+ i8fRt^RIt^RIt^RIt^RIt^RIt^RIt^RIt^RIt^RI t ^RI H t ^RI H t HtHt^RIHt^RIHt^RIHt]P,!]4t]!4R, tRR ltR R ltR R ltRRltRRltRRlt]P@!4t!RRRllt"!RR]4t#R#)aSingularity/Apptainer persistent container environment. Security-hardened with --containall, --no-home, capability dropping. Supports configurable resource limits and optional filesystem persistence via writable overlay directories that survive across sessions. NPath)AnyDictOptional)get_hermes_home)BaseEnvironment)is_interruptedzsingularity_snapshots.jsonc$V^8dQhR\/#returnstr)formats";/home/ubuntu/hermes-agent/tools/environments/singularity.py __annotate__rscc\P!R4'dR#\P!R4'dR#\R4h)zLocate the apptainer or singularity CLI binary. Returns the executable name (``"apptainer"`` or ``"singularity"``). Raises ``RuntimeError`` with install instructions if neither is found. apptainer singularityzNeither 'apptainer' nor 'singularity' was found in PATH. Install Apptainer (https://apptainer.org/docs/admin/main/installation.html) or Singularity and ensure the CLI is available.)shutilwhich RuntimeErrorrr_find_singularity_executablers: ||K   ||M""  : rc$V^8dQhR\/#r r)rs"rrr.ssrcv\4p\P!VR.RR^ R7pTP ^8wd@TPP4R,p\ RT R TP R T 24hT# \d\ RT R24h\P d\ RT R24hi;i) zPreflight check: resolve the executable and verify it responds. Returns the executable name on success. Raises ``RuntimeError`` with an actionable message on failure. versionTcapture_outputtexttimeoutz:Singularity backend selected but the resolved executable 'z1' could not be executed. Check your installation.'z6 version' timed out. The runtime may be misconfigured.:NNz version' failed (exit code z): ) r subprocessrunFileNotFoundErrorrTimeoutExpired returncodestderrstrip)exeresultr*s r_ensure_singularity_availabler..s ' (C  )    A$$&t,u01B1B0C3vh O   J!  HN> >    $ $ uJ K   sA::,B8'B8cFV^8dQhR\\\3,/#r rr)rs"rrrPsc3hrc\P4'd*\P!\P 44#/# \ d/#i;iN)_SNAPSHOT_STOREexistsjsonloads read_text Exceptionrrr_load_snapshotsr9PsN ::o779: : I   I s'A AAcJV^8dQhR\\\3,RR/#)r datar Nr0)rs"rrrYs";;$sCx.;T;rc\PPRRR7\P\P !V^R74R#)Tparentsexist_ok)indentN)r3parentmkdir write_textr5dumps)r;s&r_save_snapshotsrEYs4   =tzz$q9:rc$V^8dQhR\/#r r)rs"rrrbs$rc\P!R4pV'd!\V4pVPRRR7V#^RIHpV!4R, p\R4pVP 4'd|\P!V\P4'dQV\P!RR4, R , pVPRRR7\PR V4V#VPRRR7V#) aGet the best directory for Singularity sandboxes. Resolution order: 1. TERMINAL_SCRATCH_DIR (explicit override) 2. TERMINAL_SANDBOX_DIR / singularity (shared sandbox root) 3. /scratch (common on HPC clusters) 4. ~/.hermes/sandboxes/singularity (fallback) TERMINAL_SCRATCH_DIRTr=)get_sandbox_dirrz/scratchUSERhermesz hermes-agentz Using /scratch for sandboxes: %s) osgetenvrrBtools.environments.baserIr4accessW_OKloggerinfo)custom_scratch scratch_pathrIsandboxscratch user_scratchs r_get_scratch_dirrXbsYY56NN+ 4$77-/G:G~~BIIgrww7768!<<~M 4$7 6 E MM$M. Nrc$V^8dQhR\/#r r)rs"rrrs  $ rc\P!R4pV'd!\V4pVPRRR7V#\ 4pVR, pVPRRR7V#)z1Get the Apptainer cache directory for SIF images.APPTAINER_CACHEDIRTr=z .apptainer)rLrMrrBrX) cache_dir cache_pathrVs r_get_apptainer_cache_dirr^sa ./I)_ 5 G<'JTD1 rc<V^8dQhR\R\R\/#)r image executabler r)rs"rrrs!33S3c3C3rc VPR4'd"\V4P4'dV#VPR4'gV#VP RR4P RR4P RR4p\ 4pW2 R2, pVP4'd \ V4#\;_uu_4VP4'd\ V4uuRRR4#\PR4\PR V4\PR V4VR , pVPR R R 7\PP4p\ V4VR&\ V4VR&\P!VR\ V4V.R R RVR7pVP ^8wdI\P#R4\P#RVP$R,4VuuRRR4#\PR4\ V4uuRRR4# \P&dK\P#R4TP4'dTP)4TuuuRRR4#\*d-p\P#RT4TuRp?uuRRR4#Rp?ii;i +'giR#;i)zGet or build a SIF image from a docker:// URL. Returns the path unchanged if it's already a .sif file. For docker:// URLs, checks the cache and builds if needed. z.sifz docker:///-:Nz&Building SIF image (one-time setup)...z Source: %sz Target: %stmpTr=APPTAINER_TMPDIRr[buildiX)r r!r"envz/SIF build failed, falling back to docker:// URLz Error: %s:NiNzSIF image built successfullyz2SIF build timed out, falling back to docker:// URLz2SIF build error: %s, falling back to docker:// URL)endswithrr4 startswithreplacer^r_sif_build_lockrQrRrBrLenvironcopyr%r&r)warningr*r(unlinkr8) r`ra image_namer\sif_pathtmp_dirrjr-es && r_get_or_build_sifrws+  ~~f$u+"4"4"6"6   K ( ( {B/77SAII#sSJ(*I\..H8}  ??  x=   <= NE* NH-e# dT 2jjoo"%g, $' N ! ^^Wc(mU;#$F  A%PQ}fmmD.AB/ 0 KK6 7x=3 4((  NNO P  !L= >  NNOQR SLC > ? s\!K4BK A6H7 H77?K 7K  KK K K6K 7KK  K K ctaa]tRt^toRtR V3RlV3RllltRtR RRRR/V3RlR llltR tR t Vt V;t #)SingularityEnvironmentaHardened Singularity/Apptainer container with resource limits and persistence. Security: --containall (isolated PID/IPC/mount namespaces, no host home mount), --no-home, writable-tmpfs for scratch space. The container cannot see or modify the host filesystem outside of explicitly bound paths. Persistence: when enabled, the writable overlay directory is preserved across sessions so installed packages and files survive cleanup/restore. cJ<V^8dQhRS[RS[RS[RS[RS[RS[RS[RS[/#) r r`cwdr"cpumemorydiskpersistent_filesystemtask_id)rintfloatbool)r __classdict__s"rr#SingularityEnvironment.__annotate__s[      $rc  <\S V`W#R7\4Vn\ WP4VnR\ P!4PR, 2Vn RVn Wpn Wn RVn W@nWPnVP'dS\!4R, p V P#RRR7V RV 2, Vn VPP#RRR7VP%4R#) )r{r"hermes_:N NFNzhermes-overlaysTr=zoverlay-)super__init__r.rarwr`uuiduuid4hex instance_id_instance_started _persistent_task_id _overlay_dir_cpu_memoryrXrB_start_instance) selfr`r{r"r|r}r~rr overlay_base __class__s &&&&&&&&& rrSingularityEnvironment.__init__s S279&uoo> $TZZ\%5%5c%:$;<!&0 ,0      +-0AAL   td  ; ,'/C CD     # #D4 # @ rc>VPRR.pVPRR.4VP'd:VP'd(VPR\ VP4.4MVP R4^RIHpHpV!4FOpVPRVR, R VR , R 2.4\PR VR,VR ,4KQ V!4FOpVPRVR, R VR , R 2.4\PR VR,VR ,4KQ VP^8d!VPRVP R2.4VP^8d'VPR\ VP4.4VP\ VP4VP .4\"P$!VRR^xR7pVP&^8wd\)RVP* 24hRVn\PRVP VP4R# \d"p\PRT4Rp?EL7Rp?ii;i \"P.d \)R4hi;i)instancestartz --containallz --no-homez --overlayz--writable-tmpfs)get_credential_file_mountsget_skills_directory_mountz--bind host_pathrfcontainer_pathz:roz(Singularity: binding credential %s -> %sz(Singularity: binding skills dir %s -> %sz8Singularity: could not load credential/skills mounts: %sNz--memoryMz--cpusTrzFailed to start instance: z/Singularity instance %s started (persistent=%s)zInstance start timed out)raextendrrrappendtools.credential_filesrrrQrRr8debugrrr`rr%r&r)rr*rr()rcmdrr mount_entry skills_mountrvr-s& rr&SingularityEnvironment._start_instancesA G4 NK01     1 1 1 JJ S):):%;< = JJ) * X e9;  H[)A(B!KP`DaCbbe&fgh > , 01 <!; <  Hk)B(C1\RbEcDddg&hij > - !12!= <._drainXs6 $ &--d3!, s $) 88)targetdaemon)r"rcz [Command interrupted]g?zSingularity execution error: )!rr"r{_prepare_commandrlshlexquoterartimer%PopenPIPESTDOUTDEVNULLrwritecloser8 threadingThreadr monotonicpollr terminatewaitr(killjoin_timeout_resultsleepr))rrr{r"reffective_timeoutwork_dir exec_command sudo_stdineffective_stdinr_timerreaderdeadlinervrrs&&&$$ @@rexecuteSingularityEnvironment.execute)s%%%4lBG G#33t||??$((#'#8#8#A   !j&<(5O  #(O(O s?%l^4LH   & &"5;;x|#<"=T,PLHT--./t\+0 T N##!z/@/@)8jooj>P>P D JJ$$_5JJ$$& %%VDAF LLN(+<LLL L"LL"L"c VP'd[\P!VPRRVP.RR^R7\ P RVP4RVnVP'dMVP'd9\4p\VP4W P&\V4R#R#R# \d,p\ PRTPT4Rp?LRp?ii;i) zMStop the instance. If persistent, the overlay dir survives for next creation.rstopTrzSingularity instance %s stoppedz*Failed to stop Singularity instance %s: %sNF)rr%r&rarrQrRr8rqrrr9rrrE)rrv snapshotss& rcleanupSingularityEnvironment.cleanupzs  ! ! ! b__j&$:J:JK#'dB =t?O?OP&+D "     1 1 1')I'*4+<+<'=Imm $ I &!2   bKTM]M]_`aa bsAC D!C>>D) rrrrrrrar`r)r<rrFdefault)rc) __name__ __module__ __qualname____firstlineno____doc__rrrr__static_attributes____classdictcell__ __classcell__)rrs@@rryrysHB2;hOT&*OT)-OTOTb''rry)r)$rr5loggingrLrrr%tempfilerrpathlibrtypingrrrhermes_constantsrrNrtools.interruptr getLoggerrrQr3rr.r9rErXr^Lockrnrwryrrrrs   &&,3*   8 $!#&BB"D;: .."3tB'_B'r