§
    ãFj±  ã            	       ó^  — U d Z ddlZddlZddlZddlZddlZddlZddlZddlm	Z	 ddl
mZ ddlmZmZ ddlmZ  ej        e¦  «        Zg d¢Zdaee         ed<    ej        d	¦  «        Zd
ee         dz  dee         fd„Zdedz  deeef         fd„Zdeeef         fd„Z ej        d¦  «        Zdedefd„Z defd„Z!ddddœde"dedz  dedz  de"fd„Z#dedefd„Z$dee         fd„Z%g d¢Z&g d¢Z'de(dee         fd „Z)dee         fd!„Z*da+ee(         ed"<   d&d#„Z, G d$„ d%e¦  «        Z-dS )'zçDocker execution environment for sandboxed command execution.

Security hardened (cap-drop ALL, no-new-privileges, PID limits),
configurable resource limits (CPU, memory, disk), and optional filesystem
persistence via bind mounts.
é    N)ÚPath)ÚOptional)ÚBaseEnvironmentÚ_popen_bash)Ú_HERMES_PROVIDER_ENV_BLOCKLIST)z/usr/local/bin/dockerz/opt/homebrew/bin/dockerz6/Applications/Docker.app/Contents/Resources/bin/dockerÚ_docker_executablez^[A-Za-z_][A-Za-z0-9_]*$Úforward_envÚreturnc                 óŽ  — g }t          ¦   «         }| pg D ]¯}t          |t          ¦  «        st                               d|¦  «         Œ3|                     ¦   «         }|sŒJt                               |¦  «        st                               d|¦  «         Œ€||v rŒ…|                     |¦  «         | 	                    |¦  «         Œ°|S )z?Return a deduplicated list of valid environment variable names.z0Ignoring non-string docker_forward_env entry: %rz-Ignoring invalid docker_forward_env entry: %r)
ÚsetÚ
isinstanceÚstrÚloggerÚwarningÚstripÚ_ENV_VAR_NAME_REÚmatchÚaddÚappend)r	   Ú
normalizedÚseenÚitemÚkeys        ú8/usr/local/lib/hermes-agent/tools/environments/docker.pyÚ_normalize_forward_env_namesr   %   sÌ   € à€JÝ‘U”U€DàÐ!˜rð ð ˆÝ˜$¥Ñ$Ô$ð 	ÝNŠNÐMÈtÑTÔTÐTØàjŠj‰lŒlˆØð 	ØÝ×%Ò% cÑ*Ô*ð 	ÝNŠNÐJÈDÑQÔQÐQØØ$ˆ;ˆ;ØàŠ‰ŒˆØ×Ò˜#ÑÔÐÐàÐó    Úenvc                 ó^  — | si S t          | t          ¦  «        st                               d| ¦  «         i S i }|                      ¦   «         D ]ß\  }}t          |t
          ¦  «        r,t                               |                     ¦   «         ¦  «        st                               d|¦  «         Œb|                     ¦   «         }t          |t
          ¦  «        sOt          |t          t          t          f¦  «        rt          |¦  «        }nt                               d||¦  «         ŒÚ|||<   Œà|S )z‡Validate and normalize a docker_env dict to {str: str}.

    Filters out entries with invalid variable names or non-string values.
    zdocker_env is not a dict: %rz#Ignoring invalid docker_env key: %rz/Ignoring non-string docker_env value for %r: %r)r   Údictr   r   Úitemsr   r   r   r   ÚintÚfloatÚbool)r   r   r   Úvalues       r   Ú_normalize_env_dictr%   >   s  € ð
 ð Øˆ	Ýc4Ñ Ô ð ÝŠÐ5°sÑ;Ô;Ð;Øˆ	à!#€JØ—i’i‘k”kð  ð  ‰
ˆˆUÝ˜#sÑ#Ô#ð 	Õ+;×+AÒ+AÀ#Ç)Â)Á+Ä+Ñ+NÔ+Nð 	ÝNŠNÐ@À#ÑFÔFÐFØØiŠi‰kŒkˆÝ˜%¥Ñ%Ô%ð 	õ ˜%¥#¥u­dÐ!3Ñ4Ô4ð Ý˜E™
œ
å—’ÐPÐRUÐW\Ñ]Ô]Ð]ØØˆ
3‰ˆàÐr   c                  óL   — 	 ddl m}   | ¦   «         pi S # t          $ r i cY S w xY w)zDLoad ~/.hermes/.env values without failing Docker command execution.r   ©Úload_env)Úhermes_cli.configr(   Ú	Exceptionr'   s    r   Ú_load_hermes_env_varsr+   \   sN   € ðØ.Ð.Ð.Ð.Ð.Ð.àˆx‰zŒzÐ˜RÐøÝð ð ð Øˆ	ˆ	ˆ	ðøøøs   ‚ ”#¢#z[^A-Za-z0-9_.-]r$   c                 ó†   — t          | t          ¦  «        r| sdS t                               d| ¦  «        }|dd…         pd}|S )u  Coerce *value* into a Docker label-safe form (alnum + ``_.-``, â‰¤63 chars).

    Empty or all-invalid inputs collapse to ``"unknown"`` so the resulting
    label is always queryable. Used at container-create time; never round-trip
    a sanitized value back into application logic.
    ÚunknownÚ_Né?   )r   r   Ú_LABEL_VALUE_OK_REÚsub)r$   Úcleaneds     r   Ú_sanitize_label_valuer3   l   sN   € õ eSÑ!Ô!ð ¨ð ØˆyÝ ×$Ò$ S¨%Ñ0Ô0€GØcrcŒlÐ'˜i€GØ€Nr   c                  óJ   — 	 ddl m}   | ¦   «         pdS # t          $ r Y dS w xY w)a   Return the active Hermes profile name, or ``"default"`` on any error.

    Resolved at container-create time so a single container is permanently
    tagged with the profile that created it. Profile switches inside the
    same process don't retroactively relabel running containers.
    r   ©Úget_active_profile_nameÚdefault)Úhermes_cli.profilesr6   r*   r5   s    r   Ú_get_active_profile_namer9   z   sO   € ðØ?Ð?Ð?Ð?Ð?Ð?à&Ð&Ñ(Ô(Ð5¨IÐ5øÝð ð ð Øˆyˆyðøøøs   ‚ ”
"¡"iX  )Úmax_age_secondsÚprofile_filterÚ
docker_exer:   r;   r<   c                 ó¨  — |pt          ¦   «         pd}g d¢}|r'|                     ddt          |¦  «        › g¦  «         	 t          j        |ddg|¢d‘d‘d	d	d
d¬¦  «        }n?# t          j        t          f$ r&}t                               d|¦  «         Y d}~dS d}~ww xY w|j	        dk    r:t                               d|j	        |j
                             ¦   «         ¦  «         dS d„ |j                             ¦   «         D ¦   «         }|sdS ddl}|j                             |j        j        ¦  «        }	d}
|D ]}t%          ||¦  «        }|€Œ|	|z
                       ¦   «         }|| k     rŒ4	 t          j        |dd|gd	d	d¬¦  «        }|j	        dk    r7|
dz  }
t                               d|dd…         t+          |¦  «        ¦  «         n;t                               d|dd…         |j
                             ¦   «         ¦  «         ŒÏ# t          j        t          f$ r/}t                               d|dd…         |¦  «         Y d}~Œd}~ww xY w|
S )u{  Remove stale hermes-tagged containers left behind by prior processes.

    Targets containers that match all of:

    * ``label=hermes-agent=1`` (created by this codebase)
    * ``status=exited`` (running containers are NEVER reaped â€” they may
      belong to a sibling Hermes process whose reuse path will pick them
      up; killing them would crash the sibling mid-command)
    * (optional) ``label=hermes-profile=<profile_filter>`` (sweep only the
      caller's profile by default; a hermes process in profile A must not
      tear down profile B's containers)
    * ``State.FinishedAt`` older than *max_age_seconds* ago (so a sibling
      process that just exited and is about to be replaced doesn't get
      its container yanked out from under it)

    Returns the number of containers removed. Best-effort: any failure
    (docker daemon unreachable, slow inspect, parse error) is logged at
    debug level and the function returns whatever it managed before the
    failure. Safe to call repeatedly; idempotent.

    Issue #20561 â€” this is the safety net for SIGKILL / OOM / crashed
    terminal exits that bypass the ``atexit`` cleanup hook. Without it,
    even with the cleanup-fix in the prior commit, a hard-killed Hermes
    process leaves its container behind permanently because there's no
    subsequent Hermes process scheduled to reuse that exact (task, profile)
    pair.
    Údocker)ú--filterúlabel=hermes-agent=1r?   zstatus=exitedr?   úlabel=hermes-profile=Úpsú-aú--formatz{{.ID}}Té   F©Úcapture_outputÚtextÚtimeoutÚcheckz"orphan reaper docker ps failed: %sNr   z'orphan reaper docker ps returned %d: %sc                 ó^   — g | ]*}|                      ¦   «         ¯|                      ¦   «         ‘Œ+S © ©r   ©Ú.0Úlns     r   ú
<listcomp>z*reap_orphan_containers.<locals>.<listcomp>¾   s-   € ÐTÐTÐT BÈÏÊÉÌÐTR—X’X‘Z”ZÐTÐTÐTr   Úrmú-fé   ©rG   rH   rI   é   z2Reaped orphan container %s (exited %d seconds ago)é   údocker rm -f %s failed: %sz%orphan reaper docker rm %s failed: %s)Úfind_dockerÚextendr3   Ú
subprocessÚrunÚTimeoutExpiredÚOSErrorr   ÚdebugÚ
returncodeÚstderrr   ÚstdoutÚ
splitlinesÚdatetimeÚnowÚtimezoneÚutcÚ_container_finished_atÚtotal_secondsÚinfor!   )r:   r;   r<   r>   ÚfiltersÚlistingÚeÚcandidate_idsrd   re   ÚremovedÚcidÚfinished_atÚageÚresults                  r   Úreap_orphan_containersrt   ‰   sÝ  € ðB Ð4;™=œ=Ð4¨H€FØOÐOÐO€GØð fØŠ˜
Ð$cÕ<QÐR`Ñ<aÔ<aÐ$cÐ$cÐdÑeÔeÐeðÝ”.ØT˜4ÐA 'ÐA¨:ÐA°yÐAØ d°B¸eð
ñ 
ô 
ˆˆøõ Ô%¥wÐ/ð ð ð ÝŠÐ9¸1Ñ=Ô=Ð=Øˆqˆqˆqˆqˆqøøøøðøøøð Ô˜QÒÐÝŠØ5ØÔ ¤× 4Ò 4Ñ 6Ô 6ñ	
ô 	
ð 	
ð ˆqàTÐT¨'¬.×*CÒ*CÑ*EÔ*EÐTÑTÔT€MØð Øˆqð
 €O€O€OØ
Ô
×
Ò
 Ô 1Ô 5Ñ
6Ô
6€CØ€GØð Oñ OˆÝ,¨V°SÑ9Ô9ˆØÐàØ[Ñ ×/Ò/Ñ1Ô1ˆØÒ Ð Øð	OÝ”^Ø˜˜t SÐ)Ø#¨$¸ðñ ô ˆFð Ô  AÒ%Ð%Ø˜1‘Ý—’ØHØ˜˜˜”Hc #™hœhñô ð ð õ
 —’Ø0Ø˜˜˜”H˜fœm×1Ò1Ñ3Ô3ñô ð øøõ Ô)­7Ð3ð 	Oð 	Oð 	OÝLŠLÐ@À#ÀcÀrÀcÄ(ÈAÑNÔNÐNÐNÐNÐNÐNÑNøøøøð	Oøøøà€Ns1   Á"A$ Á$B Á:BÂB Å0BH
È
IÈ $I
É
IÚcontainer_idc                 ój  — 	 t          j        | ddd|gdddd¬¦  «        }nH# t           j        t          f$ r/}t                               d|d	d
…         |¦  «         Y d	}~d	S d	}~ww xY w|j        dk    rd	S |j                             ¦   «         }|r| 	                    d¦  «        rd	S dd	l
}|                     dd|¦  «        }|                     dd¦  «        }	 dd	l}|j                             |¦  «        S # t          $ r0}t                               d||d	d
…         |¦  «         Y d	}~d	S d	}~ww xY w)u@  Parse ``docker inspect`` FinishedAt for *container_id*.

    Returns a timezone-aware datetime, or ``None`` if the field is missing,
    unparseable, or the zero-value ``0001-01-01T00:00:00Z`` Docker emits
    for never-finished containers. ``None`` means "don't reap" â€” the caller
    leaves the container alone.
    ÚinspectrD   z{{.State.FinishedAt}}Té
   FrF   z*orphan reaper docker inspect %s failed: %sNrW   r   z
0001-01-01z(\.\d{6})\d+z\1ÚZz+00:00z(could not parse FinishedAt %r for %s: %s)r[   r\   r]   r^   r   r_   r`   rb   r   Ú
startswithÚrer1   Úreplacerd   ÚfromisoformatÚ
ValueError)r<   ru   rs   rm   ÚrawÚ_rerd   s          r   rh   rh   å   s†  € ðÝ”Ø˜ JÐ0GÈÐVØ d°B¸eð
ñ 
ô 
ˆˆøõ Ô%¥wÐ/ð ð ð ÝŠÐAÀ<ÐPSÐQSÐPSÔCTÐVWÑXÔXÐXØˆtˆtˆtˆtˆtøøøøðøøøð Ô˜AÒÐØˆtØ
Œ-×
Ò
Ñ
Ô
€CØð #—.’. Ñ.Ô.ð Øˆtð ÐÐÐØ
'Š'/ 5¨#Ñ
.Ô
.€CØ
+Š+c˜8Ñ
$Ô
$€CðØˆˆˆØÔ ×.Ò.¨sÑ3Ô3Ð3øÝð ð ð ÝŠÐ?ÀÀlÐSVÐTVÐSVÔFWÐYZÑ[Ô[Ð[Øˆtˆtˆtˆtˆtøøøøðøøøs,   ‚! ¡A&·$A!Á!A&ÃC8 Ã8
D2Ä%D-Ä-D2c                  óx  — t           t           S t          j        d¦  «        } | r]t          j                             | ¦  «        r>t          j        | t          j        ¦  «        r| a t                               d| ¦  «         | S t          j
        d¦  «        }|r|a |S t          j
        d¦  «        }|r|a t                               d|¦  «         |S t          D ]a}t          j                             |¦  «        r@t          j        |t          j        ¦  «        r!|a t                               d|¦  «         |c S ŒbdS )u‚  Locate the docker (or podman) CLI binary.

    Resolution order:
    1. ``HERMES_DOCKER_BINARY`` env var â€” explicit override (e.g. ``/usr/bin/podman``)
    2. ``docker`` on PATH via ``shutil.which``
    3. ``podman`` on PATH via ``shutil.which``
    4. Well-known macOS Docker Desktop install locations

    Returns the absolute path, or ``None`` if neither runtime can be found.
    NÚHERMES_DOCKER_BINARYz'Using HERMES_DOCKER_BINARY override: %sr>   Úpodmanz%Using podman as container runtime: %sz%Found docker at non-PATH location: %s)r   ÚosÚgetenvÚpathÚisfileÚaccessÚX_OKr   rj   ÚshutilÚwhichÚ_DOCKER_SEARCH_PATHS)ÚoverrideÚfoundr†   s      r   rY   rY     s7  € õ Ð%Ý!Ð!õ ŒyÐ/Ñ0Ô0€HØð •B”G—N’N 8Ñ,Ô,ð µ´¸8ÅRÄWÑ1MÔ1Mð Ø%ÐÝŠÐ=¸xÑHÔHÐHØˆõ ŒL˜Ñ"Ô"€EØð Ø"ÐØˆõ ŒL˜Ñ"Ô"€EØð Ø"ÐÝŠÐ;¸UÑCÔCÐCØˆõ %ð ð ˆÝŒ7>Š>˜$ÑÔð 	¥B¤I¨dµB´GÑ$<Ô$<ð 	Ø!%ÐÝKŠKÐ?ÀÑFÔFÐFØˆKˆKˆKøàˆ4r   )z
--cap-dropÚALLú	--cap-addÚDAC_OVERRIDEr   ÚCHOWNr   ÚFOWNERz--security-optzno-new-privilegesz--pids-limitÚ256ú--tmpfsz/tmp:rw,nosuid,size=512mr•   z#/var/tmp:rw,noexec,nosuid,size=256mr•   z/run:rw,noexec,nosuid,size=64m)r   ÚSETUIDr   ÚSETGIDÚrun_as_host_userc                 ó€   — | rt          t          ¦  «        S t          t          ¦  «        t          t          ¦  «        z   S )zBReturn the security/cap/tmpfs args tailored to the privilege mode.)ÚlistÚ_BASE_SECURITY_ARGSÚ_PRIVDROP_CAP_ARGS)r˜   s    r   Ú_build_security_argsr   Y  s6   € àð )ÝÕ'Ñ(Ô(Ð(ÝÕ#Ñ$Ô$¥tÕ,>Ñ'?Ô'?Ñ?Ð?r   c                  ó¸   — t          t          dd¦  «        } t          t          dd¦  «        }| |€dS 	  | ¦   «         › d |¦   «         › S # t          $ r Y dS w xY w)au  Return ``<uid>:<gid>`` for the current host user, or ``None`` on platforms
    where this is not meaningful (e.g. Windows without posix ids).

    We intentionally read ``os.getuid()``/``os.getgid()`` directly rather than
    going through ``getpass``/``pwd`` so this stays cheap and never raises on
    nameless UIDs (nss lookups can fail inside sandboxed launchers).
    ÚgetuidNÚgetgidú:)Úgetattrr„   r*   )Úget_uidÚget_gids     r   Ú_resolve_host_user_specr¥   `  s{   € õ •b˜( DÑ)Ô)€GÝ•b˜( DÑ)Ô)€GØ€˜'˜/ØˆtðØ'‘)”)Ð)Ð)˜g˜g™iœiÐ)Ð)Ð)øÝð ð ð Øˆtˆtðøøøs   ´A Á
AÁAÚ_storage_opt_okc                  óˆ  — t          ¦   «         } | s)t                               d¦  «         t          d¦  «        ‚	 t	          j        | dgddd¬¦  «        }|j        dk    rHt                               d| |j        |j                             ¦   «         ¦  «         t          d	¦  «        ‚dS # t          $ r- t                               d
| d¬¦  «         t          d¦  «        ‚t          j
        $ r- t                               d| d¬¦  «         t          d¦  «        ‚t          $ r t                               dd¬¦  «         ‚ w xY w)zàBest-effort check that the docker CLI is available before use.

    Reuses ``find_docker()`` so this preflight stays consistent with the rest of
    the Docker backend, including known non-PATH Docker Desktop locations.
    z–Docker backend selected but no docker executable was found in PATH or known install locations. Install Docker Desktop and ensure the CLI is available.z|Docker executable not found in PATH or known install locations. Install Docker and ensure the 'docker' command is available.ÚversionTé   rU   r   zIDocker backend selected but '%s version' failed (exit code %d, stderr=%s)zXDocker command is available but 'docker version' failed. Check your Docker installation.zVDocker backend selected but the resolved docker executable '%s' could not be executed.)Úexc_infozHDocker executable could not be executed. Check your Docker installation.zYDocker backend selected but '%s version' timed out. The Docker daemon may not be running.zHDocker daemon is not responding. Ensure Docker is running and try again.z4Unexpected error while checking Docker availability.N)rY   r   ÚerrorÚRuntimeErrorr[   r\   r`   ra   r   ÚFileNotFoundErrorr]   r*   )r<   rs   s     r   Ú_ensure_docker_availabler®   u  sÅ  € õ ‘”€JØð 	
ÝŠð ñ	
ô 	
ð 	
õ
 ðKñ
ô 
ð 	
ð
-Ý”Ø˜Ð#ØØØð	
ñ 
ô 
ˆðB Ô Ò!Ð!ÝLŠLð,àØÔ!Ø”×#Ò#Ñ%Ô%ñô ð õ ð2ñô ð ð "Ð!øõ7 ð 	
ð 	
ð 	
ÝŠðàØð	 	ñ 	
ô 	
ð 	
õ ØVñ
ô 
ð 	
õ Ô$ð 	
ð 	
ð 	
ÝŠð4àØð	 	ñ 	
ô 	
ð 	
õ ØVñ
ô 
ð 	
õ ð ð ð ÝŠØBØð 	ñ 	
ô 	
ð 	
ð 	ðøøøs   »B* Â*BEc            #       ó`  ‡ — e Zd ZdZ	 	 	 	 	 	 	 	 	 	 	 	 	 	 	 	 d,d	ed
ededededededededee         dz  de	dz  dedededededef"ˆ fd„Z
dee         fd„Zddddœded eded!edz  dej        f
d"„Zedefd#„¦   «         Zd$ed%edeeeef                  fd&„Zdd'œd(efd)„Zd-dedefd+„Zˆ xZS ).ÚDockerEnvironmentuñ  Hardened Docker container execution with resource limits and persistence.

    Security: all capabilities dropped, no privilege escalation, PID limits,
    size-limited tmpfs for scratch dirs. The container itself is the security
    boundary â€” the filesystem inside is writable so agents can install packages
    (pip, npm, apt) as needed. Writable workspace via tmpfs or bind mounts.

    Persistence: when enabled, bind mounts preserve /workspace and /root
    across container restarts.
    ú/rooté<   r   Fr7   NTÚimageÚcwdrI   ÚcpuÚmemoryÚdiskÚpersistent_filesystemÚtask_idÚvolumesr	   r   ÚnetworkÚhost_cwdÚauto_mount_cwdr˜   Ú
extra_argsÚpersist_across_processesc                 óþ  •— |dk    rd}t          ¦   «                              ||¬¦  «         || _        || _        || _        t          |
¦  «        | _        t          |¦  «        | _        d | _	        i | _
        t                               d|	› ¦  «         |	4t          |	t          ¦  «        st                               d|	›¦  «         g }	t!          ¦   «          g }|dk    r$|                     dt%          |¦  «        g¦  «         |dk    r|                     d|› d	g¦  «         |dk    rZt&          j        d
k    rJ|                      ¦   «         r|                     dd|› d	g¦  «         nt                               d¦  «         |s|                     d¦  «         ddlm} g }d}|	pg D ]Œ}t          |t$          ¦  «        st                               d|›¦  «         Œ5|                     ¦   «         }|sŒLd|v r|                     d|g¦  «         d|v rd}Œnt                               d|› d¦  «         Œ|r<t4          j                             t4          j                             |¦  «        ¦  «        nd}|o0t=          |¦  «        o!t4          j                             |¦  «        o| }|r>|r<t4          j                             |¦  «        st                                d|› ¦  «         d | _!        d | _"        g }| j        r· |¦   «         dz  |z  }t%          |dz  ¦  «        | _"        t5          j#        | j"        d¬¦  «         |                     d| j"        › dg¦  «         |sS|sQt%          |dz  ¦  «        | _!        t5          j#        | j!        d¬¦  «         |                     d| j!        › dg¦  «         n2|s|s|                     dd g¦  «         |                     g d!¢¦  «         |r't                               d"|› ¦  «         d|› dg|¢}n|rt                                d#¦  «         	 dd$l$m%}m&}m'}  |¦   «         D ]È}tQ          |d%         ¦  «        }| )                    ¦   «         rt                               d&|¦  «         ŒG| *                    ¦   «         st                               d'|¦  «         Œw|                     d|d%         › d|d(         › d)g¦  «         t                               d*|d%         |d(         ¦  «         ŒÉ |¦   «         D ]˜} tQ          | d%         ¦  «        }| )                    ¦   «         st                               d+|¦  «         ŒG|                     d| d%         › d| d(         › d)g¦  «         t                               d,| d%         | d(         ¦  «         Œ™ |¦   «         D ]˜}!tQ          |!d%         ¦  «        }| )                    ¦   «         st                               d-|¦  «         ŒG|                     d|!d%         › d|!d(         › d)g¦  «         t                               d.|!d%         |!d(         ¦  «         Œ™n2# tV          $ r%}"t                                d/|"¦  «         Y d }"~"nd }"~"ww xY wg }#tY          | j        ¦  «        D ])}$|#                     d0|$› d1| j        |$         › g¦  «         Œ*g }%|rJt[          ¦   «         }&|& d2|&g}%t                               d3|&¦  «         nt                               d4¦  «         t]          |ot=          |%¦  «        ¦  «        }'t                               d5|› ¦  «         g }(|pg D ]H})t          |)t$          ¦  «        st                               d6|)¦  «         Œ3|(                     |)¦  «         ŒI|'|%z   |z   |z   |z   |#z   |(z   }*t                               d7|*› ¦  «         t_          ¦   «         pd| _0        d8tc          j2        ¦   «         j3        d d9…         › }+ti          tk          ¦   «         ¦  «        },ti          |¦  «        }-d:d;d:d<|-› d:d=|,› g}.d>|-|,d?œ| _
        d}/|rÐ|  6                    |-|,¦  «        }0|0¸|0\  }1}2|1| _	        |2d@k    rw	 to          j8        | j0        dA|1gdddBd¬C¦  «         nT# tn          j9        tn          j:        f$ r6}"t                               dD|1d dE…         |2|"¦  «         d | _	        Y d }"~"nd }"~"ww xY w| j	        r(t                               dF|1d dE…         |-|,|2¦  «         d}/|/s°| j0        dGdHdIdJ|+g|.¢dK‘|‘|*¢|‘dL‘dM‘}3t                                dNdO ;                    |3¦  «        › ¦  «         to          j8        |3dddPd¬C¦  «        }4|4j<                             ¦   «         | _	        t                               dQ|+› dR| j	        d dE…         › dS¦  «         |  =                    ¦   «         | _>        |  ?                    ¦   «          d S )TNÚ~r±   )r´   rI   zDockerEnvironment volumes: z%docker_volumes config is not a list: r   z--cpusz--memoryÚmÚdarwinú--storage-optzsize=zDocker storage driver does not support per-container disk limits (requires overlay2 on XFS with pquota). Container will run without disk quota.z--network=none)Úget_sandbox_dirFz%Docker volume entry is not a string: r¡   z-vz:/workspaceTzDocker volume 'z' missing colon, skippingÚ z>Skipping docker cwd mount: host_cwd is not a valid directory: r>   Úhome)Úexist_okz:/rootÚ	workspacer•   z/workspace:rw,exec,size=10g)r•   z/home:rw,exec,size=1gr•   z/root:rw,exec,size=1gz,Mounting configured host cwd to /workspace: zDSkipping docker cwd mount: /workspace already mounted by user config)Úget_credential_file_mountsÚget_skills_directory_mountÚget_cache_directory_mountsÚ	host_pathug   Docker: skipping credential mount â€” source is a directory (likely Docker-in-Docker auto-creation): %su:   Docker: skipping credential mount â€” source not found: %sÚcontainer_pathz:roz$Docker: mounting credential %s -> %su?   Docker: skipping skills mount â€” source is not a directory: %sz$Docker: mounting skills dir %s -> %su>   Docker: skipping cache mount â€” source is not a directory: %sz#Docker: mounting cache dir %s -> %sz1Docker: could not load credential file mounts: %sú-eÚ=z--userz)Docker: running container as host user %szƒdocker_run_as_host_user is enabled but this platform does not expose POSIX uid/gid; container will start as its image default user.zDocker volume_args: z/Ignoring non-string docker_extra_args entry: %rzDocker run_args: zhermes-é   z--labelzhermes-agent=1zhermes-task-id=zhermes-profile=Ú1)zhermes-agentzhermes-task-idzhermes-profileÚrunningÚstartrT   rF   u[   Failed to start existing container %s (state=%s): %s â€” falling back to a fresh container.rW   z:Reusing container %s (task=%s, profile=%s, prior state=%s)r\   z-dz--initz--namez-wÚsleepÚinfinityzStarting container: Ú éx   zStarted container z (ú))@ÚsuperÚ__init__Ú_persistentÚ_persist_across_processesÚ_task_idr   Ú_forward_envr%   Ú_envÚ_container_idÚ_labelsr   rj   r   rš   r   r®   rZ   r   ÚsysÚplatformÚ_storage_opt_supportedr   Útools.environments.baserÅ   r   r„   r†   ÚabspathÚ
expanduserr#   Úisdirr_   Ú_workspace_dirÚ	_home_dirÚmakedirsÚtools.credential_filesrÊ   rË   rÌ   r   Úis_dirÚis_filer*   Úsortedr¥   r   rY   Ú_docker_exeÚuuidÚuuid4Úhexr3   r9   Ú_find_reusable_containerr[   r\   ÚCalledProcessErrorr]   Újoinrb   Ú_build_init_env_argsÚ_init_env_argsÚinit_session)6Úselfr³   r´   rI   rµ   r¶   r·   r¸   r¹   rº   r	   r   r»   r¼   r½   r˜   r¾   r¿   Úresource_argsrÅ   Úvolume_argsÚworkspace_explicitly_mountedÚvolÚhost_cwd_absÚbind_host_cwdÚwritable_argsÚsandboxrÊ   rË   rÌ   Úmount_entryÚsrcÚskills_mountÚcache_mountrm   Úenv_argsr   Ú	user_argsÚ	user_specÚsecurity_argsÚvalidated_extraÚargÚall_run_argsÚcontainer_nameÚprofile_nameÚ
task_labelÚ
label_argsÚreusedÚexistingru   ÚstateÚrun_cmdrs   Ú	__class__s6                                                        €r   rÛ   zDockerEnvironment.__init__Ã  s¨  ø€ ð( #Š:ˆ:ØˆCÝ‰Œ×Ò˜S¨'ÐÑ2Ô2Ð2Ø0ˆÔØ)AˆÔ&ØˆŒÝ8¸ÑEÔEˆÔÝ'¨Ñ,Ô,ˆŒ	Ø,0ˆÔØ')ˆŒÝŠÐ;°'Ð;Ð;Ñ<Ô<Ð<àÐ¥z°'½4Ñ'@Ô'@ÐÝNŠNÐNÀ7ÐNÐNÑOÔOÐOØˆGõ 	!Ñ"Ô"Ð"ð ˆØŠ7ˆ7Ø× Ò  (­C°©H¬HÐ!5Ñ6Ô6Ð6ØAŠ:ˆ:Ø× Ò  *°¨l¨l¨lÐ!;Ñ<Ô<Ð<Ø!Š8ˆ8œ¨Ò0Ð0Ø×*Ò*Ñ,Ô,ð Ø×$Ò$ o°¸t°°°Ð%GÑHÔHÐHÐHå—’ðeñô ð ð ð 	3Ø× Ò Ð!1Ñ2Ô2Ð2ð
 	<Ð;Ð;Ð;Ð;Ð;ð ˆØ',Ð$ØM˜rð 	Qð 	QˆCÝ˜c¥3Ñ'Ô'ð Ý—’ÐNÀsÐNÐNÑOÔOÐOØØ—)’)‘+”+ˆCØð ØØcˆzˆzØ×"Ò" D¨# ;Ñ/Ô/Ð/Ø  CÐ'Ð'Ø37Ð0øå—’ÐO°ÐOÐOÐOÑPÔPÐPÐPàHPÐX•r”w—’¥r¤w×'9Ò'9¸(Ñ'CÔ'CÑDÔDÐDÐVXˆàð 1Ý\Ñ"Ô"ð1å”—’˜lÑ+Ô+ð1ð 1Ð0ð	 	ð ð 	f˜hð 	f­r¬w¯}ª}¸\Ñ/JÔ/Jð 	fÝLŠLÐdÐZbÐdÐdÑeÔeÐeà-1ˆÔØ(,ˆŒØˆØÔð 	Ø%oÑ'Ô'¨(Ñ2°WÑ<ˆGÝ  ¨6Ñ!1Ñ2Ô2ˆDŒNÝŒK˜œ°Ð6Ñ6Ô6Ð6Ø× Ò Ø˜œÐ/Ð/Ð/ð"ñ ô ð ð !ð Ð)Eð Ý&)¨'°KÑ*?Ñ&@Ô&@Ô#Ý”˜DÔ/¸$Ð?Ñ?Ô?Ð?Ø×$Ò$Ø˜TÔ0Ð=Ð=Ð=ð&ñ ô ð øð !ð Ð)Eð Ø×$Ò$ØÐ<ð&ñ ô ð ð × Ò ð "ð "ð "ñ ô ð ð
 ð 	aÝKŠKÐUÀ|ÐUÐUÑVÔVÐVØ LÐ!=Ð!=Ð!=ÐLÀÐLˆKˆKØ)ð 	aÝLŠLÐ_Ñ`Ô`Ð`ðL	Qðð ð ð ð ð ð ð ð ð ð  :Ð9Ñ;Ô;ð ð Ý˜; {Ô3Ñ4Ô4Ø—:’:‘<”<ð 	õ —N’NðFàñô ð ð
 Ø—{’{‘}”}ð Ý—N’NØTÐVYñô ð ð Ø×"Ò"ØØ" ;Ô/ÐTÐT°+Ð>NÔ2OÐTÐTÐTð$ñ ô ð õ —’Ø:Ø Ô,ØÐ 0Ô1ñô ð ð ð !;Ð :Ñ <Ô <ð ð Ý˜<¨Ô4Ñ5Ô5Ø—z’z‘|”|ð Ý—N’NØYØñô ð ð Ø×"Ò"ØØ# KÔ0ÐVÐV°<Ð@PÔ3QÐVÐVÐVð$ñ ô ð õ —’Ø:Ø  Ô-Ø Ð!1Ô2ñô ð ð ð  :Ð9Ñ;Ô;ð ð Ý˜; {Ô3Ñ4Ô4Ø—z’z‘|”|ð Ý—N’NØXØñô ð ð Ø×"Ò"ØØ" ;Ô/ÐTÐT°+Ð>NÔ2OÐTÐTÐTð$ñ ô ð õ —’Ø9Ø Ô,ØÐ 0Ô1ñô ð ð ðøõ" ð 	Qð 	Qð 	QÝLŠLÐLÈaÑPÔPÐPÐPÐPÐPÐPÐPøøøøð	Qøøøð
 ˆÝ˜$œ)Ñ$Ô$ð 	?ð 	?ˆCØOŠO˜T cÐ#<Ð#<¨D¬I°c¬NÐ#<Ð#<Ð=Ñ>Ô>Ð>Ð>ð  "ˆ	Øð 
	Ý/Ñ1Ô1ˆIØÐ$Ø% yÐ1	Ý—’ÐGÈÑSÔSÐSÐSå—’ð*ñô ð õ -Ð-=Ð-QÅ$ÀyÁ/Ä/ÑRÔRˆåŠÐ8¨;Ð8Ð8Ñ9Ô9Ð9ð ˆØÐ$ "ð 	(ð 	(ˆCÝ˜c¥3Ñ'Ô'ð Ý—’ÐPÐRUÑVÔVÐVØØ×"Ò" 3Ñ'Ô'Ð'Ð'ð Øñàñð ñð ñ	ð
 ñð ñð 	õ 	ŠÐ6¨Ð6Ð6Ñ7Ô7Ð7õ '™=œ=Ð4¨HˆÔð :¥4¤:¡<¤<Ô#3°B°Q°BÔ#7Ð9Ð9ˆõ -Õ-EÑ-GÔ-GÑHÔHˆÝ*¨7Ñ3Ô3ˆ
àÐ'ØÐ5¨Ð5Ð5ØÐ7¨Ð7Ð7ð
ˆ
ð  Ø(Ø*ð
ð 
ˆŒð$ ˆØ#ð 	"Ø×4Ò4°ZÀÑNÔNˆHØÐ#Ø&.Ñ#˜eØ%1Ô"Ø˜IÒ%Ð%ð2Ý"œØ!Ô-¨w¸ÐEØ+/Ø!%Ø$&Ø"&ðñ ô ð ð øõ 'Ô9½:Ô;TÐUð 2ð 2ð 2ÝŸšðHà(¨¨"¨Ô-¨u°añô ð ð
 .2˜Ô*Ð*Ð*Ð*Ð*Ð*øøøøð2øøøð Ô%ð "Ý—K’KØTØ$ S b SÔ)¨:°|ÀUñô ð ð "Fàð 	[àÔ  %¨ØØ˜.ð	ð ð		ð
 ð	ð
 ð	ð ð	ð ð	ð ð	ð $ð	ˆGõ LŠLÐC°·²¸Ñ0AÔ0AÐCÐCÑDÔDÐDÝ”^ØØ#ØØØðñ ô ˆFð "(¤×!4Ò!4Ñ!6Ô!6ˆDÔÝKŠKÐY¨^ÐYÐY¸tÔ?QÐRUÐSUÐRUÔ?VÐYÐYÐYÑZÔZÐZð
 #×7Ò7Ñ9Ô9ˆÔð 	×ÒÑÔÐÐÐs1   Ð0H#Y Ù
ZÙY>Ù>Zá9!b âc,â6,c'ã'c,r
   c                 ó  — t          | j        ¦  «        }t          | j        ¦  «        }t          ¦   «         }	 ddlm} t           |¦   «         ¦  «        }n# t          $ r Y nw xY w||t          z
  z  }|rt          ¦   «         ni }t          |¦  «        D ]4}t          j        |¦  «        }|€|                     |¦  «        }||||<   Œ5g }	t          |¦  «        D ]$}|	                     d|› d||         › g¦  «         Œ%|	S )zîBuild -e KEY=VALUE args for injecting host env vars into init_session.

        These are used once during init_session() so that export -p captures
        them into the snapshot.  Subsequent execute() calls don't need -e flags.
        r   )Úget_all_passthroughNrÏ   rÐ   )r   rà   r   rß   Útools.env_passthroughr  r*   r   r+   rð   r„   r…   ÚgetrZ   )
rû   Úexec_envÚexplicit_forward_keysÚpassthrough_keysr  Úforward_keysÚ
hermes_envr   r$   Úargss
             r   rø   z&DockerEnvironment._build_init_env_args  s>  € õ $(¨¬	¡?¤?ˆå # DÔ$5Ñ 6Ô 6ÐÝ%(¡U¤UÐð	ØAÐAÐAÐAÐAÐAÝ"Ð#6Ð#6Ñ#8Ô#8Ñ9Ô9ÐÐøÝð 	ð 	ð 	ØˆDð	øøøð
 -Ð0@ÕCaÑ0aÑbˆØ0<ÐDÕ*Ñ,Ô,Ð,À"ˆ
Ý˜,Ñ'Ô'ð 	&ð 	&ˆCÝ”I˜c‘N”NˆEØˆ}Ø"Ÿš sÑ+Ô+ØÐ Ø %˜‘øàˆÝ˜(Ñ#Ô#ð 	:ð 	:ˆCØKŠK˜ #Ð7Ð7¨°¬Ð7Ð7Ð8Ñ9Ô9Ð9Ð9Øˆs   ¸A Á
A#Á"A#rØ   )ÚloginrI   Ú
stdin_dataÚ
cmd_stringr"  r#  c                óZ  — | j         s
J d¦   «         ‚| j        dg}||                     d¦  «         |r|                     | j        ¦  «         |                     | j         g¦  «         |r|                     ddd|g¦  «         n|                     dd|g¦  «         t          ||¦  «        S )z1Spawn a bash process inside the Docker container.zContainer not startedÚexecNz-iÚbashz-lz-c)rá   rñ   r   rZ   rù   r   )rû   r$  r"  rI   r#  Úcmds         r   Ú	_run_bashzDockerEnvironment._run_bash;  sÇ   € ð Ô!Ð:Ð:Ð#:Ñ:Ô:Ð!ØÔ Ð(ˆØÐ!ØJŠJtÑÔÐð ð 	,ØJŠJtÔ*Ñ+Ô+Ð+à
Š
DÔ&Ð'Ñ(Ô(Ð(àð 	3ØJŠJ˜  d¨JÐ7Ñ8Ô8Ð8Ð8àJŠJ˜  jÐ1Ñ2Ô2Ð2å˜3 
Ñ+Ô+Ð+r   c                  ó  — t           t           S 	 t          ¦   «         pd} t          j        | dddgddd¬¦  «        }|j                             ¦   «                              ¦   «         }|d	k    rd
a d
S t          j        | ddddgddd¬¦  «        }|j        dk    r8|j                             ¦   «         }|rt          j        | d|gdd¬¦  «         da nd
a n# t          $ r d
a Y nw xY wt           
                    dt           ¦  «         t           S )zìCheck if Docker's storage driver supports --storage-opt size=.
        
        Only overlay2 on XFS with pquota supports per-container disk quotas.
        Ubuntu (and most distros) default to ext4, where this flag errors out.
        Nr>   rj   rD   z{{.Driver}}Trx   rU   Úoverlay2FÚcreaterÄ   zsize=1mzhello-worldrE   r   rR   r©   ©rG   rI   z Docker --storage-opt support: %s)r¦   rY   r[   r\   rb   r   Úlowerr`   r*   r   r_   )r>   rs   ÚdriverÚproberu   s        r   rå   z(DockerEnvironment._storage_opt_supportedR  sR  € õ Ð&Ý"Ð"ð	$Ý ‘]”]Ð. hˆFÝ”^Ø˜ ¨]Ð;Ø#¨$¸ðñ ô ˆFð ”]×(Ò(Ñ*Ô*×0Ò0Ñ2Ô2ˆFØ˜Ò#Ð#Ø"'Øuõ ”NØ˜ ?°I¸}ÐMØ#¨$¸ðñ ô ˆEð Ô 1Ò$Ð$à$œ|×1Ò1Ñ3Ô3Øð CÝ”N F¨D°,Ð#?Ø26ÀðCñ Cô Cð Cà"&à"'øøÝð 	$ð 	$ð 	$Ø#ˆOˆOˆOð	$øøøåŠÐ7½ÑIÔIÐIÝÐs   AC Á1A"C ÃC#Ã"C#r  Úprofile_labelc                 ó  — 	 t          j        | j        dddddd|› dd|› ddgd	d	d
d¬¦  «        }n?# t           j        t          f$ r&}t
                               d|¦  «         Y d}~dS d}~ww xY w|j        dk    r:t
                               d|j        |j         	                    ¦   «         ¦  «         dS d„ |j
                             ¦   «         D ¦   «         }|sdS d}d}|D ]`}|                     dd¦  «        }	t          |	¦  «        dk    rŒ,|	d         |	d                              ¦   «         }}
|€|
|f}|dk    r|€|
|f}Œa|p|S )uƒ  Look for an existing container labeled for this (task, profile).

        Returns ``(container_id, state)`` on hit, ``None`` on miss / on any
        failure (including ``docker ps`` itself failing). State is one of the
        values Docker reports via ``{{.State}}`` â€” e.g. ``running``, ``exited``,
        ``created``, ``paused``, ``restarting``, ``dead``. The caller decides
        whether the state warrants ``docker start`` before reuse.

        Restricted to the docker-stored label set this class creates; never
        matches containers that happened to be named ``hermes-*`` but were
        started by some other tool.
        rB   rC   r?   r@   zlabel=hermes-task-id=rA   rD   z{{.ID}}	{{.State}}Trx   FrF   u;   docker ps probe failed: %s â€” will start a fresh containerNr   u@   docker ps probe returned %d: %s â€” will start a fresh containerc                 ó^   — g | ]*}|                      ¦   «         ¯|                      ¦   «         ‘Œ+S rL   rM   rN   s     r   rQ   z>DockerEnvironment._find_reusable_container.<locals>.<listcomp>ž  s-   € ÐOÐOÐO ÀBÇHÂHÁJÄJÐO—’‘”ÐOÐOÐOr   ú	rV   é   rÓ   )r[   r\   rñ   r]   r^   r   r_   r`   ra   r   rb   rc   ÚsplitÚlenr.  )rû   r  r1  rs   rm   ÚlinesrÓ   ÚfirstrP   Úpartsrp   r  s               r   rõ   z*DockerEnvironment._find_reusable_containerz  s±  € ð	Ý”^àÔ$ d¨DØÐ 6ØÐ D¸
Ð DÐ DØÐ G¸Ð GÐ GØÐ 5ðð  $ØØØðñ ô ˆFˆFøõ Ô)­7Ð3ð 	ð 	ð 	ÝLŠLÐVÐXYÑZÔZÐZØ44444øøøøð	øøøð Ô Ò!Ð!ÝLŠLØRØÔ! 6¤=×#6Ò#6Ñ#8Ô#8ñô ð ð 4ØOÐO f¤m×&>Ò&>Ñ&@Ô&@ÐOÑOÔOˆØð 	Ø4ð ˆØˆØð 	'ð 	'ˆBØ—H’H˜T 1Ñ%Ô%ˆEÝ5‰zŒz˜QŠˆØØ˜qœ 5¨¤8§>¢>Ñ#3Ô#3ˆCØˆ}Ø˜e˜Ø˜	Ò!Ð! g oØ ˜,øØÐ˜%Ðs   ‚/2 ²A.ÁA)Á)A.)Úforce_remover;  c                óà  ‡‡‡‡	‡
— | j         Š‰s2| j        s)| j        | j        fD ]}|rt	          j        |d¬¦  «         ŒdS |rdŠ
dŠ	n| j        r	d| _         dS dŠ
dŠ	| j        Š‰dd…         Šd
ˆˆˆˆ	ˆ
fd„}ddl}| 	                    |dd‰› ¬	¦  «        }| 
                    ¦   «          || _        d| _         ‰	r0| j        s+| j        | j        fD ]}|rt	          j        |d¬¦  «         ŒdS dS dS )u}	  Tear down the container according to persist mode and *force_remove*.

        Persist-mode (``persist_across_processes=True``, the default) leaves the
        container **running** untouched. The docs promise "ONE long-lived
        container shared across sessions" and stopping it on every Hermes exit
        breaks that promise:

        * Background processes inside the container (``npm run dev``, watchers,
          long-running pytest) get killed every time the user runs ``/quit``.
        * Every reuse requires ``docker start`` + waiting for the container to
          come back up, adding 1â€“2s to the first tool call of the new session.
        * The user-visible difference between "ONE long-lived container" and
          "a new container that happens to share state" is exactly this:
          processes survive in the former, die in the latter.

        Resource reclamation for the persist-mode case lives in the
        ``reap_orphan_containers()`` path (see issue #20561 commit 3): if no
        Hermes process touches a labeled container for ``2 Ã— lifetime_seconds``
        it gets ``docker rm -f``'d at the next Hermes startup. That covers the
        SIGKILL / OOM / abandoned-laptop cases without us needing to stop the
        container on every graceful exit.

        Opt-out mode (``persist_across_processes=False``) still does
        ``docker stop`` + ``docker rm -f`` on every cleanup, matching the
        pre-PR behavior for users who explicitly want per-process isolation.

        ``force_remove=True`` overrides persist mode and always tears the
        container down (``docker stop`` + ``docker rm -f``). This is the
        explicit-teardown path for ``/reset``, ``cleanup_vm(task_id)``-driven
        resets, or any caller that wants a guaranteed fresh container on next
        ``DockerEnvironment(task_id=...)``. No current caller passes
        ``force_remove=True``; the parameter is here so the explicit-teardown
        semantics can be wired up later without changing this method's
        signature.

        Cleanup runs on a daemon thread with bounded ``subprocess.run`` calls
        (not the racy ``Popen(... &)`` pattern from before PR #33645). The
        atexit hook in ``tools/terminal_tool.py`` waits up to 15s for the
        thread to finish before the interpreter exits, so ``docker stop`` /
        ``docker rm`` actually completes when we do trigger it.
        T)Úignore_errorsNrW   r
   c                  ó†  •— ‰r]	 t          j        ‰ddd‰gdd¬¦  «         n?# t           j        t          f$ r&} t                               d‰| ¦  «         Y d } ~ nd } ~ ww xY w‰r^	 t          j        ‰dd	‰gdd¬¦  «         d S # t           j        t          f$ r'} t                               d
‰| ¦  «         Y d } ~ d S d } ~ ww xY wd S )NÚstopz-tÚ10TrT   r-  z%docker stop %s timed out / failed: %srR   rS   rX   )r[   r\   r]   r^   r   r   )rm   ru   r<   Úlog_idÚshould_removeÚshould_stops    €€€€€r   Ú_do_cleanupz.DockerEnvironment.cleanup.<locals>._do_cleanup  s<  ø€ Øð WðWÝ”NØ# V¨T°4¸ÐFØ'+°Rðñ ô ð ð øõ #Ô1µ7Ð;ð Wð Wð WÝ—N’NÐ#JÈFÐTUÑVÔVÐVÐVÐVÐVÐVÐVøøøøðWøøøàð LðLÝ”NØ# T¨4°Ð>Ø'+°Rðñ ô ð ð ð øõ #Ô1µ7Ð;ð Lð Lð LÝ—N’NÐ#?ÀÈÑKÔKÐKÐKÐKÐKÐKÐKÐKøøøøðLøøøðLð Ls,   …" ¢A¸AÁAÁ$B ÂB>ÂB9Â9B>r   zhermes-cleanup-)ÚtargetÚdaemonÚname©r
   N)rá   rÜ   rê   rë   rŠ   ÚrmtreerÝ   rñ   Ú	threadingÚThreadrÔ   Ú_cleanup_thread)rû   r;  ÚdrD  rJ  Útru   r<   rA  rB  rC  s         @@@@@r   ÚcleanupzDockerEnvironment.cleanup³  s©  øøøøø€ ðT Ô)ˆØð 	ð Ô#ð =ØÔ-¨t¬~Ð>ð =ð =AØð =Ýœ a°tÐ<Ñ<Ô<Ð<øØˆFð ð 	!ØˆKØ ˆMˆMØÔ+ð 	!ð "&ˆDÔØˆFàˆKØ ˆMð Ô%ˆ
Ø˜c˜r˜cÔ"ˆð	Lð 	Lð 	Lð 	Lð 	Lð 	Lð 	Lð 	Lð 	Lð 	Lð0 	ÐÐÐØ×Ò K¸ÐC]ÐU[ÐC]ÐC]ÐÑ^Ô^ˆØ	Š‰	Œ	ˆ	Ø ˆÔØ!ˆÔð
 ð 	9 Ô!1ð 	9ØÔ)¨4¬>Ð:ð 9ð 9Øð 9Ý”M !°4Ð8Ñ8Ô8Ð8øð	9ð 	9ð 	9ð 	9ð9ð 9r   ç      >@c                 óª   — t          | dd¦  «        }||                     ¦   «         sdS |                     |¬¦  «         |                     ¦   «          S )uÀ  Block up to *timeout* seconds for the cleanup worker thread.

        Returns ``True`` if the thread finished (or no thread was started),
        ``False`` on timeout. The atexit hook in terminal_tool.py calls this
        on every active environment so docker stop/rm actually completes
        before the Python process exits â€” without this, ``hermes /quit``
        races the interpreter shutdown and leaves stopped containers behind.
        rL  NT)rI   )r¢   Úis_aliver÷   )rû   rI   Úthreads      r   Úwait_for_cleanupz"DockerEnvironment.wait_for_cleanup(  sU   € õ ˜Ð0°$Ñ7Ô7ˆØˆ> §¢Ñ!2Ô!2ˆ>Ø4ØŠ˜GˆÑ$Ô$Ð$Ø—?’?Ñ$Ô$Ð$Ð$r   )r±   r²   r   r   r   Fr7   NNNTNFFNT)rP  )Ú__name__Ú
__module__Ú__qualname__Ú__doc__r   r!   r"   r#   rš   r   rÛ   rø   r[   ÚPopenr)  Ústaticmethodrå   r   Útuplerõ   rO  rT  Ú__classcell__)r  s   @r   r°   r°   ·  s€  ø€ € € € € ð	ð 	ð ØØØØØ&+Ø ØØ(,ØØØØ$Ø!&ØØ)-ð%Vð VàðVð ðVð ð	Vð
 ðVð ðVð ðVð  $ðVð ðVð ðVð ˜#”Y Ñ%ðVð D‰[ðVð ðVð ðVð ðVð  ð!Vð" ð#Vð$ #'ð%Vð Vð Vð Vð Vð Vðp
 d¨3¤ið ð ð ð ð@ ;@Ø!$Ø+/ð,ð ,ð , Cð ,°4ð ,Øð,à! D™jð,à4>Ô4Dð,ð ,ð ,ð ,ð. ð% Dð %ð %ð %ñ „\ð%ðN7 °3ð 7 Àsð 7 ÈxÐX]Ð^aÐcfÐ^fÔXgÔOhð 7 ð 7 ð 7 ð 7 ðr /4ð s9ð s9ð s9 tð s9ð s9ð s9ð s9ðj%ð %¨ð %¸ð %ð %ð %ð %ð %ð %ð %ð %r   r°   rH  ).rX  Úloggingr„   r{   rŠ   r[   rã   rò   Úpathlibr   Útypingr   ræ   r   r   Útools.environments.localr   Ú	getLoggerrU  r   rŒ   r   r   Ú__annotations__Úcompiler   rš   r   r   r%   r+   r0   r3   r9   r!   rt   rh   rY   r›   rœ   r#   r   r¥   r¦   r®   r°   rL   r   r   ú<module>rd     sC  ððð ð ð €€€Ø 	€	€	€	Ø 	€	€	€	Ø €€€Ø Ð Ð Ð Ø 
€
€
€
Ø €€€Ø Ð Ð Ð Ð Ð Ø Ð Ð Ð Ð Ð à @Ð @Ð @Ð @Ð @Ð @Ð @Ð @Ø CÐ CÐ CÐ CÐ CÐ Cà	ˆÔ	˜8Ñ	$Ô	$€ðð ð Ð ð %)Ð H˜S”MÐ (Ð (Ñ (Ø2”:Ð9Ñ:Ô:Ð ð¨d°3¬i¸$Ñ.>ð À4ÈÄ9ð ð ð ð ð2˜T D™[ð ¨T°#°s°(¬^ð ð ð ð ð<˜t C¨ Hœ~ð ð ð ð ð  R”ZÐ 2Ñ3Ô3Ð ð ð ¨ð ð ð ð ð #ð ð ð ð ð" Ø!%Ø!ð	Yð Yð YàðYð ˜$‘JðYð d‘
ð	Yð
 	ðYð Yð Yð Yðx sð ¸#ð ð ð ð ðD*X˜c”]ð *ð *ð *ð *ðx
ð 
ð 
Ð ð ð ð Ð ð@¨4ð @°D¸´Ið @ð @ð @ð @ð ¨#¤ð ð ð ð ð$ #'€˜$”Ð &Ð &Ñ &ð?ð ?ð ?ð ?ðD~	%ð ~	%ð ~	%ð ~	%ð ~	%˜ñ ~	%ô ~	%ð ~	%ð ~	%ð ~	%r   