npm - @cloudflare/sandbox - Versions diffs - 0.0.0-d81d2a5 → 0.0.0-d951819 - Mend

@cloudflare/sandbox 0.0.0-d81d2a5 → 0.0.0-d951819

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (35) hide show

package/CHANGELOG.md +129 -0
package/Dockerfile +34 -27
package/README.md +127 -12
package/container_src/bun.lock +31 -77
package/container_src/circuit-breaker.ts +121 -0
package/container_src/control-process.ts +784 -0
package/container_src/handler/exec.ts +99 -254
package/container_src/handler/file.ts +253 -640
package/container_src/handler/git.ts +28 -80
package/container_src/handler/process.ts +443 -515
package/container_src/handler/session.ts +92 -0
package/container_src/index.ts +289 -219
package/container_src/interpreter-service.ts +276 -0
package/container_src/isolation.ts +1213 -0
package/container_src/mime-processor.ts +1 -1
package/container_src/package.json +4 -4
package/container_src/runtime/executors/javascript/node_executor.ts +123 -0
package/container_src/runtime/executors/python/ipython_executor.py +338 -0
package/container_src/runtime/executors/typescript/ts_executor.ts +138 -0
package/container_src/runtime/process-pool.ts +464 -0
package/container_src/shell-escape.ts +42 -0
package/container_src/startup.sh +6 -47
package/container_src/types.ts +35 -12
package/package.json +2 -2
package/src/client.ts +214 -187
package/src/errors.ts +219 -0
package/src/file-stream.ts +162 -0
package/src/index.ts +66 -14
package/src/interpreter-client.ts +352 -0
package/src/interpreter-types.ts +102 -95
package/src/interpreter.ts +8 -8
package/src/sandbox.ts +315 -337
package/src/types.ts +194 -24
package/container_src/jupyter-server.ts +0 -336
package/src/jupyter-client.ts +0 -266

package/container_src/index.ts CHANGED Viewed

@@ -1,11 +1,15 @@
-import { randomBytes } from "node:crypto";
 import { serve } from "bun";
-import { handleExecuteRequest, handleStreamingExecuteRequest } from "./handler/exec";
+import {
+  handleExecuteRequest,
+  handleStreamingExecuteRequest,
+} from "./handler/exec";
 import {
   handleDeleteFileRequest,
+  handleListFilesRequest,
   handleMkdirRequest,
   handleMoveFileRequest,
   handleReadFileRequest,
+  handleReadFileStreamRequest,
   handleRenameFileRequest,
   handleWriteFileRequest,
 } from "./handler/file";
@@ -25,58 +29,65 @@ import {
   handleStartProcessRequest,
   handleStreamProcessLogsRequest,
 } from "./handler/process";
-import { type CreateContextRequest, JupyterServer } from "./jupyter-server";
-import type { ProcessRecord, SessionData } from "./types";
-// In-memory session storage (in production, you'd want to use a proper database)
-const sessions = new Map<string, SessionData>();
+import { handleCreateSession, handleListSessions } from "./handler/session";
+import type { CreateContextRequest } from "./interpreter-service";
+import {
+  InterpreterNotReadyError,
+  InterpreterService,
+} from "./interpreter-service";
+import { hasNamespaceSupport, SessionManager } from "./isolation";
 // In-memory storage for exposed ports
 const exposedPorts = new Map<number, { name?: string; exposedAt: Date }>();
-// In-memory process storage - cleared on container restart
-const processes = new Map<string, ProcessRecord>();
-// Generate a unique session ID using cryptographically secure randomness
-function generateSessionId(): string {
-  return `session_${Date.now()}_${randomBytes(6).toString('hex')}`;
-}
-// Clean up old sessions (older than 1 hour)
-function cleanupOldSessions() {
-  const oneHourAgo = new Date(Date.now() - 60 * 60 * 1000);
-  for (const [sessionId, session] of sessions.entries()) {
-    if (session.createdAt < oneHourAgo && !session.activeProcess) {
-      sessions.delete(sessionId);
-      console.log(`[Server] Cleaned up old session: ${sessionId}`);
-    }
-  }
-}
-// Run cleanup every 10 minutes
-setInterval(cleanupOldSessions, 10 * 60 * 1000);
-// Initialize Jupyter server
-const jupyterServer = new JupyterServer();
-let jupyterInitialized = false;
-// Initialize Jupyter immediately since startup.sh ensures it's ready
-(async () => {
-  try {
-    await jupyterServer.initialize();
-    jupyterInitialized = true;
-    console.log("[Container] Jupyter integration initialized successfully");
-  } catch (error) {
-    console.error("[Container] Failed to initialize Jupyter:", error);
-    // Log more details to help debug
-    if (error instanceof Error) {
-      console.error("[Container] Error details:", error.message);
-      console.error("[Container] Stack trace:", error.stack);
-    }
-  }
-})();
+// Check isolation capabilities on startup
+const isolationAvailable = hasNamespaceSupport();
+console.log(
+  `[Container] Process isolation: ${
+    isolationAvailable
+      ? "ENABLED (production mode)"
+      : "DISABLED (development mode)"
+  }`
+);
+// Session manager for secure execution with isolation
+const sessionManager = new SessionManager();
+// Graceful shutdown handler
+const SHUTDOWN_GRACE_PERIOD_MS = 5000; // Grace period for cleanup (5 seconds for proper async cleanup)
+process.on("SIGTERM", async () => {
+  console.log("[Container] SIGTERM received, cleaning up sessions...");
+  await sessionManager.destroyAll();
+  setTimeout(() => {
+    process.exit(0);
+  }, SHUTDOWN_GRACE_PERIOD_MS);
+});
+process.on("SIGINT", async () => {
+  console.log("[Container] SIGINT received, cleaning up sessions...");
+  await sessionManager.destroyAll();
+  setTimeout(() => {
+    process.exit(0);
+  }, SHUTDOWN_GRACE_PERIOD_MS);
+});
+// Cleanup on uncaught exceptions (log but still exit)
+process.on("uncaughtException", async (error) => {
+  console.error("[Container] Uncaught exception:", error);
+  await sessionManager.destroyAll();
+  process.exit(1);
+});
+// Initialize interpreter service
+const interpreterService = new InterpreterService();
+// No initialization needed - service is ready immediately!
+console.log("[Container] Interpreter service ready - no cold start!");
+console.log("[Container] All API endpoints available immediately");
 const server = serve({
+  idleTimeout: 255,
   async fetch(req: Request) {
     const url = new URL(req.url);
     const pathname = url.pathname;
@@ -110,109 +121,42 @@ const server = serve({
         case "/api/session/create":
           if (req.method === "POST") {
-            const sessionId = generateSessionId();
-            const sessionData: SessionData = {
-              activeProcess: null,
-              createdAt: new Date(),
-              sessionId,
-            };
-            sessions.set(sessionId, sessionData);
-            console.log(`[Server] Created new session: ${sessionId}`);
-            return new Response(
-              JSON.stringify({
-                message: "Session created successfully",
-                sessionId,
-                timestamp: new Date().toISOString(),
-              }),
-              {
-                headers: {
-                  "Content-Type": "application/json",
-                  ...corsHeaders,
-                },
-              }
-            );
+            return handleCreateSession(req, corsHeaders, sessionManager);
           }
           break;
         case "/api/session/list":
           if (req.method === "GET") {
-            const sessionList = Array.from(sessions.values()).map(
-              (session) => ({
-                createdAt: session.createdAt.toISOString(),
-                hasActiveProcess: !!session.activeProcess,
-                sessionId: session.sessionId,
-              })
-            );
-            return new Response(
-              JSON.stringify({
-                count: sessionList.length,
-                sessions: sessionList,
-                timestamp: new Date().toISOString(),
-              }),
-              {
-                headers: {
-                  "Content-Type": "application/json",
-                  ...corsHeaders,
-                },
-              }
-            );
+            return handleListSessions(corsHeaders, sessionManager);
           }
           break;
         case "/api/execute":
           if (req.method === "POST") {
-            return handleExecuteRequest(sessions, req, corsHeaders);
+            return handleExecuteRequest(req, corsHeaders, sessionManager);
           }
           break;
         case "/api/execute/stream":
           if (req.method === "POST") {
-            return handleStreamingExecuteRequest(sessions, req, corsHeaders);
+            return handleStreamingExecuteRequest(
+              req,
+              sessionManager,
+              corsHeaders
+            );
           }
           break;
         case "/api/ping":
           if (req.method === "GET") {
+            const health = await interpreterService.getHealthStatus();
             return new Response(
               JSON.stringify({
                 message: "pong",
                 timestamp: new Date().toISOString(),
-                jupyter: jupyterInitialized ? "ready" : "not ready",
-              }),
-              {
-                headers: {
-                  "Content-Type": "application/json",
-                  ...corsHeaders,
-                },
-              }
-            );
-          }
-          break;
-        case "/api/commands":
-          if (req.method === "GET") {
-            return new Response(
-              JSON.stringify({
-                availableCommands: [
-                  "ls",
-                  "pwd",
-                  "echo",
-                  "cat",
-                  "grep",
-                  "find",
-                  "whoami",
-                  "date",
-                  "uptime",
-                  "ps",
-                  "top",
-                  "df",
-                  "du",
-                  "free",
-                ],
-                timestamp: new Date().toISOString(),
+                system: "interpreter (70x faster)",
+                status: health.ready ? "ready" : "initializing",
+                progress: health.progress,
               }),
               {
                 headers: {
@@ -226,43 +170,55 @@ const server = serve({
         case "/api/git/checkout":
           if (req.method === "POST") {
-            return handleGitCheckoutRequest(sessions, req, corsHeaders);
+            return handleGitCheckoutRequest(req, corsHeaders, sessionManager);
           }
           break;
         case "/api/mkdir":
           if (req.method === "POST") {
-            return handleMkdirRequest(sessions, req, corsHeaders);
+            return handleMkdirRequest(req, corsHeaders, sessionManager);
           }
           break;
         case "/api/write":
           if (req.method === "POST") {
-            return handleWriteFileRequest(req, corsHeaders);
+            return handleWriteFileRequest(req, corsHeaders, sessionManager);
           }
           break;
         case "/api/read":
           if (req.method === "POST") {
-            return handleReadFileRequest(req, corsHeaders);
+            return handleReadFileRequest(req, corsHeaders, sessionManager);
+          }
+          break;
+        case "/api/read/stream":
+          if (req.method === "POST") {
+            return handleReadFileStreamRequest(req, corsHeaders, sessionManager);
           }
           break;
         case "/api/delete":
           if (req.method === "POST") {
-            return handleDeleteFileRequest(req, corsHeaders);
+            return handleDeleteFileRequest(req, corsHeaders, sessionManager);
           }
           break;
         case "/api/rename":
           if (req.method === "POST") {
-            return handleRenameFileRequest(req, corsHeaders);
+            return handleRenameFileRequest(req, corsHeaders, sessionManager);
           }
           break;
         case "/api/move":
           if (req.method === "POST") {
-            return handleMoveFileRequest(req, corsHeaders);
+            return handleMoveFileRequest(req, corsHeaders, sessionManager);
+          }
+          break;
+        case "/api/list-files":
+          if (req.method === "POST") {
+            return handleListFilesRequest(req, corsHeaders, sessionManager);
           }
           break;
@@ -286,49 +242,38 @@ const server = serve({
         case "/api/process/start":
           if (req.method === "POST") {
-            return handleStartProcessRequest(processes, req, corsHeaders);
+            return handleStartProcessRequest(req, corsHeaders, sessionManager);
           }
           break;
         case "/api/process/list":
           if (req.method === "GET") {
-            return handleListProcessesRequest(processes, req, corsHeaders);
+            return handleListProcessesRequest(req, corsHeaders, sessionManager);
           }
           break;
         case "/api/process/kill-all":
           if (req.method === "DELETE") {
-            return handleKillAllProcessesRequest(processes, req, corsHeaders);
+            return handleKillAllProcessesRequest(
+              req,
+              corsHeaders,
+              sessionManager
+            );
           }
           break;
-        // Code interpreter endpoints
         case "/api/contexts":
           if (req.method === "POST") {
-            if (!jupyterInitialized) {
-              return new Response(
-                JSON.stringify({
-                  error: "Jupyter server is not ready. Please try again in a moment."
-                }),
-                {
-                  status: 503,
-                  headers: {
-                    "Content-Type": "application/json",
-                    ...corsHeaders,
-                  },
-                }
-              );
-            }
             try {
-              const body = await req.json() as CreateContextRequest;
-              const context = await jupyterServer.createContext(body);
+              const body = (await req.json()) as CreateContextRequest;
+              const context = await interpreterService.createContext(body);
               return new Response(
                 JSON.stringify({
                   id: context.id,
                   language: context.language,
                   cwd: context.cwd,
                   createdAt: context.createdAt,
-                  lastUsed: context.lastUsed
+                  lastUsed: context.lastUsed,
                 }),
                 {
                   headers: {
@@ -338,10 +283,62 @@ const server = serve({
                 }
               );
             } catch (error) {
+              if (error instanceof InterpreterNotReadyError) {
+                console.log(
+                  `[Container] Request timed out waiting for interpreter (${error.progress}% complete)`
+                );
+                return new Response(
+                  JSON.stringify({
+                    error: error.message,
+                    status: "initializing",
+                    progress: error.progress,
+                  }),
+                  {
+                    status: 503,
+                    headers: {
+                      "Content-Type": "application/json",
+                      "Retry-After": String(error.retryAfter),
+                      ...corsHeaders,
+                    },
+                  }
+                );
+              }
+              // Check if it's a circuit breaker error
+              if (
+                error instanceof Error &&
+                error.message.includes("Circuit breaker is open")
+              ) {
+                console.log(
+                  "[Container] Circuit breaker is open:",
+                  error.message
+                );
+                return new Response(
+                  JSON.stringify({
+                    error:
+                      "Service temporarily unavailable due to high error rate. Please try again later.",
+                    status: "circuit_open",
+                    details: error.message,
+                  }),
+                  {
+                    status: 503,
+                    headers: {
+                      "Content-Type": "application/json",
+                      "Retry-After": "60",
+                      ...corsHeaders,
+                    },
+                  }
+                );
+              }
+              // Only log actual errors with stack traces
               console.error("[Container] Error creating context:", error);
               return new Response(
                 JSON.stringify({
-                  error: error instanceof Error ? error.message : "Failed to create context"
+                  error:
+                    error instanceof Error
+                      ? error.message
+                      : "Failed to create context",
                 }),
                 {
                   status: 500,
@@ -353,54 +350,75 @@ const server = serve({
               );
             }
           } else if (req.method === "GET") {
-            if (!jupyterInitialized) {
-              return new Response(
-                JSON.stringify({ contexts: [] }),
-                {
-                  headers: {
-                    "Content-Type": "application/json",
-                    ...corsHeaders,
-                  },
-                }
-              );
-            }
-            const contexts = await jupyterServer.listContexts();
-            return new Response(
-              JSON.stringify({ contexts }),
-              {
-                headers: {
-                  "Content-Type": "application/json",
-                  ...corsHeaders,
-                },
-              }
-            );
+            const contexts = await interpreterService.listContexts();
+            return new Response(JSON.stringify({ contexts }), {
+              headers: {
+                "Content-Type": "application/json",
+                ...corsHeaders,
+              },
+            });
           }
           break;
         case "/api/execute/code":
           if (req.method === "POST") {
-            if (!jupyterInitialized) {
-              return new Response(
-                JSON.stringify({
-                  error: "Jupyter server is not ready. Please try again in a moment."
-                }),
-                {
-                  status: 503,
-                  headers: {
-                    "Content-Type": "application/json",
-                    ...corsHeaders,
-                  },
-                }
-              );
-            }
             try {
-              const body = await req.json() as { context_id: string; code: string; language?: string };
-              return await jupyterServer.executeCode(body.context_id, body.code, body.language);
+              const body = (await req.json()) as {
+                context_id: string;
+                code: string;
+                language?: string;
+              };
+              return await interpreterService.executeCode(
+                body.context_id,
+                body.code,
+                body.language
+              );
             } catch (error) {
-              console.error("[Container] Error executing code:", error);
+              // Check if it's a circuit breaker error
+              if (
+                error instanceof Error &&
+                error.message.includes("Circuit breaker is open")
+              ) {
+                console.log(
+                  "[Container] Circuit breaker is open for code execution:",
+                  error.message
+                );
+                return new Response(
+                  JSON.stringify({
+                    error:
+                      "Service temporarily unavailable due to high error rate. Please try again later.",
+                    status: "circuit_open",
+                    details: error.message,
+                  }),
+                  {
+                    status: 503,
+                    headers: {
+                      "Content-Type": "application/json",
+                      "Retry-After": "30",
+                      ...corsHeaders,
+                    },
+                  }
+                );
+              }
+              // Don't log stack traces for expected initialization state
+              if (
+                error instanceof Error &&
+                error.message.includes("initializing")
+              ) {
+                console.log(
+                  "[Container] Code execution deferred - service still initializing"
+                );
+              } else {
+                console.error("[Container] Error executing code:", error);
+              }
+              // Error response is already handled by service.executeCode for not ready state
               return new Response(
                 JSON.stringify({
-                  error: error instanceof Error ? error.message : "Failed to execute code"
+                  error:
+                    error instanceof Error
+                      ? error.message
+                      : "Failed to execute code",
                 }),
                 {
                   status: 500,
@@ -416,27 +434,54 @@ const server = serve({
         default:
           // Handle dynamic routes for contexts
-          if (pathname.startsWith("/api/contexts/") && pathname.split('/').length === 4) {
-            const contextId = pathname.split('/')[3];
+          if (
+            pathname.startsWith("/api/contexts/") &&
+            pathname.split("/").length === 4
+          ) {
+            const contextId = pathname.split("/")[3];
             if (req.method === "DELETE") {
               try {
-                await jupyterServer.deleteContext(contextId);
-                return new Response(
-                  JSON.stringify({ success: true }),
-                  {
-                    headers: {
-                      "Content-Type": "application/json",
-                      ...corsHeaders,
-                    },
-                  }
-                );
+                await interpreterService.deleteContext(contextId);
+                return new Response(JSON.stringify({ success: true }), {
+                  headers: {
+                    "Content-Type": "application/json",
+                    ...corsHeaders,
+                  },
+                });
               } catch (error) {
+                if (error instanceof InterpreterNotReadyError) {
+                  console.log(
+                    `[Container] Request timed out waiting for interpreter (${error.progress}% complete)`
+                  );
+                  return new Response(
+                    JSON.stringify({
+                      error: error.message,
+                      status: "initializing",
+                      progress: error.progress,
+                    }),
+                    {
+                      status: 503,
+                      headers: {
+                        "Content-Type": "application/json",
+                        "Retry-After": "5",
+                        ...corsHeaders,
+                      },
+                    }
+                  );
+                }
                 return new Response(
                   JSON.stringify({
-                    error: error instanceof Error ? error.message : "Failed to delete context"
+                    error:
+                      error instanceof Error
+                        ? error.message
+                        : "Failed to delete context",
                   }),
                   {
-                    status: error instanceof Error && error.message.includes("not found") ? 404 : 500,
+                    status:
+                      error instanceof Error &&
+                      error.message.includes("not found")
+                        ? 404
+                        : 500,
                     headers: {
                       "Content-Type": "application/json",
                       ...corsHeaders,
@@ -446,22 +491,42 @@ const server = serve({
               }
             }
           }
           // Handle dynamic routes for individual processes
           if (pathname.startsWith("/api/process/")) {
-            const segments = pathname.split('/');
+            const segments = pathname.split("/");
             if (segments.length >= 4) {
               const processId = segments[3];
               const action = segments[4]; // Optional: logs, stream, etc.
               if (!action && req.method === "GET") {
-                return handleGetProcessRequest(processes, req, corsHeaders, processId);
+                return handleGetProcessRequest(
+                  req,
+                  corsHeaders,
+                  processId,
+                  sessionManager
+                );
               } else if (!action && req.method === "DELETE") {
-                return handleKillProcessRequest(processes, req, corsHeaders, processId);
+                return handleKillProcessRequest(
+                  req,
+                  corsHeaders,
+                  processId,
+                  sessionManager
+                );
               } else if (action === "logs" && req.method === "GET") {
-                return handleGetProcessLogsRequest(processes, req, corsHeaders, processId);
+                return handleGetProcessLogsRequest(
+                  req,
+                  corsHeaders,
+                  processId,
+                  sessionManager
+                );
               } else if (action === "stream" && req.method === "GET") {
-                return handleStreamProcessLogsRequest(processes, req, corsHeaders, processId);
+                return handleStreamProcessLogsRequest(
+                  req,
+                  corsHeaders,
+                  processId,
+                  sessionManager
+                );
               }
             }
           }
@@ -477,7 +542,10 @@ const server = serve({
           });
       }
     } catch (error) {
-      console.error(`[Container] Error handling ${req.method} ${pathname}:`, error);
+      console.error(
+        `[Container] Error handling ${req.method} ${pathname}:`,
+        error
+      );
       return new Response(
         JSON.stringify({
           error: "Internal server error",
@@ -496,7 +564,7 @@ const server = serve({
   hostname: "0.0.0.0",
   port: 3000,
   // We don't need this, but typescript complains
-  websocket: { async message() { } },
+  websocket: { async message() {} },
 });
 console.log(`🚀 Bun server running on http://0.0.0.0:${server.port}`);
@@ -509,6 +577,7 @@ console.log(`   POST /api/git/checkout - Checkout a git repository`);
 console.log(`   POST /api/mkdir - Create a directory`);
 console.log(`   POST /api/write - Write a file`);
 console.log(`   POST /api/read - Read a file`);
+console.log(`   POST /api/read/stream - Stream a file (SSE)`);
 console.log(`   POST /api/delete - Delete a file`);
 console.log(`   POST /api/rename - Rename a file`);
 console.log(`   POST /api/move - Move a file`);
@@ -526,6 +595,7 @@ console.log(`   GET  /proxy/{port}/* - Proxy requests to exposed ports`);
 console.log(`   POST /api/contexts - Create a code execution context`);
 console.log(`   GET  /api/contexts - List all contexts`);
 console.log(`   DELETE /api/contexts/{id} - Delete a context`);
-console.log(`   POST /api/execute/code - Execute code in a context (streaming)`);
+console.log(
+  `   POST /api/execute/code - Execute code in a context (streaming)`
+);
 console.log(`   GET  /api/ping - Health check`);
-console.log(`   GET  /api/commands - List available commands`);