@cloudflare/sandbox 0.0.0-598205f → 0.0.0-5d101e6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +210 -0
- package/Dockerfile +118 -54
- package/README.md +90 -490
- package/dist/chunk-BFVUNTP4.js +104 -0
- package/dist/chunk-BFVUNTP4.js.map +1 -0
- package/dist/chunk-E3RB3JOS.js +7 -0
- package/dist/chunk-E3RB3JOS.js.map +1 -0
- package/dist/chunk-EKSWCBCA.js +86 -0
- package/dist/chunk-EKSWCBCA.js.map +1 -0
- package/dist/chunk-I6PJN47O.js +2456 -0
- package/dist/chunk-I6PJN47O.js.map +1 -0
- package/dist/chunk-JXZMAU2C.js +559 -0
- package/dist/chunk-JXZMAU2C.js.map +1 -0
- package/dist/chunk-Z532A7QC.js +78 -0
- package/dist/chunk-Z532A7QC.js.map +1 -0
- package/dist/file-stream.d.ts +43 -0
- package/dist/file-stream.js +9 -0
- package/dist/file-stream.js.map +1 -0
- package/dist/index.d.ts +9 -0
- package/dist/index.js +67 -0
- package/dist/index.js.map +1 -0
- package/dist/interpreter.d.ts +33 -0
- package/dist/interpreter.js +8 -0
- package/dist/interpreter.js.map +1 -0
- package/dist/request-handler.d.ts +18 -0
- package/dist/request-handler.js +13 -0
- package/dist/request-handler.js.map +1 -0
- package/dist/sandbox-DWQVgVTY.d.ts +603 -0
- package/dist/sandbox.d.ts +4 -0
- package/dist/sandbox.js +13 -0
- package/dist/sandbox.js.map +1 -0
- package/dist/security.d.ts +31 -0
- package/dist/security.js +13 -0
- package/dist/security.js.map +1 -0
- package/dist/sse-parser.d.ts +28 -0
- package/dist/sse-parser.js +11 -0
- package/dist/sse-parser.js.map +1 -0
- package/dist/version.d.ts +8 -0
- package/dist/version.js +7 -0
- package/dist/version.js.map +1 -0
- package/package.json +13 -5
- package/src/clients/base-client.ts +280 -0
- package/src/clients/command-client.ts +115 -0
- package/src/clients/file-client.ts +295 -0
- package/src/clients/git-client.ts +92 -0
- package/src/clients/index.ts +64 -0
- package/src/clients/interpreter-client.ts +329 -0
- package/src/clients/port-client.ts +105 -0
- package/src/clients/process-client.ts +177 -0
- package/src/clients/sandbox-client.ts +41 -0
- package/src/clients/types.ts +84 -0
- package/src/clients/utility-client.ts +119 -0
- package/src/errors/adapter.ts +180 -0
- package/src/errors/classes.ts +469 -0
- package/src/errors/index.ts +105 -0
- package/src/file-stream.ts +164 -0
- package/src/index.ts +85 -12
- package/src/interpreter.ts +159 -0
- package/src/request-handler.ts +80 -44
- package/src/sandbox.ts +657 -290
- package/src/security.ts +14 -23
- package/src/sse-parser.ts +4 -8
- package/src/version.ts +6 -0
- package/startup.sh +3 -0
- package/tests/base-client.test.ts +328 -0
- package/tests/command-client.test.ts +407 -0
- package/tests/file-client.test.ts +719 -0
- package/tests/file-stream.test.ts +306 -0
- package/tests/get-sandbox.test.ts +110 -0
- package/tests/git-client.test.ts +328 -0
- package/tests/port-client.test.ts +301 -0
- package/tests/process-client.test.ts +658 -0
- package/tests/request-handler.test.ts +240 -0
- package/tests/sandbox.test.ts +554 -0
- package/tests/sse-parser.test.ts +290 -0
- package/tests/utility-client.test.ts +332 -0
- package/tests/version.test.ts +16 -0
- package/tests/wrangler.jsonc +35 -0
- package/tsconfig.json +9 -1
- package/vitest.config.ts +31 -0
- package/container_src/handler/exec.ts +0 -337
- package/container_src/handler/file.ts +0 -844
- package/container_src/handler/git.ts +0 -182
- package/container_src/handler/ports.ts +0 -314
- package/container_src/handler/process.ts +0 -640
- package/container_src/index.ts +0 -361
- package/container_src/package.json +0 -9
- package/container_src/types.ts +0 -103
- package/src/client.ts +0 -1038
- package/src/types.ts +0 -386
package/src/sandbox.ts
CHANGED
|
@@ -1,67 +1,108 @@
|
|
|
1
|
+
import type { DurableObject } from 'cloudflare:workers';
|
|
1
2
|
import { Container, getContainer } from "@cloudflare/containers";
|
|
2
|
-
import { HttpClient } from "./client";
|
|
3
|
-
import { isLocalhostPattern } from "./request-handler";
|
|
4
|
-
import {
|
|
5
|
-
logSecurityEvent,
|
|
6
|
-
SecurityError,
|
|
7
|
-
sanitizeSandboxId,
|
|
8
|
-
validatePort
|
|
9
|
-
} from "./security";
|
|
10
3
|
import type {
|
|
4
|
+
CodeContext,
|
|
5
|
+
CreateContextOptions,
|
|
6
|
+
ExecEvent,
|
|
11
7
|
ExecOptions,
|
|
12
8
|
ExecResult,
|
|
9
|
+
ExecutionResult,
|
|
10
|
+
ExecutionSession,
|
|
13
11
|
ISandbox,
|
|
14
12
|
Process,
|
|
15
13
|
ProcessOptions,
|
|
16
14
|
ProcessStatus,
|
|
15
|
+
RunCodeOptions,
|
|
16
|
+
SandboxOptions,
|
|
17
|
+
SessionOptions,
|
|
17
18
|
StreamOptions
|
|
18
|
-
} from "
|
|
19
|
+
} from "@repo/shared";
|
|
20
|
+
import { createLogger, runWithLogger, TraceContext } from "@repo/shared";
|
|
21
|
+
import { type ExecuteResponse, SandboxClient } from "./clients";
|
|
22
|
+
import type { ErrorResponse } from './errors';
|
|
23
|
+
import { CustomDomainRequiredError, ErrorCode } from './errors';
|
|
24
|
+
import { CodeInterpreter } from "./interpreter";
|
|
25
|
+
import { isLocalhostPattern } from "./request-handler";
|
|
19
26
|
import {
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
27
|
+
SecurityError,
|
|
28
|
+
sanitizeSandboxId,
|
|
29
|
+
validatePort
|
|
30
|
+
} from "./security";
|
|
31
|
+
import { parseSSEStream } from "./sse-parser";
|
|
32
|
+
import { SDK_VERSION } from "./version";
|
|
33
|
+
|
|
34
|
+
export function getSandbox(
|
|
35
|
+
ns: DurableObjectNamespace<Sandbox>,
|
|
36
|
+
id: string,
|
|
37
|
+
options?: SandboxOptions
|
|
38
|
+
) {
|
|
25
39
|
const stub = getContainer(ns, id);
|
|
26
40
|
|
|
27
41
|
// Store the name on first access
|
|
28
42
|
stub.setSandboxName?.(id);
|
|
29
43
|
|
|
44
|
+
if (options?.baseUrl) {
|
|
45
|
+
stub.setBaseUrl(options.baseUrl);
|
|
46
|
+
}
|
|
47
|
+
|
|
48
|
+
if (options?.sleepAfter !== undefined) {
|
|
49
|
+
stub.setSleepAfter(options.sleepAfter);
|
|
50
|
+
}
|
|
51
|
+
|
|
30
52
|
return stub;
|
|
31
53
|
}
|
|
32
54
|
|
|
33
55
|
export class Sandbox<Env = unknown> extends Container<Env> implements ISandbox {
|
|
34
56
|
defaultPort = 3000; // Default port for the container's Bun server
|
|
35
|
-
sleepAfter = "
|
|
36
|
-
|
|
57
|
+
sleepAfter: string | number = "10m"; // Sleep the sandbox if no requests are made in this timeframe
|
|
58
|
+
|
|
59
|
+
client: SandboxClient;
|
|
60
|
+
private codeInterpreter: CodeInterpreter;
|
|
37
61
|
private sandboxName: string | null = null;
|
|
62
|
+
private baseUrl: string | null = null;
|
|
63
|
+
private portTokens: Map<number, string> = new Map();
|
|
64
|
+
private defaultSession: string | null = null;
|
|
65
|
+
envVars: Record<string, string> = {};
|
|
66
|
+
private logger: ReturnType<typeof createLogger>;
|
|
38
67
|
|
|
39
|
-
constructor(ctx:
|
|
68
|
+
constructor(ctx: DurableObject['ctx'], env: Env) {
|
|
40
69
|
super(ctx, env);
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
70
|
+
|
|
71
|
+
const envObj = env as any;
|
|
72
|
+
// Set sandbox environment variables from env object
|
|
73
|
+
const sandboxEnvKeys = ['SANDBOX_LOG_LEVEL', 'SANDBOX_LOG_FORMAT'] as const;
|
|
74
|
+
sandboxEnvKeys.forEach(key => {
|
|
75
|
+
if (envObj?.[key]) {
|
|
76
|
+
this.envVars[key] = envObj[key];
|
|
77
|
+
}
|
|
78
|
+
});
|
|
79
|
+
|
|
80
|
+
this.logger = createLogger({
|
|
81
|
+
component: 'sandbox-do',
|
|
82
|
+
sandboxId: this.ctx.id.toString()
|
|
83
|
+
});
|
|
84
|
+
|
|
85
|
+
this.client = new SandboxClient({
|
|
86
|
+
logger: this.logger,
|
|
58
87
|
port: 3000, // Control plane port
|
|
59
88
|
stub: this,
|
|
60
89
|
});
|
|
61
90
|
|
|
62
|
-
//
|
|
91
|
+
// Initialize code interpreter - pass 'this' after client is ready
|
|
92
|
+
// The CodeInterpreter extracts client.interpreter from the sandbox
|
|
93
|
+
this.codeInterpreter = new CodeInterpreter(this);
|
|
94
|
+
|
|
95
|
+
// Load the sandbox name, port tokens, and default session from storage on initialization
|
|
63
96
|
this.ctx.blockConcurrencyWhile(async () => {
|
|
64
97
|
this.sandboxName = await this.ctx.storage.get<string>('sandboxName') || null;
|
|
98
|
+
this.defaultSession = await this.ctx.storage.get<string>('defaultSession') || null;
|
|
99
|
+
const storedTokens = await this.ctx.storage.get<Record<string, string>>('portTokens') || {};
|
|
100
|
+
|
|
101
|
+
// Convert stored tokens back to Map
|
|
102
|
+
this.portTokens = new Map();
|
|
103
|
+
for (const [portStr, token] of Object.entries(storedTokens)) {
|
|
104
|
+
this.portTokens.set(parseInt(portStr, 10), token);
|
|
105
|
+
}
|
|
65
106
|
});
|
|
66
107
|
}
|
|
67
108
|
|
|
@@ -70,55 +111,156 @@ export class Sandbox<Env = unknown> extends Container<Env> implements ISandbox {
|
|
|
70
111
|
if (!this.sandboxName) {
|
|
71
112
|
this.sandboxName = name;
|
|
72
113
|
await this.ctx.storage.put('sandboxName', name);
|
|
73
|
-
console.log(`[Sandbox] Stored sandbox name via RPC: ${name}`);
|
|
74
114
|
}
|
|
75
115
|
}
|
|
76
116
|
|
|
117
|
+
// RPC method to set the base URL
|
|
118
|
+
async setBaseUrl(baseUrl: string): Promise<void> {
|
|
119
|
+
if (!this.baseUrl) {
|
|
120
|
+
this.baseUrl = baseUrl;
|
|
121
|
+
await this.ctx.storage.put('baseUrl', baseUrl);
|
|
122
|
+
} else {
|
|
123
|
+
if(this.baseUrl !== baseUrl) {
|
|
124
|
+
throw new Error('Base URL already set and different from one previously provided');
|
|
125
|
+
}
|
|
126
|
+
}
|
|
127
|
+
}
|
|
128
|
+
|
|
129
|
+
// RPC method to set the sleep timeout
|
|
130
|
+
async setSleepAfter(sleepAfter: string | number): Promise<void> {
|
|
131
|
+
this.sleepAfter = sleepAfter;
|
|
132
|
+
}
|
|
133
|
+
|
|
77
134
|
// RPC method to set environment variables
|
|
78
135
|
async setEnvVars(envVars: Record<string, string>): Promise<void> {
|
|
136
|
+
// Update local state for new sessions
|
|
79
137
|
this.envVars = { ...this.envVars, ...envVars };
|
|
80
|
-
|
|
138
|
+
|
|
139
|
+
// If default session already exists, update it directly
|
|
140
|
+
if (this.defaultSession) {
|
|
141
|
+
// Set environment variables by executing export commands in the existing session
|
|
142
|
+
for (const [key, value] of Object.entries(envVars)) {
|
|
143
|
+
const escapedValue = value.replace(/'/g, "'\\''");
|
|
144
|
+
const exportCommand = `export ${key}='${escapedValue}'`;
|
|
145
|
+
|
|
146
|
+
const result = await this.client.commands.execute(exportCommand, this.defaultSession);
|
|
147
|
+
|
|
148
|
+
if (result.exitCode !== 0) {
|
|
149
|
+
throw new Error(`Failed to set ${key}: ${result.stderr || 'Unknown error'}`);
|
|
150
|
+
}
|
|
151
|
+
}
|
|
152
|
+
}
|
|
153
|
+
}
|
|
154
|
+
|
|
155
|
+
/**
|
|
156
|
+
* Cleanup and destroy the sandbox container
|
|
157
|
+
*/
|
|
158
|
+
override async destroy(): Promise<void> {
|
|
159
|
+
this.logger.info('Destroying sandbox container');
|
|
160
|
+
await super.destroy();
|
|
81
161
|
}
|
|
82
162
|
|
|
83
163
|
override onStart() {
|
|
84
|
-
|
|
164
|
+
this.logger.debug('Sandbox started');
|
|
165
|
+
|
|
166
|
+
// Check version compatibility asynchronously (don't block startup)
|
|
167
|
+
this.checkVersionCompatibility().catch(error => {
|
|
168
|
+
this.logger.error('Version compatibility check failed', error instanceof Error ? error : new Error(String(error)));
|
|
169
|
+
});
|
|
85
170
|
}
|
|
86
171
|
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
172
|
+
/**
|
|
173
|
+
* Check if the container version matches the SDK version
|
|
174
|
+
* Logs a warning if there's a mismatch
|
|
175
|
+
*/
|
|
176
|
+
private async checkVersionCompatibility(): Promise<void> {
|
|
177
|
+
try {
|
|
178
|
+
// Get the SDK version (imported from version.ts)
|
|
179
|
+
const sdkVersion = SDK_VERSION;
|
|
180
|
+
|
|
181
|
+
// Get container version
|
|
182
|
+
const containerVersion = await this.client.utils.getVersion();
|
|
183
|
+
|
|
184
|
+
// If container version is unknown, it's likely an old container without the endpoint
|
|
185
|
+
if (containerVersion === 'unknown') {
|
|
186
|
+
this.logger.warn(
|
|
187
|
+
'Container version check: Container version could not be determined. ' +
|
|
188
|
+
'This may indicate an outdated container image. ' +
|
|
189
|
+
'Please update your container to match SDK version ' + sdkVersion
|
|
190
|
+
);
|
|
191
|
+
return;
|
|
192
|
+
}
|
|
193
|
+
|
|
194
|
+
// Check if versions match
|
|
195
|
+
if (containerVersion !== sdkVersion) {
|
|
196
|
+
const message =
|
|
197
|
+
`Version mismatch detected! SDK version (${sdkVersion}) does not match ` +
|
|
198
|
+
`container version (${containerVersion}). This may cause compatibility issues. ` +
|
|
199
|
+
`Please update your container image to version ${sdkVersion}`;
|
|
200
|
+
|
|
201
|
+
// Log warning - we can't reliably detect dev vs prod environment in Durable Objects
|
|
202
|
+
// so we always use warning level as requested by the user
|
|
203
|
+
this.logger.warn(message);
|
|
204
|
+
} else {
|
|
205
|
+
this.logger.debug('Version check passed', { sdkVersion, containerVersion });
|
|
206
|
+
}
|
|
207
|
+
} catch (error) {
|
|
208
|
+
// Don't fail the sandbox initialization if version check fails
|
|
209
|
+
this.logger.debug('Version compatibility check encountered an error', {
|
|
210
|
+
error: error instanceof Error ? error.message : String(error)
|
|
211
|
+
});
|
|
91
212
|
}
|
|
92
213
|
}
|
|
93
214
|
|
|
215
|
+
override onStop() {
|
|
216
|
+
this.logger.debug('Sandbox stopped');
|
|
217
|
+
}
|
|
218
|
+
|
|
94
219
|
override onError(error: unknown) {
|
|
95
|
-
|
|
220
|
+
this.logger.error('Sandbox error', error instanceof Error ? error : new Error(String(error)));
|
|
96
221
|
}
|
|
97
222
|
|
|
98
223
|
// Override fetch to route internal container requests to appropriate ports
|
|
99
224
|
override async fetch(request: Request): Promise<Response> {
|
|
100
|
-
|
|
225
|
+
// Extract or generate trace ID from request
|
|
226
|
+
const traceId = TraceContext.fromHeaders(request.headers) || TraceContext.generate();
|
|
101
227
|
|
|
102
|
-
//
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
228
|
+
// Create request-specific logger with trace ID
|
|
229
|
+
const requestLogger = this.logger.child({ traceId, operation: 'fetch' });
|
|
230
|
+
|
|
231
|
+
return await runWithLogger(requestLogger, async () => {
|
|
232
|
+
const url = new URL(request.url);
|
|
233
|
+
|
|
234
|
+
// Capture and store the sandbox name from the header if present
|
|
235
|
+
if (!this.sandboxName && request.headers.has('X-Sandbox-Name')) {
|
|
236
|
+
const name = request.headers.get('X-Sandbox-Name')!;
|
|
237
|
+
this.sandboxName = name;
|
|
238
|
+
await this.ctx.storage.put('sandboxName', name);
|
|
239
|
+
}
|
|
109
240
|
|
|
110
|
-
|
|
111
|
-
|
|
241
|
+
// Detect WebSocket upgrade request
|
|
242
|
+
const upgradeHeader = request.headers.get('Upgrade');
|
|
243
|
+
const isWebSocket = upgradeHeader?.toLowerCase() === 'websocket';
|
|
112
244
|
|
|
113
|
-
|
|
114
|
-
|
|
245
|
+
if (isWebSocket) {
|
|
246
|
+
// WebSocket path: Let parent Container class handle WebSocket proxying
|
|
247
|
+
// This bypasses containerFetch() which uses JSRPC and cannot handle WebSocket upgrades
|
|
248
|
+
return await super.fetch(request);
|
|
249
|
+
}
|
|
250
|
+
|
|
251
|
+
// Non-WebSocket: Use existing port determination and HTTP routing logic
|
|
252
|
+
const port = this.determinePort(url);
|
|
253
|
+
|
|
254
|
+
// Route to the appropriate port
|
|
255
|
+
return await this.containerFetch(request, port);
|
|
256
|
+
});
|
|
115
257
|
}
|
|
116
258
|
|
|
117
259
|
private determinePort(url: URL): number {
|
|
118
260
|
// Extract port from proxy requests (e.g., /proxy/8080/*)
|
|
119
261
|
const proxyMatch = url.pathname.match(/^\/proxy\/(\d+)/);
|
|
120
262
|
if (proxyMatch) {
|
|
121
|
-
return parseInt(proxyMatch[1]);
|
|
263
|
+
return parseInt(proxyMatch[1], 10);
|
|
122
264
|
}
|
|
123
265
|
|
|
124
266
|
// All other requests go to control plane on port 3000
|
|
@@ -126,9 +268,62 @@ export class Sandbox<Env = unknown> extends Container<Env> implements ISandbox {
|
|
|
126
268
|
return 3000;
|
|
127
269
|
}
|
|
128
270
|
|
|
271
|
+
/**
|
|
272
|
+
* Ensure default session exists - lazy initialization
|
|
273
|
+
* This is called automatically by all public methods that need a session
|
|
274
|
+
*
|
|
275
|
+
* The session is persisted to Durable Object storage to survive hot reloads
|
|
276
|
+
* during development. If a session already exists in the container after reload,
|
|
277
|
+
* we reuse it instead of trying to create a new one.
|
|
278
|
+
*/
|
|
279
|
+
private async ensureDefaultSession(): Promise<string> {
|
|
280
|
+
if (!this.defaultSession) {
|
|
281
|
+
const sessionId = `sandbox-${this.sandboxName || 'default'}`;
|
|
282
|
+
|
|
283
|
+
try {
|
|
284
|
+
// Try to create session in container
|
|
285
|
+
await this.client.utils.createSession({
|
|
286
|
+
id: sessionId,
|
|
287
|
+
env: this.envVars || {},
|
|
288
|
+
cwd: '/workspace',
|
|
289
|
+
});
|
|
290
|
+
|
|
291
|
+
this.defaultSession = sessionId;
|
|
292
|
+
// Persist to storage so it survives hot reloads
|
|
293
|
+
await this.ctx.storage.put('defaultSession', sessionId);
|
|
294
|
+
this.logger.debug('Default session initialized', { sessionId });
|
|
295
|
+
} catch (error: any) {
|
|
296
|
+
// If session already exists (e.g., after hot reload), reuse it
|
|
297
|
+
if (error?.message?.includes('already exists')) {
|
|
298
|
+
this.logger.debug('Reusing existing session after reload', { sessionId });
|
|
299
|
+
this.defaultSession = sessionId;
|
|
300
|
+
// Persist to storage in case it wasn't saved before
|
|
301
|
+
await this.ctx.storage.put('defaultSession', sessionId);
|
|
302
|
+
} else {
|
|
303
|
+
// Re-throw other errors
|
|
304
|
+
throw error;
|
|
305
|
+
}
|
|
306
|
+
}
|
|
307
|
+
}
|
|
308
|
+
return this.defaultSession;
|
|
309
|
+
}
|
|
310
|
+
|
|
129
311
|
// Enhanced exec method - always returns ExecResult with optional streaming
|
|
130
312
|
// This replaces the old exec method to match ISandbox interface
|
|
131
313
|
async exec(command: string, options?: ExecOptions): Promise<ExecResult> {
|
|
314
|
+
const session = await this.ensureDefaultSession();
|
|
315
|
+
return this.execWithSession(command, session, options);
|
|
316
|
+
}
|
|
317
|
+
|
|
318
|
+
/**
|
|
319
|
+
* Internal session-aware exec implementation
|
|
320
|
+
* Used by both public exec() and session wrappers
|
|
321
|
+
*/
|
|
322
|
+
private async execWithSession(
|
|
323
|
+
command: string,
|
|
324
|
+
sessionId: string,
|
|
325
|
+
options?: ExecOptions
|
|
326
|
+
): Promise<ExecResult> {
|
|
132
327
|
const startTime = Date.now();
|
|
133
328
|
const timestamp = new Date().toISOString();
|
|
134
329
|
|
|
@@ -145,16 +340,13 @@ export class Sandbox<Env = unknown> extends Container<Env> implements ISandbox {
|
|
|
145
340
|
|
|
146
341
|
if (options?.stream && options?.onOutput) {
|
|
147
342
|
// Streaming with callbacks - we need to collect the final result
|
|
148
|
-
result = await this.executeWithStreaming(command, options, startTime, timestamp);
|
|
343
|
+
result = await this.executeWithStreaming(command, sessionId, options, startTime, timestamp);
|
|
149
344
|
} else {
|
|
150
|
-
// Regular execution
|
|
151
|
-
const response = await this.client.execute(
|
|
152
|
-
command,
|
|
153
|
-
options?.sessionId
|
|
154
|
-
);
|
|
345
|
+
// Regular execution with session
|
|
346
|
+
const response = await this.client.commands.execute(command, sessionId);
|
|
155
347
|
|
|
156
348
|
const duration = Date.now() - startTime;
|
|
157
|
-
result = this.mapExecuteResponseToExecResult(response, duration,
|
|
349
|
+
result = this.mapExecuteResponseToExecResult(response, duration, sessionId);
|
|
158
350
|
}
|
|
159
351
|
|
|
160
352
|
// Call completion callback if provided
|
|
@@ -177,6 +369,7 @@ export class Sandbox<Env = unknown> extends Container<Env> implements ISandbox {
|
|
|
177
369
|
|
|
178
370
|
private async executeWithStreaming(
|
|
179
371
|
command: string,
|
|
372
|
+
sessionId: string,
|
|
180
373
|
options: ExecOptions,
|
|
181
374
|
startTime: number,
|
|
182
375
|
timestamp: string
|
|
@@ -185,10 +378,9 @@ export class Sandbox<Env = unknown> extends Container<Env> implements ISandbox {
|
|
|
185
378
|
let stderr = '';
|
|
186
379
|
|
|
187
380
|
try {
|
|
188
|
-
const stream = await this.client.
|
|
189
|
-
const { parseSSEStream } = await import('./sse-parser');
|
|
381
|
+
const stream = await this.client.commands.executeStream(command, sessionId);
|
|
190
382
|
|
|
191
|
-
for await (const event of parseSSEStream<
|
|
383
|
+
for await (const event of parseSSEStream<ExecEvent>(stream)) {
|
|
192
384
|
// Check for cancellation
|
|
193
385
|
if (options.signal?.aborted) {
|
|
194
386
|
throw new Error('Operation was aborted');
|
|
@@ -212,20 +404,20 @@ export class Sandbox<Env = unknown> extends Container<Env> implements ISandbox {
|
|
|
212
404
|
case 'complete': {
|
|
213
405
|
// Use result from complete event if available
|
|
214
406
|
const duration = Date.now() - startTime;
|
|
215
|
-
return
|
|
216
|
-
success: event.exitCode === 0,
|
|
217
|
-
exitCode: event.exitCode
|
|
407
|
+
return {
|
|
408
|
+
success: (event.exitCode ?? 0) === 0,
|
|
409
|
+
exitCode: event.exitCode ?? 0,
|
|
218
410
|
stdout,
|
|
219
411
|
stderr,
|
|
220
412
|
command,
|
|
221
413
|
duration,
|
|
222
414
|
timestamp,
|
|
223
|
-
sessionId
|
|
415
|
+
sessionId
|
|
224
416
|
};
|
|
225
417
|
}
|
|
226
418
|
|
|
227
419
|
case 'error':
|
|
228
|
-
throw new Error(event.
|
|
420
|
+
throw new Error(event.data || 'Command execution failed');
|
|
229
421
|
}
|
|
230
422
|
}
|
|
231
423
|
|
|
@@ -241,7 +433,7 @@ export class Sandbox<Env = unknown> extends Container<Env> implements ISandbox {
|
|
|
241
433
|
}
|
|
242
434
|
|
|
243
435
|
private mapExecuteResponseToExecResult(
|
|
244
|
-
response:
|
|
436
|
+
response: ExecuteResponse,
|
|
245
437
|
duration: number,
|
|
246
438
|
sessionId?: string
|
|
247
439
|
): ExecResult {
|
|
@@ -257,57 +449,68 @@ export class Sandbox<Env = unknown> extends Container<Env> implements ISandbox {
|
|
|
257
449
|
};
|
|
258
450
|
}
|
|
259
451
|
|
|
452
|
+
/**
|
|
453
|
+
* Create a Process domain object from HTTP client DTO
|
|
454
|
+
* Centralizes process object creation with bound methods
|
|
455
|
+
* This eliminates duplication across startProcess, listProcesses, getProcess, and session wrappers
|
|
456
|
+
*/
|
|
457
|
+
private createProcessFromDTO(
|
|
458
|
+
data: {
|
|
459
|
+
id: string;
|
|
460
|
+
pid?: number;
|
|
461
|
+
command: string;
|
|
462
|
+
status: ProcessStatus;
|
|
463
|
+
startTime: string | Date;
|
|
464
|
+
endTime?: string | Date;
|
|
465
|
+
exitCode?: number;
|
|
466
|
+
},
|
|
467
|
+
sessionId: string
|
|
468
|
+
): Process {
|
|
469
|
+
return {
|
|
470
|
+
id: data.id,
|
|
471
|
+
pid: data.pid,
|
|
472
|
+
command: data.command,
|
|
473
|
+
status: data.status,
|
|
474
|
+
startTime: typeof data.startTime === 'string' ? new Date(data.startTime) : data.startTime,
|
|
475
|
+
endTime: data.endTime ? (typeof data.endTime === 'string' ? new Date(data.endTime) : data.endTime) : undefined,
|
|
476
|
+
exitCode: data.exitCode,
|
|
477
|
+
sessionId,
|
|
478
|
+
|
|
479
|
+
kill: async (signal?: string) => {
|
|
480
|
+
await this.killProcess(data.id, signal);
|
|
481
|
+
},
|
|
482
|
+
|
|
483
|
+
getStatus: async () => {
|
|
484
|
+
const current = await this.getProcess(data.id);
|
|
485
|
+
return current?.status || 'error';
|
|
486
|
+
},
|
|
487
|
+
|
|
488
|
+
getLogs: async () => {
|
|
489
|
+
const logs = await this.getProcessLogs(data.id);
|
|
490
|
+
return { stdout: logs.stdout, stderr: logs.stderr };
|
|
491
|
+
}
|
|
492
|
+
};
|
|
493
|
+
}
|
|
494
|
+
|
|
260
495
|
|
|
261
496
|
// Background process management
|
|
262
|
-
async startProcess(command: string, options?: ProcessOptions): Promise<Process> {
|
|
497
|
+
async startProcess(command: string, options?: ProcessOptions, sessionId?: string): Promise<Process> {
|
|
263
498
|
// Use the new HttpClient method to start the process
|
|
264
499
|
try {
|
|
265
|
-
const
|
|
266
|
-
|
|
267
|
-
|
|
268
|
-
timeout: options?.timeout,
|
|
269
|
-
env: options?.env,
|
|
270
|
-
cwd: options?.cwd,
|
|
271
|
-
encoding: options?.encoding,
|
|
272
|
-
autoCleanup: options?.autoCleanup
|
|
500
|
+
const session = sessionId ?? await this.ensureDefaultSession();
|
|
501
|
+
const response = await this.client.processes.startProcess(command, session, {
|
|
502
|
+
processId: options?.processId
|
|
273
503
|
});
|
|
274
504
|
|
|
275
|
-
const
|
|
276
|
-
|
|
277
|
-
|
|
278
|
-
|
|
279
|
-
|
|
280
|
-
|
|
281
|
-
startTime: new Date(process.startTime),
|
|
505
|
+
const processObj = this.createProcessFromDTO({
|
|
506
|
+
id: response.processId,
|
|
507
|
+
pid: response.pid,
|
|
508
|
+
command: response.command,
|
|
509
|
+
status: 'running' as ProcessStatus,
|
|
510
|
+
startTime: new Date(),
|
|
282
511
|
endTime: undefined,
|
|
283
|
-
exitCode: undefined
|
|
284
|
-
|
|
285
|
-
|
|
286
|
-
async kill(): Promise<void> {
|
|
287
|
-
throw new Error('Method will be replaced');
|
|
288
|
-
},
|
|
289
|
-
async getStatus(): Promise<ProcessStatus> {
|
|
290
|
-
throw new Error('Method will be replaced');
|
|
291
|
-
},
|
|
292
|
-
async getLogs(): Promise<{ stdout: string; stderr: string }> {
|
|
293
|
-
throw new Error('Method will be replaced');
|
|
294
|
-
}
|
|
295
|
-
};
|
|
296
|
-
|
|
297
|
-
// Bind context properly
|
|
298
|
-
processObj.kill = async (signal?: string) => {
|
|
299
|
-
await this.killProcess(process.id, signal);
|
|
300
|
-
};
|
|
301
|
-
|
|
302
|
-
processObj.getStatus = async () => {
|
|
303
|
-
const current = await this.getProcess(process.id);
|
|
304
|
-
return current?.status || 'error';
|
|
305
|
-
};
|
|
306
|
-
|
|
307
|
-
processObj.getLogs = async () => {
|
|
308
|
-
const logs = await this.getProcessLogs(process.id);
|
|
309
|
-
return { stdout: logs.stdout, stderr: logs.stderr };
|
|
310
|
-
};
|
|
512
|
+
exitCode: undefined
|
|
513
|
+
}, session);
|
|
311
514
|
|
|
312
515
|
// Call onStart callback if provided
|
|
313
516
|
if (options?.onStart) {
|
|
@@ -325,108 +528,68 @@ export class Sandbox<Env = unknown> extends Container<Env> implements ISandbox {
|
|
|
325
528
|
}
|
|
326
529
|
}
|
|
327
530
|
|
|
328
|
-
async listProcesses(): Promise<Process[]> {
|
|
329
|
-
const
|
|
330
|
-
|
|
331
|
-
|
|
332
|
-
|
|
333
|
-
|
|
334
|
-
|
|
335
|
-
|
|
336
|
-
|
|
337
|
-
|
|
338
|
-
|
|
339
|
-
|
|
340
|
-
|
|
341
|
-
|
|
342
|
-
|
|
343
|
-
},
|
|
344
|
-
|
|
345
|
-
getStatus: async () => {
|
|
346
|
-
const current = await this.getProcess(processData.id);
|
|
347
|
-
return current?.status || 'error';
|
|
348
|
-
},
|
|
349
|
-
|
|
350
|
-
getLogs: async () => {
|
|
351
|
-
const logs = await this.getProcessLogs(processData.id);
|
|
352
|
-
return { stdout: logs.stdout, stderr: logs.stderr };
|
|
353
|
-
}
|
|
354
|
-
}));
|
|
531
|
+
async listProcesses(sessionId?: string): Promise<Process[]> {
|
|
532
|
+
const session = sessionId ?? await this.ensureDefaultSession();
|
|
533
|
+
const response = await this.client.processes.listProcesses();
|
|
534
|
+
|
|
535
|
+
return response.processes.map(processData =>
|
|
536
|
+
this.createProcessFromDTO({
|
|
537
|
+
id: processData.id,
|
|
538
|
+
pid: processData.pid,
|
|
539
|
+
command: processData.command,
|
|
540
|
+
status: processData.status,
|
|
541
|
+
startTime: processData.startTime,
|
|
542
|
+
endTime: processData.endTime,
|
|
543
|
+
exitCode: processData.exitCode
|
|
544
|
+
}, session)
|
|
545
|
+
);
|
|
355
546
|
}
|
|
356
547
|
|
|
357
|
-
async getProcess(id: string): Promise<Process | null> {
|
|
358
|
-
const
|
|
548
|
+
async getProcess(id: string, sessionId?: string): Promise<Process | null> {
|
|
549
|
+
const session = sessionId ?? await this.ensureDefaultSession();
|
|
550
|
+
const response = await this.client.processes.getProcess(id);
|
|
359
551
|
if (!response.process) {
|
|
360
552
|
return null;
|
|
361
553
|
}
|
|
362
554
|
|
|
363
555
|
const processData = response.process;
|
|
364
|
-
return {
|
|
556
|
+
return this.createProcessFromDTO({
|
|
365
557
|
id: processData.id,
|
|
366
558
|
pid: processData.pid,
|
|
367
559
|
command: processData.command,
|
|
368
560
|
status: processData.status,
|
|
369
|
-
startTime:
|
|
370
|
-
endTime: processData.endTime
|
|
371
|
-
exitCode: processData.exitCode
|
|
372
|
-
|
|
373
|
-
|
|
374
|
-
kill: async (signal?: string) => {
|
|
375
|
-
await this.killProcess(processData.id, signal);
|
|
376
|
-
},
|
|
377
|
-
|
|
378
|
-
getStatus: async () => {
|
|
379
|
-
const current = await this.getProcess(processData.id);
|
|
380
|
-
return current?.status || 'error';
|
|
381
|
-
},
|
|
382
|
-
|
|
383
|
-
getLogs: async () => {
|
|
384
|
-
const logs = await this.getProcessLogs(processData.id);
|
|
385
|
-
return { stdout: logs.stdout, stderr: logs.stderr };
|
|
386
|
-
}
|
|
387
|
-
};
|
|
561
|
+
startTime: processData.startTime,
|
|
562
|
+
endTime: processData.endTime,
|
|
563
|
+
exitCode: processData.exitCode
|
|
564
|
+
}, session);
|
|
388
565
|
}
|
|
389
566
|
|
|
390
|
-
async killProcess(id: string,
|
|
391
|
-
|
|
392
|
-
|
|
393
|
-
|
|
394
|
-
} catch (error) {
|
|
395
|
-
if (error instanceof Error && error.message.includes('Process not found')) {
|
|
396
|
-
throw new ProcessNotFoundError(id);
|
|
397
|
-
}
|
|
398
|
-
throw new SandboxError(
|
|
399
|
-
`Failed to kill process ${id}: ${error instanceof Error ? error.message : 'Unknown error'}`,
|
|
400
|
-
'KILL_PROCESS_FAILED'
|
|
401
|
-
);
|
|
402
|
-
}
|
|
567
|
+
async killProcess(id: string, signal?: string, sessionId?: string): Promise<void> {
|
|
568
|
+
// Note: signal parameter is not currently supported by the HttpClient implementation
|
|
569
|
+
// The HTTP client already throws properly typed errors, so we just let them propagate
|
|
570
|
+
await this.client.processes.killProcess(id);
|
|
403
571
|
}
|
|
404
572
|
|
|
405
|
-
async killAllProcesses(): Promise<number> {
|
|
406
|
-
const response = await this.client.killAllProcesses();
|
|
407
|
-
return response.
|
|
573
|
+
async killAllProcesses(sessionId?: string): Promise<number> {
|
|
574
|
+
const response = await this.client.processes.killAllProcesses();
|
|
575
|
+
return response.cleanedCount;
|
|
408
576
|
}
|
|
409
577
|
|
|
410
|
-
async cleanupCompletedProcesses(): Promise<number> {
|
|
578
|
+
async cleanupCompletedProcesses(sessionId?: string): Promise<number> {
|
|
411
579
|
// For now, this would need to be implemented as a container endpoint
|
|
412
580
|
// as we no longer maintain local process storage
|
|
413
581
|
// We'll return 0 as a placeholder until the container endpoint is added
|
|
414
582
|
return 0;
|
|
415
583
|
}
|
|
416
584
|
|
|
417
|
-
async getProcessLogs(id: string): Promise<{ stdout: string; stderr: string }> {
|
|
418
|
-
|
|
419
|
-
|
|
420
|
-
|
|
421
|
-
|
|
422
|
-
|
|
423
|
-
|
|
424
|
-
}
|
|
425
|
-
if (error instanceof Error && error.message.includes('Process not found')) {
|
|
426
|
-
throw new ProcessNotFoundError(id);
|
|
427
|
-
}
|
|
428
|
-
throw error;
|
|
429
|
-
}
|
|
585
|
+
async getProcessLogs(id: string, sessionId?: string): Promise<{ stdout: string; stderr: string; processId: string }> {
|
|
586
|
+
// The HTTP client already throws properly typed errors, so we just let them propagate
|
|
587
|
+
const response = await this.client.processes.getProcessLogs(id);
|
|
588
|
+
return {
|
|
589
|
+
stdout: response.stdout,
|
|
590
|
+
stderr: response.stderr,
|
|
591
|
+
processId: response.processId
|
|
592
|
+
};
|
|
430
593
|
}
|
|
431
594
|
|
|
432
595
|
|
|
@@ -437,11 +600,21 @@ export class Sandbox<Env = unknown> extends Container<Env> implements ISandbox {
|
|
|
437
600
|
throw new Error('Operation was aborted');
|
|
438
601
|
}
|
|
439
602
|
|
|
440
|
-
|
|
441
|
-
|
|
603
|
+
const session = await this.ensureDefaultSession();
|
|
604
|
+
// Get the stream from CommandClient
|
|
605
|
+
return this.client.commands.executeStream(command, session);
|
|
606
|
+
}
|
|
442
607
|
|
|
443
|
-
|
|
444
|
-
|
|
608
|
+
/**
|
|
609
|
+
* Internal session-aware execStream implementation
|
|
610
|
+
*/
|
|
611
|
+
private async execStreamWithSession(command: string, sessionId: string, options?: StreamOptions): Promise<ReadableStream<Uint8Array>> {
|
|
612
|
+
// Check for cancellation
|
|
613
|
+
if (options?.signal?.aborted) {
|
|
614
|
+
throw new Error('Operation was aborted');
|
|
615
|
+
}
|
|
616
|
+
|
|
617
|
+
return this.client.commands.executeStream(command, sessionId);
|
|
445
618
|
}
|
|
446
619
|
|
|
447
620
|
async streamProcessLogs(processId: string, options?: { signal?: AbortSignal }): Promise<ReadableStream<Uint8Array>> {
|
|
@@ -450,69 +623,122 @@ export class Sandbox<Env = unknown> extends Container<Env> implements ISandbox {
|
|
|
450
623
|
throw new Error('Operation was aborted');
|
|
451
624
|
}
|
|
452
625
|
|
|
453
|
-
|
|
454
|
-
const stream = await this.client.streamProcessLogs(processId);
|
|
455
|
-
|
|
456
|
-
// Return the ReadableStream directly - can be converted to AsyncIterable by consumers
|
|
457
|
-
return stream;
|
|
626
|
+
return this.client.processes.streamProcessLogs(processId);
|
|
458
627
|
}
|
|
459
628
|
|
|
460
629
|
async gitCheckout(
|
|
461
630
|
repoUrl: string,
|
|
462
|
-
options: { branch?: string; targetDir?: string }
|
|
631
|
+
options: { branch?: string; targetDir?: string; sessionId?: string }
|
|
463
632
|
) {
|
|
464
|
-
|
|
633
|
+
const session = options.sessionId ?? await this.ensureDefaultSession();
|
|
634
|
+
return this.client.git.checkout(repoUrl, session, {
|
|
635
|
+
branch: options.branch,
|
|
636
|
+
targetDir: options.targetDir
|
|
637
|
+
});
|
|
465
638
|
}
|
|
466
639
|
|
|
467
640
|
async mkdir(
|
|
468
641
|
path: string,
|
|
469
|
-
options: { recursive?: boolean } = {}
|
|
642
|
+
options: { recursive?: boolean; sessionId?: string } = {}
|
|
470
643
|
) {
|
|
471
|
-
|
|
644
|
+
const session = options.sessionId ?? await this.ensureDefaultSession();
|
|
645
|
+
return this.client.files.mkdir(path, session, { recursive: options.recursive });
|
|
472
646
|
}
|
|
473
647
|
|
|
474
648
|
async writeFile(
|
|
475
649
|
path: string,
|
|
476
650
|
content: string,
|
|
477
|
-
options: { encoding?: string } = {}
|
|
651
|
+
options: { encoding?: string; sessionId?: string } = {}
|
|
478
652
|
) {
|
|
479
|
-
|
|
653
|
+
const session = options.sessionId ?? await this.ensureDefaultSession();
|
|
654
|
+
return this.client.files.writeFile(path, content, session, { encoding: options.encoding });
|
|
480
655
|
}
|
|
481
656
|
|
|
482
|
-
async deleteFile(path: string) {
|
|
483
|
-
|
|
657
|
+
async deleteFile(path: string, sessionId?: string) {
|
|
658
|
+
const session = sessionId ?? await this.ensureDefaultSession();
|
|
659
|
+
return this.client.files.deleteFile(path, session);
|
|
484
660
|
}
|
|
485
661
|
|
|
486
662
|
async renameFile(
|
|
487
663
|
oldPath: string,
|
|
488
|
-
newPath: string
|
|
664
|
+
newPath: string,
|
|
665
|
+
sessionId?: string
|
|
489
666
|
) {
|
|
490
|
-
|
|
667
|
+
const session = sessionId ?? await this.ensureDefaultSession();
|
|
668
|
+
return this.client.files.renameFile(oldPath, newPath, session);
|
|
491
669
|
}
|
|
492
670
|
|
|
493
671
|
async moveFile(
|
|
494
672
|
sourcePath: string,
|
|
495
|
-
destinationPath: string
|
|
673
|
+
destinationPath: string,
|
|
674
|
+
sessionId?: string
|
|
496
675
|
) {
|
|
497
|
-
|
|
676
|
+
const session = sessionId ?? await this.ensureDefaultSession();
|
|
677
|
+
return this.client.files.moveFile(sourcePath, destinationPath, session);
|
|
498
678
|
}
|
|
499
679
|
|
|
500
680
|
async readFile(
|
|
501
681
|
path: string,
|
|
502
|
-
options: { encoding?: string } = {}
|
|
682
|
+
options: { encoding?: string; sessionId?: string } = {}
|
|
683
|
+
) {
|
|
684
|
+
const session = options.sessionId ?? await this.ensureDefaultSession();
|
|
685
|
+
return this.client.files.readFile(path, session, { encoding: options.encoding });
|
|
686
|
+
}
|
|
687
|
+
|
|
688
|
+
/**
|
|
689
|
+
* Stream a file from the sandbox using Server-Sent Events
|
|
690
|
+
* Returns a ReadableStream that can be consumed with streamFile() or collectFile() utilities
|
|
691
|
+
* @param path - Path to the file to stream
|
|
692
|
+
* @param options - Optional session ID
|
|
693
|
+
*/
|
|
694
|
+
async readFileStream(
|
|
695
|
+
path: string,
|
|
696
|
+
options: { sessionId?: string } = {}
|
|
697
|
+
): Promise<ReadableStream<Uint8Array>> {
|
|
698
|
+
const session = options.sessionId ?? await this.ensureDefaultSession();
|
|
699
|
+
return this.client.files.readFileStream(path, session);
|
|
700
|
+
}
|
|
701
|
+
|
|
702
|
+
async listFiles(
|
|
703
|
+
path: string,
|
|
704
|
+
options?: { recursive?: boolean; includeHidden?: boolean }
|
|
503
705
|
) {
|
|
504
|
-
|
|
706
|
+
const session = await this.ensureDefaultSession();
|
|
707
|
+
return this.client.files.listFiles(path, session, options);
|
|
708
|
+
}
|
|
709
|
+
|
|
710
|
+
async exists(path: string, sessionId?: string) {
|
|
711
|
+
const session = sessionId ?? await this.ensureDefaultSession();
|
|
712
|
+
return this.client.files.exists(path, session);
|
|
505
713
|
}
|
|
506
714
|
|
|
507
715
|
async exposePort(port: number, options: { name?: string; hostname: string }) {
|
|
508
|
-
|
|
716
|
+
// Check if hostname is workers.dev domain (doesn't support wildcard subdomains)
|
|
717
|
+
if (options.hostname.endsWith('.workers.dev')) {
|
|
718
|
+
const errorResponse: ErrorResponse = {
|
|
719
|
+
code: ErrorCode.CUSTOM_DOMAIN_REQUIRED,
|
|
720
|
+
message: `Port exposure requires a custom domain. .workers.dev domains do not support wildcard subdomains required for port proxying.`,
|
|
721
|
+
context: { originalError: options.hostname },
|
|
722
|
+
httpStatus: 400,
|
|
723
|
+
timestamp: new Date().toISOString()
|
|
724
|
+
};
|
|
725
|
+
throw new CustomDomainRequiredError(errorResponse);
|
|
726
|
+
}
|
|
727
|
+
|
|
728
|
+
const sessionId = await this.ensureDefaultSession();
|
|
729
|
+
await this.client.ports.exposePort(port, sessionId, options?.name);
|
|
509
730
|
|
|
510
731
|
// We need the sandbox name to construct preview URLs
|
|
511
732
|
if (!this.sandboxName) {
|
|
512
733
|
throw new Error('Sandbox name not available. Ensure sandbox is accessed through getSandbox()');
|
|
513
734
|
}
|
|
514
735
|
|
|
515
|
-
|
|
736
|
+
// Generate and store token for this port
|
|
737
|
+
const token = this.generatePortToken();
|
|
738
|
+
this.portTokens.set(port, token);
|
|
739
|
+
await this.persistPortTokens();
|
|
740
|
+
|
|
741
|
+
const url = this.constructPreviewUrl(port, this.sandboxName, options.hostname, token);
|
|
516
742
|
|
|
517
743
|
return {
|
|
518
744
|
url,
|
|
@@ -523,58 +749,101 @@ export class Sandbox<Env = unknown> extends Container<Env> implements ISandbox {
|
|
|
523
749
|
|
|
524
750
|
async unexposePort(port: number) {
|
|
525
751
|
if (!validatePort(port)) {
|
|
526
|
-
logSecurityEvent('INVALID_PORT_UNEXPOSE', {
|
|
527
|
-
port
|
|
528
|
-
}, 'high');
|
|
529
752
|
throw new SecurityError(`Invalid port number: ${port}. Must be between 1024-65535 and not reserved.`);
|
|
530
753
|
}
|
|
531
754
|
|
|
532
|
-
await this.
|
|
755
|
+
const sessionId = await this.ensureDefaultSession();
|
|
756
|
+
await this.client.ports.unexposePort(port, sessionId);
|
|
533
757
|
|
|
534
|
-
|
|
535
|
-
|
|
536
|
-
|
|
758
|
+
// Clean up token for this port
|
|
759
|
+
if (this.portTokens.has(port)) {
|
|
760
|
+
this.portTokens.delete(port);
|
|
761
|
+
await this.persistPortTokens();
|
|
762
|
+
}
|
|
537
763
|
}
|
|
538
764
|
|
|
539
765
|
async getExposedPorts(hostname: string) {
|
|
540
|
-
const
|
|
766
|
+
const sessionId = await this.ensureDefaultSession();
|
|
767
|
+
const response = await this.client.ports.getExposedPorts(sessionId);
|
|
541
768
|
|
|
542
769
|
// We need the sandbox name to construct preview URLs
|
|
543
770
|
if (!this.sandboxName) {
|
|
544
771
|
throw new Error('Sandbox name not available. Ensure sandbox is accessed through getSandbox()');
|
|
545
772
|
}
|
|
546
773
|
|
|
547
|
-
return response.ports.map(port =>
|
|
548
|
-
|
|
549
|
-
|
|
550
|
-
|
|
551
|
-
|
|
552
|
-
|
|
774
|
+
return response.ports.map(port => {
|
|
775
|
+
// Get token for this port - must exist for all exposed ports
|
|
776
|
+
const token = this.portTokens.get(port.port);
|
|
777
|
+
if (!token) {
|
|
778
|
+
throw new Error(`Port ${port.port} is exposed but has no token. This should not happen.`);
|
|
779
|
+
}
|
|
780
|
+
|
|
781
|
+
return {
|
|
782
|
+
url: this.constructPreviewUrl(port.port, this.sandboxName!, hostname, token),
|
|
783
|
+
port: port.port,
|
|
784
|
+
status: port.status,
|
|
785
|
+
};
|
|
786
|
+
});
|
|
553
787
|
}
|
|
554
788
|
|
|
555
789
|
|
|
556
|
-
|
|
790
|
+
async isPortExposed(port: number): Promise<boolean> {
|
|
791
|
+
try {
|
|
792
|
+
const sessionId = await this.ensureDefaultSession();
|
|
793
|
+
const response = await this.client.ports.getExposedPorts(sessionId);
|
|
794
|
+
return response.ports.some(exposedPort => exposedPort.port === port);
|
|
795
|
+
} catch (error) {
|
|
796
|
+
this.logger.error('Error checking if port is exposed', error instanceof Error ? error : new Error(String(error)), { port });
|
|
797
|
+
return false;
|
|
798
|
+
}
|
|
799
|
+
}
|
|
800
|
+
|
|
801
|
+
async validatePortToken(port: number, token: string): Promise<boolean> {
|
|
802
|
+
// First check if port is exposed
|
|
803
|
+
const isExposed = await this.isPortExposed(port);
|
|
804
|
+
if (!isExposed) {
|
|
805
|
+
return false;
|
|
806
|
+
}
|
|
807
|
+
|
|
808
|
+
// Get stored token for this port - must exist for all exposed ports
|
|
809
|
+
const storedToken = this.portTokens.get(port);
|
|
810
|
+
if (!storedToken) {
|
|
811
|
+
// This should not happen - all exposed ports must have tokens
|
|
812
|
+
this.logger.error('Port is exposed but has no token - bug detected', undefined, { port });
|
|
813
|
+
return false;
|
|
814
|
+
}
|
|
815
|
+
|
|
816
|
+
// Constant-time comparison to prevent timing attacks
|
|
817
|
+
return storedToken === token;
|
|
818
|
+
}
|
|
819
|
+
|
|
820
|
+
private generatePortToken(): string {
|
|
821
|
+
// Generate cryptographically secure 16-character token using Web Crypto API
|
|
822
|
+
// Available in Cloudflare Workers runtime
|
|
823
|
+
const array = new Uint8Array(12); // 12 bytes = 16 base64url chars (after padding removal)
|
|
824
|
+
crypto.getRandomValues(array);
|
|
825
|
+
|
|
826
|
+
// Convert to base64url format (URL-safe, no padding, lowercase)
|
|
827
|
+
const base64 = btoa(String.fromCharCode(...array));
|
|
828
|
+
return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '').toLowerCase();
|
|
829
|
+
}
|
|
830
|
+
|
|
831
|
+
private async persistPortTokens(): Promise<void> {
|
|
832
|
+
// Convert Map to plain object for storage
|
|
833
|
+
const tokensObj: Record<string, string> = {};
|
|
834
|
+
for (const [port, token] of this.portTokens.entries()) {
|
|
835
|
+
tokensObj[port.toString()] = token;
|
|
836
|
+
}
|
|
837
|
+
await this.ctx.storage.put('portTokens', tokensObj);
|
|
838
|
+
}
|
|
839
|
+
|
|
840
|
+
private constructPreviewUrl(port: number, sandboxId: string, hostname: string, token: string): string {
|
|
557
841
|
if (!validatePort(port)) {
|
|
558
|
-
logSecurityEvent('INVALID_PORT_REJECTED', {
|
|
559
|
-
port,
|
|
560
|
-
sandboxId,
|
|
561
|
-
hostname
|
|
562
|
-
}, 'high');
|
|
563
842
|
throw new SecurityError(`Invalid port number: ${port}. Must be between 1024-65535 and not reserved.`);
|
|
564
843
|
}
|
|
565
844
|
|
|
566
|
-
|
|
567
|
-
|
|
568
|
-
sanitizedSandboxId = sanitizeSandboxId(sandboxId);
|
|
569
|
-
} catch (error) {
|
|
570
|
-
logSecurityEvent('INVALID_SANDBOX_ID_REJECTED', {
|
|
571
|
-
sandboxId,
|
|
572
|
-
port,
|
|
573
|
-
hostname,
|
|
574
|
-
error: error instanceof Error ? error.message : 'Unknown error'
|
|
575
|
-
}, 'high');
|
|
576
|
-
throw error;
|
|
577
|
-
}
|
|
845
|
+
// Validate sandbox ID (will throw SecurityError if invalid)
|
|
846
|
+
const sanitizedSandboxId = sanitizeSandboxId(sandboxId);
|
|
578
847
|
|
|
579
848
|
const isLocalhost = isLocalhostPattern(hostname);
|
|
580
849
|
|
|
@@ -586,28 +855,12 @@ export class Sandbox<Env = unknown> extends Container<Env> implements ISandbox {
|
|
|
586
855
|
// Use URL constructor for safe URL building
|
|
587
856
|
try {
|
|
588
857
|
const baseUrl = new URL(`http://${host}:${mainPort}`);
|
|
589
|
-
// Construct subdomain safely
|
|
590
|
-
const subdomainHost = `${port}-${sanitizedSandboxId}.${host}`;
|
|
858
|
+
// Construct subdomain safely with mandatory token
|
|
859
|
+
const subdomainHost = `${port}-${sanitizedSandboxId}-${token}.${host}`;
|
|
591
860
|
baseUrl.hostname = subdomainHost;
|
|
592
861
|
|
|
593
|
-
|
|
594
|
-
|
|
595
|
-
logSecurityEvent('PREVIEW_URL_CONSTRUCTED', {
|
|
596
|
-
port,
|
|
597
|
-
sandboxId: sanitizedSandboxId,
|
|
598
|
-
hostname,
|
|
599
|
-
resultUrl: finalUrl,
|
|
600
|
-
environment: 'localhost'
|
|
601
|
-
}, 'low');
|
|
602
|
-
|
|
603
|
-
return finalUrl;
|
|
862
|
+
return baseUrl.toString();
|
|
604
863
|
} catch (error) {
|
|
605
|
-
logSecurityEvent('URL_CONSTRUCTION_FAILED', {
|
|
606
|
-
port,
|
|
607
|
-
sandboxId: sanitizedSandboxId,
|
|
608
|
-
hostname,
|
|
609
|
-
error: error instanceof Error ? error.message : 'Unknown error'
|
|
610
|
-
}, 'high');
|
|
611
864
|
throw new SecurityError(`Failed to construct preview URL: ${error instanceof Error ? error.message : 'Unknown error'}`);
|
|
612
865
|
}
|
|
613
866
|
}
|
|
@@ -618,29 +871,143 @@ export class Sandbox<Env = unknown> extends Container<Env> implements ISandbox {
|
|
|
618
871
|
const protocol = "https";
|
|
619
872
|
const baseUrl = new URL(`${protocol}://${hostname}`);
|
|
620
873
|
|
|
621
|
-
// Construct subdomain safely
|
|
622
|
-
const subdomainHost = `${port}-${sanitizedSandboxId}.${hostname}`;
|
|
874
|
+
// Construct subdomain safely with mandatory token
|
|
875
|
+
const subdomainHost = `${port}-${sanitizedSandboxId}-${token}.${hostname}`;
|
|
623
876
|
baseUrl.hostname = subdomainHost;
|
|
624
877
|
|
|
625
|
-
|
|
626
|
-
|
|
627
|
-
logSecurityEvent('PREVIEW_URL_CONSTRUCTED', {
|
|
628
|
-
port,
|
|
629
|
-
sandboxId: sanitizedSandboxId,
|
|
630
|
-
hostname,
|
|
631
|
-
resultUrl: finalUrl,
|
|
632
|
-
environment: 'production'
|
|
633
|
-
}, 'low');
|
|
634
|
-
|
|
635
|
-
return finalUrl;
|
|
878
|
+
return baseUrl.toString();
|
|
636
879
|
} catch (error) {
|
|
637
|
-
logSecurityEvent('URL_CONSTRUCTION_FAILED', {
|
|
638
|
-
port,
|
|
639
|
-
sandboxId: sanitizedSandboxId,
|
|
640
|
-
hostname,
|
|
641
|
-
error: error instanceof Error ? error.message : 'Unknown error'
|
|
642
|
-
}, 'high');
|
|
643
880
|
throw new SecurityError(`Failed to construct preview URL: ${error instanceof Error ? error.message : 'Unknown error'}`);
|
|
644
881
|
}
|
|
645
882
|
}
|
|
883
|
+
|
|
884
|
+
// ============================================================================
|
|
885
|
+
// Session Management - Advanced Use Cases
|
|
886
|
+
// ============================================================================
|
|
887
|
+
|
|
888
|
+
/**
|
|
889
|
+
* Create isolated execution session for advanced use cases
|
|
890
|
+
* Returns ExecutionSession with full sandbox API bound to specific session
|
|
891
|
+
*/
|
|
892
|
+
async createSession(options?: SessionOptions): Promise<ExecutionSession> {
|
|
893
|
+
const sessionId = options?.id || `session-${Date.now()}`;
|
|
894
|
+
|
|
895
|
+
// Create session in container
|
|
896
|
+
await this.client.utils.createSession({
|
|
897
|
+
id: sessionId,
|
|
898
|
+
env: options?.env,
|
|
899
|
+
cwd: options?.cwd,
|
|
900
|
+
});
|
|
901
|
+
|
|
902
|
+
// Return wrapper that binds sessionId to all operations
|
|
903
|
+
return this.getSessionWrapper(sessionId);
|
|
904
|
+
}
|
|
905
|
+
|
|
906
|
+
/**
|
|
907
|
+
* Get an existing session by ID
|
|
908
|
+
* Returns ExecutionSession wrapper bound to the specified session
|
|
909
|
+
*
|
|
910
|
+
* This is useful for retrieving sessions across different requests/contexts
|
|
911
|
+
* without storing the ExecutionSession object (which has RPC lifecycle limitations)
|
|
912
|
+
*
|
|
913
|
+
* @param sessionId - The ID of an existing session
|
|
914
|
+
* @returns ExecutionSession wrapper bound to the session
|
|
915
|
+
*/
|
|
916
|
+
async getSession(sessionId: string): Promise<ExecutionSession> {
|
|
917
|
+
// No need to verify session exists in container - operations will fail naturally if it doesn't
|
|
918
|
+
return this.getSessionWrapper(sessionId);
|
|
919
|
+
}
|
|
920
|
+
|
|
921
|
+
/**
|
|
922
|
+
* Internal helper to create ExecutionSession wrapper for a given sessionId
|
|
923
|
+
* Used by both createSession and getSession
|
|
924
|
+
*/
|
|
925
|
+
private getSessionWrapper(sessionId: string): ExecutionSession {
|
|
926
|
+
return {
|
|
927
|
+
id: sessionId,
|
|
928
|
+
|
|
929
|
+
// Command execution - delegate to internal session-aware methods
|
|
930
|
+
exec: (command, options) => this.execWithSession(command, sessionId, options),
|
|
931
|
+
execStream: (command, options) => this.execStreamWithSession(command, sessionId, options),
|
|
932
|
+
|
|
933
|
+
// Process management
|
|
934
|
+
startProcess: (command, options) => this.startProcess(command, options, sessionId),
|
|
935
|
+
listProcesses: () => this.listProcesses(sessionId),
|
|
936
|
+
getProcess: (id) => this.getProcess(id, sessionId),
|
|
937
|
+
killProcess: (id, signal) => this.killProcess(id, signal),
|
|
938
|
+
killAllProcesses: () => this.killAllProcesses(),
|
|
939
|
+
cleanupCompletedProcesses: () => this.cleanupCompletedProcesses(),
|
|
940
|
+
getProcessLogs: (id) => this.getProcessLogs(id),
|
|
941
|
+
streamProcessLogs: (processId, options) => this.streamProcessLogs(processId, options),
|
|
942
|
+
|
|
943
|
+
// File operations - pass sessionId via options or parameter
|
|
944
|
+
writeFile: (path, content, options) => this.writeFile(path, content, { ...options, sessionId }),
|
|
945
|
+
readFile: (path, options) => this.readFile(path, { ...options, sessionId }),
|
|
946
|
+
readFileStream: (path) => this.readFileStream(path, { sessionId }),
|
|
947
|
+
mkdir: (path, options) => this.mkdir(path, { ...options, sessionId }),
|
|
948
|
+
deleteFile: (path) => this.deleteFile(path, sessionId),
|
|
949
|
+
renameFile: (oldPath, newPath) => this.renameFile(oldPath, newPath, sessionId),
|
|
950
|
+
moveFile: (sourcePath, destPath) => this.moveFile(sourcePath, destPath, sessionId),
|
|
951
|
+
listFiles: (path, options) => this.client.files.listFiles(path, sessionId, options),
|
|
952
|
+
exists: (path) => this.exists(path, sessionId),
|
|
953
|
+
|
|
954
|
+
// Git operations
|
|
955
|
+
gitCheckout: (repoUrl, options) => this.gitCheckout(repoUrl, { ...options, sessionId }),
|
|
956
|
+
|
|
957
|
+
// Environment management - needs special handling
|
|
958
|
+
setEnvVars: async (envVars: Record<string, string>) => {
|
|
959
|
+
try {
|
|
960
|
+
// Set environment variables by executing export commands
|
|
961
|
+
for (const [key, value] of Object.entries(envVars)) {
|
|
962
|
+
const escapedValue = value.replace(/'/g, "'\\''");
|
|
963
|
+
const exportCommand = `export ${key}='${escapedValue}'`;
|
|
964
|
+
|
|
965
|
+
const result = await this.client.commands.execute(exportCommand, sessionId);
|
|
966
|
+
|
|
967
|
+
if (result.exitCode !== 0) {
|
|
968
|
+
throw new Error(`Failed to set ${key}: ${result.stderr || 'Unknown error'}`);
|
|
969
|
+
}
|
|
970
|
+
}
|
|
971
|
+
} catch (error) {
|
|
972
|
+
this.logger.error('Failed to set environment variables', error instanceof Error ? error : new Error(String(error)), { sessionId });
|
|
973
|
+
throw error;
|
|
974
|
+
}
|
|
975
|
+
},
|
|
976
|
+
|
|
977
|
+
// Code interpreter methods - delegate to sandbox's code interpreter
|
|
978
|
+
createCodeContext: (options) => this.codeInterpreter.createCodeContext(options),
|
|
979
|
+
runCode: async (code, options) => {
|
|
980
|
+
const execution = await this.codeInterpreter.runCode(code, options);
|
|
981
|
+
return execution.toJSON();
|
|
982
|
+
},
|
|
983
|
+
runCodeStream: (code, options) => this.codeInterpreter.runCodeStream(code, options),
|
|
984
|
+
listCodeContexts: () => this.codeInterpreter.listCodeContexts(),
|
|
985
|
+
deleteCodeContext: (contextId) => this.codeInterpreter.deleteCodeContext(contextId),
|
|
986
|
+
};
|
|
987
|
+
}
|
|
988
|
+
|
|
989
|
+
// ============================================================================
|
|
990
|
+
// Code interpreter methods - delegate to CodeInterpreter wrapper
|
|
991
|
+
// ============================================================================
|
|
992
|
+
|
|
993
|
+
async createCodeContext(options?: CreateContextOptions): Promise<CodeContext> {
|
|
994
|
+
return this.codeInterpreter.createCodeContext(options);
|
|
995
|
+
}
|
|
996
|
+
|
|
997
|
+
async runCode(code: string, options?: RunCodeOptions): Promise<ExecutionResult> {
|
|
998
|
+
const execution = await this.codeInterpreter.runCode(code, options);
|
|
999
|
+
return execution.toJSON();
|
|
1000
|
+
}
|
|
1001
|
+
|
|
1002
|
+
async runCodeStream(code: string, options?: RunCodeOptions): Promise<ReadableStream> {
|
|
1003
|
+
return this.codeInterpreter.runCodeStream(code, options);
|
|
1004
|
+
}
|
|
1005
|
+
|
|
1006
|
+
async listCodeContexts(): Promise<CodeContext[]> {
|
|
1007
|
+
return this.codeInterpreter.listCodeContexts();
|
|
1008
|
+
}
|
|
1009
|
+
|
|
1010
|
+
async deleteCodeContext(contextId: string): Promise<void> {
|
|
1011
|
+
return this.codeInterpreter.deleteCodeContext(contextId);
|
|
1012
|
+
}
|
|
646
1013
|
}
|