@cloudflare/sandbox 0.11.0 → 0.12.0

package/dist/{sandbox-DQxTkLyY.js → sandbox-Duj2gvUC.js}

@@ -1,6 +1,6 @@
 import { _ as GitLogger, b as getEnvString, c as parseSSEFrames, d as createNoOpLogger, f as TraceContext, g as DEFAULT_GIT_CLONE_TIMEOUT_MS, h as ResultImpl, i as isWSStreamChunk, l as shellEscape, m as Execution, n as isWSError, p as logCanonicalEvent, r as isWSResponse, t as generateRequestId, u as createLogger, v as extractRepoName, x as partitionEnvVars, y as filterEnvVars } from "./dist-B_eXrP83.js";
-import { n as getHttpStatus, r as ErrorCode, t as getSuggestion } from "./errors-COsTRno_.js";
-import { Container, getContainer, switchPort } from "@cloudflare/containers";
+import { n as getHttpStatus, r as ErrorCode, t as getSuggestion } from "./errors-aRUdk9K8.js";
+import { Container, ContainerProxy, getContainer, switchPort } from "@cloudflare/containers";
 import { AwsClient } from "aws4fetch";
 import { RpcSession, RpcTarget } from "capnweb";
 import path from "node:path/posix";
@@ -629,42 +629,6 @@ var BackupRestoreError = class extends SandboxError {
 		return this.context.backupId;
 	}
 };
-var DesktopNotStartedError = class extends SandboxError {
-	constructor(errorResponse) {
-		super(errorResponse);
-		this.name = "DesktopNotStartedError";
-	}
-};
-var DesktopStartFailedError = class extends SandboxError {
-	constructor(errorResponse) {
-		super(errorResponse);
-		this.name = "DesktopStartFailedError";
-	}
-};
-var DesktopUnavailableError = class extends SandboxError {
-	constructor(errorResponse) {
-		super(errorResponse);
-		this.name = "DesktopUnavailableError";
-	}
-};
-var DesktopProcessCrashedError = class extends SandboxError {
-	constructor(errorResponse) {
-		super(errorResponse);
-		this.name = "DesktopProcessCrashedError";
-	}
-};
-var DesktopInvalidOptionsError = class extends SandboxError {
-	constructor(errorResponse) {
-		super(errorResponse);
-		this.name = "DesktopInvalidOptionsError";
-	}
-};
-var DesktopInvalidCoordinatesError = class extends SandboxError {
-	constructor(errorResponse) {
-		super(errorResponse);
-		this.name = "DesktopInvalidCoordinatesError";
-	}
-};
 /**
 * Raised when the capnweb WebSocket session itself fails on the SDK side.
 * Unlike the rest of the SandboxError tree, the container never produces
@@ -746,12 +710,6 @@ function createErrorFromResponse(errorResponse, options) {
 		case ErrorCode.INTERPRETER_NOT_READY: return new InterpreterNotReadyError(errorResponse);
 		case ErrorCode.CONTEXT_NOT_FOUND: return new ContextNotFoundError(errorResponse);
 		case ErrorCode.CODE_EXECUTION_ERROR: return new CodeExecutionError(errorResponse);
-		case ErrorCode.DESKTOP_NOT_STARTED: return new DesktopNotStartedError(errorResponse);
-		case ErrorCode.DESKTOP_START_FAILED: return new DesktopStartFailedError(errorResponse);
-		case ErrorCode.DESKTOP_UNAVAILABLE: return new DesktopUnavailableError(errorResponse);
-		case ErrorCode.DESKTOP_PROCESS_CRASHED: return new DesktopProcessCrashedError(errorResponse);
-		case ErrorCode.DESKTOP_INVALID_OPTIONS: return new DesktopInvalidOptionsError(errorResponse);
-		case ErrorCode.DESKTOP_INVALID_COORDINATES: return new DesktopInvalidCoordinatesError(errorResponse);
 		case ErrorCode.RPC_TRANSPORT_ERROR: return new RPCTransportError(errorResponse, options);
 		case ErrorCode.VALIDATION_FAILED: return new ValidationFailedError(errorResponse);
 		case ErrorCode.INVALID_JSON_RESPONSE:
@@ -1590,21 +1548,21 @@ var BaseHttpClient = class {
 			body: JSON.stringify(data),
 			...requestOptions
 		});
-		return this.handleResponse(response, responseHandler);
+		return await this.handleResponse(response, responseHandler);
 	}
 	/**
 	* Make a GET request
 	*/
 	async get(endpoint, responseHandler) {
 		const response = await this.doFetch(endpoint, { method: "GET" });
-		return this.handleResponse(response, responseHandler);
+		return await this.handleResponse(response, responseHandler);
 	}
 	/**
 	* Make a DELETE request
 	*/
 	async delete(endpoint, responseHandler) {
 		const response = await this.doFetch(endpoint, { method: "DELETE" });
-		return this.handleResponse(response, responseHandler);
+		return await this.handleResponse(response, responseHandler);
 	}
 	/**
 	* Handle HTTP response with error checking and parsing
@@ -1673,7 +1631,7 @@ var BaseHttpClient = class {
 			headers: { "Content-Type": "application/json" },
 			body: body && method === "POST" ? JSON.stringify(body) : void 0
 		});
-		return this.handleStreamResponse(response);
+		return await this.handleStreamResponse(response);
 	}
 };
 
@@ -1782,240 +1740,6 @@ var CommandClient = class extends BaseHttpClient {
 	}
 };
 
-//#endregion
-//#region src/clients/desktop-client.ts
-/**
-* Decode a base64-encoded screenshot payload into a Uint8Array.
-* Shared with the RPC client wrapper, which receives base64 over the
-* wire and needs the same `format: 'bytes'` convenience.
-*/
-function base64ToBytes(data) {
-	const binaryString = atob(data);
-	const bytes = new Uint8Array(binaryString.length);
-	for (let i = 0; i < binaryString.length; i++) bytes[i] = binaryString.charCodeAt(i);
-	return bytes;
-}
-/**
-* Client for desktop environment lifecycle, input, and screen operations
-*/
-var DesktopClient = class extends BaseHttpClient {
-	/**
-	* Start the desktop environment with optional resolution and DPI.
-	*/
-	async start(options) {
-		try {
-			const data = {
-				...options?.resolution !== void 0 && { resolution: options.resolution },
-				...options?.dpi !== void 0 && { dpi: options.dpi }
-			};
-			return await this.post("/api/desktop/start", data);
-		} catch (error) {
-			this.options.onError?.(error instanceof Error ? error.message : String(error));
-			throw error;
-		}
-	}
-	/**
-	* Stop the desktop environment and all related processes.
-	*/
-	async stop() {
-		try {
-			return await this.post("/api/desktop/stop", {});
-		} catch (error) {
-			this.options.onError?.(error instanceof Error ? error.message : String(error));
-			throw error;
-		}
-	}
-	/**
-	* Get desktop lifecycle and process health status.
-	*/
-	async status() {
-		return await this.get("/api/desktop/status");
-	}
-	async screenshot(options) {
-		const wantsBytes = options?.format === "bytes";
-		const data = {
-			format: "base64",
-			...options?.imageFormat !== void 0 && { imageFormat: options.imageFormat },
-			...options?.quality !== void 0 && { quality: options.quality },
-			...options?.showCursor !== void 0 && { showCursor: options.showCursor }
-		};
-		const response = await this.post("/api/desktop/screenshot", data);
-		if (wantsBytes) return {
-			...response,
-			data: base64ToBytes(response.data)
-		};
-		return response;
-	}
-	async screenshotRegion(region, options) {
-		const wantsBytes = options?.format === "bytes";
-		const data = {
-			region,
-			format: "base64",
-			...options?.imageFormat !== void 0 && { imageFormat: options.imageFormat },
-			...options?.quality !== void 0 && { quality: options.quality },
-			...options?.showCursor !== void 0 && { showCursor: options.showCursor }
-		};
-		const response = await this.post("/api/desktop/screenshot/region", data);
-		if (wantsBytes) return {
-			...response,
-			data: base64ToBytes(response.data)
-		};
-		return response;
-	}
-	/**
-	* Single-click at the given coordinates.
-	*/
-	async click(x, y, options) {
-		await this.post("/api/desktop/mouse/click", {
-			x,
-			y,
-			button: options?.button ?? "left",
-			clickCount: 1
-		});
-	}
-	/**
-	* Double-click at the given coordinates.
-	*/
-	async doubleClick(x, y, options) {
-		await this.post("/api/desktop/mouse/click", {
-			x,
-			y,
-			button: options?.button ?? "left",
-			clickCount: 2
-		});
-	}
-	/**
-	* Triple-click at the given coordinates.
-	*/
-	async tripleClick(x, y, options) {
-		await this.post("/api/desktop/mouse/click", {
-			x,
-			y,
-			button: options?.button ?? "left",
-			clickCount: 3
-		});
-	}
-	/**
-	* Right-click at the given coordinates.
-	*/
-	async rightClick(x, y) {
-		await this.post("/api/desktop/mouse/click", {
-			x,
-			y,
-			button: "right",
-			clickCount: 1
-		});
-	}
-	/**
-	* Middle-click at the given coordinates.
-	*/
-	async middleClick(x, y) {
-		await this.post("/api/desktop/mouse/click", {
-			x,
-			y,
-			button: "middle",
-			clickCount: 1
-		});
-	}
-	/**
-	* Press and hold a mouse button.
-	*/
-	async mouseDown(x, y, options) {
-		await this.post("/api/desktop/mouse/down", {
-			...x !== void 0 && { x },
-			...y !== void 0 && { y },
-			button: options?.button ?? "left"
-		});
-	}
-	/**
-	* Release a held mouse button.
-	*/
-	async mouseUp(x, y, options) {
-		await this.post("/api/desktop/mouse/up", {
-			...x !== void 0 && { x },
-			...y !== void 0 && { y },
-			button: options?.button ?? "left"
-		});
-	}
-	/**
-	* Move the mouse cursor to coordinates.
-	*/
-	async moveMouse(x, y) {
-		await this.post("/api/desktop/mouse/move", {
-			x,
-			y
-		});
-	}
-	/**
-	* Drag from start coordinates to end coordinates.
-	*/
-	async drag(startX, startY, endX, endY, options) {
-		await this.post("/api/desktop/mouse/drag", {
-			startX,
-			startY,
-			endX,
-			endY,
-			button: options?.button ?? "left"
-		});
-	}
-	/**
-	* Scroll at coordinates in the specified direction.
-	*/
-	async scroll(x, y, direction, amount = 3) {
-		await this.post("/api/desktop/mouse/scroll", {
-			x,
-			y,
-			direction,
-			amount
-		});
-	}
-	/**
-	* Get the current cursor coordinates.
-	*/
-	async getCursorPosition() {
-		return await this.get("/api/desktop/mouse/position");
-	}
-	/**
-	* Type text into the focused element.
-	*/
-	async type(text, options) {
-		await this.post("/api/desktop/keyboard/type", {
-			text,
-			...options?.delayMs !== void 0 && { delayMs: options.delayMs }
-		});
-	}
-	/**
-	* Press and release a key or key combination.
-	*/
-	async press(key) {
-		await this.post("/api/desktop/keyboard/press", { key });
-	}
-	/**
-	* Press and hold a key.
-	*/
-	async keyDown(key) {
-		await this.post("/api/desktop/keyboard/down", { key });
-	}
-	/**
-	* Release a held key.
-	*/
-	async keyUp(key) {
-		await this.post("/api/desktop/keyboard/up", { key });
-	}
-	/**
-	* Get the active desktop screen size.
-	*/
-	async getScreenSize() {
-		return await this.get("/api/desktop/screen/size");
-	}
-	/**
-	* Get health status for a specific desktop process.
-	*/
-	async getProcessStatus(name) {
-		return this.get(`/api/desktop/process/${encodeURIComponent(name)}/status`);
-	}
-};
-
 //#endregion
 //#region src/clients/file-client.ts
 /**
@@ -2618,7 +2342,6 @@ var SandboxClient = class {
 	git;
 	interpreter;
 	utils;
-	desktop;
 	watch;
 	/**
 	* Tunnels are RPC-only — the route-based transport does not implement them.
@@ -2651,7 +2374,6 @@ var SandboxClient = class {
 		this.git = new GitClient(clientOptions);
 		this.interpreter = new InterpreterClient(clientOptions);
 		this.utils = new UtilityClient(clientOptions);
-		this.desktop = new DesktopClient(clientOptions);
 		this.watch = new WatchClient(clientOptions);
 	}
 	/**
@@ -2672,7 +2394,6 @@ var SandboxClient = class {
 			this.git.setRetryTimeoutMs(ms);
 			this.interpreter.setRetryTimeoutMs(ms);
 			this.utils.setRetryTimeoutMs(ms);
-			this.desktop.setRetryTimeoutMs(ms);
 			this.watch.setRetryTimeoutMs(ms);
 		}
 	}
@@ -3301,32 +3022,6 @@ var ContainerControlClient = class {
 	get backup() {
 		return wrapStub(this.getConnection().rpc().backup, this.renewActivity);
 	}
-	get desktop() {
-		const stub = wrapStub(this.getConnection().rpc().desktop, this.renewActivity);
-		const wire = stub;
-		return new Proxy(stub, { get(target, prop, receiver) {
-			if (prop === "screenshot") return async (options) => {
-				const { format, ...rest } = options ?? {};
-				const result = await wire.screenshot(rest);
-				return format === "bytes" ? {
-					...result,
-					data: base64ToBytes(result.data)
-				} : result;
-			};
-			if (prop === "screenshotRegion") return async (region, options) => {
-				const { format, ...rest } = options ?? {};
-				const result = await wire.screenshotRegion({
-					region,
-					...rest
-				});
-				return format === "bytes" ? {
-					...result,
-					data: base64ToBytes(result.data)
-				} : result;
-			};
-			return Reflect.get(target, prop, receiver);
-		} });
-	}
 	get watch() {
 		return wrapStub(this.getConnection().rpc().watch, this.renewActivity);
 	}
@@ -4775,6 +4470,413 @@ const r2EgressHandler = async (request, env$1, ctx) => {
 	}
 };
 
+//#endregion
+//#region src/storage-mount/s3-credential-proxy-handler.ts
+const PER_MOUNT_SUFFIX = ".s3-credential-proxy.internal";
+const SELF_TEST_PATH = "/__sandbox_credential_proxy_self_test__";
+const DIAGNOSTICS_PATH = "/__sandbox_credential_proxy_diagnostics__";
+const DEFAULT_SLOW_REQUEST_MS = 1e3;
+const ERROR_RESPONSE_BODY_LIMIT = 2048;
+const MAX_DIAGNOSTIC_EVENTS = 500;
+const DUMMY_AUTH_HEADERS = new Set([
+	"authorization",
+	"x-amz-date",
+	"x-amz-content-sha256",
+	"x-amz-security-token",
+	"x-goog-date",
+	"x-goog-content-sha256"
+]);
+const sigV4ClientCache = /* @__PURE__ */ new Map();
+const directoryMarkerCache = /* @__PURE__ */ new Map();
+const credentialProxyDiagnosticEvents = [];
+let credentialProxyDiagnosticEventCount = 0;
+function evictSigV4ClientCacheEntry(mountId) {
+	sigV4ClientCache.delete(mountId);
+}
+function evictDirectoryMarkerCacheForMount(mountId) {
+	const prefix = `${mountId}:`;
+	for (const key of directoryMarkerCache.keys()) if (key.startsWith(prefix)) directoryMarkerCache.delete(key);
+}
+function toHex(buffer) {
+	return Array.from(new Uint8Array(buffer)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function sha256Hex(data) {
+	return toHex(await crypto.subtle.digest("SHA-256", new TextEncoder().encode(data)));
+}
+async function hmacSHA256(key, data) {
+	const cryptoKey = await crypto.subtle.importKey("raw", key, {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign"]);
+	return crypto.subtle.sign("HMAC", cryptoKey, new TextEncoder().encode(data));
+}
+function detectS3Region(provider, endpoint) {
+	if (provider === "r2") return "auto";
+	try {
+		const host = new URL(endpoint).hostname;
+		const m = host.match(/s3[.-]([a-z0-9-]+)\.amazonaws\.com/);
+		if (m && m[1] !== "amazonaws") return m[1];
+		if (host === "s3.amazonaws.com") return "us-east-1";
+	} catch {}
+	return "auto";
+}
+function buildCleanHeaders(original) {
+	const clean = new Headers();
+	for (const [k, v] of original) {
+		const lower = k.toLowerCase();
+		if (!DUMMY_AUTH_HEADERS.has(lower) && lower !== "host") clean.set(k, v);
+	}
+	const contentSHA256 = original.get("x-amz-content-sha256");
+	if (contentSHA256 && isValidContentSHA256(contentSHA256)) clean.set("x-amz-content-sha256", contentSHA256);
+	return clean;
+}
+function isValidContentSHA256(value) {
+	return value === "UNSIGNED-PAYLOAD" || /^[a-fA-F0-9]{64}$/.test(value);
+}
+function getCredentialProxyDebugConfig(env$1) {
+	const envRecord = env$1;
+	const enabled = envRecord.SANDBOX_CREDENTIAL_PROXY_DEBUG === "true";
+	const diagnosticsEndpointEnabled = envRecord.SANDBOX_CREDENTIAL_PROXY_DIAGNOSTICS_ENDPOINT === "true";
+	const configuredSlowRequestMs = Number(envRecord.SANDBOX_CREDENTIAL_PROXY_SLOW_REQUEST_MS);
+	return {
+		diagnosticsEndpointEnabled,
+		enabled,
+		slowRequestMs: Number.isFinite(configuredSlowRequestMs) && configuredSlowRequestMs >= 0 ? configuredSlowRequestMs : DEFAULT_SLOW_REQUEST_MS
+	};
+}
+function recordCredentialProxyDiagnosticEvent(event) {
+	credentialProxyDiagnosticEvents.push(event);
+	credentialProxyDiagnosticEventCount++;
+	while (credentialProxyDiagnosticEvents.length > MAX_DIAGNOSTIC_EVENTS) credentialProxyDiagnosticEvents.shift();
+}
+function getCredentialProxyDiagnosticsResponse(url, containerId) {
+	const since = Number(url.searchParams.get("since") ?? "0");
+	const bufferStartCount = credentialProxyDiagnosticEventCount - credentialProxyDiagnosticEvents.length;
+	const events = credentialProxyDiagnosticEvents.filter((event, index) => {
+		if (event.containerId !== containerId) return false;
+		return !Number.isFinite(since) || bufferStartCount + index >= since;
+	});
+	return Response.json({
+		nextCursor: credentialProxyDiagnosticEventCount,
+		events
+	});
+}
+async function withCredentialProxyDiagnostics(requestInfo, debugConfig, containerId, path$1, operation) {
+	const started = Date.now();
+	try {
+		const response = await operation();
+		const durationMs = Date.now() - started;
+		if (debugConfig.enabled) recordCredentialProxyDiagnosticEvent({
+			...requestInfo,
+			containerId,
+			durationMs,
+			ok: response.ok,
+			path: path$1,
+			status: response.status,
+			timestamp: (/* @__PURE__ */ new Date()).toISOString()
+		});
+		if (debugConfig.enabled || durationMs >= debugConfig.slowRequestMs) console.info("sandbox.s3_credential_proxy.request", {
+			...requestInfo,
+			durationMs,
+			ok: response.ok,
+			status: response.status,
+			responseContentLength: response.headers.get("content-length")
+		});
+		if (!response.ok) {
+			const responseForLog = response.clone();
+			const requestInfoSnapshot = { ...requestInfo };
+			responseForLog.text().then((body) => {
+				console.warn("sandbox.s3_credential_proxy.upstream_error", {
+					...requestInfoSnapshot,
+					durationMs,
+					status: response.status,
+					statusText: response.statusText,
+					errorBody: body.slice(0, ERROR_RESPONSE_BODY_LIMIT)
+				});
+			}).catch(() => {});
+		}
+		return response;
+	} catch (error) {
+		const durationMs = Date.now() - started;
+		console.warn("sandbox.s3_credential_proxy.request_error", {
+			...requestInfo,
+			durationMs,
+			error: error instanceof Error ? error.message : String(error)
+		});
+		throw error;
+	}
+}
+function getSigV4Client(mountId, endpoint, provider, credentials, region) {
+	const cached = sigV4ClientCache.get(mountId);
+	if (cached && cached.accessKeyId === credentials.accessKeyId && cached.secretAccessKey === credentials.secretAccessKey && cached.endpoint === endpoint && cached.provider === provider && cached.region === region) return cached.client;
+	const client = new AwsClient({
+		accessKeyId: credentials.accessKeyId,
+		secretAccessKey: credentials.secretAccessKey,
+		service: "s3",
+		region,
+		retries: 0
+	});
+	sigV4ClientCache.set(mountId, {
+		client,
+		accessKeyId: credentials.accessKeyId,
+		secretAccessKey: credentials.secretAccessKey,
+		endpoint,
+		provider,
+		region
+	});
+	return client;
+}
+function encodeCanonicalQueryPart(value) {
+	return encodeURIComponent(value).replace(/[!'()*]/g, (char) => `%${char.charCodeAt(0).toString(16).toUpperCase()}`);
+}
+function getCanonicalURI(url) {
+	return url.pathname.split("/").map((segment) => segment.split(/(%[0-9A-Fa-f]{2})/g).map((part) => /^%[0-9A-Fa-f]{2}$/.test(part) ? part.toUpperCase() : encodeCanonicalQueryPart(part)).join("")).join("/");
+}
+function getCanonicalQueryString(url) {
+	const query = url.search.startsWith("?") ? url.search.slice(1) : url.search;
+	if (!query) return "";
+	return query.split("&").map((part) => {
+		const separatorIndex = part.indexOf("=");
+		if (separatorIndex === -1) return [part, ""];
+		return [part.slice(0, separatorIndex), part.slice(separatorIndex + 1)];
+	}).map(([key, value]) => [encodeCanonicalQueryPart(decodeURIEncodedQueryPart(key)), encodeCanonicalQueryPart(decodeURIEncodedQueryPart(value))]).sort(([leftKey, leftValue], [rightKey, rightValue]) => {
+		if (leftKey < rightKey) return -1;
+		if (leftKey > rightKey) return 1;
+		if (leftValue < rightValue) return -1;
+		if (leftValue > rightValue) return 1;
+		return 0;
+	}).map(([key, value]) => `${key}=${value}`).join("&");
+}
+function decodeURIEncodedQueryPart(value) {
+	try {
+		return decodeURIComponent(value);
+	} catch {
+		return value;
+	}
+}
+function getSigV4PayloadHash(headers) {
+	const existingHash = headers.get("x-amz-content-sha256");
+	if (existingHash && existingHash !== "UNSIGNED-PAYLOAD") return {
+		hash: existingHash,
+		mode: "signed"
+	};
+	return {
+		hash: "UNSIGNED-PAYLOAD",
+		mode: "unsigned"
+	};
+}
+function isZeroLengthDirectoryMarkerPUT(request, realPath) {
+	return request.method.toUpperCase() === "PUT" && request.headers.get("content-length") === "0" && realPath.endsWith("/");
+}
+function isDirectoryMarkerHEAD(request) {
+	return request.method.toUpperCase() === "HEAD";
+}
+function getDirectoryMarkerCacheKey(mountId, realPath) {
+	return `${mountId}:${realPath.replace(/\/+$/, "")}`;
+}
+function getDirectoryMarkerResponseHeaders(request) {
+	const headers = [
+		["Accept-Ranges", "bytes"],
+		["Content-Length", "0"],
+		["ETag", "\"d41d8cd98f00b204e9800998ecf8427e\""],
+		["Last-Modified", (/* @__PURE__ */ new Date()).toUTCString()]
+	];
+	const contentType = request.headers.get("content-type");
+	if (contentType) headers.push(["Content-Type", contentType]);
+	for (const [name, value] of request.headers) if (name.toLowerCase().startsWith("x-amz-meta-")) headers.push([name, value]);
+	return headers;
+}
+function normalizePrefix(prefix) {
+	if (!prefix) return void 0;
+	return prefix.replace(/^\/+/, "").replace(/\/+$/, "");
+}
+function getObjectKeyForPath(realPath, bucket) {
+	const pathSegments = realPath.split("/").filter(Boolean);
+	if (pathSegments[0] !== bucket) return null;
+	return pathSegments.slice(1).join("/");
+}
+function isObjectKeyWithinPrefix(objectKey, prefix) {
+	const normalizedPrefix = normalizePrefix(prefix);
+	if (!normalizedPrefix) return true;
+	return objectKey === normalizedPrefix || objectKey.startsWith(`${normalizedPrefix}/`);
+}
+function isRequestWithinMountScope(realPath, url, bucket, prefix) {
+	const objectKey = getObjectKeyForPath(realPath, bucket);
+	if (objectKey === null) return false;
+	const requestedPrefix = url.searchParams.get("prefix");
+	if (objectKey !== "" && !isObjectKeyWithinPrefix(objectKey, prefix)) return false;
+	if (objectKey === "" && normalizePrefix(prefix) !== void 0 && url.search !== "" && requestedPrefix === null) return false;
+	if (requestedPrefix !== null) return isObjectKeyWithinPrefix(requestedPrefix, prefix);
+	return true;
+}
+function isBucketRootProbe(request, realPath, url, bucket) {
+	const method = request.method.toUpperCase();
+	return (method === "GET" || method === "HEAD") && url.search === "" && getObjectKeyForPath(realPath, bucket) === "";
+}
+function deleteDirectoryMarkerCacheEntry(mountId, realPath) {
+	directoryMarkerCache.delete(getDirectoryMarkerCacheKey(mountId, realPath));
+}
+function getContentLength(request) {
+	const contentLength = request.headers.get("content-length");
+	if (contentLength === null) return null;
+	const parsed = Number(contentLength);
+	if (!Number.isSafeInteger(parsed) || parsed < 0) return null;
+	return parsed;
+}
+function getSigV4ForwardInit(request) {
+	const contentLength = getContentLength(request);
+	if (contentLength === 0) return { body: new Uint8Array(0) };
+	if (contentLength === null || request.body === null) return {};
+	const { readable, writable } = new FixedLengthStream(contentLength);
+	request.body.pipeTo(writable).catch((error) => {
+		writable.abort(error).catch(() => {});
+	});
+	return { body: readable };
+}
+function getGCSHeaders(request) {
+	const headers = new Headers();
+	for (const [k, v] of request.headers) {
+		const lower = k.toLowerCase();
+		if (DUMMY_AUTH_HEADERS.has(lower) || lower === "host" || lower === "content-length" || lower === "expect") continue;
+		if (lower.startsWith("x-amz-meta-")) {
+			headers.set(`x-goog-meta-${lower.slice(11)}`, v);
+			continue;
+		}
+		if (lower.startsWith("x-amz-")) continue;
+		headers.set(k, v);
+	}
+	return headers;
+}
+async function signAndForwardSigV4(request, mountId, endpoint, provider, credentials, requestInfo) {
+	const signingStarted = Date.now();
+	const region = detectS3Region(provider, endpoint);
+	const payload = getSigV4PayloadHash(request.headers);
+	const client = getSigV4Client(mountId, endpoint, provider, credentials, region);
+	requestInfo.payloadHashMode = payload.mode;
+	requestInfo.clientSetupMs = Date.now() - signingStarted;
+	const upstreamStarted = Date.now();
+	const forwardInit = getSigV4ForwardInit(request);
+	requestInfo.bodyPresent = forwardInit?.body !== void 0 || request.body !== null;
+	const response = await client.fetch(request, forwardInit);
+	requestInfo.upstreamMs = Date.now() - upstreamStarted;
+	return response;
+}
+async function signAndForwardGCS(request, credentials, requestInfo) {
+	const url = new URL(request.url);
+	const gcsHeaders = getGCSHeaders(request);
+	const dateStr = `${(/* @__PURE__ */ new Date()).toISOString().replace(/[:-]/g, "").replace(/\.\d+Z$/, "")}Z`;
+	const dateOnly = dateStr.slice(0, 8);
+	const location = "auto";
+	const service = "storage";
+	const credentialScope = `${dateOnly}/${location}/${service}/goog4_request`;
+	const bodyHash = "UNSIGNED-PAYLOAD";
+	const headerEntries = [
+		["host", url.host],
+		["x-goog-content-sha256", bodyHash],
+		["x-goog-date", dateStr]
+	];
+	for (const [k, v] of gcsHeaders) headerEntries.push([k.toLowerCase(), v.trim()]);
+	headerEntries.sort((a, b) => a[0].localeCompare(b[0]));
+	const signedHeaders = headerEntries.map(([k]) => k).join(";");
+	const canonicalHeaders = headerEntries.map(([k, v]) => `${k}:${v}\n`).join("");
+	const stringToSign = [
+		"GOOG4-HMAC-SHA256",
+		dateStr,
+		credentialScope,
+		await sha256Hex([
+			request.method,
+			getCanonicalURI(url),
+			getCanonicalQueryString(url),
+			canonicalHeaders,
+			signedHeaders,
+			bodyHash
+		].join("\n"))
+	].join("\n");
+	const signature = toHex(await hmacSHA256(await hmacSHA256(await hmacSHA256(await hmacSHA256(await hmacSHA256(new TextEncoder().encode(`GOOG4${credentials.secretAccessKey}`), dateOnly), location), service), "goog4_request"), stringToSign));
+	const authorization = `GOOG4-HMAC-SHA256 Credential=${credentials.accessKeyId}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
+	const newHeaders = new Headers(gcsHeaders);
+	newHeaders.set("x-goog-date", dateStr);
+	newHeaders.set("x-goog-content-sha256", bodyHash);
+	newHeaders.set("Authorization", authorization);
+	const gcsBody = getContentLength(request) === 0 ? new Uint8Array(0) : request.body;
+	const upstreamStarted = Date.now();
+	const response = await fetch(new Request(request.url, {
+		method: request.method,
+		headers: newHeaders,
+		body: gcsBody
+	}));
+	requestInfo.upstreamMs = Date.now() - upstreamStarted;
+	return response;
+}
+const s3CredentialProxyHandler = async (request, env$1, ctx) => {
+	const url = new URL(request.url);
+	if (url.pathname === SELF_TEST_PATH) return new Response("OK", { status: 200 });
+	const debugConfig = getCredentialProxyDebugConfig(env$1);
+	if (url.pathname === DIAGNOSTICS_PATH) {
+		if (!debugConfig.enabled || !debugConfig.diagnosticsEndpointEnabled) return new Response("Not Found", { status: 404 });
+		return getCredentialProxyDiagnosticsResponse(url, ctx.containerId);
+	}
+	const segments = url.pathname.split("/").filter(Boolean);
+	const hostname = url.hostname;
+	let mountId;
+	let realPath;
+	if (hostname.endsWith(PER_MOUNT_SUFFIX)) {
+		mountId = hostname.slice(0, -29);
+		realPath = url.pathname;
+	} else {
+		mountId = segments[0] ?? null;
+		realPath = mountId ? url.pathname.slice(`/${mountId}`.length) || "/" : "/";
+	}
+	if (!mountId) return new Response("Bad Request: missing mount ID", { status: 400 });
+	const mount = ctx.params?.mounts[mountId];
+	if (!mount) return new Response(`Forbidden: unknown mount ID "${mountId}"`, { status: 403 });
+	if (mount.readOnly) {
+		const method = request.method.toUpperCase();
+		if (method !== "GET" && method !== "HEAD" && method !== "OPTIONS") return new Response("Forbidden: bucket mount is read-only", { status: 403 });
+	}
+	const realUrl = new URL(realPath + (url.search || ""), mount.endpoint);
+	if (isBucketRootProbe(request, realPath, url, mount.bucket)) return new Response(null, { status: 200 });
+	if (!isRequestWithinMountScope(realPath, url, mount.bucket, mount.prefix)) return new Response("Forbidden: request is outside mounted bucket scope", { status: 403 });
+	const cleanHeaders = buildCleanHeaders(request.headers);
+	const cleanRequest = new Request(realUrl.toString(), {
+		method: request.method,
+		headers: cleanHeaders,
+		body: request.body
+	});
+	const requestInfo = {
+		authStrategy: mount.authStrategy,
+		bucket: mount.bucket,
+		contentLength: request.headers.get("content-length"),
+		method: request.method,
+		mountId,
+		query: [...url.searchParams.keys()].sort()
+	};
+	if (isZeroLengthDirectoryMarkerPUT(cleanRequest, realPath)) {
+		const responseHeaders = getDirectoryMarkerResponseHeaders(cleanRequest);
+		requestInfo.bodyPresent = request.body !== null;
+		if (mount.authStrategy === "s3-sigv4") requestInfo.payloadHashMode = getSigV4PayloadHash(cleanRequest.headers).mode;
+		return withCredentialProxyDiagnostics(requestInfo, debugConfig, ctx.containerId, realPath, async () => {
+			const response = mount.authStrategy === "gcs" ? await signAndForwardGCS(cleanRequest, mount.credentials, requestInfo) : await signAndForwardSigV4(cleanRequest, mountId, mount.endpoint, mount.provider, mount.credentials, requestInfo);
+			if (response.ok) directoryMarkerCache.set(getDirectoryMarkerCacheKey(mountId, realPath), responseHeaders);
+			return response;
+		});
+	}
+	if (isDirectoryMarkerHEAD(cleanRequest)) {
+		const responseHeaders = directoryMarkerCache.get(getDirectoryMarkerCacheKey(mountId, realPath));
+		if (responseHeaders) {
+			requestInfo.bodyPresent = false;
+			if (mount.authStrategy === "s3-sigv4") requestInfo.payloadHashMode = getSigV4PayloadHash(cleanRequest.headers).mode;
+			return withCredentialProxyDiagnostics(requestInfo, debugConfig, ctx.containerId, realPath, () => Promise.resolve(new Response(null, {
+				status: 200,
+				headers: responseHeaders
+			})));
+		}
+	}
+	if (cleanRequest.method.toUpperCase() !== "HEAD") deleteDirectoryMarkerCacheEntry(mountId, realPath);
+	if (mount.authStrategy === "gcs") return withCredentialProxyDiagnostics(requestInfo, debugConfig, ctx.containerId, realPath, () => signAndForwardGCS(cleanRequest, mount.credentials, requestInfo));
+	return withCredentialProxyDiagnostics(requestInfo, debugConfig, ctx.containerId, realPath, () => signAndForwardSigV4(cleanRequest, mountId, mount.endpoint, mount.provider, mount.credentials, requestInfo));
+};
+
 //#endregion
 //#region src/tunnels/credentials.ts
 /**
@@ -5731,16 +5833,47 @@ async function pruneTunnelsForRestart(storage) {
 * This file is auto-updated by .github/changeset-version.ts during releases
 * DO NOT EDIT MANUALLY - Changes will be overwritten on the next version bump
 */
-const SDK_VERSION = "0.11.0";
+const SDK_VERSION = "0.12.0";
 
 //#endregion
 //#region src/sandbox.ts
 const PORT_TOKENS_STORAGE_KEY = "portTokens";
 const ACTIVE_PREVIEW_PORTS_STORAGE_KEY = "activePreviewPorts";
-const R2_EGRESS_PROXY_TARGET_CLASS_NAME = "CloudflareSandboxR2EgressProxyTarget";
-var R2EgressProxyTarget = class extends Container {};
-Object.defineProperty(R2EgressProxyTarget, "name", { value: R2_EGRESS_PROXY_TARGET_CLASS_NAME });
-R2EgressProxyTarget.outboundHandlers = { r2EgressMount: r2EgressHandler };
+const CONTAINER_PROXY_CLASS_NAME = "ContainerProxy";
+const S3_CREDENTIAL_PROXY_HOST = "s3-credential-proxy.internal";
+const S3_CREDENTIAL_PROXY_DIAGNOSTIC_HOST = "s3-credential-proxy.sandbox.test";
+var ContainerProxyOutboundTarget = class extends Container {};
+Object.defineProperty(ContainerProxyOutboundTarget, "name", { value: CONTAINER_PROXY_CLASS_NAME });
+ContainerProxyOutboundTarget.outboundHandlers = {
+	r2EgressMount: r2EgressHandler,
+	s3CredentialProxyMount: s3CredentialProxyHandler
+};
+/**
+* SDK-level ContainerProxy that directly dispatches SDK-internal mount hosts
+* (r2.internal, s3-credential-proxy.internal) without relying on
+* outboundHandlersRegistry lookups, which are NOT shared between the Durable
+* Object's execution context and the ContainerProxy WorkerEntrypoint context.
+*
+* Users must export this class from their Worker entrypoint so the Sandbox DO
+* can create outbound-interception fetchers that reference it.
+*/
+var ContainerProxy$1 = class extends ContainerProxy {
+	async fetch(request) {
+		const hostname = new URL(request.url).hostname;
+		const props = this.ctx.props;
+		const override = props.outboundByHostOverrides?.[hostname];
+		if (override) {
+			const handlerCtx = {
+				containerId: props.containerId ?? "",
+				className: props.className ?? "",
+				params: override.params
+			};
+			if (override.method === "r2EgressMount") return r2EgressHandler(request, this.env, handlerCtx);
+			if (override.method === "s3CredentialProxyMount") return s3CredentialProxyHandler(request, this.env, handlerCtx);
+		}
+		return super.fetch(request);
+	}
+};
 function isFetcher(value) {
 	return typeof value === "object" && value !== null && "fetch" in value && typeof value.fetch === "function";
 }
@@ -5750,6 +5883,8 @@ const R2_DEFAULT_S3FS_OPTIONS = {
 	enable_noobj_cache: true,
 	multipart_size: "5"
 };
+const R2_DEFAULT_S3FS_OPTION_ENTRIES = Object.entries(R2_DEFAULT_S3FS_OPTIONS).map(([key, value]) => value === true ? key : `${key}=${value}`);
+const S3FS_DISABLE_EXPECT_HEADER_CONFIG = " Expect:\n";
 const BACKUP_DEFAULT_TTL_SECONDS = 259200;
 const BACKUP_MAX_NAME_LENGTH = 256;
 const BACKUP_CONTAINER_DIR = "/var/backups";
@@ -5941,10 +6076,6 @@ function getSandbox(ns, id, options) {
 		}),
 		terminal: (request, opts) => proxyTerminal(stub, defaultSessionId, request, opts),
 		wsConnect: connect(stub),
-		desktop: new Proxy({}, { get(_, method) {
-			if (typeof method !== "string" || method === "then") return void 0;
-			return (...args) => stub.callDesktop(method, args);
-		} }),
 		tunnels: new Proxy({}, { get: (_, method) => {
 			if (typeof method !== "string" || method === "then") return void 0;
 			return (...args) => stub.callTunnels(method, args);
@@ -5986,6 +6117,7 @@ var Sandbox = class Sandbox extends Container {
 	logger;
 	keepAliveEnabled = false;
 	activeMounts = /* @__PURE__ */ new Map();
+	mountOperationQueue = Promise.resolve();
 	currentRuntime;
 	transport = "http";
 	/**
@@ -6052,56 +6184,6 @@ var Sandbox = class Sandbox extends Container {
 	*/
 	hasStoredContainerTimeouts = false;
 	/**
-	* Desktop environment operations.
-	* Within the DO, this getter provides direct access to DesktopClient.
-	* Over RPC, the getSandbox() proxy intercepts this property and routes
-	* calls through callDesktop() instead.
-	*/
-	get desktop() {
-		return this.client.desktop;
-	}
-	/**
-	* Allowed desktop methods — derived from the Desktop interface.
-	* Restricts callDesktop() to a known set of operations.
-	*/
-	static DESKTOP_METHODS = new Set([
-		"start",
-		"stop",
-		"status",
-		"screenshot",
-		"screenshotRegion",
-		"click",
-		"doubleClick",
-		"tripleClick",
-		"rightClick",
-		"middleClick",
-		"mouseDown",
-		"mouseUp",
-		"moveMouse",
-		"drag",
-		"scroll",
-		"getCursorPosition",
-		"type",
-		"press",
-		"keyDown",
-		"keyUp",
-		"getScreenSize",
-		"getProcessStatus"
-	]);
-	/**
-	* Dispatch method for desktop operations.
-	* Called by the client-side proxy created in getSandbox() to provide
-	* the `sandbox.desktop.status()` API without relying on RPC pipelining
-	* through property getters which is broken when using vite-plugin.
-	*/
-	async callDesktop(method, args) {
-		if (!Sandbox.DESKTOP_METHODS.has(method)) throw new Error(`Unknown desktop method: ${method}`);
-		const client = this.client.desktop;
-		const fn = client[method];
-		if (typeof fn !== "function") throw new Error(`sandbox.desktop missing method: ${method}`);
-		return fn.apply(client, args);
-	}
-	/**
 	* Dispatch method for tunnel operations.
 	* Called by the client-side proxy created in getSandbox() to provide
 	* the `sandbox.tunnels` API without relying on RPC pipelining
@@ -6406,6 +6488,24 @@ var Sandbox = class Sandbox extends Container {
 	* @throws InvalidMountConfigError if bucket name, mount path, or endpoint is invalid
 	*/
 	async mountBucket(bucket, mountPath, options) {
+		return this.runMountOperation(async () => {
+			await this.mountBucketUnlocked(bucket, mountPath, options);
+		});
+	}
+	async runMountOperation(operation) {
+		const previous = this.mountOperationQueue;
+		let release;
+		this.mountOperationQueue = new Promise((resolve) => {
+			release = resolve;
+		});
+		await previous.catch(() => {});
+		try {
+			await operation();
+		} finally {
+			release();
+		}
+	}
+	async mountBucketUnlocked(bucket, mountPath, options) {
 		if (options.prefix !== void 0) validatePrefix(options.prefix);
 		if ("localBucket" in options && options.localBucket) {
 			await this.mountBucketLocal(bucket, mountPath, options);
@@ -6445,6 +6545,7 @@ var Sandbox = class Sandbox extends Container {
 				logger: this.logger
 			});
 			const mountInfo = {
+				mountId: crypto.randomUUID(),
 				mountType: "local-sync",
 				bucket,
 				mountPath,
@@ -6485,13 +6586,36 @@ var Sandbox = class Sandbox extends Container {
 		};
 		return { buckets };
 	}
-	validateR2EgressS3fsOptions(options) {
+	validateProtectedS3fsOptions(options, mountLabel, extraProtected = []) {
 		if (!options) return;
-		const protectedOptions = new Set(["passwd_file", "url"]);
+		const protectedOptions = new Set([
+			"passwd_file",
+			"url",
+			...extraProtected
+		]);
 		for (const option of options) {
 			const [key] = option.split("=");
-			if (protectedOptions.has(key)) throw new InvalidMountConfigError(`s3fs option "${key}" cannot be overridden for R2 binding mounts`);
+			if (protectedOptions.has(key)) throw new InvalidMountConfigError(`s3fs option "${key}" cannot be overridden for ${mountLabel} mounts`);
+		}
+	}
+	getS3CredentialProxyParams(options) {
+		const mounts = {};
+		for (const [, m] of this.activeMounts) if (m.mountType === "fuse" && m.credentialProxy) {
+			if (m.mountId === options?.excludeMountId) continue;
+			mounts[m.mountId] = {
+				endpoint: m.credentialProxy.endpoint,
+				bucket: m.credentialProxy.bucket,
+				...m.credentialProxy.prefix !== void 0 ? { prefix: m.credentialProxy.prefix } : {},
+				credentials: m.credentialProxy.credentials,
+				readOnly: m.credentialProxy.readOnly,
+				provider: m.credentialProxy.provider,
+				authStrategy: m.credentialProxy.authStrategy
+			};
 		}
+		return { mounts };
+	}
+	resolveCredentialProxyAuthStrategy(provider) {
+		return provider === "gcs" ? "gcs" : "s3-sigv4";
 	}
 	/**
 	* Credential-less R2 mount: egress interception routes s3fs requests to the
@@ -6502,24 +6626,30 @@ var Sandbox = class Sandbox extends Container {
 		const prefix = options.prefix;
 		let mountOutcome = "error";
 		let mountError;
+		let passwordFilePath;
+		let additionalHeaderFilePath;
 		try {
 			validateBucketBindingName(bucket, mountPath);
 			this.validateMountPath(mountPath);
-			this.validateR2EgressS3fsOptions(options.s3fsOptions);
+			this.validateProtectedS3fsOptions(options.s3fsOptions, "R2 binding");
 			for (const [existingMountPath, mountInfo$1] of this.activeMounts) {
 				if (mountInfo$1.mountType === "r2-egress" && mountInfo$1.bucket === bucket && mountInfo$1.prefix !== prefix) throw new InvalidMountConfigError(`R2 binding "${bucket}" is already mounted at ${existingMountPath} with a different prefix. Mount the same binding only once, or use the same prefix for additional mounts.`);
 				if (mountInfo$1.mountType === "r2-egress" && mountInfo$1.bucket === bucket && mountInfo$1.readOnly !== (options.readOnly ?? false)) throw new InvalidMountConfigError(`R2 binding "${bucket}" is already mounted at ${existingMountPath} with a different readOnly setting. Mount the same binding only once, or use the same readOnly value for additional mounts.`);
 			}
-			const passwordFilePath = this.generatePasswordFilePath();
+			passwordFilePath = this.generatePasswordFilePath();
+			additionalHeaderFilePath = this.generateS3FSAdditionalHeaderFilePath();
 			await this.createPasswordFile(passwordFilePath, bucket, {
 				accessKeyId: "x",
 				secretAccessKey: "x"
 			});
+			await this.createDisableExpectHeaderFile(additionalHeaderFilePath);
 			const mountInfo = {
+				mountId: crypto.randomUUID(),
 				mountType: "r2-egress",
 				bucket,
 				mountPath,
 				passwordFilePath,
+				additionalHeaderFilePath,
 				mounted: false,
 				prefix,
 				readOnly: options.readOnly ?? false
@@ -6534,6 +6664,7 @@ var Sandbox = class Sandbox extends Container {
 				...parseS3fsOptions(resolveS3fsOptions("r2", options.s3fsOptions)),
 				use_path_request_style: true,
 				url: "http://r2.internal",
+				ahbe_conf: additionalHeaderFilePath,
 				...options.readOnly ? { ro: true } : {}
 			}));
 			const mountCmd = `s3fs ${shellEscape(s3fsSource)} ${shellEscape(mountPath)} -o ${optionsStr}`;
@@ -6557,7 +6688,13 @@ var Sandbox = class Sandbox extends Container {
 			mountError = error instanceof Error ? error : new Error(String(error));
 			const failedMount = this.activeMounts.get(mountPath);
 			this.activeMounts.delete(mountPath);
-			if (failedMount?.mountType === "r2-egress") await this.deletePasswordFile(failedMount.passwordFilePath).catch(() => {});
+			if (failedMount?.mountType === "r2-egress") {
+				await this.deletePasswordFile(failedMount.passwordFilePath).catch(() => {});
+				if (failedMount.additionalHeaderFilePath) await this.deleteAdditionalHeaderFile(failedMount.additionalHeaderFilePath).catch(() => {});
+			} else {
+				if (passwordFilePath) await this.deletePasswordFile(passwordFilePath).catch(() => {});
+				if (additionalHeaderFilePath) await this.deleteAdditionalHeaderFile(additionalHeaderFilePath).catch(() => {});
+			}
 			const remainingParams = this.getR2EgressParams();
 			await this.configureR2EgressOutbound(remainingParams).catch(() => {});
 			throw error;
@@ -6583,6 +6720,7 @@ var Sandbox = class Sandbox extends Container {
 		let mountOutcome = "error";
 		let mountError;
 		let passwordFilePath;
+		let additionalHeaderFilePath;
 		let provider = null;
 		let dirExisted = true;
 		try {
@@ -6604,33 +6742,81 @@ var Sandbox = class Sandbox extends Container {
 				R2_SECRET_ACCESS_KEY: this.r2SecretAccessKey || void 0,
 				...this.envVars
 			});
+			const credentialProxyEnabled = options.credentialProxy === true;
+			if (credentialProxyEnabled) this.validateProtectedS3fsOptions(options.s3fsOptions, "credential proxy", ["ahbe_conf", "use_path_request_style"]);
 			passwordFilePath = this.generatePasswordFilePath();
+			if (credentialProxyEnabled) additionalHeaderFilePath = this.generateS3FSAdditionalHeaderFilePath();
+			const mountId = crypto.randomUUID();
 			const mountInfo = {
+				mountId,
 				mountType: "fuse",
 				bucket: s3fsSource,
 				mountPath,
 				endpoint: options.endpoint,
 				provider,
 				passwordFilePath,
-				mounted: false
+				...additionalHeaderFilePath ? { additionalHeaderFilePath } : {},
+				mounted: false,
+				...credentialProxyEnabled ? { credentialProxy: {
+					endpoint: options.endpoint,
+					bucket,
+					...prefix !== void 0 ? { prefix } : {},
+					credentials,
+					readOnly: options.readOnly ?? false,
+					provider,
+					authStrategy: this.resolveCredentialProxyAuthStrategy(provider)
+				} } : {}
 			};
 			this.activeMounts.set(mountPath, mountInfo);
-			await this.createPasswordFile(passwordFilePath, bucket, credentials);
+			await this.createPasswordFile(passwordFilePath, bucket, credentialProxyEnabled ? {
+				accessKeyId: "x",
+				secretAccessKey: "x"
+			} : credentials);
+			if (credentialProxyEnabled) {
+				if (additionalHeaderFilePath) await this.createDisableExpectHeaderFile(additionalHeaderFilePath);
+				await this.configureS3CredentialProxyOutbound(this.getS3CredentialProxyParams());
+			}
 			dirExisted = (await this.execInternal(`test -d ${shellEscape(mountPath)}`)).exitCode === 0;
 			await this.execInternal(`mkdir -p ${shellEscape(mountPath)}`);
-			await this.executeS3FSMount(s3fsSource, mountPath, options, provider, passwordFilePath);
+			const effectiveOptions = credentialProxyEnabled ? {
+				...options,
+				endpoint: `http://${S3_CREDENTIAL_PROXY_HOST}/${mountId}`,
+				s3fsOptions: [
+					...provider === "r2" ? R2_DEFAULT_S3FS_OPTION_ENTRIES : [],
+					...options.s3fsOptions ?? [],
+					...additionalHeaderFilePath ? [`ahbe_conf=${additionalHeaderFilePath}`] : [],
+					"use_path_request_style"
+				]
+			} : options;
+			await this.executeS3FSMount(s3fsSource, mountPath, effectiveOptions, provider, passwordFilePath);
 			mountInfo.mounted = true;
 			mountOutcome = "success";
 		} catch (error) {
 			mountError = error instanceof Error ? error : new Error(String(error));
-			if (passwordFilePath) await this.deletePasswordFile(passwordFilePath);
 			try {
 				await this.execInternal(`mountpoint -q ${shellEscape(mountPath)} && fusermount -u ${shellEscape(mountPath)}`);
 			} catch {}
+			if (passwordFilePath) await this.deletePasswordFile(passwordFilePath);
+			if (additionalHeaderFilePath) await this.deleteAdditionalHeaderFile(additionalHeaderFilePath);
 			if (!dirExisted) try {
 				await this.execInternal(`rmdir ${shellEscape(mountPath)} 2>/dev/null`);
 			} catch {}
-			this.activeMounts.delete(mountPath);
+			const failedMount = this.activeMounts.get(mountPath);
+			if (failedMount?.mountType === "fuse" && failedMount.credentialProxy) try {
+				await this.configureS3CredentialProxyOutbound(this.getS3CredentialProxyParams({ excludeMountId: failedMount.mountId }));
+				this.activeMounts.delete(mountPath);
+				evictSigV4ClientCacheEntry(failedMount.mountId);
+				evictDirectoryMarkerCacheForMount(failedMount.mountId);
+			} catch (cleanupError) {
+				this.logger.warn("credential proxy cleanup failed", {
+					mountPath,
+					error: cleanupError instanceof Error ? cleanupError.message : String(cleanupError)
+				});
+				this.activeMounts.delete(mountPath);
+				evictSigV4ClientCacheEntry(failedMount.mountId);
+				evictDirectoryMarkerCacheForMount(failedMount.mountId);
+			}
+			else this.activeMounts.delete(mountPath);
 			throw error;
 		} finally {
 			logCanonicalEvent(this.logger, {
@@ -6652,6 +6838,11 @@ var Sandbox = class Sandbox extends Container {
 	* @throws InvalidMountConfigError if mount path doesn't exist or isn't mounted
 	*/
 	async unmountBucket(mountPath) {
+		return this.runMountOperation(async () => {
+			await this.unmountBucketUnlocked(mountPath);
+		});
+	}
+	async unmountBucketUnlocked(mountPath) {
 		const unmountStartTime = Date.now();
 		let unmountOutcome = "error";
 		let unmountError;
@@ -6662,30 +6853,75 @@ var Sandbox = class Sandbox extends Container {
 				await mountInfo.syncManager.stop();
 				mountInfo.mounted = false;
 				this.activeMounts.delete(mountPath);
-			} else try {
-				const result = await this.execInternal(`fusermount -u ${shellEscape(mountPath)}`);
-				if (result.exitCode !== 0) {
-					const stderr = result.stderr || "unknown error";
-					throw new BucketUnmountError(`fusermount -u failed (exit ${result.exitCode}): ${stderr}`);
-				}
-				mountInfo.mounted = false;
-				this.activeMounts.delete(mountPath);
-				if (mountInfo.mountType === "r2-egress") await this.configureR2EgressOutbound(this.getR2EgressParams());
+			} else if (mountInfo.mountType === "fuse" && mountInfo.credentialProxy && !mountInfo.mounted) {
 				try {
-					const cleanup = await this.execInternal(`mountpoint -q ${shellEscape(mountPath)} || rmdir ${shellEscape(mountPath)}`);
-					if (cleanup.exitCode !== 0) this.logger.warn("mount directory removal failed", {
-						mountPath,
-						exitCode: cleanup.exitCode,
-						stderr: cleanup.stderr
-					});
-				} catch (err) {
-					this.logger.warn("mount directory removal failed", {
+					await this.configureS3CredentialProxyOutbound(this.getS3CredentialProxyParams({ excludeMountId: mountInfo.mountId }));
+				} catch (cleanupError) {
+					this.logger.warn("credential proxy outbound reconfiguration failed on unmount", {
 						mountPath,
-						error: err instanceof Error ? err.message : String(err)
+						error: cleanupError instanceof Error ? cleanupError.message : String(cleanupError)
 					});
 				}
-			} finally {
-				await this.deletePasswordFile(mountInfo.passwordFilePath);
+				this.activeMounts.delete(mountPath);
+				evictSigV4ClientCacheEntry(mountInfo.mountId);
+				evictDirectoryMarkerCacheForMount(mountInfo.mountId);
+			} else {
+				let unmounted = false;
+				try {
+					const result = await this.execInternal(`fusermount -u ${shellEscape(mountPath)}`);
+					if (result.exitCode !== 0) {
+						const stderr = result.stderr || "unknown error";
+						throw new BucketUnmountError(`fusermount -u failed (exit ${result.exitCode}): ${stderr}`);
+					}
+					unmounted = true;
+					mountInfo.mounted = false;
+					if (mountInfo.mountType === "r2-egress") {
+						const remainingBuckets = {};
+						for (const [, activeMount] of this.activeMounts) if (activeMount.mountType === "r2-egress" && activeMount.mountId !== mountInfo.mountId) remainingBuckets[activeMount.bucket] = {
+							prefix: activeMount.prefix,
+							readOnly: activeMount.readOnly
+						};
+						try {
+							await this.configureR2EgressOutbound({ buckets: remainingBuckets });
+						} catch (cleanupError) {
+							this.logger.warn("r2 egress outbound reconfiguration failed on unmount", {
+								mountPath,
+								error: cleanupError instanceof Error ? cleanupError.message : String(cleanupError)
+							});
+						}
+						this.activeMounts.delete(mountPath);
+					} else if (mountInfo.mountType === "fuse" && mountInfo.credentialProxy) {
+						try {
+							await this.configureS3CredentialProxyOutbound(this.getS3CredentialProxyParams({ excludeMountId: mountInfo.mountId }));
+						} catch (cleanupError) {
+							this.logger.warn("credential proxy outbound reconfiguration failed on unmount", {
+								mountPath,
+								error: cleanupError instanceof Error ? cleanupError.message : String(cleanupError)
+							});
+						}
+						this.activeMounts.delete(mountPath);
+						evictSigV4ClientCacheEntry(mountInfo.mountId);
+						evictDirectoryMarkerCacheForMount(mountInfo.mountId);
+					} else this.activeMounts.delete(mountPath);
+					try {
+						const cleanup = await this.execInternal(`mountpoint -q ${shellEscape(mountPath)} || rmdir ${shellEscape(mountPath)}`);
+						if (cleanup.exitCode !== 0) this.logger.warn("mount directory removal failed", {
+							mountPath,
+							exitCode: cleanup.exitCode,
+							stderr: cleanup.stderr
+						});
+					} catch (err) {
+						this.logger.warn("mount directory removal failed", {
+							mountPath,
+							error: err instanceof Error ? err.message : String(err)
+						});
+					}
+				} finally {
+					if (unmounted) {
+						await this.deletePasswordFile(mountInfo.passwordFilePath);
+						if (mountInfo.additionalHeaderFilePath) await this.deleteAdditionalHeaderFile(mountInfo.additionalHeaderFilePath);
+					}
+				}
 			}
 			unmountOutcome = "success";
 		} catch (error) {
@@ -6728,6 +6964,20 @@ var Sandbox = class Sandbox extends Container {
 		return `/tmp/.passwd-s3fs-${crypto.randomUUID()}`;
 	}
 	/**
+	* Generate unique ahbe_conf file path for s3fs additional header config
+	*/
+	generateS3FSAdditionalHeaderFilePath() {
+		return `/tmp/.s3fs-ahbe-${crypto.randomUUID()}.conf`;
+	}
+	/**
+	* Create s3fs ahbe_conf file that suppresses the Expect: 100-continue header.
+	* Restricted to 0600 so s3fs will accept it (same requirement as passwd files).
+	*/
+	async createDisableExpectHeaderFile(headerFilePath) {
+		await this.client.files.writeFile(headerFilePath, S3FS_DISABLE_EXPECT_HEADER_CONFIG, DISABLE_SESSION_TOKEN);
+		await this.execInternal(`chmod 0600 ${shellEscape(headerFilePath)}`);
+	}
+	/**
 	* Create password file with s3fs credentials
 	* Format: bucket:accessKeyId:secretAccessKey
 	*/
@@ -6749,6 +6999,16 @@ var Sandbox = class Sandbox extends Container {
 			});
 		}
 	}
+	async deleteAdditionalHeaderFile(headerFilePath) {
+		try {
+			await this.execInternal(`rm -f ${shellEscape(headerFilePath)}`);
+		} catch (error) {
+			this.logger.warn("s3fs additional header file cleanup failed", {
+				headerFilePath,
+				error: error instanceof Error ? error.message : String(error)
+			});
+		}
+	}
 	/**
 	* Execute S3FS mount command
 	*/
@@ -6836,9 +7096,6 @@ var Sandbox = class Sandbox extends Container {
 			await this.ctx.storage.delete(PORT_TOKENS_STORAGE_KEY);
 			await this.clearActivePreviewPorts();
 			await this.currentRuntime.clear();
-			if (this.ctx.container?.running) try {
-				await this.client.desktop.stop();
-			} catch {}
 			for (const [mountPath, mountInfo] of this.activeMounts.entries()) {
 				mountsProcessed++;
 				if (mountInfo.mountType === "local-sync") try {
@@ -6858,6 +7115,7 @@ var Sandbox = class Sandbox extends Container {
 						this.logger.warn(`Failed to unmount bucket ${mountInfo.bucket} from ${mountPath}: ${errorMsg}`);
 					}
 					await this.deletePasswordFile(mountInfo.passwordFilePath);
+					if (mountInfo.additionalHeaderFilePath) await this.deleteAdditionalHeaderFile(mountInfo.additionalHeaderFilePath);
 				}
 			}
 			try {
@@ -6975,9 +7233,16 @@ var Sandbox = class Sandbox extends Container {
 		}
 		this.client.disconnect();
 		let hadR2EgressMount = false;
+		let hadCredentialProxyMount = false;
 		for (const [, m] of this.activeMounts) if (m.mountType === "local-sync") await m.syncManager.stop().catch(() => {});
 		else if (m.mountType === "r2-egress") hadR2EgressMount = true;
+		else if (m.mountType === "fuse" && m.credentialProxy) {
+			hadCredentialProxyMount = true;
+			evictSigV4ClientCacheEntry(m.mountId);
+			evictDirectoryMarkerCacheForMount(m.mountId);
+		}
 		if (hadR2EgressMount) await this.configureR2EgressOutbound({ buckets: {} }).catch(() => {});
+		if (hadCredentialProxyMount) await this.configureS3CredentialProxyOutbound({ mounts: {} }).catch(() => {});
 		this.activeMounts.clear();
 		await this.ctx.storage.delete("defaultSession");
 	}
@@ -8015,33 +8280,6 @@ var Sandbox = class Sandbox extends Container {
 		return this.client.files.exists(path$1, session);
 	}
 	/**
-	* Get the noVNC preview URL for browser-based desktop viewing.
-	* Confirms desktop is active, then uses exposePort() to generate
-	* a token-authenticated preview URL for the noVNC port (6080).
-	*
-	* @param hostname - The custom domain hostname for preview URLs
-	*   (e.g., 'preview.example.com'). Required because preview URLs
-	*   use subdomain patterns that .workers.dev doesn't support.
-	* @param options - Optional settings
-	* @param options.token - Reuse an existing token instead of generating a new one
-	* @returns The authenticated noVNC preview URL
-	*/
-	async getDesktopStreamUrl(hostname, options) {
-		if ((await this.client.desktop.status()).status === "inactive") throw new Error("Desktop is not running. Call sandbox.desktop.start() first.");
-		const url = (await this.exposePort(6080, {
-			hostname,
-			token: options?.token
-		})).url;
-		try {
-			await this.waitForPort({
-				portToCheck: 6080,
-				retries: 30,
-				waitInterval: 500
-			});
-		} catch {}
-		return { url };
-	}
-	/**
 	* Watch a directory for file system changes using native inotify.
 	*
 	* The returned promise resolves only after the watcher is established on the
@@ -9097,10 +9335,13 @@ var Sandbox = class Sandbox extends Container {
 	* create-archive → read → upload (or mount → extract) flow
 	* is not interleaved with another backup operation on the same directory.
 	*/
-	enqueueBackupOp(fn) {
-		const next = this.backupInProgress.then(fn, () => fn());
+	async enqueueBackupOp(fn) {
+		try {
+			await this.backupInProgress;
+		} catch {}
+		const next = fn();
 		this.backupInProgress = next.catch(() => {});
-		return next;
+		return await next;
 	}
 	/**
 	* Create a backup of a directory and upload it to R2.
@@ -9124,9 +9365,9 @@ var Sandbox = class Sandbox extends Container {
 	* under the `backups/` prefix after the desired retention period.
 	*/
 	async createBackup(options) {
-		if (options.localBucket) return this.enqueueBackupOp(() => this.doCreateBackupLocal(options));
+		if (options.localBucket) return await this.enqueueBackupOp(() => this.doCreateBackupLocal(options));
 		this.requireBackupBucket();
-		return this.enqueueBackupOp(() => this.doCreateBackup(options));
+		return await this.enqueueBackupOp(() => this.doCreateBackup(options));
 	}
 	async doCreateBackup(options) {
 		const bucket = this.requireBackupBucket();
@@ -9423,9 +9664,9 @@ var Sandbox = class Sandbox extends Container {
 	* Concurrent backup/restore calls on the same sandbox are serialized.
 	*/
 	async restoreBackup(backup) {
-		if (backup.localBucket) return this.enqueueBackupOp(() => this.doRestoreBackupLocal(backup));
+		if (backup.localBucket) return await this.enqueueBackupOp(() => this.doRestoreBackupLocal(backup));
 		this.requireBackupBucket();
-		return this.enqueueBackupOp(() => this.doRestoreBackup(backup));
+		return await this.enqueueBackupOp(() => this.doRestoreBackup(backup));
 	}
 	async doRestoreBackup(backup) {
 		const restoreStartTime = Date.now();
@@ -9685,10 +9926,18 @@ var Sandbox = class Sandbox extends Container {
 		const ctx = this.ctx;
 		if (!ctx.container?.interceptOutboundHttp) throw new InvalidMountConfigError("R2 binding mounts require container outbound interception support");
 		if (!ctx.exports?.ContainerProxy) throw new InvalidMountConfigError("R2 binding mounts require exporting ContainerProxy from the Worker entrypoint");
+		this.constructor.outboundHandlers = { r2EgressMount: r2EgressHandler };
+		if (Object.keys(params.buckets).length > 0) await this.setOutboundByHost("r2.internal", "r2EgressMount", params);
+		else await this.removeOutboundByHost("r2.internal");
+		this.logger.debug("r2 egress: registering host interception", {
+			host: "r2.internal",
+			method: "r2EgressMount",
+			targetClassName: CONTAINER_PROXY_CLASS_NAME
+		});
 		const fetcher = ctx.exports.ContainerProxy({ props: {
 			enableInternet: this.enableInternet,
 			containerId: this.ctx.id.toString(),
-			className: R2_EGRESS_PROXY_TARGET_CLASS_NAME,
+			className: CONTAINER_PROXY_CLASS_NAME,
 			outboundByHostOverrides: { "r2.internal": {
 				method: "r2EgressMount",
 				params
@@ -9697,8 +9946,42 @@ var Sandbox = class Sandbox extends Container {
 		if (!isFetcher(fetcher)) throw new InvalidMountConfigError("R2 binding mounts require ContainerProxy to return a valid Fetcher");
 		await ctx.container.interceptOutboundHttp("r2.internal", fetcher);
 	}
+	async configureS3CredentialProxyOutbound(params) {
+		const ctx = this.ctx;
+		if (!ctx.container?.interceptOutboundHttp) throw new InvalidMountConfigError("Credential proxy bucket mounts require container outbound interception support");
+		if (!ctx.exports?.ContainerProxy) throw new InvalidMountConfigError("Credential proxy bucket mounts require exporting ContainerProxy from the Worker entrypoint");
+		const hosts = [S3_CREDENTIAL_PROXY_HOST, S3_CREDENTIAL_PROXY_DIAGNOSTIC_HOST];
+		this.constructor.outboundHandlers = { s3CredentialProxyMount: s3CredentialProxyHandler };
+		if (Object.keys(params.mounts).length > 0) for (const host of hosts) await this.setOutboundByHost(host, "s3CredentialProxyMount", params);
+		else for (const host of hosts) await this.removeOutboundByHost(host);
+		const hostOverrides = {};
+		for (const host of hosts) hostOverrides[host] = {
+			method: "s3CredentialProxyMount",
+			params
+		};
+		this.logger.debug("s3 credential proxy: registering host interception", {
+			hosts,
+			method: "s3CredentialProxyMount",
+			targetClassName: CONTAINER_PROXY_CLASS_NAME
+		});
+		const fetcher = ctx.exports.ContainerProxy({ props: {
+			enableInternet: this.enableInternet,
+			containerId: this.ctx.id.toString(),
+			className: CONTAINER_PROXY_CLASS_NAME,
+			outboundByHostOverrides: hostOverrides
+		} });
+		if (!isFetcher(fetcher)) throw new InvalidMountConfigError("Credential proxy bucket mounts require ContainerProxy to return a valid Fetcher");
+		try {
+			const selfTest = await fetcher.fetch(new Request(`http://${S3_CREDENTIAL_PROXY_HOST}${SELF_TEST_PATH}`));
+			await selfTest.text();
+			this.logger.debug("s3 credential proxy: fetcher self-test complete", { status: selfTest.status });
+		} catch (error) {
+			this.logger.warn("s3 credential proxy: fetcher self-test failed", { error: error instanceof Error ? error.message : String(error) });
+		}
+		for (const host of hosts) await ctx.container.interceptOutboundHttp(host, fetcher);
+	}
 };
 
 //#endregion
-export { DesktopClient as A, DesktopProcessCrashedError as B, streamFile as C, PortClient as D, ProcessClient as E, BackupNotFoundError as F, ProcessReadyTimeoutError as G, DesktopUnavailableError as H, BackupRestoreError as I, RPCTransportError as K, DesktopInvalidCoordinatesError as L, BackupClient as M, BackupCreateError as N, GitClient as O, BackupExpiredError as P, DesktopInvalidOptionsError as R, collectFile as S, UtilityClient as T, InvalidBackupConfigError as U, DesktopStartFailedError as V, ProcessExitedBeforeReadyError as W, CodeInterpreter as _, PREVIEW_PROXY_HEADERS as a, validatePort as b, PREVIEW_PROXY_TOKEN_HEADER as c, InvalidMountConfigError as d, MissingCredentialsError as f, responseToAsyncIterable as g, parseSSEStream as h, PREVIEW_PROXY_HEADER as i, CommandClient as j, FileClient as k, BucketMountError as l, asyncIterableToSSEStream as m, getSandbox as n, PREVIEW_PROXY_PORT_HEADER as o, S3FSMountError as p, SessionTerminatedError as q, proxyTerminal as r, PREVIEW_PROXY_SANDBOX_ID_HEADER as s, Sandbox as t, BucketUnmountError as u, SandboxSecurityError as v, SandboxClient as w, validateTunnelName as x, sanitizeSandboxId as y, DesktopNotStartedError as z };
-//# sourceMappingURL=sandbox-DQxTkLyY.js.map
+export { FileClient as A, RPCTransportError as B, collectFile as C, ProcessClient as D, UtilityClient as E, BackupNotFoundError as F, BackupRestoreError as I, InvalidBackupConfigError as L, BackupClient as M, BackupCreateError as N, PortClient as O, BackupExpiredError as P, ProcessExitedBeforeReadyError as R, validateTunnelName as S, SandboxClient as T, SessionTerminatedError as V, responseToAsyncIterable as _, PREVIEW_PROXY_HEADER as a, sanitizeSandboxId as b, PREVIEW_PROXY_SANDBOX_ID_HEADER as c, BucketUnmountError as d, InvalidMountConfigError as f, parseSSEStream as g, asyncIterableToSSEStream as h, proxyTerminal as i, CommandClient as j, GitClient as k, PREVIEW_PROXY_TOKEN_HEADER as l, S3FSMountError as m, Sandbox as n, PREVIEW_PROXY_HEADERS as o, MissingCredentialsError as p, getSandbox as r, PREVIEW_PROXY_PORT_HEADER as s, ContainerProxy$1 as t, BucketMountError as u, CodeInterpreter as v, streamFile as w, validatePort as x, SandboxSecurityError as y, ProcessReadyTimeoutError as z };
+//# sourceMappingURL=sandbox-Duj2gvUC.js.map