@torkbot/sandbox 0.1.1 → 0.2.0
- package/README.md +237 -133
- package/dist/artifacts.d.ts +4 -0
- package/dist/artifacts.d.ts.map +1 -1
- package/dist/artifacts.js +44 -0
- package/dist/artifacts.js.map +1 -1
- package/dist/control-codec.d.ts +23 -1
- package/dist/control-codec.d.ts.map +1 -1
- package/dist/control-codec.js.map +1 -1
- package/dist/control.d.ts +15 -1
- package/dist/control.d.ts.map +1 -1
- package/dist/control.js.map +1 -1
- package/dist/host-process.d.ts +2 -7
- package/dist/host-process.d.ts.map +1 -1
- package/dist/host-process.js +239 -10
- package/dist/host-process.js.map +1 -1
- package/dist/index.d.ts +104 -199
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +298 -268
- package/dist/index.js.map +1 -1
- package/dist/launch-options.d.ts +64 -0
- package/dist/launch-options.d.ts.map +1 -0
- package/dist/launch-options.js +2 -0
- package/dist/launch-options.js.map +1 -0
- package/dist/memory-fs.d.ts +3 -0
- package/dist/memory-fs.d.ts.map +1 -0
- package/dist/memory-fs.js +308 -0
- package/dist/memory-fs.js.map +1 -0
- package/dist/spawn-options.d.ts +7 -6
- package/dist/spawn-options.d.ts.map +1 -1
- package/dist/vfs.d.ts +2 -1
- package/dist/vfs.d.ts.map +1 -1
- package/dist/vfs.js +14 -0
- package/dist/vfs.js.map +1 -1
- package/package.json +3 -3
- package/dist/host-filesystem-tools.d.ts +0 -3
- package/dist/host-filesystem-tools.d.ts.map +0 -1
- package/dist/host-filesystem-tools.js +0 -330
- package/dist/host-filesystem-tools.js.map +0 -1
package/README.md
CHANGED
|
@@ -1,108 +1,70 @@
|
|
|
1
1
|
# Sandbox
|
|
2
2
|
|
|
3
|
-
Sandbox is a TypeScript-first Node.js library for
|
|
4
|
-
|
|
5
|
-
The target shape is:
|
|
6
|
-
|
|
7
|
-
- boot a guest from a prebuilt read-only rootfs artifact, likely EROFS,
|
|
8
|
-
- mount host-implemented virtual filesystems,
|
|
9
|
-
- intercept guest HTTP request headers through host TypeScript hooks,
|
|
10
|
-
- communicate with guest init over a bidirectional transport,
|
|
11
|
-
- ship as a statically linked host artifact.
|
|
3
|
+
Sandbox is a TypeScript-first Node.js library for running work inside
|
|
4
|
+
libkrun-backed microVMs with host-controlled filesystems and network policy.
|
|
12
5
|
|
|
13
6
|
```ts
|
|
14
7
|
import {
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
linuxOverlayFs,
|
|
19
|
-
mount,
|
|
20
|
-
prebuiltRootfs,
|
|
21
|
-
projectInit,
|
|
22
|
-
projectKernel,
|
|
23
|
-
scratchFs,
|
|
24
|
-
createSandbox,
|
|
25
|
-
type SandboxWritableFileSystem,
|
|
8
|
+
defineSandbox,
|
|
9
|
+
fs,
|
|
10
|
+
rootfs,
|
|
26
11
|
} from "@torkbot/sandbox";
|
|
27
12
|
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
rootfs: linuxOverlayFs({
|
|
34
|
-
lower: prebuiltRootfs("dist/rootfs/sandbox.erofs", { format: "erofs" }),
|
|
35
|
-
upper: scratchFs(),
|
|
36
|
-
}),
|
|
13
|
+
const workspaceFs = fs.memory({
|
|
14
|
+
files: {
|
|
15
|
+
"/hello.txt": "hello from the host filesystem\n",
|
|
16
|
+
},
|
|
17
|
+
});
|
|
37
18
|
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
type: "directory",
|
|
44
|
-
sizeBytes: null,
|
|
45
|
-
mediaType: null,
|
|
46
|
-
modifiedAtMs: null,
|
|
47
|
-
};
|
|
48
|
-
}
|
|
49
|
-
|
|
50
|
-
if (path === "/status.json") {
|
|
51
|
-
const body = JSON.stringify({ ready: true });
|
|
52
|
-
return {
|
|
53
|
-
type: "file",
|
|
54
|
-
sizeBytes: Buffer.byteLength(body),
|
|
55
|
-
mediaType: "application/json",
|
|
56
|
-
modifiedAtMs: null,
|
|
57
|
-
};
|
|
58
|
-
}
|
|
59
|
-
|
|
60
|
-
throw new Error(`missing path ${path}`);
|
|
61
|
-
},
|
|
62
|
-
|
|
63
|
-
async list(path) {
|
|
64
|
-
if (path !== "/") throw new Error(`missing directory ${path}`);
|
|
65
|
-
return [{ name: "status.json", type: "file" }];
|
|
66
|
-
},
|
|
67
|
-
|
|
68
|
-
async read(input) {
|
|
69
|
-
if (input.path !== "/status.json") {
|
|
70
|
-
throw new Error(`unknown virtual file: ${input.path}`);
|
|
71
|
-
}
|
|
72
|
-
|
|
73
|
-
return Buffer.from(JSON.stringify({ ready: true }));
|
|
74
|
-
},
|
|
75
|
-
}),
|
|
76
|
-
],
|
|
77
|
-
|
|
78
|
-
bindings: [
|
|
79
|
-
binding("/workspace", workspaceFs),
|
|
80
|
-
],
|
|
81
|
-
|
|
82
|
-
network: {
|
|
83
|
-
outbound: {
|
|
84
|
-
policy: "deny",
|
|
85
|
-
rules: [
|
|
86
|
-
acceptTcp({ cidr: "127.0.0.1/32", ports: [8080] }),
|
|
87
|
-
acceptPublicInternet({ ports: [443] }),
|
|
88
|
-
],
|
|
89
|
-
},
|
|
19
|
+
const sandbox = defineSandbox({
|
|
20
|
+
rootfs: rootfs.builtIn("alpine:3.20"),
|
|
21
|
+
resources: {
|
|
22
|
+
cpus: 2,
|
|
23
|
+
memoryMiB: 2048,
|
|
90
24
|
},
|
|
91
25
|
});
|
|
92
26
|
|
|
93
|
-
|
|
94
|
-
|
|
27
|
+
await using lane = await sandbox.boot({
|
|
28
|
+
mounts: {
|
|
29
|
+
"/workspace": fs.virtual(workspaceFs),
|
|
30
|
+
},
|
|
31
|
+
cwd: "/workspace",
|
|
95
32
|
});
|
|
96
33
|
|
|
97
|
-
|
|
34
|
+
const result = await lane.exec("cat", ["hello.txt"]);
|
|
35
|
+
|
|
36
|
+
if (result.exitCode !== 0) {
|
|
37
|
+
throw new Error(result.stderr);
|
|
38
|
+
}
|
|
98
39
|
```
|
|
99
40
|
|
|
100
|
-
|
|
41
|
+
## Quick Start
|
|
42
|
+
|
|
43
|
+
Create reusable machine configuration once, then boot one or more instances with
|
|
44
|
+
the mounts each instance needs:
|
|
101
45
|
|
|
102
46
|
```ts
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
47
|
+
import {
|
|
48
|
+
defineSandbox,
|
|
49
|
+
fs,
|
|
50
|
+
rootfs,
|
|
51
|
+
} from "@torkbot/sandbox";
|
|
52
|
+
|
|
53
|
+
const workspaceFs = fs.memory();
|
|
54
|
+
|
|
55
|
+
const sandbox = defineSandbox({
|
|
56
|
+
rootfs: rootfs.builtIn("alpine:3.20"),
|
|
57
|
+
});
|
|
58
|
+
|
|
59
|
+
await using lane = await sandbox.boot({
|
|
60
|
+
mounts: {
|
|
61
|
+
"/workspace": fs.virtual(workspaceFs),
|
|
62
|
+
},
|
|
63
|
+
cwd: "/workspace",
|
|
64
|
+
});
|
|
65
|
+
|
|
66
|
+
const result = await lane.exec("sh", ["-lc", "printf 'ok\\n'"], {
|
|
67
|
+
env: { CI: "1" },
|
|
106
68
|
});
|
|
107
69
|
|
|
108
70
|
if (result.exitCode !== 0) {
|
|
@@ -110,70 +72,212 @@ if (result.exitCode !== 0) {
|
|
|
110
72
|
}
|
|
111
73
|
```
|
|
112
74
|
|
|
113
|
-
|
|
75
|
+
The public API is split into three layers:
|
|
76
|
+
|
|
77
|
+
- `defineSandbox(...)` describes reusable machine configuration.
|
|
78
|
+
- `sandbox.boot(...)` creates a runtime instance with per-instance mounts.
|
|
79
|
+
- `lane.exec(...)` runs buffered work inside the booted instance.
|
|
80
|
+
|
|
81
|
+
Expensive artifact preparation is intentionally outside `boot()`.
|
|
82
|
+
`rootfs.builtIn("alpine:3.20")` selects a built-in rootfs artifact that must
|
|
83
|
+
already be installed with Sandbox. It does not pull an image or build a rootfs
|
|
84
|
+
at runtime.
|
|
85
|
+
|
|
86
|
+
## API Overview
|
|
87
|
+
|
|
88
|
+
### Configuration
|
|
114
89
|
|
|
115
90
|
```ts
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
91
|
+
type SandboxDefinition = {
|
|
92
|
+
rootfs: Rootfs;
|
|
93
|
+
resources?: {
|
|
94
|
+
cpus?: number;
|
|
95
|
+
memoryMiB?: number;
|
|
96
|
+
};
|
|
97
|
+
network?: NetworkPolicy;
|
|
98
|
+
};
|
|
99
|
+
```
|
|
100
|
+
|
|
101
|
+
`rootfs` selects the guest root filesystem. The first public rootfs source is
|
|
102
|
+
the read-only built-in catalog:
|
|
121
103
|
|
|
122
|
-
|
|
104
|
+
```ts
|
|
105
|
+
rootfs.builtIn("alpine:3.20");
|
|
106
|
+
```
|
|
123
107
|
|
|
124
|
-
|
|
108
|
+
`resources` controls the VM shape used by every instance booted from the
|
|
109
|
+
definition. Omitted values use Sandbox defaults.
|
|
125
110
|
|
|
126
|
-
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
|
|
111
|
+
```ts
|
|
112
|
+
defineSandbox({
|
|
113
|
+
rootfs: rootfs.builtIn("alpine:3.20"),
|
|
114
|
+
resources: {
|
|
115
|
+
cpus: 4,
|
|
116
|
+
memoryMiB: 4096,
|
|
117
|
+
},
|
|
130
118
|
});
|
|
119
|
+
```
|
|
120
|
+
|
|
121
|
+
Use `rootfs.cow(...)` when rootfs mutations should persist. The sandbox library
|
|
122
|
+
owns the COW block-device contract; user-space owns the block store's
|
|
123
|
+
durability, compression, migration, and checkpoint policy. Built-in rootfs
|
|
124
|
+
packages include a read-only EROFS image for normal boots and a writable ext4
|
|
125
|
+
image used as the COW base.
|
|
131
126
|
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
|
|
127
|
+
```ts
|
|
128
|
+
defineSandbox({
|
|
129
|
+
rootfs: rootfs.cow({
|
|
130
|
+
base: rootfs.builtIn("alpine:3.20"),
|
|
131
|
+
writable: laneBlockStore,
|
|
132
|
+
}),
|
|
135
133
|
});
|
|
134
|
+
```
|
|
135
|
+
|
|
136
|
+
The block store interface is intentionally storage-agnostic:
|
|
137
|
+
|
|
138
|
+
```ts
|
|
139
|
+
interface SandboxBlockStore {
|
|
140
|
+
readonly blockSize: number;
|
|
141
|
+
list(context: SandboxBlockStoreContext): Promise<readonly bigint[]>;
|
|
142
|
+
read(
|
|
143
|
+
range: SandboxBlockRange,
|
|
144
|
+
context: SandboxBlockStoreContext,
|
|
145
|
+
): Promise<readonly SandboxBlockChunk[]>;
|
|
146
|
+
write(
|
|
147
|
+
chunks: readonly SandboxBlockChunk[],
|
|
148
|
+
context: SandboxBlockStoreContext,
|
|
149
|
+
): Promise<void>;
|
|
150
|
+
flush?(context: SandboxBlockStoreContext): Promise<void>;
|
|
151
|
+
}
|
|
152
|
+
```
|
|
153
|
+
|
|
154
|
+
The `context.base` value identifies the exact built-in base image for this boot.
|
|
155
|
+
The sandbox library passes it through to every block-store operation; user-space
|
|
156
|
+
storage can use it to namespace blocks, reject mismatched snapshots, or migrate
|
|
157
|
+
state. `list()` returns the block IDs currently present in the COW store. The
|
|
158
|
+
Rust block backend reads that manifest once at boot, so clean base-image blocks
|
|
159
|
+
are served without asking JavaScript. Dirty blocks are read lazily and writes are
|
|
160
|
+
batched back through `write(...)` on flush.
|
|
136
161
|
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
162
|
+
A writable COW block store must be attached to at most one running sandbox
|
|
163
|
+
instance at a time. Concurrent sandboxes sharing the same writable store are
|
|
164
|
+
undefined behavior; create one store per lane or enforce exclusivity in the
|
|
165
|
+
storage driver.
|
|
166
|
+
|
|
167
|
+
`network` is optional. When omitted, egress is denied. A network policy receives
|
|
168
|
+
connection requests and grants only the traffic it explicitly allows:
|
|
169
|
+
|
|
170
|
+
```ts
|
|
171
|
+
const policy = network.policy(async (conn) => {
|
|
172
|
+
if (conn.host === "registry.npmjs.org") {
|
|
173
|
+
conn.allowHttp();
|
|
174
|
+
}
|
|
140
175
|
});
|
|
176
|
+
```
|
|
141
177
|
|
|
142
|
-
|
|
143
|
-
|
|
144
|
-
|
|
178
|
+
`conn.allow()` grants HTTP(S)-classified traffic without request middleware.
|
|
179
|
+
`conn.allowHttp(...)` grants HTTP(S)-classified traffic and can apply request
|
|
180
|
+
middleware:
|
|
181
|
+
|
|
182
|
+
```ts
|
|
183
|
+
const policy = network.policy(async (conn) => {
|
|
184
|
+
if (conn.host !== "api.example.com") return;
|
|
185
|
+
|
|
186
|
+
conn.allowHttp(async (request) => {
|
|
187
|
+
request.headers.set(
|
|
188
|
+
"authorization",
|
|
189
|
+
`Bearer ${await credentialBroker.authorizationFor(request)}`,
|
|
190
|
+
);
|
|
191
|
+
});
|
|
145
192
|
});
|
|
146
193
|
```
|
|
147
194
|
|
|
148
|
-
|
|
195
|
+
Deny remains the default. If the policy callback does not create a grant, the
|
|
196
|
+
connection is blocked. The `NetworkGrant` returned by `allow()` and
|
|
197
|
+
`allowHttp()` is reserved as the future extension point for instance-local
|
|
198
|
+
state, such as remembering a grant for a time window.
|
|
199
|
+
|
|
200
|
+
The runtime uses this policy shape to keep the JavaScript boundary explicit.
|
|
201
|
+
Native rules can be added under the same model later without changing the
|
|
202
|
+
caller-facing API.
|
|
203
|
+
|
|
204
|
+
### Boot Options
|
|
205
|
+
|
|
206
|
+
Mounts are per-instance because different sandbox instances often need
|
|
207
|
+
different filesystems over the same reusable machine configuration:
|
|
149
208
|
|
|
150
209
|
```ts
|
|
151
|
-
await using
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
210
|
+
await using lane = await sandbox.boot({
|
|
211
|
+
mounts: {
|
|
212
|
+
"/workspace": fs.virtual(workspaceFs),
|
|
213
|
+
"/tmp": fs.virtual(privateFs),
|
|
214
|
+
"/mnt": fs.virtual(sharedFs),
|
|
215
|
+
},
|
|
216
|
+
cwd: "/workspace",
|
|
158
217
|
});
|
|
218
|
+
```
|
|
159
219
|
|
|
160
|
-
|
|
220
|
+
Sandbox does not special-case `/workspace`. Mount paths are just guest-visible
|
|
221
|
+
paths backed by user-supplied filesystems. The target path must already exist
|
|
222
|
+
in the selected rootfs; the built-in Alpine rootfs includes `/workspace`,
|
|
223
|
+
`/tmp`, and `/mnt`.
|
|
161
224
|
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
|
|
225
|
+
### Filesystems
|
|
226
|
+
|
|
227
|
+
`fs.memory(...)` creates a real in-memory POSIX filesystem that can be mounted:
|
|
228
|
+
|
|
229
|
+
```ts
|
|
230
|
+
const workspaceFs = fs.memory({
|
|
231
|
+
files: {
|
|
232
|
+
"/README.md": "# Example\n",
|
|
233
|
+
},
|
|
165
234
|
});
|
|
166
235
|
```
|
|
167
236
|
|
|
168
|
-
`
|
|
237
|
+
`fs.virtual(...)` adapts any compatible user-space JavaScript filesystem to
|
|
238
|
+
Sandbox mounts:
|
|
169
239
|
|
|
170
|
-
|
|
240
|
+
```ts
|
|
241
|
+
const workspace = fs.virtual(workspaceFs);
|
|
242
|
+
```
|
|
243
|
+
|
|
244
|
+
### Processes
|
|
245
|
+
|
|
246
|
+
`exec` is the simple buffered process API:
|
|
247
|
+
|
|
248
|
+
```ts
|
|
249
|
+
const result = await lane.exec("npm", ["test"], {
|
|
250
|
+
cwd: "/workspace",
|
|
251
|
+
env: { CI: "1" },
|
|
252
|
+
});
|
|
253
|
+
```
|
|
171
254
|
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
255
|
+
`exec` is intentionally small: it buffers stdout and stderr and returns when the
|
|
256
|
+
process exits. Streaming stdin/stdout/stderr belongs in the future
|
|
257
|
+
`lane.spawn(...)` API.
|
|
258
|
+
|
|
259
|
+
## Internal Architecture
|
|
260
|
+
|
|
261
|
+
Sandbox hides the kernel, init, transport, and host helper behind a small
|
|
262
|
+
TypeScript API:
|
|
263
|
+
|
|
264
|
+
- The runtime boots a libkrun-backed guest from a prebuilt rootfs artifact:
|
|
265
|
+
read-only EROFS by default, or writable ext4 when a COW rootfs is used.
|
|
266
|
+
- Kernel and init artifacts are implementation details owned by Sandbox.
|
|
267
|
+
- A signed `sandbox-host` helper owns the Node/Rust/libkrun boundary.
|
|
268
|
+
- Guest control traffic uses an implicit fd-backed transport between the host
|
|
269
|
+
and Sandbox init.
|
|
270
|
+
- Host-implemented virtual filesystems are mounted into the guest.
|
|
271
|
+
- Rootfs mutation persistence is modeled as block-level copy-on-write rootfs,
|
|
272
|
+
not as a guest-visible POSIX filesystem.
|
|
273
|
+
- Network egress is default-deny. Native code should enforce fast-path policy
|
|
274
|
+
decisions and delegate to JavaScript only when a policy callback is required.
|
|
275
|
+
- HTTP request middleware is caller-provided JavaScript, but Sandbox owns the
|
|
276
|
+
interception machinery and certificate plumbing.
|
|
277
|
+
|
|
278
|
+
The intended boundary is that Sandbox knows how to launch, isolate, mount,
|
|
279
|
+
intercept, and enforce. User-space owns artifact selection, filesystem
|
|
280
|
+
durability, network policy state, confirmation flows, and credential brokering.
|
|
177
281
|
|
|
178
282
|
## Design Targets
|
|
179
283
|
|
|
@@ -182,12 +286,12 @@ The guest contract is intentionally narrow:
|
|
|
182
286
|
- custom guest init owned by this repo,
|
|
183
287
|
- implicit fd-backed host control sockets owned by Sandbox,
|
|
184
288
|
- avoid host filesystem coordination unless it is intrinsic to the artifact; prefer file descriptors, database handles, bytes, and async iterables over paths,
|
|
185
|
-
- build-time rootfs shaping, with
|
|
186
|
-
-
|
|
187
|
-
-
|
|
289
|
+
- build-time rootfs shaping, with built-in rootfs artifacts selected by typed logical names at VM instantiation,
|
|
290
|
+
- immutable rootfs by default, with copy-on-write rootfs supplied by a user-space block store when requested,
|
|
291
|
+
- generic guest-visible mounts backed by the same user-space filesystem abstraction,
|
|
188
292
|
- programmable virtual filesystems backed by TypeScript callbacks,
|
|
189
293
|
- transparent HTTP interception with TypeScript request-header hooks,
|
|
190
|
-
- default-deny outbound networking with
|
|
294
|
+
- default-deny outbound networking with JavaScript policy callbacks only where native rules cannot decide,
|
|
191
295
|
- Rust-native or statically linkable networking components; sidecar network daemons are references, not default runtime dependencies,
|
|
192
296
|
- macOS HVF entitlement signing verified as part of the integration test flow.
|
|
193
297
|
|
|
@@ -211,7 +315,7 @@ The npm package is published as `@torkbot/sandbox`. It does not use post-install
|
|
|
211
315
|
- `@torkbot/sandbox-darwin-arm64`
|
|
212
316
|
- `@torkbot/sandbox-linux-x64-gnu`
|
|
213
317
|
|
|
214
|
-
Each platform package contains the
|
|
318
|
+
Each platform package contains the `sandbox-host` helper and built-in rootfs artifacts for that target. Runtime artifact resolution only loads the installed optional dependency for the current platform. Local development uses the same layout by materializing the current platform package under `node_modules`.
|
|
215
319
|
|
|
216
320
|
### macOS signing setup
|
|
217
321
|
|
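--- a/package/dist/artifacts.d.ts
+++ b/package/dist/artifacts.d.ts
@@ -1,12 +1,16 @@
 type SandboxTarget = {
 readonly packageName: string;
 readonly hostBinaryName: string;
+readonly rootfsNames: Record<BuiltInRootfsFormat, string>;
 readonly platform: NodeJS.Platform;
 readonly arch: NodeJS.Architecture;
 readonly libc?: "glibc";
 };
+type BuiltInRootfsFormat = "erofs" | "ext4";
 export declare function currentSandboxTarget(): SandboxTarget;
 export declare function hostBinaryPath(): string;
+export declare function builtInRootfsPath(name: "alpine:3.20", format?: BuiltInRootfsFormat): string;
+export declare function builtInRootfsIdentity(name: "alpine:3.20", format: BuiltInRootfsFormat): string;
 export declare function rawHostBinaryPath(): string;
 export declare function assertMacosHostIsSigned(path: string): void;
 export declare function macosHostSigningError(path: string): Error | null;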
package/dist/artifacts.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"artifacts.d.ts","sourceRoot":"","sources":["../src/artifacts.ts"],"names":[],"mappings":"AAKA,KAAK,aAAa,GAAG;IACnB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC;IACnC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,YAAY,CAAC;IACnC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;CACzB,CAAC;
|
|
1
|
+
{"version":3,"file":"artifacts.d.ts","sourceRoot":"","sources":["../src/artifacts.ts"],"names":[],"mappings":"AAKA,KAAK,aAAa,GAAG;IACnB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAC;IAC1D,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC;IACnC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,YAAY,CAAC;IACnC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;CACzB,CAAC;AAEF,KAAK,mBAAmB,GAAG,OAAO,GAAG,MAAM,CAAC;AA0B5C,wBAAgB,oBAAoB,IAAI,aAAa,CAYpD;AAED,wBAAgB,cAAc,IAAI,MAAM,CAEvC;AAED,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,aAAa,EAAE,MAAM,GAAE,mBAA6B,GAAG,MAAM,CAMpG;AAED,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,mBAAmB,GAAG,MAAM,CAiB9F;AAED,wBAAgB,iBAAiB,IAAI,MAAM,CAG1C;AA2BD,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAuB1D;AAcD,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,GAAG,KAAK,GAAG,IAAI,CAWhE"}
|
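--- a/package/dist/artifacts.js
+++ b/package/dist/artifacts.js
@@ -5,12 +5,20 @@ const targets = [
 {
 packageName: "@torkbot/sandbox-darwin-arm64",
 hostBinaryName: "sandbox-host",
+rootfsNames: {
+erofs: "rootfs/alpine-3.20.erofs",
+ext4: "rootfs/alpine-3.20.ext4",
+},
 platform: "darwin",
 arch: "arm64",
 },
 {
 packageName: "@torkbot/sandbox-linux-x64-gnu",
 hostBinaryName: "sandbox-host",
+rootfsNames: {
+erofs: "rootfs/alpine-3.20.erofs",
+ext4: "rootfs/alpine-3.20.ext4",
+},
 platform: "linux",
 arch: "x64",
 libc: "glibc",
@@ -28,6 +36,31 @@ export function currentSandboxTarget() {
 export function hostBinaryPath() {
 return rawHostBinaryPath();
 }
+export function builtInRootfsPath(name, format = "erofs") {
+if (name === "alpine:3.20") {
+const target = currentSandboxTarget();
+return resolveArtifactPath(target, target.rootfsNames[format]);
+}
+throw new Error(`unsupported built-in rootfs: ${name}`);
+}
+export function builtInRootfsIdentity(name, format) {
+if (name === "alpine:3.20") {
+const target = currentSandboxTarget();
+const packageVersion = platformPackageVersion(target);
+return [
+"built-in",
+name,
+format,
+target.platform,
+target.arch,
+target.libc ?? "none",
+target.packageName,
+packageVersion,
+target.rootfsNames[format],
+].join(":");
+}
+throw new Error(`unsupported built-in rootfs: ${name}`);
+}
 export function rawHostBinaryPath() {
 const target = currentSandboxTarget();
 return resolveArtifactPath(target, target.hostBinaryName);
@@ -41,6 +74,17 @@ function resolveArtifactPath(target, artifactName) {
 throw new Error(`missing ${target.packageName} artifact ${artifactName}; reinstall @torkbot/sandbox for ${process.platform}-${process.arch}, or run npm run artifacts:link-current after building local artifacts. ${installError}`);
 }
 }
+function platformPackageVersion(target) {
+try {
+const packageJson = require(`${target.packageName}/package.json`);
+if (typeof packageJson.version === "string" && packageJson.version.length > 0) {
+return packageJson.version;
+}
+}
+catch {
+}
+return "unknown";
+}
 export function assertMacosHostIsSigned(path) {
 if (process.platform !== "darwin") {
 return;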
package/dist/artifacts.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"artifacts.js","sourceRoot":"","sources":["../src/artifacts.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAE/C,MAAM,OAAO,GAAG,aAAa,CAAC,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC;
|
|
1
|
+
{"version":3,"file":"artifacts.js","sourceRoot":"","sources":["../src/artifacts.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAE/C,MAAM,OAAO,GAAG,aAAa,CAAC,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC;AAa/C,MAAM,OAAO,GAAG;IACd;QACE,WAAW,EAAE,+BAA+B;QAC5C,cAAc,EAAE,cAAc;QAC9B,WAAW,EAAE;YACX,KAAK,EAAE,0BAA0B;YACjC,IAAI,EAAE,yBAAyB;SAChC;QACD,QAAQ,EAAE,QAAQ;QAClB,IAAI,EAAE,OAAO;KACd;IACD;QACE,WAAW,EAAE,gCAAgC;QAC7C,cAAc,EAAE,cAAc;QAC9B,WAAW,EAAE;YACX,KAAK,EAAE,0BAA0B;YACjC,IAAI,EAAE,yBAAyB;SAChC;QACD,QAAQ,EAAE,OAAO;QACjB,IAAI,EAAE,KAAK;QACX,IAAI,EAAE,OAAO;KACd;CAC0C,CAAC;AAE9C,MAAM,UAAU,oBAAoB;IAClC,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;QACxC,OAAO,SAAS,CAAC,QAAQ,KAAK,OAAO,CAAC,QAAQ,IAAI,SAAS,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI,CAAC;IACpF,CAAC,CAAC,CAAC;IAEH,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CACb,sCAAsC,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,IAAI,EAAE,CACzE,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,cAAc;IAC5B,OAAO,iBAAiB,EAAE,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,IAAmB,EAAE,MAAM,GAAwB,OAAO;IAC1F,IAAI,IAAI,KAAK,aAAa,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,oBAAoB,EAAE,CAAC;QACtC,OAAO,mBAAmB,CAAC,MAAM,EAAE,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;IACjE,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,gCAAgC,IAAoB,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,IAAmB,EAAE,MAA2B;IACpF,IAAI,IAAI,KAAK,aAAa,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,oBAAoB,EAAE,CAAC;QACtC,MAAM,cAAc,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC;QACtD,OAAO;YACL,UAAU;YACV,IAAI;YACJ,MAAM;YACN,MAAM,CAAC,QAAQ;YACf,MAAM,CAAC,IAAI;YACX,MAAM,CAAC,IAAI,IAAI,MAAM;YACrB,MAAM,CAAC,WAAW;YAClB,cAAc;YACd,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC;SAC3B,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACd,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,gCAAgC,IAAoB,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,MAAM,MAAM,GAAG,oBAAoB,EAAE,CAAC;IACtC,OAAO,mBAAmB,CAAC,MAAM,EAAE,MAAM,CAAC,cAAc,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,mBAAmB,CAC1B,MAAqB,EACrB,YAAoB;IAEpB,IAAI,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,GAAG,MAAM,CAA
C,WAAW,IAAI,YAAY,EAAE,CAAC,CAAC;IAClE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC5E,MAAM,IAAI,KAAK,CACb,WAAW,MAAM,CAAC,WAAW,aAAa,YAAY,oCAAoC,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,IAAI,2EAA2E,YAAY,EAAE,CACpN,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,sBAAsB,CAAC,MAAqB;IACnD,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,MAAM,CAAC,WAAW,eAAe,CAA0B,CAAC;QAC3F,IAAI,OAAO,WAAW,CAAC,OAAO,KAAK,QAAQ,IAAI,WAAW,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9E,OAAO,WAAW,CAAC,OAAO,CAAC;QAC7B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;IACT,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,IAAY;IAClD,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,OAAO;IACT,CAAC;IAED,IAAI,YAAoB,CAAC;IACzB,MAAM,MAAM,GAAG,SAAS,CAAC,UAAU,EAAE,CAAC,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE;QACzE,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;KAClC,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;IACjE,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,IAAI,EAAE,GAAG,MAAM,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACxF,CAAC;IAED,YAAY,GAAG,GAAG,MAAM,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,EAAE,CAAC;IACpD,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,0CAA0C,CAAC,EAAE,CAAC;QACvE,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,IAAI,EAAE,mDAAmD,CAAC,CAAC,CAAC;IAChG,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAY,EAAE,MAAc;IACrD,OAAO;QACL,mEAAmE;QACnE,EAAE;QACF,kDAAkD;QAClD,oCAAoC;QACpC,EAAE;QACF,aAAa,IAAI,EAAE;QACnB,WAAW,MAAM,EAAE;KACpB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,IAAY;IAChD,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,uBAAuB,CAAC,IAAI,CAAC,CAAC;QAC9B,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IACnE,CAAC;AACH,CAAC"}
|
package/dist/control-codec.d.ts
CHANGED
|
@@ -1,4 +1,26 @@
|
|
|
1
|
-
|
|
1
|
+
export type SandboxControlEvent = {
|
|
2
|
+
readonly type: "init.ready";
|
|
3
|
+
readonly guest: {
|
|
4
|
+
readonly root: {
|
|
5
|
+
readonly readonly: boolean;
|
|
6
|
+
};
|
|
7
|
+
readonly init: {
|
|
8
|
+
readonly name: string;
|
|
9
|
+
};
|
|
10
|
+
};
|
|
11
|
+
} | {
|
|
12
|
+
readonly type: "guest.exec.complete";
|
|
13
|
+
readonly id: string;
|
|
14
|
+
readonly exitCode: number;
|
|
15
|
+
readonly stdout: string;
|
|
16
|
+
readonly stderr: string;
|
|
17
|
+
};
|
|
18
|
+
export type SandboxControlCommand = {
|
|
19
|
+
readonly type: "guest.exec";
|
|
20
|
+
readonly id: string;
|
|
21
|
+
readonly argv: readonly string[];
|
|
22
|
+
readonly env?: Record<string, string>;
|
|
23
|
+
};
|
|
2
24
|
export declare function encodeControlCommand(command: SandboxControlCommand): Uint8Array;
|
|
3
25
|
export declare function decodeControlEvent(packet: Uint8Array): SandboxControlEvent;
|
|
4
26
|
//# sourceMappingURL=control-codec.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"control-codec.d.ts","sourceRoot":"","sources":["../src/control-codec.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"control-codec.d.ts","sourceRoot":"","sources":["../src/control-codec.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,mBAAmB,GAC3B;IACE,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,KAAK,EAAE;QACd,QAAQ,CAAC,IAAI,EAAE;YAAE,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAA;SAAE,CAAC;QAC9C,QAAQ,CAAC,IAAI,EAAE;YAAE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;SAAE,CAAC;KAC1C,CAAC;CACH,GACD;IACE,QAAQ,CAAC,IAAI,EAAE,qBAAqB,CAAC;IACrC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB,CAAC;AAEN,MAAM,MAAM,qBAAqB,GAAG;IAClC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,CAAC;IACjC,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACvC,CAAC;AAEF,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,qBAAqB,GAAG,UAAU,CAU/E;AAED,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,UAAU,GAAG,mBAAmB,CAwB1E"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"control-codec.js","sourceRoot":"","sources":["../src/control-codec.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"control-codec.js","sourceRoot":"","sources":["../src/control-codec.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAyBpC,MAAM,UAAU,oBAAoB,CAAC,OAA8B;IACjE,QAAQ,OAAO,CAAC,IAAI,EAAE,CAAC;QACrB,KAAK,YAAY;YACf,OAAO,YAAY,CAAC;gBAClB,IAAI,EAAE,YAAY;gBAClB,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,IAAI,EAAE,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;gBACvB,GAAG,EAAE,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;aAC/E,CAAC,CAAC;IACP,CAAC;AACH,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,MAAkB;IACnD,MAAM,QAAQ,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAE/C,QAAQ,SAAS,EAAE,CAAC;QAClB,KAAK,YAAY;YACf,OAAO;gBACL,IAAI,EAAE,YAAY;gBAClB,KAAK,EAAE;oBACL,IAAI,EAAE,EAAE,QAAQ,EAAE,WAAW,CAAC,QAAQ,EAAE,cAAc,CAAC,EAAE;oBACzD,IAAI,EAAE,EAAE,IAAI,EAAE,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE;iBACjD;aACF,CAAC;QACJ,KAAK,qBAAqB;YACxB,OAAO;gBACL,IAAI,EAAE,qBAAqB;gBAC3B,EAAE,EAAE,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC;gBAC9B,QAAQ,EAAE,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC;gBAC1C,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;gBAC/D,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;aAChE,CAAC;QACJ;YACE,MAAM,IAAI,KAAK,CAAC,+BAA+B,SAAS,EAAE,CAAC,CAAC;IAChE,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,QAAiC;IACrD,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IACvC,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,CAAC,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC;IACpD,IAAI,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;IACvF,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACrB,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,YAAY,CAAC,MAAkB;IACtC,IAAI,MAAM,CAAC,UAAU,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;IACzF,IAAI,MAAM,CAAC,UAAU,GAAG,CA
AC,GAAG,WAAW,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,MAAM,CAAC,UAAU,KAAK,CAAC,GAAG,WAAW,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IAED,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAA4B,CAAC;AACzE,CAAC;AAED,SAAS,UAAU,CAAC,QAAiC,EAAE,GAAW;IAChE,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC5B,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,yCAAyC,GAAG,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,WAAW,CAAC,QAAiC,EAAE,GAAW;IACjE,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC5B,IAAI,OAAO,KAAK,KAAK,SAAS,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,0CAA0C,GAAG,EAAE,CAAC,CAAC;IACnE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,UAAU,CAAC,QAAiC,EAAE,GAAW;IAChE,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC5B,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,yCAAyC,GAAG,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,SAAS,CAAC,QAAiC,EAAE,GAAW;IAC/D,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC5B,IAAI,KAAK,YAAY,MAAM,EAAE,CAAC;QAC5B,OAAO,KAAK,CAAC,MAAM,CAAC;IACtB,CAAC;IACD,IAAI,KAAK,YAAY,UAAU,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,uCAAuC,GAAG,EAAE,CAAC,CAAC;AAChE,CAAC"}
|
package/dist/control.d.ts
CHANGED
|
@@ -1,4 +1,18 @@
|
|
|
1
|
-
import type {
|
|
1
|
+
import type { SandboxControlCommand, SandboxControlEvent } from "./control-codec.ts";
|
|
2
|
+
export interface SandboxControl extends Transport<SandboxControlEvent, SandboxControlCommand> {
|
|
3
|
+
exec(input: {
|
|
4
|
+
readonly id?: string;
|
|
5
|
+
readonly argv: readonly string[];
|
|
6
|
+
readonly env?: Record<string, string>;
|
|
7
|
+
}): Promise<Extract<SandboxControlEvent, {
|
|
8
|
+
type: "guest.exec.complete";
|
|
9
|
+
}>>;
|
|
10
|
+
}
|
|
11
|
+
export interface Transport<TIncoming = unknown, TOutgoing = unknown> {
|
|
12
|
+
readonly incoming: AsyncIterable<TIncoming>;
|
|
13
|
+
send(message: TOutgoing): Promise<void>;
|
|
14
|
+
close(): Promise<void>;
|
|
15
|
+
}
|
|
2
16
|
export interface HostControlChannel {
|
|
3
17
|
readonly packets: AsyncIterable<Uint8Array>;
|
|
4
18
|
writeControlPacket(packet: Uint8Array): void;
|
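Review bot: The `exec` input on `SandboxControl` accepts only `id`, `argv` and `env`, so a caller has no way to bound how much output or how much time a guest command may consume. The result is a single `guest.exec.complete` event, and the README in this release describes `exec` as buffering stdout and stderr until the process exits, so the amount of host memory held appears to be decided by the guest workload. Consider optional limits in the input type, for example `readonly maxOutputBytes?: number;` and `readonly timeoutMs?: number;`, or at least a TSDoc line on `exec` such as `/** Buffers all guest stdout/stderr in host memory; no size or time limit is applied. */`. The implementation is not in this section, so whether a cap exists elsewhere should be confirmed.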
package/dist/control.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"control.d.ts","sourceRoot":"","sources":["../src/control.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,
|
|
1
|
+
{"version":3,"file":"control.d.ts","sourceRoot":"","sources":["../src/control.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,qBAAqB,EACrB,mBAAmB,EACpB,MAAM,oBAAoB,CAAC;AAM5B,MAAM,WAAW,cAAe,SAAQ,SAAS,CAAC,mBAAmB,EAAE,qBAAqB,CAAC;IAC3F,IAAI,CAAC,KAAK,EAAE;QACV,QAAQ,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,CAAC;QACjC,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KACvC,GAAG,OAAO,CAAC,OAAO,CAAC,mBAAmB,EAAE;QAAE,IAAI,EAAE,qBAAqB,CAAA;KAAE,CAAC,CAAC,CAAC;CAC5E;AAED,MAAM,WAAW,SAAS,CAAC,SAAS,GAAG,OAAO,EAAE,SAAS,GAAG,OAAO;IACjE,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IAC5C,IAAI,CAAC,OAAO,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACxC,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACxB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,UAAU,CAAC,CAAC;IAC5C,kBAAkB,CAAC,MAAM,EAAE,UAAU,GAAG,IAAI,CAAC;CAC9C;AAED,qBAAa,oBAAqB,YAAW,cAAc;;IACzD,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC,mBAAmB,CAAC,CAAC;IAWtD,YAAY,OAAO,GAAE;QACnB,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC;QAC7B,QAAQ,CAAC,OAAO,CAAC,EAAE,kBAAkB,CAAC;KAClC,EAeL;IAEK,IAAI,CAAC,OAAO,EAAE,qBAAqB,GAAG,OAAO,CAAC,IAAI,CAAC,CAMxD;IAEK,IAAI,CAAC,KAAK,EAAE;QAChB,QAAQ,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,CAAC;QACjC,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KACvC,GAAG,OAAO,CAAC,OAAO,CAAC,mBAAmB,EAAE;QAAE,IAAI,EAAE,qBAAqB,CAAA;KAAE,CAAC,CAAC,CAqBzE;IAEK,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAQ3B;IAED,IAAI,CAAC,KAAK,EAAE,mBAAmB,GAAG,IAAI,CAGrC;CA4DF"}
|