)j$%LdZddlZddlZddlZddlZddlZddlZddlmZddl m Z ddl m Z ddl mZmZmZmZejeZe dz Zdefd Zdefd Zdefd Zd eddfd ZdefdZdefdZejZddededefdZ GddeZ!dS)aSingularity/Apptainer persistent container environment. Security-hardened with --containall, --no-home, capability dropping. Supports configurable resource limits and optional filesystem persistence via writable overlay directories that survive across sessions. N)Path)Optional)get_hermes_home)BaseEnvironment_load_json_store _popen_bash_save_json_storezsingularity_snapshots.jsonreturncxtjdrdStjdrdStd)z/Locate the apptainer or singularity CLI binary. apptainer singularityzNeither 'apptainer' nor 'singularity' was found in PATH. Install Apptainer (https://apptainer.org/docs/admin/main/installation.html) or Singularity and ensure the CLI is available.)shutilwhich RuntimeErrorC/home/ubuntu/.hermes/hermes-agent/tools/environments/singularity.py_find_singularity_executablersG |K  { |M""}  :  rct} tj|dgdddtj}nB#t$rt d|dtj$rt d|dwxYw|jd kr>|j d d }t d|d |jd ||S)z?Preflight check: resolve the executable and verify it responds.versionT capture_outputtexttimeoutstdinz"Singularity backend selected but 'z' could not be executed.'z version' timed out.rNz version' failed (exit code z): ) r subprocessrunDEVNULLFileNotFoundErrorrTimeoutExpired returncodestderrstrip)exeresultr%s r_ensure_singularity_availabler)+s & ( (C : ) Tb$        N N N N     $:::8s888999:A$$&&tt,^s^^@Q^^V\^^___ Js %6?A5c*ttSN)r_SNAPSHOT_STORErrr_load_snapshotsr-@s O , ,,rdatac0tt|dSr+)r r,)r.s r_save_snapshotsr0Ds_d+++++rctjd}|r(t|}|dd|Sddlm}|dz }td}|rntj|tjrO|tjdd z d z }|ddt d ||S|dd|S) NTERMINAL_SCRATCH_DIRTparentsexist_okr)get_sandbox_dirr z/scratchUSERhermesz hermes-agentz Using /scratch for sandboxes: %s) osgetenvrmkdirtools.environments.baser6existsaccessW_OKloggerinfo)custom_scratch scratch_pathr6sandboxscratch user_scratchs r_get_scratch_dirrGHsY566NN++ 4$777777777o-/G:G~~BIgrw7768!|dr#t|r|S|ds|S|dddddd}t }||dz }|rt |St5|rt |cdddSt dt d|t d ||d z }| d d tj }t ||d <t ||d< tj|dt ||gd d d|tj}|jdkrPtdtd|jdd|cdddSt dt |cdddS#tj$rStd|r||cYcdddSt,$r3}td||cYd}~cdddSd}~wwxYw#1swxYwYdS)Nz.sifz docker:///-:z&Building SIF image (one-time setup)...z Source: %sz Target: %stmpTr3APPTAINER_TMPDIRrIbuildiX)rrrenvrrz/SIF build failed, falling back to docker:// URLz Error: %sizSIF image built successfullyz2SIF build timed out, falling back to docker:// URLz2SIF build error: %s, falling back to docker:// URL)endswithrr= startswithreplacerLstr_sif_build_lockr@rAr;r9environcopyrr r!r$warningr%r#unlink Exception) rMrN image_namerJsif_pathtmp_dirrWr(es r_get_or_build_sifrfls ~~f$u++"4"4"6"6   K ( ( {B//77SAAII#sSSJ(**Ij....H8}} "" ??   !x==""""""""  <=== NE*** NH---e# dT 222joo"%g,, $' NN ! ^Wc(mmU;#$ (F  A%%PQQQ}fmDSD.ABBB1""""""""2 KK6 7 7 7x==5""""""""6(    NNO P P P   "!!!LL?""""""""@    NNOQR S S SLLLLLE""""""""@ A""""""""""sW#L>B.L-BI2=(I22ALL LL 8L9L LLLLceZdZdZ ddeded ed ed ed ed edeffd ZdZ dddddeded ededzde j f dZ dZ xZS)SingularityEnvironmentaHardened Singularity/Apptainer container with resource limits and persistence. Spawn-per-call: every execute() spawns a fresh ``apptainer exec ... bash -c`` process. Session snapshot preserves env vars across calls. CWD persists via in-band stdout markers. ~<rFdefaultrMcwdrcpumemorydiskpersistent_filesystemtask_idc Lt||t|_t ||j|_dt jjdd|_ d|_ ||_ ||_ d|_ ||_||_|j rQt!dz } | dd| d|z |_ |j dd||dS) N)rlrhermes_ Fzhermes-overlaysTr3zoverlay-)super__init__r)rNrfrMuuiduuid4hex instance_id_instance_started _persistent_task_id _overlay_dir_cpu_memoryrGr;_start_instance init_session) selfrMrlrrmrnrorprq overlay_base __class__s rrvzSingularityEnvironment.__init__s# S'222799&udo>> !;!;!;F;@!$+/,,,C,4,,!Dj,4>4D,,,, '''''''rrh)r )"rloggingr9rr threadingrwpathlibrtypingrhermes_constantsrr<rrrr getLoggerrr@r,r[rr)dictr-r0rGrLLockr\rfrhrrrrs   ,,,,,,  8 $ $!/##&BB c    s*-----,$,4,,,,$* $    !).""//S/c/C////dk'k'k'k'k'_k'k'k'k'k'r