@cloudflare/sandbox 0.0.0-d55b0f4 → 0.0.0-d670ba2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (33) hide show
  1. package/CHANGELOG.md +153 -0
  2. package/Dockerfile +43 -19
  3. package/README.md +899 -0
  4. package/container_src/bun.lock +76 -0
  5. package/container_src/circuit-breaker.ts +121 -0
  6. package/container_src/control-process.ts +784 -0
  7. package/container_src/handler/exec.ts +99 -251
  8. package/container_src/handler/file.ts +253 -640
  9. package/container_src/handler/git.ts +28 -80
  10. package/container_src/handler/process.ts +443 -515
  11. package/container_src/handler/session.ts +92 -0
  12. package/container_src/index.ts +363 -123
  13. package/container_src/interpreter-service.ts +276 -0
  14. package/container_src/isolation.ts +1213 -0
  15. package/container_src/mime-processor.ts +255 -0
  16. package/container_src/package.json +9 -0
  17. package/container_src/runtime/executors/javascript/node_executor.ts +123 -0
  18. package/container_src/runtime/executors/python/ipython_executor.py +338 -0
  19. package/container_src/runtime/executors/typescript/ts_executor.ts +138 -0
  20. package/container_src/runtime/process-pool.ts +464 -0
  21. package/container_src/shell-escape.ts +42 -0
  22. package/container_src/startup.sh +11 -0
  23. package/container_src/types.ts +42 -14
  24. package/package.json +2 -2
  25. package/src/client.ts +244 -234
  26. package/src/errors.ts +219 -0
  27. package/src/file-stream.ts +162 -0
  28. package/src/index.ts +76 -15
  29. package/src/interpreter-client.ts +352 -0
  30. package/src/interpreter-types.ts +390 -0
  31. package/src/interpreter.ts +150 -0
  32. package/src/sandbox.ts +511 -401
  33. package/src/types.ts +209 -24
package/CHANGELOG.md CHANGED
@@ -1,5 +1,158 @@
1
1
  # @cloudflare/sandbox
2
2
 
3
+ ## 0.3.6
4
+
5
+ ### Patch Changes
6
+
7
+ - [#90](https://github.com/cloudflare/sandbox-sdk/pull/90) [`66cc85b`](https://github.com/cloudflare/sandbox-sdk/commit/66cc85b679b466b3ffb1f00fbd697670fc186f06) Thanks [@eastlondoner](https://github.com/eastlondoner)! - set bun idletimeout
8
+
9
+ ## 0.3.5
10
+
11
+ ### Patch Changes
12
+
13
+ - [#88](https://github.com/cloudflare/sandbox-sdk/pull/88) [`46eb4e6`](https://github.com/cloudflare/sandbox-sdk/commit/46eb4e6b6c671b682fc74f83563ccf5f316011cb) Thanks [@ghostwriternr](https://github.com/ghostwriternr)! - Add binary file support with automatic MIME detection and streaming
14
+
15
+ ## 0.3.4
16
+
17
+ ### Patch Changes
18
+
19
+ - [#86](https://github.com/cloudflare/sandbox-sdk/pull/86) [`feafd32`](https://github.com/cloudflare/sandbox-sdk/commit/feafd32a51f50dfaf4994bddcbfb56d46cada622) Thanks [@ghostwriternr](https://github.com/ghostwriternr)! - Fix session reuse to reuse existing healthy session
20
+
21
+ ## 0.3.3
22
+
23
+ ### Patch Changes
24
+
25
+ - [#83](https://github.com/cloudflare/sandbox-sdk/pull/83) [`eec5bb6`](https://github.com/cloudflare/sandbox-sdk/commit/eec5bb6203dd5d775b4b54e91c26de25eeb767ce) Thanks [@mikenomitch](https://github.com/mikenomitch)! - Bump containers package version
26
+
27
+ ## 0.3.2
28
+
29
+ ### Patch Changes
30
+
31
+ - [#76](https://github.com/cloudflare/sandbox-sdk/pull/76) [`ef9e320`](https://github.com/cloudflare/sandbox-sdk/commit/ef9e320dcef30e57797fef6ebd9a9383fa9720d9) Thanks [@ghostwriternr](https://github.com/ghostwriternr)! - Replace Jupyter with lightweight interpreters for >90% faster cold starts for `.runCode` calls, while maintaining full code execution capabilities and rich output support.
32
+
33
+ ## 0.3.1
34
+
35
+ ### Patch Changes
36
+
37
+ - [#71](https://github.com/cloudflare/sandbox-sdk/pull/71) [`fb3c9c2`](https://github.com/cloudflare/sandbox-sdk/commit/fb3c9c22242d9d4f157c26f547f1e697ef7875f9) Thanks [@ghostwriternr](https://github.com/ghostwriternr)! - Bump containers package version
38
+
39
+ - [#70](https://github.com/cloudflare/sandbox-sdk/pull/70) [`e1fa354`](https://github.com/cloudflare/sandbox-sdk/commit/e1fa354ab1bc7b0e89db4901b67028ebf1a93d0a) Thanks [@ghostwriternr](https://github.com/ghostwriternr)! - Fix escaped quotes in file write operations
40
+
41
+ - [#68](https://github.com/cloudflare/sandbox-sdk/pull/68) [`69b91d1`](https://github.com/cloudflare/sandbox-sdk/commit/69b91d1a8f6afb63262cc381ea93e94a033ed5e8) Thanks [@CyrusNuevoDia](https://github.com/CyrusNuevoDia)! - Configurable timeouts via environment variables in isolation.ts
42
+
43
+ - [#66](https://github.com/cloudflare/sandbox-sdk/pull/66) [`eca93b9`](https://github.com/cloudflare/sandbox-sdk/commit/eca93b97e40fa0d3bd9dc27af2cc214ec355b696) Thanks [@peterp](https://github.com/peterp)! - Determine if the port is specified in the URL.
44
+
45
+ ## 0.3.0
46
+
47
+ ### Minor Changes
48
+
49
+ - [#59](https://github.com/cloudflare/sandbox-sdk/pull/59) [`b6757f7`](https://github.com/cloudflare/sandbox-sdk/commit/b6757f730c34381d5a70d513944bbf9840f598ab) Thanks [@ghostwriternr](https://github.com/ghostwriternr)! - Add process isolation for sandbox commands
50
+
51
+ Implements PID namespace isolation to protect control plane processes (Jupyter, Bun) from sandboxed code. Commands executed via `exec()` now run in isolated namespaces that cannot see or interact with system processes.
52
+
53
+ **Key security improvements:**
54
+
55
+ - Control plane processes are hidden from sandboxed commands
56
+ - Platform secrets in `/proc/1/environ` are inaccessible
57
+ - Ports 8888 (Jupyter) and 3000 (Bun) are protected from hijacking
58
+
59
+ **Breaking changes:**
60
+
61
+ 1. **Removed `sessionId` parameter**: The `sessionId` parameter has been removed from all methods (`exec()`, `execStream()`, `startProcess()`, etc.). Each sandbox now maintains its own persistent session automatically.
62
+
63
+ ```javascript
64
+ // Before: manual session management
65
+ await sandbox.exec("cd /app", { sessionId: "my-session" });
66
+
67
+ // After: automatic session per sandbox
68
+ await sandbox.exec("cd /app");
69
+ ```
70
+
71
+ 2. **Commands now maintain state**: Commands within the same sandbox now share state (working directory, environment variables, background processes). Previously each command was stateless.
72
+
73
+ ```javascript
74
+ // Before: each exec was independent
75
+ await sandbox.exec("cd /app");
76
+ await sandbox.exec("pwd"); // Output: /workspace
77
+
78
+ // After: state persists in session
79
+ await sandbox.exec("cd /app");
80
+ await sandbox.exec("pwd"); // Output: /app
81
+ ```
82
+
83
+ **Migration guide:**
84
+
85
+ - Remove `sessionId` from all method calls - each sandbox maintains its own session
86
+ - If you need isolated execution contexts within the same sandbox, use `sandbox.createSession()`:
87
+ ```javascript
88
+ // Create independent sessions with different environments
89
+ const buildSession = await sandbox.createSession({
90
+ name: "build",
91
+ env: { NODE_ENV: "production" },
92
+ cwd: "/build",
93
+ });
94
+ const testSession = await sandbox.createSession({
95
+ name: "test",
96
+ env: { NODE_ENV: "test" },
97
+ cwd: "/test",
98
+ });
99
+ ```
100
+ - Environment variables set in one command persist to the next
101
+ - Background processes remain active until explicitly killed
102
+ - Requires CAP_SYS_ADMIN (available in production, falls back gracefully in dev)
103
+
104
+ ### Patch Changes
105
+
106
+ - [#62](https://github.com/cloudflare/sandbox-sdk/pull/62) [`4bedc3a`](https://github.com/cloudflare/sandbox-sdk/commit/4bedc3aba347f3d4090a6efe2c9778bac00ce74a) Thanks [@ghostwriternr](https://github.com/ghostwriternr)! - Fix broken build due to bun lockfile not being used
107
+
108
+ ## 0.2.4
109
+
110
+ ### Patch Changes
111
+
112
+ - [#57](https://github.com/cloudflare/sandbox-sdk/pull/57) [`12bbd12`](https://github.com/cloudflare/sandbox-sdk/commit/12bbd1229c07ef8c1c0bf58a4235a27938155b08) Thanks [@ghostwriternr](https://github.com/ghostwriternr)! - Add listFiles method
113
+
114
+ ## 0.2.3
115
+
116
+ ### Patch Changes
117
+
118
+ - [#53](https://github.com/cloudflare/sandbox-sdk/pull/53) [`c87db11`](https://github.com/cloudflare/sandbox-sdk/commit/c87db117693a86cfb667bf09fb7720d6a6e0524d) Thanks [@ghostwriternr](https://github.com/ghostwriternr)! - Improve jupyterlab config to speed up startup
119
+
120
+ ## 0.2.2
121
+
122
+ ### Patch Changes
123
+
124
+ - [#51](https://github.com/cloudflare/sandbox-sdk/pull/51) [`4aceb32`](https://github.com/cloudflare/sandbox-sdk/commit/4aceb3215c836f59afcb88b2b325016b3f623f46) Thanks [@ghostwriternr](https://github.com/ghostwriternr)! - Handle intermittent interpreter failures and decouple jupyter startup
125
+
126
+ ## 0.2.1
127
+
128
+ ### Patch Changes
129
+
130
+ - [#49](https://github.com/cloudflare/sandbox-sdk/pull/49) [`d81d2a5`](https://github.com/cloudflare/sandbox-sdk/commit/d81d2a563c9af8947d5444019ed4d6156db563e3) Thanks [@ghostwriternr](https://github.com/ghostwriternr)! - Implement code interpreter API
131
+
132
+ ## 0.2.0
133
+
134
+ ### Minor Changes
135
+
136
+ - [#47](https://github.com/cloudflare/sandbox-sdk/pull/47) [`8a93d0c`](https://github.com/cloudflare/sandbox-sdk/commit/8a93d0cae18a25bda6506b8b0a08d9e9eb3bb290) Thanks [@ghostwriternr](https://github.com/ghostwriternr)! - Change default directory to a clean /workspace
137
+
138
+ ## 0.1.4
139
+
140
+ ### Patch Changes
141
+
142
+ - [#46](https://github.com/cloudflare/sandbox-sdk/pull/46) [`7de28be`](https://github.com/cloudflare/sandbox-sdk/commit/7de28be482d9634551572d548c7c4b5842df812d) Thanks [@ghostwriternr](https://github.com/ghostwriternr)! - Update README
143
+
144
+ - [#44](https://github.com/cloudflare/sandbox-sdk/pull/44) [`215ab49`](https://github.com/cloudflare/sandbox-sdk/commit/215ab494427d7e2a92bb9a25384cb493a221c200) Thanks [@ghostwriternr](https://github.com/ghostwriternr)! - Update example to use env & cwd
145
+
146
+ - [#42](https://github.com/cloudflare/sandbox-sdk/pull/42) [`bb72193`](https://github.com/cloudflare/sandbox-sdk/commit/bb72193ad75695979bd1132206f481e91fe37325) Thanks [@jonasnobile](https://github.com/jonasnobile)! - Propagate `cwd` and `env` options in `executeCommand`
147
+
148
+ - [#27](https://github.com/cloudflare/sandbox-sdk/pull/27) [`fd5ec7f`](https://github.com/cloudflare/sandbox-sdk/commit/fd5ec7f34bc12b06320a89356c4af07801f52d64) Thanks [@threepointone](https://github.com/threepointone)! - remove yarn and pnpm from the image
149
+
150
+ ## 0.1.3
151
+
152
+ ### Patch Changes
153
+
154
+ - [#32](https://github.com/cloudflare/sandbox-sdk/pull/32) [`1a42464`](https://github.com/cloudflare/sandbox-sdk/commit/1a4246479369c5d0160705caf192aa1816540d52) Thanks [@ghostwriternr](https://github.com/ghostwriternr)! - Bring back package README
155
+
3
156
  ## 0.1.2
4
157
 
5
158
  ### Patch Changes
package/Dockerfile CHANGED
@@ -13,6 +13,7 @@ RUN apt-get update && apt-get install -y \
13
13
  git \
14
14
  unzip \
15
15
  zip \
16
+ file \
16
17
  # Process management
17
18
  procps \
18
19
  htop \
@@ -31,23 +32,19 @@ RUN apt-get update && apt-get install -y \
31
32
  python3.11 \
32
33
  python3.11-dev \
33
34
  python3-pip \
35
+ python3.11-venv \
34
36
  # Other useful tools
35
- sudo \
36
37
  ca-certificates \
37
38
  gnupg \
38
39
  lsb-release \
40
+ strace \
39
41
  && rm -rf /var/lib/apt/lists/*
40
42
 
41
43
  # Set Python 3.11 as default python3
42
44
  RUN update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.11 1
43
45
 
44
- # Install Node.js 22 LTS
45
- # Using the official NodeSource repository setup script
46
- RUN apt-get update && apt-get install -y ca-certificates curl gnupg \
47
- && mkdir -p /etc/apt/keyrings \
48
- && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
49
- && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_22.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list \
50
- && apt-get update \
46
+ # Install Node.js 20 LTS using official NodeSource setup script
47
+ RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
51
48
  && apt-get install -y nodejs \
52
49
  && rm -rf /var/lib/apt/lists/*
53
50
 
@@ -55,25 +52,52 @@ RUN apt-get update && apt-get install -y ca-certificates curl gnupg \
55
52
  COPY --from=bun-source /usr/local/bin/bun /usr/local/bin/bun
56
53
  COPY --from=bun-source /usr/local/bin/bunx /usr/local/bin/bunx
57
54
 
58
- # Install global npm packages as root
59
- RUN npm install -g yarn pnpm
55
+ # Install essential Python packages for code execution
56
+ RUN pip3 install --no-cache-dir \
57
+ matplotlib \
58
+ numpy \
59
+ pandas \
60
+ ipython
60
61
 
61
- # Set up working directory
62
- WORKDIR /app
62
+ # Set up container server directory
63
+ WORKDIR /container-server
63
64
 
64
65
  # Verify installations
65
66
  RUN python3 --version && \
66
67
  node --version && \
67
68
  npm --version && \
68
- bun --version && \
69
- yarn --version && \
70
- pnpm --version
69
+ bun --version
70
+
71
+ # Copy container source files to server directory
72
+ COPY container_src/package.json container_src/bun.lock ./
73
+ RUN bun install --frozen-lockfile
71
74
 
72
- # Copy container source files
73
75
  COPY container_src/ ./
74
76
 
75
- # Expose the application port
77
+ # Compile TypeScript files using the locally installed TypeScript
78
+ RUN npx tsc control-process.ts --outDir . --module commonjs --target es2020 --esModuleInterop --skipLibCheck
79
+ RUN cd runtime/executors/javascript && npx tsc node_executor.ts --module commonjs --target es2020 --esModuleInterop --skipLibCheck
80
+ RUN cd runtime/executors/typescript && npx tsc ts_executor.ts --module commonjs --target es2020 --esModuleInterop --skipLibCheck
81
+
82
+ # Configure process pool sizes (can be overridden at runtime)
83
+ ENV PYTHON_POOL_MIN_SIZE=3
84
+ ENV PYTHON_POOL_MAX_SIZE=15
85
+ ENV JAVASCRIPT_POOL_MIN_SIZE=3
86
+ ENV JAVASCRIPT_POOL_MAX_SIZE=10
87
+ ENV TYPESCRIPT_POOL_MIN_SIZE=3
88
+ ENV TYPESCRIPT_POOL_MAX_SIZE=10
89
+
90
+ # Create clean workspace directory for user code
91
+ # Architecture:
92
+ # /container-server/ - SDK infrastructure (server, executors, dependencies)
93
+ # /workspace/ - User's clean workspace for their code
94
+ RUN mkdir -p /workspace
95
+
96
+ # Expose the application port (3000 for control)
76
97
  EXPOSE 3000
77
98
 
78
- # Run the application
79
- CMD ["bun", "index.ts"]
99
+ # Make startup script executable
100
+ RUN chmod +x startup.sh
101
+
102
+ # Use startup script
103
+ CMD ["./startup.sh"]