isol8 0.10.3 → 0.11.1

package/dist/cli.js

@@ -6929,11 +6929,6 @@ var require_utils2 = __commonJS((exports, module) => {
   };
 });
 
-// node_modules/ssh2/lib/protocol/crypto/build/Release/sshcrypto.node
-var require_sshcrypto = __commonJS((exports, module) => {
-  module.exports = __require("./sshcrypto-0209sx47.node");
-});
-
 // node_modules/ssh2/lib/protocol/crypto/poly1305.js
 var require_poly1305 = __commonJS((exports, module) => {
   var __dirname = "/home/runner/work/isol8/isol8/node_modules/ssh2/lib/protocol/crypto", __filename = "/home/runner/work/isol8/isol8/node_modules/ssh2/lib/protocol/crypto/poly1305.js";
@@ -7420,7 +7415,7 @@ var require_crypto = __commonJS((exports, module) => {
   var ChaChaPolyDecipher;
   var GenericDecipher;
   try {
-    binding = require_sshcrypto();
+    binding = (()=>{throw new Error("Cannot require module "+"./crypto/build/Release/sshcrypto.node");})();
     ({
       AESGCMCipher,
       ChaChaPolyCipher,
@@ -54795,6 +54790,8 @@ function mergeConfig(defaults, overrides) {
       ...defaults.cleanup,
       ...overrides.cleanup
     },
+    poolStrategy: overrides.poolStrategy ?? defaults.poolStrategy,
+    poolSize: overrides.poolSize ?? defaults.poolSize,
     dependencies: {
       ...defaults.dependencies,
       ...overrides.dependencies
@@ -54803,6 +54800,13 @@ function mergeConfig(defaults, overrides) {
       seccomp: overrides.security?.seccomp ?? defaults.security.seccomp,
       customProfilePath: overrides.security?.customProfilePath ?? defaults.security.customProfilePath
     },
+    remoteCode: {
+      ...defaults.remoteCode,
+      ...overrides.remoteCode,
+      allowedSchemes: overrides.remoteCode?.allowedSchemes ?? defaults.remoteCode.allowedSchemes,
+      allowedHosts: overrides.remoteCode?.allowedHosts ?? defaults.remoteCode.allowedHosts,
+      blockedHosts: overrides.remoteCode?.blockedHosts ?? defaults.remoteCode.blockedHosts
+    },
     audit: {
       ...defaults.audit,
       ...overrides.audit
@@ -54830,10 +54834,34 @@ var init_config = __esm(() => {
       autoPrune: true,
       maxContainerAgeMs: 3600000
     },
+    poolStrategy: "fast",
+    poolSize: { clean: 1, dirty: 1 },
     dependencies: {},
     security: {
       seccomp: "strict"
     },
+    remoteCode: {
+      enabled: false,
+      allowedSchemes: ["https"],
+      allowedHosts: [],
+      blockedHosts: [
+        "^localhost$",
+        "^127(?:\\.[0-9]{1,3}){3}$",
+        "^\\[::1\\]$",
+        "^::1$",
+        "^10(?:\\.[0-9]{1,3}){3}$",
+        "^172\\.(?:1[6-9]|2[0-9]|3[0-1])(?:\\.[0-9]{1,3}){2}$",
+        "^192\\.168(?:\\.[0-9]{1,3}){2}$",
+        "^169\\.254(?:\\.[0-9]{1,3}){2}$",
+        "^metadata\\.google\\.internal$",
+        "^169\\.254\\.169\\.254$"
+      ],
+      maxCodeSize: 10 * 1024 * 1024,
+      fetchTimeoutMs: 30000,
+      requireHash: false,
+      enableCache: true,
+      cacheTtl: 3600
+    },
     audit: {
       enabled: false,
       destination: "filesystem",
@@ -55174,6 +55202,180 @@ var init_audit = __esm(() => {
   init_logger();
 });
 
+// src/engine/code-fetcher.ts
+import { createHash } from "node:crypto";
+import { lookup as dnsLookup } from "node:dns/promises";
+import { isIP } from "node:net";
+function sha256Hex(input) {
+  return createHash("sha256").update(input, "utf-8").digest("hex");
+}
+function normalizeScheme(url) {
+  return url.protocol.replace(/:$/, "").toLowerCase();
+}
+function isBlockedByPattern(host, patterns) {
+  return patterns.some((pattern) => new RegExp(pattern, "i").test(host));
+}
+function isAllowedByPattern(host, patterns) {
+  if (patterns.length === 0) {
+    return true;
+  }
+  return patterns.some((pattern) => new RegExp(pattern, "i").test(host));
+}
+function isPrivateIpv4(ip) {
+  const parts = ip.split(IPV4_SEPARATOR).map((v) => Number.parseInt(v, 10));
+  if (parts.length !== 4 || parts.some((p) => Number.isNaN(p))) {
+    return false;
+  }
+  const a = parts[0];
+  const b = parts[1];
+  if (a === 10 || a === 127 || a === 0) {
+    return true;
+  }
+  if (a === 169 && b === 254) {
+    return true;
+  }
+  if (a === 172 && b >= 16 && b <= 31) {
+    return true;
+  }
+  if (a === 192 && b === 168) {
+    return true;
+  }
+  if (a === 100 && b >= 64 && b <= 127) {
+    return true;
+  }
+  return false;
+}
+function isPrivateIpv6(ip) {
+  const normalized = ip.toLowerCase();
+  if (normalized === IPV6_LOOPBACK) {
+    return true;
+  }
+  return normalized.startsWith("fc") || normalized.startsWith("fd") || normalized.startsWith("fe8") || normalized.startsWith("fe9") || normalized.startsWith("fea") || normalized.startsWith("feb");
+}
+function isPrivateIp(ip) {
+  const family = isIP(ip);
+  if (family === 4) {
+    return isPrivateIpv4(ip);
+  }
+  if (family === 6) {
+    return isPrivateIpv6(ip);
+  }
+  return false;
+}
+async function assertHostResolvesPublic(host, lookupFn) {
+  if (isIP(host) && isPrivateIp(host)) {
+    throw new Error(`Blocked code URL host: ${host}`);
+  }
+  try {
+    const records = await lookupFn(host);
+    for (const record of records) {
+      if (isPrivateIp(record.address)) {
+        throw new Error(`Blocked code URL host: ${host}`);
+      }
+    }
+  } catch (err) {
+    if (err instanceof Error && err.message.startsWith("Blocked code URL host:")) {
+      throw err;
+    }
+    throw new Error(`Failed to resolve code URL host: ${host}`);
+  }
+}
+function decodeUtf8(content) {
+  const decoder = new TextDecoder("utf-8", { fatal: true });
+  const text = decoder.decode(content);
+  if (text.includes("\x00")) {
+    throw new Error("Fetched code appears to be binary content");
+  }
+  return text;
+}
+async function fetchRemoteCode(request, policy, deps = {}) {
+  if (!policy.enabled) {
+    throw new Error("Remote code fetching is disabled. Set remoteCode.enabled=true to allow it.");
+  }
+  const fetchFn = deps.fetchFn ?? globalThis.fetch;
+  const lookupFn = deps.lookupFn ?? (async (hostname) => {
+    const records = await dnsLookup(hostname, { all: true, verbatim: true });
+    return records;
+  });
+  if (!request.codeUrl) {
+    throw new Error("codeUrl is required for remote code fetching");
+  }
+  const url = new URL(request.codeUrl);
+  const scheme = normalizeScheme(url);
+  if (scheme === "http" && !request.allowInsecureCodeUrl) {
+    throw new Error("Insecure code URL blocked. Use allowInsecureCodeUrl=true to allow HTTP.");
+  }
+  if (!policy.allowedSchemes.map((s) => s.toLowerCase()).includes(scheme)) {
+    throw new Error(`URL scheme not allowed: ${scheme}`);
+  }
+  const host = url.hostname.toLowerCase();
+  if (!isAllowedByPattern(host, policy.allowedHosts) || isBlockedByPattern(host, policy.blockedHosts)) {
+    throw new Error(`Blocked code URL host: ${host}`);
+  }
+  await assertHostResolvesPublic(host, lookupFn);
+  if (policy.requireHash && !request.codeHash) {
+    throw new Error("Hash verification required: provide codeHash for remote code execution.");
+  }
+  const controller = new AbortController;
+  const timeout = setTimeout(() => controller.abort(), policy.fetchTimeoutMs);
+  let response;
+  try {
+    response = await fetchFn(url.toString(), {
+      method: "GET",
+      redirect: "follow",
+      signal: controller.signal
+    });
+  } catch (err) {
+    throw new Error(err instanceof Error && err.name === "AbortError" ? `Remote code fetch timed out after ${policy.fetchTimeoutMs}ms` : `Failed to fetch remote code: ${err instanceof Error ? err.message : String(err)}`);
+  } finally {
+    clearTimeout(timeout);
+  }
+  if (!response.ok) {
+    throw new Error(`Failed to fetch remote code: HTTP ${response.status}`);
+  }
+  const contentLengthHeader = response.headers.get("content-length");
+  if (contentLengthHeader) {
+    const parsedLength = Number.parseInt(contentLengthHeader, 10);
+    if (!Number.isNaN(parsedLength) && parsedLength > policy.maxCodeSize) {
+      throw new Error(`Remote code exceeds maxCodeSize (${policy.maxCodeSize} bytes): ${parsedLength} bytes`);
+    }
+  }
+  if (!response.body) {
+    throw new Error("Remote code response body is empty");
+  }
+  const reader = response.body.getReader();
+  const chunks = [];
+  let totalBytes = 0;
+  while (true) {
+    const { done, value } = await reader.read();
+    if (done) {
+      break;
+    }
+    if (!value) {
+      continue;
+    }
+    totalBytes += value.byteLength;
+    if (totalBytes > policy.maxCodeSize) {
+      throw new Error(`Remote code exceeds maxCodeSize (${policy.maxCodeSize} bytes)`);
+    }
+    chunks.push(value);
+  }
+  const buffer = new Uint8Array(totalBytes);
+  let offset = 0;
+  for (const chunk of chunks) {
+    buffer.set(chunk, offset);
+    offset += chunk.byteLength;
+  }
+  const code = decodeUtf8(buffer);
+  const hash = sha256Hex(code);
+  if (request.codeHash && hash.toLowerCase() !== request.codeHash.toLowerCase()) {
+    throw new Error("Remote code hash mismatch");
+  }
+  return { code, url: url.toString(), hash };
+}
+var IPV4_SEPARATOR = ".", IPV6_LOOPBACK = "::1";
+var init_code_fetcher = () => {};
+
 // src/engine/concurrency.ts
 class Semaphore {
   max;
@@ -55210,6 +55412,333 @@ class Semaphore {
   }
 }
 
+// src/engine/utils.ts
+var exports_utils = {};
+__export(exports_utils, {
+  validatePackageName: () => validatePackageName,
+  truncateOutput: () => truncateOutput,
+  parseMemoryLimit: () => parseMemoryLimit,
+  maskSecrets: () => maskSecrets,
+  extractFromTar: () => extractFromTar,
+  createTarBuffer: () => createTarBuffer
+});
+function parseMemoryLimit(limit) {
+  const match = limit.match(/^(\d+(?:\.\d+)?)\s*([kmgt]?)b?$/i);
+  if (!match) {
+    throw new Error(`Invalid memory limit format: "${limit}". Use e.g. "512m", "1g".`);
+  }
+  const value = Number.parseFloat(match[1]);
+  const unit = (match[2] || "b").toLowerCase();
+  const multipliers = {
+    b: 1,
+    k: 1024,
+    m: 1024 ** 2,
+    g: 1024 ** 3,
+    t: 1024 ** 4
+  };
+  return Math.floor(value * (multipliers[unit] ?? 1));
+}
+function truncateOutput(output, maxBytes) {
+  const encoder = new TextEncoder;
+  const bytes = encoder.encode(output);
+  if (bytes.length <= maxBytes) {
+    return { text: output, truncated: false };
+  }
+  const decoder = new TextDecoder("utf-8", { fatal: false });
+  const truncated = decoder.decode(bytes.slice(0, maxBytes));
+  return {
+    text: `${truncated}
+
+--- OUTPUT TRUNCATED (${bytes.length} bytes, limit: ${maxBytes}) ---`,
+    truncated: true
+  };
+}
+function maskSecrets(text, secrets) {
+  let result = text;
+  for (const value of Object.values(secrets)) {
+    if (value.length > 0) {
+      result = result.replaceAll(value, "***");
+    }
+  }
+  return result;
+}
+function createTarBuffer(filePath, content) {
+  const data = typeof content === "string" ? Buffer.from(content, "utf-8") : content;
+  const headerSize = 512;
+  const dataBlocks = Math.ceil(data.length / 512);
+  const totalSize = headerSize + dataBlocks * 512 + 1024;
+  const buf = Buffer.alloc(totalSize);
+  buf.write(filePath.replace(/^\//, ""), 0, 100, "utf-8");
+  buf.write("0000644\x00", 100, 8, "utf-8");
+  buf.write("0000000\x00", 108, 8, "utf-8");
+  buf.write("0000000\x00", 116, 8, "utf-8");
+  buf.write(`${data.length.toString(8).padStart(11, "0")}\x00`, 124, 12, "utf-8");
+  buf.write(`${Math.floor(Date.now() / 1000).toString(8).padStart(11, "0")}\x00`, 136, 12, "utf-8");
+  buf.write("0", 156, 1, "utf-8");
+  buf.write("ustar\x00", 257, 6, "utf-8");
+  buf.write("00", 263, 2, "utf-8");
+  buf.write("        ", 148, 8, "utf-8");
+  let checksum = 0;
+  for (let i = 0;i < headerSize; i++) {
+    checksum += buf[i];
+  }
+  buf.write(`${checksum.toString(8).padStart(6, "0")}\x00 `, 148, 8, "utf-8");
+  data.copy(buf, headerSize);
+  return buf;
+}
+function extractFromTar(tarBuffer, targetPath) {
+  const normalizedTarget = targetPath.replace(/^\//, "");
+  const basename = targetPath.split("/").pop() ?? targetPath;
+  let offset = 0;
+  while (offset < tarBuffer.length - 512) {
+    const nameEnd = tarBuffer.indexOf(0, offset);
+    const name = tarBuffer.subarray(offset, Math.min(nameEnd, offset + 100)).toString("utf-8");
+    if (name.length === 0) {
+      break;
+    }
+    const sizeStr = tarBuffer.subarray(offset + 124, offset + 136).toString("utf-8").trim();
+    const size = Number.parseInt(sizeStr, 8);
+    if (Number.isNaN(size)) {
+      break;
+    }
+    const dataStart = offset + 512;
+    const dataBlocks = Math.ceil(size / 512);
+    if (name === normalizedTarget || name.endsWith(`/${normalizedTarget}`) || name === basename) {
+      return Buffer.from(tarBuffer.subarray(dataStart, dataStart + size));
+    }
+    offset = dataStart + dataBlocks * 512;
+  }
+  throw new Error(`File "${targetPath}" not found in tar archive`);
+}
+function validatePackageName(name) {
+  if (!/^[@a-zA-Z0-9_./\-=]+$/.test(name)) {
+    throw new Error(`Invalid package name: "${name}". Only alphanumeric, -, _, ., /, @, and = are allowed.`);
+  }
+  return name;
+}
+
+// src/engine/image-builder.ts
+import { createHash as createHash2 } from "node:crypto";
+import { existsSync as existsSync3, readFileSync as readFileSync2 } from "node:fs";
+import { join as join3 } from "node:path";
+function resolveDockerDir() {
+  const fromBundled = new URL("./docker", import.meta.url).pathname;
+  if (existsSync3(fromBundled)) {
+    return fromBundled;
+  }
+  return new URL("../../docker", import.meta.url).pathname;
+}
+function computeDockerDirHash() {
+  const hash = createHash2("sha256");
+  const files = [...DOCKER_BUILD_FILES].sort();
+  for (const file of files) {
+    const filePath = join3(DOCKERFILE_DIR, file);
+    if (existsSync3(filePath)) {
+      const content = readFileSync2(filePath);
+      hash.update(file);
+      hash.update(content);
+    }
+  }
+  return hash.digest("hex");
+}
+function computeDepsHash(runtime, packages) {
+  const hash = createHash2("sha256");
+  hash.update(runtime);
+  for (const pkg of [...packages].sort()) {
+    hash.update(pkg);
+  }
+  return hash.digest("hex");
+}
+function normalizePackages(packages) {
+  return [...new Set(packages.map((pkg) => pkg.trim()).filter(Boolean))].sort();
+}
+function getCustomImageTag(runtime, packages) {
+  const normalizedPackages = normalizePackages(packages);
+  const depsHash = computeDepsHash(runtime, normalizedPackages);
+  const shortHash = depsHash.slice(0, 12);
+  return `isol8:${runtime}-custom-${shortHash}`;
+}
+async function getImageLabels(docker, imageName) {
+  try {
+    const image = docker.getImage(imageName);
+    const inspect = await image.inspect();
+    return inspect.Config?.Labels ?? {};
+  } catch {
+    return null;
+  }
+}
+async function removeImage(docker, imageId) {
+  try {
+    const image = docker.getImage(imageId);
+    await image.remove();
+    logger.debug(`[ImageBuilder] Removed old image: ${imageId.slice(0, 12)}`);
+  } catch (err) {
+    logger.debug(`[ImageBuilder] Could not remove image ${imageId.slice(0, 12)}: ${err}`);
+  }
+}
+async function buildBaseImages(docker, onProgress, force = false) {
+  const runtimes = RuntimeRegistry.list();
+  const dockerHash = computeDockerDirHash();
+  logger.debug(`[ImageBuilder] Docker directory hash: ${dockerHash.slice(0, 16)}...`);
+  for (const adapter of runtimes) {
+    const target = adapter.name;
+    const imageName = adapter.image;
+    if (!force) {
+      const labels = await getImageLabels(docker, imageName);
+      if (labels && labels[LABELS.dockerHash] === dockerHash) {
+        logger.debug(`[ImageBuilder] Base image ${target} is up to date, skipping build`);
+        onProgress?.({ runtime: target, status: "done", message: "Up to date" });
+        continue;
+      }
+    }
+    let oldImageId = null;
+    try {
+      const oldImage = await docker.getImage(imageName).inspect();
+      oldImageId = oldImage.Id;
+      logger.debug(`[ImageBuilder] Existing image ${target} ID: ${oldImageId.slice(0, 12)}`);
+    } catch {
+      logger.debug(`[ImageBuilder] No existing image for ${target}`);
+    }
+    onProgress?.({ runtime: target, status: "building" });
+    try {
+      const stream = await docker.buildImage({ context: DOCKERFILE_DIR, src: DOCKER_BUILD_FILES }, {
+        t: imageName,
+        target,
+        dockerfile: "Dockerfile",
+        labels: {
+          [LABELS.dockerHash]: dockerHash
+        }
+      });
+      await new Promise((resolve2, reject) => {
+        docker.modem.followProgress(stream, (err) => {
+          if (err) {
+            reject(err);
+          } else {
+            resolve2();
+          }
+        });
+      });
+      if (oldImageId) {
+        await removeImage(docker, oldImageId);
+      }
+      onProgress?.({ runtime: target, status: "done" });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      onProgress?.({ runtime: target, status: "error", message });
+      throw new Error(`Failed to build image for ${target}: ${message}`);
+    }
+  }
+}
+async function buildCustomImages(docker, config, onProgress, force = false) {
+  const deps = config.dependencies;
+  const python = deps.python ? normalizePackages(deps.python) : [];
+  const node = deps.node ? normalizePackages(deps.node) : [];
+  const bun = deps.bun ? normalizePackages(deps.bun) : [];
+  const deno = deps.deno ? normalizePackages(deps.deno) : [];
+  const bash = deps.bash ? normalizePackages(deps.bash) : [];
+  if (python.length) {
+    await buildCustomImage(docker, "python", python, onProgress, force);
+  }
+  if (node.length) {
+    await buildCustomImage(docker, "node", node, onProgress, force);
+  }
+  if (bun.length) {
+    await buildCustomImage(docker, "bun", bun, onProgress, force);
+  }
+  if (deno.length) {
+    await buildCustomImage(docker, "deno", deno, onProgress, force);
+  }
+  if (bash.length) {
+    await buildCustomImage(docker, "bash", bash, onProgress, force);
+  }
+}
+async function buildCustomImage(docker, runtime, packages, onProgress, force = false) {
+  const normalizedPackages = normalizePackages(packages);
+  const tag = getCustomImageTag(runtime, normalizedPackages);
+  const depsHash = computeDepsHash(runtime, normalizedPackages);
+  logger.debug(`[ImageBuilder] ${runtime} custom deps hash: ${depsHash.slice(0, 16)}...`);
+  if (!force) {
+    const labels = await getImageLabels(docker, tag);
+    if (labels && labels[LABELS.depsHash] === depsHash) {
+      logger.debug(`[ImageBuilder] Custom image ${runtime} is up to date, skipping build`);
+      onProgress?.({ runtime, status: "done", message: "Up to date" });
+      return;
+    }
+  }
+  let oldImageId = null;
+  try {
+    const oldImage = await docker.getImage(tag).inspect();
+    oldImageId = oldImage.Id;
+    logger.debug(`[ImageBuilder] Existing custom image ${runtime} ID: ${oldImageId.slice(0, 12)}`);
+  } catch {
+    logger.debug(`[ImageBuilder] No existing custom image for ${runtime}`);
+  }
+  onProgress?.({
+    runtime,
+    status: "building",
+    message: `Custom: ${normalizedPackages.join(", ")}`
+  });
+  let installCmd;
+  switch (runtime) {
+    case "python":
+      installCmd = `RUN pip install --no-cache-dir ${normalizedPackages.join(" ")}`;
+      break;
+    case "node":
+      installCmd = `RUN npm install -g ${normalizedPackages.join(" ")}`;
+      break;
+    case "bun":
+      installCmd = `RUN bun install -g ${normalizedPackages.join(" ")}`;
+      break;
+    case "deno":
+      installCmd = normalizedPackages.map((p) => `RUN deno cache ${p}`).join(`
+`);
+      break;
+    case "bash":
+      installCmd = `RUN apk add --no-cache ${normalizedPackages.join(" ")}`;
+      break;
+    default:
+      throw new Error(`Unknown runtime: ${runtime}`);
+  }
+  const dockerfileContent = `FROM isol8:${runtime}
+${installCmd}
+`;
+  const { createTarBuffer: createTarBuffer2, validatePackageName: validatePackageName2 } = await Promise.resolve().then(() => exports_utils);
+  const { Readable } = await import("node:stream");
+  normalizedPackages.forEach(validatePackageName2);
+  const tarBuffer = createTarBuffer2("Dockerfile", dockerfileContent);
+  const stream = await docker.buildImage(Readable.from(tarBuffer), {
+    t: tag,
+    dockerfile: "Dockerfile",
+    labels: {
+      [LABELS.depsHash]: depsHash
+    }
+  });
+  await new Promise((resolve2, reject) => {
+    docker.modem.followProgress(stream, (err) => {
+      if (err) {
+        reject(err);
+      } else {
+        resolve2();
+      }
+    });
+  });
+  if (oldImageId) {
+    await removeImage(docker, oldImageId);
+  }
+  onProgress?.({ runtime, status: "done" });
+}
+var DOCKERFILE_DIR, LABELS, DOCKER_BUILD_FILES;
+var init_image_builder = __esm(() => {
+  init_runtime();
+  init_logger();
+  DOCKERFILE_DIR = resolveDockerDir();
+  LABELS = {
+    dockerHash: "org.isol8.build.hash",
+    depsHash: "org.isol8.deps.hash"
+  };
+  DOCKER_BUILD_FILES = ["Dockerfile", "proxy.sh", "proxy-handler.sh"];
+});
+
 // src/engine/pool.ts
 class ContainerPool {
   docker;
@@ -55400,46 +55929,44 @@ class ContainerPool {
   }
   replenish(image) {
     if (this.replenishing.has(image)) {
-      if (this.replenishing.has(image)) {
-        return;
-      }
-      const pool = this.pools.get(image);
-      const currentSize = pool ? this.poolStrategy === "fast" ? pool.clean.length : pool.clean?.length ?? 0 : 0;
-      const targetSize = this.poolStrategy === "fast" ? this.cleanPoolSize : this.cleanPoolSize;
-      if (currentSize >= targetSize) {
+      return;
+    }
+    const pool = this.pools.get(image);
+    const currentSize = pool ? this.poolStrategy === "fast" ? pool.clean.length : pool.clean?.length ?? 0 : 0;
+    const targetSize = this.cleanPoolSize;
+    if (currentSize >= targetSize) {
+      return;
+    }
+    this.replenishing.add(image);
+    const promise = this.createContainer(image).then((container) => {
+      const p = this.pools.get(image);
+      if (!p) {
+        container.remove({ force: true }).catch(() => {});
         return;
       }
-      this.replenishing.add(image);
-      const promise = this.createContainer(image).then((container) => {
-        const p = this.pools.get(image);
-        if (!p) {
+      if (this.poolStrategy === "fast") {
+        if (p.clean.length < this.cleanPoolSize) {
+          p.clean.push({ container, createdAt: Date.now() });
+        } else {
           container.remove({ force: true }).catch(() => {});
-          return;
         }
-        if (this.poolStrategy === "fast") {
-          if (p.clean.length < this.cleanPoolSize) {
-            p.clean.push({ container, createdAt: Date.now() });
-          } else {
-            container.remove({ force: true }).catch(() => {});
-          }
+      } else {
+        if (!p.clean) {
+          p.clean = [];
+        }
+        if (p.clean.length < this.cleanPoolSize) {
+          p.clean.push({ container, createdAt: Date.now() });
         } else {
-          if (!p.clean) {
-            p.clean = [];
-          }
-          if (p.clean.length < this.cleanPoolSize) {
-            p.clean.push({ container, createdAt: Date.now() });
-          } else {
-            container.remove({ force: true }).catch(() => {});
-          }
+          container.remove({ force: true }).catch(() => {});
         }
-      }).catch((err) => {
-        logger.error(`[Pool] Error during replenishment for ${image}:`, err);
-      }).finally(() => {
-        this.replenishing.delete(image);
-        this.pendingReplenishments.delete(promise);
-      });
-      this.pendingReplenishments.add(promise);
-    }
+      }
+    }).catch((err) => {
+      logger.error(`[Pool] Error during replenishment for ${image}:`, err);
+    }).finally(() => {
+      this.replenishing.delete(image);
+      this.pendingReplenishments.delete(promise);
+    });
+    this.pendingReplenishments.add(promise);
   }
 }
 var init_pool = __esm(() => {
@@ -55491,118 +56018,13 @@ function calculateResourceDelta(before, after) {
   };
 }
 
-// src/engine/utils.ts
-var exports_utils = {};
-__export(exports_utils, {
-  validatePackageName: () => validatePackageName,
-  truncateOutput: () => truncateOutput,
-  parseMemoryLimit: () => parseMemoryLimit,
-  maskSecrets: () => maskSecrets,
-  extractFromTar: () => extractFromTar,
-  createTarBuffer: () => createTarBuffer
-});
-function parseMemoryLimit(limit) {
-  const match = limit.match(/^(\d+(?:\.\d+)?)\s*([kmgt]?)b?$/i);
-  if (!match) {
-    throw new Error(`Invalid memory limit format: "${limit}". Use e.g. "512m", "1g".`);
-  }
-  const value = Number.parseFloat(match[1]);
-  const unit = (match[2] || "b").toLowerCase();
-  const multipliers = {
-    b: 1,
-    k: 1024,
-    m: 1024 ** 2,
-    g: 1024 ** 3,
-    t: 1024 ** 4
-  };
-  return Math.floor(value * (multipliers[unit] ?? 1));
-}
-function truncateOutput(output, maxBytes) {
-  const encoder = new TextEncoder;
-  const bytes = encoder.encode(output);
-  if (bytes.length <= maxBytes) {
-    return { text: output, truncated: false };
-  }
-  const decoder = new TextDecoder("utf-8", { fatal: false });
-  const truncated = decoder.decode(bytes.slice(0, maxBytes));
-  return {
-    text: `${truncated}
-
---- OUTPUT TRUNCATED (${bytes.length} bytes, limit: ${maxBytes}) ---`,
-    truncated: true
-  };
-}
-function maskSecrets(text, secrets) {
-  let result = text;
-  for (const value of Object.values(secrets)) {
-    if (value.length > 0) {
-      result = result.replaceAll(value, "***");
-    }
-  }
-  return result;
-}
-function createTarBuffer(filePath, content) {
-  const data = typeof content === "string" ? Buffer.from(content, "utf-8") : content;
-  const headerSize = 512;
-  const dataBlocks = Math.ceil(data.length / 512);
-  const totalSize = headerSize + dataBlocks * 512 + 1024;
-  const buf = Buffer.alloc(totalSize);
-  buf.write(filePath.replace(/^\//, ""), 0, 100, "utf-8");
-  buf.write("0000644\x00", 100, 8, "utf-8");
-  buf.write("0000000\x00", 108, 8, "utf-8");
-  buf.write("0000000\x00", 116, 8, "utf-8");
-  buf.write(`${data.length.toString(8).padStart(11, "0")}\x00`, 124, 12, "utf-8");
-  buf.write(`${Math.floor(Date.now() / 1000).toString(8).padStart(11, "0")}\x00`, 136, 12, "utf-8");
-  buf.write("0", 156, 1, "utf-8");
-  buf.write("ustar\x00", 257, 6, "utf-8");
-  buf.write("00", 263, 2, "utf-8");
-  buf.write("        ", 148, 8, "utf-8");
-  let checksum = 0;
-  for (let i = 0;i < headerSize; i++) {
-    checksum += buf[i];
-  }
-  buf.write(`${checksum.toString(8).padStart(6, "0")}\x00 `, 148, 8, "utf-8");
-  data.copy(buf, headerSize);
-  return buf;
-}
-function extractFromTar(tarBuffer, targetPath) {
-  const normalizedTarget = targetPath.replace(/^\//, "");
-  const basename = targetPath.split("/").pop() ?? targetPath;
-  let offset = 0;
-  while (offset < tarBuffer.length - 512) {
-    const nameEnd = tarBuffer.indexOf(0, offset);
-    const name = tarBuffer.subarray(offset, Math.min(nameEnd, offset + 100)).toString("utf-8");
-    if (name.length === 0) {
-      break;
-    }
-    const sizeStr = tarBuffer.subarray(offset + 124, offset + 136).toString("utf-8").trim();
-    const size = Number.parseInt(sizeStr, 8);
-    if (Number.isNaN(size)) {
-      break;
-    }
-    const dataStart = offset + 512;
-    const dataBlocks = Math.ceil(size / 512);
-    if (name === normalizedTarget || name.endsWith(`/${normalizedTarget}`) || name === basename) {
-      return Buffer.from(tarBuffer.subarray(dataStart, dataStart + size));
-    }
-    offset = dataStart + dataBlocks * 512;
-  }
-  throw new Error(`File "${targetPath}" not found in tar archive`);
-}
-function validatePackageName(name) {
-  if (!/^[@a-zA-Z0-9_./\-=]+$/.test(name)) {
-    throw new Error(`Invalid package name: "${name}". Only alphanumeric, -, _, ., /, @, and = are allowed.`);
-  }
-  return name;
-}
-
 // src/engine/docker.ts
 var exports_docker = {};
 __export(exports_docker, {
   DockerIsol8: () => DockerIsol8
 });
 import { randomUUID } from "node:crypto";
-import { existsSync as existsSync3, readFileSync as readFileSync2 } from "node:fs";
+import { existsSync as existsSync4, readFileSync as readFileSync3 } from "node:fs";
 import { PassThrough } from "node:stream";
 async function writeFileViaExec(container, filePath, content) {
   const data = typeof content === "string" ? Buffer.from(content, "utf-8") : content;
@@ -55818,11 +56240,32 @@ class DockerIsol8 {
   logNetwork;
   poolStrategy;
   poolSize;
+  dependencies;
   auditLogger;
+  remoteCodePolicy;
   container = null;
   persistentRuntime = null;
   pool = null;
   imageCache = new Map;
+  async resolveExecutionRequest(req) {
+    const inlineCode = req.code?.trim();
+    const codeUrl = req.codeUrl?.trim();
+    if (inlineCode && codeUrl) {
+      throw new Error("ExecutionRequest.code and ExecutionRequest.codeUrl are mutually exclusive.");
+    }
+    if (!(inlineCode || codeUrl)) {
+      throw new Error("ExecutionRequest must include either code or codeUrl.");
+    }
+    if (inlineCode) {
+      return { ...req, code: req.code };
+    }
+    const fetched = await fetchRemoteCode({
+      codeUrl,
+      codeHash: req.codeHash,
+      allowInsecureCodeUrl: req.allowInsecureCodeUrl
+    }, this.remoteCodePolicy);
+    return { ...req, code: fetched.code };
+  }
   constructor(options = {}, maxConcurrent = 10) {
     this.docker = options.docker ?? new import_dockerode.default;
     this.mode = options.mode ?? "ephemeral";
@@ -55844,6 +56287,18 @@ class DockerIsol8 {
     this.logNetwork = options.logNetwork ?? false;
     this.poolStrategy = options.poolStrategy ?? "fast";
     this.poolSize = options.poolSize ?? { clean: 1, dirty: 1 };
+    this.dependencies = options.dependencies ?? {};
+    this.remoteCodePolicy = options.remoteCode ?? {
+      enabled: false,
+      allowedSchemes: ["https"],
+      allowedHosts: [],
+      blockedHosts: [],
+      maxCodeSize: 10 * 1024 * 1024,
+      fetchTimeoutMs: 30000,
+      requireHash: false,
+      enableCache: true,
+      cacheTtl: 3600
+    };
     if (options.audit) {
       this.auditLogger = new AuditLogger(options.audit);
     }
@@ -55851,7 +56306,33 @@ class DockerIsol8 {
       logger.setDebug(true);
     }
   }
-  async start() {}
+  async start(options = {}) {
+    if (this.mode !== "ephemeral") {
+      return;
+    }
+    const prewarm = options.prewarm;
+    if (!prewarm) {
+      return;
+    }
+    const pool = this.ensurePool();
+    const images = new Set;
+    const adapters2 = typeof prewarm === "object" && prewarm.runtimes?.length ? prewarm.runtimes.map((runtime) => RuntimeRegistry.get(runtime)) : RuntimeRegistry.list();
+    for (const adapter of adapters2) {
+      try {
+        images.add(await this.resolveImage(adapter));
+      } catch (err) {
+        logger.debug(`[Pool] Pre-warm image resolution failed for ${adapter.name}: ${err}`);
+      }
+    }
+    await Promise.all([...images].map(async (image) => {
+      try {
+        await pool.warm(image);
+        logger.debug(`[Pool] Pre-warmed image: ${image}`);
+      } catch (err) {
+        logger.debug(`[Pool] Pre-warm failed for ${image}: ${err}`);
+      }
+    }));
+  }
   async stop() {
     if (this.container) {
       try {
@@ -55872,7 +56353,8 @@ class DockerIsol8 {
     await this.semaphore.acquire();
     const startTime = Date.now();
     try {
-      const result = this.mode === "persistent" ? await this.executePersistent(req, startTime) : await this.executeEphemeral(req, startTime);
+      const request = await this.resolveExecutionRequest(req);
+      const result = this.mode === "persistent" ? await this.executePersistent(request, startTime) : await this.executeEphemeral(request, startTime);
       return result;
     } finally {
       this.semaphore.release();
@@ -56026,8 +56508,9 @@ class DockerIsol8 {
   async* executeStream(req) {
     await this.semaphore.acquire();
     try {
-      const adapter = this.getAdapter(req.runtime);
-      const timeoutMs = req.timeoutMs ?? this.defaultTimeoutMs;
+      const request = await this.resolveExecutionRequest(req);
+      const adapter = this.getAdapter(request.runtime);
+      const timeoutMs = request.timeoutMs ?? this.defaultTimeoutMs;
       const image = await this.resolveImage(adapter);
       const container = await this.docker.createContainer({
         Image: image,
@@ -56044,23 +56527,23 @@ class DockerIsol8 {
           await startProxy(container, this.networkFilter);
           await setupIptables(container);
         }
-        const ext = req.fileExtension ?? adapter.getFileExtension();
+        const ext = request.fileExtension ?? adapter.getFileExtension();
         const filePath = `${SANDBOX_WORKDIR}/main${ext}`;
-        await writeFileViaExec(container, filePath, req.code);
-        if (req.installPackages?.length) {
-          await installPackages(container, req.runtime, req.installPackages);
+        await writeFileViaExec(container, filePath, request.code);
+        if (request.installPackages?.length) {
+          await installPackages(container, request.runtime, request.installPackages);
         }
-        if (req.files) {
-          for (const [fPath, fContent] of Object.entries(req.files)) {
+        if (request.files) {
+          for (const [fPath, fContent] of Object.entries(request.files)) {
             await writeFileViaExec(container, fPath, fContent);
           }
         }
-        const rawCmd = adapter.getCommand(req.code, filePath);
+        const rawCmd = adapter.getCommand(request.code, filePath);
         const timeoutSec = Math.ceil(timeoutMs / 1000);
         let cmd;
-        if (req.stdin) {
+        if (request.stdin) {
           const stdinPath = `${SANDBOX_WORKDIR}/_stdin`;
-          await writeFileViaExec(container, stdinPath, req.stdin);
+          await writeFileViaExec(container, stdinPath, request.stdin);
           const cmdStr = rawCmd.map((a) => `'${a.replace(/'/g, "'\\''")}'`).join(" ");
           cmd = wrapWithTimeout(["sh", "-c", `cat ${stdinPath} | ${cmdStr}`], timeoutSec);
         } else {
@@ -56068,7 +56551,7 @@ class DockerIsol8 {
         }
         const exec = await container.exec({
           Cmd: cmd,
-          Env: this.buildEnv(req.env),
+          Env: this.buildEnv(request.env),
           AttachStdout: true,
           AttachStderr: true,
           WorkingDir: SANDBOX_WORKDIR,
@@ -56098,21 +56581,29 @@ class DockerIsol8 {
     if (cached) {
       return cached;
     }
-    const customTag = `${adapter.image}-custom`;
-    let resolvedImage;
-    try {
-      await this.docker.getImage(customTag).inspect();
-      resolvedImage = customTag;
-    } catch {
-      resolvedImage = adapter.image;
+    let resolvedImage = adapter.image;
+    const configuredDeps = this.dependencies[adapter.name];
+    const normalizedDeps = configuredDeps ? normalizePackages(configuredDeps) : [];
+    if (normalizedDeps.length > 0) {
+      const hashedCustomTag = getCustomImageTag(adapter.name, normalizedDeps);
+      try {
+        await this.docker.getImage(hashedCustomTag).inspect();
+        resolvedImage = hashedCustomTag;
+      } catch {
+        logger.debug(`[ImageBuilder] Hashed custom image not found for ${adapter.name}: ${hashedCustomTag}`);
+      }
+    }
+    if (resolvedImage === adapter.image) {
+      const legacyCustomTag = `${adapter.image}-custom`;
+      try {
+        await this.docker.getImage(legacyCustomTag).inspect();
+        resolvedImage = legacyCustomTag;
+      } catch {}
     }
     this.imageCache.set(cacheKey, resolvedImage);
     return resolvedImage;
   }
-  async executeEphemeral(req, startTime) {
-    const adapter = this.getAdapter(req.runtime);
-    const timeoutMs = req.timeoutMs ?? this.defaultTimeoutMs;
-    const image = await this.resolveImage(adapter);
+  ensurePool() {
     if (!this.pool) {
       this.pool = new ContainerPool({
         docker: this.docker,
@@ -56130,7 +56621,14 @@ class DockerIsol8 {
         }
       });
     }
-    const container = await this.pool.acquire(image);
+    return this.pool;
+  }
+  async executeEphemeral(req, startTime) {
+    const adapter = this.getAdapter(req.runtime);
+    const timeoutMs = req.timeoutMs ?? this.defaultTimeoutMs;
+    const image = await this.resolveImage(adapter);
+    const pool = this.ensurePool();
+    const container = await pool.acquire(image);
     let startStats;
     if (this.auditLogger) {
       try {
@@ -56144,13 +56642,26 @@ class DockerIsol8 {
         await startProxy(container, this.networkFilter);
         await setupIptables(container);
       }
-      const ext = req.fileExtension ?? adapter.getFileExtension();
-      const filePath = `${SANDBOX_WORKDIR}/main${ext}`;
-      await writeFileViaExec(container, filePath, req.code);
+      const canUseInline = !(req.stdin || req.files || req.outputPaths) && (!req.installPackages || req.installPackages.length === 0);
+      let rawCmd;
+      if (canUseInline) {
+        try {
+          rawCmd = adapter.getCommand(req.code);
+        } catch {
+          const ext = req.fileExtension ?? adapter.getFileExtension();
+          const filePath = `${SANDBOX_WORKDIR}/main${ext}`;
+          await writeFileViaExec(container, filePath, req.code);
+          rawCmd = adapter.getCommand(req.code, filePath);
+        }
+      } else {
+        const ext = req.fileExtension ?? adapter.getFileExtension();
+        const filePath = `${SANDBOX_WORKDIR}/main${ext}`;
+        await writeFileViaExec(container, filePath, req.code);
+        rawCmd = adapter.getCommand(req.code, filePath);
+      }
       if (req.installPackages?.length) {
         await installPackages(container, req.runtime, req.installPackages);
       }
-      const rawCmd = adapter.getCommand(req.code, filePath);
       const timeoutSec = Math.ceil(timeoutMs / 1000);
       let cmd;
       if (req.stdin) {
@@ -56221,7 +56732,7 @@ class DockerIsol8 {
       if (this.persist) {
         logger.debug(`[Persist] Leaving container running for inspection: ${container.id}`);
       } else {
-        this.pool.release(container, image).catch((err) => {
+        pool.release(container, image).catch((err) => {
           logger.debug(`[Pool] release failed: ${err}`);
           container.remove({ force: true }).catch(() => {});
         });
@@ -56397,7 +56908,7 @@ class DockerIsol8 {
     }
     if (this.security.seccomp === "custom" && this.security.customProfilePath) {
       try {
-        const profile = readFileSync2(this.security.customProfilePath, "utf-8");
+        const profile = readFileSync3(this.security.customProfilePath, "utf-8");
         opts.push(`seccomp=${profile}`);
       } catch (e) {
         logger.error(`Failed to load custom seccomp profile: ${e}`);
@@ -56416,12 +56927,12 @@ class DockerIsol8 {
   }
   loadDefaultSeccompProfile() {
     const devPath = new URL("../../docker/seccomp-profile.json", import.meta.url);
-    if (existsSync3(devPath)) {
-      return readFileSync2(devPath, "utf-8");
+    if (existsSync4(devPath)) {
+      return readFileSync3(devPath, "utf-8");
     }
     const prodPath = new URL("./docker/seccomp-profile.json", import.meta.url);
-    if (existsSync3(prodPath)) {
-      return readFileSync2(prodPath, "utf-8");
+    if (existsSync4(prodPath)) {
+      return readFileSync3(prodPath, "utf-8");
     }
     logger.warn("Could not locate default seccomp profile. Running without seccomp filter.");
     return null;
@@ -56604,7 +57115,7 @@ class DockerIsol8 {
   static async cleanup(docker) {
     const dockerInstance = docker ?? new import_dockerode.default;
     const containers = await dockerInstance.listContainers({ all: true });
-    const isol8Containers = containers.filter((c) => c.Image.startsWith("isol8:") || c.Image.startsWith("isol8-custom:"));
+    const isol8Containers = containers.filter((c) => c.Image.startsWith("isol8:"));
     let removed = 0;
     let failed = 0;
     const errors = [];
@@ -56621,12 +57132,35 @@ class DockerIsol8 {
     }
     return { removed, failed, errors };
   }
+  static async cleanupImages(docker) {
+    const dockerInstance = docker ?? new import_dockerode.default;
+    const images = await dockerInstance.listImages({ all: true });
+    const isol8Images = images.filter((img) => img.RepoTags?.some((tag) => tag.startsWith("isol8:")));
+    let removed = 0;
+    let failed = 0;
+    const errors = [];
+    for (const imageInfo of isol8Images) {
+      try {
+        const image = dockerInstance.getImage(imageInfo.Id);
+        await image.remove({ force: true });
+        removed++;
+      } catch (err) {
+        failed++;
+        const errorMsg = err instanceof Error ? err.message : String(err);
+        const imageRef = imageInfo.RepoTags?.[0] ?? imageInfo.Id.slice(0, 12);
+        errors.push(`${imageRef}: ${errorMsg}`);
+      }
+    }
+    return { removed, failed, errors };
+  }
 }
 var import_dockerode, SANDBOX_WORKDIR = "/sandbox", MAX_OUTPUT_BYTES, PROXY_PORT = 8118, PROXY_STARTUP_TIMEOUT_MS = 5000, PROXY_POLL_INTERVAL_MS = 100;
 var init_docker = __esm(() => {
   init_runtime();
   init_logger();
   init_audit();
+  init_code_fetcher();
+  init_image_builder();
   init_pool();
   import_dockerode = __toESM(require_docker(), 1);
   MAX_OUTPUT_BYTES = 1024 * 1024;
@@ -56637,7 +57171,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "isol8",
-    version: "0.10.2",
+    version: "0.11.0",
     description: "Secure code execution engine for AI agents",
     author: "Illusion47586",
     license: "MIT",
@@ -56682,6 +57216,8 @@ var init_package = __esm(() => {
       "lint:check": "ultracite check",
       "lint:fix": "ultracite fix",
       bench: "bunx tsx benchmarks/spawn.ts",
+      "bench:tti": "bunx tsx benchmarks/tti.ts",
+      "bench:tti:pool": "bunx tsx benchmarks/tti.ts --warm-pool --iterations 5",
       "bench:pool": "bunx tsx benchmarks/spawn-pool.ts",
       "bench:detailed": "bunx tsx benchmarks/spawn-detailed.ts",
       "bench:cli": "bun run tests/production/bench-cli.ts",
@@ -58388,7 +58924,12 @@ async function createServer(options) {
   app.post("/execute", async (c) => {
     const body = await c.req.json();
     logger.debug(`[Server] POST /execute runtime=${body.request.runtime} sessionId=${body.sessionId ?? "ephemeral"}`);
-    logger.debug(`[Server] Code length: ${body.request.code.length} chars`);
+    logger.debug(`[Server] Code source: ${body.request.codeUrl ? `url=${body.request.codeUrl}` : `inline (${body.request.code?.length ?? 0} chars)`}`);
+    const {
+      poolStrategy: _ignoredPoolStrategy,
+      poolSize: _ignoredPoolSize,
+      ...requestOptions
+    } = body.options ?? {};
     const engineOptions = {
       network: config.defaults.network,
       memoryLimit: config.defaults.memoryLimit,
@@ -58396,7 +58937,11 @@ async function createServer(options) {
       timeoutMs: config.defaults.timeoutMs,
       sandboxSize: config.defaults.sandboxSize,
       tmpSize: config.defaults.tmpSize,
-      ...body.options,
+      poolStrategy: config.poolStrategy,
+      poolSize: config.poolSize,
+      dependencies: config.dependencies,
+      remoteCode: config.remoteCode,
+      ...requestOptions,
       mode: body.sessionId ? "persistent" : "ephemeral",
       audit: config.audit
     };
@@ -58449,7 +58994,12 @@ async function createServer(options) {
   app.post("/execute/stream", async (c) => {
     const body = await c.req.json();
     logger.debug(`[Server] POST /execute/stream runtime=${body.request.runtime}`);
-    logger.debug(`[Server] Code length: ${body.request.code.length} chars`);
+    logger.debug(`[Server] Code source: ${body.request.codeUrl ? `url=${body.request.codeUrl}` : `inline (${body.request.code?.length ?? 0} chars)`}`);
+    const {
+      poolStrategy: _ignoredPoolStrategy,
+      poolSize: _ignoredPoolSize,
+      ...requestOptions
+    } = body.options ?? {};
     const engineOptions = {
       network: config.defaults.network,
       memoryLimit: config.defaults.memoryLimit,
@@ -58457,7 +59007,11 @@ async function createServer(options) {
       timeoutMs: config.defaults.timeoutMs,
       sandboxSize: config.defaults.sandboxSize,
       tmpSize: config.defaults.tmpSize,
-      ...body.options,
+      poolStrategy: config.poolStrategy,
+      poolSize: config.poolSize,
+      dependencies: config.dependencies,
+      remoteCode: config.remoteCode,
+      ...requestOptions,
       mode: "ephemeral"
     };
     const engine = new DockerIsol82(engineOptions, config.maxConcurrent);
@@ -58581,13 +59135,13 @@ import {
   chmodSync,
   existsSync as existsSync5,
   mkdirSync as mkdirSync2,
-  readFileSync as readFileSync3,
+  readFileSync as readFileSync4,
   renameSync,
   unlinkSync as unlinkSync2,
   writeFileSync
 } from "node:fs";
 import { arch, homedir as homedir2, platform } from "node:os";
-import { join as join3, resolve as resolve2 } from "node:path";
+import { join as join4, resolve as resolve2 } from "node:path";
 
 // node_modules/commander/esm.mjs
 var import__ = __toESM(require_commander(), 1);
@@ -61860,7 +62414,7 @@ class RemoteIsol8 {
     this.sessionId = options.sessionId;
     this.isol8Options = isol8Options;
   }
-  async start() {
+  async start(_options) {
     const res = await this.fetch("/health");
     if (!res.ok) {
       throw new Error(`Remote server health check failed: ${res.status}`);
@@ -61978,112 +62532,7 @@ class RemoteIsol8 {
 // src/cli.ts
 init_config();
 init_docker();
-
-// src/engine/image-builder.ts
-init_runtime();
-import { existsSync as existsSync4 } from "node:fs";
-function resolveDockerDir() {
-  const fromBundled = new URL("./docker", import.meta.url).pathname;
-  if (existsSync4(fromBundled)) {
-    return fromBundled;
-  }
-  return new URL("../../docker", import.meta.url).pathname;
-}
-var DOCKERFILE_DIR = resolveDockerDir();
-async function buildBaseImages(docker, onProgress) {
-  const runtimes = RuntimeRegistry.list();
-  for (const adapter of runtimes) {
-    const target = adapter.name;
-    onProgress?.({ runtime: target, status: "building" });
-    try {
-      const stream = await docker.buildImage({ context: DOCKERFILE_DIR, src: ["Dockerfile", "proxy.sh", "proxy-handler.sh"] }, {
-        t: adapter.image,
-        target,
-        dockerfile: "Dockerfile"
-      });
-      await new Promise((resolve2, reject) => {
-        docker.modem.followProgress(stream, (err) => {
-          if (err) {
-            reject(err);
-          } else {
-            resolve2();
-          }
-        });
-      });
-      onProgress?.({ runtime: target, status: "done" });
-    } catch (err) {
-      const message = err instanceof Error ? err.message : String(err);
-      onProgress?.({ runtime: target, status: "error", message });
-      throw new Error(`Failed to build image for ${target}: ${message}`);
-    }
-  }
-}
-async function buildCustomImages(docker, config, onProgress) {
-  const deps = config.dependencies;
-  if (deps.python?.length) {
-    await buildCustomImage(docker, "python", deps.python, onProgress);
-  }
-  if (deps.node?.length) {
-    await buildCustomImage(docker, "node", deps.node, onProgress);
-  }
-  if (deps.bun?.length) {
-    await buildCustomImage(docker, "bun", deps.bun, onProgress);
-  }
-  if (deps.deno?.length) {
-    await buildCustomImage(docker, "deno", deps.deno, onProgress);
-  }
-  if (deps.bash?.length) {
-    await buildCustomImage(docker, "bash", deps.bash, onProgress);
-  }
-}
-async function buildCustomImage(docker, runtime, packages, onProgress) {
-  const tag = `isol8:${runtime}-custom`;
-  onProgress?.({ runtime, status: "building", message: `Custom: ${packages.join(", ")}` });
-  let installCmd;
-  switch (runtime) {
-    case "python":
-      installCmd = `RUN pip install --no-cache-dir ${packages.join(" ")}`;
-      break;
-    case "node":
-      installCmd = `RUN npm install -g ${packages.join(" ")}`;
-      break;
-    case "bun":
-      installCmd = `RUN bun install -g ${packages.join(" ")}`;
-      break;
-    case "deno":
-      installCmd = packages.map((p) => `RUN deno cache ${p}`).join(`
-`);
-      break;
-    case "bash":
-      installCmd = `RUN apk add --no-cache ${packages.join(" ")}`;
-      break;
-    default:
-      throw new Error(`Unknown runtime: ${runtime}`);
-  }
-  const dockerfileContent = `FROM isol8:${runtime}
-${installCmd}
-`;
-  const { createTarBuffer: createTarBuffer2, validatePackageName: validatePackageName2 } = await Promise.resolve().then(() => exports_utils);
-  const { Readable } = await import("node:stream");
-  packages.forEach(validatePackageName2);
-  const tarBuffer = createTarBuffer2("Dockerfile", dockerfileContent);
-  const stream = await docker.buildImage(Readable.from(tarBuffer), {
-    t: tag,
-    dockerfile: "Dockerfile"
-  });
-  await new Promise((resolve2, reject) => {
-    docker.modem.followProgress(stream, (err) => {
-      if (err) {
-        reject(err);
-      } else {
-        resolve2();
-      }
-    });
-  });
-  onProgress?.({ runtime, status: "done" });
-}
-
-// src/cli.ts
+init_image_builder();
 init_runtime();
 init_logger();
 init_version();
@@ -62097,7 +62546,7 @@ program2.name("isol8").description("Secure code execution engine").version(VERSI
   logger.debug(`[CLI] Version: ${VERSION}`);
   logger.debug(`[CLI] Platform: ${platform()} ${arch()}`);
 });
-program2.command("setup").description("Check Docker and build isol8 images").option("--python <packages>", "Additional Python packages (comma-separated)").option("--node <packages>", "Additional Node.js packages (comma-separated)").option("--bun <packages>", "Additional Bun packages (comma-separated)").option("--deno <packages>", "Additional Deno packages (comma-separated)").option("--bash <packages>", "Additional Bash packages (comma-separated)").action(async (opts) => {
+program2.command("setup").description("Check Docker and build isol8 images").option("--python <packages>", "Additional Python packages (comma-separated)").option("--node <packages>", "Additional Node.js packages (comma-separated)").option("--bun <packages>", "Additional Bun packages (comma-separated)").option("--deno <packages>", "Additional Deno packages (comma-separated)").option("--bash <packages>", "Additional Bash packages (comma-separated)").option("--force", "Force rebuild even if images are up to date").action(async (opts) => {
   const docker = new import_dockerode2.default;
   logger.debug("[Setup] Connecting to Docker daemon");
   const spinner = ora("Checking Docker...").start();
@@ -62112,7 +62561,7 @@ program2.command("setup").description("Check Docker and build isol8 images").opt
     process.exit(1);
   }
   spinner.start("Building isol8 images...");
-  logger.debug("[Setup] Building base images");
+  logger.debug(`[Setup] Building base images (force=${opts.force ?? false})`);
   await buildBaseImages(docker, (progress) => {
     const status = progress.status === "error" ? "[ERR]" : progress.status === "done" ? "[OK]" : "[..]";
     if (progress.status === "building") {
@@ -62128,7 +62577,7 @@ program2.command("setup").description("Check Docker and build isol8 images").opt
         spinner.start();
       }
     }
-  });
+  }, opts.force ?? false);
   if (spinner.isSpinning) {
     spinner.stop();
   }
@@ -62176,7 +62625,7 @@ program2.command("setup").description("Check Docker and build isol8 images").opt
           spinner.start();
         }
       }
-    });
+    }, opts.force ?? false);
     if (spinner.isSpinning) {
       spinner.stop();
     }
@@ -62184,12 +62633,25 @@ program2.command("setup").description("Check Docker and build isol8 images").opt
   console.log(`
 [DONE] Setup complete!`);
 });
-program2.command("run").description("Execute code in isol8").argument("[file]", "Script file to execute").option("-e, --eval <code>", "Execute inline code string").option("-r, --runtime <name>", "Force runtime (python, node, bun, deno, bash)").option("--net <mode>", "Network mode: none, host, filtered", "none").option("--allow <regex>", "Whitelist regex for filtered mode (repeatable)", collect, []).option("--deny <regex>", "Blacklist regex for filtered mode (repeatable)", collect, []).option("--out <file>", "Write output to file").option("--persistent", "Use persistent container").option("--timeout <ms>", "Execution timeout in milliseconds").option("--memory <limit>", "Memory limit (e.g. 512m, 1g)").option("--cpu <limit>", "CPU limit as fraction (e.g. 0.5, 2.0)").option("--image <name>", "Override Docker image").option("--pids-limit <n>", "Maximum number of processes").option("--writable", "Disable read-only root filesystem").option("--max-output <bytes>", "Maximum output size in bytes").option("--secret <KEY=VALUE>", "Secret env var (repeatable, values masked)", collect, []).option("--sandbox-size <size>", "Sandbox tmpfs size (e.g. 128m, 512m)").option("--tmp-size <size>", "Tmp tmpfs size (e.g. 256m, 512m)").option("--stdin <data>", "Data to pipe to stdin").option("--install <package>", "Install package for runtime (repeatable)", collect, []).option("--host <url>", "Execute on remote server").option("--key <key>", "API key for remote server").option("--no-stream", "Disable real-time output streaming").option("--debug", "Enable debug logging").option("--persist", "Keep container running after execution for inspection").option("--log-network", "Log all network requests (requires --net filtered)").option("--pool-strategy <mode>", "Pool strategy: fast (default) or secure", "fast").option("--pool-size <size>", "Pool size (number or 'clean,dirty' for fast mode)", "1,1").action(async (file, opts) => {
-  const { code, runtime, engineOptions, engine, stdinData, fileExtension } = await resolveRunInput(file, opts);
+program2.command("run").description("Execute code in isol8").argument("[file]", "Script file to execute").option("-e, --eval <code>", "Execute inline code string").option("-r, --runtime <name>", "Force runtime (python, node, bun, deno, bash)").option("--net <mode>", "Network mode: none, host, filtered", "none").option("--allow <regex>", "Whitelist regex for filtered mode (repeatable)", collect, []).option("--deny <regex>", "Blacklist regex for filtered mode (repeatable)", collect, []).option("--out <file>", "Write output to file").option("--persistent", "Use persistent container").option("--timeout <ms>", "Execution timeout in milliseconds").option("--memory <limit>", "Memory limit (e.g. 512m, 1g)").option("--cpu <limit>", "CPU limit as fraction (e.g. 0.5, 2.0)").option("--image <name>", "Override Docker image").option("--pids-limit <n>", "Maximum number of processes").option("--writable", "Disable read-only root filesystem").option("--max-output <bytes>", "Maximum output size in bytes").option("--secret <KEY=VALUE>", "Secret env var (repeatable, values masked)", collect, []).option("--sandbox-size <size>", "Sandbox tmpfs size (e.g. 128m, 512m)").option("--tmp-size <size>", "Tmp tmpfs size (e.g. 256m, 512m)").option("--stdin <data>", "Data to pipe to stdin").option("--install <package>", "Install package for runtime (repeatable)", collect, []).option("--url <url>", "Fetch code from URL").option("--github <path>", "GitHub shorthand: owner/repo/ref/path/to/file").option("--gist <path>", "Gist shorthand: gistId/file.ext").option("--hash <sha256>", "Expected SHA-256 hash of fetched code").option("--allow-insecure-code-url", "Allow insecure HTTP code URLs").option("--host <url>", "Execute on remote server").option("--key <key>", "API key for remote server").option("--no-stream", "Disable real-time output streaming").option("--debug", "Enable debug logging").option("--persist", "Keep container running after execution for inspection").option("--log-network", "Log all network requests (requires --net filtered)").action(async (file, opts) => {
+  const {
+    code,
+    codeUrl,
+    codeHash,
+    allowInsecureCodeUrl,
+    runtime,
+    engineOptions,
+    engine,
+    stdinData,
+    fileExtension
+  } = await resolveRunInput(file, opts);
   logger.debug(`[Run] Runtime: ${runtime}, mode: ${engineOptions.mode}`);
   logger.debug(`[Run] Network: ${engineOptions.network}, timeout: ${engineOptions.timeoutMs}ms`);
   logger.debug(`[Run] Memory: ${engineOptions.memoryLimit}, CPU: ${engineOptions.cpuLimit}`);
-  logger.debug(`[Run] Code length: ${code.length} chars`);
+  logger.debug(`[Run] Code source: ${codeUrl ? `url=${codeUrl}` : "inline/file/stdin"}`);
+  if (code) {
+    logger.debug(`[Run] Code length: ${code.length} chars`);
+  }
   if (stdinData) {
     logger.debug(`[Run] Stdin data provided (${stdinData.length} chars)`);
   }
@@ -62215,9 +62677,12 @@ program2.command("run").description("Execute code in isol8").argument("[file]",
     logger.debug("[Run] Engine started");
     spinner.text = "Running code...";
     const req = {
-      code,
       runtime,
       timeoutMs: engineOptions.timeoutMs,
+      ...code ? { code } : {},
+      ...codeUrl ? { codeUrl } : {},
+      ...codeHash ? { codeHash } : {},
+      ...allowInsecureCodeUrl ? { allowInsecureCodeUrl } : {},
       ...stdinData ? { stdin: stdinData } : {},
       ...opts.install.length > 0 ? { installPackages: opts.install } : {},
       fileExtension
@@ -62377,7 +62842,7 @@ async function downloadServerBinary(binaryPath) {
       }
       process.exit(1);
     }
-    const binDir = join3(homedir2(), ".isol8", "bin");
+    const binDir = join4(homedir2(), ".isol8", "bin");
     mkdirSync2(binDir, { recursive: true });
     const tmpPath = `${binaryPath}.tmp`;
     const buffer = Buffer.from(await response.arrayBuffer());
@@ -62409,8 +62874,8 @@ async function promptYesNo(question) {
   return normalized === "" || normalized === "y" || normalized === "yes";
 }
 async function ensureServerBinary(forceUpdate) {
-  const binDir = join3(homedir2(), ".isol8", "bin");
-  const binaryPath = join3(binDir, "isol8-server");
+  const binDir = join4(homedir2(), ".isol8", "bin");
+  const binaryPath = join4(binDir, "isol8-server");
   logger.debug(`[Serve] Binary path: ${binaryPath}, forceUpdate: ${forceUpdate}`);
   if (forceUpdate) {
     logger.debug("[Serve] Force update requested");
@@ -62440,8 +62905,8 @@ async function ensureServerBinary(forceUpdate) {
 program2.command("config").description("Show the resolved isol8 configuration").option("--json", "Output as raw JSON").action((opts) => {
   const config = loadConfig();
   const searchPaths = [
-    join3(resolve2(process.cwd()), "isol8.config.json"),
-    join3(homedir2(), ".isol8", "config.json")
+    join4(resolve2(process.cwd()), "isol8.config.json"),
+    join4(homedir2(), ".isol8", "config.json")
   ];
   const loadedFrom = searchPaths.find((p) => existsSync5(p));
   logger.debug(`[Config] Config source: ${loadedFrom ?? "defaults"}`);
@@ -62476,6 +62941,13 @@ Isol8 Configuration
   } else {
     console.log("  Whitelist:       (none)");
   }
+  console.log("");
+  console.log("  ── Remote Code ──");
+  console.log(`  Enabled:         ${config.remoteCode.enabled ? "yes" : "no"}`);
+  console.log(`  Schemes:         ${config.remoteCode.allowedSchemes.join(", ")}`);
+  console.log(`  Max code size:   ${config.remoteCode.maxCodeSize} bytes`);
+  console.log(`  Fetch timeout:   ${config.remoteCode.fetchTimeoutMs}ms`);
+  console.log(`  Require hash:    ${config.remoteCode.requireHash ? "yes" : "no"}`);
   if (config.network.blacklist.length > 0) {
     console.log(`  Blacklist:       ${config.network.blacklist.join(", ")}`);
   } else {
@@ -62485,6 +62957,11 @@ Isol8 Configuration
   console.log("  ── Cleanup ──");
   console.log(`  Auto-prune:      ${config.cleanup.autoPrune ? "yes" : "no"}`);
   console.log(`  Max idle time:   ${config.cleanup.maxContainerAgeMs}ms (${Math.round(config.cleanup.maxContainerAgeMs / 60000)}min)`);
+  console.log("");
+  console.log("  ── Pool Defaults (Serve) ──");
+  console.log(`  Pool strategy:   ${config.poolStrategy}`);
+  const poolSize = typeof config.poolSize === "number" ? String(config.poolSize) : `${config.poolSize.clean},${config.poolSize.dirty}`;
+  console.log(`  Pool size:       ${poolSize}`);
   const deps = config.dependencies;
   const hasDeps = Object.values(deps).some((pkgs) => pkgs && pkgs.length > 0);
   console.log("");
@@ -62507,7 +62984,7 @@ Isol8 Configuration
   }
   console.log("");
 });
-program2.command("cleanup").description("Remove orphaned isol8 containers").option("--force", "Skip confirmation prompt").action(async (opts) => {
+program2.command("cleanup").description("Remove orphaned isol8 containers (and optionally images)").option("--force", "Skip confirmation prompt").option("--images", "Also remove isol8 Docker images").action(async (opts) => {
   const docker = new import_dockerode2.default;
   logger.debug("[Cleanup] Connecting to Docker daemon");
   const spinner = ora("Checking Docker...").start();
@@ -62523,17 +63000,33 @@ program2.command("cleanup").description("Remove orphaned isol8 containers").opti
   const containers = await docker.listContainers({ all: true });
   const isol8Containers = containers.filter((c) => c.Image.startsWith("isol8:") || c.Image.startsWith("isol8-custom:"));
   logger.debug(`[Cleanup] Found ${containers.length} total containers, ${isol8Containers.length} isol8 containers`);
-  if (isol8Containers.length === 0) {
-    spinner.info("No isol8 containers found");
+  let isol8Images = [];
+  if (opts.images) {
+    spinner.start("Finding isol8 images...");
+    const images = await docker.listImages({ all: true });
+    isol8Images = images.filter((img) => img.RepoTags?.some((tag) => tag.startsWith("isol8:"))).map((img) => ({ id: img.Id, tags: img.RepoTags ?? [] }));
+    logger.debug(`[Cleanup] Found ${images.length} total images, ${isol8Images.length} isol8 images`);
+  }
+  if (isol8Containers.length === 0 && (!opts.images || isol8Images.length === 0)) {
+    spinner.info(opts.images ? "No isol8 containers or images found" : "No isol8 containers found");
     return;
   }
-  spinner.succeed(`Found ${isol8Containers.length} isol8 container(s)`);
+  spinner.succeed(`Found ${isol8Containers.length} isol8 container(s)` + (opts.images ? ` and ${isol8Images.length} image(s)` : ""));
   console.log("");
   for (const c of isol8Containers) {
     const status = c.State === "running" ? "\uD83D\uDFE2 running" : "⚪ stopped";
     const created = new Date(c.Created * 1000).toLocaleString();
     console.log(`  ${status} ${c.Id.slice(0, 12)} | ${c.Image} | created ${created}`);
   }
+  if (opts.images && isol8Images.length > 0) {
+    if (isol8Containers.length > 0) {
+      console.log("");
+    }
+    for (const image of isol8Images) {
+      const tagText = image.tags.length > 0 ? image.tags.join(", ") : "<untagged>";
+      console.log(`  \uD83D\uDDBC️ image ${image.id.slice(0, 12)} | ${tagText}`);
+    }
+  }
   console.log("");
   if (!opts.force) {
     const readline = await import("node:readline");
@@ -62542,7 +63035,8 @@ program2.command("cleanup").description("Remove orphaned isol8 containers").opti
       output: process.stdout
     });
     const answer = await new Promise((resolve3) => {
-      rl.question("Remove all these containers? [y/N] ", resolve3);
+      const targetLabel = opts.images ? "containers and images" : "containers";
+      rl.question(`Remove all these ${targetLabel}? [y/N] `, resolve3);
     });
     rl.close();
     if (answer.toLowerCase() !== "y" && answer.toLowerCase() !== "yes") {
@@ -62550,28 +63044,65 @@ program2.command("cleanup").description("Remove orphaned isol8 containers").opti
       return;
     }
   }
-  spinner.start("Removing containers...");
-  logger.debug("[Cleanup] Removing containers");
-  const result = await DockerIsol8.cleanup(docker);
-  logger.debug(`[Cleanup] Removed: ${result.removed}, failed: ${result.failed}`);
-  if (result.errors.length > 0) {
+  let containerResult = { removed: 0, failed: 0, errors: [] };
+  if (isol8Containers.length > 0) {
+    spinner.start("Removing containers...");
+    logger.debug("[Cleanup] Removing containers");
+    containerResult = await DockerIsol8.cleanup(docker);
+    logger.debug(`[Cleanup] Containers removed: ${containerResult.removed}, failed: ${containerResult.failed}`);
+  }
+  if (containerResult.errors.length > 0) {
     console.log("");
-    for (const err of result.errors) {
+    for (const err of containerResult.errors) {
       console.error(`  Failed to remove ${err}`);
     }
   }
-  if (result.failed === 0) {
-    spinner.succeed(`Removed ${result.removed} container(s)`);
+  if (containerResult.failed === 0) {
+    spinner.succeed(`Removed ${containerResult.removed} container(s)`);
   } else {
-    spinner.warn(`Removed ${result.removed} container(s), ${result.failed} failed`);
+    spinner.warn(`Removed ${containerResult.removed} container(s), ${containerResult.failed} failed`);
+  }
+  if (opts.images && isol8Images.length > 0) {
+    spinner.start("Removing images...");
+    logger.debug("[Cleanup] Removing images");
+    const imageResult = await DockerIsol8.cleanupImages(docker);
+    logger.debug(`[Cleanup] Images removed: ${imageResult.removed}, failed: ${imageResult.failed}`);
+    if (imageResult.errors.length > 0) {
+      console.log("");
+      for (const err of imageResult.errors) {
+        console.error(`  Failed to remove image ${err}`);
+      }
+    }
+    if (imageResult.failed === 0) {
+      spinner.succeed(`Removed ${imageResult.removed} image(s)`);
+    } else {
+      spinner.warn(`Removed ${imageResult.removed} image(s), ${imageResult.failed} failed`);
+    }
   }
 });
 async function resolveRunInput(file, opts) {
   const config = loadConfig();
   logger.debug("[Run] Config loaded");
   let code;
+  let codeUrl;
+  let codeHash;
+  let allowInsecureCodeUrl = false;
   let runtime;
-  if (opts.eval) {
+  if (opts.url || opts.github || opts.gist) {
+    if (file || opts.eval) {
+      console.error("[ERR] --url/--github/--gist cannot be used with file input or --eval.");
+      process.exit(1);
+    }
+    codeUrl = resolveCodeUrl(opts);
+    codeHash = opts.hash ?? undefined;
+    allowInsecureCodeUrl = opts.allowInsecureCodeUrl ?? false;
+    runtime = opts.runtime ?? detectRuntimeFromPath(new URL(codeUrl).pathname);
+    if (!runtime) {
+      console.error("[ERR] Cannot detect runtime from URL path. Use --runtime to specify.");
+      process.exit(1);
+    }
+    logger.debug(`[Run] Remote code URL: ${codeUrl}`);
+  } else if (opts.eval) {
     code = opts.eval;
     runtime = opts.runtime ?? "python";
     logger.debug(`[Run] Inline eval, runtime: ${runtime}`);
@@ -62582,7 +63113,7 @@ async function resolveRunInput(file, opts) {
       console.error(`[ERR] File not found: ${file}`);
       process.exit(1);
     }
-    code = readFileSync3(filePath, "utf-8");
+    code = readFileSync4(filePath, "utf-8");
     if (opts.runtime) {
       runtime = opts.runtime;
       logger.debug(`[Run] Runtime specified: ${runtime}`);
@@ -62622,11 +63153,8 @@ async function resolveRunInput(file, opts) {
     debug: opts.debug ?? config.debug,
     persist: opts.persist ?? false,
     ...opts.logNetwork ? { logNetwork: true } : {},
-    poolStrategy: opts.poolStrategy === "secure" ? "secure" : "fast",
-    poolSize: opts.poolSize ? opts.poolSize.includes(",") ? {
-      clean: Number.parseInt(opts.poolSize.split(",")[0], 10),
-      dirty: Number.parseInt(opts.poolSize.split(",")[1], 10)
-    } : Number.parseInt(opts.poolSize, 10) : { clean: 1, dirty: 1 }
+    dependencies: config.dependencies,
+    remoteCode: config.remoteCode
   };
   logger.debug(`[Run] Engine options: mode=${engineOptions.mode}, network=${engineOptions.network}`);
   let fileExtension;
@@ -62660,7 +63188,48 @@ async function resolveRunInput(file, opts) {
     logger.debug("[Run] Using local Docker engine");
     engine = new DockerIsol8(engineOptions, config.maxConcurrent);
   }
-  return { code, runtime, engineOptions, engine, stdinData, fileExtension };
+  return {
+    code,
+    codeUrl,
+    codeHash,
+    allowInsecureCodeUrl,
+    runtime,
+    engineOptions,
+    engine,
+    stdinData,
+    fileExtension
+  };
+}
+function resolveCodeUrl(opts) {
+  if (typeof opts.url === "string") {
+    return opts.url;
+  }
+  if (typeof opts.github === "string") {
+    const parts = opts.github.split("/");
+    if (parts.length < 4) {
+      console.error("[ERR] --github format must be owner/repo/ref/path/to/file");
+      process.exit(1);
+    }
+    const [owner, repo, ref, ...pathParts] = parts;
+    return `https://raw.githubusercontent.com/${owner}/${repo}/${ref}/${pathParts.join("/")}`;
+  }
+  if (typeof opts.gist === "string") {
+    const [gistId, ...fileParts] = opts.gist.split("/");
+    if (!gistId || fileParts.length === 0) {
+      console.error("[ERR] --gist format must be gistId/file.ext");
+      process.exit(1);
+    }
+    return `https://gist.githubusercontent.com/${gistId}/raw/${fileParts.join("/")}`;
+  }
+  console.error("[ERR] Missing code URL source.");
+  process.exit(1);
+}
+function detectRuntimeFromPath(pathValue) {
+  try {
+    return RuntimeRegistry.detect(pathValue).name;
+  } catch {
+    return;
+  }
 }
 function collect(value, previous) {
   return previous.concat([value]);
@@ -62671,4 +63240,4 @@ if (!process.argv.slice(2).length) {
 }
 program2.parse();
 
-//# debugId=FB4CACFD75FE97A064756E2164756E21
+//# debugId=6B3AFECE6CC836BD64756E2164756E21