,GAAG,cAAc,KAAK,WAAW,SAAS,CAAC;CACjG,MAAM,CAAC,oBAAoB,qBAAqB,MAAM,QAAQ,IAAI,CACjE,QAAQ,IACP,wBAAwB,QAAQ,SAAS,CAAC,IACzC,OAAO,mBAAmB,MAAM,kBAAkB,eAAe,CACjE,CACD,EACD,QAAQ,IACP,yBAAyB,IAAI,OAAO,GAAG,cAAc,MAAM,kBAAkB,SAAS,CAAC,CACvF,CACD,CAAC;CAEF,KAAK,MAAM,4BAA4B,mBAKtC,IAJkC,mBAAmB,MAAM,mBAC1D,aAAa,0BAA0B,eAAe,CAG1B,EAC5B,MAAM,IAAI,MACT,uBAAuB,yBAAyB,gGAChD;;;;AC9GJ,SAAS,mBAAmB,MAAgC;CAC3D,OAAO,GAAG,KAAK,OAAO,GAAG,KAAK;;AAG/B,SAAS,sBAAsB,eAA+B;CAC7D,OAAOC,KAAG,SACT,eACAA,KAAG,UAAU,WAAWA,KAAG,UAAU,cAAcA,KAAG,UAAU,WAChE;;AAGF,SAAgB,cAAc,UAAoC;CACjE,IAAI,CAAC,YAAY,CAAC,KAAK,WAAW,SAAS,EAC1C,MAAM,IAAI,MAAM,yDAAyD,WAAW;CAGrF,MAAM,mBAAmB,KAAK,QAAQ,SAAS;CAC/C,MAAM,KAAK,sBAAsB,iBAAiB;CAClD,IAAI;EACH,MAAM,QAAQA,KAAG,UAAU,GAAG;EAC9B,IAAI,CAAC,MAAM,aAAa,EACvB,MAAM,IAAI,MAAM,0CAA0C,mBAAmB;EAE9E,MAAM,WAAWA,KAAG,aAAa,iBAAiB;EAClD,MAAM,gBAAgBA,KAAG,SAAS,SAAS;EAC3C,IAAI,cAAc,QAAQ,MAAM,OAAO,cAAc,QAAQ,MAAM,KAClE,MAAM,IAAI,MACT,6CAA6C,iBAAiB,UAAU,MAAM,IAAI,GAAG,MAAM,IAAI,mBAAmB,cAAc,IAAI,GAAG,cAAc,MACrJ;EAEF,OAAO;GACN,QAAQ,MAAM;GACd;GACA,UAAU;GACV,OAAO,MAAM;GACb;GACA;UACO,OAAO;EACf,KAAG,UAAU,GAAG;EAChB,MAAM;;;AAIR,SAAgB,sBAAsB,MAA8B;CACnE,KAAG,UAAU,KAAK,GAAG;;AAGtB,SAAgB,uBAAuB,MAA8B;CACpE,MAAM,cAAcA,KAAG,UAAU,KAAK,GAAG;CACzC,MAAM,eAAeA,KAAG,SAAS,KAAK,SAAS;CAC/C,IACC,YAAY,QAAQ,KAAK,UACzB,YAAY,QAAQ,KAAK,SACzB,aAAa,QAAQ,KAAK,UAC1B,aAAa,QAAQ,KAAK,OAE1B,MAAM,IAAI,MACT,mDAAmD,KAAK,SAAS,YAAY,mBAAmB,KAAK,CAAC,OAAO,aAAa,IAAI,GAAG,aAAa,MAC9I;;AAUH,SAAgB,2BACf,SACkB;CAClB,uBAAuB,QAAQ,KAAK;CACpC,MAAM,WAAW,QAAQ,qBAAqB,QAAQ,KAAK,SAAS;CAEpE,OAAO,IAAI,MAAM,UAAU,EAC1B,IAAI,QAAyB,UAA2B,UAA4B;EACnF,MAAM,QAAQ,QAAQ,IAAI,QAAQ,UAAU,SAAS;EACrD,IAAI,OAAO,UAAU,YACpB,OAAO;EAGR,QAAQ,GAAG,oBAAiD;GAC3D,uBAAuB,QAAQ,KAAK;GACpC,OAAO,QAAQ,MAAM,OAAyB,QAAQ,gBAAgB;;IAGxE,CAAC;;;;AClGH,SAAgB,kBAAkB,aAA6B;CAC9D,OAAO,YAAY,MAAM,CAAC,aAAa,CAAC,QAAQ,SAAS,GAAG;;AAG7D,SAAgB,aAAa,QAAqC;CACjE,MAAM,gCAAgB,IAAI,KAAa;CACvC,MAAM,mBAA6B,EAAE;CAErC,KAAK,MAAM,SAAS,QAAQ;EAC3B,MAAM,kBAAkB,kBAAkB,MAAM;EAChD,IAAI,gBAAgB,WAAW,KAAK,gBAAgB,WAAW,IAAI,EAClE;EAGD,IAAI,CAAC,cAAc,IAAI,gBAAgB,EAAE;GACxC,cAAc,IAAI,gBAAgB;GAClC,iBAAiB,KAAK,gBAAgB;;;CAIxC,OAAO;;AAGR,SAAgB,cAAc,SAAkC;CAC/D,OAAO,aAAa;EAAC,GAAG,QAAQ;EAAM,GAAG,QAAQ;EAAS,GAAG,QAAQ;EAAM,CAAC;;;;ACM7E,MAAa,+BAA+B;AAC5C,MAAa,2CAA2C;AACxD,MAAa,8DAA8D,MAAM,OAAO;AACxF,MAAa,wDAAwD;AACrE,MAAa,0DAA0D;AAEvE,MAAa,qCAAqC;CACjD,iBAAiB;CACjB,oBAAoB;CACpB,8BAA8B;CAC9B,yBAAyB;CACzB,2BAA2B;CAC3B;AA8FD,SAAS,4BAAmD;CAC3D,MAAM,+BAA+B,aACpC,IAAI,eAAe,SAAS;CAC7B,OAAO;EACN;EACA,UAAU,OAAO,cACf,MAAM,GAAG,OAAO,UAAU;EAC5B,kBAAkB,gBACjB,gBAAgB;GACf,cAAc,CAAC,GAAG,YAAY,aAAa;GAC3C,GAAI,YAAY,cACb;IAAE,qBAAqB;IAAO,aAAa,YAAY;IAAa,GACpE,EAAE;GACL,SAAS,OAAO,YACf,OAAO,QAAQ,YAAY,QAAQ,CAAC,KAAK,CAAC,YAAY,gBAAgB,CACrE,YACA;IACC,OAAO,CAAC,GAAG,WAAW,MAAM;IAC5B,OAAO,WAAW;IAClB,CACD,CAAC,CACF;GACD,GAAI,YAAY,YAAY,EAAE,WAAW,YAAY,WAAW,GAAG,EAAE;GACrE,GAAI,YAAY,aAAa,EAAE,YAAY,YAAY,YAAY,GAAG,EAAE;GACxE,CAAC;EACH;EACA,6BAA6B,SAC5B,2BAA2B;GAC1B,sBAAsB;GACtB;GACA,CAAC;EACH,sBAAsB;EACtB,yBAAyB,aACxB,IAAI,iBAAiB,SAAS;EAC/B,4BAA6C,IAAI,gBAAgB;EACjE,uBACC,UACA,kBACqB,IAAI,eAAe,UAAU,cAAc;EACjE,4BAA4B,UAC3B,0BAA0B,CAAC,GAAG,MAAM,CAAC;EACtC;;AAIF,SAAS,oBAAoB,WAA2B;CACvD,MAAM,cAAc,UAAU,MAAM;CACpC,IAAI,YAAY,WAAW,IAAI,EAC9B,OAAO;CAIR,OAAO,IADc,YAAY,WAAW,KAAK,GAAG,YAAY,MAAM,EAAY,GAAG;;AAItF,SAAS,4BACR,WACA,cACA,WACkB;CAClB,IAAI,UAAU,gBACb,OAAO,aAAa,2BAA2B,UAAU,eAAe;CAEzE,IAAI,UAAU,UACb,OAAO,aAAa,qBAAqB,UAAU,SAAS;CAG7D,MAAM,IAAI,MAAM,GAAG,UAAU,4CAA4C;;AAG1E,SAAS,uBACR,WACA,cACkB;CAClB,QAAQ,UAAU,MAAlB;EACC,KAAK,UACJ,OAAO,aAAa,sBAAsB;EAC3C,KAAK,UACJ,OAAO,4BAA4B,WAAW,cAAc,SAAS;EAEtE,KAAK,mBACJ,OAAO,aAAa,uBACnB,4BAA4B,WAAW,cAAc,kBAAkB,CACvE;EAEF,KAAK,UAAU;GAMd,IAAI,iBAJH,UAAU,YAAY,UAAU,iBAC7B,4BAA4B,WAAW,cAAc,SAAS,GAC9D,aAAa,sBAAsB;GAGvC,MAAM,eAAe,UAAU;GAE/B,IAAI,cAAc,KAAK,QACtB,iBAAiB,aAAa,qBAAqB,gBAAgB;IAClE,cAAc,aAAa,0BAC1B,aAAa,KAAK,KAAK,eAAe,oBAAoB,WAAW,CAAC,CACtE;IACD,WAAW;IACX,CAAC;GAGH,IAAI,cAAc,MAAM,QACvB,iBAAiB,aAAa,qBAAqB,gBAAgB;IAClE,cAAc,aAAa,0BAC1B,aAAa,MAAM,KAAK,eAAe,oBAAoB,WAAW,CAAC,CACvE;IACD,WAAW;IACX,CAAC;GAGH,OAAO;;EAER,SACC,MAAM,IAAI,MAAM,+BAA+B,OAAO,UAAU,KAAK,GAAG;;;AAK3E,SAAS,gBACR,WACA,cACkC;CAClC,MAAM,WAA4C,EAAE;CAEpD,KAAK,MAAM,CAAC,WAAW,cAAc,OAAO,QAAQ,UAAU,EAC7D,SAAS,aAAa,uBAAuB,WAAW,aAAa;CAGtE,OAAO;;AAGR,SAAS,yBACR,WAC8B;CAC9B,MAAM,wBAAQ,IAAI,KAA+B;CACjD,KAAK,MAAM,aAAa,OAAO,OAAO,UAAU,EAC/C,IAAI,UAAU,gBACb,MAAM,IAAI,UAAU,eAAe,IAAI,UAAU,eAAe;CAGlE,OAAO,CAAC,GAAG,MAAM,QAAQ,CAAC;;AAG3B,SAAS,uBACR,OACA,cACO;CACP,KAAK,MAAM,QAAQ,OAClB,aAAa,sBAAsB,KAAK;;AAI1C,SAAS,mCACR,OACA,cACO;CACP,IAAI;EACH,uBAAuB,OAAO,aAAa;SACpC;;AAMT,SAAS,+BACR,iBAAuC,EAAE,EAClB;CACvB,MAAM,kBAAwC,EAC7C,GAAG,oCACH;CAED,IAAI,eAAe,eAAe,KAAA,GACjC,gBAAgB,aAAa,eAAe;CAE7C,IAAI,eAAe,eAAe,KAAA,GACjC,gBAAgB,aAAa,eAAe;CAE7C,IAAI,eAAe,oBAAoB,KAAA,GACtC,gBAAgB,kBAAkB,eAAe;CAElD,IAAI,eAAe,UAAU,KAAA,GAC5B,gBAAgB,QAAQ,eAAe;CAExC,IAAI,eAAe,uBAAuB,KAAA,GACzC,gBAAgB,qBAAqB,eAAe;CAErD,IAAI,eAAe,iCAAiC,KAAA,GACnD,gBAAgB,+BAA+B,eAAe;CAE/D,IAAI,eAAe,4BAA4B,KAAA,GAC9C,gBAAgB,0BAA0B,eAAe;CAE1D,IAAI,eAAe,8BAA8B,KAAA,GAChD,gBAAgB,4BAA4B,eAAe;CAG5D,OAAO;;AAUR,SAAS,wBAAwB,UAA0B;CAC1D,OAAO,SAAS,aAAa;;AAG9B,SAAS,qBAAqB,UAA+C;CAC5E,IAAI,SAAS,WAAW,IAAI,EAAE;EAC7B,MAAM,sBAAsB,SAAS,QAAQ,IAAI;EACjD,IAAI,sBAAsB,GAAG;GAC5B,MAAM,YAAY,OAAO,SAAS,SAAS,MAAM,sBAAsB,EAAE,EAAE,GAAG;GAC9E,IAAI,CAAC,OAAO,SAAS,UAAU,EAC9B;GAED,OAAO;IACN,UAAU,wBAAwB,SAAS,MAAM,GAAG,oBAAoB,CAAC;IACzE,MAAM;IACN;;;CAIH,MAAM,qBAAqB,SAAS,YAAY,IAAI;CACpD,IAAI,sBAAsB,GACzB;CAED,MAAM,YAAY,OAAO,SAAS,SAAS,MAAM,qBAAqB,EAAE,EAAE,GAAG;CAC7E,IAAI,CAAC,OAAO,SAAS,UAAU,EAC9B;CAED,OAAO;EACN,UAAU,wBAAwB,SAAS,MAAM,GAAG,mBAAmB,CAAC;EACxE,MAAM;EACN;;AAGF,SAAS,sBAAsB,WAA4B;CAC1D,MAAM,SAAS,UAAU,MAAM,IAAI,CAAC,KAAK,YAAY,OAAO,SAAS,SAAS,GAAG,CAAC;CAClF,IAAI,OAAO,WAAW,KAAK,OAAO,MAAM,UAAU,CAAC,OAAO,UAAU,MAAM,CAAC,EAC1E,OAAO;CAER,MAAM,aAAa,OAAO;CAC1B,MAAM,cAAc,OAAO;CAC3B,IAAI,eAAe,KAAA,KAAa,gBAAgB,KAAA,GAC/C,OAAO;CAER,OACC,eAAe,MACf,eAAe,OACd,eAAe,OAAO,gBAAgB,OACtC,eAAe,OAAO,eAAe,MAAM,eAAe,MAC1D,eAAe,OAAO,gBAAgB,OACtC,eAAe,OAAO,eAAe,MAAM,eAAe;;AAI7D,SAAS,oBAAoB,WAA4B;CACxD,IAAI,IAAI,KAAK,UAAU,KAAK,GAC3B,OAAO,sBAAsB,UAAU;CAExC,MAAM,sBAAsB,UAAU,aAAa;CACnD,IAAI,oBAAoB,WAAW,UAAU,EAC5C,OAAO,sBAAsB,oBAAoB,MAAM,EAAiB,CAAC;CAE1E,OACC,wBAAwB,SACxB,oBAAoB,WAAW,KAAK,IACpC,oBAAoB,WAAW,KAAK,IACpC,oBAAoB,WAAW,QAAQ;;AAIzC,SAAS,2BAA2B,UAA2B;CAC9D,MAAM,qBAAqB,wBAAwB,SAAS;CAC5D,OACC,uBAAuB,eACvB,uBAAuB,0BACvB,oBAAoB,mBAAmB;;AAIzC,SAAS,2BACR,UACiC;CACjC,IAAI,CAAC,UACJ,OAAO,EAAE;CAGV,MAAM,QAA+B,EAAE;CACvC,KAAK,MAAM,CAAC,YAAY,kBAAkB,OAAO,QAAQ,SAAS,EAAE;EACnE,MAAM,kBAAkB,qBAAqB,WAAW;EACxD,MAAM,iBAAiB,qBAAqB,cAAc;EAC1D,IACC,CAAC,mBACD,CAAC,kBACD,CAAC,2BAA2B,eAAe,SAAS,EAEpD;EAED,IACC,CAAC,MAAM,MACL,SAAS,KAAK,aAAa,gBAAgB,YAAY,KAAK,SAAS,gBAAgB,KACtF,EAED,MAAM,KAAK,gBAAgB;;CAG7B,OAAO;;AAGR,SAAS,iBACR,OACA,iBACoB;CACpB,MAAM,cAAc,CAAC,GAAG,MAAM;CAC9B,KAAK,MAAM,QAAQ,iBAClB,IAAI,CAAC,YAAY,SAAS,KAAK,EAC9B,YAAY,KAAK,KAAK;CAGxB,OAAO;;AAGR,SAAS,4BACR,OACuC;CACvC,IAAI,MAAM,WAAW,GACpB;CAED,MAAM,gBAAgB,IAAI,IAAI,MAAM,KAAK,SAAS,KAAK,SAAS,CAAC;CACjE,QAAQ,SAAS;EAChB,MAAM,WAAW,wBAAwB,KAAK,SAAS;EACvD,MAAM,mBAAmB,MAAM,MAC7B,SAAS,KAAK,aAAa,YAAY,KAAK,SAAS,KAAK,KAC3D;EACD,IAAI,cAAc,IAAI,SAAS,EAC9B,OAAO;EAER,IAAI,oBAAoB,KAAK,GAAG,EAC/B,OAAO;EAER,OAAO;;;AAIT,eAAsB,gBACrB,SACA,eAAsC,2BAA2B,EAC5C;CACrB,aAAa,gCAAgC;CAC7C,MAAM,cAAc,QAAQ,YAAY,OAAO,KAAK,QAAQ,SAAS,CAAC,SAAS;CAC/E,MAAM,uBAAuB,2BAA2B,QAAQ,SAAS;CACzE,MAAM,eAAe,iBACpB,QAAQ,cACR,qBAAqB,KAAK,SAAS,KAAK,SAAS,CACjD;CACD,MAAM,cAAc,4BAA4B,qBAAqB;CACrE,MAAM,oBAAoB,yBAAyB,QAAQ,UAAU;CACrE,IAAI;CACJ,IAAI;EACH,MAAM,aAAa,aAAa,gBAAgB;GAC/C;GACA,GAAI,cAAc,EAAE,aAAa,GAAG,EAAE;GACtC,SAAS,QAAQ;GACjB,GAAI,QAAQ,YAAY,EAAE,WAAW,QAAQ,WAAW,GAAG,EAAE;GAC7D,GAAI,QAAQ,aAAa,EAAE,YAAY,QAAQ,YAAY,GAAG,EAAE;GAChE,CAAC;EACF,aAAa,MAAM,aAAa,SAAS;GACxC,GAAI,QAAQ,UAAU,SAAS,IAAI,EAAE,SAAS,EAAE,WAAW,QAAQ,WAAW,EAAE,GAAG,EAAE;GACrF,GAAI,QAAQ,eAAe,EAAE,cAAc,QAAQ,cAAc,GAAG,EAAE;GACtE,QAAQ;IACP,MAAM,QAAQ;IACd,GAAI,QAAQ,sBAAsB,KAAA,IAAY,EAAE,GAAG,EAAE,MAAM,QAAQ,mBAAmB;IACtF;GACD,QAAQ,QAAQ;GAChB,MAAM,QAAQ;GACd,KAAK;IACJ,GAAG,WAAW;IACd,GAAG,QAAQ;IACX;GACD,WAAW,WAAW;GACtB,KAAK;IACJ,WAAW;IACX,QAAQ,gBAAgB,QAAQ,WAAW,aAAa;IACxD;GACD,GAAI,cACD;IACA,KAAK;KACJ,MAAM;KACN,eAAe;KACf,eAAe;KACf,sBAAsB;KACtB;IACD,KAAK,EACJ,OAAO,QAAQ,UACf;IACD,GACA,EAAE;GACL,CAAC;UACM,OAAO;EACf,mCAAmC,mBAAmB,aAAa;EACnE,MAAM;;CAGP,OAAO;EACN,IAAI,WAAW;EACf,IAAI,WAAW;EACf,KAAK,SAA2B,aAAsD;GACrF,MAAM,oBAAoB,OAAO,YAAY,WAAW,UAAU,CAAC,GAAG,QAAQ;GAC9E,OAAO,WAAW,KAAK,mBAAmB,YAAY;;EAEvD,MAAM,UAAU,YAAmD;GAClE,OAAO,MAAM,WAAW,UAAU,WAAW;;EAE9C,MAAM,cAAc,gBAA+D;GAClF,OAAO,MAAM,WAAW,cAAc,+BAA+B,eAAe,CAAC;;EAEtF,aAA4B;GAC3B,OAAO,WAAW,cAAc,IAAI;;EAErC,gBAAmC;GAClC,OAAO;;EAER,iBAAiB,QAAuC;GACvD,WAAW,iBAAiB,OAAO;;EAEpC,MAAM,QAAuB;GAC5B,IAAI;GACJ,IAAI;IACH,MAAM,WAAW,OAAO;YAChB,OAAO;IACf,aAAa;;GAEd,IAAI;IACH,uBAAuB,mBAAmB,aAAa;YAC/C,OAAO;IACf,eAAe;;GAEhB,IAAI,eAAe,KAAA,GAClB,MAAM;;EAGR;;;;ACjkBF,eAAsB,gBACrB,WACA,eACA,YACkB;CAClB,MAAM,kBAAkB,KAAK,KAAK,WAAW,eAAe,WAAW;CACvE,MAAM,GAAG,MAAM,iBAAiB,EAAE,WAAW,MAAM,CAAC;CACpD,OAAO;;AAGR,eAAsB,kBACrB,WACA,eACA,SAC0C;CAC1C,MAAM,wBAAwB,MAAM,QAAQ,IAC3C,OAAO,QAAQ,QAAQ,CAAC,IACvB,OAAO,CAAC,YAAY,kBACnB,CACC,YACA;EACC,WAAW,aAAa;EACxB,SAAS,MAAM,gBAAgB,WAAW,eAAe,WAAW;EACpE,CACD,CACF,CACD;CAED,OAAO,OAAO,YAAY,sBAAsB;;;;ACtCjD,eAAsB,oBACrB,UACA,SACA,UAEI,EAAE,EACU;CAChB,MAAM,oBAAoB,GAAG,SAAS,GAAG,QAAQ,IAAI,GAAG,KAAK,KAAK,CAAC;CACnE,MAAM,GAAG,UAAU,mBAAmB,SAAS;EAC9C,UAAU;EACV,GAAI,QAAQ,OAAO,EAAE,MAAM,QAAQ,MAAM,GAAG,EAAE;EAC9C,CAAC;CACF,IAAI;EACH,MAAM,GAAG,OAAO,mBAAmB,SAAS;UACpC,aAAa;EACrB,IAAI;GACH,MAAM,GAAG,GAAG,mBAAmB,EAAE,OAAO,MAAM,CAAC;WACvC,cAAc;GACtB,MAAM,IAAI,MACT,sBAAsB,SAAS,KAAK,uBAAuB,QAAQ,YAAY,UAAU,KAAK,UAAU,YAAY,CAAC,yCAAyC,kBAAkB,KAAK,wBAAwB,QAAQ,aAAa,UAAU,KAAK,UAAU,aAAa,IACxQ,EAAE,OAAO,cAAc,CACvB;;EAEF,MAAM"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@agent-vm/gondolin-adapter",
3
- "version": "0.0.92",
3
+ "version": "0.0.94",
4
4
  "description": "Adapter over @earendil-works/gondolin: VM build pipeline, image cache, and secret resolver.",
5
5
  "homepage": "https://github.com/ShravanSunder/agent-vm#readme",
6
6
  "bugs": {
@@ -31,7 +31,7 @@
31
31
  "dependencies": {
32
32
  "@earendil-works/gondolin": "0.12.0",
33
33
  "zod": "^4.4.3",
34
- "@agent-vm/secret-management": "0.0.92"
34
+ "@agent-vm/secret-management": "0.0.94"
35
35
  },
36
36
  "scripts": {
37
37
  "build": "tsdown",