@cloudflare/sandbox 0.10.2 → 0.10.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (15) hide show
  1. package/Dockerfile +51 -20
  2. package/README.md +0 -2
  3. package/dist/bridge/index.js +1 -1
  4. package/dist/index.d.ts +1 -1
  5. package/dist/index.js +1 -1
  6. package/dist/openai/index.d.ts +1 -1
  7. package/dist/opencode/index.d.ts +1 -1
  8. package/dist/opencode/index.d.ts.map +1 -1
  9. package/dist/{sandbox-BcEq4aUF.js → sandbox-B-MUmsli.js} +228 -89
  10. package/dist/sandbox-B-MUmsli.js.map +1 -0
  11. package/dist/{sandbox-KdzTTnWq.d.ts → sandbox-CwcSm_60.d.ts} +59 -32
  12. package/dist/sandbox-CwcSm_60.d.ts.map +1 -0
  13. package/package.json +2 -2
  14. package/dist/sandbox-BcEq4aUF.js.map +0 -1
  15. package/dist/sandbox-KdzTTnWq.d.ts.map +0 -1
package/Dockerfile CHANGED
@@ -2,9 +2,53 @@
2
2
  ARG BUN_VERSION=1
3
3
  # Node version — override via --build-arg NODE_VERSION=24
4
4
  ARG NODE_VERSION=24
5
+ # cloudflared release — shared across glibc and musl image variants.
6
+ # Bump this together with the architecture-specific checksums below.
7
+ ARG CLOUDFLARED_VERSION=2026.3.0
5
8
  FROM oven/bun:${BUN_VERSION} AS bun-binary
6
9
  FROM node:${NODE_VERSION}-slim AS node-runtime
7
10
 
11
+ # ============================================================================
12
+ # cloudflared (Cloudflare Tunnel daemon) — enables sandbox.tunnels.*
13
+ # Version pin lives at the top of this Dockerfile as a global ARG, shared
14
+ # by every image variant so they ship the same release.
15
+ # ============================================================================
16
+ FROM alpine:3.21 AS cloudflared-binary
17
+
18
+ ARG TARGETARCH
19
+ ARG CLOUDFLARED_VERSION
20
+ ARG CLOUDFLARED_SHA256_AMD64=4a9e50e6d6d798e90fcd01933151a90bf7edd99a0a55c28ad18f2e16263a5c30
21
+ ARG CLOUDFLARED_SHA256_ARM64=0755ba4cbab59980e6148367fcf53a8f3ec85a97deefd63c2420cf7850769bee
22
+
23
+ # Inject the host's extra CA bundle when downloading behind a TLS-intercepting
24
+ # proxy (e.g. Cloudflare WARP / Zero Trust). No-op when the secret isn't passed.
25
+ RUN --mount=type=secret,id=wrangler_ca \
26
+ if [ -f /run/secrets/wrangler_ca ] && [ -s /run/secrets/wrangler_ca ]; then \
27
+ cat /run/secrets/wrangler_ca >> /etc/ssl/certs/ca-certificates.crt; \
28
+ mkdir -p /usr/local/share/ca-certificates && \
29
+ cp /run/secrets/wrangler_ca /usr/local/share/ca-certificates/wrangler-dev-ca.crt; \
30
+ fi && \
31
+ apk add --no-cache ca-certificates curl && \
32
+ if [ -f /usr/local/share/ca-certificates/wrangler-dev-ca.crt ]; then \
33
+ update-ca-certificates; \
34
+ fi
35
+
36
+ RUN set -eux; \
37
+ arch="${TARGETARCH:-}"; \
38
+ if [ -z "$arch" ]; then \
39
+ arch="$(apk --print-arch)"; \
40
+ fi; \
41
+ case "$arch" in \
42
+ amd64|x86_64) suffix=amd64; sha="${CLOUDFLARED_SHA256_AMD64}" ;; \
43
+ arm64|aarch64) suffix=arm64; sha="${CLOUDFLARED_SHA256_ARM64}" ;; \
44
+ *) echo "Unsupported arch for cloudflared: $arch" >&2; exit 1 ;; \
45
+ esac; \
46
+ url="https://github.com/cloudflare/cloudflared/releases/download/${CLOUDFLARED_VERSION}/cloudflared-linux-${suffix}"; \
47
+ curl -fsSL -o /cloudflared "$url"; \
48
+ echo "$sha /cloudflared" | sha256sum -c -; \
49
+ chmod +x /cloudflared; \
50
+ /cloudflared --version
51
+
8
52
  # Sandbox container images (default and python variants)
9
53
  # Multi-stage build optimized for Turborepo monorepo
10
54
 
@@ -152,26 +196,8 @@ COPY --from=builder /app/packages/sandbox-container/dist/runtime/executors/javas
152
196
  # Users with custom startup scripts that call `bun /container-server/dist/index.js` need this
153
197
  COPY --from=builder /app/packages/sandbox-container/dist/index.js ./dist/
154
198
 
155
- # ============================================================================
156
- # cloudflared (Cloudflare Tunnel daemon) — enables sandbox.tunnels.*
157
- # Pinned version with sha256 verification per architecture.
158
- # Skipped in the musl/Alpine stage (no musl prebuilt).
159
- # ============================================================================
160
- ARG CLOUDFLARED_VERSION=2026.3.0
161
- ARG CLOUDFLARED_SHA256_AMD64=4a9e50e6d6d798e90fcd01933151a90bf7edd99a0a55c28ad18f2e16263a5c30
162
- ARG CLOUDFLARED_SHA256_ARM64=0755ba4cbab59980e6148367fcf53a8f3ec85a97deefd63c2420cf7850769bee
163
- RUN set -eux; \
164
- arch="$(dpkg --print-architecture)"; \
165
- case "$arch" in \
166
- amd64) suffix=amd64; sha="${CLOUDFLARED_SHA256_AMD64}" ;; \
167
- arm64) suffix=arm64; sha="${CLOUDFLARED_SHA256_ARM64}" ;; \
168
- *) echo "Unsupported arch for cloudflared: $arch" >&2; exit 1 ;; \
169
- esac; \
170
- url="https://github.com/cloudflare/cloudflared/releases/download/${CLOUDFLARED_VERSION}/cloudflared-linux-${suffix}"; \
171
- curl -fsSL -o /usr/local/bin/cloudflared "$url"; \
172
- echo "$sha /usr/local/bin/cloudflared" | sha256sum -c -; \
173
- chmod +x /usr/local/bin/cloudflared; \
174
- cloudflared --version
199
+ COPY --from=cloudflared-binary /cloudflared /usr/local/bin/cloudflared
200
+ RUN cloudflared --version
175
201
 
176
202
  # Inject the host's extra CA bundle when running locally behind a TLS-
177
203
  # intercepting proxy (e.g. Cloudflare WARP / Zero Trust). See
@@ -338,6 +364,11 @@ RUN apk add --no-cache bash file git curl libstdc++ libgcc s3fs-fuse fuse
338
364
 
339
365
  RUN sed -i 's/#user_allow_other/user_allow_other/' /etc/fuse.conf
340
366
 
367
+ # The Alpine variant uses the same cloudflared release asset as the glibc
368
+ # variants. It is a static binary that runs on musl without gcompat.
369
+ COPY --from=cloudflared-binary /cloudflared /usr/local/bin/cloudflared
370
+ RUN cloudflared --version
371
+
341
372
  COPY --from=builder /app/packages/sandbox-container/dist/sandbox-musl /container-server/sandbox
342
373
 
343
374
  WORKDIR /container-server
package/README.md CHANGED
@@ -137,8 +137,6 @@ Notes:
137
137
  seconds while DNS propagates, even after `get()` resolves.
138
138
  - `*.trycloudflare.com` buffers `text/event-stream` responses.
139
139
  WebSockets work fine.
140
- - The musl/Alpine image variant does not ship cloudflared (no upstream
141
- musl prebuilt); `sandbox.tunnels` is unavailable on that variant.
142
140
  - Local builds behind a TLS-intercepting proxy (e.g. Cloudflare WARP)
143
141
  need the host CA bundle injected at build time — see
144
142
  [DOCKER_README.md](../../DOCKER_README.md).
package/dist/bridge/index.js CHANGED
@@ -1,6 +1,6 @@
1
1
  import "../dist-B_eXrP83.js";
2
2
  import "../errors-8Hvune8K.js";
3
- import { h as streamFile, n as getSandbox } from "../sandbox-BcEq4aUF.js";
3
+ import { h as streamFile, n as getSandbox } from "../sandbox-B-MUmsli.js";
4
4
  import { DurableObject, env } from "cloudflare:workers";
5
5
  import { Hono } from "hono";
6
6
 
package/dist/index.d.ts CHANGED
@@ -1,4 +1,4 @@
1
- import { $ as StartProcessRequest, A as DesktopStopResponse, At as ProcessOptions, B as ExecuteResponse, Bt as WaitForPortOptions, C as ClickOptions, Ct as PortListResult, D as DesktopStartOptions, Dt as ProcessKillResult, E as DesktopClient, Et as ProcessInfoResult, F as ScreenshotRegion, Ft as SandboxOptions, G as HttpClientOptions, Gt as PtyOptions, H as BaseApiResponse, Ht as isExecResult, I as ScreenshotResponse, It as SandboxTransport, J as SessionRequest, Jt as Execution, K as RequestConfig, Kt as CodeContext, L as ScrollDirection, Lt as SessionOptions, M as ScreenSizeResponse, Mt as ProcessStatus, N as ScreenshotBytesResponse, Nt as RemoteMountBucketOptions, O as DesktopStartResponse, Ot as ProcessListResult, P as ScreenshotOptions, Pt as RestoreBackupResult, Q as ExposePortRequest, R as TypeOptions, Rt as StreamOptions, S as WriteFileRequest, St as PortExposeResult, T as Desktop, Tt as ProcessCleanupResult, U as ContainerStub, Ut as isProcess, V as BackupClient, Vt as WatchOptions, W as ErrorResponse, Wt as isProcessStatus, X as TunnelInfo, Xt as RunCodeOptions, Y as SandboxInterpreterAPI, Yt as ExecutionResult, Z as ExecuteRequest, _ as GitClient, _t as ListFilesOptions, a as CreateSessionRequest, at as CheckChangesResult, b as MkdirRequest, bt as MountBucketOptions, c as DeleteSessionResponse, ct as ExecOptions, d as ProcessClient, dt as FileChunk, et as BackupOptions, f as PortClient, ft as FileMetadata, g as GitCheckoutRequest, gt as ISandbox, h as InterpreterClient, ht as GitCheckoutResult, i as CommandsResponse, it as CheckChangesOptions, j as KeyInput, jt as ProcessStartResult, k as DesktopStatusResponse, kt as ProcessLogsResult, l as PingResponse, lt as ExecResult, m as ExecutionCallbacks, mt as FileWatchSSEEvent, n as getSandbox, nt as BucketCredentials, o as CreateSessionResponse, ot as DirectoryBackup, p as UnexposePortRequest, pt as FileStreamEvent, q as ResponseHandler, qt as CreateContextOptions, r as SandboxClient, rt as BucketProvider, s as DeleteSessionRequest, st as ExecEvent, t as Sandbox, tt as BaseExecOptions, u as UtilityClient, ut as ExecutionSession, v as FileClient, vt as LocalMountBucketOptions, w as CursorPositionResponse, wt as Process, x as ReadFileRequest, xt as PortCloseResult, y as FileOperationRequest, yt as LogEvent, z as CommandClient, zt as WaitForLogResult } from "./sandbox-KdzTTnWq.js";
1
+ import { $ as StartProcessRequest, A as DesktopStopResponse, At as ProcessOptions, B as ExecuteResponse, Bt as WaitForPortOptions, C as ClickOptions, Ct as PortListResult, D as DesktopStartOptions, Dt as ProcessKillResult, E as DesktopClient, Et as ProcessInfoResult, F as ScreenshotRegion, Ft as SandboxOptions, G as HttpClientOptions, Gt as PtyOptions, H as BaseApiResponse, Ht as isExecResult, I as ScreenshotResponse, It as SandboxTransport, J as SessionRequest, Jt as Execution, K as RequestConfig, Kt as CodeContext, L as ScrollDirection, Lt as SessionOptions, M as ScreenSizeResponse, Mt as ProcessStatus, N as ScreenshotBytesResponse, Nt as RemoteMountBucketOptions, O as DesktopStartResponse, Ot as ProcessListResult, P as ScreenshotOptions, Pt as RestoreBackupResult, Q as ExposePortRequest, R as TypeOptions, Rt as StreamOptions, S as WriteFileRequest, St as PortExposeResult, T as Desktop, Tt as ProcessCleanupResult, U as ContainerStub, Ut as isProcess, V as BackupClient, Vt as WatchOptions, W as ErrorResponse, Wt as isProcessStatus, X as TunnelInfo, Xt as RunCodeOptions, Y as SandboxInterpreterAPI, Yt as ExecutionResult, Z as ExecuteRequest, _ as GitClient, _t as ListFilesOptions, a as CreateSessionRequest, at as CheckChangesResult, b as MkdirRequest, bt as MountBucketOptions, c as DeleteSessionResponse, ct as ExecOptions, d as ProcessClient, dt as FileChunk, et as BackupOptions, f as PortClient, ft as FileMetadata, g as GitCheckoutRequest, gt as ISandbox, h as InterpreterClient, ht as GitCheckoutResult, i as CommandsResponse, it as CheckChangesOptions, j as KeyInput, jt as ProcessStartResult, k as DesktopStatusResponse, kt as ProcessLogsResult, l as PingResponse, lt as ExecResult, m as ExecutionCallbacks, mt as FileWatchSSEEvent, n as getSandbox, nt as BucketCredentials, o as CreateSessionResponse, ot as DirectoryBackup, p as UnexposePortRequest, pt as FileStreamEvent, q as ResponseHandler, qt as CreateContextOptions, r as SandboxClient, rt as BucketProvider, s as DeleteSessionRequest, st as ExecEvent, t as Sandbox, tt as BaseExecOptions, u as UtilityClient, ut as ExecutionSession, v as FileClient, vt as LocalMountBucketOptions, w as CursorPositionResponse, wt as Process, x as ReadFileRequest, xt as PortCloseResult, y as FileOperationRequest, yt as LogEvent, z as CommandClient, zt as WaitForLogResult } from "./sandbox-CwcSm_60.js";
2
2
  import { a as DesktopCoordinateErrorContext, d as RPCTransportContext, f as RPCTransportErrorKind, g as ErrorCode, h as OperationType, i as BackupRestoreContext, l as ProcessExitedBeforeReadyContext, m as ErrorResponse$1, n as BackupExpiredContext, o as DesktopErrorContext, p as SessionTerminatedContext, r as BackupNotFoundContext, s as InvalidBackupConfigContext, t as BackupCreateContext, u as ProcessReadyTimeoutContext } from "./contexts-D_shbnJs.js";
3
3
  import { ContainerProxy } from "@cloudflare/containers";
4
4
 
package/dist/index.js CHANGED
@@ -1,6 +1,6 @@
1
1
  import { a as isExecResult, o as isProcess, s as isProcessStatus } from "./dist-B_eXrP83.js";
2
2
  import "./errors-8Hvune8K.js";
3
- import { A as DesktopInvalidOptionsError, C as CommandClient, D as BackupNotFoundError, E as BackupExpiredError, F as InvalidBackupConfigError, I as ProcessExitedBeforeReadyError, L as ProcessReadyTimeoutError, M as DesktopProcessCrashedError, N as DesktopStartFailedError, O as BackupRestoreError, P as DesktopUnavailableError, R as RPCTransportError, S as DesktopClient, T as BackupCreateError, _ as UtilityClient, a as BucketMountError, b as GitClient, c as MissingCredentialsError, d as parseSSEStream, f as responseToAsyncIterable, g as SandboxClient, h as streamFile, i as proxyTerminal, j as DesktopNotStartedError, k as DesktopInvalidCoordinatesError, l as S3FSMountError, m as collectFile, n as getSandbox, o as BucketUnmountError, p as CodeInterpreter, r as proxyToSandbox, s as InvalidMountConfigError, t as Sandbox, u as asyncIterableToSSEStream, v as ProcessClient, w as BackupClient, x as FileClient, y as PortClient, z as SessionTerminatedError } from "./sandbox-BcEq4aUF.js";
3
+ import { A as DesktopInvalidOptionsError, C as CommandClient, D as BackupNotFoundError, E as BackupExpiredError, F as InvalidBackupConfigError, I as ProcessExitedBeforeReadyError, L as ProcessReadyTimeoutError, M as DesktopProcessCrashedError, N as DesktopStartFailedError, O as BackupRestoreError, P as DesktopUnavailableError, R as RPCTransportError, S as DesktopClient, T as BackupCreateError, _ as UtilityClient, a as BucketMountError, b as GitClient, c as MissingCredentialsError, d as parseSSEStream, f as responseToAsyncIterable, g as SandboxClient, h as streamFile, i as proxyTerminal, j as DesktopNotStartedError, k as DesktopInvalidCoordinatesError, l as S3FSMountError, m as collectFile, n as getSandbox, o as BucketUnmountError, p as CodeInterpreter, r as proxyToSandbox, s as InvalidMountConfigError, t as Sandbox, u as asyncIterableToSSEStream, v as ProcessClient, w as BackupClient, x as FileClient, y as PortClient, z as SessionTerminatedError } from "./sandbox-B-MUmsli.js";
4
4
  import { ContainerProxy } from "@cloudflare/containers";
5
5
 
6
6
  export { BackupClient, BackupCreateError, BackupExpiredError, BackupNotFoundError, BackupRestoreError, BucketMountError, BucketUnmountError, CodeInterpreter, CommandClient, ContainerProxy, DesktopClient, DesktopInvalidCoordinatesError, DesktopInvalidOptionsError, DesktopNotStartedError, DesktopProcessCrashedError, DesktopStartFailedError, DesktopUnavailableError, FileClient, GitClient, InvalidBackupConfigError, InvalidMountConfigError, MissingCredentialsError, PortClient, ProcessClient, ProcessExitedBeforeReadyError, ProcessReadyTimeoutError, RPCTransportError, S3FSMountError, Sandbox, SandboxClient, SessionTerminatedError, UtilityClient, asyncIterableToSSEStream, collectFile, getSandbox, isExecResult, isProcess, isProcessStatus, parseSSEStream, proxyTerminal, proxyToSandbox, responseToAsyncIterable, streamFile };
package/dist/openai/index.d.ts CHANGED
@@ -1,4 +1,4 @@
1
- import { t as Sandbox } from "../sandbox-KdzTTnWq.js";
1
+ import { t as Sandbox } from "../sandbox-CwcSm_60.js";
2
2
  import { ApplyPatchOperation, ApplyPatchResult, Editor as Editor$1, Shell as Shell$1, ShellAction, ShellResult } from "@openai/agents";
3
3
 
4
4
  //#region src/openai/index.d.ts
package/dist/opencode/index.d.ts CHANGED
@@ -1,4 +1,4 @@
1
- import { t as Sandbox } from "../sandbox-KdzTTnWq.js";
1
+ import { t as Sandbox } from "../sandbox-CwcSm_60.js";
2
2
  import { c as OpencodeStartupContext } from "../contexts-D_shbnJs.js";
3
3
  import { OpencodeClient } from "@opencode-ai/sdk/v2/client";
4
4
  import { Config } from "@opencode-ai/sdk/v2";
package/dist/opencode/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","names":[],"sources":["../../src/opencode/types.ts","../../src/opencode/opencode.ts"],"sourcesContent":[],"mappings":";;;;;;;;;AAOiB,UAAA,eAAA,CAMN;EAQM;EAaA,IAAA,CAAA,EAAA,MAAA;EAAyB;EAEhC,SAAA,CAAA,EAAA,MAAA;EAEA;EAAc,MAAA,CAAA,EAzBb,MAyBa;EAMX;EAEc,GAAA,CAAA,EA/BnB,MA+BmB,CAAA,MAAA,EAAA,MAAA,CAAA;;;;;UAzBV,cAAA;;;ECsSK;EACX,GAAA,EAAA,MAAA;EACC;EACD,KAAA,EAAA,EDnSA,OCmSA,CAAA,IAAA,CAAA;;;AAqEX;;;AAEY,UDnWK,cCmWL,CAAA,UDnW8B,cCmW9B,CAAA,CAAA;EACc;EAAf,MAAA,EDlWD,OCkWC;EAAR;EAAO,MAAA,EDhWA,cCgWA;AA0BV;;;;AAIW,cDxXE,oBAAA,SAA6B,KAAA,CCwX/B;EAAR,SAAA,IAAA,EAAA,yBAAA;EAAO,SAAA,OAAA,EDtXiB,sBCsXjB;EAmDM,WAAA,CAAA,OAAe,EAAA,MAAA,EAAA,OAAA,EDralB,sBCqakB,EAAA,OAAA,CAAA,EDpajB,YCoaiB;;;;;;;ADhd/B;AAcA;AAaA;;;;;AAUA;;;;;;;;;AC+QA;;;;;;AAwEA;;;;;;;;AA6BA;;;;;;;AAuDA;;;;;;AAIc,iBAhKQ,oBAAA,CAgKR,OAAA,EA/JH,OA+JG,CAAA,OAAA,CAAA,EAAA,OAAA,CAAA,EA9JF,eA8JE,CAAA,EA7JX,OA6JW,CA7JH,cA6JG,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAxFQ,yBAAyB,yBACpC,4BACC,kBACT,QAAQ,eAAe;;;;;;;;iBA0BV,qBAAA,UACL,kBACA,0BACD,iBACP,QAAQ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAmDK,eAAA,UACL,kBACA,0BACD,iBACP,WAAW,QAAQ"}
1
+ {"version":3,"file":"index.d.ts","names":[],"sources":["../../src/opencode/types.ts","../../src/opencode/opencode.ts"],"sourcesContent":[],"mappings":";;;;;;;;;AAOiB,UAAA,eAAA,CAAe;EAcf;EAaA,IAAA,CAAA,EAAA,MAAA;EAAyB;EAEhC,SAAA,CAAA,EAAA,MAAA;EAEA;EAAc,MAAA,CAAA,EAzBb,MAyBa;EAMX;EAEc,GAAA,CAAA,EA/BnB,MA+BmB,CAAA,MAAA,EAAA,MAAA,CAAA;;;;;UAzBV,cAAA;;;ECsSK;EACX,GAAA,EAAA,MAAA;EACC;EACD,KAAA,EAAA,EDnSA,OCmSA,CAAA,IAAA,CAAA;;;AAqEX;;;AAEY,UDnWK,cCmWL,CAAA,UDnW8B,cCmW9B,CAAA,CAAA;EACc;EAAf,MAAA,EDlWD,OCkWC;EAAR;EAAO,MAAA,EDhWA,cCgWA;AA0BV;;;;AAIW,cDxXE,oBAAA,SAA6B,KAAA,CCwX/B;EAAR,SAAA,IAAA,EAAA,yBAAA;EAAO,SAAA,OAAA,EDtXiB,sBCsXjB;EAmDM,WAAA,CAAA,OAAe,EAAA,MAAA,EAAA,OAAA,EDralB,sBCqakB,EAAA,OAAA,CAAA,EDpajB,YCoaiB;;;;;;;ADhd/B;AAcA;AAaA;;;;;AAUA;;;;;;;;;AC+QA;;;;;;AAwEA;;;;;;;;AA6BA;;;;;;;AAuDA;;;;;;AAIc,iBAhKQ,oBAAA,CAgKR,OAAA,EA/JH,OA+JG,CAAA,OAAA,CAAA,EAAA,OAAA,CAAA,EA9JF,eA8JE,CAAA,EA7JX,OA6JW,CA7JH,cA6JG,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAxFQ,yBAAyB,yBACpC,4BACC,kBACT,QAAQ,eAAe;;;;;;;;iBA0BV,qBAAA,UACL,kBACA,0BACD,iBACP,QAAQ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAmDK,eAAA,UACL,kBACA,0BACD,iBACP,WAAW,QAAQ"}