@cloudflare/sandbox 0.10.3 → 0.12.0

package/dist/{sandbox-B-MUmsli.js → sandbox-Duj2gvUC.js}

@@ -1,6 +1,6 @@
 import { _ as GitLogger, b as getEnvString, c as parseSSEFrames, d as createNoOpLogger, f as TraceContext, g as DEFAULT_GIT_CLONE_TIMEOUT_MS, h as ResultImpl, i as isWSStreamChunk, l as shellEscape, m as Execution, n as isWSError, p as logCanonicalEvent, r as isWSResponse, t as generateRequestId, u as createLogger, v as extractRepoName, x as partitionEnvVars, y as filterEnvVars } from "./dist-B_eXrP83.js";
-import { n as getHttpStatus, r as ErrorCode, t as getSuggestion } from "./errors-8Hvune8K.js";
-import { Container, getContainer, switchPort } from "@cloudflare/containers";
+import { n as getHttpStatus, r as ErrorCode, t as getSuggestion } from "./errors-aRUdk9K8.js";
+import { Container, ContainerProxy, getContainer, switchPort } from "@cloudflare/containers";
 import { AwsClient } from "aws4fetch";
 import { RpcSession, RpcTarget } from "capnweb";
 import path from "node:path/posix";
@@ -231,7 +231,7 @@ var SessionTerminatedError = class extends SandboxError {
 	}
 };
 /**
-* Error thrown when a port is already exposed
+* Compatibility error for legacy port exposure registry responses.
 */
 var PortAlreadyExposedError = class extends SandboxError {
 	constructor(errorResponse) {
@@ -246,7 +246,7 @@ var PortAlreadyExposedError = class extends SandboxError {
 	}
 };
 /**
-* Error thrown when a port is not exposed
+* Compatibility error for legacy port exposure registry responses.
 */
 var PortNotExposedError = class extends SandboxError {
 	constructor(errorResponse) {
@@ -629,42 +629,6 @@ var BackupRestoreError = class extends SandboxError {
 		return this.context.backupId;
 	}
 };
-var DesktopNotStartedError = class extends SandboxError {
-	constructor(errorResponse) {
-		super(errorResponse);
-		this.name = "DesktopNotStartedError";
-	}
-};
-var DesktopStartFailedError = class extends SandboxError {
-	constructor(errorResponse) {
-		super(errorResponse);
-		this.name = "DesktopStartFailedError";
-	}
-};
-var DesktopUnavailableError = class extends SandboxError {
-	constructor(errorResponse) {
-		super(errorResponse);
-		this.name = "DesktopUnavailableError";
-	}
-};
-var DesktopProcessCrashedError = class extends SandboxError {
-	constructor(errorResponse) {
-		super(errorResponse);
-		this.name = "DesktopProcessCrashedError";
-	}
-};
-var DesktopInvalidOptionsError = class extends SandboxError {
-	constructor(errorResponse) {
-		super(errorResponse);
-		this.name = "DesktopInvalidOptionsError";
-	}
-};
-var DesktopInvalidCoordinatesError = class extends SandboxError {
-	constructor(errorResponse) {
-		super(errorResponse);
-		this.name = "DesktopInvalidCoordinatesError";
-	}
-};
 /**
 * Raised when the capnweb WebSocket session itself fails on the SDK side.
 * Unlike the rest of the SandboxError tree, the container never produces
@@ -746,12 +710,6 @@ function createErrorFromResponse(errorResponse, options) {
 		case ErrorCode.INTERPRETER_NOT_READY: return new InterpreterNotReadyError(errorResponse);
 		case ErrorCode.CONTEXT_NOT_FOUND: return new ContextNotFoundError(errorResponse);
 		case ErrorCode.CODE_EXECUTION_ERROR: return new CodeExecutionError(errorResponse);
-		case ErrorCode.DESKTOP_NOT_STARTED: return new DesktopNotStartedError(errorResponse);
-		case ErrorCode.DESKTOP_START_FAILED: return new DesktopStartFailedError(errorResponse);
-		case ErrorCode.DESKTOP_UNAVAILABLE: return new DesktopUnavailableError(errorResponse);
-		case ErrorCode.DESKTOP_PROCESS_CRASHED: return new DesktopProcessCrashedError(errorResponse);
-		case ErrorCode.DESKTOP_INVALID_OPTIONS: return new DesktopInvalidOptionsError(errorResponse);
-		case ErrorCode.DESKTOP_INVALID_COORDINATES: return new DesktopInvalidCoordinatesError(errorResponse);
 		case ErrorCode.RPC_TRANSPORT_ERROR: return new RPCTransportError(errorResponse, options);
 		case ErrorCode.VALIDATION_FAILED: return new ValidationFailedError(errorResponse);
 		case ErrorCode.INVALID_JSON_RESPONSE:
@@ -1590,21 +1548,21 @@ var BaseHttpClient = class {
 			body: JSON.stringify(data),
 			...requestOptions
 		});
-		return this.handleResponse(response, responseHandler);
+		return await this.handleResponse(response, responseHandler);
 	}
 	/**
 	* Make a GET request
 	*/
 	async get(endpoint, responseHandler) {
 		const response = await this.doFetch(endpoint, { method: "GET" });
-		return this.handleResponse(response, responseHandler);
+		return await this.handleResponse(response, responseHandler);
 	}
 	/**
 	* Make a DELETE request
 	*/
 	async delete(endpoint, responseHandler) {
 		const response = await this.doFetch(endpoint, { method: "DELETE" });
-		return this.handleResponse(response, responseHandler);
+		return await this.handleResponse(response, responseHandler);
 	}
 	/**
 	* Handle HTTP response with error checking and parsing
@@ -1673,7 +1631,7 @@ var BaseHttpClient = class {
 			headers: { "Content-Type": "application/json" },
 			body: body && method === "POST" ? JSON.stringify(body) : void 0
 		});
-		return this.handleStreamResponse(response);
+		return await this.handleStreamResponse(response);
 	}
 };
 
@@ -1782,240 +1740,6 @@ var CommandClient = class extends BaseHttpClient {
 	}
 };
 
-//#endregion
-//#region src/clients/desktop-client.ts
-/**
-* Decode a base64-encoded screenshot payload into a Uint8Array.
-* Shared with the RPC client wrapper, which receives base64 over the
-* wire and needs the same `format: 'bytes'` convenience.
-*/
-function base64ToBytes(data) {
-	const binaryString = atob(data);
-	const bytes = new Uint8Array(binaryString.length);
-	for (let i = 0; i < binaryString.length; i++) bytes[i] = binaryString.charCodeAt(i);
-	return bytes;
-}
-/**
-* Client for desktop environment lifecycle, input, and screen operations
-*/
-var DesktopClient = class extends BaseHttpClient {
-	/**
-	* Start the desktop environment with optional resolution and DPI.
-	*/
-	async start(options) {
-		try {
-			const data = {
-				...options?.resolution !== void 0 && { resolution: options.resolution },
-				...options?.dpi !== void 0 && { dpi: options.dpi }
-			};
-			return await this.post("/api/desktop/start", data);
-		} catch (error) {
-			this.options.onError?.(error instanceof Error ? error.message : String(error));
-			throw error;
-		}
-	}
-	/**
-	* Stop the desktop environment and all related processes.
-	*/
-	async stop() {
-		try {
-			return await this.post("/api/desktop/stop", {});
-		} catch (error) {
-			this.options.onError?.(error instanceof Error ? error.message : String(error));
-			throw error;
-		}
-	}
-	/**
-	* Get desktop lifecycle and process health status.
-	*/
-	async status() {
-		return await this.get("/api/desktop/status");
-	}
-	async screenshot(options) {
-		const wantsBytes = options?.format === "bytes";
-		const data = {
-			format: "base64",
-			...options?.imageFormat !== void 0 && { imageFormat: options.imageFormat },
-			...options?.quality !== void 0 && { quality: options.quality },
-			...options?.showCursor !== void 0 && { showCursor: options.showCursor }
-		};
-		const response = await this.post("/api/desktop/screenshot", data);
-		if (wantsBytes) return {
-			...response,
-			data: base64ToBytes(response.data)
-		};
-		return response;
-	}
-	async screenshotRegion(region, options) {
-		const wantsBytes = options?.format === "bytes";
-		const data = {
-			region,
-			format: "base64",
-			...options?.imageFormat !== void 0 && { imageFormat: options.imageFormat },
-			...options?.quality !== void 0 && { quality: options.quality },
-			...options?.showCursor !== void 0 && { showCursor: options.showCursor }
-		};
-		const response = await this.post("/api/desktop/screenshot/region", data);
-		if (wantsBytes) return {
-			...response,
-			data: base64ToBytes(response.data)
-		};
-		return response;
-	}
-	/**
-	* Single-click at the given coordinates.
-	*/
-	async click(x, y, options) {
-		await this.post("/api/desktop/mouse/click", {
-			x,
-			y,
-			button: options?.button ?? "left",
-			clickCount: 1
-		});
-	}
-	/**
-	* Double-click at the given coordinates.
-	*/
-	async doubleClick(x, y, options) {
-		await this.post("/api/desktop/mouse/click", {
-			x,
-			y,
-			button: options?.button ?? "left",
-			clickCount: 2
-		});
-	}
-	/**
-	* Triple-click at the given coordinates.
-	*/
-	async tripleClick(x, y, options) {
-		await this.post("/api/desktop/mouse/click", {
-			x,
-			y,
-			button: options?.button ?? "left",
-			clickCount: 3
-		});
-	}
-	/**
-	* Right-click at the given coordinates.
-	*/
-	async rightClick(x, y) {
-		await this.post("/api/desktop/mouse/click", {
-			x,
-			y,
-			button: "right",
-			clickCount: 1
-		});
-	}
-	/**
-	* Middle-click at the given coordinates.
-	*/
-	async middleClick(x, y) {
-		await this.post("/api/desktop/mouse/click", {
-			x,
-			y,
-			button: "middle",
-			clickCount: 1
-		});
-	}
-	/**
-	* Press and hold a mouse button.
-	*/
-	async mouseDown(x, y, options) {
-		await this.post("/api/desktop/mouse/down", {
-			...x !== void 0 && { x },
-			...y !== void 0 && { y },
-			button: options?.button ?? "left"
-		});
-	}
-	/**
-	* Release a held mouse button.
-	*/
-	async mouseUp(x, y, options) {
-		await this.post("/api/desktop/mouse/up", {
-			...x !== void 0 && { x },
-			...y !== void 0 && { y },
-			button: options?.button ?? "left"
-		});
-	}
-	/**
-	* Move the mouse cursor to coordinates.
-	*/
-	async moveMouse(x, y) {
-		await this.post("/api/desktop/mouse/move", {
-			x,
-			y
-		});
-	}
-	/**
-	* Drag from start coordinates to end coordinates.
-	*/
-	async drag(startX, startY, endX, endY, options) {
-		await this.post("/api/desktop/mouse/drag", {
-			startX,
-			startY,
-			endX,
-			endY,
-			button: options?.button ?? "left"
-		});
-	}
-	/**
-	* Scroll at coordinates in the specified direction.
-	*/
-	async scroll(x, y, direction, amount = 3) {
-		await this.post("/api/desktop/mouse/scroll", {
-			x,
-			y,
-			direction,
-			amount
-		});
-	}
-	/**
-	* Get the current cursor coordinates.
-	*/
-	async getCursorPosition() {
-		return await this.get("/api/desktop/mouse/position");
-	}
-	/**
-	* Type text into the focused element.
-	*/
-	async type(text, options) {
-		await this.post("/api/desktop/keyboard/type", {
-			text,
-			...options?.delayMs !== void 0 && { delayMs: options.delayMs }
-		});
-	}
-	/**
-	* Press and release a key or key combination.
-	*/
-	async press(key) {
-		await this.post("/api/desktop/keyboard/press", { key });
-	}
-	/**
-	* Press and hold a key.
-	*/
-	async keyDown(key) {
-		await this.post("/api/desktop/keyboard/down", { key });
-	}
-	/**
-	* Release a held key.
-	*/
-	async keyUp(key) {
-		await this.post("/api/desktop/keyboard/up", { key });
-	}
-	/**
-	* Get the active desktop screen size.
-	*/
-	async getScreenSize() {
-		return await this.get("/api/desktop/screen/size");
-	}
-	/**
-	* Get health status for a specific desktop process.
-	*/
-	async getProcessStatus(name) {
-		return this.get(`/api/desktop/process/${encodeURIComponent(name)}/status`);
-	}
-};
-
 //#endregion
 //#region src/clients/file-client.ts
 /**
@@ -2365,40 +2089,9 @@ var InterpreterClient = class extends BaseHttpClient {
 //#endregion
 //#region src/clients/port-client.ts
 /**
-* Client for port management and preview URL operations
+* Client for port readiness operations.
 */
 var PortClient = class extends BaseHttpClient {
-	/**
-	* Expose a port and get a preview URL
-	* @param port - Port number to expose
-	* @param sessionId - The session ID for this operation
-	* @param name - Optional name for the port
-	*/
-	async exposePort(port, sessionId, name) {
-		const data = {
-			port,
-			sessionId,
-			name
-		};
-		return await this.post("/api/expose-port", data);
-	}
-	/**
-	* Unexpose a port and remove its preview URL
-	* @param port - Port number to unexpose
-	* @param sessionId - The session ID for this operation
-	*/
-	async unexposePort(port, sessionId) {
-		const url = `/api/exposed-ports/${port}?session=${encodeURIComponent(sessionId)}`;
-		return await this.delete(url);
-	}
-	/**
-	* Get all currently exposed ports
-	* @param sessionId - The session ID for this operation
-	*/
-	async getExposedPorts(sessionId) {
-		const url = `/api/exposed-ports?session=${encodeURIComponent(sessionId)}`;
-		return await this.get(url);
-	}
 	/**
 	* Watch a port for readiness via SSE stream
 	* @param request - Port watch configuration
@@ -2649,7 +2342,6 @@ var SandboxClient = class {
 	git;
 	interpreter;
 	utils;
-	desktop;
 	watch;
 	/**
 	* Tunnels are RPC-only — the route-based transport does not implement them.
@@ -2682,7 +2374,6 @@ var SandboxClient = class {
 		this.git = new GitClient(clientOptions);
 		this.interpreter = new InterpreterClient(clientOptions);
 		this.utils = new UtilityClient(clientOptions);
-		this.desktop = new DesktopClient(clientOptions);
 		this.watch = new WatchClient(clientOptions);
 	}
 	/**
@@ -2703,7 +2394,6 @@ var SandboxClient = class {
 			this.git.setRetryTimeoutMs(ms);
 			this.interpreter.setRetryTimeoutMs(ms);
 			this.utils.setRetryTimeoutMs(ms);
-			this.desktop.setRetryTimeoutMs(ms);
 			this.watch.setRetryTimeoutMs(ms);
 		}
 	}
@@ -3332,32 +3022,6 @@ var ContainerControlClient = class {
 	get backup() {
 		return wrapStub(this.getConnection().rpc().backup, this.renewActivity);
 	}
-	get desktop() {
-		const stub = wrapStub(this.getConnection().rpc().desktop, this.renewActivity);
-		const wire = stub;
-		return new Proxy(stub, { get(target, prop, receiver) {
-			if (prop === "screenshot") return async (options) => {
-				const { format, ...rest } = options ?? {};
-				const result = await wire.screenshot(rest);
-				return format === "bytes" ? {
-					...result,
-					data: base64ToBytes(result.data)
-				} : result;
-			};
-			if (prop === "screenshotRegion") return async (region, options) => {
-				const { format, ...rest } = options ?? {};
-				const result = await wire.screenshotRegion({
-					region,
-					...rest
-				});
-				return format === "bytes" ? {
-					...result,
-					data: base64ToBytes(result.data)
-				} : result;
-			};
-			return Reflect.get(target, prop, receiver);
-		} });
-	}
 	get watch() {
 		return wrapStub(this.getConnection().rpc().watch, this.renewActivity);
 	}
@@ -3390,6 +3054,89 @@ var ContainerControlClient = class {
 	}
 };
 
+//#endregion
+//#region src/current-runtime-identity.ts
+const CURRENT_RUNTIME_IDENTITY_STORAGE_KEY = "currentRuntimeIdentity";
+var RuntimeIdentityInactiveError = class extends Error {
+	constructor() {
+		super("Runtime identity is no longer active");
+		this.name = "RuntimeIdentityInactiveError";
+	}
+};
+var RuntimeIdentity = class {
+	id;
+	constructor(record) {
+		this.id = record.id;
+	}
+	owns(record) {
+		return record.runtimeIdentityID === this.id;
+	}
+	scope(value) {
+		return {
+			...value,
+			runtimeIdentityID: this.id
+		};
+	}
+};
+var CurrentRuntimeIdentity = class {
+	/**
+	* Runtime identity is stored in Durable Object storage so a reconstructed DO
+	* can still recognize the live container runtime it owns. In-memory state is
+	* only a cache and cannot define runtime-scoped correctness.
+	*/
+	constructor(storage, getContainerState, isContainerRunning) {
+		this.storage = storage;
+		this.getContainerState = getContainerState;
+		this.isContainerRunning = isContainerRunning;
+	}
+	async get() {
+		const status = await this.getStatus();
+		return status.status === "active" ? status.runtime : null;
+	}
+	async getStatus() {
+		const state = await this.getContainerState();
+		if (state.status !== "healthy") return {
+			status: "inactive",
+			reason: "runtime-not-healthy",
+			containerStatus: state.status
+		};
+		if (!this.isContainerRunning()) return {
+			status: "inactive",
+			reason: "runtime-not-running",
+			containerStatus: state.status
+		};
+		const runtime = await this.getStored();
+		if (!runtime) return {
+			status: "inactive",
+			reason: "missing-runtime-id",
+			containerStatus: state.status
+		};
+		return {
+			status: "active",
+			runtime,
+			containerStatus: state.status
+		};
+	}
+	async getStored(storage = this.storage) {
+		const record = await storage.get(CURRENT_RUNTIME_IDENTITY_STORAGE_KEY) ?? null;
+		return record ? new RuntimeIdentity(record) : null;
+	}
+	async markStarted() {
+		const record = { id: crypto.randomUUID() };
+		await this.storage.put(CURRENT_RUNTIME_IDENTITY_STORAGE_KEY, record);
+		return new RuntimeIdentity(record);
+	}
+	async clear() {
+		await this.storage.delete(CURRENT_RUNTIME_IDENTITY_STORAGE_KEY);
+	}
+	async isActive(runtime) {
+		return (await this.get())?.id === runtime.id;
+	}
+	async assertActive(runtime) {
+		if (!await this.isActive(runtime)) throw new RuntimeIdentityInactiveError();
+	}
+};
+
 //#endregion
 //#region src/file-stream.ts
 /**
@@ -3582,6 +3329,32 @@ function validateLanguage(language) {
 	const normalized = language.toLowerCase();
 	if (!supportedLanguages.includes(normalized)) throw new SandboxSecurityError(`Unsupported language '${language}'. Supported languages: python, javascript, typescript`, "INVALID_LANGUAGE");
 }
+/**
+* Validates a single DNS label for use as a Cloudflare Tunnel hostname.
+*
+* Used by `sandbox.tunnels.get(port, { name })` to reject obviously-bad
+* input client-side before any network call. Whether the chosen label is
+* actually available under the configured zone is left to the Cloudflare
+* API (returned as a typed error).
+*
+* Rules:
+* - 1–63 characters
+* - Lowercase letters, digits, and internal hyphens only
+* - No leading or trailing hyphen
+* - No dots — multi-label hostnames need a delegated subdomain zone or
+*   Advanced Certificate Manager, which are out of scope for this
+*   feature. Universal SSL only covers `<label>.<zone>`.
+*
+* Throws `SandboxSecurityError` on any violation. Designed to be called
+* before any other tunnel work so callers see a fast, deterministic
+* failure.
+*/
+const TUNNEL_NAME_REGEX = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/;
+function validateTunnelName(name) {
+	if (typeof name !== "string") throw new SandboxSecurityError(`Tunnel name must be a string. Received: ${typeof name}`, "INVALID_TUNNEL_NAME");
+	if (name.length === 0 || name.length > 63) throw new SandboxSecurityError(`Tunnel name '${name}' must be 1–63 characters long.`, "INVALID_TUNNEL_NAME_LENGTH");
+	if (!TUNNEL_NAME_REGEX.test(name)) throw new SandboxSecurityError(`Tunnel name '${name}' is not a valid DNS label. Use lowercase letters, digits, and internal hyphens only (no dots, no leading/trailing hyphens).`, "INVALID_TUNNEL_NAME_FORMAT");
+}
 
 //#endregion
 //#region src/interpreter.ts
@@ -4237,118 +4010,138 @@ function base64ToUint8Array(base64) {
 }
 
 //#endregion
-//#region src/pty/proxy.ts
-async function proxyTerminal(stub, sessionId, request, options) {
-	if (!sessionId || typeof sessionId !== "string") throw new Error("sessionId is required for terminal access");
-	if (request.headers.get("Upgrade")?.toLowerCase() !== "websocket") throw new Error("terminal() requires a WebSocket upgrade request");
-	const params = new URLSearchParams({ sessionId });
-	if (options?.cols) params.set("cols", String(options.cols));
-	if (options?.rows) params.set("rows", String(options.rows));
-	if (options?.shell) params.set("shell", options.shell);
-	const ptyUrl = `http://localhost/ws/pty?${params}`;
-	const ptyRequest = new Request(ptyUrl, request);
-	return stub.fetch(switchPort(ptyRequest, 3e3));
-}
-
-//#endregion
-//#region src/request-handler.ts
-async function proxyToSandbox(request, env$1) {
-	const logger = createLogger({
-		component: "sandbox-do",
-		traceId: TraceContext.fromHeaders(request.headers) || TraceContext.generate(),
-		operation: "proxy"
-	});
+//#region src/preview-forwarding.ts
+async function forwardPreviewRequest(tcpPort, request, lifecycle) {
+	const containerURL = request.url.replace("https:", "http:");
+	const settleForward = lifecycle.beginForward();
 	try {
-		const url = new URL(request.url);
-		const routeInfo = extractSandboxRoute(url);
-		if (!routeInfo) return null;
-		const { sandboxId, port, path: path$1, token } = routeInfo;
-		const sandbox = getSandbox(env$1.Sandbox, sandboxId, { normalizeId: true });
-		if (port !== 3e3) {
-			if (!await sandbox.validatePortToken(port, token)) {
-				logger.warn("Invalid token access blocked", {
-					port,
-					sandboxId,
-					path: path$1,
-					hostname: url.hostname,
-					url: request.url,
-					method: request.method,
-					userAgent: request.headers.get("User-Agent") || "unknown"
-				});
-				return new Response(JSON.stringify({
-					error: `Access denied: Invalid token or port not exposed`,
-					code: "INVALID_TOKEN"
-				}), {
-					status: 404,
-					headers: { "Content-Type": "application/json" }
-				});
-			}
+		const response = await tcpPort.fetch(containerURL, request);
+		if (response.webSocket !== null) return {
+			status: "response",
+			response: bridgePreviewWebSocket(response, lifecycle, settleForward)
+		};
+		if (response.body !== null) {
+			const { readable, writable } = new TransformStream();
+			response.body.pipeTo(writable).finally(settleForward).catch(() => {});
+			return {
+				status: "response",
+				response: new Response(readable, response)
+			};
 		}
-		if (request.headers.get("Upgrade")?.toLowerCase() === "websocket") return await sandbox.fetch(switchPort(request, port));
-		let proxyUrl;
-		if (port !== 3e3) proxyUrl = `http://localhost:${port}${path$1}${url.search}`;
-		else proxyUrl = `http://localhost:3000${path$1}${url.search}`;
-		const headers = {
-			"X-Original-URL": request.url,
-			"X-Forwarded-Host": url.hostname,
-			"X-Forwarded-Proto": url.protocol.replace(":", ""),
-			"X-Sandbox-Name": sandboxId
+		settleForward();
+		return {
+			status: "response",
+			response
 		};
-		request.headers.forEach((value, key) => {
-			headers[key] = value;
-		});
-		const proxyRequest = new Request(proxyUrl, {
-			method: request.method,
-			headers,
-			body: request.body,
-			duplex: "half",
-			redirect: "manual"
-		});
-		return await sandbox.containerFetch(proxyRequest, port);
 	} catch (error) {
-		logger.error("Proxy routing error", error instanceof Error ? error : new Error(String(error)));
-		return new Response("Proxy routing error", { status: 500 });
-	}
-}
-function extractSandboxRoute(url) {
-	const dotIndex = url.hostname.indexOf(".");
-	if (dotIndex === -1) return null;
-	const subdomain = url.hostname.slice(0, dotIndex);
-	url.hostname.slice(dotIndex + 1);
-	const firstHyphen = subdomain.indexOf("-");
-	if (firstHyphen === -1) return null;
-	const portStr = subdomain.slice(0, firstHyphen);
-	if (!/^\d{4,5}$/.test(portStr)) return null;
-	const port = parseInt(portStr, 10);
-	if (!validatePort(port)) return null;
-	const rest = subdomain.slice(firstHyphen + 1);
-	const lastHyphen = rest.lastIndexOf("-");
-	if (lastHyphen === -1) return null;
-	const sandboxId = rest.slice(0, lastHyphen);
-	const token = rest.slice(lastHyphen + 1);
-	if (!/^[a-z0-9_]+$/.test(token) || token.length === 0 || token.length > 63) return null;
-	if (sandboxId.length === 0 || sandboxId.length > 63) return null;
-	let sanitizedSandboxId;
-	try {
-		sanitizedSandboxId = sanitizeSandboxId(sandboxId);
-	} catch {
-		return null;
+		settleForward();
+		if (error instanceof Error && error.message.includes("Network connection lost.")) return { status: "network-lost" };
+		throw error;
 	}
-	return {
-		port,
-		sandboxId: sanitizedSandboxId,
-		path: url.pathname || "/",
-		token
+}
+function bridgePreviewWebSocket(response, lifecycle, settleForward) {
+	const containerWebSocket = response.webSocket;
+	if (containerWebSocket === null) {
+		settleForward();
+		return response;
+	}
+	const [client, server] = Object.values(new WebSocketPair());
+	let settled = false;
+	const settle = () => {
+		if (!settled) {
+			settled = true;
+			settleForward();
+		}
 	};
+	containerWebSocket.accept();
+	server.accept();
+	server.addEventListener("message", async (event) => {
+		lifecycle.renewActivity();
+		try {
+			const data = event.data instanceof Blob ? await event.data.arrayBuffer() : event.data;
+			containerWebSocket.send(data);
+		} catch {
+			server.close(1011, "Failed to forward message to container");
+		}
+	});
+	containerWebSocket.addEventListener("message", async (event) => {
+		lifecycle.renewActivity();
+		try {
+			const data = event.data instanceof Blob ? await event.data.arrayBuffer() : event.data;
+			server.send(data);
+		} catch {
+			containerWebSocket.close(1011, "Failed to forward message to client");
+		}
+	});
+	server.addEventListener("close", (event) => {
+		settle();
+		const code = event.code === 1005 || event.code === 1006 ? 1e3 : event.code;
+		containerWebSocket.close(code, event.reason);
+	});
+	containerWebSocket.addEventListener("close", (event) => {
+		settle();
+		const code = event.code === 1005 || event.code === 1006 ? 1e3 : event.code;
+		server.close(code, event.reason);
+	});
+	server.addEventListener("error", () => {
+		settle();
+		containerWebSocket.close(1011, "Client WebSocket error");
+	});
+	containerWebSocket.addEventListener("error", () => {
+		settle();
+		server.close(1011, "Container WebSocket error");
+	});
+	return new Response(null, {
+		status: response.status,
+		webSocket: client,
+		headers: response.headers
+	});
 }
+
+//#endregion
+//#region src/preview-proxy-protocol.ts
+/** @internal */
+const PREVIEW_PROXY_HEADER = "x-sandbox-preview-proxy";
+/** @internal */
+const PREVIEW_PROXY_PORT_HEADER = "x-sandbox-preview-port";
+/** @internal */
+const PREVIEW_PROXY_TOKEN_HEADER = "x-sandbox-preview-token";
+/** @internal */
+const PREVIEW_PROXY_SANDBOX_ID_HEADER = "x-sandbox-preview-sandbox-id";
+/** @internal */
+const PREVIEW_PROXY_HEADERS = [
+	PREVIEW_PROXY_HEADER,
+	PREVIEW_PROXY_PORT_HEADER,
+	PREVIEW_PROXY_TOKEN_HEADER,
+	PREVIEW_PROXY_SANDBOX_ID_HEADER
+];
+
+//#endregion
+//#region src/preview-url.ts
 function isLocalhostPattern(hostname) {
-	if (hostname.startsWith("[")) if (hostname.includes("]:")) return hostname.substring(0, hostname.indexOf("]:") + 1) === "[::1]";
-	else return hostname === "[::1]";
+	if (hostname.startsWith("[")) {
+		if (hostname.includes("]:")) return hostname.substring(0, hostname.indexOf("]:") + 1) === "[::1]";
+		return hostname === "[::1]";
+	}
 	if (hostname === "::1") return true;
 	const hostPart = hostname.split(":")[0];
 	return hostPart === "localhost" || hostPart === "127.0.0.1" || hostPart === "0.0.0.0";
 }
 
+//#endregion
+//#region src/pty/proxy.ts
+async function proxyTerminal(stub, sessionId, request, options) {
+	if (!sessionId || typeof sessionId !== "string") throw new Error("sessionId is required for terminal access");
+	if (request.headers.get("Upgrade")?.toLowerCase() !== "websocket") throw new Error("terminal() requires a WebSocket upgrade request");
+	const params = new URLSearchParams({ sessionId });
+	if (options?.cols) params.set("cols", String(options.cols));
+	if (options?.rows) params.set("rows", String(options.rows));
+	if (options?.shell) params.set("shell", options.shell);
+	const ptyUrl = `http://localhost/ws/pty?${params}`;
+	const ptyRequest = new Request(ptyUrl, request);
+	return stub.fetch(switchPort(ptyRequest, 3e3));
+}
+
 //#endregion
 //#region src/storage-mount/r2-egress-handler.ts
 const XML_NS = "xmlns=\"http://s3.amazonaws.com/doc/2006-03-01/\"";
@@ -4678,11 +4471,590 @@ const r2EgressHandler = async (request, env$1, ctx) => {
 };
 
 //#endregion
-//#region src/tunnels/sandbox-control-callback.ts
-var SandboxControlCallbackImpl = class extends RpcTarget {
-	constructor(getHandler, logger) {
-		super();
-		this.getHandler = getHandler;
+//#region src/storage-mount/s3-credential-proxy-handler.ts
+const PER_MOUNT_SUFFIX = ".s3-credential-proxy.internal";
+const SELF_TEST_PATH = "/__sandbox_credential_proxy_self_test__";
+const DIAGNOSTICS_PATH = "/__sandbox_credential_proxy_diagnostics__";
+const DEFAULT_SLOW_REQUEST_MS = 1e3;
+const ERROR_RESPONSE_BODY_LIMIT = 2048;
+const MAX_DIAGNOSTIC_EVENTS = 500;
+const DUMMY_AUTH_HEADERS = new Set([
+	"authorization",
+	"x-amz-date",
+	"x-amz-content-sha256",
+	"x-amz-security-token",
+	"x-goog-date",
+	"x-goog-content-sha256"
+]);
+const sigV4ClientCache = /* @__PURE__ */ new Map();
+const directoryMarkerCache = /* @__PURE__ */ new Map();
+const credentialProxyDiagnosticEvents = [];
+let credentialProxyDiagnosticEventCount = 0;
+function evictSigV4ClientCacheEntry(mountId) {
+	sigV4ClientCache.delete(mountId);
+}
+function evictDirectoryMarkerCacheForMount(mountId) {
+	const prefix = `${mountId}:`;
+	for (const key of directoryMarkerCache.keys()) if (key.startsWith(prefix)) directoryMarkerCache.delete(key);
+}
+function toHex(buffer) {
+	return Array.from(new Uint8Array(buffer)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function sha256Hex(data) {
+	return toHex(await crypto.subtle.digest("SHA-256", new TextEncoder().encode(data)));
+}
+async function hmacSHA256(key, data) {
+	const cryptoKey = await crypto.subtle.importKey("raw", key, {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign"]);
+	return crypto.subtle.sign("HMAC", cryptoKey, new TextEncoder().encode(data));
+}
+function detectS3Region(provider, endpoint) {
+	if (provider === "r2") return "auto";
+	try {
+		const host = new URL(endpoint).hostname;
+		const m = host.match(/s3[.-]([a-z0-9-]+)\.amazonaws\.com/);
+		if (m && m[1] !== "amazonaws") return m[1];
+		if (host === "s3.amazonaws.com") return "us-east-1";
+	} catch {}
+	return "auto";
+}
+function buildCleanHeaders(original) {
+	const clean = new Headers();
+	for (const [k, v] of original) {
+		const lower = k.toLowerCase();
+		if (!DUMMY_AUTH_HEADERS.has(lower) && lower !== "host") clean.set(k, v);
+	}
+	const contentSHA256 = original.get("x-amz-content-sha256");
+	if (contentSHA256 && isValidContentSHA256(contentSHA256)) clean.set("x-amz-content-sha256", contentSHA256);
+	return clean;
+}
+function isValidContentSHA256(value) {
+	return value === "UNSIGNED-PAYLOAD" || /^[a-fA-F0-9]{64}$/.test(value);
+}
+function getCredentialProxyDebugConfig(env$1) {
+	const envRecord = env$1;
+	const enabled = envRecord.SANDBOX_CREDENTIAL_PROXY_DEBUG === "true";
+	const diagnosticsEndpointEnabled = envRecord.SANDBOX_CREDENTIAL_PROXY_DIAGNOSTICS_ENDPOINT === "true";
+	const configuredSlowRequestMs = Number(envRecord.SANDBOX_CREDENTIAL_PROXY_SLOW_REQUEST_MS);
+	return {
+		diagnosticsEndpointEnabled,
+		enabled,
+		slowRequestMs: Number.isFinite(configuredSlowRequestMs) && configuredSlowRequestMs >= 0 ? configuredSlowRequestMs : DEFAULT_SLOW_REQUEST_MS
+	};
+}
+function recordCredentialProxyDiagnosticEvent(event) {
+	credentialProxyDiagnosticEvents.push(event);
+	credentialProxyDiagnosticEventCount++;
+	while (credentialProxyDiagnosticEvents.length > MAX_DIAGNOSTIC_EVENTS) credentialProxyDiagnosticEvents.shift();
+}
+function getCredentialProxyDiagnosticsResponse(url, containerId) {
+	const since = Number(url.searchParams.get("since") ?? "0");
+	const bufferStartCount = credentialProxyDiagnosticEventCount - credentialProxyDiagnosticEvents.length;
+	const events = credentialProxyDiagnosticEvents.filter((event, index) => {
+		if (event.containerId !== containerId) return false;
+		return !Number.isFinite(since) || bufferStartCount + index >= since;
+	});
+	return Response.json({
+		nextCursor: credentialProxyDiagnosticEventCount,
+		events
+	});
+}
+async function withCredentialProxyDiagnostics(requestInfo, debugConfig, containerId, path$1, operation) {
+	const started = Date.now();
+	try {
+		const response = await operation();
+		const durationMs = Date.now() - started;
+		if (debugConfig.enabled) recordCredentialProxyDiagnosticEvent({
+			...requestInfo,
+			containerId,
+			durationMs,
+			ok: response.ok,
+			path: path$1,
+			status: response.status,
+			timestamp: (/* @__PURE__ */ new Date()).toISOString()
+		});
+		if (debugConfig.enabled || durationMs >= debugConfig.slowRequestMs) console.info("sandbox.s3_credential_proxy.request", {
+			...requestInfo,
+			durationMs,
+			ok: response.ok,
+			status: response.status,
+			responseContentLength: response.headers.get("content-length")
+		});
+		if (!response.ok) {
+			const responseForLog = response.clone();
+			const requestInfoSnapshot = { ...requestInfo };
+			responseForLog.text().then((body) => {
+				console.warn("sandbox.s3_credential_proxy.upstream_error", {
+					...requestInfoSnapshot,
+					durationMs,
+					status: response.status,
+					statusText: response.statusText,
+					errorBody: body.slice(0, ERROR_RESPONSE_BODY_LIMIT)
+				});
+			}).catch(() => {});
+		}
+		return response;
+	} catch (error) {
+		const durationMs = Date.now() - started;
+		console.warn("sandbox.s3_credential_proxy.request_error", {
+			...requestInfo,
+			durationMs,
+			error: error instanceof Error ? error.message : String(error)
+		});
+		throw error;
+	}
+}
+function getSigV4Client(mountId, endpoint, provider, credentials, region) {
+	const cached = sigV4ClientCache.get(mountId);
+	if (cached && cached.accessKeyId === credentials.accessKeyId && cached.secretAccessKey === credentials.secretAccessKey && cached.endpoint === endpoint && cached.provider === provider && cached.region === region) return cached.client;
+	const client = new AwsClient({
+		accessKeyId: credentials.accessKeyId,
+		secretAccessKey: credentials.secretAccessKey,
+		service: "s3",
+		region,
+		retries: 0
+	});
+	sigV4ClientCache.set(mountId, {
+		client,
+		accessKeyId: credentials.accessKeyId,
+		secretAccessKey: credentials.secretAccessKey,
+		endpoint,
+		provider,
+		region
+	});
+	return client;
+}
+function encodeCanonicalQueryPart(value) {
+	return encodeURIComponent(value).replace(/[!'()*]/g, (char) => `%${char.charCodeAt(0).toString(16).toUpperCase()}`);
+}
+function getCanonicalURI(url) {
+	return url.pathname.split("/").map((segment) => segment.split(/(%[0-9A-Fa-f]{2})/g).map((part) => /^%[0-9A-Fa-f]{2}$/.test(part) ? part.toUpperCase() : encodeCanonicalQueryPart(part)).join("")).join("/");
+}
+function getCanonicalQueryString(url) {
+	const query = url.search.startsWith("?") ? url.search.slice(1) : url.search;
+	if (!query) return "";
+	return query.split("&").map((part) => {
+		const separatorIndex = part.indexOf("=");
+		if (separatorIndex === -1) return [part, ""];
+		return [part.slice(0, separatorIndex), part.slice(separatorIndex + 1)];
+	}).map(([key, value]) => [encodeCanonicalQueryPart(decodeURIEncodedQueryPart(key)), encodeCanonicalQueryPart(decodeURIEncodedQueryPart(value))]).sort(([leftKey, leftValue], [rightKey, rightValue]) => {
+		if (leftKey < rightKey) return -1;
+		if (leftKey > rightKey) return 1;
+		if (leftValue < rightValue) return -1;
+		if (leftValue > rightValue) return 1;
+		return 0;
+	}).map(([key, value]) => `${key}=${value}`).join("&");
+}
+function decodeURIEncodedQueryPart(value) {
+	try {
+		return decodeURIComponent(value);
+	} catch {
+		return value;
+	}
+}
+function getSigV4PayloadHash(headers) {
+	const existingHash = headers.get("x-amz-content-sha256");
+	if (existingHash && existingHash !== "UNSIGNED-PAYLOAD") return {
+		hash: existingHash,
+		mode: "signed"
+	};
+	return {
+		hash: "UNSIGNED-PAYLOAD",
+		mode: "unsigned"
+	};
+}
+function isZeroLengthDirectoryMarkerPUT(request, realPath) {
+	return request.method.toUpperCase() === "PUT" && request.headers.get("content-length") === "0" && realPath.endsWith("/");
+}
+function isDirectoryMarkerHEAD(request) {
+	return request.method.toUpperCase() === "HEAD";
+}
+function getDirectoryMarkerCacheKey(mountId, realPath) {
+	return `${mountId}:${realPath.replace(/\/+$/, "")}`;
+}
+function getDirectoryMarkerResponseHeaders(request) {
+	const headers = [
+		["Accept-Ranges", "bytes"],
+		["Content-Length", "0"],
+		["ETag", "\"d41d8cd98f00b204e9800998ecf8427e\""],
+		["Last-Modified", (/* @__PURE__ */ new Date()).toUTCString()]
+	];
+	const contentType = request.headers.get("content-type");
+	if (contentType) headers.push(["Content-Type", contentType]);
+	for (const [name, value] of request.headers) if (name.toLowerCase().startsWith("x-amz-meta-")) headers.push([name, value]);
+	return headers;
+}
+function normalizePrefix(prefix) {
+	if (!prefix) return void 0;
+	return prefix.replace(/^\/+/, "").replace(/\/+$/, "");
+}
+function getObjectKeyForPath(realPath, bucket) {
+	const pathSegments = realPath.split("/").filter(Boolean);
+	if (pathSegments[0] !== bucket) return null;
+	return pathSegments.slice(1).join("/");
+}
+function isObjectKeyWithinPrefix(objectKey, prefix) {
+	const normalizedPrefix = normalizePrefix(prefix);
+	if (!normalizedPrefix) return true;
+	return objectKey === normalizedPrefix || objectKey.startsWith(`${normalizedPrefix}/`);
+}
+function isRequestWithinMountScope(realPath, url, bucket, prefix) {
+	const objectKey = getObjectKeyForPath(realPath, bucket);
+	if (objectKey === null) return false;
+	const requestedPrefix = url.searchParams.get("prefix");
+	if (objectKey !== "" && !isObjectKeyWithinPrefix(objectKey, prefix)) return false;
+	if (objectKey === "" && normalizePrefix(prefix) !== void 0 && url.search !== "" && requestedPrefix === null) return false;
+	if (requestedPrefix !== null) return isObjectKeyWithinPrefix(requestedPrefix, prefix);
+	return true;
+}
+function isBucketRootProbe(request, realPath, url, bucket) {
+	const method = request.method.toUpperCase();
+	return (method === "GET" || method === "HEAD") && url.search === "" && getObjectKeyForPath(realPath, bucket) === "";
+}
+function deleteDirectoryMarkerCacheEntry(mountId, realPath) {
+	directoryMarkerCache.delete(getDirectoryMarkerCacheKey(mountId, realPath));
+}
+function getContentLength(request) {
+	const contentLength = request.headers.get("content-length");
+	if (contentLength === null) return null;
+	const parsed = Number(contentLength);
+	if (!Number.isSafeInteger(parsed) || parsed < 0) return null;
+	return parsed;
+}
+function getSigV4ForwardInit(request) {
+	const contentLength = getContentLength(request);
+	if (contentLength === 0) return { body: new Uint8Array(0) };
+	if (contentLength === null || request.body === null) return {};
+	const { readable, writable } = new FixedLengthStream(contentLength);
+	request.body.pipeTo(writable).catch((error) => {
+		writable.abort(error).catch(() => {});
+	});
+	return { body: readable };
+}
+function getGCSHeaders(request) {
+	const headers = new Headers();
+	for (const [k, v] of request.headers) {
+		const lower = k.toLowerCase();
+		if (DUMMY_AUTH_HEADERS.has(lower) || lower === "host" || lower === "content-length" || lower === "expect") continue;
+		if (lower.startsWith("x-amz-meta-")) {
+			headers.set(`x-goog-meta-${lower.slice(11)}`, v);
+			continue;
+		}
+		if (lower.startsWith("x-amz-")) continue;
+		headers.set(k, v);
+	}
+	return headers;
+}
+async function signAndForwardSigV4(request, mountId, endpoint, provider, credentials, requestInfo) {
+	const signingStarted = Date.now();
+	const region = detectS3Region(provider, endpoint);
+	const payload = getSigV4PayloadHash(request.headers);
+	const client = getSigV4Client(mountId, endpoint, provider, credentials, region);
+	requestInfo.payloadHashMode = payload.mode;
+	requestInfo.clientSetupMs = Date.now() - signingStarted;
+	const upstreamStarted = Date.now();
+	const forwardInit = getSigV4ForwardInit(request);
+	requestInfo.bodyPresent = forwardInit?.body !== void 0 || request.body !== null;
+	const response = await client.fetch(request, forwardInit);
+	requestInfo.upstreamMs = Date.now() - upstreamStarted;
+	return response;
+}
+async function signAndForwardGCS(request, credentials, requestInfo) {
+	const url = new URL(request.url);
+	const gcsHeaders = getGCSHeaders(request);
+	const dateStr = `${(/* @__PURE__ */ new Date()).toISOString().replace(/[:-]/g, "").replace(/\.\d+Z$/, "")}Z`;
+	const dateOnly = dateStr.slice(0, 8);
+	const location = "auto";
+	const service = "storage";
+	const credentialScope = `${dateOnly}/${location}/${service}/goog4_request`;
+	const bodyHash = "UNSIGNED-PAYLOAD";
+	const headerEntries = [
+		["host", url.host],
+		["x-goog-content-sha256", bodyHash],
+		["x-goog-date", dateStr]
+	];
+	for (const [k, v] of gcsHeaders) headerEntries.push([k.toLowerCase(), v.trim()]);
+	headerEntries.sort((a, b) => a[0].localeCompare(b[0]));
+	const signedHeaders = headerEntries.map(([k]) => k).join(";");
+	const canonicalHeaders = headerEntries.map(([k, v]) => `${k}:${v}\n`).join("");
+	const stringToSign = [
+		"GOOG4-HMAC-SHA256",
+		dateStr,
+		credentialScope,
+		await sha256Hex([
+			request.method,
+			getCanonicalURI(url),
+			getCanonicalQueryString(url),
+			canonicalHeaders,
+			signedHeaders,
+			bodyHash
+		].join("\n"))
+	].join("\n");
+	const signature = toHex(await hmacSHA256(await hmacSHA256(await hmacSHA256(await hmacSHA256(await hmacSHA256(new TextEncoder().encode(`GOOG4${credentials.secretAccessKey}`), dateOnly), location), service), "goog4_request"), stringToSign));
+	const authorization = `GOOG4-HMAC-SHA256 Credential=${credentials.accessKeyId}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
+	const newHeaders = new Headers(gcsHeaders);
+	newHeaders.set("x-goog-date", dateStr);
+	newHeaders.set("x-goog-content-sha256", bodyHash);
+	newHeaders.set("Authorization", authorization);
+	const gcsBody = getContentLength(request) === 0 ? new Uint8Array(0) : request.body;
+	const upstreamStarted = Date.now();
+	const response = await fetch(new Request(request.url, {
+		method: request.method,
+		headers: newHeaders,
+		body: gcsBody
+	}));
+	requestInfo.upstreamMs = Date.now() - upstreamStarted;
+	return response;
+}
+const s3CredentialProxyHandler = async (request, env$1, ctx) => {
+	const url = new URL(request.url);
+	if (url.pathname === SELF_TEST_PATH) return new Response("OK", { status: 200 });
+	const debugConfig = getCredentialProxyDebugConfig(env$1);
+	if (url.pathname === DIAGNOSTICS_PATH) {
+		if (!debugConfig.enabled || !debugConfig.diagnosticsEndpointEnabled) return new Response("Not Found", { status: 404 });
+		return getCredentialProxyDiagnosticsResponse(url, ctx.containerId);
+	}
+	const segments = url.pathname.split("/").filter(Boolean);
+	const hostname = url.hostname;
+	let mountId;
+	let realPath;
+	if (hostname.endsWith(PER_MOUNT_SUFFIX)) {
+		mountId = hostname.slice(0, -29);
+		realPath = url.pathname;
+	} else {
+		mountId = segments[0] ?? null;
+		realPath = mountId ? url.pathname.slice(`/${mountId}`.length) || "/" : "/";
+	}
+	if (!mountId) return new Response("Bad Request: missing mount ID", { status: 400 });
+	const mount = ctx.params?.mounts[mountId];
+	if (!mount) return new Response(`Forbidden: unknown mount ID "${mountId}"`, { status: 403 });
+	if (mount.readOnly) {
+		const method = request.method.toUpperCase();
+		if (method !== "GET" && method !== "HEAD" && method !== "OPTIONS") return new Response("Forbidden: bucket mount is read-only", { status: 403 });
+	}
+	const realUrl = new URL(realPath + (url.search || ""), mount.endpoint);
+	if (isBucketRootProbe(request, realPath, url, mount.bucket)) return new Response(null, { status: 200 });
+	if (!isRequestWithinMountScope(realPath, url, mount.bucket, mount.prefix)) return new Response("Forbidden: request is outside mounted bucket scope", { status: 403 });
+	const cleanHeaders = buildCleanHeaders(request.headers);
+	const cleanRequest = new Request(realUrl.toString(), {
+		method: request.method,
+		headers: cleanHeaders,
+		body: request.body
+	});
+	const requestInfo = {
+		authStrategy: mount.authStrategy,
+		bucket: mount.bucket,
+		contentLength: request.headers.get("content-length"),
+		method: request.method,
+		mountId,
+		query: [...url.searchParams.keys()].sort()
+	};
+	if (isZeroLengthDirectoryMarkerPUT(cleanRequest, realPath)) {
+		const responseHeaders = getDirectoryMarkerResponseHeaders(cleanRequest);
+		requestInfo.bodyPresent = request.body !== null;
+		if (mount.authStrategy === "s3-sigv4") requestInfo.payloadHashMode = getSigV4PayloadHash(cleanRequest.headers).mode;
+		return withCredentialProxyDiagnostics(requestInfo, debugConfig, ctx.containerId, realPath, async () => {
+			const response = mount.authStrategy === "gcs" ? await signAndForwardGCS(cleanRequest, mount.credentials, requestInfo) : await signAndForwardSigV4(cleanRequest, mountId, mount.endpoint, mount.provider, mount.credentials, requestInfo);
+			if (response.ok) directoryMarkerCache.set(getDirectoryMarkerCacheKey(mountId, realPath), responseHeaders);
+			return response;
+		});
+	}
+	if (isDirectoryMarkerHEAD(cleanRequest)) {
+		const responseHeaders = directoryMarkerCache.get(getDirectoryMarkerCacheKey(mountId, realPath));
+		if (responseHeaders) {
+			requestInfo.bodyPresent = false;
+			if (mount.authStrategy === "s3-sigv4") requestInfo.payloadHashMode = getSigV4PayloadHash(cleanRequest.headers).mode;
+			return withCredentialProxyDiagnostics(requestInfo, debugConfig, ctx.containerId, realPath, () => Promise.resolve(new Response(null, {
+				status: 200,
+				headers: responseHeaders
+			})));
+		}
+	}
+	if (cleanRequest.method.toUpperCase() !== "HEAD") deleteDirectoryMarkerCacheEntry(mountId, realPath);
+	if (mount.authStrategy === "gcs") return withCredentialProxyDiagnostics(requestInfo, debugConfig, ctx.containerId, realPath, () => signAndForwardGCS(cleanRequest, mount.credentials, requestInfo));
+	return withCredentialProxyDiagnostics(requestInfo, debugConfig, ctx.containerId, realPath, () => signAndForwardSigV4(cleanRequest, mountId, mount.endpoint, mount.provider, mount.credentials, requestInfo));
+};
+
+//#endregion
+//#region src/tunnels/credentials.ts
+/**
+* Resolve a Cloudflare account id from environment with documented
+* precedence. Used by features that need to address a specific account
+* (Cloudflare Tunnel, R2 backup) to find their account id without
+* forcing every caller to set the same env var.
+*
+* Precedence (first non-empty wins):
+*   1. The feature-specific override env var (e.g. `CLOUDFLARE_TUNNEL_ACCOUNT_ID`).
+*   2. `CLOUDFLARE_ACCOUNT_ID`.
+*   3. The single account `CLOUDFLARE_API_TOKEN` is scoped to, via
+*      `GET /user/tokens/verify`. Multi-account tokens are rejected.
+*
+* The resolver is feature-agnostic; only the `overrideKey` differs per
+* caller. Throws on any failure with a message that names the env vars
+* the caller can set to fix it.
+*/
+const TOKEN_VERIFY_URL = "https://api.cloudflare.com/client/v4/user/tokens/verify";
+const ACCOUNTS_LIST_URL = "https://api.cloudflare.com/client/v4/accounts";
+/**
+* Per-request timeout for the credential introspection calls below.
+* Without one a hung Cloudflare control-plane call wedges every
+* first-time named-tunnel `get()` on the DO (the resolver promises are
+* memoised on `Sandbox`, so the first caller's hang is everyone's hang).
+*/
+const CREDENTIALS_TIMEOUT_MS = 1e4;
+/**
+* Fetch wrapper that adds an `AbortSignal.timeout` and surfaces a
+* timeout as a labelled `Error` so the caller can blame the right URL.
+*/
+async function fetchWithTimeout(fetcher, url, init, timeoutMs = CREDENTIALS_TIMEOUT_MS) {
+	try {
+		return await fetcher(url, {
+			...init,
+			signal: AbortSignal.timeout(timeoutMs)
+		});
+	} catch (err) {
+		if (err instanceof Error && err.name === "TimeoutError") throw new Error(`Cloudflare API request to ${url} timed out after ${timeoutMs}ms`);
+		throw err;
+	}
+}
+/**
+* Cloudflare error code returned by `GET /user/tokens/verify` when the
+* presented token is an account-owned (`cfat-`) token rather than a
+* user-owned one. Matches the heuristic wrangler uses in
+* `src/user/whoami.ts` (`getTokenType`).
+*/
+const ACCOUNT_OWNED_TOKEN_CODE = 1e3;
+async function resolveAccountId(env$1, options) {
+	const override = getEnvString(env$1, options.overrideKey);
+	if (override) return override;
+	const generic = getEnvString(env$1, "CLOUDFLARE_ACCOUNT_ID");
+	if (generic) return generic;
+	const token = getEnvString(env$1, "CLOUDFLARE_API_TOKEN");
+	if (!token) throw new Error(`Cloudflare account id could not be resolved. Set one of: ${options.overrideKey}, CLOUDFLARE_ACCOUNT_ID, or CLOUDFLARE_API_TOKEN (a token scoped to a single account).`);
+	const fetcher = options.fetcher ?? fetch;
+	const response = await fetchWithTimeout(fetcher, TOKEN_VERIFY_URL, {
+		method: "GET",
+		headers: {
+			authorization: `Bearer ${token}`,
+			"content-type": "application/json"
+		}
+	});
+	let body;
+	try {
+		body = await response.json();
+	} catch (err) {
+		const message = err instanceof Error ? err.message : String(err);
+		throw new Error(`Cloudflare token verification returned malformed JSON: ${message}`);
+	}
+	if (response.ok && body?.success) {
+		const derived = body.result_info?.account?.id;
+		if (!derived) throw new Error(`Cloudflare token is not scoped to a single account (ambiguous). Set ${options.overrideKey} or CLOUDFLARE_ACCOUNT_ID explicitly.`);
+		return derived;
+	}
+	if (body?.errors?.some((e) => e.code === ACCOUNT_OWNED_TOKEN_CODE)) return await deriveAccountIdViaAccountToken(token, fetcher, options);
+	throw new Error(`Cloudflare token verification failed with status ${response.status}. Check that CLOUDFLARE_API_TOKEN is valid or set ${options.overrideKey} / CLOUDFLARE_ACCOUNT_ID explicitly.`);
+}
+/**
+* Account-owned token (cfat-) fallback: list the accounts the token can
+* see, and — if there's exactly one — confirm with the account-scoped
+* verify endpoint before returning the id.
+*
+* Common failure modes get specific, actionable error messages:
+*   - `/accounts` 403 (token lacks `account:read`): tell the caller to
+*     set `CLOUDFLARE_ACCOUNT_ID` explicitly.
+*   - multiple accounts: same.
+*   - zero accounts: same.
+*   - confirm step fails: surface the API error code verbatim.
+*/
+async function deriveAccountIdViaAccountToken(token, fetcher, options) {
+	const listResponse = await fetchWithTimeout(fetcher, `${ACCOUNTS_LIST_URL}?per_page=2`, {
+		method: "GET",
+		headers: {
+			authorization: `Bearer ${token}`,
+			"content-type": "application/json"
+		}
+	});
+	let listBody;
+	try {
+		listBody = await listResponse.json();
+	} catch (err) {
+		const message = err instanceof Error ? err.message : String(err);
+		throw new Error(`Cloudflare account-owned token: /accounts returned malformed JSON: ${message}`);
+	}
+	if (!listResponse.ok || !listBody?.success) throw new Error(`Cloudflare account-owned token (cfat-...) detected, but /accounts returned status ${listResponse.status}. The token may lack account:read scope. Set CLOUDFLARE_ACCOUNT_ID explicitly to skip introspection.`);
+	const accounts = listBody.result ?? [];
+	if (accounts.length === 0) throw new Error("Cloudflare account-owned token has access to no accounts. Set CLOUDFLARE_ACCOUNT_ID explicitly.");
+	if (accounts.length > 1) throw new Error("Cloudflare account-owned token has access to multiple accounts (ambiguous). Set CLOUDFLARE_ACCOUNT_ID explicitly to disambiguate.");
+	const accountId = accounts[0]?.id;
+	if (!accountId) throw new Error("Cloudflare /accounts returned a result without an id field.");
+	const verifyResponse = await fetchWithTimeout(fetcher, `${ACCOUNTS_LIST_URL}/${encodeURIComponent(accountId)}/tokens/verify`, {
+		method: "GET",
+		headers: {
+			authorization: `Bearer ${token}`,
+			"content-type": "application/json"
+		}
+	});
+	let verifyBody;
+	try {
+		verifyBody = await verifyResponse.json();
+	} catch (err) {
+		const message = err instanceof Error ? err.message : String(err);
+		throw new Error(`Cloudflare account token verify returned malformed JSON: ${message}`);
+	}
+	if (!verifyResponse.ok || !verifyBody?.success) {
+		const detail = verifyBody?.errors?.map((e) => `${e.code}: ${e.message}`).join("; ") ?? `HTTP ${verifyResponse.status}`;
+		throw new Error(`Cloudflare account token verify failed for account ${accountId}: ${detail}`);
+	}
+	return accountId;
+}
+const ZONES_LIST_URL = "https://api.cloudflare.com/client/v4/zones";
+/**
+* Resolve a Cloudflare zone id.
+*
+* Precedence:
+*   1. `CLOUDFLARE_ZONE_ID` env var.
+*   2. The single zone the token can see under `accountId`, via
+*      `GET /zones?account.id=<accountId>&per_page=2`.
+*
+* Step 2 deliberately fetches at most two results: one is the happy path,
+* two (or more) means the token is ambiguous and we refuse to guess.
+* Multi-zone tokens must set `CLOUDFLARE_ZONE_ID` explicitly so the
+* caller's intent is unambiguous.
+*/
+async function resolveZoneId(env$1, options) {
+	const envZone = getEnvString(env$1, "CLOUDFLARE_ZONE_ID");
+	if (envZone) return envZone;
+	const response = await fetchWithTimeout(options.fetcher ?? fetch, `${ZONES_LIST_URL}?account.id=${encodeURIComponent(options.accountId)}&per_page=2`, {
+		method: "GET",
+		headers: {
+			authorization: `Bearer ${options.token}`,
+			"content-type": "application/json"
+		}
+	});
+	if (!response.ok) throw new Error(`Cloudflare zones lookup failed with status ${response.status}. Set CLOUDFLARE_ZONE_ID explicitly or grant the API token Zone:Read.`);
+	let body;
+	try {
+		body = await response.json();
+	} catch (err) {
+		const message = err instanceof Error ? err.message : String(err);
+		throw new Error(`Cloudflare zones lookup returned malformed JSON: ${message}`);
+	}
+	const zones = body.result ?? [];
+	if (zones.length === 0) throw new Error(`Cloudflare API token has access to no zones in account ${options.accountId}. Set CLOUDFLARE_ZONE_ID explicitly or grant the token Zone:Read on the intended zone.`);
+	if (zones.length > 1) throw new Error(`Cloudflare API token has access to multiple zones in account ${options.accountId} (ambiguous). Set CLOUDFLARE_ZONE_ID explicitly to disambiguate.`);
+	const zoneId = zones[0]?.id;
+	if (!zoneId) throw new Error("Cloudflare zones lookup returned a result without an id field.");
+	return zoneId;
+}
+
+//#endregion
+//#region src/tunnels/sandbox-control-callback.ts
+var SandboxControlCallbackImpl = class extends RpcTarget {
+	constructor(getHandler, logger) {
+		super();
+		this.getHandler = getHandler;
 		this.logger = logger;
 	}
 	async onTunnelExit(id, port, exitCode) {
@@ -4699,6 +5071,229 @@ var SandboxControlCallbackImpl = class extends RpcTarget {
 	}
 };
 
+//#endregion
+//#region src/tunnels/cloudflare-api.ts
+/**
+* Cloudflare API client for named-tunnel orchestration.
+*
+* Design notes:
+*
+* - The Cloudflare API envelope is `{ success, result, errors }`. We
+*   unwrap `result` on success and surface a thrown `Error` with the
+*   API error code/message on failure. Transport-level errors
+*   propagate unchanged.
+* - Delete endpoints are idempotent from the caller's perspective:
+*   a 404 (already gone) resolves successfully so destroy() can run
+*   without special-casing.
+* - `upsertCNAME` is the most subtle wrapper: it lists existing
+*   records, reuses a matching one, and refuses to mutate a record
+*   whose content differs from what we want. This is the fence that
+*   stops two sandboxes from racing on the same hostname.
+*/
+const API_BASE = "https://api.cloudflare.com/client/v4";
+/**
+* Default request timeout. Cloudflare API P99 latency is well under
+* this; values much smaller risk false positives on cold control-plane
+* paths (e.g. first `cfd_tunnel` POST in a new account).
+*/
+const DEFAULT_TIMEOUT_MS = 1e4;
+/**
+* Internal request helper. Centralises auth header, JSON encoding,
+* timeout enforcement, and envelope unwrapping so each wrapper above
+* stays declarative.
+*/
+async function cfRequest(url, token, fetcher, options = {}) {
+	const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+	const init = {
+		method: options.method ?? "GET",
+		headers: {
+			authorization: `Bearer ${token}`,
+			"content-type": "application/json"
+		},
+		signal: AbortSignal.timeout(timeoutMs)
+	};
+	if (options.body !== void 0) init.body = JSON.stringify(options.body);
+	let response;
+	try {
+		response = await fetcher(url, init);
+	} catch (err) {
+		if (err instanceof Error && err.name === "TimeoutError") throw new Error(`Cloudflare API request to ${url} timed out after ${timeoutMs}ms`);
+		throw err;
+	}
+	if (options.acceptStatuses?.includes(response.status)) return;
+	let envelope;
+	try {
+		envelope = await response.json();
+	} catch (err) {
+		const message = err instanceof Error ? err.message : String(err);
+		throw new Error(`Cloudflare API returned non-JSON response (status ${response.status}): ${message}`);
+	}
+	if (!response.ok || envelope.success === false) {
+		const errs = envelope.errors ?? [];
+		const summary = errs.length ? errs.map((e) => `${e.code ?? "???"}: ${e.message ?? "unknown"}`).join(", ") : `HTTP ${response.status}`;
+		throw new Error(`Cloudflare API error: ${summary}`);
+	}
+	return envelope.result;
+}
+/**
+* Heuristic for the "tags are an Enterprise-only feature" error class.
+* Empirically grounded against a non-Enterprise account:
+*
+*   - DNS create with `tags: [...]` on a non-Enterprise zone rejects with
+*     Cloudflare error code 9300 and the message "DNS record has N tags,
+*     exceeding the quota of 0.". The error string `cfRequest` constructs
+*     embeds both the code and the message, so we match on either signal.
+*   - Tunnel create with `tags: [...]` silently succeeds and drops the
+*     field on the floor (no error to retry on). The fallback wrapper
+*     therefore costs nothing on tunnel writes.
+*
+* Generic "requires Enterprise" phrasing is also matched as a forward-
+* compatibility hedge in case Cloudflare changes the response shape on
+* future endpoints.
+*/
+function isEnterpriseOnlyTagError(error) {
+	if (!(error instanceof Error)) return false;
+	const msg = error.message.toLowerCase();
+	if (msg.includes("9300") && msg.includes("tag")) return true;
+	if (!msg.includes("tag")) return false;
+	return msg.includes("quota") || msg.includes("enterprise") || msg.includes("not allowed") || msg.includes("not entitled") || msg.includes("not available") || msg.includes("not supported");
+}
+/**
+* Build the `tags` field attached to created Cloudflare resources. The
+* tag is `sandboxId:<id>`, the same key used in DNS comments / tunnel
+* metadata; together they let an operator find every resource a given
+* sandbox owns from the Cloudflare dashboard.
+*
+* Tags are an Enterprise-only feature. The wrapper `createWithTagFallback`
+* automatically retries the request without tags on the documented
+* "requires Enterprise" error so non-enterprise accounts succeed without
+* any configuration.
+*/
+function buildSandboxTags(sandboxId) {
+	if (!sandboxId) return void 0;
+	return [`sandboxId:${sandboxId}`];
+}
+/**
+* Wrap a tagged-create request with an automatic tag-strip retry. The
+* callback receives `tags`: pass it through to the request body as-is on
+* the first call (`undefined` on the retry). The retry only fires for
+* the Enterprise-only tag error class; any other failure surfaces
+* verbatim.
+*/
+async function createWithTagFallback(sandboxId, send) {
+	const tags = buildSandboxTags(sandboxId);
+	if (!tags) return send(void 0);
+	try {
+		return await send(tags);
+	} catch (err) {
+		if (!isEnterpriseOnlyTagError(err)) throw err;
+		return send(void 0);
+	}
+}
+async function createTunnel(args) {
+	const fetcher = args.fetcher ?? fetch;
+	const result = await createWithTagFallback(args.metadata.sandboxId, (tags) => cfRequest(`${API_BASE}/accounts/${encodeURIComponent(args.accountId)}/cfd_tunnel`, args.token, fetcher, {
+		method: "POST",
+		body: {
+			name: args.tunnelName,
+			config_src: "cloudflare",
+			metadata: args.metadata,
+			...tags ? { tags } : {}
+		}
+	}));
+	if (!result) throw new Error("Cloudflare tunnel create returned no result body");
+	return {
+		id: result.id,
+		token: result.token
+	};
+}
+/**
+* Look up an existing tunnel by exact name match. Filters out tunnels
+* marked `deleted_at != null` defensively in case the API ignores the
+* `is_deleted=false` query parameter.
+*
+* When `expectedSandboxId` is provided, also verify that the tunnel's
+* `metadata.sandboxId` tag matches — this is the authoritative "this
+* resource was created by this sandbox" check, and the tag is set by
+* `createTunnel`. Mismatches are treated as "not found" so the caller
+* falls through to creating a fresh tunnel.
+*/
+async function findTunnelByName(args) {
+	const fetcher = args.fetcher ?? fetch;
+	const result = await cfRequest(`${API_BASE}/accounts/${encodeURIComponent(args.accountId)}/cfd_tunnel?name=${encodeURIComponent(args.tunnelName)}&is_deleted=false`, args.token, fetcher);
+	if (!result) return null;
+	const live = result.find((t) => !t.deleted_at);
+	if (!live) return null;
+	if (args.expectedSandboxId !== void 0) {
+		if (live.metadata?.sandboxId !== args.expectedSandboxId) return null;
+	}
+	return {
+		id: live.id,
+		name: live.name
+	};
+}
+async function deleteTunnel(args) {
+	const fetcher = args.fetcher ?? fetch;
+	await cfRequest(`${API_BASE}/accounts/${encodeURIComponent(args.accountId)}/cfd_tunnel/${encodeURIComponent(args.tunnelId)}`, args.token, fetcher, {
+		method: "DELETE",
+		acceptStatuses: [404]
+	});
+}
+/**
+* Fetch the opaque `--token` for an existing tunnel. Used on the retry
+* path: when `findTunnelByName` discovers a tunnel left behind from a
+* previous failed attempt, we need its token to run `cloudflared` again.
+*
+* The Cloudflare API returns the token as a bare quoted string in the
+* `result` envelope (e.g. `"<base64-token>"`).
+*/
+async function getTunnelToken(args) {
+	const fetcher = args.fetcher ?? fetch;
+	const result = await cfRequest(`${API_BASE}/accounts/${encodeURIComponent(args.accountId)}/cfd_tunnel/${encodeURIComponent(args.tunnelId)}/token`, args.token, fetcher);
+	if (typeof result !== "string" || result.length === 0) throw new Error(`Cloudflare did not return a token for tunnel ${args.tunnelId}`);
+	return result;
+}
+async function getZoneName(args) {
+	const fetcher = args.fetcher ?? fetch;
+	const result = await cfRequest(`${API_BASE}/zones/${encodeURIComponent(args.zoneId)}`, args.token, fetcher);
+	if (!result?.name) throw new Error(`Cloudflare zone ${args.zoneId} did not return a name`);
+	return result.name;
+}
+async function upsertCNAME(args) {
+	const fetcher = args.fetcher ?? fetch;
+	const existing = (await cfRequest(`${API_BASE}/zones/${encodeURIComponent(args.zoneId)}/dns_records?type=CNAME&name=${encodeURIComponent(args.hostname)}`, args.token, fetcher) ?? []).find((r) => r.type === "CNAME" && r.name === args.hostname);
+	if (existing) {
+		if (existing.content === args.cnameTarget) return {
+			recordId: existing.id,
+			reused: true
+		};
+		throw new Error(`DNS record for ${args.hostname} already exists with different content (owned by you, not us): existing content="${existing.content}", existing comment="${existing.comment ?? ""}". Delete the record manually to allow the sandbox to manage it.`);
+	}
+	const createResult = await createWithTagFallback(args.sandboxId, (tags) => cfRequest(`${API_BASE}/zones/${encodeURIComponent(args.zoneId)}/dns_records`, args.token, fetcher, {
+		method: "POST",
+		body: {
+			type: "CNAME",
+			name: args.hostname,
+			content: args.cnameTarget,
+			proxied: true,
+			comment: args.comment,
+			...tags ? { tags } : {}
+		}
+	}));
+	if (!createResult) throw new Error("Cloudflare DNS create returned no result body");
+	return {
+		recordId: createResult.id,
+		reused: false
+	};
+}
+async function deleteDNSRecord(args) {
+	const fetcher = args.fetcher ?? fetch;
+	await cfRequest(`${API_BASE}/zones/${encodeURIComponent(args.zoneId)}/dns_records/${encodeURIComponent(args.recordId)}`, args.token, fetcher, {
+		method: "DELETE",
+		acceptStatuses: [404]
+	});
+}
+
 //#endregion
 //#region src/tunnels/tunnels-handler.ts
 /**
@@ -4713,6 +5308,14 @@ var SandboxControlCallbackImpl = class extends RpcTarget {
 */
 /** DO storage key for the `port → TunnelInfo` map. */
 const STORAGE_KEY = "tunnels";
+/**
+* Sidecar storage key for per-port metadata the handler needs but the
+* public `TunnelInfo` shape does not carry: the options hash used to
+* detect divergent retries, and (for named tunnels) the DNS record id
+* needed for cleanup. Kept under a separate key so the existing
+* `tunnels` shape remains a clean `Record<port, TunnelInfo>`.
+*/
+const META_STORAGE_KEY = "tunnels:meta";
 function validateTunnelPort(port) {
 	if (!validatePort(port)) throw new SandboxSecurityError(`Invalid port number: ${port}. Must be 1024-65535, excluding reserved ports.`);
 }
@@ -4722,47 +5325,142 @@ function shortId() {
 	crypto.getRandomValues(buf);
 	return Array.from(buf).map((b) => b.toString(16).padStart(2, "0")).join("");
 }
+/**
+* Match a structured SandboxError code anywhere on the error — translated
+* SandboxErrors expose the code both as a top-level `code` field and on
+* the nested `errorResponse.code`. Used for the few error codes the SDK
+* recognises and recovers from (TUNNEL_NOT_FOUND, TUNNEL_ALREADY_RUNNING).
+*
+* Previous versions matched by substring on `error.message`, which
+* false-positived on any error whose message merely quoted the literal
+* code token.
+*/
+function hasErrorCode(error, code) {
+	if (!error || typeof error !== "object") return false;
+	const e = error;
+	if (e.code === code) return true;
+	if (e.errorResponse?.code === code) return true;
+	return false;
+}
 function isTunnelNotFoundError(error) {
-	return (error instanceof Error ? error.message : String(error)).includes("TUNNEL_NOT_FOUND");
+	return hasErrorCode(error, "TUNNEL_NOT_FOUND");
+}
+function isTunnelAlreadyRunningError(error) {
+	return hasErrorCode(error, "TUNNEL_ALREADY_RUNNING");
 }
 async function readMap(storage) {
 	return await storage.get(STORAGE_KEY) ?? {};
 }
+async function readMetaMap(storage) {
+	return await storage.get(META_STORAGE_KEY) ?? {};
+}
 /**
-* Concrete `TunnelsHandler` implementation. Extends `RpcTarget` so it
-* can cross the Workers RPC boundary: the Sandbox DO is reachable from
-* Workers via Workers RPC (`stub.tunnels.get(port)`), and only
-* `RpcTarget` instances are passed by reference across that boundary.
+* Stable hash of `options`. Empty/undefined options collapse to the same
+* hash so `get(port)`, `get(port, {})`, and `get(port, { name: undefined })`
+* all hit the same cache entry. Named tunnels hash on `name` alone (the
+* only option today).
+*
+* The `v1:` prefix exists so a future addition of a second option (e.g.
+* `subdomain`) can change the canonical form without colliding with an
+* older record's hash. Comparison goes through `optionsHashesEqual`, which
+* normalises legacy unversioned hashes (`quick`, `named:foo`) to their v1
+* form before equality, so upgrading does not invalidate cached records.
+*/
+function computeOptionsHash(options) {
+	if (!options || !options.name) return "v1:quick";
+	return `v1:named:${options.name}`;
+}
+/** Strip the optional `v1:` prefix so legacy hashes compare equal. */
+function normaliseHash(hash) {
+	return hash.startsWith("v1:") ? hash.slice(3) : hash;
+}
+function optionsHashesEqual(a, b) {
+	return normaliseHash(a) === normaliseHash(b);
+}
+/**
+* Concrete `TunnelsHandler` implementation.
+*
+* Extends `RpcTarget` for forward compatibility with direct Workers RPC
+* pipelining (`stub.tunnels.get(port)`): only `RpcTarget` instances may
+* be passed by reference across the Workers RPC boundary. Today the
+* public `sandbox.tunnels` proxy in `getSandbox()` dispatches through
+* `stub.callTunnels(method, args)` instead — pipelining through
+* property getters is broken under the vite-plugin runtime — so the
+* `RpcTarget` base is not on the hot call path. It is retained so the
+* pipelining shape works once that constraint lifts.
 */
 var TunnelsRpcTarget = class extends RpcTarget$1 {
 	#host;
 	#withPortLock;
+	/**
+	* Memoised zone name (e.g. `'example.com'`) for the configured
+	* `CLOUDFLARE_ZONE_ID`. Filled in lazily on the first named-tunnel
+	* `get()` so quick-tunnel callers never hit the zone-lookup endpoint.
+	*
+	* Only successful resolutions are cached: a rejected lookup clears
+	* the slot so the next caller retries, instead of permanently
+	* poisoning every subsequent named-tunnel `get()` on the DO with the
+	* same transient error.
+	*/
+	#zoneNamePromise = null;
 	constructor(host, withPortLock) {
 		super();
 		this.#host = host;
 		this.#withPortLock = withPortLock;
 	}
-	async get(port) {
+	/**
+	* Resolve the zone name for the configured zone id. Memoised for the
+	* lifetime of this handler; the zone name doesn't change while a DO
+	* is alive, and one extra GET on first use is cheaper than threading
+	* the value through the host.
+	*
+	* On failure the cached promise is cleared so the next caller retries.
+	* Without that, a transient 5xx on the first call would permanently
+	* poison every subsequent named-tunnel `get()` until the DO restarts.
+	*/
+	async #getZoneName(config) {
+		if (!this.#zoneNamePromise) {
+			const pending = getZoneName({
+				token: config.token,
+				zoneId: config.zoneId,
+				fetcher: this.#host.fetcher
+			});
+			this.#zoneNamePromise = pending;
+			pending.catch(() => {
+				if (this.#zoneNamePromise === pending) this.#zoneNamePromise = null;
+			});
+		}
+		return this.#zoneNamePromise;
+	}
+	async get(port, options) {
 		const startTime = Date.now();
 		let outcome = "error";
 		let cacheState = "miss";
 		let caughtError;
 		try {
 			validateTunnelPort(port);
+			if (options?.name !== void 0) validateTunnelName(options.name);
+			const requestedHash = computeOptionsHash(options);
 			const info = await this.#withPortLock(port, async () => {
 				const existing = (await readMap(this.#host.storage))[port.toString()];
 				if (existing) {
+					const metaEntry = (await readMetaMap(this.#host.storage))[port.toString()];
+					if (!optionsHashesEqual(metaEntry?.optionsHash ?? (existing.name ? `v1:named:${existing.name}` : "v1:quick"), requestedHash)) throw new Error(`Tunnel on port ${port} was created with different options. Call destroy(${port}) before changing tunnel options.`);
+					if (metaEntry?.needsRespawn && existing.name) return await this.#provisionNamedTunnel(port, existing.name);
+					if (existing.name && this.#host.getNamedTunnelConfig) {
+						const currentConfig = await this.#host.getNamedTunnelConfig();
+						const storedAccountId = metaEntry?.accountId;
+						const storedZoneId = metaEntry?.zoneId;
+						if (storedAccountId !== void 0 && storedAccountId !== currentConfig.accountId || storedZoneId !== void 0 && storedZoneId !== currentConfig.zoneId) {
+							this.#zoneNamePromise = null;
+							return await this.#provisionNamedTunnel(port, existing.name);
+						}
+					}
 					cacheState = "hit";
 					return existing;
 				}
-				const id = `quick-${shortId()}`;
-				const spawned = await this.#host.client.tunnels.runQuickTunnel(id, port);
-				await this.#host.storage.transaction(async (txn) => {
-					const nextMap = await readMap(txn);
-					nextMap[port.toString()] = spawned;
-					await txn.put(STORAGE_KEY, nextMap);
-				});
-				return spawned;
+				if (options?.name) return await this.#provisionNamedTunnel(port, options.name);
+				return await this.#provisionQuickTunnel(port);
 			});
 			outcome = "success";
 			return info;
@@ -4780,6 +5478,129 @@ var TunnelsRpcTarget = class extends RpcTarget$1 {
 			});
 		}
 	}
+	/**
+	* Provision a fresh quick tunnel and persist it. Caller holds the
+	* per-port lock.
+	*
+	* Quick-tunnel ids are minted from a 32-bit random source. Collisions
+	* are astronomically unlikely, but if the container happens to already
+	* have one running under the freshly-minted id it rejects with
+	* TUNNEL_ALREADY_RUNNING. Mint a fresh id and try again rather than
+	* surfacing the confusing error — the retry budget caps the loop so a
+	* persistent failure still surfaces.
+	*/
+	async #provisionQuickTunnel(port) {
+		const MAX_ID_RETRIES = 3;
+		let lastError;
+		for (let attempt = 0; attempt < MAX_ID_RETRIES; attempt += 1) {
+			const id = `quick-${shortId()}`;
+			try {
+				const spawned = await this.#host.client.tunnels.runQuickTunnel(id, port);
+				await this.#host.storage.transaction(async (txn) => {
+					const nextMap = await readMap(txn);
+					nextMap[port.toString()] = spawned;
+					await txn.put(STORAGE_KEY, nextMap);
+					const nextMeta = await readMetaMap(txn);
+					nextMeta[port.toString()] = { optionsHash: "v1:quick" };
+					await txn.put(META_STORAGE_KEY, nextMeta);
+				});
+				return spawned;
+			} catch (err) {
+				if (!isTunnelAlreadyRunningError(err)) throw err;
+				lastError = err;
+			}
+		}
+		throw lastError ?? /* @__PURE__ */ new Error("Failed to mint a unique quick-tunnel id");
+	}
+	/**
+	* Provision a named tunnel end-to-end:
+	*   1. resolve credentials + zone name
+	*   2. reuse or create the Cloudflare tunnel resource
+	*   3. upsert the proxied CNAME (or reuse a matching one)
+	*   4. spawn cloudflared inside the container
+	*   5. persist the record + meta
+	*
+	* Failure between (2) and (5) intentionally leaves the Cloudflare-side
+	* resources in place so a retry can re-discover them via
+	* `findTunnelByName` and the DNS reuse path. See
+	* `.plans/09-named-tunnel-api.md § Retry-friendly failure model`.
+	*/
+	async #provisionNamedTunnel(port, name) {
+		if (!this.#host.sandboxId) throw new Error("Named tunnels require host.sandboxId on the tunnels handler.");
+		if (!this.#host.getNamedTunnelConfig) throw new Error("Named tunnels require host.getNamedTunnelConfig on the tunnels handler.");
+		const config = await this.#host.getNamedTunnelConfig();
+		const hostname = `${name}.${await this.#getZoneName({
+			token: config.token,
+			zoneId: config.zoneId
+		})}`;
+		const sandboxId = this.#host.sandboxId;
+		const tunnelName = `sandbox-${sandboxId}-${name}`;
+		let tunnelId;
+		let tunnelToken;
+		const existingTunnel = await findTunnelByName({
+			token: config.token,
+			accountId: config.accountId,
+			tunnelName,
+			expectedSandboxId: sandboxId,
+			fetcher: this.#host.fetcher
+		});
+		if (existingTunnel) {
+			tunnelId = existingTunnel.id;
+			tunnelToken = await getTunnelToken({
+				token: config.token,
+				accountId: config.accountId,
+				tunnelId,
+				fetcher: this.#host.fetcher
+			});
+		} else {
+			const created = await createTunnel({
+				token: config.token,
+				accountId: config.accountId,
+				tunnelName,
+				metadata: {
+					sandboxId,
+					createdBy: "sandbox-sdk",
+					name,
+					port
+				},
+				fetcher: this.#host.fetcher
+			});
+			tunnelId = created.id;
+			tunnelToken = created.token;
+		}
+		const dnsResult = await upsertCNAME({
+			token: config.token,
+			zoneId: config.zoneId,
+			hostname,
+			cnameTarget: `${tunnelId}.cfargotunnel.com`,
+			comment: `sandbox-${sandboxId}`,
+			sandboxId,
+			fetcher: this.#host.fetcher
+		});
+		await this.#host.client.tunnels.runNamedTunnel(tunnelId, tunnelToken, port);
+		const info = {
+			id: tunnelId,
+			port,
+			name,
+			hostname,
+			url: `https://${hostname}`,
+			createdAt: (/* @__PURE__ */ new Date()).toISOString()
+		};
+		await this.#host.storage.transaction(async (txn) => {
+			const nextMap = await readMap(txn);
+			nextMap[port.toString()] = info;
+			await txn.put(STORAGE_KEY, nextMap);
+			const nextMeta = await readMetaMap(txn);
+			nextMeta[port.toString()] = {
+				optionsHash: computeOptionsHash({ name }),
+				dnsRecordId: dnsResult.recordId,
+				accountId: config.accountId,
+				zoneId: config.zoneId
+			};
+			await txn.put(META_STORAGE_KEY, nextMeta);
+		});
+		return info;
+	}
 	async destroy(portOrInfo) {
 		const port = typeof portOrInfo === "number" ? portOrInfo : portOrInfo.port;
 		const startTime = Date.now();
@@ -4791,16 +5612,68 @@ var TunnelsRpcTarget = class extends RpcTarget$1 {
 				const existing = (await readMap(this.#host.storage))[port.toString()];
 				if (!existing) return;
 				tunnelId = existing.id;
+				const metaBefore = (await readMetaMap(this.#host.storage))[port.toString()];
 				await this.#host.storage.transaction(async (txn) => {
 					const current = await readMap(txn);
 					delete current[port.toString()];
 					await txn.put(STORAGE_KEY, current);
+					const currentMeta = await readMetaMap(txn);
+					delete currentMeta[port.toString()];
+					await txn.put(META_STORAGE_KEY, currentMeta);
 				});
 				try {
 					await this.#host.client.tunnels.destroyTunnel(existing.id);
 				} catch (error) {
-					if (!isTunnelNotFoundError(error)) throw error;
+					if (isTunnelNotFoundError(error)) {} else if (metaBefore?.dnsRecordId) this.#host.logger.warn("tunnel.destroy: container tunnel cleanup failed", {
+						port,
+						tunnelId,
+						error: error instanceof Error ? error.message : String(error)
+					});
+					else throw error;
+				}
+				if (!metaBefore?.dnsRecordId) return;
+				if (!this.#host.getNamedTunnelConfig) return;
+				let config;
+				try {
+					config = await this.#host.getNamedTunnelConfig();
+				} catch (err) {
+					this.#host.logger.warn("tunnel.destroy: skipping CF cleanup, credentials unavailable", {
+						port,
+						tunnelId,
+						dnsRecordId: metaBefore.dnsRecordId,
+						error: err instanceof Error ? err.message : String(err)
+					});
+					return;
 				}
+				const fetcher = this.#host.fetcher;
+				const accountId = metaBefore.accountId ?? config.accountId;
+				const zoneId = metaBefore.zoneId ?? config.zoneId;
+				await Promise.allSettled([metaBefore.dnsRecordId ? deleteDNSRecord({
+					token: config.token,
+					zoneId,
+					recordId: metaBefore.dnsRecordId,
+					fetcher
+				}).catch((err) => {
+					this.#host.logger.warn("tunnel.destroy: dns delete failed", {
+						port,
+						tunnelId,
+						recordId: metaBefore.dnsRecordId,
+						zoneId,
+						error: err instanceof Error ? err.message : String(err)
+					});
+				}) : Promise.resolve(), deleteTunnel({
+					token: config.token,
+					accountId,
+					tunnelId: existing.id,
+					fetcher
+				}).catch((err) => {
+					this.#host.logger.warn("tunnel.destroy: tunnel delete failed", {
+						port,
+						tunnelId,
+						accountId,
+						error: err instanceof Error ? err.message : String(err)
+					});
+				})]);
 			});
 			outcome = "success";
 		} catch (error) {
@@ -4832,29 +5705,126 @@ function createTunnelsHandler(host) {
 	const tunnels = new TunnelsRpcTarget(host, withPortLock);
 	const handleTunnelExit = async (id, port, exitCode) => {
 		const startTime = Date.now();
-		await withPortLock(port, async () => {
-			await host.storage.transaction(async (txn) => {
-				const map = await readMap(txn);
-				if (map[port.toString()]?.id === id) {
+		let outcome = "error";
+		let caughtError;
+		try {
+			await withPortLock(port, async () => {
+				await host.storage.transaction(async (txn) => {
+					const map = await readMap(txn);
+					const existing = map[port.toString()];
+					if (existing?.id !== id) return;
+					if (existing.name) {
+						const meta$1 = await readMetaMap(txn);
+						meta$1[port.toString()] = {
+							...meta$1[port.toString()],
+							optionsHash: meta$1[port.toString()]?.optionsHash ?? `v1:named:${existing.name}`,
+							needsRespawn: true
+						};
+						await txn.put(META_STORAGE_KEY, meta$1);
+						return;
+					}
 					delete map[port.toString()];
 					await txn.put(STORAGE_KEY, map);
-				}
+					const meta = await readMetaMap(txn);
+					delete meta[port.toString()];
+					await txn.put(META_STORAGE_KEY, meta);
+				});
 			});
+			outcome = "success";
+		} catch (error) {
+			caughtError = error instanceof Error ? error : new Error(String(error));
+			throw error;
+		} finally {
 			logCanonicalEvent(host.logger, {
 				event: "tunnel.exit",
-				outcome: "success",
+				outcome,
 				port,
 				tunnelId: id,
 				exitCode: exitCode ?? void 0,
-				durationMs: Date.now() - startTime
+				durationMs: Date.now() - startTime,
+				error: caughtError
 			});
-		});
+		}
+	};
+	/**
+	* Iterate every stored tunnel and call `tunnels.destroy(port)` on it,
+	* sequentially. Each `destroy()` already swallows container-side
+	* TUNNEL_NOT_FOUND and best-effort-logs Cloudflare-side failures; we
+	* wrap the call in catch-and-log here too so a transport-level error
+	* on one port can't poison the rest of the teardown.
+	*
+	* Each port is processed sequentially: this caps the *number of
+	* concurrent ports* in flight at one. Note that an individual
+	* destroy() still fans the DNS-delete and tunnel-delete out via
+	* `Promise.allSettled` internally — so "sequential" here means
+	* "one port at a time", not "one Cloudflare API call at a time".
+	* The handful of ports we expect in the common case makes the
+	* trade-off cheap.
+	*/
+	const destroyAll = async () => {
+		const map = await readMap(host.storage);
+		const ports = Object.keys(map).map((p) => Number(p));
+		for (const port of ports) try {
+			await tunnels.destroy(port);
+		} catch (err) {
+			host.logger.warn("tunnels.destroyAll: destroy(port) failed", {
+				port,
+				error: err instanceof Error ? err.message : String(err)
+			});
+		}
 	};
 	return {
 		tunnels,
-		handleTunnelExit
+		handleTunnelExit,
+		destroyAll
 	};
 }
+/**
+* Reconcile storage with a fresh container.
+*
+* Called from `Sandbox.onStart()` after every container restart. The
+* `cloudflared` processes the container was running all died with it, so
+* any stored record is *not* currently backed by a running tunnel.
+*
+* Two tunnel flavours, two recovery stories:
+*
+*   - Quick tunnels: the `*.trycloudflare.com` URL is bound to the dead
+*     `cloudflared` process. Nothing on Cloudflare's side outlives the
+*     container, and the URL is unrecoverable. Drop the record from both
+*     maps so the next `get(port)` takes the miss branch and mints a new
+*     URL.
+*   - Named tunnels: the Cloudflare-side tunnel + DNS record survive.
+*     The hostname is stable, the DNS still resolves to
+*     `<tunnelId>.cfargotunnel.com`, and the next caller can reuse both
+*     by walking the same `findTunnelByName` / `upsertCNAME` path the
+*     SDK uses for retries. Keep the record in storage and mark the
+*     meta entry `needsRespawn: true`; the next `get(port, { name })`
+*     cache hit falls through to `#provisionNamedTunnel` to respawn
+*     `cloudflared`.
+*
+* Crucially, named-tunnel metadata (including `dnsRecordId`) is
+* preserved so `destroy(port)` and `sandbox.destroy()` can still clean
+* up the Cloudflare-side resources after a restart. Wiping meta
+* unconditionally — the previous behaviour — silently leaked the tunnel
+* and DNS record on every restart.
+*/
+async function pruneTunnelsForRestart(storage) {
+	await storage.transaction(async (txn) => {
+		const map = await readMap(txn);
+		const meta = await readMetaMap(txn);
+		const nextMap = {};
+		const nextMeta = {};
+		for (const [portKey, info] of Object.entries(map)) if (info.name) {
+			nextMap[portKey] = info;
+			nextMeta[portKey] = {
+				...meta[portKey] ?? { optionsHash: `v1:named:${info.name}` },
+				needsRespawn: true
+			};
+		}
+		await txn.put(STORAGE_KEY, nextMap);
+		await txn.put(META_STORAGE_KEY, nextMeta);
+	});
+}
 
 //#endregion
 //#region src/version.ts
@@ -4863,14 +5833,47 @@ function createTunnelsHandler(host) {
 * This file is auto-updated by .github/changeset-version.ts during releases
 * DO NOT EDIT MANUALLY - Changes will be overwritten on the next version bump
 */
-const SDK_VERSION = "0.10.3";
+const SDK_VERSION = "0.12.0";
 
 //#endregion
 //#region src/sandbox.ts
-const R2_EGRESS_PROXY_TARGET_CLASS_NAME = "CloudflareSandboxR2EgressProxyTarget";
-var R2EgressProxyTarget = class extends Container {};
-Object.defineProperty(R2EgressProxyTarget, "name", { value: R2_EGRESS_PROXY_TARGET_CLASS_NAME });
-R2EgressProxyTarget.outboundHandlers = { r2EgressMount: r2EgressHandler };
+const PORT_TOKENS_STORAGE_KEY = "portTokens";
+const ACTIVE_PREVIEW_PORTS_STORAGE_KEY = "activePreviewPorts";
+const CONTAINER_PROXY_CLASS_NAME = "ContainerProxy";
+const S3_CREDENTIAL_PROXY_HOST = "s3-credential-proxy.internal";
+const S3_CREDENTIAL_PROXY_DIAGNOSTIC_HOST = "s3-credential-proxy.sandbox.test";
+var ContainerProxyOutboundTarget = class extends Container {};
+Object.defineProperty(ContainerProxyOutboundTarget, "name", { value: CONTAINER_PROXY_CLASS_NAME });
+ContainerProxyOutboundTarget.outboundHandlers = {
+	r2EgressMount: r2EgressHandler,
+	s3CredentialProxyMount: s3CredentialProxyHandler
+};
+/**
+* SDK-level ContainerProxy that directly dispatches SDK-internal mount hosts
+* (r2.internal, s3-credential-proxy.internal) without relying on
+* outboundHandlersRegistry lookups, which are NOT shared between the Durable
+* Object's execution context and the ContainerProxy WorkerEntrypoint context.
+*
+* Users must export this class from their Worker entrypoint so the Sandbox DO
+* can create outbound-interception fetchers that reference it.
+*/
+var ContainerProxy$1 = class extends ContainerProxy {
+	async fetch(request) {
+		const hostname = new URL(request.url).hostname;
+		const props = this.ctx.props;
+		const override = props.outboundByHostOverrides?.[hostname];
+		if (override) {
+			const handlerCtx = {
+				containerId: props.containerId ?? "",
+				className: props.className ?? "",
+				params: override.params
+			};
+			if (override.method === "r2EgressMount") return r2EgressHandler(request, this.env, handlerCtx);
+			if (override.method === "s3CredentialProxyMount") return s3CredentialProxyHandler(request, this.env, handlerCtx);
+		}
+		return super.fetch(request);
+	}
+};
 function isFetcher(value) {
 	return typeof value === "object" && value !== null && "fetch" in value && typeof value.fetch === "function";
 }
@@ -4880,6 +5883,8 @@ const R2_DEFAULT_S3FS_OPTIONS = {
 	enable_noobj_cache: true,
 	multipart_size: "5"
 };
+const R2_DEFAULT_S3FS_OPTION_ENTRIES = Object.entries(R2_DEFAULT_S3FS_OPTIONS).map(([key, value]) => value === true ? key : `${key}=${value}`);
+const S3FS_DISABLE_EXPECT_HEADER_CONFIG = " Expect:\n";
 const BACKUP_DEFAULT_TTL_SECONDS = 259200;
 const BACKUP_MAX_NAME_LENGTH = 256;
 const BACKUP_CONTAINER_DIR = "/var/backups";
@@ -5071,10 +6076,6 @@ function getSandbox(ns, id, options) {
 		}),
 		terminal: (request, opts) => proxyTerminal(stub, defaultSessionId, request, opts),
 		wsConnect: connect(stub),
-		desktop: new Proxy({}, { get(_, method) {
-			if (typeof method !== "string" || method === "then") return void 0;
-			return (...args) => stub.callDesktop(method, args);
-		} }),
 		tunnels: new Proxy({}, { get: (_, method) => {
 			if (typeof method !== "string" || method === "then") return void 0;
 			return (...args) => stub.callTunnels(method, args);
@@ -5106,6 +6107,7 @@ var Sandbox = class Sandbox extends Container {
 	sandboxName = null;
 	tunnelsHandler = null;
 	tunnelExitHandler = null;
+	destroyAllTunnels = null;
 	controlCallback;
 	normalizeId = false;
 	defaultSession = null;
@@ -5115,6 +6117,8 @@ var Sandbox = class Sandbox extends Container {
 	logger;
 	keepAliveEnabled = false;
 	activeMounts = /* @__PURE__ */ new Map();
+	mountOperationQueue = Promise.resolve();
+	currentRuntime;
 	transport = "http";
 	/**
 	* True once transport has been written to storage at least once (either
@@ -5140,8 +6144,23 @@ var Sandbox = class Sandbox extends Container {
 	r2SecretAccessKey = null;
 	r2AccountId = null;
 	backupBucketName = null;
+	backupBucketEndpoint = null;
 	r2Client = null;
 	/**
+	* Lazily-resolved Cloudflare account id for named-tunnel provisioning.
+	* Resolved on first access via `tunnels/credentials.ts` and cached for
+	* the lifetime of this DO instance. See the credentials helper for
+	* the precedence chain.
+	*/
+	tunnelAccountIdPromise = null;
+	/**
+	* Lazily-resolved Cloudflare zone id for named-tunnel provisioning.
+	* Falls back to the single zone the token can see under the resolved
+	* account id when `CLOUDFLARE_ZONE_ID` is not set. Cached for the
+	* lifetime of this DO instance.
+	*/
+	tunnelZoneIdPromise = null;
+	/**
 	* Default container startup timeouts (conservative for production)
 	* Based on Cloudflare docs: "Containers take several minutes to provision"
 	*/
@@ -5165,56 +6184,6 @@ var Sandbox = class Sandbox extends Container {
 	*/
 	hasStoredContainerTimeouts = false;
 	/**
-	* Desktop environment operations.
-	* Within the DO, this getter provides direct access to DesktopClient.
-	* Over RPC, the getSandbox() proxy intercepts this property and routes
-	* calls through callDesktop() instead.
-	*/
-	get desktop() {
-		return this.client.desktop;
-	}
-	/**
-	* Allowed desktop methods — derived from the Desktop interface.
-	* Restricts callDesktop() to a known set of operations.
-	*/
-	static DESKTOP_METHODS = new Set([
-		"start",
-		"stop",
-		"status",
-		"screenshot",
-		"screenshotRegion",
-		"click",
-		"doubleClick",
-		"tripleClick",
-		"rightClick",
-		"middleClick",
-		"mouseDown",
-		"mouseUp",
-		"moveMouse",
-		"drag",
-		"scroll",
-		"getCursorPosition",
-		"type",
-		"press",
-		"keyDown",
-		"keyUp",
-		"getScreenSize",
-		"getProcessStatus"
-	]);
-	/**
-	* Dispatch method for desktop operations.
-	* Called by the client-side proxy created in getSandbox() to provide
-	* the `sandbox.desktop.status()` API without relying on RPC pipelining
-	* through property getters which is broken when using vite-plugin.
-	*/
-	async callDesktop(method, args) {
-		if (!Sandbox.DESKTOP_METHODS.has(method)) throw new Error(`Unknown desktop method: ${method}`);
-		const client = this.client.desktop;
-		const fn = client[method];
-		if (typeof fn !== "function") throw new Error(`sandbox.desktop missing method: ${method}`);
-		return fn.apply(client, args);
-	}
-	/**
 	* Dispatch method for tunnel operations.
 	* Called by the client-side proxy created in getSandbox() to provide
 	* the `sandbox.tunnels` API without relying on RPC pipelining
@@ -5300,16 +6269,64 @@ var Sandbox = class Sandbox extends Container {
 			component: "sandbox-do",
 			sandboxId: this.ctx.id.toString()
 		});
+		this.currentRuntime = new CurrentRuntimeIdentity(this.ctx.storage, () => this.getState(), () => this.ctx.container?.running === true);
 		const transportEnv = envObj?.SANDBOX_TRANSPORT;
 		if (transportEnv === "websocket" || transportEnv === "rpc") this.transport = transportEnv;
 		else if (transportEnv != null && transportEnv !== "http") this.logger.warn(`Invalid SANDBOX_TRANSPORT value: "${transportEnv}". Must be "http", "websocket", or "rpc". Defaulting to "http".`);
 		this.logger.info(`Using ${this.transport} transport`);
 		const backupBucket = envObj?.BACKUP_BUCKET;
 		if (isR2Bucket(backupBucket)) this.backupBucket = backupBucket;
-		this.r2AccountId = getEnvString(envObj, "CLOUDFLARE_ACCOUNT_ID") ?? null;
+		this.r2AccountId = getEnvString(envObj, "CLOUDFLARE_R2_ACCOUNT_ID") ?? getEnvString(envObj, "CLOUDFLARE_ACCOUNT_ID") ?? null;
 		this.r2AccessKeyId = getEnvString(envObj, "R2_ACCESS_KEY_ID") ?? null;
 		this.r2SecretAccessKey = getEnvString(envObj, "R2_SECRET_ACCESS_KEY") ?? null;
 		this.backupBucketName = getEnvString(envObj, "BACKUP_BUCKET_NAME") ?? null;
+		const rawEndpoint = getEnvString(envObj, "BACKUP_BUCKET_ENDPOINT") ?? null;
+		if (rawEndpoint !== null) {
+			let parsed;
+			try {
+				parsed = new URL(rawEndpoint);
+			} catch {
+				const msg = `BACKUP_BUCKET_ENDPOINT is not a valid URL: "${rawEndpoint}". Expected format: https://<account_id>.eu.r2.cloudflarestorage.com`;
+				throw new InvalidBackupConfigError({
+					message: msg,
+					code: ErrorCode.INVALID_BACKUP_CONFIG,
+					httpStatus: 400,
+					context: { reason: msg },
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+			}
+			if (parsed.protocol !== "https:") {
+				const msg = `BACKUP_BUCKET_ENDPOINT must use https://, got "${parsed.protocol.slice(0, -1)}://"`;
+				throw new InvalidBackupConfigError({
+					message: msg,
+					code: ErrorCode.INVALID_BACKUP_CONFIG,
+					httpStatus: 400,
+					context: { reason: msg },
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+			}
+			if (parsed.pathname !== "/") {
+				const msg = `BACKUP_BUCKET_ENDPOINT must not include a path (got "${parsed.pathname}"). Provide only the origin, e.g. https://<account_id>.eu.r2.cloudflarestorage.com`;
+				throw new InvalidBackupConfigError({
+					message: msg,
+					code: ErrorCode.INVALID_BACKUP_CONFIG,
+					httpStatus: 400,
+					context: { reason: msg },
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+			}
+			if (parsed.search !== "" || parsed.hash !== "") {
+				const msg = "BACKUP_BUCKET_ENDPOINT must not include query parameters or fragments. Provide only the origin, e.g. https://<account_id>.eu.r2.cloudflarestorage.com";
+				throw new InvalidBackupConfigError({
+					message: msg,
+					code: ErrorCode.INVALID_BACKUP_CONFIG,
+					httpStatus: 400,
+					context: { reason: msg },
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+			}
+			this.backupBucketEndpoint = parsed.origin;
+		} else this.backupBucketEndpoint = null;
 		if (this.r2AccessKeyId && this.r2SecretAccessKey) this.r2Client = new AwsClient({
 			accessKeyId: this.r2AccessKeyId,
 			secretAccessKey: this.r2SecretAccessKey
@@ -5344,6 +6361,7 @@ var Sandbox = class Sandbox extends Container {
 				this.codeInterpreter = new CodeInterpreter(() => this.client.interpreter);
 				this.tunnelsHandler = null;
 				this.tunnelExitHandler = null;
+				this.destroyAllTunnels = null;
 				previousClient.disconnect();
 			}
 			if (storedTransport) this.hasStoredTransport = true;
@@ -5425,6 +6443,7 @@ var Sandbox = class Sandbox extends Container {
 		this.codeInterpreter = new CodeInterpreter(() => this.client.interpreter);
 		this.tunnelsHandler = null;
 		this.tunnelExitHandler = null;
+		this.destroyAllTunnels = null;
 		previousClient.disconnect();
 		this.renewActivityTimeout();
 		this.logger.debug("Transport updated", { transport });
@@ -5469,6 +6488,24 @@ var Sandbox = class Sandbox extends Container {
 	* @throws InvalidMountConfigError if bucket name, mount path, or endpoint is invalid
 	*/
 	async mountBucket(bucket, mountPath, options) {
+		return this.runMountOperation(async () => {
+			await this.mountBucketUnlocked(bucket, mountPath, options);
+		});
+	}
+	async runMountOperation(operation) {
+		const previous = this.mountOperationQueue;
+		let release;
+		this.mountOperationQueue = new Promise((resolve) => {
+			release = resolve;
+		});
+		await previous.catch(() => {});
+		try {
+			await operation();
+		} finally {
+			release();
+		}
+	}
+	async mountBucketUnlocked(bucket, mountPath, options) {
 		if (options.prefix !== void 0) validatePrefix(options.prefix);
 		if ("localBucket" in options && options.localBucket) {
 			await this.mountBucketLocal(bucket, mountPath, options);
@@ -5508,6 +6545,7 @@ var Sandbox = class Sandbox extends Container {
 				logger: this.logger
 			});
 			const mountInfo = {
+				mountId: crypto.randomUUID(),
 				mountType: "local-sync",
 				bucket,
 				mountPath,
@@ -5548,14 +6586,37 @@ var Sandbox = class Sandbox extends Container {
 		};
 		return { buckets };
 	}
-	validateR2EgressS3fsOptions(options) {
+	validateProtectedS3fsOptions(options, mountLabel, extraProtected = []) {
 		if (!options) return;
-		const protectedOptions = new Set(["passwd_file", "url"]);
+		const protectedOptions = new Set([
+			"passwd_file",
+			"url",
+			...extraProtected
+		]);
 		for (const option of options) {
 			const [key] = option.split("=");
-			if (protectedOptions.has(key)) throw new InvalidMountConfigError(`s3fs option "${key}" cannot be overridden for R2 binding mounts`);
+			if (protectedOptions.has(key)) throw new InvalidMountConfigError(`s3fs option "${key}" cannot be overridden for ${mountLabel} mounts`);
 		}
 	}
+	getS3CredentialProxyParams(options) {
+		const mounts = {};
+		for (const [, m] of this.activeMounts) if (m.mountType === "fuse" && m.credentialProxy) {
+			if (m.mountId === options?.excludeMountId) continue;
+			mounts[m.mountId] = {
+				endpoint: m.credentialProxy.endpoint,
+				bucket: m.credentialProxy.bucket,
+				...m.credentialProxy.prefix !== void 0 ? { prefix: m.credentialProxy.prefix } : {},
+				credentials: m.credentialProxy.credentials,
+				readOnly: m.credentialProxy.readOnly,
+				provider: m.credentialProxy.provider,
+				authStrategy: m.credentialProxy.authStrategy
+			};
+		}
+		return { mounts };
+	}
+	resolveCredentialProxyAuthStrategy(provider) {
+		return provider === "gcs" ? "gcs" : "s3-sigv4";
+	}
 	/**
 	* Credential-less R2 mount: egress interception routes s3fs requests to the
 	* R2 binding. No S3 credentials are needed in the container or Worker env.
@@ -5565,24 +6626,30 @@ var Sandbox = class Sandbox extends Container {
 		const prefix = options.prefix;
 		let mountOutcome = "error";
 		let mountError;
+		let passwordFilePath;
+		let additionalHeaderFilePath;
 		try {
 			validateBucketBindingName(bucket, mountPath);
 			this.validateMountPath(mountPath);
-			this.validateR2EgressS3fsOptions(options.s3fsOptions);
+			this.validateProtectedS3fsOptions(options.s3fsOptions, "R2 binding");
 			for (const [existingMountPath, mountInfo$1] of this.activeMounts) {
 				if (mountInfo$1.mountType === "r2-egress" && mountInfo$1.bucket === bucket && mountInfo$1.prefix !== prefix) throw new InvalidMountConfigError(`R2 binding "${bucket}" is already mounted at ${existingMountPath} with a different prefix. Mount the same binding only once, or use the same prefix for additional mounts.`);
 				if (mountInfo$1.mountType === "r2-egress" && mountInfo$1.bucket === bucket && mountInfo$1.readOnly !== (options.readOnly ?? false)) throw new InvalidMountConfigError(`R2 binding "${bucket}" is already mounted at ${existingMountPath} with a different readOnly setting. Mount the same binding only once, or use the same readOnly value for additional mounts.`);
 			}
-			const passwordFilePath = this.generatePasswordFilePath();
+			passwordFilePath = this.generatePasswordFilePath();
+			additionalHeaderFilePath = this.generateS3FSAdditionalHeaderFilePath();
 			await this.createPasswordFile(passwordFilePath, bucket, {
 				accessKeyId: "x",
 				secretAccessKey: "x"
 			});
+			await this.createDisableExpectHeaderFile(additionalHeaderFilePath);
 			const mountInfo = {
+				mountId: crypto.randomUUID(),
 				mountType: "r2-egress",
 				bucket,
 				mountPath,
 				passwordFilePath,
+				additionalHeaderFilePath,
 				mounted: false,
 				prefix,
 				readOnly: options.readOnly ?? false
@@ -5597,6 +6664,7 @@ var Sandbox = class Sandbox extends Container {
 				...parseS3fsOptions(resolveS3fsOptions("r2", options.s3fsOptions)),
 				use_path_request_style: true,
 				url: "http://r2.internal",
+				ahbe_conf: additionalHeaderFilePath,
 				...options.readOnly ? { ro: true } : {}
 			}));
 			const mountCmd = `s3fs ${shellEscape(s3fsSource)} ${shellEscape(mountPath)} -o ${optionsStr}`;
@@ -5620,7 +6688,13 @@ var Sandbox = class Sandbox extends Container {
 			mountError = error instanceof Error ? error : new Error(String(error));
 			const failedMount = this.activeMounts.get(mountPath);
 			this.activeMounts.delete(mountPath);
-			if (failedMount?.mountType === "r2-egress") await this.deletePasswordFile(failedMount.passwordFilePath).catch(() => {});
+			if (failedMount?.mountType === "r2-egress") {
+				await this.deletePasswordFile(failedMount.passwordFilePath).catch(() => {});
+				if (failedMount.additionalHeaderFilePath) await this.deleteAdditionalHeaderFile(failedMount.additionalHeaderFilePath).catch(() => {});
+			} else {
+				if (passwordFilePath) await this.deletePasswordFile(passwordFilePath).catch(() => {});
+				if (additionalHeaderFilePath) await this.deleteAdditionalHeaderFile(additionalHeaderFilePath).catch(() => {});
+			}
 			const remainingParams = this.getR2EgressParams();
 			await this.configureR2EgressOutbound(remainingParams).catch(() => {});
 			throw error;
@@ -5646,6 +6720,7 @@ var Sandbox = class Sandbox extends Container {
 		let mountOutcome = "error";
 		let mountError;
 		let passwordFilePath;
+		let additionalHeaderFilePath;
 		let provider = null;
 		let dirExisted = true;
 		try {
@@ -5667,33 +6742,81 @@ var Sandbox = class Sandbox extends Container {
 				R2_SECRET_ACCESS_KEY: this.r2SecretAccessKey || void 0,
 				...this.envVars
 			});
+			const credentialProxyEnabled = options.credentialProxy === true;
+			if (credentialProxyEnabled) this.validateProtectedS3fsOptions(options.s3fsOptions, "credential proxy", ["ahbe_conf", "use_path_request_style"]);
 			passwordFilePath = this.generatePasswordFilePath();
+			if (credentialProxyEnabled) additionalHeaderFilePath = this.generateS3FSAdditionalHeaderFilePath();
+			const mountId = crypto.randomUUID();
 			const mountInfo = {
+				mountId,
 				mountType: "fuse",
 				bucket: s3fsSource,
 				mountPath,
 				endpoint: options.endpoint,
 				provider,
 				passwordFilePath,
-				mounted: false
+				...additionalHeaderFilePath ? { additionalHeaderFilePath } : {},
+				mounted: false,
+				...credentialProxyEnabled ? { credentialProxy: {
+					endpoint: options.endpoint,
+					bucket,
+					...prefix !== void 0 ? { prefix } : {},
+					credentials,
+					readOnly: options.readOnly ?? false,
+					provider,
+					authStrategy: this.resolveCredentialProxyAuthStrategy(provider)
+				} } : {}
 			};
 			this.activeMounts.set(mountPath, mountInfo);
-			await this.createPasswordFile(passwordFilePath, bucket, credentials);
+			await this.createPasswordFile(passwordFilePath, bucket, credentialProxyEnabled ? {
+				accessKeyId: "x",
+				secretAccessKey: "x"
+			} : credentials);
+			if (credentialProxyEnabled) {
+				if (additionalHeaderFilePath) await this.createDisableExpectHeaderFile(additionalHeaderFilePath);
+				await this.configureS3CredentialProxyOutbound(this.getS3CredentialProxyParams());
+			}
 			dirExisted = (await this.execInternal(`test -d ${shellEscape(mountPath)}`)).exitCode === 0;
 			await this.execInternal(`mkdir -p ${shellEscape(mountPath)}`);
-			await this.executeS3FSMount(s3fsSource, mountPath, options, provider, passwordFilePath);
+			const effectiveOptions = credentialProxyEnabled ? {
+				...options,
+				endpoint: `http://${S3_CREDENTIAL_PROXY_HOST}/${mountId}`,
+				s3fsOptions: [
+					...provider === "r2" ? R2_DEFAULT_S3FS_OPTION_ENTRIES : [],
+					...options.s3fsOptions ?? [],
+					...additionalHeaderFilePath ? [`ahbe_conf=${additionalHeaderFilePath}`] : [],
+					"use_path_request_style"
+				]
+			} : options;
+			await this.executeS3FSMount(s3fsSource, mountPath, effectiveOptions, provider, passwordFilePath);
 			mountInfo.mounted = true;
 			mountOutcome = "success";
 		} catch (error) {
 			mountError = error instanceof Error ? error : new Error(String(error));
-			if (passwordFilePath) await this.deletePasswordFile(passwordFilePath);
 			try {
 				await this.execInternal(`mountpoint -q ${shellEscape(mountPath)} && fusermount -u ${shellEscape(mountPath)}`);
 			} catch {}
+			if (passwordFilePath) await this.deletePasswordFile(passwordFilePath);
+			if (additionalHeaderFilePath) await this.deleteAdditionalHeaderFile(additionalHeaderFilePath);
 			if (!dirExisted) try {
 				await this.execInternal(`rmdir ${shellEscape(mountPath)} 2>/dev/null`);
 			} catch {}
-			this.activeMounts.delete(mountPath);
+			const failedMount = this.activeMounts.get(mountPath);
+			if (failedMount?.mountType === "fuse" && failedMount.credentialProxy) try {
+				await this.configureS3CredentialProxyOutbound(this.getS3CredentialProxyParams({ excludeMountId: failedMount.mountId }));
+				this.activeMounts.delete(mountPath);
+				evictSigV4ClientCacheEntry(failedMount.mountId);
+				evictDirectoryMarkerCacheForMount(failedMount.mountId);
+			} catch (cleanupError) {
+				this.logger.warn("credential proxy cleanup failed", {
+					mountPath,
+					error: cleanupError instanceof Error ? cleanupError.message : String(cleanupError)
+				});
+				this.activeMounts.delete(mountPath);
+				evictSigV4ClientCacheEntry(failedMount.mountId);
+				evictDirectoryMarkerCacheForMount(failedMount.mountId);
+			}
+			else this.activeMounts.delete(mountPath);
 			throw error;
 		} finally {
 			logCanonicalEvent(this.logger, {
@@ -5715,6 +6838,11 @@ var Sandbox = class Sandbox extends Container {
 	* @throws InvalidMountConfigError if mount path doesn't exist or isn't mounted
 	*/
 	async unmountBucket(mountPath) {
+		return this.runMountOperation(async () => {
+			await this.unmountBucketUnlocked(mountPath);
+		});
+	}
+	async unmountBucketUnlocked(mountPath) {
 		const unmountStartTime = Date.now();
 		let unmountOutcome = "error";
 		let unmountError;
@@ -5725,30 +6853,75 @@ var Sandbox = class Sandbox extends Container {
 				await mountInfo.syncManager.stop();
 				mountInfo.mounted = false;
 				this.activeMounts.delete(mountPath);
-			} else try {
-				const result = await this.execInternal(`fusermount -u ${shellEscape(mountPath)}`);
-				if (result.exitCode !== 0) {
-					const stderr = result.stderr || "unknown error";
-					throw new BucketUnmountError(`fusermount -u failed (exit ${result.exitCode}): ${stderr}`);
-				}
-				mountInfo.mounted = false;
-				this.activeMounts.delete(mountPath);
-				if (mountInfo.mountType === "r2-egress") await this.configureR2EgressOutbound(this.getR2EgressParams());
+			} else if (mountInfo.mountType === "fuse" && mountInfo.credentialProxy && !mountInfo.mounted) {
 				try {
-					const cleanup = await this.execInternal(`mountpoint -q ${shellEscape(mountPath)} || rmdir ${shellEscape(mountPath)}`);
-					if (cleanup.exitCode !== 0) this.logger.warn("mount directory removal failed", {
-						mountPath,
-						exitCode: cleanup.exitCode,
-						stderr: cleanup.stderr
-					});
-				} catch (err) {
-					this.logger.warn("mount directory removal failed", {
+					await this.configureS3CredentialProxyOutbound(this.getS3CredentialProxyParams({ excludeMountId: mountInfo.mountId }));
+				} catch (cleanupError) {
+					this.logger.warn("credential proxy outbound reconfiguration failed on unmount", {
 						mountPath,
-						error: err instanceof Error ? err.message : String(err)
+						error: cleanupError instanceof Error ? cleanupError.message : String(cleanupError)
 					});
 				}
-			} finally {
-				await this.deletePasswordFile(mountInfo.passwordFilePath);
+				this.activeMounts.delete(mountPath);
+				evictSigV4ClientCacheEntry(mountInfo.mountId);
+				evictDirectoryMarkerCacheForMount(mountInfo.mountId);
+			} else {
+				let unmounted = false;
+				try {
+					const result = await this.execInternal(`fusermount -u ${shellEscape(mountPath)}`);
+					if (result.exitCode !== 0) {
+						const stderr = result.stderr || "unknown error";
+						throw new BucketUnmountError(`fusermount -u failed (exit ${result.exitCode}): ${stderr}`);
+					}
+					unmounted = true;
+					mountInfo.mounted = false;
+					if (mountInfo.mountType === "r2-egress") {
+						const remainingBuckets = {};
+						for (const [, activeMount] of this.activeMounts) if (activeMount.mountType === "r2-egress" && activeMount.mountId !== mountInfo.mountId) remainingBuckets[activeMount.bucket] = {
+							prefix: activeMount.prefix,
+							readOnly: activeMount.readOnly
+						};
+						try {
+							await this.configureR2EgressOutbound({ buckets: remainingBuckets });
+						} catch (cleanupError) {
+							this.logger.warn("r2 egress outbound reconfiguration failed on unmount", {
+								mountPath,
+								error: cleanupError instanceof Error ? cleanupError.message : String(cleanupError)
+							});
+						}
+						this.activeMounts.delete(mountPath);
+					} else if (mountInfo.mountType === "fuse" && mountInfo.credentialProxy) {
+						try {
+							await this.configureS3CredentialProxyOutbound(this.getS3CredentialProxyParams({ excludeMountId: mountInfo.mountId }));
+						} catch (cleanupError) {
+							this.logger.warn("credential proxy outbound reconfiguration failed on unmount", {
+								mountPath,
+								error: cleanupError instanceof Error ? cleanupError.message : String(cleanupError)
+							});
+						}
+						this.activeMounts.delete(mountPath);
+						evictSigV4ClientCacheEntry(mountInfo.mountId);
+						evictDirectoryMarkerCacheForMount(mountInfo.mountId);
+					} else this.activeMounts.delete(mountPath);
+					try {
+						const cleanup = await this.execInternal(`mountpoint -q ${shellEscape(mountPath)} || rmdir ${shellEscape(mountPath)}`);
+						if (cleanup.exitCode !== 0) this.logger.warn("mount directory removal failed", {
+							mountPath,
+							exitCode: cleanup.exitCode,
+							stderr: cleanup.stderr
+						});
+					} catch (err) {
+						this.logger.warn("mount directory removal failed", {
+							mountPath,
+							error: err instanceof Error ? err.message : String(err)
+						});
+					}
+				} finally {
+					if (unmounted) {
+						await this.deletePasswordFile(mountInfo.passwordFilePath);
+						if (mountInfo.additionalHeaderFilePath) await this.deleteAdditionalHeaderFile(mountInfo.additionalHeaderFilePath);
+					}
+				}
 			}
 			unmountOutcome = "success";
 		} catch (error) {
@@ -5791,6 +6964,20 @@ var Sandbox = class Sandbox extends Container {
 		return `/tmp/.passwd-s3fs-${crypto.randomUUID()}`;
 	}
 	/**
+	* Generate unique ahbe_conf file path for s3fs additional header config
+	*/
+	generateS3FSAdditionalHeaderFilePath() {
+		return `/tmp/.s3fs-ahbe-${crypto.randomUUID()}.conf`;
+	}
+	/**
+	* Create s3fs ahbe_conf file that suppresses the Expect: 100-continue header.
+	* Restricted to 0600 so s3fs will accept it (same requirement as passwd files).
+	*/
+	async createDisableExpectHeaderFile(headerFilePath) {
+		await this.client.files.writeFile(headerFilePath, S3FS_DISABLE_EXPECT_HEADER_CONFIG, DISABLE_SESSION_TOKEN);
+		await this.execInternal(`chmod 0600 ${shellEscape(headerFilePath)}`);
+	}
+	/**
 	* Create password file with s3fs credentials
 	* Format: bucket:accessKeyId:secretAccessKey
 	*/
@@ -5812,6 +6999,16 @@ var Sandbox = class Sandbox extends Container {
 			});
 		}
 	}
+	async deleteAdditionalHeaderFile(headerFilePath) {
+		try {
+			await this.execInternal(`rm -f ${shellEscape(headerFilePath)}`);
+		} catch (error) {
+			this.logger.warn("s3fs additional header file cleanup failed", {
+				headerFilePath,
+				error: error instanceof Error ? error.message : String(error)
+			});
+		}
+	}
 	/**
 	* Execute S3FS mount command
 	*/
@@ -5896,9 +7093,9 @@ var Sandbox = class Sandbox extends Container {
 		let outcome = "error";
 		let caughtError;
 		try {
-			if (this.ctx.container?.running) try {
-				await this.client.desktop.stop();
-			} catch {}
+			await this.ctx.storage.delete(PORT_TOKENS_STORAGE_KEY);
+			await this.clearActivePreviewPorts();
+			await this.currentRuntime.clear();
 			for (const [mountPath, mountInfo] of this.activeMounts.entries()) {
 				mountsProcessed++;
 				if (mountInfo.mountType === "local-sync") try {
@@ -5918,10 +7115,17 @@ var Sandbox = class Sandbox extends Container {
 						this.logger.warn(`Failed to unmount bucket ${mountInfo.bucket} from ${mountPath}: ${errorMsg}`);
 					}
 					await this.deletePasswordFile(mountInfo.passwordFilePath);
+					if (mountInfo.additionalHeaderFilePath) await this.deleteAdditionalHeaderFile(mountInfo.additionalHeaderFilePath);
 				}
 			}
-			await this.ctx.storage.delete("portTokens");
+			try {
+				this.ensureTunnelsBuilt();
+				await this.destroyAllTunnels?.();
+			} catch (error) {
+				this.logger.warn("Failed to tear down tunnels during destroy()", { error: error instanceof Error ? error.message : String(error) });
+			}
 			await this.ctx.storage.delete("tunnels");
+			await this.ctx.storage.delete("tunnels:meta");
 			this.client.disconnect();
 			outcome = "success";
 			await super.destroy();
@@ -5941,74 +7145,20 @@ var Sandbox = class Sandbox extends Container {
 	}
 	async onStart() {
 		this.logger.debug("Sandbox started");
+		await this.currentRuntime.markStarted();
 		this.checkVersionCompatibility().catch((error) => {
 			this.logger.error("Version compatibility check failed", error instanceof Error ? error : new Error(String(error)));
 		});
 		try {
-			await this.restoreExposedPorts();
-		} catch (error) {
-			this.logger.error("Failed to restore exposed ports after container start", error instanceof Error ? error : new Error(String(error)));
-		}
-		try {
-			await this.ctx.storage.delete("tunnels");
+			await pruneTunnelsForRestart(this.ctx.storage);
 		} catch (error) {
-			this.logger.error("Failed to clear tunnel storage after container start", error instanceof Error ? error : new Error(String(error)));
+			this.logger.error("Failed to reconcile tunnel storage after container start", error instanceof Error ? error : new Error(String(error)));
 		}
 	}
-	/**
-	* Re-expose ports on the container runtime using tokens persisted in DO
-	* storage. Called from onStart() after a container (re)start.
-	*
-	* The DO storage holds the source of truth for which ports should be
-	* exposed, which tokens authorize them, and the friendly name (if any)
-	* that the caller set when first exposing the port. If a port is already
-	* exposed on the container this is a no-op for that port. Individual port
-	* failures are logged but do not abort the overall restore — a transient
-	* failure for one port must not prevent the others from being restored.
-	*/
-	async restoreExposedPorts() {
-		const savedTokens = await this.readPortTokens();
-		const portEntries = Object.entries(savedTokens);
-		if (portEntries.length === 0) return;
-		const startTime = Date.now();
-		let restored = 0;
-		let skipped = 0;
-		let failed = 0;
-		const exposedSet = await this.client.ports.getExposedPorts(DISABLE_SESSION_TOKEN).then((response) => new Set(response.ports.map((p) => p.port))).catch((error) => {
-			this.logger.warn("Failed to fetch exposed ports for restore; assuming none exposed", { error: error instanceof Error ? error.message : String(error) });
-			return /* @__PURE__ */ new Set();
-		});
-		for (const [portStr, entry] of portEntries) {
-			const port = Number.parseInt(portStr, 10);
-			if (!Number.isFinite(port) || !validatePort(port)) {
-				this.logger.warn("Skipping restore of invalid port in storage", { port: portStr });
-				failed++;
-				continue;
-			}
-			if (exposedSet.has(port)) {
-				skipped++;
-				continue;
-			}
-			try {
-				await this.client.ports.exposePort(port, DISABLE_SESSION_TOKEN, entry.name);
-				restored++;
-			} catch (error) {
-				failed++;
-				this.logger.warn("Failed to re-expose port on container restart", {
-					port,
-					error: error instanceof Error ? error.message : String(error)
-				});
-			}
-		}
-		logCanonicalEvent(this.logger, {
-			event: "port.restore",
-			outcome: failed === 0 ? "success" : "error",
-			durationMs: Date.now() - startTime,
-			restored,
-			skipped,
-			failed,
-			total: portEntries.length
-		});
+	async stop(signal) {
+		await this.currentRuntime.clear();
+		await this.clearActivePreviewPorts();
+		await super.stop(signal);
 	}
 	/**
 	* Read the `portTokens` map from DO storage, normalizing the legacy
@@ -6016,12 +7166,32 @@ var Sandbox = class Sandbox extends Container {
 	* ({ token, name? }). The legacy format predates port-name persistence and
 	* can appear on any DO whose storage was written before that change.
 	*/
-	async readPortTokens() {
-		const raw = await this.ctx.storage.get("portTokens") ?? {};
+	async readPortTokens(storage = this.ctx.storage) {
+		const raw = await storage.get(PORT_TOKENS_STORAGE_KEY) ?? {};
 		const normalized = {};
 		for (const [port, value] of Object.entries(raw)) normalized[port] = typeof value === "string" ? { token: value } : value;
 		return normalized;
 	}
+	async readActivePreviewPorts(storage = this.ctx.storage) {
+		return await storage.get(ACTIVE_PREVIEW_PORTS_STORAGE_KEY) ?? {};
+	}
+	async writeActivePreviewPorts(activations, storage = this.ctx.storage) {
+		if (Object.keys(activations).length === 0) {
+			await storage.delete(ACTIVE_PREVIEW_PORTS_STORAGE_KEY);
+			return;
+		}
+		await storage.put(ACTIVE_PREVIEW_PORTS_STORAGE_KEY, activations);
+	}
+	async readPreviewState(storage = this.ctx.storage) {
+		const [tokens, activations] = await Promise.all([this.readPortTokens(storage), this.readActivePreviewPorts(storage)]);
+		return {
+			tokens,
+			activations
+		};
+	}
+	async clearActivePreviewPorts() {
+		await this.ctx.storage.delete(ACTIVE_PREVIEW_PORTS_STORAGE_KEY);
+	}
 	/**
 	* Check if the container version matches the SDK version
 	* Logs a warning if there's a mismatch
@@ -6054,11 +7224,25 @@ var Sandbox = class Sandbox extends Container {
 		this.containerGeneration++;
 		this.defaultSession = null;
 		this.defaultSessionInit = null;
+		await this.currentRuntime.clear();
+		await this.clearActivePreviewPorts();
+		try {
+			await pruneTunnelsForRestart(this.ctx.storage);
+		} catch (error) {
+			this.logger.error("Failed to reconcile tunnel storage after container stop", error instanceof Error ? error : new Error(String(error)));
+		}
 		this.client.disconnect();
 		let hadR2EgressMount = false;
+		let hadCredentialProxyMount = false;
 		for (const [, m] of this.activeMounts) if (m.mountType === "local-sync") await m.syncManager.stop().catch(() => {});
 		else if (m.mountType === "r2-egress") hadR2EgressMount = true;
+		else if (m.mountType === "fuse" && m.credentialProxy) {
+			hadCredentialProxyMount = true;
+			evictSigV4ClientCacheEntry(m.mountId);
+			evictDirectoryMarkerCacheForMount(m.mountId);
+		}
 		if (hadR2EgressMount) await this.configureR2EgressOutbound({ buckets: {} }).catch(() => {});
+		if (hadCredentialProxyMount) await this.configureS3CredentialProxyOutbound({ mounts: {} }).catch(() => {});
 		this.activeMounts.clear();
 		await this.ctx.storage.delete("defaultSession");
 	}
@@ -6275,6 +7459,99 @@ var Sandbox = class Sandbox extends Container {
 			await super.onActivityExpired();
 		}
 	}
+	isPreviewProxyRequest(request) {
+		return request.headers.get(PREVIEW_PROXY_HEADER) === "1";
+	}
+	invalidPreviewTokenResponse() {
+		return new Response(JSON.stringify({
+			error: "Access denied: Invalid token or port not exposed",
+			code: "INVALID_TOKEN"
+		}), {
+			status: 404,
+			headers: { "Content-Type": "application/json" }
+		});
+	}
+	stalePreviewURLResponse() {
+		return new Response(JSON.stringify({
+			error: "Preview URL is stale because the sandbox runtime is not active",
+			code: "STALE_PREVIEW_URL"
+		}), {
+			status: 410,
+			headers: { "Content-Type": "application/json" }
+		});
+	}
+	getPreviewForwardingContainer() {
+		return this.ctx.container;
+	}
+	beginPreviewForward() {
+		const lifecycle = this;
+		lifecycle.inflightRequests = (lifecycle.inflightRequests ?? 0) + 1;
+		this.renewActivityTimeout();
+		let settled = false;
+		return () => {
+			if (settled) return;
+			settled = true;
+			lifecycle.inflightRequests = Math.max(0, (lifecycle.inflightRequests ?? 0) - 1);
+			if (lifecycle.inflightRequests === 0) this.renewActivityTimeout();
+		};
+	}
+	async fetchPreviewIfRunning(request, port, runtime) {
+		const container = this.getPreviewForwardingContainer();
+		const state = await this.getState();
+		if (!container?.running || state.status !== "healthy") return this.stalePreviewURLResponse();
+		if (!await this.currentRuntime.isActive(runtime)) return this.stalePreviewURLResponse();
+		const result = await forwardPreviewRequest(container.getTcpPort(port), request, {
+			beginForward: () => this.beginPreviewForward(),
+			renewActivity: () => this.renewActivityTimeout()
+		});
+		if (result.status === "network-lost") {
+			if (!await this.currentRuntime.isActive(runtime)) return this.stalePreviewURLResponse();
+			return new Response("Container suddenly disconnected, try again", { status: 500 });
+		}
+		return result.response;
+	}
+	buildPreviewProxyRequest(request, port, sandboxId) {
+		const url = new URL(request.url);
+		const proxyUrl = `http://localhost:${port}${url.pathname}${url.search}`;
+		const headers = new Headers(request.headers);
+		for (const header of PREVIEW_PROXY_HEADERS) headers.delete(header);
+		headers.set("X-Original-URL", request.url);
+		headers.set("X-Forwarded-Host", url.hostname);
+		headers.set("X-Forwarded-Proto", url.protocol.replace(":", ""));
+		headers.set("X-Sandbox-Name", this.sandboxName ?? sandboxId);
+		if (request.headers.get("Upgrade")?.toLowerCase() === "websocket") return new Request(request, {
+			headers,
+			redirect: "manual"
+		});
+		return new Request(proxyUrl, {
+			method: request.method,
+			headers,
+			body: request.body,
+			duplex: "half",
+			redirect: "manual"
+		});
+	}
+	async proxyPreviewRequest(request) {
+		const portValue = request.headers.get(PREVIEW_PROXY_PORT_HEADER);
+		const token = request.headers.get(PREVIEW_PROXY_TOKEN_HEADER);
+		const sandboxId = request.headers.get(PREVIEW_PROXY_SANDBOX_ID_HEADER);
+		const port = portValue === null ? NaN : Number.parseInt(portValue, 10);
+		if (!Number.isFinite(port) || !validatePort(port) || !token || !sandboxId) return this.invalidPreviewTokenResponse();
+		const proxyRequest = this.buildPreviewProxyRequest(request, port, sandboxId);
+		const validation = await this.validatePreviewURLForRuntime(port, token);
+		if (validation.status === "invalid") return this.invalidPreviewTokenResponse();
+		if (validation.status === "stale") {
+			this.logger.warn("Stale preview URL blocked", {
+				port,
+				sandboxId,
+				containerStatus: validation.containerStatus,
+				reason: validation.reason,
+				method: request.method
+			});
+			return this.stalePreviewURLResponse();
+		}
+		return await this.fetchPreviewIfRunning(proxyRequest, port, validation.runtime);
+	}
 	async fetch(request) {
 		const traceId = TraceContext.fromHeaders(request.headers) || TraceContext.generate();
 		const requestLogger = this.logger.child({
@@ -6282,6 +7559,7 @@ var Sandbox = class Sandbox extends Container {
 			operation: "fetch"
 		});
 		const url = new URL(request.url);
+		if (this.isPreviewProxyRequest(request)) return await this.proxyPreviewRequest(request);
 		if (!this.sandboxName && request.headers.has("X-Sandbox-Name")) {
 			const name = request.headers.get("X-Sandbox-Name");
 			this.sandboxName = name;
@@ -7002,40 +8280,6 @@ var Sandbox = class Sandbox extends Container {
 		return this.client.files.exists(path$1, session);
 	}
 	/**
-	* Get the noVNC preview URL for browser-based desktop viewing.
-	* Confirms desktop is active, then uses exposePort() to generate
-	* a token-authenticated preview URL for the noVNC port (6080).
-	*
-	* @param hostname - The custom domain hostname for preview URLs
-	*   (e.g., 'preview.example.com'). Required because preview URLs
-	*   use subdomain patterns that .workers.dev doesn't support.
-	* @param options - Optional settings
-	* @param options.token - Reuse an existing token instead of generating a new one
-	* @returns The authenticated noVNC preview URL
-	*/
-	async getDesktopStreamUrl(hostname, options) {
-		if ((await this.client.desktop.status()).status === "inactive") throw new Error("Desktop is not running. Call sandbox.desktop.start() first.");
-		let url;
-		try {
-			url = (await this.exposePort(6080, {
-				hostname,
-				token: options?.token
-			})).url;
-		} catch {
-			const existingEntry = (await this.readPortTokens())["6080"];
-			if (existingEntry && this.sandboxName) url = this.constructPreviewUrl(6080, this.sandboxName, hostname, existingEntry.token);
-			else throw new Error("Failed to get desktop stream URL: port 6080 could not be exposed and no existing token found.");
-		}
-		try {
-			await this.waitForPort({
-				portToCheck: 6080,
-				retries: 30,
-				waitInterval: 500
-			});
-		} catch {}
-		return { url };
-	}
-	/**
 	* Watch a directory for file system changes using native inotify.
 	*
 	* The returned promise resolves only after the watcher is established on the
@@ -7084,11 +8328,10 @@ var Sandbox = class Sandbox extends Container {
 	/**
 	* Expose a port and get a preview URL for accessing services running in the sandbox
 	*
-	* Preview URLs survive transient container restarts: the token and any
-	* friendly name are persisted in Durable Object storage, and the port is
-	* automatically re-exposed on the container when it comes back up. Tokens
-	* are cleared only on explicit `unexposePort()` or full sandbox
-	* `destroy()`.
+	* Preview URL authorization survives transient container restarts, but
+	* forwarding is active only for the runtime where `exposePort()` was last
+	* called. Call `exposePort()` again after a restart to reactivate an
+	* existing URL for the current runtime.
 	*
 	* @param port - Port number to expose (1024-65535)
 	* @param options - Configuration options
@@ -7125,27 +8368,33 @@ var Sandbox = class Sandbox extends Container {
 				timestamp: (/* @__PURE__ */ new Date()).toISOString()
 			});
 			if (!this.sandboxName) throw new Error("Sandbox name not available. Ensure sandbox is accessed through getSandbox()");
-			let token;
-			if (options.token !== void 0) {
-				this.validateCustomToken(options.token);
-				token = options.token;
-			} else token = this.generatePortToken();
-			const tokens = await this.readPortTokens();
-			const existingPort = Object.entries(tokens).find(([p, entry]) => entry.token === token && p !== port.toString());
-			if (existingPort) throw new SandboxSecurityError(`Token '${token}' is already in use by port ${existingPort[0]}. Please use a different token.`);
-			const sessionId = this.serializeExecutionContext(await this.resolveExecution());
-			await this.client.ports.exposePort(port, sessionId, options?.name);
-			tokens[port.toString()] = {
-				token,
-				name: options?.name
-			};
-			await this.ctx.storage.put("portTokens", tokens);
+			if (options.token !== void 0) this.validateCustomToken(options.token);
+			await this.ensureDefaultSession();
+			let runtime = await this.currentRuntime.get();
+			runtime = runtime ?? await this.currentRuntime.markStarted();
+			await this.currentRuntime.assertActive(runtime);
+			const token = await this.ctx.storage.transaction(async (txn) => {
+				const tokens = await this.readPortTokens(txn);
+				const existingEntry = tokens[port.toString()];
+				const nextToken = options.token ?? existingEntry?.token ?? this.generatePortToken();
+				const existingPort = Object.entries(tokens).find(([p, entry]) => entry.token === nextToken && p !== port.toString());
+				if (existingPort) throw new SandboxSecurityError(`Token '${nextToken}' is already in use by port ${existingPort[0]}. Please use a different token.`);
+				const activations = await this.readActivePreviewPorts(txn);
+				tokens[port.toString()] = {
+					token: nextToken,
+					name: options.name
+				};
+				activations[port.toString()] = runtime.scope({ token: nextToken });
+				await Promise.all([txn.put(PORT_TOKENS_STORAGE_KEY, tokens), this.writeActivePreviewPorts(activations, txn)]);
+				return nextToken;
+			});
+			await this.currentRuntime.assertActive(runtime);
 			const url = this.constructPreviewUrl(port, this.sandboxName, options.hostname, token);
 			outcome = "success";
 			return {
 				url,
 				port,
-				name: options?.name
+				name: options.name
 			};
 		} catch (error) {
 			caughtError = error instanceof Error ? error : new Error(String(error));
@@ -7156,29 +8405,37 @@ var Sandbox = class Sandbox extends Container {
 				outcome,
 				port,
 				durationMs: Date.now() - exposeStartTime,
-				name: options?.name,
+				name: options.name,
 				hostname: options.hostname,
 				error: caughtError
 			});
 		}
 	}
+	/**
+	* Revoke preview URL authorization and current-runtime activation for a port.
+	*
+	* Revocation is idempotent: calling this for a port with no preview state is
+	* still successful. The operation clears Durable Object-owned preview state
+	* only and does not contact, probe, wake, or clean up the container runtime.
+	*/
 	async unexposePort(port) {
 		const unexposeStartTime = Date.now();
 		let outcome = "error";
 		let caughtError;
 		try {
 			if (!validatePort(port)) throw new SandboxSecurityError(`Invalid port number: ${port}. Must be 1024-65535, excluding 3000 (sandbox control plane).`);
-			const tokens = await this.readPortTokens();
-			if (tokens[port.toString()]) {
-				delete tokens[port.toString()];
-				await this.ctx.storage.put("portTokens", tokens);
-			}
-			const sessionId = this.serializeExecutionContext(await this.resolveExecution());
-			try {
-				await this.client.ports.unexposePort(port, sessionId);
-			} catch (error) {
-				if (!(error instanceof PortNotExposedError)) throw error;
-			}
+			await this.ctx.storage.transaction(async (txn) => {
+				const tokens = await this.readPortTokens(txn);
+				if (tokens[port.toString()]) {
+					delete tokens[port.toString()];
+					await txn.put(PORT_TOKENS_STORAGE_KEY, tokens);
+				}
+				const activations = await this.readActivePreviewPorts(txn);
+				if (activations[port.toString()]) {
+					delete activations[port.toString()];
+					await this.writeActivePreviewPorts(activations, txn);
+				}
+			});
 			outcome = "success";
 		} catch (error) {
 			caughtError = error instanceof Error ? error : new Error(String(error));
@@ -7193,23 +8450,17 @@ var Sandbox = class Sandbox extends Container {
 			});
 		}
 	}
+	/**
+	* Returns preview URLs that are currently forwardable in the active runtime.
+	* Durable authorization without current-runtime activation is omitted.
+	*/
 	async getExposedPorts(hostname) {
-		const sessionId = this.serializeExecutionContext(await this.resolveExecution());
-		const response = await this.client.ports.getExposedPorts(sessionId);
 		if (!this.sandboxName) throw new Error("Sandbox name not available. Ensure sandbox is accessed through getSandbox()");
-		const tokens = await this.readPortTokens();
-		return response.ports.flatMap((port) => {
-			const entry = tokens[port.port.toString()];
-			if (!entry) {
-				this.logger.warn("Port exposed on container but no token in storage; omitting from preview URL list", { port: port.port });
-				return [];
-			}
-			return [{
-				url: this.constructPreviewUrl(port.port, this.sandboxName, hostname, entry.token),
-				port: port.port,
-				status: port.status
-			}];
-		});
+		return (await this.getCurrentPreviewPorts()).map(({ port, entry }) => ({
+			url: this.constructPreviewUrl(port, this.sandboxName, hostname, entry.token),
+			port,
+			status: "active"
+		}));
 	}
 	/**
 	* Namespaced tunnel API. Quick tunnels are zero-config preview URLs
@@ -7245,26 +8496,172 @@ var Sandbox = class Sandbox extends Container {
 		const built = createTunnelsHandler({
 			client: this.client,
 			storage: this.ctx.storage,
-			logger: this.logger
+			logger: this.logger,
+			sandboxId: this.ctx.id.toString(),
+			getNamedTunnelConfig: async () => {
+				const envObj = this.env;
+				const token = getEnvString(envObj, "CLOUDFLARE_API_TOKEN");
+				if (!token) throw new Error("Named tunnels require CLOUDFLARE_API_TOKEN. Set it as a secret in your wrangler.jsonc.");
+				const accountId = await this.getTunnelAccountId();
+				return {
+					token,
+					accountId,
+					zoneId: await this.getTunnelZoneId(token, accountId)
+				};
+			}
 		});
 		this.tunnelsHandler = built.tunnels;
 		this.tunnelExitHandler = built.handleTunnelExit;
+		this.destroyAllTunnels = built.destroyAll;
 	}
-	async isPortExposed(port) {
-		try {
-			const sessionId = this.serializeExecutionContext(await this.resolveExecution());
-			return (await this.client.ports.getExposedPorts(sessionId)).ports.some((exposedPort) => exposedPort.port === port);
-		} catch (error) {
-			this.logger.error("Error checking if port is exposed", error instanceof Error ? error : new Error(String(error)), { port });
-			return false;
+	/**
+	* Resolve the Cloudflare account id used for named-tunnel provisioning.
+	*
+	* Memoised for the lifetime of this DO instance. The first call may hit
+	* `GET /user/tokens/verify` to derive the account id from the configured
+	* `CLOUDFLARE_API_TOKEN`; subsequent calls return the cached promise.
+	*
+	* Only successful resolutions are cached: a rejected lookup clears the
+	* slot so the next caller retries. Otherwise a transient failure on
+	* first use would permanently poison every later named-tunnel `get()`
+	* on this DO instance.
+	*/
+	getTunnelAccountId() {
+		if (!this.tunnelAccountIdPromise) {
+			const pending = resolveAccountId(this.env, { overrideKey: "CLOUDFLARE_TUNNEL_ACCOUNT_ID" });
+			this.tunnelAccountIdPromise = pending;
+			pending.catch(() => {
+				if (this.tunnelAccountIdPromise === pending) this.tunnelAccountIdPromise = null;
+			});
+		}
+		return this.tunnelAccountIdPromise;
+	}
+	/**
+	* Resolve the Cloudflare zone id used for named-tunnel provisioning.
+	*
+	* Memoised for the lifetime of this DO instance. Falls back to the
+	* single zone the token can see under `accountId` via `GET /zones`
+	* when `CLOUDFLARE_ZONE_ID` is not set. Failed lookups clear the cache
+	* so the next caller retries — see `getTunnelAccountId` for the
+	* rationale.
+	*/
+	getTunnelZoneId(token, accountId) {
+		if (!this.tunnelZoneIdPromise) {
+			const pending = resolveZoneId(this.env, {
+				token,
+				accountId
+			});
+			this.tunnelZoneIdPromise = pending;
+			pending.catch(() => {
+				if (this.tunnelZoneIdPromise === pending) this.tunnelZoneIdPromise = null;
+			});
 		}
+		return this.tunnelZoneIdPromise;
 	}
+	/**
+	* Returns whether a port is currently preview-forwardable.
+	* This checks Durable Object-owned auth and runtime activation without
+	* contacting or waking the container.
+	*/
+	async isPortExposed(port) {
+		if (!validatePort(port)) return false;
+		return (await this.getCurrentPreviewPorts()).some((activePort) => activePort.port === port);
+	}
+	/**
+	* Checks durable preview URL authorization for a port/token pair.
+	*
+	* This does not check whether the port is activated for the current runtime
+	* and is not sufficient to decide whether preview traffic may forward.
+	*/
 	async validatePortToken(port, token) {
 		const entry = (await this.readPortTokens())[port.toString()];
 		if (!entry) return false;
+		return this.previewTokensMatch(entry.token, token);
+	}
+	async validatePreviewURLForRuntime(port, token) {
+		const containerState = await this.getState();
+		const containerRunning = this.ctx.container?.running === true;
+		const { tokens, activations, runtime } = await this.ctx.storage.transaction(async (txn) => {
+			const [previewState, runtime$1] = await Promise.all([this.readPreviewState(txn), this.currentRuntime.getStored(txn)]);
+			return {
+				...previewState,
+				runtime: runtime$1
+			};
+		});
+		const entry = tokens[port.toString()];
+		if (!entry) return { status: "invalid" };
+		if (!this.previewTokensMatch(entry.token, token)) return { status: "invalid" };
+		if (containerState.status !== "healthy") return {
+			status: "stale",
+			reason: "runtime-not-healthy",
+			containerStatus: containerState.status
+		};
+		if (!containerRunning) return {
+			status: "stale",
+			reason: "runtime-not-running",
+			containerStatus: containerState.status
+		};
+		if (!runtime) return {
+			status: "stale",
+			reason: "missing-runtime-id",
+			containerStatus: containerState.status
+		};
+		const activation = activations[port.toString()];
+		if (!activation) return {
+			status: "stale",
+			reason: "missing-activation",
+			containerStatus: containerState.status
+		};
+		if (!runtime.owns(activation)) return {
+			status: "stale",
+			reason: "runtime-mismatch",
+			containerStatus: containerState.status
+		};
+		if (!this.previewTokensMatch(activation.token, token)) {
+			this.logger.warn("Preview URL activation token mismatch", {
+				port,
+				runtimeIdentityID: runtime.id
+			});
+			return {
+				status: "stale",
+				reason: "token-mismatch",
+				containerStatus: containerState.status
+			};
+		}
+		return {
+			status: "active",
+			runtime
+		};
+	}
+	async getCurrentPreviewPorts() {
+		const containerState = await this.getState();
+		const containerRunning = this.ctx.container?.running === true;
+		const { tokens, activations, runtime } = await this.ctx.storage.transaction(async (txn) => {
+			const [previewState, runtime$1] = await Promise.all([this.readPreviewState(txn), this.currentRuntime.getStored(txn)]);
+			return {
+				...previewState,
+				runtime: runtime$1
+			};
+		});
+		if (containerState.status !== "healthy" || !containerRunning || !runtime) return [];
+		const activePorts = [];
+		for (const [portKey, activation] of Object.entries(activations)) {
+			const port = Number.parseInt(portKey, 10);
+			const entry = tokens[portKey];
+			if (!entry || !Number.isInteger(port) || !validatePort(port)) continue;
+			if (!runtime.owns(activation)) continue;
+			if (!this.previewTokensMatch(entry.token, activation.token)) continue;
+			activePorts.push({
+				port,
+				entry
+			});
+		}
+		return activePorts.sort((a, b) => a.port - b.port);
+	}
+	previewTokensMatch(expected, actual) {
 		const encoder = new TextEncoder();
-		const a = encoder.encode(entry.token);
-		const b = encoder.encode(token);
+		const a = encoder.encode(expected);
+		const b = encoder.encode(actual);
 		try {
 			return crypto.subtle.timingSafeEqual(a, b);
 		} catch {
@@ -7596,10 +8993,10 @@ var Sandbox = class Sandbox extends Container {
 	* Returns validated presigned URL configuration or throws if not configured.
 	* All credential fields plus the R2 binding are required for backup to work.
 	*/
-	requirePresignedUrlSupport() {
+	requirePresignedURLSupport() {
 		if (!this.r2Client || !this.r2AccountId || !this.backupBucketName) {
 			const missing = [];
-			if (!this.r2AccountId) missing.push("CLOUDFLARE_ACCOUNT_ID");
+			if (!this.r2AccountId) missing.push("CLOUDFLARE_R2_ACCOUNT_ID or CLOUDFLARE_ACCOUNT_ID");
 			if (!this.r2AccessKeyId) missing.push("R2_ACCESS_KEY_ID");
 			if (!this.r2SecretAccessKey) missing.push("R2_SECRET_ACCESS_KEY");
 			if (!this.backupBucketName) missing.push("BACKUP_BUCKET_NAME");
@@ -7617,15 +9014,21 @@ var Sandbox = class Sandbox extends Container {
 			bucketName: this.backupBucketName
 		};
 	}
+	getBackupBucketEndpoint(accountId) {
+		return this.backupBucketEndpoint ?? `https://${accountId}.r2.cloudflarestorage.com`;
+	}
+	getBackupObjectURL(accountId, bucketName, r2Key) {
+		const encodedBucket = encodeURIComponent(bucketName);
+		const encodedKey = r2Key.split("/").map((seg) => encodeURIComponent(seg)).join("/");
+		return new URL(`${this.getBackupBucketEndpoint(accountId)}/${encodedBucket}/${encodedKey}`);
+	}
 	/**
 	* Generate a presigned GET URL for downloading an object from R2.
 	* The container can curl this URL directly without credentials.
 	*/
-	async generatePresignedGetUrl(r2Key) {
-		const { client, accountId, bucketName } = this.requirePresignedUrlSupport();
-		const encodedBucket = encodeURIComponent(bucketName);
-		const encodedKey = r2Key.split("/").map((seg) => encodeURIComponent(seg)).join("/");
-		const url = new URL(`https://${accountId}.r2.cloudflarestorage.com/${encodedBucket}/${encodedKey}`);
+	async generatePresignedGetURL(r2Key) {
+		const { client, accountId, bucketName } = this.requirePresignedURLSupport();
+		const url = this.getBackupObjectURL(accountId, bucketName, r2Key);
 		url.searchParams.set("X-Amz-Expires", String(Sandbox.PRESIGNED_URL_EXPIRY_SECONDS));
 		return (await client.sign(new Request(url), { aws: { signQuery: true } })).url;
 	}
@@ -7633,11 +9036,9 @@ var Sandbox = class Sandbox extends Container {
 	* Generate a presigned PUT URL for uploading an object to R2.
 	* The container can curl PUT to this URL directly without credentials.
 	*/
-	async generatePresignedPutUrl(r2Key) {
-		const { client, accountId, bucketName } = this.requirePresignedUrlSupport();
-		const encodedBucket = encodeURIComponent(bucketName);
-		const encodedKey = r2Key.split("/").map((seg) => encodeURIComponent(seg)).join("/");
-		const url = new URL(`https://${accountId}.r2.cloudflarestorage.com/${encodedBucket}/${encodedKey}`);
+	async generatePresignedPutURL(r2Key) {
+		const { client, accountId, bucketName } = this.requirePresignedURLSupport();
+		const url = this.getBackupObjectURL(accountId, bucketName, r2Key);
 		url.searchParams.set("X-Amz-Expires", String(Sandbox.PRESIGNED_URL_EXPIRY_SECONDS));
 		return (await client.sign(new Request(url, { method: "PUT" }), { aws: { signQuery: true } })).url;
 	}
@@ -7647,7 +9048,7 @@ var Sandbox = class Sandbox extends Container {
 	* ~24 MB/s throughput vs ~0.6 MB/s for base64 readFile.
 	*/
 	async uploadBackupPresigned(archivePath, r2Key, archiveSize, backupId, dir, backupSession) {
-		const presignedUrl = await this.generatePresignedPutUrl(r2Key);
+		const presignedURL = await this.generatePresignedPutURL(r2Key);
 		const curlCmd = [
 			"curl -sSf",
 			"-X PUT",
@@ -7657,7 +9058,7 @@ var Sandbox = class Sandbox extends Container {
 			"--retry 2",
 			"--retry-max-time 60",
 			`-T ${shellEscape(archivePath)}`,
-			shellEscape(presignedUrl)
+			shellEscape(presignedURL)
 		].join(" ");
 		const result = await this.execWithSession(curlCmd, backupSession, {
 			timeout: 181e4,
@@ -7691,11 +9092,9 @@ var Sandbox = class Sandbox extends Container {
 	/**
 	* Generate a presigned PUT URL for a single part in a multipart upload.
 	*/
-	async generatePresignedPartUrl(r2Key, uploadId, partNumber) {
-		const { client, accountId, bucketName } = this.requirePresignedUrlSupport();
-		const encodedBucket = encodeURIComponent(bucketName);
-		const encodedKey = r2Key.split("/").map((seg) => encodeURIComponent(seg)).join("/");
-		const url = new URL(`https://${accountId}.r2.cloudflarestorage.com/${encodedBucket}/${encodedKey}`);
+	async generatePresignedPartURL(r2Key, uploadId, partNumber) {
+		const { client, accountId, bucketName } = this.requirePresignedURLSupport();
+		const url = this.getBackupObjectURL(accountId, bucketName, r2Key);
 		url.searchParams.set("X-Amz-Expires", String(Sandbox.PRESIGNED_URL_EXPIRY_SECONDS));
 		url.searchParams.set("partNumber", String(partNumber));
 		url.searchParams.set("uploadId", uploadId);
@@ -7710,9 +9109,9 @@ var Sandbox = class Sandbox extends Container {
 		const targetParts = calculatePartCount(sizeBytes, BACKUP_MULTIPART_TARGET_PARTS, BACKUP_MULTIPART_MAX_PARTS);
 		const numParts = Math.min(targetParts, Math.floor(sizeBytes / BACKUP_MULTIPART_MIN_PART_SIZE));
 		if (numParts <= 1) return this.uploadBackupPresigned(archivePath, r2Key, sizeBytes, backupId, dir, backupSession);
-		const { client, accountId, bucketName } = this.requirePresignedUrlSupport();
-		const objectUrl = `https://${accountId}.r2.cloudflarestorage.com/${encodeURIComponent(bucketName)}/${r2Key.split("/").map((seg) => encodeURIComponent(seg)).join("/")}`;
-		const createResp = await client.fetch(`${objectUrl}?uploads`, { method: "POST" });
+		const { client, accountId, bucketName } = this.requirePresignedURLSupport();
+		const objectURL = this.getBackupObjectURL(accountId, bucketName, r2Key).toString();
+		const createResp = await client.fetch(`${objectURL}?uploads`, { method: "POST" });
 		if (!createResp.ok) throw new BackupCreateError({
 			message: `Failed to initiate multipart upload: HTTP ${createResp.status}`,
 			code: ErrorCode.BACKUP_CREATE_FAILED,
@@ -7735,7 +9134,7 @@ var Sandbox = class Sandbox extends Container {
 			timestamp: (/* @__PURE__ */ new Date()).toISOString()
 		});
 		const abortMultipart = async () => {
-			await client.fetch(`${objectUrl}?uploadId=${encodeURIComponent(uploadId)}`, { method: "DELETE" }).catch(() => {});
+			await client.fetch(`${objectURL}?uploadId=${encodeURIComponent(uploadId)}`, { method: "DELETE" }).catch(() => {});
 		};
 		try {
 			const partSize = Math.ceil(sizeBytes / numParts);
@@ -7746,7 +9145,7 @@ var Sandbox = class Sandbox extends Container {
 				size: i === numParts - 1 ? sizeBytes - i * partSize : partSize
 			})).map(async (part) => ({
 				...part,
-				url: await this.generatePresignedPartUrl(r2Key, uploadId, part.partNumber)
+				url: await this.generatePresignedPartURL(r2Key, uploadId, part.partNumber)
 			})));
 			let uploadResult;
 			try {
@@ -7777,7 +9176,7 @@ var Sandbox = class Sandbox extends Container {
 				...uploadResult.parts.map((p) => `<Part><PartNumber>${p.partNumber}</PartNumber><ETag>${p.etag}</ETag></Part>`),
 				"</CompleteMultipartUpload>"
 			].join("");
-			const completeResp = await client.fetch(`${objectUrl}?uploadId=${encodeURIComponent(uploadId)}`, {
+			const completeResp = await client.fetch(`${objectURL}?uploadId=${encodeURIComponent(uploadId)}`, {
 				method: "POST",
 				headers: { "Content-Type": "application/xml" },
 				body: completeXml
@@ -7819,7 +9218,7 @@ var Sandbox = class Sandbox extends Container {
 	* with dd using byte offsets, then atomically moved to the final path.
 	*/
 	async downloadBackupParallel(archivePath, r2Key, expectedSize, backupId, dir, backupSession) {
-		const presignedUrl = await this.generatePresignedGetUrl(r2Key);
+		const presignedURL = await this.generatePresignedGetURL(r2Key);
 		await this.execWithSession(`mkdir -p ${BACKUP_CONTAINER_DIR}`, backupSession, { origin: "internal" });
 		const tmpPath = `${archivePath}.tmp`;
 		if (expectedSize < BACKUP_DOWNLOAD_PARALLEL_MIN_SIZE) {
@@ -7830,7 +9229,7 @@ var Sandbox = class Sandbox extends Container {
 				"--retry 2",
 				"--retry-max-time 60",
 				`-o ${shellEscape(tmpPath)}`,
-				shellEscape(presignedUrl)
+				shellEscape(presignedURL)
 			].join(" ");
 			const result = await this.execWithSession(curlCmd, backupSession, {
 				timeout: 181e4,
@@ -7863,7 +9262,7 @@ var Sandbox = class Sandbox extends Container {
 				"--connect-timeout 10",
 				"--max-time 1800",
 				`-H ${shellEscape(`Range: bytes=${range}`)}`,
-				shellEscape(presignedUrl),
+				shellEscape(presignedURL),
 				"|",
 				"dd",
 				`of=${shellEscape(tmpPath)}`,
@@ -7936,10 +9335,13 @@ var Sandbox = class Sandbox extends Container {
 	* create-archive → read → upload (or mount → extract) flow
 	* is not interleaved with another backup operation on the same directory.
 	*/
-	enqueueBackupOp(fn) {
-		const next = this.backupInProgress.then(fn, () => fn());
+	async enqueueBackupOp(fn) {
+		try {
+			await this.backupInProgress;
+		} catch {}
+		const next = fn();
 		this.backupInProgress = next.catch(() => {});
-		return next;
+		return await next;
 	}
 	/**
 	* Create a backup of a directory and upload it to R2.
@@ -7963,13 +9365,13 @@ var Sandbox = class Sandbox extends Container {
 	* under the `backups/` prefix after the desired retention period.
 	*/
 	async createBackup(options) {
-		if (options.localBucket) return this.enqueueBackupOp(() => this.doCreateBackupLocal(options));
+		if (options.localBucket) return await this.enqueueBackupOp(() => this.doCreateBackupLocal(options));
 		this.requireBackupBucket();
-		return this.enqueueBackupOp(() => this.doCreateBackup(options));
+		return await this.enqueueBackupOp(() => this.doCreateBackup(options));
 	}
 	async doCreateBackup(options) {
 		const bucket = this.requireBackupBucket();
-		this.requirePresignedUrlSupport();
+		this.requirePresignedURLSupport();
 		const { dir, name, ttl = BACKUP_DEFAULT_TTL_SECONDS, gitignore = false, excludes = [], compression, multipart = true } = options;
 		const backupStartTime = Date.now();
 		let backupId;
@@ -8262,14 +9664,14 @@ var Sandbox = class Sandbox extends Container {
 	* Concurrent backup/restore calls on the same sandbox are serialized.
 	*/
 	async restoreBackup(backup) {
-		if (backup.localBucket) return this.enqueueBackupOp(() => this.doRestoreBackupLocal(backup));
+		if (backup.localBucket) return await this.enqueueBackupOp(() => this.doRestoreBackupLocal(backup));
 		this.requireBackupBucket();
-		return this.enqueueBackupOp(() => this.doRestoreBackup(backup));
+		return await this.enqueueBackupOp(() => this.doRestoreBackup(backup));
 	}
 	async doRestoreBackup(backup) {
 		const restoreStartTime = Date.now();
 		const bucket = this.requireBackupBucket();
-		this.requirePresignedUrlSupport();
+		this.requirePresignedURLSupport();
 		const { id, dir } = backup;
 		let outcome = "error";
 		let caughtError;
@@ -8524,10 +9926,18 @@ var Sandbox = class Sandbox extends Container {
 		const ctx = this.ctx;
 		if (!ctx.container?.interceptOutboundHttp) throw new InvalidMountConfigError("R2 binding mounts require container outbound interception support");
 		if (!ctx.exports?.ContainerProxy) throw new InvalidMountConfigError("R2 binding mounts require exporting ContainerProxy from the Worker entrypoint");
+		this.constructor.outboundHandlers = { r2EgressMount: r2EgressHandler };
+		if (Object.keys(params.buckets).length > 0) await this.setOutboundByHost("r2.internal", "r2EgressMount", params);
+		else await this.removeOutboundByHost("r2.internal");
+		this.logger.debug("r2 egress: registering host interception", {
+			host: "r2.internal",
+			method: "r2EgressMount",
+			targetClassName: CONTAINER_PROXY_CLASS_NAME
+		});
 		const fetcher = ctx.exports.ContainerProxy({ props: {
 			enableInternet: this.enableInternet,
 			containerId: this.ctx.id.toString(),
-			className: R2_EGRESS_PROXY_TARGET_CLASS_NAME,
+			className: CONTAINER_PROXY_CLASS_NAME,
 			outboundByHostOverrides: { "r2.internal": {
 				method: "r2EgressMount",
 				params
@@ -8536,8 +9946,42 @@ var Sandbox = class Sandbox extends Container {
 		if (!isFetcher(fetcher)) throw new InvalidMountConfigError("R2 binding mounts require ContainerProxy to return a valid Fetcher");
 		await ctx.container.interceptOutboundHttp("r2.internal", fetcher);
 	}
+	async configureS3CredentialProxyOutbound(params) {
+		const ctx = this.ctx;
+		if (!ctx.container?.interceptOutboundHttp) throw new InvalidMountConfigError("Credential proxy bucket mounts require container outbound interception support");
+		if (!ctx.exports?.ContainerProxy) throw new InvalidMountConfigError("Credential proxy bucket mounts require exporting ContainerProxy from the Worker entrypoint");
+		const hosts = [S3_CREDENTIAL_PROXY_HOST, S3_CREDENTIAL_PROXY_DIAGNOSTIC_HOST];
+		this.constructor.outboundHandlers = { s3CredentialProxyMount: s3CredentialProxyHandler };
+		if (Object.keys(params.mounts).length > 0) for (const host of hosts) await this.setOutboundByHost(host, "s3CredentialProxyMount", params);
+		else for (const host of hosts) await this.removeOutboundByHost(host);
+		const hostOverrides = {};
+		for (const host of hosts) hostOverrides[host] = {
+			method: "s3CredentialProxyMount",
+			params
+		};
+		this.logger.debug("s3 credential proxy: registering host interception", {
+			hosts,
+			method: "s3CredentialProxyMount",
+			targetClassName: CONTAINER_PROXY_CLASS_NAME
+		});
+		const fetcher = ctx.exports.ContainerProxy({ props: {
+			enableInternet: this.enableInternet,
+			containerId: this.ctx.id.toString(),
+			className: CONTAINER_PROXY_CLASS_NAME,
+			outboundByHostOverrides: hostOverrides
+		} });
+		if (!isFetcher(fetcher)) throw new InvalidMountConfigError("Credential proxy bucket mounts require ContainerProxy to return a valid Fetcher");
+		try {
+			const selfTest = await fetcher.fetch(new Request(`http://${S3_CREDENTIAL_PROXY_HOST}${SELF_TEST_PATH}`));
+			await selfTest.text();
+			this.logger.debug("s3 credential proxy: fetcher self-test complete", { status: selfTest.status });
+		} catch (error) {
+			this.logger.warn("s3 credential proxy: fetcher self-test failed", { error: error instanceof Error ? error.message : String(error) });
+		}
+		for (const host of hosts) await ctx.container.interceptOutboundHttp(host, fetcher);
+	}
 };
 
 //#endregion
-export { DesktopInvalidOptionsError as A, CommandClient as C, BackupNotFoundError as D, BackupExpiredError as E, InvalidBackupConfigError as F, ProcessExitedBeforeReadyError as I, ProcessReadyTimeoutError as L, DesktopProcessCrashedError as M, DesktopStartFailedError as N, BackupRestoreError as O, DesktopUnavailableError as P, RPCTransportError as R, DesktopClient as S, BackupCreateError as T, UtilityClient as _, BucketMountError as a, GitClient as b, MissingCredentialsError as c, parseSSEStream as d, responseToAsyncIterable as f, SandboxClient as g, streamFile as h, proxyTerminal as i, DesktopNotStartedError as j, DesktopInvalidCoordinatesError as k, S3FSMountError as l, collectFile as m, getSandbox as n, BucketUnmountError as o, CodeInterpreter as p, proxyToSandbox as r, InvalidMountConfigError as s, Sandbox as t, asyncIterableToSSEStream as u, ProcessClient as v, BackupClient as w, FileClient as x, PortClient as y, SessionTerminatedError as z };
-//# sourceMappingURL=sandbox-B-MUmsli.js.map
+export { FileClient as A, RPCTransportError as B, collectFile as C, ProcessClient as D, UtilityClient as E, BackupNotFoundError as F, BackupRestoreError as I, InvalidBackupConfigError as L, BackupClient as M, BackupCreateError as N, PortClient as O, BackupExpiredError as P, ProcessExitedBeforeReadyError as R, validateTunnelName as S, SandboxClient as T, SessionTerminatedError as V, responseToAsyncIterable as _, PREVIEW_PROXY_HEADER as a, sanitizeSandboxId as b, PREVIEW_PROXY_SANDBOX_ID_HEADER as c, BucketUnmountError as d, InvalidMountConfigError as f, parseSSEStream as g, asyncIterableToSSEStream as h, proxyTerminal as i, CommandClient as j, GitClient as k, PREVIEW_PROXY_TOKEN_HEADER as l, S3FSMountError as m, Sandbox as n, PREVIEW_PROXY_HEADERS as o, MissingCredentialsError as p, getSandbox as r, PREVIEW_PROXY_PORT_HEADER as s, ContainerProxy$1 as t, BucketMountError as u, CodeInterpreter as v, streamFile as w, validatePort as x, SandboxSecurityError as y, ProcessReadyTimeoutError as z };
+//# sourceMappingURL=sandbox-Duj2gvUC.js.map