@wavexzore/sandbox 0.1.0

package/dist/sandbox/core/docker-sandbox.js

@@ -0,0 +1,675 @@
+import { execSync } from 'child_process';
+import { randomUUID } from 'crypto';
+import { execInContainer, parseGrepOutput } from './stream-utils.js';
+import { getFileFromContainer, putFileToContainer } from './docker-archive-utils.js';
+import { DEFAULT_SHELL_MAX_OUTPUT_BYTES, DEFAULT_SHELL_MAX_OUTPUT_LINES, formatShellOutput, writeHostShellOutput, } from './shell/output.js';
+export class DockerSandbox {
+    docker;
+    container;
+    _state = 'created';
+    _workDir;
+    _id;
+    backgroundCommands = new Map();
+    constructor(docker, container, workDir) {
+        this.docker = docker;
+        this.container = container;
+        this._workDir = workDir;
+        this._id = container.id;
+    }
+    get id() {
+        return this._id.slice(0, 12);
+    }
+    get state() {
+        return this._state;
+    }
+    async refreshData() {
+        const info = await this.container.inspect();
+        this._state = normalizeDockerState(info.State.Status);
+    }
+    async start() {
+        const info = await this.container.inspect();
+        if (!info.State.Running) {
+            await this.container.start();
+        }
+        this._state = 'started';
+    }
+    async delete() {
+        try {
+            await this.container.stop();
+        }
+        catch (error) {
+            void error;
+        }
+        await this.container.remove({ force: true });
+    }
+    deleteSync() {
+        try {
+            execSync(`docker rm -f ${this._id}`, { stdio: 'pipe', timeout: 10000 });
+        }
+        catch (error) {
+            void error;
+        }
+    }
+    get process() {
+        return {
+            executeCommand: async (command, cwd) => {
+                assertNonEmptyCommand(command);
+                if (typeof cwd === 'object' && cwd !== null) {
+                    return this.executeManagedCommand(command, cwd);
+                }
+                const directCwd = typeof cwd === 'string' ? cwd : undefined;
+                const { exitCode, stdout, stderr } = await execInContainer(this.container, ['/bin/sh', '-c', command], directCwd || this._workDir);
+                return {
+                    exitCode,
+                    result: stdout + stderr,
+                    stdout,
+                    stderr,
+                    durationMs: 0,
+                    timedOut: false,
+                    aborted: false,
+                    truncated: false,
+                    stdoutBytes: Buffer.byteLength(stdout, 'utf8'),
+                    stderrBytes: Buffer.byteLength(stderr, 'utf8'),
+                };
+            },
+            startBackgroundCommand: async (command, opts) => {
+                return this.startManagedShellCommand(command, opts);
+            },
+            getBackgroundCommand: async (cmdId) => {
+                return this.getManagedCommandStatus(cmdId);
+            },
+            readBackgroundCommand: async (cmdId, opts) => {
+                return this.readManagedCommandOutput(cmdId, opts);
+            },
+            stopBackgroundCommand: async (cmdId) => {
+                return this.stopManagedCommand(cmdId);
+            },
+            createSession: async (sessionId) => {
+                await execInContainer(this.container, ['/bin/sh', '-c', `tmux new-session -d -s '${escapeShell(sessionId)}' 2>/dev/null || true`], this._workDir);
+            },
+            getSession: async (sessionId) => {
+                const { exitCode } = await execInContainer(this.container, [
+                    '/bin/sh',
+                    '-c',
+                    `tmux has-session -t '${escapeShell(sessionId)}'`,
+                ]);
+                if (exitCode !== 0)
+                    throw new Error(`Session ${sessionId} not found`);
+            },
+            executeSessionCommand: async (sessionId, opts) => {
+                const b64Cmd = Buffer.from(opts.command).toString('base64');
+                const shellCmd = `tmux send-keys -t '${escapeShell(sessionId)}' "$(echo '${b64Cmd}' | base64 -d)" Enter`;
+                await execInContainer(this.container, ['/bin/sh', '-c', shellCmd], opts.cwd || this._workDir);
+                return { cmdId: `tmux-${sessionId}-${Date.now()}` };
+            },
+        };
+    }
+    get fs() {
+        return {
+            downloadFile: async (filePath) => {
+                return getFileFromContainer(this.container, filePath);
+            },
+            uploadFile: async (content, filePath) => {
+                return putFileToContainer(this.container, filePath, content);
+            },
+            createFolder: async (path, mode) => {
+                await execInContainer(this.container, ['/bin/sh', '-c', `mkdir -p -m ${mode || '755'} "${path}"`], this._workDir);
+            },
+            listFiles: async (dirPath) => {
+                const quoted = `'${escapeShell(dirPath)}'`;
+                const listCommand = [
+                    `for entry in ${quoted}/* ${quoted}/.[!.]* ${quoted}/..?*; do`,
+                    `[ -e "$entry" ] || continue;`,
+                    'name="${entry##*/}";',
+                    `[ "$name" = "." ] || [ "$name" = ".." ] && continue;`,
+                    `if [ -d "$entry" ]; then type=d; size=0; else type=f; size=$(wc -c < "$entry" 2>/dev/null || echo 0); fi;`,
+                    `printf '%s\\t%s\\t%s\\n' "$type" "$size" "$name";`,
+                    `done`,
+                ].join(' ');
+                const { exitCode, stdout } = await execInContainer(this.container, ['/bin/sh', '-c', listCommand], this._workDir);
+                if (exitCode !== 0)
+                    return [];
+                return stdout
+                    .trim()
+                    .split('\n')
+                    .filter(Boolean)
+                    .map((line) => {
+                    const [type, size, ...nameParts] = line.split('\t');
+                    const parsedSize = Number.parseInt(size ?? '0', 10);
+                    return {
+                        name: nameParts.join('\t'),
+                        isDirectory: type === 'd',
+                        size: Number.isFinite(parsedSize) ? parsedSize : 0,
+                    };
+                });
+            },
+            searchFiles: async (path, pattern) => {
+                const { stdout } = await execInContainer(this.container, ['/bin/sh', '-c', `find "${path}" -path "${pattern}" -type f 2>/dev/null`], this._workDir);
+                return { files: stdout.trim().split('\n').filter(Boolean) };
+            },
+            findFiles: async (path, pattern) => {
+                const { stdout } = await execInContainer(this.container, ['/bin/sh', '-c', `grep -rn "${pattern}" "${path}" 2>/dev/null | head -100`], this._workDir);
+                return parseGrepOutput(stdout);
+            },
+        };
+    }
+    async getWorkDir() {
+        return this._workDir;
+    }
+    async getPreviewLink(port) {
+        const info = await this.container.inspect();
+        const bindings = info.NetworkSettings?.Ports?.[`${port}/tcp`];
+        if (bindings && bindings.length > 0) {
+            const hostPort = bindings[0].HostPort;
+            return { url: `http://localhost:${hostPort}` };
+        }
+        return { url: `http://localhost:${port}` };
+    }
+    async executeManagedCommand(command, opts) {
+        assertNonEmptyCommand(command);
+        const startedAt = Date.now();
+        const timeoutMs = opts.timeoutMs;
+        const maxOutputBytes = opts.maxOutputBytes ?? DEFAULT_SHELL_MAX_OUTPUT_BYTES;
+        const maxOutputLines = opts.maxOutputLines ?? DEFAULT_SHELL_MAX_OUTPUT_LINES;
+        let lastUpdateAt = 0;
+        const commandInfo = await this.startManagedShellCommand(command, {
+            cwd: opts.cwd || this._workDir,
+            sessionId: opts.sessionId,
+        });
+        while (true) {
+            if (opts.signal?.aborted) {
+                await this.stopManagedCommand(commandInfo.cmdId);
+                const output = await this.readManagedCommandOutput(commandInfo.cmdId, { maxOutputBytes, maxOutputLines });
+                const outputPath = output.truncated
+                    ? await this.persistFullOutput(opts.sessionId, commandInfo.cmdId, output)
+                    : undefined;
+                const durationMs = Date.now() - startedAt;
+                return {
+                    exitCode: null,
+                    result: formatShellOutput({
+                        ...output,
+                        exitCode: null,
+                        durationMs,
+                        aborted: true,
+                        outputPath,
+                    }),
+                    stdout: output.stdout,
+                    stderr: output.stderr,
+                    durationMs,
+                    aborted: true,
+                    timedOut: false,
+                    truncated: output.truncated,
+                    outputPath,
+                    stdoutBytes: output.stdoutBytes,
+                    stderrBytes: output.stderrBytes,
+                    stdoutLines: output.stdoutLines,
+                    stderrLines: output.stderrLines,
+                    cmdId: commandInfo.cmdId,
+                };
+            }
+            if (timeoutMs && Date.now() - startedAt >= timeoutMs) {
+                await this.stopManagedCommand(commandInfo.cmdId);
+                const output = await this.readManagedCommandOutput(commandInfo.cmdId, { maxOutputBytes, maxOutputLines });
+                const outputPath = output.truncated
+                    ? await this.persistFullOutput(opts.sessionId, commandInfo.cmdId, output)
+                    : undefined;
+                const durationMs = Date.now() - startedAt;
+                return {
+                    exitCode: null,
+                    result: formatShellOutput({
+                        ...output,
+                        exitCode: null,
+                        durationMs,
+                        timedOut: true,
+                        outputPath,
+                    }),
+                    stdout: output.stdout,
+                    stderr: output.stderr,
+                    durationMs,
+                    aborted: false,
+                    timedOut: true,
+                    truncated: output.truncated,
+                    outputPath,
+                    stdoutBytes: output.stdoutBytes,
+                    stderrBytes: output.stderrBytes,
+                    stdoutLines: output.stdoutLines,
+                    stderrLines: output.stderrLines,
+                    cmdId: commandInfo.cmdId,
+                };
+            }
+            const status = await this.getManagedCommandStatus(commandInfo.cmdId);
+            if (status.status === 'exited' || status.status === 'failed' || status.status === 'stopped') {
+                const output = await this.readManagedCommandOutput(commandInfo.cmdId, { maxOutputBytes, maxOutputLines });
+                const outputPath = output.truncated
+                    ? await this.persistFullOutput(opts.sessionId, commandInfo.cmdId, output)
+                    : undefined;
+                const durationMs = Date.now() - startedAt;
+                return {
+                    exitCode: status.exitCode,
+                    result: formatShellOutput({
+                        ...output,
+                        exitCode: status.exitCode,
+                        durationMs,
+                        truncated: output.truncated,
+                        outputPath,
+                    }),
+                    stdout: output.stdout,
+                    stderr: output.stderr,
+                    durationMs,
+                    aborted: false,
+                    timedOut: false,
+                    truncated: output.truncated,
+                    outputPath,
+                    stdoutBytes: output.stdoutBytes,
+                    stderrBytes: output.stderrBytes,
+                    stdoutLines: output.stdoutLines,
+                    stderrLines: output.stderrLines,
+                    cmdId: commandInfo.cmdId,
+                };
+            }
+            if (opts.onUpdate && Date.now() - lastUpdateAt >= 1_000) {
+                const output = await this.readManagedCommandOutput(commandInfo.cmdId, { maxOutputBytes, maxOutputLines });
+                opts.onUpdate({
+                    ...output,
+                    durationMs: Date.now() - startedAt,
+                });
+                lastUpdateAt = Date.now();
+            }
+            await sleep(150);
+        }
+    }
+    async startManagedShellCommand(command, opts) {
+        assertNonEmptyCommand(command);
+        const sessionId = safeId(opts?.sessionId || 'session');
+        const cmdId = `shell-${Date.now()}-${randomUUID().slice(0, 8)}`;
+        const runDir = `/tmp/sandbox-shell/${sessionId}/${safeId(cmdId)}`;
+        const cwd = opts?.cwd || this._workDir;
+        const startedAt = Date.now();
+        await execInContainer(this.container, ['/bin/sh', '-c', `mkdir -p ${shellQuote(runDir)}`], this._workDir, {
+            tty: false,
+        });
+        await this.writeContainerTextFile(`${runDir}/command.sh`, command);
+        await this.writeContainerTextFile(`${runDir}/runner.sh`, this.runnerScript(runDir, cwd, cmdId));
+        await execInContainer(this.container, [
+            '/bin/sh',
+            '-c',
+            [
+                `chmod 700 ${shellQuote(`${runDir}/runner.sh`)} ${shellQuote(`${runDir}/command.sh`)}`,
+                'if command -v setsid >/dev/null 2>&1; then',
+                `  setsid /bin/sh ${shellQuote(`${runDir}/runner.sh`)} >/dev/null 2>&1 < /dev/null &`,
+                'else',
+                `  nohup /bin/sh ${shellQuote(`${runDir}/runner.sh`)} >/dev/null 2>&1 < /dev/null &`,
+                'fi',
+                `echo $! > ${shellQuote(`${runDir}/pid`)}`,
+            ].join('\n'),
+        ], this._workDir, { tty: false });
+        this.backgroundCommands.set(cmdId, { runDir, startedAt, cwd });
+        return { cmdId, runDir, startedAt };
+    }
+    runnerScript(runDir, cwd, cmdId) {
+        return `#!/bin/sh
+set +e
+RUN_DIR=${shellQuote(runDir)}
+STDOUT="$RUN_DIR/stdout"
+STDERR="$RUN_DIR/stderr"
+EXIT="$RUN_DIR/exit"
+CHILD="$RUN_DIR/child"
+: > "$STDOUT"
+: > "$STDERR"
+date +%s > "$RUN_DIR/started" 2>/dev/null || true
+cd ${shellQuote(cwd)}
+if [ "$?" -ne 0 ]; then
+  echo 97 > "$EXIT"
+  date +%s > "$RUN_DIR/ended" 2>/dev/null || true
+  exit 97
+fi
+${managedCommandEnv(cmdId, runDir)} /bin/sh "$RUN_DIR/command.sh" > "$STDOUT" 2> "$STDERR" &
+child=$!
+echo "$child" > "$CHILD"
+term() {
+  trap '' TERM INT
+  kill -TERM -- "-$$" 2>/dev/null || kill -TERM "-$$" 2>/dev/null || true
+  kill -TERM "$child" 2>/dev/null || true
+  sleep 1
+  kill -KILL "$child" 2>/dev/null || true
+  echo 143 > "$EXIT"
+  date +%s > "$RUN_DIR/ended" 2>/dev/null || true
+  exit 143
+}
+trap term TERM INT
+wait "$child"
+code=$?
+echo "$code" > "$EXIT"
+date +%s > "$RUN_DIR/ended" 2>/dev/null || true
+exit "$code"
+`;
+    }
+    async writeContainerTextFile(filePath, content) {
+        let delimiter = `SANDBOX_${randomUUID().replace(/-/g, '')}`;
+        while (content.includes(delimiter)) {
+            delimiter = `SANDBOX_${randomUUID().replace(/-/g, '')}`;
+        }
+        const script = `cat > ${shellQuote(filePath)} <<'${delimiter}'
+${content}
+${delimiter}
+`;
+        const { exitCode, stderr } = await execInContainer(this.container, ['/bin/sh', '-c', script], this._workDir, {
+            tty: false,
+        });
+        if (exitCode !== 0) {
+            throw new Error(`Failed to write container command file ${filePath}: ${stderr}`);
+        }
+    }
+    async getManagedCommandStatus(cmdId) {
+        const record = this.backgroundCommands.get(cmdId);
+        if (!record)
+            return { cmdId, status: 'unknown', exitCode: null };
+        const runDir = record.runDir;
+        const script = `
+if [ -f ${shellQuote(`${runDir}/stopped`)} ]; then
+  printf 'status=stopped\\n'
+  printf 'exit=%s\\n' "$(cat ${shellQuote(`${runDir}/exit`)} 2>/dev/null || echo 143)"
+elif [ -f ${shellQuote(`${runDir}/exit`)} ]; then
+  printf 'status=exited\\n'
+  printf 'exit=%s\\n' "$(cat ${shellQuote(`${runDir}/exit`)})"
+elif [ -f ${shellQuote(`${runDir}/pid`)} ] && kill -0 "$(cat ${shellQuote(`${runDir}/pid`)})" 2>/dev/null; then
+  printf 'status=running\\n'
+  printf 'pid=%s\\n' "$(cat ${shellQuote(`${runDir}/pid`)})"
+else
+  printf 'status=failed\\n'
+fi`;
+        const { stdout } = await execInContainer(this.container, ['/bin/sh', '-c', script], this._workDir, { tty: false });
+        const parsed = parseKeyValues(stdout);
+        return {
+            cmdId,
+            status: parseStatus(parsed.status),
+            exitCode: parseNullableInt(parsed.exit),
+            pid: parseNullableInt(parsed.pid) ?? undefined,
+            runDir,
+        };
+    }
+    async readManagedCommandOutput(cmdId, opts) {
+        const record = this.backgroundCommands.get(cmdId);
+        if (!record) {
+            return {
+                cmdId,
+                output: `Unknown background command: ${cmdId}`,
+                stdout: '',
+                stderr: `Unknown background command: ${cmdId}`,
+                stdoutBytes: 0,
+                stderrBytes: 0,
+                truncated: false,
+            };
+        }
+        const maxOutputBytes = opts?.maxOutputBytes ?? DEFAULT_SHELL_MAX_OUTPUT_BYTES;
+        const maxOutputLines = opts?.maxOutputLines ?? DEFAULT_SHELL_MAX_OUTPUT_LINES;
+        const perStreamLimit = Math.max(1024, Math.floor(maxOutputBytes / 2));
+        const perStreamLines = Math.max(1, Math.floor(maxOutputLines / 2));
+        const stdoutPath = `${record.runDir}/stdout`;
+        const stderrPath = `${record.runDir}/stderr`;
+        const [stdoutBytes, stderrBytes, stdoutLines, stderrLines, stdout, stderr] = await Promise.all([
+            this.containerFileSize(stdoutPath),
+            this.containerFileSize(stderrPath),
+            this.containerFileLineCount(stdoutPath),
+            this.containerFileLineCount(stderrPath),
+            this.readContainerTextTail(stdoutPath, perStreamLimit, perStreamLines),
+            this.readContainerTextTail(stderrPath, perStreamLimit, perStreamLines),
+        ]);
+        const truncated = stdoutBytes > perStreamLimit ||
+            stderrBytes > perStreamLimit ||
+            stdoutLines > perStreamLines ||
+            stderrLines > perStreamLines;
+        return {
+            cmdId,
+            output: [stdout, stderr].filter(Boolean).join('\n'),
+            stdout,
+            stderr,
+            stdoutBytes,
+            stderrBytes,
+            stdoutLines,
+            stderrLines,
+            truncated,
+            runDir: record.runDir,
+        };
+    }
+    async stopManagedCommand(cmdId) {
+        const record = this.backgroundCommands.get(cmdId);
+        if (!record)
+            return { cmdId, status: 'unknown', exitCode: null };
+        const runDir = record.runDir;
+        const script = managedCleanupScript(runDir, cmdId);
+        await execInContainer(this.container, ['/bin/sh', '-c', script], this._workDir, { tty: false });
+        return this.getManagedCommandStatus(cmdId);
+    }
+    async containerFileSize(filePath) {
+        const { stdout } = await execInContainer(this.container, ['/bin/sh', '-c', `if [ -f ${shellQuote(filePath)} ]; then wc -c < ${shellQuote(filePath)}; else echo 0; fi`], this._workDir, { tty: false });
+        const parsed = Number.parseInt(stdout.trim(), 10);
+        return Number.isFinite(parsed) ? parsed : 0;
+    }
+    async containerFileLineCount(filePath) {
+        const { stdout } = await execInContainer(this.container, ['/bin/sh', '-c', `if [ -f ${shellQuote(filePath)} ]; then wc -l < ${shellQuote(filePath)}; else echo 0; fi`], this._workDir, { tty: false });
+        const parsed = Number.parseInt(stdout.trim(), 10);
+        return Number.isFinite(parsed) ? parsed : 0;
+    }
+    async readContainerTextTail(filePath, maxBytes, maxLines) {
+        const script = `if [ -f ${shellQuote(filePath)} ]; then tail -n ${Math.max(1, maxLines)} ${shellQuote(filePath)} | tail -c ${Math.max(1, maxBytes)}; fi`;
+        const { stdout, stderr } = await execInContainer(this.container, ['/bin/sh', '-c', script], this._workDir, {
+            tty: false,
+        });
+        return stdout + stderr;
+    }
+    async persistFullOutput(sessionId, cmdId, output) {
+        const record = this.backgroundCommands.get(cmdId);
+        if (!record)
+            return undefined;
+        try {
+            const [stdout, stderr] = await Promise.all([
+                getFileFromContainer(this.container, `${record.runDir}/stdout`).catch(() => Buffer.from(output.stdout)),
+                getFileFromContainer(this.container, `${record.runDir}/stderr`).catch(() => Buffer.from(output.stderr)),
+            ]);
+            return writeHostShellOutput({
+                sessionId: sessionId || 'session',
+                cmdId,
+                stdout: stdout.toString('utf8'),
+                stderr: stderr.toString('utf8'),
+            });
+        }
+        catch {
+            return undefined;
+        }
+    }
+}
+function normalizeDockerState(dockerStatus) {
+    switch (dockerStatus) {
+        case 'running':
+            return 'started';
+        case 'exited':
+        case 'dead':
+        case 'removing':
+            return 'stopped';
+        case 'paused':
+            return 'paused';
+        case 'created':
+            return 'created';
+        default:
+            return dockerStatus;
+    }
+}
+function escapeShell(str) {
+    return str.replace(/'/g, "'\\''");
+}
+function shellQuote(str) {
+    return `'${str.replace(/'/g, "'\\''")}'`;
+}
+function assertNonEmptyCommand(command) {
+    if (command.trim().length === 0) {
+        throw new Error('Command must not be empty');
+    }
+}
+function managedCommandEnv(cmdId, runDir) {
+    return [
+        `OPENCODE_SANDBOX_CMD_ID=${shellQuote(cmdId)}`,
+        `OPENCODE_SANDBOX_RUN_DIR=${shellQuote(runDir)}`,
+    ].join(' ');
+}
+function managedCleanupScript(runDir, cmdId) {
+    return `
+RUN_DIR=${shellQuote(runDir)}
+CMD_MARKER=${shellQuote(`OPENCODE_SANDBOX_CMD_ID=${cmdId}`)}
+pid="$(cat "$RUN_DIR/pid" 2>/dev/null || true)"
+child="$(cat "$RUN_DIR/child" 2>/dev/null || true)"
+self="$$"
+parent="$PPID"
+targets=""
+
+is_pid() {
+  case "$1" in
+    ''|*[!0-9]*) return 1 ;;
+    *) [ "$1" -gt 1 ] 2>/dev/null ;;
+  esac
+}
+
+contains_pid() {
+  case " $1 " in
+    *" $2 "*) return 0 ;;
+    *) return 1 ;;
+  esac
+}
+
+add_pid() {
+  target="$1"
+  is_pid "$target" || return 0
+  [ "$target" = "$self" ] && return 0
+  [ "$target" = "$parent" ] && return 0
+  contains_pid "$targets" "$target" && return 0
+  targets="$targets $target"
+}
+
+ppid_of() {
+  awk '/^PPid:[[:space:]]*/ { print $2; exit }' "/proc/$1/status" 2>/dev/null || true
+}
+
+collect_marker_roots() {
+  marker_roots=""
+  for env in /proc/[0-9]*/environ; do
+    [ -r "$env" ] || continue
+    proc_dir="$(dirname "$env")"
+    proc_pid="$(basename "$proc_dir")"
+    is_pid "$proc_pid" || continue
+    if tr '\\000' '\\n' < "$env" 2>/dev/null | grep -Fqx "$CMD_MARKER"; then
+      add_pid "$proc_pid"
+      contains_pid "$marker_roots" "$proc_pid" || marker_roots="$marker_roots $proc_pid"
+    fi
+  done
+  printf '%s\\n' "$marker_roots"
+}
+
+collect_descendants() {
+  roots="$1"
+  known=""
+  for root in $roots; do
+    is_pid "$root" || continue
+    contains_pid "$known" "$root" || known="$known $root"
+    add_pid "$root"
+  done
+
+  changed=1
+  while [ "$changed" = 1 ]; do
+    changed=0
+    for status in /proc/[0-9]*/status; do
+      [ -r "$status" ] || continue
+      proc_dir="$(dirname "$status")"
+      proc_pid="$(basename "$proc_dir")"
+      is_pid "$proc_pid" || continue
+      contains_pid "$known" "$proc_pid" && continue
+      proc_ppid="$(ppid_of "$proc_pid")"
+      if is_pid "$proc_ppid" && contains_pid "$known" "$proc_ppid"; then
+        known="$known $proc_pid"
+        add_pid "$proc_pid"
+        changed=1
+      fi
+    done
+  done
+}
+
+collect_all_targets() {
+  targets=""
+  roots="$pid $child"
+  marker_roots="$(collect_marker_roots)"
+  roots="$roots $marker_roots"
+  collect_descendants "$roots"
+  printf '%s\\n' "$targets"
+}
+
+depth_of() {
+  depth=0
+  current="$1"
+  while is_pid "$current" && [ "$current" -gt 1 ] && [ "$depth" -lt 512 ]; do
+    current="$(ppid_of "$current")"
+    depth=$((depth + 1))
+  done
+  printf '%s\\n' "$depth"
+}
+
+kill_group() {
+  signal="$1"
+  target="$2"
+  is_pid "$target" || return 0
+  kill -"$signal" -- "-$target" 2>/dev/null || kill -"$signal" "-$target" 2>/dev/null || true
+}
+
+kill_targets_deepest_first() {
+  signal="$1"
+  target_list="$2"
+  for target in $(
+    for target in $target_list; do
+      [ -d "/proc/$target" ] || continue
+      printf '%s %s\\n' "$(depth_of "$target")" "$target"
+    done | sort -rn | awk '{ print $2 }'
+  ); do
+    is_pid "$target" || continue
+    [ -d "/proc/$target" ] || continue
+    kill -"$signal" "$target" 2>/dev/null || true
+  done
+}
+
+current_targets="$(collect_all_targets)"
+kill_group TERM "$pid"
+kill_group TERM "$child"
+kill_targets_deepest_first TERM "$current_targets"
+sleep 1
+current_targets="$(collect_all_targets)"
+kill_group KILL "$pid"
+kill_group KILL "$child"
+kill_targets_deepest_first KILL "$current_targets"
+echo 143 > "$RUN_DIR/exit"
+touch "$RUN_DIR/stopped"
+`;
+}
+function safeId(value) {
+    return value.replace(/[^a-zA-Z0-9_.-]/g, '_').slice(0, 120) || 'unknown';
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function parseKeyValues(text) {
+    const result = {};
+    for (const line of text.split(/\r?\n/)) {
+        const index = line.indexOf('=');
+        if (index === -1)
+            continue;
+        result[line.slice(0, index)] = line.slice(index + 1);
+    }
+    return result;
+}
+function parseNullableInt(value) {
+    if (value == null || value === '')
+        return null;
+    const parsed = Number.parseInt(value, 10);
+    return Number.isFinite(parsed) ? parsed : null;
+}
+function parseStatus(value) {
+    if (value === 'running' || value === 'exited' || value === 'failed' || value === 'stopped')
+        return value;
+    return 'unknown';
+}

package/dist/sandbox/core/edit/filediff.d.ts

@@ -0,0 +1,16 @@
+export type FileDiff = {
+    file: string;
+    patch: string;
+    additions: number;
+    deletions: number;
+};
+export declare function createFileDiff(input: {
+    file: string;
+    oldContent: string;
+    newContent: string;
+}): {
+    file: string;
+    patch: string;
+    additions: number;
+    deletions: number;
+};