isol8 0.11.2 → 0.12.0

package/README.md

@@ -105,7 +105,7 @@ isol8 run script.py --host http://server:3000 --key my-api-key
 |------|-------------|---------|
 | `-e, --eval <code>` | Execute inline code | — |
 | `-r, --runtime <rt>` | Force runtime: `python`, `node`, `bun`, `deno`, `bash` | auto-detect |
-| `--net <mode>` | Network mode: `none`, `host`, `filtered` | `none` |
+| `--net <mode>` | Network mode: `none`, `host`, `filtered` | `none` (unless `--install` is used without explicit `--net`, then auto `filtered`) |
 | `--allow <regex>` | Whitelist regex (repeatable, for `filtered`) | — |
 | `--deny <regex>` | Blacklist regex (repeatable, for `filtered`) | — |
 | `--out <file>` | Write stdout to file | — |
@@ -113,7 +113,7 @@ isol8 run script.py --host http://server:3000 --key my-api-key
 | `--persistent` | Keep container alive between runs | `false` |
 | `--persist` | Keep container after execution for inspection/debugging | `false` |
 | `--debug` | Enable debug logging for internal engine operations | `false` |
-| `--timeout <ms>` | Execution timeout in milliseconds | `30000` |
+| `--timeout <ms>` | Timeout in milliseconds for package install + execution phases | `30000` |
 | `--memory <limit>` | Memory limit (e.g. `512m`, `1g`) | `512m` |
 | `--cpu <limit>` | CPU limit as fraction (e.g. `0.5`, `2.0`) | `1.0` |
 | `--image <name>` | Override Docker image | — |
@@ -124,7 +124,7 @@ isol8 run script.py --host http://server:3000 --key my-api-key
 | `--sandbox-size <size>` | Sandbox tmpfs size (e.g. `512m`, `1g`) | `512m` |
 | `--tmp-size <size>` | Tmp tmpfs size (e.g. `256m`, `512m`) | `256m` |
 | `--stdin <data>` | Data to pipe to stdin | — |
-| `--install <pkg>` | Install package for runtime (repeatable) | — |
+| `--install <pkg>` | Install package for runtime (repeatable) | — (auto-adds default runtime registry allowlist in `filtered` mode) |
 | `--url <url>` | Fetch code from URL (requires `remoteCode.enabled=true`) | — |
 | `--github <owner/repo/ref/path>` | GitHub shorthand for raw source | — |
 | `--gist <gistId/file.ext>` | Gist shorthand for raw source | — |
@@ -176,6 +176,8 @@ isol8 serve --update  # Force re-download the server binary
 
 If the selected port is already in use, `isol8 serve` now prompts to enter another port or auto-select an available one. In non-interactive environments, it auto-falls back to a free port.
 
+On graceful shutdown (`SIGINT`/`SIGTERM`), the server now cleans up tracked sessions, isol8 containers, and isol8 images before exiting.
+
 ### `isol8 config`
 
 Display the resolved configuration (merged defaults + config file). Shows the source file, defaults, network rules, cleanup policy, and dependencies.
@@ -377,7 +379,7 @@ Add the `$schema` property to get autocompletion, validation, and inline documen
     "node": ["lodash"]
   },
   "security": {
-    "seccomp": "safety"
+    "seccomp": "strict"
   }
 }
 ```
@@ -441,7 +443,7 @@ bun run bench:detailed   # Phase breakdown
 | **Network** | Disabled by default; optional proxy-based filtering |
 | **Output** | Truncated at 1MB; secrets masked from stdout/stderr |
 | **Isolation** | Each execution in its own container (ephemeral) or exec (persistent) |
-| **Seccomp** | Default "safety" profile blocks dangerous syscalls (mount, swap, ptrace) but allows others for compatibility; configurable via `security.seccomp` |
+| **Seccomp** | Default `strict` mode applies the built-in profile that blocks dangerous syscalls (mount, swap, ptrace). In standalone server binaries, an embedded copy is used when profile files are not present. If strict/custom profile loading fails, execution fails. |
 
 ### Container Filesystem
 
@@ -470,6 +472,7 @@ When running `isol8 serve`, these endpoints are available:
 | `POST` | `/file` | Upload file (base64) |
 | `GET` | `/file?sessionId=&path=` | Download file (base64) |
 | `DELETE` | `/session/:id` | Destroy persistent session |
+| `POST` | `/cleanup` | Run server-side cleanup for sessions/containers (and images by default) |
 
 All endpoints (except `/health`) require `Authorization: Bearer <key>`.
 

package/dist/cli.js

@@ -54780,7 +54780,8 @@ function mergeConfig(defaults, overrides) {
     maxConcurrent: overrides.maxConcurrent ?? defaults.maxConcurrent,
     defaults: {
       ...defaults.defaults,
-      ...overrides.defaults
+      ...overrides.defaults,
+      readonlyRootFs: overrides.defaults?.readonlyRootFs ?? defaults.defaults.readonlyRootFs
     },
     network: {
       whitelist: overrides.network?.whitelist ?? defaults.network.whitelist,
@@ -54824,7 +54825,8 @@ var init_config = __esm(() => {
       cpuLimit: 1,
       network: "none",
       sandboxSize: "512m",
-      tmpSize: "256m"
+      tmpSize: "256m",
+      readonlyRootFs: true
     },
     network: {
       whitelist: [],
@@ -55412,6 +55414,73 @@ class Semaphore {
   }
 }
 
+// src/engine/default-seccomp-profile.ts
+var EMBEDDED_DEFAULT_SECCOMP_PROFILE;
+var init_default_seccomp_profile = __esm(() => {
+  EMBEDDED_DEFAULT_SECCOMP_PROFILE = JSON.stringify({
+    defaultAction: "SCMP_ACT_ALLOW",
+    architectures: ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32", "SCMP_ARCH_AARCH64"],
+    syscalls: [
+      {
+        names: [
+          "acct",
+          "add_key",
+          "bpf",
+          "clock_adjtime",
+          "clock_settime",
+          "create_module",
+          "delete_module",
+          "finit_module",
+          "get_mempolicy",
+          "init_module",
+          "ioperm",
+          "iopl",
+          "kcmp",
+          "kexec_file_load",
+          "kexec_load",
+          "keyctl",
+          "lookup_dcookie",
+          "mbind",
+          "mount",
+          "move_pages",
+          "name_to_handle_at",
+          "open_by_handle_at",
+          "perf_event_open",
+          "pivot_root",
+          "process_vm_readv",
+          "process_vm_writev",
+          "ptrace",
+          "query_module",
+          "quotactl",
+          "reboot",
+          "request_key",
+          "set_mempolicy",
+          "setns",
+          "settimeofday",
+          "stime",
+          "swapon",
+          "swapoff",
+          "sysfs",
+          "syslog",
+          "umount",
+          "umount2",
+          "unshare",
+          "uselib",
+          "userfaultfd",
+          "ustat",
+          "vm86",
+          "vm86old"
+        ],
+        action: "SCMP_ACT_ERRNO",
+        args: [],
+        comment: "",
+        includes: {},
+        excludes: {}
+      }
+    ]
+  });
+});
+
 // src/engine/utils.ts
 var exports_utils = {};
 __export(exports_utils, {
@@ -56155,7 +56224,19 @@ function wrapWithTimeout(cmd, timeoutSec) {
 function getInstallCommand(runtime, packages) {
   switch (runtime) {
     case "python":
-      return ["pip", "install", "--user", "--no-cache-dir", "--break-system-packages", ...packages];
+      return [
+        "pip",
+        "install",
+        "--user",
+        "--no-cache-dir",
+        "--break-system-packages",
+        "--disable-pip-version-check",
+        "--retries",
+        "0",
+        "--timeout",
+        "15",
+        ...packages
+      ];
     case "node":
       return ["npm", "install", "--prefix", "/sandbox", ...packages];
     case "bun":
@@ -56168,8 +56249,9 @@ function getInstallCommand(runtime, packages) {
       throw new Error(`Unknown runtime for package install: ${runtime}`);
   }
 }
-async function installPackages(container, runtime, packages) {
-  const cmd = getInstallCommand(runtime, packages);
+async function installPackages(container, runtime, packages, timeoutMs) {
+  const timeoutSec = Math.max(1, Math.ceil(timeoutMs / 1000));
+  const cmd = wrapWithTimeout(getInstallCommand(runtime, packages), timeoutSec);
   logger.debug(`Installing packages: ${JSON.stringify(cmd)}`);
   const env2 = [
     "PATH=/sandbox/.local/bin:/sandbox/.npm-global/bin:/sandbox/.bun-global/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"
@@ -56180,6 +56262,12 @@ async function installPackages(container, runtime, packages) {
     env2.push("NPM_CONFIG_PREFIX=/sandbox/.npm-global");
     env2.push("NPM_CONFIG_CACHE=/sandbox/.npm-cache");
     env2.push("npm_config_cache=/sandbox/.npm-cache");
+    env2.push("NPM_CONFIG_FETCH_RETRIES=0");
+    env2.push("npm_config_fetch_retries=0");
+    env2.push("NPM_CONFIG_FETCH_RETRY_MINTIMEOUT=1000");
+    env2.push("npm_config_fetch_retry_mintimeout=1000");
+    env2.push("NPM_CONFIG_FETCH_RETRY_MAXTIMEOUT=2000");
+    env2.push("npm_config_fetch_retry_maxtimeout=2000");
   } else if (runtime === "bun") {
     env2.push("BUN_INSTALL_GLOBAL_DIR=/sandbox/.bun-global");
     env2.push("BUN_INSTALL_CACHE_DIR=/sandbox/.bun-cache");
@@ -56201,7 +56289,13 @@ async function installPackages(container, runtime, packages) {
     const stderrStream = new PassThrough;
     container.modem.demuxStream(stream, stdoutStream, stderrStream);
     stderrStream.on("data", (chunk) => {
-      stderr += chunk.toString();
+      const text = chunk.toString();
+      stderr += text;
+      logger.debug(`[install:${runtime}:stderr] ${text.trimEnd()}`);
+    });
+    stdoutStream.on("data", (chunk) => {
+      const text = chunk.toString();
+      logger.debug(`[install:${runtime}:stdout] ${text.trimEnd()}`);
     });
     stream.on("end", async () => {
       try {
@@ -56531,7 +56625,7 @@ class DockerIsol8 {
         const filePath = `${SANDBOX_WORKDIR}/main${ext}`;
         await writeFileViaExec(container, filePath, request.code);
         if (request.installPackages?.length) {
-          await installPackages(container, request.runtime, request.installPackages);
+          await installPackages(container, request.runtime, request.installPackages, timeoutMs);
         }
         if (request.files) {
           for (const [fPath, fContent] of Object.entries(request.files)) {
@@ -56660,7 +56754,7 @@ class DockerIsol8 {
         rawCmd = adapter.getCommand(req.code, filePath);
       }
       if (req.installPackages?.length) {
-        await installPackages(container, req.runtime, req.installPackages);
+        await installPackages(container, req.runtime, req.installPackages, timeoutMs);
       }
       const timeoutSec = Math.ceil(timeoutMs / 1000);
       let cmd;
@@ -56768,7 +56862,7 @@ class DockerIsol8 {
     const rawCmd = adapter.getCommand(req.code, filePath);
     const timeoutSec = Math.ceil(timeoutMs / 1000);
     if (req.installPackages?.length) {
-      await installPackages(this.container, req.runtime, req.installPackages);
+      await installPackages(this.container, req.runtime, req.installPackages, timeoutMs);
     }
     let cmd;
     if (req.stdin) {
@@ -56911,17 +57005,15 @@ class DockerIsol8 {
         const profile = readFileSync3(this.security.customProfilePath, "utf-8");
         opts.push(`seccomp=${profile}`);
       } catch (e) {
-        logger.error(`Failed to load custom seccomp profile: ${e}`);
+        throw new Error(`Failed to load custom seccomp profile at ${this.security.customProfilePath}: ${e}`);
       }
       return opts;
     }
     try {
       const profile = this.loadDefaultSeccompProfile();
-      if (profile) {
-        opts.push(`seccomp=${profile}`);
-      }
+      opts.push(`seccomp=${profile}`);
     } catch (e) {
-      logger.error(`Failed to load default seccomp profile: ${e}`);
+      throw new Error(`Failed to load default seccomp profile: ${e}`);
     }
     return opts;
   }
@@ -56934,8 +57026,11 @@ class DockerIsol8 {
     if (existsSync4(prodPath)) {
       return readFileSync3(prodPath, "utf-8");
     }
-    logger.warn("Could not locate default seccomp profile. Running without seccomp filter.");
-    return null;
+    if (EMBEDDED_DEFAULT_SECCOMP_PROFILE.length > 0) {
+      logger.debug(`Default seccomp profile file not found. Using embedded profile. Tried: ${devPath.pathname}, ${prodPath.pathname}`);
+      return EMBEDDED_DEFAULT_SECCOMP_PROFILE;
+    }
+    throw new Error("Embedded default seccomp profile is unavailable");
   }
   buildEnv(extra) {
     const env2 = [
@@ -57160,6 +57255,7 @@ var init_docker = __esm(() => {
   init_logger();
   init_audit();
   init_code_fetcher();
+  init_default_seccomp_profile();
   init_image_builder();
   init_pool();
   import_dockerode = __toESM(require_docker(), 1);
@@ -57171,7 +57267,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "isol8",
-    version: "0.11.1",
+    version: "0.11.3",
     description: "Secure code execution engine for AI agents",
     author: "Illusion47586",
     license: "MIT",
@@ -58919,6 +59015,50 @@ async function createServer(options) {
   logger.debug(`[Server] Auto-prune: ${config.cleanup.autoPrune}`);
   const app = new Hono2;
   const globalSemaphore = new Semaphore(config.maxConcurrent);
+  let pruneInterval;
+  let cleanupInFlight = null;
+  const cleanupSessions = async () => {
+    let removed = 0;
+    let failed = 0;
+    const errors = [];
+    for (const [id, session] of sessions) {
+      try {
+        await session.engine.stop();
+        removed++;
+      } catch (err) {
+        failed++;
+        const errorMsg = err instanceof Error ? err.message : String(err);
+        errors.push(`${id}: ${errorMsg}`);
+      } finally {
+        sessions.delete(id);
+      }
+    }
+    return { removed, failed, errors };
+  };
+  const runCleanup = async (includeImages) => {
+    if (cleanupInFlight) {
+      return cleanupInFlight;
+    }
+    cleanupInFlight = (async () => {
+      logger.info(`[Server] Starting cleanup (sessions=true containers=true images=${includeImages})`);
+      const sessionsResult = await cleanupSessions();
+      const containersResult = await DockerIsol82.cleanup();
+      const result = {
+        sessions: sessionsResult,
+        containers: containersResult
+      };
+      if (includeImages) {
+        result.images = await DockerIsol82.cleanupImages();
+      }
+      logger.info(`[Server] Cleanup complete: sessions=${result.sessions.removed}/${result.sessions.failed} containers=${result.containers.removed}/${result.containers.failed}${result.images ? ` images=${result.images.removed}/${result.images.failed}` : ""}`);
+      return result;
+    })();
+    try {
+      return await cleanupInFlight;
+    } finally {
+      cleanupInFlight = null;
+    }
+  };
   app.use("*", authMiddleware(options.apiKey));
   app.get("/health", (c) => c.json({ status: "ok", version: VERSION }));
   app.post("/execute", async (c) => {
@@ -59099,8 +59239,21 @@ async function createServer(options) {
     }
     return c.json({ ok: true });
   });
+  app.post("/cleanup", async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    const includeImages = body.images ?? true;
+    logger.debug(`[Server] POST /cleanup images=${includeImages}`);
+    try {
+      const result = await runCleanup(includeImages);
+      return c.json({ ok: true, ...result });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      logger.error(`[Server] Cleanup failed: ${message}`);
+      return c.json({ error: message }, 500);
+    }
+  });
   if (config.cleanup.autoPrune) {
-    setInterval(async () => {
+    pruneInterval = setInterval(async () => {
       const maxAge = config.cleanup.maxContainerAgeMs;
       const now = Date.now();
       for (const [id, session] of sessions) {
@@ -59118,7 +59271,15 @@ async function createServer(options) {
   return {
     app,
     fetch: app.fetch,
-    port: options.port
+    port: options.port,
+    cleanup: async (includeImages = true) => runCleanup(includeImages),
+    shutdown: async (includeImages = true) => {
+      if (pruneInterval) {
+        clearInterval(pruneInterval);
+        pruneInterval = undefined;
+      }
+      await runCleanup(includeImages);
+    }
   };
 }
 var sessions;
@@ -62633,7 +62794,7 @@ program2.command("setup").description("Check Docker and build isol8 images").opt
   console.log(`
 [DONE] Setup complete!`);
 });
-program2.command("run").description("Execute code in isol8").argument("[file]", "Script file to execute").option("-e, --eval <code>", "Execute inline code string").option("-r, --runtime <name>", "Force runtime (python, node, bun, deno, bash)").option("--net <mode>", "Network mode: none, host, filtered", "none").option("--allow <regex>", "Whitelist regex for filtered mode (repeatable)", collect, []).option("--deny <regex>", "Blacklist regex for filtered mode (repeatable)", collect, []).option("--out <file>", "Write output to file").option("--persistent", "Use persistent container").option("--timeout <ms>", "Execution timeout in milliseconds").option("--memory <limit>", "Memory limit (e.g. 512m, 1g)").option("--cpu <limit>", "CPU limit as fraction (e.g. 0.5, 2.0)").option("--image <name>", "Override Docker image").option("--pids-limit <n>", "Maximum number of processes").option("--writable", "Disable read-only root filesystem").option("--max-output <bytes>", "Maximum output size in bytes").option("--secret <KEY=VALUE>", "Secret env var (repeatable, values masked)", collect, []).option("--sandbox-size <size>", "Sandbox tmpfs size (e.g. 128m, 512m)").option("--tmp-size <size>", "Tmp tmpfs size (e.g. 256m, 512m)").option("--stdin <data>", "Data to pipe to stdin").option("--install <package>", "Install package for runtime (repeatable)", collect, []).option("--url <url>", "Fetch code from URL").option("--github <path>", "GitHub shorthand: owner/repo/ref/path/to/file").option("--gist <path>", "Gist shorthand: gistId/file.ext").option("--hash <sha256>", "Expected SHA-256 hash of fetched code").option("--allow-insecure-code-url", "Allow insecure HTTP code URLs").option("--host <url>", "Execute on remote server").option("--key <key>", "API key for remote server").option("--no-stream", "Disable real-time output streaming").option("--debug", "Enable debug logging").option("--persist", "Keep container running after execution for inspection").option("--log-network", "Log all network requests (requires --net filtered)").action(async (file, opts) => {
+program2.command("run").description("Execute code in isol8").argument("[file]", "Script file to execute").option("-e, --eval <code>", "Execute inline code string").option("-r, --runtime <name>", "Force runtime (python, node, bun, deno, bash)").option("--net <mode>", "Network mode: none, host, filtered", "none").option("--allow <regex>", "Whitelist regex for filtered mode (repeatable)", collect, []).option("--deny <regex>", "Blacklist regex for filtered mode (repeatable)", collect, []).option("--out <file>", "Write output to file").option("--persistent", "Use persistent container").option("--timeout <ms>", "Execution timeout in milliseconds").option("--memory <limit>", "Memory limit (e.g. 512m, 1g)").option("--cpu <limit>", "CPU limit as fraction (e.g. 0.5, 2.0)").option("--image <name>", "Override Docker image").option("--pids-limit <n>", "Maximum number of processes").option("--max-output <bytes>", "Maximum output size in bytes").option("--secret <KEY=VALUE>", "Secret env var (repeatable, values masked)", collect, []).option("--sandbox-size <size>", "Sandbox tmpfs size (e.g. 128m, 512m)").option("--tmp-size <size>", "Tmp tmpfs size (e.g. 256m, 512m)").option("--stdin <data>", "Data to pipe to stdin").option("--install <package>", "Install package for runtime (repeatable)", collect, []).option("--url <url>", "Fetch code from URL").option("--github <path>", "GitHub shorthand: owner/repo/ref/path/to/file").option("--gist <path>", "Gist shorthand: gistId/file.ext").option("--hash <sha256>", "Expected SHA-256 hash of fetched code").option("--allow-insecure-code-url", "Allow insecure HTTP code URLs").option("--host <url>", "Execute on remote server").option("--key <key>", "API key for remote server").option("--no-stream", "Disable real-time output streaming").option("--debug", "Enable debug logging").option("--persist", "Keep container running after execution for inspection").option("--log-network", "Log all network requests (requires --net filtered)").action(async (file, opts) => {
   const {
     code,
     codeUrl,
@@ -62762,9 +62923,39 @@ program2.command("serve").description("Start the isol8 remote server").option("-
     logger.debug("[Serve] Running under Bun, starting server in-process");
     const { createServer: createServer2 } = await Promise.resolve().then(() => (init_server(), exports_server));
     const server = await createServer2({ port, apiKey, debug: opts.debug ?? false });
+    let shuttingDown = false;
+    const bunServer = Bun.serve({ fetch: server.app.fetch, port });
+    const shutdown = async () => {
+      if (shuttingDown) {
+        return;
+      }
+      shuttingDown = true;
+      logger.info("[Serve] Shutting down server and cleaning up resources...");
+      bunServer.stop();
+      try {
+        await server.shutdown();
+        logger.info("[Serve] Cleanup complete");
+        process.exit(0);
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        logger.error(`[Serve] Cleanup failed: ${message}`);
+        process.exit(1);
+      }
+    };
+    process.on("SIGINT", () => {
+      shutdown().catch((err) => {
+        const message = err instanceof Error ? err.message : String(err);
+        logger.error(`[Serve] Shutdown handler failed: ${message}`);
+      });
+    });
+    process.on("SIGTERM", () => {
+      shutdown().catch((err) => {
+        const message = err instanceof Error ? err.message : String(err);
+        logger.error(`[Serve] Shutdown handler failed: ${message}`);
+      });
+    });
     console.log(`[INFO] isol8 server v${VERSION} listening on http://localhost:${port}`);
     console.log("       Auth: Bearer token required");
-    Bun.serve({ fetch: server.app.fetch, port });
     return;
   }
   logger.debug("[Serve] Running under Node.js, launching standalone binary");
@@ -63185,6 +63376,7 @@ program2.command("cleanup").description("Remove orphaned isol8 containers (and o
 async function resolveRunInput(file, opts) {
   const config = loadConfig();
   logger.debug("[Run] Config loaded");
+  const hasExplicitNetFlag = process.argv.some((arg) => arg === "--net");
   let code;
   let codeUrl;
   let codeHash;
@@ -63249,7 +63441,6 @@ async function resolveRunInput(file, opts) {
     timeoutMs: opts.timeout ? Number.parseInt(opts.timeout, 10) : config.defaults.timeoutMs,
     ...opts.image ? { image: opts.image } : {},
     ...opts.pidsLimit ? { pidsLimit: Number.parseInt(opts.pidsLimit, 10) } : {},
-    ...opts.writable ? { readonlyRootFs: false } : {},
     ...opts.maxOutput ? { maxOutputSize: Number.parseInt(opts.maxOutput, 10) } : {},
     ...opts.tmpSize ? { tmpSize: opts.tmpSize } : {},
     debug: opts.debug ?? config.debug,
@@ -63258,6 +63449,20 @@ async function resolveRunInput(file, opts) {
     dependencies: config.dependencies,
     remoteCode: config.remoteCode
   };
+  if (opts.install.length > 0 && !hasExplicitNetFlag) {
+    engineOptions.network = "filtered";
+    logger.debug("[Run] --install detected without explicit --net; using filtered network mode automatically");
+  }
+  if (opts.install.length > 0 && engineOptions.network === "filtered") {
+    const runtimeRegistryAllowlist = getDefaultRegistryAllowPatterns(runtime);
+    if (runtimeRegistryAllowlist.length > 0) {
+      engineOptions.networkFilter = {
+        whitelist: Array.from(new Set([...engineOptions.networkFilter?.whitelist ?? [], ...runtimeRegistryAllowlist])),
+        blacklist: engineOptions.networkFilter?.blacklist ?? []
+      };
+      logger.debug(`[Run] Added default package registries for ${runtime}: ${runtimeRegistryAllowlist.join(", ")}`);
+    }
+  }
   logger.debug(`[Run] Engine options: mode=${engineOptions.mode}, network=${engineOptions.network}`);
   let fileExtension;
   if (file) {
@@ -63333,6 +63538,19 @@ function detectRuntimeFromPath(pathValue) {
     return;
   }
 }
+function getDefaultRegistryAllowPatterns(runtime) {
+  switch (runtime) {
+    case "python":
+      return ["^pypi\\.org$", "^files\\.pythonhosted\\.org$"];
+    case "node":
+    case "bun":
+      return ["^registry\\.npmjs\\.org$"];
+    case "bash":
+      return ["^dl-cdn\\.alpinelinux\\.org$"];
+    default:
+      return [];
+  }
+}
 function collect(value, previous) {
   return previous.concat([value]);
 }
@@ -63342,4 +63560,4 @@ if (!process.argv.slice(2).length) {
 }
 program2.parse();
 
-//# debugId=33A00A6A263B687D64756E2164756E21
+//# debugId=CC119428D90FAE3C64756E2164756E21

package/dist/index.js

@@ -546,6 +546,73 @@ class Semaphore {
   }
 }
 
+// src/engine/default-seccomp-profile.ts
+var EMBEDDED_DEFAULT_SECCOMP_PROFILE;
+var init_default_seccomp_profile = __esm(() => {
+  EMBEDDED_DEFAULT_SECCOMP_PROFILE = JSON.stringify({
+    defaultAction: "SCMP_ACT_ALLOW",
+    architectures: ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32", "SCMP_ARCH_AARCH64"],
+    syscalls: [
+      {
+        names: [
+          "acct",
+          "add_key",
+          "bpf",
+          "clock_adjtime",
+          "clock_settime",
+          "create_module",
+          "delete_module",
+          "finit_module",
+          "get_mempolicy",
+          "init_module",
+          "ioperm",
+          "iopl",
+          "kcmp",
+          "kexec_file_load",
+          "kexec_load",
+          "keyctl",
+          "lookup_dcookie",
+          "mbind",
+          "mount",
+          "move_pages",
+          "name_to_handle_at",
+          "open_by_handle_at",
+          "perf_event_open",
+          "pivot_root",
+          "process_vm_readv",
+          "process_vm_writev",
+          "ptrace",
+          "query_module",
+          "quotactl",
+          "reboot",
+          "request_key",
+          "set_mempolicy",
+          "setns",
+          "settimeofday",
+          "stime",
+          "swapon",
+          "swapoff",
+          "sysfs",
+          "syslog",
+          "umount",
+          "umount2",
+          "unshare",
+          "uselib",
+          "userfaultfd",
+          "ustat",
+          "vm86",
+          "vm86old"
+        ],
+        action: "SCMP_ACT_ERRNO",
+        args: [],
+        comment: "",
+        includes: {},
+        excludes: {}
+      }
+    ]
+  });
+});
+
 // src/engine/image-builder.ts
 import { createHash as createHash2 } from "node:crypto";
 import { existsSync as existsSync3, readFileSync as readFileSync2 } from "node:fs";
@@ -1087,7 +1154,19 @@ function wrapWithTimeout(cmd, timeoutSec) {
 function getInstallCommand(runtime, packages) {
   switch (runtime) {
     case "python":
-      return ["pip", "install", "--user", "--no-cache-dir", "--break-system-packages", ...packages];
+      return [
+        "pip",
+        "install",
+        "--user",
+        "--no-cache-dir",
+        "--break-system-packages",
+        "--disable-pip-version-check",
+        "--retries",
+        "0",
+        "--timeout",
+        "15",
+        ...packages
+      ];
     case "node":
       return ["npm", "install", "--prefix", "/sandbox", ...packages];
     case "bun":
@@ -1100,8 +1179,9 @@ function getInstallCommand(runtime, packages) {
       throw new Error(`Unknown runtime for package install: ${runtime}`);
   }
 }
-async function installPackages(container, runtime, packages) {
-  const cmd = getInstallCommand(runtime, packages);
+async function installPackages(container, runtime, packages, timeoutMs) {
+  const timeoutSec = Math.max(1, Math.ceil(timeoutMs / 1000));
+  const cmd = wrapWithTimeout(getInstallCommand(runtime, packages), timeoutSec);
   logger.debug(`Installing packages: ${JSON.stringify(cmd)}`);
   const env = [
     "PATH=/sandbox/.local/bin:/sandbox/.npm-global/bin:/sandbox/.bun-global/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"
@@ -1112,6 +1192,12 @@ async function installPackages(container, runtime, packages) {
     env.push("NPM_CONFIG_PREFIX=/sandbox/.npm-global");
     env.push("NPM_CONFIG_CACHE=/sandbox/.npm-cache");
     env.push("npm_config_cache=/sandbox/.npm-cache");
+    env.push("NPM_CONFIG_FETCH_RETRIES=0");
+    env.push("npm_config_fetch_retries=0");
+    env.push("NPM_CONFIG_FETCH_RETRY_MINTIMEOUT=1000");
+    env.push("npm_config_fetch_retry_mintimeout=1000");
+    env.push("NPM_CONFIG_FETCH_RETRY_MAXTIMEOUT=2000");
+    env.push("npm_config_fetch_retry_maxtimeout=2000");
   } else if (runtime === "bun") {
     env.push("BUN_INSTALL_GLOBAL_DIR=/sandbox/.bun-global");
     env.push("BUN_INSTALL_CACHE_DIR=/sandbox/.bun-cache");
@@ -1133,7 +1219,13 @@ async function installPackages(container, runtime, packages) {
     const stderrStream = new PassThrough;
     container.modem.demuxStream(stream, stdoutStream, stderrStream);
     stderrStream.on("data", (chunk) => {
-      stderr += chunk.toString();
+      const text = chunk.toString();
+      stderr += text;
+      logger.debug(`[install:${runtime}:stderr] ${text.trimEnd()}`);
+    });
+    stdoutStream.on("data", (chunk) => {
+      const text = chunk.toString();
+      logger.debug(`[install:${runtime}:stdout] ${text.trimEnd()}`);
     });
     stream.on("end", async () => {
       try {
@@ -1463,7 +1555,7 @@ class DockerIsol8 {
         const filePath = `${SANDBOX_WORKDIR}/main${ext}`;
         await writeFileViaExec(container, filePath, request.code);
         if (request.installPackages?.length) {
-          await installPackages(container, request.runtime, request.installPackages);
+          await installPackages(container, request.runtime, request.installPackages, timeoutMs);
         }
         if (request.files) {
           for (const [fPath, fContent] of Object.entries(request.files)) {
@@ -1592,7 +1684,7 @@ class DockerIsol8 {
         rawCmd = adapter.getCommand(req.code, filePath);
       }
       if (req.installPackages?.length) {
-        await installPackages(container, req.runtime, req.installPackages);
+        await installPackages(container, req.runtime, req.installPackages, timeoutMs);
       }
       const timeoutSec = Math.ceil(timeoutMs / 1000);
       let cmd;
@@ -1700,7 +1792,7 @@ class DockerIsol8 {
     const rawCmd = adapter.getCommand(req.code, filePath);
     const timeoutSec = Math.ceil(timeoutMs / 1000);
     if (req.installPackages?.length) {
-      await installPackages(this.container, req.runtime, req.installPackages);
+      await installPackages(this.container, req.runtime, req.installPackages, timeoutMs);
     }
     let cmd;
     if (req.stdin) {
@@ -1843,17 +1935,15 @@ class DockerIsol8 {
         const profile = readFileSync3(this.security.customProfilePath, "utf-8");
         opts.push(`seccomp=${profile}`);
       } catch (e) {
-        logger.error(`Failed to load custom seccomp profile: ${e}`);
+        throw new Error(`Failed to load custom seccomp profile at ${this.security.customProfilePath}: ${e}`);
       }
       return opts;
     }
     try {
       const profile = this.loadDefaultSeccompProfile();
-      if (profile) {
-        opts.push(`seccomp=${profile}`);
-      }
+      opts.push(`seccomp=${profile}`);
     } catch (e) {
-      logger.error(`Failed to load default seccomp profile: ${e}`);
+      throw new Error(`Failed to load default seccomp profile: ${e}`);
     }
     return opts;
   }
@@ -1866,8 +1956,11 @@ class DockerIsol8 {
     if (existsSync4(prodPath)) {
       return readFileSync3(prodPath, "utf-8");
     }
-    logger.warn("Could not locate default seccomp profile. Running without seccomp filter.");
-    return null;
+    if (EMBEDDED_DEFAULT_SECCOMP_PROFILE.length > 0) {
+      logger.debug(`Default seccomp profile file not found. Using embedded profile. Tried: ${devPath.pathname}, ${prodPath.pathname}`);
+      return EMBEDDED_DEFAULT_SECCOMP_PROFILE;
+    }
+    throw new Error("Embedded default seccomp profile is unavailable");
   }
   buildEnv(extra) {
     const env = [
@@ -2092,6 +2185,7 @@ var init_docker = __esm(() => {
   init_logger();
   init_audit();
   init_code_fetcher();
+  init_default_seccomp_profile();
   init_image_builder();
   init_pool();
   MAX_OUTPUT_BYTES = 1024 * 1024;
@@ -2235,7 +2329,8 @@ var DEFAULT_CONFIG = {
     cpuLimit: 1,
     network: "none",
     sandboxSize: "512m",
-    tmpSize: "256m"
+    tmpSize: "256m",
+    readonlyRootFs: true
   },
   network: {
     whitelist: [],
@@ -2304,7 +2399,8 @@ function mergeConfig(defaults, overrides) {
     maxConcurrent: overrides.maxConcurrent ?? defaults.maxConcurrent,
     defaults: {
       ...defaults.defaults,
-      ...overrides.defaults
+      ...overrides.defaults,
+      readonlyRootFs: overrides.defaults?.readonlyRootFs ?? defaults.defaults.readonlyRootFs
     },
     network: {
       whitelist: overrides.network?.whitelist ?? defaults.network.whitelist,
@@ -2349,7 +2445,7 @@ init_logger();
 // package.json
 var package_default = {
   name: "isol8",
-  version: "0.11.1",
+  version: "0.11.3",
   description: "Secure code execution engine for AI agents",
   author: "Illusion47586",
   license: "MIT",
@@ -2501,6 +2597,50 @@ async function createServer(options) {
   logger.debug(`[Server] Auto-prune: ${config.cleanup.autoPrune}`);
   const app = new Hono;
   const globalSemaphore = new Semaphore(config.maxConcurrent);
+  let pruneInterval;
+  let cleanupInFlight = null;
+  const cleanupSessions = async () => {
+    let removed = 0;
+    let failed = 0;
+    const errors = [];
+    for (const [id, session] of sessions) {
+      try {
+        await session.engine.stop();
+        removed++;
+      } catch (err) {
+        failed++;
+        const errorMsg = err instanceof Error ? err.message : String(err);
+        errors.push(`${id}: ${errorMsg}`);
+      } finally {
+        sessions.delete(id);
+      }
+    }
+    return { removed, failed, errors };
+  };
+  const runCleanup = async (includeImages) => {
+    if (cleanupInFlight) {
+      return cleanupInFlight;
+    }
+    cleanupInFlight = (async () => {
+      logger.info(`[Server] Starting cleanup (sessions=true containers=true images=${includeImages})`);
+      const sessionsResult = await cleanupSessions();
+      const containersResult = await DockerIsol82.cleanup();
+      const result = {
+        sessions: sessionsResult,
+        containers: containersResult
+      };
+      if (includeImages) {
+        result.images = await DockerIsol82.cleanupImages();
+      }
+      logger.info(`[Server] Cleanup complete: sessions=${result.sessions.removed}/${result.sessions.failed} containers=${result.containers.removed}/${result.containers.failed}${result.images ? ` images=${result.images.removed}/${result.images.failed}` : ""}`);
+      return result;
+    })();
+    try {
+      return await cleanupInFlight;
+    } finally {
+      cleanupInFlight = null;
+    }
+  };
   app.use("*", authMiddleware(options.apiKey));
   app.get("/health", (c) => c.json({ status: "ok", version: VERSION }));
   app.post("/execute", async (c) => {
@@ -2681,8 +2821,21 @@ async function createServer(options) {
     }
     return c.json({ ok: true });
   });
+  app.post("/cleanup", async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    const includeImages = body.images ?? true;
+    logger.debug(`[Server] POST /cleanup images=${includeImages}`);
+    try {
+      const result = await runCleanup(includeImages);
+      return c.json({ ok: true, ...result });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      logger.error(`[Server] Cleanup failed: ${message}`);
+      return c.json({ error: message }, 500);
+    }
+  });
   if (config.cleanup.autoPrune) {
-    setInterval(async () => {
+    pruneInterval = setInterval(async () => {
       const maxAge = config.cleanup.maxContainerAgeMs;
       const now = Date.now();
       for (const [id, session] of sessions) {
@@ -2700,7 +2853,15 @@ async function createServer(options) {
   return {
     app,
     fetch: app.fetch,
-    port: options.port
+    port: options.port,
+    cleanup: async (includeImages = true) => runCleanup(includeImages),
+    shutdown: async (includeImages = true) => {
+      if (pruneInterval) {
+        clearInterval(pruneInterval);
+        pruneInterval = undefined;
+      }
+      await runCleanup(includeImages);
+    }
   };
 }
 export {
@@ -2717,4 +2878,4 @@ export {
   BunAdapter
 };
 
-//# debugId=E6910E46B07952A064756E2164756E21
+//# debugId=91FAFD2CE7996A4E64756E2164756E21

package/dist/src/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAE3C;;;GAGG;AACH,QAAA,MAAM,cAAc,EAAE,WAyDrB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,UAAU,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,WAAW,CAepD;AAgDD,OAAO,EAAE,cAAc,EAAE,CAAC"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAE3C;;;GAGG;AACH,QAAA,MAAM,cAAc,EAAE,WA0DrB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,UAAU,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,WAAW,CAepD;AAiDD,OAAO,EAAE,cAAc,EAAE,CAAC"}

package/dist/src/engine/default-seccomp-profile.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Embedded default seccomp profile.
+ *
+ * This keeps strict seccomp available in standalone compiled binaries where
+ * docker/seccomp-profile.json may not be present on disk.
+ */
+export declare const EMBEDDED_DEFAULT_SECCOMP_PROFILE: string;
+//# sourceMappingURL=default-seccomp-profile.d.ts.map

package/dist/src/engine/default-seccomp-profile.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"default-seccomp-profile.d.ts","sourceRoot":"","sources":["../../../src/engine/default-seccomp-profile.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,eAAO,MAAM,gCAAgC,QA6D3C,CAAC"}

package/dist/src/engine/docker.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"docker.d.ts","sourceRoot":"","sources":["../../../src/engine/docker.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,MAAM,MAAM,WAAW,CAAC;AAG/B,OAAO,KAAK,EACV,gBAAgB,EAChB,eAAe,EAEf,WAAW,EAEX,YAAY,EAKZ,YAAY,EACZ,WAAW,EACZ,MAAM,UAAU,CAAC;AA2UlB,2HAA2H;AAC3H,MAAM,WAAW,kBAAmB,SAAQ,YAAY;IACtD,oFAAoF;IACpF,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;GAcG;AACH,qBAAa,WAAY,YAAW,WAAW;IAC7C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAY;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAc;IACtC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAsB;IACrD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAU;IACzC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;IACvC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyB;IACjD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAY;IACtC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAiB;IAC1C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAU;IAClC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAU;IACrC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAoB;IACjD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAA4C;IACrE,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAoB;IACjD,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAc;IAC3C,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAmB;IAEpD,OAAO,CAAC,SAAS,CAAiC;IAClD,OAAO,CAAC,iBAAiB,CAA+B;IACxD,OAAO,CAAC,IAAI,CAA8B;IAC1C,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA6B;YAE1C,uBAAuB;IA6BrC;;;OAGG;gBACS,OAAO,GAAE,kBAAuB,EAAE,aAAa,SAAK;IA4ChE;;;;;OAKG;IACG,KAAK,CAAC,OAAO,GAAE,YAAiB,GAAG,OAAO,CAAC,IAAI,CAAC;IAsCtD,kFAAkF;IAC5E,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAuB3B;;;OAGG;IACG,OAAO,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IAgB9D;;OAEG;YACW,WAAW;IAoDzB;;OAEG;YACW,qBAAqB;IA8CnC;;OAEG;YACW,kBAAkB;IA+DhC;;;;;;;OAOG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAYpE;;;;;;OAMG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAmB5C,6GAA6G;IAC7G,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED;;;OAGG;IACI,aAAa,CAAC,GAAG,EAAE,gBAAgB,GAAG,aAAa,CAAC,WAAW,CAAC;YAuFzD,YAAY;IA0C1B,OAAO,CAAC,UAAU;YAsBJ,gBAAgB;YAgKhB,iBAAiB;YAwIjB,aAAa;YAkBb,oBAAoB;YASpB,wBAAwB;IA4BtC,OAAO,CAAC,UAAU;IAIlB,OAAO,CAAC,eAAe;IA2BvB,OAAO,CAAC,iBAAiB;IA+BzB,OAAO,CAAC,yBAAyB;IAyBjC,OAAO,CAAC,QAAQ;YAwCD,gBAAgB;YA8EjB,iBAAiB;IAiG/B,OAAO,CAAC,iBAAiB;IAYzB;;;;;;;;;;;;;;;;;;;;OAoBG;WACU,OAAO,CAClB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IA0BjE;;;;;OAKG;WACU,aAAa,CACxB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;CA2BlE"}
+{"version":3,"file":"docker.d.ts","sourceRoot":"","sources":["../../../src/engine/docker.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,MAAM,MAAM,WAAW,CAAC;AAG/B,OAAO,KAAK,EACV,gBAAgB,EAChB,eAAe,EAEf,WAAW,EAEX,YAAY,EAKZ,YAAY,EACZ,WAAW,EACZ,MAAM,UAAU,CAAC;AAuWlB,2HAA2H;AAC3H,MAAM,WAAW,kBAAmB,SAAQ,YAAY;IACtD,oFAAoF;IACpF,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;GAcG;AACH,qBAAa,WAAY,YAAW,WAAW;IAC7C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAY;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAc;IACtC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAsB;IACrD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAU;IACzC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;IACvC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyB;IACjD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAY;IACtC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAiB;IAC1C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAU;IAClC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAU;IACrC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAoB;IACjD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAA4C;IACrE,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAoB;IACjD,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAc;IAC3C,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAmB;IAEpD,OAAO,CAAC,SAAS,CAAiC;IAClD,OAAO,CAAC,iBAAiB,CAA+B;IACxD,OAAO,CAAC,IAAI,CAA8B;IAC1C,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA6B;YAE1C,uBAAuB;IA6BrC;;;OAGG;gBACS,OAAO,GAAE,kBAAuB,EAAE,aAAa,SAAK;IA4ChE;;;;;OAKG;IACG,KAAK,CAAC,OAAO,GAAE,YAAiB,GAAG,OAAO,CAAC,IAAI,CAAC;IAsCtD,kFAAkF;IAC5E,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAuB3B;;;OAGG;IACG,OAAO,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IAgB9D;;OAEG;YACW,WAAW;IAoDzB;;OAEG;YACW,qBAAqB;IA8CnC;;OAEG;YACW,kBAAkB;IA+DhC;;;;;;;OAOG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAYpE;;;;;;OAMG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAmB5C,6GAA6G;IAC7G,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED;;;OAGG;IACI,aAAa,CAAC,GAAG,EAAE,gBAAgB,GAAG,aAAa,CAAC,WAAW,CAAC;YAuFzD,YAAY;IA0C1B,OAAO,CAAC,UAAU;YAsBJ,gBAAgB;YAgKhB,iBAAiB;YAwIjB,aAAa;YAkBb,oBAAoB;YASpB,wBAAwB;IA4BtC,OAAO,CAAC,UAAU;IAIlB,OAAO,CAAC,eAAe;IA2BvB,OAAO,CAAC,iBAAiB;IA+BzB,OAAO,CAAC,yBAAyB;IA6BjC,OAAO,CAAC,QAAQ;YAwCD,gBAAgB;YA8EjB,iBAAiB;IAiG/B,OAAO,CAAC,iBAAiB;IAYzB;;;;;;;;;;;;;;;;;;;;OAoBG;WACU,OAAO,CAClB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IA0BjE;;;;;OAKG;WACU,aAAa,CACxB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;CA2BlE"}

package/dist/src/server/index.d.ts

@@ -15,6 +15,23 @@ export interface ServerOptions {
     /** Enable debug logging for internal server operations. */
     debug?: boolean;
 }
+interface CleanupResult {
+    sessions: {
+        removed: number;
+        failed: number;
+        errors: string[];
+    };
+    containers: {
+        removed: number;
+        failed: number;
+        errors: string[];
+    };
+    images?: {
+        removed: number;
+        failed: number;
+        errors: string[];
+    };
+}
 /**
  * Creates and configures the isol8 HTTP server.
  *
@@ -36,5 +53,8 @@ export declare function createServer(options: ServerOptions): Promise<{
     app: Hono<import("hono/types").BlankEnv, import("hono/types").BlankSchema, "/">;
     fetch: (request: Request, Env?: unknown, executionCtx?: import("hono").ExecutionContext) => Response | Promise<Response>;
     port: number;
+    cleanup: (includeImages?: boolean) => Promise<CleanupResult>;
+    shutdown: (includeImages?: boolean) => Promise<void>;
 }>;
+export {};
 //# sourceMappingURL=index.d.ts.map

package/dist/src/server/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAS5B,+CAA+C;AAC/C,MAAM,WAAW,aAAa;IAC5B,yBAAyB;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,wDAAwD;IACxD,MAAM,EAAE,MAAM,CAAC;IACf,2DAA2D;IAC3D,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAaD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,aAAa;;;;GAmRxD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAS5B,+CAA+C;AAC/C,MAAM,WAAW,aAAa;IAC5B,yBAAyB;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,wDAAwD;IACxD,MAAM,EAAE,MAAM,CAAC;IACf,2DAA2D;IAC3D,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAaD,UAAU,aAAa;IACrB,QAAQ,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAChE,UAAU,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAClE,MAAM,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;CAChE;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,aAAa;;;;;;GAyWxD"}

package/dist/src/types.d.ts

@@ -389,6 +389,8 @@ export interface Isol8Defaults {
     sandboxSize: string;
     /** Default size of the `/tmp` tmpfs mount. @default "256m" */
     tmpSize: string;
+    /** Whether the root filesystem should be read-only. @default true */
+    readonlyRootFs: boolean;
 }
 /** Configuration for container cleanup and lifecycle. */
 export interface Isol8Cleanup {

package/dist/src/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH;;;;;;;;GAQG;AACH,MAAM,MAAM,OAAO,GAAG,QAAQ,GAAG,MAAM,GAAG,KAAK,GAAG,MAAM,GAAG,MAAM,CAAC;AAElE;;;;;;;GAOG;AACH,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,MAAM,GAAG,UAAU,CAAC;AAEvD;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B;;;OAGG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IAEd;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,8DAA8D;IAC9D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAE/B,sEAAsE;IACtE,OAAO,EAAE,OAAO,CAAC;IAEjB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAE7B;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,CAAC;IAExC;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IAEvB;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAE3B;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACnC;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,mDAAmD;IACnD,MAAM,EAAE,MAAM,CAAC;IAEf,+BAA+B;IAC/B,MAAM,EAAE,MAAM,CAAC;IAEf,gDAAgD;IAChD,QAAQ,EAAE,MAAM,CAAC;IAEjB,iDAAiD;IACjD,UAAU,EAAE,MAAM,CAAC;IAEnB,0FAA0F;IAC1F,SAAS,EAAE,OAAO,CAAC;IAEnB,4CAA4C;IAC5C,WAAW,EAAE,MAAM,CAAC;IAEpB,uCAAuC;IACvC,OAAO,EAAE,OAAO,CAAC;IAEjB,oDAAoD;IACpD,SAAS,EAAE,MAAM,CAAC;IAElB,0CAA0C;IAC1C,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;;OAIG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAE/B;;;OAGG;IACH,aAAa,CAAC,EAAE;QACd,kDAAkD;QAClD,UAAU,EAAE,MAAM,CAAC;QACnB,wCAAwC;QACxC,QAAQ,EAAE,MAAM,CAAC;QACjB,kDAAkD;QAClD,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,sCAAsC;QACtC,cAAc,EAAE,MAAM,CAAC;QACvB,kCAAkC;QAClC,eAAe,EAAE,MAAM,CAAC;KACzB,CAAC;IAEF;;;OAGG;IACH,WAAW,CAAC,EAAE,eAAe,EAAE,CAAC;CACjC,CAAC;;;;GAIC;AACH,MAAM,WAAW,WAAW;IAC1B,wDAAwD;IACxD,IAAI,EAAE,QAAQ,GAAG,QAAQ,GAAG,MAAM,GAAG,OAAO,CAAC;IAC7C,0FAA0F;IAC1F,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,uDAAuD;IACvD,SAAS,EAAE,MAAM,CAAC;IAClB,8CAA8C;IAC9C,MAAM,EAAE,MAAM,CAAC;IACf,uBAAuB;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,sEAAsE;IACtE,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,wEAAwE;IACxE,MAAM,EAAE,OAAO,GAAG,OAAO,CAAC;IAC1B,wDAAwD;IACxD,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE;QACd,kDAAkD;QAClD,UAAU,EAAE,MAAM,CAAC;QACnB,wCAAwC;QACxC,QAAQ,EAAE,MAAM,CAAC;QACjB,kDAAkD;QAClD,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,sCAAsC;QACtC,cAAc,EAAE,MAAM,CAAC;QACvB,kCAAkC;QAClC,eAAe,EAAE,MAAM,CAAC;KACzB,CAAC;IACF,cAAc,CAAC,EAAE,aAAa,EAAE,CAAC;IACjC,WAAW,CAAC,EAAE,eAAe,EAAE,CAAC;IAEhC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACnC;AAID;;;;;;GAMG;AACH,MAAM,MAAM,SAAS,GAAG,WAAW,GAAG,YAAY,CAAC;AAEnD;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,2CAA2C;IAC3C,IAAI,CAAC,EAAE,SAAS,CAAC;IAEjB,2CAA2C;IAC3C,OAAO,CAAC,EAAE,WAAW,CAAC;IAEtB,yFAAyF;IACzF,aAAa,CAAC,EAAE,mBAAmB,CAAC;IAEpC,mFAAmF;IACnF,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,mEAAmE;IACnE,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,4EAA4E;IAC5E,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,4DAA4D;IAC5D,cAAc,CAAC,EAAE,OAAO,CAAC;IAEzB,6EAA6E;IAC7E,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEjC,gEAAgE;IAChE,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,iEAAiE;IACjE,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,wIAAwI;IACxI,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,+EAA+E;IAC/E,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,2CAA2C;IAC3C,KAAK,CAAC,EAAE,OAAO,CAAC;IAEhB;;;;OAIG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;IAElB;;;;OAIG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IAErB,yBAAyB;IACzB,QAAQ,CAAC,EAAE,cAAc,CAAC;IAE1B,mCAAmC;IACnC,KAAK,CAAC,EAAE,WAAW,CAAC;IAEpB,mCAAmC;IACnC,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAE9B;;;;;OAKG;IACH,YAAY,CAAC,EAAE,QAAQ,GAAG,MAAM,CAAC;IAEjC;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,MAAM,GAAG;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IAErD;;;;OAIG;IACH,YAAY,CAAC,EAAE,iBAAiB,CAAC;CAClC;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B;;;;;;OAMG;IACH,OAAO,CAAC,EAAE,OAAO,GAAG;QAAE,QAAQ,CAAC,EAAE,OAAO,EAAE,CAAA;KAAE,CAAC;CAC9C;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,gEAAgE;IAChE,KAAK,CAAC,OAAO,CAAC,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE7C,kEAAkE;IAClE,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAEtB,0CAA0C;IAC1C,OAAO,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;IAEzD;;;;;;OAMG;IACH,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE/D;;;;;;OAMG;IACH,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAEvC;;;;;OAKG;IACH,aAAa,CAAC,GAAG,EAAE,gBAAgB,GAAG,aAAa,CAAC,WAAW,CAAC,CAAC;CAClE;AAID;;;;;;;;GAQG;AACH,MAAM,WAAW,mBAAmB;IAClC,2FAA2F;IAC3F,SAAS,EAAE,MAAM,EAAE,CAAC;IAEpB,mGAAmG;IACnG,SAAS,EAAE,MAAM,EAAE,CAAC;CACrB;AAED,8CAA8C;AAC9C,MAAM,WAAW,gBAAgB;IAC/B,uDAAuD;IACvD,OAAO,EAAE,OAAO,CAAC;IACjB,8CAA8C;IAC9C,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,qFAAqF;IACrF,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,uCAAuC;IACvC,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,iEAAiE;IACjE,WAAW,EAAE,MAAM,CAAC;IACpB,oDAAoD;IACpD,cAAc,EAAE,MAAM,CAAC;IACvB,kFAAkF;IAClF,WAAW,EAAE,OAAO,CAAC;IACrB,yDAAyD;IACzD,WAAW,EAAE,OAAO,CAAC;IACrB,yDAAyD;IACzD,QAAQ,EAAE,MAAM,CAAC;CAClB;AAID,oDAAoD;AACpD,MAAM,WAAW,aAAa;IAC5B,sDAAsD;IACtD,SAAS,EAAE,MAAM,CAAC;IAClB,4CAA4C;IAC5C,WAAW,EAAE,MAAM,CAAC;IACpB,4DAA4D;IAC5D,QAAQ,EAAE,MAAM,CAAC;IACjB,4CAA4C;IAC5C,OAAO,EAAE,WAAW,CAAC;IACrB,kEAAkE;IAClE,WAAW,EAAE,MAAM,CAAC;IACpB,8DAA8D;IAC9D,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,yDAAyD;AACzD,MAAM,WAAW,YAAY;IAC3B,oEAAoE;IACpE,SAAS,EAAE,OAAO,CAAC;IACnB,kFAAkF;IAClF,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,0CAA0C;IAC1C,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,oDAAoD;IACpD,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,wCAAwC;IACxC,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACf,qCAAqC;IACrC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,iDAAiD;IACjD,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B;;;;;OAKG;IACH,OAAO,CAAC,EAAE,QAAQ,GAAG,YAAY,GAAG,QAAQ,CAAC;IAC7C,mFAAmF;IACnF,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED,uCAAuC;AACvC,MAAM,WAAW,WAAW;IAC1B,2CAA2C;IAC3C,OAAO,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,WAAW,EAAE,YAAY,GAAG,QAAQ,GAAG,MAAM,CAAC;IAC9C,oFAAoF;IACpF,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,6FAA6F;IAC7F,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,gEAAgE;IAChE,cAAc,EAAE,OAAO,CAAC;IACxB,0DAA0D;IAC1D,aAAa,EAAE,MAAM,CAAC;IACtB,sEAAsE;IACtE,WAAW,EAAE,OAAO,CAAC;IACrB,6EAA6E;IAC7E,aAAa,EAAE,OAAO,CAAC;CACxB;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,WAAW;IAC1B,0EAA0E;IAC1E,aAAa,EAAE,MAAM,CAAC;IAEtB,sDAAsD;IACtD,QAAQ,EAAE,aAAa,CAAC;IAExB,4DAA4D;IAC5D,OAAO,EAAE,mBAAmB,CAAC;IAE7B,gDAAgD;IAChD,OAAO,EAAE,YAAY,CAAC;IAEtB;;;OAGG;IACH,YAAY,EAAE,QAAQ,GAAG,MAAM,CAAC;IAEhC;;;OAGG;IACH,QAAQ,EAAE,MAAM,GAAG;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IAEpD,mEAAmE;IACnE,YAAY,EAAE,iBAAiB,CAAC;IAEhC,yBAAyB;IACzB,QAAQ,EAAE,cAAc,CAAC;IAEzB,mCAAmC;IACnC,UAAU,EAAE,gBAAgB,CAAC;IAE7B,mCAAmC;IACnC,KAAK,EAAE,WAAW,CAAC;IAEnB,2CAA2C;IAC3C,KAAK,EAAE,OAAO,CAAC;CAChB;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,wDAAwD;IACxD,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,2CAA2C;IAC3C,KAAK,CAAC,EAAE,OAAO,CAAC;IAEhB,0EAA0E;IAC1E,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB,kFAAkF;IAClF,QAAQ,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC;IAElC,4DAA4D;IAC5D,OAAO,CAAC,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAEvC,4EAA4E;IAC5E,OAAO,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAEhC;;;OAGG;IACH,YAAY,CAAC,EAAE,QAAQ,GAAG,MAAM,CAAC;IAEjC;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,GAAG;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IAErD,mEAAmE;IACnE,YAAY,CAAC,EAAE,iBAAiB,CAAC;IAEjC,yBAAyB;IACzB,QAAQ,CAAC,EAAE,cAAc,CAAC;IAE1B,+DAA+D;IAC/D,UAAU,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAEvC,mCAAmC;IACnC,KAAK,CAAC,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;CAC9B"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH;;;;;;;;GAQG;AACH,MAAM,MAAM,OAAO,GAAG,QAAQ,GAAG,MAAM,GAAG,KAAK,GAAG,MAAM,GAAG,MAAM,CAAC;AAElE;;;;;;;GAOG;AACH,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,MAAM,GAAG,UAAU,CAAC;AAEvD;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B;;;OAGG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IAEd;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,8DAA8D;IAC9D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAE/B,sEAAsE;IACtE,OAAO,EAAE,OAAO,CAAC;IAEjB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAE7B;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,CAAC;IAExC;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IAEvB;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAE3B;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACnC;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,mDAAmD;IACnD,MAAM,EAAE,MAAM,CAAC;IAEf,+BAA+B;IAC/B,MAAM,EAAE,MAAM,CAAC;IAEf,gDAAgD;IAChD,QAAQ,EAAE,MAAM,CAAC;IAEjB,iDAAiD;IACjD,UAAU,EAAE,MAAM,CAAC;IAEnB,0FAA0F;IAC1F,SAAS,EAAE,OAAO,CAAC;IAEnB,4CAA4C;IAC5C,WAAW,EAAE,MAAM,CAAC;IAEpB,uCAAuC;IACvC,OAAO,EAAE,OAAO,CAAC;IAEjB,oDAAoD;IACpD,SAAS,EAAE,MAAM,CAAC;IAElB,0CAA0C;IAC1C,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;;OAIG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAE/B;;;OAGG;IACH,aAAa,CAAC,EAAE;QACd,kDAAkD;QAClD,UAAU,EAAE,MAAM,CAAC;QACnB,wCAAwC;QACxC,QAAQ,EAAE,MAAM,CAAC;QACjB,kDAAkD;QAClD,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,sCAAsC;QACtC,cAAc,EAAE,MAAM,CAAC;QACvB,kCAAkC;QAClC,eAAe,EAAE,MAAM,CAAC;KACzB,CAAC;IAEF;;;OAGG;IACH,WAAW,CAAC,EAAE,eAAe,EAAE,CAAC;CACjC,CAAC;;;;GAIC;AACH,MAAM,WAAW,WAAW;IAC1B,wDAAwD;IACxD,IAAI,EAAE,QAAQ,GAAG,QAAQ,GAAG,MAAM,GAAG,OAAO,CAAC;IAC7C,0FAA0F;IAC1F,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,uDAAuD;IACvD,SAAS,EAAE,MAAM,CAAC;IAClB,8CAA8C;IAC9C,MAAM,EAAE,MAAM,CAAC;IACf,uBAAuB;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,sEAAsE;IACtE,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,wEAAwE;IACxE,MAAM,EAAE,OAAO,GAAG,OAAO,CAAC;IAC1B,wDAAwD;IACxD,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE;QACd,kDAAkD;QAClD,UAAU,EAAE,MAAM,CAAC;QACnB,wCAAwC;QACxC,QAAQ,EAAE,MAAM,CAAC;QACjB,kDAAkD;QAClD,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,sCAAsC;QACtC,cAAc,EAAE,MAAM,CAAC;QACvB,kCAAkC;QAClC,eAAe,EAAE,MAAM,CAAC;KACzB,CAAC;IACF,cAAc,CAAC,EAAE,aAAa,EAAE,CAAC;IACjC,WAAW,CAAC,EAAE,eAAe,EAAE,CAAC;IAEhC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACnC;AAID;;;;;;GAMG;AACH,MAAM,MAAM,SAAS,GAAG,WAAW,GAAG,YAAY,CAAC;AAEnD;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,2CAA2C;IAC3C,IAAI,CAAC,EAAE,SAAS,CAAC;IAEjB,2CAA2C;IAC3C,OAAO,CAAC,EAAE,WAAW,CAAC;IAEtB,yFAAyF;IACzF,aAAa,CAAC,EAAE,mBAAmB,CAAC;IAEpC,mFAAmF;IACnF,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,mEAAmE;IACnE,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,4EAA4E;IAC5E,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,4DAA4D;IAC5D,cAAc,CAAC,EAAE,OAAO,CAAC;IAEzB,6EAA6E;IAC7E,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEjC,gEAAgE;IAChE,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,iEAAiE;IACjE,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,wIAAwI;IACxI,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,+EAA+E;IAC/E,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,2CAA2C;IAC3C,KAAK,CAAC,EAAE,OAAO,CAAC;IAEhB;;;;OAIG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;IAElB;;;;OAIG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IAErB,yBAAyB;IACzB,QAAQ,CAAC,EAAE,cAAc,CAAC;IAE1B,mCAAmC;IACnC,KAAK,CAAC,EAAE,WAAW,CAAC;IAEpB,mCAAmC;IACnC,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAE9B;;;;;OAKG;IACH,YAAY,CAAC,EAAE,QAAQ,GAAG,MAAM,CAAC;IAEjC;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,MAAM,GAAG;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IAErD;;;;OAIG;IACH,YAAY,CAAC,EAAE,iBAAiB,CAAC;CAClC;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B;;;;;;OAMG;IACH,OAAO,CAAC,EAAE,OAAO,GAAG;QAAE,QAAQ,CAAC,EAAE,OAAO,EAAE,CAAA;KAAE,CAAC;CAC9C;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,gEAAgE;IAChE,KAAK,CAAC,OAAO,CAAC,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE7C,kEAAkE;IAClE,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAEtB,0CAA0C;IAC1C,OAAO,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;IAEzD;;;;;;OAMG;IACH,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE/D;;;;;;OAMG;IACH,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAEvC;;;;;OAKG;IACH,aAAa,CAAC,GAAG,EAAE,gBAAgB,GAAG,aAAa,CAAC,WAAW,CAAC,CAAC;CAClE;AAID;;;;;;;;GAQG;AACH,MAAM,WAAW,mBAAmB;IAClC,2FAA2F;IAC3F,SAAS,EAAE,MAAM,EAAE,CAAC;IAEpB,mGAAmG;IACnG,SAAS,EAAE,MAAM,EAAE,CAAC;CACrB;AAED,8CAA8C;AAC9C,MAAM,WAAW,gBAAgB;IAC/B,uDAAuD;IACvD,OAAO,EAAE,OAAO,CAAC;IACjB,8CAA8C;IAC9C,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,qFAAqF;IACrF,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,uCAAuC;IACvC,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,iEAAiE;IACjE,WAAW,EAAE,MAAM,CAAC;IACpB,oDAAoD;IACpD,cAAc,EAAE,MAAM,CAAC;IACvB,kFAAkF;IAClF,WAAW,EAAE,OAAO,CAAC;IACrB,yDAAyD;IACzD,WAAW,EAAE,OAAO,CAAC;IACrB,yDAAyD;IACzD,QAAQ,EAAE,MAAM,CAAC;CAClB;AAID,oDAAoD;AACpD,MAAM,WAAW,aAAa;IAC5B,sDAAsD;IACtD,SAAS,EAAE,MAAM,CAAC;IAClB,4CAA4C;IAC5C,WAAW,EAAE,MAAM,CAAC;IACpB,4DAA4D;IAC5D,QAAQ,EAAE,MAAM,CAAC;IACjB,4CAA4C;IAC5C,OAAO,EAAE,WAAW,CAAC;IACrB,kEAAkE;IAClE,WAAW,EAAE,MAAM,CAAC;IACpB,8DAA8D;IAC9D,OAAO,EAAE,MAAM,CAAC;IAChB,qEAAqE;IACrE,cAAc,EAAE,OAAO,CAAC;CACzB;AAED,yDAAyD;AACzD,MAAM,WAAW,YAAY;IAC3B,oEAAoE;IACpE,SAAS,EAAE,OAAO,CAAC;IACnB,kFAAkF;IAClF,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,0CAA0C;IAC1C,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,oDAAoD;IACpD,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,wCAAwC;IACxC,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACf,qCAAqC;IACrC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,iDAAiD;IACjD,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B;;;;;OAKG;IACH,OAAO,CAAC,EAAE,QAAQ,GAAG,YAAY,GAAG,QAAQ,CAAC;IAC7C,mFAAmF;IACnF,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED,uCAAuC;AACvC,MAAM,WAAW,WAAW;IAC1B,2CAA2C;IAC3C,OAAO,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,WAAW,EAAE,YAAY,GAAG,QAAQ,GAAG,MAAM,CAAC;IAC9C,oFAAoF;IACpF,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,6FAA6F;IAC7F,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,gEAAgE;IAChE,cAAc,EAAE,OAAO,CAAC;IACxB,0DAA0D;IAC1D,aAAa,EAAE,MAAM,CAAC;IACtB,sEAAsE;IACtE,WAAW,EAAE,OAAO,CAAC;IACrB,6EAA6E;IAC7E,aAAa,EAAE,OAAO,CAAC;CACxB;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,WAAW;IAC1B,0EAA0E;IAC1E,aAAa,EAAE,MAAM,CAAC;IAEtB,sDAAsD;IACtD,QAAQ,EAAE,aAAa,CAAC;IAExB,4DAA4D;IAC5D,OAAO,EAAE,mBAAmB,CAAC;IAE7B,gDAAgD;IAChD,OAAO,EAAE,YAAY,CAAC;IAEtB;;;OAGG;IACH,YAAY,EAAE,QAAQ,GAAG,MAAM,CAAC;IAEhC;;;OAGG;IACH,QAAQ,EAAE,MAAM,GAAG;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IAEpD,mEAAmE;IACnE,YAAY,EAAE,iBAAiB,CAAC;IAEhC,yBAAyB;IACzB,QAAQ,EAAE,cAAc,CAAC;IAEzB,mCAAmC;IACnC,UAAU,EAAE,gBAAgB,CAAC;IAE7B,mCAAmC;IACnC,KAAK,EAAE,WAAW,CAAC;IAEnB,2CAA2C;IAC3C,KAAK,EAAE,OAAO,CAAC;CAChB;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,wDAAwD;IACxD,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,2CAA2C;IAC3C,KAAK,CAAC,EAAE,OAAO,CAAC;IAEhB,0EAA0E;IAC1E,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB,kFAAkF;IAClF,QAAQ,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC;IAElC,4DAA4D;IAC5D,OAAO,CAAC,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAEvC,4EAA4E;IAC5E,OAAO,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAEhC;;;OAGG;IACH,YAAY,CAAC,EAAE,QAAQ,GAAG,MAAM,CAAC;IAEjC;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,GAAG;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IAErD,mEAAmE;IACnE,YAAY,CAAC,EAAE,iBAAiB,CAAC;IAEjC,yBAAyB;IACzB,QAAQ,CAAC,EAAE,cAAc,CAAC;IAE1B,+DAA+D;IAC/D,UAAU,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAEvC,mCAAmC;IACnC,KAAK,CAAC,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;CAC9B"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "isol8",
-  "version": "0.11.2",
+  "version": "0.12.0",
   "description": "Secure code execution engine for AI agents",
   "author": "Illusion47586",
   "license": "MIT",

package/schema/isol8.config.schema.json

@@ -140,6 +140,11 @@
               "default": "none",
               "description": "Default network mode."
             },
+            "readonlyRootFs": {
+              "default": true,
+              "description": "Whether the root filesystem should be read-only.",
+              "type": "boolean"
+            },
             "sandboxSize": {
               "default": "512m",
               "description": "Default size of the `/sandbox` tmpfs mount.",