tensorlake 0.4.40 → 0.4.42

package/dist/sandbox-image.js

@@ -0,0 +1,2069 @@
+// src/sandbox-image.ts
+import { readFile, readdir, stat } from "fs/promises";
+import path from "path";
+import { parseArgs } from "util";
+
+// src/models.ts
+function snakeToCamel(str) {
+  return str.replace(/_([a-z])/g, (_, ch) => ch.toUpperCase());
+}
+function parseTimestamp(v) {
+  if (v == null) return void 0;
+  if (v instanceof Date) return v;
+  if (typeof v === "string") {
+    const parsed = Date.parse(v);
+    return Number.isNaN(parsed) ? void 0 : new Date(parsed);
+  }
+  const ts = Number(v);
+  if (isNaN(ts)) return void 0;
+  if (ts > 1e15) return new Date(ts / 1e3);
+  if (ts > 1e12) return new Date(ts);
+  return new Date(ts * 1e3);
+}
+function fromSnakeKeys(obj, idField) {
+  if (Array.isArray(obj)) return obj.map((item) => fromSnakeKeys(item, idField));
+  if (obj !== null && typeof obj === "object" && !(obj instanceof Date)) {
+    const result = {};
+    for (const [k, v] of Object.entries(obj)) {
+      let key;
+      if (k === "id" && idField) {
+        key = idField;
+      } else {
+        key = snakeToCamel(k);
+      }
+      if (key.endsWith("At") || key === "timestamp" || key === "startedAt" || key === "endedAt") {
+        result[key] = parseTimestamp(v);
+      } else if (typeof v === "object" && v !== null && !Array.isArray(v)) {
+        result[key] = fromSnakeKeys(v);
+      } else if (Array.isArray(v)) {
+        result[key] = v.map((item) => fromSnakeKeys(item));
+      } else {
+        result[key] = v === null ? void 0 : v;
+      }
+    }
+    return result;
+  }
+  return obj;
+}
+
+// src/defaults.ts
+var API_URL = process.env.TENSORLAKE_API_URL ?? "https://api.tensorlake.ai";
+var API_KEY = process.env.TENSORLAKE_API_KEY ?? void 0;
+var NAMESPACE = process.env.INDEXIFY_NAMESPACE ?? "default";
+var SANDBOX_PROXY_URL = process.env.TENSORLAKE_SANDBOX_PROXY_URL ?? "https://sandbox.tensorlake.ai";
+var DEFAULT_HTTP_TIMEOUT_MS = 3e4;
+var MAX_RETRIES = 3;
+var RETRY_BACKOFF_MS = 500;
+var RETRYABLE_STATUS_CODES = /* @__PURE__ */ new Set([429, 502, 503, 504]);
+
+// src/errors.ts
+var SandboxException = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "SandboxException";
+  }
+};
+var SandboxError = class extends SandboxException {
+  constructor(message) {
+    super(message);
+    this.name = "SandboxError";
+  }
+};
+var SandboxConnectionError = class extends SandboxError {
+  constructor(message) {
+    super(`Connection error: ${message}`);
+    this.name = "SandboxConnectionError";
+  }
+};
+var SandboxNotFoundError = class extends SandboxError {
+  sandboxId;
+  constructor(sandboxId) {
+    super(`Sandbox not found: ${sandboxId}`);
+    this.name = "SandboxNotFoundError";
+    this.sandboxId = sandboxId;
+  }
+};
+var PoolNotFoundError = class extends SandboxError {
+  poolId;
+  constructor(poolId) {
+    super(`Sandbox pool not found: ${poolId}`);
+    this.name = "PoolNotFoundError";
+    this.poolId = poolId;
+  }
+};
+var PoolInUseError = class extends SandboxError {
+  poolId;
+  constructor(poolId, message) {
+    const base = `Cannot delete pool ${poolId}: pool is in use`;
+    super(message ? `${base} - ${message}` : base);
+    this.name = "PoolInUseError";
+    this.poolId = poolId;
+  }
+};
+var RemoteAPIError = class extends SandboxError {
+  statusCode;
+  responseMessage;
+  constructor(statusCode, message) {
+    super(`API error (status ${statusCode}): ${message}`);
+    this.name = "RemoteAPIError";
+    this.statusCode = statusCode;
+    this.responseMessage = message;
+  }
+};
+
+// src/http.ts
+var HttpClient = class {
+  baseUrl;
+  headers;
+  maxRetries;
+  retryBackoffMs;
+  timeoutMs;
+  abortController = null;
+  constructor(options) {
+    const url = options.baseUrl;
+    this.baseUrl = url.endsWith("/") ? url.slice(0, -1) : url;
+    this.maxRetries = options.maxRetries ?? MAX_RETRIES;
+    this.retryBackoffMs = options.retryBackoffMs ?? RETRY_BACKOFF_MS;
+    this.timeoutMs = options.timeoutMs ?? DEFAULT_HTTP_TIMEOUT_MS;
+    this.headers = {};
+    if (options.apiKey) {
+      this.headers["Authorization"] = `Bearer ${options.apiKey}`;
+    }
+    if (options.organizationId) {
+      this.headers["X-Forwarded-Organization-Id"] = options.organizationId;
+    }
+    if (options.projectId) {
+      this.headers["X-Forwarded-Project-Id"] = options.projectId;
+    }
+    if (options.hostHeader) {
+      this.headers["Host"] = options.hostHeader;
+    }
+  }
+  close() {
+    this.abortController?.abort();
+    this.abortController = null;
+  }
+  /** Make a JSON request, returning the parsed response body. */
+  async requestJson(method, path2, options) {
+    const response = await this.requestResponse(method, path2, {
+      json: options?.body,
+      headers: options?.headers,
+      signal: options?.signal
+    });
+    const text = await response.text();
+    if (!text) return void 0;
+    return JSON.parse(text);
+  }
+  /** Make a request returning raw bytes. */
+  async requestBytes(method, path2, options) {
+    const headers = { ...options?.headers ?? {} };
+    if (options?.contentType) {
+      headers["Content-Type"] = options.contentType;
+    }
+    const response = await this.requestResponse(
+      method,
+      path2,
+      {
+        body: options?.body,
+        headers,
+        signal: options?.signal
+      }
+    );
+    const buffer = await response.arrayBuffer();
+    return new Uint8Array(buffer);
+  }
+  /** Make a request and return the raw Response (for SSE streaming). */
+  async requestStream(method, path2, options) {
+    const response = await this.requestResponse(
+      method,
+      path2,
+      {
+        headers: { Accept: "text/event-stream" },
+        signal: options?.signal
+      }
+    );
+    if (!response.body) {
+      throw new RemoteAPIError(response.status, "No response body for SSE stream");
+    }
+    return response.body;
+  }
+  /** Make a request and return the raw Response. */
+  async requestResponse(method, path2, options) {
+    const headers = {
+      ...this.headers,
+      ...options?.headers ?? {}
+    };
+    const hasJsonBody = options?.json !== void 0;
+    if (hasJsonBody && !hasHeader(headers, "Content-Type")) {
+      headers["Content-Type"] = "application/json";
+    }
+    const body = hasJsonBody ? JSON.stringify(options?.json) : normalizeRequestBody(options?.body);
+    return this.doFetch(
+      method,
+      path2,
+      body,
+      headers,
+      options?.signal,
+      options?.allowHttpErrors ?? false
+    );
+  }
+  async doFetch(method, path2, body, headers, signal, allowHttpErrors = false) {
+    const url = `${this.baseUrl}${path2}`;
+    let lastError;
+    for (let attempt = 0; attempt <= this.maxRetries; attempt++) {
+      if (attempt > 0) {
+        const delay = this.retryBackoffMs * Math.pow(2, attempt - 1);
+        await sleep(delay);
+      }
+      this.abortController = new AbortController();
+      const timeoutId = setTimeout(
+        () => this.abortController?.abort(),
+        this.timeoutMs
+      );
+      const combinedSignal = signal ? anySignal([signal, this.abortController.signal]) : this.abortController.signal;
+      try {
+        const response = await fetch(url, {
+          method,
+          headers,
+          body,
+          signal: combinedSignal
+        });
+        clearTimeout(timeoutId);
+        if (response.ok) return response;
+        if (RETRYABLE_STATUS_CODES.has(response.status) && attempt < this.maxRetries) {
+          lastError = new RemoteAPIError(
+            response.status,
+            await response.text().catch(() => "")
+          );
+          continue;
+        }
+        if (allowHttpErrors) {
+          return response;
+        }
+        const errorBody = await response.text().catch(() => "");
+        throwMappedError(response.status, errorBody, path2);
+      } catch (err) {
+        clearTimeout(timeoutId);
+        if (err instanceof RemoteAPIError || err instanceof SandboxNotFoundError || err instanceof PoolNotFoundError || err instanceof PoolInUseError) {
+          throw err;
+        }
+        if (signal?.aborted) {
+          throw new SandboxConnectionError("Request aborted");
+        }
+        lastError = err instanceof Error ? err : new Error(String(err));
+        if (attempt >= this.maxRetries) {
+          throw new SandboxConnectionError(lastError.message);
+        }
+      }
+    }
+    throw new SandboxConnectionError(lastError?.message ?? "Request failed");
+  }
+};
+function hasHeader(headers, name) {
+  const lowered = name.toLowerCase();
+  return Object.keys(headers).some((key) => key.toLowerCase() === lowered);
+}
+function normalizeRequestBody(body) {
+  if (body == null) {
+    return void 0;
+  }
+  if (body instanceof Uint8Array) {
+    return Uint8Array.from(body).buffer;
+  }
+  return body;
+}
+function throwMappedError(status, body, path2) {
+  let message = body;
+  try {
+    const parsed = JSON.parse(body);
+    if (parsed.message) message = parsed.message;
+    else if (parsed.error) message = parsed.error;
+  } catch {
+  }
+  if (status === 404) {
+    if (path2.includes("sandbox-pools") || path2.includes("pools")) {
+      const match = path2.match(/sandbox-pools\/([^/]+)/);
+      if (match) throw new PoolNotFoundError(match[1]);
+    }
+    if (path2.includes("sandboxes")) {
+      const match = path2.match(/sandboxes\/([^/]+)/);
+      if (match) throw new SandboxNotFoundError(match[1]);
+    }
+    throw new RemoteAPIError(404, message);
+  }
+  if (status === 409) {
+    if (path2.includes("sandbox-pools") || path2.includes("pools")) {
+      const match = path2.match(/sandbox-pools\/([^/]+)/);
+      if (match) throw new PoolInUseError(match[1], message);
+    }
+  }
+  throw new RemoteAPIError(status, message);
+}
+function anySignal(signals) {
+  const controller = new AbortController();
+  for (const signal of signals) {
+    if (signal.aborted) {
+      controller.abort(signal.reason);
+      return controller.signal;
+    }
+    signal.addEventListener("abort", () => controller.abort(signal.reason), {
+      once: true
+    });
+  }
+  return controller.signal;
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+// src/sse.ts
+async function* parseSSEMessages(stream, signal) {
+  const reader = stream.getReader();
+  const decoder = new TextDecoder();
+  let buffer = "";
+  try {
+    while (true) {
+      if (signal?.aborted) break;
+      const { done, value } = await reader.read();
+      if (done) break;
+      buffer += decoder.decode(value, { stream: true });
+      const parts = buffer.split(/\r?\n\r?\n/);
+      buffer = parts.pop() ?? "";
+      for (const part of parts) {
+        const lines = part.split(/\r?\n/);
+        const dataLines = [];
+        let event;
+        let id;
+        for (const line of lines) {
+          if (!line || line.startsWith(":")) continue;
+          const separator = line.indexOf(":");
+          const field = separator === -1 ? line : line.slice(0, separator);
+          let value2 = separator === -1 ? "" : line.slice(separator + 1);
+          if (value2.startsWith(" ")) {
+            value2 = value2.slice(1);
+          }
+          if (field === "data") {
+            dataLines.push(value2);
+          } else if (field === "event") {
+            event = value2;
+          } else if (field === "id") {
+            id = value2;
+          }
+        }
+        if (dataLines.length > 0 || event || id) {
+          yield { data: dataLines.join("\n"), event, id };
+        }
+      }
+    }
+  } finally {
+    reader.releaseLock();
+  }
+}
+async function* parseSSEStream(stream, signal) {
+  for await (const message of parseSSEMessages(stream, signal)) {
+    if (!message.data) continue;
+    try {
+      yield JSON.parse(message.data);
+    } catch {
+    }
+  }
+}
+
+// src/url.ts
+function trimTrailingSlashes(url) {
+  return url.endsWith("/") ? url.slice(0, -1) : url;
+}
+function isLocalhost(apiUrl) {
+  try {
+    const parsed = new URL(apiUrl);
+    return parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1";
+  } catch {
+    return false;
+  }
+}
+function resolveProxyUrl(apiUrl) {
+  const explicit = process.env.TENSORLAKE_SANDBOX_PROXY_URL;
+  if (explicit) return explicit;
+  if (isLocalhost(apiUrl)) return "http://localhost:9443";
+  try {
+    const parsed = new URL(apiUrl);
+    const host = parsed.hostname;
+    if (host.startsWith("api.")) {
+      const proxyHost = "sandbox." + host.slice(4);
+      return `${parsed.protocol}//${proxyHost}`;
+    }
+  } catch {
+  }
+  return SANDBOX_PROXY_URL;
+}
+function resolveProxyTarget(proxyUrl, sandboxId) {
+  try {
+    const parsed = new URL(proxyUrl);
+    const host = parsed.hostname;
+    if (host === "localhost" || host === "127.0.0.1") {
+      return {
+        baseUrl: trimTrailingSlashes(proxyUrl),
+        hostHeader: `${sandboxId}.local`
+      };
+    }
+    const port = parsed.port ? `:${parsed.port}` : "";
+    return {
+      baseUrl: `${parsed.protocol}//${sandboxId}.${host}${port}`,
+      hostHeader: void 0
+    };
+  } catch {
+    return {
+      baseUrl: `${trimTrailingSlashes(proxyUrl)}/${sandboxId}`,
+      hostHeader: void 0
+    };
+  }
+}
+function lifecyclePath(path2, isLocal, namespace) {
+  if (isLocal) {
+    return `/v1/namespaces/${namespace}/${path2}`;
+  }
+  return `/${path2}`;
+}
+
+// src/sandbox.ts
+import WebSocket from "ws";
+var PTY_OP_DATA = 0;
+var PTY_OP_RESIZE = 1;
+var PTY_OP_READY = 2;
+var PTY_OP_EXIT = 3;
+var Pty = class {
+  sessionId;
+  token;
+  wsUrl;
+  wsHeaders;
+  killSession;
+  socket = null;
+  connectPromise = null;
+  intentionalDisconnect = false;
+  exitCode = null;
+  waitSettled = false;
+  dataHandlers = /* @__PURE__ */ new Set();
+  exitHandlers = /* @__PURE__ */ new Set();
+  waitPromise;
+  resolveWait;
+  rejectWait;
+  constructor(options) {
+    this.sessionId = options.sessionId;
+    this.token = options.token;
+    this.wsUrl = options.wsUrl;
+    this.wsHeaders = options.wsHeaders;
+    this.killSession = options.killSession;
+    this.waitPromise = new Promise((resolve, reject) => {
+      this.resolveWait = resolve;
+      this.rejectWait = reject;
+    });
+  }
+  onData(handler) {
+    this.dataHandlers.add(handler);
+    return () => this.dataHandlers.delete(handler);
+  }
+  onExit(handler) {
+    this.exitHandlers.add(handler);
+    if (this.exitCode != null) {
+      queueMicrotask(() => handler(this.exitCode));
+    }
+    return () => this.exitHandlers.delete(handler);
+  }
+  async connect() {
+    if (this.socket?.readyState === WebSocket.OPEN) {
+      return this;
+    }
+    if (this.connectPromise) {
+      return this.connectPromise;
+    }
+    this.intentionalDisconnect = false;
+    this.connectPromise = new Promise((resolve, reject) => {
+      let opened = false;
+      const socket = new WebSocket(this.wsUrl, {
+        headers: this.wsHeaders
+      });
+      this.socket = socket;
+      socket.on("open", async () => {
+        try {
+          await sendPtyFrame(socket, Buffer.from([PTY_OP_READY]));
+          opened = true;
+          resolve(this);
+        } catch (error) {
+          reject(error);
+        }
+      });
+      socket.on("message", (message) => {
+        const bytes = normalizePtyMessage(message);
+        const opcode = bytes[0];
+        if (opcode === PTY_OP_DATA) {
+          const payload = bytes.subarray(1);
+          for (const handler of this.dataHandlers) {
+            handler(payload);
+          }
+          return;
+        }
+        if (opcode === PTY_OP_EXIT && bytes.length >= 5) {
+          this.finishWait(bytes.readInt32BE(1));
+        }
+      });
+      socket.on("close", (code, reason) => {
+        const closeReason = Buffer.isBuffer(reason) ? reason.toString("utf8") : String(reason);
+        if (this.socket === socket) {
+          this.socket = null;
+        }
+        this.connectPromise = null;
+        if (this.exitCode != null) {
+          this.finishWait(this.exitCode);
+          return;
+        }
+        if (closeReason.startsWith("exit:")) {
+          const parsed = Number.parseInt(closeReason.slice(5), 10);
+          this.finishWait(Number.isNaN(parsed) ? -1 : parsed);
+          return;
+        }
+        if (this.intentionalDisconnect) {
+          this.intentionalDisconnect = false;
+          return;
+        }
+        if (!opened) {
+          reject(new SandboxError(
+            `PTY websocket closed before READY completed: ${code} ${closeReason || "no reason"}`
+          ));
+          return;
+        }
+        if (closeReason === "session terminated") {
+          this.failWait(new SandboxError("PTY session terminated"));
+          return;
+        }
+        this.failWait(
+          new SandboxError(
+            `PTY websocket closed unexpectedly: ${code} ${closeReason || "no reason"}`
+          )
+        );
+      });
+      socket.on("error", (error) => {
+        if (!opened) {
+          reject(error);
+        }
+      });
+    });
+    return this.connectPromise;
+  }
+  async sendInput(input) {
+    const socket = this.requireOpenSocket();
+    await sendPtyFrame(socket, encodePtyInput(input));
+  }
+  async resize(cols, rows) {
+    const socket = this.requireOpenSocket();
+    await sendPtyFrame(socket, encodePtyResize(cols, rows));
+  }
+  disconnect(code = 1e3, reason = "client disconnect") {
+    if (!this.socket) return;
+    this.intentionalDisconnect = true;
+    this.socket.close(code, reason);
+  }
+  wait() {
+    return this.waitPromise;
+  }
+  async kill() {
+    await this.killSession();
+  }
+  requireOpenSocket() {
+    if (!this.socket || this.socket.readyState !== WebSocket.OPEN) {
+      throw new SandboxError("PTY is not connected");
+    }
+    return this.socket;
+  }
+  finishWait(exitCode) {
+    if (this.waitSettled) return;
+    this.waitSettled = true;
+    this.exitCode = exitCode;
+    for (const handler of this.exitHandlers) {
+      handler(exitCode);
+    }
+    this.resolveWait(exitCode);
+  }
+  failWait(error) {
+    if (this.waitSettled) return;
+    this.waitSettled = true;
+    this.rejectWait(error);
+  }
+};
+function normalizePtyMessage(message) {
+  if (Buffer.isBuffer(message)) return message;
+  if (Array.isArray(message)) {
+    return Buffer.concat(message.map((part) => Buffer.from(part)));
+  }
+  return Buffer.from(message);
+}
+function encodePtyInput(input) {
+  const payload = typeof input === "string" ? Buffer.from(input, "utf8") : Buffer.from(input);
+  return Buffer.concat([Buffer.from([PTY_OP_DATA]), payload]);
+}
+function encodePtyResize(cols, rows) {
+  const frame = Buffer.alloc(5);
+  frame[0] = PTY_OP_RESIZE;
+  frame.writeUInt16BE(cols, 1);
+  frame.writeUInt16BE(rows, 3);
+  return frame;
+}
+function sendPtyFrame(socket, frame) {
+  return new Promise((resolve, reject) => {
+    socket.send(frame, (error) => error ? reject(error) : resolve());
+  });
+}
+var Sandbox = class {
+  sandboxId;
+  http;
+  baseUrl;
+  wsHeaders;
+  ownsSandbox = false;
+  lifecycleClient = null;
+  constructor(options) {
+    this.sandboxId = options.sandboxId;
+    const proxyUrl = options.proxyUrl ?? SANDBOX_PROXY_URL;
+    const { baseUrl, hostHeader } = resolveProxyTarget(proxyUrl, options.sandboxId);
+    this.baseUrl = baseUrl;
+    this.wsHeaders = {};
+    if (options.apiKey) {
+      this.wsHeaders.Authorization = `Bearer ${options.apiKey}`;
+    }
+    if (options.organizationId) {
+      this.wsHeaders["X-Forwarded-Organization-Id"] = options.organizationId;
+    }
+    if (options.projectId) {
+      this.wsHeaders["X-Forwarded-Project-Id"] = options.projectId;
+    }
+    if (hostHeader) {
+      this.wsHeaders.Host = hostHeader;
+    }
+    this.http = new HttpClient({
+      baseUrl,
+      apiKey: options.apiKey,
+      organizationId: options.organizationId,
+      projectId: options.projectId,
+      hostHeader
+    });
+  }
+  /** @internal Used by SandboxClient.createAndConnect to set ownership. */
+  _setOwner(client) {
+    this.ownsSandbox = true;
+    this.lifecycleClient = client;
+  }
+  close() {
+    this.http.close();
+  }
+  async terminate() {
+    const client = this.lifecycleClient;
+    this.ownsSandbox = false;
+    this.lifecycleClient = null;
+    this.close();
+    if (client) {
+      await client.delete(this.sandboxId);
+    }
+  }
+  // --- High-level convenience ---
+  async run(command, options) {
+    const proc = await this.startProcess(command, {
+      args: options?.args,
+      env: options?.env,
+      workingDir: options?.workingDir
+    });
+    const deadline = options?.timeout ? Date.now() + options.timeout * 1e3 : null;
+    let info;
+    while (true) {
+      info = await this.getProcess(proc.pid);
+      if (info.status !== "running" /* RUNNING */) break;
+      if (deadline && Date.now() > deadline) {
+        await this.killProcess(proc.pid);
+        throw new SandboxError(`Command timed out after ${options.timeout}s`);
+      }
+      await sleep2(100);
+    }
+    const stdoutResp = await this.getStdout(proc.pid);
+    const stderrResp = await this.getStderr(proc.pid);
+    let exitCode;
+    if (info.exitCode != null) {
+      exitCode = info.exitCode;
+    } else if (info.signal != null) {
+      exitCode = -info.signal;
+    } else {
+      exitCode = -1;
+    }
+    return {
+      exitCode,
+      stdout: stdoutResp.lines.join("\n"),
+      stderr: stderrResp.lines.join("\n")
+    };
+  }
+  // --- Process management ---
+  async startProcess(command, options) {
+    const payload = { command };
+    if (options?.args != null) payload.args = options.args;
+    if (options?.env != null) payload.env = options.env;
+    if (options?.workingDir != null) payload.working_dir = options.workingDir;
+    if (options?.stdinMode != null && options.stdinMode !== "closed" /* CLOSED */) {
+      payload.stdin_mode = options.stdinMode;
+    }
+    if (options?.stdoutMode != null && options.stdoutMode !== "capture" /* CAPTURE */) {
+      payload.stdout_mode = options.stdoutMode;
+    }
+    if (options?.stderrMode != null && options.stderrMode !== "capture" /* CAPTURE */) {
+      payload.stderr_mode = options.stderrMode;
+    }
+    const raw = await this.http.requestJson(
+      "POST",
+      "/api/v1/processes",
+      { body: payload }
+    );
+    return fromSnakeKeys(raw);
+  }
+  async listProcesses() {
+    const raw = await this.http.requestJson(
+      "GET",
+      "/api/v1/processes"
+    );
+    return (raw.processes ?? []).map((p) => fromSnakeKeys(p));
+  }
+  async getProcess(pid) {
+    const raw = await this.http.requestJson(
+      "GET",
+      `/api/v1/processes/${pid}`
+    );
+    return fromSnakeKeys(raw);
+  }
+  async killProcess(pid) {
+    await this.http.requestJson("DELETE", `/api/v1/processes/${pid}`);
+  }
+  async sendSignal(pid, signal) {
+    const raw = await this.http.requestJson(
+      "POST",
+      `/api/v1/processes/${pid}/signal`,
+      { body: { signal } }
+    );
+    return fromSnakeKeys(raw);
+  }
+  // --- Process I/O ---
+  async writeStdin(pid, data) {
+    await this.http.requestBytes("POST", `/api/v1/processes/${pid}/stdin`, {
+      body: data,
+      contentType: "application/octet-stream"
+    });
+  }
+  async closeStdin(pid) {
+    await this.http.requestJson("POST", `/api/v1/processes/${pid}/stdin/close`);
+  }
+  async getStdout(pid) {
+    const raw = await this.http.requestJson(
+      "GET",
+      `/api/v1/processes/${pid}/stdout`
+    );
+    return fromSnakeKeys(raw);
+  }
+  async getStderr(pid) {
+    const raw = await this.http.requestJson(
+      "GET",
+      `/api/v1/processes/${pid}/stderr`
+    );
+    return fromSnakeKeys(raw);
+  }
+  async getOutput(pid) {
+    const raw = await this.http.requestJson(
+      "GET",
+      `/api/v1/processes/${pid}/output`
+    );
+    return fromSnakeKeys(raw);
+  }
+  // --- Streaming (SSE) ---
+  async *followStdout(pid, options) {
+    const stream = await this.http.requestStream(
+      "GET",
+      `/api/v1/processes/${pid}/stdout/follow`,
+      options
+    );
+    for await (const raw of parseSSEStream(
+      stream,
+      options?.signal
+    )) {
+      yield fromSnakeKeys(raw);
+    }
+  }
+  async *followStderr(pid, options) {
+    const stream = await this.http.requestStream(
+      "GET",
+      `/api/v1/processes/${pid}/stderr/follow`,
+      options
+    );
+    for await (const raw of parseSSEStream(
+      stream,
+      options?.signal
+    )) {
+      yield fromSnakeKeys(raw);
+    }
+  }
+  async *followOutput(pid, options) {
+    const stream = await this.http.requestStream(
+      "GET",
+      `/api/v1/processes/${pid}/output/follow`,
+      options
+    );
+    for await (const raw of parseSSEStream(
+      stream,
+      options?.signal
+    )) {
+      yield fromSnakeKeys(raw);
+    }
+  }
+  // --- File operations ---
+  async readFile(path2) {
+    return this.http.requestBytes(
+      "GET",
+      `/api/v1/files?path=${encodeURIComponent(path2)}`
+    );
+  }
+  async writeFile(path2, content) {
+    await this.http.requestBytes(
+      "PUT",
+      `/api/v1/files?path=${encodeURIComponent(path2)}`,
+      { body: content, contentType: "application/octet-stream" }
+    );
+  }
+  async deleteFile(path2) {
+    await this.http.requestJson(
+      "DELETE",
+      `/api/v1/files?path=${encodeURIComponent(path2)}`
+    );
+  }
+  async listDirectory(path2) {
+    const raw = await this.http.requestJson(
+      "GET",
+      `/api/v1/files/list?path=${encodeURIComponent(path2)}`
+    );
+    return fromSnakeKeys(raw);
+  }
+  // --- PTY ---
+  async createPtySession(options) {
+    const payload = {
+      command: options.command,
+      rows: options.rows ?? 24,
+      cols: options.cols ?? 80
+    };
+    if (options.args != null) payload.args = options.args;
+    if (options.env != null) payload.env = options.env;
+    if (options.workingDir != null) payload.working_dir = options.workingDir;
+    const raw = await this.http.requestJson(
+      "POST",
+      "/api/v1/pty",
+      { body: payload }
+    );
+    return fromSnakeKeys(raw);
+  }
+  async createPty(options) {
+    const { onData, onExit, ...createOptions } = options;
+    const session = await this.createPtySession(createOptions);
+    try {
+      return await this.connectPty(session.sessionId, session.token, { onData, onExit });
+    } catch (error) {
+      try {
+        await this.http.requestResponse("DELETE", `/api/v1/pty/${session.sessionId}`);
+      } catch {
+      }
+      throw error;
+    }
+  }
+  async connectPty(sessionId, token, options) {
+    const wsUrl = new URL(this.ptyWsUrl(sessionId, token));
+    const authToken = wsUrl.searchParams.get("token") ?? token;
+    const pty = new Pty({
+      sessionId,
+      token: authToken,
+      wsUrl: wsUrl.toString(),
+      wsHeaders: {
+        ...this.wsHeaders,
+        "X-PTY-Token": authToken
+      },
+      killSession: async () => {
+        await this.http.requestResponse("DELETE", `/api/v1/pty/${sessionId}`);
+      }
+    });
+    if (options?.onData) {
+      pty.onData(options.onData);
+    }
+    if (options?.onExit) {
+      pty.onExit(options.onExit);
+    }
+    await pty.connect();
+    return pty;
+  }
+  ptyWsUrl(sessionId, token) {
+    let wsBase;
+    if (this.baseUrl.startsWith("https://")) {
+      wsBase = "wss://" + this.baseUrl.slice(8);
+    } else if (this.baseUrl.startsWith("http://")) {
+      wsBase = "ws://" + this.baseUrl.slice(7);
+    } else {
+      wsBase = this.baseUrl;
+    }
+    return `${wsBase}/api/v1/pty/${sessionId}/ws?token=${token}`;
+  }
+  // --- Health ---
+  async health() {
+    const raw = await this.http.requestJson(
+      "GET",
+      "/api/v1/health"
+    );
+    return fromSnakeKeys(raw);
+  }
+  async info() {
+    const raw = await this.http.requestJson(
+      "GET",
+      "/api/v1/info"
+    );
+    return fromSnakeKeys(raw);
+  }
+};
+function sleep2(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+// src/client.ts
+var SandboxClient = class _SandboxClient {
+  http;
+  apiUrl;
+  apiKey;
+  organizationId;
+  projectId;
+  namespace;
+  local;
+  constructor(options) {
+    this.apiUrl = options?.apiUrl ?? API_URL;
+    this.apiKey = options?.apiKey ?? API_KEY;
+    this.organizationId = options?.organizationId;
+    this.projectId = options?.projectId;
+    this.namespace = options?.namespace ?? NAMESPACE;
+    this.local = isLocalhost(this.apiUrl);
+    this.http = new HttpClient({
+      baseUrl: this.apiUrl,
+      apiKey: this.apiKey,
+      organizationId: this.organizationId,
+      projectId: this.projectId,
+      maxRetries: options?.maxRetries ?? MAX_RETRIES,
+      retryBackoffMs: options?.retryBackoffMs ?? RETRY_BACKOFF_MS
+    });
+  }
+  /** Create a client for the TensorLake cloud platform. */
+  static forCloud(options) {
+    return new _SandboxClient({
+      apiUrl: options?.apiUrl ?? "https://api.tensorlake.ai",
+      apiKey: options?.apiKey,
+      organizationId: options?.organizationId,
+      projectId: options?.projectId
+    });
+  }
+  /** Create a client for a local Indexify server. */
+  static forLocalhost(options) {
+    return new _SandboxClient({
+      apiUrl: options?.apiUrl ?? "http://localhost:8900",
+      namespace: options?.namespace ?? "default"
+    });
+  }
+  close() {
+    this.http.close();
+  }
+  // --- Path helper ---
+  path(subpath) {
+    return lifecyclePath(subpath, this.local, this.namespace);
+  }
+  // --- Sandbox CRUD ---
+  async create(options) {
+    const body = {
+      resources: {
+        cpus: options?.cpus ?? 1,
+        memory_mb: options?.memoryMb ?? 1024,
+        ephemeral_disk_mb: options?.ephemeralDiskMb ?? 1024
+      }
+    };
+    if (options?.image != null) body.image = options.image;
+    if (options?.secretNames != null) body.secret_names = options.secretNames;
+    if (options?.timeoutSecs != null) body.timeout_secs = options.timeoutSecs;
+    if (options?.entrypoint != null) body.entrypoint = options.entrypoint;
+    if (options?.snapshotId != null) body.snapshot_id = options.snapshotId;
+    if (options?.name != null) body.name = options.name;
+    if (options?.allowInternetAccess === false || options?.allowOut != null || options?.denyOut != null) {
+      body.network = {
+        allow_internet_access: options?.allowInternetAccess ?? true,
+        allow_out: options?.allowOut ?? [],
+        deny_out: options?.denyOut ?? []
+      };
+    }
+    const raw = await this.http.requestJson(
+      "POST",
+      this.path("sandboxes"),
+      { body }
+    );
+    return fromSnakeKeys(raw, "sandboxId");
+  }
+  async get(sandboxId) {
+    const raw = await this.http.requestJson(
+      "GET",
+      this.path(`sandboxes/${sandboxId}`)
+    );
+    return fromSnakeKeys(raw, "sandboxId");
+  }
+  async list() {
+    const raw = await this.http.requestJson(
+      "GET",
+      this.path("sandboxes")
+    );
+    return (raw.sandboxes ?? []).map(
+      (s) => fromSnakeKeys(s, "sandboxId")
+    );
+  }
+  async update(sandboxId, options) {
+    const body = {};
+    if (options.name != null) body.name = options.name;
+    if (options.allowUnauthenticatedAccess != null) {
+      body.allow_unauthenticated_access = options.allowUnauthenticatedAccess;
+    }
+    if (options.exposedPorts != null) {
+      body.exposed_ports = normalizeUserPorts(options.exposedPorts);
+    }
+    if (Object.keys(body).length === 0) {
+      throw new SandboxError("At least one sandbox update field must be provided.");
+    }
+    const raw = await this.http.requestJson(
+      "PATCH",
+      this.path(`sandboxes/${sandboxId}`),
+      { body }
+    );
+    return fromSnakeKeys(raw, "sandboxId");
+  }
+  async getPortAccess(sandboxId) {
+    const info = await this.get(sandboxId);
+    return {
+      allowUnauthenticatedAccess: info.allowUnauthenticatedAccess ?? false,
+      exposedPorts: dedupeAndSortPorts(info.exposedPorts ?? []),
+      sandboxUrl: info.sandboxUrl
+    };
+  }
+  async exposePorts(sandboxId, ports, options) {
+    const requestedPorts = normalizeUserPorts(ports);
+    const current = await this.getPortAccess(sandboxId);
+    const desiredPorts = dedupeAndSortPorts([
+      ...current.exposedPorts,
+      ...requestedPorts
+    ]);
+    return this.update(sandboxId, {
+      allowUnauthenticatedAccess: options?.allowUnauthenticatedAccess ?? current.allowUnauthenticatedAccess,
+      exposedPorts: desiredPorts
+    });
+  }
+  async unexposePorts(sandboxId, ports) {
+    const requestedPorts = normalizeUserPorts(ports);
+    const current = await this.getPortAccess(sandboxId);
+    const toRemove = new Set(requestedPorts);
+    const desiredPorts = current.exposedPorts.filter((port) => !toRemove.has(port));
+    return this.update(sandboxId, {
+      allowUnauthenticatedAccess: desiredPorts.length ? current.allowUnauthenticatedAccess : false,
+      exposedPorts: desiredPorts
+    });
+  }
+  async delete(sandboxId) {
+    await this.http.requestJson(
+      "DELETE",
+      this.path(`sandboxes/${sandboxId}`)
+    );
+  }
+  async suspend(sandboxId) {
+    await this.http.requestResponse(
+      "POST",
+      this.path(`sandboxes/${sandboxId}/suspend`)
+    );
+  }
+  async resume(sandboxId) {
+    await this.http.requestResponse(
+      "POST",
+      this.path(`sandboxes/${sandboxId}/resume`)
+    );
+  }
+  async claim(poolId) {
+    const raw = await this.http.requestJson(
+      "POST",
+      this.path(`sandbox-pools/${poolId}/sandboxes`)
+    );
+    return fromSnakeKeys(raw, "sandboxId");
+  }
+  // --- Snapshots ---
+  async snapshot(sandboxId) {
+    const raw = await this.http.requestJson(
+      "POST",
+      this.path(`sandboxes/${sandboxId}/snapshot`)
+    );
+    return fromSnakeKeys(raw, "snapshotId");
+  }
+  async getSnapshot(snapshotId) {
+    const raw = await this.http.requestJson(
+      "GET",
+      this.path(`snapshots/${snapshotId}`)
+    );
+    return fromSnakeKeys(raw, "snapshotId");
+  }
+  async listSnapshots() {
+    const raw = await this.http.requestJson(
+      "GET",
+      this.path("snapshots")
+    );
+    return (raw.snapshots ?? []).map(
+      (s) => fromSnakeKeys(s, "snapshotId")
+    );
+  }
+  async deleteSnapshot(snapshotId) {
+    await this.http.requestJson(
+      "DELETE",
+      this.path(`snapshots/${snapshotId}`)
+    );
+  }
+  async snapshotAndWait(sandboxId, options) {
+    const timeout = options?.timeout ?? 300;
+    const pollInterval = options?.pollInterval ?? 1;
+    const result = await this.snapshot(sandboxId);
+    const deadline = Date.now() + timeout * 1e3;
+    while (Date.now() < deadline) {
+      const info = await this.getSnapshot(result.snapshotId);
+      if (info.status === "completed" /* COMPLETED */) return info;
+      if (info.status === "failed" /* FAILED */) {
+        throw new SandboxError(
+          `Snapshot ${result.snapshotId} failed: ${info.error}`
+        );
+      }
+      await sleep3(pollInterval * 1e3);
+    }
+    throw new SandboxError(
+      `Snapshot ${result.snapshotId} did not complete within ${timeout}s`
+    );
+  }
+  // --- Pools ---
+  async createPool(options) {
+    const body = {
+      image: options.image,
+      resources: {
+        cpus: options.cpus ?? 1,
+        memory_mb: options.memoryMb ?? 1024,
+        ephemeral_disk_mb: options.ephemeralDiskMb ?? 1024
+      },
+      timeout_secs: options.timeoutSecs ?? 0
+    };
+    if (options.secretNames != null) body.secret_names = options.secretNames;
+    if (options.entrypoint != null) body.entrypoint = options.entrypoint;
+    if (options.maxContainers != null) body.max_containers = options.maxContainers;
+    if (options.warmContainers != null) body.warm_containers = options.warmContainers;
+    const raw = await this.http.requestJson(
+      "POST",
+      this.path("sandbox-pools"),
+      { body }
+    );
+    return fromSnakeKeys(raw, "poolId");
+  }
+  async getPool(poolId) {
+    const raw = await this.http.requestJson(
+      "GET",
+      this.path(`sandbox-pools/${poolId}`)
+    );
+    return fromSnakeKeys(raw, "poolId");
+  }
+  async listPools() {
+    const raw = await this.http.requestJson(
+      "GET",
+      this.path("sandbox-pools")
+    );
+    return (raw.pools ?? []).map(
+      (p) => fromSnakeKeys(p, "poolId")
+    );
+  }
+  async updatePool(poolId, options) {
+    const body = {
+      image: options.image,
+      resources: {
+        cpus: options.cpus ?? 1,
+        memory_mb: options.memoryMb ?? 1024,
+        ephemeral_disk_mb: options.ephemeralDiskMb ?? 1024
+      },
+      timeout_secs: options.timeoutSecs ?? 0
+    };
+    if (options.secretNames != null) body.secret_names = options.secretNames;
+    if (options.entrypoint != null) body.entrypoint = options.entrypoint;
+    if (options.maxContainers != null) body.max_containers = options.maxContainers;
+    if (options.warmContainers != null) body.warm_containers = options.warmContainers;
+    const raw = await this.http.requestJson(
+      "PUT",
+      this.path(`sandbox-pools/${poolId}`),
+      { body }
+    );
+    return fromSnakeKeys(raw, "poolId");
+  }
+  async deletePool(poolId) {
+    await this.http.requestJson(
+      "DELETE",
+      this.path(`sandbox-pools/${poolId}`)
+    );
+  }
+  // --- Connect ---
+  connect(identifier, proxyUrl) {
+    const resolvedProxy = proxyUrl ?? resolveProxyUrl(this.apiUrl);
+    return new Sandbox({
+      sandboxId: identifier,
+      proxyUrl: resolvedProxy,
+      apiKey: this.apiKey,
+      organizationId: this.organizationId,
+      projectId: this.projectId
+    });
+  }
+  async createAndConnect(options) {
+    const startupTimeout = options?.startupTimeout ?? 60;
+    let result;
+    if (options?.poolId != null) {
+      result = await this.claim(options.poolId);
+    } else {
+      result = await this.create(options);
+    }
+    const deadline = Date.now() + startupTimeout * 1e3;
+    while (Date.now() < deadline) {
+      const info = await this.get(result.sandboxId);
+      if (info.status === "running" /* RUNNING */) {
+        const sandbox = this.connect(result.sandboxId, options?.proxyUrl);
+        sandbox._setOwner(this);
+        return sandbox;
+      }
+      if (info.status === "terminated" /* TERMINATED */) {
+        throw new SandboxError(
+          `Sandbox ${result.sandboxId} terminated during startup`
+        );
+      }
+      await sleep3(500);
+    }
+    try {
+      await this.delete(result.sandboxId);
+    } catch {
+    }
+    throw new SandboxError(
+      `Sandbox ${result.sandboxId} did not start within ${startupTimeout}s`
+    );
+  }
+};
+function sleep3(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+var RESERVED_SANDBOX_MANAGEMENT_PORT = 9501;
+function normalizeUserPorts(ports) {
+  return dedupeAndSortPorts(ports.map(validateUserPort));
+}
+function validateUserPort(port) {
+  if (!Number.isInteger(port) || port < 1 || port > 65535) {
+    throw new SandboxError(`invalid port '${port}'`);
+  }
+  if (port === RESERVED_SANDBOX_MANAGEMENT_PORT) {
+    throw new SandboxError("port 9501 is reserved for sandbox management");
+  }
+  return port;
+}
+function dedupeAndSortPorts(ports) {
+  return [...new Set(ports)].sort((a, b) => a - b);
+}
+
+// src/image.ts
+import { randomUUID } from "crypto";
+var ImageBuildOperationType = {
+  ADD: "ADD",
+  COPY: "COPY",
+  ENV: "ENV",
+  RUN: "RUN",
+  WORKDIR: "WORKDIR"
+};
+function renderOptions(options) {
+  const entries = Object.entries(options);
+  if (entries.length === 0) {
+    return "";
+  }
+  return ` ${entries.map(([key, value]) => `--${key}=${value}`).join(" ")}`;
+}
+function renderBuildOp(op) {
+  const options = renderOptions(op.options);
+  if (op.type === ImageBuildOperationType.ENV) {
+    return `ENV${options} ${op.args[0]}=${JSON.stringify(op.args[1])}`;
+  }
+  return `${op.type}${options} ${op.args.join(" ")}`;
+}
+function dockerfileContent(image) {
+  const lines = image.baseImage == null ? [] : [`FROM ${image.baseImage}`];
+  lines.push(...image.buildOperations.map((op) => renderBuildOp(op)));
+  return lines.join("\n");
+}
+
+// src/sandbox-image.ts
+var BUILD_SANDBOX_PIP_ENV = { PIP_BREAK_SYSTEM_PACKAGES: "1" };
+var IGNORED_DOCKERFILE_INSTRUCTIONS = /* @__PURE__ */ new Set([
+  "CMD",
+  "ENTRYPOINT",
+  "EXPOSE",
+  "HEALTHCHECK",
+  "LABEL",
+  "STOPSIGNAL",
+  "VOLUME"
+]);
+var UNSUPPORTED_DOCKERFILE_INSTRUCTIONS = /* @__PURE__ */ new Set([
+  "ARG",
+  "ONBUILD",
+  "SHELL",
+  "USER"
+]);
+function defaultRegisteredName(dockerfilePath) {
+  const parsed = path.parse(dockerfilePath);
+  if (parsed.name.toLowerCase() === "dockerfile") {
+    const parentName = path.basename(path.dirname(dockerfilePath)).trim();
+    return parentName || "sandbox-image";
+  }
+  return parsed.name || "sandbox-image";
+}
+function logicalDockerfileLines(dockerfileText) {
+  const logicalLines = [];
+  let parts = [];
+  let startLine = null;
+  for (const [index, rawLine] of dockerfileText.split(/\r?\n/).entries()) {
+    const lineNumber = index + 1;
+    const stripped = rawLine.trim();
+    if (parts.length === 0 && (!stripped || stripped.startsWith("#"))) {
+      continue;
+    }
+    if (startLine == null) {
+      startLine = lineNumber;
+    }
+    let line = rawLine.replace(/\s+$/, "");
+    const continued = line.endsWith("\\");
+    if (continued) {
+      line = line.slice(0, -1);
+    }
+    const normalized = line.trim();
+    if (normalized && !normalized.startsWith("#")) {
+      parts.push(normalized);
+    }
+    if (continued) {
+      continue;
+    }
+    if (parts.length > 0) {
+      logicalLines.push({
+        lineNumber: startLine ?? lineNumber,
+        line: parts.join(" ")
+      });
+    }
+    parts = [];
+    startLine = null;
+  }
+  if (parts.length > 0) {
+    logicalLines.push({
+      lineNumber: startLine ?? 1,
+      line: parts.join(" ")
+    });
+  }
+  return logicalLines;
+}
+function splitInstruction(line, lineNumber) {
+  const trimmed = line.trim();
+  if (!trimmed) {
+    throw new Error(`line ${lineNumber}: empty Dockerfile instruction`);
+  }
+  const match = trimmed.match(/^(\S+)(?:\s+(.*))?$/);
+  if (!match) {
+    throw new Error(`line ${lineNumber}: invalid Dockerfile instruction`);
+  }
+  return {
+    keyword: match[1].toUpperCase(),
+    value: (match[2] ?? "").trim()
+  };
+}
+function shellSplit(input) {
+  const tokens = [];
+  let current = "";
+  let quote = null;
+  let escape = false;
+  for (let i = 0; i < input.length; i++) {
+    const char = input[i];
+    if (escape) {
+      current += char;
+      escape = false;
+      continue;
+    }
+    if (quote == null) {
+      if (/\s/.test(char)) {
+        if (current) {
+          tokens.push(current);
+          current = "";
+        }
+        continue;
+      }
+      if (char === "'" || char === '"') {
+        quote = char;
+        continue;
+      }
+      if (char === "\\") {
+        escape = true;
+        continue;
+      }
+      current += char;
+      continue;
+    }
+    if (quote === "'") {
+      if (char === "'") {
+        quote = null;
+      } else {
+        current += char;
+      }
+      continue;
+    }
+    if (char === '"') {
+      quote = null;
+      continue;
+    }
+    if (char === "\\") {
+      const next = input[++i];
+      if (next == null) {
+        throw new Error(`unterminated escape sequence in '${input}'`);
+      }
+      current += next;
+      continue;
+    }
+    current += char;
+  }
+  if (escape) {
+    throw new Error(`unterminated escape sequence in '${input}'`);
+  }
+  if (quote != null) {
+    throw new Error(`unterminated quoted string in '${input}'`);
+  }
+  if (current) {
+    tokens.push(current);
+  }
+  return tokens;
+}
+function shellQuote(value) {
+  if (!value) {
+    return "''";
+  }
+  return `'${value.replace(/'/g, `'\\''`)}'`;
+}
+function stripLeadingFlags(value) {
+  const flags = {};
+  let remaining = value.trimStart();
+  while (remaining.startsWith("--")) {
+    const firstSpace = remaining.indexOf(" ");
+    if (firstSpace === -1) {
+      throw new Error(`invalid Dockerfile flag syntax: ${value}`);
+    }
+    const token = remaining.slice(0, firstSpace);
+    const rest = remaining.slice(firstSpace + 1).trimStart();
+    const flagBody = token.slice(2);
+    if (flagBody.includes("=")) {
+      const [key, flagValue2] = flagBody.split(/=(.*)/s, 2);
+      flags[key] = flagValue2;
+      remaining = rest;
+      continue;
+    }
+    const [flagValue, ...restTokens] = shellSplit(rest);
+    if (flagValue == null) {
+      throw new Error(`missing value for Dockerfile flag '${token}'`);
+    }
+    flags[flagBody] = flagValue;
+    remaining = restTokens.join(" ");
+  }
+  return { flags, remaining };
+}
+function parseFromValue(value, lineNumber) {
+  const { remaining } = stripLeadingFlags(value);
+  const tokens = shellSplit(remaining);
+  if (tokens.length === 0) {
+    throw new Error(`line ${lineNumber}: FROM must include a base image`);
+  }
+  if (tokens.length > 1 && tokens[1].toLowerCase() !== "as") {
+    throw new Error(`line ${lineNumber}: unsupported FROM syntax '${value}'`);
+  }
+  return tokens[0];
+}
+function parseCopyLikeValues(value, lineNumber, keyword) {
+  const { flags, remaining } = stripLeadingFlags(value);
+  if ("from" in flags) {
+    throw new Error(
+      `line ${lineNumber}: ${keyword} --from is not supported for sandbox image creation`
+    );
+  }
+  const payload = remaining.trim();
+  if (!payload) {
+    throw new Error(
+      `line ${lineNumber}: ${keyword} must include source and destination`
+    );
+  }
+  let parts;
+  if (payload.startsWith("[")) {
+    let parsed;
+    try {
+      parsed = JSON.parse(payload);
+    } catch (error) {
+      throw new Error(
+        `line ${lineNumber}: invalid JSON array syntax for ${keyword}: ${error.message}`
+      );
+    }
+    if (!Array.isArray(parsed) || parsed.length < 2 || parsed.some((item) => typeof item !== "string")) {
+      throw new Error(
+        `line ${lineNumber}: ${keyword} JSON array form requires at least two string values`
+      );
+    }
+    parts = parsed;
+  } else {
+    parts = shellSplit(payload);
+    if (parts.length < 2) {
+      throw new Error(
+        `line ${lineNumber}: ${keyword} must include at least one source and one destination`
+      );
+    }
+  }
+  return {
+    flags,
+    sources: parts.slice(0, -1),
+    destination: parts[parts.length - 1]
+  };
+}
+function parseEnvPairs(value, lineNumber) {
+  const tokens = shellSplit(value);
+  if (tokens.length === 0) {
+    throw new Error(`line ${lineNumber}: ENV must include a key and value`);
+  }
+  if (tokens.every((token) => token.includes("="))) {
+    return tokens.map((token) => {
+      const [key, envValue] = token.split(/=(.*)/s, 2);
+      if (!key) {
+        throw new Error(`line ${lineNumber}: invalid ENV token '${token}'`);
+      }
+      return [key, envValue];
+    });
+  }
+  if (tokens.length < 2) {
+    throw new Error(`line ${lineNumber}: ENV must include a key and value`);
+  }
+  return [[tokens[0], tokens.slice(1).join(" ")]];
+}
+function resolveContainerPath(containerPath, workingDir) {
+  if (!containerPath) {
+    return workingDir;
+  }
+  const normalized = containerPath.startsWith("/") ? path.posix.normalize(containerPath) : path.posix.normalize(path.posix.join(workingDir, containerPath));
+  return normalized.startsWith("/") ? normalized : `/${normalized}`;
+}
+function buildPlanFromDockerfileText(dockerfileText, dockerfilePath, contextDir, registeredName) {
+  let baseImage;
+  const instructions = [];
+  for (const logicalLine of logicalDockerfileLines(dockerfileText)) {
+    const { keyword, value } = splitInstruction(
+      logicalLine.line,
+      logicalLine.lineNumber
+    );
+    if (keyword === "FROM") {
+      if (baseImage != null) {
+        throw new Error(
+          `line ${logicalLine.lineNumber}: multi-stage Dockerfiles are not supported for sandbox image creation`
+        );
+      }
+      baseImage = parseFromValue(value, logicalLine.lineNumber);
+      continue;
+    }
+    if (UNSUPPORTED_DOCKERFILE_INSTRUCTIONS.has(keyword)) {
+      throw new Error(
+        `line ${logicalLine.lineNumber}: Dockerfile instruction '${keyword}' is not supported for sandbox image creation`
+      );
+    }
+    instructions.push({
+      keyword,
+      value,
+      lineNumber: logicalLine.lineNumber
+    });
+  }
+  if (!baseImage) {
+    throw new Error("Dockerfile must contain a FROM instruction");
+  }
+  return {
+    dockerfilePath,
+    contextDir,
+    registeredName: registeredName ?? defaultRegisteredName(dockerfilePath),
+    dockerfileText,
+    baseImage,
+    instructions
+  };
+}
+async function loadDockerfilePlan(dockerfilePath, registeredName) {
+  const resolvedPath = path.resolve(dockerfilePath);
+  const fileStats = await stat(resolvedPath).catch(() => null);
+  if (!fileStats?.isFile()) {
+    throw new Error(`Dockerfile not found: ${dockerfilePath}`);
+  }
+  const dockerfileText = await readFile(resolvedPath, "utf8");
+  return buildPlanFromDockerfileText(
+    dockerfileText,
+    resolvedPath,
+    path.dirname(resolvedPath),
+    registeredName
+  );
+}
+function loadImagePlan(image, options = {}) {
+  const contextDir = path.resolve(options.contextDir ?? process.cwd());
+  const dockerfileText = dockerfileContent(image);
+  const logicalLines = logicalDockerfileLines(dockerfileText);
+  const instructions = image.baseImage == null ? logicalLines : logicalLines.slice(1);
+  return {
+    dockerfilePath: path.join(contextDir, "Dockerfile"),
+    contextDir,
+    registeredName: options.registeredName ?? image.name,
+    dockerfileText,
+    baseImage: image.baseImage ?? void 0,
+    instructions: instructions.map(({ line, lineNumber }) => {
+      const parsed = splitInstruction(line, lineNumber);
+      return {
+        keyword: parsed.keyword,
+        value: parsed.value,
+        lineNumber
+      };
+    })
+  };
+}
+function defaultEmit(event) {
+  process.stdout.write(`${JSON.stringify(event)}
+`);
+}
+function debugEnabled() {
+  return ["1", "true", "yes", "on"].includes(
+    (process.env.TENSORLAKE_DEBUG ?? "").toLowerCase()
+  );
+}
+function buildContextFromEnv() {
+  return {
+    apiUrl: process.env.TENSORLAKE_API_URL ?? "https://api.tensorlake.ai",
+    apiKey: process.env.TENSORLAKE_API_KEY,
+    personalAccessToken: process.env.TENSORLAKE_PAT,
+    namespace: process.env.INDEXIFY_NAMESPACE ?? "default",
+    organizationId: process.env.TENSORLAKE_ORGANIZATION_ID,
+    projectId: process.env.TENSORLAKE_PROJECT_ID,
+    debug: debugEnabled()
+  };
+}
+function createDefaultClient(context) {
+  return new SandboxClient({
+    apiUrl: context.apiUrl,
+    apiKey: context.apiKey ?? context.personalAccessToken,
+    organizationId: context.organizationId,
+    projectId: context.projectId,
+    namespace: context.namespace
+  });
+}
+async function runChecked(sandbox, command, args, env, workingDir) {
+  const result = await sandbox.run(command, {
+    args,
+    env,
+    workingDir
+  });
+  if (result.exitCode !== 0) {
+    throw new Error(
+      `Command '${command} ${args.join(" ")}' failed with exit code ${result.exitCode}`
+    );
+  }
+  return result;
+}
+async function runStreaming(sandbox, emit, sleep4, command, args = [], env, workingDir) {
+  const proc = await sandbox.startProcess(command, {
+    args,
+    env,
+    workingDir
+  });
+  let stdoutSeen = 0;
+  let stderrSeen = 0;
+  let info;
+  while (true) {
+    const stdoutResp = await sandbox.getStdout(proc.pid);
+    emitOutputLines(emit, "stdout", stdoutResp, stdoutSeen);
+    stdoutSeen = stdoutResp.lines.length;
+    const stderrResp = await sandbox.getStderr(proc.pid);
+    emitOutputLines(emit, "stderr", stderrResp, stderrSeen);
+    stderrSeen = stderrResp.lines.length;
+    info = await sandbox.getProcess(proc.pid);
+    if (info.status !== "running" /* RUNNING */) {
+      const finalStdout = await sandbox.getStdout(proc.pid);
+      emitOutputLines(emit, "stdout", finalStdout, stdoutSeen);
+      stdoutSeen = finalStdout.lines.length;
+      const finalStderr = await sandbox.getStderr(proc.pid);
+      emitOutputLines(emit, "stderr", finalStderr, stderrSeen);
+      break;
+    }
+    await sleep4(300);
+  }
+  for (let i = 0; i < 10; i++) {
+    if (info.exitCode != null || info.signal != null) {
+      break;
+    }
+    await sleep4(200);
+    info = await sandbox.getProcess(proc.pid);
+  }
+  const exitCode = info.exitCode != null ? info.exitCode : info.signal != null ? -info.signal : 0;
+  if (exitCode !== 0) {
+    throw new Error(
+      `Command '${command} ${args.join(" ")}' failed with exit code ${exitCode}`
+    );
+  }
+}
+function emitOutputLines(emit, stream, response, seen) {
+  for (const line of response.lines.slice(seen)) {
+    emit({ type: "build_log", stream, message: line });
+  }
+}
+function isPathWithinContext(contextDir, localPath) {
+  const relative = path.relative(contextDir, localPath);
+  return relative === "" || !relative.startsWith("..") && !path.isAbsolute(relative);
+}
+function resolveContextSourcePath(contextDir, source) {
+  const resolvedContextDir = path.resolve(contextDir);
+  const resolvedSource = path.resolve(resolvedContextDir, source);
+  if (!isPathWithinContext(resolvedContextDir, resolvedSource)) {
+    throw new Error(`Local path escapes the build context: ${source}`);
+  }
+  return resolvedSource;
+}
+async function copyLocalPathToSandbox(sandbox, localPath, remotePath) {
+  const fileStats = await stat(localPath).catch(() => null);
+  if (!fileStats) {
+    throw new Error(`Local path not found: ${localPath}`);
+  }
+  if (fileStats.isFile()) {
+    await runChecked(sandbox, "mkdir", ["-p", path.posix.dirname(remotePath)]);
+    await sandbox.writeFile(remotePath, await readFile(localPath));
+    return;
+  }
+  if (!fileStats.isDirectory()) {
+    throw new Error(`Local path not found: ${localPath}`);
+  }
+  const entries = await readdir(localPath, { withFileTypes: true });
+  for (const entry of entries) {
+    const sourcePath = path.join(localPath, entry.name);
+    const destinationPath = path.posix.join(remotePath, entry.name);
+    if (entry.isDirectory()) {
+      await runChecked(sandbox, "mkdir", ["-p", destinationPath]);
+      await copyLocalPathToSandbox(sandbox, sourcePath, destinationPath);
+    } else if (entry.isFile()) {
+      await runChecked(
+        sandbox,
+        "mkdir",
+        ["-p", path.posix.dirname(destinationPath)]
+      );
+      await sandbox.writeFile(destinationPath, await readFile(sourcePath));
+    }
+  }
+}
+async function persistEnvVar(sandbox, processEnv, key, value) {
+  const exportLine = `export ${key}=${shellQuote(value)}`;
+  await runChecked(
+    sandbox,
+    "sh",
+    ["-c", `printf '%s\\n' ${shellQuote(exportLine)} >> /etc/environment`],
+    processEnv
+  );
+}
+async function copyFromContext(sandbox, emit, contextDir, sources, destination, workingDir, keyword) {
+  const destinationPath = resolveContainerPath(destination, workingDir);
+  if (sources.length > 1 && !destinationPath.endsWith("/")) {
+    throw new Error(
+      `${keyword} with multiple sources requires a directory destination ending in '/'`
+    );
+  }
+  for (const source of sources) {
+    const localSource = resolveContextSourcePath(contextDir, source);
+    const localStats = await stat(localSource).catch(() => null);
+    if (!localStats) {
+      throw new Error(`Local path not found: ${localSource}`);
+    }
+    let remoteDestination = destinationPath;
+    if (sources.length > 1) {
+      remoteDestination = path.posix.join(
+        destinationPath.replace(/\/$/, ""),
+        path.posix.basename(source.replace(/\/$/, ""))
+      );
+    } else if (localStats.isFile() && destinationPath.endsWith("/")) {
+      remoteDestination = path.posix.join(
+        destinationPath.replace(/\/$/, ""),
+        path.basename(source)
+      );
+    }
+    emit({
+      type: "status",
+      message: `${keyword} ${source} -> ${remoteDestination}`
+    });
+    await copyLocalPathToSandbox(sandbox, localSource, remoteDestination);
+  }
+}
+async function addUrlToSandbox(sandbox, emit, url, destination, workingDir, processEnv, sleep4) {
+  let destinationPath = resolveContainerPath(destination, workingDir);
+  const parsedUrl = new URL(url);
+  const fileName = path.posix.basename(parsedUrl.pathname.replace(/\/$/, "")) || "downloaded";
+  if (destinationPath.endsWith("/")) {
+    destinationPath = path.posix.join(destinationPath.replace(/\/$/, ""), fileName);
+  }
+  const parentDir = path.posix.dirname(destinationPath) || "/";
+  emit({
+    type: "status",
+    message: `ADD ${url} -> ${destinationPath}`
+  });
+  await runChecked(sandbox, "mkdir", ["-p", parentDir], processEnv);
+  await runStreaming(
+    sandbox,
+    emit,
+    sleep4,
+    "sh",
+    [
+      "-c",
+      `curl -fsSL --location ${shellQuote(url)} -o ${shellQuote(destinationPath)}`
+    ],
+    processEnv,
+    workingDir
+  );
+}
+async function executeDockerfilePlan(sandbox, plan, emit, sleep4) {
+  const processEnv = { ...BUILD_SANDBOX_PIP_ENV };
+  let workingDir = "/";
+  for (const instruction of plan.instructions) {
+    const { keyword, value, lineNumber } = instruction;
+    if (keyword === "RUN") {
+      emit({ type: "status", message: `RUN ${value}` });
+      await runStreaming(
+        sandbox,
+        emit,
+        sleep4,
+        "sh",
+        ["-c", value],
+        processEnv,
+        workingDir
+      );
+      continue;
+    }
+    if (keyword === "WORKDIR") {
+      const tokens = shellSplit(value);
+      if (tokens.length !== 1) {
+        throw new Error(`line ${lineNumber}: WORKDIR must include exactly one path`);
+      }
+      workingDir = resolveContainerPath(tokens[0], workingDir);
+      emit({ type: "status", message: `WORKDIR ${workingDir}` });
+      await runChecked(sandbox, "mkdir", ["-p", workingDir], processEnv);
+      continue;
+    }
+    if (keyword === "ENV") {
+      for (const [key, envValue] of parseEnvPairs(value, lineNumber)) {
+        emit({ type: "status", message: `ENV ${key}=${envValue}` });
+        processEnv[key] = envValue;
+        await persistEnvVar(sandbox, processEnv, key, envValue);
+      }
+      continue;
+    }
+    if (keyword === "COPY") {
+      const { sources, destination } = parseCopyLikeValues(
+        value,
+        lineNumber,
+        keyword
+      );
+      await copyFromContext(
+        sandbox,
+        emit,
+        plan.contextDir,
+        sources,
+        destination,
+        workingDir,
+        keyword
+      );
+      continue;
+    }
+    if (keyword === "ADD") {
+      const { sources, destination } = parseCopyLikeValues(
+        value,
+        lineNumber,
+        keyword
+      );
+      if (sources.length === 1 && /^https?:\/\//.test(sources[0])) {
+        await addUrlToSandbox(
+          sandbox,
+          emit,
+          sources[0],
+          destination,
+          workingDir,
+          processEnv,
+          sleep4
+        );
+      } else {
+        await copyFromContext(
+          sandbox,
+          emit,
+          plan.contextDir,
+          sources,
+          destination,
+          workingDir,
+          keyword
+        );
+      }
+      continue;
+    }
+    if (IGNORED_DOCKERFILE_INSTRUCTIONS.has(keyword)) {
+      emit({
+        type: "warning",
+        message: `Skipping Dockerfile instruction '${keyword}' during snapshot materialization. It is still preserved in the registered Dockerfile.`
+      });
+      continue;
+    }
+    throw new Error(
+      `line ${lineNumber}: Dockerfile instruction '${keyword}' is not supported for sandbox image creation`
+    );
+  }
+}
+async function registerImage(context, name, dockerfile, snapshotId, snapshotUri, isPublic) {
+  if (!context.organizationId || !context.projectId) {
+    throw new Error(
+      "Organization ID and Project ID are required. Run 'tl login' and 'tl init'."
+    );
+  }
+  const bearerToken = context.apiKey ?? context.personalAccessToken;
+  if (!bearerToken) {
+    throw new Error("Missing TENSORLAKE_API_KEY or TENSORLAKE_PAT.");
+  }
+  const baseUrl = context.apiUrl.replace(/\/+$/, "");
+  const url = `${baseUrl}/platform/v1/organizations/${encodeURIComponent(context.organizationId)}/projects/${encodeURIComponent(context.projectId)}/sandbox-templates`;
+  const headers = {
+    Authorization: `Bearer ${bearerToken}`,
+    "Content-Type": "application/json"
+  };
+  if (context.personalAccessToken && !context.apiKey) {
+    headers["X-Forwarded-Organization-Id"] = context.organizationId;
+    headers["X-Forwarded-Project-Id"] = context.projectId;
+  }
+  const response = await fetch(url, {
+    method: "POST",
+    headers,
+    body: JSON.stringify({
+      name,
+      dockerfile,
+      snapshotId,
+      snapshotUri,
+      isPublic
+    })
+  });
+  if (!response.ok) {
+    throw new Error(
+      `${response.status} ${response.statusText}: ${await response.text()}`
+    );
+  }
+  const text = await response.text();
+  return text ? JSON.parse(text) : {};
+}
+async function createSandboxImage(source, options = {}, deps = {}) {
+  const emit = deps.emit ?? defaultEmit;
+  const sleep4 = deps.sleep ?? ((ms) => new Promise((r) => setTimeout(r, ms)));
+  const context = buildContextFromEnv();
+  const clientFactory = deps.createClient ?? createDefaultClient;
+  const register = deps.registerImage ?? ((...args) => registerImage(...args));
+  const sourceLabel = typeof source === "string" ? source : `Image(${source.name})`;
+  emit({ type: "status", message: `Loading ${sourceLabel}...` });
+  const plan = typeof source === "string" ? await loadDockerfilePlan(source, options.registeredName) : loadImagePlan(source, options);
+  emit({
+    type: "status",
+    message: plan.baseImage == null ? "Starting build sandbox with the default server image..." : `Starting build sandbox from ${plan.baseImage}...`
+  });
+  const client = clientFactory(context);
+  let sandbox;
+  try {
+    sandbox = await client.createAndConnect({
+      ...plan.baseImage == null ? {} : { image: plan.baseImage },
+      cpus: options.cpus ?? 2,
+      memoryMb: options.memoryMb ?? 4096
+    });
+    emit({
+      type: "status",
+      message: `Materializing image in sandbox ${sandbox.sandboxId}...`
+    });
+    await executeDockerfilePlan(sandbox, plan, emit, sleep4);
+    emit({ type: "status", message: "Creating snapshot..." });
+    const snapshot = await client.snapshotAndWait(sandbox.sandboxId);
+    emit({
+      type: "snapshot_created",
+      snapshot_id: snapshot.snapshotId,
+      snapshot_uri: snapshot.snapshotUri ?? null
+    });
+    if (!snapshot.snapshotUri) {
+      throw new Error(
+        `Snapshot ${snapshot.snapshotId} is missing snapshotUri and cannot be registered as a sandbox image.`
+      );
+    }
+    emit({
+      type: "status",
+      message: `Registering image '${plan.registeredName}'...`
+    });
+    const result = await register(
+      context,
+      plan.registeredName,
+      plan.dockerfileText,
+      snapshot.snapshotId,
+      snapshot.snapshotUri,
+      options.isPublic ?? false
+    );
+    emit({
+      type: "image_registered",
+      name: plan.registeredName,
+      image_id: typeof result.id === "string" && result.id || typeof result.templateId === "string" && result.templateId || ""
+    });
+    emit({ type: "done" });
+    return result;
+  } finally {
+    if (sandbox) {
+      try {
+        await sandbox.terminate();
+      } catch {
+      }
+    }
+    client.close();
+  }
+}
+async function runCreateSandboxImageCli(argv = process.argv.slice(2)) {
+  const parsed = parseArgs({
+    args: argv,
+    allowPositionals: true,
+    options: {
+      name: { type: "string", short: "n" },
+      cpus: { type: "string" },
+      memory: { type: "string" },
+      public: { type: "boolean", default: false }
+    }
+  });
+  const dockerfilePath = parsed.positionals[0];
+  if (!dockerfilePath) {
+    throw new Error("Usage: tensorlake-create-sandbox-image <dockerfile_path> [--name NAME] [--cpus N] [--memory MB] [--public]");
+  }
+  const cpus = parsed.values.cpus != null ? Number(parsed.values.cpus) : void 0;
+  const memoryMb = parsed.values.memory != null ? Number(parsed.values.memory) : void 0;
+  if (cpus != null && !Number.isFinite(cpus)) {
+    throw new Error(`Invalid --cpus value: ${parsed.values.cpus}`);
+  }
+  if (memoryMb != null && !Number.isInteger(memoryMb)) {
+    throw new Error(`Invalid --memory value: ${parsed.values.memory}`);
+  }
+  await createSandboxImage(dockerfilePath, {
+    registeredName: parsed.values.name,
+    cpus,
+    memoryMb,
+    isPublic: parsed.values.public
+  });
+}
+export {
+  createSandboxImage,
+  defaultRegisteredName,
+  loadDockerfilePlan,
+  loadImagePlan,
+  logicalDockerfileLines,
+  runCreateSandboxImageCli
+};
+//# sourceMappingURL=sandbox-image.js.map