Execute a command in a sandboxed container

POST 
/run

Pulls the image if not cached, constructs a hardened OCI bundle, and runs the command inside a gVisor sandbox. Files listed in files must be uploaded first via POST /files; each is bind-mounted read-only at /{path} inside the container (e.g. workspace/script.py → /workspace/script.py). Output files written to /output/ inside the container are captured and retrievable via GET /files?path=output/{exec_id}/{filename} only when persist=true is set; they are deleted by default.

Request

Responses

200

Command completed (any exit code is valid - check exit_code)

400

Invalid request body or file not found

408

Wall-clock timeout exceeded

500

Internal error (image pull failed, runsc error)

507

stdout or stderr exceeded the configured output limit