@cloudflare/sandbox 0.3.7 → 0.4.2

package/dist/{chunk-6UAWTJ5S.js.map → chunk-Z532A7QC.js.map}

@@ -1 +1 @@
-{"version":3,"sources":["../src/security.ts"],"sourcesContent":["/**\n * Security utilities for URL construction and input validation\n *\n * This module contains critical security functions to prevent:\n * - URL injection attacks\n * - SSRF (Server-Side Request Forgery) attacks\n * - DNS rebinding attacks\n * - Host header injection\n * - Open redirect vulnerabilities\n */\n\nexport class SecurityError extends Error {\n  constructor(message: string, public readonly code?: string) {\n    super(message);\n    this.name = 'SecurityError';\n  }\n}\n\n/**\n * Validates port numbers for sandbox services\n * Only allows non-system ports to prevent conflicts and security issues\n */\nexport function validatePort(port: number): boolean {\n  // Must be a valid integer\n  if (!Number.isInteger(port)) {\n    return false;\n  }\n\n  // Only allow non-system ports (1024-65535)\n  if (port < 1024 || port > 65535) {\n    return false;\n  }\n\n  // Exclude ports reserved by our system\n  const reservedPorts = [\n    3000, // Control plane port\n    8787, // Common wrangler dev port\n  ];\n\n  if (reservedPorts.includes(port)) {\n    return false;\n  }\n\n  return true;\n}\n\n/**\n * Sanitizes and validates sandbox IDs for DNS compliance and security\n * Only enforces critical requirements - allows maximum developer flexibility\n */\nexport function sanitizeSandboxId(id: string): string {\n  // Basic validation: not empty, reasonable length limit (DNS subdomain limit is 63 chars)\n  if (!id || id.length > 63) {\n    throw new SecurityError(\n      'Sandbox ID must be 1-63 characters long.',\n      'INVALID_SANDBOX_ID_LENGTH'\n    );\n  }\n\n  // DNS compliance: cannot start or end with hyphens (RFC requirement)\n  if (id.startsWith('-') || id.endsWith('-')) {\n    throw new SecurityError(\n      'Sandbox ID cannot start or end with hyphens (DNS requirement).',\n      'INVALID_SANDBOX_ID_HYPHENS'\n    );\n  }\n\n  // Prevent reserved names that cause technical conflicts\n  const reservedNames = [\n    'www', 'api', 'admin', 'root', 'system',\n    'cloudflare', 'workers'\n  ];\n\n  const lowerCaseId = id.toLowerCase();\n  if (reservedNames.includes(lowerCaseId)) {\n    throw new SecurityError(\n      `Reserved sandbox ID '${id}' is not allowed.`,\n      'RESERVED_SANDBOX_ID'\n    );\n  }\n\n  return id;\n}\n\n\n/**\n * Logs security events for monitoring\n */\nexport function logSecurityEvent(\n  event: string,\n  details: Record<string, any>,\n  severity: 'low' | 'medium' | 'high' | 'critical' = 'medium'\n): void {\n  const logEntry = {\n    timestamp: new Date().toISOString(),\n    event,\n    severity,\n    ...details\n  };\n\n  switch (severity) {\n    case 'critical':\n    case 'high':\n      console.error(`[SECURITY:${severity.toUpperCase()}] ${event}:`, JSON.stringify(logEntry));\n      break;\n    case 'medium':\n      console.warn(`[SECURITY:${severity.toUpperCase()}] ${event}:`, JSON.stringify(logEntry));\n      break;\n    case 'low':\n      console.info(`[SECURITY:${severity.toUpperCase()}] ${event}:`, JSON.stringify(logEntry));\n      break;\n  }\n}\n"],"mappings":";AAWO,IAAM,gBAAN,cAA4B,MAAM;AAAA,EACvC,YAAY,SAAiC,MAAe;AAC1D,UAAM,OAAO;AAD8B;AAE3C,SAAK,OAAO;AAAA,EACd;AACF;AAMO,SAAS,aAAa,MAAuB;AAElD,MAAI,CAAC,OAAO,UAAU,IAAI,GAAG;AAC3B,WAAO;AAAA,EACT;AAGA,MAAI,OAAO,QAAQ,OAAO,OAAO;AAC/B,WAAO;AAAA,EACT;AAGA,QAAM,gBAAgB;AAAA,IACpB;AAAA;AAAA,IACA;AAAA;AAAA,EACF;AAEA,MAAI,cAAc,SAAS,IAAI,GAAG;AAChC,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAMO,SAAS,kBAAkB,IAAoB;AAEpD,MAAI,CAAC,MAAM,GAAG,SAAS,IAAI;AACzB,UAAM,IAAI;AAAA,MACR;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAGA,MAAI,GAAG,WAAW,GAAG,KAAK,GAAG,SAAS,GAAG,GAAG;AAC1C,UAAM,IAAI;AAAA,MACR;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAGA,QAAM,gBAAgB;AAAA,IACpB;AAAA,IAAO;AAAA,IAAO;AAAA,IAAS;AAAA,IAAQ;AAAA,IAC/B;AAAA,IAAc;AAAA,EAChB;AAEA,QAAM,cAAc,GAAG,YAAY;AACnC,MAAI,cAAc,SAAS,WAAW,GAAG;AACvC,UAAM,IAAI;AAAA,MACR,wBAAwB,EAAE;AAAA,MAC1B;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAMO,SAAS,iBACd,OACA,SACA,WAAmD,UAC7C;AACN,QAAM,WAAW;AAAA,IACf,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IAClC;AAAA,IACA;AAAA,IACA,GAAG;AAAA,EACL;AAEA,UAAQ,UAAU;AAAA,IAChB,KAAK;AAAA,IACL,KAAK;AACH,cAAQ,MAAM,aAAa,SAAS,YAAY,CAAC,KAAK,KAAK,KAAK,KAAK,UAAU,QAAQ,CAAC;AACxF;AAAA,IACF,KAAK;AACH,cAAQ,KAAK,aAAa,SAAS,YAAY,CAAC,KAAK,KAAK,KAAK,KAAK,UAAU,QAAQ,CAAC;AACvF;AAAA,IACF,KAAK;AACH,cAAQ,KAAK,aAAa,SAAS,YAAY,CAAC,KAAK,KAAK,KAAK,KAAK,UAAU,QAAQ,CAAC;AACvF;AAAA,EACJ;AACF;","names":[]}
+{"version":3,"sources":["../src/security.ts"],"sourcesContent":["/**\n * Security utilities for URL construction and input validation\n *\n * This module contains critical security functions to prevent:\n * - URL injection attacks\n * - SSRF (Server-Side Request Forgery) attacks\n * - DNS rebinding attacks\n * - Host header injection\n * - Open redirect vulnerabilities\n */\n\nexport class SecurityError extends Error {\n  constructor(message: string, public readonly code?: string) {\n    super(message);\n    this.name = 'SecurityError';\n  }\n}\n\n/**\n * Validates port numbers for sandbox services\n * Only allows non-system ports to prevent conflicts and security issues\n */\nexport function validatePort(port: number): boolean {\n  // Must be a valid integer\n  if (!Number.isInteger(port)) {\n    return false;\n  }\n\n  // Only allow non-system ports (1024-65535)\n  if (port < 1024 || port > 65535) {\n    return false;\n  }\n\n  // Exclude ports reserved by our system\n  const reservedPorts = [\n    3000, // Control plane port\n    8787, // Common wrangler dev port\n  ];\n\n  if (reservedPorts.includes(port)) {\n    return false;\n  }\n\n  return true;\n}\n\n/**\n * Sanitizes and validates sandbox IDs for DNS compliance and security\n * Only enforces critical requirements - allows maximum developer flexibility\n */\nexport function sanitizeSandboxId(id: string): string {\n  // Basic validation: not empty, reasonable length limit (DNS subdomain limit is 63 chars)\n  if (!id || id.length > 63) {\n    throw new SecurityError(\n      'Sandbox ID must be 1-63 characters long.',\n      'INVALID_SANDBOX_ID_LENGTH'\n    );\n  }\n\n  // DNS compliance: cannot start or end with hyphens (RFC requirement)\n  if (id.startsWith('-') || id.endsWith('-')) {\n    throw new SecurityError(\n      'Sandbox ID cannot start or end with hyphens (DNS requirement).',\n      'INVALID_SANDBOX_ID_HYPHENS'\n    );\n  }\n\n  // Prevent reserved names that cause technical conflicts\n  const reservedNames = [\n    'www', 'api', 'admin', 'root', 'system',\n    'cloudflare', 'workers'\n  ];\n\n  const lowerCaseId = id.toLowerCase();\n  if (reservedNames.includes(lowerCaseId)) {\n    throw new SecurityError(\n      `Reserved sandbox ID '${id}' is not allowed.`,\n      'RESERVED_SANDBOX_ID'\n    );\n  }\n\n  return id;\n}\n\n\n/**\n * Validates language for code interpreter\n * Only allows supported languages\n */\nexport function validateLanguage(language: string | undefined): void {\n  if (!language) {\n    return; // undefined is valid, will default to python\n  }\n\n  const supportedLanguages = ['python', 'python3', 'javascript', 'js', 'node', 'typescript', 'ts'];\n  const normalized = language.toLowerCase();\n\n  if (!supportedLanguages.includes(normalized)) {\n    throw new SecurityError(\n      `Unsupported language '${language}'. Supported languages: python, javascript, typescript`,\n      'INVALID_LANGUAGE'\n    );\n  }\n}\n"],"mappings":";AAWO,IAAM,gBAAN,cAA4B,MAAM;AAAA,EACvC,YAAY,SAAiC,MAAe;AAC1D,UAAM,OAAO;AAD8B;AAE3C,SAAK,OAAO;AAAA,EACd;AACF;AAMO,SAAS,aAAa,MAAuB;AAElD,MAAI,CAAC,OAAO,UAAU,IAAI,GAAG;AAC3B,WAAO;AAAA,EACT;AAGA,MAAI,OAAO,QAAQ,OAAO,OAAO;AAC/B,WAAO;AAAA,EACT;AAGA,QAAM,gBAAgB;AAAA,IACpB;AAAA;AAAA,IACA;AAAA;AAAA,EACF;AAEA,MAAI,cAAc,SAAS,IAAI,GAAG;AAChC,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAMO,SAAS,kBAAkB,IAAoB;AAEpD,MAAI,CAAC,MAAM,GAAG,SAAS,IAAI;AACzB,UAAM,IAAI;AAAA,MACR;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAGA,MAAI,GAAG,WAAW,GAAG,KAAK,GAAG,SAAS,GAAG,GAAG;AAC1C,UAAM,IAAI;AAAA,MACR;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAGA,QAAM,gBAAgB;AAAA,IACpB;AAAA,IAAO;AAAA,IAAO;AAAA,IAAS;AAAA,IAAQ;AAAA,IAC/B;AAAA,IAAc;AAAA,EAChB;AAEA,QAAM,cAAc,GAAG,YAAY;AACnC,MAAI,cAAc,SAAS,WAAW,GAAG;AACvC,UAAM,IAAI;AAAA,MACR,wBAAwB,EAAE;AAAA,MAC1B;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAOO,SAAS,iBAAiB,UAAoC;AACnE,MAAI,CAAC,UAAU;AACb;AAAA,EACF;AAEA,QAAM,qBAAqB,CAAC,UAAU,WAAW,cAAc,MAAM,QAAQ,cAAc,IAAI;AAC/F,QAAM,aAAa,SAAS,YAAY;AAExC,MAAI,CAAC,mBAAmB,SAAS,UAAU,GAAG;AAC5C,UAAM,IAAI;AAAA,MACR,yBAAyB,QAAQ;AAAA,MACjC;AAAA,IACF;AAAA,EACF;AACF;","names":[]}

package/dist/file-stream.d.ts

@@ -1,63 +1,41 @@
-import { FileChunk, FileMetadata } from './types.js';
-import './interpreter-types.js';
+import { FileChunk, FileMetadata } from '@repo/shared';
 
 /**
- * File streaming utilities for reading binary and text files
- * Provides simple AsyncIterable API over SSE stream with automatic base64 decoding
- */
-
-/**
- * Convert ReadableStream of SSE file events to AsyncIterable of file chunks
- * Automatically decodes base64 for binary files and provides metadata
+ * Stream a file from the sandbox with automatic base64 decoding for binary files
  *
- * @param stream - The SSE ReadableStream from readFileStream()
- * @param signal - Optional AbortSignal for cancellation
- * @returns AsyncIterable that yields file chunks (string for text, Uint8Array for binary)
+ * @param stream - The ReadableStream from readFileStream()
+ * @returns AsyncGenerator that yields FileChunk (string for text, Uint8Array for binary)
  *
  * @example
- * ```typescript
+ * ```ts
  * const stream = await sandbox.readFileStream('/path/to/file.png');
- *
  * for await (const chunk of streamFile(stream)) {
  *   if (chunk instanceof Uint8Array) {
- *     // Binary chunk - already decoded from base64
- *     console.log('Binary chunk:', chunk.byteLength, 'bytes');
+ *     // Binary chunk
+ *     console.log('Binary chunk:', chunk.length, 'bytes');
  *   } else {
  *     // Text chunk
  *     console.log('Text chunk:', chunk);
  *   }
  * }
- *
- * // Access metadata
- * const iter = streamFile(stream);
- * for await (const chunk of iter) {
- *   console.log('MIME type:', iter.metadata?.mimeType);
- *   // process chunk...
- * }
  * ```
  */
-declare function streamFile(stream: ReadableStream<Uint8Array>, signal?: AbortSignal): AsyncGenerator<FileChunk, void, undefined>;
+declare function streamFile(stream: ReadableStream<Uint8Array>): AsyncGenerator<FileChunk, FileMetadata>;
 /**
- * Helper to collect entire file from stream into memory
- * Useful for smaller files where you want the complete content at once
+ * Collect an entire file into memory from a stream
  *
- * @param stream - The SSE ReadableStream from readFileStream()
- * @param signal - Optional AbortSignal for cancellation
- * @returns Object with content (string or Uint8Array) and metadata
+ * @param stream - The ReadableStream from readFileStream()
+ * @returns Object containing the file content and metadata
  *
  * @example
- * ```typescript
- * const stream = await sandbox.readFileStream('/path/to/image.png');
+ * ```ts
+ * const stream = await sandbox.readFileStream('/path/to/file.txt');
  * const { content, metadata } = await collectFile(stream);
- *
- * if (content instanceof Uint8Array) {
- *   console.log('Binary file:', metadata.mimeType, content.byteLength, 'bytes');
- * } else {
- *   console.log('Text file:', metadata.mimeType, content.length, 'chars');
- * }
+ * console.log('Content:', content);
+ * console.log('MIME type:', metadata.mimeType);
  * ```
  */
-declare function collectFile(stream: ReadableStream<Uint8Array>, signal?: AbortSignal): Promise<{
+declare function collectFile(stream: ReadableStream<Uint8Array>): Promise<{
     content: string | Uint8Array;
     metadata: FileMetadata;
 }>;

package/dist/file-stream.js

@@ -1,8 +1,7 @@
 import {
   collectFile,
   streamFile
-} from "./chunk-5DILEXGY.js";
-import "./chunk-NNGBXDMY.js";
+} from "./chunk-BFVUNTP4.js";
 export {
   collectFile,
   streamFile

package/dist/index.d.ts

@@ -1,8 +1,9 @@
-export { CodeExecutionError, ContainerNotReadyError, ContextNotFoundError, InterpreterNotReadyError, InterpreterNotReadyError as JupyterNotReadyError, SandboxError, SandboxErrorResponse, SandboxNetworkError, ServiceUnavailableError, isInterpreterNotReadyError, isInterpreterNotReadyError as isJupyterNotReadyError, isRetryableError, isSandboxError, parseErrorResponse } from './errors.js';
-export { ChartData, CodeContext, CreateContextOptions, Execution, ExecutionError, OutputMessage, Result, ResultImpl, RunCodeOptions } from './interpreter-types.js';
+export { B as BaseApiResponse, C as CommandClient, f as CommandExecuteResponse, c as CommandsResponse, d as ContainerStub, E as ErrorResponse, e as ExecuteRequest, p as ExecutionCallbacks, h as ExposePortRequest, F as FileClient, i as FileOperationRequest, j as GitCheckoutRequest, G as GitClient, I as InterpreterClient, M as MkdirRequest, k as PingResponse, P as PortClient, a as ProcessClient, R as ReadFileRequest, l as RequestConfig, m as ResponseHandler, b as Sandbox, S as SandboxClient, H as SandboxClientOptions, n as SessionRequest, o as UnexposePortRequest, U as UtilityClient, W as WriteFileRequest, g as getSandbox } from './sandbox-D9K2ypln.js';
+export * from '@repo/shared';
+export { BaseExecOptions, ExecEvent, ExecOptions, ExecResult, FileChunk, FileMetadata, FileStreamEvent, GitCheckoutResult, ISandbox, LogEvent, PortCloseResult, PortExposeResult, PortListResult, Process, ProcessCleanupResult, ProcessInfoResult, ProcessKillResult, ProcessListResult, ProcessLogsResult, ProcessOptions, ProcessStartResult, ProcessStatus, StartProcessRequest, StreamOptions, isExecResult, isProcess, isProcessStatus } from '@repo/shared';
+export { collectFile, streamFile } from './file-stream.js';
+export { CodeInterpreter } from './interpreter.js';
 export { RouteInfo, SandboxEnv, proxyToSandbox } from './request-handler.js';
-export { S as Sandbox, g as getSandbox } from './client-B3RUab0s.js';
 export { asyncIterableToSSEStream, parseSSEStream, responseToAsyncIterable } from './sse-parser.js';
-export { collectFile, streamFile } from './file-stream.js';
-export { DeleteFileResponse, ExecEvent, ExecOptions, ExecResult, ExecuteResponse, ExecutionSession, FileChunk, FileMetadata, FileStream, FileStreamEvent, GitCheckoutResponse, ISandbox, ListFilesResponse, LogEvent, MkdirResponse, MoveFileResponse, Process, ProcessOptions, ProcessStatus, ReadFileResponse, RenameFileResponse, StreamOptions, WriteFileResponse } from './types.js';
+import 'cloudflare:workers';
 import '@cloudflare/containers';

package/dist/index.js

@@ -1,59 +1,66 @@
 import {
   collectFile,
   streamFile
-} from "./chunk-5DILEXGY.js";
-import {
-  asyncIterableToSSEStream,
-  parseSSEStream,
-  responseToAsyncIterable
-} from "./chunk-NNGBXDMY.js";
+} from "./chunk-BFVUNTP4.js";
 import {
+  CommandClient,
+  FileClient,
+  GitClient,
+  PortClient,
+  ProcessClient,
   Sandbox,
+  SandboxClient,
+  UtilityClient,
   getSandbox,
   proxyToSandbox
-} from "./chunk-SQLJNZ3K.js";
-import "./chunk-6UAWTJ5S.js";
-import "./chunk-D3U63BZP.js";
-import "./chunk-32UDXUPC.js";
+} from "./chunk-53JFOF7F.js";
 import {
-  CodeExecutionError,
-  ContainerNotReadyError,
-  ContextNotFoundError,
-  InterpreterNotReadyError,
-  SandboxError,
-  SandboxNetworkError,
-  ServiceUnavailableError,
-  isInterpreterNotReadyError,
-  isRetryableError,
-  isSandboxError,
-  parseErrorResponse
-} from "./chunk-FXYPFGOZ.js";
-import "./chunk-JTKON2SH.js";
+  CodeInterpreter,
+  Execution,
+  LogLevel,
+  ResultImpl,
+  TraceContext,
+  createLogger,
+  createNoOpLogger,
+  getLogger,
+  isExecResult,
+  isProcess,
+  isProcessStatus,
+  runWithLogger
+} from "./chunk-JXZMAU2C.js";
+import "./chunk-Z532A7QC.js";
 import {
-  ResultImpl
-} from "./chunk-W7TVRPBG.js";
+  asyncIterableToSSEStream,
+  parseSSEStream,
+  responseToAsyncIterable
+} from "./chunk-EKSWCBCA.js";
 export {
-  CodeExecutionError,
-  ContainerNotReadyError,
-  ContextNotFoundError,
-  InterpreterNotReadyError,
-  InterpreterNotReadyError as JupyterNotReadyError,
+  CodeInterpreter,
+  CommandClient,
+  Execution,
+  FileClient,
+  GitClient,
+  LogLevel as LogLevelEnum,
+  PortClient,
+  ProcessClient,
   ResultImpl,
   Sandbox,
-  SandboxError,
-  SandboxNetworkError,
-  ServiceUnavailableError,
+  SandboxClient,
+  TraceContext,
+  UtilityClient,
   asyncIterableToSSEStream,
   collectFile,
+  createLogger,
+  createNoOpLogger,
+  getLogger,
   getSandbox,
-  isInterpreterNotReadyError,
-  isInterpreterNotReadyError as isJupyterNotReadyError,
-  isRetryableError,
-  isSandboxError,
-  parseErrorResponse,
+  isExecResult,
+  isProcess,
+  isProcessStatus,
   parseSSEStream,
   proxyToSandbox,
   responseToAsyncIterable,
+  runWithLogger,
   streamFile
 };
 //# sourceMappingURL=index.js.map

package/dist/interpreter.d.ts

@@ -1,6 +1,6 @@
-import { CreateContextOptions, CodeContext, RunCodeOptions, Execution } from './interpreter-types.js';
-import { S as Sandbox } from './client-B3RUab0s.js';
-import './types.js';
+import { CreateContextOptions, CodeContext, RunCodeOptions, Execution } from '@repo/shared';
+import { b as Sandbox } from './sandbox-D9K2ypln.js';
+import 'cloudflare:workers';
 import '@cloudflare/containers';
 
 declare class CodeInterpreter {

package/dist/interpreter.js

@@ -1,7 +1,7 @@
 import {
   CodeInterpreter
-} from "./chunk-JTKON2SH.js";
-import "./chunk-W7TVRPBG.js";
+} from "./chunk-JXZMAU2C.js";
+import "./chunk-Z532A7QC.js";
 export {
   CodeInterpreter
 };

package/dist/request-handler.d.ts

@@ -1,6 +1,6 @@
-import { S as Sandbox } from './client-B3RUab0s.js';
-import './types.js';
-import './interpreter-types.js';
+import { b as Sandbox } from './sandbox-D9K2ypln.js';
+import '@repo/shared';
+import 'cloudflare:workers';
 import '@cloudflare/containers';
 
 interface SandboxEnv {
@@ -10,6 +10,7 @@ interface RouteInfo {
     port: number;
     sandboxId: string;
     path: string;
+    token: string;
 }
 declare function proxyToSandbox<E extends SandboxEnv>(request: Request, env: E): Promise<Response | null>;
 declare function isLocalhostPattern(hostname: string): boolean;

package/dist/request-handler.js

@@ -1,13 +1,10 @@
 import {
   isLocalhostPattern,
   proxyToSandbox
-} from "./chunk-SQLJNZ3K.js";
-import "./chunk-6UAWTJ5S.js";
-import "./chunk-D3U63BZP.js";
-import "./chunk-32UDXUPC.js";
-import "./chunk-FXYPFGOZ.js";
-import "./chunk-JTKON2SH.js";
-import "./chunk-W7TVRPBG.js";
+} from "./chunk-53JFOF7F.js";
+import "./chunk-JXZMAU2C.js";
+import "./chunk-Z532A7QC.js";
+import "./chunk-EKSWCBCA.js";
 export {
   isLocalhostPattern,
   proxyToSandbox