@cloudflare/sandbox 0.8.8 → 0.8.10

package/dist/index.js

@@ -1,5 +1,5 @@
-import { _ as extractRepoName, a as isExecResult, b as partitionEnvVars, c as parseSSEFrames, d as createNoOpLogger, f as TraceContext, g as GitLogger, h as ResultImpl, i as isWSStreamChunk, l as shellEscape, m as Execution, n as isWSError, o as isProcess, p as logCanonicalEvent, r as isWSResponse, s as isProcessStatus, t as generateRequestId, u as createLogger, v as filterEnvVars, y as getEnvString } from "./dist-CmfvOT-w.js";
-import { t as ErrorCode } from "./errors-CaSfB5Bm.js";
+import { _ as GitLogger, a as isExecResult, b as getEnvString, c as parseSSEFrames, d as createNoOpLogger, f as TraceContext, g as DEFAULT_GIT_CLONE_TIMEOUT_MS, h as ResultImpl, i as isWSStreamChunk, l as shellEscape, m as Execution, n as isWSError, o as isProcess, p as logCanonicalEvent, r as isWSResponse, s as isProcessStatus, t as generateRequestId, u as createLogger, v as extractRepoName, x as partitionEnvVars, y as filterEnvVars } from "./dist-CR1a2zcN.js";
+import { t as ErrorCode } from "./errors-DJtO4mmS.js";
 import { Container, ContainerProxy, getContainer, switchPort } from "@cloudflare/containers";
 import { AwsClient } from "aws4fetch";
 import path from "node:path/posix";
@@ -938,7 +938,7 @@ var WebSocketTransport = class extends BaseTransport {
 		const method = options?.method || "GET";
 		const body = this.parseBody(options?.body);
 		const headers = this.normalizeHeaders(options?.headers);
-		const result = await this.request(method, path$1, body, headers);
+		const result = await this.request(method, path$1, body, headers, options?.requestTimeoutMs);
 		return new Response(JSON.stringify(result.body), {
 			status: result.status,
 			headers: { "Content-Type": "application/json" }
@@ -1094,7 +1094,7 @@ var WebSocketTransport = class extends BaseTransport {
 	* the case where the WebSocket was closed between `doFetch` and `request`
 	* (idle disconnect).
 	*/
-	async request(method, path$1, body, headers) {
+	async request(method, path$1, body, headers, requestTimeoutMs) {
 		await this.connect();
 		this.clearIdleDisconnectTimer();
 		const id = generateRequestId();
@@ -1107,7 +1107,7 @@ var WebSocketTransport = class extends BaseTransport {
 			headers
 		};
 		return new Promise((resolve, reject) => {
-			const timeoutMs = this.config.requestTimeoutMs ?? DEFAULT_REQUEST_TIMEOUT_MS;
+			const timeoutMs = requestTimeoutMs ?? this.config.requestTimeoutMs ?? DEFAULT_REQUEST_TIMEOUT_MS;
 			const timeoutId = setTimeout(() => {
 				this.pendingRequests.delete(id);
 				this.scheduleIdleDisconnect();
@@ -1534,11 +1534,12 @@ var BaseHttpClient = class {
 	/**
 	* Make a POST request with JSON body
 	*/
-	async post(endpoint, data, responseHandler) {
+	async post(endpoint, data, responseHandler, requestOptions) {
 		const response = await this.doFetch(endpoint, {
 			method: "POST",
 			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify(data)
+			body: JSON.stringify(data),
+			...requestOptions
 		});
 		return this.handleResponse(response, responseHandler);
 	}
@@ -2218,7 +2219,8 @@ var FileClient = class extends BaseHttpClient {
 /**
 * Client for Git repository operations
 */
-var GitClient = class extends BaseHttpClient {
+var GitClient = class GitClient extends BaseHttpClient {
+	static REQUEST_TIMEOUT_BUFFER_MS = 3e4;
 	constructor(options = {}) {
 		super(options);
 		this.logger = new GitLogger(this.logger);
@@ -2227,10 +2229,11 @@ var GitClient = class extends BaseHttpClient {
 	* Clone a Git repository
 	* @param repoUrl - URL of the Git repository to clone
 	* @param sessionId - The session ID for this operation
-	* @param options - Optional settings (branch, targetDir, depth)
+	* @param options - Optional settings (branch, targetDir, depth, timeoutMs)
 	*/
 	async checkout(repoUrl, sessionId, options) {
 		try {
+			const timeoutMs = options?.timeoutMs ?? DEFAULT_GIT_CLONE_TIMEOUT_MS;
 			let targetDir = options?.targetDir;
 			if (!targetDir) targetDir = `/workspace/${extractRepoName(repoUrl)}`;
 			const data = {
@@ -2243,7 +2246,9 @@ var GitClient = class extends BaseHttpClient {
 				if (!Number.isInteger(options.depth) || options.depth <= 0) throw new Error(`Invalid depth value: ${options.depth}. Must be a positive integer (e.g., 1, 5, 10).`);
 				data.depth = options.depth;
 			}
-			return await this.post("/api/git/checkout", data);
+			if (!Number.isInteger(timeoutMs) || timeoutMs <= 0) throw new Error(`Invalid timeout value: ${timeoutMs}. Must be a positive integer number of milliseconds.`);
+			data.timeoutMs = timeoutMs;
+			return await this.post("/api/git/checkout", data, void 0, { requestTimeoutMs: timeoutMs + GitClient.REQUEST_TIMEOUT_BUFFER_MS });
 		} catch (error) {
 			throw error;
 		}
@@ -3529,10 +3534,11 @@ function isLocalhostPattern(hostname) {
 //#endregion
 //#region src/storage-mount/errors.ts
 /**
-* Bucket mounting error classes
+* Bucket mount and unmount error classes
 *
-* These are SDK-side validation errors that follow the same pattern as SecurityError.
-* They are thrown before any container interaction occurs.
+* Validation errors (InvalidMountConfigError, MissingCredentialsError) are thrown
+* before any container interaction. BucketUnmountError is thrown after a failed
+* fusermount call inside the container.
 */
 /**
 * Base error for bucket mounting operations
@@ -3555,6 +3561,15 @@ var S3FSMountError = class extends BucketMountError {
 	}
 };
 /**
+* Thrown when fusermount -u fails to unmount a FUSE filesystem
+*/
+var BucketUnmountError = class extends BucketMountError {
+	constructor(message) {
+		super(message, ErrorCode.BUCKET_UNMOUNT_ERROR);
+		this.name = "BucketUnmountError";
+	}
+};
+/**
 * Thrown when no credentials found in environment
 */
 var MissingCredentialsError = class extends BucketMountError {
@@ -3687,7 +3702,7 @@ function buildS3fsSource(bucket, prefix) {
 * This file is auto-updated by .github/changeset-version.ts during releases
 * DO NOT EDIT MANUALLY - Changes will be overwritten on the next version bump
 */
-const SDK_VERSION = "0.8.8";
+const SDK_VERSION = "0.8.10";
 
 //#endregion
 //#region src/sandbox.ts
@@ -4229,9 +4244,26 @@ var Sandbox = class Sandbox extends Container {
 				mountInfo.mounted = false;
 				this.activeMounts.delete(mountPath);
 			} else try {
-				await this.execInternal(`fusermount -u ${shellEscape(mountPath)}`);
+				const result = await this.execInternal(`fusermount -u ${shellEscape(mountPath)}`);
+				if (result.exitCode !== 0) {
+					const stderr = result.stderr || "unknown error";
+					throw new BucketUnmountError(`fusermount -u failed (exit ${result.exitCode}): ${stderr}`);
+				}
 				mountInfo.mounted = false;
 				this.activeMounts.delete(mountPath);
+				try {
+					const cleanup = await this.execInternal(`mountpoint -q ${shellEscape(mountPath)} || rmdir ${shellEscape(mountPath)}`);
+					if (cleanup.exitCode !== 0) this.logger.warn("mount directory removal failed", {
+						mountPath,
+						exitCode: cleanup.exitCode,
+						stderr: cleanup.stderr
+					});
+				} catch (err) {
+					this.logger.warn("mount directory removal failed", {
+						mountPath,
+						error: err instanceof Error ? err.message : String(err)
+					});
+				}
 			} finally {
 				await this.deletePasswordFile(mountInfo.passwordFilePath);
 			}
@@ -4295,7 +4327,7 @@ var Sandbox = class Sandbox extends Container {
 	/**
 	* Execute S3FS mount command
 	*/
-	async executeS3FSMount(bucket, mountPath, options, provider, passwordFilePath) {
+	async executeS3FSMount(bucket, mountPath, options, provider, passwordFilePath, sessionId) {
 		const resolvedOptions = resolveS3fsOptions(provider, options.s3fsOptions);
 		const s3fsArgs = [];
 		s3fsArgs.push(`passwd_file=${passwordFilePath}`);
@@ -4304,7 +4336,7 @@ var Sandbox = class Sandbox extends Container {
 		s3fsArgs.push(`url=${options.endpoint}`);
 		const optionsStr = shellEscape(s3fsArgs.join(","));
 		const mountCmd = `s3fs ${shellEscape(bucket)} ${shellEscape(mountPath)} -o ${optionsStr}`;
-		const result = await this.execInternal(mountCmd);
+		const result = sessionId ? await this.execWithSession(mountCmd, sessionId, { origin: "internal" }) : await this.execInternal(mountCmd);
 		if (result.exitCode !== 0) throw new S3FSMountError(`S3FS mount failed: ${result.stderr || result.stdout || "Unknown error"}`);
 	}
 	/**
@@ -5171,7 +5203,8 @@ var Sandbox = class Sandbox extends Container {
 		return this.client.git.checkout(repoUrl, session, {
 			branch: options?.branch,
 			targetDir: options?.targetDir,
-			depth: options?.depth
+			depth: options?.depth,
+			timeoutMs: options?.cloneTimeoutMs
 		});
 	}
 	async mkdir(path$1, options = {}) {
@@ -5770,74 +5803,54 @@ var Sandbox = class Sandbox extends Container {
 		}
 	}
 	/**
-	* Download a backup archive via presigned GET URL.
-	* The container curls the archive directly from R2, bypassing the DO.
-	* ~93 MB/s throughput vs ~0.6 MB/s for base64 writeFile.
+	* Mount a backup archive from R2 via s3fs so squashfuse can read it lazily.
 	*/
-	async downloadBackupPresigned(archivePath, r2Key, expectedSize, backupId, dir, backupSession) {
-		const presignedUrl = await this.generatePresignedGetUrl(r2Key);
-		await this.execWithSession("mkdir -p /var/backups", backupSession, { origin: "internal" });
-		const tmpPath = `${archivePath}.tmp`;
-		const curlCmd = [
-			"curl -sSf",
-			"--connect-timeout 10",
-			"--max-time 1800",
-			"--retry 2",
-			"--retry-max-time 60",
-			`-o ${shellEscape(tmpPath)}`,
-			shellEscape(presignedUrl)
-		].join(" ");
-		const result = await this.execWithSession(curlCmd, backupSession, {
-			timeout: 181e4,
-			origin: "internal"
+	async mountBackupR2(mountPath, prefix, backupSession) {
+		const { accountId, bucketName } = this.requirePresignedUrlSupport();
+		const endpoint = `https://${accountId}.r2.cloudflarestorage.com`;
+		const normalizedPrefix = prefix.startsWith("/") ? prefix : `/${prefix}`;
+		const options = {
+			endpoint,
+			provider: "r2",
+			readOnly: true,
+			prefix: normalizedPrefix,
+			s3fsOptions: ["use_path_request_style"]
+		};
+		const passwordFilePath = this.generatePasswordFilePath();
+		const s3fsSource = buildS3fsSource(bucketName, normalizedPrefix);
+		const envObj = this.env;
+		const credentials = detectCredentials(options, {
+			AWS_ACCESS_KEY_ID: getEnvString(envObj, "AWS_ACCESS_KEY_ID"),
+			AWS_SECRET_ACCESS_KEY: getEnvString(envObj, "AWS_SECRET_ACCESS_KEY"),
+			R2_ACCESS_KEY_ID: this.r2AccessKeyId || void 0,
+			R2_SECRET_ACCESS_KEY: this.r2SecretAccessKey || void 0,
+			...this.envVars
 		});
-		if (result.exitCode !== 0) {
-			await this.execWithSession(`rm -f ${shellEscape(tmpPath)}`, backupSession, { origin: "internal" }).catch(() => {});
-			throw new BackupRestoreError({
-				message: `Presigned URL download failed (exit code ${result.exitCode}): ${result.stderr}`,
-				code: ErrorCode.BACKUP_RESTORE_FAILED,
-				httpStatus: 500,
-				context: {
-					dir,
-					backupId
-				},
-				timestamp: (/* @__PURE__ */ new Date()).toISOString()
-			});
-		}
-		const sizeCheck = await this.execWithSession(`stat -c %s ${shellEscape(tmpPath)}`, backupSession, { origin: "internal" });
-		const actualSize = parseInt(sizeCheck.stdout.trim(), 10);
-		if (actualSize !== expectedSize) {
-			await this.execWithSession(`rm -f ${shellEscape(tmpPath)}`, backupSession, { origin: "internal" }).catch(() => {});
-			throw new BackupRestoreError({
-				message: `Downloaded archive size mismatch: expected ${expectedSize}, got ${actualSize}`,
-				code: ErrorCode.BACKUP_RESTORE_FAILED,
-				httpStatus: 500,
-				context: {
-					dir,
-					backupId
-				},
-				timestamp: (/* @__PURE__ */ new Date()).toISOString()
-			});
-		}
-		const mvResult = await this.execWithSession(`mv ${shellEscape(tmpPath)} ${shellEscape(archivePath)}`, backupSession, { origin: "internal" });
-		if (mvResult.exitCode !== 0) {
-			await this.execWithSession(`rm -f ${shellEscape(tmpPath)}`, backupSession, { origin: "internal" }).catch(() => {});
-			throw new BackupRestoreError({
-				message: `Failed to finalize downloaded archive: ${mvResult.stderr}`,
-				code: ErrorCode.BACKUP_RESTORE_FAILED,
-				httpStatus: 500,
-				context: {
-					dir,
-					backupId
-				},
-				timestamp: (/* @__PURE__ */ new Date()).toISOString()
-			});
+		const mountInfo = {
+			mountType: "fuse",
+			bucket: s3fsSource,
+			mountPath,
+			endpoint,
+			provider: "r2",
+			passwordFilePath,
+			mounted: false
+		};
+		this.activeMounts.set(mountPath, mountInfo);
+		try {
+			await this.createPasswordFile(passwordFilePath, bucketName, credentials);
+			await this.execWithSession(`mkdir -p ${shellEscape(mountPath)}`, backupSession, { origin: "internal" });
+			await this.executeS3FSMount(s3fsSource, mountPath, options, "r2", passwordFilePath, backupSession);
+			mountInfo.mounted = true;
+		} catch (error) {
+			await this.deletePasswordFile(passwordFilePath);
+			this.activeMounts.delete(mountPath);
+			throw error;
 		}
 	}
 	/**
 	* Serialize backup operations on this sandbox instance.
 	* Concurrent backup/restore calls are queued so the multi-step
-	* create-archive → read → upload (or download → write → extract) flow
+	* create-archive → read → upload (or mount → extract) flow
 	* is not interleaved with another backup operation on the same directory.
 	*/
 	enqueueBackupOp(fn) {
@@ -5984,7 +5997,7 @@ var Sandbox = class Sandbox extends Container {
 	*
 	* Flow:
 	*   1. DO reads metadata from R2 and checks TTL
-	*   2. Container downloads the archive directly from R2 via presigned URL
+	*   2. Container mounts the backup archive from R2 via s3fs
 	*   3. Container mounts the squashfs archive with FUSE overlayfs
 	*
 	* The target directory becomes an overlay mount with the backup as a
@@ -6068,8 +6081,7 @@ var Sandbox = class Sandbox extends Container {
 				timestamp: (/* @__PURE__ */ new Date()).toISOString()
 			});
 			const r2Key = `backups/${id}/data.sqsh`;
-			const archiveHead = await bucket.head(r2Key);
-			if (!archiveHead) throw new BackupNotFoundError({
+			if (!await bucket.head(r2Key)) throw new BackupNotFoundError({
 				message: `Backup archive not found in R2: ${id}. The archive may have been deleted by R2 lifecycle rules.`,
 				code: ErrorCode.BACKUP_NOT_FOUND,
 				httpStatus: 404,
@@ -6077,12 +6089,19 @@ var Sandbox = class Sandbox extends Container {
 				timestamp: (/* @__PURE__ */ new Date()).toISOString()
 			});
 			backupSession = await this.ensureBackupSession();
-			const archivePath = `/var/backups/${id}.sqsh`;
-			const mountGlob = `/var/backups/mounts/${id}`;
+			const r2MountPath = `/var/backups/r2mount/${id}`;
+			const archivePath = `${r2MountPath}/data.sqsh`;
+			const mountGlob = `/var/backups/mounts/r2mount/${id}/data`;
 			await this.execWithSession(`/usr/bin/fusermount3 -uz ${shellEscape(dir)} 2>/dev/null || true`, backupSession, { origin: "internal" }).catch(() => {});
 			await this.execWithSession(`for d in ${shellEscape(mountGlob)}_*/lower ${shellEscape(mountGlob)}/lower; do [ -d "$d" ] && /usr/bin/fusermount3 -uz "$d" 2>/dev/null; done; true`, backupSession, { origin: "internal" }).catch(() => {});
-			const sizeCheck = await this.execWithSession(`stat -c %s ${shellEscape(archivePath)} 2>/dev/null || echo 0`, backupSession, { origin: "internal" }).catch(() => ({ stdout: "0" }));
-			if (Number.parseInt((sizeCheck.stdout ?? "0").trim(), 10) !== archiveHead.size) await this.downloadBackupPresigned(archivePath, r2Key, archiveHead.size, id, dir, backupSession);
+			await this.execWithSession(`/usr/bin/fusermount3 -u ${shellEscape(r2MountPath)} 2>/dev/null; /usr/bin/fusermount3 -uz ${shellEscape(r2MountPath)} 2>/dev/null; true`, backupSession, { origin: "internal" }).catch(() => {});
+			const previousBackupMount = this.activeMounts.get(r2MountPath);
+			if (previousBackupMount?.mountType === "fuse") {
+				previousBackupMount.mounted = false;
+				this.activeMounts.delete(r2MountPath);
+				await this.deletePasswordFile(previousBackupMount.passwordFilePath);
+			}
+			await this.mountBackupR2(r2MountPath, `backups/${id}/`, backupSession);
 			if (!(await this.client.backup.restoreArchive(dir, archivePath, backupSession)).success) throw new BackupRestoreError({
 				message: "Container failed to restore backup archive",
 				code: ErrorCode.BACKUP_RESTORE_FAILED,
@@ -6101,10 +6120,6 @@ var Sandbox = class Sandbox extends Container {
 			};
 		} catch (error) {
 			caughtError = error instanceof Error ? error : new Error(String(error));
-			if (id && backupSession) {
-				const archivePath = `/var/backups/${id}.sqsh`;
-				await this.execWithSession(`rm -f ${shellEscape(archivePath)}`, backupSession, { origin: "internal" }).catch(() => {});
-			}
 			throw error;
 		} finally {
 			if (backupSession) await this.client.utils.deleteSession(backupSession).catch(() => {});
@@ -6243,5 +6258,5 @@ async function collectFile(stream) {
 }
 
 //#endregion
-export { BackupClient, BackupCreateError, BackupExpiredError, BackupNotFoundError, BackupRestoreError, BucketMountError, CodeInterpreter, CommandClient, ContainerProxy, DesktopClient, DesktopInvalidCoordinatesError, DesktopInvalidOptionsError, DesktopNotStartedError, DesktopProcessCrashedError, DesktopStartFailedError, DesktopUnavailableError, FileClient, GitClient, InvalidBackupConfigError, InvalidMountConfigError, MissingCredentialsError, PortClient, ProcessClient, ProcessExitedBeforeReadyError, ProcessReadyTimeoutError, S3FSMountError, Sandbox, SandboxClient, UtilityClient, asyncIterableToSSEStream, collectFile, getSandbox, isExecResult, isProcess, isProcessStatus, parseSSEStream, proxyTerminal, proxyToSandbox, responseToAsyncIterable, streamFile };
+export { BackupClient, BackupCreateError, BackupExpiredError, BackupNotFoundError, BackupRestoreError, BucketMountError, BucketUnmountError, CodeInterpreter, CommandClient, ContainerProxy, DesktopClient, DesktopInvalidCoordinatesError, DesktopInvalidOptionsError, DesktopNotStartedError, DesktopProcessCrashedError, DesktopStartFailedError, DesktopUnavailableError, FileClient, GitClient, InvalidBackupConfigError, InvalidMountConfigError, MissingCredentialsError, PortClient, ProcessClient, ProcessExitedBeforeReadyError, ProcessReadyTimeoutError, S3FSMountError, Sandbox, SandboxClient, UtilityClient, asyncIterableToSSEStream, collectFile, getSandbox, isExecResult, isProcess, isProcessStatus, parseSSEStream, proxyTerminal, proxyToSandbox, responseToAsyncIterable, streamFile };
 //# sourceMappingURL=index.js.map