isol8 0.11.1 → 0.11.3

package/README.md

@@ -105,7 +105,7 @@ isol8 run script.py --host http://server:3000 --key my-api-key
 |------|-------------|---------|
 | `-e, --eval <code>` | Execute inline code | — |
 | `-r, --runtime <rt>` | Force runtime: `python`, `node`, `bun`, `deno`, `bash` | auto-detect |
-| `--net <mode>` | Network mode: `none`, `host`, `filtered` | `none` |
+| `--net <mode>` | Network mode: `none`, `host`, `filtered` | `none` (unless `--install` is used without explicit `--net`, then auto `filtered`) |
 | `--allow <regex>` | Whitelist regex (repeatable, for `filtered`) | — |
 | `--deny <regex>` | Blacklist regex (repeatable, for `filtered`) | — |
 | `--out <file>` | Write stdout to file | — |
@@ -113,7 +113,7 @@ isol8 run script.py --host http://server:3000 --key my-api-key
 | `--persistent` | Keep container alive between runs | `false` |
 | `--persist` | Keep container after execution for inspection/debugging | `false` |
 | `--debug` | Enable debug logging for internal engine operations | `false` |
-| `--timeout <ms>` | Execution timeout in milliseconds | `30000` |
+| `--timeout <ms>` | Timeout in milliseconds for package install + execution phases | `30000` |
 | `--memory <limit>` | Memory limit (e.g. `512m`, `1g`) | `512m` |
 | `--cpu <limit>` | CPU limit as fraction (e.g. `0.5`, `2.0`) | `1.0` |
 | `--image <name>` | Override Docker image | — |
@@ -124,7 +124,7 @@ isol8 run script.py --host http://server:3000 --key my-api-key
 | `--sandbox-size <size>` | Sandbox tmpfs size (e.g. `512m`, `1g`) | `512m` |
 | `--tmp-size <size>` | Tmp tmpfs size (e.g. `256m`, `512m`) | `256m` |
 | `--stdin <data>` | Data to pipe to stdin | — |
-| `--install <pkg>` | Install package for runtime (repeatable) | — |
+| `--install <pkg>` | Install package for runtime (repeatable) | — (auto-adds default runtime registry allowlist in `filtered` mode) |
 | `--url <url>` | Fetch code from URL (requires `remoteCode.enabled=true`) | — |
 | `--github <owner/repo/ref/path>` | GitHub shorthand for raw source | — |
 | `--gist <gistId/file.ext>` | Gist shorthand for raw source | — |
@@ -169,11 +169,15 @@ isol8 serve --update  # Force re-download the server binary
 
 | Flag | Description | Default |
 |------|-------------|---------|
-| `-p, --port <port>` | Port to listen on | `3000` |
+| `-p, --port <port>` | Port to listen on | `--port` > `$ISOL8_PORT` > `$PORT` > `3000` |
 | `-k, --key <key>` | API key for Bearer token auth | `$ISOL8_API_KEY` |
 | `--update` | Force re-download the server binary | `false` |
 | `--debug` | Enable debug logging for server operations | `false` |
 
+If the selected port is already in use, `isol8 serve` now prompts to enter another port or auto-select an available one. In non-interactive environments, it auto-falls back to a free port.
+
+On graceful shutdown (`SIGINT`/`SIGTERM`), the server now cleans up tracked sessions, isol8 containers, and isol8 images before exiting.
+
 ### `isol8 config`
 
 Display the resolved configuration (merged defaults + config file). Shows the source file, defaults, network rules, cleanup policy, and dependencies.
@@ -375,7 +379,7 @@ Add the `$schema` property to get autocompletion, validation, and inline documen
     "node": ["lodash"]
   },
   "security": {
-    "seccomp": "safety"
+    "seccomp": "strict"
   }
 }
 ```
@@ -439,7 +443,7 @@ bun run bench:detailed   # Phase breakdown
 | **Network** | Disabled by default; optional proxy-based filtering |
 | **Output** | Truncated at 1MB; secrets masked from stdout/stderr |
 | **Isolation** | Each execution in its own container (ephemeral) or exec (persistent) |
-| **Seccomp** | Default "safety" profile blocks dangerous syscalls (mount, swap, ptrace) but allows others for compatibility; configurable via `security.seccomp` |
+| **Seccomp** | Default `strict` mode applies the built-in profile that blocks dangerous syscalls (mount, swap, ptrace). In standalone server binaries, an embedded copy is used when profile files are not present. If strict/custom profile loading fails, execution fails. |
 
 ### Container Filesystem
 
@@ -468,6 +472,7 @@ When running `isol8 serve`, these endpoints are available:
 | `POST` | `/file` | Upload file (base64) |
 | `GET` | `/file?sessionId=&path=` | Download file (base64) |
 | `DELETE` | `/session/:id` | Destroy persistent session |
+| `POST` | `/cleanup` | Run server-side cleanup for sessions/containers (and images by default) |
 
 All endpoints (except `/health`) require `Authorization: Bearer <key>`.
 

package/dist/cli.js

@@ -6318,7 +6318,7 @@ var require_bcrypt_pbkdf = __commonJS((exports, module) => {
 
 // node_modules/cpu-features/build/Release/cpufeatures.node
 var require_cpufeatures = __commonJS((exports, module) => {
-  module.exports = __require("./cpufeatures-tjjrgpt7.node");
+  module.exports = __require("./cpufeatures-1yrn0vtw.node");
 });
 
 // node_modules/cpu-features/lib/index.js
@@ -55412,6 +55412,73 @@ class Semaphore {
   }
 }
 
+// src/engine/default-seccomp-profile.ts
+var EMBEDDED_DEFAULT_SECCOMP_PROFILE;
+var init_default_seccomp_profile = __esm(() => {
+  EMBEDDED_DEFAULT_SECCOMP_PROFILE = JSON.stringify({
+    defaultAction: "SCMP_ACT_ALLOW",
+    architectures: ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32", "SCMP_ARCH_AARCH64"],
+    syscalls: [
+      {
+        names: [
+          "acct",
+          "add_key",
+          "bpf",
+          "clock_adjtime",
+          "clock_settime",
+          "create_module",
+          "delete_module",
+          "finit_module",
+          "get_mempolicy",
+          "init_module",
+          "ioperm",
+          "iopl",
+          "kcmp",
+          "kexec_file_load",
+          "kexec_load",
+          "keyctl",
+          "lookup_dcookie",
+          "mbind",
+          "mount",
+          "move_pages",
+          "name_to_handle_at",
+          "open_by_handle_at",
+          "perf_event_open",
+          "pivot_root",
+          "process_vm_readv",
+          "process_vm_writev",
+          "ptrace",
+          "query_module",
+          "quotactl",
+          "reboot",
+          "request_key",
+          "set_mempolicy",
+          "setns",
+          "settimeofday",
+          "stime",
+          "swapon",
+          "swapoff",
+          "sysfs",
+          "syslog",
+          "umount",
+          "umount2",
+          "unshare",
+          "uselib",
+          "userfaultfd",
+          "ustat",
+          "vm86",
+          "vm86old"
+        ],
+        action: "SCMP_ACT_ERRNO",
+        args: [],
+        comment: "",
+        includes: {},
+        excludes: {}
+      }
+    ]
+  });
+});
+
 // src/engine/utils.ts
 var exports_utils = {};
 __export(exports_utils, {
@@ -56155,7 +56222,19 @@ function wrapWithTimeout(cmd, timeoutSec) {
 function getInstallCommand(runtime, packages) {
   switch (runtime) {
     case "python":
-      return ["pip", "install", "--user", "--no-cache-dir", "--break-system-packages", ...packages];
+      return [
+        "pip",
+        "install",
+        "--user",
+        "--no-cache-dir",
+        "--break-system-packages",
+        "--disable-pip-version-check",
+        "--retries",
+        "0",
+        "--timeout",
+        "15",
+        ...packages
+      ];
     case "node":
       return ["npm", "install", "--prefix", "/sandbox", ...packages];
     case "bun":
@@ -56168,8 +56247,9 @@ function getInstallCommand(runtime, packages) {
       throw new Error(`Unknown runtime for package install: ${runtime}`);
   }
 }
-async function installPackages(container, runtime, packages) {
-  const cmd = getInstallCommand(runtime, packages);
+async function installPackages(container, runtime, packages, timeoutMs) {
+  const timeoutSec = Math.max(1, Math.ceil(timeoutMs / 1000));
+  const cmd = wrapWithTimeout(getInstallCommand(runtime, packages), timeoutSec);
   logger.debug(`Installing packages: ${JSON.stringify(cmd)}`);
   const env2 = [
     "PATH=/sandbox/.local/bin:/sandbox/.npm-global/bin:/sandbox/.bun-global/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"
@@ -56180,6 +56260,12 @@ async function installPackages(container, runtime, packages) {
     env2.push("NPM_CONFIG_PREFIX=/sandbox/.npm-global");
     env2.push("NPM_CONFIG_CACHE=/sandbox/.npm-cache");
     env2.push("npm_config_cache=/sandbox/.npm-cache");
+    env2.push("NPM_CONFIG_FETCH_RETRIES=0");
+    env2.push("npm_config_fetch_retries=0");
+    env2.push("NPM_CONFIG_FETCH_RETRY_MINTIMEOUT=1000");
+    env2.push("npm_config_fetch_retry_mintimeout=1000");
+    env2.push("NPM_CONFIG_FETCH_RETRY_MAXTIMEOUT=2000");
+    env2.push("npm_config_fetch_retry_maxtimeout=2000");
   } else if (runtime === "bun") {
     env2.push("BUN_INSTALL_GLOBAL_DIR=/sandbox/.bun-global");
     env2.push("BUN_INSTALL_CACHE_DIR=/sandbox/.bun-cache");
@@ -56201,7 +56287,13 @@ async function installPackages(container, runtime, packages) {
     const stderrStream = new PassThrough;
     container.modem.demuxStream(stream, stdoutStream, stderrStream);
     stderrStream.on("data", (chunk) => {
-      stderr += chunk.toString();
+      const text = chunk.toString();
+      stderr += text;
+      logger.debug(`[install:${runtime}:stderr] ${text.trimEnd()}`);
+    });
+    stdoutStream.on("data", (chunk) => {
+      const text = chunk.toString();
+      logger.debug(`[install:${runtime}:stdout] ${text.trimEnd()}`);
     });
     stream.on("end", async () => {
       try {
@@ -56531,7 +56623,7 @@ class DockerIsol8 {
         const filePath = `${SANDBOX_WORKDIR}/main${ext}`;
         await writeFileViaExec(container, filePath, request.code);
         if (request.installPackages?.length) {
-          await installPackages(container, request.runtime, request.installPackages);
+          await installPackages(container, request.runtime, request.installPackages, timeoutMs);
         }
         if (request.files) {
           for (const [fPath, fContent] of Object.entries(request.files)) {
@@ -56660,7 +56752,7 @@ class DockerIsol8 {
         rawCmd = adapter.getCommand(req.code, filePath);
       }
       if (req.installPackages?.length) {
-        await installPackages(container, req.runtime, req.installPackages);
+        await installPackages(container, req.runtime, req.installPackages, timeoutMs);
       }
       const timeoutSec = Math.ceil(timeoutMs / 1000);
       let cmd;
@@ -56768,7 +56860,7 @@ class DockerIsol8 {
     const rawCmd = adapter.getCommand(req.code, filePath);
     const timeoutSec = Math.ceil(timeoutMs / 1000);
     if (req.installPackages?.length) {
-      await installPackages(this.container, req.runtime, req.installPackages);
+      await installPackages(this.container, req.runtime, req.installPackages, timeoutMs);
     }
     let cmd;
     if (req.stdin) {
@@ -56911,17 +57003,15 @@ class DockerIsol8 {
         const profile = readFileSync3(this.security.customProfilePath, "utf-8");
         opts.push(`seccomp=${profile}`);
       } catch (e) {
-        logger.error(`Failed to load custom seccomp profile: ${e}`);
+        throw new Error(`Failed to load custom seccomp profile at ${this.security.customProfilePath}: ${e}`);
       }
       return opts;
     }
     try {
       const profile = this.loadDefaultSeccompProfile();
-      if (profile) {
-        opts.push(`seccomp=${profile}`);
-      }
+      opts.push(`seccomp=${profile}`);
     } catch (e) {
-      logger.error(`Failed to load default seccomp profile: ${e}`);
+      throw new Error(`Failed to load default seccomp profile: ${e}`);
     }
     return opts;
   }
@@ -56934,8 +57024,11 @@ class DockerIsol8 {
     if (existsSync4(prodPath)) {
       return readFileSync3(prodPath, "utf-8");
     }
-    logger.warn("Could not locate default seccomp profile. Running without seccomp filter.");
-    return null;
+    if (EMBEDDED_DEFAULT_SECCOMP_PROFILE.length > 0) {
+      logger.debug(`Default seccomp profile file not found. Using embedded profile. Tried: ${devPath.pathname}, ${prodPath.pathname}`);
+      return EMBEDDED_DEFAULT_SECCOMP_PROFILE;
+    }
+    throw new Error("Embedded default seccomp profile is unavailable");
   }
   buildEnv(extra) {
     const env2 = [
@@ -57160,6 +57253,7 @@ var init_docker = __esm(() => {
   init_logger();
   init_audit();
   init_code_fetcher();
+  init_default_seccomp_profile();
   init_image_builder();
   init_pool();
   import_dockerode = __toESM(require_docker(), 1);
@@ -57171,7 +57265,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "isol8",
-    version: "0.11.0",
+    version: "0.11.2",
     description: "Secure code execution engine for AI agents",
     author: "Illusion47586",
     license: "MIT",
@@ -58919,6 +59013,50 @@ async function createServer(options) {
   logger.debug(`[Server] Auto-prune: ${config.cleanup.autoPrune}`);
   const app = new Hono2;
   const globalSemaphore = new Semaphore(config.maxConcurrent);
+  let pruneInterval;
+  let cleanupInFlight = null;
+  const cleanupSessions = async () => {
+    let removed = 0;
+    let failed = 0;
+    const errors = [];
+    for (const [id, session] of sessions) {
+      try {
+        await session.engine.stop();
+        removed++;
+      } catch (err) {
+        failed++;
+        const errorMsg = err instanceof Error ? err.message : String(err);
+        errors.push(`${id}: ${errorMsg}`);
+      } finally {
+        sessions.delete(id);
+      }
+    }
+    return { removed, failed, errors };
+  };
+  const runCleanup = async (includeImages) => {
+    if (cleanupInFlight) {
+      return cleanupInFlight;
+    }
+    cleanupInFlight = (async () => {
+      logger.info(`[Server] Starting cleanup (sessions=true containers=true images=${includeImages})`);
+      const sessionsResult = await cleanupSessions();
+      const containersResult = await DockerIsol82.cleanup();
+      const result = {
+        sessions: sessionsResult,
+        containers: containersResult
+      };
+      if (includeImages) {
+        result.images = await DockerIsol82.cleanupImages();
+      }
+      logger.info(`[Server] Cleanup complete: sessions=${result.sessions.removed}/${result.sessions.failed} containers=${result.containers.removed}/${result.containers.failed}${result.images ? ` images=${result.images.removed}/${result.images.failed}` : ""}`);
+      return result;
+    })();
+    try {
+      return await cleanupInFlight;
+    } finally {
+      cleanupInFlight = null;
+    }
+  };
   app.use("*", authMiddleware(options.apiKey));
   app.get("/health", (c) => c.json({ status: "ok", version: VERSION }));
   app.post("/execute", async (c) => {
@@ -59099,8 +59237,21 @@ async function createServer(options) {
     }
     return c.json({ ok: true });
   });
+  app.post("/cleanup", async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    const includeImages = body.images ?? true;
+    logger.debug(`[Server] POST /cleanup images=${includeImages}`);
+    try {
+      const result = await runCleanup(includeImages);
+      return c.json({ ok: true, ...result });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      logger.error(`[Server] Cleanup failed: ${message}`);
+      return c.json({ error: message }, 500);
+    }
+  });
   if (config.cleanup.autoPrune) {
-    setInterval(async () => {
+    pruneInterval = setInterval(async () => {
       const maxAge = config.cleanup.maxContainerAgeMs;
       const now = Date.now();
       for (const [id, session] of sessions) {
@@ -59118,7 +59269,15 @@ async function createServer(options) {
   return {
     app,
     fetch: app.fetch,
-    port: options.port
+    port: options.port,
+    cleanup: async (includeImages = true) => runCleanup(includeImages),
+    shutdown: async (includeImages = true) => {
+      if (pruneInterval) {
+        clearInterval(pruneInterval);
+        pruneInterval = undefined;
+      }
+      await runCleanup(includeImages);
+    }
   };
 }
 var sessions;
@@ -62747,22 +62906,54 @@ program2.command("run").description("Execute code in isol8").argument("[file]",
     process.exit(exitCode);
   }
 });
-program2.command("serve").description("Start the isol8 remote server").option("-p, --port <port>", "Port to listen on", "3000").option("-k, --key <key>", "API key for authentication").option("--update", "Force re-download the server binary").option("--debug", "Enable debug logging").action(async (opts) => {
+program2.command("serve").description("Start the isol8 remote server").option("-p, --port <port>", "Port to listen on").option("-k, --key <key>", "API key for authentication").option("--update", "Force re-download the server binary").option("--debug", "Enable debug logging").action(async (opts) => {
   const apiKey = opts.key ?? process.env.ISOL8_API_KEY;
   if (!apiKey) {
     console.error("[ERR] API key required. Use --key or ISOL8_API_KEY env var.");
     process.exit(1);
   }
-  const port = Number.parseInt(opts.port, 10);
-  logger.debug(`[Serve] Port: ${port}`);
+  const requestedPort = resolveServePort(opts.port);
+  const port = await resolveAvailableServePort(requestedPort);
+  logger.debug(`[Serve] Requested port: ${requestedPort}`);
+  logger.debug(`[Serve] Using port: ${port}`);
   logger.debug(`[Serve] API key: ${"*".repeat(apiKey.length)}`);
   if (typeof globalThis.Bun !== "undefined") {
     logger.debug("[Serve] Running under Bun, starting server in-process");
     const { createServer: createServer2 } = await Promise.resolve().then(() => (init_server(), exports_server));
     const server = await createServer2({ port, apiKey, debug: opts.debug ?? false });
+    let shuttingDown = false;
+    const bunServer = Bun.serve({ fetch: server.app.fetch, port });
+    const shutdown = async () => {
+      if (shuttingDown) {
+        return;
+      }
+      shuttingDown = true;
+      logger.info("[Serve] Shutting down server and cleaning up resources...");
+      bunServer.stop();
+      try {
+        await server.shutdown();
+        logger.info("[Serve] Cleanup complete");
+        process.exit(0);
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        logger.error(`[Serve] Cleanup failed: ${message}`);
+        process.exit(1);
+      }
+    };
+    process.on("SIGINT", () => {
+      shutdown().catch((err) => {
+        const message = err instanceof Error ? err.message : String(err);
+        logger.error(`[Serve] Shutdown handler failed: ${message}`);
+      });
+    });
+    process.on("SIGTERM", () => {
+      shutdown().catch((err) => {
+        const message = err instanceof Error ? err.message : String(err);
+        logger.error(`[Serve] Shutdown handler failed: ${message}`);
+      });
+    });
     console.log(`[INFO] isol8 server v${VERSION} listening on http://localhost:${port}`);
     console.log("       Auth: Bearer token required");
-    Bun.serve({ fetch: server.app.fetch, port });
     return;
   }
   logger.debug("[Serve] Running under Node.js, launching standalone binary");
@@ -62861,6 +63052,11 @@ async function downloadServerBinary(binaryPath) {
   }
 }
 async function promptYesNo(question) {
+  const answer = await promptText(question);
+  const normalized = answer.trim().toLowerCase();
+  return normalized === "" || normalized === "y" || normalized === "yes";
+}
+async function promptText(question) {
   const readline = await import("node:readline");
   const rl = readline.createInterface({
     input: process.stdin,
@@ -62870,8 +63066,103 @@ async function promptYesNo(question) {
     rl.question(question, resolve3);
   });
   rl.close();
-  const normalized = answer.trim().toLowerCase();
-  return normalized === "" || normalized === "y" || normalized === "yes";
+  return answer;
+}
+function parsePort(raw2, source) {
+  const parsed = Number(raw2);
+  if (!Number.isInteger(parsed) || parsed < 1 || parsed > 65535) {
+    console.error(`[ERR] Invalid port from ${source}: ${raw2}. Expected 1-65535.`);
+    process.exit(1);
+  }
+  return parsed;
+}
+function resolveServePort(portFlag) {
+  if (typeof portFlag === "string") {
+    return parsePort(portFlag, "--port");
+  }
+  if (process.env.ISOL8_PORT) {
+    return parsePort(process.env.ISOL8_PORT, "ISOL8_PORT");
+  }
+  if (process.env.PORT) {
+    return parsePort(process.env.PORT, "PORT");
+  }
+  return 3000;
+}
+async function isPortAvailable(port) {
+  const { createServer: createServer2 } = await import("node:net");
+  return await new Promise((resolve3) => {
+    const server = createServer2();
+    server.once("error", () => {
+      resolve3(false);
+    });
+    server.once("listening", () => {
+      server.close(() => resolve3(true));
+    });
+    server.listen(port);
+  });
+}
+async function findAvailablePort() {
+  const { createServer: createServer2 } = await import("node:net");
+  return await new Promise((resolve3, reject) => {
+    const server = createServer2();
+    server.once("error", reject);
+    server.once("listening", () => {
+      const address = server.address();
+      if (!address || typeof address === "string") {
+        server.close(() => reject(new Error("Failed to determine available port")));
+        return;
+      }
+      server.close((closeErr) => {
+        if (closeErr) {
+          reject(closeErr);
+          return;
+        }
+        resolve3(address.port);
+      });
+    });
+    server.listen(0);
+  });
+}
+async function resolveAvailableServePort(port) {
+  if (await isPortAvailable(port)) {
+    return port;
+  }
+  if (!(process.stdin.isTTY && process.stdout.isTTY)) {
+    const autoPort = await findAvailablePort();
+    console.warn(`[WARN] Port ${port} is in use. Falling back to available port ${autoPort}.`);
+    return autoPort;
+  }
+  let candidate = port;
+  while (true) {
+    console.warn(`[WARN] Port ${candidate} is already in use.`);
+    const choice = (await promptText("Choose: [1] Enter another port  [2] Find an available port  [3] Exit (default: 2): ")).trim().toLowerCase();
+    if (choice === "" || choice === "2") {
+      const autoPort = await findAvailablePort();
+      console.log(`[INFO] Using available port ${autoPort}`);
+      return autoPort;
+    }
+    if (choice === "1") {
+      const rawPort = (await promptText("Enter port (1-65535): ")).trim();
+      if (!rawPort) {
+        continue;
+      }
+      const parsed = Number(rawPort);
+      if (!Number.isInteger(parsed) || parsed < 1 || parsed > 65535) {
+        console.error(`[ERR] Invalid port: ${rawPort}. Expected 1-65535.`);
+        continue;
+      }
+      candidate = parsed;
+      if (await isPortAvailable(candidate)) {
+        return candidate;
+      }
+      continue;
+    }
+    if (choice === "3") {
+      console.error("[ERR] Server startup cancelled.");
+      process.exit(1);
+    }
+    console.error("[ERR] Invalid selection. Enter 1, 2, or 3.");
+  }
 }
 async function ensureServerBinary(forceUpdate) {
   const binDir = join4(homedir2(), ".isol8", "bin");
@@ -63083,6 +63374,7 @@ program2.command("cleanup").description("Remove orphaned isol8 containers (and o
 async function resolveRunInput(file, opts) {
   const config = loadConfig();
   logger.debug("[Run] Config loaded");
+  const hasExplicitNetFlag = process.argv.some((arg) => arg === "--net");
   let code;
   let codeUrl;
   let codeHash;
@@ -63156,6 +63448,20 @@ async function resolveRunInput(file, opts) {
     dependencies: config.dependencies,
     remoteCode: config.remoteCode
   };
+  if (opts.install.length > 0 && !hasExplicitNetFlag) {
+    engineOptions.network = "filtered";
+    logger.debug("[Run] --install detected without explicit --net; using filtered network mode automatically");
+  }
+  if (opts.install.length > 0 && engineOptions.network === "filtered") {
+    const runtimeRegistryAllowlist = getDefaultRegistryAllowPatterns(runtime);
+    if (runtimeRegistryAllowlist.length > 0) {
+      engineOptions.networkFilter = {
+        whitelist: Array.from(new Set([...engineOptions.networkFilter?.whitelist ?? [], ...runtimeRegistryAllowlist])),
+        blacklist: engineOptions.networkFilter?.blacklist ?? []
+      };
+      logger.debug(`[Run] Added default package registries for ${runtime}: ${runtimeRegistryAllowlist.join(", ")}`);
+    }
+  }
   logger.debug(`[Run] Engine options: mode=${engineOptions.mode}, network=${engineOptions.network}`);
   let fileExtension;
   if (file) {
@@ -63231,6 +63537,19 @@ function detectRuntimeFromPath(pathValue) {
     return;
   }
 }
+function getDefaultRegistryAllowPatterns(runtime) {
+  switch (runtime) {
+    case "python":
+      return ["^pypi\\.org$", "^files\\.pythonhosted\\.org$"];
+    case "node":
+    case "bun":
+      return ["^registry\\.npmjs\\.org$"];
+    case "bash":
+      return ["^dl-cdn\\.alpinelinux\\.org$"];
+    default:
+      return [];
+  }
+}
 function collect(value, previous) {
   return previous.concat([value]);
 }
@@ -63240,4 +63559,4 @@ if (!process.argv.slice(2).length) {
 }
 program2.parse();
 
-//# debugId=6B3AFECE6CC836BD64756E2164756E21
+//# debugId=DC4F72D2D8660BF264756E2164756E21

package/dist/index.js

@@ -546,6 +546,73 @@ class Semaphore {
   }
 }
 
+// src/engine/default-seccomp-profile.ts
+var EMBEDDED_DEFAULT_SECCOMP_PROFILE;
+var init_default_seccomp_profile = __esm(() => {
+  EMBEDDED_DEFAULT_SECCOMP_PROFILE = JSON.stringify({
+    defaultAction: "SCMP_ACT_ALLOW",
+    architectures: ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32", "SCMP_ARCH_AARCH64"],
+    syscalls: [
+      {
+        names: [
+          "acct",
+          "add_key",
+          "bpf",
+          "clock_adjtime",
+          "clock_settime",
+          "create_module",
+          "delete_module",
+          "finit_module",
+          "get_mempolicy",
+          "init_module",
+          "ioperm",
+          "iopl",
+          "kcmp",
+          "kexec_file_load",
+          "kexec_load",
+          "keyctl",
+          "lookup_dcookie",
+          "mbind",
+          "mount",
+          "move_pages",
+          "name_to_handle_at",
+          "open_by_handle_at",
+          "perf_event_open",
+          "pivot_root",
+          "process_vm_readv",
+          "process_vm_writev",
+          "ptrace",
+          "query_module",
+          "quotactl",
+          "reboot",
+          "request_key",
+          "set_mempolicy",
+          "setns",
+          "settimeofday",
+          "stime",
+          "swapon",
+          "swapoff",
+          "sysfs",
+          "syslog",
+          "umount",
+          "umount2",
+          "unshare",
+          "uselib",
+          "userfaultfd",
+          "ustat",
+          "vm86",
+          "vm86old"
+        ],
+        action: "SCMP_ACT_ERRNO",
+        args: [],
+        comment: "",
+        includes: {},
+        excludes: {}
+      }
+    ]
+  });
+});
+
 // src/engine/image-builder.ts
 import { createHash as createHash2 } from "node:crypto";
 import { existsSync as existsSync3, readFileSync as readFileSync2 } from "node:fs";
@@ -1087,7 +1154,19 @@ function wrapWithTimeout(cmd, timeoutSec) {
 function getInstallCommand(runtime, packages) {
   switch (runtime) {
     case "python":
-      return ["pip", "install", "--user", "--no-cache-dir", "--break-system-packages", ...packages];
+      return [
+        "pip",
+        "install",
+        "--user",
+        "--no-cache-dir",
+        "--break-system-packages",
+        "--disable-pip-version-check",
+        "--retries",
+        "0",
+        "--timeout",
+        "15",
+        ...packages
+      ];
     case "node":
       return ["npm", "install", "--prefix", "/sandbox", ...packages];
     case "bun":
@@ -1100,8 +1179,9 @@ function getInstallCommand(runtime, packages) {
       throw new Error(`Unknown runtime for package install: ${runtime}`);
   }
 }
-async function installPackages(container, runtime, packages) {
-  const cmd = getInstallCommand(runtime, packages);
+async function installPackages(container, runtime, packages, timeoutMs) {
+  const timeoutSec = Math.max(1, Math.ceil(timeoutMs / 1000));
+  const cmd = wrapWithTimeout(getInstallCommand(runtime, packages), timeoutSec);
   logger.debug(`Installing packages: ${JSON.stringify(cmd)}`);
   const env = [
     "PATH=/sandbox/.local/bin:/sandbox/.npm-global/bin:/sandbox/.bun-global/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"
@@ -1112,6 +1192,12 @@ async function installPackages(container, runtime, packages) {
     env.push("NPM_CONFIG_PREFIX=/sandbox/.npm-global");
     env.push("NPM_CONFIG_CACHE=/sandbox/.npm-cache");
     env.push("npm_config_cache=/sandbox/.npm-cache");
+    env.push("NPM_CONFIG_FETCH_RETRIES=0");
+    env.push("npm_config_fetch_retries=0");
+    env.push("NPM_CONFIG_FETCH_RETRY_MINTIMEOUT=1000");
+    env.push("npm_config_fetch_retry_mintimeout=1000");
+    env.push("NPM_CONFIG_FETCH_RETRY_MAXTIMEOUT=2000");
+    env.push("npm_config_fetch_retry_maxtimeout=2000");
   } else if (runtime === "bun") {
     env.push("BUN_INSTALL_GLOBAL_DIR=/sandbox/.bun-global");
     env.push("BUN_INSTALL_CACHE_DIR=/sandbox/.bun-cache");
@@ -1133,7 +1219,13 @@ async function installPackages(container, runtime, packages) {
     const stderrStream = new PassThrough;
     container.modem.demuxStream(stream, stdoutStream, stderrStream);
     stderrStream.on("data", (chunk) => {
-      stderr += chunk.toString();
+      const text = chunk.toString();
+      stderr += text;
+      logger.debug(`[install:${runtime}:stderr] ${text.trimEnd()}`);
+    });
+    stdoutStream.on("data", (chunk) => {
+      const text = chunk.toString();
+      logger.debug(`[install:${runtime}:stdout] ${text.trimEnd()}`);
     });
     stream.on("end", async () => {
       try {
@@ -1463,7 +1555,7 @@ class DockerIsol8 {
         const filePath = `${SANDBOX_WORKDIR}/main${ext}`;
         await writeFileViaExec(container, filePath, request.code);
         if (request.installPackages?.length) {
-          await installPackages(container, request.runtime, request.installPackages);
+          await installPackages(container, request.runtime, request.installPackages, timeoutMs);
         }
         if (request.files) {
           for (const [fPath, fContent] of Object.entries(request.files)) {
@@ -1592,7 +1684,7 @@ class DockerIsol8 {
         rawCmd = adapter.getCommand(req.code, filePath);
       }
       if (req.installPackages?.length) {
-        await installPackages(container, req.runtime, req.installPackages);
+        await installPackages(container, req.runtime, req.installPackages, timeoutMs);
       }
       const timeoutSec = Math.ceil(timeoutMs / 1000);
       let cmd;
@@ -1700,7 +1792,7 @@ class DockerIsol8 {
     const rawCmd = adapter.getCommand(req.code, filePath);
     const timeoutSec = Math.ceil(timeoutMs / 1000);
     if (req.installPackages?.length) {
-      await installPackages(this.container, req.runtime, req.installPackages);
+      await installPackages(this.container, req.runtime, req.installPackages, timeoutMs);
     }
     let cmd;
     if (req.stdin) {
@@ -1843,17 +1935,15 @@ class DockerIsol8 {
         const profile = readFileSync3(this.security.customProfilePath, "utf-8");
         opts.push(`seccomp=${profile}`);
       } catch (e) {
-        logger.error(`Failed to load custom seccomp profile: ${e}`);
+        throw new Error(`Failed to load custom seccomp profile at ${this.security.customProfilePath}: ${e}`);
       }
       return opts;
     }
     try {
       const profile = this.loadDefaultSeccompProfile();
-      if (profile) {
-        opts.push(`seccomp=${profile}`);
-      }
+      opts.push(`seccomp=${profile}`);
     } catch (e) {
-      logger.error(`Failed to load default seccomp profile: ${e}`);
+      throw new Error(`Failed to load default seccomp profile: ${e}`);
     }
     return opts;
   }
@@ -1866,8 +1956,11 @@ class DockerIsol8 {
     if (existsSync4(prodPath)) {
       return readFileSync3(prodPath, "utf-8");
     }
-    logger.warn("Could not locate default seccomp profile. Running without seccomp filter.");
-    return null;
+    if (EMBEDDED_DEFAULT_SECCOMP_PROFILE.length > 0) {
+      logger.debug(`Default seccomp profile file not found. Using embedded profile. Tried: ${devPath.pathname}, ${prodPath.pathname}`);
+      return EMBEDDED_DEFAULT_SECCOMP_PROFILE;
+    }
+    throw new Error("Embedded default seccomp profile is unavailable");
   }
   buildEnv(extra) {
     const env = [
@@ -2092,6 +2185,7 @@ var init_docker = __esm(() => {
   init_logger();
   init_audit();
   init_code_fetcher();
+  init_default_seccomp_profile();
   init_image_builder();
   init_pool();
   MAX_OUTPUT_BYTES = 1024 * 1024;
@@ -2349,7 +2443,7 @@ init_logger();
 // package.json
 var package_default = {
   name: "isol8",
-  version: "0.11.0",
+  version: "0.11.2",
   description: "Secure code execution engine for AI agents",
   author: "Illusion47586",
   license: "MIT",
@@ -2501,6 +2595,50 @@ async function createServer(options) {
   logger.debug(`[Server] Auto-prune: ${config.cleanup.autoPrune}`);
   const app = new Hono;
   const globalSemaphore = new Semaphore(config.maxConcurrent);
+  let pruneInterval;
+  let cleanupInFlight = null;
+  const cleanupSessions = async () => {
+    let removed = 0;
+    let failed = 0;
+    const errors = [];
+    for (const [id, session] of sessions) {
+      try {
+        await session.engine.stop();
+        removed++;
+      } catch (err) {
+        failed++;
+        const errorMsg = err instanceof Error ? err.message : String(err);
+        errors.push(`${id}: ${errorMsg}`);
+      } finally {
+        sessions.delete(id);
+      }
+    }
+    return { removed, failed, errors };
+  };
+  const runCleanup = async (includeImages) => {
+    if (cleanupInFlight) {
+      return cleanupInFlight;
+    }
+    cleanupInFlight = (async () => {
+      logger.info(`[Server] Starting cleanup (sessions=true containers=true images=${includeImages})`);
+      const sessionsResult = await cleanupSessions();
+      const containersResult = await DockerIsol82.cleanup();
+      const result = {
+        sessions: sessionsResult,
+        containers: containersResult
+      };
+      if (includeImages) {
+        result.images = await DockerIsol82.cleanupImages();
+      }
+      logger.info(`[Server] Cleanup complete: sessions=${result.sessions.removed}/${result.sessions.failed} containers=${result.containers.removed}/${result.containers.failed}${result.images ? ` images=${result.images.removed}/${result.images.failed}` : ""}`);
+      return result;
+    })();
+    try {
+      return await cleanupInFlight;
+    } finally {
+      cleanupInFlight = null;
+    }
+  };
   app.use("*", authMiddleware(options.apiKey));
   app.get("/health", (c) => c.json({ status: "ok", version: VERSION }));
   app.post("/execute", async (c) => {
@@ -2681,8 +2819,21 @@ async function createServer(options) {
     }
     return c.json({ ok: true });
   });
+  app.post("/cleanup", async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    const includeImages = body.images ?? true;
+    logger.debug(`[Server] POST /cleanup images=${includeImages}`);
+    try {
+      const result = await runCleanup(includeImages);
+      return c.json({ ok: true, ...result });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      logger.error(`[Server] Cleanup failed: ${message}`);
+      return c.json({ error: message }, 500);
+    }
+  });
   if (config.cleanup.autoPrune) {
-    setInterval(async () => {
+    pruneInterval = setInterval(async () => {
       const maxAge = config.cleanup.maxContainerAgeMs;
       const now = Date.now();
       for (const [id, session] of sessions) {
@@ -2700,7 +2851,15 @@ async function createServer(options) {
   return {
     app,
     fetch: app.fetch,
-    port: options.port
+    port: options.port,
+    cleanup: async (includeImages = true) => runCleanup(includeImages),
+    shutdown: async (includeImages = true) => {
+      if (pruneInterval) {
+        clearInterval(pruneInterval);
+        pruneInterval = undefined;
+      }
+      await runCleanup(includeImages);
+    }
   };
 }
 export {
@@ -2717,4 +2876,4 @@ export {
   BunAdapter
 };
 
-//# debugId=C48E982CAC86EB5964756E2164756E21
+//# debugId=C10FBC887CAF691764756E2164756E21

package/dist/src/engine/default-seccomp-profile.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Embedded default seccomp profile.
+ *
+ * This keeps strict seccomp available in standalone compiled binaries where
+ * docker/seccomp-profile.json may not be present on disk.
+ */
+export declare const EMBEDDED_DEFAULT_SECCOMP_PROFILE: string;
+//# sourceMappingURL=default-seccomp-profile.d.ts.map

package/dist/src/engine/default-seccomp-profile.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"default-seccomp-profile.d.ts","sourceRoot":"","sources":["../../../src/engine/default-seccomp-profile.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,eAAO,MAAM,gCAAgC,QA6D3C,CAAC"}

package/dist/src/engine/docker.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"docker.d.ts","sourceRoot":"","sources":["../../../src/engine/docker.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,MAAM,MAAM,WAAW,CAAC;AAG/B,OAAO,KAAK,EACV,gBAAgB,EAChB,eAAe,EAEf,WAAW,EAEX,YAAY,EAKZ,YAAY,EACZ,WAAW,EACZ,MAAM,UAAU,CAAC;AA2UlB,2HAA2H;AAC3H,MAAM,WAAW,kBAAmB,SAAQ,YAAY;IACtD,oFAAoF;IACpF,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;GAcG;AACH,qBAAa,WAAY,YAAW,WAAW;IAC7C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAY;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAc;IACtC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAsB;IACrD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAU;IACzC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;IACvC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyB;IACjD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAY;IACtC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAiB;IAC1C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAU;IAClC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAU;IACrC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAoB;IACjD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAA4C;IACrE,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAoB;IACjD,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAc;IAC3C,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAmB;IAEpD,OAAO,CAAC,SAAS,CAAiC;IAClD,OAAO,CAAC,iBAAiB,CAA+B;IACxD,OAAO,CAAC,IAAI,CAA8B;IAC1C,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA6B;YAE1C,uBAAuB;IA6BrC;;;OAGG;gBACS,OAAO,GAAE,kBAAuB,EAAE,aAAa,SAAK;IA4ChE;;;;;OAKG;IACG,KAAK,CAAC,OAAO,GAAE,YAAiB,GAAG,OAAO,CAAC,IAAI,CAAC;IAsCtD,kFAAkF;IAC5E,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAuB3B;;;OAGG;IACG,OAAO,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IAgB9D;;OAEG;YACW,WAAW;IAoDzB;;OAEG;YACW,qBAAqB;IA8CnC;;OAEG;YACW,kBAAkB;IA+DhC;;;;;;;OAOG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAYpE;;;;;;OAMG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAmB5C,6GAA6G;IAC7G,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED;;;OAGG;IACI,aAAa,CAAC,GAAG,EAAE,gBAAgB,GAAG,aAAa,CAAC,WAAW,CAAC;YAuFzD,YAAY;IA0C1B,OAAO,CAAC,UAAU;YAsBJ,gBAAgB;YAgKhB,iBAAiB;YAwIjB,aAAa;YAkBb,oBAAoB;YASpB,wBAAwB;IA4BtC,OAAO,CAAC,UAAU;IAIlB,OAAO,CAAC,eAAe;IA2BvB,OAAO,CAAC,iBAAiB;IA+BzB,OAAO,CAAC,yBAAyB;IAyBjC,OAAO,CAAC,QAAQ;YAwCD,gBAAgB;YA8EjB,iBAAiB;IAiG/B,OAAO,CAAC,iBAAiB;IAYzB;;;;;;;;;;;;;;;;;;;;OAoBG;WACU,OAAO,CAClB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IA0BjE;;;;;OAKG;WACU,aAAa,CACxB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;CA2BlE"}
+{"version":3,"file":"docker.d.ts","sourceRoot":"","sources":["../../../src/engine/docker.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,MAAM,MAAM,WAAW,CAAC;AAG/B,OAAO,KAAK,EACV,gBAAgB,EAChB,eAAe,EAEf,WAAW,EAEX,YAAY,EAKZ,YAAY,EACZ,WAAW,EACZ,MAAM,UAAU,CAAC;AAuWlB,2HAA2H;AAC3H,MAAM,WAAW,kBAAmB,SAAQ,YAAY;IACtD,oFAAoF;IACpF,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;GAcG;AACH,qBAAa,WAAY,YAAW,WAAW;IAC7C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAY;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAc;IACtC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAsB;IACrD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAU;IACzC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;IACvC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyB;IACjD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAY;IACtC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAiB;IAC1C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAU;IAClC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAU;IACrC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAoB;IACjD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAA4C;IACrE,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAoB;IACjD,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAc;IAC3C,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAmB;IAEpD,OAAO,CAAC,SAAS,CAAiC;IAClD,OAAO,CAAC,iBAAiB,CAA+B;IACxD,OAAO,CAAC,IAAI,CAA8B;IAC1C,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA6B;YAE1C,uBAAuB;IA6BrC;;;OAGG;gBACS,OAAO,GAAE,kBAAuB,EAAE,aAAa,SAAK;IA4ChE;;;;;OAKG;IACG,KAAK,CAAC,OAAO,GAAE,YAAiB,GAAG,OAAO,CAAC,IAAI,CAAC;IAsCtD,kFAAkF;IAC5E,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAuB3B;;;OAGG;IACG,OAAO,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IAgB9D;;OAEG;YACW,WAAW;IAoDzB;;OAEG;YACW,qBAAqB;IA8CnC;;OAEG;YACW,kBAAkB;IA+DhC;;;;;;;OAOG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAYpE;;;;;;OAMG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAmB5C,6GAA6G;IAC7G,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED;;;OAGG;IACI,aAAa,CAAC,GAAG,EAAE,gBAAgB,GAAG,aAAa,CAAC,WAAW,CAAC;YAuFzD,YAAY;IA0C1B,OAAO,CAAC,UAAU;YAsBJ,gBAAgB;YAgKhB,iBAAiB;YAwIjB,aAAa;YAkBb,oBAAoB;YASpB,wBAAwB;IA4BtC,OAAO,CAAC,UAAU;IAIlB,OAAO,CAAC,eAAe;IA2BvB,OAAO,CAAC,iBAAiB;IA+BzB,OAAO,CAAC,yBAAyB;IA6BjC,OAAO,CAAC,QAAQ;YAwCD,gBAAgB;YA8EjB,iBAAiB;IAiG/B,OAAO,CAAC,iBAAiB;IAYzB;;;;;;;;;;;;;;;;;;;;OAoBG;WACU,OAAO,CAClB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IA0BjE;;;;;OAKG;WACU,aAAa,CACxB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;CA2BlE"}

package/dist/src/server/index.d.ts

@@ -15,6 +15,23 @@ export interface ServerOptions {
     /** Enable debug logging for internal server operations. */
     debug?: boolean;
 }
+interface CleanupResult {
+    sessions: {
+        removed: number;
+        failed: number;
+        errors: string[];
+    };
+    containers: {
+        removed: number;
+        failed: number;
+        errors: string[];
+    };
+    images?: {
+        removed: number;
+        failed: number;
+        errors: string[];
+    };
+}
 /**
  * Creates and configures the isol8 HTTP server.
  *
@@ -36,5 +53,8 @@ export declare function createServer(options: ServerOptions): Promise<{
     app: Hono<import("hono/types").BlankEnv, import("hono/types").BlankSchema, "/">;
     fetch: (request: Request, Env?: unknown, executionCtx?: import("hono").ExecutionContext) => Response | Promise<Response>;
     port: number;
+    cleanup: (includeImages?: boolean) => Promise<CleanupResult>;
+    shutdown: (includeImages?: boolean) => Promise<void>;
 }>;
+export {};
 //# sourceMappingURL=index.d.ts.map

package/dist/src/server/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAS5B,+CAA+C;AAC/C,MAAM,WAAW,aAAa;IAC5B,yBAAyB;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,wDAAwD;IACxD,MAAM,EAAE,MAAM,CAAC;IACf,2DAA2D;IAC3D,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAaD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,aAAa;;;;GAmRxD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAS5B,+CAA+C;AAC/C,MAAM,WAAW,aAAa;IAC5B,yBAAyB;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,wDAAwD;IACxD,MAAM,EAAE,MAAM,CAAC;IACf,2DAA2D;IAC3D,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAaD,UAAU,aAAa;IACrB,QAAQ,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAChE,UAAU,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAClE,MAAM,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;CAChE;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,aAAa;;;;;;GAyWxD"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "isol8",
-  "version": "0.11.1",
+  "version": "0.11.3",
   "description": "Secure code execution engine for AI agents",
   "author": "Illusion47586",
   "license": "MIT",