@agentforge-ai/sandbox 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (21) hide show
  1. package/LICENSE +197 -0
  2. package/README.md +108 -0
  3. package/dist/container-pool.d.ts +89 -0
  4. package/dist/container-pool.js +539 -0
  5. package/dist/container-pool.js.map +1 -0
  6. package/dist/docker-sandbox.d.ts +92 -0
  7. package/dist/docker-sandbox.js +343 -0
  8. package/dist/docker-sandbox.js.map +1 -0
  9. package/dist/index.d.ts +6 -0
  10. package/dist/index.js +701 -0
  11. package/dist/index.js.map +1 -0
  12. package/dist/sandbox-manager.d.ts +77 -0
  13. package/dist/sandbox-manager.js +498 -0
  14. package/dist/sandbox-manager.js.map +1 -0
  15. package/dist/security.d.ts +59 -0
  16. package/dist/security.js +89 -0
  17. package/dist/security.js.map +1 -0
  18. package/dist/types.d.ts +179 -0
  19. package/dist/types.js +1 -0
  20. package/dist/types.js.map +1 -0
  21. package/package.json +64 -0
package/dist/index.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/docker-sandbox.ts","../src/security.ts","../src/container-pool.ts","../src/sandbox-manager.ts"],"sourcesContent":["/**\n * @module docker-sandbox\n *\n * DockerSandbox — a container-backed {@link SandboxProvider} for AgentForge.\n *\n * Each instance manages exactly one Docker container. The container is\n * created lazily on the first call to {@link DockerSandbox.start}, executed\n * via the Docker exec API, and destroyed via {@link DockerSandbox.destroy}.\n *\n * @example\n * ```ts\n * const sandbox = new DockerSandbox({\n * scope: 'agent',\n * workspaceAccess: 'ro',\n * workspacePath: '/home/user/project',\n * resourceLimits: { memoryMb: 512, cpuShares: 512 },\n * });\n * await sandbox.start();\n * const result = await sandbox.exec('echo hello');\n * console.log(result.stdout); // \"hello\\n\"\n * await sandbox.destroy();\n * ```\n */\n\nimport Dockerode from 'dockerode';\nimport { randomUUID } from 'node:crypto';\nimport type { DockerSandboxConfig, ExecOptions, ExecResult, SandboxProvider } from './types.js';\nimport { DEFAULT_CAP_DROP, SecurityError, validateBinds, validateCommand, validateImageName } from './security.js';\n\n/** Default Docker image used when none is specified. */\nconst DEFAULT_IMAGE = 'node:22-slim';\n\n/** Default per-exec timeout in milliseconds. */\nconst DEFAULT_EXEC_TIMEOUT_MS = 30_000;\n\n/** Default container workspace mount point. */\nconst DEFAULT_CONTAINER_WORKSPACE = '/workspace';\n\n// ---------------------------------------------------------------------------\n// Stream demuxing\n// ---------------------------------------------------------------------------\n\n/**\n * Decodes the multiplexed stream that Docker returns for exec output.\n *\n * Docker prefixes every chunk with an 8-byte header:\n * [stream_type(1)] [0(3)] [size(4 BE)]\n * where stream_type is 1 = stdout, 2 = stderr.\n */\nfunction demuxDockerStream(buffer: Buffer): { stdout: string; stderr: string } {\n let stdout = '';\n let stderr = '';\n let offset = 0;\n\n while (offset + 8 <= buffer.length) {\n const streamType = buffer[offset];\n const frameSize = buffer.readUInt32BE(offset + 4);\n offset += 8;\n\n if (offset + frameSize > buffer.length) break;\n\n const chunk = buffer.slice(offset, offset + frameSize).toString('utf8');\n offset += frameSize;\n\n if (streamType === 1) {\n stdout += chunk;\n } else if (streamType === 2) {\n stderr += chunk;\n }\n }\n\n return { stdout, stderr };\n}\n\n// ---------------------------------------------------------------------------\n// DockerSandbox\n// ---------------------------------------------------------------------------\n\n/**\n * Container-based sandbox using the Docker engine.\n *\n * Implements the {@link SandboxProvider} interface for full lifecycle\n * management, command execution, and file I/O within an isolated container.\n */\nexport class DockerSandbox implements SandboxProvider {\n private readonly config: Required<\n Pick<DockerSandboxConfig, 'scope' | 'workspaceAccess' | 'image' | 'containerWorkspacePath'>\n > &\n DockerSandboxConfig;\n\n private readonly docker: Dockerode;\n private container: Dockerode.Container | null = null;\n private containerId: string | null = null;\n private killTimer: ReturnType<typeof setTimeout> | null = null;\n\n /**\n * @param config - Sandbox configuration.\n * @param docker - Optional pre-configured Dockerode instance (useful in tests).\n */\n constructor(config: DockerSandboxConfig, docker?: Dockerode) {\n // Validate security constraints eagerly\n const image = config.image ?? DEFAULT_IMAGE;\n validateImageName(image);\n\n if (config.binds && config.binds.length > 0) {\n validateBinds(config.binds);\n }\n\n this.config = {\n ...config,\n image,\n containerWorkspacePath: config.containerWorkspacePath ?? DEFAULT_CONTAINER_WORKSPACE,\n };\n\n this.docker =\n docker ??\n new Dockerode(\n process.env['DOCKER_HOST']\n ? { host: process.env['DOCKER_HOST'] }\n : { socketPath: '/var/run/docker.sock' },\n );\n }\n\n // ---------------------------------------------------------------------------\n // Lifecycle\n // ---------------------------------------------------------------------------\n\n /**\n * Create and start the Docker container.\n * Idempotent — calling start() on an already-running sandbox is a no-op.\n */\n async start(): Promise<void> {\n if (this.container) return;\n\n const { image, scope, resourceLimits, binds, env, timeout, workspaceAccess, workspacePath, containerWorkspacePath } = this.config;\n\n const name = `agentforge-${scope}-${randomUUID().slice(0, 8)}`;\n\n const envArray = Object.entries(env ?? {}).map(([k, v]) => `${k}=${v}`);\n\n // Build bind mounts\n const allBinds: string[] = [...(binds ?? [])];\n\n // Mount workspace if configured\n if (workspaceAccess !== 'none' && workspacePath) {\n const mode = workspaceAccess === 'ro' ? 'ro' : 'rw';\n allBinds.push(`${workspacePath}:${containerWorkspacePath}:${mode}`);\n }\n\n const hostConfig: Dockerode.HostConfig = {\n // Resource limits\n CpuShares: resourceLimits?.cpuShares,\n Memory: resourceLimits?.memoryMb ? resourceLimits.memoryMb * 1024 * 1024 : undefined,\n PidsLimit: resourceLimits?.pidsLimit ?? 256,\n\n // Security hardening\n CapDrop: [...DEFAULT_CAP_DROP],\n SecurityOpt: ['no-new-privileges:true'],\n ReadonlyRootfs: false,\n\n // Bind mounts\n Binds: allBinds.length > 0 ? allBinds : undefined,\n };\n\n this.container = await this.docker.createContainer({\n name,\n Image: image,\n // Keep container alive — we run commands via exec\n Cmd: ['/bin/sh', '-c', 'while true; do sleep 3600; done'],\n Env: envArray,\n AttachStdin: false,\n AttachStdout: false,\n AttachStderr: false,\n Tty: false,\n NetworkDisabled: resourceLimits?.networkDisabled ?? false,\n WorkingDir: containerWorkspacePath,\n Labels: {\n 'agentforge.scope': scope,\n 'agentforge.managed': 'true',\n },\n HostConfig: hostConfig,\n });\n\n await this.container.start();\n this.containerId = this.container.id;\n\n // Auto-kill after configured timeout\n if (timeout && timeout > 0) {\n this.killTimer = setTimeout(() => {\n void this.destroy();\n }, timeout * 1000);\n }\n }\n\n /**\n * Stop the container gracefully (10 s grace period then SIGKILL).\n * The container is kept for potential restart.\n */\n async stop(): Promise<void> {\n this._clearKillTimer();\n if (!this.container) return;\n\n try {\n const info = await this.container.inspect();\n if (info.State.Running) {\n await this.container.stop({ t: 10 });\n }\n } catch {\n // Container may already be stopped — ignore\n }\n }\n\n /**\n * Destroy the container and release all resources.\n * Safe to call multiple times.\n */\n async destroy(): Promise<void> {\n this._clearKillTimer();\n const container = this.container;\n this.container = null;\n this.containerId = null;\n\n if (!container) return;\n\n try {\n await container.remove({ force: true });\n } catch {\n // Already gone — ignore\n }\n }\n\n // ---------------------------------------------------------------------------\n // Execution\n // ---------------------------------------------------------------------------\n\n /**\n * Execute a shell command inside the running container.\n *\n * @param command - Shell command string passed to `/bin/sh -c`.\n * @param options - Per-call options (timeout, cwd, env overrides).\n */\n async exec(command: string, options: ExecOptions = {}): Promise<ExecResult> {\n if (!this.container) {\n throw new Error('DockerSandbox: container is not running. Call start() first.');\n }\n\n // Defense-in-depth command validation\n validateCommand(command);\n\n const timeoutMs = options.timeout ?? DEFAULT_EXEC_TIMEOUT_MS;\n const envOverride = Object.entries(options.env ?? {}).map(([k, v]) => `${k}=${v}`);\n\n const execInstance = await this.container.exec({\n Cmd: ['/bin/sh', '-c', command],\n AttachStdout: true,\n AttachStderr: true,\n Tty: false,\n WorkingDir: options.cwd,\n Env: envOverride.length > 0 ? envOverride : undefined,\n });\n\n return new Promise<ExecResult>((resolve, reject) => {\n const timer = setTimeout(() => {\n reject(new Error(`DockerSandbox: exec timed out after ${timeoutMs}ms`));\n }, timeoutMs);\n\n execInstance.start({ hijack: true, stdin: false }, (err, stream) => {\n if (err) {\n clearTimeout(timer);\n reject(err);\n return;\n }\n\n if (!stream) {\n clearTimeout(timer);\n reject(new Error('DockerSandbox: no stream returned from exec'));\n return;\n }\n\n const chunks: Buffer[] = [];\n\n stream.on('data', (chunk: Buffer) => chunks.push(chunk));\n\n stream.on('end', async () => {\n clearTimeout(timer);\n try {\n const raw = Buffer.concat(chunks);\n const { stdout, stderr } = demuxDockerStream(raw);\n\n // Inspect exec to get exit code\n const inspectResult = await execInstance.inspect();\n const exitCode = inspectResult.ExitCode ?? 0;\n\n resolve({ stdout, stderr, exitCode });\n } catch (inspectErr) {\n reject(inspectErr);\n }\n });\n\n stream.on('error', (streamErr: Error) => {\n clearTimeout(timer);\n reject(streamErr);\n });\n });\n });\n }\n\n /**\n * Read a file from the container filesystem by running `cat`.\n *\n * @param path - Absolute path inside the container.\n */\n async readFile(path: string): Promise<string> {\n const result = await this.exec(`cat \"${path.replace(/\"/g, '\\\\\"')}\"`);\n if (result.exitCode !== 0) {\n throw new Error(\n `DockerSandbox.readFile: failed to read \"${path}\" (exit ${result.exitCode}): ${result.stderr}`,\n );\n }\n return result.stdout;\n }\n\n /**\n * Write content to a file inside the container using base64 encoding\n * to avoid shell quoting issues.\n *\n * @param path - Absolute path inside the container.\n * @param content - UTF-8 string content.\n */\n async writeFile(path: string, content: string): Promise<void> {\n const b64 = Buffer.from(content, 'utf8').toString('base64');\n const cmd = `printf '%s' \"${b64}\" | base64 -d > \"${path.replace(/\"/g, '\\\\\"')}\"`;\n const result = await this.exec(cmd);\n if (result.exitCode !== 0) {\n throw new Error(\n `DockerSandbox.writeFile: failed to write \"${path}\" (exit ${result.exitCode}): ${result.stderr}`,\n );\n }\n }\n\n // ---------------------------------------------------------------------------\n // Health\n // ---------------------------------------------------------------------------\n\n /**\n * Returns true if the underlying Docker container is running.\n */\n async isRunning(): Promise<boolean> {\n if (!this.container) return false;\n try {\n const info = await this.container.inspect();\n return info.State.Running === true;\n } catch {\n return false;\n }\n }\n\n /**\n * Returns the Docker container ID or null if not yet started.\n */\n getContainerId(): string | null {\n return this.containerId;\n }\n\n // ---------------------------------------------------------------------------\n // Private helpers\n // ---------------------------------------------------------------------------\n\n private _clearKillTimer(): void {\n if (this.killTimer !== null) {\n clearTimeout(this.killTimer);\n this.killTimer = null;\n }\n }\n}\n","/**\n * @module security\n *\n * Security helpers for the Docker sandbox implementation.\n *\n * Centralised in one module so policy changes propagate everywhere.\n * All validation functions throw {@link SecurityError} on violations.\n */\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\n/**\n * Host-side paths that must never be bind-mounted into a sandbox container.\n * Mounting these paths would allow container-escape or privilege escalation.\n */\nexport const BLOCKED_BIND_PREFIXES: readonly string[] = [\n '/var/run/docker.sock',\n '/etc',\n '/proc',\n '/sys',\n '/dev',\n '/boot',\n '/root',\n];\n\n/**\n * Linux capabilities dropped by default for every sandbox container.\n * We start with no capabilities at all (drop \"ALL\") then add nothing back.\n */\nexport const DEFAULT_CAP_DROP: readonly string[] = ['ALL'];\n\n/**\n * Allowed image name patterns (non-arbitrary image names in production).\n * Only images that match one of these prefixes are permitted.\n * In test / dev the list can be extended via AGENTFORGE_ALLOWED_IMAGES env var.\n */\nconst BASE_ALLOWED_IMAGE_PREFIXES: readonly string[] = [\n 'node:',\n 'python:',\n 'ubuntu:',\n 'debian:',\n 'alpine:',\n 'agentforge/',\n];\n\n// ---------------------------------------------------------------------------\n// Validation functions\n// ---------------------------------------------------------------------------\n\n/**\n * Throws if the provided bind-mount spec contains a blocked host path.\n *\n * @param bind - A bind-mount spec in `host:container[:mode]` format.\n * @throws {SecurityError} when the host path is on the block-list.\n */\nexport function validateBind(bind: string): void {\n const hostPath = bind.split(':')[0];\n if (!hostPath) {\n throw new SecurityError(`Invalid bind mount spec: \"${bind}\"`);\n }\n\n for (const blocked of BLOCKED_BIND_PREFIXES) {\n if (hostPath === blocked || hostPath.startsWith(blocked + '/') || hostPath.startsWith(blocked)) {\n throw new SecurityError(\n `Bind mount \"${bind}\" is blocked. Host path \"${hostPath}\" matches blocked prefix \"${blocked}\".`,\n );\n }\n }\n}\n\n/**\n * Validate all bind mounts in the provided array.\n * @throws {SecurityError} on the first violation found.\n */\nexport function validateBinds(binds: string[]): void {\n for (const bind of binds) {\n validateBind(bind);\n }\n}\n\n/**\n * Validate that an image name is on the allow-list.\n *\n * In production (NODE_ENV === 'production') only known safe images are allowed.\n * In development/test any image name that passes format validation is accepted.\n *\n * Additional allowed prefixes can be injected via the\n * `AGENTFORGE_ALLOWED_IMAGES` env var (comma-separated prefixes).\n *\n * @param image - Docker image name, e.g. `node:22-slim`.\n * @throws {SecurityError} if the image is not permitted.\n */\nexport function validateImageName(image: string): void {\n if (!image || typeof image !== 'string') {\n throw new SecurityError('Image name must be a non-empty string.');\n }\n\n // Reject obviously dangerous patterns (shell metacharacters)\n if (/[;&|`$(){}[\\]<>]/.test(image)) {\n throw new SecurityError(`Image name \"${image}\" contains forbidden characters.`);\n }\n\n if (process.env['NODE_ENV'] !== 'production') {\n // In dev/test, just ensure the name is a plausible Docker image reference\n return;\n }\n\n // Build the full allow-list (base + env-configured extras)\n const extraPrefixes = (process.env['AGENTFORGE_ALLOWED_IMAGES'] ?? '')\n .split(',')\n .map((s) => s.trim())\n .filter(Boolean);\n\n const allowedPrefixes = [...BASE_ALLOWED_IMAGE_PREFIXES, ...extraPrefixes];\n\n const allowed = allowedPrefixes.some((prefix) => image.startsWith(prefix));\n if (!allowed) {\n throw new SecurityError(\n `Image \"${image}\" is not on the allow-list. ` +\n `Allowed prefixes: ${allowedPrefixes.join(', ')}. ` +\n `Add custom prefixes via AGENTFORGE_ALLOWED_IMAGES env var.`,\n );\n }\n}\n\n/**\n * Validate that a command does not contain obvious escape attempts.\n * This is a defense-in-depth measure — the container itself is the primary boundary.\n *\n * @param command - The shell command to validate.\n * @throws {SecurityError} if the command contains dangerous patterns.\n */\nexport function validateCommand(command: string): void {\n if (!command || typeof command !== 'string') {\n throw new SecurityError('Command must be a non-empty string.');\n }\n\n // Block attempts to access the Docker socket from within the container\n const dangerousPatterns = [\n /docker\\.sock/i,\n /nsenter\\s/i,\n /mount\\s+-t\\s+proc/i,\n ];\n\n for (const pattern of dangerousPatterns) {\n if (pattern.test(command)) {\n throw new SecurityError(\n `Command contains a potentially dangerous pattern: ${pattern.source}`,\n );\n }\n }\n}\n\n// ---------------------------------------------------------------------------\n// Error class\n// ---------------------------------------------------------------------------\n\n/**\n * A structured error type for sandbox security violations.\n */\nexport class SecurityError extends Error {\n constructor(message: string) {\n super(message);\n this.name = 'SecurityError';\n }\n}\n","/**\n * @module container-pool\n *\n * ContainerPool — maintains a pool of warm {@link DockerSandbox} instances\n * to amortise container cold-start latency.\n *\n * Design:\n * - A fixed-size pool of pre-started containers (warm slots).\n * - {@link ContainerPool.acquire} returns the least-recently-used idle\n * container or starts a new one if the pool has not yet reached capacity.\n * - {@link ContainerPool.release} marks a container as idle so it can be reused.\n * - An idle-eviction sweep runs periodically and destroys containers that have\n * been idle longer than `idleTimeoutSeconds`.\n * - LRU eviction is applied when the pool is at capacity and a new container is\n * requested but none are idle.\n */\n\nimport type Dockerode from 'dockerode';\nimport { DockerSandbox } from './docker-sandbox.js';\nimport type { DockerSandboxConfig, PoolConfig, PoolEntry, SandboxProvider } from './types.js';\nimport { randomUUID } from 'node:crypto';\n\nconst DEFAULT_MAX_SIZE = 3;\nconst DEFAULT_IDLE_TIMEOUT_SECONDS = 300;\nconst SWEEP_INTERVAL_MS = 30_000;\n\n/**\n * A pool of warm Docker containers that can be acquired and released for reuse.\n *\n * @example\n * ```ts\n * const pool = new ContainerPool({ image: 'node:22-slim', scope: 'agent' });\n * await pool.warmUp();\n *\n * const sb = await pool.acquire();\n * await sb.exec('node -e \"console.log(1+1)\"');\n * await pool.release(sb);\n *\n * await pool.drain();\n * ```\n */\nexport class ContainerPool {\n private readonly config: Required<PoolConfig>;\n private readonly docker?: Dockerode;\n private readonly entries: Map<string, PoolEntry> = new Map();\n private sweepTimer: ReturnType<typeof setInterval> | null = null;\n private draining = false;\n\n constructor(config: PoolConfig, docker?: Dockerode) {\n this.config = {\n maxSize: DEFAULT_MAX_SIZE,\n idleTimeoutSeconds: DEFAULT_IDLE_TIMEOUT_SECONDS,\n ...config,\n };\n this.docker = docker;\n }\n\n // ---------------------------------------------------------------------------\n // Public API\n // ---------------------------------------------------------------------------\n\n /**\n * Pre-warm the pool up to `maxSize` containers.\n * Resolves once all warm containers are started.\n */\n async warmUp(): Promise<void> {\n const needed = this.config.maxSize - this.entries.size;\n if (needed <= 0) return;\n\n await Promise.all(\n Array.from({ length: needed }).map(async () => {\n await this._addEntry();\n }),\n );\n\n this._startSweep();\n }\n\n /**\n * Acquire an idle sandbox from the pool.\n *\n * If an idle entry is available, it is marked in-use and returned immediately.\n * If the pool is not yet at capacity, a new container is started and returned.\n * If the pool is at capacity and all containers are in use, the LRU idle\n * container is evicted and a fresh one is started.\n *\n * @throws If the pool is draining.\n */\n async acquire(): Promise<SandboxProvider> {\n if (this.draining) {\n throw new Error('ContainerPool: pool is draining — cannot acquire new sandboxes.');\n }\n\n // 1. Find an idle entry (LRU = smallest lastUsedAt)\n const idle = this._lruIdle();\n if (idle) {\n idle.inUse = true;\n idle.lastUsedAt = Date.now();\n return idle.sandbox;\n }\n\n // 2. Pool has spare capacity — start a fresh container\n if (this.entries.size < this.config.maxSize) {\n const entry = await this._addEntry();\n entry.inUse = true;\n entry.lastUsedAt = Date.now();\n return entry.sandbox;\n }\n\n // 3. Pool at capacity, all in use — evict LRU entry and replace\n const lruKey = this._lruAnyKey();\n if (lruKey) {\n const evicted = this.entries.get(lruKey)!;\n this.entries.delete(lruKey);\n void evicted.sandbox.destroy().catch(() => {/* best-effort */});\n }\n\n const entry = await this._addEntry();\n entry.inUse = true;\n entry.lastUsedAt = Date.now();\n return entry.sandbox;\n }\n\n /**\n * Release a previously acquired sandbox back to the pool.\n * The sandbox is reset to an idle state for future reuse.\n */\n async release(sandbox: SandboxProvider): Promise<void> {\n for (const entry of this.entries.values()) {\n if (entry.sandbox === sandbox) {\n entry.inUse = false;\n entry.lastUsedAt = Date.now();\n return;\n }\n }\n // Sandbox not found in pool — destroy it to avoid leaks\n await sandbox.destroy();\n }\n\n /**\n * Drain the pool: stop acquiring and destroy all containers.\n * After draining, the pool stays in a drained state and rejects new acquires.\n */\n async drain(): Promise<void> {\n if (this.draining && this.entries.size === 0) return;\n this.draining = true;\n this._stopSweep();\n\n await Promise.all(\n Array.from(this.entries.values()).map((entry) =>\n entry.sandbox.destroy().catch(() => {/* best-effort */}),\n ),\n );\n this.entries.clear();\n }\n\n /**\n * Returns the current number of entries (in-use + idle).\n */\n get size(): number {\n return this.entries.size;\n }\n\n /**\n * Returns the number of idle (available) entries.\n */\n get idleCount(): number {\n let count = 0;\n for (const entry of this.entries.values()) {\n if (!entry.inUse) count++;\n }\n return count;\n }\n\n // ---------------------------------------------------------------------------\n // Private helpers\n // ---------------------------------------------------------------------------\n\n private async _addEntry(): Promise<PoolEntry> {\n const sandboxConfig: DockerSandboxConfig = {\n image: this.config.image,\n scope: this.config.scope,\n workspaceAccess: 'none',\n };\n\n const sandbox = new DockerSandbox(sandboxConfig, this.docker);\n await sandbox.start();\n\n const id = randomUUID();\n const entry: PoolEntry = {\n sandbox,\n createdAt: Date.now(),\n lastUsedAt: Date.now(),\n inUse: false,\n };\n\n this.entries.set(id, entry);\n return entry;\n }\n\n /** Return the idle entry with the smallest lastUsedAt (LRU idle). */\n private _lruIdle(): PoolEntry | null {\n let best: PoolEntry | null = null;\n for (const entry of this.entries.values()) {\n if (!entry.inUse) {\n if (!best || entry.lastUsedAt < best.lastUsedAt) {\n best = entry;\n }\n }\n }\n return best;\n }\n\n /** Return the key of the entry with the smallest lastUsedAt (LRU any). */\n private _lruAnyKey(): string | null {\n let bestKey: string | null = null;\n let bestTime = Infinity;\n for (const [key, entry] of this.entries) {\n if (entry.lastUsedAt < bestTime) {\n bestTime = entry.lastUsedAt;\n bestKey = key;\n }\n }\n return bestKey;\n }\n\n /** Start periodic idle-eviction sweep. */\n private _startSweep(): void {\n if (this.sweepTimer) return;\n this.sweepTimer = setInterval(() => void this._sweep(), SWEEP_INTERVAL_MS);\n if (this.sweepTimer.unref) this.sweepTimer.unref();\n }\n\n private _stopSweep(): void {\n if (this.sweepTimer) {\n clearInterval(this.sweepTimer);\n this.sweepTimer = null;\n }\n }\n\n /** Remove and destroy containers that have been idle past the timeout. */\n private async _sweep(): Promise<void> {\n if (this.draining) return;\n\n const nowMs = Date.now();\n const idleTimeoutMs = this.config.idleTimeoutSeconds * 1000;\n\n const evictions: [string, PoolEntry][] = [];\n\n for (const [key, entry] of this.entries) {\n if (!entry.inUse && nowMs - entry.lastUsedAt > idleTimeoutMs) {\n evictions.push([key, entry]);\n }\n }\n\n for (const [key, entry] of evictions) {\n this.entries.delete(key);\n await entry.sandbox.destroy().catch(() => {/* best-effort */});\n }\n }\n}\n","/**\n * @module sandbox-manager\n *\n * SandboxManager — factory + registry for sandbox instances.\n *\n * Responsibilities:\n * - Create the correct sandbox type (Docker | E2B) from a unified config.\n * - Apply the `agentforge-{scope}-{id}` naming convention.\n * - Track active sandboxes and clean them up on process exit.\n * - Verify Docker availability on startup; print a friendly message if absent.\n */\n\nimport Dockerode from 'dockerode';\nimport { randomUUID } from 'node:crypto';\nimport { DockerSandbox } from './docker-sandbox.js';\nimport type {\n DockerSandboxConfig,\n ExecOptions,\n ExecResult,\n SandboxManagerConfig,\n SandboxProvider,\n} from './types.js';\n\n/**\n * A thin E2B stub that satisfies {@link SandboxProvider} but throws at runtime.\n * The real E2B implementation lives in @agentforge-ai/core.\n * This stub lets the manager compile and be tested without the E2B dependency.\n */\nclass E2BProviderStub implements SandboxProvider {\n async start(): Promise<void> {\n throw new Error(\n 'SandboxManager: E2B provider is not bundled in @agentforge-ai/sandbox. ' +\n 'Use the SandboxManager from @agentforge-ai/core instead.',\n );\n }\n async stop(): Promise<void> { /* noop until started */ }\n async destroy(): Promise<void> { /* noop */ }\n async exec(_cmd: string, _opts?: ExecOptions): Promise<ExecResult> {\n throw new Error('E2BProviderStub: not implemented');\n }\n async readFile(_path: string): Promise<string> {\n throw new Error('E2BProviderStub: not implemented');\n }\n async writeFile(_path: string, _content: string): Promise<void> {\n throw new Error('E2BProviderStub: not implemented');\n }\n async isRunning(): Promise<boolean> { return false; }\n getContainerId(): string | null { return null; }\n}\n\n/**\n * Checks whether the Docker daemon is reachable.\n *\n * @param docker - Dockerode instance to ping.\n * @returns `true` if Docker is available, `false` otherwise.\n */\nexport async function isDockerAvailable(docker: Dockerode): Promise<boolean> {\n try {\n await docker.ping();\n return true;\n } catch {\n return false;\n }\n}\n\n/**\n * Central factory and lifecycle manager for sandbox instances.\n *\n * @example\n * ```ts\n * const manager = new SandboxManager({ provider: 'docker' });\n * await manager.initialize();\n *\n * const sb = await manager.create({ scope: 'agent', workspaceAccess: 'none' });\n * const result = await sb.exec('echo hello');\n * await manager.destroy(sb);\n *\n * await manager.shutdown();\n * ```\n */\nexport class SandboxManager {\n private readonly config: SandboxManagerConfig;\n private readonly docker: Dockerode;\n private readonly active = new Map<string, SandboxProvider>();\n private shutdownRegistered = false;\n\n constructor(config: SandboxManagerConfig = {}) {\n this.config = { provider: 'docker', ...config };\n\n const dockerHostCfg = config.dockerHost;\n if (dockerHostCfg?.host) {\n this.docker = new Dockerode({\n host: dockerHostCfg.host,\n port: dockerHostCfg.port ?? 2376,\n protocol: dockerHostCfg.protocol ?? 'http',\n });\n } else {\n this.docker = new Dockerode({\n socketPath: dockerHostCfg?.socketPath ?? '/var/run/docker.sock',\n });\n }\n }\n\n // ---------------------------------------------------------------------------\n // Public API\n // ---------------------------------------------------------------------------\n\n /**\n * Initialize the manager. For the Docker provider this verifies that the\n * Docker daemon is reachable. Call this once at application startup.\n *\n * @throws Error if the Docker daemon cannot be reached (Docker provider only).\n */\n async initialize(): Promise<void> {\n if (this.config.provider === 'docker') {\n const available = await isDockerAvailable(this.docker);\n if (!available) {\n console.warn(\n '[SandboxManager] Docker daemon is not reachable. ' +\n 'Agent tool execution will fail until Docker is started. ' +\n 'Install Docker: https://docs.docker.com/get-docker/',\n );\n }\n }\n\n this._registerShutdownHandlers();\n }\n\n /**\n * Create and start a new sandbox.\n *\n * The sandbox is registered internally; call {@link SandboxManager.destroy}\n * or {@link SandboxManager.shutdown} to release it.\n *\n * @param overrides - Per-sandbox config overrides merged with manager defaults.\n */\n async create(\n overrides: Pick<DockerSandboxConfig, 'scope' | 'workspaceAccess'> &\n Partial<DockerSandboxConfig>,\n ): Promise<SandboxProvider> {\n if (this.config.provider === 'e2b') {\n const stub = new E2BProviderStub();\n const id = this._generateId(overrides.scope);\n this.active.set(id, stub);\n return stub;\n }\n\n const mergedConfig: DockerSandboxConfig = {\n image: 'node:22-slim',\n ...this.config.dockerConfig,\n ...overrides,\n };\n\n const sandbox = new DockerSandbox(mergedConfig, this.docker);\n await sandbox.start();\n\n const id = this._generateId(overrides.scope);\n this.active.set(id, sandbox);\n return sandbox;\n }\n\n /**\n * Destroy a specific sandbox and remove it from the active registry.\n */\n async destroy(sandbox: SandboxProvider): Promise<void> {\n await sandbox.destroy();\n for (const [key, value] of this.active) {\n if (value === sandbox) {\n this.active.delete(key);\n break;\n }\n }\n }\n\n /**\n * Destroy all active sandboxes and shut the manager down.\n * Called automatically on SIGTERM / SIGINT when registered.\n */\n async shutdown(): Promise<void> {\n const destroyAll = Array.from(this.active.values()).map((sb) =>\n sb.destroy().catch((err: unknown) => {\n console.error('[SandboxManager] Error destroying sandbox during shutdown:', err);\n }),\n );\n await Promise.all(destroyAll);\n this.active.clear();\n }\n\n /**\n * Returns the number of currently active sandboxes.\n */\n get activeCount(): number {\n return this.active.size;\n }\n\n // ---------------------------------------------------------------------------\n // Private helpers\n // ---------------------------------------------------------------------------\n\n private _generateId(scope: string): string {\n return `agentforge-${scope}-${randomUUID().slice(0, 8)}`;\n }\n\n private _registerShutdownHandlers(): void {\n if (this.shutdownRegistered) return;\n this.shutdownRegistered = true;\n\n const handler = () => {\n void this.shutdown().finally(() => process.exit(0));\n };\n\n process.once('SIGTERM', handler);\n process.once('SIGINT', handler);\n process.once('beforeExit', () => void this.shutdown());\n }\n}\n"],"mappings":";AAwBA,OAAO,eAAe;AACtB,SAAS,kBAAkB;;;ACRpB,IAAM,wBAA2C;AAAA,EACtD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAMO,IAAM,mBAAsC,CAAC,KAAK;AAOzD,IAAM,8BAAiD;AAAA,EACrD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAYO,SAAS,aAAa,MAAoB;AAC/C,QAAM,WAAW,KAAK,MAAM,GAAG,EAAE,CAAC;AAClC,MAAI,CAAC,UAAU;AACb,UAAM,IAAI,cAAc,6BAA6B,IAAI,GAAG;AAAA,EAC9D;AAEA,aAAW,WAAW,uBAAuB;AAC3C,QAAI,aAAa,WAAW,SAAS,WAAW,UAAU,GAAG,KAAK,SAAS,WAAW,OAAO,GAAG;AAC9F,YAAM,IAAI;AAAA,QACR,eAAe,IAAI,4BAA4B,QAAQ,6BAA6B,OAAO;AAAA,MAC7F;AAAA,IACF;AAAA,EACF;AACF;AAMO,SAAS,cAAc,OAAuB;AACnD,aAAW,QAAQ,OAAO;AACxB,iBAAa,IAAI;AAAA,EACnB;AACF;AAcO,SAAS,kBAAkB,OAAqB;AACrD,MAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,UAAM,IAAI,cAAc,wCAAwC;AAAA,EAClE;AAGA,MAAI,mBAAmB,KAAK,KAAK,GAAG;AAClC,UAAM,IAAI,cAAc,eAAe,KAAK,kCAAkC;AAAA,EAChF;AAEA,MAAI,QAAQ,IAAI,UAAU,MAAM,cAAc;AAE5C;AAAA,EACF;AAGA,QAAM,iBAAiB,QAAQ,IAAI,2BAA2B,KAAK,IAChE,MAAM,GAAG,EACT,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EACnB,OAAO,OAAO;AAEjB,QAAM,kBAAkB,CAAC,GAAG,6BAA6B,GAAG,aAAa;AAEzE,QAAM,UAAU,gBAAgB,KAAK,CAAC,WAAW,MAAM,WAAW,MAAM,CAAC;AACzE,MAAI,CAAC,SAAS;AACZ,UAAM,IAAI;AAAA,MACR,UAAU,KAAK,iDACQ,gBAAgB,KAAK,IAAI,CAAC;AAAA,IAEnD;AAAA,EACF;AACF;AASO,SAAS,gBAAgB,SAAuB;AACrD,MAAI,CAAC,WAAW,OAAO,YAAY,UAAU;AAC3C,UAAM,IAAI,cAAc,qCAAqC;AAAA,EAC/D;AAGA,QAAM,oBAAoB;AAAA,IACxB;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,aAAW,WAAW,mBAAmB;AACvC,QAAI,QAAQ,KAAK,OAAO,GAAG;AACzB,YAAM,IAAI;AAAA,QACR,qDAAqD,QAAQ,MAAM;AAAA,MACrE;AAAA,IACF;AAAA,EACF;AACF;AASO,IAAM,gBAAN,cAA4B,MAAM;AAAA,EACvC,YAAY,SAAiB;AAC3B,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;;;ADzIA,IAAM,gBAAgB;AAGtB,IAAM,0BAA0B;AAGhC,IAAM,8BAA8B;AAapC,SAAS,kBAAkB,QAAoD;AAC7E,MAAI,SAAS;AACb,MAAI,SAAS;AACb,MAAI,SAAS;AAEb,SAAO,SAAS,KAAK,OAAO,QAAQ;AAClC,UAAM,aAAa,OAAO,MAAM;AAChC,UAAM,YAAY,OAAO,aAAa,SAAS,CAAC;AAChD,cAAU;AAEV,QAAI,SAAS,YAAY,OAAO,OAAQ;AAExC,UAAM,QAAQ,OAAO,MAAM,QAAQ,SAAS,SAAS,EAAE,SAAS,MAAM;AACtE,cAAU;AAEV,QAAI,eAAe,GAAG;AACpB,gBAAU;AAAA,IACZ,WAAW,eAAe,GAAG;AAC3B,gBAAU;AAAA,IACZ;AAAA,EACF;AAEA,SAAO,EAAE,QAAQ,OAAO;AAC1B;AAYO,IAAM,gBAAN,MAA+C;AAAA,EACnC;AAAA,EAKA;AAAA,EACT,YAAwC;AAAA,EACxC,cAA6B;AAAA,EAC7B,YAAkD;AAAA;AAAA;AAAA;AAAA;AAAA,EAM1D,YAAY,QAA6B,QAAoB;AAE3D,UAAM,QAAQ,OAAO,SAAS;AAC9B,sBAAkB,KAAK;AAEvB,QAAI,OAAO,SAAS,OAAO,MAAM,SAAS,GAAG;AAC3C,oBAAc,OAAO,KAAK;AAAA,IAC5B;AAEA,SAAK,SAAS;AAAA,MACZ,GAAG;AAAA,MACH;AAAA,MACA,wBAAwB,OAAO,0BAA0B;AAAA,IAC3D;AAEA,SAAK,SACH,UACA,IAAI;AAAA,MACF,QAAQ,IAAI,aAAa,IACrB,EAAE,MAAM,QAAQ,IAAI,aAAa,EAAE,IACnC,EAAE,YAAY,uBAAuB;AAAA,IAC3C;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,QAAuB;AAC3B,QAAI,KAAK,UAAW;AAEpB,UAAM,EAAE,OAAO,OAAO,gBAAgB,OAAO,KAAK,SAAS,iBAAiB,eAAe,uBAAuB,IAAI,KAAK;AAE3H,UAAM,OAAO,cAAc,KAAK,IAAI,WAAW,EAAE,MAAM,GAAG,CAAC,CAAC;AAE5D,UAAM,WAAW,OAAO,QAAQ,OAAO,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,EAAE;AAGtE,UAAM,WAAqB,CAAC,GAAI,SAAS,CAAC,CAAE;AAG5C,QAAI,oBAAoB,UAAU,eAAe;AAC/C,YAAM,OAAO,oBAAoB,OAAO,OAAO;AAC/C,eAAS,KAAK,GAAG,aAAa,IAAI,sBAAsB,IAAI,IAAI,EAAE;AAAA,IACpE;AAEA,UAAM,aAAmC;AAAA;AAAA,MAEvC,WAAW,gBAAgB;AAAA,MAC3B,QAAQ,gBAAgB,WAAW,eAAe,WAAW,OAAO,OAAO;AAAA,MAC3E,WAAW,gBAAgB,aAAa;AAAA;AAAA,MAGxC,SAAS,CAAC,GAAG,gBAAgB;AAAA,MAC7B,aAAa,CAAC,wBAAwB;AAAA,MACtC,gBAAgB;AAAA;AAAA,MAGhB,OAAO,SAAS,SAAS,IAAI,WAAW;AAAA,IAC1C;AAEA,SAAK,YAAY,MAAM,KAAK,OAAO,gBAAgB;AAAA,MACjD;AAAA,MACA,OAAO;AAAA;AAAA,MAEP,KAAK,CAAC,WAAW,MAAM,iCAAiC;AAAA,MACxD,KAAK;AAAA,MACL,aAAa;AAAA,MACb,cAAc;AAAA,MACd,cAAc;AAAA,MACd,KAAK;AAAA,MACL,iBAAiB,gBAAgB,mBAAmB;AAAA,MACpD,YAAY;AAAA,MACZ,QAAQ;AAAA,QACN,oBAAoB;AAAA,QACpB,sBAAsB;AAAA,MACxB;AAAA,MACA,YAAY;AAAA,IACd,CAAC;AAED,UAAM,KAAK,UAAU,MAAM;AAC3B,SAAK,cAAc,KAAK,UAAU;AAGlC,QAAI,WAAW,UAAU,GAAG;AAC1B,WAAK,YAAY,WAAW,MAAM;AAChC,aAAK,KAAK,QAAQ;AAAA,MACpB,GAAG,UAAU,GAAI;AAAA,IACnB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,OAAsB;AAC1B,SAAK,gBAAgB;AACrB,QAAI,CAAC,KAAK,UAAW;AAErB,QAAI;AACF,YAAM,OAAO,MAAM,KAAK,UAAU,QAAQ;AAC1C,UAAI,KAAK,MAAM,SAAS;AACtB,cAAM,KAAK,UAAU,KAAK,EAAE,GAAG,GAAG,CAAC;AAAA,MACrC;AAAA,IACF,QAAQ;AAAA,IAER;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,UAAyB;AAC7B,SAAK,gBAAgB;AACrB,UAAM,YAAY,KAAK;AACvB,SAAK,YAAY;AACjB,SAAK,cAAc;AAEnB,QAAI,CAAC,UAAW;AAEhB,QAAI;AACF,YAAM,UAAU,OAAO,EAAE,OAAO,KAAK,CAAC;AAAA,IACxC,QAAQ;AAAA,IAER;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,KAAK,SAAiB,UAAuB,CAAC,GAAwB;AAC1E,QAAI,CAAC,KAAK,WAAW;AACnB,YAAM,IAAI,MAAM,8DAA8D;AAAA,IAChF;AAGA,oBAAgB,OAAO;AAEvB,UAAM,YAAY,QAAQ,WAAW;AACrC,UAAM,cAAc,OAAO,QAAQ,QAAQ,OAAO,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,EAAE;AAEjF,UAAM,eAAe,MAAM,KAAK,UAAU,KAAK;AAAA,MAC7C,KAAK,CAAC,WAAW,MAAM,OAAO;AAAA,MAC9B,cAAc;AAAA,MACd,cAAc;AAAA,MACd,KAAK;AAAA,MACL,YAAY,QAAQ;AAAA,MACpB,KAAK,YAAY,SAAS,IAAI,cAAc;AAAA,IAC9C,CAAC;AAED,WAAO,IAAI,QAAoB,CAAC,SAAS,WAAW;AAClD,YAAM,QAAQ,WAAW,MAAM;AAC7B,eAAO,IAAI,MAAM,uCAAuC,SAAS,IAAI,CAAC;AAAA,MACxE,GAAG,SAAS;AAEZ,mBAAa,MAAM,EAAE,QAAQ,MAAM,OAAO,MAAM,GAAG,CAAC,KAAK,WAAW;AAClE,YAAI,KAAK;AACP,uBAAa,KAAK;AAClB,iBAAO,GAAG;AACV;AAAA,QACF;AAEA,YAAI,CAAC,QAAQ;AACX,uBAAa,KAAK;AAClB,iBAAO,IAAI,MAAM,6CAA6C,CAAC;AAC/D;AAAA,QACF;AAEA,cAAM,SAAmB,CAAC;AAE1B,eAAO,GAAG,QAAQ,CAAC,UAAkB,OAAO,KAAK,KAAK,CAAC;AAEvD,eAAO,GAAG,OAAO,YAAY;AAC3B,uBAAa,KAAK;AAClB,cAAI;AACF,kBAAM,MAAM,OAAO,OAAO,MAAM;AAChC,kBAAM,EAAE,QAAQ,OAAO,IAAI,kBAAkB,GAAG;AAGhD,kBAAM,gBAAgB,MAAM,aAAa,QAAQ;AACjD,kBAAM,WAAW,cAAc,YAAY;AAE3C,oBAAQ,EAAE,QAAQ,QAAQ,SAAS,CAAC;AAAA,UACtC,SAAS,YAAY;AACnB,mBAAO,UAAU;AAAA,UACnB;AAAA,QACF,CAAC;AAED,eAAO,GAAG,SAAS,CAAC,cAAqB;AACvC,uBAAa,KAAK;AAClB,iBAAO,SAAS;AAAA,QAClB,CAAC;AAAA,MACH,CAAC;AAAA,IACH,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,SAAS,MAA+B;AAC5C,UAAM,SAAS,MAAM,KAAK,KAAK,QAAQ,KAAK,QAAQ,MAAM,KAAK,CAAC,GAAG;AACnE,QAAI,OAAO,aAAa,GAAG;AACzB,YAAM,IAAI;AAAA,QACR,2CAA2C,IAAI,WAAW,OAAO,QAAQ,MAAM,OAAO,MAAM;AAAA,MAC9F;AAAA,IACF;AACA,WAAO,OAAO;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,UAAU,MAAc,SAAgC;AAC5D,UAAM,MAAM,OAAO,KAAK,SAAS,MAAM,EAAE,SAAS,QAAQ;AAC1D,UAAM,MAAM,gBAAgB,GAAG,oBAAoB,KAAK,QAAQ,MAAM,KAAK,CAAC;AAC5E,UAAM,SAAS,MAAM,KAAK,KAAK,GAAG;AAClC,QAAI,OAAO,aAAa,GAAG;AACzB,YAAM,IAAI;AAAA,QACR,6CAA6C,IAAI,WAAW,OAAO,QAAQ,MAAM,OAAO,MAAM;AAAA,MAChG;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,YAA8B;AAClC,QAAI,CAAC,KAAK,UAAW,QAAO;AAC5B,QAAI;AACF,YAAM,OAAO,MAAM,KAAK,UAAU,QAAQ;AAC1C,aAAO,KAAK,MAAM,YAAY;AAAA,IAChC,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,iBAAgC;AAC9B,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAMQ,kBAAwB;AAC9B,QAAI,KAAK,cAAc,MAAM;AAC3B,mBAAa,KAAK,SAAS;AAC3B,WAAK,YAAY;AAAA,IACnB;AAAA,EACF;AACF;;;AElWA,SAAS,cAAAA,mBAAkB;AAE3B,IAAM,mBAAmB;AACzB,IAAM,+BAA+B;AACrC,IAAM,oBAAoB;AAiBnB,IAAM,gBAAN,MAAoB;AAAA,EACR;AAAA,EACA;AAAA,EACA,UAAkC,oBAAI,IAAI;AAAA,EACnD,aAAoD;AAAA,EACpD,WAAW;AAAA,EAEnB,YAAY,QAAoB,QAAoB;AAClD,SAAK,SAAS;AAAA,MACZ,SAAS;AAAA,MACT,oBAAoB;AAAA,MACpB,GAAG;AAAA,IACL;AACA,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,SAAwB;AAC5B,UAAM,SAAS,KAAK,OAAO,UAAU,KAAK,QAAQ;AAClD,QAAI,UAAU,EAAG;AAEjB,UAAM,QAAQ;AAAA,MACZ,MAAM,KAAK,EAAE,QAAQ,OAAO,CAAC,EAAE,IAAI,YAAY;AAC7C,cAAM,KAAK,UAAU;AAAA,MACvB,CAAC;AAAA,IACH;AAEA,SAAK,YAAY;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,UAAoC;AACxC,QAAI,KAAK,UAAU;AACjB,YAAM,IAAI,MAAM,sEAAiE;AAAA,IACnF;AAGA,UAAM,OAAO,KAAK,SAAS;AAC3B,QAAI,MAAM;AACR,WAAK,QAAQ;AACb,WAAK,aAAa,KAAK,IAAI;AAC3B,aAAO,KAAK;AAAA,IACd;AAGA,QAAI,KAAK,QAAQ,OAAO,KAAK,OAAO,SAAS;AAC3C,YAAMC,SAAQ,MAAM,KAAK,UAAU;AACnC,MAAAA,OAAM,QAAQ;AACd,MAAAA,OAAM,aAAa,KAAK,IAAI;AAC5B,aAAOA,OAAM;AAAA,IACf;AAGA,UAAM,SAAS,KAAK,WAAW;AAC/B,QAAI,QAAQ;AACV,YAAM,UAAU,KAAK,QAAQ,IAAI,MAAM;AACvC,WAAK,QAAQ,OAAO,MAAM;AAC1B,WAAK,QAAQ,QAAQ,QAAQ,EAAE,MAAM,MAAM;AAAA,MAAkB,CAAC;AAAA,IAChE;AAEA,UAAM,QAAQ,MAAM,KAAK,UAAU;AACnC,UAAM,QAAQ;AACd,UAAM,aAAa,KAAK,IAAI;AAC5B,WAAO,MAAM;AAAA,EACf;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,QAAQ,SAAyC;AACrD,eAAW,SAAS,KAAK,QAAQ,OAAO,GAAG;AACzC,UAAI,MAAM,YAAY,SAAS;AAC7B,cAAM,QAAQ;AACd,cAAM,aAAa,KAAK,IAAI;AAC5B;AAAA,MACF;AAAA,IACF;AAEA,UAAM,QAAQ,QAAQ;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,QAAuB;AAC3B,QAAI,KAAK,YAAY,KAAK,QAAQ,SAAS,EAAG;AAC9C,SAAK,WAAW;AAChB,SAAK,WAAW;AAEhB,UAAM,QAAQ;AAAA,MACZ,MAAM,KAAK,KAAK,QAAQ,OAAO,CAAC,EAAE;AAAA,QAAI,CAAC,UACrC,MAAM,QAAQ,QAAQ,EAAE,MAAM,MAAM;AAAA,QAAkB,CAAC;AAAA,MACzD;AAAA,IACF;AACA,SAAK,QAAQ,MAAM;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,OAAe;AACjB,WAAO,KAAK,QAAQ;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,YAAoB;AACtB,QAAI,QAAQ;AACZ,eAAW,SAAS,KAAK,QAAQ,OAAO,GAAG;AACzC,UAAI,CAAC,MAAM,MAAO;AAAA,IACpB;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,YAAgC;AAC5C,UAAM,gBAAqC;AAAA,MACzC,OAAO,KAAK,OAAO;AAAA,MACnB,OAAO,KAAK,OAAO;AAAA,MACnB,iBAAiB;AAAA,IACnB;AAEA,UAAM,UAAU,IAAI,cAAc,eAAe,KAAK,MAAM;AAC5D,UAAM,QAAQ,MAAM;AAEpB,UAAM,KAAKD,YAAW;AACtB,UAAM,QAAmB;AAAA,MACvB;AAAA,MACA,WAAW,KAAK,IAAI;AAAA,MACpB,YAAY,KAAK,IAAI;AAAA,MACrB,OAAO;AAAA,IACT;AAEA,SAAK,QAAQ,IAAI,IAAI,KAAK;AAC1B,WAAO;AAAA,EACT;AAAA;AAAA,EAGQ,WAA6B;AACnC,QAAI,OAAyB;AAC7B,eAAW,SAAS,KAAK,QAAQ,OAAO,GAAG;AACzC,UAAI,CAAC,MAAM,OAAO;AAChB,YAAI,CAAC,QAAQ,MAAM,aAAa,KAAK,YAAY;AAC/C,iBAAO;AAAA,QACT;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA;AAAA,EAGQ,aAA4B;AAClC,QAAI,UAAyB;AAC7B,QAAI,WAAW;AACf,eAAW,CAAC,KAAK,KAAK,KAAK,KAAK,SAAS;AACvC,UAAI,MAAM,aAAa,UAAU;AAC/B,mBAAW,MAAM;AACjB,kBAAU;AAAA,MACZ;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA;AAAA,EAGQ,cAAoB;AAC1B,QAAI,KAAK,WAAY;AACrB,SAAK,aAAa,YAAY,MAAM,KAAK,KAAK,OAAO,GAAG,iBAAiB;AACzE,QAAI,KAAK,WAAW,MAAO,MAAK,WAAW,MAAM;AAAA,EACnD;AAAA,EAEQ,aAAmB;AACzB,QAAI,KAAK,YAAY;AACnB,oBAAc,KAAK,UAAU;AAC7B,WAAK,aAAa;AAAA,IACpB;AAAA,EACF;AAAA;AAAA,EAGA,MAAc,SAAwB;AACpC,QAAI,KAAK,SAAU;AAEnB,UAAM,QAAQ,KAAK,IAAI;AACvB,UAAM,gBAAgB,KAAK,OAAO,qBAAqB;AAEvD,UAAM,YAAmC,CAAC;AAE1C,eAAW,CAAC,KAAK,KAAK,KAAK,KAAK,SAAS;AACvC,UAAI,CAAC,MAAM,SAAS,QAAQ,MAAM,aAAa,eAAe;AAC5D,kBAAU,KAAK,CAAC,KAAK,KAAK,CAAC;AAAA,MAC7B;AAAA,IACF;AAEA,eAAW,CAAC,KAAK,KAAK,KAAK,WAAW;AACpC,WAAK,QAAQ,OAAO,GAAG;AACvB,YAAM,MAAM,QAAQ,QAAQ,EAAE,MAAM,MAAM;AAAA,MAAkB,CAAC;AAAA,IAC/D;AAAA,EACF;AACF;;;ACxPA,OAAOE,gBAAe;AACtB,SAAS,cAAAC,mBAAkB;AAe3B,IAAM,kBAAN,MAAiD;AAAA,EAC/C,MAAM,QAAuB;AAC3B,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAAA,EACA,MAAM,OAAsB;AAAA,EAA2B;AAAA,EACvD,MAAM,UAAyB;AAAA,EAAa;AAAA,EAC5C,MAAM,KAAK,MAAc,OAA0C;AACjE,UAAM,IAAI,MAAM,kCAAkC;AAAA,EACpD;AAAA,EACA,MAAM,SAAS,OAAgC;AAC7C,UAAM,IAAI,MAAM,kCAAkC;AAAA,EACpD;AAAA,EACA,MAAM,UAAU,OAAe,UAAiC;AAC9D,UAAM,IAAI,MAAM,kCAAkC;AAAA,EACpD;AAAA,EACA,MAAM,YAA8B;AAAE,WAAO;AAAA,EAAO;AAAA,EACpD,iBAAgC;AAAE,WAAO;AAAA,EAAM;AACjD;AAQA,eAAsB,kBAAkB,QAAqC;AAC3E,MAAI;AACF,UAAM,OAAO,KAAK;AAClB,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAiBO,IAAM,iBAAN,MAAqB;AAAA,EACT;AAAA,EACA;AAAA,EACA,SAAS,oBAAI,IAA6B;AAAA,EACnD,qBAAqB;AAAA,EAE7B,YAAY,SAA+B,CAAC,GAAG;AAC7C,SAAK,SAAS,EAAE,UAAU,UAAU,GAAG,OAAO;AAE9C,UAAM,gBAAgB,OAAO;AAC7B,QAAI,eAAe,MAAM;AACvB,WAAK,SAAS,IAAIC,WAAU;AAAA,QAC1B,MAAM,cAAc;AAAA,QACpB,MAAM,cAAc,QAAQ;AAAA,QAC5B,UAAU,cAAc,YAAY;AAAA,MACtC,CAAC;AAAA,IACH,OAAO;AACL,WAAK,SAAS,IAAIA,WAAU;AAAA,QAC1B,YAAY,eAAe,cAAc;AAAA,MAC3C,CAAC;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,aAA4B;AAChC,QAAI,KAAK,OAAO,aAAa,UAAU;AACrC,YAAM,YAAY,MAAM,kBAAkB,KAAK,MAAM;AACrD,UAAI,CAAC,WAAW;AACd,gBAAQ;AAAA,UACN;AAAA,QAGF;AAAA,MACF;AAAA,IACF;AAEA,SAAK,0BAA0B;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,OACJ,WAE0B;AAC1B,QAAI,KAAK,OAAO,aAAa,OAAO;AAClC,YAAM,OAAO,IAAI,gBAAgB;AACjC,YAAMC,MAAK,KAAK,YAAY,UAAU,KAAK;AAC3C,WAAK,OAAO,IAAIA,KAAI,IAAI;AACxB,aAAO;AAAA,IACT;AAEA,UAAM,eAAoC;AAAA,MACxC,OAAO;AAAA,MACP,GAAG,KAAK,OAAO;AAAA,MACf,GAAG;AAAA,IACL;AAEA,UAAM,UAAU,IAAI,cAAc,cAAc,KAAK,MAAM;AAC3D,UAAM,QAAQ,MAAM;AAEpB,UAAM,KAAK,KAAK,YAAY,UAAU,KAAK;AAC3C,SAAK,OAAO,IAAI,IAAI,OAAO;AAC3B,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAAQ,SAAyC;AACrD,UAAM,QAAQ,QAAQ;AACtB,eAAW,CAAC,KAAK,KAAK,KAAK,KAAK,QAAQ;AACtC,UAAI,UAAU,SAAS;AACrB,aAAK,OAAO,OAAO,GAAG;AACtB;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,WAA0B;AAC9B,UAAM,aAAa,MAAM,KAAK,KAAK,OAAO,OAAO,CAAC,EAAE;AAAA,MAAI,CAAC,OACvD,GAAG,QAAQ,EAAE,MAAM,CAAC,QAAiB;AACnC,gBAAQ,MAAM,8DAA8D,GAAG;AAAA,MACjF,CAAC;AAAA,IACH;AACA,UAAM,QAAQ,IAAI,UAAU;AAC5B,SAAK,OAAO,MAAM;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,cAAsB;AACxB,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA,EAMQ,YAAY,OAAuB;AACzC,WAAO,cAAc,KAAK,IAAIC,YAAW,EAAE,MAAM,GAAG,CAAC,CAAC;AAAA,EACxD;AAAA,EAEQ,4BAAkC;AACxC,QAAI,KAAK,mBAAoB;AAC7B,SAAK,qBAAqB;AAE1B,UAAM,UAAU,MAAM;AACpB,WAAK,KAAK,SAAS,EAAE,QAAQ,MAAM,QAAQ,KAAK,CAAC,CAAC;AAAA,IACpD;AAEA,YAAQ,KAAK,WAAW,OAAO;AAC/B,YAAQ,KAAK,UAAU,OAAO;AAC9B,YAAQ,KAAK,cAAc,MAAM,KAAK,KAAK,SAAS,CAAC;AAAA,EACvD;AACF;","names":["randomUUID","entry","Dockerode","randomUUID","Dockerode","id","randomUUID"]}
package/dist/sandbox-manager.d.ts ADDED
@@ -0,0 +1,77 @@
1
+ import Dockerode from 'dockerode';
2
+ import { SandboxManagerConfig, DockerSandboxConfig, SandboxProvider } from './types.js';
3
+
4
+ /**
5
+ * @module sandbox-manager
6
+ *
7
+ * SandboxManager — factory + registry for sandbox instances.
8
+ *
9
+ * Responsibilities:
10
+ * - Create the correct sandbox type (Docker | E2B) from a unified config.
11
+ * - Apply the `agentforge-{scope}-{id}` naming convention.
12
+ * - Track active sandboxes and clean them up on process exit.
13
+ * - Verify Docker availability on startup; print a friendly message if absent.
14
+ */
15
+
16
+ /**
17
+ * Checks whether the Docker daemon is reachable.
18
+ *
19
+ * @param docker - Dockerode instance to ping.
20
+ * @returns `true` if Docker is available, `false` otherwise.
21
+ */
22
+ declare function isDockerAvailable(docker: Dockerode): Promise<boolean>;
23
+ /**
24
+ * Central factory and lifecycle manager for sandbox instances.
25
+ *
26
+ * @example
27
+ * ```ts
28
+ * const manager = new SandboxManager({ provider: 'docker' });
29
+ * await manager.initialize();
30
+ *
31
+ * const sb = await manager.create({ scope: 'agent', workspaceAccess: 'none' });
32
+ * const result = await sb.exec('echo hello');
33
+ * await manager.destroy(sb);
34
+ *
35
+ * await manager.shutdown();
36
+ * ```
37
+ */
38
+ declare class SandboxManager {
39
+ private readonly config;
40
+ private readonly docker;
41
+ private readonly active;
42
+ private shutdownRegistered;
43
+ constructor(config?: SandboxManagerConfig);
44
+ /**
45
+ * Initialize the manager. For the Docker provider this verifies that the
46
+ * Docker daemon is reachable. Call this once at application startup.
47
+ *
48
+ * @throws Error if the Docker daemon cannot be reached (Docker provider only).
49
+ */
50
+ initialize(): Promise<void>;
51
+ /**
52
+ * Create and start a new sandbox.
53
+ *
54
+ * The sandbox is registered internally; call {@link SandboxManager.destroy}
55
+ * or {@link SandboxManager.shutdown} to release it.
56
+ *
57
+ * @param overrides - Per-sandbox config overrides merged with manager defaults.
58
+ */
59
+ create(overrides: Pick<DockerSandboxConfig, 'scope' | 'workspaceAccess'> & Partial<DockerSandboxConfig>): Promise<SandboxProvider>;
60
+ /**
61
+ * Destroy a specific sandbox and remove it from the active registry.
62
+ */
63
+ destroy(sandbox: SandboxProvider): Promise<void>;
64
+ /**
65
+ * Destroy all active sandboxes and shut the manager down.
66
+ * Called automatically on SIGTERM / SIGINT when registered.
67
+ */
68
+ shutdown(): Promise<void>;
69
+ /**
70
+ * Returns the number of currently active sandboxes.
71
+ */
72
+ get activeCount(): number;
73
+ private _generateId;
74
+ private _registerShutdownHandlers;
75
+ }
76
+
77
+ export { SandboxManager, isDockerAvailable };
package/dist/sandbox-manager.js ADDED
@@ -0,0 +1,498 @@
1
+ // src/sandbox-manager.ts
2
+ import Dockerode2 from "dockerode";
3
+ import { randomUUID as randomUUID2 } from "crypto";
4
+
5
+ // src/docker-sandbox.ts
6
+ import Dockerode from "dockerode";
7
+ import { randomUUID } from "crypto";
8
+
9
+ // src/security.ts
10
+ var BLOCKED_BIND_PREFIXES = [
11
+ "/var/run/docker.sock",
12
+ "/etc",
13
+ "/proc",
14
+ "/sys",
15
+ "/dev",
16
+ "/boot",
17
+ "/root"
18
+ ];
19
+ var DEFAULT_CAP_DROP = ["ALL"];
20
+ var BASE_ALLOWED_IMAGE_PREFIXES = [
21
+ "node:",
22
+ "python:",
23
+ "ubuntu:",
24
+ "debian:",
25
+ "alpine:",
26
+ "agentforge/"
27
+ ];
28
+ function validateBind(bind) {
29
+ const hostPath = bind.split(":")[0];
30
+ if (!hostPath) {
31
+ throw new SecurityError(`Invalid bind mount spec: "${bind}"`);
32
+ }
33
+ for (const blocked of BLOCKED_BIND_PREFIXES) {
34
+ if (hostPath === blocked || hostPath.startsWith(blocked + "/") || hostPath.startsWith(blocked)) {
35
+ throw new SecurityError(
36
+ `Bind mount "${bind}" is blocked. Host path "${hostPath}" matches blocked prefix "${blocked}".`
37
+ );
38
+ }
39
+ }
40
+ }
41
+ function validateBinds(binds) {
42
+ for (const bind of binds) {
43
+ validateBind(bind);
44
+ }
45
+ }
46
+ function validateImageName(image) {
47
+ if (!image || typeof image !== "string") {
48
+ throw new SecurityError("Image name must be a non-empty string.");
49
+ }
50
+ if (/[;&|`$(){}[\]<>]/.test(image)) {
51
+ throw new SecurityError(`Image name "${image}" contains forbidden characters.`);
52
+ }
53
+ if (process.env["NODE_ENV"] !== "production") {
54
+ return;
55
+ }
56
+ const extraPrefixes = (process.env["AGENTFORGE_ALLOWED_IMAGES"] ?? "").split(",").map((s) => s.trim()).filter(Boolean);
57
+ const allowedPrefixes = [...BASE_ALLOWED_IMAGE_PREFIXES, ...extraPrefixes];
58
+ const allowed = allowedPrefixes.some((prefix) => image.startsWith(prefix));
59
+ if (!allowed) {
60
+ throw new SecurityError(
61
+ `Image "${image}" is not on the allow-list. Allowed prefixes: ${allowedPrefixes.join(", ")}. Add custom prefixes via AGENTFORGE_ALLOWED_IMAGES env var.`
62
+ );
63
+ }
64
+ }
65
+ function validateCommand(command) {
66
+ if (!command || typeof command !== "string") {
67
+ throw new SecurityError("Command must be a non-empty string.");
68
+ }
69
+ const dangerousPatterns = [
70
+ /docker\.sock/i,
71
+ /nsenter\s/i,
72
+ /mount\s+-t\s+proc/i
73
+ ];
74
+ for (const pattern of dangerousPatterns) {
75
+ if (pattern.test(command)) {
76
+ throw new SecurityError(
77
+ `Command contains a potentially dangerous pattern: ${pattern.source}`
78
+ );
79
+ }
80
+ }
81
+ }
82
+ var SecurityError = class extends Error {
83
+ constructor(message) {
84
+ super(message);
85
+ this.name = "SecurityError";
86
+ }
87
+ };
88
+
89
+ // src/docker-sandbox.ts
90
+ var DEFAULT_IMAGE = "node:22-slim";
91
+ var DEFAULT_EXEC_TIMEOUT_MS = 3e4;
92
+ var DEFAULT_CONTAINER_WORKSPACE = "/workspace";
93
+ function demuxDockerStream(buffer) {
94
+ let stdout = "";
95
+ let stderr = "";
96
+ let offset = 0;
97
+ while (offset + 8 <= buffer.length) {
98
+ const streamType = buffer[offset];
99
+ const frameSize = buffer.readUInt32BE(offset + 4);
100
+ offset += 8;
101
+ if (offset + frameSize > buffer.length) break;
102
+ const chunk = buffer.slice(offset, offset + frameSize).toString("utf8");
103
+ offset += frameSize;
104
+ if (streamType === 1) {
105
+ stdout += chunk;
106
+ } else if (streamType === 2) {
107
+ stderr += chunk;
108
+ }
109
+ }
110
+ return { stdout, stderr };
111
+ }
112
+ var DockerSandbox = class {
113
+ config;
114
+ docker;
115
+ container = null;
116
+ containerId = null;
117
+ killTimer = null;
118
+ /**
119
+ * @param config - Sandbox configuration.
120
+ * @param docker - Optional pre-configured Dockerode instance (useful in tests).
121
+ */
122
+ constructor(config, docker) {
123
+ const image = config.image ?? DEFAULT_IMAGE;
124
+ validateImageName(image);
125
+ if (config.binds && config.binds.length > 0) {
126
+ validateBinds(config.binds);
127
+ }
128
+ this.config = {
129
+ ...config,
130
+ image,
131
+ containerWorkspacePath: config.containerWorkspacePath ?? DEFAULT_CONTAINER_WORKSPACE
132
+ };
133
+ this.docker = docker ?? new Dockerode(
134
+ process.env["DOCKER_HOST"] ? { host: process.env["DOCKER_HOST"] } : { socketPath: "/var/run/docker.sock" }
135
+ );
136
+ }
137
+ // ---------------------------------------------------------------------------
138
+ // Lifecycle
139
+ // ---------------------------------------------------------------------------
140
+ /**
141
+ * Create and start the Docker container.
142
+ * Idempotent — calling start() on an already-running sandbox is a no-op.
143
+ */
144
+ async start() {
145
+ if (this.container) return;
146
+ const { image, scope, resourceLimits, binds, env, timeout, workspaceAccess, workspacePath, containerWorkspacePath } = this.config;
147
+ const name = `agentforge-${scope}-${randomUUID().slice(0, 8)}`;
148
+ const envArray = Object.entries(env ?? {}).map(([k, v]) => `${k}=${v}`);
149
+ const allBinds = [...binds ?? []];
150
+ if (workspaceAccess !== "none" && workspacePath) {
151
+ const mode = workspaceAccess === "ro" ? "ro" : "rw";
152
+ allBinds.push(`${workspacePath}:${containerWorkspacePath}:${mode}`);
153
+ }
154
+ const hostConfig = {
155
+ // Resource limits
156
+ CpuShares: resourceLimits?.cpuShares,
157
+ Memory: resourceLimits?.memoryMb ? resourceLimits.memoryMb * 1024 * 1024 : void 0,
158
+ PidsLimit: resourceLimits?.pidsLimit ?? 256,
159
+ // Security hardening
160
+ CapDrop: [...DEFAULT_CAP_DROP],
161
+ SecurityOpt: ["no-new-privileges:true"],
162
+ ReadonlyRootfs: false,
163
+ // Bind mounts
164
+ Binds: allBinds.length > 0 ? allBinds : void 0
165
+ };
166
+ this.container = await this.docker.createContainer({
167
+ name,
168
+ Image: image,
169
+ // Keep container alive — we run commands via exec
170
+ Cmd: ["/bin/sh", "-c", "while true; do sleep 3600; done"],
171
+ Env: envArray,
172
+ AttachStdin: false,
173
+ AttachStdout: false,
174
+ AttachStderr: false,
175
+ Tty: false,
176
+ NetworkDisabled: resourceLimits?.networkDisabled ?? false,
177
+ WorkingDir: containerWorkspacePath,
178
+ Labels: {
179
+ "agentforge.scope": scope,
180
+ "agentforge.managed": "true"
181
+ },
182
+ HostConfig: hostConfig
183
+ });
184
+ await this.container.start();
185
+ this.containerId = this.container.id;
186
+ if (timeout && timeout > 0) {
187
+ this.killTimer = setTimeout(() => {
188
+ void this.destroy();
189
+ }, timeout * 1e3);
190
+ }
191
+ }
192
+ /**
193
+ * Stop the container gracefully (10 s grace period then SIGKILL).
194
+ * The container is kept for potential restart.
195
+ */
196
+ async stop() {
197
+ this._clearKillTimer();
198
+ if (!this.container) return;
199
+ try {
200
+ const info = await this.container.inspect();
201
+ if (info.State.Running) {
202
+ await this.container.stop({ t: 10 });
203
+ }
204
+ } catch {
205
+ }
206
+ }
207
+ /**
208
+ * Destroy the container and release all resources.
209
+ * Safe to call multiple times.
210
+ */
211
+ async destroy() {
212
+ this._clearKillTimer();
213
+ const container = this.container;
214
+ this.container = null;
215
+ this.containerId = null;
216
+ if (!container) return;
217
+ try {
218
+ await container.remove({ force: true });
219
+ } catch {
220
+ }
221
+ }
222
+ // ---------------------------------------------------------------------------
223
+ // Execution
224
+ // ---------------------------------------------------------------------------
225
+ /**
226
+ * Execute a shell command inside the running container.
227
+ *
228
+ * @param command - Shell command string passed to `/bin/sh -c`.
229
+ * @param options - Per-call options (timeout, cwd, env overrides).
230
+ */
231
+ async exec(command, options = {}) {
232
+ if (!this.container) {
233
+ throw new Error("DockerSandbox: container is not running. Call start() first.");
234
+ }
235
+ validateCommand(command);
236
+ const timeoutMs = options.timeout ?? DEFAULT_EXEC_TIMEOUT_MS;
237
+ const envOverride = Object.entries(options.env ?? {}).map(([k, v]) => `${k}=${v}`);
238
+ const execInstance = await this.container.exec({
239
+ Cmd: ["/bin/sh", "-c", command],
240
+ AttachStdout: true,
241
+ AttachStderr: true,
242
+ Tty: false,
243
+ WorkingDir: options.cwd,
244
+ Env: envOverride.length > 0 ? envOverride : void 0
245
+ });
246
+ return new Promise((resolve, reject) => {
247
+ const timer = setTimeout(() => {
248
+ reject(new Error(`DockerSandbox: exec timed out after ${timeoutMs}ms`));
249
+ }, timeoutMs);
250
+ execInstance.start({ hijack: true, stdin: false }, (err, stream) => {
251
+ if (err) {
252
+ clearTimeout(timer);
253
+ reject(err);
254
+ return;
255
+ }
256
+ if (!stream) {
257
+ clearTimeout(timer);
258
+ reject(new Error("DockerSandbox: no stream returned from exec"));
259
+ return;
260
+ }
261
+ const chunks = [];
262
+ stream.on("data", (chunk) => chunks.push(chunk));
263
+ stream.on("end", async () => {
264
+ clearTimeout(timer);
265
+ try {
266
+ const raw = Buffer.concat(chunks);
267
+ const { stdout, stderr } = demuxDockerStream(raw);
268
+ const inspectResult = await execInstance.inspect();
269
+ const exitCode = inspectResult.ExitCode ?? 0;
270
+ resolve({ stdout, stderr, exitCode });
271
+ } catch (inspectErr) {
272
+ reject(inspectErr);
273
+ }
274
+ });
275
+ stream.on("error", (streamErr) => {
276
+ clearTimeout(timer);
277
+ reject(streamErr);
278
+ });
279
+ });
280
+ });
281
+ }
282
+ /**
283
+ * Read a file from the container filesystem by running `cat`.
284
+ *
285
+ * @param path - Absolute path inside the container.
286
+ */
287
+ async readFile(path) {
288
+ const result = await this.exec(`cat "${path.replace(/"/g, '\\"')}"`);
289
+ if (result.exitCode !== 0) {
290
+ throw new Error(
291
+ `DockerSandbox.readFile: failed to read "${path}" (exit ${result.exitCode}): ${result.stderr}`
292
+ );
293
+ }
294
+ return result.stdout;
295
+ }
296
+ /**
297
+ * Write content to a file inside the container using base64 encoding
298
+ * to avoid shell quoting issues.
299
+ *
300
+ * @param path - Absolute path inside the container.
301
+ * @param content - UTF-8 string content.
302
+ */
303
+ async writeFile(path, content) {
304
+ const b64 = Buffer.from(content, "utf8").toString("base64");
305
+ const cmd = `printf '%s' "${b64}" | base64 -d > "${path.replace(/"/g, '\\"')}"`;
306
+ const result = await this.exec(cmd);
307
+ if (result.exitCode !== 0) {
308
+ throw new Error(
309
+ `DockerSandbox.writeFile: failed to write "${path}" (exit ${result.exitCode}): ${result.stderr}`
310
+ );
311
+ }
312
+ }
313
+ // ---------------------------------------------------------------------------
314
+ // Health
315
+ // ---------------------------------------------------------------------------
316
+ /**
317
+ * Returns true if the underlying Docker container is running.
318
+ */
319
+ async isRunning() {
320
+ if (!this.container) return false;
321
+ try {
322
+ const info = await this.container.inspect();
323
+ return info.State.Running === true;
324
+ } catch {
325
+ return false;
326
+ }
327
+ }
328
+ /**
329
+ * Returns the Docker container ID or null if not yet started.
330
+ */
331
+ getContainerId() {
332
+ return this.containerId;
333
+ }
334
+ // ---------------------------------------------------------------------------
335
+ // Private helpers
336
+ // ---------------------------------------------------------------------------
337
+ _clearKillTimer() {
338
+ if (this.killTimer !== null) {
339
+ clearTimeout(this.killTimer);
340
+ this.killTimer = null;
341
+ }
342
+ }
343
+ };
344
+
345
+ // src/sandbox-manager.ts
346
+ var E2BProviderStub = class {
347
+ async start() {
348
+ throw new Error(
349
+ "SandboxManager: E2B provider is not bundled in @agentforge-ai/sandbox. Use the SandboxManager from @agentforge-ai/core instead."
350
+ );
351
+ }
352
+ async stop() {
353
+ }
354
+ async destroy() {
355
+ }
356
+ async exec(_cmd, _opts) {
357
+ throw new Error("E2BProviderStub: not implemented");
358
+ }
359
+ async readFile(_path) {
360
+ throw new Error("E2BProviderStub: not implemented");
361
+ }
362
+ async writeFile(_path, _content) {
363
+ throw new Error("E2BProviderStub: not implemented");
364
+ }
365
+ async isRunning() {
366
+ return false;
367
+ }
368
+ getContainerId() {
369
+ return null;
370
+ }
371
+ };
372
+ async function isDockerAvailable(docker) {
373
+ try {
374
+ await docker.ping();
375
+ return true;
376
+ } catch {
377
+ return false;
378
+ }
379
+ }
380
+ var SandboxManager = class {
381
+ config;
382
+ docker;
383
+ active = /* @__PURE__ */ new Map();
384
+ shutdownRegistered = false;
385
+ constructor(config = {}) {
386
+ this.config = { provider: "docker", ...config };
387
+ const dockerHostCfg = config.dockerHost;
388
+ if (dockerHostCfg?.host) {
389
+ this.docker = new Dockerode2({
390
+ host: dockerHostCfg.host,
391
+ port: dockerHostCfg.port ?? 2376,
392
+ protocol: dockerHostCfg.protocol ?? "http"
393
+ });
394
+ } else {
395
+ this.docker = new Dockerode2({
396
+ socketPath: dockerHostCfg?.socketPath ?? "/var/run/docker.sock"
397
+ });
398
+ }
399
+ }
400
+ // ---------------------------------------------------------------------------
401
+ // Public API
402
+ // ---------------------------------------------------------------------------
403
+ /**
404
+ * Initialize the manager. For the Docker provider this verifies that the
405
+ * Docker daemon is reachable. Call this once at application startup.
406
+ *
407
+ * @throws Error if the Docker daemon cannot be reached (Docker provider only).
408
+ */
409
+ async initialize() {
410
+ if (this.config.provider === "docker") {
411
+ const available = await isDockerAvailable(this.docker);
412
+ if (!available) {
413
+ console.warn(
414
+ "[SandboxManager] Docker daemon is not reachable. Agent tool execution will fail until Docker is started. Install Docker: https://docs.docker.com/get-docker/"
415
+ );
416
+ }
417
+ }
418
+ this._registerShutdownHandlers();
419
+ }
420
+ /**
421
+ * Create and start a new sandbox.
422
+ *
423
+ * The sandbox is registered internally; call {@link SandboxManager.destroy}
424
+ * or {@link SandboxManager.shutdown} to release it.
425
+ *
426
+ * @param overrides - Per-sandbox config overrides merged with manager defaults.
427
+ */
428
+ async create(overrides) {
429
+ if (this.config.provider === "e2b") {
430
+ const stub = new E2BProviderStub();
431
+ const id2 = this._generateId(overrides.scope);
432
+ this.active.set(id2, stub);
433
+ return stub;
434
+ }
435
+ const mergedConfig = {
436
+ image: "node:22-slim",
437
+ ...this.config.dockerConfig,
438
+ ...overrides
439
+ };
440
+ const sandbox = new DockerSandbox(mergedConfig, this.docker);
441
+ await sandbox.start();
442
+ const id = this._generateId(overrides.scope);
443
+ this.active.set(id, sandbox);
444
+ return sandbox;
445
+ }
446
+ /**
447
+ * Destroy a specific sandbox and remove it from the active registry.
448
+ */
449
+ async destroy(sandbox) {
450
+ await sandbox.destroy();
451
+ for (const [key, value] of this.active) {
452
+ if (value === sandbox) {
453
+ this.active.delete(key);
454
+ break;
455
+ }
456
+ }
457
+ }
458
+ /**
459
+ * Destroy all active sandboxes and shut the manager down.
460
+ * Called automatically on SIGTERM / SIGINT when registered.
461
+ */
462
+ async shutdown() {
463
+ const destroyAll = Array.from(this.active.values()).map(
464
+ (sb) => sb.destroy().catch((err) => {
465
+ console.error("[SandboxManager] Error destroying sandbox during shutdown:", err);
466
+ })
467
+ );
468
+ await Promise.all(destroyAll);
469
+ this.active.clear();
470
+ }
471
+ /**
472
+ * Returns the number of currently active sandboxes.
473
+ */
474
+ get activeCount() {
475
+ return this.active.size;
476
+ }
477
+ // ---------------------------------------------------------------------------
478
+ // Private helpers
479
+ // ---------------------------------------------------------------------------
480
+ _generateId(scope) {
481
+ return `agentforge-${scope}-${randomUUID2().slice(0, 8)}`;
482
+ }
483
+ _registerShutdownHandlers() {
484
+ if (this.shutdownRegistered) return;
485
+ this.shutdownRegistered = true;
486
+ const handler = () => {
487
+ void this.shutdown().finally(() => process.exit(0));
488
+ };
489
+ process.once("SIGTERM", handler);
490
+ process.once("SIGINT", handler);
491
+ process.once("beforeExit", () => void this.shutdown());
492
+ }
493
+ };
494
+ export {
495
+ SandboxManager,
496
+ isDockerAvailable
497
+ };
498
+ //# sourceMappingURL=sandbox-manager.js.map