+ ӃiYLaRt!0tRt^RIt^RIt^RIt^RIt^RIt^RIt^RIt^RI t ^RI t ^RI t ^RI H t ^RIHt^RIHt]P$!]4t.ROtRs]^k]P.!R4tRRltRR ltR R ltR R lt.ROtRs]^kRRlt!RR]4t R#)zDocker execution environment for sandboxed command execution. Security hardened (cap-drop ALL, no-new-privileges, PID limits), configurable resource limits (CPU, memory, disk), and optional filesystem persistence via bind mounts. N)Optional)BaseEnvironment)is_interruptedz^[A-Za-z_][A-Za-z0-9_]*$cjV^8dQhR\\,R,R\\,/#) forward_envNreturn)liststr)formats"6/home/ubuntu/hermes-agent/tools/environments/docker.py __annotate__r 's'd3i$.>49c.p\4pT;'g.Fp\V\4'g\P RV4K1VP 4pV'gKK\ PV4'g\P RV4K~WB9dKVPV4VPV4K V#)z?Return a deduplicated list of valid environment variable names.z0Ignoring non-string docker_forward_env entry: %rz-Ignoring invalid docker_forward_env entry: %r) set isinstancer loggerwarningstrip_ENV_VAR_NAME_REmatchaddappend)r normalizedseenitemkeys& r _normalize_forward_env_namesr'sJUD!!r!$$$ NNMt T jjl %%c** NNJD Q  ;   #"" rc`V^8dQhR\R,R\\\3,/#)renvNrdictr )r s"r r r @s&TD[T#s(^rc8V'g/#\V\4'g\PRV4/#/pVP 4Fwr#\V\ 4'd*\ PVP44'g\PRV4K\VP4p\V\ 4'gF\V\\\34'd \ V4pM\PRW#4KW1V&K V#)zValidate and normalize a docker_env dict to {str: str}. Filters out entries with invalid variable names or non-string values. zdocker_env is not a dict: %rz#Ignoring invalid docker_env key: %rz/Ignoring non-string docker_env value for %r: %r) rr!rritemsr rrrintfloatbool)rrrvalues& r _normalize_env_dictr(@s  c4 5s; !#Jiik #s##+;+A+A#))++N+N NN@# F iik%%%%#ud!344E PRU]3" rcFV^8dQhR\\\3,/#rrr )r s"r r r ^stCH~rcX^RIHpV!4;'g/# \d/u#i;i)zDLoad ~/.hermes/.env values without failing Docker command execution.load_env)hermes_cli.configr- Exceptionr,s r _load_hermes_env_varsr0^s..zR  s ))c:V^8dQhR\\,/#r*)rr )r s"r r r hsXc]rc\\e\#\P!R4pV'dVsV#\Fqp\P P V4'gK*\P!V\P4'gKWVs\PRV4Vu# R#)a!Locate the docker CLI binary. Checks ``shutil.which`` first (respects PATH), then probes well-known install locations on macOS where Docker Desktop may not be in PATH (e.g. when running as a gateway service via launchd). Returns the absolute path, or ``None`` if docker cannot be found. Ndockerz%Found docker at non-PATH location: %s) _docker_executableshutilwhich_DOCKER_SEARCH_PATHSospathisfileaccessX_OKrinfo)foundr9s r find_dockerr?hs|%!! LL "E " $ 77>>$  BIIdBGG$<$\2P4P=V4'g\P?RV 24RVn RVn!.pVP'dV!4R, V, p\#VR, 4Vn!\2PD!VPBRR7VP!RVPB R2.4V'gbV'gZ\#VR, 4Vn \2PD!VP@RR7VP!RVP@ R2.4M6V'gV'gVP!RR.4VP!.R=O4V'd#\PR V 24RV R2.VOpMV'd\P?R!4^R"I#H$pH%pH&pV!4FOpVP!RVR#, RVR$, R%2.4\PR&VR#,VR$,4KQ V!4FOpVP!RVR#, RVR$, R%2.4\PR'VR#,VR$,4KQ V!4FOpVP!RVR#, RVR$, R%2.4\PR(VR#,VR$,4KQ .p\QVP4F,p VP!R*V R+VPV , 2.4K. \PR,V 24\\R4V,V,V,V,p!\PR-V! 24\U4;'gRVn+R.\XPZ!4P\R/, 2p"VPVR0R1R2V"R3V.V!OVNR4NR5Np#\P?R6R7P_V#4 24\`Pb!V#RR^xRR87p$V$PdP14Vn \PR9V" R:VPR;, R<24R# \Nd"p\P?R)T4Rp?ELRp?ii;i)>~/root)rXrGNzDockerEnvironment volumes: z%docker_volumes config is not a list: z--cpusz--memorymdarwin --storage-optzsize=zDocker storage driver does not support per-container disk limits (requires overlay2 on XFS with pquota). Container will run without disk quota.z--network=none)get_sandbox_dirFz%Docker volume entry is not a string: :z-vz :/workspaceTzDocker volume 'z' missing colon, skippingz>Skipping docker cwd mount: host_cwd is not a valid directory: r3home)exist_okz:/root workspace--tmpfsz/workspace:rw,exec,size=10gz,Mounting configured host cwd to /workspace: zDSkipping docker cwd mount: /workspace already mounted by user config)get_credential_file_mountsget_skills_directory_mountget_cache_directory_mounts host_pathcontainer_pathz:roz$Docker: mounting credential %s -> %sz$Docker: mounting skills dir %s -> %sz#Docker: mounting cache dir %s -> %sz1Docker: could not load credential file mounts: %s-e=zDocker volume_args: zDocker run_args: zhermes-:NNrLz-dz--name-wsleep2hzStarting container:  )rErFrGcheckzStarted container z (:N N))rpz/home:rw,exec,size=1grpz/root:rw,exec,size=1g)3super__init__ _base_image _persistent_task_idr _forward_envr(_env _container_idrr=rr rrSextendr sysplatform_storage_opt_supportedrtools.environments.baserjrr8r9abspath expanduserr&isdirdebug_workspace_dir _home_dirmakedirstools.credential_filesrqrrrsr/sorted_SECURITY_ARGSr? _docker_exeuuiduuid4hexjoinrKrLstdout)&selfrWrXrGrYrZr[r\r]r^rrr_r`ra resource_argsrj volume_argsworkspace_explicitly_mountedvol host_cwd_abs bind_host_cwd writable_argssandboxrqrrrs mount_entry skills_mount cache_mounteenv_argsr all_run_argscontainer_namerun_cmdrR __class__s&&&&&&&&&&&&&&&& r rDockerEnvironment.__init__s" #:C S2 0 8E', ,0 1';<  z'4'@'@ NNB7+N OG !" 7  (CH!5 6 A:  *l!; < !8 0**,,$$otfA%GHe  !1 2 < ',$MMrMCc3''!FsgNO))+Ccz""D#;/ C'370(5NOP"IQrwwrww'9'9('CDVX  1 1\" 1 1 l+ 1 110  hrww}}\/J/J LLYZbYcd e-1(,    %'(2W!=L LK ) LL_ `. Q   :; """;/0+>N2O1PPST$ : , 01 <!; < ""#K01<@P3Q2RRUV$ : - !12 != :; """;/0+>N2O1PPST$ 9 , 01 <$))$C OOTcU!DIIcN+;#<= >%  *;-89N+m;mKkY\dd  ' ~67'=44H#4::<#3#3B#7"89   eT n #           +CHHW,=+>?@   $]]002 ((84;M;Mc;R:SSTUVI Q LLLa P P Qs#D\ \6\11\6c <V^8dQhRS[/#r*)r&)r rbs"r r rcs%%D%rc 8\e\#\4;'gRp\P!VRRR.RR^ R7pVPP 4P 4pVR8wdRsR#\P!VR R R R .RR^R7pVP^8XdBVPP 4pV'd\P!VR V.R^R7RsMRs\PR\4\# \dRsL/i;i)zCheck if Docker's storage driver supports --storage-opt size=. Only overlay2 on XFS with pquota supports per-container disk quotas. Ubuntu (and most distros) default to ext4, where this flag errors out. r3r=z--formatz {{.Driver}}TrDoverlay2Fcreaterizsize=1mz hello-worldrm)rErGz Docker --storage-opt support: %s) _storage_opt_okr?rKrLrrlowerrMr/rr)r3rRdriverprobe container_ids r r(DockerEnvironment._storage_opt_supporteds  &" " $ ]..hF^^];#$F]]((*002F#"'NN?I}M#$E1$$||113 NNFD,#?26C"&"'  7I $#O $s*D AD 5AD D &D DDrG stdin_datac T<V^8dQhRS[RS[RS[R,RS[R,RS[/#)rcommandrXrGNrr)r r$r!)r rbs"r r rcsIcOcOscOcOtcO$JcO26cOrcaaVPV4wrVT;'g VPpT;'g VPpVeVe Wd,p M VeTp MTp VR8Xd RV 2pRpM!VRR7pVPA4\BPD!4V,pSPG4f\I4'dRSPK4SPM^R7VPS^R7RRPSS4R,R^/#\BPD!4V8d4SPQ4VPS^R7VPUV4#\BPV!R4KVPS^R7RRPSS4RSPX/# \ dELi;i \ dELti;i \,PNdSPQ4ELi;i \ dpRRT 2R^/uRp?#Rp?ii;i)Nrezcd ~ && /z~/zcd ~/:rNNz && zContainer not startedexecz-iry)get_all_passthroughrvrwbashz-lcT)rrNstdinrFcv<SPFpSPV4K R# \dR#i;i)N)rrr/)line_output_chunksprocs r _drain)DockerEnvironment.execute.._drains6 $ &--d3!, s $) 88)targetdaemon)rGoutputrlz [Command interrupted]rMg?zDocker execution error: )-_prepare_commandrXrG startswithshlexquoterrrrr!rrrtools.env_passthroughrr/r0rr8getenvgetrKPopenPIPESTDOUTDEVNULLrwriteclose threadingThreadstarttime monotonicpollr terminatewaitrPkillr_timeout_resultrzrM)rrrXrGr exec_command sudo_stdinwork_direffective_timeouteffective_stdincmdexec_env forward_keysr hermes_envrr'rreaderdeadlinerrrs&&&$$ @@r executeDockerEnvironment.executes$(#8#8#A ??$((#33t||  !j&<(5O  #(O(O s?%l^4LH   & &"5;;x|#<"=T,PLH!!!:#::!(  & JJt  D(#$$( ?4,,-   A /1 1L1=*," ,'CIIcNE}"s+ % ((#C JJQx}o67 8$ D&&|DE/ ON##!z/@/@)8jooj>P>P D JJ$$_5JJ$$& %%VDAF LLN~~'*;;H))+%!##NN$$ ! ,KKK* "''."9>#h.IIKKKK*//0ABB 3 KKK "bggn5|T__U Uw   4!&&44$ $ O 8+P93P>9P>c  VP'dRVP RVP RVP RVP R2 p\P!VRR7VP'g5\P!R VP RVP R 2RR7R VnVP'gDVPVP3F%pV'gK \P!VRR 7K' R #R # \d,p\ P RTPT4R p?LR p?ii;i \dLi;i) zJStop and remove the container. Bind-mount dirs persist if persistent=True.z (timeout 60 z stop z || z rm -f z) >/dev/null 2>&1 &T)shellzFailed to stop container %s: %sNz sleep 3 && z >/dev/null 2>&1 &) ignore_errors) rrrKrr/rrrrrr5rmtree)rstop_cmdrds& r cleanupDockerEnvironment.cleanup>s:     Y#4#3#3"4F4;M;M:Nd''(0B0B/CCVX  6###$$%d&6&6%7wt?Q?Q>RRde" "&D ))4>>:1MM!48;  Y@$BTBTVWXX Y!s*AD63E D=!D88D= E E) rrrrrrrrr) rf<rrFdefaultNNNTNF)rl) __name__ __module__ __qualname____firstlineno____doc__r staticmethodrrr__static_attributes____classdictcell__ __classcell__)rrbs@@r rUrUs[ GWGWR%%NcO&*cO)-cOcOJ99rrUcV^8dQh/^\9d\\,;R&^\9d\\,;R&#)rr4r)__conditional_annotations__rr r&)r s"r r r s<D)(HSM(El'&$&mr)z/usr/local/bin/dockerz/opt/homebrew/bin/dockerz6/Applications/Docker.app/Contents/Resources/bin/docker)z --cap-dropALL --cap-add DAC_OVERRIDErCHOWNrFOWNERz--security-optzno-new-privilegesz --pids-limit256rpz/tmp:rw,nosuid,size=512mrpz#/var/tmp:rw,noexec,nosuid,size=256mrpz/run:rw,noexec,nosuid,size=64m)"rrloggingr8rerr5rKrrrrtypingrrrtools.interruptr getLoggerrrr7r4compilerrr(r0r?rrrSrUr )rs@r rs   3*   8 $  %)(::9:2<D #'&?D}9}9r