@cloudflare/sandbox 0.0.0-af03394 → 0.0.0-b61841c

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (90) hide show
  1. package/CHANGELOG.md +226 -0
  2. package/Dockerfile +118 -55
  3. package/README.md +162 -0
  4. package/dist/chunk-BFVUNTP4.js +104 -0
  5. package/dist/chunk-BFVUNTP4.js.map +1 -0
  6. package/dist/chunk-EKSWCBCA.js +86 -0
  7. package/dist/chunk-EKSWCBCA.js.map +1 -0
  8. package/dist/chunk-JXZMAU2C.js +559 -0
  9. package/dist/chunk-JXZMAU2C.js.map +1 -0
  10. package/dist/chunk-QHRFHK6X.js +7 -0
  11. package/dist/chunk-QHRFHK6X.js.map +1 -0
  12. package/dist/chunk-SFCV5YTY.js +2456 -0
  13. package/dist/chunk-SFCV5YTY.js.map +1 -0
  14. package/dist/chunk-Z532A7QC.js +78 -0
  15. package/dist/chunk-Z532A7QC.js.map +1 -0
  16. package/dist/file-stream.d.ts +43 -0
  17. package/dist/file-stream.js +9 -0
  18. package/dist/file-stream.js.map +1 -0
  19. package/dist/index.d.ts +9 -0
  20. package/dist/index.js +67 -0
  21. package/dist/index.js.map +1 -0
  22. package/dist/interpreter.d.ts +33 -0
  23. package/dist/interpreter.js +8 -0
  24. package/dist/interpreter.js.map +1 -0
  25. package/dist/request-handler.d.ts +18 -0
  26. package/dist/request-handler.js +13 -0
  27. package/dist/request-handler.js.map +1 -0
  28. package/dist/sandbox-DWQVgVTY.d.ts +603 -0
  29. package/dist/sandbox.d.ts +4 -0
  30. package/dist/sandbox.js +13 -0
  31. package/dist/sandbox.js.map +1 -0
  32. package/dist/security.d.ts +31 -0
  33. package/dist/security.js +13 -0
  34. package/dist/security.js.map +1 -0
  35. package/dist/sse-parser.d.ts +28 -0
  36. package/dist/sse-parser.js +11 -0
  37. package/dist/sse-parser.js.map +1 -0
  38. package/dist/version.d.ts +8 -0
  39. package/dist/version.js +7 -0
  40. package/dist/version.js.map +1 -0
  41. package/package.json +13 -4
  42. package/src/clients/base-client.ts +280 -0
  43. package/src/clients/command-client.ts +115 -0
  44. package/src/clients/file-client.ts +295 -0
  45. package/src/clients/git-client.ts +92 -0
  46. package/src/clients/index.ts +64 -0
  47. package/src/clients/interpreter-client.ts +329 -0
  48. package/src/clients/port-client.ts +105 -0
  49. package/src/clients/process-client.ts +177 -0
  50. package/src/clients/sandbox-client.ts +41 -0
  51. package/src/clients/types.ts +84 -0
  52. package/src/clients/utility-client.ts +119 -0
  53. package/src/errors/adapter.ts +180 -0
  54. package/src/errors/classes.ts +469 -0
  55. package/src/errors/index.ts +105 -0
  56. package/src/file-stream.ts +164 -0
  57. package/src/index.ts +85 -12
  58. package/src/interpreter.ts +159 -0
  59. package/src/request-handler.ts +80 -44
  60. package/src/sandbox.ts +658 -290
  61. package/src/security.ts +14 -23
  62. package/src/sse-parser.ts +4 -8
  63. package/src/version.ts +6 -0
  64. package/startup.sh +3 -0
  65. package/tests/base-client.test.ts +328 -0
  66. package/tests/command-client.test.ts +407 -0
  67. package/tests/file-client.test.ts +719 -0
  68. package/tests/file-stream.test.ts +306 -0
  69. package/tests/get-sandbox.test.ts +110 -0
  70. package/tests/git-client.test.ts +328 -0
  71. package/tests/port-client.test.ts +301 -0
  72. package/tests/process-client.test.ts +658 -0
  73. package/tests/request-handler.test.ts +240 -0
  74. package/tests/sandbox.test.ts +554 -0
  75. package/tests/sse-parser.test.ts +290 -0
  76. package/tests/utility-client.test.ts +332 -0
  77. package/tests/version.test.ts +16 -0
  78. package/tests/wrangler.jsonc +35 -0
  79. package/tsconfig.json +9 -1
  80. package/vitest.config.ts +31 -0
  81. package/container_src/handler/exec.ts +0 -337
  82. package/container_src/handler/file.ts +0 -844
  83. package/container_src/handler/git.ts +0 -182
  84. package/container_src/handler/ports.ts +0 -314
  85. package/container_src/handler/process.ts +0 -640
  86. package/container_src/index.ts +0 -361
  87. package/container_src/package.json +0 -9
  88. package/container_src/types.ts +0 -103
  89. package/src/client.ts +0 -1038
  90. package/src/types.ts +0 -386
@@ -0,0 +1,164 @@
1
+ import type { FileChunk, FileMetadata, FileStreamEvent } from '@repo/shared';
2
+
3
+ /**
4
+ * Parse SSE (Server-Sent Events) lines from a stream
5
+ */
6
+ async function* parseSSE(stream: ReadableStream<Uint8Array>): AsyncGenerator<FileStreamEvent> {
7
+ const reader = stream.getReader();
8
+ const decoder = new TextDecoder();
9
+ let buffer = '';
10
+
11
+ try {
12
+ while (true) {
13
+ const { done, value } = await reader.read();
14
+
15
+ if (done) {
16
+ break;
17
+ }
18
+
19
+ buffer += decoder.decode(value, { stream: true });
20
+ const lines = buffer.split('\n');
21
+
22
+ // Keep the last incomplete line in the buffer
23
+ buffer = lines.pop() || '';
24
+
25
+ for (const line of lines) {
26
+ if (line.startsWith('data: ')) {
27
+ const data = line.slice(6); // Remove 'data: ' prefix
28
+ try {
29
+ const event = JSON.parse(data) as FileStreamEvent;
30
+ yield event;
31
+ } catch {
32
+ // Skip invalid JSON events and continue processing
33
+ }
34
+ }
35
+ }
36
+ }
37
+ } finally {
38
+ reader.releaseLock();
39
+ }
40
+ }
41
+
42
+ /**
43
+ * Stream a file from the sandbox with automatic base64 decoding for binary files
44
+ *
45
+ * @param stream - The ReadableStream from readFileStream()
46
+ * @returns AsyncGenerator that yields FileChunk (string for text, Uint8Array for binary)
47
+ *
48
+ * @example
49
+ * ```ts
50
+ * const stream = await sandbox.readFileStream('/path/to/file.png');
51
+ * for await (const chunk of streamFile(stream)) {
52
+ * if (chunk instanceof Uint8Array) {
53
+ * // Binary chunk
54
+ * console.log('Binary chunk:', chunk.length, 'bytes');
55
+ * } else {
56
+ * // Text chunk
57
+ * console.log('Text chunk:', chunk);
58
+ * }
59
+ * }
60
+ * ```
61
+ */
62
+ export async function* streamFile(stream: ReadableStream<Uint8Array>): AsyncGenerator<FileChunk, FileMetadata> {
63
+ let metadata: FileMetadata | null = null;
64
+
65
+ for await (const event of parseSSE(stream)) {
66
+ switch (event.type) {
67
+ case 'metadata':
68
+ metadata = {
69
+ mimeType: event.mimeType,
70
+ size: event.size,
71
+ isBinary: event.isBinary,
72
+ encoding: event.encoding,
73
+ };
74
+ break;
75
+
76
+ case 'chunk':
77
+ if (!metadata) {
78
+ throw new Error('Received chunk before metadata');
79
+ }
80
+
81
+ if (metadata.isBinary && metadata.encoding === 'base64') {
82
+ // Decode base64 to Uint8Array for binary files
83
+ const binaryString = atob(event.data);
84
+ const bytes = new Uint8Array(binaryString.length);
85
+ for (let i = 0; i < binaryString.length; i++) {
86
+ bytes[i] = binaryString.charCodeAt(i);
87
+ }
88
+ yield bytes;
89
+ } else {
90
+ // Text files - yield as-is
91
+ yield event.data;
92
+ }
93
+ break;
94
+
95
+ case 'complete':
96
+ if (!metadata) {
97
+ throw new Error('Stream completed without metadata');
98
+ }
99
+ return metadata;
100
+
101
+ case 'error':
102
+ throw new Error(`File streaming error: ${event.error}`);
103
+ }
104
+ }
105
+
106
+ throw new Error('Stream ended unexpectedly');
107
+ }
108
+
109
+ /**
110
+ * Collect an entire file into memory from a stream
111
+ *
112
+ * @param stream - The ReadableStream from readFileStream()
113
+ * @returns Object containing the file content and metadata
114
+ *
115
+ * @example
116
+ * ```ts
117
+ * const stream = await sandbox.readFileStream('/path/to/file.txt');
118
+ * const { content, metadata } = await collectFile(stream);
119
+ * console.log('Content:', content);
120
+ * console.log('MIME type:', metadata.mimeType);
121
+ * ```
122
+ */
123
+ export async function collectFile(stream: ReadableStream<Uint8Array>): Promise<{
124
+ content: string | Uint8Array;
125
+ metadata: FileMetadata;
126
+ }> {
127
+ const chunks: Array<string | Uint8Array> = [];
128
+
129
+ // Iterate through the generator and get the return value (metadata)
130
+ const generator = streamFile(stream);
131
+ let result = await generator.next();
132
+
133
+ while (!result.done) {
134
+ chunks.push(result.value);
135
+ result = await generator.next();
136
+ }
137
+
138
+ const metadata = result.value;
139
+
140
+ if (!metadata) {
141
+ throw new Error('Failed to get file metadata');
142
+ }
143
+
144
+ // Combine chunks based on type
145
+ if (metadata.isBinary) {
146
+ // Binary file - combine Uint8Arrays
147
+ const totalLength = chunks.reduce((sum, chunk) =>
148
+ sum + (chunk instanceof Uint8Array ? chunk.length : 0), 0
149
+ );
150
+ const combined = new Uint8Array(totalLength);
151
+ let offset = 0;
152
+ for (const chunk of chunks) {
153
+ if (chunk instanceof Uint8Array) {
154
+ combined.set(chunk, offset);
155
+ offset += chunk.length;
156
+ }
157
+ }
158
+ return { content: combined, metadata };
159
+ } else {
160
+ // Text file - combine strings
161
+ const combined = chunks.filter(c => typeof c === 'string').join('');
162
+ return { content: combined, metadata };
163
+ }
164
+ }
package/src/index.ts CHANGED
@@ -1,20 +1,93 @@
1
- // Export types from client
1
+ // Export the main Sandbox class and utilities
2
+
3
+
4
+ // Export the new client architecture
5
+ export {
6
+ CommandClient,
7
+ FileClient,
8
+ GitClient,
9
+ PortClient,
10
+ ProcessClient,
11
+ SandboxClient,
12
+ UtilityClient
13
+ } from "./clients";
14
+ export { getSandbox, Sandbox } from "./sandbox";
15
+
16
+ // Legacy types are now imported from the new client architecture
17
+
18
+ // Export core SDK types for consumers
19
+ export type {
20
+ BaseExecOptions,
21
+ ExecEvent,
22
+ ExecOptions,
23
+ ExecResult,FileChunk, FileMetadata, FileStreamEvent,
24
+ ISandbox,
25
+ LogEvent,
26
+ Process,
27
+ ProcessOptions,
28
+ ProcessStatus,
29
+ StreamOptions
30
+ } from "@repo/shared";
31
+ export * from '@repo/shared';
32
+ // Export type guards for runtime validation
33
+ export {
34
+ isExecResult,
35
+ isProcess,
36
+ isProcessStatus
37
+ } from "@repo/shared";
38
+ // Export all client types from new architecture
2
39
  export type {
3
- DeleteFileResponse, ExecuteResponse,
4
- GitCheckoutResponse,
5
- MkdirResponse, MoveFileResponse,
6
- ReadFileResponse, RenameFileResponse, WriteFileResponse
7
- } from "./client";
40
+ BaseApiResponse,
41
+ CommandsResponse,
42
+ ContainerStub,
43
+ ErrorResponse,
44
+
45
+ // Command client types
46
+ ExecuteRequest,
47
+ ExecuteResponse as CommandExecuteResponse,
8
48
 
49
+ // Port client types
50
+ ExposePortRequest,
51
+ FileOperationRequest,
52
+
53
+ // Git client types
54
+ GitCheckoutRequest,
55
+ GitCheckoutResult,
56
+ // Base client types
57
+ HttpClientOptions as SandboxClientOptions,
58
+
59
+ // File client types
60
+ MkdirRequest,
61
+
62
+ // Utility client types
63
+ PingResponse,
64
+ PortCloseResult,
65
+ PortExposeResult,
66
+ PortListResult,
67
+ ProcessCleanupResult,
68
+ ProcessInfoResult,
69
+ ProcessKillResult,
70
+ ProcessListResult,
71
+ ProcessLogsResult,
72
+ ProcessStartResult,
73
+ ReadFileRequest,
74
+ RequestConfig,
75
+ ResponseHandler,
76
+ SessionRequest,
77
+
78
+ // Process client types
79
+ StartProcessRequest,
80
+ UnexposePortRequest,
81
+ WriteFileRequest
82
+ } from "./clients";
83
+ export type { ExecutionCallbacks, InterpreterClient } from './clients/interpreter-client.js';
84
+ // Export file streaming utilities for binary file support
85
+ export { collectFile, streamFile } from './file-stream';
86
+ // Export interpreter functionality
87
+ export { CodeInterpreter } from './interpreter.js';
9
88
  // Re-export request handler utilities
10
89
  export {
11
90
  proxyToSandbox, type RouteInfo, type SandboxEnv
12
91
  } from './request-handler';
13
-
14
- export { getSandbox, Sandbox } from "./sandbox";
15
-
16
92
  // Export SSE parser for converting ReadableStream to AsyncIterable
17
93
  export { asyncIterableToSSEStream, parseSSEStream, responseToAsyncIterable } from "./sse-parser";
18
-
19
- // Export event types for streaming
20
- export type { ExecEvent, LogEvent } from "./types";
@@ -0,0 +1,159 @@
1
+ import {
2
+ type CodeContext,
3
+ type CreateContextOptions,
4
+ Execution,
5
+ type ExecutionError,
6
+ type OutputMessage,
7
+ type Result,
8
+ ResultImpl,
9
+ type RunCodeOptions,
10
+ } from "@repo/shared";
11
+ import type { InterpreterClient } from "./clients/interpreter-client.js";
12
+ import type { Sandbox } from "./sandbox.js";
13
+ import { validateLanguage } from "./security.js";
14
+
15
+ export class CodeInterpreter {
16
+ private interpreterClient: InterpreterClient;
17
+ private contexts = new Map<string, CodeContext>();
18
+
19
+ constructor(sandbox: Sandbox) {
20
+ // In init-testing architecture, client is a SandboxClient with an interpreter property
21
+ this.interpreterClient = (sandbox.client as any).interpreter as InterpreterClient;
22
+ }
23
+
24
+ /**
25
+ * Create a new code execution context
26
+ */
27
+ async createCodeContext(
28
+ options: CreateContextOptions = {}
29
+ ): Promise<CodeContext> {
30
+ // Validate language before sending to container
31
+ validateLanguage(options.language);
32
+
33
+ const context = await this.interpreterClient.createCodeContext(options);
34
+ this.contexts.set(context.id, context);
35
+ return context;
36
+ }
37
+
38
+ /**
39
+ * Run code with optional context
40
+ */
41
+ async runCode(
42
+ code: string,
43
+ options: RunCodeOptions = {}
44
+ ): Promise<Execution> {
45
+ // Get or create context
46
+ let context = options.context;
47
+ if (!context) {
48
+ // Try to find or create a default context for the language
49
+ const language = options.language || "python";
50
+ context = await this.getOrCreateDefaultContext(language);
51
+ }
52
+
53
+ // Create execution object to collect results
54
+ const execution = new Execution(code, context);
55
+
56
+ // Stream execution
57
+ await this.interpreterClient.runCodeStream(context.id, code, options.language, {
58
+ onStdout: (output: OutputMessage) => {
59
+ execution.logs.stdout.push(output.text);
60
+ if (options.onStdout) return options.onStdout(output);
61
+ },
62
+ onStderr: (output: OutputMessage) => {
63
+ execution.logs.stderr.push(output.text);
64
+ if (options.onStderr) return options.onStderr(output);
65
+ },
66
+ onResult: async (result: Result) => {
67
+ execution.results.push(new ResultImpl(result) as any);
68
+ if (options.onResult) return options.onResult(result);
69
+ },
70
+ onError: (error: ExecutionError) => {
71
+ execution.error = error;
72
+ if (options.onError) return options.onError(error);
73
+ },
74
+ });
75
+
76
+ return execution;
77
+ }
78
+
79
+ /**
80
+ * Run code and return a streaming response
81
+ */
82
+ async runCodeStream(
83
+ code: string,
84
+ options: RunCodeOptions = {}
85
+ ): Promise<ReadableStream> {
86
+ // Get or create context
87
+ let context = options.context;
88
+ if (!context) {
89
+ const language = options.language || "python";
90
+ context = await this.getOrCreateDefaultContext(language);
91
+ }
92
+
93
+ // Create streaming response
94
+ // Note: doFetch is protected but we need direct access for raw stream response
95
+ const response = await (this.interpreterClient as any).doFetch("/api/execute/code", {
96
+ method: "POST",
97
+ headers: {
98
+ "Content-Type": "application/json",
99
+ Accept: "text/event-stream",
100
+ },
101
+ body: JSON.stringify({
102
+ context_id: context.id,
103
+ code,
104
+ language: options.language,
105
+ }),
106
+ });
107
+
108
+ if (!response.ok) {
109
+ const errorData = (await response
110
+ .json()
111
+ .catch(() => ({ error: "Unknown error" }))) as { error?: string };
112
+ throw new Error(
113
+ errorData.error || `Failed to execute code: ${response.status}`
114
+ );
115
+ }
116
+
117
+ if (!response.body) {
118
+ throw new Error("No response body for streaming execution");
119
+ }
120
+
121
+ return response.body;
122
+ }
123
+
124
+ /**
125
+ * List all code contexts
126
+ */
127
+ async listCodeContexts(): Promise<CodeContext[]> {
128
+ const contexts = await this.interpreterClient.listCodeContexts();
129
+
130
+ // Update local cache
131
+ for (const context of contexts) {
132
+ this.contexts.set(context.id, context);
133
+ }
134
+
135
+ return contexts;
136
+ }
137
+
138
+ /**
139
+ * Delete a code context
140
+ */
141
+ async deleteCodeContext(contextId: string): Promise<void> {
142
+ await this.interpreterClient.deleteCodeContext(contextId);
143
+ this.contexts.delete(contextId);
144
+ }
145
+
146
+ private async getOrCreateDefaultContext(
147
+ language: "python" | "javascript" | "typescript"
148
+ ): Promise<CodeContext> {
149
+ // Check if we have a cached context for this language
150
+ for (const context of this.contexts.values()) {
151
+ if (context.language === language) {
152
+ return context;
153
+ }
154
+ }
155
+
156
+ // Create new default context
157
+ return this.createCodeContext({ language });
158
+ }
159
+ }
@@ -1,6 +1,7 @@
1
+ import { createLogger, type LogContext, TraceContext } from "@repo/shared";
2
+ import { switchPort } from "@cloudflare/containers";
1
3
  import { getSandbox, type Sandbox } from "./sandbox";
2
4
  import {
3
- logSecurityEvent,
4
5
  sanitizeSandboxId,
5
6
  validatePort
6
7
  } from "./security";
@@ -13,12 +14,21 @@ export interface RouteInfo {
13
14
  port: number;
14
15
  sandboxId: string;
15
16
  path: string;
17
+ token: string;
16
18
  }
17
19
 
18
20
  export async function proxyToSandbox<E extends SandboxEnv>(
19
21
  request: Request,
20
22
  env: E
21
23
  ): Promise<Response | null> {
24
+ // Create logger context for this request
25
+ const traceId = TraceContext.fromHeaders(request.headers) || TraceContext.generate();
26
+ const logger = createLogger({
27
+ component: 'sandbox-do',
28
+ traceId,
29
+ operation: 'proxy'
30
+ });
31
+
22
32
  try {
23
33
  const url = new URL(request.url);
24
34
  const routeInfo = extractSandboxRoute(url);
@@ -27,9 +37,48 @@ export async function proxyToSandbox<E extends SandboxEnv>(
27
37
  return null; // Not a request to an exposed container port
28
38
  }
29
39
 
30
- const { sandboxId, port, path } = routeInfo;
40
+ const { sandboxId, port, path, token } = routeInfo;
31
41
  const sandbox = getSandbox(env.Sandbox, sandboxId);
32
42
 
43
+ // Critical security check: Validate token (mandatory for all user ports)
44
+ // Skip check for control plane port 3000
45
+ if (port !== 3000) {
46
+ // Validate the token matches the port
47
+ const isValidToken = await sandbox.validatePortToken(port, token);
48
+ if (!isValidToken) {
49
+ logger.warn('Invalid token access blocked', {
50
+ port,
51
+ sandboxId,
52
+ path,
53
+ hostname: url.hostname,
54
+ url: request.url,
55
+ method: request.method,
56
+ userAgent: request.headers.get('User-Agent') || 'unknown'
57
+ });
58
+
59
+ return new Response(
60
+ JSON.stringify({
61
+ error: `Access denied: Invalid token or port not exposed`,
62
+ code: 'INVALID_TOKEN'
63
+ }),
64
+ {
65
+ status: 404,
66
+ headers: {
67
+ 'Content-Type': 'application/json'
68
+ }
69
+ }
70
+ );
71
+ }
72
+ }
73
+
74
+ // Detect WebSocket upgrade request
75
+ const upgradeHeader = request.headers.get('Upgrade');
76
+ if (upgradeHeader?.toLowerCase() === 'websocket') {
77
+ // WebSocket path: Must use fetch() not containerFetch()
78
+ // This bypasses JSRPC serialization boundary which cannot handle WebSocket upgrades
79
+ return await sandbox.fetch(switchPort(request, port));
80
+ }
81
+
33
82
  // Build proxy request with proper headers
34
83
  let proxyUrl: string;
35
84
 
@@ -52,43 +101,33 @@ export async function proxyToSandbox<E extends SandboxEnv>(
52
101
  'X-Sandbox-Name': sandboxId, // Pass the friendly name
53
102
  },
54
103
  body: request.body,
104
+ // @ts-expect-error - duplex required for body streaming in modern runtimes
105
+ duplex: 'half',
55
106
  });
56
107
 
57
- return sandbox.containerFetch(proxyRequest, port);
108
+ return await sandbox.containerFetch(proxyRequest, port);
58
109
  } catch (error) {
59
- console.error('[Sandbox] Proxy routing error:', error);
110
+ logger.error('Proxy routing error', error instanceof Error ? error : new Error(String(error)));
60
111
  return new Response('Proxy routing error', { status: 500 });
61
112
  }
62
113
  }
63
114
 
64
115
  function extractSandboxRoute(url: URL): RouteInfo | null {
65
- // Parse subdomain pattern: port-sandboxId.domain
66
- const subdomainMatch = url.hostname.match(/^(\d{4,5})-([^.-][^.]*[^.-]|[^.-])\.(.+)$/);
116
+ // Parse subdomain pattern: port-sandboxId-token.domain (tokens mandatory)
117
+ // Token is always exactly 16 chars (generated by generatePortToken)
118
+ const subdomainMatch = url.hostname.match(/^(\d{4,5})-([^.-][^.]*?[^.-]|[^.-])-([a-z0-9_-]{16})\.(.+)$/);
67
119
 
68
120
  if (!subdomainMatch) {
69
- // Log malformed subdomain attempts
70
- if (url.hostname.includes('-') && url.hostname.includes('.')) {
71
- logSecurityEvent('MALFORMED_SUBDOMAIN_ATTEMPT', {
72
- hostname: url.hostname,
73
- url: url.toString()
74
- }, 'medium');
75
- }
76
121
  return null;
77
122
  }
78
123
 
79
124
  const portStr = subdomainMatch[1];
80
125
  const sandboxId = subdomainMatch[2];
81
- const domain = subdomainMatch[3];
126
+ const token = subdomainMatch[3]; // Mandatory token
127
+ const domain = subdomainMatch[4];
82
128
 
83
129
  const port = parseInt(portStr, 10);
84
130
  if (!validatePort(port)) {
85
- logSecurityEvent('INVALID_PORT_IN_SUBDOMAIN', {
86
- port,
87
- portStr,
88
- sandboxId,
89
- hostname: url.hostname,
90
- url: url.toString()
91
- }, 'high');
92
131
  return null;
93
132
  }
94
133
 
@@ -96,49 +135,46 @@ function extractSandboxRoute(url: URL): RouteInfo | null {
96
135
  try {
97
136
  sanitizedSandboxId = sanitizeSandboxId(sandboxId);
98
137
  } catch (error) {
99
- logSecurityEvent('INVALID_SANDBOX_ID_IN_SUBDOMAIN', {
100
- sandboxId,
101
- port,
102
- hostname: url.hostname,
103
- url: url.toString(),
104
- error: error instanceof Error ? error.message : 'Unknown error'
105
- }, 'high');
106
138
  return null;
107
139
  }
108
140
 
109
141
  // DNS subdomain length limit is 63 characters
110
142
  if (sandboxId.length > 63) {
111
- logSecurityEvent('SANDBOX_ID_LENGTH_VIOLATION', {
112
- sandboxId,
113
- length: sandboxId.length,
114
- port,
115
- hostname: url.hostname
116
- }, 'medium');
117
143
  return null;
118
144
  }
119
145
 
120
- logSecurityEvent('SANDBOX_ROUTE_EXTRACTED', {
121
- port,
122
- sandboxId: sanitizedSandboxId,
123
- domain,
124
- path: url.pathname || "/",
125
- hostname: url.hostname
126
- }, 'low');
127
-
128
146
  return {
129
147
  port,
130
148
  sandboxId: sanitizedSandboxId,
131
149
  path: url.pathname || "/",
150
+ token,
132
151
  };
133
152
  }
134
153
 
135
154
  export function isLocalhostPattern(hostname: string): boolean {
155
+ // Handle IPv6 addresses in brackets (with or without port)
156
+ if (hostname.startsWith('[')) {
157
+ if (hostname.includes(']:')) {
158
+ // [::1]:port format
159
+ const ipv6Part = hostname.substring(0, hostname.indexOf(']:') + 1);
160
+ return ipv6Part === '[::1]';
161
+ } else {
162
+ // [::1] format without port
163
+ return hostname === '[::1]';
164
+ }
165
+ }
166
+
167
+ // Handle bare IPv6 without brackets
168
+ if (hostname === '::1') {
169
+ return true;
170
+ }
171
+
172
+ // For IPv4 and regular hostnames, split on colon to remove port
136
173
  const hostPart = hostname.split(":")[0];
174
+
137
175
  return (
138
176
  hostPart === "localhost" ||
139
177
  hostPart === "127.0.0.1" ||
140
- hostPart === "::1" ||
141
- hostPart === "[::1]" ||
142
178
  hostPart === "0.0.0.0"
143
179
  );
144
180
  }