bulkhead-runtime 0.1.0 → 2026.4.5-beta.2

package/dist/sandbox/index.d.ts

@@ -1,10 +1,11 @@
-export { createSandboxManager, preserveKeys, removeCredentialKeys } from "./manager.js";
+export { createSandboxManager, sanitizeEnv } from "./manager.js";
 export { createIpcServer, createIpcClient, createIpcPeer, type IpcServer, type IpcClient, type IpcPeer, type IpcHandler } from "./ipc.js";
 export { detectCapabilities, buildUnshareArgs, buildNamespaceFlags } from "./namespace.js";
 export { createCgroupController, cgroupLimitsFromConfig, type CgroupController, type CgroupLimits } from "./cgroup.js";
 export { buildDefaultProfile, buildRestrictedProfile, writeSeccompProfile, cleanupSeccompProfile } from "./seccomp.js";
 export { prepareRootfs, buildMountScript, type PreparedRootfs, type RootfsOptions } from "./rootfs.js";
 export { createProxyTools } from "./proxy-tools.js";
+export { ensureSeccompLoader, buildSeccompWrapperArgs, isSeccompAvailable, } from "./seccomp-apply.js";
 export type { WorkerConfig } from "./worker.js";
 export type { SandboxConfig, SandboxCapabilities, SandboxManager, SandboxProcess, SandboxSpawnOptions, MountBind, IpcMessage, IpcError, } from "./types.js";
 export { IPC_ERROR_CODES } from "./types.js";

package/dist/sandbox/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sandbox/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,YAAY,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACxF,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,aAAa,EAAE,KAAK,SAAS,EAAE,KAAK,SAAS,EAAE,KAAK,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,UAAU,CAAC;AAC1I,OAAO,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAC3F,OAAO,EAAE,sBAAsB,EAAE,sBAAsB,EAAE,KAAK,gBAAgB,EAAE,KAAK,YAAY,EAAE,MAAM,aAAa,CAAC;AACvH,OAAO,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AACvH,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,KAAK,cAAc,EAAE,KAAK,aAAa,EAAE,MAAM,aAAa,CAAC;AACvG,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,YAAY,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,YAAY,EACV,aAAa,EACb,mBAAmB,EACnB,cAAc,EACd,cAAc,EACd,mBAAmB,EACnB,SAAS,EACT,UAAU,EACV,QAAQ,GACT,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sandbox/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,aAAa,EAAE,KAAK,SAAS,EAAE,KAAK,SAAS,EAAE,KAAK,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,UAAU,CAAC;AAC1I,OAAO,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAC3F,OAAO,EAAE,sBAAsB,EAAE,sBAAsB,EAAE,KAAK,gBAAgB,EAAE,KAAK,YAAY,EAAE,MAAM,aAAa,CAAC;AACvH,OAAO,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AACvH,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,KAAK,cAAc,EAAE,KAAK,aAAa,EAAE,MAAM,aAAa,CAAC;AACvG,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EACL,mBAAmB,EACnB,uBAAuB,EACvB,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,YAAY,EACV,aAAa,EACb,mBAAmB,EACnB,cAAc,EACd,cAAc,EACd,mBAAmB,EACnB,SAAS,EACT,UAAU,EACV,QAAQ,GACT,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC"}

package/dist/sandbox/index.js

@@ -1,9 +1,10 @@
-export { createSandboxManager, preserveKeys, removeCredentialKeys } from "./manager.js";
+export { createSandboxManager, sanitizeEnv } from "./manager.js";
 export { createIpcServer, createIpcClient, createIpcPeer } from "./ipc.js";
 export { detectCapabilities, buildUnshareArgs, buildNamespaceFlags } from "./namespace.js";
 export { createCgroupController, cgroupLimitsFromConfig } from "./cgroup.js";
 export { buildDefaultProfile, buildRestrictedProfile, writeSeccompProfile, cleanupSeccompProfile } from "./seccomp.js";
 export { prepareRootfs, buildMountScript } from "./rootfs.js";
 export { createProxyTools } from "./proxy-tools.js";
+export { ensureSeccompLoader, buildSeccompWrapperArgs, isSeccompAvailable, } from "./seccomp-apply.js";
 export { IPC_ERROR_CODES } from "./types.js";
 //# sourceMappingURL=index.js.map

package/dist/sandbox/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/sandbox/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,YAAY,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACxF,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,aAAa,EAAiE,MAAM,UAAU,CAAC;AAC1I,OAAO,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAC3F,OAAO,EAAE,sBAAsB,EAAE,sBAAsB,EAA4C,MAAM,aAAa,CAAC;AACvH,OAAO,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AACvH,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAA2C,MAAM,aAAa,CAAC;AACvG,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAYpD,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/sandbox/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,aAAa,EAAiE,MAAM,UAAU,CAAC;AAC1I,OAAO,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAC3F,OAAO,EAAE,sBAAsB,EAAE,sBAAsB,EAA4C,MAAM,aAAa,CAAC;AACvH,OAAO,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AACvH,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAA2C,MAAM,aAAa,CAAC;AACvG,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EACL,mBAAmB,EACnB,uBAAuB,EACvB,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAY5B,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC"}

package/dist/sandbox/ipc.d.ts

@@ -17,7 +17,10 @@ export interface IpcPeer {
     stop(): void;
 }
 export type IpcHandler = (params: unknown) => Promise<unknown>;
-export declare function createIpcPeer(input: Readable, output: Writable): IpcPeer;
+export interface IpcPeerOptions {
+    callTimeoutMs?: number;
+}
+export declare function createIpcPeer(input: Readable, output: Writable, options?: IpcPeerOptions): IpcPeer;
 export declare function createIpcServer(input: Readable, output: Writable): IpcServer;
 export declare function createIpcClient(input: Readable, output: Writable): IpcClient;
 //# sourceMappingURL=ipc.d.ts.map

package/dist/sandbox/ipc.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ipc.d.ts","sourceRoot":"","sources":["../../src/sandbox/ipc.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAGtD,MAAM,WAAW,SAAS;IACxB,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,IAAI,CAAC;IAClD,KAAK,IAAI,IAAI,CAAC;IACd,IAAI,IAAI,IAAI,CAAC;CACd;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,CAAC,CAAC,GAAG,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IAChE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;IAC/C,OAAO,IAAI,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,OAAO;IACtB,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,IAAI,CAAC;IAClD,IAAI,CAAC,CAAC,GAAG,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IAChE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;IAC/C,KAAK,IAAI,IAAI,CAAC;IACd,IAAI,IAAI,IAAI,CAAC;CACd;AAED,MAAM,MAAM,UAAU,GAAG,CAAC,MAAM,EAAE,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;AAI/D,wBAAgB,aAAa,CAC3B,KAAK,EAAE,QAAQ,EACf,MAAM,EAAE,QAAQ,GACf,OAAO,CA4HT;AAED,wBAAgB,eAAe,CAC7B,KAAK,EAAE,QAAQ,EACf,MAAM,EAAE,QAAQ,GACf,SAAS,CAOX;AAED,wBAAgB,eAAe,CAC7B,KAAK,EAAE,QAAQ,EACf,MAAM,EAAE,QAAQ,GACf,SAAS,CAQX"}
+{"version":3,"file":"ipc.d.ts","sourceRoot":"","sources":["../../src/sandbox/ipc.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAGtD,MAAM,WAAW,SAAS;IACxB,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,IAAI,CAAC;IAClD,KAAK,IAAI,IAAI,CAAC;IACd,IAAI,IAAI,IAAI,CAAC;CACd;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,CAAC,CAAC,GAAG,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IAChE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;IAC/C,OAAO,IAAI,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,OAAO;IACtB,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,IAAI,CAAC;IAClD,IAAI,CAAC,CAAC,GAAG,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IAChE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;IAC/C,KAAK,IAAI,IAAI,CAAC;IACd,IAAI,IAAI,IAAI,CAAC;CACd;AAED,MAAM,MAAM,UAAU,GAAG,CAAC,MAAM,EAAE,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;AAM/D,MAAM,WAAW,cAAc;IAC7B,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,wBAAgB,aAAa,CAC3B,KAAK,EAAE,QAAQ,EACf,MAAM,EAAE,QAAQ,EAChB,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CA4IT;AAED,wBAAgB,eAAe,CAC7B,KAAK,EAAE,QAAQ,EACf,MAAM,EAAE,QAAQ,GACf,SAAS,CAOX;AAED,wBAAgB,eAAe,CAC7B,KAAK,EAAE,QAAQ,EACf,MAAM,EAAE,QAAQ,GACf,SAAS,CAQX"}

package/dist/sandbox/ipc.js

@@ -1,13 +1,34 @@
 import { IPC_ERROR_CODES } from "./types.js";
 const DELIMITER = "\n";
-export function createIpcPeer(input, output) {
+const MAX_BUFFER_SIZE = 50 * 1024 * 1024; // 50 MB
+const DEFAULT_CALL_TIMEOUT_MS = 60_000;
+export function createIpcPeer(input, output, options) {
+    const callTimeoutMs = options?.callTimeoutMs ?? DEFAULT_CALL_TIMEOUT_MS;
     const handlers = new Map();
-    let nextId = 1;
+    let nextId = 0;
     let buffer = "";
     let running = false;
     const pending = new Map();
+    function stopPeer() {
+        running = false;
+        input.removeListener("data", onData);
+        for (const [, p] of pending) {
+            p.reject(new Error("IPC peer stopped"));
+        }
+        pending.clear();
+    }
     function onData(chunk) {
         buffer += chunk.toString("utf-8");
+        if (buffer.length > MAX_BUFFER_SIZE) {
+            buffer = "";
+            send({
+                jsonrpc: "2.0",
+                id: 0,
+                error: { code: IPC_ERROR_CODES.INTERNAL_ERROR, message: "IPC buffer overflow: message too large" },
+            });
+            stopPeer();
+            return;
+        }
         processBuffer();
     }
     function processBuffer() {
@@ -78,24 +99,24 @@ export function createIpcPeer(input, output) {
     }
     function send(msg) {
         const line = JSON.stringify(msg) + DELIMITER;
-        if (output.writableNeedDrain) {
-            setImmediate(() => output.write(line));
-        }
-        else {
-            process.nextTick(() => output.write(line));
-        }
+        setImmediate(() => output.write(line));
     }
     return {
         handle(method, handler) {
             handlers.set(method, handler);
         },
         call(method, params) {
-            const id = nextId++;
+            nextId = (nextId + 1) % Number.MAX_SAFE_INTEGER;
+            const id = nextId;
             send({ jsonrpc: "2.0", id, method, params });
             return new Promise((resolve, reject) => {
+                const timer = setTimeout(() => {
+                    pending.delete(id);
+                    reject(new Error(`IPC call "${method}" (id=${id}) timed out after ${callTimeoutMs}ms`));
+                }, callTimeoutMs);
                 pending.set(id, {
-                    resolve: resolve,
-                    reject,
+                    resolve: (value) => { clearTimeout(timer); resolve(value); },
+                    reject: (err) => { clearTimeout(timer); reject(err); },
                 });
             });
         },
@@ -109,12 +130,7 @@ export function createIpcPeer(input, output) {
             input.on("data", onData);
         },
         stop() {
-            running = false;
-            input.removeListener("data", onData);
-            for (const [, handler] of pending) {
-                handler.reject(new Error("IPC peer stopped"));
-            }
-            pending.clear();
+            stopPeer();
         },
     };
 }

package/dist/sandbox/ipc.js.map

@@ -1 +1 @@
-{"version":3,"file":"ipc.js","sourceRoot":"","sources":["../../src/sandbox/ipc.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAkC,MAAM,YAAY,CAAC;AAwB7E,MAAM,SAAS,GAAG,IAAI,CAAC;AAEvB,MAAM,UAAU,aAAa,CAC3B,KAAe,EACf,MAAgB;IAEhB,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAsB,CAAC;IAC/C,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,MAAM,OAAO,GAAG,IAAI,GAAG,EAGpB,CAAC;IAEJ,SAAS,MAAM,CAAC,KAAa;QAC3B,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAClC,aAAa,EAAE,CAAC;IAClB,CAAC;IAED,SAAS,aAAa;QACpB,IAAI,GAAW,CAAC;QAChB,OAAO,CAAC,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YAChD,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YACzC,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;YAC/B,IAAI,IAAI;gBAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IAED,SAAS,QAAQ,CAAC,IAAY;QAC5B,IAAI,GAAe,CAAC;QACpB,IAAI,CAAC;YACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAe,CAAC;QACvC,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,eAAe,CAAC,WAAW,EAAE,OAAO,EAAE,cAAc,EAAE,EAAE,CAAC,CAAC;YACvG,OAAO;QACT,CAAC;QAED,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACzC,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,IAAI,GAAG,CAAC,EAAE,KAAK,SAAS,EAAE,CAAC;oBACzB,IAAI,CAAC;wBACH,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,GAAG,CAAC,EAAE;wBACV,KAAK,EAAE,EAAE,IAAI,EAAE,eAAe,CAAC,gBAAgB,EAAE,OAAO,EAAE,mBAAmB,GAAG,CAAC,MAAM,EAAE,EAAE;qBAC5F,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,cAAc,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC;aAAM,IAAI,GAAG,CAAC,EAAE,KAAK,SAAS,EAAE,CAAC;YAChC,cAAc,CAAC,GAAG,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IAED,KAAK,UAAU,cAAc,CAAC,GAAe,EAAE,OAAmB;QAChE,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACzC,IAAI,GAAG,CAAC,EAAE,KAAK,SAAS,EAAE,CAAC;gBACzB,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,CAAC,EAAE,KAAK,SAAS,EAAE,CAAC;gBACzB,IAAI,CAAC;oBACH,OAAO,EAAE,KAAK;oBACd,EAAE,EAAE,GAAG,CAAC,EAAE;oBACV,KAAK,EAAE,EAAE,IAAI,EAAE,eAAe,CAAC,cAAc,EAAE,OAAO,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE;iBACtE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,SAAS,cAAc,CAAC,GAAe;QACrC,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAG,CAAC,CAAC;QACrC,IAAI,CAAC,OAAO;YAAE,OAAO;QACrB,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,EAAG,CAAC,CAAC;QAExB,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;YACd,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,aAAa,GAAG,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACjF,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IAED,SAAS,IAAI,CAAC,GAAe;QAC3B,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC;QAC7C,IAAI,MAAM,CAAC,iBAAiB,EAAE,CAAC;YAC7B,YAAY,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;QACzC,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;IAED,OAAO;QACL,MAAM,CAAC,MAAM,EAAE,OAAO;YACpB,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAChC,CAAC;QAED,IAAI,CAAc,MAAc,EAAE,MAAgB;YAChD,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC;YACpB,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;YAC7C,OAAO,IAAI,OAAO,CAAI,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBACxC,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE;oBACd,OAAO,EAAE,OAAmC;oBAC5C,MAAM;iBACP,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,CAAC,MAAc,EAAE,MAAgB;YACrC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;QAC3C,CAAC;QAED,KAAK;YACH,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC3B,CAAC;QAED,IAAI;YACF,OAAO,GAAG,KAAK,CAAC;YAChB,KAAK,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YACrC,KAAK,MAAM,CAAC,EAAE,OAAO,CAAC,IAAI,OAAO,EAAE,CAAC;gBAClC,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAC;YAChD,CAAC;YACD,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,CAAC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,KAAe,EACf,MAAgB;IAEhB,MAAM,IAAI,GAAG,aAAa,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAC1C,OAAO;QACL,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,IAAI,EAAE,IAAI,CAAC,IAAI;KAChB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,KAAe,EACf,MAAgB;IAEhB,MAAM,IAAI,GAAG,aAAa,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAC1C,IAAI,CAAC,KAAK,EAAE,CAAC;IACb,OAAO;QACL,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,OAAO,EAAE,IAAI,CAAC,IAAI;KACnB,CAAC;AACJ,CAAC"}
+{"version":3,"file":"ipc.js","sourceRoot":"","sources":["../../src/sandbox/ipc.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAkC,MAAM,YAAY,CAAC;AAwB7E,MAAM,SAAS,GAAG,IAAI,CAAC;AACvB,MAAM,eAAe,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,QAAQ;AAClD,MAAM,uBAAuB,GAAG,MAAM,CAAC;AAMvC,MAAM,UAAU,aAAa,CAC3B,KAAe,EACf,MAAgB,EAChB,OAAwB;IAExB,MAAM,aAAa,GAAG,OAAO,EAAE,aAAa,IAAI,uBAAuB,CAAC;IACxE,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAsB,CAAC;IAC/C,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,MAAM,OAAO,GAAG,IAAI,GAAG,EAGpB,CAAC;IAEJ,SAAS,QAAQ;QACf,OAAO,GAAG,KAAK,CAAC;QAChB,KAAK,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACrC,KAAK,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,OAAO,EAAE,CAAC;YAC5B,CAAC,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAC;QAC1C,CAAC;QACD,OAAO,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC;IAED,SAAS,MAAM,CAAC,KAAa;QAC3B,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAClC,IAAI,MAAM,CAAC,MAAM,GAAG,eAAe,EAAE,CAAC;YACpC,MAAM,GAAG,EAAE,CAAC;YACZ,IAAI,CAAC;gBACH,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,CAAC;gBACL,KAAK,EAAE,EAAE,IAAI,EAAE,eAAe,CAAC,cAAc,EAAE,OAAO,EAAE,wCAAwC,EAAE;aACnG,CAAC,CAAC;YACH,QAAQ,EAAE,CAAC;YACX,OAAO;QACT,CAAC;QACD,aAAa,EAAE,CAAC;IAClB,CAAC;IAED,SAAS,aAAa;QACpB,IAAI,GAAW,CAAC;QAChB,OAAO,CAAC,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YAChD,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YACzC,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;YAC/B,IAAI,IAAI;gBAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IAED,SAAS,QAAQ,CAAC,IAAY;QAC5B,IAAI,GAAe,CAAC;QACpB,IAAI,CAAC;YACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAe,CAAC;QACvC,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,eAAe,CAAC,WAAW,EAAE,OAAO,EAAE,cAAc,EAAE,EAAE,CAAC,CAAC;YACvG,OAAO;QACT,CAAC;QAED,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACzC,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,IAAI,GAAG,CAAC,EAAE,KAAK,SAAS,EAAE,CAAC;oBACzB,IAAI,CAAC;wBACH,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,GAAG,CAAC,EAAE;wBACV,KAAK,EAAE,EAAE,IAAI,EAAE,eAAe,CAAC,gBAAgB,EAAE,OAAO,EAAE,mBAAmB,GAAG,CAAC,MAAM,EAAE,EAAE;qBAC5F,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,cAAc,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC;aAAM,IAAI,GAAG,CAAC,EAAE,KAAK,SAAS,EAAE,CAAC;YAChC,cAAc,CAAC,GAAG,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IAED,KAAK,UAAU,cAAc,CAAC,GAAe,EAAE,OAAmB;QAChE,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACzC,IAAI,GAAG,CAAC,EAAE,KAAK,SAAS,EAAE,CAAC;gBACzB,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,CAAC,EAAE,KAAK,SAAS,EAAE,CAAC;gBACzB,IAAI,CAAC;oBACH,OAAO,EAAE,KAAK;oBACd,EAAE,EAAE,GAAG,CAAC,EAAE;oBACV,KAAK,EAAE,EAAE,IAAI,EAAE,eAAe,CAAC,cAAc,EAAE,OAAO,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE;iBACtE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,SAAS,cAAc,CAAC,GAAe;QACrC,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAG,CAAC,CAAC;QACrC,IAAI,CAAC,OAAO;YAAE,OAAO;QACrB,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,EAAG,CAAC,CAAC;QAExB,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;YACd,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,aAAa,GAAG,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACjF,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IAED,SAAS,IAAI,CAAC,GAAe;QAC3B,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC;QAC7C,YAAY,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;IACzC,CAAC;IAED,OAAO;QACL,MAAM,CAAC,MAAM,EAAE,OAAO;YACpB,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAChC,CAAC;QAED,IAAI,CAAc,MAAc,EAAE,MAAgB;YAChD,MAAM,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC,gBAAgB,CAAC;YAChD,MAAM,EAAE,GAAG,MAAM,CAAC;YAClB,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;YAC7C,OAAO,IAAI,OAAO,CAAI,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBACxC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;oBAC5B,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;oBACnB,MAAM,CAAC,IAAI,KAAK,CAAC,aAAa,MAAM,SAAS,EAAE,qBAAqB,aAAa,IAAI,CAAC,CAAC,CAAC;gBAC1F,CAAC,EAAE,aAAa,CAAC,CAAC;gBAClB,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE;oBACd,OAAO,EAAE,CAAC,KAAc,EAAE,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,CAAE,OAAgC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;oBAC/F,MAAM,EAAE,CAAC,GAAU,EAAE,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;iBAC9D,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,CAAC,MAAc,EAAE,MAAgB;YACrC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;QAC3C,CAAC;QAED,KAAK;YACH,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC3B,CAAC;QAED,IAAI;YACF,QAAQ,EAAE,CAAC;QACb,CAAC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,KAAe,EACf,MAAgB;IAEhB,MAAM,IAAI,GAAG,aAAa,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAC1C,OAAO;QACL,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,IAAI,EAAE,IAAI,CAAC,IAAI;KAChB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,KAAe,EACf,MAAgB;IAEhB,MAAM,IAAI,GAAG,aAAa,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAC1C,IAAI,CAAC,KAAK,EAAE,CAAC;IACb,OAAO;QACL,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,OAAO,EAAE,IAAI,CAAC,IAAI;KACnB,CAAC;AACJ,CAAC"}

package/dist/sandbox/manager.d.ts

@@ -1,5 +1,4 @@
 import type { SandboxManager } from "./types.js";
 export declare function createSandboxManager(): SandboxManager;
-export declare function preserveKeys(env: Record<string, string>, keys?: string[]): Record<string, string>;
-export declare function removeCredentialKeys(env: Record<string, string>): void;
+export declare function sanitizeEnv(env: Record<string, string>, protectedKeys?: string[]): Record<string, string>;
 //# sourceMappingURL=manager.d.ts.map

package/dist/sandbox/manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/sandbox/manager.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAEV,cAAc,EAGf,MAAM,YAAY,CAAC;AAKpB,wBAAgB,oBAAoB,IAAI,cAAc,CAqBrD;AAkOD,wBAAgB,YAAY,CAC1B,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC3B,IAAI,CAAC,EAAE,MAAM,EAAE,GACd,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAOxB;AAED,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAMtE"}
+{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/sandbox/manager.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAEV,cAAc,EAGf,MAAM,YAAY,CAAC;AAsCpB,wBAAgB,oBAAoB,IAAI,cAAc,CAwCrD;AAiND,wBAAgB,WAAW,CACzB,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC3B,aAAa,CAAC,EAAE,MAAM,EAAE,GACvB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CASxB"}

package/dist/sandbox/manager.js

@@ -6,21 +6,64 @@ import * as crypto from "node:crypto";
 import { detectCapabilities, buildUnshareArgs, buildNamespaceFlags } from "./namespace.js";
 import { createCgroupController, cgroupLimitsFromConfig } from "./cgroup.js";
 import { prepareRootfs, buildMountScript } from "./rootfs.js";
+import { escapeShellArg } from "../shared/index.js";
+import { buildDefaultProfile } from "./seccomp.js";
+import { buildSeccompWrapperArgs, isSeccompAvailable } from "./seccomp-apply.js";
+import { cleanupSeccompProfile } from "./seccomp.js";
+import { createSubsystemLogger } from "../logging/subsystem.js";
+const log = createSubsystemLogger("sandbox");
+const activeSandboxCleanups = new Set();
+function registerCleanupHandlers() {
+    const cleanup = () => {
+        for (const fn of activeSandboxCleanups) {
+            try {
+                fn();
+            }
+            catch { }
+        }
+        activeSandboxCleanups.clear();
+    };
+    process.on("exit", cleanup);
+    let terminating = false;
+    const handleSignal = (signal, code) => {
+        if (terminating) {
+            process.exit(128 + code);
+        }
+        terminating = true;
+        cleanup();
+        process.exit(128 + code);
+    };
+    process.on("SIGTERM", () => handleSignal("SIGTERM", 15));
+    process.on("SIGINT", () => handleSignal("SIGINT", 2));
+}
+let cleanupHandlersRegistered = false;
 export function createSandboxManager() {
-    let cachedCapabilities = null;
+    if (!cleanupHandlersRegistered) {
+        registerCleanupHandlers();
+        cleanupHandlersRegistered = true;
+    }
+    let capabilitiesPromise = null;
     return {
         async capabilities() {
-            if (!cachedCapabilities) {
-                cachedCapabilities = detectCapabilities();
+            if (!capabilitiesPromise) {
+                capabilitiesPromise = detectCapabilities();
             }
-            return cachedCapabilities;
+            return capabilitiesPromise;
         },
         async spawn(options) {
             const caps = await this.capabilities();
-            if (caps.platform === "linux" && caps.hasUnshare) {
-                return spawnLinuxSandbox(options, caps);
+            if (!caps.hasUnshare) {
+                throw new Error("Sandbox requires 'unshare' command. Install util-linux or run on a standard Linux distribution.");
+            }
+            if (!caps.hasMountNamespace) {
+                throw new Error("Sandbox requires mount namespace support. Ensure the kernel supports user namespaces " +
+                    "and /proc/sys/user/max_user_namespaces > 0.");
             }
-            return spawnFallbackSandbox(options);
+            if (options.config.networkIsolation && !caps.hasNetNamespace) {
+                throw new Error("Sandbox requires network namespace for network isolation but the kernel does not support it. " +
+                    "Set networkIsolation to false or enable network namespace support.");
+            }
+            return spawnLinuxSandbox(options, caps);
         },
     };
 }
@@ -36,6 +79,23 @@ async function spawnLinuxSandbox(options, caps) {
     if (caps.hasCgroupV2) {
         const limits = cgroupLimitsFromConfig(config);
         cgroup = createCgroupController(sandboxId, limits);
+        if (!cgroup.setup()) {
+            cgroup.cleanup();
+            throw new Error("Failed to create cgroup directory for sandbox resource limits");
+        }
+    }
+    let seccompProfilePath = null;
+    let targetCommand = options.command;
+    let targetArgs = options.args;
+    if (isSeccompAvailable()) {
+        const profile = buildDefaultProfile();
+        const seccomp = buildSeccompWrapperArgs(profile, sandboxId, options.command, options.args);
+        if (seccomp) {
+            targetCommand = seccomp.command;
+            targetArgs = seccomp.args;
+            seccompProfilePath = seccomp.profilePath;
+            log.debug("seccomp: PR_SET_NO_NEW_PRIVS + BPF syscall filter applied", { sandboxId });
+        }
     }
     let rootfs = null;
     let wrapperScriptPath = null;
@@ -45,25 +105,25 @@ async function spawnLinuxSandbox(options, caps) {
             workspaceDir: options.cwd,
             additionalBinds: config.mountBinds,
         });
-        const mountScript = buildMountScript(rootfs.rootDir, rootfs.mounts, options.cwd);
-        wrapperScriptPath = writeWrapperScript(sandboxId, mountScript, options);
+        const mountScript = buildMountScript(rootfs.rootDir, rootfs.mounts, {
+            hasPidNamespace: nsFlags.pid,
+        });
+        wrapperScriptPath = writeWrapperScript(sandboxId, mountScript, options, cgroup?.cgroupPath, targetCommand !== options.command ? targetCommand : undefined, targetArgs !== options.args ? targetArgs : undefined);
     }
-    const sanitizedEnv = {
-        PATH: "/usr/local/bin:/usr/bin:/bin",
+    const rawEnv = {
+        PATH: "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
         HOME: "/tmp",
         NODE_ENV: "production",
         SANDBOX_ID: sandboxId,
         ...options.env,
     };
-    const preserved = preserveKeys(sanitizedEnv, options.protectedKeys);
-    removeCredentialKeys(sanitizedEnv);
-    Object.assign(sanitizedEnv, preserved);
+    const sanitizedEnv = sanitizeEnv(rawEnv, options.protectedKeys);
     let fullArgs;
     if (wrapperScriptPath) {
         fullArgs = [...unshareArgs, "/bin/sh", wrapperScriptPath];
     }
     else {
-        fullArgs = [...unshareArgs, options.command, ...options.args];
+        fullArgs = [...unshareArgs, targetCommand, ...targetArgs];
     }
     const child = spawn("unshare", fullArgs, {
         cwd: options.cwd,
@@ -71,138 +131,99 @@ async function spawnLinuxSandbox(options, caps) {
         stdio: ["pipe", "pipe", "pipe"],
     });
     let spawnError = null;
-    child.on("error", (err) => {
-        spawnError = err;
-    });
-    if (cgroup && child.pid) {
-        cgroup.apply(child.pid);
-    }
-    if (options.onStderr && child.stderr) {
-        child.stderr.on("data", (data) => {
-            options.onStderr(data.toString("utf-8"));
-        });
-    }
-    let timeoutTimer = null;
-    if (config.timeoutMs) {
-        timeoutTimer = setTimeout(() => {
-            child.kill("SIGKILL");
-        }, config.timeoutMs);
-    }
+    let cleanedUp = false;
     const cleanupAll = () => {
+        if (cleanedUp)
+            return;
+        cleanedUp = true;
+        activeSandboxCleanups.delete(cleanupAll);
         if (timeoutTimer)
             clearTimeout(timeoutTimer);
         cgroup?.cleanup();
         rootfs?.cleanup();
         if (wrapperScriptPath)
             cleanupFile(wrapperScriptPath);
+        if (seccompProfilePath)
+            cleanupSeccompProfile(seccompProfilePath);
     };
-    child.on("exit", cleanupAll);
-    return {
-        pid: child.pid ?? -1,
-        stdin: child.stdin,
-        stdout: child.stdout,
-        stderr: child.stderr,
-        kill() {
-            try {
-                child.kill("SIGKILL");
-            }
-            catch { /* already dead */ }
-        },
-        waitForExit() {
-            return new Promise((resolve, reject) => {
-                if (spawnError) {
-                    reject(spawnError);
-                    return;
-                }
-                if (child.exitCode !== null) {
-                    resolve(child.exitCode);
-                    return;
-                }
-                child.on("error", reject);
-                child.on("exit", (code) => { resolve(code ?? 1); });
-            });
-        },
-    };
-}
-async function spawnFallbackSandbox(options) {
-    const sandboxId = generateSandboxId();
-    const sanitizedEnv = {
-        PATH: process.env["PATH"] ?? "/usr/local/bin:/usr/bin:/bin",
-        HOME: process.env["HOME"] ?? "/tmp",
-        NODE_ENV: "production",
-        SANDBOX_ID: sandboxId,
-        ...options.env,
-    };
-    const preserved = preserveKeys(sanitizedEnv, options.protectedKeys);
-    removeCredentialKeys(sanitizedEnv);
-    Object.assign(sanitizedEnv, preserved);
-    const child = spawn(options.command, options.args, {
-        cwd: options.cwd,
-        env: sanitizedEnv,
-        stdio: ["pipe", "pipe", "pipe"],
-    });
-    let spawnError = null;
+    activeSandboxCleanups.add(cleanupAll);
     child.on("error", (err) => {
         spawnError = err;
+        cleanupAll();
     });
+    child.on("exit", cleanupAll);
+    if (cgroup && child.pid && !wrapperScriptPath) {
+        cgroup.assignPid(child.pid);
+    }
     if (options.onStderr && child.stderr) {
         child.stderr.on("data", (data) => {
             options.onStderr(data.toString("utf-8"));
         });
     }
     let timeoutTimer = null;
-    if (options.config.timeoutMs) {
+    if (config.timeoutMs) {
         timeoutTimer = setTimeout(() => {
-            child.kill("SIGKILL");
-        }, options.config.timeoutMs);
+            try {
+                child.kill("SIGKILL");
+            }
+            catch { /* already dead */ }
+        }, config.timeoutMs);
     }
+    let exitPromise = null;
     return {
         pid: child.pid ?? -1,
         stdin: child.stdin,
         stdout: child.stdout,
         stderr: child.stderr,
         kill() {
-            if (timeoutTimer)
-                clearTimeout(timeoutTimer);
             try {
                 child.kill("SIGKILL");
             }
             catch { /* already dead */ }
         },
         waitForExit() {
-            return new Promise((resolve, reject) => {
-                if (spawnError) {
-                    reject(spawnError);
-                    return;
-                }
-                if (child.exitCode !== null) {
-                    resolve(child.exitCode);
-                    return;
-                }
-                child.on("error", reject);
-                child.on("exit", (code) => {
-                    if (timeoutTimer)
-                        clearTimeout(timeoutTimer);
-                    resolve(code ?? 1);
+            if (!exitPromise) {
+                exitPromise = new Promise((resolve, reject) => {
+                    if (spawnError) {
+                        cleanupAll();
+                        reject(spawnError);
+                        return;
+                    }
+                    if (child.exitCode !== null) {
+                        cleanupAll();
+                        resolve(child.exitCode);
+                        return;
+                    }
+                    child.on("error", (err) => { cleanupAll(); reject(err); });
+                    child.on("exit", (code) => { cleanupAll(); resolve(code ?? 1); });
                 });
-            });
+            }
+            return exitPromise;
         },
     };
 }
-function writeWrapperScript(sandboxId, mountScript, options) {
-    const tmpDir = path.join(os.tmpdir(), "openclaw-sandbox");
-    fs.mkdirSync(tmpDir, { recursive: true });
+function writeWrapperScript(sandboxId, mountScript, options, cgroupProcsPath, seccompCmd, seccompArgs) {
+    const tmpDir = path.join(os.tmpdir(), "bulkhead-runtime-sandbox");
+    fs.mkdirSync(tmpDir, { recursive: true, mode: 0o700 });
     const scriptPath = path.join(tmpDir, `${sandboxId}-init.sh`);
-    const escapedArgs = options.args.map((a) => `'${a.replace(/'/g, "'\\''")}'`).join(" ");
+    const cmd = seccompCmd ?? options.command;
+    const args = seccompArgs ?? options.args;
+    const escapedCmd = escapeShellArg(cmd);
+    const escapedArgs = args.map(escapeShellArg).join(" ");
+    const preamble = [];
+    if (cgroupProcsPath) {
+        preamble.push("# Assign to cgroup before pivot_root (while host FS is accessible)", `echo $$ > ${escapeShellArg(path.join(cgroupProcsPath, "cgroup.procs"))} || { echo 'FATAL: cannot assign process to cgroup' >&2; exit 1; }`, "");
+    }
     const script = [
         "#!/bin/sh",
         "set -e",
         "",
+        ...preamble,
         mountScript,
         "",
-        `exec ${options.command} ${escapedArgs}`,
+        `exec ${escapedCmd} ${escapedArgs}`,
     ].join("\n");
-    fs.writeFileSync(scriptPath, script, { mode: 0o755 });
+    fs.writeFileSync(scriptPath, script, { mode: 0o700 });
     return scriptPath;
 }
 function cleanupFile(filePath) {
@@ -213,33 +234,18 @@ function cleanupFile(filePath) {
         // best effort
     }
 }
-const CREDENTIAL_KEY_PATTERNS = [
-    /_API_KEY$/,
-    /_SECRET$/,
-    /_TOKEN$/,
-    /_PASSWORD$/,
-    /^AWS_/,
-    /^OPENAI_/,
-    /^ANTHROPIC_/,
-    /^GEMINI_/,
-    /^GOOGLE_/,
-    /^OPENCLAW_CREDENTIAL/,
-];
-export function preserveKeys(env, keys) {
-    if (!keys)
-        return {};
-    const saved = {};
-    for (const key of keys) {
-        if (key in env)
-            saved[key] = env[key];
-    }
-    return saved;
-}
-export function removeCredentialKeys(env) {
-    for (const key of Object.keys(env)) {
-        if (CREDENTIAL_KEY_PATTERNS.some((p) => p.test(key))) {
-            delete env[key];
+const SANDBOX_ALLOWED_ENV_KEYS = new Set([
+    "PATH", "HOME", "NODE_ENV", "SANDBOX_ID", "SANDBOX_WORKER_CONFIG",
+    "LANG", "LC_ALL", "TZ", "TERM", "NODE_PATH",
+]);
+export function sanitizeEnv(env, protectedKeys) {
+    const allowed = new Set([...SANDBOX_ALLOWED_ENV_KEYS, ...(protectedKeys ?? [])]);
+    const result = {};
+    for (const [key, value] of Object.entries(env)) {
+        if (allowed.has(key)) {
+            result[key] = value;
         }
     }
+    return result;
 }
 //# sourceMappingURL=manager.js.map

package/dist/sandbox/manager.js.map

@@ -1 +1 @@
-{"version":3,"file":"manager.js","sourceRoot":"","sources":["../../src/sandbox/manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AAOtC,OAAO,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAC3F,OAAO,EAAE,sBAAsB,EAAE,sBAAsB,EAAyB,MAAM,aAAa,CAAC;AACpG,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAuB,MAAM,aAAa,CAAC;AAEnF,MAAM,UAAU,oBAAoB;IAClC,IAAI,kBAAkB,GAA+B,IAAI,CAAC;IAE1D,OAAO;QACL,KAAK,CAAC,YAAY;YAChB,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,kBAAkB,GAAG,kBAAkB,EAAE,CAAC;YAC5C,CAAC;YACD,OAAO,kBAAkB,CAAC;QAC5B,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,OAA4B;YACtC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;YAEvC,IAAI,IAAI,CAAC,QAAQ,KAAK,OAAO,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBACjD,OAAO,iBAAiB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;YAC1C,CAAC;YAED,OAAO,oBAAoB,CAAC,OAAO,CAAC,CAAC;QACvC,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB;IACxB,OAAO,MAAM,IAAI,CAAC,GAAG,EAAE,IAAI,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AACrE,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,OAA4B,EAC5B,IAAyB;IAEzB,MAAM,SAAS,GAAG,iBAAiB,EAAE,CAAC;IACtC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAE9B,MAAM,OAAO,GAAG,mBAAmB,CAAC,IAAI,EAAE,MAAM,CAAC,gBAAgB,IAAI,KAAK,CAAC,CAAC;IAC5E,MAAM,WAAW,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAE9C,IAAI,MAAM,GAA4B,IAAI,CAAC;IAC3C,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;QACrB,MAAM,MAAM,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC;QAC9C,MAAM,GAAG,sBAAsB,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IACrD,CAAC;IAED,IAAI,MAAM,GAA0B,IAAI,CAAC;IACzC,IAAI,iBAAiB,GAAkB,IAAI,CAAC;IAE5C,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,GAAG,aAAa,CAAC;YACrB,SAAS;YACT,YAAY,EAAE,OAAO,CAAC,GAAG;YACzB,eAAe,EAAE,MAAM,CAAC,UAAU;SACnC,CAAC,CAAC;QACH,MAAM,WAAW,GAAG,gBAAgB,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;QACjF,iBAAiB,GAAG,kBAAkB,CAAC,SAAS,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,YAAY,GAA2B;QAC3C,IAAI,EAAE,8BAA8B;QACpC,IAAI,EAAE,MAAM;QACZ,QAAQ,EAAE,YAAY;QACtB,UAAU,EAAE,SAAS;QACrB,GAAG,OAAO,CAAC,GAAG;KACf,CAAC;IAEF,MAAM,SAAS,GAAG,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC;IACpE,oBAAoB,CAAC,YAAY,CAAC,CAAC;IACnC,MAAM,CAAC,MAAM,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;IAEvC,IAAI,QAAkB,CAAC;IACvB,IAAI,iBAAiB,EAAE,CAAC;QACtB,QAAQ,GAAG,CAAC,GAAG,WAAW,EAAE,SAAS,EAAE,iBAAiB,CAAC,CAAC;IAC5D,CAAC;SAAM,CAAC;QACN,QAAQ,GAAG,CAAC,GAAG,WAAW,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAChE,CAAC;IAED,MAAM,KAAK,GAAG,KAAK,CAAC,SAAS,EAAE,QAAQ,EAAE;QACvC,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,YAAY;QACjB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;KAChC,CAAC,CAAC;IAEH,IAAI,UAAU,GAAiB,IAAI,CAAC;IACpC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;QACxB,UAAU,GAAG,GAAG,CAAC;IACnB,CAAC,CAAC,CAAC;IAEH,IAAI,MAAM,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;QACxB,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACrC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YACvC,OAAO,CAAC,QAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QAC5C,CAAC,CAAC,CAAC;IACL,CAAC;IAED,IAAI,YAAY,GAAyC,IAAI,CAAC;IAC9D,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,YAAY,GAAG,UAAU,CAAC,GAAG,EAAE;YAC7B,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACxB,CAAC,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;IACvB,CAAC;IAED,MAAM,UAAU,GAAG,GAAG,EAAE;QACtB,IAAI,YAAY;YAAE,YAAY,CAAC,YAAY,CAAC,CAAC;QAC7C,MAAM,EAAE,OAAO,EAAE,CAAC;QAClB,MAAM,EAAE,OAAO,EAAE,CAAC;QAClB,IAAI,iBAAiB;YAAE,WAAW,CAAC,iBAAiB,CAAC,CAAC;IACxD,CAAC,CAAC;IAEF,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IAE7B,OAAO;QACL,GAAG,EAAE,KAAK,CAAC,GAAG,IAAI,CAAC,CAAC;QACpB,KAAK,EAAE,KAAK,CAAC,KAAM;QACnB,MAAM,EAAE,KAAK,CAAC,MAAO;QACrB,MAAM,EAAE,KAAK,CAAC,MAAO;QAErB,IAAI;YACF,IAAI,CAAC;gBAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,kBAAkB,CAAC,CAAC;QAC7D,CAAC;QAED,WAAW;YACT,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBACrC,IAAI,UAAU,EAAE,CAAC;oBAAC,MAAM,CAAC,UAAU,CAAC,CAAC;oBAAC,OAAO;gBAAC,CAAC;gBAC/C,IAAI,KAAK,CAAC,QAAQ,KAAK,IAAI,EAAE,CAAC;oBAAC,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;oBAAC,OAAO;gBAAC,CAAC;gBACjE,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;gBAC1B,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE,GAAG,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACtD,CAAC,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,OAA4B;IAE5B,MAAM,SAAS,GAAG,iBAAiB,EAAE,CAAC;IAEtC,MAAM,YAAY,GAA2B;QAC3C,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,8BAA8B;QAC3D,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,MAAM;QACnC,QAAQ,EAAE,YAAY;QACtB,UAAU,EAAE,SAAS;QACrB,GAAG,OAAO,CAAC,GAAG;KACf,CAAC;IAEF,MAAM,SAAS,GAAG,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC;IACpE,oBAAoB,CAAC,YAAY,CAAC,CAAC;IACnC,MAAM,CAAC,MAAM,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;IAEvC,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,EAAE;QACjD,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,YAAY;QACjB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;KAChC,CAAC,CAAC;IAEH,IAAI,UAAU,GAAiB,IAAI,CAAC;IACpC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;QACxB,UAAU,GAAG,GAAG,CAAC;IACnB,CAAC,CAAC,CAAC;IAEH,IAAI,OAAO,CAAC,QAAQ,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACrC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YACvC,OAAO,CAAC,QAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QAC5C,CAAC,CAAC,CAAC;IACL,CAAC;IAED,IAAI,YAAY,GAAyC,IAAI,CAAC;IAC9D,IAAI,OAAO,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QAC7B,YAAY,GAAG,UAAU,CAAC,GAAG,EAAE;YAC7B,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACxB,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAC/B,CAAC;IAED,OAAO;QACL,GAAG,EAAE,KAAK,CAAC,GAAG,IAAI,CAAC,CAAC;QACpB,KAAK,EAAE,KAAK,CAAC,KAAM;QACnB,MAAM,EAAE,KAAK,CAAC,MAAO;QACrB,MAAM,EAAE,KAAK,CAAC,MAAO;QAErB,IAAI;YACF,IAAI,YAAY;gBAAE,YAAY,CAAC,YAAY,CAAC,CAAC;YAC7C,IAAI,CAAC;gBAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,kBAAkB,CAAC,CAAC;QAC7D,CAAC;QAED,WAAW;YACT,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBACrC,IAAI,UAAU,EAAE,CAAC;oBAAC,MAAM,CAAC,UAAU,CAAC,CAAC;oBAAC,OAAO;gBAAC,CAAC;gBAC/C,IAAI,KAAK,CAAC,QAAQ,KAAK,IAAI,EAAE,CAAC;oBAC5B,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;oBACxB,OAAO;gBACT,CAAC;gBACD,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;gBAC1B,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;oBACxB,IAAI,YAAY;wBAAE,YAAY,CAAC,YAAY,CAAC,CAAC;oBAC7C,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC;gBACrB,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CACzB,SAAiB,EACjB,WAAmB,EACnB,OAA4B;IAE5B,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC;IAC1D,EAAE,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1C,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,SAAS,UAAU,CAAC,CAAC;IAE7D,MAAM,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAEvF,MAAM,MAAM,GAAG;QACb,WAAW;QACX,QAAQ;QACR,EAAE;QACF,WAAW;QACX,EAAE;QACF,QAAQ,OAAO,CAAC,OAAO,IAAI,WAAW,EAAE;KACzC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEb,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACtD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,WAAW,CAAC,QAAgB;IACnC,IAAI,CAAC;QACH,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,cAAc;IAChB,CAAC;AACH,CAAC;AAED,MAAM,uBAAuB,GAAG;IAC9B,WAAW;IACX,UAAU;IACV,SAAS;IACT,YAAY;IACZ,OAAO;IACP,UAAU;IACV,aAAa;IACb,UAAU;IACV,UAAU;IACV,sBAAsB;CACvB,CAAC;AAEF,MAAM,UAAU,YAAY,CAC1B,GAA2B,EAC3B,IAAe;IAEf,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,CAAC;IACrB,MAAM,KAAK,GAA2B,EAAE,CAAC;IACzC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,GAAG,IAAI,GAAG;YAAE,KAAK,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,GAA2B;IAC9D,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACnC,IAAI,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YACrD,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;AACH,CAAC"}
+{"version":3,"file":"manager.js","sourceRoot":"","sources":["../../src/sandbox/manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AAOtC,OAAO,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAC3F,OAAO,EAAE,sBAAsB,EAAE,sBAAsB,EAAyB,MAAM,aAAa,CAAC;AACpG,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAuB,MAAM,aAAa,CAAC;AACnF,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAuB,MAAM,cAAc,CAAC;AACxE,OAAO,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACjF,OAAO,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAEhE,MAAM,GAAG,GAAG,qBAAqB,CAAC,SAAS,CAAC,CAAC;AAE7C,MAAM,qBAAqB,GAAG,IAAI,GAAG,EAAc,CAAC;AAEpD,SAAS,uBAAuB;IAC9B,MAAM,OAAO,GAAG,GAAG,EAAE;QACnB,KAAK,MAAM,EAAE,IAAI,qBAAqB,EAAE,CAAC;YACvC,IAAI,CAAC;gBAAC,EAAE,EAAE,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAA,CAAC;QACxB,CAAC;QACD,qBAAqB,CAAC,KAAK,EAAE,CAAC;IAChC,CAAC,CAAC;IACF,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAE5B,IAAI,WAAW,GAAG,KAAK,CAAC;IACxB,MAAM,YAAY,GAAG,CAAC,MAAsB,EAAE,IAAY,EAAE,EAAE;QAC5D,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,CAAC,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;QAC3B,CAAC;QACD,WAAW,GAAG,IAAI,CAAC;QACnB,OAAO,EAAE,CAAC;QACV,OAAO,CAAC,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;IAC3B,CAAC,CAAC;IACF,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,CAAC;IACzD,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC;AACxD,CAAC;AAED,IAAI,yBAAyB,GAAG,KAAK,CAAC;AAEtC,MAAM,UAAU,oBAAoB;IAClC,IAAI,CAAC,yBAAyB,EAAE,CAAC;QAC/B,uBAAuB,EAAE,CAAC;QAC1B,yBAAyB,GAAG,IAAI,CAAC;IACnC,CAAC;IAED,IAAI,mBAAmB,GAAwC,IAAI,CAAC;IAEpE,OAAO;QACL,KAAK,CAAC,YAAY;YAChB,IAAI,CAAC,mBAAmB,EAAE,CAAC;gBACzB,mBAAmB,GAAG,kBAAkB,EAAE,CAAC;YAC7C,CAAC;YACD,OAAO,mBAAmB,CAAC;QAC7B,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,OAA4B;YACtC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;YAEvC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;gBACrB,MAAM,IAAI,KAAK,CACb,iGAAiG,CAClG,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBAC5B,MAAM,IAAI,KAAK,CACb,uFAAuF;oBACvF,6CAA6C,CAC9C,CAAC;YACJ,CAAC;YACD,IAAI,OAAO,CAAC,MAAM,CAAC,gBAAgB,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC;gBAC7D,MAAM,IAAI,KAAK,CACb,+FAA+F;oBAC/F,oEAAoE,CACrE,CAAC;YACJ,CAAC;YAED,OAAO,iBAAiB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAC1C,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB;IACxB,OAAO,MAAM,IAAI,CAAC,GAAG,EAAE,IAAI,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AACrE,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,OAA4B,EAC5B,IAAyB;IAEzB,MAAM,SAAS,GAAG,iBAAiB,EAAE,CAAC;IACtC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAE9B,MAAM,OAAO,GAAG,mBAAmB,CAAC,IAAI,EAAE,MAAM,CAAC,gBAAgB,IAAI,KAAK,CAAC,CAAC;IAC5E,MAAM,WAAW,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAE9C,IAAI,MAAM,GAA4B,IAAI,CAAC;IAC3C,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;QACrB,MAAM,MAAM,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC;QAC9C,MAAM,GAAG,sBAAsB,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QACnD,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;YACpB,MAAM,CAAC,OAAO,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,+DAA+D,CAAC,CAAC;QACnF,CAAC;IACH,CAAC;IAED,IAAI,kBAAkB,GAAkB,IAAI,CAAC;IAC7C,IAAI,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC;IACpC,IAAI,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;IAE9B,IAAI,kBAAkB,EAAE,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,mBAAmB,EAAE,CAAC;QACtC,MAAM,OAAO,GAAG,uBAAuB,CACrC,OAAO,EACP,SAAS,EACT,OAAO,CAAC,OAAO,EACf,OAAO,CAAC,IAAI,CACb,CAAC;QACF,IAAI,OAAO,EAAE,CAAC;YACZ,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC;YAChC,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;YAC1B,kBAAkB,GAAG,OAAO,CAAC,WAAW,CAAC;YACzC,GAAG,CAAC,KAAK,CAAC,2DAA2D,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;QACxF,CAAC;IACH,CAAC;IAED,IAAI,MAAM,GAA0B,IAAI,CAAC;IACzC,IAAI,iBAAiB,GAAkB,IAAI,CAAC;IAE5C,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,GAAG,aAAa,CAAC;YACrB,SAAS;YACT,YAAY,EAAE,OAAO,CAAC,GAAG;YACzB,eAAe,EAAE,MAAM,CAAC,UAAU;SACnC,CAAC,CAAC;QACH,MAAM,WAAW,GAAG,gBAAgB,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE;YAClE,eAAe,EAAE,OAAO,CAAC,GAAG;SAC7B,CAAC,CAAC;QACH,iBAAiB,GAAG,kBAAkB,CACpC,SAAS,EACT,WAAW,EACX,OAAO,EACP,MAAM,EAAE,UAAU,EAClB,aAAa,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,EAC7D,UAAU,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CACrD,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAA2B;QACrC,IAAI,EAAE,8DAA8D;QACpE,IAAI,EAAE,MAAM;QACZ,QAAQ,EAAE,YAAY;QACtB,UAAU,EAAE,SAAS;QACrB,GAAG,OAAO,CAAC,GAAG;KACf,CAAC;IAEF,MAAM,YAAY,GAAG,WAAW,CAAC,MAAM,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC;IAEhE,IAAI,QAAkB,CAAC;IACvB,IAAI,iBAAiB,EAAE,CAAC;QACtB,QAAQ,GAAG,CAAC,GAAG,WAAW,EAAE,SAAS,EAAE,iBAAiB,CAAC,CAAC;IAC5D,CAAC;SAAM,CAAC;QACN,QAAQ,GAAG,CAAC,GAAG,WAAW,EAAE,aAAa,EAAE,GAAG,UAAU,CAAC,CAAC;IAC5D,CAAC;IAED,MAAM,KAAK,GAAG,KAAK,CAAC,SAAS,EAAE,QAAQ,EAAE;QACvC,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,YAAY;QACjB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;KAChC,CAAC,CAAC;IAEH,IAAI,UAAU,GAAiB,IAAI,CAAC;IACpC,IAAI,SAAS,GAAG,KAAK,CAAC;IAEtB,MAAM,UAAU,GAAG,GAAG,EAAE;QACtB,IAAI,SAAS;YAAE,OAAO;QACtB,SAAS,GAAG,IAAI,CAAC;QACjB,qBAAqB,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QACzC,IAAI,YAAY;YAAE,YAAY,CAAC,YAAY,CAAC,CAAC;QAC7C,MAAM,EAAE,OAAO,EAAE,CAAC;QAClB,MAAM,EAAE,OAAO,EAAE,CAAC;QAClB,IAAI,iBAAiB;YAAE,WAAW,CAAC,iBAAiB,CAAC,CAAC;QACtD,IAAI,kBAAkB;YAAE,qBAAqB,CAAC,kBAAkB,CAAC,CAAC;IACpE,CAAC,CAAC;IAEF,qBAAqB,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAEtC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;QACxB,UAAU,GAAG,GAAG,CAAC;QACjB,UAAU,EAAE,CAAC;IACf,CAAC,CAAC,CAAC;IACH,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IAE7B,IAAI,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC9C,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACrC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YACvC,OAAO,CAAC,QAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QAC5C,CAAC,CAAC,CAAC;IACL,CAAC;IAED,IAAI,YAAY,GAAyC,IAAI,CAAC;IAC9D,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,YAAY,GAAG,UAAU,CAAC,GAAG,EAAE;YAC7B,IAAI,CAAC;gBAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,kBAAkB,CAAC,CAAC;QAC7D,CAAC,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;IACvB,CAAC;IAED,IAAI,WAAW,GAA2B,IAAI,CAAC;IAE/C,OAAO;QACL,GAAG,EAAE,KAAK,CAAC,GAAG,IAAI,CAAC,CAAC;QACpB,KAAK,EAAE,KAAK,CAAC,KAAM;QACnB,MAAM,EAAE,KAAK,CAAC,MAAO;QACrB,MAAM,EAAE,KAAK,CAAC,MAAO;QAErB,IAAI;YACF,IAAI,CAAC;gBAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,kBAAkB,CAAC,CAAC;QAC7D,CAAC;QAED,WAAW;YACT,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,WAAW,GAAG,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;oBAC5C,IAAI,UAAU,EAAE,CAAC;wBAAC,UAAU,EAAE,CAAC;wBAAC,MAAM,CAAC,UAAU,CAAC,CAAC;wBAAC,OAAO;oBAAC,CAAC;oBAC7D,IAAI,KAAK,CAAC,QAAQ,KAAK,IAAI,EAAE,CAAC;wBAAC,UAAU,EAAE,CAAC;wBAAC,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;wBAAC,OAAO;oBAAC,CAAC;oBAC/E,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,GAAG,UAAU,EAAE,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;oBAC3D,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE,GAAG,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACpE,CAAC,CAAC,CAAC;YACL,CAAC;YACD,OAAO,WAAW,CAAC;QACrB,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CACzB,SAAiB,EACjB,WAAmB,EACnB,OAA4B,EAC5B,eAAwB,EACxB,UAAmB,EACnB,WAAsB;IAEtB,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,0BAA0B,CAAC,CAAC;IAClE,EAAE,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACvD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,SAAS,UAAU,CAAC,CAAC;IAE7D,MAAM,GAAG,GAAG,UAAU,IAAI,OAAO,CAAC,OAAO,CAAC;IAC1C,MAAM,IAAI,GAAG,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC;IACzC,MAAM,UAAU,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAEvD,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,IAAI,eAAe,EAAE,CAAC;QACpB,QAAQ,CAAC,IAAI,CACX,oEAAoE,EACpE,aAAa,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,cAAc,CAAC,CAAC,oEAAoE,EAC3I,EAAE,CACH,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG;QACb,WAAW;QACX,QAAQ;QACR,EAAE;QACF,GAAG,QAAQ;QACX,WAAW;QACX,EAAE;QACF,QAAQ,UAAU,IAAI,WAAW,EAAE;KACpC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEb,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACtD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,WAAW,CAAC,QAAgB;IACnC,IAAI,CAAC;QACH,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,cAAc;IAChB,CAAC;AACH,CAAC;AAED,MAAM,wBAAwB,GAAG,IAAI,GAAG,CAAC;IACvC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,uBAAuB;IACjE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW;CAC5C,CAAC,CAAC;AAEH,MAAM,UAAU,WAAW,CACzB,GAA2B,EAC3B,aAAwB;IAExB,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,wBAAwB,EAAE,GAAG,CAAC,aAAa,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACjF,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACtB,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/sandbox/namespace.d.ts

@@ -1,5 +1,5 @@
 import type { SandboxCapabilities } from "./types.js";
-export declare function detectCapabilities(): SandboxCapabilities;
+export declare function detectCapabilities(): Promise<SandboxCapabilities>;
 export interface NamespaceFlags {
     user: boolean;
     mount: boolean;

package/dist/sandbox/namespace.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"namespace.d.ts","sourceRoot":"","sources":["../../src/sandbox/namespace.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAEtD,wBAAgB,kBAAkB,IAAI,mBAAmB,CA0BxD;AAqED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,OAAO,CAAC;IACf,GAAG,EAAE,OAAO,CAAC;IACb,GAAG,EAAE,OAAO,CAAC;IACb,GAAG,EAAE,OAAO,CAAC;CACd;AAED,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,cAAc,GAAG,MAAM,EAAE,CAsBhE;AAED,wBAAgB,mBAAmB,CACjC,YAAY,EAAE,mBAAmB,EACjC,gBAAgB,EAAE,OAAO,GACxB,cAAc,CAQhB"}
+{"version":3,"file":"namespace.d.ts","sourceRoot":"","sources":["../../src/sandbox/namespace.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAKtD,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,mBAAmB,CAAC,CAuBvE;AAmED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,OAAO,CAAC;IACf,GAAG,EAAE,OAAO,CAAC;IACb,GAAG,EAAE,OAAO,CAAC;IACb,GAAG,EAAE,OAAO,CAAC;CACd;AAED,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,cAAc,GAAG,MAAM,EAAE,CAsBhE;AAED,wBAAgB,mBAAmB,CACjC,YAAY,EAAE,mBAAmB,EACjC,gBAAgB,EAAE,OAAO,GACxB,cAAc,CAQhB"}