@ebowwa/sandbox 0.1.1

package/dist/runtimes/docker.js

@@ -0,0 +1,368 @@
+/**
+ * Docker Runtime
+ *
+ * Runs code in Docker containers for maximum isolation.
+ * Provides full filesystem and network control with container-level security.
+ *
+ * Isolation level: 'container'
+ */
+import { spawn } from "node:child_process";
+import { randomUUID } from "node:crypto";
+import { setTimeout as setTimeoutPromise } from "node:timers/promises";
+/**
+ * Docker Runtime
+ *
+ * Executes code in isolated Docker containers with full resource control.
+ * Maximum isolation with configurable filesystem and network access.
+ */
+export class DockerRuntime {
+    name = "docker";
+    capabilities = {
+        isolation: "container",
+        stateful: true,
+        async: true,
+        filesystem: true,
+        network: true,
+        maxMemory: 16 * 1024 * 1024 * 1024, // 16GB
+        wasi: true,
+    };
+    executing = false;
+    config;
+    containers = new Map(); // name -> containerId
+    constructor(config = {}) {
+        this.config = {
+            defaultImage: config.defaultImage ?? "node:20-slim",
+            dockerSocket: config.dockerSocket ?? "/var/run/docker.sock",
+            networkMode: config.networkMode ?? "none",
+            autoCleanup: config.autoCleanup ?? true,
+            defaultMemory: config.defaultMemory ?? 512 * 1024 * 1024, // 512MB
+            cpuLimit: config.cpuLimit ?? 1,
+        };
+    }
+    async init() {
+        // Verify Docker is available
+        const available = await this.checkDockerAvailable();
+        if (!available) {
+            throw new Error("Docker is not available. Ensure Docker daemon is running.");
+        }
+    }
+    async isAvailable() {
+        return this.checkDockerAvailable();
+    }
+    async execute(request, options) {
+        const startTime = Date.now();
+        this.executing = true;
+        const stdout = [];
+        const stderr = [];
+        const displays = [];
+        const containerName = `sandbox-${randomUUID().slice(0, 8)}`;
+        try {
+            // Parse limits
+            const timeout = this.parseTimeout(options.limits?.timeout);
+            const maxMemory = this.parseMemory(options.limits?.memory) || this.config.defaultMemory;
+            const cpuLimit = options.limits?.cpuTime
+                ? Math.max(0.1, (options.limits.cpuTime / 1000))
+                : this.config.cpuLimit;
+            // Build container options from permissions
+            const containerOptions = this.buildContainerOptions(request, options, {
+                memory: maxMemory,
+                cpu: cpuLimit,
+                name: containerName,
+            });
+            // Create abort controller for timeout
+            const controller = new AbortController();
+            const timeoutId = setTimeout(() => controller.abort(), timeout);
+            if (options.signal) {
+                options.signal.addEventListener("abort", () => {
+                    controller.abort();
+                    clearTimeout(timeoutId);
+                });
+            }
+            // Pull image if needed
+            await this.pullImageIfNeeded(containerOptions.image);
+            // Create and start container
+            const containerId = await this.createContainer(containerOptions);
+            this.containers.set(containerName, containerId);
+            // Execute code in container
+            const result = await this.runInContainer(containerId, request, controller.signal);
+            clearTimeout(timeoutId);
+            // Collect output
+            stdout.push(...result.stdout);
+            stderr.push(...result.stderr);
+            return {
+                success: result.exitCode === 0,
+                value: result.value,
+                metrics: {
+                    duration: Date.now() - startTime,
+                    memoryUsed: maxMemory, // Approximate
+                },
+                output: { stdout, stderr, displays },
+            };
+        }
+        catch (error) {
+            if (error instanceof Error && error.name === "AbortError") {
+                return this.createErrorResult("Execution timed out", "timeout", startTime, stdout, stderr);
+            }
+            return this.createErrorResult(error instanceof Error ? error.message : String(error), "runtime", startTime, stdout, stderr);
+        }
+        finally {
+            // Cleanup container
+            if (this.config.autoCleanup) {
+                await this.removeContainer(containerName);
+            }
+            this.executing = false;
+        }
+    }
+    async terminate() {
+        // Cleanup all containers
+        for (const [name] of this.containers) {
+            await this.removeContainer(name);
+        }
+        this.containers.clear();
+        this.executing = false;
+    }
+    isExecuting() {
+        return this.executing;
+    }
+    /**
+     * Check if Docker is available
+     */
+    async checkDockerAvailable() {
+        return new Promise((resolve) => {
+            const proc = spawn("docker", ["version"], { stdio: "ignore" });
+            proc.on("close", (code) => resolve(code === 0));
+            proc.on("error", () => resolve(false));
+        });
+    }
+    /**
+     * Pull Docker image if not present
+     */
+    async pullImageIfNeeded(image) {
+        // Check if image exists
+        const exists = await new Promise((resolve) => {
+            const proc = spawn("docker", ["image", "inspect", image], { stdio: "ignore" });
+            proc.on("close", (code) => resolve(code === 0));
+            proc.on("error", () => resolve(false));
+        });
+        if (!exists) {
+            await new Promise((resolve, reject) => {
+                const proc = spawn("docker", ["pull", image], { stdio: "inherit" });
+                proc.on("close", (code) => {
+                    if (code === 0)
+                        resolve();
+                    else
+                        reject(new Error(`Failed to pull image: ${image}`));
+                });
+                proc.on("error", reject);
+            });
+        }
+    }
+    /**
+     * Build container options from execution request
+     */
+    buildContainerOptions(request, options, limits) {
+        const perms = options.permissions;
+        const containerOptions = {
+            image: this.config.defaultImage,
+            name: limits.name,
+            env: options.env,
+            workdir: options.cwd ?? "/workspace",
+            network: this.config.networkMode,
+        };
+        // Filesystem permissions
+        if (perms.fs?.read || perms.fs?.write) {
+            containerOptions.mounts = [
+                {
+                    source: options.cwd ?? process.cwd(),
+                    target: containerOptions.workdir ?? "/workspace",
+                    readonly: !perms.fs.write,
+                },
+            ];
+        }
+        // Network permissions
+        if (perms.network?.outbound || perms.network?.inbound) {
+            containerOptions.network = "bridge";
+        }
+        return containerOptions;
+    }
+    /**
+     * Create Docker container
+     */
+    async createContainer(opts) {
+        const args = ["create"];
+        // Name
+        args.push("--name", opts.name);
+        // Memory limit
+        args.push("--memory", `${Math.floor(this.config.defaultMemory / (1024 * 1024))}m`);
+        // CPU limit
+        args.push("--cpus", this.config.cpuLimit.toString());
+        // Network mode
+        if (opts.network) {
+            args.push(`--network=${opts.network}`);
+        }
+        // Working directory
+        if (opts.workdir) {
+            args.push("--workdir", opts.workdir);
+        }
+        // Environment variables
+        if (opts.env) {
+            for (const [key, value] of Object.entries(opts.env)) {
+                args.push("--env", `${key}=${value}`);
+            }
+        }
+        // Mounts
+        if (opts.mounts) {
+            for (const mount of opts.mounts) {
+                const mode = mount.readonly ? ":ro" : "";
+                args.push("--volume", `${mount.source}:${mount.target}${mode}`);
+            }
+        }
+        // Port mappings
+        if (opts.ports) {
+            for (const port of opts.ports) {
+                const protocol = port.protocol ?? "tcp";
+                args.push("--publish", `${port.hostPort}:${port.containerPort}/${protocol}`);
+            }
+        }
+        // Security options
+        args.push("--security-opt", "no-new-privileges");
+        // Disable inter-container communication
+        args.push("--icc=false");
+        // Image
+        args.push(opts.image);
+        return new Promise((resolve, reject) => {
+            const proc = spawn("docker", args);
+            let output = "";
+            proc.stdout.on("data", (data) => {
+                output += data.toString();
+            });
+            proc.stderr.on("data", (data) => {
+                console.error(`docker stderr: ${data}`);
+            });
+            proc.on("close", (code) => {
+                if (code === 0) {
+                    resolve(output.trim());
+                }
+                else {
+                    reject(new Error(`Failed to create container: ${output}`));
+                }
+            });
+            proc.on("error", reject);
+        });
+    }
+    /**
+     * Run code in container
+     */
+    async runInContainer(containerId, request, signal) {
+        const stdout = [];
+        const stderr = [];
+        // Start container
+        await new Promise((resolve, reject) => {
+            const proc = spawn("docker", ["start", containerId]);
+            proc.on("close", (code) => {
+                if (code === 0)
+                    resolve();
+                else
+                    reject(new Error("Failed to start container"));
+            });
+            proc.on("error", reject);
+        });
+        // Write WASM to temp file and execute
+        const wasmBase64 = Buffer.from(request.wasm.wasmBytes).toString("base64");
+        const execCommand = `node -e "require('fs').writeFileSync('/tmp/code.wasm',Buffer.from('${wasmBase64}','base64'));const {WASI}=require('wasi');const wasi=new WASI({version:'preview1'});WebAssembly.instantiate(require('fs').readFileSync('/tmp/code.wasm'),{wasi_snapshot_preview1:wasi.wasiImport}).then(({instance})=>{wasi.start(instance)})"`;
+        // Execute in container
+        return new Promise((resolve, reject) => {
+            const proc = spawn("docker", [
+                "exec",
+                containerId,
+                "/bin/sh",
+                "-c",
+                execCommand,
+            ]);
+            proc.stdout.on("data", (data) => {
+                stdout.push(data.toString("utf8"));
+            });
+            proc.stderr.on("data", (data) => {
+                stderr.push(data.toString("utf8"));
+            });
+            signal.addEventListener("abort", () => {
+                proc.kill("SIGKILL");
+            });
+            proc.on("close", (code) => {
+                // Try to parse output as JSON
+                let value = undefined;
+                const output = stdout.join("");
+                try {
+                    const parsed = JSON.parse(output);
+                    if (parsed.__return_value !== undefined) {
+                        value = parsed.__return_value;
+                    }
+                }
+                catch {
+                    value = output.trim() || undefined;
+                }
+                resolve({
+                    stdout,
+                    stderr,
+                    exitCode: code ?? 1,
+                    value,
+                });
+            });
+            proc.on("error", reject);
+        });
+    }
+    /**
+     * Remove container
+     */
+    async removeContainer(nameOrId) {
+        const containerId = this.containers.get(nameOrId) ?? nameOrId;
+        await new Promise((resolve) => {
+            const proc = spawn("docker", ["rm", "-f", containerId], { stdio: "ignore" });
+            proc.on("close", () => {
+                this.containers.delete(nameOrId);
+                resolve();
+            });
+            proc.on("error", () => resolve());
+        });
+    }
+    createErrorResult(message, type, startTime, stdout = [], stderr = []) {
+        return {
+            success: false,
+            error: { message, type },
+            metrics: {
+                duration: Date.now() - startTime,
+                memoryUsed: 0,
+            },
+            output: { stdout, stderr, displays: [] },
+        };
+    }
+    parseMemory(memory) {
+        if (!memory)
+            return this.config.defaultMemory;
+        if (typeof memory === "number")
+            return memory;
+        const match = memory.match(/^(\d+(?:\.\d+)?)\s*(b|kb|mb|gb)?$/i);
+        if (!match)
+            return this.config.defaultMemory;
+        const [, num, unit] = match;
+        const multipliers = {
+            b: 1, kb: 1024, mb: 1024 ** 2, gb: 1024 ** 3,
+        };
+        return Math.floor(parseFloat(num) * (multipliers[unit?.toLowerCase() ?? "b"] ?? 1));
+    }
+    parseTimeout(timeout) {
+        if (!timeout)
+            return 300000; // 5 minutes default for containers
+        if (typeof timeout === "number")
+            return timeout;
+        const match = timeout.match(/^(\d+(?:\.\d+)?)\s*(ms|s|m)?$/i);
+        if (!match)
+            return 300000;
+        const [, num, unit] = match;
+        const multipliers = {
+            ms: 1, s: 1000, m: 60000,
+        };
+        return Math.floor(parseFloat(num) * (multipliers[unit?.toLowerCase() ?? "ms"] ?? 1));
+    }
+}
+//# sourceMappingURL=docker.js.map

package/dist/runtimes/docker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"docker.js","sourceRoot":"","sources":["../../src/runtimes/docker.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,KAAK,EAAqB,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,UAAU,IAAI,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAwDvE;;;;;GAKG;AACH,MAAM,OAAO,aAAa;IACf,IAAI,GAAG,QAAQ,CAAC;IAChB,YAAY,GAAwB;QAC3C,SAAS,EAAE,WAAW;QACtB,QAAQ,EAAE,IAAI;QACd,KAAK,EAAE,IAAI;QACX,UAAU,EAAE,IAAI;QAChB,OAAO,EAAE,IAAI;QACb,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI,EAAE,OAAO;QAC3C,IAAI,EAAE,IAAI;KACX,CAAC;IAEM,SAAS,GAAG,KAAK,CAAC;IAClB,MAAM,CAAgC;IACtC,UAAU,GAAG,IAAI,GAAG,EAAkB,CAAC,CAAC,sBAAsB;IAEtE,YAAY,SAA8B,EAAE;QAC1C,IAAI,CAAC,MAAM,GAAG;YACZ,YAAY,EAAE,MAAM,CAAC,YAAY,IAAI,cAAc;YACnD,YAAY,EAAE,MAAM,CAAC,YAAY,IAAI,sBAAsB;YAC3D,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,MAAM;YACzC,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,IAAI;YACvC,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,GAAG,GAAG,IAAI,GAAG,IAAI,EAAE,QAAQ;YAClE,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,CAAC;SAC/B,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI;QACR,6BAA6B;QAC7B,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,oBAAoB,EAAE,CAAC;QACpD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC;QAC/E,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW;QACf,OAAO,IAAI,CAAC,oBAAoB,EAAE,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,OAAO,CACX,OAAyB,EACzB,OAAuB;QAEvB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;QAEtB,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,MAAM,QAAQ,GAAoB,EAAE,CAAC;QAErC,MAAM,aAAa,GAAG,WAAW,UAAU,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QAE5D,IAAI,CAAC;YACH,eAAe;YACf,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC3D,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;YACxF,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,EAAE,OAAO;gBACtC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;gBAChD,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;YAEzB,2CAA2C;YAC3C,MAAM,gBAAgB,GAAG,IAAI,CAAC,qBAAqB,CAAC,OAAO,EAAE,OAAO,EAAE;gBACpE,MAAM,EAAE,SAAS;gBACjB,GAAG,EAAE,QAAQ;gBACb,IAAI,EAAE,aAAa;aACpB,CAAC,CAAC;YAEH,sCAAsC;YACtC,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,CAAC;YAEhE,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACnB,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,GAAG,EAAE;oBAC5C,UAAU,CAAC,KAAK,EAAE,CAAC;oBACnB,YAAY,CAAC,SAAS,CAAC,CAAC;gBAC1B,CAAC,CAAC,CAAC;YACL,CAAC;YAED,uBAAuB;YACvB,MAAM,IAAI,CAAC,iBAAiB,CAAC,gBAAgB,CAAC,KAAM,CAAC,CAAC;YAEtD,6BAA6B;YAC7B,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,gBAAgB,CAAC,CAAC;YACjE,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;YAEhD,4BAA4B;YAC5B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CACtC,WAAW,EACX,OAAO,EACP,UAAU,CAAC,MAAM,CAClB,CAAC;YAEF,YAAY,CAAC,SAAS,CAAC,CAAC;YAExB,iBAAiB;YACjB,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;YAE9B,OAAO;gBACL,OAAO,EAAE,MAAM,CAAC,QAAQ,KAAK,CAAC;gBAC9B,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,OAAO,EAAE;oBACP,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;oBAChC,UAAU,EAAE,SAAS,EAAE,cAAc;iBACtC;gBACD,MAAM,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE;aACrC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAC1D,OAAO,IAAI,CAAC,iBAAiB,CAC3B,qBAAqB,EACrB,SAAS,EACT,SAAS,EACT,MAAM,EACN,MAAM,CACP,CAAC;YACJ,CAAC;YAED,OAAO,IAAI,CAAC,iBAAiB,CAC3B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EACtD,SAAS,EACT,SAAS,EACT,MAAM,EACN,MAAM,CACP,CAAC;QACJ,CAAC;gBAAS,CAAC;YACT,oBAAoB;YACpB,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;gBAC5B,MAAM,IAAI,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC;YAC5C,CAAC;YACD,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC;QACzB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,SAAS;QACb,yBAAyB;QACzB,KAAK,MAAM,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACrC,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;QACnC,CAAC;QACD,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;QACxB,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC;IACzB,CAAC;IAED,WAAW;QACT,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,oBAAoB;QAChC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAC7B,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;YAC/D,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC;YAChD,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QACzC,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,iBAAiB,CAAC,KAAa;QAC3C,wBAAwB;QACxB,MAAM,MAAM,GAAG,MAAM,IAAI,OAAO,CAAU,CAAC,OAAO,EAAE,EAAE;YACpD,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,EAAE,CAAC,OAAO,EAAE,SAAS,EAAE,KAAK,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;YAC/E,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC;YAChD,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QACzC,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBAC1C,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,EAAE,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;gBACpE,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;oBACxB,IAAI,IAAI,KAAK,CAAC;wBAAE,OAAO,EAAE,CAAC;;wBACrB,MAAM,CAAC,IAAI,KAAK,CAAC,yBAAyB,KAAK,EAAE,CAAC,CAAC,CAAC;gBAC3D,CAAC,CAAC,CAAC;gBACH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC3B,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;OAEG;IACK,qBAAqB,CAC3B,OAAyB,EACzB,OAAuB,EACvB,MAAqD;QAErD,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,CAAC;QAClC,MAAM,gBAAgB,GAAqB;YACzC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;YAC/B,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,OAAO,EAAE,OAAO,CAAC,GAAG,IAAI,YAAY;YACpC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;SACjC,CAAC;QAEF,yBAAyB;QACzB,IAAI,KAAK,CAAC,EAAE,EAAE,IAAI,IAAI,KAAK,CAAC,EAAE,EAAE,KAAK,EAAE,CAAC;YACtC,gBAAgB,CAAC,MAAM,GAAG;gBACxB;oBACE,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;oBACpC,MAAM,EAAE,gBAAgB,CAAC,OAAO,IAAI,YAAY;oBAChD,QAAQ,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK;iBAC1B;aACF,CAAC;QACJ,CAAC;QAED,sBAAsB;QACtB,IAAI,KAAK,CAAC,OAAO,EAAE,QAAQ,IAAI,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,CAAC;YACtD,gBAAgB,CAAC,OAAO,GAAG,QAAQ,CAAC;QACtC,CAAC;QAED,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,eAAe,CAAC,IAAsB;QAClD,MAAM,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC;QAExB,OAAO;QACP,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAK,CAAC,CAAC;QAEhC,eAAe;QACf,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QAEnF,YAAY;QACZ,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;QAErD,eAAe;QACf,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,IAAI,CAAC,IAAI,CAAC,aAAa,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;QACzC,CAAC;QAED,oBAAoB;QACpB,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QACvC,CAAC;QAED,wBAAwB;QACxB,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;YACb,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBACpD,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC,CAAC;YACxC,CAAC;QACH,CAAC;QAED,SAAS;QACT,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChC,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;gBACzC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,GAAG,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC,CAAC;YAClE,CAAC;QACH,CAAC;QAED,gBAAgB;QAChB,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBAC9B,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,KAAK,CAAC;gBACxC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,aAAa,IAAI,QAAQ,EAAE,CAAC,CAAC;YAC/E,CAAC;QACH,CAAC;QAED,mBAAmB;QACnB,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,mBAAmB,CAAC,CAAC;QAEjD,wCAAwC;QACxC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAEzB,QAAQ;QACR,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,KAAM,CAAC,CAAC;QAEvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;YACnC,IAAI,MAAM,GAAG,EAAE,CAAC;YAEhB,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;gBACtC,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5B,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;gBACtC,OAAO,CAAC,KAAK,CAAC,kBAAkB,IAAI,EAAE,CAAC,CAAC;YAC1C,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;gBACxB,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;oBACf,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;gBACzB,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,KAAK,CAAC,+BAA+B,MAAM,EAAE,CAAC,CAAC,CAAC;gBAC7D,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC3B,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,cAAc,CAC1B,WAAmB,EACnB,OAAyB,EACzB,MAAmB;QAEnB,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAa,EAAE,CAAC;QAE5B,kBAAkB;QAClB,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC1C,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,EAAE,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC;YACrD,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;gBACxB,IAAI,IAAI,KAAK,CAAC;oBAAE,OAAO,EAAE,CAAC;;oBACrB,MAAM,CAAC,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC,CAAC;YACtD,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC3B,CAAC,CAAC,CAAC;QAEH,sCAAsC;QACtC,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC1E,MAAM,WAAW,GAAG,sEAAsE,UAAU,gPAAgP,CAAC;QAErV,uBAAuB;QACvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,EAAE;gBAC3B,MAAM;gBACN,WAAW;gBACX,SAAS;gBACT,IAAI;gBACJ,WAAW;aACZ,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;gBACtC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;YACrC,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;gBACtC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;YACrC,CAAC,CAAC,CAAC;YAEH,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,GAAG,EAAE;gBACpC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACvB,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;gBACxB,8BAA8B;gBAC9B,IAAI,KAAK,GAAY,SAAS,CAAC;gBAC/B,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBAC/B,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;oBAClC,IAAI,MAAM,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;wBACxC,KAAK,GAAG,MAAM,CAAC,cAAc,CAAC;oBAChC,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,KAAK,GAAG,MAAM,CAAC,IAAI,EAAE,IAAI,SAAS,CAAC;gBACrC,CAAC;gBAED,OAAO,CAAC;oBACN,MAAM;oBACN,MAAM;oBACN,QAAQ,EAAE,IAAI,IAAI,CAAC;oBACnB,KAAK;iBACN,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC3B,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,eAAe,CAAC,QAAgB;QAC5C,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC;QAE9D,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;YAClC,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;YAC7E,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;gBACpB,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;gBACjC,OAAO,EAAE,CAAC;YACZ,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;QACpC,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,iBAAiB,CACvB,OAAe,EACf,IAA2E,EAC3E,SAAiB,EACjB,SAAmB,EAAE,EACrB,SAAmB,EAAE;QAErB,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE;YACxB,OAAO,EAAE;gBACP,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;gBAChC,UAAU,EAAE,CAAC;aACd;YACD,MAAM,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,EAAE;SACzC,CAAC;IACJ,CAAC;IAEO,WAAW,CAAC,MAAmC;QACrD,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;QAC9C,IAAI,OAAO,MAAM,KAAK,QAAQ;YAAE,OAAO,MAAM,CAAC;QAC9C,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACjE,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;QAC7C,MAAM,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,KAAK,CAAC;QAC5B,MAAM,WAAW,GAA2B;YAC1C,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,IAAI,CAAC;SAC7C,CAAC;QACF,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACtF,CAAC;IAEO,YAAY,CAAC,OAAoC;QACvD,IAAI,CAAC,OAAO;YAAE,OAAO,MAAM,CAAC,CAAC,mCAAmC;QAChE,IAAI,OAAO,OAAO,KAAK,QAAQ;YAAE,OAAO,OAAO,CAAC;QAChD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;QAC9D,IAAI,CAAC,KAAK;YAAE,OAAO,MAAM,CAAC;QAC1B,MAAM,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,KAAK,CAAC;QAC5B,MAAM,WAAW,GAA2B;YAC1C,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK;SACzB,CAAC;QACF,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACvF,CAAC;CACF"}

package/dist/runtimes/index.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Runtime Exports
+ *
+ * Exports all available runtimes for sandboxed code execution.
+ */
+export type { ProcessRuntimeConfig } from "./process.js";
+export type { DockerRuntimeConfig, ContainerOptions } from "./docker.js";
+export { ProcessRuntime } from "./process.js";
+export { DockerRuntime } from "./docker.js";
+export type { IRuntime, RuntimeOptions, ExecutionRequest, RuntimeCapabilities, } from "../core/runtime.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/runtimes/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/runtimes/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,YAAY,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACzD,YAAY,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAGzE,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAG5C,YAAY,EACV,QAAQ,EACR,cAAc,EACd,gBAAgB,EAChB,mBAAmB,GACpB,MAAM,oBAAoB,CAAC"}

package/dist/runtimes/index.js

@@ -0,0 +1,9 @@
+/**
+ * Runtime Exports
+ *
+ * Exports all available runtimes for sandboxed code execution.
+ */
+// Runtime implementations
+export { ProcessRuntime } from "./process.js";
+export { DockerRuntime } from "./docker.js";
+//# sourceMappingURL=index.js.map

package/dist/runtimes/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtimes/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,0BAA0B;AAC1B,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC"}

package/dist/runtimes/process.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Process Runtime
+ *
+ * Spawns child processes for code execution with elevated permissions.
+ * Supports filesystem and network access with configurable limits.
+ *
+ * Isolation level: 'process'
+ */
+import type { ExecutionResult } from "../core/types.js";
+import type { IRuntime, RuntimeOptions, ExecutionRequest, RuntimeCapabilities } from "../core/runtime.js";
+/** Process runtime configuration */
+export interface ProcessRuntimeConfig {
+    /** Default shell to use */
+    shell?: string;
+    /** Timeout for availability check */
+    availabilityTimeout?: number;
+}
+/**
+ * Process Runtime
+ *
+ * Executes code in child processes with configurable permissions.
+ * Provides filesystem and network access based on permission level.
+ */
+export declare class ProcessRuntime implements IRuntime {
+    readonly name = "process";
+    readonly capabilities: RuntimeCapabilities;
+    private executing;
+    private config;
+    constructor(config?: ProcessRuntimeConfig);
+    init(): Promise<void>;
+    isAvailable(): Promise<boolean>;
+    execute(request: ExecutionRequest, options: RuntimeOptions): Promise<ExecutionResult>;
+    terminate(): Promise<void>;
+    isExecuting(): boolean;
+    /**
+     * Build command and arguments for execution
+     */
+    private buildCommand;
+    /**
+     * Generate WASM runner script
+     */
+    private generateWasmRunner;
+    private createErrorResult;
+    private parseMemory;
+    private parseTimeout;
+}
+//# sourceMappingURL=process.d.ts.map

package/dist/runtimes/process.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"process.d.ts","sourceRoot":"","sources":["../../src/runtimes/process.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,KAAK,EACV,eAAe,EAIhB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,KAAK,EACV,QAAQ,EACR,cAAc,EACd,gBAAgB,EAChB,mBAAmB,EACpB,MAAM,oBAAoB,CAAC;AAE5B,oCAAoC;AACpC,MAAM,WAAW,oBAAoB;IACnC,2BAA2B;IAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,qCAAqC;IACrC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;;;;GAKG;AACH,qBAAa,cAAe,YAAW,QAAQ;IAC7C,QAAQ,CAAC,IAAI,aAAa;IAC1B,QAAQ,CAAC,YAAY,EAAE,mBAAmB,CAQxC;IAEF,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,MAAM,CAAuB;gBAEzB,MAAM,GAAE,oBAAyB;IAOvC,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAIrB,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;IAK/B,OAAO,CACX,OAAO,EAAE,gBAAgB,EACzB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,eAAe,CAAC;IA8IrB,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;IAIhC,WAAW,IAAI,OAAO;IAItB;;OAEG;IACH,OAAO,CAAC,YAAY;IAepB;;OAEG;IACH,OAAO,CAAC,kBAAkB;IA+B1B,OAAO,CAAC,iBAAiB;IAkBzB,OAAO,CAAC,WAAW;IAYnB,OAAO,CAAC,YAAY;CAWrB"}