npm - @geminixiang/mama - Versions diffs - 0.2.0-beta.1 → 0.2.0-beta.11 - Mend

@geminixiang/mama 0.2.0-beta.1 → 0.2.0-beta.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (271) hide show

package/README.md +168 -371
package/dist/adapter.d.ts +36 -12
package/dist/adapter.d.ts.map +1 -1
package/dist/adapter.js.map +1 -1
package/dist/adapters/discord/bot.d.ts +12 -7
package/dist/adapters/discord/bot.d.ts.map +1 -1
package/dist/adapters/discord/bot.js +358 -135
package/dist/adapters/discord/bot.js.map +1 -1
package/dist/adapters/discord/context.d.ts +1 -1
package/dist/adapters/discord/context.d.ts.map +1 -1
package/dist/adapters/discord/context.js +100 -36
package/dist/adapters/discord/context.js.map +1 -1
package/dist/adapters/shared.d.ts +71 -0
package/dist/adapters/shared.d.ts.map +1 -0
package/dist/adapters/shared.js +168 -0
package/dist/adapters/shared.js.map +1 -0
package/dist/adapters/slack/bot.d.ts +30 -24
package/dist/adapters/slack/bot.d.ts.map +1 -1
package/dist/adapters/slack/bot.js +613 -224
package/dist/adapters/slack/bot.js.map +1 -1
package/dist/adapters/slack/branch-manager.d.ts +22 -0
package/dist/adapters/slack/branch-manager.d.ts.map +1 -0
package/dist/adapters/slack/branch-manager.js +97 -0
package/dist/adapters/slack/branch-manager.js.map +1 -0
package/dist/adapters/slack/context.d.ts +1 -1
package/dist/adapters/slack/context.d.ts.map +1 -1
package/dist/adapters/slack/context.js +127 -72
package/dist/adapters/slack/context.js.map +1 -1
package/dist/adapters/slack/session.d.ts +3 -0
package/dist/adapters/slack/session.d.ts.map +1 -0
package/dist/adapters/slack/session.js +16 -0
package/dist/adapters/slack/session.js.map +1 -0
package/dist/adapters/slack/tools/attach.d.ts +1 -1
package/dist/adapters/slack/tools/attach.d.ts.map +1 -1
package/dist/adapters/slack/tools/attach.js.map +1 -1
package/dist/adapters/telegram/bot.d.ts +4 -2
package/dist/adapters/telegram/bot.d.ts.map +1 -1
package/dist/adapters/telegram/bot.js +193 -147
package/dist/adapters/telegram/bot.js.map +1 -1
package/dist/adapters/telegram/context.d.ts.map +1 -1
package/dist/adapters/telegram/context.js +58 -111
package/dist/adapters/telegram/context.js.map +1 -1
package/dist/adapters/telegram/html.d.ts +3 -0
package/dist/adapters/telegram/html.d.ts.map +1 -0
package/dist/adapters/telegram/html.js +98 -0
package/dist/adapters/telegram/html.js.map +1 -0
package/dist/agent.d.ts +9 -13
package/dist/agent.d.ts.map +1 -1
package/dist/agent.js +601 -567
package/dist/agent.js.map +1 -1
package/dist/commands/auto-reply.d.ts +16 -0
package/dist/commands/auto-reply.d.ts.map +1 -0
package/dist/commands/auto-reply.js +69 -0
package/dist/commands/auto-reply.js.map +1 -0
package/dist/commands/index.d.ts +5 -0
package/dist/commands/index.d.ts.map +1 -0
package/dist/commands/index.js +19 -0
package/dist/commands/index.js.map +1 -0
package/dist/commands/login.d.ts +5 -0
package/dist/commands/login.d.ts.map +1 -0
package/dist/commands/login.js +76 -0
package/dist/commands/login.js.map +1 -0
package/dist/commands/model.d.ts +14 -0
package/dist/commands/model.d.ts.map +1 -0
package/dist/commands/model.js +112 -0
package/dist/commands/model.js.map +1 -0
package/dist/commands/new.d.ts +9 -0
package/dist/commands/new.d.ts.map +1 -0
package/dist/commands/new.js +28 -0
package/dist/commands/new.js.map +1 -0
package/dist/commands/registry.d.ts +7 -0
package/dist/commands/registry.d.ts.map +1 -0
package/dist/commands/registry.js +14 -0
package/dist/commands/registry.js.map +1 -0
package/dist/commands/sandbox.d.ts +10 -0
package/dist/commands/sandbox.d.ts.map +1 -0
package/dist/commands/sandbox.js +88 -0
package/dist/commands/sandbox.js.map +1 -0
package/dist/commands/session-view.d.ts +5 -0
package/dist/commands/session-view.d.ts.map +1 -0
package/dist/commands/session-view.js +62 -0
package/dist/commands/session-view.js.map +1 -0
package/dist/commands/types.d.ts +41 -0
package/dist/commands/types.d.ts.map +1 -0
package/dist/commands/types.js +2 -0
package/dist/commands/types.js.map +1 -0
package/dist/commands/utils.d.ts +8 -0
package/dist/commands/utils.d.ts.map +1 -0
package/dist/commands/utils.js +14 -0
package/dist/commands/utils.js.map +1 -0
package/dist/config.d.ts +49 -30
package/dist/config.d.ts.map +1 -1
package/dist/config.js +313 -75
package/dist/config.js.map +1 -1
package/dist/context.d.ts +10 -42
package/dist/context.d.ts.map +1 -1
package/dist/context.js +14 -127
package/dist/context.js.map +1 -1
package/dist/events.d.ts +13 -6
package/dist/events.d.ts.map +1 -1
package/dist/events.js +118 -64
package/dist/events.js.map +1 -1
package/dist/execution-resolver.d.ts +9 -5
package/dist/execution-resolver.d.ts.map +1 -1
package/dist/execution-resolver.js +82 -18
package/dist/execution-resolver.js.map +1 -1
package/dist/file-guards.d.ts +6 -0
package/dist/file-guards.d.ts.map +1 -0
package/dist/file-guards.js +48 -0
package/dist/file-guards.js.map +1 -0
package/dist/fs-atomic.d.ts +10 -0
package/dist/fs-atomic.d.ts.map +1 -0
package/dist/fs-atomic.js +45 -0
package/dist/fs-atomic.js.map +1 -0
package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +4 -0
package/dist/index.js.map +1 -0
package/dist/instrument.d.ts.map +1 -1
package/dist/instrument.js +4 -11
package/dist/instrument.js.map +1 -1
package/dist/log.d.ts +1 -5
package/dist/log.d.ts.map +1 -1
package/dist/log.js +13 -38
package/dist/log.js.map +1 -1
package/dist/{login.d.ts → login/index.d.ts} +16 -4
package/dist/login/index.d.ts.map +1 -0
package/dist/{login.js → login/index.js} +55 -17
package/dist/login/index.js.map +1 -0
package/dist/{link-server.d.ts → login/portal.d.ts} +7 -4
package/dist/login/portal.d.ts.map +1 -0
package/dist/login/portal.js +1453 -0
package/dist/login/portal.js.map +1 -0
package/dist/{link-token.d.ts → login/session.d.ts} +4 -3
package/dist/login/session.d.ts.map +1 -0
package/dist/{link-token.js → login/session.js} +1 -1
package/dist/login/session.js.map +1 -0
package/dist/main.d.ts.map +1 -1
package/dist/main.js +151 -373
package/dist/main.js.map +1 -1
package/dist/provisioner.d.ts +42 -52
package/dist/provisioner.d.ts.map +1 -1
package/dist/provisioner.js +256 -111
package/dist/provisioner.js.map +1 -1
package/dist/runtime/conversation-orchestrator.d.ts +42 -0
package/dist/runtime/conversation-orchestrator.d.ts.map +1 -0
package/dist/runtime/conversation-orchestrator.js +150 -0
package/dist/runtime/conversation-orchestrator.js.map +1 -0
package/dist/runtime/index.d.ts +2 -0
package/dist/runtime/index.d.ts.map +1 -0
package/dist/runtime/index.js +2 -0
package/dist/runtime/index.js.map +1 -0
package/dist/runtime/session-runtime.d.ts +27 -0
package/dist/runtime/session-runtime.d.ts.map +1 -0
package/dist/runtime/session-runtime.js +211 -0
package/dist/runtime/session-runtime.js.map +1 -0
package/dist/sandbox/cloudflare.d.ts +15 -0
package/dist/sandbox/cloudflare.d.ts.map +1 -0
package/dist/sandbox/cloudflare.js +137 -0
package/dist/sandbox/cloudflare.js.map +1 -0
package/dist/sandbox/container.d.ts +2 -1
package/dist/sandbox/container.d.ts.map +1 -1
package/dist/sandbox/container.js +5 -1
package/dist/sandbox/container.js.map +1 -1
package/dist/sandbox/firecracker.d.ts +2 -1
package/dist/sandbox/firecracker.d.ts.map +1 -1
package/dist/sandbox/firecracker.js +6 -0
package/dist/sandbox/firecracker.js.map +1 -1
package/dist/sandbox/host.d.ts +2 -3
package/dist/sandbox/host.d.ts.map +1 -1
package/dist/sandbox/host.js +5 -5
package/dist/sandbox/host.js.map +1 -1
package/dist/sandbox/index.d.ts +6 -4
package/dist/sandbox/index.d.ts.map +1 -1
package/dist/sandbox/index.js +9 -6
package/dist/sandbox/index.js.map +1 -1
package/dist/sandbox/path-context.d.ts +4 -0
package/dist/sandbox/path-context.d.ts.map +1 -0
package/dist/sandbox/path-context.js +20 -0
package/dist/sandbox/path-context.js.map +1 -0
package/dist/sandbox/types.d.ts +17 -1
package/dist/sandbox/types.d.ts.map +1 -1
package/dist/sandbox/types.js.map +1 -1
package/dist/sentry.d.ts +1 -1
package/dist/sentry.d.ts.map +1 -1
package/dist/sentry.js +4 -2
package/dist/sentry.js.map +1 -1
package/dist/session-policy.d.ts +13 -0
package/dist/session-policy.d.ts.map +1 -0
package/dist/session-policy.js +23 -0
package/dist/session-policy.js.map +1 -0
package/dist/session-store.d.ts +34 -3
package/dist/session-store.d.ts.map +1 -1
package/dist/session-store.js +184 -22
package/dist/session-store.js.map +1 -1
package/dist/session-view/command.d.ts +5 -0
package/dist/session-view/command.d.ts.map +1 -0
package/dist/session-view/command.js +11 -0
package/dist/session-view/command.js.map +1 -0
package/dist/session-view/portal.d.ts +16 -0
package/dist/session-view/portal.d.ts.map +1 -0
package/dist/session-view/portal.js +1742 -0
package/dist/session-view/portal.js.map +1 -0
package/dist/session-view/service.d.ts +34 -0
package/dist/session-view/service.d.ts.map +1 -0
package/dist/session-view/service.js +427 -0
package/dist/session-view/service.js.map +1 -0
package/dist/session-view/store.d.ts +18 -0
package/dist/session-view/store.d.ts.map +1 -0
package/dist/session-view/store.js +39 -0
package/dist/session-view/store.js.map +1 -0
package/dist/store.d.ts +3 -6
package/dist/store.d.ts.map +1 -1
package/dist/store.js +22 -48
package/dist/store.js.map +1 -1
package/dist/tool-diagnostics.d.ts +2 -0
package/dist/tool-diagnostics.d.ts.map +1 -0
package/dist/tool-diagnostics.js +7 -0
package/dist/tool-diagnostics.js.map +1 -0
package/dist/tools/bash.d.ts +1 -1
package/dist/tools/bash.d.ts.map +1 -1
package/dist/tools/bash.js.map +1 -1
package/dist/tools/edit.d.ts +1 -1
package/dist/tools/edit.d.ts.map +1 -1
package/dist/tools/edit.js.map +1 -1
package/dist/tools/event.d.ts +43 -2
package/dist/tools/event.d.ts.map +1 -1
package/dist/tools/event.js +48 -13
package/dist/tools/event.js.map +1 -1
package/dist/tools/index.d.ts +2 -1
package/dist/tools/index.d.ts.map +1 -1
package/dist/tools/index.js +3 -3
package/dist/tools/index.js.map +1 -1
package/dist/tools/read.d.ts +1 -1
package/dist/tools/read.d.ts.map +1 -1
package/dist/tools/read.js.map +1 -1
package/dist/tools/write.d.ts +1 -1
package/dist/tools/write.d.ts.map +1 -1
package/dist/tools/write.js.map +1 -1
package/dist/trigger.d.ts +31 -0
package/dist/trigger.d.ts.map +1 -0
package/dist/trigger.js +98 -0
package/dist/trigger.js.map +1 -0
package/dist/ui-copy.d.ts +1 -0
package/dist/ui-copy.d.ts.map +1 -1
package/dist/ui-copy.js +3 -0
package/dist/ui-copy.js.map +1 -1
package/dist/vault-routing.d.ts +1 -7
package/dist/vault-routing.d.ts.map +1 -1
package/dist/vault-routing.js +6 -48
package/dist/vault-routing.js.map +1 -1
package/dist/vault.d.ts +21 -55
package/dist/vault.d.ts.map +1 -1
package/dist/vault.js +144 -263
package/dist/vault.js.map +1 -1
package/package.json +12 -10
package/dist/bindings.d.ts +0 -63
package/dist/bindings.d.ts.map +0 -1
package/dist/bindings.js +0 -94
package/dist/bindings.js.map +0 -1
package/dist/link-server.d.ts.map +0 -1
package/dist/link-server.js +0 -839
package/dist/link-server.js.map +0 -1
package/dist/link-token.d.ts.map +0 -1
package/dist/link-token.js.map +0 -1
package/dist/login.d.ts.map +0 -1
package/dist/login.js.map +0 -1
package/dist/vault.test.d.ts +0 -2
package/dist/vault.test.d.ts.map +0 -1
package/dist/vault.test.js +0 -67
package/dist/vault.test.js.map +0 -1

package/dist/provisioner.js CHANGED Viewed

@@ -1,33 +1,42 @@
 import { execFile } from "child_process";
+import { createHash } from "crypto";
+import { readFileSync, statSync } from "fs";
 import { promisify } from "util";
 import * as log from "./log.js";
 const execFileAsync = promisify(execFile);
-// ── DockerContainerManager ─────────────────────────────────────────────────────
-/**
- * Manages the lifecycle of per-user Docker containers.
- *
- * Tracks each container's status in memory (running / stopped / missing).
- * State is always verified against Docker on provision(), so in-memory state
- * stays accurate without polling.
- */
+function isDockerNotFoundError(err) {
+    if (!err || typeof err !== "object")
+        return false;
+    const stderr = err.stderr;
+    const message = err.message;
+    const haystack = `${typeof stderr === "string" ? stderr : ""}\n${typeof message === "string" ? message : ""}`.toLowerCase();
+    return (haystack.includes("no such network") ||
+        haystack.includes("no such container") ||
+        haystack.includes("no such object") ||
+        haystack.includes("network not found") ||
+        /network [^\n]+ not found/.test(haystack) ||
+        /error: no such [^\n]+/.test(haystack));
+}
 export class DockerContainerManager {
     static { this.MANAGED_LABEL = "mama.managed=true"; }
     static { this.IMAGE_MODE_LABEL = "mama.sandbox=image"; }
     static { this.VAULT_ID_LABEL_KEY = "mama.vault-id"; }
-    constructor(image, workspaceDir, execFileImpl = execFileAsync) {
+    static { this.CONVERSATION_ID_LABEL_KEY = "mama.conversation-id"; }
+    static { this.MOUNT_SIGNATURE_LABEL_KEY = "mama.mount-signature"; }
+    constructor(image, options = {}) {
         this.image = image;
-        this.workspaceDir = workspaceDir;
-        this.execFileImpl = execFileImpl;
         this.state = new Map();
-        /**
-         * In-flight provision() calls per vaultId. A concurrent second call for the
-         * same user piggybacks on the first docker start/run instead of racing —
-         * without this, two parallel messages from one user could produce duplicate
-         * containers or conflict on docker run.
-         */
         this.inflight = new Map();
+        this.boostedKeys = new Set();
+        if (typeof options === "function") {
+            this.execFileImpl = options;
+        }
+        else {
+            this.limits = options.limits;
+            this.boostLimits = options.boostLimits;
+            this.execFileImpl = options.execFileImpl ?? execFileAsync;
+        }
     }
-    /** Sanitize an identifier segment for use in vault keys and container names. */
     static sanitizeSegment(value) {
         const sanitized = value
             .toLowerCase()
@@ -35,45 +44,32 @@ export class DockerContainerManager {
             .replace(/^-+|-+$/g, "");
         return sanitized || "unknown";
     }
-    /**
-     * Deterministic vault key for a platform user.
-     * e.g. ("slack", "U04ABC") → "slack-u04abc"
-     */
-    static vaultId(platform, platformUserId) {
-        return `${DockerContainerManager.sanitizeSegment(platform)}-${DockerContainerManager.sanitizeSegment(platformUserId)}`;
-    }
-    /** Deterministic container name for a vault-backed user sandbox. */
-    static containerName(vaultId) {
-        return `mama-sandbox-${vaultId}`;
-    }
-    /**
-     * Ensure a container exists and is running for the given vaultId.
-     * Always inspects the actual Docker state, then acts accordingly:
-     * - running  → no-op
-     * - stopped  → docker start
-     * - missing  → docker run
-     *
-     * Returns the container name.
-     */
-    async provision(vaultId, options = {}) {
-        const existing = this.inflight.get(vaultId);
+    static containerName(containerKey) {
+        return `mama-sandbox-${containerKey}`;
+    }
+    static networkName(containerKey) {
+        return `mama-sandbox-net-${containerKey}`;
+    }
+    async provision(containerKey, options = {}) {
+        const existing = this.inflight.get(containerKey);
         if (existing)
             return existing;
-        const pending = this.provisionInner(vaultId, options).finally(() => {
-            this.inflight.delete(vaultId);
+        const pending = this.provisionInner(containerKey, options).finally(() => {
+            this.inflight.delete(containerKey);
         });
-        this.inflight.set(vaultId, pending);
+        this.inflight.set(containerKey, pending);
         return pending;
     }
-    async provisionInner(vaultId, options) {
-        const containerName = options.containerName ?? DockerContainerManager.containerName(vaultId);
+    async provisionInner(containerKey, options) {
+        const containerName = options.containerName ?? DockerContainerManager.containerName(containerKey);
         const mounts = options.mounts ?? [];
         const status = await this.inspectStatus(containerName);
         try {
-            if (status !== "missing" && (await this.hasBindMountDrift(containerName, mounts))) {
-                log.logInfo(`Container ${containerName} mounts changed; recreating container`);
+            if (status !== "missing" &&
+                (await this.hasRuntimeDrift(containerKey, containerName, mounts))) {
+                log.logInfo(`Container ${containerName} configuration changed; recreating container`);
                 await this.execFileImpl("docker", ["rm", "-f", containerName]);
-                await this.runContainer(vaultId, containerName, mounts);
+                await this.runContainer(containerKey, containerName, mounts, options);
                 log.logInfo(`Container ${containerName} recreated`);
             }
             else if (status === "running") {
@@ -84,65 +80,75 @@ export class DockerContainerManager {
                 log.logInfo(`Container ${containerName} started`);
             }
             else {
-                await this.runContainer(vaultId, containerName, mounts);
+                await this.runContainer(containerKey, containerName, mounts, options);
                 log.logInfo(`Container ${containerName} created`);
             }
         }
         catch (err) {
-            // Drop cached state so the next provision() re-inspects Docker cleanly
-            // and stopIdle doesn't keep trying to stop a container that never
-            // became running. We deliberately don't bump lastUsed here.
-            this.state.delete(vaultId);
+            this.state.delete(containerKey);
             throw err;
         }
-        this.setState(vaultId, "running", containerName);
+        this.setState(containerKey, "running", containerName);
+        await this.applyResourceLimits(containerKey, containerName);
         return containerName;
     }
-    /**
-     * Stop a running container (docker stop). Container is preserved and can be
-     * restarted via provision(). Intended for idle lifecycle management.
-     */
-    async stop(vaultId) {
-        const containerName = this.getContainerName(vaultId);
+    async boost(containerKey) {
+        if (!this.boostLimits?.cpus && !this.boostLimits?.memory) {
+            return this.getLimitStatus(containerKey);
+        }
+        this.boostedKeys.add(containerKey);
+        const state = this.state.get(containerKey);
+        if (state?.status === "running") {
+            await this.applyResourceLimits(containerKey, state.containerName);
+        }
+        return this.getLimitStatus(containerKey);
+    }
+    getLimitStatus(containerKey) {
+        const boosted = this.boostedKeys.has(containerKey);
+        return { limits: this.effectiveLimits(containerKey), boosted };
+    }
+    getDefaultLimits() {
+        return this.limits;
+    }
+    getBoostLimits() {
+        return this.boostLimits;
+    }
+    async stop(containerKey) {
+        const containerName = this.getContainerName(containerKey);
         try {
             await this.execFileImpl("docker", ["stop", containerName]);
-            this.setState(vaultId, "stopped", containerName);
+            this.setState(containerKey, "stopped", containerName);
+            this.boostedKeys.delete(containerKey);
             log.logInfo(`Container ${containerName} stopped (idle)`);
         }
         catch (err) {
             log.logWarning(`Failed to stop container ${containerName}`, err instanceof Error ? err.message : String(err));
         }
     }
-    /** Stop and remove a container permanently (e.g. on vault revocation). */
-    async remove(vaultId) {
-        const containerName = this.getContainerName(vaultId);
+    async remove(containerKey) {
+        const containerName = this.getContainerName(containerKey);
+        const networkName = DockerContainerManager.networkName(containerKey);
+        await this.forceRemoveContainer(containerName, `Container ${containerName} removed`, `Failed to remove container ${containerName}`);
         try {
-            await this.execFileImpl("docker", ["rm", "-f", containerName]);
-            this.state.delete(vaultId);
-            log.logInfo(`Container ${containerName} removed`);
+            await this.execFileImpl("docker", ["network", "rm", networkName]);
+            log.logInfo(`Network ${networkName} removed`);
         }
         catch (err) {
-            log.logWarning(`Failed to remove container ${containerName}`, err instanceof Error ? err.message : String(err));
+            log.logWarning(`Failed to remove network ${networkName}`, err instanceof Error ? err.message : String(err));
         }
+        this.state.delete(containerKey);
+        this.boostedKeys.delete(containerKey);
     }
-    /**
-     * Stop all containers that have been idle for longer than maxIdleMs.
-     * Idle time is measured from the last provision() call.
-     */
     async stopIdle(maxIdleMs) {
         const now = Date.now();
         const toStop = [];
-        for (const [vaultId, containerState] of this.state) {
+        for (const [containerKey, containerState] of this.state) {
             if (containerState.status === "running" && now - containerState.lastUsed > maxIdleMs) {
-                toStop.push(vaultId);
+                toStop.push(containerKey);
             }
         }
-        await Promise.all(toStop.map((vaultId) => this.stop(vaultId)));
+        await Promise.all(toStop.map((containerKey) => this.stop(containerKey)));
     }
-    /**
-     * Rebuild in-memory state from existing Docker containers managed by mama image mode.
-     * Supports both new labeled containers and legacy name-prefixed containers.
-     */
     async reconcile() {
         const discovered = new Set();
         const labeledNames = await this.listContainerNamesByLabel();
@@ -152,28 +158,38 @@ export class DockerContainerManager {
         for (const name of legacyNames)
             discovered.add(name);
         this.state.clear();
-        for (const containerName of discovered) {
-            const details = await this.inspectContainerDetails(containerName);
+        const inspected = await Promise.all(Array.from(discovered).map(async (containerName) => ({
+            containerName,
+            details: await this.inspectContainerDetails(containerName),
+        })));
+        const legacyRemovals = [];
+        for (const { containerName, details } of inspected) {
             if (!details)
                 continue;
-            const vaultId = details.vaultId || this.vaultIdFromContainerName(containerName);
-            if (!vaultId) {
-                log.logWarning(`Skipping unmanaged-style container without vault id`, containerName);
+            if (!details.conversationId) {
+                legacyRemovals.push(this.removeLegacyContainer(containerName));
+                continue;
+            }
+            const containerKey = this.containerKeyFromContainerName(containerName);
+            if (!containerKey) {
+                log.logWarning(`Skipping unmanaged-style container without container key`, containerName);
                 continue;
             }
             const status = details.running ? "running" : "stopped";
             const lastUsed = details.startedAtMs ?? Date.now();
-            this.state.set(vaultId, { status, lastUsed, containerName });
+            this.state.set(containerKey, { status, lastUsed, containerName });
         }
+        await Promise.all(legacyRemovals);
         const running = Array.from(this.state.values()).filter((s) => s.status === "running").length;
         const stopped = this.state.size - running;
         log.logInfo(`Reconciled ${this.state.size} managed containers (running=${running}, stopped=${stopped})`);
     }
-    setState(vaultId, status, containerName) {
-        this.state.set(vaultId, { status, lastUsed: Date.now(), containerName });
+    setState(containerKey, status, containerName) {
+        this.state.set(containerKey, { status, lastUsed: Date.now(), containerName });
     }
-    getContainerName(vaultId) {
-        return this.state.get(vaultId)?.containerName ?? DockerContainerManager.containerName(vaultId);
+    getContainerName(containerKey) {
+        return (this.state.get(containerKey)?.containerName ??
+            DockerContainerManager.containerName(containerKey));
     }
     mountArgs(mounts) {
         return mounts.flatMap((mount) => ["-v", this.toBindSpec(mount)]);
@@ -181,36 +197,82 @@ export class DockerContainerManager {
     toBindSpec(mount) {
         return `${mount.source}:${mount.target}`;
     }
-    async runContainer(vaultId, containerName, mounts) {
+    async runContainer(containerKey, containerName, mounts, options) {
+        const networkName = await this.ensureNetwork(containerKey);
         log.logInfo(`Creating container ${containerName} from image ${this.image}`);
-        await this.execFileImpl("docker", [
-            "run",
-            "-d",
-            "--name",
-            containerName,
+        const labels = [
             "--label",
             DockerContainerManager.MANAGED_LABEL,
             "--label",
             DockerContainerManager.IMAGE_MODE_LABEL,
             "--label",
-            `${DockerContainerManager.VAULT_ID_LABEL_KEY}=${vaultId}`,
-            "-v",
-            `${this.workspaceDir}:/workspace`,
+            `${DockerContainerManager.VAULT_ID_LABEL_KEY}=${containerKey}`,
+        ];
+        if (options.conversationId) {
+            labels.push("--label", `${DockerContainerManager.CONVERSATION_ID_LABEL_KEY}=${options.conversationId}`);
+        }
+        if (mounts.length > 0) {
+            labels.push("--label", `${DockerContainerManager.MOUNT_SIGNATURE_LABEL_KEY}=${this.mountSignature(mounts)}`);
+        }
+        await this.execFileImpl("docker", [
+            "run",
+            "-d",
+            "--name",
+            containerName,
+            "--network",
+            networkName,
+            ...labels,
+            ...this.resourceLimitArgs(this.effectiveLimits(containerKey)),
             ...this.mountArgs(mounts),
             this.image,
             "sleep",
             "infinity",
         ]);
     }
+    effectiveLimits(containerKey) {
+        if (!this.boostedKeys.has(containerKey))
+            return this.limits;
+        return { ...this.limits, ...this.boostLimits };
+    }
+    resourceLimitArgs(limits) {
+        const args = [];
+        if (limits?.cpus)
+            args.push("--cpus", limits.cpus);
+        if (limits?.memory)
+            args.push("--memory", limits.memory);
+        return args;
+    }
+    async applyResourceLimits(containerKey, containerName) {
+        const limitArgs = this.resourceLimitArgs(this.effectiveLimits(containerKey));
+        if (limitArgs.length === 0)
+            return;
+        const args = ["update", ...limitArgs, containerName];
+        try {
+            await this.execFileImpl("docker", args);
+        }
+        catch (err) {
+            log.logWarning(`Failed to apply resource limits to container ${containerName}`, err instanceof Error ? err.message : String(err));
+        }
+    }
+    async hasRuntimeDrift(containerKey, containerName, mounts) {
+        if (await this.hasBindMountDrift(containerName, mounts)) {
+            return true;
+        }
+        if (await this.hasMountSignatureDrift(containerName, mounts)) {
+            return true;
+        }
+        return this.hasNetworkModeDrift(containerKey, containerName);
+    }
     async hasBindMountDrift(containerName, mounts) {
         const expected = this.expectedBinds(mounts);
         const actual = await this.inspectBindMounts(containerName);
         return !this.sameBinds(expected, actual);
     }
     expectedBinds(mounts) {
-        return [`${this.workspaceDir}:/workspace`, ...mounts.map((mount) => this.toBindSpec(mount))]
+        return mounts
+            .map((mount) => this.toBindSpec(mount))
             .slice()
-            .sort();
+            .toSorted();
     }
     sameBinds(expected, actual) {
         if (expected.length !== actual.length) {
@@ -218,6 +280,41 @@ export class DockerContainerManager {
         }
         return expected.every((bind, index) => bind === actual[index]);
     }
+    async hasMountSignatureDrift(containerName, mounts) {
+        if (mounts.length === 0)
+            return false;
+        const expected = this.mountSignature(mounts);
+        const { stdout } = await this.execFileImpl("docker", [
+            "inspect",
+            "-f",
+            `{{index .Config.Labels "${DockerContainerManager.MOUNT_SIGNATURE_LABEL_KEY}"}}`,
+            containerName,
+        ]);
+        const actual = this.normalizeDockerValue(stdout.trim());
+        return actual !== expected;
+    }
+    mountSignature(mounts) {
+        const payload = mounts
+            .map((mount) => ({
+            source: mount.source,
+            target: mount.target,
+            fingerprint: this.mountSourceFingerprint(mount.source),
+        }))
+            .toSorted((left, right) => `${left.target}\0${left.source}`.localeCompare(`${right.target}\0${right.source}`));
+        return createHash("sha256").update(JSON.stringify(payload)).digest("hex");
+    }
+    mountSourceFingerprint(source) {
+        try {
+            const stat = statSync(source);
+            if (stat.isFile()) {
+                return createHash("sha256").update(readFileSync(source)).digest("hex");
+            }
+            return `${stat.isDirectory() ? "dir" : "other"}:${stat.size}:${stat.mtimeMs}`;
+        }
+        catch {
+            return "missing";
+        }
+    }
     async inspectBindMounts(containerName) {
         const { stdout } = await this.execFileImpl("docker", [
             "inspect",
@@ -233,7 +330,42 @@ export class DockerContainerManager {
         if (!Array.isArray(parsed) || parsed.some((bind) => typeof bind !== "string")) {
             throw new Error(`Unexpected docker bind mount payload for container "${containerName}"`);
         }
-        return [...parsed].sort();
+        return [...parsed].toSorted();
+    }
+    async hasNetworkModeDrift(containerKey, containerName) {
+        const expected = DockerContainerManager.networkName(containerKey);
+        const { stdout } = await this.execFileImpl("docker", [
+            "inspect",
+            "-f",
+            "{{.HostConfig.NetworkMode}}",
+            containerName,
+        ]);
+        return stdout.trim() !== expected;
+    }
+    async ensureNetwork(containerKey) {
+        const networkName = DockerContainerManager.networkName(containerKey);
+        try {
+            await this.execFileImpl("docker", ["network", "inspect", networkName]);
+            return networkName;
+        }
+        catch (err) {
+            if (!isDockerNotFoundError(err))
+                throw err;
+        }
+        await this.execFileImpl("docker", [
+            "network",
+            "create",
+            "--driver",
+            "bridge",
+            "--label",
+            DockerContainerManager.MANAGED_LABEL,
+            "--label",
+            DockerContainerManager.IMAGE_MODE_LABEL,
+            "--label",
+            `${DockerContainerManager.VAULT_ID_LABEL_KEY}=${containerKey}`,
+            networkName,
+        ]);
+        return networkName;
     }
     async inspectStatus(containerName) {
         try {
@@ -245,8 +377,10 @@ export class DockerContainerManager {
             ]);
             return stdout.trim() === "true" ? "running" : "stopped";
         }
-        catch {
-            return "missing";
+        catch (err) {
+            if (isDockerNotFoundError(err))
+                return "missing";
+            throw err;
         }
     }
     async listContainerNamesByLabel() {
@@ -296,14 +430,15 @@ export class DockerContainerManager {
             const { stdout } = await this.execFileImpl("docker", [
                 "inspect",
                 "-f",
-                `{{.State.Running}}\t{{.State.StartedAt}}\t{{index .Config.Labels "${DockerContainerManager.VAULT_ID_LABEL_KEY}"}}`,
+                `{{.State.Running}}\t{{.State.StartedAt}}\t{{index .Config.Labels "${DockerContainerManager.VAULT_ID_LABEL_KEY}"}}\t{{index .Config.Labels "${DockerContainerManager.CONVERSATION_ID_LABEL_KEY}"}}`,
                 containerName,
             ]);
-            const [runningRaw, startedAtRaw, vaultIdRaw] = stdout.trim().split("\t");
+            const [runningRaw, startedAtRaw, vaultIdRaw, conversationIdRaw] = stdout.trim().split("\t");
             const running = runningRaw === "true";
             const startedAtMs = this.parseDockerTimestamp(startedAtRaw);
             const vaultId = this.normalizeDockerValue(vaultIdRaw);
-            return { running, startedAtMs, vaultId };
+            const conversationId = this.normalizeDockerValue(conversationIdRaw);
+            return { running, startedAtMs, vaultId, conversationId };
         }
         catch (err) {
             log.logWarning(`Failed to inspect container ${containerName} during reconcile`, err instanceof Error ? err.message : String(err));
@@ -323,14 +458,24 @@ export class DockerContainerManager {
         const parsed = Date.parse(normalized);
         return Number.isNaN(parsed) ? undefined : parsed;
     }
-    vaultIdFromContainerName(containerName) {
+    containerKeyFromContainerName(containerName) {
         const prefix = DockerContainerManager.containerName("");
         if (!containerName.startsWith(prefix))
             return undefined;
-        const vaultId = containerName.slice(prefix.length);
-        return vaultId.length > 0 ? vaultId : undefined;
+        const containerKey = containerName.slice(prefix.length);
+        return containerKey.length > 0 ? containerKey : undefined;
+    }
+    async forceRemoveContainer(containerName, successLog, failureLog) {
+        try {
+            await this.execFileImpl("docker", ["rm", "-f", containerName]);
+            log.logInfo(successLog);
+        }
+        catch (err) {
+            log.logWarning(failureLog, err instanceof Error ? err.message : String(err));
+        }
+    }
+    async removeLegacyContainer(containerName) {
+        await this.forceRemoveContainer(containerName, `Removed legacy mama container ${containerName} (pre-channel-isolation scheme)`, `Failed to remove legacy mama container ${containerName}`);
     }
 }
-/** @deprecated Use DockerContainerManager */
-export const DockerProvisioner = DockerContainerManager;
 //# sourceMappingURL=provisioner.js.map