@blaxel/core 0.2.76 → 0.2.77

package/dist/cjs-browser/client/sdk.gen.js

@@ -256,7 +256,7 @@ const listDrives = (options) => {
 exports.listDrives = listDrives;
 /**
  * Create a drive
- * Creates a new drive in the workspace. Drives are backed by SeaweedFS buckets and can be mounted at runtime to sandboxes.
+ * Creates a new drive in the workspace. Drives can be buckets and can be mounted at runtime to sandboxes.
  */
 const createDrive = (options) => {
     return (options.client ?? client_gen_1.client).post({
@@ -332,7 +332,7 @@ const updateDrive = (options) => {
 exports.updateDrive = updateDrive;
 /**
  * Create drive access token
- * Issues a short-lived JWT access token scoped to a specific drive. The token can be used as Bearer authentication for direct S3 operations against the drive's SeaweedFS bucket.
+ * Issues a short-lived JWT access token scoped to a specific drive. The token can be used as Bearer authentication for direct S3 operations against the drive's bucket.
  */
 const createDriveAccessToken = (options) => {
     return (options.client ?? client_gen_1.client).post({
@@ -349,7 +349,7 @@ const createDriveAccessToken = (options) => {
 exports.createDriveAccessToken = createDriveAccessToken;
 /**
  * Get drive token JWKS
- * Returns the JSON Web Key Set containing the Ed25519 public key used to verify drive access tokens. SeaweedFS or other S3-compatible storage can use this endpoint to validate Bearer tokens.
+ * Returns the JSON Web Key Set containing the Ed25519 public key used to verify drive access tokens. Other S3-compatible storage can use this endpoint to validate Bearer tokens.
  */
 const getDriveJwks = (options) => {
     return (options?.client ?? client_gen_1.client).get({

package/dist/cjs-browser/common/settings.js

@@ -9,8 +9,8 @@ const index_js_1 = require("../authentication/index.js");
 const env_js_1 = require("../common/env.js");
 const node_js_1 = require("../common/node.js");
 // Build info - these placeholders are replaced at build time by build:replace-imports
-const BUILD_VERSION = "0.2.76";
-const BUILD_COMMIT = "c20b61b130cca1692f6feaa2da8ad675f2aee770";
+const BUILD_VERSION = "0.2.77";
+const BUILD_COMMIT = "3d5932081fba211232402513e9765d0a776cd5d4";
 const BUILD_SENTRY_DSN = "https://fd5e60e1c9820e1eef5ccebb84a07127@o4508714045276160.ingest.us.sentry.io/4510465864564736";
 // Cache for config.yaml tracking value
 let configTrackingValue = null;

package/dist/cjs-browser/sandbox/drive/drive.js

@@ -64,7 +64,16 @@ class SandboxDrive extends action_js_1.SandboxAction {
             throw new Error(`Failed to list drives: ${errorText}`);
         }
         const data = await response.json();
-        return data.mounts || [];
+        console.log("[drives.list] raw response:", JSON.stringify(data));
+        // Normalise whichever shape the API returns
+        const raw = Array.isArray(data)
+            ? data
+            : (data?.mounts ?? data?.drives ?? data?.data ?? []);
+        return raw.map((m) => ({
+            driveName: m.driveName ?? m.drive_name ?? m.name ?? "",
+            mountPath: m.mountPath ?? m.mount_path ?? "",
+            drivePath: m.drivePath ?? m.drive_path ?? "/",
+        }));
     }
 }
 exports.SandboxDrive = SandboxDrive;

package/dist/cjs-browser/types/client/sdk.gen.d.ts

@@ -80,7 +80,7 @@ export declare const verifyCustomDomain: <ThrowOnError extends boolean = false>(
 export declare const listDrives: <ThrowOnError extends boolean = false>(options?: Options<ListDrivesData, ThrowOnError>) => import("@hey-api/client-fetch").RequestResult<import("./types.gen.js").Drive[], unknown, ThrowOnError>;
 /**
  * Create a drive
- * Creates a new drive in the workspace. Drives are backed by SeaweedFS buckets and can be mounted at runtime to sandboxes.
+ * Creates a new drive in the workspace. Drives can be buckets and can be mounted at runtime to sandboxes.
  */
 export declare const createDrive: <ThrowOnError extends boolean = false>(options: Options<CreateDriveData, ThrowOnError>) => import("@hey-api/client-fetch").RequestResult<import("./types.gen.js").Drive, unknown, ThrowOnError>;
 /**
@@ -103,7 +103,7 @@ export declare const getDrive: <ThrowOnError extends boolean = false>(options: O
 export declare const updateDrive: <ThrowOnError extends boolean = false>(options: Options<UpdateDriveData, ThrowOnError>) => import("@hey-api/client-fetch").RequestResult<import("./types.gen.js").Drive, unknown, ThrowOnError>;
 /**
  * Create drive access token
- * Issues a short-lived JWT access token scoped to a specific drive. The token can be used as Bearer authentication for direct S3 operations against the drive's SeaweedFS bucket.
+ * Issues a short-lived JWT access token scoped to a specific drive. The token can be used as Bearer authentication for direct S3 operations against the drive's bucket.
  */
 export declare const createDriveAccessToken: <ThrowOnError extends boolean = false>(options: Options<CreateDriveAccessTokenData, ThrowOnError>) => import("@hey-api/client-fetch").RequestResult<{
     access_token?: string;
@@ -112,7 +112,7 @@ export declare const createDriveAccessToken: <ThrowOnError extends boolean = fal
 }, unknown, ThrowOnError>;
 /**
  * Get drive token JWKS
- * Returns the JSON Web Key Set containing the Ed25519 public key used to verify drive access tokens. SeaweedFS or other S3-compatible storage can use this endpoint to validate Bearer tokens.
+ * Returns the JSON Web Key Set containing the Ed25519 public key used to verify drive access tokens. Other S3-compatible storage can use this endpoint to validate Bearer tokens.
  */
 export declare const getDriveJwks: <ThrowOnError extends boolean = false>(options?: Options<GetDriveJwksData, ThrowOnError>) => import("@hey-api/client-fetch").RequestResult<{
     keys?: Array<{

package/dist/cjs-browser/types/client/types.gen.d.ts

@@ -58,10 +58,15 @@ export type AgentSpec = {
      * When true, the agent is publicly accessible without authentication. Only available for mk3 generation.
      */
     public?: boolean;
+    /**
+     * Region where the agent should be deployed (e.g. us-pdx-1, eu-lon-1). Required when volumes are attached.
+     */
+    region?: string;
     repository?: Repository;
     revision?: RevisionConfiguration;
     runtime?: AgentRuntime;
     triggers?: Triggers;
+    volumes?: VolumeAttachments;
 };
 /**
  * Configuration for an AI agent including runtime settings, repository source, and deployment triggers
@@ -76,10 +81,15 @@ export type AgentSpecWritable = {
      * When true, the agent is publicly accessible without authentication. Only available for mk3 generation.
      */
     public?: boolean;
+    /**
+     * Region where the agent should be deployed (e.g. us-pdx-1, eu-lon-1). Required when volumes are attached.
+     */
+    region?: string;
     repository?: Repository;
     revision?: RevisionConfiguration;
     runtime?: AgentRuntime;
     triggers?: TriggersWritable;
+    volumes?: VolumeAttachments;
 };
 /**
  * Long-lived API key for accessing Blaxel
@@ -415,7 +425,7 @@ export type CustomDomainSpecWritable = {
     };
 };
 /**
- * Drive providing persistent storage that can be attached to agents, functions, and sandboxes. Drives are backed by SeaweedFS buckets and can be mounted at runtime via the sbx API.
+ * Drive providing persistent storage that can be attached to agents, functions, and sandboxes. Drives can be mounted at runtime via the sbx API.
  */
 export type Drive = {
     events?: CoreEvents;
@@ -428,13 +438,13 @@ export type Drive = {
     readonly status?: string;
 };
 /**
- * Drive providing persistent storage that can be attached to agents, functions, and sandboxes. Drives are backed by SeaweedFS buckets and can be mounted at runtime via the sbx API.
+ * Drive providing persistent storage that can be attached to agents, functions, and sandboxes. Drives can be mounted at runtime via the sbx API.
  */
 export type DriveWritable = {
     events?: CoreEventsWritable;
     metadata: MetadataWritable;
     spec: DriveSpecWritable;
-    state?: DriveState;
+    state?: DriveStateWritable;
 };
 /**
  * Immutable drive configuration set at creation time
@@ -475,6 +485,23 @@ export type DriveState = {
      */
     readonly s3Url?: string;
 };
+/**
+ * Egress configuration for routing sandbox outbound traffic through a dedicated IP gateway
+ */
+export type EgressConfig = {
+    /**
+     * Name of the egress gateway to route traffic through. The gateway must exist in the default VPC.
+     */
+    gateway?: string;
+    /**
+     * Egress mode. Use 'dedicated' for a dedicated egress IP.
+     */
+    mode?: string;
+    /**
+     * Per-destination egress policies (not yet supported)
+     */
+    policies?: Array<EgressPolicy>;
+};
 /**
  * An egress gateway that manages outbound traffic routing within a VPC. Multiple egress IPs can be allocated from a single gateway.
  */
@@ -614,6 +641,23 @@ export type EgressIpSpecWritable = {
      */
     ipFamily: 'IPv4' | 'IPv6';
 };
+/**
+ * Egress policy routing specific destinations through dedicated or shared gateways (not yet supported)
+ */
+export type EgressPolicy = {
+    /**
+     * Destination domains or IPs this policy applies to
+     */
+    destinations?: Array<string>;
+    /**
+     * Egress mode for these destinations (dedicated or shared)
+     */
+    mode?: string;
+    /**
+     * Name of this egress policy
+     */
+    name?: string;
+};
 /**
  * Entrypoint of the artifact
  */
@@ -792,6 +836,10 @@ export type FunctionSpec = {
      * When true, the function is publicly accessible without authentication. Only available for mk3 generation.
      */
     public?: boolean;
+    /**
+     * Region where the function should be deployed (e.g. us-pdx-1, eu-lon-1). If not specified, the function is deployed based on policy locations.
+     */
+    region?: string;
     revision?: RevisionConfiguration;
     runtime?: FunctionRuntime;
     triggers?: Triggers;
@@ -810,10 +858,27 @@ export type FunctionSpecWritable = {
      * When true, the function is publicly accessible without authentication. Only available for mk3 generation.
      */
     public?: boolean;
+    /**
+     * Region where the function should be deployed (e.g. us-pdx-1, eu-lon-1). If not specified, the function is deployed based on policy locations.
+     */
+    region?: string;
     revision?: RevisionConfiguration;
     runtime?: FunctionRuntime;
     triggers?: TriggersWritable;
 };
+/**
+ * Mapping between an IdP group and a workspace role for directory sync
+ */
+export type GroupWorkspaceMapping = {
+    /**
+     * Name of the IdP group (e.g. "Engineering", "Platform")
+     */
+    groupName?: string;
+    /**
+     * Role to assign in this workspace (admin or member)
+     */
+    role?: 'admin' | 'member';
+};
 export type Image = {
     metadata: ImageMetadata;
     spec: ImageSpec;
@@ -1446,6 +1511,10 @@ export type JobExecutionTaskStatus = 'unspecified' | 'pending' | 'reconciling' |
  * Runtime configuration defining how batch job tasks are executed with parallelism and retry settings
  */
 export type JobRuntime = {
+    /**
+     * Percentage of VM RAM allocated for disk storage (tmpfs overlay). Valid range 10-95, default 50. Only applies to mk3.1 (microVM) generation.
+     */
+    diskPercent?: number;
     /**
      * Environment variables injected into job tasks. Supports Kubernetes EnvVar format with valueFrom references.
      */
@@ -1775,6 +1844,15 @@ export type ModelSpec = {
      */
     sandbox?: boolean;
 };
+/**
+ * Firewall configuration restricting which external domains the sandbox can access
+ */
+export type NetworkFirewall = {
+    /**
+     * List of allowed external domains. Supports wildcards (e.g. *.s3.amazonaws.com).
+     */
+    allowedDomains?: Array<string>;
+};
 /**
  * OAuth of the artifact
  */
@@ -1811,6 +1889,10 @@ export type PendingInvitation = TimeFields & OwnerFields & {
      * User email
      */
     email?: string;
+    /**
+     * The date and time when the invitation expires
+     */
+    expiresAt?: string;
     /**
      * User sub
      */
@@ -1832,6 +1914,10 @@ export type PendingInvitationWritable = TimeFields & OwnerFields & {
      * User email
      */
     email?: string;
+    /**
+     * The date and time when the invitation expires
+     */
+    expiresAt?: string;
     /**
      * User sub
      */
@@ -1873,6 +1959,10 @@ export type PendingInvitationRender = {
      * User email
      */
     email?: string;
+    /**
+     * The date and time when the invitation expires
+     */
+    expiresAt?: string;
     /**
      * Invitation date
      */
@@ -2273,6 +2363,46 @@ export type PrivateLocation = {
      */
     name?: string;
 };
+/**
+ * Proxy configuration for routing sandbox HTTP traffic through the platform proxy with MITM inspection and per-destination header/body injection
+ */
+export type ProxyConfig = {
+    /**
+     * Domains that bypass the proxy entirely via the NO_PROXY directive. Traffic to these destinations goes direct, not through the CONNECT tunnel. Supports wildcards. Note that localhost, private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), 169.254.169.254, .local and .internal are always bypassed by default.
+     */
+    bypass?: Array<string>;
+    /**
+     * Per-destination routing rules with header/body injection and secrets. Use destinations ["*"] for global rules that apply to all destinations.
+     */
+    routing?: Array<ProxyTarget>;
+};
+/**
+ * Routing rule that injects headers and body fields into requests matching the given destinations. Use destinations ["*"] for a global rule that applies to all proxied traffic.
+ */
+export type ProxyTarget = {
+    /**
+     * Body fields to inject into matching requests. Values may contain {{SECRET:name}} references resolved from this rule's secrets.
+     */
+    body?: {
+        [key: string]: string;
+    };
+    /**
+     * Destination domains this rule applies to. Use ["*"] for a global rule that matches all destinations.
+     */
+    destinations?: Array<string>;
+    /**
+     * Headers to inject into matching requests. Values may contain {{SECRET:name}} references resolved from this rule's secrets.
+     */
+    headers?: {
+        [key: string]: string;
+    };
+    /**
+     * Named secret values for this routing rule, referenced in headers/body via {{SECRET:name}}. Stored encrypted at rest. Write-only: never returned in API responses.
+     */
+    secrets?: {
+        [key: string]: string;
+    };
+};
 export type PublicIp = {
     /**
      * Description of the region/location
@@ -2332,6 +2462,10 @@ export type Region = {
      * Region name
      */
     name?: string;
+    /**
+     * Proxy availability status - indicates if the proxy plane is configured for the region
+     */
+    proxyAvailable?: boolean;
 };
 /**
  * Repository
@@ -2429,6 +2563,118 @@ export type RevisionMetadataWritable = {
      */
     trafficPercent?: number;
 };
+/**
+ * SSO domain for SAML-based Single Sign-On
+ * An SSO domain links an email domain (e.g., acme.com) to a workspace so that
+ * users with that email domain are redirected to the workspace's
+ * SSO/SAML identity provider during login.
+ */
+export type SsoDomain = {
+    metadata: SsoDomainMetadata;
+    spec: SsoDomainSpec;
+};
+/**
+ * SSO domain for SAML-based Single Sign-On
+ * An SSO domain links an email domain (e.g., acme.com) to a workspace so that
+ * users with that email domain are redirected to the workspace's
+ * SSO/SAML identity provider during login.
+ */
+export type SsoDomainWritable = {
+    metadata: SsoDomainMetadataWritable;
+    spec: SsoDomainSpecWritable;
+};
+/**
+ * SSO domain metadata
+ */
+export type SsoDomainMetadata = TimeFields & OwnerFields & {
+    /**
+     * Account ID
+     */
+    accountId?: string;
+    /**
+     * Display name for the SSO domain
+     */
+    displayName?: string;
+    /**
+     * Domain name (e.g., "acme.com")
+     */
+    name?: string;
+};
+/**
+ * SSO domain metadata
+ */
+export type SsoDomainMetadataWritable = TimeFields & OwnerFields & {
+    /**
+     * Account ID
+     */
+    accountId?: string;
+    /**
+     * Display name for the SSO domain
+     */
+    displayName?: string;
+    /**
+     * Domain name (e.g., "acme.com")
+     */
+    name?: string;
+};
+/**
+ * SSO domain specification
+ */
+export type SsoDomainSpec = {
+    /**
+     * List of allowed login methods for this domain. When set, users with this email domain can only use the specified methods. Possible values are google, saml, email. Empty list means no restriction.
+     */
+    allowedAuthMethods?: Array<string>;
+    /**
+     * List of workspace names where users with this domain auto-join on login
+     */
+    autoJoinWorkspaces?: Array<string>;
+    /**
+     * The authentication method last used by a user with this domain (google, saml, email)
+     */
+    readonly lastUsedAuthMethod?: string;
+    /**
+     * Timestamp of when the last authentication method was used
+     */
+    readonly lastUsedAuthMethodAt?: string;
+    /**
+     * Last verification attempt timestamp
+     */
+    readonly lastVerifiedAt?: string;
+    /**
+     * Current verification status of the domain (pending, verified, failed)
+     */
+    status?: 'pending' | 'verified' | 'failed';
+    /**
+     * DNS TXT record name that must be created for verification
+     */
+    readonly txtRecordName?: string;
+    /**
+     * DNS TXT record value that must be set for verification
+     */
+    readonly txtRecordValue?: string;
+    /**
+     * Error message if verification failed
+     */
+    readonly verificationError?: string;
+};
+/**
+ * SSO domain specification
+ */
+export type SsoDomainSpecWritable = {
+    /**
+     * List of allowed login methods for this domain. When set, users with this email domain can only use the specified methods. Possible values are google, saml, email. Empty list means no restriction.
+     */
+    allowedAuthMethods?: Array<string>;
+    /**
+     * List of workspace names where users with this domain auto-join on login
+     */
+    autoJoinWorkspaces?: Array<string>;
+    /**
+     * Current verification status of the domain (pending, verified, failed)
+     */
+    status?: 'pending' | 'verified' | 'failed';
+};
 /**
  * Lightweight virtual machine for secure AI code execution. Sandboxes resume from standby in under 25ms and automatically scale to zero after inactivity, preserving memory state including running processes and filesystem.
  */
@@ -2562,19 +2808,25 @@ export type SandboxLifecycle = {
      * List of expiration policies. Multiple policies can be combined; whichever condition is met first triggers the action.
      */
     expirationPolicies?: Array<ExpirationPolicy>;
+    /**
+     * Duration to keep the sandbox record after termination for log access (e.g., '1h', '24h', '7d'). Defaults to 5m. Subject to maximum quota limits.
+     */
+    terminatedRetention?: string;
 };
 /**
- * Network configuration for a sandbox including egress IP binding. All three fields (vpcName, egressGatewayName, egressIpName) must be specified together to assign a dedicated IP.
+ * Network configuration for a sandbox including domain filtering, egress IP binding, and proxy settings
  */
 export type SandboxNetwork = {
     /**
-     * Name of the egress gateway in the VPC. Must be specified together with vpcName and egressIpName.
+     * List of allowed external domains (allowlist). When set, only these domains are reachable. Supports wildcards (e.g. *.s3.amazonaws.com).
      */
-    egressGatewayName: string;
+    allowedDomains?: Array<string>;
+    egress?: EgressConfig;
     /**
-     * Name of the VPC where the egress gateway is provisioned. Must be specified together with egressGatewayName and egressIpName.
+     * List of forbidden external domains (denylist). When set, all domains except these are reachable. Supports wildcards (e.g. *.malware.com). If both allowedDomains and forbiddenDomains are set, allowedDomains takes precedence.
      */
-    vpcName: string;
+    forbiddenDomains?: Array<string>;
+    proxy?: ProxyConfig;
 };
 /**
  * Runtime configuration defining how the sandbox VM is provisioned and its resource limits
@@ -3091,6 +3343,10 @@ export type Workspace = TimeFields & OwnerFields & {
      * Workspace display name
      */
     displayName?: string;
+    /**
+     * Group-to-role mappings for directory sync (SCIM) group membership
+     */
+    groupMappings?: Array<GroupWorkspaceMapping>;
     /**
      * Autogenerated unique workspace id
      */
@@ -3126,6 +3382,10 @@ export type WorkspaceWritable = TimeFields & OwnerFields & {
      * Workspace display name
      */
     displayName?: string;
+    /**
+     * Group-to-role mappings for directory sync (SCIM) group membership
+     */
+    groupMappings?: Array<GroupWorkspaceMapping>;
     labels?: MetadataLabels;
     /**
      * Workspace name
@@ -3166,6 +3426,10 @@ export type WorkspaceUser = {
      * Whether the user's email has been verified
      */
     email_verified?: boolean;
+    /**
+     * Whether the invitation has expired
+     */
+    expired?: boolean;
     /**
      * Workspace user family name
      */
@@ -3178,6 +3442,10 @@ export type WorkspaceUser = {
      * Workspace user role
      */
     role?: string;
+    /**
+     * Source of the user provisioning
+     */
+    source?: 'directory_sync' | 'invitation' | 'domain_capture';
     /**
      * Workspace user identifier
      */
@@ -3731,7 +3999,12 @@ export type TestFeatureFlagData = {
          */
         featureKey: string;
     };
-    query?: never;
+    query?: {
+        /**
+         * Account ID to check feature flags for. When provided, evaluates the feature flag at the account level instead of the workspace level.
+         */
+        account?: string;
+    };
     url: '/features/{featureKey}';
 };
 export type TestFeatureFlagErrors = {
@@ -6385,3 +6658,4 @@ export type CheckWorkspaceAvailabilityResponse = CheckWorkspaceAvailabilityRespo
 export type ClientOptions = {
     baseUrl: 'https://api.blaxel.ai/v0' | 'https://run.blaxel.ai' | (string & {});
 };
+export type DriveStateWritable = DriveState;