@cloudflare/sandbox 0.11.0 → 0.12.1

package/Dockerfile

@@ -284,61 +284,6 @@ EXPOSE 4096
 
 ENTRYPOINT ["/container-server/sandbox"]
 
-# ============================================================================
-# Desktop variant — full Linux desktop with robotgo native control
-# ============================================================================
-FROM golang:1.25-bookworm AS go-builder
-
-RUN mkdir -p /usr/local/share/ca-certificates
-RUN --mount=type=secret,id=wrangler_ca \
-    apt-get update && apt-get install -y --no-install-recommends ca-certificates && \
-    if [ -f /run/secrets/wrangler_ca ] && [ -s /run/secrets/wrangler_ca ]; then \
-        cp /run/secrets/wrangler_ca /usr/local/share/ca-certificates/wrangler-dev-ca.crt; \
-    fi && \
-    update-ca-certificates && \
-    rm -rf /var/lib/apt/lists/*
-
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    gcc libx11-dev libxtst-dev libxinerama-dev libpng-dev \
-    && rm -rf /var/lib/apt/lists/*
-
-COPY packages/sandbox-container/native/desktop-wrapper/ /build/
-WORKDIR /build
-RUN go mod tidy && go build -buildmode=c-shared -o /usr/lib/desktop.so .
-
-FROM runtime-base AS desktop
-
-# Install display stack
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked \
-    rm -f /etc/apt/apt.conf.d/docker-clean && \
-    echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' >/etc/apt/apt.conf.d/keep-cache && \
-    apt-get update && apt-get install -y --no-install-recommends \
-    xvfb x11vnc novnc websockify \
-    xfce4 xfce4-terminal dbus-x11 \
-    libx11-6 libxrandr2 libxext6 libxrender1 libxfixes3 \
-    libxss1 libxtst6 libxi6 libxinerama1 \
-    && rm -rf /var/lib/apt/lists/*
-
-COPY --from=go-builder /usr/lib/desktop.so /usr/lib/desktop.so
-COPY --from=go-builder /usr/lib/desktop.h /usr/lib/desktop.h
-
-COPY --from=builder /app/packages/sandbox-container/dist/sandbox /container-server/sandbox
-COPY --from=builder /app/packages/sandbox-container/dist/workers/ /container-server/workers/
-
-# Install koffi for FFI worker thread
-WORKDIR /container-server
-RUN npm init -y && npm install koffi
-
-EXPOSE 6080
-
-ENV DISPLAY=:99
-ENV PYTHON_POOL_MIN_SIZE=0
-ENV JAVASCRIPT_POOL_MIN_SIZE=0
-ENV TYPESCRIPT_POOL_MIN_SIZE=0
-
-ENTRYPOINT ["/container-server/sandbox"]
-
 # ============================================================================
 # Stage 5d: Musl image - Alpine-based with musl-linked binary
 # ============================================================================

package/README.md

@@ -200,6 +200,7 @@ See the [examples directory](./examples) for complete working examples:
 - [Claude Code](./examples/claude-code) - Run [Claude Code](https://claude.ai/code) headless on any repo
 - [OpenAI Agents](./examples/openai-agents) - `Shell` and `Editor` tools for [OpenAI Agents SDK](https://openai.github.io/openai-agents-js/)
 - [OpenCode](./examples/opencode) - [OpenCode](https://github.com/sst/opencode) web UI or [SDK](https://opencode.ai/docs/sdk/) in a sandbox
+- [Git Repo Per Sandbox](./examples/git-repo-per-sandbox) - One Artifacts Git repo per sandbox
 - [TypeScript Validator](./examples/typescript-validator) - Build with npm in sandbox, execute in [isolates](https://developers.cloudflare.com/workers/runtime-apis/bindings/worker-loader/)
 
 ## Status

package/dist/bridge/index.js

@@ -1,6 +1,6 @@
 import "../dist-B_eXrP83.js";
-import "../errors-COsTRno_.js";
-import { C as streamFile, b as validatePort, n as getSandbox, v as SandboxSecurityError, x as validateTunnelName } from "../sandbox-DQxTkLyY.js";
+import "../errors-aRUdk9K8.js";
+import { S as validateTunnelName, r as getSandbox, w as streamFile, x as validatePort, y as SandboxSecurityError } from "../sandbox-DKG3H156.js";
 import { DurableObject, env } from "cloudflare:workers";
 import { Hono } from "hono";
 
@@ -228,6 +228,11 @@ const OPENAPI_SCHEMA = {
 						$ref: "#/components/schemas/MountBucketCredentials",
 						description: "Explicit credentials. When omitted, the SDK auto-detects from Worker secrets (R2_ACCESS_KEY_ID / R2_SECRET_ACCESS_KEY or AWS equivalents)."
 					},
+					credentialProxy: {
+						type: "boolean",
+						description: "Keep credentials in the Durable Object and sign intercepted s3fs requests from the Worker. Credentials may be explicit or auto-detected from Worker secrets.",
+						default: false
+					},
 					s3fsOptions: {
 						type: "array",
 						items: { type: "string" },
@@ -1800,6 +1805,7 @@ function validateMountOptions(options, binding) {
 	if (options.s3fsOptions !== void 0 && !isStringArray(options.s3fsOptions)) return errorJson("options.s3fsOptions must be an array of strings when provided", "invalid_request", 400);
 	if (options.readOnly !== void 0 && typeof options.readOnly !== "boolean") return errorJson("options.readOnly must be a boolean when provided", "invalid_request", 400);
 	if (options.prefix !== void 0 && typeof options.prefix !== "string") return errorJson("options.prefix must be a string when provided", "invalid_request", 400);
+	if ("credentialProxy" in options && options.credentialProxy !== void 0 && typeof options.credentialProxy !== "boolean") return errorJson("options.credentialProxy must be a boolean when provided", "invalid_request", 400);
 	if ("credentials" in options && options.credentials !== void 0 && (typeof options.credentials !== "object" || options.credentials === null || typeof options.credentials.accessKeyId !== "string" || typeof options.credentials.secretAccessKey !== "string")) return errorJson("options.credentials must include string accessKeyId and secretAccessKey", "invalid_request", 400);
 	return null;
 }
@@ -1821,6 +1827,7 @@ function toSDKMountOptions(options) {
 			secretAccessKey: options.credentials.secretAccessKey
 		};
 		if (options.s3fsOptions !== void 0) remoteOptions.s3fsOptions = options.s3fsOptions;
+		if ("credentialProxy" in options && typeof options.credentialProxy === "boolean") remoteOptions.credentialProxy = options.credentialProxy;
 		return remoteOptions;
 	}
 	const r2BindingOptions = {};