@vibecodetown/mcp-server 2.1.0

package/build/tools/vibe_pm/run_app.js

@@ -0,0 +1,597 @@
+// adapters/mcp-ts/src/tools/vibe_pm/run_app.ts
+// vibe_pm.run_app - One-click application launch
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { spawn, spawnSync } from "node:child_process";
+import { createHash } from "node:crypto";
+import { resolveRunDir, resolveRunId } from "./context.js";
+import { buildPodmanRunCommand, filterContainerEnvAllowlist, normalizeMounts, normalizePorts } from "./run_app_podman.js";
+/**
+ * vibe_pm.run_app - Auto-detect project type and run
+ *
+ * Steps:
+ * 1. Detect project type (Node.js vs Python)
+ * 2. Determine run command based on mode
+ * 3. Start process in background
+ * 4. Return URL and PID
+ */
+export async function runApp(input) {
+    const basePath = process.cwd();
+    const mode = input.mode ?? "dev";
+    const customPort = input.port;
+    const container = input.container ?? "none";
+    // Step 1: Detect project type and get run info
+    const projectInfo = detectProject(basePath, mode, customPort);
+    if (projectInfo.type === "unknown") {
+        return {
+            success: false,
+            command_executed: "detect_project",
+            message: "프로젝트 유형을 감지할 수 없습니다. package.json 또는 requirements.txt가 필요합니다.",
+            runtime: "host"
+        };
+    }
+    if (container === "podman") {
+        return await runAppWithPodman(input, basePath, mode, projectInfo);
+    }
+    const opaInput = buildOpaPolicyInput(basePath, projectInfo.command, projectInfo.args, {
+        paths: [basePath],
+        runtime: "host"
+    });
+    const opaDecision = evaluateOpaGate(basePath, opaInput);
+    if (!opaDecision.allow) {
+        return {
+            success: false,
+            command_executed: `${projectInfo.command} ${projectInfo.args.join(" ")}`.trim(),
+            message: formatOpaBlockMessage(opaDecision),
+            runtime: "host"
+        };
+    }
+    // Step 2: Start process
+    const fullCommand = `${projectInfo.command} ${projectInfo.args.join(" ")}`.trim();
+    try {
+        const child = spawn(projectInfo.command, projectInfo.args, {
+            cwd: basePath,
+            detached: true,
+            stdio: "ignore",
+            env: {
+                ...process.env,
+                PORT: String(projectInfo.port),
+                NODE_ENV: mode === "prod" ? "production" : "development"
+            }
+        });
+        // Unref to allow parent to exit independently
+        child.unref();
+        const pid = child.pid;
+        // Give the process a moment to start
+        await new Promise((resolve) => setTimeout(resolve, 500));
+        writeRunAppEvidenceBestEffort(basePath, {
+            runtime: "host",
+            mode,
+            port: projectInfo.port,
+            url: projectInfo.url,
+            command_executed: fullCommand,
+            process_id: pid
+        });
+        return {
+            success: true,
+            process_id: pid,
+            url: projectInfo.url,
+            command_executed: fullCommand,
+            message: `애플리케이션이 시작되었습니다. ${projectInfo.url} 에서 확인하세요.`,
+            runtime: "host"
+        };
+    }
+    catch (err) {
+        return {
+            success: false,
+            command_executed: fullCommand,
+            message: `실행 실패: ${err instanceof Error ? err.message : String(err)}`,
+            runtime: "host"
+        };
+    }
+}
+function stableShortHash(input) {
+    return createHash("sha256").update(input).digest("hex").slice(0, 12);
+}
+function readCurrentWorkOrderRunId(basePath) {
+    const workOrderPath = path.join(basePath, ".vibe", "state", "current_work_order.json");
+    if (!fs.existsSync(workOrderPath))
+        return null;
+    try {
+        const raw = JSON.parse(fs.readFileSync(workOrderPath, "utf-8"));
+        const runId = typeof raw?.run_id === "string" ? raw.run_id.trim() : "";
+        if (!runId)
+            return null;
+        if (runId.includes("..") || runId.includes("/") || runId.includes("\\") || runId.includes("\0")) {
+            return null;
+        }
+        return runId;
+    }
+    catch {
+        return null;
+    }
+}
+function resolveRunIdForSecurity(basePath) {
+    return readCurrentWorkOrderRunId(basePath) ?? resolveRunId(undefined, basePath).run_id;
+}
+function resolveSecurityDir(basePath, runId) {
+    try {
+        const resolved = resolveRunDir(runId, basePath);
+        const runDir = resolved?.run_dir ?? path.join(basePath, "runs", runId);
+        const securityDir = path.join(runDir, "security");
+        fs.mkdirSync(securityDir, { recursive: true });
+        return securityDir;
+    }
+    catch {
+        return null;
+    }
+}
+function writeJsonBestEffort(filePath, payload) {
+    try {
+        fs.mkdirSync(path.dirname(filePath), { recursive: true });
+        fs.writeFileSync(filePath, JSON.stringify(payload, null, 2), "utf-8");
+    }
+    catch {
+        // ignore
+    }
+}
+function normalizeOpaPath(value) {
+    return value.replace(/\\/g, "/");
+}
+function normalizeOpaPathRelative(basePath, value) {
+    const trimmed = value.trim();
+    if (!trimmed)
+        return "";
+    const absolute = path.isAbsolute(trimmed) ? trimmed : path.resolve(basePath, trimmed);
+    const relative = path.relative(basePath, absolute);
+    if (!relative)
+        return ".";
+    return normalizeOpaPath(relative);
+}
+function normalizeOpaPaths(basePath, values) {
+    const seen = new Set();
+    const out = [];
+    for (const raw of values) {
+        const normalized = normalizeOpaPathRelative(basePath, raw);
+        if (!normalized || seen.has(normalized))
+            continue;
+        seen.add(normalized);
+        out.push(normalized);
+    }
+    return out;
+}
+function buildOpaPolicyInput(basePath, command, args, opts) {
+    const cwd = normalizeOpaPath(basePath);
+    const paths = normalizeOpaPaths(basePath, opts?.paths ?? [basePath]);
+    const mounts = opts?.mounts ? normalizeOpaPaths(basePath, opts.mounts) : undefined;
+    return {
+        action: "run_app",
+        project_root: cwd,
+        request: {
+            command,
+            args,
+            cwd,
+            paths,
+            mounts
+        },
+        meta: {
+            tool: "vibe_pm.run_app",
+            runtime: opts?.runtime ?? "host"
+        }
+    };
+}
+function evaluateOpaGate(basePath, input) {
+    const runId = resolveRunIdForSecurity(basePath);
+    const securityDir = resolveSecurityDir(basePath, runId);
+    const inputPath = securityDir ? path.join(securityDir, "policy_input.json") : null;
+    const resultPath = securityDir ? path.join(securityDir, "policy_result.json") : null;
+    if (inputPath)
+        writeJsonBestEffort(inputPath, input);
+    const policyPath = path.join(basePath, "policy", "vibepm", "run_app.rego");
+    if (!fs.existsSync(policyPath)) {
+        const deny = {
+            allow: false,
+            reasons: ["OPA_POLICY_MISSING: policy file missing"],
+            matched_rules: ["OPA_POLICY_MISSING"]
+        };
+        if (resultPath)
+            writeJsonBestEffort(resultPath, deny);
+        return deny;
+    }
+    const opa = spawnSync("opa", ["eval", "-f", "json", "-I", "-d", policyPath, "data.vibepm.runapp"], { input: JSON.stringify(input), encoding: "utf-8", timeout: 1500 });
+    if (opa.error) {
+        const err = opa.error;
+        const missing = err?.code === "ENOENT";
+        const deny = {
+            allow: false,
+            reasons: [
+                missing ? "OPA_POLICY_MISSING: opa binary not found" : `OPA_POLICY_EVAL_FAILED: ${err.message ?? "unknown error"}`
+            ],
+            matched_rules: [missing ? "OPA_POLICY_MISSING" : "OPA_POLICY_EVAL_FAILED"]
+        };
+        if (resultPath)
+            writeJsonBestEffort(resultPath, deny);
+        return deny;
+    }
+    if (opa.status !== 0) {
+        const deny = {
+            allow: false,
+            reasons: [`OPA_POLICY_EVAL_FAILED: exit_code=${opa.status}`],
+            matched_rules: ["OPA_POLICY_EVAL_FAILED"]
+        };
+        if (resultPath)
+            writeJsonBestEffort(resultPath, deny);
+        return deny;
+    }
+    try {
+        const parsed = JSON.parse(opa.stdout || "{}");
+        const value = parsed?.result?.[0]?.expressions?.[0]?.value ?? {};
+        const allow = Boolean(value?.allow);
+        const reasons = Array.isArray(value?.reasons) ? value.reasons : [];
+        const matched_rules = Array.isArray(value?.matched_rules) ? value.matched_rules : [];
+        const result = { allow, reasons, matched_rules };
+        if (typeof value?.allow !== "boolean") {
+            const deny = {
+                allow: false,
+                reasons: ["OPA_POLICY_EVAL_FAILED: missing allow result"],
+                matched_rules: ["OPA_POLICY_EVAL_FAILED"]
+            };
+            if (resultPath)
+                writeJsonBestEffort(resultPath, deny);
+            return deny;
+        }
+        if (resultPath)
+            writeJsonBestEffort(resultPath, result);
+        return result;
+    }
+    catch (e) {
+        const deny = {
+            allow: false,
+            reasons: ["OPA_POLICY_EVAL_FAILED: invalid JSON output"],
+            matched_rules: ["OPA_POLICY_EVAL_FAILED"]
+        };
+        if (resultPath)
+            writeJsonBestEffort(resultPath, deny);
+        return deny;
+    }
+}
+function formatOpaBlockMessage(result) {
+    const text = `${result.reasons?.join(" ") ?? ""} ${(result.matched_rules ?? []).join(" ")}`.toLowerCase();
+    if (text.includes("missing")) {
+        return "OPA가 설치되어 있지 않거나 정책 파일이 없어 실행을 차단했습니다. OPA 설치/정책 파일을 확인하세요.";
+    }
+    if (text.includes("eval_failed")) {
+        return "OPA 평가에 실패하여 안전을 위해 실행을 차단했습니다. OPA 상태를 확인하세요.";
+    }
+    return "OPA 정책에서 허용되지 않은 커맨드/경로입니다. 정책을 만족하도록 수정하세요.";
+}
+function ensureDir(dirPath) {
+    fs.mkdirSync(dirPath, { recursive: true });
+}
+function writeRunAppEvidenceBestEffort(repoRootAbs, payload) {
+    try {
+        const dir = path.join(repoRootAbs, ".vibe", "evidence");
+        ensureDir(dir);
+        const ts = new Date().toISOString().replace(/[:.]/g, "-");
+        const file = path.join(dir, `run_app_runtime_${ts}.json`);
+        fs.writeFileSync(file, JSON.stringify(payload, null, 2), "utf-8");
+        return file;
+    }
+    catch {
+        return null;
+    }
+}
+async function assertPodmanAvailable() {
+    await new Promise((resolve, reject) => {
+        const p = spawn("podman", ["--version"], { stdio: ["ignore", "pipe", "pipe"] });
+        let out = "";
+        let err = "";
+        p.stdout.on("data", (d) => (out += String(d)));
+        p.stderr.on("data", (d) => (err += String(d)));
+        p.on("error", reject);
+        p.on("close", (code) => {
+            if (code === 0)
+                return resolve();
+            reject(new Error(`podman_unavailable: code=${code} out=${out} err=${err}`));
+        });
+    });
+}
+function defaultImageForProject(projectType) {
+    if (projectType === "node")
+        return "docker.io/library/node:20-bookworm";
+    if (projectType === "python")
+        return "docker.io/library/python:3.11-slim";
+    return "docker.io/library/ubuntu:24.04";
+}
+function shellQuoteArg(arg) {
+    // Best-effort: single-quote wrapping for /bin/sh -lc
+    return `'${arg.replace(/'/g, `'\"'\"'`)}'`;
+}
+function buildInsideCommand(projectInfo) {
+    const cmd = projectInfo.command;
+    const args = projectInfo.args.map(shellQuoteArg).join(" ");
+    const run = `${cmd} ${args}`.trim();
+    if (projectInfo.type === "node") {
+        // Avoid polluting host node_modules by mounting a volume at /work/node_modules.
+        // Install only if node_modules is missing.
+        return `if [ ! -d node_modules ]; then if [ -f package-lock.json ]; then npm ci; else npm install; fi; fi; ${run}`;
+    }
+    if (projectInfo.type === "python") {
+        // Install dependencies best-effort every time (pip cache volume reduces cost).
+        // If command is "uvicorn", prefer python -m uvicorn so requirements installation covers it.
+        if (cmd === "uvicorn") {
+            const uvArgs = projectInfo.args.map(shellQuoteArg).join(" ");
+            return `python -m pip install -r requirements.txt && python -m uvicorn ${uvArgs}`.trim();
+        }
+        return `python -m pip install -r requirements.txt && ${run}`;
+    }
+    return run;
+}
+async function runPodmanDetached(cmd) {
+    return await new Promise((resolve, reject) => {
+        const p = spawn(cmd.cmd, cmd.args, { stdio: ["ignore", "pipe", "pipe"] });
+        let out = "";
+        let err = "";
+        p.stdout.on("data", (d) => (out += String(d)));
+        p.stderr.on("data", (d) => (err += String(d)));
+        p.on("error", reject);
+        p.on("close", (code) => resolve({ exitCode: code ?? 1, stdout: out, stderr: err }));
+    });
+}
+async function runAppWithPodman(input, repoRootAbs, mode, projectInfo) {
+    const image = input.container_image ?? defaultImageForProject(projectInfo.type);
+    const runId = stableShortHash(`${repoRootAbs}:${Date.now()}`);
+    // mounts & ports
+    let mounts;
+    try {
+        mounts = normalizeMounts(repoRootAbs, input.container_mounts);
+    }
+    catch (e) {
+        return {
+            success: false,
+            command_executed: "podman run",
+            message: `컨테이너 마운트 설정이 허용되지 않습니다: ${e instanceof Error ? e.message : String(e)}`,
+            runtime: "podman"
+        };
+    }
+    const ports = normalizePorts(projectInfo.port, input.container_ports);
+    // env (allowlist + defaults)
+    const userEnv = filterContainerEnvAllowlist(input.container_env);
+    const env = {
+        ...userEnv,
+        PORT: String(projectInfo.port)
+    };
+    if (projectInfo.type === "node") {
+        env.NODE_ENV = mode === "prod" ? "production" : "development";
+    }
+    if (projectInfo.type === "python") {
+        env.PYTHONUNBUFFERED = env.PYTHONUNBUFFERED ?? "1";
+    }
+    // extra volumes (cache + node_modules safety)
+    const repoHash = stableShortHash(repoRootAbs);
+    const extraVolumes = [];
+    if (projectInfo.type === "node") {
+        extraVolumes.push({ name: `vibe-${repoHash}-node-modules`, containerPath: "/work/node_modules" }, { name: `vibe-${repoHash}-npm-cache`, containerPath: "/root/.npm" });
+    }
+    if (projectInfo.type === "python") {
+        extraVolumes.push({ name: `vibe-${repoHash}-pip-cache`, containerPath: "/root/.cache/pip" });
+    }
+    const insideCommand = buildInsideCommand(projectInfo);
+    const pod = buildPodmanRunCommand({
+        runNameSuffix: runId,
+        image,
+        mounts,
+        ports,
+        env,
+        insideCommand,
+        extraVolumes
+    });
+    const opaInput = buildOpaPolicyInput(repoRootAbs, pod.cmd, pod.args, {
+        paths: [repoRootAbs, ...mounts.map((m) => m.hostAbs)],
+        mounts: mounts.map((m) => m.hostAbs),
+        runtime: "podman"
+    });
+    const opaDecision = evaluateOpaGate(repoRootAbs, opaInput);
+    if (!opaDecision.allow) {
+        return {
+            success: false,
+            command_executed: pod.command_executed,
+            message: formatOpaBlockMessage(opaDecision),
+            runtime: "podman"
+        };
+    }
+    try {
+        await assertPodmanAvailable();
+    }
+    catch (e) {
+        return {
+            success: false,
+            command_executed: "podman --version",
+            message: `Podman 실행 불가: ${e instanceof Error ? e.message : String(e)}. container 옵션을 끄고(host) 다시 실행하세요.`,
+            runtime: "podman"
+        };
+    }
+    const evidencePath = writeRunAppEvidenceBestEffort(repoRootAbs, {
+        runtime: "podman",
+        mode,
+        image,
+        ports,
+        env_keys: Object.keys(env),
+        mounts,
+        extra_volumes: extraVolumes,
+        command_executed: pod.command_executed
+    });
+    const started = await runPodmanDetached(pod);
+    if (started.exitCode !== 0) {
+        return {
+            success: false,
+            command_executed: pod.command_executed,
+            message: `Podman 실행 실패(exit=${started.exitCode}). ${started.stderr.trim()}`,
+            runtime: "podman"
+        };
+    }
+    const containerId = started.stdout.trim().split(/\s+/)[0] || undefined;
+    // Give the container a moment to start
+    await new Promise((resolve) => setTimeout(resolve, 500));
+    writeRunAppEvidenceBestEffort(repoRootAbs, {
+        runtime: "podman",
+        container_id: containerId,
+        url: projectInfo.url,
+        evidence: evidencePath
+    });
+    return {
+        success: true,
+        url: projectInfo.url,
+        command_executed: pod.command_executed,
+        message: `애플리케이션이 시작되었습니다. ${projectInfo.url} 에서 확인하세요.`,
+        runtime: "podman",
+        container_id: containerId
+    };
+}
+/**
+ * Detect project type and determine run command
+ */
+function detectProject(basePath, mode, customPort) {
+    const packageJsonPath = path.join(basePath, "package.json");
+    const requirementsPath = path.join(basePath, "requirements.txt");
+    // Check for Node.js project
+    if (fs.existsSync(packageJsonPath)) {
+        return detectNodeProject(basePath, packageJsonPath, mode, customPort);
+    }
+    // Check for Python project
+    if (fs.existsSync(requirementsPath)) {
+        return detectPythonProject(basePath, mode, customPort);
+    }
+    return {
+        type: "unknown",
+        command: "",
+        args: [],
+        port: 3000,
+        url: ""
+    };
+}
+/**
+ * Detect Node.js project run command
+ */
+function detectNodeProject(basePath, packageJsonPath, mode, customPort) {
+    const port = customPort ?? 3000;
+    const url = `http://localhost:${port}`;
+    try {
+        const content = fs.readFileSync(packageJsonPath, "utf-8");
+        const pkg = JSON.parse(content);
+        const scripts = pkg.scripts ?? {};
+        // Determine command based on mode and available scripts
+        if (mode === "test" && scripts.test) {
+            return { type: "node", command: "npm", args: ["run", "test"], port, url };
+        }
+        if (mode === "prod") {
+            if (scripts.start) {
+                return { type: "node", command: "npm", args: ["start"], port, url };
+            }
+            if (scripts.build && scripts.preview) {
+                return { type: "node", command: "npm", args: ["run", "preview"], port, url };
+            }
+        }
+        // Dev mode (default)
+        if (scripts.dev) {
+            return { type: "node", command: "npm", args: ["run", "dev"], port, url };
+        }
+        if (scripts.start) {
+            return { type: "node", command: "npm", args: ["start"], port, url };
+        }
+        // Fallback: run main file directly
+        const mainFile = pkg.main ?? "index.js";
+        if (fs.existsSync(path.join(basePath, mainFile))) {
+            return { type: "node", command: "node", args: [mainFile], port, url };
+        }
+        // Try common entry points
+        const commonEntries = ["src/index.js", "src/index.ts", "index.ts", "main.js", "server.js", "app.js"];
+        for (const entry of commonEntries) {
+            if (fs.existsSync(path.join(basePath, entry))) {
+                const runner = entry.endsWith(".ts") ? "npx" : "node";
+                const runArgs = entry.endsWith(".ts") ? ["tsx", entry] : [entry];
+                return { type: "node", command: runner, args: runArgs, port, url };
+            }
+        }
+    }
+    catch {
+        // Fall through to default
+    }
+    // Default Node.js command
+    return { type: "node", command: "npm", args: ["start"], port, url };
+}
+/**
+ * Detect Python project run command
+ */
+function detectPythonProject(basePath, mode, customPort) {
+    const port = customPort ?? 8000;
+    const url = `http://localhost:${port}`;
+    // Check for test mode
+    if (mode === "test") {
+        if (fs.existsSync(path.join(basePath, "pytest.ini")) ||
+            fs.existsSync(path.join(basePath, "tests"))) {
+            return { type: "python", command: "python", args: ["-m", "pytest"], port, url };
+        }
+        return { type: "python", command: "python", args: ["-m", "unittest"], port, url };
+    }
+    // Check for Django
+    const managePyPath = path.join(basePath, "manage.py");
+    if (fs.existsSync(managePyPath)) {
+        return {
+            type: "python",
+            command: "python",
+            args: ["manage.py", "runserver", `0.0.0.0:${port}`],
+            port,
+            url
+        };
+    }
+    // Check for Flask
+    const appPyPath = path.join(basePath, "app.py");
+    if (fs.existsSync(appPyPath)) {
+        // Check if it's a Flask app
+        try {
+            const content = fs.readFileSync(appPyPath, "utf-8");
+            if (content.includes("flask") || content.includes("Flask")) {
+                return {
+                    type: "python",
+                    command: "python",
+                    args: ["-m", "flask", "run", "--host=0.0.0.0", `--port=${port}`],
+                    port,
+                    url
+                };
+            }
+        }
+        catch {
+            // Fall through
+        }
+    }
+    // Check for FastAPI
+    const mainPyPath = path.join(basePath, "main.py");
+    if (fs.existsSync(mainPyPath)) {
+        try {
+            const content = fs.readFileSync(mainPyPath, "utf-8");
+            if (content.includes("fastapi") || content.includes("FastAPI")) {
+                return {
+                    type: "python",
+                    command: "uvicorn",
+                    args: ["main:app", "--host", "0.0.0.0", "--port", String(port), "--reload"],
+                    port,
+                    url
+                };
+            }
+        }
+        catch {
+            // Fall through
+        }
+    }
+    // Default: run main.py
+    if (fs.existsSync(mainPyPath)) {
+        return { type: "python", command: "python", args: ["main.py"], port, url };
+    }
+    // Try app.py
+    if (fs.existsSync(appPyPath)) {
+        return { type: "python", command: "python", args: ["app.py"], port, url };
+    }
+    // Fallback
+    return { type: "python", command: "python", args: ["main.py"], port, url };
+}

package/build/tools/vibe_pm/run_app_podman.js

@@ -0,0 +1,64 @@
+// adapters/mcp-ts/src/tools/vibe_pm/run_app_podman.ts
+// Pure helpers for Podman run_app path (testable without spawning Podman)
+import * as path from "node:path";
+export const CONTAINER_ENV_ALLOWLIST = new Set(["NODE_ENV", "PORT", "PYTHONUNBUFFERED", "CI"]);
+export function filterContainerEnvAllowlist(env) {
+    const out = {};
+    if (!env)
+        return out;
+    for (const [k, v] of Object.entries(env)) {
+        if (CONTAINER_ENV_ALLOWLIST.has(k))
+            out[k] = v;
+    }
+    return out;
+}
+function isSubPath(childAbs, parentAbs) {
+    const rel = path.relative(parentAbs, childAbs);
+    return !!rel && !rel.startsWith("..") && !path.isAbsolute(rel);
+}
+export function normalizeMounts(repoRootAbs, mounts) {
+    const out = [];
+    for (const m of mounts ?? []) {
+        const hostAbs = path.isAbsolute(m.host) ? m.host : path.resolve(repoRootAbs, m.host);
+        if (hostAbs !== repoRootAbs && !isSubPath(hostAbs, repoRootAbs)) {
+            throw new Error(`mount_escape_blocked: host=${hostAbs}`);
+        }
+        out.push({ hostAbs, container: m.container, mode: m.mode });
+    }
+    if (!out.some((m) => m.container === "/work")) {
+        out.unshift({ hostAbs: repoRootAbs, container: "/work", mode: "rw" });
+    }
+    return out;
+}
+export function normalizePorts(primary, ports) {
+    const out = new Set([primary]);
+    for (const p of ports ?? [])
+        out.add(p);
+    return [...out];
+}
+export function buildPodmanRunCommand(args) {
+    const podArgs = [
+        "run",
+        "-d",
+        "--rm",
+        "--name",
+        `vibe-run-${args.runNameSuffix}`,
+        "-w",
+        "/work"
+    ];
+    for (const m of args.mounts) {
+        podArgs.push("-v", `${m.hostAbs}:${m.container}:${m.mode}`);
+    }
+    for (const v of args.extraVolumes) {
+        podArgs.push("-v", `${v.name}:${v.containerPath}:rw`);
+    }
+    for (const [k, v] of Object.entries(args.env)) {
+        podArgs.push("-e", `${k}=${v}`);
+    }
+    for (const p of args.ports) {
+        podArgs.push("-p", `${p}:${p}`);
+    }
+    podArgs.push("--pull=missing");
+    podArgs.push(args.image, "sh", "-lc", args.insideCommand);
+    return { cmd: "podman", args: podArgs, command_executed: ["podman", ...podArgs].join(" ") };
+}