@deepwhale/coding-agent 1.0.12 → 1.0.13

package/dist/sandbox/docker-runner.d.ts

@@ -0,0 +1,147 @@
+/**
+ * DockerSandboxRunner — 通过 `docker run --rm` 隔离执行 BashTool 命令
+ *
+ * Sprint 1c-revive-3-D-12 (2026-06-05): MVP 隔离, **不**等于完整 sandbox.
+ * .hermes/plans/d12/D12-PLAN.md 写清威胁模型 + 已知风险.
+ *
+ * 安全红线 (实现 + 自查都覆盖):
+ * - args 用数组传给 execFile, **不** 拼 shell 字符串
+ * - **不** 加 --privileged (grep 自查)
+ * - **不** 挂宿主根目录 (--volume /:/host 之类)
+ * - **不** 传 --env-file, **不** 传 DEEPSEEK_API_KEY / ANTHROPIC_AUTH_TOKEN
+ * - 容器名加 random suffix (8 字符) 避免冲突
+ * - workspace mount 用 --volume ${resolvedCwd}:/workspace:rw
+ * - 默认 --network=none (DEEPWHALE_DOCKER_NETWORK=bridge 显式允许)
+ * - timeout 走 docker stop 5s grace, 然后 docker kill 兜底
+ * - cleanup 失败进 result.warning, 不静默假成功
+ *
+ * MVP 边界: 这是执行环境抽象, **不是**:
+ * - 完整 policy language (Sprint D-15)
+ * - 完整 seccomp / apparmor profile (用 Docker default)
+ * - 远程容器 (本地 docker socket)
+ * - 跨平台验证 (Linux 本机; Docker Desktop on Mac/Win 不在 D-12 范围)
+ */
+import type { SandboxRunRequest, SandboxRunResult, SandboxRunner } from './types.js';
+/** 上限 10 分钟, BashTool 60s 但 docker 模式可放宽. */
+export declare const DOCKER_DEFAULT_TIMEOUT_MS = 60000;
+/**
+ * Sprint 1c-revive-3-D-12 review 修复 (2026-06-05, 基于 9348650 review).
+ *
+ * 黑名单: 这些 key **必须** 不传给 docker CLI 子进程. D-7 `.env` loader 会把
+ * API key 放进 `process.env`; 默认 `env: process.env` 透传给 docker CLI 时,
+ * docker CLI 自身能 `env | grep KEY` dump 出来, 也可能透传到 `docker run --env`
+ * 启动的容器 (MVP 没用 --env, 但 docker CLI 内部行为 / 错误日志 / 未来扩展都有
+ * 风险).
+ *
+ * 范围拍板: D-12 review 只列了 deepseek + anthropic + "等". 保守走 deepseek/
+ * anthropic + session key (README L159 拍板的 at-rest encryption key), 其他
+ * 第三方 API key 风险不在 D-12 范围. 后续 sprint 可扩.
+ *
+ * 模式: 黑名单 (比白名单稳 — 加新 deny 项立即生效, 不需要遍历允许列表).
+ */
+export declare const DOCKER_CLI_DENY_KEYS: ReadonlySet<string>;
+/**
+ * Sprint 1c-revive-3-D-12 review 修复 (2026-06-05, 基于 9348650 review).
+ *
+ * 给 docker CLI 子进程构造最小 env. docker CLI 自身需要的:
+ *   - PATH (Linux/macOS 找其他 binary; 这里是子进程启动新 docker 子调用时用)
+ *   - HOME (读 ~/.docker/config.json, docker config 凭据加载)
+ *   - USERPROFILE (Windows 走这个替代 HOME)
+ *   - DOCKER_HOST (连远程 docker daemon, e.g. ssh:// / tcp://)
+ *   - DOCKER_CONFIG (config 路径, 跟 HOME/config 区分时)
+ *   - DOCKER_TLS_VERIFY (TLS 开关)
+ *   - DOCKER_TLS_CERTPATH (TLS 凭据路径)
+ *
+ * 其他 host 进程 env (TZ / LANG / 等) 通过 DOCKER_CLI_ALLOW_KEYS 白名单兜底,
+ * 默认**不**透传. 跟 process.env 的差别显式记录, 避免 review 时再撞"env 注入
+ * 未知 key" 的问题.
+ */
+export declare const DOCKER_CLI_ALLOW_KEYS: ReadonlySet<string>;
+/**
+ * 构造给 docker CLI 子进程的 env: DOCKER_CLI_ALLOW_KEYS 交集 process.env
+ * + 跳过 DOCKER_CLI_DENY_KEYS (黑名单优先, 即便用户在 allow set 里也跳过).
+ * 返回**新对象**, 不影响 process.env.
+ */
+export declare function makeDockerCliEnv(env?: NodeJS.ProcessEnv): NodeJS.ProcessEnv;
+export interface DockerSandboxOptions {
+    /** 容器镜像. 默认 'node:22-alpine'. */
+    readonly image?: string;
+    /** 沙箱根目录. BashTool ctor 拿 process.cwd() 注入. */
+    readonly sandboxRoot: string;
+    /** 'none' (默认, 禁网) / 'bridge' (允许 docker 默认 bridge). */
+    readonly network?: 'none' | 'bridge';
+    /** 默认 60_000. clamp 上限 10 分钟. */
+    readonly defaultTimeoutMs?: number;
+    /**
+     * Sprint 1c-revive-4-D-20.1 P0-F (2026-06-05): 容器内存硬上限.
+     * 默认 '512m' (拍板: 防 OOM 把宿主打挂). docker CLI 接受字符串 ('512m'/'1g'/'2048m' 等).
+     * env override: DEEPWHALE_DOCKER_MEMORY. 解析失败 docker 自身会 stderr, 走 result.warning.
+     */
+    readonly memory?: string;
+    /**
+     * Sprint 1c-revive-4-D-20.1 P0-F: 容器 CPU 配额.
+     * 默认 '1.0' (1 核). docker 接受小数 ('0.5' / '2.0' / 等).
+     * env override: DEEPWHALE_DOCKER_CPUS.
+     */
+    readonly cpus?: string;
+    /**
+     * Sprint 1c-revive-4-D-20.1 P0-F: 容器进程数硬上限.
+     * 默认 '256' (防 fork 炸弹). docker 接受整数字符串.
+     * env override: DEEPWHALE_DOCKER_PIDS_LIMIT.
+     */
+    readonly pidsLimit?: string;
+}
+/**
+ * DockerSandboxRunner — opt-in sandbox, 通过 `docker run` 隔离命令.
+ *
+ * 关键: 所有 docker 子命令都用 execFile 传数组, **不** 拼字符串.
+ */
+export declare class DockerSandboxRunner implements SandboxRunner {
+    readonly kind: "docker";
+    private readonly image;
+    private readonly sandboxRoot;
+    private readonly network;
+    private readonly defaultTimeoutMs;
+    /** Sprint 1c-revive-4-D-20.1 P0-F: 资源限制字段. env override 走 env-gate. */
+    private readonly memory;
+    private readonly cpus;
+    private readonly pidsLimit;
+    /**
+     * Sprint 1c-revive-3-D-12 review P2 修复 (2026-06-05): 每个 runner 实例
+     * 唯一 runId. 容器打两个 label: `deepwhale.sandbox=true` (粗筛) +
+     * `deepwhale.sandbox.run_id=<runId>` (精筛). cleanup() 只删**自己** runId
+     * 的容器, 避免并发 runner 时一个 cleanup 误删另一个的容器.
+     */
+    readonly runId: string;
+    constructor(opts: DockerSandboxOptions);
+    /**
+     * 跑命令. 不抛异常 — 失败 / timeout / docker 不存在都在 result 里.
+     *
+     * docker run → 在容器里跑命令. timeout 通过 docker stop 触发.
+     * 实现拆 3 步: buildArgs → spawn → 收集 stdout/stderr/exit.
+     * 不在沙箱里, 行为是 Node 进程, timeout 走 SIGKILL child of docker CLI.
+     */
+    run(req: SandboxRunRequest): Promise<SandboxRunResult>;
+    /**
+     * 构建 docker run args. **核心安全边界** — 全部用数组, 任何 caller 都无法通过
+     * 输入污染 args (args 里的空格/--xxx 都被当作字面量).
+     */
+    buildDockerArgs(containerName: string, workspaceAbs: string, req: SandboxRunRequest): string[];
+    /** cwd 是否在 sandboxRoot 内. */
+    private isInsideSandbox;
+    /** 停容器 (SIGTERM), grace ms 内不退就当失败. */
+    private stopContainer;
+    /** 强杀容器 (SIGKILL). 失败不抛. */
+    private killContainer;
+    /**
+     * 主动清理 — 给 BashTool 退出时调. docker run --rm 模式理论上不需要, 但如果
+     * 容器因 timeout 残留 (kill 失败) 就在这里兜底.
+     * **不抛异常**, 错误进 stderr warning.
+     *
+     * Sprint 1c-revive-3-D-12 review P2 修复 (2026-06-05): filter 同时**精筛**
+     * runId label, 只删本 runner 的容器. 之前只用 `deepwhale.sandbox=true` 粗筛,
+     * 并发两个 runner 时一个 cleanup 可能误删另一个 runner 的容器 — 跨实例污染.
+     */
+    cleanup(): Promise<void>;
+}
+//# sourceMappingURL=docker-runner.d.ts.map

package/dist/sandbox/docker-runner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"docker-runner.d.ts","sourceRoot":"","sources":["../../src/sandbox/docker-runner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAOH,OAAO,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAKrF,6CAA6C;AAC7C,eAAO,MAAM,yBAAyB,QAAS,CAAC;AAgBhD;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,oBAAoB,EAAE,WAAW,CAAC,MAAM,CAInD,CAAC;AAEH;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,qBAAqB,EAAE,WAAW,CAAC,MAAM,CAcpD,CAAC;AAEH;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,GAAE,MAAM,CAAC,UAAwB,GAAG,MAAM,CAAC,UAAU,CASxF;AAED,MAAM,WAAW,oBAAoB;IACnC,iCAAiC;IACjC,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,+CAA+C;IAC/C,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,wDAAwD;IACxD,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,QAAQ,CAAC;IACrC,iCAAiC;IACjC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC;;;;OAIG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB;;;;OAIG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;;;OAIG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAWD;;;;GAIG;AACH,qBAAa,mBAAoB,YAAW,aAAa;IACvD,QAAQ,CAAC,IAAI,EAAG,QAAQ,CAAU;IAClC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAS;IAC/B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAoB;IAC5C,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,uEAAuE;IACvE,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAS;IAC9B,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC;;;;;OAKG;IACH,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;gBAEX,IAAI,EAAE,oBAAoB;IAkBtC;;;;;;OAMG;IACG,GAAG,CAAC,GAAG,EAAE,iBAAiB,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAuI5D;;;OAGG;IACH,eAAe,CAAC,aAAa,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,EAAE,iBAAiB,GAAG,MAAM,EAAE;IA6C9F,6BAA6B;IAC7B,OAAO,CAAC,eAAe;IAQvB,uCAAuC;YACzB,aAAa;IAmB3B,4BAA4B;YACd,aAAa;IAY3B;;;;;;;;OAQG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAuC/B"}

package/dist/sandbox/docker-runner.js

@@ -0,0 +1,426 @@
+/**
+ * DockerSandboxRunner — 通过 `docker run --rm` 隔离执行 BashTool 命令
+ *
+ * Sprint 1c-revive-3-D-12 (2026-06-05): MVP 隔离, **不**等于完整 sandbox.
+ * .hermes/plans/d12/D12-PLAN.md 写清威胁模型 + 已知风险.
+ *
+ * 安全红线 (实现 + 自查都覆盖):
+ * - args 用数组传给 execFile, **不** 拼 shell 字符串
+ * - **不** 加 --privileged (grep 自查)
+ * - **不** 挂宿主根目录 (--volume /:/host 之类)
+ * - **不** 传 --env-file, **不** 传 DEEPSEEK_API_KEY / ANTHROPIC_AUTH_TOKEN
+ * - 容器名加 random suffix (8 字符) 避免冲突
+ * - workspace mount 用 --volume ${resolvedCwd}:/workspace:rw
+ * - 默认 --network=none (DEEPWHALE_DOCKER_NETWORK=bridge 显式允许)
+ * - timeout 走 docker stop 5s grace, 然后 docker kill 兜底
+ * - cleanup 失败进 result.warning, 不静默假成功
+ *
+ * MVP 边界: 这是执行环境抽象, **不是**:
+ * - 完整 policy language (Sprint D-15)
+ * - 完整 seccomp / apparmor profile (用 Docker default)
+ * - 远程容器 (本地 docker socket)
+ * - 跨平台验证 (Linux 本机; Docker Desktop on Mac/Win 不在 D-12 范围)
+ */
+import { execFile, spawn } from 'node:child_process';
+import { randomUUID } from 'node:crypto';
+import { resolve as pathResolve, sep as pathSep } from 'node:path';
+import { promisify } from 'node:util';
+import process from 'node:process';
+const execFileP = promisify(execFile);
+const DEFAULT_IMAGE = 'node:22-alpine';
+/** 上限 10 分钟, BashTool 60s 但 docker 模式可放宽. */
+export const DOCKER_DEFAULT_TIMEOUT_MS = 60_000;
+/** Docker 容器 stop grace 5s, 之后 SIGKILL. */
+const _STOP_GRACE_MS_UNUSED = 5_000;
+/** sandboxRoot 内的相对路径映射到容器 /workspace. */
+const CONTAINER_WORKDIR = '/workspace';
+/** stdout/stderr 末尾 cap 跟 LocalSandboxRunner 一致. */
+const DEFAULT_STDOUT_CAP = 4 * 1024;
+/** 10MB hard ceiling, 跟 LocalSandboxRunner 一致. */
+const _MAX_BUFFER_UNUSED = 10 * 1024 * 1024;
+// Sprint 1c-revive-4-D-20.1 P0-F (2026-06-05): 容器资源限制默认值 (拍板红线).
+// 防止 fork 炸弹 / OOM / CPU 100% 把宿主打挂. env override 走 env-gate.
+const DEFAULT_MEMORY = '512m';
+const DEFAULT_CPUS = '1.0';
+const DEFAULT_PIDS_LIMIT = '256';
+/**
+ * Sprint 1c-revive-3-D-12 review 修复 (2026-06-05, 基于 9348650 review).
+ *
+ * 黑名单: 这些 key **必须** 不传给 docker CLI 子进程. D-7 `.env` loader 会把
+ * API key 放进 `process.env`; 默认 `env: process.env` 透传给 docker CLI 时,
+ * docker CLI 自身能 `env | grep KEY` dump 出来, 也可能透传到 `docker run --env`
+ * 启动的容器 (MVP 没用 --env, 但 docker CLI 内部行为 / 错误日志 / 未来扩展都有
+ * 风险).
+ *
+ * 范围拍板: D-12 review 只列了 deepseek + anthropic + "等". 保守走 deepseek/
+ * anthropic + session key (README L159 拍板的 at-rest encryption key), 其他
+ * 第三方 API key 风险不在 D-12 范围. 后续 sprint 可扩.
+ *
+ * 模式: 黑名单 (比白名单稳 — 加新 deny 项立即生效, 不需要遍历允许列表).
+ */
+export const DOCKER_CLI_DENY_KEYS = new Set([
+    'DEEPSEEK_API_KEY',
+    'ANTHROPIC_AUTH_TOKEN',
+    'DEEPWHALE_SESSION_KEY',
+]);
+/**
+ * Sprint 1c-revive-3-D-12 review 修复 (2026-06-05, 基于 9348650 review).
+ *
+ * 给 docker CLI 子进程构造最小 env. docker CLI 自身需要的:
+ *   - PATH (Linux/macOS 找其他 binary; 这里是子进程启动新 docker 子调用时用)
+ *   - HOME (读 ~/.docker/config.json, docker config 凭据加载)
+ *   - USERPROFILE (Windows 走这个替代 HOME)
+ *   - DOCKER_HOST (连远程 docker daemon, e.g. ssh:// / tcp://)
+ *   - DOCKER_CONFIG (config 路径, 跟 HOME/config 区分时)
+ *   - DOCKER_TLS_VERIFY (TLS 开关)
+ *   - DOCKER_TLS_CERTPATH (TLS 凭据路径)
+ *
+ * 其他 host 进程 env (TZ / LANG / 等) 通过 DOCKER_CLI_ALLOW_KEYS 白名单兜底,
+ * 默认**不**透传. 跟 process.env 的差别显式记录, 避免 review 时再撞"env 注入
+ * 未知 key" 的问题.
+ */
+export const DOCKER_CLI_ALLOW_KEYS = new Set([
+    'PATH',
+    // Sprint 1c-revive-3-D-12 review chain 关单 (2026-06-05, 基于 dfe9d9a review):
+    // Windows / PowerShell 用户的 process.env 习惯用 'Path' (跟 cmd.exe / PowerShell
+    // 一致), Unix 用 'PATH'. Node 透传时**不**归一化大小写, 只 allow 单一大小写会
+    // 漏 Windows. 两个都列, 跟其他 DOCKER_* key 风格一致; case-insensitive 归一化
+    // 跨平台有"同 key 不同大小写同时存在被覆盖" 的不可见副作用, 不引入.
+    'Path',
+    'HOME',
+    'USERPROFILE',
+    'DOCKER_HOST',
+    'DOCKER_CONFIG',
+    'DOCKER_TLS_VERIFY',
+    'DOCKER_TLS_CERTPATH',
+]);
+/**
+ * 构造给 docker CLI 子进程的 env: DOCKER_CLI_ALLOW_KEYS 交集 process.env
+ * + 跳过 DOCKER_CLI_DENY_KEYS (黑名单优先, 即便用户在 allow set 里也跳过).
+ * 返回**新对象**, 不影响 process.env.
+ */
+export function makeDockerCliEnv(env = process.env) {
+    const result = {};
+    for (const key of DOCKER_CLI_ALLOW_KEYS) {
+        const value = env[key];
+        if (value === undefined)
+            continue;
+        if (DOCKER_CLI_DENY_KEYS.has(key))
+            continue; // 防御: 黑名单优先
+        result[key] = value;
+    }
+    return result;
+}
+/**
+ * 容器的 stdout/stderr cap. 用 Buffer.from 包一层, ts 5.x 严格模式抓得到
+ * Buffer<ArrayBufferLike> 跟 Buffer<ArrayBuffer> 的差别.
+ */
+function capTail(buf, cap) {
+    if (buf.length <= cap)
+        return buf;
+    return Buffer.from(buf.subarray(buf.length - cap));
+}
+/**
+ * DockerSandboxRunner — opt-in sandbox, 通过 `docker run` 隔离命令.
+ *
+ * 关键: 所有 docker 子命令都用 execFile 传数组, **不** 拼字符串.
+ */
+export class DockerSandboxRunner {
+    kind = 'docker';
+    image;
+    sandboxRoot;
+    network;
+    defaultTimeoutMs;
+    /** Sprint 1c-revive-4-D-20.1 P0-F: 资源限制字段. env override 走 env-gate. */
+    memory;
+    cpus;
+    pidsLimit;
+    /**
+     * Sprint 1c-revive-3-D-12 review P2 修复 (2026-06-05): 每个 runner 实例
+     * 唯一 runId. 容器打两个 label: `deepwhale.sandbox=true` (粗筛) +
+     * `deepwhale.sandbox.run_id=<runId>` (精筛). cleanup() 只删**自己** runId
+     * 的容器, 避免并发 runner 时一个 cleanup 误删另一个的容器.
+     */
+    runId;
+    constructor(opts) {
+        this.image = opts.image ?? DEFAULT_IMAGE;
+        // Sprint 1c-revive-5-D-20.6.1 review-fix (2026-06-06): 规范化 sandboxRoot
+        // 到绝对路径, 避免 Windows 端 caller 传 '/tmp/sbx-test' (POSIX 风格)
+        // 跟 pathResolve(req.cwd) 落到 Windows 盘符 (e.g. C:\Users\xxx) 不在同空间
+        // → isInsideSandbox early return → mock child 不创建, 测试 fail.
+        // 修法: 构造时 pathResolve(opts.sandboxRoot), 绝对路径原样, 相对路径
+        // 也变成绝对 (跟 process.cwd() 解). 兼容 caller 写 '/tmp/sbx-test' /
+        // 'C:\xxx' / 'C:/xxx' / './sbx' 多种形态.
+        this.sandboxRoot = pathResolve(opts.sandboxRoot);
+        this.network = opts.network ?? 'none';
+        this.defaultTimeoutMs = opts.defaultTimeoutMs ?? DOCKER_DEFAULT_TIMEOUT_MS;
+        this.memory = opts.memory ?? DEFAULT_MEMORY;
+        this.cpus = opts.cpus ?? DEFAULT_CPUS;
+        this.pidsLimit = opts.pidsLimit ?? DEFAULT_PIDS_LIMIT;
+        this.runId = randomUUID().slice(0, 8);
+    }
+    /**
+     * 跑命令. 不抛异常 — 失败 / timeout / docker 不存在都在 result 里.
+     *
+     * docker run → 在容器里跑命令. timeout 通过 docker stop 触发.
+     * 实现拆 3 步: buildArgs → spawn → 收集 stdout/stderr/exit.
+     * 不在沙箱里, 行为是 Node 进程, timeout 走 SIGKILL child of docker CLI.
+     */
+    async run(req) {
+        const start = Date.now();
+        const cap = req.stdoutCapBytes || DEFAULT_STDOUT_CAP;
+        const timeoutMs = req.timeoutMs || this.defaultTimeoutMs;
+        // clamp timeout 上限 10 分钟
+        const clampedTimeout = Math.min(Math.max(timeoutMs, 1_000), 10 * 60_000);
+        const containerName = `deepwhale-sbx-${randomUUID().slice(0, 8)}`;
+        const workspaceAbs = pathResolve(req.cwd);
+        // 校验 cwd 在 sandboxRoot 内 (防止 mount escape: bash 工具说在 /workspace
+        // 但实际 pathResolve 跳出 sandboxRoot 之后 docker -v 挂载到宿主别处)
+        if (!this.isInsideSandbox(workspaceAbs)) {
+            return {
+                ok: false,
+                exitCode: null,
+                stdoutTail: '',
+                stderrTail: '',
+                durationMs: Date.now() - start,
+                warning: `cwd '${workspaceAbs}' is outside sandbox root '${this.sandboxRoot}' — refusing to mount`,
+            };
+        }
+        const dockerArgs = this.buildDockerArgs(containerName, workspaceAbs, req);
+        return new Promise((resolve) => {
+            let stdoutBuf = Buffer.alloc(0);
+            let stderrBuf = Buffer.alloc(0);
+            let killTimer = null;
+            let sigkillTimer = null;
+            let resolved = false;
+            const finalize = (r) => {
+                if (resolved)
+                    return;
+                resolved = true;
+                if (killTimer)
+                    clearTimeout(killTimer);
+                if (sigkillTimer)
+                    clearTimeout(sigkillTimer);
+                resolve({ ...r, durationMs: Date.now() - start });
+            };
+            const child = spawn('docker', dockerArgs, {
+                cwd: this.sandboxRoot,
+                stdio: ['ignore', 'pipe', 'pipe'],
+                // Sprint 1c-revive-3-D-12 review 修复 (2026-06-05, 基于 9348650 review):
+                // 之前 `env: process.env` 透传, D-7 `.env` loader 注入的 API key 会
+                // 进 docker CLI 子进程 (可能被 docker 内部 dump 到诊断日志 / 未来
+                // 扩展透传到容器). 修法: makeDockerCliEnv() 黑名单 + 白名单, 默认
+                // 只透传 docker CLI 必需的 7 个 key, 显式剔除 API key.
+                env: makeDockerCliEnv(),
+                // 注: 这里不传 shell: true (默认 false), 数组 args 安全
+            });
+            child.stdout?.on('data', (chunk) => {
+                stdoutBuf = capTail(Buffer.concat([stdoutBuf, chunk]), cap);
+            });
+            child.stderr?.on('data', (chunk) => {
+                stderrBuf = capTail(Buffer.concat([stderrBuf, chunk]), cap);
+            });
+            // timeout 触发: 走 docker stop (SIGTERM + 5s grace) → docker kill (SIGKILL)
+            killTimer = setTimeout(() => {
+                // docker stop 给容器 5s grace, 容器跑不到就 docker kill
+                void this.stopContainer(containerName, 5_000)
+                    .then((stopOk) => {
+                    if (stopOk) {
+                        finalize({
+                            ok: false,
+                            exitCode: null,
+                            stdoutTail: stdoutBuf.toString('utf8'),
+                            stderrTail: stderrBuf.toString('utf8'),
+                            signal: 'SIGTERM',
+                        });
+                    }
+                    else {
+                        // stop 失败, 兜底 kill
+                        void this.killContainer(containerName).finally(() => {
+                            finalize({
+                                ok: false,
+                                exitCode: null,
+                                stdoutTail: stdoutBuf.toString('utf8'),
+                                stderrTail: stderrBuf.toString('utf8'),
+                                signal: 'SIGKILL',
+                                warning: 'docker stop failed, force-killed via docker kill',
+                            });
+                        });
+                    }
+                })
+                    .catch((err) => {
+                    finalize({
+                        ok: false,
+                        exitCode: null,
+                        stdoutTail: stdoutBuf.toString('utf8'),
+                        stderrTail: stderrBuf.toString('utf8'),
+                        signal: 'SIGKILL',
+                        warning: `docker stop error: ${err instanceof Error ? err.message : String(err)}`,
+                    });
+                });
+            }, clampedTimeout);
+            // 上面的 finalize 内部已清 killTimer, 但 sigkill 兜底场景下我们没注册 sigkillTimer
+            // 实际 SIGTERM 失败转 SIGKILL 已经在上面, sigkillTimer 字段是预留, 这里清空
+            sigkillTimer = null;
+            child.on('error', (err) => {
+                // spawn 失败 (docker 不在 PATH / docker daemon 死)
+                finalize({
+                    ok: false,
+                    exitCode: null,
+                    stdoutTail: stdoutBuf.toString('utf8'),
+                    stderrTail: stderrBuf.toString('utf8'),
+                    warning: `docker spawn failed: ${err.message}. Is docker installed and running?`,
+                });
+            });
+            child.on('close', (code, signal) => {
+                // docker CLI 自己的 exit code: 0 = 容器跑完 + 退出 0
+                // 非 0 = 容器命令失败 / docker 出错
+                // signal = docker CLI 自己被 kill (这里只有 child.kill 时, 实际不走这里)
+                if (signal === 'SIGTERM' || signal === 'SIGKILL') {
+                    finalize({
+                        ok: false,
+                        exitCode: null,
+                        stdoutTail: stdoutBuf.toString('utf8'),
+                        stderrTail: stderrBuf.toString('utf8'),
+                        signal: signal === 'SIGTERM' ? 'SIGTERM' : 'SIGKILL',
+                    });
+                    return;
+                }
+                finalize({
+                    ok: code === 0,
+                    exitCode: code,
+                    stdoutTail: stdoutBuf.toString('utf8'),
+                    stderrTail: stderrBuf.toString('utf8'),
+                });
+            });
+        });
+    }
+    /**
+     * 构建 docker run args. **核心安全边界** — 全部用数组, 任何 caller 都无法通过
+     * 输入污染 args (args 里的空格/--xxx 都被当作字面量).
+     */
+    buildDockerArgs(containerName, workspaceAbs, req) {
+        const args = [
+            'run',
+            '--rm', // 跑完自动删容器
+            '--label',
+            'deepwhale.sandbox=true',
+            // Sprint 1c-revive-3-D-12 review P2 修复: 跟 runId 配对的精筛 label.
+            // cleanup() 用它只删本 runner 的容器, 并发安全.
+            '--label',
+            `deepwhale.sandbox.run_id=${this.runId}`,
+            '--name',
+            containerName,
+            '--user',
+            '1000:1000', // 非 root
+            '--read-only', // 容器 fs 只读, 写只走 /workspace + /tmp
+            '--cap-drop=ALL', // 丢弃所有 capabilities
+            '--security-opt',
+            'no-new-privileges', // 防 setuid 提权
+            '--network',
+            this.network, // 默认 none 禁网
+            // Sprint 1c-revive-4-D-20.1 P0-F: 资源限制, 防 fork 炸弹 / OOM / CPU 100%
+            // 拍板默认值: memory=512m / cpus=1.0 / pids-limit=256, env override 走 env-gate.
+            '--memory',
+            this.memory,
+            '--cpus',
+            this.cpus,
+            '--pids-limit',
+            this.pidsLimit,
+            '-v',
+            `${workspaceAbs}:${CONTAINER_WORKDIR}:rw`, // 显式 workspace bind mount
+            '-w',
+            CONTAINER_WORKDIR, // 容器内工作目录
+            '--tmpfs',
+            '/tmp:size=64m,noexec,nosuid', // 临时目录禁执行
+            // **不** 加 --privileged (grep 自查红线)
+            // **不** 加 --env-file, **不** 传 .env / API key
+            // **不** 加 --volume /:/host (禁止宿主根 mount)
+            this.image,
+            // 容器里要执行的命令
+            req.command,
+            ...req.args,
+        ];
+        return args;
+    }
+    /** cwd 是否在 sandboxRoot 内. */
+    isInsideSandbox(absoluteCwd) {
+        if (absoluteCwd === this.sandboxRoot)
+            return true;
+        const rootWithSep = this.sandboxRoot.endsWith(pathSep)
+            ? this.sandboxRoot
+            : this.sandboxRoot + pathSep;
+        return absoluteCwd.startsWith(rootWithSep);
+    }
+    /** 停容器 (SIGTERM), grace ms 内不退就当失败. */
+    async stopContainer(name, graceMs) {
+        try {
+            const { stdout } = await execFileP('docker', ['stop', '--time', String(Math.ceil(graceMs / 1000)), name], {
+                timeout: graceMs + 2_000,
+                encoding: 'buffer',
+                maxBuffer: 1024 * 1024,
+            });
+            const out = stdout.toString('utf8').trim();
+            // docker stop 退 0 + stdout 含容器名 = 成功
+            return out.includes(name);
+        }
+        catch {
+            return false;
+        }
+    }
+    /** 强杀容器 (SIGKILL). 失败不抛. */
+    async killContainer(name) {
+        try {
+            await execFileP('docker', ['kill', name], {
+                timeout: 5_000,
+                encoding: 'buffer',
+                maxBuffer: 1024 * 1024,
+            });
+        }
+        catch {
+            // best-effort, 不抛
+        }
+    }
+    /**
+     * 主动清理 — 给 BashTool 退出时调. docker run --rm 模式理论上不需要, 但如果
+     * 容器因 timeout 残留 (kill 失败) 就在这里兜底.
+     * **不抛异常**, 错误进 stderr warning.
+     *
+     * Sprint 1c-revive-3-D-12 review P2 修复 (2026-06-05): filter 同时**精筛**
+     * runId label, 只删本 runner 的容器. 之前只用 `deepwhale.sandbox=true` 粗筛,
+     * 并发两个 runner 时一个 cleanup 可能误删另一个 runner 的容器 — 跨实例污染.
+     */
+    async cleanup() {
+        try {
+            // 找本 runner runId 的残留容器并删
+            const { stdout } = await execFileP('docker', [
+                'ps',
+                '-aq',
+                '--filter',
+                'label=deepwhale.sandbox=true',
+                '--filter',
+                `label=deepwhale.sandbox.run_id=${this.runId}`,
+            ], { encoding: 'buffer', maxBuffer: 1024 * 1024 });
+            const ids = stdout.toString('utf8').trim().split('\n').filter(Boolean);
+            if (ids.length === 0)
+                return;
+            // 逐个删, 失败不阻塞其他
+            const results = await Promise.allSettled(ids.map((id) => execFileP('docker', ['rm', '-f', id], { encoding: 'buffer', maxBuffer: 1024 * 1024 })));
+            const failures = results.filter((r) => r.status === 'rejected');
+            if (failures.length > 0) {
+                // warning 通过 console 报告, 不抛 (caller 拿不到 stderr)
+                // 注: 跟 result.warning 是不同通道 — cleanup() 是 no-return, 没法填 result.
+                // D-12 MVP 接受这个限制; 后续 sprint 加 sandbox-level logger.
+                const msgs = failures
+                    .map((f) => f.reason)
+                    .map((r) => (r instanceof Error ? r.message : String(r)))
+                    .join('; ');
+                console.warn(`[sandbox] cleanup partial failure: ${msgs}`);
+            }
+        }
+        catch (err) {
+            console.warn(`[sandbox] cleanup error: ${err instanceof Error ? err.message : String(err)}`);
+        }
+    }
+}
+//# sourceMappingURL=docker-runner.js.map

package/dist/sandbox/docker-runner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"docker-runner.js","sourceRoot":"","sources":["../../src/sandbox/docker-runner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,GAAG,IAAI,OAAO,EAAE,MAAM,WAAW,CAAC;AACnE,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,OAAO,MAAM,cAAc,CAAC;AAGnC,MAAM,SAAS,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAEtC,MAAM,aAAa,GAAG,gBAAgB,CAAC;AACvC,6CAA6C;AAC7C,MAAM,CAAC,MAAM,yBAAyB,GAAG,MAAM,CAAC;AAChD,2CAA2C;AAC3C,MAAM,qBAAqB,GAAG,KAAK,CAAC;AACpC,0CAA0C;AAC1C,MAAM,iBAAiB,GAAG,YAAY,CAAC;AACvC,oDAAoD;AACpD,MAAM,kBAAkB,GAAG,CAAC,GAAG,IAAI,CAAC;AACpC,kDAAkD;AAClD,MAAM,kBAAkB,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;AAE5C,iEAAiE;AACjE,8DAA8D;AAC9D,MAAM,cAAc,GAAG,MAAM,CAAC;AAC9B,MAAM,YAAY,GAAG,KAAK,CAAC;AAC3B,MAAM,kBAAkB,GAAG,KAAK,CAAC;AAEjC;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAwB,IAAI,GAAG,CAAC;IAC/D,kBAAkB;IAClB,sBAAsB;IACtB,uBAAuB;CACxB,CAAC,CAAC;AAEH;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAwB,IAAI,GAAG,CAAC;IAChE,MAAM;IACN,2EAA2E;IAC3E,0EAA0E;IAC1E,0DAA0D;IAC1D,+DAA+D;IAC/D,yCAAyC;IACzC,MAAM;IACN,MAAM;IACN,aAAa;IACb,aAAa;IACb,eAAe;IACf,mBAAmB;IACnB,qBAAqB;CACtB,CAAC,CAAC;AAEH;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAyB,OAAO,CAAC,GAAG;IACnE,MAAM,MAAM,GAAsB,EAAE,CAAC;IACrC,KAAK,MAAM,GAAG,IAAI,qBAAqB,EAAE,CAAC;QACxC,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;QACvB,IAAI,KAAK,KAAK,SAAS;YAAE,SAAS;QAClC,IAAI,oBAAoB,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS,CAAC,YAAY;QACzD,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACtB,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AA+BD;;;GAGG;AACH,SAAS,OAAO,CAAC,GAAW,EAAE,GAAW;IACvC,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG;QAAE,OAAO,GAAG,CAAC;IAClC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC;AACrD,CAAC;AAED;;;;GAIG;AACH,MAAM,OAAO,mBAAmB;IACrB,IAAI,GAAG,QAAiB,CAAC;IACjB,KAAK,CAAS;IACd,WAAW,CAAS;IACpB,OAAO,CAAoB;IAC3B,gBAAgB,CAAS;IAC1C,uEAAuE;IACtD,MAAM,CAAS;IACf,IAAI,CAAS;IACb,SAAS,CAAS;IACnC;;;;;OAKG;IACM,KAAK,CAAS;IAEvB,YAAY,IAA0B;QACpC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,aAAa,CAAC;QACzC,uEAAuE;QACvE,0DAA0D;QAC1D,iEAAiE;QACjE,4DAA4D;QAC5D,sDAAsD;QACtD,2DAA2D;QAC3D,sCAAsC;QACtC,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACjD,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,MAAM,CAAC;QACtC,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,IAAI,yBAAyB,CAAC;QAC3E,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,cAAc,CAAC;QAC5C,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,YAAY,CAAC;QACtC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,kBAAkB,CAAC;QACtD,IAAI,CAAC,KAAK,GAAG,UAAU,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACxC,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,GAAG,CAAC,GAAsB;QAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,GAAG,CAAC,cAAc,IAAI,kBAAkB,CAAC;QACrD,MAAM,SAAS,GAAG,GAAG,CAAC,SAAS,IAAI,IAAI,CAAC,gBAAgB,CAAC;QACzD,yBAAyB;QACzB,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,KAAK,CAAC,EAAE,EAAE,GAAG,MAAM,CAAC,CAAC;QAEzE,MAAM,aAAa,GAAG,iBAAiB,UAAU,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QAClE,MAAM,YAAY,GAAG,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC1C,gEAAgE;QAChE,uDAAuD;QACvD,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,YAAY,CAAC,EAAE,CAAC;YACxC,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,QAAQ,EAAE,IAAI;gBACd,UAAU,EAAE,EAAE;gBACd,UAAU,EAAE,EAAE;gBACd,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;gBAC9B,OAAO,EAAE,QAAQ,YAAY,8BAA8B,IAAI,CAAC,WAAW,uBAAuB;aACnG,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,eAAe,CAAC,aAAa,EAAE,YAAY,EAAE,GAAG,CAAC,CAAC;QAE1E,OAAO,IAAI,OAAO,CAAmB,CAAC,OAAO,EAAE,EAAE;YAC/C,IAAI,SAAS,GAAW,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YACxC,IAAI,SAAS,GAAW,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YACxC,IAAI,SAAS,GAA0B,IAAI,CAAC;YAC5C,IAAI,YAAY,GAA0B,IAAI,CAAC;YAC/C,IAAI,QAAQ,GAAG,KAAK,CAAC;YAErB,MAAM,QAAQ,GAAG,CAAC,CAAuC,EAAQ,EAAE;gBACjE,IAAI,QAAQ;oBAAE,OAAO;gBACrB,QAAQ,GAAG,IAAI,CAAC;gBAChB,IAAI,SAAS;oBAAE,YAAY,CAAC,SAAS,CAAC,CAAC;gBACvC,IAAI,YAAY;oBAAE,YAAY,CAAC,YAAY,CAAC,CAAC;gBAC7C,OAAO,CAAC,EAAE,GAAG,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC,CAAC;YACpD,CAAC,CAAC;YAEF,MAAM,KAAK,GAAG,KAAK,CAAC,QAAQ,EAAE,UAAU,EAAE;gBACxC,GAAG,EAAE,IAAI,CAAC,WAAW;gBACrB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;gBACjC,qEAAqE;gBACrE,4DAA4D;gBAC5D,kDAAkD;gBAClD,iDAAiD;gBACjD,4CAA4C;gBAC5C,GAAG,EAAE,gBAAgB,EAAE;gBACvB,6CAA6C;aAC9C,CAAC,CAAC;YAEH,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;gBACzC,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YAC9D,CAAC,CAAC,CAAC;YACH,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;gBACzC,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YAC9D,CAAC,CAAC,CAAC;YAEH,yEAAyE;YACzE,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE;gBAC1B,+CAA+C;gBAC/C,KAAK,IAAI,CAAC,aAAa,CAAC,aAAa,EAAE,KAAK,CAAC;qBAC1C,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE;oBACf,IAAI,MAAM,EAAE,CAAC;wBACX,QAAQ,CAAC;4BACP,EAAE,EAAE,KAAK;4BACT,QAAQ,EAAE,IAAI;4BACd,UAAU,EAAE,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;4BACtC,UAAU,EAAE,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;4BACtC,MAAM,EAAE,SAAS;yBAClB,CAAC,CAAC;oBACL,CAAC;yBAAM,CAAC;wBACN,mBAAmB;wBACnB,KAAK,IAAI,CAAC,aAAa,CAAC,aAAa,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE;4BAClD,QAAQ,CAAC;gCACP,EAAE,EAAE,KAAK;gCACT,QAAQ,EAAE,IAAI;gCACd,UAAU,EAAE,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;gCACtC,UAAU,EAAE,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;gCACtC,MAAM,EAAE,SAAS;gCACjB,OAAO,EAAE,kDAAkD;6BAC5D,CAAC,CAAC;wBACL,CAAC,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC,CAAC;qBACD,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;oBACtB,QAAQ,CAAC;wBACP,EAAE,EAAE,KAAK;wBACT,QAAQ,EAAE,IAAI;wBACd,UAAU,EAAE,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;wBACtC,UAAU,EAAE,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;wBACtC,MAAM,EAAE,SAAS;wBACjB,OAAO,EAAE,sBAAsB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;qBAClF,CAAC,CAAC;gBACL,CAAC,CAAC,CAAC;YACP,CAAC,EAAE,cAAc,CAAC,CAAC;YACnB,iEAAiE;YACjE,yDAAyD;YACzD,YAAY,GAAG,IAAI,CAAC;YAEpB,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBACxB,8CAA8C;gBAC9C,QAAQ,CAAC;oBACP,EAAE,EAAE,KAAK;oBACT,QAAQ,EAAE,IAAI;oBACd,UAAU,EAAE,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;oBACtC,UAAU,EAAE,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;oBACtC,OAAO,EAAE,wBAAwB,GAAG,CAAC,OAAO,oCAAoC;iBACjF,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;gBACjC,4CAA4C;gBAC5C,2BAA2B;gBAC3B,2DAA2D;gBAC3D,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;oBACjD,QAAQ,CAAC;wBACP,EAAE,EAAE,KAAK;wBACT,QAAQ,EAAE,IAAI;wBACd,UAAU,EAAE,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;wBACtC,UAAU,EAAE,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;wBACtC,MAAM,EAAE,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;qBACrD,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;gBACD,QAAQ,CAAC;oBACP,EAAE,EAAE,IAAI,KAAK,CAAC;oBACd,QAAQ,EAAE,IAAI;oBACd,UAAU,EAAE,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;oBACtC,UAAU,EAAE,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;iBACvC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,eAAe,CAAC,aAAqB,EAAE,YAAoB,EAAE,GAAsB;QACjF,MAAM,IAAI,GAAa;YACrB,KAAK;YACL,MAAM,EAAE,UAAU;YAClB,SAAS;YACT,wBAAwB;YACxB,6DAA6D;YAC7D,oCAAoC;YACpC,SAAS;YACT,4BAA4B,IAAI,CAAC,KAAK,EAAE;YACxC,QAAQ;YACR,aAAa;YACb,QAAQ;YACR,WAAW,EAAE,SAAS;YACtB,aAAa,EAAE,kCAAkC;YACjD,gBAAgB,EAAE,oBAAoB;YACtC,gBAAgB;YAChB,mBAAmB,EAAE,cAAc;YACnC,WAAW;YACX,IAAI,CAAC,OAAO,EAAE,aAAa;YAC3B,mEAAmE;YACnE,2EAA2E;YAC3E,UAAU;YACV,IAAI,CAAC,MAAM;YACX,QAAQ;YACR,IAAI,CAAC,IAAI;YACT,cAAc;YACd,IAAI,CAAC,SAAS;YACd,IAAI;YACJ,GAAG,YAAY,IAAI,iBAAiB,KAAK,EAAE,0BAA0B;YACrE,IAAI;YACJ,iBAAiB,EAAE,UAAU;YAC7B,SAAS;YACT,6BAA6B,EAAE,UAAU;YACzC,mCAAmC;YACnC,6CAA6C;YAC7C,yCAAyC;YACzC,IAAI,CAAC,KAAK;YACV,YAAY;YACZ,GAAG,CAAC,OAAO;YACX,GAAG,GAAG,CAAC,IAAI;SACZ,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,6BAA6B;IACrB,eAAe,CAAC,WAAmB;QACzC,IAAI,WAAW,KAAK,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAClD,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC;YACpD,CAAC,CAAC,IAAI,CAAC,WAAW;YAClB,CAAC,CAAC,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC;QAC/B,OAAO,WAAW,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;IAC7C,CAAC;IAED,uCAAuC;IAC/B,KAAK,CAAC,aAAa,CAAC,IAAY,EAAE,OAAe;QACvD,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAChC,QAAQ,EACR,CAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,EAAE,IAAI,CAAC,EAC3D;gBACE,OAAO,EAAE,OAAO,GAAG,KAAK;gBACxB,QAAQ,EAAE,QAAQ;gBAClB,SAAS,EAAE,IAAI,GAAG,IAAI;aACvB,CACF,CAAC;YACF,MAAM,GAAG,GAAI,MAAiB,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;YACvD,qCAAqC;YACrC,OAAO,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,4BAA4B;IACpB,KAAK,CAAC,aAAa,CAAC,IAAY;QACtC,IAAI,CAAC;YACH,MAAM,SAAS,CAAC,QAAQ,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE;gBACxC,OAAO,EAAE,KAAK;gBACd,QAAQ,EAAE,QAAQ;gBAClB,SAAS,EAAE,IAAI,GAAG,IAAI;aACvB,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,kBAAkB;QACpB,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,OAAO;QACX,IAAI,CAAC;YACH,0BAA0B;YAC1B,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAChC,QAAQ,EACR;gBACE,IAAI;gBACJ,KAAK;gBACL,UAAU;gBACV,8BAA8B;gBAC9B,UAAU;gBACV,kCAAkC,IAAI,CAAC,KAAK,EAAE;aAC/C,EACD,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,GAAG,IAAI,EAAE,CAC/C,CAAC;YACF,MAAM,GAAG,GAAI,MAAiB,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACnF,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO;YAC7B,eAAe;YACf,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CACtC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CACb,SAAS,CAAC,QAAQ,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,GAAG,IAAI,EAAE,CAAC,CACtF,CACF,CAAC;YACF,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,UAAU,CAAC,CAAC;YAChE,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxB,gDAAgD;gBAChD,iEAAiE;gBACjE,qDAAqD;gBACrD,MAAM,IAAI,GAAG,QAAQ;qBAClB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAE,CAA2B,CAAC,MAAM,CAAC;qBAC/C,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;qBACxD,IAAI,CAAC,IAAI,CAAC,CAAC;gBAEd,OAAO,CAAC,IAAI,CAAC,sCAAsC,IAAI,EAAE,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,4BAA4B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC/F,CAAC;IACH,CAAC;CACF"}

package/dist/sandbox/env-gate.d.ts

@@ -0,0 +1,28 @@
+/**
+ * env gate helper — 从环境变量解析 sandbox 配置
+ *
+ * Sprint 1c-revive-3-D-12 (2026-06-05). MVP 入口, 跟 BashTool 解耦, 后续可换 config.toml.
+ *
+ * 支持的 env:
+ * - DEEPWHALE_SANDBOX=local|docker — 选 runner. 缺省 = local (BashTool 现状行为)
+ * - DEEPWHALE_DOCKER_IMAGE — 容器镜像. 缺省 = 'node:22-alpine'
+ * - DEEPWHALE_DOCKER_NETWORK=none|bridge — 容器网络. 缺省 = 'none' 禁网
+ *
+ * 安全: 不传 DEEPSEEK_API_KEY / ANTHROPIC_AUTH_TOKEN 等敏感 env 到 docker 容器
+ * (DockerSandboxRunner 默认只透 process.env, **不** 注入 .env / API key).
+ */
+import type { SandboxRunner } from './types.js';
+export interface SandboxEnvConfig {
+    readonly sandboxRoot: string;
+}
+/**
+ * 解析 env → 选 sandbox runner. 缺省 = LocalSandboxRunner (BashTool 现状).
+ * env DEEPWHALE_SANDBOX=docker 时返 DockerSandboxRunner, 镜像/网络用对应 env.
+ *
+ * Sprint 1c-revive-3-D-12 review P1 修复 (2026-06-05): 严格 enum, 未知值 throw.
+ * 之前 `mode !== 'docker'` 全部 fallback local, 拼错 `dokcer` 之类会静默本地执行
+ * — fail-open, 安全红线. 修法: 只接受 unset / `local` / `docker`, 其他值抛错.
+ * 入口 (CLI / REPL 启动) 应当把 throw 转到 stderr + exit 1, 不静默.
+ */
+export declare function resolveSandboxRunnerFromEnv(config: SandboxEnvConfig, env?: NodeJS.ProcessEnv): SandboxRunner;
+//# sourceMappingURL=env-gate.d.ts.map

package/dist/sandbox/env-gate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env-gate.d.ts","sourceRoot":"","sources":["../../src/sandbox/env-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAIhD,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAED;;;;;;;;GAQG;AACH,wBAAgB,2BAA2B,CACzC,MAAM,EAAE,gBAAgB,EACxB,GAAG,GAAE,MAAM,CAAC,UAAwB,GACnC,aAAa,CAyCf"}