api

Published: Feb 14, 2026 License: MIT Imports: 14 Imported by: 0

Constants

// Default resource limits. They share names with the Resources fields
// (CPUs, MemoryMB, DiskSizeMB, TimeoutSeconds) and are presumably applied when
// a Config leaves those fields zero — confirm in DefaultConfig (body not shown here).
// DefaultGracefulShutdownPeriod has no matching Resources field; a value of 0
// presumably means no grace period before a forced stop — confirm with the consumer.
const (
	DefaultCPUs                   = 1
	DefaultMemoryMB               = 512
	DefaultDiskSizeMB             = 5120
	DefaultTimeoutSeconds         = 300
	DefaultGracefulShutdownPeriod = 0
)
// DefaultWorkspace is the default mount point for the VFS in the guest.
// It is the value GetWorkspace falls back to when VFSConfig.Workspace is empty.
const DefaultWorkspace = "/workspace"

DefaultWorkspace is the default mount point for the VFS in the guest.

Variables

// Sentinel errors returned by this package. Match them with errors.Is rather
// than ==, so that errors wrapped with fmt.Errorf("...: %w", err) still compare.
var (
	// Network policy errors. ErrSecretLeak presumably covers the case where a
	// Secret's placeholder would have been sent to a host outside Secret.Hosts.
	ErrBlocked        = errors.New("request blocked by policy")
	ErrHostNotAllowed = errors.New("host not in allowlist")
	ErrSecretLeak     = errors.New("secret placeholder sent to unauthorized host")
	// VM lifecycle and configuration errors.
	ErrVMNotRunning   = errors.New("VM is not running")
	ErrVMNotFound     = errors.New("VM not found")
	ErrTimeout        = errors.New("operation timed out")
	ErrInvalidConfig  = errors.New("invalid configuration")

	// Volume mount parsing and validation errors (presumably returned by
	// ParseVolumeMount and the ValidateGuestPath* helpers — confirm).
	ErrInvalidVolumeFormat = errors.New("expected format host:guest or host:guest:ro")
	ErrResolvePath         = errors.New("failed to resolve path")
	ErrHostPathNotExist    = errors.New("host path does not exist")
	ErrUnknownMountOption  = errors.New("unknown option")
	ErrGuestPathNotAbs     = errors.New("guest path must be absolute")
	ErrGuestPathOutside    = errors.New("guest path must be within workspace")

	// Environment variable parsing errors (presumably returned by ParseEnvVar,
	// ParseEnvFile and ParseEnvs — confirm).
	ErrEnvNameEmpty   = errors.New("environment variable name cannot be empty")
	ErrEnvNameInvalid = errors.New("environment variable name is invalid")
	ErrEnvVarNotSet   = errors.New("environment variable is not set")
	ErrReadEnvFile    = errors.New("read env file")
	ErrEnvFileLine    = errors.New("parse env file line")
)
// DefaultDNSServers are used when no custom DNS servers are configured
// (see NetworkConfig.GetDNSServers). The addresses are Google Public DNS.
// This is a mutable package-level slice: do not modify it, or a slice
// returned from it, in place; copy it when a per-VM variant is needed.
var DefaultDNSServers = []string{"8.8.8.8", "8.8.4.4"}

DefaultDNSServers are used when no custom DNS servers are configured.

Functions

func ParseEnvFile added in v0.1.19

func ParseEnvFile(path string) (map[string]string, error)

ParseEnvFile parses an env file with one variable per line using the same semantics as ParseEnvVar. Blank lines and lines starting with '#' are ignored.

func ParseEnvVar added in v0.1.19

func ParseEnvVar(spec string) (string, string, error)

ParseEnvVar parses an environment variable in Docker-style format: "KEY=VALUE" (inline value) or "KEY" (read from host environment).

func ParseEnvs added in v0.1.19

func ParseEnvs(envSpecs []string, envFiles []string) (map[string]string, error)

ParseEnvs merges env files and explicit env flags into one map. Later values override earlier ones: 1) env files in provided order, then 2) explicit env specs in provided order.

func ParseVolumeMount

func ParseVolumeMount(vol string, workspace string) (hostPath, guestPath string, readonly bool, err error)

ParseVolumeMount parses a volume mount string in format "host:guest" or "host:guest:ro". Guest paths are resolved within workspace; absolute guest paths must already be under workspace.

func ShellQuoteArgs added in v0.1.1

func ShellQuoteArgs(args []string) string

ShellQuoteArgs joins command arguments into a single shell-safe string using POSIX shell quoting rules.

func ValidateGuestMount added in v0.1.6

func ValidateGuestMount(path string) error

ValidateGuestMount checks that a guest mount path is safe for use in kernel cmdline args and shell scripts.

func ValidateGuestPathWithinWorkspace added in v0.1.19

func ValidateGuestPathWithinWorkspace(guestPath string, workspace string) error

ValidateGuestPathWithinWorkspace checks that guestPath is absolute and inside workspace.

func ValidateVFSMountsWithinWorkspace added in v0.1.19

func ValidateVFSMountsWithinWorkspace(mounts map[string]MountConfig, workspace string) error

ValidateVFSMountsWithinWorkspace checks that all VFS mount paths are valid guest paths under the configured workspace.

Types

type Config

// Config describes a sandbox VM: the image to run, resource limits, network
// policy, the virtual filesystem, environment variables and extra disks.
// Every field is optional on the wire (omitempty). How nil sections and zero
// values are filled in is decided by DefaultConfig and Merge, whose bodies
// are not visible here.
type Config struct {
	// Image names the image to run; the reference format is not visible here — TODO confirm.
	Image      string            `json:"image,omitempty"`
	// Privileged presumably relaxes sandbox isolation for the guest. Treat it as
	// a high-risk setting: leave it false unless the workload requires it, and
	// confirm its exact effect in the VM implementation.
	Privileged bool              `json:"privileged,omitempty"`
	// Resources holds CPU, memory, disk and timeout limits; nil presumably means the Default* constants — confirm.
	Resources  *Resources        `json:"resources,omitempty"`
	// Network holds the egress policy (allowlist, secrets, DNS); nil presumably means no custom policy — confirm.
	Network    *NetworkConfig    `json:"network,omitempty"`
	// VFS configures the guest workspace and its mounts; nil presumably means DefaultWorkspace with no mounts — confirm.
	VFS        *VFSConfig        `json:"vfs,omitempty"`
	// Env is the environment exported to guest commands (see ParseEnvs for the CLI form).
	Env        map[string]string `json:"env,omitempty"`
	// ExtraDisks lists additional ext4 disk images to attach as block devices.
	ExtraDisks []DiskMount       `json:"extra_disks,omitempty"`
	// ImageCfg carries the image's USER/WORKDIR/ENTRYPOINT/CMD/ENV metadata.
	ImageCfg   *ImageConfig      `json:"image_config,omitempty"`
}

func DefaultConfig

// DefaultConfig returns a Config populated with this package's defaults
// (presumably the Default* constants, DefaultWorkspace and DefaultDNSServers —
// the body is not visible here, confirm).
func DefaultConfig() *Config

func ParseConfig

// ParseConfig decodes data into a Config. The struct's json tags indicate a
// JSON document; whether unknown fields are rejected and whether defaults are
// applied is not visible here — confirm. It returns an error (possibly
// ErrInvalidConfig) when the document is malformed or fails validation.
func ParseConfig(data []byte) (*Config, error)

func (*Config) GetWorkspace

func (c *Config) GetWorkspace() string

GetWorkspace returns the workspace path from the config, or the default if it is not set.

func (*Config) Merge

// Merge returns a Config combining c with other. Which side wins for fields set
// on both, and whether maps and slices are merged or replaced, is not visible
// here — confirm before relying on it, especially for Network and Env, where an
// unexpected override can widen the host allowlist or expose extra variables.
func (c *Config) Merge(other *Config) *Config

type DirectMount

// DirectMount maps a host path into the guest. Unlike MountConfig it has no
// Type and no Upper/Lower layering; whether it bypasses the VFS entirely is not
// visible here — confirm. Keys in VFSConfig.DirectMounts are presumably the
// guest paths — confirm.
type DirectMount struct {
	// HostPath is the host-side path to expose; required on the wire.
	HostPath string `json:"host_path"`
	// Readonly prevents the guest from writing through the mount.
	Readonly bool   `json:"readonly,omitempty"`
}

type DiskMount added in v0.1.6

// DiskMount describes a persistent ext4 disk image to attach as a block device.
// The image file lives on the host. GuestMount should pass ValidateGuestMount,
// since guest mount paths end up in kernel cmdline arguments and shell scripts
// (whether this type's validation happens automatically is not visible here).
type DiskMount struct {
	// HostPath is the path of the ext4 image on the host; required on the wire.
	HostPath   string `json:"host_path"`
	// GuestMount is where the block device is mounted inside the guest; required on the wire.
	GuestMount string `json:"guest_mount"`
	// ReadOnly attaches the device read-only.
	ReadOnly   bool   `json:"readonly,omitempty"`
}

DiskMount describes a persistent ext4 disk image to attach as a block device.

type Event

// Event is a single sandbox observation. Type presumably selects which of the
// optional payloads (Network, File, Exec) is populated — confirm the Type
// values with the producer. Timestamp is an int64 whose unit (seconds vs.
// milliseconds) is not visible here — confirm.
type Event struct {
	Type      string        `json:"type"`
	Timestamp int64         `json:"timestamp"`
	Network   *NetworkEvent `json:"network,omitempty"`
	File      *FileEvent    `json:"file,omitempty"`
	Exec      *ExecEvent    `json:"exec,omitempty"`
}

type ExecEvent

// ExecEvent reports a command executed in the guest and its exit status.
type ExecEvent struct {
	// Command is the command line as recorded by the VM. It may contain
	// sensitive arguments, so be careful when persisting or forwarding events.
	Command  string `json:"command"`
	// ExitCode is the process exit status.
	ExitCode int    `json:"exit_code"`
}

type ExecOptions

// ExecOptions controls a single VM.Exec call. All fields are optional; this
// type has no json tags and is not part of the wire format.
type ExecOptions struct {
	// WorkingDir is the directory the command runs in (presumably a guest path — confirm).
	WorkingDir string
	// Env is the environment for this command; whether it overlays or replaces Config.Env is not visible here — confirm.
	Env        map[string]string
	// Stdin, when set, is presumably streamed to the command's standard input — confirm.
	Stdin      io.Reader
	// Stdout and Stderr, when set, presumably receive output as it is produced;
	// whether ExecResult.Stdout/Stderr are still filled in that case is not
	// visible here — confirm.
	Stdout     io.Writer
	Stderr     io.Writer
	User       string // "uid", "uid:gid", or username — resolved in guest
}

type ExecResult

// ExecResult is the outcome of a VM.Exec call: exit status, captured output
// and wall-clock duration. Only DurationMS is serialized; Duration (json:"-")
// is the in-process form of the same value.
type ExecResult struct {
	ExitCode   int           `json:"exit_code"`
	Stdout     []byte        `json:"stdout,omitempty"`
	Stderr     []byte        `json:"stderr,omitempty"`
	DurationMS int64         `json:"duration_ms"`
	Duration   time.Duration `json:"-"`
}

type FileEvent

// FileEvent reports a file operation observed in the guest.
// Note that Mode, UID and GID use omitempty: a zero value (mode 0, or uid/gid 0
// i.e. root) is dropped on the wire, so consumers cannot distinguish "root"
// from "not reported" from the JSON alone.
type FileEvent struct {
	// Op names the operation (for example read, write, create, open — see VFSHookRule.Ops).
	Op   string `json:"op"`
	// Path is the guest path the operation touched.
	Path string `json:"path"`
	// Size is a byte count; whether it is the file size or the bytes transferred is not visible here — confirm.
	Size int64  `json:"size"`
	// Mode is presumably the Unix mode bits — confirm.
	Mode uint32 `json:"mode,omitempty"`
	UID  int    `json:"uid,omitempty"`
	GID  int    `json:"gid,omitempty"`
}

type FileInfo

// FileInfo describes one directory entry returned by VM.ListFiles.
// Mode is a raw uint32 rather than an fs.FileMode; presumably Unix mode bits — confirm.
type FileInfo struct {
	Name    string    `json:"name"`
	Size    int64     `json:"size"`
	Mode    uint32    `json:"mode"`
	ModTime time.Time `json:"mod_time"`
	IsDir   bool      `json:"is_dir"`
}

type HTTPHooks

// HTTPHooks lets the host inspect or rewrite guest HTTP traffic. Both hooks
// may return a replacement object; returning an error presumably aborts the
// request or response — confirm. Hooks see request and response bodies and
// headers, so anything they log may include credentials.
type HTTPHooks struct {
	// OnRequest is called with the outgoing request and returns the request to send.
	OnRequest  func(req *http.Request) (*http.Request, error)
	// OnResponse is called with the response and the request it answers, and returns the response to deliver.
	OnResponse func(resp *http.Response, req *http.Request) (*http.Response, error)
}

type ImageConfig added in v0.1.10

// ImageConfig carries the image metadata that influences how commands run:
// the Docker-style USER, WORKDIR, ENTRYPOINT, CMD and ENV. See ComposeCommand
// for how Entrypoint and Cmd combine with caller-supplied arguments.
type ImageConfig struct {
	User       string            `json:"user,omitempty"`
	WorkingDir string            `json:"working_dir,omitempty"`
	Entrypoint []string          `json:"entrypoint,omitempty"`
	Cmd        []string          `json:"cmd,omitempty"`
	Env        map[string]string `json:"env,omitempty"`
}

func (*ImageConfig) ComposeCommand added in v0.1.10

func (ic *ImageConfig) ComposeCommand(userArgs []string) []string

ComposeCommand builds a shell command from the image ENTRYPOINT/CMD and user-provided args, following Docker semantics: if the user provides args, they replace CMD; ENTRYPOINT is always prepended.

type MountConfig

// MountConfig describes one VFS mount. The set of valid Type values is not
// visible here — confirm. Upper and Lower are presumably used only for an
// overlay-style Type, each being a nested MountConfig.
type MountConfig struct {
	Type     string       `json:"type"`
	// HostPath is the host directory backing the mount, when the Type uses one.
	HostPath string       `json:"host_path,omitempty"`
	// Readonly prevents guest writes through this mount.
	Readonly bool         `json:"readonly,omitempty"`
	Upper    *MountConfig `json:"upper,omitempty"`
	Lower    *MountConfig `json:"lower,omitempty"`
}

type NetworkConfig

// NetworkConfig is the guest egress policy.
type NetworkConfig struct {
	// AllowedHosts is the host allowlist; requests to other hosts presumably
	// fail with ErrHostNotAllowed — confirm. Whether entries are exact names
	// or patterns is not visible here.
	AllowedHosts    []string          `json:"allowed_hosts,omitempty"`
	// BlockPrivateIPs presumably rejects connections to private/loopback address ranges — confirm which ranges.
	BlockPrivateIPs bool              `json:"block_private_ips,omitempty"`
	// Secrets maps a secret name to its value and the hosts allowed to receive it (see ParseSecret).
	Secrets         map[string]Secret `json:"secrets,omitempty"`
	// PolicyScript is presumably executable policy evaluated per request — confirm
	// the language. Treat it as code: only accept it from trusted configuration sources.
	PolicyScript    string            `json:"policy_script,omitempty"`
	// DNSServers overrides DefaultDNSServers when non-empty (see GetDNSServers).
	DNSServers      []string          `json:"dns_servers,omitempty"`
}

func (*NetworkConfig) GetDNSServers added in v0.1.7

func (n *NetworkConfig) GetDNSServers() []string

GetDNSServers returns the configured DNS servers or defaults.

type NetworkEvent

// NetworkEvent reports one HTTP request made from the guest. When Blocked is
// true the request was rejected by policy and BlockReason says why; StatusCode
// and the byte counts are presumably zero in that case — confirm.
type NetworkEvent struct {
	Method        string `json:"method"`
	// URL is the full request URL; it may carry query-string credentials, so
	// be careful when persisting events.
	URL           string `json:"url"`
	Host          string `json:"host"`
	StatusCode    int    `json:"status_code"`
	RequestBytes  int64  `json:"request_bytes"`
	ResponseBytes int64  `json:"response_bytes"`
	DurationMS    int64  `json:"duration_ms"`
	Blocked       bool   `json:"blocked"`
	BlockReason   string `json:"block_reason,omitempty"`
}

type Resources

// Resources holds the VM's resource limits. Zero values presumably fall back to
// the Default* constants of the same name — confirm. Only TimeoutSeconds is
// serialized; Timeout (json:"-") is the in-process form of the same value.
type Resources struct {
	CPUs           int           `json:"cpus,omitempty"`
	MemoryMB       int           `json:"memory_mb,omitempty"`
	DiskSizeMB     int           `json:"disk_size_mb,omitempty"`
	TimeoutSeconds int           `json:"timeout_seconds,omitempty"`
	Timeout        time.Duration `json:"-"`
}

type Secret

// Secret is a credential the guest may send only to specific hosts
// (see ParseSecret for the CLI form). Note that Value has no omitempty and is
// serialized in plain text whenever a Config or NetworkConfig is marshaled, so
// do not log or persist such configs without redaction.
type Secret struct {
	// Value is the real secret.
	Value       string   `json:"value"`
	// Placeholder is presumably what the guest sees in place of Value; sending it
	// to a host outside Hosts is the ErrSecretLeak case — confirm the substitution point.
	Placeholder string   `json:"placeholder,omitempty"`
	// Hosts lists the hosts allowed to receive the secret; required on the wire.
	Hosts       []string `json:"hosts"`
}

func ParseSecret added in v0.1.1

func ParseSecret(s string) (string, Secret, error)

ParseSecret parses a secret string in the format "NAME=VALUE@host1,host2" or "NAME@host1,host2". When no inline value is provided, the value is read from the environment variable $NAME.

type VFSConfig

// VFSConfig configures the guest's virtual filesystem.
type VFSConfig struct {
	// Workspace is the guest mount point; empty means DefaultWorkspace (see GetWorkspace).
	Workspace    string                 `json:"workspace,omitempty"`
	// DirectMounts is keyed by what are presumably guest paths — confirm.
	DirectMounts map[string]DirectMount `json:"direct_mounts,omitempty"`
	// Mounts is keyed by guest path; ValidateVFSMountsWithinWorkspace checks the
	// keys are absolute and under Workspace.
	Mounts       map[string]MountConfig `json:"mounts,omitempty"`
	// Interception enables event emission and hook rules for file operations.
	Interception *VFSInterceptionConfig `json:"interception,omitempty"`
}

func (*VFSConfig) GetWorkspace

func (v *VFSConfig) GetWorkspace() string

GetWorkspace returns the configured workspace path, or the default if none is set.

type VFSHookRule added in v0.1.19

// VFSHookRule describes a single interception rule. How multiple matching
// rules combine (first match, all rules, allow vs. block precedence) is not
// visible here — confirm before relying on rule order.
type VFSHookRule struct {
	// Name is an optional label for the rule (presumably for diagnostics — confirm).
	Name string `json:"name,omitempty"`

	// Phase is either "before" or "after".
	// Empty defaults to "before".
	Phase string `json:"phase,omitempty"`

	// Ops filters operations (for example: read, write, create, open).
	// Empty matches all operations.
	Ops []string `json:"ops,omitempty"`

	// Path is a filepath-style glob pattern (for example: /workspace/*).
	// Empty matches all paths. Whether "*" crosses directory separators is
	// not visible here — confirm, since it decides how broad a pattern is.
	Path string `json:"path,omitempty"`

	// Action is one of: allow, block. Required on the wire.
	Action string `json:"action"`

	// TimeoutMS is interpreted by SDK-local callback execution and ignored by
	// host wire rules.
	TimeoutMS int `json:"timeout_ms,omitempty"`
}

VFSHookRule describes a single interception rule.

type VFSHooks

// VFSHooks are host-side callbacks for guest file operations. Only BeforeOpen
// can return an error, so it is the only hook able to veto an operation
// (presumably — confirm); the others are notifications.
type VFSHooks struct {
	// BeforeOpen is called with the guest path and open flags before the open.
	BeforeOpen  func(path string, flags int) error
	// AfterRead is called after a read of n bytes.
	AfterRead   func(path string, n int)
	// AfterWrite is called after a write of n bytes.
	AfterWrite  func(path string, n int)
	// BeforeClose is called before the file is closed.
	BeforeClose func(path string)
}

type VFSInterceptionConfig added in v0.1.19

// VFSInterceptionConfig configures host-side VFS interception rules.
type VFSInterceptionConfig struct {
	// EmitEvents enables file-operation event notifications.
	EmitEvents bool `json:"emit_events,omitempty"`

	// Rules are the interception rules; their evaluation order is not visible here — confirm.
	Rules []VFSHookRule `json:"rules,omitempty"`
}

VFSInterceptionConfig configures host-side VFS interception rules.

type VM

// VM is a sandbox virtual machine. Every operation takes a context so callers
// can bound it; implementations presumably return ErrVMNotRunning for calls
// that need a started VM — confirm per implementation.
type VM interface {
	// ID returns the VM's identifier.
	ID() string
	// Config returns the VM's configuration.
	Config() *Config
	// Start boots the VM.
	Start(ctx context.Context) error
	// Stop shuts the VM down; whether a grace period is applied is not visible here.
	Stop(ctx context.Context) error
	// Exec runs command in the guest. command is a single string, presumably
	// interpreted by a shell — build it with ShellQuoteArgs when it includes
	// untrusted arguments. nil opts presumably means defaults — confirm.
	Exec(ctx context.Context, command string, opts *ExecOptions) (*ExecResult, error)
	// WriteFile writes content to path in the guest with the given mode bits.
	WriteFile(ctx context.Context, path string, content []byte, mode uint32) error
	// ReadFile returns the contents of path in the guest.
	ReadFile(ctx context.Context, path string) ([]byte, error)
	// ListFiles returns the entries of the directory at path in the guest.
	ListFiles(ctx context.Context, path string) ([]FileInfo, error)
	// Events returns the stream of Event notifications; whether the channel is
	// buffered and whether a slow consumer blocks the VM is not visible here.
	Events() <-chan Event
	// Close releases host resources; whether it also stops a running VM is not visible here — confirm.
	Close() error
}
