isol8 0.11.0 → 0.11.1

package/dist/cli.js

@@ -6929,11 +6929,6 @@ var require_utils2 = __commonJS((exports, module) => {
   };
 });
 
-// node_modules/ssh2/lib/protocol/crypto/build/Release/sshcrypto.node
-var require_sshcrypto = __commonJS((exports, module) => {
-  module.exports = __require("./sshcrypto-0209sx47.node");
-});
-
 // node_modules/ssh2/lib/protocol/crypto/poly1305.js
 var require_poly1305 = __commonJS((exports, module) => {
   var __dirname = "/home/runner/work/isol8/isol8/node_modules/ssh2/lib/protocol/crypto", __filename = "/home/runner/work/isol8/isol8/node_modules/ssh2/lib/protocol/crypto/poly1305.js";
@@ -7420,7 +7415,7 @@ var require_crypto = __commonJS((exports, module) => {
   var ChaChaPolyDecipher;
   var GenericDecipher;
   try {
-    binding = require_sshcrypto();
+    binding = (()=>{throw new Error("Cannot require module "+"./crypto/build/Release/sshcrypto.node");})();
     ({
       AESGCMCipher,
       ChaChaPolyCipher,
@@ -54795,6 +54790,8 @@ function mergeConfig(defaults, overrides) {
       ...defaults.cleanup,
       ...overrides.cleanup
     },
+    poolStrategy: overrides.poolStrategy ?? defaults.poolStrategy,
+    poolSize: overrides.poolSize ?? defaults.poolSize,
     dependencies: {
       ...defaults.dependencies,
       ...overrides.dependencies
@@ -54837,6 +54834,8 @@ var init_config = __esm(() => {
       autoPrune: true,
       maxContainerAgeMs: 3600000
     },
+    poolStrategy: "fast",
+    poolSize: { clean: 1, dirty: 1 },
     dependencies: {},
     security: {
       seccomp: "strict"
@@ -55413,287 +55412,6 @@ class Semaphore {
   }
 }
 
-// src/engine/pool.ts
-class ContainerPool {
-  docker;
-  poolStrategy;
-  cleanPoolSize;
-  dirtyPoolSize;
-  createOptions;
-  networkMode;
-  securityMode;
-  pools = new Map;
-  replenishing = new Set;
-  pendingReplenishments = new Set;
-  cleaningInterval = null;
-  constructor(options) {
-    this.docker = options.docker;
-    this.poolStrategy = options.poolStrategy ?? "fast";
-    this.createOptions = options.createOptions;
-    this.networkMode = options.networkMode;
-    this.securityMode = options.securityMode;
-    if (typeof options.poolSize === "number") {
-      this.cleanPoolSize = options.poolSize;
-      this.dirtyPoolSize = options.poolSize;
-    } else if (options.poolSize) {
-      this.cleanPoolSize = options.poolSize.clean ?? 1;
-      this.dirtyPoolSize = options.poolSize.dirty ?? 1;
-    } else {
-      this.cleanPoolSize = 1;
-      this.dirtyPoolSize = 1;
-    }
-    if (this.poolStrategy === "fast") {
-      this.startBackgroundCleaning();
-    }
-  }
-  async acquire(image) {
-    const pool = this.pools.get(image) ?? { clean: [], dirty: [] };
-    if (this.poolStrategy === "fast") {
-      if (pool.clean.length > 0) {
-        const entry = pool.clean.shift();
-        this.pools.set(image, pool);
-        this.replenish(image);
-        return entry.container;
-      }
-      if (pool.dirty.length > 0 && pool.clean.length < this.cleanPoolSize) {
-        await this.cleanDirtyImmediate(image);
-        const updatedPool = this.pools.get(image);
-        if (updatedPool && updatedPool.clean.length > 0) {
-          const entry = updatedPool.clean.shift();
-          this.pools.set(image, updatedPool);
-          this.replenish(image);
-          return entry.container;
-        }
-      }
-      return this.createContainer(image);
-    }
-    if (pool.clean && pool.clean.length > 0) {
-      const entry = pool.clean.shift();
-      this.pools.set(image, { clean: pool.clean, dirty: [] });
-      await this.cleanupContainer(entry.container);
-      this.replenish(image);
-      return entry.container;
-    }
-    return this.createContainer(image);
-  }
-  async release(container, image) {
-    let pool = this.pools.get(image);
-    if (!pool) {
-      pool = { clean: [], dirty: [] };
-      this.pools.set(image, pool);
-    }
-    if (this.poolStrategy === "fast") {
-      if (pool.dirty.length >= this.dirtyPoolSize) {
-        await container.remove({ force: true }).catch(() => {});
-        return;
-      }
-      pool.dirty.push({ container, createdAt: Date.now() });
-    } else {
-      if (pool.clean.length >= this.cleanPoolSize) {
-        await container.remove({ force: true }).catch(() => {});
-        return;
-      }
-      if (!pool.clean) {
-        pool.clean = [];
-      }
-      pool.clean.push({ container, createdAt: Date.now() });
-    }
-  }
-  startBackgroundCleaning() {
-    this.cleaningInterval = setInterval(async () => {
-      for (const [_image, pool] of this.pools) {
-        for (let i = 0;i < this.dirtyPoolSize; i++) {
-          if (pool.dirty.length > 0 && pool.clean.length < this.cleanPoolSize) {
-            const entry = pool.dirty.shift();
-            try {
-              await this.cleanupContainer(entry.container);
-              pool.clean.push(entry);
-            } catch {
-              entry.container.remove({ force: true }).catch(() => {});
-            }
-          }
-        }
-      }
-    }, 5000);
-  }
-  async cleanDirtyImmediate(image) {
-    const pool = this.pools.get(image);
-    if (!pool || pool.dirty.length === 0 || pool.clean.length >= this.cleanPoolSize) {
-      return;
-    }
-    const entry = pool.dirty.shift();
-    try {
-      await this.cleanupContainer(entry.container);
-      pool.clean.push(entry);
-    } catch {
-      entry.container.remove({ force: true }).catch(() => {});
-    }
-  }
-  async cleanupContainer(container) {
-    const needsCleanup = this.securityMode === "strict";
-    const needsIptables = this.networkMode === "filtered" && needsCleanup;
-    if (!needsCleanup) {
-      return;
-    }
-    try {
-      const cleanupCmd = needsIptables ? "pkill -9 -u sandbox 2>/dev/null; /usr/sbin/iptables -F OUTPUT 2>/dev/null; rm -rf /sandbox/* /sandbox/.[!.]* 2>/dev/null; true" : "pkill -9 -u sandbox 2>/dev/null; rm -rf /sandbox/* /sandbox/.[!.]* 2>/dev/null; true";
-      const cleanExec = await container.exec({
-        Cmd: ["sh", "-c", cleanupCmd]
-      });
-      await cleanExec.start({ Detach: true });
-      let info2 = await cleanExec.inspect();
-      while (info2.Running) {
-        await new Promise((r) => setTimeout(r, 5));
-        info2 = await cleanExec.inspect();
-      }
-    } catch {}
-  }
-  async warm(image) {
-    const pool = this.pools.get(image) ?? { clean: [], dirty: [] };
-    this.pools.set(image, pool);
-    const needed = this.poolStrategy === "fast" ? this.cleanPoolSize - pool.clean.length : this.cleanPoolSize - (pool.clean?.length ?? 0);
-    if (needed <= 0) {
-      return;
-    }
-    const promises = [];
-    for (let i = 0;i < needed; i++) {
-      promises.push(this.createContainer(image).then((container) => {
-        if (this.poolStrategy === "fast") {
-          pool.clean.push({ container, createdAt: Date.now() });
-        } else {
-          if (!pool.clean) {
-            pool.clean = [];
-          }
-          pool.clean.push({ container, createdAt: Date.now() });
-        }
-      }));
-    }
-    await Promise.all(promises);
-  }
-  async stop() {
-    return this.drain();
-  }
-  async drain() {
-    if (this.cleaningInterval) {
-      clearInterval(this.cleaningInterval);
-      this.cleaningInterval = null;
-    }
-    await Promise.all(this.pendingReplenishments);
-    const promises = [];
-    for (const [, pool] of this.pools) {
-      for (const entry of pool.clean ?? []) {
-        promises.push(entry.container.remove({ force: true }).catch(() => {}));
-      }
-      for (const entry of pool.dirty) {
-        promises.push(entry.container.remove({ force: true }).catch(() => {}));
-      }
-    }
-    await Promise.all(promises);
-    this.pools.clear();
-  }
-  async createContainer(image) {
-    const container = await this.docker.createContainer({
-      ...this.createOptions,
-      Image: image
-    });
-    logger.debug(`[Pool] Container ${container.id} created for image: ${image}`);
-    await container.start();
-    logger.debug(`[Pool] Container ${container.id} started`);
-    return container;
-  }
-  replenish(image) {
-    if (this.replenishing.has(image)) {
-      if (this.replenishing.has(image)) {
-        return;
-      }
-      const pool = this.pools.get(image);
-      const currentSize = pool ? this.poolStrategy === "fast" ? pool.clean.length : pool.clean?.length ?? 0 : 0;
-      const targetSize = this.poolStrategy === "fast" ? this.cleanPoolSize : this.cleanPoolSize;
-      if (currentSize >= targetSize) {
-        return;
-      }
-      this.replenishing.add(image);
-      const promise = this.createContainer(image).then((container) => {
-        const p = this.pools.get(image);
-        if (!p) {
-          container.remove({ force: true }).catch(() => {});
-          return;
-        }
-        if (this.poolStrategy === "fast") {
-          if (p.clean.length < this.cleanPoolSize) {
-            p.clean.push({ container, createdAt: Date.now() });
-          } else {
-            container.remove({ force: true }).catch(() => {});
-          }
-        } else {
-          if (!p.clean) {
-            p.clean = [];
-          }
-          if (p.clean.length < this.cleanPoolSize) {
-            p.clean.push({ container, createdAt: Date.now() });
-          } else {
-            container.remove({ force: true }).catch(() => {});
-          }
-        }
-      }).catch((err) => {
-        logger.error(`[Pool] Error during replenishment for ${image}:`, err);
-      }).finally(() => {
-        this.replenishing.delete(image);
-        this.pendingReplenishments.delete(promise);
-      });
-      this.pendingReplenishments.add(promise);
-    }
-  }
-}
-var init_pool = __esm(() => {
-  init_logger();
-});
-
-// src/engine/stats.ts
-function calculateCPUPercent(stats) {
-  const cpuDelta = stats.cpu_stats.cpu_usage.total_usage - stats.precpu_stats.cpu_usage.total_usage;
-  const systemDelta = stats.cpu_stats.system_cpu_usage - stats.precpu_stats.system_cpu_usage;
-  if (systemDelta === 0 || cpuDelta === 0) {
-    return 0;
-  }
-  const numCores = stats.cpu_stats.online_cpus ?? stats.cpu_stats.cpu_usage.percpu_usage?.length ?? 1;
-  return cpuDelta / systemDelta * numCores * 100;
-}
-function calculateNetworkStats(stats) {
-  if (!stats.networks) {
-    return { in: 0, out: 0 };
-  }
-  let rxBytes = 0;
-  let txBytes = 0;
-  for (const iface of Object.values(stats.networks)) {
-    rxBytes += iface.rx_bytes;
-    txBytes += iface.tx_bytes;
-  }
-  return { in: rxBytes, out: txBytes };
-}
-async function getContainerStats(container) {
-  const stats = await container.stats({
-    stream: false
-  });
-  const cpuPercent = calculateCPUPercent(stats);
-  const memoryBytes = stats.memory_stats.usage;
-  const network = calculateNetworkStats(stats);
-  return {
-    cpuPercent: Math.round(cpuPercent * 100) / 100,
-    memoryMB: Math.round(memoryBytes / (1024 * 1024)),
-    networkBytesIn: network.in,
-    networkBytesOut: network.out
-  };
-}
-function calculateResourceDelta(before, after) {
-  return {
-    cpuPercent: after.cpuPercent,
-    memoryMB: after.memoryMB,
-    networkBytesIn: after.networkBytesIn - before.networkBytesIn,
-    networkBytesOut: after.networkBytesOut - before.networkBytesOut
-  };
-}
-
 // src/engine/utils.ts
 var exports_utils = {};
 __export(exports_utils, {
@@ -55799,13 +55517,514 @@ function validatePackageName(name) {
   return name;
 }
 
+// src/engine/image-builder.ts
+import { createHash as createHash2 } from "node:crypto";
+import { existsSync as existsSync3, readFileSync as readFileSync2 } from "node:fs";
+import { join as join3 } from "node:path";
+function resolveDockerDir() {
+  const fromBundled = new URL("./docker", import.meta.url).pathname;
+  if (existsSync3(fromBundled)) {
+    return fromBundled;
+  }
+  return new URL("../../docker", import.meta.url).pathname;
+}
+function computeDockerDirHash() {
+  const hash = createHash2("sha256");
+  const files = [...DOCKER_BUILD_FILES].sort();
+  for (const file of files) {
+    const filePath = join3(DOCKERFILE_DIR, file);
+    if (existsSync3(filePath)) {
+      const content = readFileSync2(filePath);
+      hash.update(file);
+      hash.update(content);
+    }
+  }
+  return hash.digest("hex");
+}
+function computeDepsHash(runtime, packages) {
+  const hash = createHash2("sha256");
+  hash.update(runtime);
+  for (const pkg of [...packages].sort()) {
+    hash.update(pkg);
+  }
+  return hash.digest("hex");
+}
+function normalizePackages(packages) {
+  return [...new Set(packages.map((pkg) => pkg.trim()).filter(Boolean))].sort();
+}
+function getCustomImageTag(runtime, packages) {
+  const normalizedPackages = normalizePackages(packages);
+  const depsHash = computeDepsHash(runtime, normalizedPackages);
+  const shortHash = depsHash.slice(0, 12);
+  return `isol8:${runtime}-custom-${shortHash}`;
+}
+async function getImageLabels(docker, imageName) {
+  try {
+    const image = docker.getImage(imageName);
+    const inspect = await image.inspect();
+    return inspect.Config?.Labels ?? {};
+  } catch {
+    return null;
+  }
+}
+async function removeImage(docker, imageId) {
+  try {
+    const image = docker.getImage(imageId);
+    await image.remove();
+    logger.debug(`[ImageBuilder] Removed old image: ${imageId.slice(0, 12)}`);
+  } catch (err) {
+    logger.debug(`[ImageBuilder] Could not remove image ${imageId.slice(0, 12)}: ${err}`);
+  }
+}
+async function buildBaseImages(docker, onProgress, force = false) {
+  const runtimes = RuntimeRegistry.list();
+  const dockerHash = computeDockerDirHash();
+  logger.debug(`[ImageBuilder] Docker directory hash: ${dockerHash.slice(0, 16)}...`);
+  for (const adapter of runtimes) {
+    const target = adapter.name;
+    const imageName = adapter.image;
+    if (!force) {
+      const labels = await getImageLabels(docker, imageName);
+      if (labels && labels[LABELS.dockerHash] === dockerHash) {
+        logger.debug(`[ImageBuilder] Base image ${target} is up to date, skipping build`);
+        onProgress?.({ runtime: target, status: "done", message: "Up to date" });
+        continue;
+      }
+    }
+    let oldImageId = null;
+    try {
+      const oldImage = await docker.getImage(imageName).inspect();
+      oldImageId = oldImage.Id;
+      logger.debug(`[ImageBuilder] Existing image ${target} ID: ${oldImageId.slice(0, 12)}`);
+    } catch {
+      logger.debug(`[ImageBuilder] No existing image for ${target}`);
+    }
+    onProgress?.({ runtime: target, status: "building" });
+    try {
+      const stream = await docker.buildImage({ context: DOCKERFILE_DIR, src: DOCKER_BUILD_FILES }, {
+        t: imageName,
+        target,
+        dockerfile: "Dockerfile",
+        labels: {
+          [LABELS.dockerHash]: dockerHash
+        }
+      });
+      await new Promise((resolve2, reject) => {
+        docker.modem.followProgress(stream, (err) => {
+          if (err) {
+            reject(err);
+          } else {
+            resolve2();
+          }
+        });
+      });
+      if (oldImageId) {
+        await removeImage(docker, oldImageId);
+      }
+      onProgress?.({ runtime: target, status: "done" });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      onProgress?.({ runtime: target, status: "error", message });
+      throw new Error(`Failed to build image for ${target}: ${message}`);
+    }
+  }
+}
+async function buildCustomImages(docker, config, onProgress, force = false) {
+  const deps = config.dependencies;
+  const python = deps.python ? normalizePackages(deps.python) : [];
+  const node = deps.node ? normalizePackages(deps.node) : [];
+  const bun = deps.bun ? normalizePackages(deps.bun) : [];
+  const deno = deps.deno ? normalizePackages(deps.deno) : [];
+  const bash = deps.bash ? normalizePackages(deps.bash) : [];
+  if (python.length) {
+    await buildCustomImage(docker, "python", python, onProgress, force);
+  }
+  if (node.length) {
+    await buildCustomImage(docker, "node", node, onProgress, force);
+  }
+  if (bun.length) {
+    await buildCustomImage(docker, "bun", bun, onProgress, force);
+  }
+  if (deno.length) {
+    await buildCustomImage(docker, "deno", deno, onProgress, force);
+  }
+  if (bash.length) {
+    await buildCustomImage(docker, "bash", bash, onProgress, force);
+  }
+}
+async function buildCustomImage(docker, runtime, packages, onProgress, force = false) {
+  const normalizedPackages = normalizePackages(packages);
+  const tag = getCustomImageTag(runtime, normalizedPackages);
+  const depsHash = computeDepsHash(runtime, normalizedPackages);
+  logger.debug(`[ImageBuilder] ${runtime} custom deps hash: ${depsHash.slice(0, 16)}...`);
+  if (!force) {
+    const labels = await getImageLabels(docker, tag);
+    if (labels && labels[LABELS.depsHash] === depsHash) {
+      logger.debug(`[ImageBuilder] Custom image ${runtime} is up to date, skipping build`);
+      onProgress?.({ runtime, status: "done", message: "Up to date" });
+      return;
+    }
+  }
+  let oldImageId = null;
+  try {
+    const oldImage = await docker.getImage(tag).inspect();
+    oldImageId = oldImage.Id;
+    logger.debug(`[ImageBuilder] Existing custom image ${runtime} ID: ${oldImageId.slice(0, 12)}`);
+  } catch {
+    logger.debug(`[ImageBuilder] No existing custom image for ${runtime}`);
+  }
+  onProgress?.({
+    runtime,
+    status: "building",
+    message: `Custom: ${normalizedPackages.join(", ")}`
+  });
+  let installCmd;
+  switch (runtime) {
+    case "python":
+      installCmd = `RUN pip install --no-cache-dir ${normalizedPackages.join(" ")}`;
+      break;
+    case "node":
+      installCmd = `RUN npm install -g ${normalizedPackages.join(" ")}`;
+      break;
+    case "bun":
+      installCmd = `RUN bun install -g ${normalizedPackages.join(" ")}`;
+      break;
+    case "deno":
+      installCmd = normalizedPackages.map((p) => `RUN deno cache ${p}`).join(`
+`);
+      break;
+    case "bash":
+      installCmd = `RUN apk add --no-cache ${normalizedPackages.join(" ")}`;
+      break;
+    default:
+      throw new Error(`Unknown runtime: ${runtime}`);
+  }
+  const dockerfileContent = `FROM isol8:${runtime}
+${installCmd}
+`;
+  const { createTarBuffer: createTarBuffer2, validatePackageName: validatePackageName2 } = await Promise.resolve().then(() => exports_utils);
+  const { Readable } = await import("node:stream");
+  normalizedPackages.forEach(validatePackageName2);
+  const tarBuffer = createTarBuffer2("Dockerfile", dockerfileContent);
+  const stream = await docker.buildImage(Readable.from(tarBuffer), {
+    t: tag,
+    dockerfile: "Dockerfile",
+    labels: {
+      [LABELS.depsHash]: depsHash
+    }
+  });
+  await new Promise((resolve2, reject) => {
+    docker.modem.followProgress(stream, (err) => {
+      if (err) {
+        reject(err);
+      } else {
+        resolve2();
+      }
+    });
+  });
+  if (oldImageId) {
+    await removeImage(docker, oldImageId);
+  }
+  onProgress?.({ runtime, status: "done" });
+}
+var DOCKERFILE_DIR, LABELS, DOCKER_BUILD_FILES;
+var init_image_builder = __esm(() => {
+  init_runtime();
+  init_logger();
+  DOCKERFILE_DIR = resolveDockerDir();
+  LABELS = {
+    dockerHash: "org.isol8.build.hash",
+    depsHash: "org.isol8.deps.hash"
+  };
+  DOCKER_BUILD_FILES = ["Dockerfile", "proxy.sh", "proxy-handler.sh"];
+});
+
+// src/engine/pool.ts
+class ContainerPool {
+  docker;
+  poolStrategy;
+  cleanPoolSize;
+  dirtyPoolSize;
+  createOptions;
+  networkMode;
+  securityMode;
+  pools = new Map;
+  replenishing = new Set;
+  pendingReplenishments = new Set;
+  cleaningInterval = null;
+  constructor(options) {
+    this.docker = options.docker;
+    this.poolStrategy = options.poolStrategy ?? "fast";
+    this.createOptions = options.createOptions;
+    this.networkMode = options.networkMode;
+    this.securityMode = options.securityMode;
+    if (typeof options.poolSize === "number") {
+      this.cleanPoolSize = options.poolSize;
+      this.dirtyPoolSize = options.poolSize;
+    } else if (options.poolSize) {
+      this.cleanPoolSize = options.poolSize.clean ?? 1;
+      this.dirtyPoolSize = options.poolSize.dirty ?? 1;
+    } else {
+      this.cleanPoolSize = 1;
+      this.dirtyPoolSize = 1;
+    }
+    if (this.poolStrategy === "fast") {
+      this.startBackgroundCleaning();
+    }
+  }
+  async acquire(image) {
+    const pool = this.pools.get(image) ?? { clean: [], dirty: [] };
+    if (this.poolStrategy === "fast") {
+      if (pool.clean.length > 0) {
+        const entry = pool.clean.shift();
+        this.pools.set(image, pool);
+        this.replenish(image);
+        return entry.container;
+      }
+      if (pool.dirty.length > 0 && pool.clean.length < this.cleanPoolSize) {
+        await this.cleanDirtyImmediate(image);
+        const updatedPool = this.pools.get(image);
+        if (updatedPool && updatedPool.clean.length > 0) {
+          const entry = updatedPool.clean.shift();
+          this.pools.set(image, updatedPool);
+          this.replenish(image);
+          return entry.container;
+        }
+      }
+      return this.createContainer(image);
+    }
+    if (pool.clean && pool.clean.length > 0) {
+      const entry = pool.clean.shift();
+      this.pools.set(image, { clean: pool.clean, dirty: [] });
+      await this.cleanupContainer(entry.container);
+      this.replenish(image);
+      return entry.container;
+    }
+    return this.createContainer(image);
+  }
+  async release(container, image) {
+    let pool = this.pools.get(image);
+    if (!pool) {
+      pool = { clean: [], dirty: [] };
+      this.pools.set(image, pool);
+    }
+    if (this.poolStrategy === "fast") {
+      if (pool.dirty.length >= this.dirtyPoolSize) {
+        await container.remove({ force: true }).catch(() => {});
+        return;
+      }
+      pool.dirty.push({ container, createdAt: Date.now() });
+    } else {
+      if (pool.clean.length >= this.cleanPoolSize) {
+        await container.remove({ force: true }).catch(() => {});
+        return;
+      }
+      if (!pool.clean) {
+        pool.clean = [];
+      }
+      pool.clean.push({ container, createdAt: Date.now() });
+    }
+  }
+  startBackgroundCleaning() {
+    this.cleaningInterval = setInterval(async () => {
+      for (const [_image, pool] of this.pools) {
+        for (let i = 0;i < this.dirtyPoolSize; i++) {
+          if (pool.dirty.length > 0 && pool.clean.length < this.cleanPoolSize) {
+            const entry = pool.dirty.shift();
+            try {
+              await this.cleanupContainer(entry.container);
+              pool.clean.push(entry);
+            } catch {
+              entry.container.remove({ force: true }).catch(() => {});
+            }
+          }
+        }
+      }
+    }, 5000);
+  }
+  async cleanDirtyImmediate(image) {
+    const pool = this.pools.get(image);
+    if (!pool || pool.dirty.length === 0 || pool.clean.length >= this.cleanPoolSize) {
+      return;
+    }
+    const entry = pool.dirty.shift();
+    try {
+      await this.cleanupContainer(entry.container);
+      pool.clean.push(entry);
+    } catch {
+      entry.container.remove({ force: true }).catch(() => {});
+    }
+  }
+  async cleanupContainer(container) {
+    const needsCleanup = this.securityMode === "strict";
+    const needsIptables = this.networkMode === "filtered" && needsCleanup;
+    if (!needsCleanup) {
+      return;
+    }
+    try {
+      const cleanupCmd = needsIptables ? "pkill -9 -u sandbox 2>/dev/null; /usr/sbin/iptables -F OUTPUT 2>/dev/null; rm -rf /sandbox/* /sandbox/.[!.]* 2>/dev/null; true" : "pkill -9 -u sandbox 2>/dev/null; rm -rf /sandbox/* /sandbox/.[!.]* 2>/dev/null; true";
+      const cleanExec = await container.exec({
+        Cmd: ["sh", "-c", cleanupCmd]
+      });
+      await cleanExec.start({ Detach: true });
+      let info2 = await cleanExec.inspect();
+      while (info2.Running) {
+        await new Promise((r) => setTimeout(r, 5));
+        info2 = await cleanExec.inspect();
+      }
+    } catch {}
+  }
+  async warm(image) {
+    const pool = this.pools.get(image) ?? { clean: [], dirty: [] };
+    this.pools.set(image, pool);
+    const needed = this.poolStrategy === "fast" ? this.cleanPoolSize - pool.clean.length : this.cleanPoolSize - (pool.clean?.length ?? 0);
+    if (needed <= 0) {
+      return;
+    }
+    const promises = [];
+    for (let i = 0;i < needed; i++) {
+      promises.push(this.createContainer(image).then((container) => {
+        if (this.poolStrategy === "fast") {
+          pool.clean.push({ container, createdAt: Date.now() });
+        } else {
+          if (!pool.clean) {
+            pool.clean = [];
+          }
+          pool.clean.push({ container, createdAt: Date.now() });
+        }
+      }));
+    }
+    await Promise.all(promises);
+  }
+  async stop() {
+    return this.drain();
+  }
+  async drain() {
+    if (this.cleaningInterval) {
+      clearInterval(this.cleaningInterval);
+      this.cleaningInterval = null;
+    }
+    await Promise.all(this.pendingReplenishments);
+    const promises = [];
+    for (const [, pool] of this.pools) {
+      for (const entry of pool.clean ?? []) {
+        promises.push(entry.container.remove({ force: true }).catch(() => {}));
+      }
+      for (const entry of pool.dirty) {
+        promises.push(entry.container.remove({ force: true }).catch(() => {}));
+      }
+    }
+    await Promise.all(promises);
+    this.pools.clear();
+  }
+  async createContainer(image) {
+    const container = await this.docker.createContainer({
+      ...this.createOptions,
+      Image: image
+    });
+    logger.debug(`[Pool] Container ${container.id} created for image: ${image}`);
+    await container.start();
+    logger.debug(`[Pool] Container ${container.id} started`);
+    return container;
+  }
+  replenish(image) {
+    if (this.replenishing.has(image)) {
+      return;
+    }
+    const pool = this.pools.get(image);
+    const currentSize = pool ? this.poolStrategy === "fast" ? pool.clean.length : pool.clean?.length ?? 0 : 0;
+    const targetSize = this.cleanPoolSize;
+    if (currentSize >= targetSize) {
+      return;
+    }
+    this.replenishing.add(image);
+    const promise = this.createContainer(image).then((container) => {
+      const p = this.pools.get(image);
+      if (!p) {
+        container.remove({ force: true }).catch(() => {});
+        return;
+      }
+      if (this.poolStrategy === "fast") {
+        if (p.clean.length < this.cleanPoolSize) {
+          p.clean.push({ container, createdAt: Date.now() });
+        } else {
+          container.remove({ force: true }).catch(() => {});
+        }
+      } else {
+        if (!p.clean) {
+          p.clean = [];
+        }
+        if (p.clean.length < this.cleanPoolSize) {
+          p.clean.push({ container, createdAt: Date.now() });
+        } else {
+          container.remove({ force: true }).catch(() => {});
+        }
+      }
+    }).catch((err) => {
+      logger.error(`[Pool] Error during replenishment for ${image}:`, err);
+    }).finally(() => {
+      this.replenishing.delete(image);
+      this.pendingReplenishments.delete(promise);
+    });
+    this.pendingReplenishments.add(promise);
+  }
+}
+var init_pool = __esm(() => {
+  init_logger();
+});
+
+// src/engine/stats.ts
+function calculateCPUPercent(stats) {
+  const cpuDelta = stats.cpu_stats.cpu_usage.total_usage - stats.precpu_stats.cpu_usage.total_usage;
+  const systemDelta = stats.cpu_stats.system_cpu_usage - stats.precpu_stats.system_cpu_usage;
+  if (systemDelta === 0 || cpuDelta === 0) {
+    return 0;
+  }
+  const numCores = stats.cpu_stats.online_cpus ?? stats.cpu_stats.cpu_usage.percpu_usage?.length ?? 1;
+  return cpuDelta / systemDelta * numCores * 100;
+}
+function calculateNetworkStats(stats) {
+  if (!stats.networks) {
+    return { in: 0, out: 0 };
+  }
+  let rxBytes = 0;
+  let txBytes = 0;
+  for (const iface of Object.values(stats.networks)) {
+    rxBytes += iface.rx_bytes;
+    txBytes += iface.tx_bytes;
+  }
+  return { in: rxBytes, out: txBytes };
+}
+async function getContainerStats(container) {
+  const stats = await container.stats({
+    stream: false
+  });
+  const cpuPercent = calculateCPUPercent(stats);
+  const memoryBytes = stats.memory_stats.usage;
+  const network = calculateNetworkStats(stats);
+  return {
+    cpuPercent: Math.round(cpuPercent * 100) / 100,
+    memoryMB: Math.round(memoryBytes / (1024 * 1024)),
+    networkBytesIn: network.in,
+    networkBytesOut: network.out
+  };
+}
+function calculateResourceDelta(before, after) {
+  return {
+    cpuPercent: after.cpuPercent,
+    memoryMB: after.memoryMB,
+    networkBytesIn: after.networkBytesIn - before.networkBytesIn,
+    networkBytesOut: after.networkBytesOut - before.networkBytesOut
+  };
+}
+
 // src/engine/docker.ts
 var exports_docker = {};
 __export(exports_docker, {
   DockerIsol8: () => DockerIsol8
 });
 import { randomUUID } from "node:crypto";
-import { existsSync as existsSync3, readFileSync as readFileSync2 } from "node:fs";
+import { existsSync as existsSync4, readFileSync as readFileSync3 } from "node:fs";
 import { PassThrough } from "node:stream";
 async function writeFileViaExec(container, filePath, content) {
   const data = typeof content === "string" ? Buffer.from(content, "utf-8") : content;
@@ -56021,6 +56240,7 @@ class DockerIsol8 {
   logNetwork;
   poolStrategy;
   poolSize;
+  dependencies;
   auditLogger;
   remoteCodePolicy;
   container = null;
@@ -56067,6 +56287,7 @@ class DockerIsol8 {
     this.logNetwork = options.logNetwork ?? false;
     this.poolStrategy = options.poolStrategy ?? "fast";
     this.poolSize = options.poolSize ?? { clean: 1, dirty: 1 };
+    this.dependencies = options.dependencies ?? {};
     this.remoteCodePolicy = options.remoteCode ?? {
       enabled: false,
       allowedSchemes: ["https"],
@@ -56085,7 +56306,33 @@ class DockerIsol8 {
       logger.setDebug(true);
     }
   }
-  async start() {}
+  async start(options = {}) {
+    if (this.mode !== "ephemeral") {
+      return;
+    }
+    const prewarm = options.prewarm;
+    if (!prewarm) {
+      return;
+    }
+    const pool = this.ensurePool();
+    const images = new Set;
+    const adapters2 = typeof prewarm === "object" && prewarm.runtimes?.length ? prewarm.runtimes.map((runtime) => RuntimeRegistry.get(runtime)) : RuntimeRegistry.list();
+    for (const adapter of adapters2) {
+      try {
+        images.add(await this.resolveImage(adapter));
+      } catch (err) {
+        logger.debug(`[Pool] Pre-warm image resolution failed for ${adapter.name}: ${err}`);
+      }
+    }
+    await Promise.all([...images].map(async (image) => {
+      try {
+        await pool.warm(image);
+        logger.debug(`[Pool] Pre-warmed image: ${image}`);
+      } catch (err) {
+        logger.debug(`[Pool] Pre-warm failed for ${image}: ${err}`);
+      }
+    }));
+  }
   async stop() {
     if (this.container) {
       try {
@@ -56334,21 +56581,29 @@ class DockerIsol8 {
     if (cached) {
       return cached;
     }
-    const customTag = `${adapter.image}-custom`;
-    let resolvedImage;
-    try {
-      await this.docker.getImage(customTag).inspect();
-      resolvedImage = customTag;
-    } catch {
-      resolvedImage = adapter.image;
+    let resolvedImage = adapter.image;
+    const configuredDeps = this.dependencies[adapter.name];
+    const normalizedDeps = configuredDeps ? normalizePackages(configuredDeps) : [];
+    if (normalizedDeps.length > 0) {
+      const hashedCustomTag = getCustomImageTag(adapter.name, normalizedDeps);
+      try {
+        await this.docker.getImage(hashedCustomTag).inspect();
+        resolvedImage = hashedCustomTag;
+      } catch {
+        logger.debug(`[ImageBuilder] Hashed custom image not found for ${adapter.name}: ${hashedCustomTag}`);
+      }
+    }
+    if (resolvedImage === adapter.image) {
+      const legacyCustomTag = `${adapter.image}-custom`;
+      try {
+        await this.docker.getImage(legacyCustomTag).inspect();
+        resolvedImage = legacyCustomTag;
+      } catch {}
     }
     this.imageCache.set(cacheKey, resolvedImage);
     return resolvedImage;
   }
-  async executeEphemeral(req, startTime) {
-    const adapter = this.getAdapter(req.runtime);
-    const timeoutMs = req.timeoutMs ?? this.defaultTimeoutMs;
-    const image = await this.resolveImage(adapter);
+  ensurePool() {
     if (!this.pool) {
       this.pool = new ContainerPool({
         docker: this.docker,
@@ -56366,7 +56621,14 @@ class DockerIsol8 {
         }
       });
     }
-    const container = await this.pool.acquire(image);
+    return this.pool;
+  }
+  async executeEphemeral(req, startTime) {
+    const adapter = this.getAdapter(req.runtime);
+    const timeoutMs = req.timeoutMs ?? this.defaultTimeoutMs;
+    const image = await this.resolveImage(adapter);
+    const pool = this.ensurePool();
+    const container = await pool.acquire(image);
     let startStats;
     if (this.auditLogger) {
       try {
@@ -56380,13 +56642,26 @@ class DockerIsol8 {
         await startProxy(container, this.networkFilter);
         await setupIptables(container);
       }
-      const ext = req.fileExtension ?? adapter.getFileExtension();
-      const filePath = `${SANDBOX_WORKDIR}/main${ext}`;
-      await writeFileViaExec(container, filePath, req.code);
+      const canUseInline = !(req.stdin || req.files || req.outputPaths) && (!req.installPackages || req.installPackages.length === 0);
+      let rawCmd;
+      if (canUseInline) {
+        try {
+          rawCmd = adapter.getCommand(req.code);
+        } catch {
+          const ext = req.fileExtension ?? adapter.getFileExtension();
+          const filePath = `${SANDBOX_WORKDIR}/main${ext}`;
+          await writeFileViaExec(container, filePath, req.code);
+          rawCmd = adapter.getCommand(req.code, filePath);
+        }
+      } else {
+        const ext = req.fileExtension ?? adapter.getFileExtension();
+        const filePath = `${SANDBOX_WORKDIR}/main${ext}`;
+        await writeFileViaExec(container, filePath, req.code);
+        rawCmd = adapter.getCommand(req.code, filePath);
+      }
       if (req.installPackages?.length) {
         await installPackages(container, req.runtime, req.installPackages);
       }
-      const rawCmd = adapter.getCommand(req.code, filePath);
       const timeoutSec = Math.ceil(timeoutMs / 1000);
       let cmd;
       if (req.stdin) {
@@ -56457,7 +56732,7 @@ class DockerIsol8 {
       if (this.persist) {
         logger.debug(`[Persist] Leaving container running for inspection: ${container.id}`);
       } else {
-        this.pool.release(container, image).catch((err) => {
+        pool.release(container, image).catch((err) => {
           logger.debug(`[Pool] release failed: ${err}`);
           container.remove({ force: true }).catch(() => {});
         });
@@ -56633,7 +56908,7 @@ class DockerIsol8 {
     }
     if (this.security.seccomp === "custom" && this.security.customProfilePath) {
       try {
-        const profile = readFileSync2(this.security.customProfilePath, "utf-8");
+        const profile = readFileSync3(this.security.customProfilePath, "utf-8");
         opts.push(`seccomp=${profile}`);
       } catch (e) {
         logger.error(`Failed to load custom seccomp profile: ${e}`);
@@ -56652,12 +56927,12 @@ class DockerIsol8 {
   }
   loadDefaultSeccompProfile() {
     const devPath = new URL("../../docker/seccomp-profile.json", import.meta.url);
-    if (existsSync3(devPath)) {
-      return readFileSync2(devPath, "utf-8");
+    if (existsSync4(devPath)) {
+      return readFileSync3(devPath, "utf-8");
     }
     const prodPath = new URL("./docker/seccomp-profile.json", import.meta.url);
-    if (existsSync3(prodPath)) {
-      return readFileSync2(prodPath, "utf-8");
+    if (existsSync4(prodPath)) {
+      return readFileSync3(prodPath, "utf-8");
     }
     logger.warn("Could not locate default seccomp profile. Running without seccomp filter.");
     return null;
@@ -56840,7 +57115,7 @@ class DockerIsol8 {
   static async cleanup(docker) {
     const dockerInstance = docker ?? new import_dockerode.default;
     const containers = await dockerInstance.listContainers({ all: true });
-    const isol8Containers = containers.filter((c) => c.Image.startsWith("isol8:") || c.Image.startsWith("isol8-custom:"));
+    const isol8Containers = containers.filter((c) => c.Image.startsWith("isol8:"));
     let removed = 0;
     let failed = 0;
     const errors = [];
@@ -56857,6 +57132,27 @@ class DockerIsol8 {
     }
     return { removed, failed, errors };
   }
+  static async cleanupImages(docker) {
+    const dockerInstance = docker ?? new import_dockerode.default;
+    const images = await dockerInstance.listImages({ all: true });
+    const isol8Images = images.filter((img) => img.RepoTags?.some((tag) => tag.startsWith("isol8:")));
+    let removed = 0;
+    let failed = 0;
+    const errors = [];
+    for (const imageInfo of isol8Images) {
+      try {
+        const image = dockerInstance.getImage(imageInfo.Id);
+        await image.remove({ force: true });
+        removed++;
+      } catch (err) {
+        failed++;
+        const errorMsg = err instanceof Error ? err.message : String(err);
+        const imageRef = imageInfo.RepoTags?.[0] ?? imageInfo.Id.slice(0, 12);
+        errors.push(`${imageRef}: ${errorMsg}`);
+      }
+    }
+    return { removed, failed, errors };
+  }
 }
 var import_dockerode, SANDBOX_WORKDIR = "/sandbox", MAX_OUTPUT_BYTES, PROXY_PORT = 8118, PROXY_STARTUP_TIMEOUT_MS = 5000, PROXY_POLL_INTERVAL_MS = 100;
 var init_docker = __esm(() => {
@@ -56864,6 +57160,7 @@ var init_docker = __esm(() => {
   init_logger();
   init_audit();
   init_code_fetcher();
+  init_image_builder();
   init_pool();
   import_dockerode = __toESM(require_docker(), 1);
   MAX_OUTPUT_BYTES = 1024 * 1024;
@@ -56874,7 +57171,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "isol8",
-    version: "0.10.3",
+    version: "0.11.0",
     description: "Secure code execution engine for AI agents",
     author: "Illusion47586",
     license: "MIT",
@@ -56919,6 +57216,8 @@ var init_package = __esm(() => {
       "lint:check": "ultracite check",
       "lint:fix": "ultracite fix",
       bench: "bunx tsx benchmarks/spawn.ts",
+      "bench:tti": "bunx tsx benchmarks/tti.ts",
+      "bench:tti:pool": "bunx tsx benchmarks/tti.ts --warm-pool --iterations 5",
       "bench:pool": "bunx tsx benchmarks/spawn-pool.ts",
       "bench:detailed": "bunx tsx benchmarks/spawn-detailed.ts",
       "bench:cli": "bun run tests/production/bench-cli.ts",
@@ -58626,6 +58925,11 @@ async function createServer(options) {
     const body = await c.req.json();
     logger.debug(`[Server] POST /execute runtime=${body.request.runtime} sessionId=${body.sessionId ?? "ephemeral"}`);
     logger.debug(`[Server] Code source: ${body.request.codeUrl ? `url=${body.request.codeUrl}` : `inline (${body.request.code?.length ?? 0} chars)`}`);
+    const {
+      poolStrategy: _ignoredPoolStrategy,
+      poolSize: _ignoredPoolSize,
+      ...requestOptions
+    } = body.options ?? {};
     const engineOptions = {
       network: config.defaults.network,
       memoryLimit: config.defaults.memoryLimit,
@@ -58633,8 +58937,11 @@ async function createServer(options) {
       timeoutMs: config.defaults.timeoutMs,
       sandboxSize: config.defaults.sandboxSize,
       tmpSize: config.defaults.tmpSize,
+      poolStrategy: config.poolStrategy,
+      poolSize: config.poolSize,
+      dependencies: config.dependencies,
       remoteCode: config.remoteCode,
-      ...body.options,
+      ...requestOptions,
       mode: body.sessionId ? "persistent" : "ephemeral",
       audit: config.audit
     };
@@ -58688,6 +58995,11 @@ async function createServer(options) {
     const body = await c.req.json();
     logger.debug(`[Server] POST /execute/stream runtime=${body.request.runtime}`);
     logger.debug(`[Server] Code source: ${body.request.codeUrl ? `url=${body.request.codeUrl}` : `inline (${body.request.code?.length ?? 0} chars)`}`);
+    const {
+      poolStrategy: _ignoredPoolStrategy,
+      poolSize: _ignoredPoolSize,
+      ...requestOptions
+    } = body.options ?? {};
     const engineOptions = {
       network: config.defaults.network,
       memoryLimit: config.defaults.memoryLimit,
@@ -58695,8 +59007,11 @@ async function createServer(options) {
       timeoutMs: config.defaults.timeoutMs,
       sandboxSize: config.defaults.sandboxSize,
       tmpSize: config.defaults.tmpSize,
+      poolStrategy: config.poolStrategy,
+      poolSize: config.poolSize,
+      dependencies: config.dependencies,
       remoteCode: config.remoteCode,
-      ...body.options,
+      ...requestOptions,
       mode: "ephemeral"
     };
     const engine = new DockerIsol82(engineOptions, config.maxConcurrent);
@@ -62099,7 +62414,7 @@ class RemoteIsol8 {
     this.sessionId = options.sessionId;
     this.isol8Options = isol8Options;
   }
-  async start() {
+  async start(_options) {
     const res = await this.fetch("/health");
     if (!res.ok) {
       throw new Error(`Remote server health check failed: ${res.status}`);
@@ -62217,208 +62532,7 @@ class RemoteIsol8 {
 // src/cli.ts
 init_config();
 init_docker();
-
-// src/engine/image-builder.ts
-init_runtime();
-init_logger();
-import { createHash as createHash2 } from "node:crypto";
-import { existsSync as existsSync4, readFileSync as readFileSync3 } from "node:fs";
-import { join as join3 } from "node:path";
-function resolveDockerDir() {
-  const fromBundled = new URL("./docker", import.meta.url).pathname;
-  if (existsSync4(fromBundled)) {
-    return fromBundled;
-  }
-  return new URL("../../docker", import.meta.url).pathname;
-}
-var DOCKERFILE_DIR = resolveDockerDir();
-var LABELS = {
-  dockerHash: "org.isol8.build.hash",
-  depsHash: "org.isol8.deps.hash"
-};
-var DOCKER_BUILD_FILES = ["Dockerfile", "proxy.sh", "proxy-handler.sh"];
-function computeDockerDirHash() {
-  const hash = createHash2("sha256");
-  const files = [...DOCKER_BUILD_FILES].sort();
-  for (const file of files) {
-    const filePath = join3(DOCKERFILE_DIR, file);
-    if (existsSync4(filePath)) {
-      const content = readFileSync3(filePath);
-      hash.update(file);
-      hash.update(content);
-    }
-  }
-  return hash.digest("hex");
-}
-function computeDepsHash(runtime, packages) {
-  const hash = createHash2("sha256");
-  hash.update(runtime);
-  for (const pkg of [...packages].sort()) {
-    hash.update(pkg);
-  }
-  return hash.digest("hex");
-}
-async function getImageLabels(docker, imageName) {
-  try {
-    const image = docker.getImage(imageName);
-    const inspect = await image.inspect();
-    return inspect.Config?.Labels ?? {};
-  } catch {
-    return null;
-  }
-}
-async function removeImage(docker, imageId) {
-  try {
-    const image = docker.getImage(imageId);
-    await image.remove();
-    logger.debug(`[ImageBuilder] Removed old image: ${imageId.slice(0, 12)}`);
-  } catch (err) {
-    logger.debug(`[ImageBuilder] Could not remove image ${imageId.slice(0, 12)}: ${err}`);
-  }
-}
-async function buildBaseImages(docker, onProgress, force = false) {
-  const runtimes = RuntimeRegistry.list();
-  const dockerHash = computeDockerDirHash();
-  logger.debug(`[ImageBuilder] Docker directory hash: ${dockerHash.slice(0, 16)}...`);
-  for (const adapter of runtimes) {
-    const target = adapter.name;
-    const imageName = adapter.image;
-    if (!force) {
-      const labels = await getImageLabels(docker, imageName);
-      if (labels && labels[LABELS.dockerHash] === dockerHash) {
-        logger.debug(`[ImageBuilder] Base image ${target} is up to date, skipping build`);
-        onProgress?.({ runtime: target, status: "done", message: "Up to date" });
-        continue;
-      }
-    }
-    let oldImageId = null;
-    try {
-      const oldImage = await docker.getImage(imageName).inspect();
-      oldImageId = oldImage.Id;
-      logger.debug(`[ImageBuilder] Existing image ${target} ID: ${oldImageId.slice(0, 12)}`);
-    } catch {
-      logger.debug(`[ImageBuilder] No existing image for ${target}`);
-    }
-    onProgress?.({ runtime: target, status: "building" });
-    try {
-      const stream = await docker.buildImage({ context: DOCKERFILE_DIR, src: DOCKER_BUILD_FILES }, {
-        t: imageName,
-        target,
-        dockerfile: "Dockerfile",
-        labels: {
-          [LABELS.dockerHash]: dockerHash
-        }
-      });
-      await new Promise((resolve2, reject) => {
-        docker.modem.followProgress(stream, (err) => {
-          if (err) {
-            reject(err);
-          } else {
-            resolve2();
-          }
-        });
-      });
-      if (oldImageId) {
-        await removeImage(docker, oldImageId);
-      }
-      onProgress?.({ runtime: target, status: "done" });
-    } catch (err) {
-      const message = err instanceof Error ? err.message : String(err);
-      onProgress?.({ runtime: target, status: "error", message });
-      throw new Error(`Failed to build image for ${target}: ${message}`);
-    }
-  }
-}
-async function buildCustomImages(docker, config, onProgress, force = false) {
-  const deps = config.dependencies;
-  if (deps.python?.length) {
-    await buildCustomImage(docker, "python", deps.python, onProgress, force);
-  }
-  if (deps.node?.length) {
-    await buildCustomImage(docker, "node", deps.node, onProgress, force);
-  }
-  if (deps.bun?.length) {
-    await buildCustomImage(docker, "bun", deps.bun, onProgress, force);
-  }
-  if (deps.deno?.length) {
-    await buildCustomImage(docker, "deno", deps.deno, onProgress, force);
-  }
-  if (deps.bash?.length) {
-    await buildCustomImage(docker, "bash", deps.bash, onProgress, force);
-  }
-}
-async function buildCustomImage(docker, runtime, packages, onProgress, force = false) {
-  const tag = `isol8:${runtime}-custom`;
-  const depsHash = computeDepsHash(runtime, packages);
-  logger.debug(`[ImageBuilder] ${runtime} custom deps hash: ${depsHash.slice(0, 16)}...`);
-  if (!force) {
-    const labels = await getImageLabels(docker, tag);
-    if (labels && labels[LABELS.depsHash] === depsHash) {
-      logger.debug(`[ImageBuilder] Custom image ${runtime} is up to date, skipping build`);
-      onProgress?.({ runtime, status: "done", message: "Up to date" });
-      return;
-    }
-  }
-  let oldImageId = null;
-  try {
-    const oldImage = await docker.getImage(tag).inspect();
-    oldImageId = oldImage.Id;
-    logger.debug(`[ImageBuilder] Existing custom image ${runtime} ID: ${oldImageId.slice(0, 12)}`);
-  } catch {
-    logger.debug(`[ImageBuilder] No existing custom image for ${runtime}`);
-  }
-  onProgress?.({ runtime, status: "building", message: `Custom: ${packages.join(", ")}` });
-  let installCmd;
-  switch (runtime) {
-    case "python":
-      installCmd = `RUN pip install --no-cache-dir ${packages.join(" ")}`;
-      break;
-    case "node":
-      installCmd = `RUN npm install -g ${packages.join(" ")}`;
-      break;
-    case "bun":
-      installCmd = `RUN bun install -g ${packages.join(" ")}`;
-      break;
-    case "deno":
-      installCmd = packages.map((p) => `RUN deno cache ${p}`).join(`
-`);
-      break;
-    case "bash":
-      installCmd = `RUN apk add --no-cache ${packages.join(" ")}`;
-      break;
-    default:
-      throw new Error(`Unknown runtime: ${runtime}`);
-  }
-  const dockerfileContent = `FROM isol8:${runtime}
-${installCmd}
-`;
-  const { createTarBuffer: createTarBuffer2, validatePackageName: validatePackageName2 } = await Promise.resolve().then(() => exports_utils);
-  const { Readable } = await import("node:stream");
-  packages.forEach(validatePackageName2);
-  const tarBuffer = createTarBuffer2("Dockerfile", dockerfileContent);
-  const stream = await docker.buildImage(Readable.from(tarBuffer), {
-    t: tag,
-    dockerfile: "Dockerfile",
-    labels: {
-      [LABELS.depsHash]: depsHash
-    }
-  });
-  await new Promise((resolve2, reject) => {
-    docker.modem.followProgress(stream, (err) => {
-      if (err) {
-        reject(err);
-      } else {
-        resolve2();
-      }
-    });
-  });
-  if (oldImageId) {
-    await removeImage(docker, oldImageId);
-  }
-  onProgress?.({ runtime, status: "done" });
-}
-
-// src/cli.ts
+init_image_builder();
 init_runtime();
 init_logger();
 init_version();
@@ -62519,7 +62633,7 @@ program2.command("setup").description("Check Docker and build isol8 images").opt
   console.log(`
 [DONE] Setup complete!`);
 });
-program2.command("run").description("Execute code in isol8").argument("[file]", "Script file to execute").option("-e, --eval <code>", "Execute inline code string").option("-r, --runtime <name>", "Force runtime (python, node, bun, deno, bash)").option("--net <mode>", "Network mode: none, host, filtered", "none").option("--allow <regex>", "Whitelist regex for filtered mode (repeatable)", collect, []).option("--deny <regex>", "Blacklist regex for filtered mode (repeatable)", collect, []).option("--out <file>", "Write output to file").option("--persistent", "Use persistent container").option("--timeout <ms>", "Execution timeout in milliseconds").option("--memory <limit>", "Memory limit (e.g. 512m, 1g)").option("--cpu <limit>", "CPU limit as fraction (e.g. 0.5, 2.0)").option("--image <name>", "Override Docker image").option("--pids-limit <n>", "Maximum number of processes").option("--writable", "Disable read-only root filesystem").option("--max-output <bytes>", "Maximum output size in bytes").option("--secret <KEY=VALUE>", "Secret env var (repeatable, values masked)", collect, []).option("--sandbox-size <size>", "Sandbox tmpfs size (e.g. 128m, 512m)").option("--tmp-size <size>", "Tmp tmpfs size (e.g. 256m, 512m)").option("--stdin <data>", "Data to pipe to stdin").option("--install <package>", "Install package for runtime (repeatable)", collect, []).option("--url <url>", "Fetch code from URL").option("--github <path>", "GitHub shorthand: owner/repo/ref/path/to/file").option("--gist <path>", "Gist shorthand: gistId/file.ext").option("--hash <sha256>", "Expected SHA-256 hash of fetched code").option("--allow-insecure-code-url", "Allow insecure HTTP code URLs").option("--host <url>", "Execute on remote server").option("--key <key>", "API key for remote server").option("--no-stream", "Disable real-time output streaming").option("--debug", "Enable debug logging").option("--persist", "Keep container running after execution for inspection").option("--log-network", "Log all network requests (requires --net filtered)").option("--pool-strategy <mode>", "Pool strategy: fast (default) or secure", "fast").option("--pool-size <size>", "Pool size (number or 'clean,dirty' for fast mode)", "1,1").action(async (file, opts) => {
+program2.command("run").description("Execute code in isol8").argument("[file]", "Script file to execute").option("-e, --eval <code>", "Execute inline code string").option("-r, --runtime <name>", "Force runtime (python, node, bun, deno, bash)").option("--net <mode>", "Network mode: none, host, filtered", "none").option("--allow <regex>", "Whitelist regex for filtered mode (repeatable)", collect, []).option("--deny <regex>", "Blacklist regex for filtered mode (repeatable)", collect, []).option("--out <file>", "Write output to file").option("--persistent", "Use persistent container").option("--timeout <ms>", "Execution timeout in milliseconds").option("--memory <limit>", "Memory limit (e.g. 512m, 1g)").option("--cpu <limit>", "CPU limit as fraction (e.g. 0.5, 2.0)").option("--image <name>", "Override Docker image").option("--pids-limit <n>", "Maximum number of processes").option("--writable", "Disable read-only root filesystem").option("--max-output <bytes>", "Maximum output size in bytes").option("--secret <KEY=VALUE>", "Secret env var (repeatable, values masked)", collect, []).option("--sandbox-size <size>", "Sandbox tmpfs size (e.g. 128m, 512m)").option("--tmp-size <size>", "Tmp tmpfs size (e.g. 256m, 512m)").option("--stdin <data>", "Data to pipe to stdin").option("--install <package>", "Install package for runtime (repeatable)", collect, []).option("--url <url>", "Fetch code from URL").option("--github <path>", "GitHub shorthand: owner/repo/ref/path/to/file").option("--gist <path>", "Gist shorthand: gistId/file.ext").option("--hash <sha256>", "Expected SHA-256 hash of fetched code").option("--allow-insecure-code-url", "Allow insecure HTTP code URLs").option("--host <url>", "Execute on remote server").option("--key <key>", "API key for remote server").option("--no-stream", "Disable real-time output streaming").option("--debug", "Enable debug logging").option("--persist", "Keep container running after execution for inspection").option("--log-network", "Log all network requests (requires --net filtered)").action(async (file, opts) => {
   const {
     code,
     codeUrl,
@@ -62843,6 +62957,11 @@ Isol8 Configuration
   console.log("  ── Cleanup ──");
   console.log(`  Auto-prune:      ${config.cleanup.autoPrune ? "yes" : "no"}`);
   console.log(`  Max idle time:   ${config.cleanup.maxContainerAgeMs}ms (${Math.round(config.cleanup.maxContainerAgeMs / 60000)}min)`);
+  console.log("");
+  console.log("  ── Pool Defaults (Serve) ──");
+  console.log(`  Pool strategy:   ${config.poolStrategy}`);
+  const poolSize = typeof config.poolSize === "number" ? String(config.poolSize) : `${config.poolSize.clean},${config.poolSize.dirty}`;
+  console.log(`  Pool size:       ${poolSize}`);
   const deps = config.dependencies;
   const hasDeps = Object.values(deps).some((pkgs) => pkgs && pkgs.length > 0);
   console.log("");
@@ -62865,7 +62984,7 @@ Isol8 Configuration
   }
   console.log("");
 });
-program2.command("cleanup").description("Remove orphaned isol8 containers").option("--force", "Skip confirmation prompt").action(async (opts) => {
+program2.command("cleanup").description("Remove orphaned isol8 containers (and optionally images)").option("--force", "Skip confirmation prompt").option("--images", "Also remove isol8 Docker images").action(async (opts) => {
   const docker = new import_dockerode2.default;
   logger.debug("[Cleanup] Connecting to Docker daemon");
   const spinner = ora("Checking Docker...").start();
@@ -62881,17 +63000,33 @@ program2.command("cleanup").description("Remove orphaned isol8 containers").opti
   const containers = await docker.listContainers({ all: true });
   const isol8Containers = containers.filter((c) => c.Image.startsWith("isol8:") || c.Image.startsWith("isol8-custom:"));
   logger.debug(`[Cleanup] Found ${containers.length} total containers, ${isol8Containers.length} isol8 containers`);
-  if (isol8Containers.length === 0) {
-    spinner.info("No isol8 containers found");
+  let isol8Images = [];
+  if (opts.images) {
+    spinner.start("Finding isol8 images...");
+    const images = await docker.listImages({ all: true });
+    isol8Images = images.filter((img) => img.RepoTags?.some((tag) => tag.startsWith("isol8:"))).map((img) => ({ id: img.Id, tags: img.RepoTags ?? [] }));
+    logger.debug(`[Cleanup] Found ${images.length} total images, ${isol8Images.length} isol8 images`);
+  }
+  if (isol8Containers.length === 0 && (!opts.images || isol8Images.length === 0)) {
+    spinner.info(opts.images ? "No isol8 containers or images found" : "No isol8 containers found");
     return;
   }
-  spinner.succeed(`Found ${isol8Containers.length} isol8 container(s)`);
+  spinner.succeed(`Found ${isol8Containers.length} isol8 container(s)` + (opts.images ? ` and ${isol8Images.length} image(s)` : ""));
   console.log("");
   for (const c of isol8Containers) {
     const status = c.State === "running" ? "\uD83D\uDFE2 running" : "⚪ stopped";
     const created = new Date(c.Created * 1000).toLocaleString();
     console.log(`  ${status} ${c.Id.slice(0, 12)} | ${c.Image} | created ${created}`);
   }
+  if (opts.images && isol8Images.length > 0) {
+    if (isol8Containers.length > 0) {
+      console.log("");
+    }
+    for (const image of isol8Images) {
+      const tagText = image.tags.length > 0 ? image.tags.join(", ") : "<untagged>";
+      console.log(`  \uD83D\uDDBC️ image ${image.id.slice(0, 12)} | ${tagText}`);
+    }
+  }
   console.log("");
   if (!opts.force) {
     const readline = await import("node:readline");
@@ -62900,7 +63035,8 @@ program2.command("cleanup").description("Remove orphaned isol8 containers").opti
       output: process.stdout
     });
     const answer = await new Promise((resolve3) => {
-      rl.question("Remove all these containers? [y/N] ", resolve3);
+      const targetLabel = opts.images ? "containers and images" : "containers";
+      rl.question(`Remove all these ${targetLabel}? [y/N] `, resolve3);
     });
     rl.close();
     if (answer.toLowerCase() !== "y" && answer.toLowerCase() !== "yes") {
@@ -62908,20 +63044,40 @@ program2.command("cleanup").description("Remove orphaned isol8 containers").opti
       return;
     }
   }
-  spinner.start("Removing containers...");
-  logger.debug("[Cleanup] Removing containers");
-  const result = await DockerIsol8.cleanup(docker);
-  logger.debug(`[Cleanup] Removed: ${result.removed}, failed: ${result.failed}`);
-  if (result.errors.length > 0) {
+  let containerResult = { removed: 0, failed: 0, errors: [] };
+  if (isol8Containers.length > 0) {
+    spinner.start("Removing containers...");
+    logger.debug("[Cleanup] Removing containers");
+    containerResult = await DockerIsol8.cleanup(docker);
+    logger.debug(`[Cleanup] Containers removed: ${containerResult.removed}, failed: ${containerResult.failed}`);
+  }
+  if (containerResult.errors.length > 0) {
     console.log("");
-    for (const err of result.errors) {
+    for (const err of containerResult.errors) {
       console.error(`  Failed to remove ${err}`);
     }
   }
-  if (result.failed === 0) {
-    spinner.succeed(`Removed ${result.removed} container(s)`);
+  if (containerResult.failed === 0) {
+    spinner.succeed(`Removed ${containerResult.removed} container(s)`);
   } else {
-    spinner.warn(`Removed ${result.removed} container(s), ${result.failed} failed`);
+    spinner.warn(`Removed ${containerResult.removed} container(s), ${containerResult.failed} failed`);
+  }
+  if (opts.images && isol8Images.length > 0) {
+    spinner.start("Removing images...");
+    logger.debug("[Cleanup] Removing images");
+    const imageResult = await DockerIsol8.cleanupImages(docker);
+    logger.debug(`[Cleanup] Images removed: ${imageResult.removed}, failed: ${imageResult.failed}`);
+    if (imageResult.errors.length > 0) {
+      console.log("");
+      for (const err of imageResult.errors) {
+        console.error(`  Failed to remove image ${err}`);
+      }
+    }
+    if (imageResult.failed === 0) {
+      spinner.succeed(`Removed ${imageResult.removed} image(s)`);
+    } else {
+      spinner.warn(`Removed ${imageResult.removed} image(s), ${imageResult.failed} failed`);
+    }
   }
 });
 async function resolveRunInput(file, opts) {
@@ -62997,12 +63153,8 @@ async function resolveRunInput(file, opts) {
     debug: opts.debug ?? config.debug,
     persist: opts.persist ?? false,
     ...opts.logNetwork ? { logNetwork: true } : {},
-    remoteCode: config.remoteCode,
-    poolStrategy: opts.poolStrategy === "secure" ? "secure" : "fast",
-    poolSize: opts.poolSize ? opts.poolSize.includes(",") ? {
-      clean: Number.parseInt(opts.poolSize.split(",")[0], 10),
-      dirty: Number.parseInt(opts.poolSize.split(",")[1], 10)
-    } : Number.parseInt(opts.poolSize, 10) : { clean: 1, dirty: 1 }
+    dependencies: config.dependencies,
+    remoteCode: config.remoteCode
   };
   logger.debug(`[Run] Engine options: mode=${engineOptions.mode}, network=${engineOptions.network}`);
   let fileExtension;
@@ -63088,4 +63240,4 @@ if (!process.argv.slice(2).length) {
 }
 program2.parse();
 
-//# debugId=280ED4C71DBDC32964756E2164756E21
+//# debugId=6B3AFECE6CC836BD64756E2164756E21