npm - isol8 - Versions diffs - 0.11.0 → 0.11.2 - Mend

isol8 0.11.0 → 0.11.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/README.md +13 -2
package/dist/cli.js +657 -403
package/dist/index.js +196 -64
package/dist/src/client/remote.d.ts +2 -2
package/dist/src/client/remote.d.ts.map +1 -1
package/dist/src/config.d.ts.map +1 -1
package/dist/src/engine/docker.d.ts +20 -5
package/dist/src/engine/docker.d.ts.map +1 -1
package/dist/src/engine/image-builder.d.ts +14 -0
package/dist/src/engine/image-builder.d.ts.map +1 -1
package/dist/src/engine/pool.d.ts.map +1 -1
package/dist/src/server/index.d.ts.map +1 -1
package/dist/src/types.d.ts +48 -1
package/dist/src/types.d.ts.map +1 -1
package/package.json +3 -1
package/schema/isol8.config.schema.json +31 -0

package/dist/cli.js CHANGED Viewed

@@ -6929,11 +6929,6 @@ var require_utils2 = __commonJS((exports, module) => {
   };
 });
-// node_modules/ssh2/lib/protocol/crypto/build/Release/sshcrypto.node
-var require_sshcrypto = __commonJS((exports, module) => {
-  module.exports = __require("./sshcrypto-0209sx47.node");
-});
 // node_modules/ssh2/lib/protocol/crypto/poly1305.js
 var require_poly1305 = __commonJS((exports, module) => {
   var __dirname = "/home/runner/work/isol8/isol8/node_modules/ssh2/lib/protocol/crypto", __filename = "/home/runner/work/isol8/isol8/node_modules/ssh2/lib/protocol/crypto/poly1305.js";
@@ -7420,7 +7415,7 @@ var require_crypto = __commonJS((exports, module) => {
   var ChaChaPolyDecipher;
   var GenericDecipher;
   try {
-    binding = require_sshcrypto();
+    binding = (()=>{throw new Error("Cannot require module "+"./crypto/build/Release/sshcrypto.node");})();
     ({
       AESGCMCipher,
       ChaChaPolyCipher,
@@ -54795,6 +54790,8 @@ function mergeConfig(defaults, overrides) {
       ...defaults.cleanup,
       ...overrides.cleanup
     },
+    poolStrategy: overrides.poolStrategy ?? defaults.poolStrategy,
+    poolSize: overrides.poolSize ?? defaults.poolSize,
     dependencies: {
       ...defaults.dependencies,
       ...overrides.dependencies
@@ -54837,6 +54834,8 @@ var init_config = __esm(() => {
       autoPrune: true,
       maxContainerAgeMs: 3600000
     },
+    poolStrategy: "fast",
+    poolSize: { clean: 1, dirty: 1 },
     dependencies: {},
     security: {
       seccomp: "strict"
@@ -55413,6 +55412,333 @@ class Semaphore {
   }
 }
+// src/engine/utils.ts
+var exports_utils = {};
+__export(exports_utils, {
+  validatePackageName: () => validatePackageName,
+  truncateOutput: () => truncateOutput,
+  parseMemoryLimit: () => parseMemoryLimit,
+  maskSecrets: () => maskSecrets,
+  extractFromTar: () => extractFromTar,
+  createTarBuffer: () => createTarBuffer
+});
+function parseMemoryLimit(limit) {
+  const match = limit.match(/^(\d+(?:\.\d+)?)\s*([kmgt]?)b?$/i);
+  if (!match) {
+    throw new Error(`Invalid memory limit format: "${limit}". Use e.g. "512m", "1g".`);
+  }
+  const value = Number.parseFloat(match[1]);
+  const unit = (match[2] || "b").toLowerCase();
+  const multipliers = {
+    b: 1,
+    k: 1024,
+    m: 1024 ** 2,
+    g: 1024 ** 3,
+    t: 1024 ** 4
+  };
+  return Math.floor(value * (multipliers[unit] ?? 1));
+}
+function truncateOutput(output, maxBytes) {
+  const encoder = new TextEncoder;
+  const bytes = encoder.encode(output);
+  if (bytes.length <= maxBytes) {
+    return { text: output, truncated: false };
+  }
+  const decoder = new TextDecoder("utf-8", { fatal: false });
+  const truncated = decoder.decode(bytes.slice(0, maxBytes));
+  return {
+    text: `${truncated}
+--- OUTPUT TRUNCATED (${bytes.length} bytes, limit: ${maxBytes}) ---`,
+    truncated: true
+  };
+}
+function maskSecrets(text, secrets) {
+  let result = text;
+  for (const value of Object.values(secrets)) {
+    if (value.length > 0) {
+      result = result.replaceAll(value, "***");
+    }
+  }
+  return result;
+}
+function createTarBuffer(filePath, content) {
+  const data = typeof content === "string" ? Buffer.from(content, "utf-8") : content;
+  const headerSize = 512;
+  const dataBlocks = Math.ceil(data.length / 512);
+  const totalSize = headerSize + dataBlocks * 512 + 1024;
+  const buf = Buffer.alloc(totalSize);
+  buf.write(filePath.replace(/^\//, ""), 0, 100, "utf-8");
+  buf.write("0000644\x00", 100, 8, "utf-8");
+  buf.write("0000000\x00", 108, 8, "utf-8");
+  buf.write("0000000\x00", 116, 8, "utf-8");
+  buf.write(`${data.length.toString(8).padStart(11, "0")}\x00`, 124, 12, "utf-8");
+  buf.write(`${Math.floor(Date.now() / 1000).toString(8).padStart(11, "0")}\x00`, 136, 12, "utf-8");
+  buf.write("0", 156, 1, "utf-8");
+  buf.write("ustar\x00", 257, 6, "utf-8");
+  buf.write("00", 263, 2, "utf-8");
+  buf.write("        ", 148, 8, "utf-8");
+  let checksum = 0;
+  for (let i = 0;i < headerSize; i++) {
+    checksum += buf[i];
+  }
+  buf.write(`${checksum.toString(8).padStart(6, "0")}\x00 `, 148, 8, "utf-8");
+  data.copy(buf, headerSize);
+  return buf;
+}
+function extractFromTar(tarBuffer, targetPath) {
+  const normalizedTarget = targetPath.replace(/^\//, "");
+  const basename = targetPath.split("/").pop() ?? targetPath;
+  let offset = 0;
+  while (offset < tarBuffer.length - 512) {
+    const nameEnd = tarBuffer.indexOf(0, offset);
+    const name = tarBuffer.subarray(offset, Math.min(nameEnd, offset + 100)).toString("utf-8");
+    if (name.length === 0) {
+      break;
+    }
+    const sizeStr = tarBuffer.subarray(offset + 124, offset + 136).toString("utf-8").trim();
+    const size = Number.parseInt(sizeStr, 8);
+    if (Number.isNaN(size)) {
+      break;
+    }
+    const dataStart = offset + 512;
+    const dataBlocks = Math.ceil(size / 512);
+    if (name === normalizedTarget || name.endsWith(`/${normalizedTarget}`) || name === basename) {
+      return Buffer.from(tarBuffer.subarray(dataStart, dataStart + size));
+    }
+    offset = dataStart + dataBlocks * 512;
+  }
+  throw new Error(`File "${targetPath}" not found in tar archive`);
+}
+function validatePackageName(name) {
+  if (!/^[@a-zA-Z0-9_./\-=]+$/.test(name)) {
+    throw new Error(`Invalid package name: "${name}". Only alphanumeric, -, _, ., /, @, and = are allowed.`);
+  }
+  return name;
+}
+// src/engine/image-builder.ts
+import { createHash as createHash2 } from "node:crypto";
+import { existsSync as existsSync3, readFileSync as readFileSync2 } from "node:fs";
+import { join as join3 } from "node:path";
+function resolveDockerDir() {
+  const fromBundled = new URL("./docker", import.meta.url).pathname;
+  if (existsSync3(fromBundled)) {
+    return fromBundled;
+  }
+  return new URL("../../docker", import.meta.url).pathname;
+}
+function computeDockerDirHash() {
+  const hash = createHash2("sha256");
+  const files = [...DOCKER_BUILD_FILES].sort();
+  for (const file of files) {
+    const filePath = join3(DOCKERFILE_DIR, file);
+    if (existsSync3(filePath)) {
+      const content = readFileSync2(filePath);
+      hash.update(file);
+      hash.update(content);
+    }
+  }
+  return hash.digest("hex");
+}
+function computeDepsHash(runtime, packages) {
+  const hash = createHash2("sha256");
+  hash.update(runtime);
+  for (const pkg of [...packages].sort()) {
+    hash.update(pkg);
+  }
+  return hash.digest("hex");
+}
+function normalizePackages(packages) {
+  return [...new Set(packages.map((pkg) => pkg.trim()).filter(Boolean))].sort();
+}
+function getCustomImageTag(runtime, packages) {
+  const normalizedPackages = normalizePackages(packages);
+  const depsHash = computeDepsHash(runtime, normalizedPackages);
+  const shortHash = depsHash.slice(0, 12);
+  return `isol8:${runtime}-custom-${shortHash}`;
+}
+async function getImageLabels(docker, imageName) {
+  try {
+    const image = docker.getImage(imageName);
+    const inspect = await image.inspect();
+    return inspect.Config?.Labels ?? {};
+  } catch {
+    return null;
+  }
+}
+async function removeImage(docker, imageId) {
+  try {
+    const image = docker.getImage(imageId);
+    await image.remove();
+    logger.debug(`[ImageBuilder] Removed old image: ${imageId.slice(0, 12)}`);
+  } catch (err) {
+    logger.debug(`[ImageBuilder] Could not remove image ${imageId.slice(0, 12)}: ${err}`);
+  }
+}
+async function buildBaseImages(docker, onProgress, force = false) {
+  const runtimes = RuntimeRegistry.list();
+  const dockerHash = computeDockerDirHash();
+  logger.debug(`[ImageBuilder] Docker directory hash: ${dockerHash.slice(0, 16)}...`);
+  for (const adapter of runtimes) {
+    const target = adapter.name;
+    const imageName = adapter.image;
+    if (!force) {
+      const labels = await getImageLabels(docker, imageName);
+      if (labels && labels[LABELS.dockerHash] === dockerHash) {
+        logger.debug(`[ImageBuilder] Base image ${target} is up to date, skipping build`);
+        onProgress?.({ runtime: target, status: "done", message: "Up to date" });
+        continue;
+      }
+    }
+    let oldImageId = null;
+    try {
+      const oldImage = await docker.getImage(imageName).inspect();
+      oldImageId = oldImage.Id;
+      logger.debug(`[ImageBuilder] Existing image ${target} ID: ${oldImageId.slice(0, 12)}`);
+    } catch {
+      logger.debug(`[ImageBuilder] No existing image for ${target}`);
+    }
+    onProgress?.({ runtime: target, status: "building" });
+    try {
+      const stream = await docker.buildImage({ context: DOCKERFILE_DIR, src: DOCKER_BUILD_FILES }, {
+        t: imageName,
+        target,
+        dockerfile: "Dockerfile",
+        labels: {
+          [LABELS.dockerHash]: dockerHash
+        }
+      });
+      await new Promise((resolve2, reject) => {
+        docker.modem.followProgress(stream, (err) => {
+          if (err) {
+            reject(err);
+          } else {
+            resolve2();
+          }
+        });
+      });
+      if (oldImageId) {
+        await removeImage(docker, oldImageId);
+      }
+      onProgress?.({ runtime: target, status: "done" });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      onProgress?.({ runtime: target, status: "error", message });
+      throw new Error(`Failed to build image for ${target}: ${message}`);
+    }
+  }
+}
+async function buildCustomImages(docker, config, onProgress, force = false) {
+  const deps = config.dependencies;
+  const python = deps.python ? normalizePackages(deps.python) : [];
+  const node = deps.node ? normalizePackages(deps.node) : [];
+  const bun = deps.bun ? normalizePackages(deps.bun) : [];
+  const deno = deps.deno ? normalizePackages(deps.deno) : [];
+  const bash = deps.bash ? normalizePackages(deps.bash) : [];
+  if (python.length) {
+    await buildCustomImage(docker, "python", python, onProgress, force);
+  }
+  if (node.length) {
+    await buildCustomImage(docker, "node", node, onProgress, force);
+  }
+  if (bun.length) {
+    await buildCustomImage(docker, "bun", bun, onProgress, force);
+  }
+  if (deno.length) {
+    await buildCustomImage(docker, "deno", deno, onProgress, force);
+  }
+  if (bash.length) {
+    await buildCustomImage(docker, "bash", bash, onProgress, force);
+  }
+}
+async function buildCustomImage(docker, runtime, packages, onProgress, force = false) {
+  const normalizedPackages = normalizePackages(packages);
+  const tag = getCustomImageTag(runtime, normalizedPackages);
+  const depsHash = computeDepsHash(runtime, normalizedPackages);
+  logger.debug(`[ImageBuilder] ${runtime} custom deps hash: ${depsHash.slice(0, 16)}...`);
+  if (!force) {
+    const labels = await getImageLabels(docker, tag);
+    if (labels && labels[LABELS.depsHash] === depsHash) {
+      logger.debug(`[ImageBuilder] Custom image ${runtime} is up to date, skipping build`);
+      onProgress?.({ runtime, status: "done", message: "Up to date" });
+      return;
+    }
+  }
+  let oldImageId = null;
+  try {
+    const oldImage = await docker.getImage(tag).inspect();
+    oldImageId = oldImage.Id;
+    logger.debug(`[ImageBuilder] Existing custom image ${runtime} ID: ${oldImageId.slice(0, 12)}`);
+  } catch {
+    logger.debug(`[ImageBuilder] No existing custom image for ${runtime}`);
+  }
+  onProgress?.({
+    runtime,
+    status: "building",
+    message: `Custom: ${normalizedPackages.join(", ")}`
+  });
+  let installCmd;
+  switch (runtime) {
+    case "python":
+      installCmd = `RUN pip install --no-cache-dir ${normalizedPackages.join(" ")}`;
+      break;
+    case "node":
+      installCmd = `RUN npm install -g ${normalizedPackages.join(" ")}`;
+      break;
+    case "bun":
+      installCmd = `RUN bun install -g ${normalizedPackages.join(" ")}`;
+      break;
+    case "deno":
+      installCmd = normalizedPackages.map((p) => `RUN deno cache ${p}`).join(`
+`);
+      break;
+    case "bash":
+      installCmd = `RUN apk add --no-cache ${normalizedPackages.join(" ")}`;
+      break;
+    default:
+      throw new Error(`Unknown runtime: ${runtime}`);
+  }
+  const dockerfileContent = `FROM isol8:${runtime}
+${installCmd}
+`;
+  const { createTarBuffer: createTarBuffer2, validatePackageName: validatePackageName2 } = await Promise.resolve().then(() => exports_utils);
+  const { Readable } = await import("node:stream");
+  normalizedPackages.forEach(validatePackageName2);
+  const tarBuffer = createTarBuffer2("Dockerfile", dockerfileContent);
+  const stream = await docker.buildImage(Readable.from(tarBuffer), {
+    t: tag,
+    dockerfile: "Dockerfile",
+    labels: {
+      [LABELS.depsHash]: depsHash
+    }
+  });
+  await new Promise((resolve2, reject) => {
+    docker.modem.followProgress(stream, (err) => {
+      if (err) {
+        reject(err);
+      } else {
+        resolve2();
+      }
+    });
+  });
+  if (oldImageId) {
+    await removeImage(docker, oldImageId);
+  }
+  onProgress?.({ runtime, status: "done" });
+}
+var DOCKERFILE_DIR, LABELS, DOCKER_BUILD_FILES;
+var init_image_builder = __esm(() => {
+  init_runtime();
+  init_logger();
+  DOCKERFILE_DIR = resolveDockerDir();
+  LABELS = {
+    dockerHash: "org.isol8.build.hash",
+    depsHash: "org.isol8.deps.hash"
+  };
+  DOCKER_BUILD_FILES = ["Dockerfile", "proxy.sh", "proxy-handler.sh"];
+});
 // src/engine/pool.ts
 class ContainerPool {
   docker;
@@ -55603,46 +55929,44 @@ class ContainerPool {
   }
   replenish(image) {
     if (this.replenishing.has(image)) {
-      if (this.replenishing.has(image)) {
-        return;
-      }
-      const pool = this.pools.get(image);
-      const currentSize = pool ? this.poolStrategy === "fast" ? pool.clean.length : pool.clean?.length ?? 0 : 0;
-      const targetSize = this.poolStrategy === "fast" ? this.cleanPoolSize : this.cleanPoolSize;
-      if (currentSize >= targetSize) {
+      return;
+    }
+    const pool = this.pools.get(image);
+    const currentSize = pool ? this.poolStrategy === "fast" ? pool.clean.length : pool.clean?.length ?? 0 : 0;
+    const targetSize = this.cleanPoolSize;
+    if (currentSize >= targetSize) {
+      return;
+    }
+    this.replenishing.add(image);
+    const promise = this.createContainer(image).then((container) => {
+      const p = this.pools.get(image);
+      if (!p) {
+        container.remove({ force: true }).catch(() => {});
         return;
       }
-      this.replenishing.add(image);
-      const promise = this.createContainer(image).then((container) => {
-        const p = this.pools.get(image);
-        if (!p) {
+      if (this.poolStrategy === "fast") {
+        if (p.clean.length < this.cleanPoolSize) {
+          p.clean.push({ container, createdAt: Date.now() });
+        } else {
           container.remove({ force: true }).catch(() => {});
-          return;
         }
-        if (this.poolStrategy === "fast") {
-          if (p.clean.length < this.cleanPoolSize) {
-            p.clean.push({ container, createdAt: Date.now() });
-          } else {
-            container.remove({ force: true }).catch(() => {});
-          }
+      } else {
+        if (!p.clean) {
+          p.clean = [];
+        }
+        if (p.clean.length < this.cleanPoolSize) {
+          p.clean.push({ container, createdAt: Date.now() });
         } else {
-          if (!p.clean) {
-            p.clean = [];
-          }
-          if (p.clean.length < this.cleanPoolSize) {
-            p.clean.push({ container, createdAt: Date.now() });
-          } else {
-            container.remove({ force: true }).catch(() => {});
-          }
+          container.remove({ force: true }).catch(() => {});
         }
-      }).catch((err) => {
-        logger.error(`[Pool] Error during replenishment for ${image}:`, err);
-      }).finally(() => {
-        this.replenishing.delete(image);
-        this.pendingReplenishments.delete(promise);
-      });
-      this.pendingReplenishments.add(promise);
-    }
+      }
+    }).catch((err) => {
+      logger.error(`[Pool] Error during replenishment for ${image}:`, err);
+    }).finally(() => {
+      this.replenishing.delete(image);
+      this.pendingReplenishments.delete(promise);
+    });
+    this.pendingReplenishments.add(promise);
   }
 }
 var init_pool = __esm(() => {
@@ -55694,118 +56018,13 @@ function calculateResourceDelta(before, after) {
   };
 }
-// src/engine/utils.ts
-var exports_utils = {};
-__export(exports_utils, {
-  validatePackageName: () => validatePackageName,
-  truncateOutput: () => truncateOutput,
-  parseMemoryLimit: () => parseMemoryLimit,
-  maskSecrets: () => maskSecrets,
-  extractFromTar: () => extractFromTar,
-  createTarBuffer: () => createTarBuffer
-});
-function parseMemoryLimit(limit) {
-  const match = limit.match(/^(\d+(?:\.\d+)?)\s*([kmgt]?)b?$/i);
-  if (!match) {
-    throw new Error(`Invalid memory limit format: "${limit}". Use e.g. "512m", "1g".`);
-  }
-  const value = Number.parseFloat(match[1]);
-  const unit = (match[2] || "b").toLowerCase();
-  const multipliers = {
-    b: 1,
-    k: 1024,
-    m: 1024 ** 2,
-    g: 1024 ** 3,
-    t: 1024 ** 4
-  };
-  return Math.floor(value * (multipliers[unit] ?? 1));
-}
-function truncateOutput(output, maxBytes) {
-  const encoder = new TextEncoder;
-  const bytes = encoder.encode(output);
-  if (bytes.length <= maxBytes) {
-    return { text: output, truncated: false };
-  }
-  const decoder = new TextDecoder("utf-8", { fatal: false });
-  const truncated = decoder.decode(bytes.slice(0, maxBytes));
-  return {
-    text: `${truncated}
---- OUTPUT TRUNCATED (${bytes.length} bytes, limit: ${maxBytes}) ---`,
-    truncated: true
-  };
-}
-function maskSecrets(text, secrets) {
-  let result = text;
-  for (const value of Object.values(secrets)) {
-    if (value.length > 0) {
-      result = result.replaceAll(value, "***");
-    }
-  }
-  return result;
-}
-function createTarBuffer(filePath, content) {
-  const data = typeof content === "string" ? Buffer.from(content, "utf-8") : content;
-  const headerSize = 512;
-  const dataBlocks = Math.ceil(data.length / 512);
-  const totalSize = headerSize + dataBlocks * 512 + 1024;
-  const buf = Buffer.alloc(totalSize);
-  buf.write(filePath.replace(/^\//, ""), 0, 100, "utf-8");
-  buf.write("0000644\x00", 100, 8, "utf-8");
-  buf.write("0000000\x00", 108, 8, "utf-8");
-  buf.write("0000000\x00", 116, 8, "utf-8");
-  buf.write(`${data.length.toString(8).padStart(11, "0")}\x00`, 124, 12, "utf-8");
-  buf.write(`${Math.floor(Date.now() / 1000).toString(8).padStart(11, "0")}\x00`, 136, 12, "utf-8");
-  buf.write("0", 156, 1, "utf-8");
-  buf.write("ustar\x00", 257, 6, "utf-8");
-  buf.write("00", 263, 2, "utf-8");
-  buf.write("        ", 148, 8, "utf-8");
-  let checksum = 0;
-  for (let i = 0;i < headerSize; i++) {
-    checksum += buf[i];
-  }
-  buf.write(`${checksum.toString(8).padStart(6, "0")}\x00 `, 148, 8, "utf-8");
-  data.copy(buf, headerSize);
-  return buf;
-}
-function extractFromTar(tarBuffer, targetPath) {
-  const normalizedTarget = targetPath.replace(/^\//, "");
-  const basename = targetPath.split("/").pop() ?? targetPath;
-  let offset = 0;
-  while (offset < tarBuffer.length - 512) {
-    const nameEnd = tarBuffer.indexOf(0, offset);
-    const name = tarBuffer.subarray(offset, Math.min(nameEnd, offset + 100)).toString("utf-8");
-    if (name.length === 0) {
-      break;
-    }
-    const sizeStr = tarBuffer.subarray(offset + 124, offset + 136).toString("utf-8").trim();
-    const size = Number.parseInt(sizeStr, 8);
-    if (Number.isNaN(size)) {
-      break;
-    }
-    const dataStart = offset + 512;
-    const dataBlocks = Math.ceil(size / 512);
-    if (name === normalizedTarget || name.endsWith(`/${normalizedTarget}`) || name === basename) {
-      return Buffer.from(tarBuffer.subarray(dataStart, dataStart + size));
-    }
-    offset = dataStart + dataBlocks * 512;
-  }
-  throw new Error(`File "${targetPath}" not found in tar archive`);
-}
-function validatePackageName(name) {
-  if (!/^[@a-zA-Z0-9_./\-=]+$/.test(name)) {
-    throw new Error(`Invalid package name: "${name}". Only alphanumeric, -, _, ., /, @, and = are allowed.`);
-  }
-  return name;
-}
 // src/engine/docker.ts
 var exports_docker = {};
 __export(exports_docker, {
   DockerIsol8: () => DockerIsol8
 });
 import { randomUUID } from "node:crypto";
-import { existsSync as existsSync3, readFileSync as readFileSync2 } from "node:fs";
+import { existsSync as existsSync4, readFileSync as readFileSync3 } from "node:fs";
 import { PassThrough } from "node:stream";
 async function writeFileViaExec(container, filePath, content) {
   const data = typeof content === "string" ? Buffer.from(content, "utf-8") : content;
@@ -56021,6 +56240,7 @@ class DockerIsol8 {
   logNetwork;
   poolStrategy;
   poolSize;
+  dependencies;
   auditLogger;
   remoteCodePolicy;
   container = null;
@@ -56067,6 +56287,7 @@ class DockerIsol8 {
     this.logNetwork = options.logNetwork ?? false;
     this.poolStrategy = options.poolStrategy ?? "fast";
     this.poolSize = options.poolSize ?? { clean: 1, dirty: 1 };
+    this.dependencies = options.dependencies ?? {};
     this.remoteCodePolicy = options.remoteCode ?? {
       enabled: false,
       allowedSchemes: ["https"],
@@ -56085,7 +56306,33 @@ class DockerIsol8 {
       logger.setDebug(true);
     }
   }
-  async start() {}
+  async start(options = {}) {
+    if (this.mode !== "ephemeral") {
+      return;
+    }
+    const prewarm = options.prewarm;
+    if (!prewarm) {
+      return;
+    }
+    const pool = this.ensurePool();
+    const images = new Set;
+    const adapters2 = typeof prewarm === "object" && prewarm.runtimes?.length ? prewarm.runtimes.map((runtime) => RuntimeRegistry.get(runtime)) : RuntimeRegistry.list();
+    for (const adapter of adapters2) {
+      try {
+        images.add(await this.resolveImage(adapter));
+      } catch (err) {
+        logger.debug(`[Pool] Pre-warm image resolution failed for ${adapter.name}: ${err}`);
+      }
+    }
+    await Promise.all([...images].map(async (image) => {
+      try {
+        await pool.warm(image);
+        logger.debug(`[Pool] Pre-warmed image: ${image}`);
+      } catch (err) {
+        logger.debug(`[Pool] Pre-warm failed for ${image}: ${err}`);
+      }
+    }));
+  }
   async stop() {
     if (this.container) {
       try {
@@ -56334,21 +56581,29 @@ class DockerIsol8 {
     if (cached) {
       return cached;
     }
-    const customTag = `${adapter.image}-custom`;
-    let resolvedImage;
-    try {
-      await this.docker.getImage(customTag).inspect();
-      resolvedImage = customTag;
-    } catch {
-      resolvedImage = adapter.image;
+    let resolvedImage = adapter.image;
+    const configuredDeps = this.dependencies[adapter.name];
+    const normalizedDeps = configuredDeps ? normalizePackages(configuredDeps) : [];
+    if (normalizedDeps.length > 0) {
+      const hashedCustomTag = getCustomImageTag(adapter.name, normalizedDeps);
+      try {
+        await this.docker.getImage(hashedCustomTag).inspect();
+        resolvedImage = hashedCustomTag;
+      } catch {
+        logger.debug(`[ImageBuilder] Hashed custom image not found for ${adapter.name}: ${hashedCustomTag}`);
+      }
+    }
+    if (resolvedImage === adapter.image) {
+      const legacyCustomTag = `${adapter.image}-custom`;
+      try {
+        await this.docker.getImage(legacyCustomTag).inspect();
+        resolvedImage = legacyCustomTag;
+      } catch {}
     }
     this.imageCache.set(cacheKey, resolvedImage);
     return resolvedImage;
   }
-  async executeEphemeral(req, startTime) {
-    const adapter = this.getAdapter(req.runtime);
-    const timeoutMs = req.timeoutMs ?? this.defaultTimeoutMs;
-    const image = await this.resolveImage(adapter);
+  ensurePool() {
     if (!this.pool) {
       this.pool = new ContainerPool({
         docker: this.docker,
@@ -56366,7 +56621,14 @@ class DockerIsol8 {
         }
       });
     }
-    const container = await this.pool.acquire(image);
+    return this.pool;
+  }
+  async executeEphemeral(req, startTime) {
+    const adapter = this.getAdapter(req.runtime);
+    const timeoutMs = req.timeoutMs ?? this.defaultTimeoutMs;
+    const image = await this.resolveImage(adapter);
+    const pool = this.ensurePool();
+    const container = await pool.acquire(image);
     let startStats;
     if (this.auditLogger) {
       try {
@@ -56380,13 +56642,26 @@ class DockerIsol8 {
         await startProxy(container, this.networkFilter);
         await setupIptables(container);
       }
-      const ext = req.fileExtension ?? adapter.getFileExtension();
-      const filePath = `${SANDBOX_WORKDIR}/main${ext}`;
-      await writeFileViaExec(container, filePath, req.code);
+      const canUseInline = !(req.stdin || req.files || req.outputPaths) && (!req.installPackages || req.installPackages.length === 0);
+      let rawCmd;
+      if (canUseInline) {
+        try {
+          rawCmd = adapter.getCommand(req.code);
+        } catch {
+          const ext = req.fileExtension ?? adapter.getFileExtension();
+          const filePath = `${SANDBOX_WORKDIR}/main${ext}`;
+          await writeFileViaExec(container, filePath, req.code);
+          rawCmd = adapter.getCommand(req.code, filePath);
+        }
+      } else {
+        const ext = req.fileExtension ?? adapter.getFileExtension();
+        const filePath = `${SANDBOX_WORKDIR}/main${ext}`;
+        await writeFileViaExec(container, filePath, req.code);
+        rawCmd = adapter.getCommand(req.code, filePath);
+      }
       if (req.installPackages?.length) {
         await installPackages(container, req.runtime, req.installPackages);
       }
-      const rawCmd = adapter.getCommand(req.code, filePath);
       const timeoutSec = Math.ceil(timeoutMs / 1000);
       let cmd;
       if (req.stdin) {
@@ -56457,7 +56732,7 @@ class DockerIsol8 {
       if (this.persist) {
         logger.debug(`[Persist] Leaving container running for inspection: ${container.id}`);
       } else {
-        this.pool.release(container, image).catch((err) => {
+        pool.release(container, image).catch((err) => {
           logger.debug(`[Pool] release failed: ${err}`);
           container.remove({ force: true }).catch(() => {});
         });
@@ -56633,7 +56908,7 @@ class DockerIsol8 {
     }
     if (this.security.seccomp === "custom" && this.security.customProfilePath) {
       try {
-        const profile = readFileSync2(this.security.customProfilePath, "utf-8");
+        const profile = readFileSync3(this.security.customProfilePath, "utf-8");
         opts.push(`seccomp=${profile}`);
       } catch (e) {
         logger.error(`Failed to load custom seccomp profile: ${e}`);
@@ -56652,12 +56927,12 @@ class DockerIsol8 {
   }
   loadDefaultSeccompProfile() {
     const devPath = new URL("../../docker/seccomp-profile.json", import.meta.url);
-    if (existsSync3(devPath)) {
-      return readFileSync2(devPath, "utf-8");
+    if (existsSync4(devPath)) {
+      return readFileSync3(devPath, "utf-8");
     }
     const prodPath = new URL("./docker/seccomp-profile.json", import.meta.url);
-    if (existsSync3(prodPath)) {
-      return readFileSync2(prodPath, "utf-8");
+    if (existsSync4(prodPath)) {
+      return readFileSync3(prodPath, "utf-8");
     }
     logger.warn("Could not locate default seccomp profile. Running without seccomp filter.");
     return null;
@@ -56840,7 +57115,7 @@ class DockerIsol8 {
   static async cleanup(docker) {
     const dockerInstance = docker ?? new import_dockerode.default;
     const containers = await dockerInstance.listContainers({ all: true });
-    const isol8Containers = containers.filter((c) => c.Image.startsWith("isol8:") || c.Image.startsWith("isol8-custom:"));
+    const isol8Containers = containers.filter((c) => c.Image.startsWith("isol8:"));
     let removed = 0;
     let failed = 0;
     const errors = [];
@@ -56857,6 +57132,27 @@ class DockerIsol8 {
     }
     return { removed, failed, errors };
   }
+  static async cleanupImages(docker) {
+    const dockerInstance = docker ?? new import_dockerode.default;
+    const images = await dockerInstance.listImages({ all: true });
+    const isol8Images = images.filter((img) => img.RepoTags?.some((tag) => tag.startsWith("isol8:")));
+    let removed = 0;
+    let failed = 0;
+    const errors = [];
+    for (const imageInfo of isol8Images) {
+      try {
+        const image = dockerInstance.getImage(imageInfo.Id);
+        await image.remove({ force: true });
+        removed++;
+      } catch (err) {
+        failed++;
+        const errorMsg = err instanceof Error ? err.message : String(err);
+        const imageRef = imageInfo.RepoTags?.[0] ?? imageInfo.Id.slice(0, 12);
+        errors.push(`${imageRef}: ${errorMsg}`);
+      }
+    }
+    return { removed, failed, errors };
+  }
 }
 var import_dockerode, SANDBOX_WORKDIR = "/sandbox", MAX_OUTPUT_BYTES, PROXY_PORT = 8118, PROXY_STARTUP_TIMEOUT_MS = 5000, PROXY_POLL_INTERVAL_MS = 100;
 var init_docker = __esm(() => {
@@ -56864,6 +57160,7 @@ var init_docker = __esm(() => {
   init_logger();
   init_audit();
   init_code_fetcher();
+  init_image_builder();
   init_pool();
   import_dockerode = __toESM(require_docker(), 1);
   MAX_OUTPUT_BYTES = 1024 * 1024;
@@ -56874,7 +57171,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "isol8",
-    version: "0.10.3",
+    version: "0.11.1",
     description: "Secure code execution engine for AI agents",
     author: "Illusion47586",
     license: "MIT",
@@ -56919,6 +57216,8 @@ var init_package = __esm(() => {
       "lint:check": "ultracite check",
       "lint:fix": "ultracite fix",
       bench: "bunx tsx benchmarks/spawn.ts",
+      "bench:tti": "bunx tsx benchmarks/tti.ts",
+      "bench:tti:pool": "bunx tsx benchmarks/tti.ts --warm-pool --iterations 5",
       "bench:pool": "bunx tsx benchmarks/spawn-pool.ts",
       "bench:detailed": "bunx tsx benchmarks/spawn-detailed.ts",
       "bench:cli": "bun run tests/production/bench-cli.ts",
@@ -58626,6 +58925,11 @@ async function createServer(options) {
     const body = await c.req.json();
     logger.debug(`[Server] POST /execute runtime=${body.request.runtime} sessionId=${body.sessionId ?? "ephemeral"}`);
     logger.debug(`[Server] Code source: ${body.request.codeUrl ? `url=${body.request.codeUrl}` : `inline (${body.request.code?.length ?? 0} chars)`}`);
+    const {
+      poolStrategy: _ignoredPoolStrategy,
+      poolSize: _ignoredPoolSize,
+      ...requestOptions
+    } = body.options ?? {};
     const engineOptions = {
       network: config.defaults.network,
       memoryLimit: config.defaults.memoryLimit,
@@ -58633,8 +58937,11 @@ async function createServer(options) {
       timeoutMs: config.defaults.timeoutMs,
       sandboxSize: config.defaults.sandboxSize,
       tmpSize: config.defaults.tmpSize,
+      poolStrategy: config.poolStrategy,
+      poolSize: config.poolSize,
+      dependencies: config.dependencies,
       remoteCode: config.remoteCode,
-      ...body.options,
+      ...requestOptions,
       mode: body.sessionId ? "persistent" : "ephemeral",
       audit: config.audit
     };
@@ -58688,6 +58995,11 @@ async function createServer(options) {
     const body = await c.req.json();
     logger.debug(`[Server] POST /execute/stream runtime=${body.request.runtime}`);
     logger.debug(`[Server] Code source: ${body.request.codeUrl ? `url=${body.request.codeUrl}` : `inline (${body.request.code?.length ?? 0} chars)`}`);
+    const {
+      poolStrategy: _ignoredPoolStrategy,
+      poolSize: _ignoredPoolSize,
+      ...requestOptions
+    } = body.options ?? {};
     const engineOptions = {
       network: config.defaults.network,
       memoryLimit: config.defaults.memoryLimit,
@@ -58695,8 +59007,11 @@ async function createServer(options) {
       timeoutMs: config.defaults.timeoutMs,
       sandboxSize: config.defaults.sandboxSize,
       tmpSize: config.defaults.tmpSize,
+      poolStrategy: config.poolStrategy,
+      poolSize: config.poolSize,
+      dependencies: config.dependencies,
       remoteCode: config.remoteCode,
-      ...body.options,
+      ...requestOptions,
       mode: "ephemeral"
     };
     const engine = new DockerIsol82(engineOptions, config.maxConcurrent);
@@ -62099,7 +62414,7 @@ class RemoteIsol8 {
     this.sessionId = options.sessionId;
     this.isol8Options = isol8Options;
   }
-  async start() {
+  async start(_options) {
     const res = await this.fetch("/health");
     if (!res.ok) {
       throw new Error(`Remote server health check failed: ${res.status}`);
@@ -62217,208 +62532,7 @@ class RemoteIsol8 {
 // src/cli.ts
 init_config();
 init_docker();
-// src/engine/image-builder.ts
-init_runtime();
-init_logger();
-import { createHash as createHash2 } from "node:crypto";
-import { existsSync as existsSync4, readFileSync as readFileSync3 } from "node:fs";
-import { join as join3 } from "node:path";
-function resolveDockerDir() {
-  const fromBundled = new URL("./docker", import.meta.url).pathname;
-  if (existsSync4(fromBundled)) {
-    return fromBundled;
-  }
-  return new URL("../../docker", import.meta.url).pathname;
-}
-var DOCKERFILE_DIR = resolveDockerDir();
-var LABELS = {
-  dockerHash: "org.isol8.build.hash",
-  depsHash: "org.isol8.deps.hash"
-};
-var DOCKER_BUILD_FILES = ["Dockerfile", "proxy.sh", "proxy-handler.sh"];
-function computeDockerDirHash() {
-  const hash = createHash2("sha256");
-  const files = [...DOCKER_BUILD_FILES].sort();
-  for (const file of files) {
-    const filePath = join3(DOCKERFILE_DIR, file);
-    if (existsSync4(filePath)) {
-      const content = readFileSync3(filePath);
-      hash.update(file);
-      hash.update(content);
-    }
-  }
-  return hash.digest("hex");
-}
-function computeDepsHash(runtime, packages) {
-  const hash = createHash2("sha256");
-  hash.update(runtime);
-  for (const pkg of [...packages].sort()) {
-    hash.update(pkg);
-  }
-  return hash.digest("hex");
-}
-async function getImageLabels(docker, imageName) {
-  try {
-    const image = docker.getImage(imageName);
-    const inspect = await image.inspect();
-    return inspect.Config?.Labels ?? {};
-  } catch {
-    return null;
-  }
-}
-async function removeImage(docker, imageId) {
-  try {
-    const image = docker.getImage(imageId);
-    await image.remove();
-    logger.debug(`[ImageBuilder] Removed old image: ${imageId.slice(0, 12)}`);
-  } catch (err) {
-    logger.debug(`[ImageBuilder] Could not remove image ${imageId.slice(0, 12)}: ${err}`);
-  }
-}
-async function buildBaseImages(docker, onProgress, force = false) {
-  const runtimes = RuntimeRegistry.list();
-  const dockerHash = computeDockerDirHash();
-  logger.debug(`[ImageBuilder] Docker directory hash: ${dockerHash.slice(0, 16)}...`);
-  for (const adapter of runtimes) {
-    const target = adapter.name;
-    const imageName = adapter.image;
-    if (!force) {
-      const labels = await getImageLabels(docker, imageName);
-      if (labels && labels[LABELS.dockerHash] === dockerHash) {
-        logger.debug(`[ImageBuilder] Base image ${target} is up to date, skipping build`);
-        onProgress?.({ runtime: target, status: "done", message: "Up to date" });
-        continue;
-      }
-    }
-    let oldImageId = null;
-    try {
-      const oldImage = await docker.getImage(imageName).inspect();
-      oldImageId = oldImage.Id;
-      logger.debug(`[ImageBuilder] Existing image ${target} ID: ${oldImageId.slice(0, 12)}`);
-    } catch {
-      logger.debug(`[ImageBuilder] No existing image for ${target}`);
-    }
-    onProgress?.({ runtime: target, status: "building" });
-    try {
-      const stream = await docker.buildImage({ context: DOCKERFILE_DIR, src: DOCKER_BUILD_FILES }, {
-        t: imageName,
-        target,
-        dockerfile: "Dockerfile",
-        labels: {
-          [LABELS.dockerHash]: dockerHash
-        }
-      });
-      await new Promise((resolve2, reject) => {
-        docker.modem.followProgress(stream, (err) => {
-          if (err) {
-            reject(err);
-          } else {
-            resolve2();
-          }
-        });
-      });
-      if (oldImageId) {
-        await removeImage(docker, oldImageId);
-      }
-      onProgress?.({ runtime: target, status: "done" });
-    } catch (err) {
-      const message = err instanceof Error ? err.message : String(err);
-      onProgress?.({ runtime: target, status: "error", message });
-      throw new Error(`Failed to build image for ${target}: ${message}`);
-    }
-  }
-}
-async function buildCustomImages(docker, config, onProgress, force = false) {
-  const deps = config.dependencies;
-  if (deps.python?.length) {
-    await buildCustomImage(docker, "python", deps.python, onProgress, force);
-  }
-  if (deps.node?.length) {
-    await buildCustomImage(docker, "node", deps.node, onProgress, force);
-  }
-  if (deps.bun?.length) {
-    await buildCustomImage(docker, "bun", deps.bun, onProgress, force);
-  }
-  if (deps.deno?.length) {
-    await buildCustomImage(docker, "deno", deps.deno, onProgress, force);
-  }
-  if (deps.bash?.length) {
-    await buildCustomImage(docker, "bash", deps.bash, onProgress, force);
-  }
-}
-async function buildCustomImage(docker, runtime, packages, onProgress, force = false) {
-  const tag = `isol8:${runtime}-custom`;
-  const depsHash = computeDepsHash(runtime, packages);
-  logger.debug(`[ImageBuilder] ${runtime} custom deps hash: ${depsHash.slice(0, 16)}...`);
-  if (!force) {
-    const labels = await getImageLabels(docker, tag);
-    if (labels && labels[LABELS.depsHash] === depsHash) {
-      logger.debug(`[ImageBuilder] Custom image ${runtime} is up to date, skipping build`);
-      onProgress?.({ runtime, status: "done", message: "Up to date" });
-      return;
-    }
-  }
-  let oldImageId = null;
-  try {
-    const oldImage = await docker.getImage(tag).inspect();
-    oldImageId = oldImage.Id;
-    logger.debug(`[ImageBuilder] Existing custom image ${runtime} ID: ${oldImageId.slice(0, 12)}`);
-  } catch {
-    logger.debug(`[ImageBuilder] No existing custom image for ${runtime}`);
-  }
-  onProgress?.({ runtime, status: "building", message: `Custom: ${packages.join(", ")}` });
-  let installCmd;
-  switch (runtime) {
-    case "python":
-      installCmd = `RUN pip install --no-cache-dir ${packages.join(" ")}`;
-      break;
-    case "node":
-      installCmd = `RUN npm install -g ${packages.join(" ")}`;
-      break;
-    case "bun":
-      installCmd = `RUN bun install -g ${packages.join(" ")}`;
-      break;
-    case "deno":
-      installCmd = packages.map((p) => `RUN deno cache ${p}`).join(`
-`);
-      break;
-    case "bash":
-      installCmd = `RUN apk add --no-cache ${packages.join(" ")}`;
-      break;
-    default:
-      throw new Error(`Unknown runtime: ${runtime}`);
-  }
-  const dockerfileContent = `FROM isol8:${runtime}
-${installCmd}
-`;
-  const { createTarBuffer: createTarBuffer2, validatePackageName: validatePackageName2 } = await Promise.resolve().then(() => exports_utils);
-  const { Readable } = await import("node:stream");
-  packages.forEach(validatePackageName2);
-  const tarBuffer = createTarBuffer2("Dockerfile", dockerfileContent);
-  const stream = await docker.buildImage(Readable.from(tarBuffer), {
-    t: tag,
-    dockerfile: "Dockerfile",
-    labels: {
-      [LABELS.depsHash]: depsHash
-    }
-  });
-  await new Promise((resolve2, reject) => {
-    docker.modem.followProgress(stream, (err) => {
-      if (err) {
-        reject(err);
-      } else {
-        resolve2();
-      }
-    });
-  });
-  if (oldImageId) {
-    await removeImage(docker, oldImageId);
-  }
-  onProgress?.({ runtime, status: "done" });
-}
-// src/cli.ts
+init_image_builder();
 init_runtime();
 init_logger();
 init_version();
@@ -62519,7 +62633,7 @@ program2.command("setup").description("Check Docker and build isol8 images").opt
   console.log(`
 [DONE] Setup complete!`);
 });
-program2.command("run").description("Execute code in isol8").argument("[file]", "Script file to execute").option("-e, --eval <code>", "Execute inline code string").option("-r, --runtime <name>", "Force runtime (python, node, bun, deno, bash)").option("--net <mode>", "Network mode: none, host, filtered", "none").option("--allow <regex>", "Whitelist regex for filtered mode (repeatable)", collect, []).option("--deny <regex>", "Blacklist regex for filtered mode (repeatable)", collect, []).option("--out <file>", "Write output to file").option("--persistent", "Use persistent container").option("--timeout <ms>", "Execution timeout in milliseconds").option("--memory <limit>", "Memory limit (e.g. 512m, 1g)").option("--cpu <limit>", "CPU limit as fraction (e.g. 0.5, 2.0)").option("--image <name>", "Override Docker image").option("--pids-limit <n>", "Maximum number of processes").option("--writable", "Disable read-only root filesystem").option("--max-output <bytes>", "Maximum output size in bytes").option("--secret <KEY=VALUE>", "Secret env var (repeatable, values masked)", collect, []).option("--sandbox-size <size>", "Sandbox tmpfs size (e.g. 128m, 512m)").option("--tmp-size <size>", "Tmp tmpfs size (e.g. 256m, 512m)").option("--stdin <data>", "Data to pipe to stdin").option("--install <package>", "Install package for runtime (repeatable)", collect, []).option("--url <url>", "Fetch code from URL").option("--github <path>", "GitHub shorthand: owner/repo/ref/path/to/file").option("--gist <path>", "Gist shorthand: gistId/file.ext").option("--hash <sha256>", "Expected SHA-256 hash of fetched code").option("--allow-insecure-code-url", "Allow insecure HTTP code URLs").option("--host <url>", "Execute on remote server").option("--key <key>", "API key for remote server").option("--no-stream", "Disable real-time output streaming").option("--debug", "Enable debug logging").option("--persist", "Keep container running after execution for inspection").option("--log-network", "Log all network requests (requires --net filtered)").option("--pool-strategy <mode>", "Pool strategy: fast (default) or secure", "fast").option("--pool-size <size>", "Pool size (number or 'clean,dirty' for fast mode)", "1,1").action(async (file, opts) => {
+program2.command("run").description("Execute code in isol8").argument("[file]", "Script file to execute").option("-e, --eval <code>", "Execute inline code string").option("-r, --runtime <name>", "Force runtime (python, node, bun, deno, bash)").option("--net <mode>", "Network mode: none, host, filtered", "none").option("--allow <regex>", "Whitelist regex for filtered mode (repeatable)", collect, []).option("--deny <regex>", "Blacklist regex for filtered mode (repeatable)", collect, []).option("--out <file>", "Write output to file").option("--persistent", "Use persistent container").option("--timeout <ms>", "Execution timeout in milliseconds").option("--memory <limit>", "Memory limit (e.g. 512m, 1g)").option("--cpu <limit>", "CPU limit as fraction (e.g. 0.5, 2.0)").option("--image <name>", "Override Docker image").option("--pids-limit <n>", "Maximum number of processes").option("--writable", "Disable read-only root filesystem").option("--max-output <bytes>", "Maximum output size in bytes").option("--secret <KEY=VALUE>", "Secret env var (repeatable, values masked)", collect, []).option("--sandbox-size <size>", "Sandbox tmpfs size (e.g. 128m, 512m)").option("--tmp-size <size>", "Tmp tmpfs size (e.g. 256m, 512m)").option("--stdin <data>", "Data to pipe to stdin").option("--install <package>", "Install package for runtime (repeatable)", collect, []).option("--url <url>", "Fetch code from URL").option("--github <path>", "GitHub shorthand: owner/repo/ref/path/to/file").option("--gist <path>", "Gist shorthand: gistId/file.ext").option("--hash <sha256>", "Expected SHA-256 hash of fetched code").option("--allow-insecure-code-url", "Allow insecure HTTP code URLs").option("--host <url>", "Execute on remote server").option("--key <key>", "API key for remote server").option("--no-stream", "Disable real-time output streaming").option("--debug", "Enable debug logging").option("--persist", "Keep container running after execution for inspection").option("--log-network", "Log all network requests (requires --net filtered)").action(async (file, opts) => {
   const {
     code,
     codeUrl,
@@ -62633,14 +62747,16 @@ program2.command("run").description("Execute code in isol8").argument("[file]",
     process.exit(exitCode);
   }
 });
-program2.command("serve").description("Start the isol8 remote server").option("-p, --port <port>", "Port to listen on", "3000").option("-k, --key <key>", "API key for authentication").option("--update", "Force re-download the server binary").option("--debug", "Enable debug logging").action(async (opts) => {
+program2.command("serve").description("Start the isol8 remote server").option("-p, --port <port>", "Port to listen on").option("-k, --key <key>", "API key for authentication").option("--update", "Force re-download the server binary").option("--debug", "Enable debug logging").action(async (opts) => {
   const apiKey = opts.key ?? process.env.ISOL8_API_KEY;
   if (!apiKey) {
     console.error("[ERR] API key required. Use --key or ISOL8_API_KEY env var.");
     process.exit(1);
   }
-  const port = Number.parseInt(opts.port, 10);
-  logger.debug(`[Serve] Port: ${port}`);
+  const requestedPort = resolveServePort(opts.port);
+  const port = await resolveAvailableServePort(requestedPort);
+  logger.debug(`[Serve] Requested port: ${requestedPort}`);
+  logger.debug(`[Serve] Using port: ${port}`);
   logger.debug(`[Serve] API key: ${"*".repeat(apiKey.length)}`);
   if (typeof globalThis.Bun !== "undefined") {
     logger.debug("[Serve] Running under Bun, starting server in-process");
@@ -62747,6 +62863,11 @@ async function downloadServerBinary(binaryPath) {
   }
 }
 async function promptYesNo(question) {
+  const answer = await promptText(question);
+  const normalized = answer.trim().toLowerCase();
+  return normalized === "" || normalized === "y" || normalized === "yes";
+}
+async function promptText(question) {
   const readline = await import("node:readline");
   const rl = readline.createInterface({
     input: process.stdin,
@@ -62756,8 +62877,103 @@ async function promptYesNo(question) {
     rl.question(question, resolve3);
   });
   rl.close();
-  const normalized = answer.trim().toLowerCase();
-  return normalized === "" || normalized === "y" || normalized === "yes";
+  return answer;
+}
+function parsePort(raw2, source) {
+  const parsed = Number(raw2);
+  if (!Number.isInteger(parsed) || parsed < 1 || parsed > 65535) {
+    console.error(`[ERR] Invalid port from ${source}: ${raw2}. Expected 1-65535.`);
+    process.exit(1);
+  }
+  return parsed;
+}
+function resolveServePort(portFlag) {
+  if (typeof portFlag === "string") {
+    return parsePort(portFlag, "--port");
+  }
+  if (process.env.ISOL8_PORT) {
+    return parsePort(process.env.ISOL8_PORT, "ISOL8_PORT");
+  }
+  if (process.env.PORT) {
+    return parsePort(process.env.PORT, "PORT");
+  }
+  return 3000;
+}
+async function isPortAvailable(port) {
+  const { createServer: createServer2 } = await import("node:net");
+  return await new Promise((resolve3) => {
+    const server = createServer2();
+    server.once("error", () => {
+      resolve3(false);
+    });
+    server.once("listening", () => {
+      server.close(() => resolve3(true));
+    });
+    server.listen(port);
+  });
+}
+async function findAvailablePort() {
+  const { createServer: createServer2 } = await import("node:net");
+  return await new Promise((resolve3, reject) => {
+    const server = createServer2();
+    server.once("error", reject);
+    server.once("listening", () => {
+      const address = server.address();
+      if (!address || typeof address === "string") {
+        server.close(() => reject(new Error("Failed to determine available port")));
+        return;
+      }
+      server.close((closeErr) => {
+        if (closeErr) {
+          reject(closeErr);
+          return;
+        }
+        resolve3(address.port);
+      });
+    });
+    server.listen(0);
+  });
+}
+async function resolveAvailableServePort(port) {
+  if (await isPortAvailable(port)) {
+    return port;
+  }
+  if (!(process.stdin.isTTY && process.stdout.isTTY)) {
+    const autoPort = await findAvailablePort();
+    console.warn(`[WARN] Port ${port} is in use. Falling back to available port ${autoPort}.`);
+    return autoPort;
+  }
+  let candidate = port;
+  while (true) {
+    console.warn(`[WARN] Port ${candidate} is already in use.`);
+    const choice = (await promptText("Choose: [1] Enter another port  [2] Find an available port  [3] Exit (default: 2): ")).trim().toLowerCase();
+    if (choice === "" || choice === "2") {
+      const autoPort = await findAvailablePort();
+      console.log(`[INFO] Using available port ${autoPort}`);
+      return autoPort;
+    }
+    if (choice === "1") {
+      const rawPort = (await promptText("Enter port (1-65535): ")).trim();
+      if (!rawPort) {
+        continue;
+      }
+      const parsed = Number(rawPort);
+      if (!Number.isInteger(parsed) || parsed < 1 || parsed > 65535) {
+        console.error(`[ERR] Invalid port: ${rawPort}. Expected 1-65535.`);
+        continue;
+      }
+      candidate = parsed;
+      if (await isPortAvailable(candidate)) {
+        return candidate;
+      }
+      continue;
+    }
+    if (choice === "3") {
+      console.error("[ERR] Server startup cancelled.");
+      process.exit(1);
+    }
+    console.error("[ERR] Invalid selection. Enter 1, 2, or 3.");
+  }
 }
 async function ensureServerBinary(forceUpdate) {
   const binDir = join4(homedir2(), ".isol8", "bin");
@@ -62843,6 +63059,11 @@ Isol8 Configuration
   console.log("  ── Cleanup ──");
   console.log(`  Auto-prune:      ${config.cleanup.autoPrune ? "yes" : "no"}`);
   console.log(`  Max idle time:   ${config.cleanup.maxContainerAgeMs}ms (${Math.round(config.cleanup.maxContainerAgeMs / 60000)}min)`);
+  console.log("");
+  console.log("  ── Pool Defaults (Serve) ──");
+  console.log(`  Pool strategy:   ${config.poolStrategy}`);
+  const poolSize = typeof config.poolSize === "number" ? String(config.poolSize) : `${config.poolSize.clean},${config.poolSize.dirty}`;
+  console.log(`  Pool size:       ${poolSize}`);
   const deps = config.dependencies;
   const hasDeps = Object.values(deps).some((pkgs) => pkgs && pkgs.length > 0);
   console.log("");
@@ -62865,7 +63086,7 @@ Isol8 Configuration
   }
   console.log("");
 });
-program2.command("cleanup").description("Remove orphaned isol8 containers").option("--force", "Skip confirmation prompt").action(async (opts) => {
+program2.command("cleanup").description("Remove orphaned isol8 containers (and optionally images)").option("--force", "Skip confirmation prompt").option("--images", "Also remove isol8 Docker images").action(async (opts) => {
   const docker = new import_dockerode2.default;
   logger.debug("[Cleanup] Connecting to Docker daemon");
   const spinner = ora("Checking Docker...").start();
@@ -62881,17 +63102,33 @@ program2.command("cleanup").description("Remove orphaned isol8 containers").opti
   const containers = await docker.listContainers({ all: true });
   const isol8Containers = containers.filter((c) => c.Image.startsWith("isol8:") || c.Image.startsWith("isol8-custom:"));
   logger.debug(`[Cleanup] Found ${containers.length} total containers, ${isol8Containers.length} isol8 containers`);
-  if (isol8Containers.length === 0) {
-    spinner.info("No isol8 containers found");
+  let isol8Images = [];
+  if (opts.images) {
+    spinner.start("Finding isol8 images...");
+    const images = await docker.listImages({ all: true });
+    isol8Images = images.filter((img) => img.RepoTags?.some((tag) => tag.startsWith("isol8:"))).map((img) => ({ id: img.Id, tags: img.RepoTags ?? [] }));
+    logger.debug(`[Cleanup] Found ${images.length} total images, ${isol8Images.length} isol8 images`);
+  }
+  if (isol8Containers.length === 0 && (!opts.images || isol8Images.length === 0)) {
+    spinner.info(opts.images ? "No isol8 containers or images found" : "No isol8 containers found");
     return;
   }
-  spinner.succeed(`Found ${isol8Containers.length} isol8 container(s)`);
+  spinner.succeed(`Found ${isol8Containers.length} isol8 container(s)` + (opts.images ? ` and ${isol8Images.length} image(s)` : ""));
   console.log("");
   for (const c of isol8Containers) {
     const status = c.State === "running" ? "\uD83D\uDFE2 running" : "⚪ stopped";
     const created = new Date(c.Created * 1000).toLocaleString();
     console.log(`  ${status} ${c.Id.slice(0, 12)} | ${c.Image} | created ${created}`);
   }
+  if (opts.images && isol8Images.length > 0) {
+    if (isol8Containers.length > 0) {
+      console.log("");
+    }
+    for (const image of isol8Images) {
+      const tagText = image.tags.length > 0 ? image.tags.join(", ") : "<untagged>";
+      console.log(`  \uD83D\uDDBC️ image ${image.id.slice(0, 12)} | ${tagText}`);
+    }
+  }
   console.log("");
   if (!opts.force) {
     const readline = await import("node:readline");
@@ -62900,7 +63137,8 @@ program2.command("cleanup").description("Remove orphaned isol8 containers").opti
       output: process.stdout
     });
     const answer = await new Promise((resolve3) => {
-      rl.question("Remove all these containers? [y/N] ", resolve3);
+      const targetLabel = opts.images ? "containers and images" : "containers";
+      rl.question(`Remove all these ${targetLabel}? [y/N] `, resolve3);
     });
     rl.close();
     if (answer.toLowerCase() !== "y" && answer.toLowerCase() !== "yes") {
@@ -62908,20 +63146,40 @@ program2.command("cleanup").description("Remove orphaned isol8 containers").opti
       return;
     }
   }
-  spinner.start("Removing containers...");
-  logger.debug("[Cleanup] Removing containers");
-  const result = await DockerIsol8.cleanup(docker);
-  logger.debug(`[Cleanup] Removed: ${result.removed}, failed: ${result.failed}`);
-  if (result.errors.length > 0) {
+  let containerResult = { removed: 0, failed: 0, errors: [] };
+  if (isol8Containers.length > 0) {
+    spinner.start("Removing containers...");
+    logger.debug("[Cleanup] Removing containers");
+    containerResult = await DockerIsol8.cleanup(docker);
+    logger.debug(`[Cleanup] Containers removed: ${containerResult.removed}, failed: ${containerResult.failed}`);
+  }
+  if (containerResult.errors.length > 0) {
     console.log("");
-    for (const err of result.errors) {
+    for (const err of containerResult.errors) {
       console.error(`  Failed to remove ${err}`);
     }
   }
-  if (result.failed === 0) {
-    spinner.succeed(`Removed ${result.removed} container(s)`);
+  if (containerResult.failed === 0) {
+    spinner.succeed(`Removed ${containerResult.removed} container(s)`);
   } else {
-    spinner.warn(`Removed ${result.removed} container(s), ${result.failed} failed`);
+    spinner.warn(`Removed ${containerResult.removed} container(s), ${containerResult.failed} failed`);
+  }
+  if (opts.images && isol8Images.length > 0) {
+    spinner.start("Removing images...");
+    logger.debug("[Cleanup] Removing images");
+    const imageResult = await DockerIsol8.cleanupImages(docker);
+    logger.debug(`[Cleanup] Images removed: ${imageResult.removed}, failed: ${imageResult.failed}`);
+    if (imageResult.errors.length > 0) {
+      console.log("");
+      for (const err of imageResult.errors) {
+        console.error(`  Failed to remove image ${err}`);
+      }
+    }
+    if (imageResult.failed === 0) {
+      spinner.succeed(`Removed ${imageResult.removed} image(s)`);
+    } else {
+      spinner.warn(`Removed ${imageResult.removed} image(s), ${imageResult.failed} failed`);
+    }
   }
 });
 async function resolveRunInput(file, opts) {
@@ -62997,12 +63255,8 @@ async function resolveRunInput(file, opts) {
     debug: opts.debug ?? config.debug,
     persist: opts.persist ?? false,
     ...opts.logNetwork ? { logNetwork: true } : {},
-    remoteCode: config.remoteCode,
-    poolStrategy: opts.poolStrategy === "secure" ? "secure" : "fast",
-    poolSize: opts.poolSize ? opts.poolSize.includes(",") ? {
-      clean: Number.parseInt(opts.poolSize.split(",")[0], 10),
-      dirty: Number.parseInt(opts.poolSize.split(",")[1], 10)
-    } : Number.parseInt(opts.poolSize, 10) : { clean: 1, dirty: 1 }
+    dependencies: config.dependencies,
+    remoteCode: config.remoteCode
   };
   logger.debug(`[Run] Engine options: mode=${engineOptions.mode}, network=${engineOptions.network}`);
   let fileExtension;
@@ -63088,4 +63342,4 @@ if (!process.argv.slice(2).length) {
 }
 program2.parse();
-//# debugId=280ED4C71DBDC32964756E2164756E21
+//# debugId=33A00A6A263B687D64756E2164756E21