agentkernel 0.18.1

Run AI coding agents in secure, isolated microVMs
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521

//! Apple Containers backend implementing the Sandbox trait (macOS 26+ only).

use anyhow::{Context, Result, bail};
use async_trait::async_trait;
use std::process::Command;
use std::sync::atomic::{AtomicBool, Ordering};

use super::{BackendType, ExecResult, Sandbox, SandboxConfig};

/// Cached flag indicating if system is already verified running
static SYSTEM_VERIFIED: AtomicBool = AtomicBool::new(false);

/// Check if Apple container system service is running
pub fn apple_system_running() -> bool {
    // Fast path: if we've already verified, skip the command
    if SYSTEM_VERIFIED.load(Ordering::Relaxed) {
        return true;
    }

    let running = Command::new("container")
        .args(["system", "status"])
        .output()
        .map(|o| o.status.success() && String::from_utf8_lossy(&o.stdout).contains("is running"))
        .unwrap_or(false);

    if running {
        SYSTEM_VERIFIED.store(true, Ordering::Relaxed);
    }

    running
}

/// Start the Apple container system service
pub fn start_apple_system() -> Result<()> {
    // Fast path: if already verified running, skip everything
    if SYSTEM_VERIFIED.load(Ordering::Relaxed) {
        return Ok(());
    }

    if apple_system_running() {
        return Ok(());
    }

    eprintln!("Starting Apple container system...");

    // Use echo "Y" to auto-accept kernel download prompt
    let output = Command::new("sh")
        .args(["-c", "echo 'Y' | container system start"])
        .output()
        .context("Failed to start Apple container system")?;

    if !output.status.success() {
        let stderr = String::from_utf8_lossy(&output.stderr);
        if !stderr.contains("already") {
            bail!("Failed to start Apple container system: {}", stderr);
        }
    }

    // Only sleep on first start, not when already running
    std::thread::sleep(std::time::Duration::from_millis(500));
    SYSTEM_VERIFIED.store(true, Ordering::Relaxed);
    Ok(())
}

/// Check if Apple containers is available
pub fn apple_containers_available() -> bool {
    Command::new("container")
        .arg("--version")
        .output()
        .map(|o| o.status.success())
        .unwrap_or(false)
}

/// Check macOS version (needs 26+)
pub fn macos_version_supported() -> bool {
    let output = Command::new("sw_vers").arg("-productVersion").output().ok();

    if let Some(output) = output
        && let Ok(version) = String::from_utf8(output.stdout)
        && let Some(major) = version.trim().split('.').next()
        && let Ok(major_num) = major.parse::<u32>()
    {
        return major_num >= 26;
    }

    false
}

/// Check whether an image tag refers to a local-only image that should never be
/// pulled from a remote registry (e.g. snapshot images created via `docker commit`).
fn is_local_image(image: &str) -> bool {
    image.starts_with("agentkernel-snap:")
        || (image.starts_with("agentkernel-")
            && !image.contains('/')
            && !image.contains(".io")
            && !image.contains(".com"))
}

/// Check if an image exists in the Apple container image store.
fn apple_image_exists(image: &str) -> bool {
    Command::new("container")
        .args(["image", "inspect", image])
        .output()
        .map(|o| o.status.success())
        .unwrap_or(false)
}

/// Import a Docker-local image into the Apple container image store.
///
/// Uses `docker save <tag> | container image load` to transfer images that
/// exist in Docker (e.g. from `docker commit`) but not in the Apple store.
fn import_image_from_docker(image: &str) -> Result<()> {
    use std::process::Stdio;

    // Verify the image exists in Docker first
    let docker_check = Command::new("docker")
        .args(["image", "inspect", image])
        .output()
        .context("Failed to check Docker for image")?;

    if !docker_check.status.success() {
        bail!(
            "Image '{}' not found in Docker or Apple container stores. \
             Was the snapshot created on this machine?",
            image
        );
    }

    eprintln!(
        "Importing image '{}' from Docker into Apple containers...",
        image
    );

    // Pipe: docker save <image> | container image load
    let docker_save = Command::new("docker")
        .args(["save", image])
        .stdout(Stdio::piped())
        .spawn()
        .context("Failed to run docker save")?;

    let load_output = Command::new("container")
        .args(["image", "load"])
        .stdin(docker_save.stdout.unwrap())
        .output()
        .context("Failed to run container image load")?;

    if !load_output.status.success() {
        let stderr = String::from_utf8_lossy(&load_output.stderr);
        bail!("Failed to import image into Apple containers: {}", stderr);
    }

    Ok(())
}

/// Get the IP address of an Apple container by parsing `container inspect` JSON.
pub fn get_container_ip(container_name: &str) -> Option<String> {
    let output = Command::new("container")
        .args(["inspect", container_name])
        .output()
        .ok()?;
    if !output.status.success() {
        return None;
    }
    // Parse the JSON array; extract .networks[0].address and strip the CIDR suffix.
    let text = String::from_utf8_lossy(&output.stdout);
    let arr: serde_json::Value = serde_json::from_str(text.trim()).ok()?;
    let addr = arr
        .get(0)?
        .get("networks")?
        .get(0)?
        .get("address")?
        .as_str()?;
    // Strip "/24" CIDR suffix if present
    Some(addr.split('/').next().unwrap_or(addr).to_string())
}

/// Apple Containers sandbox
pub struct AppleSandbox {
    name: String,
    /// Whether we started this container (controls Drop cleanup)
    running: bool,
    /// Whether this sandbox should persist after Drop (like Docker)
    persistent: bool,
}

impl AppleSandbox {
    /// Create a new Apple sandbox
    pub fn new(name: &str) -> Self {
        Self {
            name: name.to_string(),
            running: false,
            persistent: false,
        }
    }

    /// Create a new persistent Apple sandbox (won't be cleaned up on Drop)
    pub fn new_persistent(name: &str) -> Self {
        Self {
            name: name.to_string(),
            running: false,
            persistent: true,
        }
    }

    /// Get the container name (always derived from sandbox name, like Docker)
    fn container_name(&self) -> String {
        format!("agentkernel-{}", self.name)
    }
}

#[async_trait]
impl Sandbox for AppleSandbox {
    async fn start(&mut self, config: &SandboxConfig) -> Result<()> {
        // Ensure system is running
        start_apple_system()?;

        let container_name = self.container_name();

        // For local/snapshot images (e.g. "agentkernel-snap:my-snap"), ensure the
        // image is available in the Apple container store. These images are created
        // via `docker commit` and live only in Docker's image store, so Apple's
        // `container run` would try (and fail) to pull them from a registry.
        if is_local_image(&config.image) && !apple_image_exists(&config.image) {
            import_image_from_docker(&config.image)?;
        }

        // Remove any existing container
        let _ = Command::new("container")
            .args(["delete", "-f", &container_name])
            .output();

        // Build container arguments
        let mut args = vec![
            "run".to_string(),
            "-d".to_string(),
            "--name".to_string(),
            container_name.clone(),
        ];

        // Resource limits
        args.push("--cpus".to_string());
        args.push(config.vcpus.to_string());
        args.push("--memory".to_string());
        args.push(format!("{}M", config.memory_mb));

        // Mount working directory if requested
        if config.mount_cwd
            && let Some(ref work_dir) = config.work_dir
        {
            args.push("-v".to_string());
            args.push(format!("{}:/workspace", work_dir));
            args.push("-w".to_string());
            args.push("/workspace".to_string());
        }

        // Mount home directory if requested
        if config.mount_home
            && let Some(home) = std::env::var_os("HOME")
        {
            args.push("-v".to_string());
            args.push(format!("{}:/home/user:ro", home.to_string_lossy()));
        }

        // Add environment variables
        for (key, value) in &config.env {
            args.push("-e".to_string());
            args.push(format!("{}={}", key, value));
        }

        // Note: Apple containers don't support --read-only flag directly
        // Image and command to keep container running
        args.push(config.image.clone());
        args.push("sleep".to_string());
        args.push("infinity".to_string());

        // Run the container
        let output = Command::new("container")
            .args(&args)
            .output()
            .context("Failed to start Apple container")?;

        if !output.status.success() {
            let stderr = String::from_utf8_lossy(&output.stderr);
            bail!("Failed to start container: {}", stderr);
        }

        self.running = true;
        Ok(())
    }

    async fn exec(&mut self, cmd: &[&str]) -> Result<ExecResult> {
        self.exec_with_env(cmd, &[]).await
    }

    async fn exec_with_env(&mut self, cmd: &[&str], env: &[String]) -> Result<ExecResult> {
        let container_name = self.container_name();

        let mut args = vec!["exec".to_string()];

        // Add environment variables
        for e in env {
            args.push("-e".to_string());
            args.push(e.clone());
        }

        args.push(container_name);
        args.extend(cmd.iter().map(|s| s.to_string()));

        // Use tokio::process::Command so exec doesn't block the tokio runtime.
        // This is critical for the secret proxy: the proxy runs as a tokio task,
        // and blocking with std::process::Command would starve it when the exec'd
        // process makes requests through the proxy (deadlock).
        let output = tokio::process::Command::new("container")
            .args(&args)
            .output()
            .await
            .context("Failed to run command in Apple container")?;

        let stdout = String::from_utf8_lossy(&output.stdout).to_string();
        let stderr = String::from_utf8_lossy(&output.stderr).to_string();
        let exit_code = output.status.code().unwrap_or(-1);

        Ok(ExecResult {
            exit_code,
            stdout,
            stderr,
        })
    }

    async fn stop(&mut self) -> Result<()> {
        let container_name = self.container_name();

        // Stop with short timeout — use tokio to avoid blocking forever
        // if the VM process is stuck (e.g. spinning at 100%+ CPU).
        let stop_timeout = std::time::Duration::from_secs(10);
        let mut stop_child = tokio::process::Command::new("container")
            .args(["stop", "-t", "1", &container_name])
            .stdout(std::process::Stdio::null())
            .stderr(std::process::Stdio::null())
            .spawn()
            .ok();
        if let Some(ref mut child) = stop_child {
            match tokio::time::timeout(stop_timeout, child.wait()).await {
                Ok(_) => {}
                Err(_) => {
                    // Timed out — kill the stop process itself
                    let _ = child.kill().await;
                }
            }
        }

        // Force delete (also with timeout)
        let mut del_child = tokio::process::Command::new("container")
            .args(["delete", "-f", &container_name])
            .stdout(std::process::Stdio::null())
            .stderr(std::process::Stdio::null())
            .spawn()
            .ok();
        if let Some(ref mut child) = del_child {
            match tokio::time::timeout(stop_timeout, child.wait()).await {
                Ok(_) => {}
                Err(_) => {
                    let _ = child.kill().await;
                }
            }
        }

        self.running = false;
        Ok(())
    }

    fn name(&self) -> &str {
        &self.name
    }

    fn backend_type(&self) -> BackendType {
        BackendType::Apple
    }

    fn is_running(&self) -> bool {
        // Check container directly — don't rely on internal state since
        // we might be reconnecting to an existing container.
        // Note: Apple's `container ls` doesn't support --filter, so we
        // list all containers and check if ours is present.
        let container_name = self.container_name();
        Command::new("container")
            .args(["ls"])
            .output()
            .map(|o| String::from_utf8_lossy(&o.stdout).contains(&container_name))
            .unwrap_or(false)
    }

    async fn write_file_unchecked(&mut self, path: &str, content: &[u8]) -> Result<()> {
        let container_name = self.container_name();

        // Ensure parent directory exists in container
        let parent = std::path::Path::new(path)
            .parent()
            .map(|p| p.to_string_lossy().to_string())
            .unwrap_or_else(|| "/".to_string());

        let _ = Command::new("container")
            .args(["exec", &container_name, "mkdir", "-p", &parent])
            .output();

        // Write file via exec: pipe base64-encoded content through sh -c
        use base64::{Engine, engine::general_purpose::STANDARD};
        let encoded = STANDARD.encode(content);
        let decode_cmd = format!("echo '{}' | base64 -d > '{}'", encoded, path);
        let output = Command::new("container")
            .args(["exec", &container_name, "sh", "-c", &decode_cmd])
            .output()
            .context("Failed to write file in container")?;

        if !output.status.success() {
            let stderr = String::from_utf8_lossy(&output.stderr);
            bail!("Failed to write file: {}", stderr);
        }

        Ok(())
    }

    async fn read_file_unchecked(&mut self, path: &str) -> Result<Vec<u8>> {
        let container_name = self.container_name();

        // Read file via exec: base64-encode the content and decode on host
        let output = Command::new("container")
            .args(["exec", &container_name, "base64", path])
            .output()
            .context("Failed to read file from container")?;

        if !output.status.success() {
            let stderr = String::from_utf8_lossy(&output.stderr);
            bail!("Failed to read file: {}", stderr);
        }

        use base64::{Engine, engine::general_purpose::STANDARD};
        let decoded = STANDARD
            .decode(String::from_utf8_lossy(&output.stdout).trim())
            .context("Failed to decode base64 file content")?;

        Ok(decoded)
    }

    async fn remove_file_unchecked(&mut self, path: &str) -> Result<()> {
        let container_name = self.container_name();

        let output = Command::new("container")
            .args(["exec", &container_name, "rm", "-f", path])
            .output()
            .context("Failed to remove file in container")?;

        if !output.status.success() {
            let stderr = String::from_utf8_lossy(&output.stderr);
            bail!("rm failed: {}", stderr);
        }

        Ok(())
    }

    async fn mkdir_unchecked(&mut self, path: &str, recursive: bool) -> Result<()> {
        let container_name = self.container_name();

        let mut args = vec!["exec", &container_name, "mkdir"];
        if recursive {
            args.push("-p");
        }
        args.push(path);

        let output = Command::new("container")
            .args(&args)
            .output()
            .context("Failed to create directory in container")?;

        if !output.status.success() {
            let stderr = String::from_utf8_lossy(&output.stderr);
            bail!("mkdir failed: {}", stderr);
        }

        Ok(())
    }
}

impl Drop for AppleSandbox {
    fn drop(&mut self) {
        // Only clean up if running and not marked as persistent
        if self.running && !self.persistent {
            let container_name = self.container_name();
            let _ = Command::new("container")
                .args(["delete", "-f", &container_name])
                .output();
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_is_local_image_snapshot_tags() {
        assert!(is_local_image("agentkernel-snap:test-snap"));
        assert!(is_local_image("agentkernel-snap:my-snapshot"));
        assert!(is_local_image("agentkernel-snap:v1"));
    }

    #[test]
    fn test_is_local_image_other_agentkernel_tags() {
        assert!(is_local_image("agentkernel-my-tools"));
        assert!(is_local_image("agentkernel-custom:latest"));
    }

    #[test]
    fn test_is_local_image_rejects_registry_images() {
        assert!(!is_local_image("alpine:3.20"));
        assert!(!is_local_image("python:3.12-alpine"));
        assert!(!is_local_image("docker.io/library/alpine"));
        assert!(!is_local_image("ghcr.io/user/image:latest"));
        assert!(!is_local_image("registry.example.com/foo"));
    }
}