@torkbot/sandbox 0.1.1 → 0.2.0

package/dist/index.js

@@ -1,176 +1,85 @@
+import { builtInRootfsIdentity, builtInRootfsPath, } from "./artifacts.js";
 import { HostControlTransport } from "./control.js";
 import { HostProcessSandboxVm } from "./host-process.js";
-import { createSandboxHostFileSystemTools } from "./host-filesystem-tools.js";
-import { isSandboxWritableFileSystem } from "./vfs.js";
-export { HostControlTransport } from "./control.js";
-export function projectKernel(options = {}) {
-    return {
-        kind: "project-kernel",
-        ...options,
-    };
-}
-export function projectInit() {
-    return {
-        kind: "project-init",
-        crate: "sandbox-init",
-    };
-}
-export function prebuiltRootfs(path, options) {
-    return {
-        kind: "prebuilt-rootfs",
-        path,
-        readonly: options.readonly ?? true,
-        format: options.format,
-    };
-}
-export function scratchFs() {
-    return {
-        kind: "scratch-fs",
-    };
-}
-export function linuxOverlayFs(input) {
-    return {
-        kind: "linux-overlay-fs",
-        lower: input.lower,
-        upper: input.upper,
-    };
-}
-export function virtualFsMount(path, fileSystem) {
+import { createMemoryFileSystem } from "./memory-fs.js";
+import { isSandboxPosixFileSystem, isSandboxWritableFileSystem, } from "./vfs.js";
+const networkPolicyHandler = Symbol("networkPolicyHandler");
+export const rootfs = {
+    builtIn(name) {
+        return {
+            kind: "built-in-rootfs",
+            name,
+        };
+    },
+    cow(options) {
+        return {
+            kind: "cow-rootfs",
+            base: options.base,
+            writable: options.writable,
+        };
+    },
+};
+function virtualFs(fileSystem) {
     return {
         kind: "virtual-fs",
-        path,
         fileSystem,
     };
 }
-export function mount(path, fileSystem) {
-    return virtualFsMount(path, fileSystem);
-}
-export function binding(path, fileSystem) {
-    return {
-        kind: "filesystem-binding",
-        path,
-        fileSystem,
-    };
-}
-export function acceptTcp(input) {
-    return {
-        action: "accept",
-        protocol: "tcp",
-        cidr: input.cidr,
-        ports: input.ports,
-    };
-}
-export function acceptUdp(input) {
-    return {
-        action: "accept",
-        protocol: "udp",
-        cidr: input.cidr,
-        ports: input.ports,
-    };
-}
-export function acceptPublicInternet(input = {}) {
-    return {
-        action: "accept",
-        scope: "public-internet",
-        ports: input.ports,
-    };
-}
-export async function spawnSandbox(options) {
-    validateSandboxOptions(options);
-    const hostOptions = toHostSpawnOptions(options, []);
-    const hostVm = await HostProcessSandboxVm.spawn(options, hostOptions, new Map());
-    return new HostBackedSandboxVm(hostVm, options);
-}
-export function createSandbox(options) {
-    validateSandboxOptions(options);
-    return new ConfiguredSandboxBuilder(options);
+export const fs = {
+    memory: createMemoryFileSystem,
+    virtual: virtualFs,
+};
+export const network = {
+    policy(onConnectionRequest) {
+        return {
+            kind: "network-policy",
+            [networkPolicyHandler]: onConnectionRequest,
+        };
+    },
+};
+export function defineSandbox(options) {
+    validateSandboxDefinitionOptions(options);
+    return new DefinedSandbox(options);
 }
-class ConfiguredSandboxBuilder {
-    http;
+class DefinedSandbox {
     #options;
-    #requestHeaderHooks = new Set();
-    #nextRequestHeaderHookId = 1;
-    #runStarted = false;
-    #vm = null;
-    #closed = false;
     constructor(options) {
         this.#options = options;
-        this.http = {
-            onRequest: (selector, hook) => {
-                this.#assertOpen();
-                if (this.#runStarted) {
-                    throw new Error("sandbox has already been run");
-                }
-                const registration = {
-                    id: `http-request-headers-${this.#nextRequestHeaderHookId++}`,
-                    selector,
-                    hook,
-                    active: true,
-                };
-                this.#requestHeaderHooks.add(registration);
-                return new ConfiguredSandboxHttpHook(this, registration);
-            },
-        };
-    }
-    async run() {
-        this.#assertOpen();
-        if (this.#runStarted) {
-            throw new Error("sandbox has already been run");
-        }
-        this.#runStarted = true;
-        const registrations = Array.from(this.#requestHeaderHooks);
-        const hostOptions = toHostSpawnOptions(this.#options, registrations);
-        const hostVm = await HostProcessSandboxVm.spawn(this.#options, hostOptions, new Map(registrations.map((registration) => [registration.id, registration])));
-        this.#vm = new HostBackedSandboxVm(hostVm, this.#options);
-        return this.#vm;
-    }
-    async [Symbol.asyncDispose]() {
-        if (this.#closed) {
-            return;
-        }
-        this.#closed = true;
-        await this.#vm?.close();
-        this.#requestHeaderHooks.clear();
     }
-    async removeHook(registration) {
-        registration.active = false;
-        this.#requestHeaderHooks.delete(registration);
-    }
-    #assertOpen() {
-        if (this.#closed) {
-            throw new Error("sandbox is closed");
+    async boot(options = {}) {
+        validateSandboxBootOptions(options);
+        const networkPolicy = this.#options.network === undefined
+            ? undefined
+            : createNetworkPolicyHookRegistration(this.#options.network);
+        const launchOptions = await toInternalSandboxOptions(this.#options, options, networkPolicy?.network);
+        try {
+            validateInternalSandboxOptions(launchOptions);
+            const hostOptions = toHostSpawnOptions(launchOptions, networkPolicy?.hooks ?? []);
+            const hostVm = await HostProcessSandboxVm.spawn(launchOptions, hostOptions, new Map((networkPolicy?.hooks ?? []).map((hook) => [hook.id, hook])));
+            return new HostBackedSandboxVm(hostVm, launchOptions);
         }
-    }
-}
-class ConfiguredSandboxHttpHook {
-    #sandbox;
-    #registration;
-    #disposed = false;
-    constructor(sandbox, registration) {
-        this.#sandbox = sandbox;
-        this.#registration = registration;
-    }
-    async [Symbol.asyncDispose]() {
-        if (this.#disposed) {
-            return;
+        catch (error) {
+            throw error;
         }
-        this.#disposed = true;
-        await this.#sandbox.removeHook(this.#registration);
     }
 }
 class HostBackedSandboxVm {
-    mounts;
     control;
     diagnostics;
+    #exec;
+    #rootExec;
+    #options;
     #hostVm;
     #closed = false;
     constructor(hostVm, options) {
         this.#hostVm = hostVm;
-        this.mounts = new ConfiguredSandboxMounts(options.mounts ?? [], options.bindings ?? []);
+        this.#options = options;
         this.control = new HostControlTransport({
             connected: hostVm.hasControlSocket,
             channel: hostVm,
         });
+        this.#exec = new ControlBackedSandboxExec(this.control, options.cwd);
+        this.#rootExec = new ControlBackedSandboxExec(this.control, "/");
         if (hostVm.terminateHostForTest !== undefined) {
             this.diagnostics = {
                 terminateHostForTest: () => hostVm.terminateHostForTest?.() ?? Promise.resolve(),
@@ -182,65 +91,80 @@ class HostBackedSandboxVm {
             return;
         }
         this.#closed = true;
-        await this.control.close();
-        await this.#hostVm.close();
-    }
-    async [Symbol.asyncDispose]() {
-        await this.close();
-    }
-}
-class ConfiguredSandboxMounts {
-    #mounts = new Map();
-    #virtualMounts = new Map();
-    #hostTools = new Map();
-    constructor(mounts, bindings) {
-        for (const mount of mounts) {
-            this.#mounts.set(mount.path, mount.fileSystem);
-            this.#virtualMounts.set(mount.path, mount.fileSystem);
-            this.#hostTools.set(mount.path, createSandboxHostFileSystemTools(mount.fileSystem));
+        let syncError;
+        if (this.#options.rootfs.storage !== undefined) {
+            try {
+                const result = await this.#rootExec.exec("/bin/sync");
+                if (result.exitCode !== 0) {
+                    throw new Error(`sandbox close sync failed with exit code ${result.exitCode}: ${result.stderr}`);
+                }
+            }
+            catch (error) {
+                syncError = error;
+            }
         }
-        for (const binding of bindings) {
-            this.#hostTools.set(binding.path, createSandboxHostFileSystemTools(binding.fileSystem));
+        try {
+            await this.control.close();
+            await this.#hostVm.close();
         }
-    }
-    get(path) {
-        const mount = this.#mounts.get(path);
-        if (mount === undefined) {
-            throw new Error(`sandbox mount not found: ${path}`);
+        finally {
         }
-        return mount;
-    }
-    virtualFs(path) {
-        const mount = this.#virtualMounts.get(path);
-        if (mount === undefined) {
-            throw new Error(`virtualFs mount not found: ${path}`);
+        if (syncError !== undefined) {
+            throw syncError;
         }
-        return mount;
     }
-    host(path) {
-        const tools = this.#hostTools.get(path);
-        if (tools === undefined) {
-            throw new Error(`host filesystem tools not found: ${path}`);
-        }
-        return tools;
+    async [Symbol.asyncDispose]() {
+        await this.close();
+    }
+    async exec(command, args = [], options = {}) {
+        return await this.#exec.exec(command, args, options);
+    }
+}
+class ControlBackedSandboxExec {
+    #control;
+    #cwd;
+    constructor(control, cwd) {
+        this.#control = control;
+        this.#cwd = cwd;
+    }
+    async exec(command, args = [], options = {}) {
+        const cwd = options.cwd ?? this.#cwd;
+        const env = cwd === undefined
+            ? options.env
+            : {
+                ...options.env,
+                SANDBOX_EXEC_CWD: cwd,
+                PWD: cwd,
+            };
+        const argv = cwd === undefined
+            ? [command, ...args]
+            : ["/bin/sh", "-lc", "cd \"$SANDBOX_EXEC_CWD\" && exec \"$@\"", "sandbox-exec", command, ...args];
+        const result = await this.#control.exec({
+            argv,
+            env,
+        });
+        return {
+            exitCode: result.exitCode,
+            stdout: result.stdout,
+            stderr: result.stderr,
+        };
     }
 }
 function toHostSpawnOptions(options, requestHeaderHooks) {
-    const rootfs = lowerNativeRootfs(options.rootfs);
     if ((requestHeaderHooks.length > 0 || options.network?.http !== undefined)
         && options.network?.outbound === undefined) {
-        throw new Error("invalid spawnSandbox options: network.outbound is required when HTTP interception is configured");
+        throw new Error("invalid sandbox options: network.outbound is required when HTTP interception is configured");
     }
     const network = options.network === undefined && requestHeaderHooks.length === 0
         ? undefined
         : {
             outbound: options.network?.outbound,
             http: requestHeaderHooks.length === 0
-                && options.network?.http?.certificateAuthority === undefined
+                && options.network?.http?.caCertificatePem === undefined
                 ? undefined
                 : {
-                    caCertificatePem: options.network?.http?.certificateAuthority?.certificatePem,
-                    caPrivateKeyPem: options.network?.http?.certificateAuthority?.privateKeyPem,
+                    caCertificatePem: options.network?.http?.caCertificatePem,
+                    caPrivateKeyPem: options.network?.http?.caPrivateKeyPem,
                     requestHeaderHooks: requestHeaderHooks.map((hook) => ({
                         id: hook.id,
                         origin: hook.selector.origin,
@@ -248,26 +172,22 @@ function toHostSpawnOptions(options, requestHeaderHooks) {
                 },
         };
     return {
-        name: options.name,
-        cpu: options.cpu,
-        memory: options.memory,
         kernel: {
-            format: options.kernel.format,
+            format: undefined,
         },
-        init: {
-            crateName: options.init.crate,
+        cpu: {
+            vcpus: options.resources?.cpus,
+        },
+        memory: {
+            mib: options.resources?.memoryMiB,
         },
-        rootfs: {
-            path: rootfs.path,
-            readonly: rootfs.readonly,
-            format: rootfs.format,
+        init: {
+            crateName: "sandbox-init",
         },
-        rootfsOverlay: options.rootfs.kind === "linux-overlay-fs"
-            ? { mode: "writable" }
-            : undefined,
+        rootfs: options.rootfs,
         mounts: options.mounts?.map((mount) => {
             return {
-                kind: mount.kind,
+                kind: "virtual-fs",
                 path: mount.path,
                 writable: isSandboxWritableFileSystem(mount.fileSystem),
             };
@@ -275,56 +195,187 @@ function toHostSpawnOptions(options, requestHeaderHooks) {
         network,
     };
 }
-function lowerNativeRootfs(rootfs) {
-    if (rootfs.kind === "prebuilt-rootfs") {
-        return rootfs;
+async function toInternalSandboxOptions(config, boot, network) {
+    const rootfs = await lowerRootfs(config.rootfs);
+    return {
+        resources: config.resources,
+        rootfs,
+        cwd: boot.cwd,
+        mounts: Object.entries(boot.mounts ?? {}).map(([path, source]) => {
+            return {
+                path,
+                fileSystem: source.fileSystem,
+            };
+        }),
+        network,
+    };
+}
+function createNetworkPolicyHookRegistration(policy) {
+    const hook = async (request) => {
+        const grants = [];
+        const connection = {
+            transport: "tcp",
+            host: request.url.hostname,
+            ip: request.destination.upstreamIp,
+            port: request.destination.upstreamPort,
+            allow() {
+                grants.push({ kind: "http" });
+                return {};
+            },
+            allowHttp(middleware) {
+                grants.push({ kind: "http", middleware });
+                return {};
+            },
+        };
+        await policy[networkPolicyHandler](connection);
+        if (grants.length === 0) {
+            throw new Error(`network connection denied: ${request.url.origin}`);
+        }
+        for (const grant of grants) {
+            if (grant.kind === "http") {
+                await grant.middleware?.(request);
+            }
+        }
+    };
+    const hooks = [
+        {
+            id: "network-policy-http",
+            selector: { origin: "http://*" },
+            hook,
+            active: true,
+        },
+        {
+            id: "network-policy-https",
+            selector: { origin: "https://*" },
+            hook,
+            active: true,
+        },
+    ];
+    return {
+        hooks,
+        network: {
+            outbound: {
+                policy: "deny",
+                rules: [
+                    { action: "accept", scope: "public-internet", ports: [] },
+                    { action: "accept", protocol: "udp", cidr: "10.0.2.1/32", ports: [53] },
+                ],
+            },
+        },
+    };
+}
+async function lowerRootfs(rootfs) {
+    switch (rootfs.kind) {
+        case "built-in-rootfs":
+            return {
+                path: builtInRootfsPath(rootfs.name),
+                readonly: true,
+                format: "erofs",
+            };
+        case "cow-rootfs":
+            return {
+                path: builtInRootfsPath(rootfs.base.name, "ext4"),
+                readonly: false,
+                format: "ext4",
+                storage: {
+                    kind: "cow-block-store",
+                    blockSize: rootfs.writable.blockSize,
+                    blockStore: rootfs.writable,
+                    context: {
+                        base: builtInRootfsIdentity(rootfs.base.name, "ext4"),
+                    },
+                },
+            };
+    }
+}
+function validateRootfs(rootfs) {
+    switch (rootfs.kind) {
+        case "built-in-rootfs":
+            validateBuiltInRootfsName(rootfs.name);
+            return;
+        case "cow-rootfs":
+            if (rootfs.base.kind !== "built-in-rootfs") {
+                throw new Error("invalid sandbox definition: rootfs.cow base must be created with rootfs.builtIn(...)");
+            }
+            validateBuiltInRootfsName(rootfs.base.name);
+            validateBlockStore(rootfs.writable);
+            return;
+        default:
+            throw new Error("invalid sandbox definition: rootfs must be created with rootfs.builtIn(...) or rootfs.cow(...)");
     }
-    if (rootfs.lower.kind !== "prebuilt-rootfs") {
-        throw new Error(`rootfs ${rootfs.kind} lower ${rootfs.lower.kind} is not implemented yet`);
+}
+function validateBlockStore(blockStore) {
+    if (!Number.isInteger(blockStore.blockSize) || blockStore.blockSize <= 0) {
+        throw new Error("invalid sandbox definition: rootfs COW block size must be a positive integer");
     }
-    if (rootfs.upper.kind !== "scratch-fs") {
-        throw new Error(`rootfs ${rootfs.kind} upper ${rootfs.upper.kind} is not implemented yet`);
+    if (blockStore.blockSize % 512 !== 0) {
+        throw new Error("invalid sandbox definition: rootfs COW block size must be a multiple of 512 bytes");
+    }
+    if (typeof blockStore.list !== "function") {
+        throw new Error("invalid sandbox definition: rootfs COW block store must provide list()");
+    }
+    if (typeof blockStore.read !== "function") {
+        throw new Error("invalid sandbox definition: rootfs COW block store must provide read()");
+    }
+    if (typeof blockStore.write !== "function") {
+        throw new Error("invalid sandbox definition: rootfs COW block store must provide write()");
+    }
+}
+function validateSandboxDefinitionOptions(options) {
+    validateRootfs(options.rootfs);
+    if (options.resources?.cpus !== undefined && (!Number.isInteger(options.resources.cpus) || options.resources.cpus <= 0)) {
+        throw new Error("invalid sandbox definition: resources.cpus must be a positive integer");
+    }
+    if (options.resources?.cpus !== undefined && options.resources.cpus > 255) {
+        throw new Error("invalid sandbox definition: resources.cpus must be less than or equal to 255");
+    }
+    if (options.resources?.memoryMiB !== undefined
+        && (!Number.isInteger(options.resources.memoryMiB) || options.resources.memoryMiB <= 0)) {
+        throw new Error("invalid sandbox definition: resources.memoryMiB must be a positive integer");
+    }
+    if (options.network !== undefined && options.network.kind !== "network-policy") {
+        throw new Error("invalid sandbox definition: network must be created with network.policy(...)");
+    }
+}
+function validateBuiltInRootfsName(name) {
+    if (name !== "alpine:3.20") {
+        throw new Error(`unsupported built-in rootfs: ${name}`);
     }
-    return {
-        ...rootfs.lower,
-        readonly: true,
-    };
 }
-function validateSandboxOptions(options) {
-    if (options.cpu?.vcpus !== undefined && (!Number.isInteger(options.cpu.vcpus) || options.cpu.vcpus <= 0)) {
-        throw new Error("invalid spawnSandbox options: cpu.vcpus must be greater than zero");
+function validateSandboxBootOptions(options) {
+    const mountPaths = new Set();
+    for (const [path, source] of Object.entries(options.mounts ?? {})) {
+        validateGuestPath(path, "mount.path");
+        if (mountPaths.has(path)) {
+            throw new Error(`invalid sandbox boot options: duplicate mount path: ${path}`);
+        }
+        if (isSandboxWritableFileSystem(source.fileSystem)
+            && !isSandboxPosixFileSystem(source.fileSystem)) {
+            throw new Error(`invalid sandbox boot options: writable mount must implement the POSIX filesystem interface: ${path}`);
+        }
+        mountPaths.add(path);
     }
-    if (options.cpu?.vcpus !== undefined && options.cpu.vcpus > 255) {
-        throw new Error("invalid spawnSandbox options: cpu.vcpus must be less than or equal to 255");
+    if (options.cwd !== undefined && !options.cwd.startsWith("/")) {
+        throw new Error("invalid sandbox boot options: cwd must be absolute");
     }
-    if (options.memory?.mib !== undefined && (!Number.isInteger(options.memory.mib) || options.memory.mib <= 0)) {
-        throw new Error("invalid spawnSandbox options: memory.mib must be greater than zero");
+}
+function validateInternalSandboxOptions(options) {
+    if (options.rootfs.path.length === 0) {
+        throw new Error("invalid sandbox options: rootfs.path must not be empty");
     }
-    if (options.init.crate !== "sandbox-init") {
-        throw new Error(`invalid spawnSandbox options: unsupported init crate: ${options.init.crate}`);
+    if (options.rootfs.format !== "erofs" && options.rootfs.format !== "ext4") {
+        throw new Error("invalid sandbox options: rootfs.format must be erofs or ext4");
     }
-    validateRootfsConfig(options.rootfs, "rootfs");
     const mountPaths = new Set();
     for (const mount of options.mounts ?? []) {
         validateGuestPath(mount.path, "mount.path");
         if (mountPaths.has(mount.path)) {
-            throw new Error(`invalid spawnSandbox options: duplicate mount path: ${mount.path}`);
+            throw new Error(`invalid sandbox options: duplicate mount path: ${mount.path}`);
         }
         mountPaths.add(mount.path);
     }
-    const bindingPaths = new Set();
-    for (const binding of options.bindings ?? []) {
-        validateGuestPath(binding.path, "binding.path");
-        if (mountPaths.has(binding.path)) {
-            throw new Error(`invalid spawnSandbox options: binding path conflicts with mount path: ${binding.path}`);
-        }
-        if (bindingPaths.has(binding.path)) {
-            throw new Error(`invalid spawnSandbox options: duplicate binding path: ${binding.path}`);
-        }
-        bindingPaths.add(binding.path);
-    }
     if (options.network?.outbound?.policy !== undefined && options.network.outbound.policy !== "deny") {
-        throw new Error("invalid spawnSandbox options: network.outbound.policy must be deny");
+        throw new Error("invalid sandbox options: network.outbound.policy must be deny");
     }
     for (const rule of options.network?.outbound?.rules ?? []) {
         if ("cidr" in rule) {
@@ -333,71 +384,50 @@ function validateSandboxOptions(options) {
         validateOutboundPorts(rule.ports);
     }
 }
-function validateRootfsConfig(rootfs, field) {
-    if (rootfs.kind === "prebuilt-rootfs") {
-        if (rootfs.path.length === 0) {
-            throw new Error(`invalid spawnSandbox options: ${field}.path must not be empty`);
-        }
-        if (rootfs.format === "directory") {
-            const prefix = field === "rootfs" ? "" : `${field} `;
-            throw new Error(`invalid spawnSandbox options: ${prefix}directory rootfs is not supported for sandboxed VM launch; use an EROFS rootfs`);
-        }
-        return;
-    }
-    if (rootfs.kind === "linux-overlay-fs") {
-        validateRootfsConfig(rootfs.lower, `${field}.lower`);
-        validateRootfsConfig(rootfs.upper, `${field}.upper`);
-        return;
-    }
-    if (rootfs.kind === "scratch-fs") {
-        return;
-    }
-    throw new Error(`invalid spawnSandbox options: unsupported ${field} kind`);
-}
 function validateGuestPath(path, field) {
     if (!path.startsWith("/")) {
-        throw new Error(`invalid spawnSandbox options: ${field} must be absolute`);
+        throw new Error(`invalid sandbox options: ${field} must be absolute`);
     }
     if (path === "/") {
-        throw new Error(`invalid spawnSandbox options: ${field} must not be root`);
+        throw new Error(`invalid sandbox options: ${field} must not be root`);
     }
     if (path.includes("\0")) {
-        throw new Error(`invalid spawnSandbox options: ${field} must not contain NUL bytes`);
+        throw new Error(`invalid sandbox options: ${field} must not contain NUL bytes`);
     }
     if (path.split("/").some((component) => component === "." || component === "..")) {
-        throw new Error(`invalid spawnSandbox options: ${field} must not contain '.' or '..' components`);
+        throw new Error(`invalid sandbox options: ${field} must not contain '.' or '..' components`);
     }
 }
 function validateOutboundPorts(ports) {
     for (const port of ports ?? []) {
         if (!Number.isInteger(port) || port < 1 || port > 65_535) {
-            throw new Error(`invalid spawnSandbox options: invalid outbound network port: ${port}`);
+            throw new Error(`invalid sandbox options: invalid outbound network port: ${port}`);
         }
     }
 }
 function validateCidr(range) {
     const [address, prefixText, extra] = range.split("/");
     if (address === undefined || prefixText === undefined || extra !== undefined) {
-        throw new Error(`invalid spawnSandbox options: invalid CIDR range: ${range}`);
+        throw new Error(`invalid sandbox options: invalid CIDR range: ${range}`);
     }
     const prefix = Number(prefixText);
     if (!Number.isInteger(prefix)) {
-        throw new Error(`invalid spawnSandbox options: invalid CIDR prefix: ${range}`);
+        throw new Error(`invalid sandbox options: invalid CIDR prefix: ${range}`);
     }
     if (address.includes(":")) {
         if (prefix < 0 || prefix > 128) {
-            throw new Error(`invalid spawnSandbox options: invalid CIDR prefix: ${range}`);
+            throw new Error(`invalid sandbox options: invalid CIDR prefix: ${range}`);
         }
         if (parseIpv6Address(address) === null) {
-            throw new Error(`invalid spawnSandbox options: invalid CIDR address: ${range}`);
+            throw new Error(`invalid sandbox options: invalid CIDR address: ${range}`);
         }
-        throw new Error(`invalid spawnSandbox options: IPv6 outbound CIDR ranges are not supported yet: ${range}`);
+        throw new Error(`invalid sandbox options: IPv6 outbound CIDR ranges are not supported yet: ${range}`);
     }
     if (prefix < 0 || prefix > 32) {
-        throw new Error(`invalid spawnSandbox options: invalid CIDR prefix: ${range}`);
+        throw new Error(`invalid sandbox options: invalid CIDR prefix: ${range}`);
     }
     if (parseIpv4Address(address) === null) {
-        throw new Error(`invalid spawnSandbox options: invalid CIDR address: ${range}`);
+        throw new Error(`invalid sandbox options: invalid CIDR address: ${range}`);
     }
 }
 function parseIpv4Address(address) {