import { createRequire } from "node:module";
import type { NetworkConfig } from "../network-config.js";
import type { NetworkPolicy } from "../policy/types.js";
import { msbPath } from "./resolve-binary.js";

// Resolve the bundled runtime binary once and push it into the Rust
// resolver's SDK tier. User-provided MSB_PATH still wins — Rust reads it
// natively as its highest-precedence tier — so we don't duplicate the
// env-var read here.
// NOTE(review): because MSB_PATH outranks the bundled path, the process
// environment decides which runtime binary is used. Presumably callers that
// launch this SDK from a less-trusted parent should set or clear MSB_PATH
// deliberately — confirm against the Rust resolver.
const resolvedMsbPath = msbPath();
const require = createRequire(import.meta.url);
// The `as NativeBindings` cast is compile-time only: nothing here checks at
// runtime that the loaded addon actually exposes the declared members, so a
// stale or mismatched native build surfaces later, at the first call.
// eslint-disable-next-line @typescript-eslint/no-require-imports
const native = require("../../native/index.cjs") as NativeBindings;
// `setRuntimeMsbPath` is optional on NativeBindings; when the addon lacks it
// the optional call is a silent no-op and the bundled path is not pushed.
if (resolvedMsbPath) native.setRuntimeMsbPath?.(resolvedMsbPath);

export const napi = native;

// The native binding's true types are emitted into native/index.d.ts. We
// declare a hand-rolled subset of what the TS layer actually calls so we
// can keep the FFI boundary cleanly typed without introducing a circular
// dependency on the generated d.ts.
// NOTE(review): generic type arguments (on `Promise`, `Record`,
// `AsyncIterable`, `NapiBuilderCtor`) appear to be missing throughout this
// listing — likely lost in extraction. Restore them from native/index.d.ts
// rather than guessing; the declarations below are reproduced as found.

/** Hand-declared subset of the native addon's exports that the TS layer calls.
 * Members marked optional may be absent from the loaded addon, so callers
 * must use optional calls for them. */
export interface NativeBindings {
  readonly setRuntimeMsbPath?: (path: string) => void;
  // `apiKey` crosses the FFI boundary as a plain string — presumably a
  // credential; keep these arguments out of logs and error messages.
  readonly setDefaultBackend?: (
    kind: string,
    url?: string,
    apiKey?: string,
    profile?: string,
  ) => void;
  // Returns a numeric token that `popDefaultBackend` accepts.
  readonly pushDefaultBackend?: (
    kind: string,
    url?: string,
    apiKey?: string,
    profile?: string,
  ) => number;
  readonly popDefaultBackend?: (token: number) => void;
  readonly defaultBackendKind?: () => "local" | "cloud";
  readonly Sandbox: NapiSandboxStatic;
  readonly SandboxBuilder: NapiSandboxBuilderCtor;
  readonly Volume: NapiVolumeStatic;
  readonly VolumeBuilder: NapiVolumeBuilderCtor;
  readonly Snapshot: NapiSnapshotStatic;
  readonly SnapshotBuilder: NapiSnapshotBuilderCtor;
  readonly ExecOptionsBuilder: NapiExecOptionsBuilderCtor;
  readonly InitOptionsBuilder: NapiInitOptionsBuilderCtor;
  readonly AttachOptionsBuilder: NapiAttachOptionsBuilderCtor;
  readonly DnsBuilder: NapiBuilderCtor;
  readonly TlsBuilder: NapiBuilderCtor;
  readonly SecretBuilder: NapiBuilderCtor;
  readonly ViolationActionBuilder: NapiBuilderCtor;
  readonly NetworkBuilder: NapiBuilderCtor;
  readonly NetworkPolicyBuilder: NapiBuilderCtor;
  readonly RuleBuilder: NapiBuilderCtor;
  readonly RuleDestinationBuilder: NapiBuilderCtor;
  readonly InterfaceOverridesBuilder: NapiBuilderCtor;
  readonly PullProgressStream: { prototype: NapiPullProgressStream };
  readonly PullProgressCreate: { prototype: NapiPullProgressCreate };
  readonly MountBuilder: new (guestPath: string) => NapiMountBuilder;
  readonly PatchBuilder: NapiBuilderCtor;
  readonly RegistryConfigBuilder: NapiBuilderCtor;
  readonly ImageBuilder: NapiBuilderCtor;
  readonly Setup: new () => NapiSetup;
  readonly imageGet: (reference: string) => Promise;
  readonly imageList: () => Promise;
  readonly imageInspect: (reference: string) => Promise;
  readonly imageRemove: (reference: string, force?: boolean) => Promise;
  readonly imagePrune: () => Promise;
  readonly install: () => Promise;
  readonly isInstalled: () => boolean;
  readonly allSandboxMetrics: () => Promise>;
  readonly AgentClient: NapiAgentClientStatic;
}

/** Static entry points of the native agent client: connect by sandbox name or
 * by an explicit path, and look up the socket path for a sandbox name. */
export interface NapiAgentClientStatic {
  connectSandbox(name: string, opts?: AgentConnectOptions): Promise;
  // NOTE(review): `path` is caller-supplied; presumably a local socket path
  // (cf. `socketPath`) — callers should not pass untrusted input here.
  connect(path: string, opts?: AgentConnectOptions): Promise;
  socketPath(name: string): string;
}

export interface AgentConnectOptions {
  timeoutMs?: number;
}

/** Raw frame exchanged with the agent: numeric id, flags and an opaque body. */
export interface NapiRawFrame {
  id: number;
  flags: number;
  body: Buffer;
}

export interface NapiStreamOpenResult {
  id: number;
  handle: bigint;
}

/** Connected agent client. Stream methods are keyed by the `bigint` handle
 * carried in `NapiStreamOpenResult`. */
export interface NapiAgentClient {
  request(flags: number, body: Buffer): Promise;
  streamOpen(flags: number, body: Buffer): Promise;
  streamNext(handle: bigint): Promise;
  streamClose(handle: bigint): Promise;
  send(id: number, flags: number, body: Buffer): Promise;
  readyBytes(): Buffer;
  close(): Promise;
}

export type NapiBuilderCtor = new () => T;

export type NapiSandboxConfig = Record;

export interface NapiSandboxListFilter {
  labels?: Record;
}

/** Static, name-addressed sandbox operations on the native `Sandbox` class. */
export interface NapiSandboxStatic {
  start(name: string): Promise;
  startDetached(name: string): Promise;
  get(name: string): Promise;
  list(): Promise;
  listWith(filter: NapiSandboxListFilter): Promise;
  remove(name: string): Promise;
}

export type NapiSandboxBuilderCtor = new (name: string) => NapiSandboxBuilder;

/** The auto-generated native SandboxBuilder class. Each setter mutates
 * in place and returns `this`; closure-callback sub-builders are typed
 * loosely as `(b: any) => any` here because their full type is the
 * generated one in `native/index.d.ts`. The TS public surface
 * (`Sandbox.builder(...)`) re-types this with the real shapes.
 *
 * Split intentionally into a setters-only base and a terminals
 * interface. The TS-side `SandboxBuilder` (in `src/sandbox.ts`)
 * extends the setters base directly so polymorphic `this` rebinds to
 * the wrapper type through chained calls — `Omit<...> & {...}` would
 * not preserve `this` correctly.
 *
 * Review note: the `any`-typed callbacks mean the compiler does not check
 * what is configured for `network`, `secret`, `registry`, `volume` or
 * `patch` at this layer; the typed wrapper is the place where those
 * security-relevant settings get checked.
 */
export interface NapiSandboxBuilderSetters {
  image(s: string): this;
  fromSnapshot(pathOrName: string): this;
  // eslint-disable-next-line @typescript-eslint/no-explicit-any
  imageWith(configure: (b: any) => any): this;
  cpus(n: number): this;
  memory(mib: number): this;
  logLevel(level: string): this;
  quietLogs(): this;
  detached(enabled: boolean): this;
  ephemeral(enabled: boolean): this;
  metricsSampleIntervalMs(ms: number): this;
  disableMetricsSample(): this;
  workdir(path: string): this;
  shell(shell: string): this;
  // Only two profile names are accepted by the type; what each profile
  // enforces is defined on the native side, not here.
  security(profile: "default" | "restricted"): this;
  // eslint-disable-next-line @typescript-eslint/no-explicit-any
  registry(configure: (b: any) => any): this;
  replace(): this;
  replaceWithTimeout(timeoutMs: number): this;
  entrypoint(cmd: string[]): this;
  init(cmd: string, args?: string[]): this;
  // eslint-disable-next-line @typescript-eslint/no-explicit-any
  initWith(cmd: string, configure: (b: any) => any): this;
  hostname(name: string): this;
  // NOTE(review): takes a caller-supplied path to what is presumably a
  // firmware/library file loaded by the runtime — treat as trusted input only.
  libkrunfwPath(path: string): this;
  user(user: string): this;
  pullPolicy(policy: string): this;
  disableNetwork(): this;
  // eslint-disable-next-line @typescript-eslint/no-explicit-any
  network(configure: (b: any) => any): this;
  port(host: number, guest: number): this;
  // `bind` is a free-form string here; presumably the host address to
  // listen on — confirm the native default when it is not given.
  portBind(bind: string, host: number, guest: number): this;
  portUdp(host: number, guest: number): this;
  portUdpBind(bind: string, host: number, guest: number): this;
  // eslint-disable-next-line @typescript-eslint/no-explicit-any
  secret(configure: (b: any) => any): this;
  // Secret value is passed as a plain string together with a single
  // allowed host; keep the value out of logs and serialized configs.
  secretEnv(envVar: string, value: string, allowedHost: string): this;
  env(key: string, value: string): this;
  envs(vars: Record): this;
  label(key: string, value: string): this;
  labels(labels: Record): this;
  rlimit(resource: string, limit: number): this;
  rlimitRange(resource: string, soft: number, hard: number): this;
  script(name: string, content: string): this;
  scripts(scripts: Record): this;
  maxDuration(secs: number): this;
  idleTimeout(secs: number): this;
  // eslint-disable-next-line @typescript-eslint/no-explicit-any
  volume(guest: string, configure: (b: any) => any): this;
  // eslint-disable-next-line @typescript-eslint/no-explicit-any
  patch(configure: (b: any) => any): this;
  build(): Promise;
}

/** Terminal operations of the native sandbox builder, layered on the setters. */
export interface NapiSandboxBuilder extends NapiSandboxBuilderSetters {
  create(): Promise;
  createWithPullProgress(): Promise;
}

/** Live sandbox: command execution, filesystem access, SSH, metrics,
 * attach, lifecycle control and log retrieval. */
export interface NapiSandbox {
  configJson(): Promise;
  // `cmd` and `args` are passed as separate values; `shell(script)` below
  // takes a whole script string instead, so untrusted text belongs in
  // `args`, not in a script built by concatenation.
  exec(cmd: string, args?: string[]): Promise;
  execWithBuilder(cmd: string, builder: NapiExecOptionsBuilder): Promise;
  execStream(cmd: string, args?: string[]): Promise;
  execStreamWithBuilder(cmd: string, builder: NapiExecOptionsBuilder): Promise;
  shell(script: string): Promise;
  shellStream(script: string): Promise;
  fs(): NapiSandboxFsOps;
  sshConnect(opts?: NapiSshClientOptions): Promise;
  sshServer(opts?: NapiSshServerOptions): Promise;
  metrics(): Promise;
  metricsStream(intervalMs: number): Promise;
  attach(cmd: string, args?: string[]): Promise;
  attachWithBuilder(cmd: string, builder: NapiAttachOptionsBuilder): Promise;
  attachShell(): Promise;
  stop(): Promise;
  requestStop(): Promise;
  stopWithTimeout(timeoutMs: number): Promise;
  kill(): Promise;
  requestKill(): Promise;
  killWithTimeout(timeoutMs: number): Promise;
  requestDrain(): Promise;
  waitUntilStopped(): Promise;
  detach(): Promise;
  logs(opts?: LogOptions): Promise;
  logStream(opts?: LogStreamOptions): Promise;
}

/** Handle to a sandbox record: read-only metadata plus lifecycle, log and
 * snapshot operations. */
export interface NapiSandboxHandle {
  readonly name: string;
  readonly status: string;
  // NOTE(review): serialized config; may carry env/secret settings from the
  // builder — confirm before logging or returning it to callers.
  readonly configJson: string;
  readonly createdAt: number | null;
  readonly updatedAt: number | null;
  refresh(): Promise;
  metrics(): Promise;
  start(): Promise;
  startDetached(): Promise;
  connect(): Promise;
  connectWithTimeout(timeoutMs: number): Promise;
  stop(): Promise;
  requestStop(): Promise;
  stopWithTimeout(timeoutMs: number): Promise;
  kill(): Promise;
  requestKill(): Promise;
  killWithTimeout(timeoutMs: number): Promise;
  requestDrain(): Promise;
  waitUntilStopped(): Promise;
  remove(): Promise;
  logs(opts?: LogOptions): Promise;
  logStream(opts?: LogStreamOptions): Promise;
  snapshot(name: string): Promise;
  snapshotTo(path: string): Promise;
}

/** Outcome of a stop: exit code and signal are each nullable. */
export interface NapiSandboxStopResult {
  readonly name: string;
  readonly status: string;
  readonly exitCode: number | null;
  readonly signal: number | null;
  readonly observedAt: number;
  readonly source: string | null;
}

/** Native shape returned by `Sandbox.logs()` / `SandboxHandle.logs()`.
 * `data` is a raw `Buffer` produced inside the sandbox, i.e. untrusted bytes:
 * decode and escape before showing it in a terminal or web UI. */
export interface LogEntry {
  readonly timestampMs: number;
  readonly source: string;
  readonly sessionId: number | null;
  readonly data: Buffer;
  readonly cursor: string;
}

/** Native filter object accepted by `logs()`. */
export interface LogOptions {
  tail?: number;
  sinceMs?: number;
  untilMs?: number;
  sources?: string[];
}

/** Native option object accepted by `logStream()`. */
export interface LogStreamOptions {
  sources?: string[];
  sinceMs?: number;
  fromCursor?: string;
  untilMs?: number;
  follow?: boolean;
}

/** Native stream returned by `logStream()`. */
export interface NapiLogStream extends AsyncIterable {
  recv(): Promise;
}

/** Result of an SSH command: numeric status plus raw stdout/stderr bytes. */
export interface NapiSshOutput {
  readonly status: number;
  readonly stdout: Buffer;
  readonly stderr: Buffer;
}

export interface NapiSshClientOptions {
  user?: string;
  term?: string;
  sftp?: boolean;
}

export interface NapiSshExecOptions {
  tty?: boolean;
}

export interface NapiSshAttachOptions {
  term?: string;
  detachKeys?: string;
}

/** Options for the in-sandbox SSH server.
 * NOTE(review): `hostKeyPath` presumably points at private host-key material
 * and `authorizedKeysPath` at the list of keys allowed to log in — both are
 * access-control inputs; confirm what the native side does when omitted. */
export interface NapiSshServerOptions {
  hostKeyPath?: string;
  authorizedKeysPath?: string;
  user?: string;
  sftp?: boolean;
}

export interface NapiSshClient {
  exec(command: string, opts?: NapiSshExecOptions): Promise;
  attach(opts?: NapiSshAttachOptions): Promise;
  sftp(): Promise;
  close(): Promise;
}

/** SFTP file operations; every path argument is a caller-supplied string. */
export interface NapiSftpClient {
  read(path: string): Promise;
  write(path: string, data: Buffer): Promise;
  mkdir(path: string): Promise;
  removeFile(path: string): Promise;
  removeDir(path: string): Promise;
  rename(oldPath: string, newPath: string): Promise;
  realPath(path: string): Promise;
  readLink(path: string): Promise;
  symlink(target: string, linkPath: string): Promise;
  close(): Promise;
}

export interface NapiSshServer {
  serveConnection(): Promise;
  close(): Promise;
}

export interface NapiVolumeStatic {
  get(name: string): Promise;
  list(): Promise;
  remove(name: string): Promise;
}

export type NapiVolumeBuilderCtor = new (name: string) => NapiVolumeBuilder;

// Same setters/terminal split as `NapiSandboxBuilder` — see comment
// there for why.
export interface NapiVolumeBuilderSetters {
  directory(): this;
  disk(): this;
  quota(mib: number): this;
  size(mib: number): this;
  label(key: string, value: string): this;
  build(): NapiVolumeConfig;
}

export interface NapiVolumeBuilder extends NapiVolumeBuilderSetters {
  create(): Promise;
}

export interface NapiVolume {
  readonly name: string;
  readonly path: string;
  fs(): NapiVolumeFs;
}

export interface NapiVolumeConfig {
  readonly name: string;
  readonly kind: string;
  readonly quotaMib?: number | null;
  readonly capacityMib?: number | null;
  readonly labels: Record;
}

export interface NapiVolumeHandle {
  readonly name: string;
  readonly kind: string;
  readonly quotaMib: number | null | undefined;
  readonly usedBytes: number;
  readonly capacityBytes: number | null | undefined;
  readonly diskFormat: string | null | undefined;
  readonly diskFstype: string | null | undefined;
  readonly labels: Record;
  readonly createdAt: number | null | undefined;
  fs(): NapiVolumeFs;
  remove(): Promise;
}

/** File operations on a volume.
 * NOTE(review): paths are plain strings; whether the native side confines
 * them to the volume root (e.g. against `..` segments or symlinks) is not
 * visible here — confirm before passing untrusted paths. */
export interface NapiVolumeFs {
  read(path: string): Promise;
  readString(path: string): Promise;
  readStream(path: string): Promise;
  write(path: string, data: Buffer): Promise;
  writeStream(path: string): Promise;
  list(path: string): Promise;
  mkdir(path: string): Promise;
  removeDir(path: string): Promise;
  remove(path: string): Promise;
  copy(from: string, to: string): Promise;
  rename(from: string, to: string): Promise;
  stat(path: string): Promise;
  exists(path: string): Promise;
}

export interface NapiVolumeFsReadStream extends AsyncIterable {
  recv(): Promise;
}

export interface NapiVolumeFsWriteSink {
  write(data: Buffer): Promise;
  close(): Promise;
}

export interface NapiVolumeInfo {
  readonly name: string;
  readonly kind: string;
  readonly quotaMib: number | null | undefined;
  readonly usedBytes: number;
  readonly capacityBytes: number | null | undefined;
  readonly diskFormat: string | null | undefined;
  readonly diskFstype: string | null | undefined;
  readonly labels: Record;
  readonly createdAt: number | null | undefined;
}

//-----------------------------------------------------------------------------
// Snapshot
//-----------------------------------------------------------------------------

/** Static snapshot operations: open/get/list, removal, re-indexing and
 * export/import of archives. */
export interface NapiSnapshotStatic {
  open(pathOrName: string): Promise;
  get(nameOrDigest: string): Promise;
  list(): Promise;
  listDir(dir: string): Promise;
  remove(pathOrName: string, opts?: NapiSnapshotRemoveOptions): Promise;
  reindex(dir?: string): Promise;
  export(name: string, out: string, opts?: NapiExportOpts): Promise;
  // NOTE(review): imports an archive from a caller-supplied path; treat
  // archives from other parties as untrusted and check the result with
  // `NapiSnapshot.verify()` where integrity was recorded.
  import(archive: string, dest?: string): Promise;
}

export type NapiSnapshotBuilderCtor = new (sourceSandbox: string) => NapiSnapshotBuilder;

export interface NapiSnapshotBuilderSetters {
  name(name: string): this;
  path(path: string): this;
  label(key: string, value: string): this;
  force(): this;
  // Opt-in setter; see `NapiSnapshotVerifyReport.upperKind`, which can
  // report "notRecorded".
  recordIntegrity(): this;
}

export interface NapiSnapshotBuilder extends NapiSnapshotBuilderSetters {
  create(): Promise;
}

export interface NapiSnapshot {
  readonly path: string;
  readonly digest: string;
  readonly sizeBytes: bigint;
  readonly imageRef: string;
  readonly imageManifestDigest: string;
  readonly format: string; // "raw" | "qcow2"
  readonly fstype: string;
  readonly parent: string | null | undefined;
  readonly createdAt: string; // RFC 3339 UTC
  readonly labels: Record;
  readonly sourceSandbox: string | null | undefined;
  verify(): Promise;
}

// Note the differing `sizeBytes` types: `bigint` here, `number` on
// `NapiSnapshotInfo` below.
export interface NapiSnapshotHandle {
  readonly digest: string;
  readonly name: string | null | undefined;
  readonly parentDigest: string | null | undefined;
  readonly imageRef: string;
  readonly format: string;
  readonly sizeBytes: bigint | null | undefined;
  readonly createdAt: number;
  readonly path: string;
  open(): Promise;
  remove(opts?: NapiSnapshotRemoveOptions): Promise;
}

export interface NapiSnapshotInfo {
  readonly digest: string;
  readonly name: string | null | undefined;
  readonly parentDigest: string | null | undefined;
  readonly imageRef: string;
  readonly format: string;
  readonly sizeBytes: number | null | undefined;
  readonly createdAt: number;
  readonly path: string;
}

export interface NapiExportOpts {
  withParents?: boolean;
  withImage?: boolean;
  plainTar?: boolean;
}

export interface NapiSnapshotRemoveOptions {
  force?: boolean;
}

/** Result of `NapiSnapshot.verify()`. `upperKind` is typed as `string`, so
 * callers must compare it explicitly: "notRecorded" means no integrity data
 * was available, which is not the same as a successful verification. */
export interface NapiSnapshotVerifyReport {
  readonly digest: string;
  readonly path: string;
  readonly upperKind: string; // "notRecorded" | "verified"
  readonly upperAlgorithm: string | null | undefined;
  readonly upperDigest: string | null | undefined;
}

export interface NapiImageHandle {
  readonly reference: string;
  readonly sizeBytes: number | null | undefined;
  readonly manifestDigest: string | null | undefined;
  readonly architecture: string | null | undefined;
  readonly os: string | null | undefined;
  readonly layerCount: number;
  readonly lastUsedAt: number | null | undefined;
  readonly createdAt: number | null | undefined;
}

export interface NapiImageInfo {
  readonly reference: string;
  readonly manifestDigest: string | null | undefined;
  readonly architecture: string | null | undefined;
  readonly os: string | null | undefined;
  readonly layerCount: number;
  readonly sizeBytes: number | null | undefined;
  readonly createdAt: number | null | undefined;
  readonly lastUsedAt: number | null | undefined;
}

/** Image configuration as reported by the native side. These values come
 * from the image itself (env, cmd, entrypoint, user, labels), so treat them
 * as image-author-controlled data. */
export interface NapiImageConfigDetail {
  readonly digest: string;
  readonly env: string[];
  readonly cmd: string[] | null | undefined;
  readonly entrypoint: string[] | null | undefined;
  readonly workingDir: string | null | undefined;
  readonly user: string | null | undefined;
  readonly labelsJson: string | null | undefined;
  readonly stopSignal: string | null | undefined;
}

export interface NapiImageLayerDetail {
  readonly diffId: string;
  readonly blobDigest: string;
  readonly mediaType: string | null | undefined;
  readonly compressedSizeBytes: number | null | undefined;
  readonly erofsSizeBytes: number | null | undefined;
  readonly position: number;
}

export interface NapiImageDetail extends NapiImageInfo {
  readonly config: NapiImageConfigDetail | null | undefined;
  readonly layers: NapiImageLayerDetail[];
}

export interface NapiImagePruneReport {
  readonly imageRefsRemoved: number;
  readonly manifestsRemoved: number;
  readonly layersRemoved: number;
  readonly fsmetaRemoved: number;
  readonly vmdkRemoved: number;
  readonly bytesReclaimed: number | null | undefined;
}

/** Installer configuration. Unlike the other builders, setters here are typed
 * to return `NapiSetup` rather than `this`. */
export interface NapiSetup {
  baseDir(path: string): NapiSetup;
  version(version: string): NapiSetup;
  // NOTE(review): the name suggests this turns off a verification step of the
  // install; what is verified (checksum, signature) is not visible here —
  // confirm, and keep it disabled only for deliberate, documented cases.
  skipVerify(enabled: boolean): NapiSetup;
  force(enabled: boolean): NapiSetup;
  install(): Promise;
}

/** Handle to a running command: event iteration, stdin access, wait/collect
 * and signalling. */
export interface NapiExecHandle extends AsyncIterable {
  readonly id: Promise;
  recv(): Promise;
  takeStdin(): Promise;
  wait(): Promise;
  collect(): Promise;
  signal(signal: number): Promise;
  kill(): Promise;
}

/** Collected command output. stdout/stderr originate inside the sandbox and
 * should be handled as untrusted data by the host application. */
export interface NapiExecOutput {
  readonly code: number;
  readonly success: boolean;
  stdout(): string;
  stderr(): string;
  stdoutBytes(): Buffer;
  stderrBytes(): Buffer;
  status(): NapiExitStatus;
}

export interface NapiExecSink {
  write(data: Buffer): Promise;
  close(): Promise;
}

// `pid`, `data` and `code` are all optional; which ones accompany each
// `eventType` is not encoded in this type, so narrow on `eventType` first.
export interface NapiExecEvent {
  readonly eventType: "started" | "stdout" | "stderr" | "exited";
  readonly pid?: number;
  readonly data?: Buffer;
  readonly code?: number;
}

export interface NapiExitStatus {
  readonly code: number;
  readonly success: boolean;
}

/** Filesystem operations on a sandbox, including two that cross the
 * host/guest boundary. */
export interface NapiSandboxFsOps {
  read(path: string): Promise;
  readString(path: string): Promise;
  write(path: string, data: Buffer): Promise;
  list(path: string): Promise;
  mkdir(path: string): Promise;
  removeDir(path: string): Promise;
  remove(path: string): Promise;
  copy(from: string, to: string): Promise;
  rename(from: string, to: string): Promise;
  stat(path: string): Promise;
  exists(path: string): Promise;
  // These two take a host path. NOTE(review): any restriction on which host
  // locations may be read or written is not visible at this layer — callers
  // should validate `hostPath` themselves when it derives from user input.
  copyFromHost(hostPath: string, guestPath: string): Promise;
  copyToHost(guestPath: string, hostPath: string): Promise;
  readStream(path: string): Promise;
  writeStream(path: string): Promise;
}

export interface NapiFsReadStream extends AsyncIterable {
  recv(): Promise;
}

export interface NapiFsWriteSink {
  write(data: Buffer): Promise;
  close(): Promise;
}

export interface NapiFsEntry {
  readonly path: string;
  readonly kind: string;
  readonly size: number;
  readonly mode: number;
  readonly modified?: number;
}

export interface NapiFsMetadata {
  readonly kind: string;
  readonly size: number;
  readonly mode: number;
  readonly readonly: boolean;
  readonly modified?: number;
  readonly created?: number;
}

/** Point-in-time resource metrics for one sandbox; optional fields may be
 * absent from a sample. */
export interface NapiSandboxMetrics {
  readonly cpuPercent: number;
  readonly vcpuTimeNs: number;
  readonly memoryBytes: number;
  readonly memoryAvailableBytes?: number;
  readonly memoryHostResidentBytes?: number;
  readonly memoryLimitBytes: number;
  readonly diskReadBytes: number;
  readonly diskWriteBytes: number;
  readonly netRxBytes: number;
  readonly netTxBytes: number;
  readonly upperUsedBytes?: number;
  readonly upperFreeBytes?: number;
  readonly upperHostAllocatedBytes?: number;
  readonly uptimeMs: number;
  readonly timestampMs: number;
}

export interface NapiMetricsStream extends AsyncIterable {
  recv(): Promise;
}

// Builder classes — opaque from the TS layer's POV. Setters return
// `this`. The full method shapes are in `native/index.d.ts`; we use
// loose typing here to keep this file decoupled from the generated d.ts.
// NOTE(review): generic type arguments (on `Promise`, `Record`,
// `AsyncIterable`) appear to be missing throughout this listing — likely lost
// in extraction. Restore them from native/index.d.ts rather than guessing;
// the declarations below are reproduced as found.

export type NapiExecOptionsBuilderCtor = new () => NapiExecOptionsBuilder;

/** Per-command execution options: arguments, working directory, user,
 * environment, timeout, stdin mode, TTY and resource limits. */
export interface NapiExecOptionsBuilder {
  arg(arg: string): this;
  args(args: string[]): this;
  cwd(cwd: string): this;
  user(user: string): this;
  env(key: string, value: string): this;
  envs(vars: Record): this;
  timeout(ms: number): this;
  stdinNull(): this;
  stdinPipe(): this;
  stdinBytes(data: Buffer): this;
  tty(enabled: boolean): this;
  rlimit(resource: string, limit: number): this;
  rlimitRange(resource: string, soft: number, hard: number): this;
}

export type NapiInitOptionsBuilderCtor = new () => NapiInitOptionsBuilder;

export interface NapiInitOptionsBuilder {
  arg(arg: string): this;
  args(args: string[]): this;
  env(key: string, value: string): this;
  envs(vars: Record): this;
}

export type NapiAttachOptionsBuilderCtor = new () => NapiAttachOptionsBuilder;

export interface NapiAttachOptionsBuilder {
  arg(arg: string): this;
  args(args: string[]): this;
  cwd(cwd: string): this;
  user(user: string): this;
  env(key: string, value: string): this;
  envs(vars: Record): this;
  detachKeys(spec: string): this;
  rlimit(resource: string, limit: number): this;
  rlimitRange(resource: string, soft: number, hard: number): this;
}

/** DNS settings for a sandbox network. */
export interface NapiDnsBuilder {
  // NOTE(review): presumably DNS-rebinding protection; the default when this
  // setter is not called is decided natively — confirm it is on.
  rebindProtection(enabled: boolean): this;
  nameservers(servers: string[]): this;
  queryTimeoutMs(ms: number): this;
  build(): NapiDnsConfig;
}

export interface NapiDnsConfig {
  readonly rebindProtection: boolean;
  readonly nameservers: string[];
  readonly queryTimeoutMs: number;
}

/** TLS interception settings.
 * NOTE(review): `verifyUpstream(false)` presumably disables certificate
 * checks towards the real server, and `bypass(pattern)` presumably exempts
 * matching hosts from interception — both widen what the sandbox can reach
 * unchecked; confirm semantics natively and review any use. */
export interface NapiTlsBuilder {
  bypass(pattern: string): this;
  verifyUpstream(verify: boolean): this;
  interceptedPorts(ports: number[]): this;
  blockQuic(block: boolean): this;
  upstreamCaCert(path: string): this;
  interceptCaCert(path: string): this;
  // Path to what is presumably the interception CA's private key; the file
  // it names should be readable only by the account running the runtime.
  interceptCaKey(path: string): this;
  build(): NapiTlsConfig;
}

export interface NapiTlsConfig {
  readonly enabled: boolean;
  readonly bypass: string[];
  readonly verifyUpstream: boolean;
  readonly interceptedPorts: number[];
  readonly blockQuic: boolean;
  readonly upstreamCaCertPaths: string[];
  readonly interceptCaCertPath: string | null;
  readonly interceptCaKeyPath: string | null;
}

/** Builder for one secret: the env var it is exposed under, its value and
 * placeholder, the hosts it may be sent to, and where it may be injected. */
export interface NapiSecretBuilder {
  env(varName: string): this;
  value(value: string): this;
  placeholder(placeholder: string): this;
  allowHost(host: string): this;
  allowHostPattern(pattern: string): this;
  // The `iUnderstand` parameter is an explicit acknowledgement flag.
  // NOTE(review): presumably this lifts the per-host allow-list entirely
  // (cf. `allowAnyHost` on NapiSecretEntry) — prefer `allowHost` /
  // `allowHostPattern` and flag any call to this in code review.
  allowAnyHostDangerous(iUnderstand: boolean): this;
  requireTlsIdentity(enabled: boolean): this;
  injectHeaders(enabled: boolean): this;
  injectBasicAuth(enabled: boolean): this;
  injectQuery(enabled: boolean): this;
  injectBody(enabled: boolean): this;
  onViolation(
    configure: (b: NapiViolationActionBuilder) => NapiViolationActionBuilder,
  ): this;
  build(): NapiSecretEntry;
}

/** Built secret entry. `value` is exposed as a plain `string`, so any code
 * holding this object can read it (presumably the real secret material);
 * do not log, serialize or persist entries of this type. */
export interface NapiSecretEntry {
  readonly envVar: string;
  readonly value: string;
  readonly placeholder: string;
  readonly allowedHosts: string[];
  readonly allowedHostPatterns: string[];
  readonly allowAnyHost: boolean;
  readonly requireTlsIdentity: boolean;
  readonly injection: NapiSecretInjection;
}

export interface NapiSecretInjection {
  readonly headers: boolean;
  readonly basicAuth: boolean;
  readonly queryParams: boolean;
  readonly body: boolean;
}

/** Network configuration builder: port publishing, policy, DNS, TLS,
 * secrets, interface overrides and connection limits. */
export interface NapiNetworkBuilder {
  enabled(enabled: boolean): this;
  port(host: number, guest: number): this;
  portBind(bind: string, host: number, guest: number): this;
  portUdp(host: number, guest: number): this;
  portUdpBind(bind: string, host: number, guest: number): this;
  policy(policy: NetworkPolicy | NapiNetworkPolicyBuilder): this;
  // Accepts the policy as a JSON string, so nothing is type-checked here;
  // validation, if any, happens on the native side.
  policyJson(json: string): this;
  policyFromBuilder(builder: NapiNetworkPolicyBuilder): this;
  dns(configure: (b: NapiDnsBuilder) => NapiDnsBuilder): this;
  tls(configure: (b: NapiTlsBuilder) => NapiTlsBuilder): this;
  secret(configure: (b: NapiSecretBuilder) => NapiSecretBuilder): this;
  secretEnv(envVar: string, value: string, placeholder: string, allowedHost: string): this;
  secretEnvSimple(envVar: string, value: string, allowedHost: string): this;
  interface(
    configure: (b: NapiInterfaceOverridesBuilder) => NapiInterfaceOverridesBuilder,
  ): this;
  onSecretViolation(
    configure: (b: NapiViolationActionBuilder) => NapiViolationActionBuilder,
  ): this;
  maxConnections(max: number): this;
  ipv4Pool(pool: string): this;
  ipv6Pool(pool: string): this;
  // NOTE(review): presumably makes the host's CA store trusted for the
  // sandbox's connections — confirm scope before enabling.
  trustHostCAs(enabled: boolean): this;
  build(): NetworkConfig;
}

export interface NapiInterfaceOverridesBuilder {
  mac(mac: string): this;
  mtu(mtu: number): this;
  ipv4(address: string): this;
  ipv6(address: string): this;
}

/** What to do when a secret would go to a host that is not allowed. The
 * `block*` setters take no arguments; the `passthrough*` setters name hosts
 * that are exempted. */
export interface NapiViolationActionBuilder {
  block(): this;
  blockAndLog(): this;
  blockAndTerminate(): this;
  passthroughHost(host: string): this;
  passthroughHostPattern(pattern: string): this;
  // Same acknowledgement-flag convention as `allowAnyHostDangerous`.
  // NOTE(review): presumably exempts every host from the violation action —
  // confirm, and treat any call as needing explicit review.
  passthroughAllHosts(iUnderstand: boolean): this;
}

// Only `kind` is required; every other field is optional, so which fields
// are present presumably depends on `kind` — check before reading them.
export interface NapiPullProgressEvent {
  readonly kind: string;
  readonly reference?: string;
  readonly manifestDigest?: string;
  readonly layerCount?: number;
  readonly totalDownloadBytes?: number;
  readonly layerIndex?: number;
  readonly digest?: string;
  readonly diffId?: string;
  readonly downloadedBytes?: number;
  readonly totalBytes?: number;
  readonly bytesRead?: number;
}

export interface NapiPullProgressStream extends AsyncIterable {
  recv(): Promise;
}

export interface NapiPullProgressCreate {
  readonly progress: NapiPullProgressStream;
  awaitSandbox(): Promise;
}

/** Network policy builder: default actions plus ordered rule callbacks.
 * `defaultEgress` / `defaultIngress` take the action as a free-form string,
 * so a typo is not caught by the compiler; `defaultAllow()` / `defaultDeny()`
 * avoid that. */
export interface NapiNetworkPolicyBuilder {
  defaultAllow(): this;
  defaultDeny(): this;
  defaultEgress(action: string): this;
  defaultIngress(action: string): this;
  rule(configure: (rb: NapiRuleBuilder) => NapiRuleBuilder): this;
  egress(configure: (rb: NapiRuleBuilder) => NapiRuleBuilder): this;
  ingress(configure: (rb: NapiRuleBuilder) => NapiRuleBuilder): this;
  any(configure: (rb: NapiRuleBuilder) => NapiRuleBuilder): this;
  build(): NapiBuiltNetworkPolicy;
}

/** Builder for a single rule: direction, protocol, ports and an allow/deny
 * choice per destination class or domain. The meaning of each destination
 * class (Public, Private, Meta, Host, Local, ...) is defined natively. */
export interface NapiRuleBuilder {
  egress(): this;
  ingress(): this;
  any(): this;
  tcp(): this;
  udp(): this;
  icmpv4(): this;
  icmpv6(): this;
  port(port: number): this;
  portRange(lo: number, hi: number): this;
  ports(ports: number[]): this;
  allowPublic(): this;
  denyPublic(): this;
  allowPrivate(): this;
  denyPrivate(): this;
  allowLoopback(): this;
  denyLoopback(): this;
  allowLinkLocal(): this;
  denyLinkLocal(): this;
  allowMeta(): this;
  denyMeta(): this;
  allowMulticast(): this;
  denyMulticast(): this;
  allowHost(): this;
  denyHost(): this;
  allowLocal(): this;
  denyLocal(): this;
  allowDomain(name: string): this;
  denyDomain(name: string): this;
  allowDomains(names: string[]): this;
  denyDomains(names: string[]): this;
  // Suffix matching is broader than exact-domain matching; how a suffix is
  // anchored (label boundary or raw string) is decided natively — confirm.
  allowDomainSuffix(suffix: string): this;
  denyDomainSuffix(suffix: string): this;
  allowDomainSuffixes(suffixes: string[]): this;
  denyDomainSuffixes(suffixes: string[]): this;
  allow(configure: (d: NapiRuleDestinationBuilder) => NapiRuleDestinationBuilder): this;
  deny(configure: (d: NapiRuleDestinationBuilder) => NapiRuleDestinationBuilder): this;
}

export interface NapiRuleDestinationBuilder {
  ip(ip: string): this;
  cidr(cidr: string): this;
  domain(domain: string): this;
  domainSuffix(suffix: string): this;
  group(group: string): this;
  any(): this;
}

/** Built policy as plain data: default actions and a read-only rule list. */
export interface NapiBuiltNetworkPolicy {
  readonly defaultEgress: string;
  readonly defaultIngress: string;
  readonly rules: readonly NapiBuiltNetworkPolicyRule[];
}

export interface NapiBuiltNetworkPolicyRule {
  readonly direction: string;
  readonly destination: NapiBuiltNetworkPolicyDestination;
  readonly protocols: readonly string[];
  readonly ports: readonly { readonly start: number; readonly end: number }[];
  readonly action: string;
}

export interface NapiBuiltNetworkPolicyDestination {
  readonly kind: string;
  readonly cidr?: string;
  readonly domain?: string;
  readonly suffix?: string;
  readonly group?: string;
}

/** Builder for one mount at a guest path: bind, named volume, tmpfs or disk,
 * plus mount flags. */
export interface NapiMountBuilder {
  // Takes a host path; a bind mount exposes that host location to the
  // guest, so pair it with `readonly()` unless writes are required.
  bind(host: string): this;
  named(name: string): this;
  namedWith(
    name: string,
    mode?: "existing" | "create" | "ensure-exists",
    kind?: "dir" | "directory" | "disk",
    sizeMib?: number,
    quotaMib?: number,
  ): this;
  tmpfs(): this;
  disk(host: string): this;
  format(format: string): this;
  fstype(fstype: string): this;
  // Hardening flags; each is opt-in (see the boolean fields on
  // NapiVolumeMount).
  readonly(): this;
  noexec(): this;
  nosuid(): this;
  nodev(): this;
  size(mib: number): this;
  statVirtualization(policy: string): this;
  hostPermissions(policy: string): this;
  build(): NapiVolumeMount;
}

export interface NapiVolumeMount {
  readonly kind: "bind" | "named" | "tmpfs" | "disk";
  readonly guest: string;
  readonly readonly: boolean;
  readonly noexec: boolean;
  readonly nosuid: boolean;
  readonly nodev: boolean;
  readonly host?: string;
  readonly name?: string;
  readonly sizeMib?: number;
  readonly format?: string;
  readonly fstype?: string;
  readonly statVirtualization?: string;
  readonly hostPermissions?: string;
}

/** Builder for filesystem patches (write, copy, symlink, mkdir, remove,
 * append). `mode` is a raw number; pass explicit, minimal permission bits
 * rather than relying on the native default. */
export interface NapiPatchBuilder {
  text(path: string, content: string, opts?: { mode?: number; replace?: boolean }): this;
  file(path: string, content: Buffer, opts?: { mode?: number; replace?: boolean }): this;
  copyFile(src: string, dst: string, opts?: { mode?: number; replace?: boolean }): this;
  copyDir(src: string, dst: string, opts?: { replace?: boolean }): this;
  symlink(target: string, link: string, opts?: { replace?: boolean }): this;
  mkdir(path: string, opts?: { mode?: number }): this;
  remove(path: string): this;
  append(path: string, content: string): this;
  build(): NapiBuiltPatch[];
}

export interface NapiBuiltPatch {
  readonly kind: string;
  readonly path?: string;
  readonly src?: string;
  readonly dst?: string;
  readonly target?: string;
  readonly link?: string;
  readonly content?: string;
  readonly contentBytes?: Buffer;
  readonly mode?: number;
  readonly replace?: boolean;
}

/** Registry access settings. */
export interface NapiRegistryConfigBuilder {
  // `password` is passed as a plain string inside the auth object; keep the
  // object out of logs and error reports.
  auth(auth: { kind: string; username?: string; password?: string }): this;
  // NOTE(review): presumably permits plain-HTTP or unverified-TLS registry
  // access — confirm, and prefer `caCerts` for private registries.
  insecure(): this;
  caCerts(pem: Buffer): this;
}

export interface NapiImageBuilder {
  oci(reference: string): this;
  upperSize(sizeMiB: number): this;
  disk(path: string): this;
  fstype(fstype: string): this;
}