vmsan 0.1.0-alpha.0

package/dist/_chunks/errors.mjs

@@ -0,0 +1,232 @@
+import { r as getOutputMode } from "./logger.mjs";
+import { EvlogError } from "evlog";
+import { consola } from "consola";
+var VmsanError = class extends EvlogError {
+	code;
+	constructor(code, options) {
+		super(options);
+		this.name = "VmsanError";
+		this.code = code;
+		if (Error.captureStackTrace) Error.captureStackTrace(this, new.target);
+	}
+	toJSON() {
+		return {
+			...super.toJSON(),
+			code: this.code
+		};
+	}
+};
+var ValidationError = class extends VmsanError {
+	flag;
+	constructor(code, options) {
+		super(code, options);
+		this.name = "ValidationError";
+		this.flag = options.flag;
+	}
+	toJSON() {
+		return {
+			...super.toJSON(),
+			...this.flag !== void 0 && { flag: this.flag }
+		};
+	}
+};
+const invalidIntegerFlagError = (flag, value, min, max, unitSuffix = "") => new ValidationError("ERR_VALIDATION_INTEGER", {
+	flag,
+	message: `Invalid --${flag}: "${value}". Must be an integer between ${min} and ${max}${unitSuffix}.`
+});
+const invalidRuntimeError = (runtime, validRuntimes) => new ValidationError("ERR_VALIDATION_RUNTIME", {
+	flag: "runtime",
+	message: `Invalid --runtime: "${runtime}". Must be one of: ${validRuntimes.join(", ")}`
+});
+const invalidNetworkPolicyError = (policy, validPolicies) => new ValidationError("ERR_VALIDATION_NETWORK_POLICY", {
+	flag: "network-policy",
+	message: `Invalid --network-policy: "${policy}". Must be one of: ${validPolicies.join(", ")}`
+});
+const invalidPortError = (port) => new ValidationError("ERR_VALIDATION_PORT", {
+	flag: "publish-port",
+	message: `Invalid port: ${port}`
+});
+const portConflictError = (conflictSummary) => new ValidationError("ERR_VALIDATION_PORT_CONFLICT", {
+	flag: "publish-port",
+	message: `Published port conflict: ${conflictSummary}`
+});
+const invalidDomainError = (domain) => new ValidationError("ERR_VALIDATION_DOMAIN", {
+	flag: "allowed-domain",
+	message: `Invalid domain: "${domain}"`
+});
+const invalidDomainPatternError = (domain, detail) => new ValidationError("ERR_VALIDATION_DOMAIN", {
+	flag: "allowed-domain",
+	message: detail ? `Invalid domain pattern: "${domain}". ${detail}` : `Invalid domain pattern: "${domain}"`
+});
+const invalidCidrFormatError = (cidr) => new ValidationError("ERR_VALIDATION_CIDR", { message: `Invalid CIDR format: "${cidr}". Expected format: x.x.x.x/y` });
+const invalidCidrPrefixError = (cidr) => new ValidationError("ERR_VALIDATION_CIDR", { message: `Invalid CIDR prefix length: "${cidr}". Must be 0-32.` });
+const invalidCidrOctetError = (cidr) => new ValidationError("ERR_VALIDATION_CIDR", { message: `Invalid CIDR IP octet: "${cidr}". Each octet must be 0-255.` });
+const invalidImageRefEmptyError = () => new ValidationError("ERR_VALIDATION_IMAGE_REF", {
+	flag: "from-image",
+	message: "Invalid --from-image: image reference cannot be empty."
+});
+const invalidImageRefTagError = (ref) => new ValidationError("ERR_VALIDATION_IMAGE_REF", {
+	flag: "from-image",
+	message: `Invalid --from-image: "${ref}". Tag cannot be empty.`
+});
+const invalidDiskSizeFormatError = (value) => new ValidationError("ERR_VALIDATION_DISK_SIZE", {
+	flag: "disk",
+	message: `Invalid --disk: "${value}". Expected format like 10gb.`
+});
+const invalidDiskSizeRangeError = (value) => new ValidationError("ERR_VALIDATION_DISK_SIZE", {
+	flag: "disk",
+	message: `Invalid --disk: "${value}". Must be an integer between 1gb and 1024gb.`
+});
+const invalidDurationError = (input) => new ValidationError("ERR_VALIDATION_DURATION", { message: `Invalid duration: "${input}". Use format like "1h", "30m", "2h30m", or plain minutes.` });
+const mutuallyExclusiveFlagsError = (flagA, flagB) => new ValidationError("ERR_VALIDATION_FLAGS", {
+	message: `Cannot use ${flagA} and ${flagB} together`,
+	why: "They are mutually exclusive.",
+	fix: `Use either ${flagA} or ${flagB}, not both.`
+});
+const policyConflictError = () => new ValidationError("ERR_VALIDATION_POLICY_CONFLICT", {
+	flag: "network-policy",
+	message: "Cannot combine --network-policy deny-all with --allowed-domain, --allowed-cidr, or --denied-cidr."
+});
+var VmError = class extends VmsanError {
+	vmId;
+	constructor(code, options) {
+		super(code, options);
+		this.name = "VmError";
+		this.vmId = options.vmId;
+	}
+	toJSON() {
+		return {
+			...super.toJSON(),
+			...this.vmId !== void 0 && { vmId: this.vmId }
+		};
+	}
+};
+const vmNotFoundError = (vmId) => new VmError("ERR_VM_NOT_FOUND", {
+	vmId,
+	message: `VM not found: ${vmId}`,
+	fix: "Run 'vmsan list' to see available VMs."
+});
+const vmStateNotFoundError = (vmId) => new VmError("ERR_VM_STATE_NOT_FOUND", {
+	vmId,
+	message: `VM state not found: ${vmId}`
+});
+const vmNotStoppedError = (vmId, currentStatus) => new VmError("ERR_VM_NOT_STOPPED", {
+	vmId,
+	message: `VM ${vmId} is not stopped (current status: ${currentStatus})`,
+	fix: "Run 'vmsan stop <vm-id>' first, or use --force (-f) to stop and remove in one step."
+});
+const chrootNotFoundError = (vmId) => new VmError("ERR_VM_CHROOT_NOT_FOUND", {
+	vmId,
+	message: `Chroot directory not found for VM ${vmId}`,
+	why: "The VM data may have been removed.",
+	fix: "The VM must be recreated with 'vmsan create'."
+});
+const networkSlotsExhaustedError = () => new VmError("ERR_VM_NETWORK_SLOTS_EXHAUSTED", { message: "No available network slots (max 255 VMs)" });
+const vmNotRunningError = (vmId) => new VmError("ERR_VM_NOT_RUNNING", {
+	vmId,
+	message: `VM ${vmId} is not running`,
+	fix: "The VM must be running to update its network policy. Start it with 'vmsan start <vm-id>'."
+});
+const snapshotNotFoundError = (snapshotId) => new VmError("ERR_VM_SNAPSHOT_NOT_FOUND", { message: `Snapshot not found: ${snapshotId}` });
+var FirecrackerApiError = class extends VmsanError {
+	method;
+	path;
+	httpStatus;
+	constructor(code, options) {
+		super(code, options);
+		this.name = "FirecrackerApiError";
+		this.method = options.method;
+		this.path = options.path;
+		this.httpStatus = options.httpStatus;
+	}
+	toJSON() {
+		return {
+			...super.toJSON(),
+			method: this.method,
+			path: this.path,
+			httpStatus: this.httpStatus
+		};
+	}
+};
+const firecrackerApiError = (method, path, httpStatus, body) => new FirecrackerApiError("ERR_FIRECRACKER_API", {
+	method,
+	path,
+	httpStatus,
+	message: `${method} ${path} failed (${httpStatus}): ${body}`
+});
+var NetworkError = class extends VmsanError {
+	constructor(code, options) {
+		super(code, options);
+		this.name = "NetworkError";
+	}
+};
+const defaultInterfaceNotFoundError = () => new NetworkError("ERR_NETWORK_DEFAULT_INTERFACE", { message: "Could not determine default network interface. Check your network configuration." });
+var TimeoutError = class extends VmsanError {
+	target;
+	timeoutMs;
+	constructor(code, options) {
+		super(code, options);
+		this.name = "TimeoutError";
+		this.target = options.target;
+		this.timeoutMs = options.timeoutMs;
+	}
+	toJSON() {
+		return {
+			...super.toJSON(),
+			...this.target !== void 0 && { target: this.target },
+			...this.timeoutMs !== void 0 && { timeoutMs: this.timeoutMs }
+		};
+	}
+};
+const socketTimeoutError = (socketPath) => new TimeoutError("ERR_TIMEOUT_SOCKET", {
+	target: socketPath,
+	message: `Timeout waiting for API socket at ${socketPath}`
+});
+const lockTimeoutError = (lockName) => new TimeoutError("ERR_TIMEOUT_LOCK", {
+	target: lockName,
+	message: `Timed out waiting for ${lockName} lock`
+});
+const agentTimeoutError = (guestIp, timeoutMs) => new TimeoutError("ERR_TIMEOUT_AGENT", {
+	target: guestIp,
+	timeoutMs,
+	message: `Agent at ${guestIp} not available after ${timeoutMs}ms`
+});
+var SetupError = class extends VmsanError {
+	constructor(code, options) {
+		super(code, options);
+		this.name = "SetupError";
+	}
+};
+const INSTALL_FIX = `Run the install script to set up all dependencies:\n\ncurl -fsSL https://raw.githubusercontent.com/angelorc/vmsan/main/install.sh | bash`;
+const missingBinaryError = (binary, path) => new SetupError("ERR_SETUP_MISSING_BINARY", {
+	message: `${binary} not found at ${path}`,
+	fix: INSTALL_FIX
+});
+const noKernelDirError = () => new SetupError("ERR_SETUP_NO_KERNEL_DIR", {
+	message: "No kernels directory found.",
+	fix: INSTALL_FIX
+});
+const noKernelError = () => new SetupError("ERR_SETUP_NO_KERNEL", {
+	message: "No kernel found in ~/.vmsan/kernels/.",
+	fix: INSTALL_FIX
+});
+const noRootfsDirError = () => new SetupError("ERR_SETUP_NO_ROOTFS_DIR", {
+	message: "No rootfs directory found.",
+	fix: INSTALL_FIX
+});
+const noExt4RootfsError = () => new SetupError("ERR_SETUP_NO_EXT4_ROOTFS", {
+	message: "No ext4 rootfs found in ~/.vmsan/rootfs/.",
+	fix: INSTALL_FIX
+});
+function handleCommandError(error, cmdLog) {
+	cmdLog.error(error instanceof Error ? error : String(error));
+	cmdLog.emit();
+	if (getOutputMode() === "json") return;
+	if (error instanceof EvlogError) {
+		consola.error(error.message);
+		if (error.why) consola.log(`  Why: ${error.why}`);
+		if (error.fix) consola.log(`\n  Fix:\n\n${error.fix}\n`);
+		if (error.link) consola.log(`  More: ${error.link}`);
+	} else consola.error(error instanceof Error ? error.message : String(error));
+}
+export { invalidDomainError as A, policyConflictError as B, vmStateNotFoundError as C, invalidCidrPrefixError as D, invalidCidrOctetError as E, invalidIntegerFlagError as F, VmsanError as H, invalidNetworkPolicyError as I, invalidPortError as L, invalidDurationError as M, invalidImageRefEmptyError as N, invalidDiskSizeFormatError as O, invalidImageRefTagError as P, invalidRuntimeError as R, vmNotStoppedError as S, invalidCidrFormatError as T, portConflictError as V, chrootNotFoundError as _, noKernelDirError as a, vmNotFoundError as b, TimeoutError as c, socketTimeoutError as d, NetworkError as f, VmError as g, firecrackerApiError as h, noExt4RootfsError as i, invalidDomainPatternError as j, invalidDiskSizeRangeError as k, agentTimeoutError as l, FirecrackerApiError as m, SetupError as n, noKernelError as o, defaultInterfaceNotFoundError as p, missingBinaryError as r, noRootfsDirError as s, handleCommandError as t, lockTimeoutError as u, networkSlotsExhaustedError as v, ValidationError as w, vmNotRunningError as x, snapshotNotFoundError as y, mutuallyExclusiveFlagsError as z };

package/dist/_chunks/firecracker.mjs

@@ -0,0 +1,110 @@
+import { t as __exportAll } from "./rolldown-runtime.mjs";
+import { h as firecrackerApiError } from "./errors.mjs";
+import { join } from "node:path";
+import { request } from "node:http";
+var firecracker_exports = /* @__PURE__ */ __exportAll({
+	FirecrackerClient: () => FirecrackerClient,
+	firecrackerFetch: () => firecrackerFetch,
+	firecrackerRequest: () => firecrackerRequest
+});
+function firecrackerRequest(socketPath, method, path, body) {
+	return new Promise((resolve, reject) => {
+		const data = body ? JSON.stringify(body) : void 0;
+		const req = request({
+			socketPath,
+			method,
+			path,
+			headers: {
+				"Content-Type": "application/json",
+				...data ? { "Content-Length": String(Buffer.byteLength(data)) } : {}
+			}
+		}, (res) => {
+			const chunks = [];
+			res.on("data", (chunk) => chunks.push(chunk));
+			res.on("end", () => {
+				resolve({
+					statusCode: res.statusCode || 0,
+					body: Buffer.concat(chunks).toString()
+				});
+			});
+		});
+		req.on("error", reject);
+		if (data) req.write(data);
+		req.end();
+	});
+}
+/**
+* Send a type-safe request to the Firecracker API over a Unix socket.
+*
+* The generic parameters ensure the compiler validates:
+* - `path` is a valid Firecracker API path
+* - `method` is a valid HTTP method for that path
+* - `body` matches the expected request body schema
+*
+* Returns the parsed JSON response for 200 responses, `void` for 204,
+* and throws on any error status code.
+*/
+async function firecrackerFetch(socketPath, method, path, ...args) {
+	const res = await firecrackerRequest(socketPath, method, path, args[0]);
+	if (res.statusCode >= 400) throw firecrackerApiError(method, path, res.statusCode, res.body);
+	if (res.statusCode === 204 || !res.body) return;
+	return JSON.parse(res.body);
+}
+var FirecrackerClient = class {
+	constructor(socketPath) {
+		this.socketPath = socketPath;
+	}
+	async boot(kernelPath, bootArgs) {
+		await firecrackerFetch(this.socketPath, "PUT", "/boot-source", {
+			kernel_image_path: kernelPath,
+			boot_args: bootArgs
+		});
+	}
+	async addDrive(driveId, pathOnHost, isRoot, isReadOnly) {
+		await firecrackerFetch(this.socketPath, "PUT", `/drives/${driveId}`, {
+			drive_id: driveId,
+			path_on_host: pathOnHost,
+			is_root_device: isRoot,
+			is_read_only: isReadOnly,
+			cache_type: "Unsafe",
+			io_engine: "Sync"
+		});
+	}
+	async configure(vcpus, memMib) {
+		await firecrackerFetch(this.socketPath, "PUT", "/machine-config", {
+			vcpu_count: vcpus,
+			mem_size_mib: memMib,
+			smt: false,
+			track_dirty_pages: false
+		});
+	}
+	async addNetwork(ifaceId, tapDev, macAddress) {
+		await firecrackerFetch(this.socketPath, "PUT", `/network-interfaces/${ifaceId}`, {
+			iface_id: ifaceId,
+			host_dev_name: tapDev,
+			guest_mac: macAddress
+		});
+	}
+	async start() {
+		await firecrackerFetch(this.socketPath, "PUT", "/actions", { action_type: "InstanceStart" });
+	}
+	async loadSnapshot(snapshotPath, memPath) {
+		await firecrackerFetch(this.socketPath, "PUT", "/snapshot/load", {
+			snapshot_path: snapshotPath,
+			mem_file_path: memPath
+		});
+	}
+	async resume() {
+		await firecrackerFetch(this.socketPath, "PATCH", "/vm", { state: "Resumed" });
+	}
+	static async getVersion(baseDir) {
+		const fcPath = join(baseDir, "bin", "firecracker");
+		try {
+			const { execSync } = await import("node:child_process");
+			return execSync(`"${fcPath}" --version`, { encoding: "utf-8" }).trim();
+		} catch {
+			return;
+		}
+	}
+};
+export { firecrackerFetch as n, firecracker_exports as r, FirecrackerClient as t };

package/dist/_chunks/image-rootfs.mjs

@@ -0,0 +1,329 @@
+import { B as policyConflictError } from "./errors.mjs";
+import { a as parseDuration } from "./vm-state.mjs";
+import { t as assertSnapshotExists } from "./environment.mjs";
+import { c as parsePublishedPorts, d as validateCidr, f as validatePublishedPortsAvailable, i as parseDomains, l as parseRuntime, n as parseCidrList, o as parseMemoryMib, r as parseDiskSizeGb, s as parseNetworkPolicy, u as parseVcpuCount } from "./validation.mjs";
+import { dirname, join } from "node:path";
+import { execFileSync, execSync } from "node:child_process";
+import { consola } from "consola";
+import { copyFileSync, existsSync, mkdirSync, statSync, writeFileSync } from "node:fs";
+function parseCreateInput(args, paths) {
+	const vcpus = parseVcpuCount(args.vcpus);
+	const memMib = parseMemoryMib(args.memory);
+	const runtime = parseRuntime(args.runtime);
+	const networkPolicy = parseNetworkPolicy(args["network-policy"]);
+	const ports = parsePublishedPorts(args["publish-port"]);
+	const domains = parseDomains(args["allowed-domain"]);
+	const allowedCidrs = parseCidrList(args["allowed-cidr"]);
+	const deniedCidrs = parseCidrList(args["denied-cidr"]);
+	const timeoutMs = typeof args.timeout === "string" ? parseDuration(args.timeout) : null;
+	const snapshotId = typeof args.snapshot === "string" ? args.snapshot : null;
+	const diskSizeGb = parseDiskSizeGb(args.disk);
+	validatePublishedPortsAvailable(ports, paths);
+	for (const cidr of allowedCidrs) validateCidr(cidr);
+	for (const cidr of deniedCidrs) validateCidr(cidr);
+	if (networkPolicy === "deny-all" && (domains.length || allowedCidrs.length || deniedCidrs.length)) throw policyConflictError();
+	if (snapshotId) assertSnapshotExists(snapshotId, paths);
+	return {
+		vcpus,
+		memMib,
+		runtime,
+		networkPolicy: networkPolicy === "allow-all" && (domains.length > 0 || allowedCidrs.length > 0 || deniedCidrs.length > 0) ? "custom" : networkPolicy,
+		ports,
+		domains,
+		allowedCidrs,
+		deniedCidrs,
+		timeoutMs,
+		snapshotId,
+		diskSizeGb
+	};
+}
+function buildInitialVmState(input) {
+	const now = (/* @__PURE__ */ new Date()).toISOString();
+	return {
+		id: input.vmId,
+		project: input.project,
+		runtime: input.runtime,
+		diskSizeGb: input.diskSizeGb,
+		status: "creating",
+		pid: null,
+		apiSocket: "",
+		chrootDir: "",
+		kernel: input.kernelPath,
+		rootfs: input.rootfsPath,
+		vcpuCount: input.vcpus,
+		memSizeMib: input.memMib,
+		network: {
+			tapDevice: input.tapDevice,
+			hostIp: input.hostIp,
+			guestIp: input.guestIp,
+			subnetMask: input.subnetMask,
+			macAddress: input.macAddress,
+			networkPolicy: input.networkPolicy,
+			allowedDomains: input.domains,
+			allowedCidrs: input.allowedCidrs,
+			deniedCidrs: input.deniedCidrs,
+			publishedPorts: input.ports,
+			tunnelHostname: null,
+			tunnelHostnames: [],
+			bandwidthMbit: input.bandwidthMbit,
+			netnsName: input.netnsName
+		},
+		snapshot: input.snapshotId,
+		timeoutMs: input.timeoutMs,
+		timeoutAt: input.timeoutMs ? new Date(Date.now() + input.timeoutMs).toISOString() : null,
+		createdAt: now,
+		error: null,
+		agentToken: input.agentToken,
+		agentPort: input.agentPort
+	};
+}
+function buildCreateSummaryLines(input) {
+	return [
+		`VM Created: ${input.vmId}`,
+		"",
+		"  Status:   running",
+		`  PID:      ${input.pid || "unknown"}`,
+		`  vCPUs:    ${input.vcpus}`,
+		`  Memory:   ${input.memMib} MiB`,
+		`  Runtime:  ${input.runtime}`,
+		`  Disk:     ${input.diskSizeGb} GB`,
+		...input.project ? [`  Project:  ${input.project}`] : [],
+		"",
+		"  Network:",
+		`    TAP:    ${input.tapDevice}`,
+		`    Host:   ${input.hostIp}`,
+		`    Guest:  ${input.guestIp}`,
+		`    MAC:    ${input.macAddress}`,
+		`    Policy: ${input.networkPolicy}`,
+		...input.domains.length > 0 ? [`    Domains: ${input.domains.join(", ")}`] : [],
+		...input.allowedCidrs.length > 0 ? [`    Allowed CIDRs: ${input.allowedCidrs.join(", ")}`] : [],
+		...input.deniedCidrs.length > 0 ? [`    Denied CIDRs:  ${input.deniedCidrs.join(", ")}`] : [],
+		...input.ports.length > 0 ? [`    Ports:  ${input.ports.join(", ")}`] : [],
+		"",
+		`  Kernel:   ${input.kernelPath}`,
+		`  Rootfs:   ${input.rootfsPath}`,
+		...input.snapshotId ? [`  Snapshot: ${input.snapshotId}`] : [],
+		...input.timeout ? [`  Timeout:  ${input.timeout}`] : [],
+		"",
+		`  Socket:   ${input.socketPath}`,
+		`  Chroot:   ${input.chrootDir}`,
+		`  State:    ${input.stateFilePath}`
+	];
+}
+const VALID_ARCHES = ["x86_64", "aarch64"];
+const MAX_FILTER_SIZE = 1048576;
+/**
+* Compile a Firecracker seccomp JSON filter to BPF using seccompiler-bin.
+* Falls back to using the JSON filter directly if seccompiler-bin is not available.
+*/
+function compileSeccompFilter(jsonPath, outputPath, arch) {
+	const targetArch = arch ?? "x86_64";
+	if (!VALID_ARCHES.includes(targetArch)) throw new Error(`unsupported seccomp arch: ${targetArch} (allowed: ${VALID_ARCHES.join(", ")})`);
+	const stat = statSync(jsonPath);
+	if (stat.size > MAX_FILTER_SIZE) throw new Error(`seccomp filter too large: ${stat.size} bytes (max ${MAX_FILTER_SIZE})`);
+	mkdirSync(dirname(outputPath), { recursive: true });
+	execFileSync("seccompiler-bin", [
+		"--input-file",
+		jsonPath,
+		"--target-arch",
+		targetArch,
+		"--output-file",
+		outputPath
+	], { stdio: "pipe" });
+}
+/**
+* Ensure a seccomp filter is available for Firecracker.
+*
+* 1. If a compiled BPF exists at paths.seccompDir/default.bpf, return it.
+* 2. If the JSON source exists, try to compile it; return BPF path on success.
+* 3. If compilation fails (seccompiler-bin not installed), return null
+*    (Firecracker requires compiled BPF, not raw JSON).
+* 4. If no filter source exists at all, return null.
+*/
+function ensureSeccompFilter(paths) {
+	const bpfPath = join(paths.seccompDir, "default.bpf");
+	if (existsSync(bpfPath)) {
+		consola.debug(`seccomp: using compiled BPF filter at ${bpfPath}`);
+		return bpfPath;
+	}
+	const bundledJson = join(dirname(dirname(__dirname)), "seccomp", "default.json");
+	const userJson = paths.seccompFilter;
+	let sourceJson = null;
+	try {
+		const mode = statSync(userJson).mode;
+		if (mode & 18) consola.warn(`seccomp: filter at ${userJson} is group/world writable (mode ${(mode & 511).toString(8)}); consider restricting permissions`);
+		consola.debug(`seccomp: using user filter at ${userJson}`);
+		sourceJson = userJson;
+	} catch {}
+	if (!sourceJson && existsSync(bundledJson)) {
+		mkdirSync(paths.seccompDir, { recursive: true });
+		copyFileSync(bundledJson, userJson);
+		consola.debug(`seccomp: copied bundled filter to ${userJson}`);
+		sourceJson = userJson;
+	}
+	if (!sourceJson) return null;
+	try {
+		compileSeccompFilter(sourceJson, bpfPath);
+		consola.debug(`seccomp: compiled BPF filter at ${bpfPath}`);
+		return bpfPath;
+	} catch {
+		consola.warn("seccomp: BPF compilation failed (seccompiler-bin not available?); seccomp filtering disabled. Install seccompiler-bin for seccomp support.");
+		return null;
+	}
+}
+function dockerUnavailableError() {
+	return /* @__PURE__ */ new Error("Docker is not available. Install Docker and ensure the daemon is running.");
+}
+const APT_PACKAGES = [
+	"bind9-utils",
+	"bzip2",
+	"findutils",
+	"git",
+	"gzip",
+	"iputils-ping",
+	"libicu-dev",
+	"libjpeg-dev",
+	"libpng-dev",
+	"ncurses-base",
+	"libssl-dev",
+	"openssh-server",
+	"openssl",
+	"procps",
+	"tar",
+	"unzip",
+	"debianutils",
+	"whois",
+	"zstd"
+];
+const DNF_PACKAGES = [
+	"bind-utils",
+	"bzip2",
+	"findutils",
+	"git",
+	"gzip",
+	"iputils",
+	"libicu",
+	"libjpeg",
+	"libpng",
+	"ncurses-libs",
+	"openssh-server",
+	"openssl",
+	"openssl-libs",
+	"procps",
+	"tar",
+	"unzip",
+	"which",
+	"whois",
+	"zstd"
+];
+const APK_PACKAGES = [
+	"bind-tools",
+	"bzip2",
+	"findutils",
+	"git",
+	"gzip",
+	"iputils",
+	"icu-libs",
+	"libjpeg-turbo",
+	"libpng",
+	"ncurses-libs",
+	"openrc",
+	"openssh",
+	"openssl",
+	"procps",
+	"tar",
+	"unzip",
+	"whois",
+	"zstd"
+];
+function generateDockerfile(baseImage) {
+	return `FROM ${baseImage}
+RUN if command -v apt-get >/dev/null 2>&1; then ${`apt-get update && apt-get install -y --no-install-recommends ${APT_PACKAGES.join(" ")} && rm -rf /var/lib/apt/lists/*`}; \\
+    elif command -v dnf >/dev/null 2>&1; then ${`dnf install -y ${DNF_PACKAGES.join(" ")} && dnf clean all`}; \\
+    elif command -v yum >/dev/null 2>&1; then ${`yum install -y ${DNF_PACKAGES.join(" ")} && yum clean all`}; \\
+    elif command -v apk >/dev/null 2>&1; then ${`apk add --no-cache ${APK_PACKAGES.join(" ")}`}; \\
+    fi
+RUN ssh-keygen -A 2>/dev/null || true; \\
+    mkdir -p /root/.ssh && chmod 700 /root/.ssh; \\
+    if [ -f /etc/ssh/sshd_config ]; then \\
+      sed -i 's/^#*PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config; \\
+    fi; \\
+    if command -v rc-update >/dev/null 2>&1; then \\
+      rc-update add devfs sysinit 2>/dev/null || true; \\
+      rc-update add mdev sysinit 2>/dev/null || true; \\
+      rc-update add hwdrivers sysinit 2>/dev/null || true; \\
+      rc-update add modules boot 2>/dev/null || true; \\
+      rc-update add sysctl boot 2>/dev/null || true; \\
+      rc-update add hostname boot 2>/dev/null || true; \\
+      rc-update add bootmisc boot 2>/dev/null || true; \\
+      rc-update add networking boot 2>/dev/null || true; \\
+      rc-update add sshd default 2>/dev/null || true; \\
+      printf '%s\\n' '::sysinit:/sbin/openrc sysinit' '::sysinit:/sbin/openrc boot' '::wait:/sbin/openrc default' '::shutdown:/sbin/openrc shutdown' 'ttyS0::respawn:/sbin/getty 115200 ttyS0' > /etc/inittab; \\
+    fi; \\
+    if command -v systemctl >/dev/null 2>&1; then systemctl enable sshd 2>/dev/null || systemctl enable ssh 2>/dev/null || true; fi
+`;
+}
+function verifyDocker() {
+	try {
+		execSync("docker info", { stdio: "pipe" });
+	} catch {
+		throw dockerUnavailableError();
+	}
+}
+function buildImageRootfs(imageRef, cacheDir) {
+	const ext4Path = join(cacheDir, "rootfs.ext4");
+	verifyDocker();
+	const buildTag = `vmsan-rootfs-${imageRef.name.replace(/[^a-z0-9._-]/gi, "-")}:${imageRef.tag}`;
+	const containerName = `vmsan-export-${Date.now()}`;
+	const tmpTar = join(cacheDir, "rootfs.tar");
+	mkdirSync(cacheDir, { recursive: true });
+	try {
+		consola.start(`Building image from ${imageRef.full}...`);
+		execSync(`docker build -t "${buildTag}" -f - . <<'DOCKERFILE'\n${generateDockerfile(imageRef.full)}\nDOCKERFILE`, {
+			stdio: "pipe",
+			shell: "/bin/bash"
+		});
+		consola.start("Exporting filesystem...");
+		execSync(`docker create --name "${containerName}" "${buildTag}"`, { stdio: "pipe" });
+		execSync(`docker export "${containerName}" -o "${tmpTar}"`, { stdio: "pipe" });
+		consola.start("Converting to ext4...");
+		const tarSizeOutput = execSync(`stat -c %s "${tmpTar}"`, { encoding: "utf-8" }).trim();
+		const tarMb = Number(tarSizeOutput) / 1024 / 1024;
+		const imageSizeMb = Math.max(1024, Math.ceil(tarMb + 512));
+		execSync(`dd if=/dev/zero of="${ext4Path}" bs=1M count=${imageSizeMb} 2>/dev/null`, { stdio: "pipe" });
+		execSync(`mkfs.ext4 -q "${ext4Path}"`, { stdio: "pipe" });
+		execSync(`tune2fs -m 0 "${ext4Path}"`, { stdio: "pipe" });
+		const tmpMount = join(cacheDir, "mnt");
+		mkdirSync(tmpMount, { recursive: true });
+		execSync(`mount -o loop "${ext4Path}" "${tmpMount}"`, { stdio: "pipe" });
+		try {
+			execSync(`tar -xf "${tmpTar}" -C "${tmpMount}"`, { stdio: "pipe" });
+		} finally {
+			execSync(`umount "${tmpMount}"`, { stdio: "pipe" });
+			execSync(`rm -rf "${tmpMount}"`, { stdio: "pipe" });
+		}
+		writeFileSync(join(cacheDir, "metadata.json"), JSON.stringify({
+			image: imageRef.full,
+			builtAt: (/* @__PURE__ */ new Date()).toISOString()
+		}, null, 2));
+		consola.success(`Rootfs built from ${imageRef.full} (${imageSizeMb} MB)`);
+		return ext4Path;
+	} finally {
+		try {
+			execSync(`docker rm -f "${containerName}" 2>/dev/null`, { stdio: "pipe" });
+		} catch {}
+		try {
+			execSync(`rm -f "${tmpTar}"`, { stdio: "pipe" });
+		} catch {}
+	}
+}
+function resolveImageRootfs(imageRef, registryDir) {
+	const cacheDir = join(registryDir, imageRef.cacheKey);
+	const ext4Path = join(cacheDir, "rootfs.ext4");
+	if (existsSync(ext4Path)) {
+		consola.info(`Using cached rootfs for ${imageRef.full}`);
+		return ext4Path;
+	}
+	return buildImageRootfs(imageRef, cacheDir);
+}
+export { buildInitialVmState as a, buildCreateSummaryLines as i, compileSeccompFilter as n, parseCreateInput as o, ensureSeccompFilter as r, resolveImageRootfs as t };