@cloudflare/sandbox 0.5.1 → 0.5.3

package/dist/index.js

@@ -1,667 +1,6 @@
-import { AsyncLocalStorage } from "node:async_hooks";
+import { a as createLogger, c as Execution, d as getEnvString, i as shellEscape, l as ResultImpl, n as isProcess, o as createNoOpLogger, r as isProcessStatus, s as TraceContext, t as isExecResult, u as GitLogger } from "./dist-gVyG2H2h.js";
 import { Container, getContainer, switchPort } from "@cloudflare/containers";
 
-//#region ../shared/dist/env.js
-/**
-* Safely extract a string value from an environment object
-*
-* @param env - Environment object with dynamic keys
-* @param key - The environment variable key to access
-* @returns The string value if present and is a string, undefined otherwise
-*/
-function getEnvString(env, key) {
-	const value = env?.[key];
-	return typeof value === "string" ? value : void 0;
-}
-
-//#endregion
-//#region ../shared/dist/git.js
-/**
-* Redact credentials from URLs for secure logging
-*
-* Replaces any credentials (username:password, tokens, etc.) embedded
-* in URLs with ****** to prevent sensitive data exposure in logs.
-* Works with URLs embedded in text (e.g., "Error: https://token@github.com/repo.git failed")
-*
-* @param text - String that may contain URLs with credentials
-* @returns String with credentials redacted from any URLs
-*/
-function redactCredentials(text) {
-	let result = text;
-	let pos = 0;
-	while (pos < result.length) {
-		const httpPos = result.indexOf("http://", pos);
-		const httpsPos = result.indexOf("https://", pos);
-		let protocolPos = -1;
-		let protocolLen = 0;
-		if (httpPos === -1 && httpsPos === -1) break;
-		if (httpPos !== -1 && (httpsPos === -1 || httpPos < httpsPos)) {
-			protocolPos = httpPos;
-			protocolLen = 7;
-		} else {
-			protocolPos = httpsPos;
-			protocolLen = 8;
-		}
-		const searchStart = protocolPos + protocolLen;
-		const atPos = result.indexOf("@", searchStart);
-		let urlEnd = searchStart;
-		while (urlEnd < result.length) {
-			const char = result[urlEnd];
-			if (/[\s"'`<>,;{}[\]]/.test(char)) break;
-			urlEnd++;
-		}
-		if (atPos !== -1 && atPos < urlEnd) {
-			result = `${result.substring(0, searchStart)}******${result.substring(atPos)}`;
-			pos = searchStart + 6;
-		} else pos = protocolPos + protocolLen;
-	}
-	return result;
-}
-/**
-* Sanitize data by redacting credentials from any strings
-* Recursively processes objects and arrays to ensure credentials are never leaked
-*/
-function sanitizeGitData(data) {
-	if (typeof data === "string") return redactCredentials(data);
-	if (data === null || data === void 0) return data;
-	if (Array.isArray(data)) return data.map((item) => sanitizeGitData(item));
-	if (typeof data === "object") {
-		const result = {};
-		for (const [key, value] of Object.entries(data)) result[key] = sanitizeGitData(value);
-		return result;
-	}
-	return data;
-}
-/**
-* Logger wrapper that automatically sanitizes git credentials
-*/
-var GitLogger = class GitLogger {
-	baseLogger;
-	constructor(baseLogger) {
-		this.baseLogger = baseLogger;
-	}
-	sanitizeContext(context) {
-		return context ? sanitizeGitData(context) : context;
-	}
-	sanitizeError(error) {
-		if (!error) return error;
-		const sanitized = new Error(redactCredentials(error.message));
-		sanitized.name = error.name;
-		if (error.stack) sanitized.stack = redactCredentials(error.stack);
-		const sanitizedRecord = sanitized;
-		const errorRecord = error;
-		for (const key of Object.keys(error)) if (key !== "message" && key !== "stack" && key !== "name") sanitizedRecord[key] = sanitizeGitData(errorRecord[key]);
-		return sanitized;
-	}
-	debug(message, context) {
-		this.baseLogger.debug(message, this.sanitizeContext(context));
-	}
-	info(message, context) {
-		this.baseLogger.info(message, this.sanitizeContext(context));
-	}
-	warn(message, context) {
-		this.baseLogger.warn(message, this.sanitizeContext(context));
-	}
-	error(message, error, context) {
-		this.baseLogger.error(message, this.sanitizeError(error), this.sanitizeContext(context));
-	}
-	child(context) {
-		const sanitized = sanitizeGitData(context);
-		return new GitLogger(this.baseLogger.child(sanitized));
-	}
-};
-
-//#endregion
-//#region ../shared/dist/interpreter-types.js
-var Execution = class {
-	code;
-	context;
-	/**
-	* All results from the execution
-	*/
-	results = [];
-	/**
-	* Accumulated stdout and stderr
-	*/
-	logs = {
-		stdout: [],
-		stderr: []
-	};
-	/**
-	* Execution error if any
-	*/
-	error;
-	/**
-	* Execution count (for interpreter)
-	*/
-	executionCount;
-	constructor(code, context) {
-		this.code = code;
-		this.context = context;
-	}
-	/**
-	* Convert to a plain object for serialization
-	*/
-	toJSON() {
-		return {
-			code: this.code,
-			logs: this.logs,
-			error: this.error,
-			executionCount: this.executionCount,
-			results: this.results.map((result) => ({
-				text: result.text,
-				html: result.html,
-				png: result.png,
-				jpeg: result.jpeg,
-				svg: result.svg,
-				latex: result.latex,
-				markdown: result.markdown,
-				javascript: result.javascript,
-				json: result.json,
-				chart: result.chart,
-				data: result.data
-			}))
-		};
-	}
-};
-var ResultImpl = class {
-	raw;
-	constructor(raw) {
-		this.raw = raw;
-	}
-	get text() {
-		return this.raw.text || this.raw.data?.["text/plain"];
-	}
-	get html() {
-		return this.raw.html || this.raw.data?.["text/html"];
-	}
-	get png() {
-		return this.raw.png || this.raw.data?.["image/png"];
-	}
-	get jpeg() {
-		return this.raw.jpeg || this.raw.data?.["image/jpeg"];
-	}
-	get svg() {
-		return this.raw.svg || this.raw.data?.["image/svg+xml"];
-	}
-	get latex() {
-		return this.raw.latex || this.raw.data?.["text/latex"];
-	}
-	get markdown() {
-		return this.raw.markdown || this.raw.data?.["text/markdown"];
-	}
-	get javascript() {
-		return this.raw.javascript || this.raw.data?.["application/javascript"];
-	}
-	get json() {
-		return this.raw.json || this.raw.data?.["application/json"];
-	}
-	get chart() {
-		return this.raw.chart;
-	}
-	get data() {
-		return this.raw.data;
-	}
-	formats() {
-		const formats = [];
-		if (this.text) formats.push("text");
-		if (this.html) formats.push("html");
-		if (this.png) formats.push("png");
-		if (this.jpeg) formats.push("jpeg");
-		if (this.svg) formats.push("svg");
-		if (this.latex) formats.push("latex");
-		if (this.markdown) formats.push("markdown");
-		if (this.javascript) formats.push("javascript");
-		if (this.json) formats.push("json");
-		if (this.chart) formats.push("chart");
-		return formats;
-	}
-};
-
-//#endregion
-//#region ../shared/dist/logger/types.js
-/**
-* Logger types for Cloudflare Sandbox SDK
-*
-* Provides structured, trace-aware logging across Worker, Durable Object, and Container.
-*/
-/**
-* Log levels (from most to least verbose)
-*/
-var LogLevel;
-(function(LogLevel$1) {
-	LogLevel$1[LogLevel$1["DEBUG"] = 0] = "DEBUG";
-	LogLevel$1[LogLevel$1["INFO"] = 1] = "INFO";
-	LogLevel$1[LogLevel$1["WARN"] = 2] = "WARN";
-	LogLevel$1[LogLevel$1["ERROR"] = 3] = "ERROR";
-})(LogLevel || (LogLevel = {}));
-
-//#endregion
-//#region ../shared/dist/logger/logger.js
-/**
-* Logger implementation
-*/
-/**
-* ANSI color codes for terminal output
-*/
-const COLORS = {
-	reset: "\x1B[0m",
-	debug: "\x1B[36m",
-	info: "\x1B[32m",
-	warn: "\x1B[33m",
-	error: "\x1B[31m",
-	dim: "\x1B[2m"
-};
-/**
-* CloudflareLogger implements structured logging with support for
-* both JSON output (production) and pretty printing (development).
-*/
-var CloudflareLogger = class CloudflareLogger {
-	baseContext;
-	minLevel;
-	pretty;
-	/**
-	* Create a new CloudflareLogger
-	*
-	* @param baseContext Base context included in all log entries
-	* @param minLevel Minimum log level to output (default: INFO)
-	* @param pretty Enable pretty printing for human-readable output (default: false)
-	*/
-	constructor(baseContext, minLevel = LogLevel.INFO, pretty = false) {
-		this.baseContext = baseContext;
-		this.minLevel = minLevel;
-		this.pretty = pretty;
-	}
-	/**
-	* Log debug-level message
-	*/
-	debug(message, context) {
-		if (this.shouldLog(LogLevel.DEBUG)) {
-			const logData = this.buildLogData("debug", message, context);
-			this.output(console.log, logData);
-		}
-	}
-	/**
-	* Log info-level message
-	*/
-	info(message, context) {
-		if (this.shouldLog(LogLevel.INFO)) {
-			const logData = this.buildLogData("info", message, context);
-			this.output(console.log, logData);
-		}
-	}
-	/**
-	* Log warning-level message
-	*/
-	warn(message, context) {
-		if (this.shouldLog(LogLevel.WARN)) {
-			const logData = this.buildLogData("warn", message, context);
-			this.output(console.warn, logData);
-		}
-	}
-	/**
-	* Log error-level message
-	*/
-	error(message, error, context) {
-		if (this.shouldLog(LogLevel.ERROR)) {
-			const logData = this.buildLogData("error", message, context, error);
-			this.output(console.error, logData);
-		}
-	}
-	/**
-	* Create a child logger with additional context
-	*/
-	child(context) {
-		return new CloudflareLogger({
-			...this.baseContext,
-			...context
-		}, this.minLevel, this.pretty);
-	}
-	/**
-	* Check if a log level should be output
-	*/
-	shouldLog(level) {
-		return level >= this.minLevel;
-	}
-	/**
-	* Build log data object
-	*/
-	buildLogData(level, message, context, error) {
-		const logData = {
-			level,
-			msg: message,
-			...this.baseContext,
-			...context,
-			timestamp: (/* @__PURE__ */ new Date()).toISOString()
-		};
-		if (error) logData.error = {
-			message: error.message,
-			stack: error.stack,
-			name: error.name
-		};
-		return logData;
-	}
-	/**
-	* Output log data to console (pretty or JSON)
-	*/
-	output(consoleFn, data) {
-		if (this.pretty) this.outputPretty(consoleFn, data);
-		else this.outputJson(consoleFn, data);
-	}
-	/**
-	* Output as JSON (production)
-	*/
-	outputJson(consoleFn, data) {
-		consoleFn(JSON.stringify(data));
-	}
-	/**
-	* Output as pretty-printed, colored text (development)
-	*
-	* Format: LEVEL [component] message (trace: tr_...) {context}
-	* Example: INFO [sandbox-do] Command started (trace: tr_7f3a9b2c) {commandId: "cmd-123"}
-	*/
-	outputPretty(consoleFn, data) {
-		const { level, msg, timestamp, traceId, component, sandboxId, sessionId, processId, commandId, operation, duration, error, ...rest } = data;
-		const levelStr = String(level || "INFO").toUpperCase();
-		const levelColor = this.getLevelColor(levelStr);
-		const componentBadge = component ? `[${component}]` : "";
-		const traceIdShort = traceId ? String(traceId).substring(0, 12) : "";
-		let logLine = `${levelColor}${levelStr.padEnd(5)}${COLORS.reset} ${componentBadge} ${msg}`;
-		if (traceIdShort) logLine += ` ${COLORS.dim}(trace: ${traceIdShort})${COLORS.reset}`;
-		const contextFields = [];
-		if (operation) contextFields.push(`operation: ${operation}`);
-		if (commandId) contextFields.push(`commandId: ${String(commandId).substring(0, 12)}`);
-		if (sandboxId) contextFields.push(`sandboxId: ${sandboxId}`);
-		if (sessionId) contextFields.push(`sessionId: ${String(sessionId).substring(0, 12)}`);
-		if (processId) contextFields.push(`processId: ${processId}`);
-		if (duration !== void 0) contextFields.push(`duration: ${duration}ms`);
-		if (contextFields.length > 0) logLine += ` ${COLORS.dim}{${contextFields.join(", ")}}${COLORS.reset}`;
-		consoleFn(logLine);
-		if (error && typeof error === "object") {
-			const errorObj = error;
-			if (errorObj.message) consoleFn(`  ${COLORS.error}Error: ${errorObj.message}${COLORS.reset}`);
-			if (errorObj.stack) consoleFn(`  ${COLORS.dim}${errorObj.stack}${COLORS.reset}`);
-		}
-		if (Object.keys(rest).length > 0) consoleFn(`  ${COLORS.dim}${JSON.stringify(rest, null, 2)}${COLORS.reset}`);
-	}
-	/**
-	* Get ANSI color code for log level
-	*/
-	getLevelColor(level) {
-		switch (level.toLowerCase()) {
-			case "debug": return COLORS.debug;
-			case "info": return COLORS.info;
-			case "warn": return COLORS.warn;
-			case "error": return COLORS.error;
-			default: return COLORS.reset;
-		}
-	}
-};
-
-//#endregion
-//#region ../shared/dist/logger/trace-context.js
-/**
-* Trace context utilities for request correlation
-*
-* Trace IDs enable correlating logs across distributed components:
-* Worker → Durable Object → Container → back
-*
-* The trace ID is propagated via the X-Trace-Id HTTP header.
-*/
-/**
-* Utility for managing trace context across distributed components
-*/
-var TraceContext = class TraceContext {
-	/**
-	* HTTP header name for trace ID propagation
-	*/
-	static TRACE_HEADER = "X-Trace-Id";
-	/**
-	* Generate a new trace ID
-	*
-	* Format: "tr_" + 16 random hex characters
-	* Example: "tr_7f3a9b2c4e5d6f1a"
-	*
-	* @returns Newly generated trace ID
-	*/
-	static generate() {
-		return `tr_${crypto.randomUUID().replace(/-/g, "").substring(0, 16)}`;
-	}
-	/**
-	* Extract trace ID from HTTP request headers
-	*
-	* @param headers Request headers
-	* @returns Trace ID if present, null otherwise
-	*/
-	static fromHeaders(headers) {
-		return headers.get(TraceContext.TRACE_HEADER);
-	}
-	/**
-	* Create headers object with trace ID for outgoing requests
-	*
-	* @param traceId Trace ID to include
-	* @returns Headers object with X-Trace-Id set
-	*/
-	static toHeaders(traceId) {
-		return { [TraceContext.TRACE_HEADER]: traceId };
-	}
-	/**
-	* Get the header name used for trace ID propagation
-	*
-	* @returns Header name ("X-Trace-Id")
-	*/
-	static getHeaderName() {
-		return TraceContext.TRACE_HEADER;
-	}
-};
-
-//#endregion
-//#region ../shared/dist/logger/index.js
-/**
-* Logger module
-*
-* Provides structured, trace-aware logging with:
-* - AsyncLocalStorage for implicit context propagation
-* - Pretty printing for local development
-* - JSON output for production
-* - Environment auto-detection
-* - Log level configuration
-*
-* Usage:
-*
-* ```typescript
-* // Create a logger at entry point
-* const logger = createLogger({ component: 'sandbox-do', traceId: 'tr_abc123' });
-*
-* // Store in AsyncLocalStorage for entire request
-* await runWithLogger(logger, async () => {
-*   await handleRequest();
-* });
-*
-* // Retrieve logger anywhere in call stack
-* const logger = getLogger();
-* logger.info('Operation started');
-*
-* // Add operation-specific context
-* const execLogger = logger.child({ operation: 'exec', commandId: 'cmd-456' });
-* await runWithLogger(execLogger, async () => {
-*   // All nested calls automatically get execLogger
-*   await executeCommand();
-* });
-* ```
-*/
-/**
-* Create a no-op logger for testing
-*
-* Returns a logger that implements the Logger interface but does nothing.
-* Useful for tests that don't need actual logging output.
-*
-* @returns No-op logger instance
-*
-* @example
-* ```typescript
-* // In tests
-* const client = new HttpClient({
-*   baseUrl: 'http://test.com',
-*   logger: createNoOpLogger() // Optional - tests can enable real logging if needed
-* });
-* ```
-*/
-function createNoOpLogger() {
-	return {
-		debug: () => {},
-		info: () => {},
-		warn: () => {},
-		error: () => {},
-		child: () => createNoOpLogger()
-	};
-}
-/**
-* AsyncLocalStorage for logger context
-*
-* Enables implicit logger propagation throughout the call stack without
-* explicit parameter passing. The logger is stored per async context.
-*/
-const loggerStorage = new AsyncLocalStorage();
-/**
-* Run a function with a logger stored in AsyncLocalStorage
-*
-* The logger is available to all code within the function via getLogger().
-* This is typically called at request entry points (fetch handler) and when
-* creating child loggers with additional context.
-*
-* @param logger Logger instance to store in context
-* @param fn Function to execute with logger context
-* @returns Result of the function
-*
-* @example
-* ```typescript
-* // At request entry point
-* async fetch(request: Request): Promise<Response> {
-*   const logger = createLogger({ component: 'sandbox-do', traceId: 'tr_abc' });
-*   return runWithLogger(logger, async () => {
-*     return await this.handleRequest(request);
-*   });
-* }
-*
-* // When adding operation context
-* async exec(command: string) {
-*   const logger = getLogger().child({ operation: 'exec', commandId: 'cmd-123' });
-*   return runWithLogger(logger, async () => {
-*     logger.info('Command started');
-*     await this.executeCommand(command); // Nested calls get the child logger
-*     logger.info('Command completed');
-*   });
-* }
-* ```
-*/
-function runWithLogger(logger, fn) {
-	return loggerStorage.run(logger, fn);
-}
-/**
-* Create a new logger instance
-*
-* @param context Base context for the logger. Must include 'component'.
-*                TraceId will be auto-generated if not provided.
-* @returns New logger instance
-*
-* @example
-* ```typescript
-* // In Durable Object
-* const logger = createLogger({
-*   component: 'sandbox-do',
-*   traceId: TraceContext.fromHeaders(request.headers) || TraceContext.generate(),
-*   sandboxId: this.id
-* });
-*
-* // In Container
-* const logger = createLogger({
-*   component: 'container',
-*   traceId: TraceContext.fromHeaders(request.headers)!,
-*   sessionId: this.id
-* });
-* ```
-*/
-function createLogger(context) {
-	const minLevel = getLogLevelFromEnv();
-	const pretty = isPrettyPrintEnabled();
-	return new CloudflareLogger({
-		...context,
-		traceId: context.traceId || TraceContext.generate(),
-		component: context.component
-	}, minLevel, pretty);
-}
-/**
-* Get log level from environment variable
-*
-* Checks SANDBOX_LOG_LEVEL env var, falls back to default based on environment.
-* Default: 'debug' for development, 'info' for production
-*/
-function getLogLevelFromEnv() {
-	switch ((getEnvVar("SANDBOX_LOG_LEVEL") || "info").toLowerCase()) {
-		case "debug": return LogLevel.DEBUG;
-		case "info": return LogLevel.INFO;
-		case "warn": return LogLevel.WARN;
-		case "error": return LogLevel.ERROR;
-		default: return LogLevel.INFO;
-	}
-}
-/**
-* Check if pretty printing should be enabled
-*
-* Checks SANDBOX_LOG_FORMAT env var, falls back to auto-detection:
-* - Local development: pretty (colored, human-readable)
-* - Production: json (structured)
-*/
-function isPrettyPrintEnabled() {
-	const format = getEnvVar("SANDBOX_LOG_FORMAT");
-	if (format) return format.toLowerCase() === "pretty";
-	return false;
-}
-/**
-* Get environment variable value
-*
-* Supports both Node.js (process.env) and Bun (Bun.env)
-*/
-function getEnvVar(name) {
-	if (typeof process !== "undefined" && process.env) return process.env[name];
-	if (typeof Bun !== "undefined") {
-		const bunEnv = Bun.env;
-		if (bunEnv) return bunEnv[name];
-	}
-}
-
-//#endregion
-//#region ../shared/dist/shell-escape.js
-/**
-* Escapes a string for safe use in shell commands using POSIX single-quote escaping.
-* Prevents command injection by wrapping the string in single quotes and escaping
-* any single quotes within the string.
-*/
-function shellEscape(str) {
-	return `'${str.replace(/'/g, "'\\''")}'`;
-}
-
-//#endregion
-//#region ../shared/dist/types.js
-function isExecResult(value) {
-	return value && typeof value.success === "boolean" && typeof value.exitCode === "number" && typeof value.stdout === "string" && typeof value.stderr === "string";
-}
-function isProcess(value) {
-	return value && typeof value.id === "string" && typeof value.command === "string" && typeof value.status === "string";
-}
-function isProcessStatus(value) {
-	return [
-		"starting",
-		"running",
-		"completed",
-		"failed",
-		"killed",
-		"error"
-	].includes(value);
-}
-
-//#endregion
 //#region ../shared/dist/errors/codes.js
 /**
 * Centralized error code registry
@@ -1495,13 +834,17 @@ var CommandClient = class extends BaseHttpClient {
 	* @param command - The command to execute
 	* @param sessionId - The session ID for this command execution
 	* @param timeoutMs - Optional timeout in milliseconds (unlimited by default)
+	* @param env - Optional environment variables for this command
+	* @param cwd - Optional working directory for this command
 	*/
-	async execute(command, sessionId, timeoutMs) {
+	async execute(command, sessionId, options) {
 		try {
 			const data = {
 				command,
 				sessionId,
-				...timeoutMs !== void 0 && { timeoutMs }
+				...options?.timeoutMs !== void 0 && { timeoutMs: options.timeoutMs },
+				...options?.env !== void 0 && { env: options.env },
+				...options?.cwd !== void 0 && { cwd: options.cwd }
 			};
 			const response = await this.post("/api/execute", data);
 			this.logSuccess("Command executed", `${command}, Success: ${response.success}`);
@@ -1517,12 +860,16 @@ var CommandClient = class extends BaseHttpClient {
 	* Execute a command and return a stream of events
 	* @param command - The command to execute
 	* @param sessionId - The session ID for this command execution
+	* @param options - Optional per-command execution settings
 	*/
-	async executeStream(command, sessionId) {
+	async executeStream(command, sessionId, options) {
 		try {
 			const data = {
 				command,
-				sessionId
+				sessionId,
+				...options?.timeoutMs !== void 0 && { timeoutMs: options.timeoutMs },
+				...options?.env !== void 0 && { env: options.env },
+				...options?.cwd !== void 0 && { cwd: options.cwd }
 			};
 			const response = await this.doFetch("/api/execute/stream", {
 				method: "POST",
@@ -2038,7 +1385,12 @@ var ProcessClient = class extends BaseHttpClient {
 			const data = {
 				command,
 				sessionId,
-				processId: options?.processId
+				...options?.processId !== void 0 && { processId: options.processId },
+				...options?.timeoutMs !== void 0 && { timeoutMs: options.timeoutMs },
+				...options?.env !== void 0 && { env: options.env },
+				...options?.cwd !== void 0 && { cwd: options.cwd },
+				...options?.encoding !== void 0 && { encoding: options.encoding },
+				...options?.autoCleanup !== void 0 && { autoCleanup: options.autoCleanup }
 			};
 			const response = await this.post("/api/process/start", data);
 			this.logSuccess("Process started", `${command} (ID: ${response.processId})`);
@@ -2703,7 +2055,7 @@ function resolveS3fsOptions(provider, userOptions) {
 * This file is auto-updated by .github/changeset-version.ts during releases
 * DO NOT EDIT MANUALLY - Changes will be overwritten on the next version bump
 */
-const SDK_VERSION = "0.5.1";
+const SDK_VERSION = "0.5.3";
 
 //#endregion
 //#region src/sandbox.ts
@@ -3028,8 +2380,12 @@ var Sandbox = class extends Container {
 			this.logger.debug("Version compatibility check encountered an error", { error: error instanceof Error ? error.message : String(error) });
 		}
 	}
-	onStop() {
+	async onStop() {
 		this.logger.debug("Sandbox stopped");
+		this.portTokens.clear();
+		this.defaultSession = null;
+		this.activeMounts.clear();
+		await Promise.all([this.ctx.storage.delete("portTokens"), this.ctx.storage.delete("defaultSession")]);
 	}
 	onError(error) {
 		this.logger.error("Sandbox error", error instanceof Error ? error : new Error(String(error)));
@@ -3109,28 +2465,26 @@ var Sandbox = class extends Container {
 			traceId,
 			operation: "fetch"
 		});
-		return await runWithLogger(requestLogger, async () => {
-			const url = new URL(request.url);
-			if (!this.sandboxName && request.headers.has("X-Sandbox-Name")) {
-				const name = request.headers.get("X-Sandbox-Name");
-				this.sandboxName = name;
-				await this.ctx.storage.put("sandboxName", name);
-			}
-			const upgradeHeader = request.headers.get("Upgrade");
-			const connectionHeader = request.headers.get("Connection");
-			if (upgradeHeader?.toLowerCase() === "websocket" && connectionHeader?.toLowerCase().includes("upgrade")) try {
-				requestLogger.debug("WebSocket upgrade requested", {
-					path: url.pathname,
-					port: this.determinePort(url)
-				});
-				return await super.fetch(request);
-			} catch (error) {
-				requestLogger.error("WebSocket connection failed", error instanceof Error ? error : new Error(String(error)), { path: url.pathname });
-				throw error;
-			}
-			const port = this.determinePort(url);
-			return await this.containerFetch(request, port);
-		});
+		const url = new URL(request.url);
+		if (!this.sandboxName && request.headers.has("X-Sandbox-Name")) {
+			const name = request.headers.get("X-Sandbox-Name");
+			this.sandboxName = name;
+			await this.ctx.storage.put("sandboxName", name);
+		}
+		const upgradeHeader = request.headers.get("Upgrade");
+		const connectionHeader = request.headers.get("Connection");
+		if (upgradeHeader?.toLowerCase() === "websocket" && connectionHeader?.toLowerCase().includes("upgrade")) try {
+			requestLogger.debug("WebSocket upgrade requested", {
+				path: url.pathname,
+				port: this.determinePort(url)
+			});
+			return await super.fetch(request);
+		} catch (error) {
+			requestLogger.error("WebSocket connection failed", error instanceof Error ? error : new Error(String(error)), { path: url.pathname });
+			throw error;
+		}
+		const port = this.determinePort(url);
+		return await this.containerFetch(request, port);
 	}
 	wsConnect(request, port) {
 		throw new Error("Not implemented here to avoid RPC serialization issues");
@@ -3186,7 +2540,12 @@ var Sandbox = class extends Container {
 			let result;
 			if (options?.stream && options?.onOutput) result = await this.executeWithStreaming(command, sessionId, options, startTime, timestamp);
 			else {
-				const response = await this.client.commands.execute(command, sessionId);
+				const commandOptions = options && (options.timeout !== void 0 || options.env !== void 0 || options.cwd !== void 0) ? {
+					timeoutMs: options.timeout,
+					env: options.env,
+					cwd: options.cwd
+				} : void 0;
+				const response = await this.client.commands.execute(command, sessionId, commandOptions);
 				const duration = Date.now() - startTime;
 				result = this.mapExecuteResponseToExecResult(response, duration, sessionId);
 			}
@@ -3201,7 +2560,11 @@ var Sandbox = class extends Container {
 		let stdout = "";
 		let stderr = "";
 		try {
-			const stream = await this.client.commands.executeStream(command, sessionId);
+			const stream = await this.client.commands.executeStream(command, sessionId, {
+				timeoutMs: options.timeout,
+				env: options.env,
+				cwd: options.cwd
+			});
 			for await (const event of parseSSEStream(stream)) {
 				if (options.signal?.aborted) throw new Error("Operation was aborted");
 				switch (event.type) {
@@ -3280,7 +2643,15 @@ var Sandbox = class extends Container {
 	async startProcess(command, options, sessionId) {
 		try {
 			const session = sessionId ?? await this.ensureDefaultSession();
-			const response = await this.client.processes.startProcess(command, session, { processId: options?.processId });
+			const requestOptions = {
+				...options?.processId !== void 0 && { processId: options.processId },
+				...options?.timeout !== void 0 && { timeoutMs: options.timeout },
+				...options?.env !== void 0 && { env: options.env },
+				...options?.cwd !== void 0 && { cwd: options.cwd },
+				...options?.encoding !== void 0 && { encoding: options.encoding },
+				...options?.autoCleanup !== void 0 && { autoCleanup: options.autoCleanup }
+			};
+			const response = await this.client.processes.startProcess(command, session, requestOptions);
 			const processObj = this.createProcessFromDTO({
 				id: response.processId,
 				pid: response.pid,
@@ -3344,14 +2715,22 @@ var Sandbox = class extends Container {
 	async execStream(command, options) {
 		if (options?.signal?.aborted) throw new Error("Operation was aborted");
 		const session = await this.ensureDefaultSession();
-		return this.client.commands.executeStream(command, session);
+		return this.client.commands.executeStream(command, session, {
+			timeoutMs: options?.timeout,
+			env: options?.env,
+			cwd: options?.cwd
+		});
 	}
 	/**
 	* Internal session-aware execStream implementation
 	*/
 	async execStreamWithSession(command, sessionId, options) {
 		if (options?.signal?.aborted) throw new Error("Operation was aborted");
-		return this.client.commands.executeStream(command, sessionId);
+		return this.client.commands.executeStream(command, sessionId, {
+			timeoutMs: options?.timeout,
+			env: options?.env,
+			cwd: options?.cwd
+		});
 	}
 	/**
 	* Stream logs from a background process as a ReadableStream.
@@ -3511,10 +2890,15 @@ var Sandbox = class extends Container {
 	*/
 	async createSession(options) {
 		const sessionId = options?.id || `session-${Date.now()}`;
+		const mergedEnv = {
+			...this.envVars,
+			...options?.env ?? {}
+		};
+		const envPayload = Object.keys(mergedEnv).length > 0 ? mergedEnv : void 0;
 		await this.client.utils.createSession({
 			id: sessionId,
-			env: options?.env,
-			cwd: options?.cwd
+			...envPayload && { env: envPayload },
+			...options?.cwd && { cwd: options.cwd }
 		});
 		return this.getSessionWrapper(sessionId);
 	}