sandbox::catalog::list
functionList bootable images: bundled presets plus operator-registered custom_images. Call this before sandbox::create when you don't know what's available.
imagesobject[]*required
Every image the daemon will accept on `sandbox::create.image`. Presets come first in stable order; custom entries follow, sorted by `name` for determinism so an agent that diffs two `catalog::list` responses sees stable output.
kindone of*required
one of (2)
variant 1
valuestringenum: preset
variant 2
valuestringenum: custom
Create an ephemeral sandbox VM. `image` must be a preset (`"python"`, `"node"`) or a `custom_images` key from iii.config.yaml; OCI refs are NOT accepted unless they match a catalog key. `env` accepts both `Vec<"K=V">` and `{ K: V }` map shapes.
cpusinteger· uint32min 0
vCPU count; daemon/image default applies when omitted.
envall of
Environment entries injected into the VM. Accepts either a `Vec<"K=V">` (original wire shape) or a `{ K: V }` map. `handle_create` normalises to the `Vec<String>` shape the boot path expects before invoking the launcher.
idle_timeout_secsinteger· uint64min 0
Auto-stop the VM after this many seconds of inactivity; daemon default applies when omitted.
imagestring*required
Catalog name of the image to boot. Bundled presets are `"python"` and `"node"`; pass either string verbatim. The only other accepted values are the literal keys of `sandbox.custom_images` in `iii.config.yaml` — set by the operator. Do NOT pass an OCI ref like `"ghcr.io/iii-hq/node:latest"` or `"docker.io/library/node:20"` unless that exact string is the catalog key. Unknown values return S100 with the allowed set in the error message.
memory_mbinteger· uint32min 0
Memory cap in MiB; daemon/image default applies when omitted.
namestring
Human label surfaced by `sandbox::list`; not an identifier.
networkboolean
Whether the VM gets outbound networking; daemon default when omitted.
sandbox_idstring*required
Execute a command inside a live sandbox. `cmd` accepts three shapes: (1) a shell-style line that gets shlex-split (`cmd: "node -v"`), (2) `cmd` + `args` (the POSIX shape, `cmd: "node", args: ["-v"]`), (3) an `argv` array (`argv: ["node", "-v"]`). Shell metacharacters in the shell-line shape are NOT interpreted; use `sandbox::run` with `lang: "shell"` for bash semantics. `env` accepts both `Vec<"K=V">` and `{ K: V }` map shapes.
argsstring[]
Argv tail passed to `cmd` (each entry is one argv slot).
argvstring[]
Alternative input shape: a single argv array where the first element is the binary and the rest are arguments. Mutually exclusive with `cmd` having whitespace OR `args` being set.
cmdstring
The binary to execute. Accepts three shapes (`handle_exec` picks one and normalises `cmd`/`args` before passing to the runner):
1. **Shell line**: `cmd: "node /home/app/index.js"`. If `cmd` contains whitespace AND `args` is empty AND `argv` is empty, `cmd` is shlex-split into `(head, tail)` and `head` becomes the binary while `tail` becomes the argv. 2. **cmd + args**: `cmd: "node", args: ["-v"]`. The classic POSIX shape; unchanged from earlier versions. 3. **argv array**: `argv: ["node", "/home/app/index.js"]`. Wins over `cmd`/`args` if non-empty; the first element is the binary, the rest are arguments.
Shlex is NOT bash. Shell metacharacters (`;`, `|`, `&&`, `>`, pipes, redirects, variable expansion) inside the shell-line shape are split as text, not interpreted. Use `sandbox::run` with `lang: "shell"` if you need bash semantics.
envall of
Environment entries added to the child. Accepts either a `Vec<"K=V">` (the original wire shape) or a `{ K: V }` map. `handle_exec` normalises to `Vec<String>` before invoking the runner.
sandbox_idstring*required
UUID returned by `sandbox::create`.
stdinstring
Base64-encoded bytes piped to the child's stdin.
timeout_msinteger· uint64min 0
Kill-after window in ms. Defaults to 300_000 (5 minutes) — sized for cold `npm install` / `pip install` / `cargo build`. Pass a smaller value (e.g. 10_000) for probes and version checks.
workdirstring
Working directory inside the sandbox; image default when omitted.
duration_msinteger· uint64*requiredmin 0
timed_outboolean*required
sandbox::fs::chmod
functionChange file permissions (and optionally owner) inside a sandbox. Example: { sandbox_id: "...", path: "/home/app/script.sh", mode: "0755" }
gidinteger· uint32min 0
Optional GID to chown to. Pair with `uid` for a full chown.
modestring*required
Octal permissions (e.g. `"0644"`, `"0755"`).
pathstring*required
Absolute path to modify inside the sandbox guest.
recursiveboolean
Apply recursively to all entries under `path`.
sandbox_idstring*required
UUID returned by `sandbox::create`.
uidinteger· uint32min 0
Optional UID to chown to. Pair with `gid` for a full chown.
updatedinteger· uint64*requiredmin 0
sandbox::fs::grep
functionSearch for a regex pattern in files inside a sandbox. Walks `path` recursively by default. Example: { sandbox_id: "...", path: "/home/app/src", pattern: "TODO" }
exclude_globstring[]
Gitignore-style exclude filter applied relative to `path`.
ignore_caseboolean
Case-insensitive match.
include_globstring[]
Gitignore-style include filter applied relative to `path`.
max_line_bytesinteger· uint64min 0
Maximum bytes per matched line before content is truncated with `…`. Default 4096.
max_matchesinteger· uint64min 0
Maximum number of matches before truncation. Default 10_000.
pathstring*required
Root path to search inside the sandbox guest. Treated as a directory when `recursive: true`, else as a single file.
patternstring*required
Regex pattern (Rust regex syntax, anchored fragments allowed).
recursiveboolean
Descend into subdirectories under `path`. Defaults to true.
sandbox_idstring*required
UUID returned by `sandbox::create`.
matchesobject[]*required
lineinteger· uint64*requiredmin 0
truncatedboolean*required
List directory contents inside a sandbox. Example: { sandbox_id: "...", path: "/home/app" }
pathstring*required
Absolute path of the directory to list inside the sandbox guest.
sandbox_idstring*required
UUID returned by `sandbox::create`.
entriesobject[]*required
is_symlinkboolean*required
mtimeinteger· int64*required
sizeinteger· uint64*requiredmin 0
sandbox::fs::mkdir
functionCreate a directory inside a sandbox. Pass `parents:true` to make missing parents like `mkdir -p`. Example: { sandbox_id: "...", path: "/home/app/cache", mode: "0755", parents: true }
modestring
Octal permissions for the new directory (e.g. `"0755"`).
parentsboolean
Create intermediate parent directories like `mkdir -p`.
pathstring*required
Absolute path of the directory to create inside the sandbox guest.
sandbox_idstring*required
UUID returned by `sandbox::create`.
Move or rename a path inside a sandbox. Pass `overwrite:true` to clobber an existing destination. Example: { sandbox_id: "...", src: "/home/app/old.js", dst: "/home/app/new.js" }
dststring*required
Destination absolute path inside the sandbox guest.
overwriteboolean
Allow overwriting `dst` if it already exists.
sandbox_idstring*required
UUID returned by `sandbox::create`.
srcstring*required
Source absolute path inside the sandbox guest.
sandbox::fs::read
functionRead a file from a sandbox. Always returns `content`: a StreamChannelRef callers can subscribe to for the full file bytes. For UTF-8 text files under 1 MiB, the response also carries an inline `body` string so callers can short-circuit the subscription. Example: { sandbox_id: "...", path: "/home/app/index.js" }
pathstring*required
Absolute path to read inside the sandbox guest.
sandbox_idstring*required
UUID returned by `sandbox::create`.
bodystring
Inline UTF-8 body. Populated for text files under [`INLINE_BUFFER_CAP`] (1 MiB) that decode cleanly as UTF-8. `None` for large or binary files; subscribe to `content` instead. When `Some`, the same bytes are also delivered through `content` so legacy callers keep working — new callers can use `body` directly and skip the channel subscription.
contentall of*required
Channel ref for the file body. Always set; callers can subscribe to receive the full file contents as bytes. Preserved for wire compatibility with peers that statically type this field as `StreamChannelRef`.
all of (1)
variant 1
access_keystring*required
channel_idstring*required
directionstring*requiredenum: read, write
mtimeinteger· int64*required
sizeinteger· uint64*requiredmin 0
Remove a file or directory inside a sandbox. Pass `recursive:true` to remove directories with contents. Example: { sandbox_id: "...", path: "/home/app/temp", recursive: true }
pathstring*required
Absolute path to remove inside the sandbox guest.
recursiveboolean
Remove directories and their contents recursively (like `rm -rf`).
sandbox_idstring*required
UUID returned by `sandbox::create`.
Find-and-replace in files inside a sandbox. Pass either `path` (walked like grep) OR `files` (explicit list), not both. Example: { sandbox_id: "...", path: "/home/app/src", pattern: "foo", replacement: "bar" }
exclude_globstring[]
Gitignore-style exclude filter applied to paths relative to `path`. Only meaningful with `path`.
filesstring[]
Legacy form: explicit list of paths to rewrite.
include_globstring[]
Gitignore-style include filter applied to paths relative to `path`. Only meaningful with `path`.
pathstring
New form: walk `path` like grep does. May be a directory or a single file. Mutually exclusive with `files`.
recursiveboolean
Whether to descend into subdirectories. Only meaningful with `path`. Defaults to `true` so the path-form behaves like grep.
replacementstring*required
sandbox_idstring*required
UUID returned by `sandbox::create`.
resultsobject[]*required
replacementsinteger· uint64*requiredmin 0
total_replacementsinteger· uint64*requiredmin 0
sandbox::fs::stat
functionStat a path inside a sandbox. Example: { sandbox_id: "...", path: "/home/app/index.js" }
pathstring*required
Absolute path to inspect inside the sandbox guest.
sandbox_idstring*required
UUID returned by `sandbox::create`.
is_symlinkboolean*required
mtimeinteger· int64*required
sizeinteger· uint64*requiredmin 0
sandbox::fs::write
functionWrite a file into a sandbox. `content` accepts a UTF-8 string (recommended for source/text), a StreamChannelRef object (for large uploads), or use `content_b64` for small binary. Example: { sandbox_id: "...", path: "/home/app/index.js", content: "console.log('hi')\n" }
contentany of
File body. Pass a UTF-8 string for source/text (the agent-natural form), or a `StreamChannelRef` object for streaming large/binary uploads. Mutually exclusive with `content_b64`; exactly one of the two must be set.
any of (2)
variant 1
any of (2)
variant 2
all of (1)
variant 1
access_keystring*required
channel_idstring*required
directionstring*requiredenum: read, write
content_b64string
Base64-encoded inline body for small binary payloads. Mutually exclusive with `content`.
modestring
Octal permissions for the new file (default `"0644"`).
parentsboolean
Create missing parent directories before writing.
pathstring*required
Absolute destination path inside the sandbox guest.
sandbox_idstring*required
UUID returned by `sandbox::create`.
bytes_writteninteger· uint64*requiredmin 0
List active sandboxes
sandboxesobject[]*required
age_secsinteger· uint64*requiredmin 0
exec_in_progressboolean*required
sandbox_idstring*required
Run code in an ephemeral sandbox in ONE call. Composes create + fs::write + exec + stop. `lang` selects the interpreter (`node`, `python`, `shell`, or a custom binary path). Sandbox auto-stops on success and on failure unless `keep_sandbox: true`. Example: { image: "node", code: "console.log('hi')", lang: "node" }
codestring*required
The actual code to run. Written to a `/tmp/run.{ext}` file inside the sandbox; the chosen interpreter runs that file.
envall of
Env vars exposed to the interpreter. Accepts both `Vec<"K=V">` and `{ K: V }` map shapes (same as `sandbox::exec.env`).
filesobject[]
Optional sibling files (extra source modules, config, fixtures).
contentstring*required
UTF-8 file body. Streaming and base64 are not supported here; callers needing those should use `sandbox::create` + repeated `sandbox::fs::write` calls instead.
pathstring*required
Absolute path inside the sandbox guest where the file lands.
imagestring*required
Catalog name of the image to boot (preset or `custom_images` key). Same value space as `sandbox::create`.
keep_sandboxboolean
If true, the sandbox is NOT stopped after the run completes; `sandbox_id` is returned so the caller can poke around. Default false (the sandbox is torn down on either success or failure).
langstring*required
Selects the interpreter and file extension. Required. Built-in values: `"node"`, `"python"`, `"shell"`. Any other string is treated as a literal interpreter binary path inside the VM and the file is written to `/tmp/run.txt`. There is no default — there's no honest universal answer to "what language is this code", and silently defaulting to shell makes Python or JS code produce confusing line-by-line failures.
stdinstring
Base64-encoded bytes piped to the interpreter's stdin.
timeout_msinteger· uint64min 0
Kill-after window for the interpreter, in ms. Defaults to 300_000 (5 minutes); pass a smaller value to fail fast on quick probes.
duration_msinteger· uint64*requiredmin 0
sandbox_idstring
Present only if `keep_sandbox: true` was set on the request. Otherwise null (sandbox auto-stopped).
timed_outboolean*required
Stop and remove a running sandbox. Set `wait: true` to block until the VM process exits and resources are reclaimed.
sandbox_idstring*required
waitboolean
Block until the VM is fully reaped before returning.
sandbox_idstring*required