@cloudflare/sandbox 0.8.9 → 0.8.10

package/dist/index.d.ts

@@ -1,4 +1,4 @@
-import { $ as CheckChangesOptions, A as DesktopStopResponse, At as SandboxOptions, B as ExecuteResponse, Bt as ExposePortRequest, C as ClickOptions, Ct as ProcessListResult, D as DesktopStartOptions, Dt as ProcessStatus, E as DesktopClient, Et as ProcessStartResult, F as ScreenshotRegion, Ft as WatchOptions, G as HttpClientOptions, Gt as Execution, H as BaseApiResponse, Ht as PtyOptions, I as ScreenshotResponse, It as isExecResult, J as SessionRequest, K as RequestConfig, Kt as ExecutionResult, L as ScrollDirection, Lt as isProcess, M as ScreenSizeResponse, Mt as StreamOptions, N as ScreenshotBytesResponse, Nt as WaitForLogResult, O as DesktopStartResponse, Ot as RemoteMountBucketOptions, P as ScreenshotOptions, Pt as WaitForPortOptions, Q as BucketProvider, R as TypeOptions, Rt as isProcessStatus, S as WriteFileRequest, St as ProcessKillResult, T as Desktop, Tt as ProcessOptions, U as ContainerStub, Ut as CodeContext, V as BackupClient, Vt as StartProcessRequest, W as ErrorResponse, Wt as CreateContextOptions, X as BaseExecOptions, Y as BackupOptions, Z as BucketCredentials, _ as GitClient, _t as PortExposeResult, a as CreateSessionRequest, at as ExecutionSession, b as MkdirRequest, bt as ProcessCleanupResult, c as DeleteSessionResponse, ct as FileStreamEvent, d as ProcessClient, dt as ISandbox, et as CheckChangesResult, f as PortClient, ft as ListFilesOptions, g as GitCheckoutRequest, gt as PortCloseResult, h as InterpreterClient, ht as MountBucketOptions, i as CommandsResponse, it as ExecResult, j as KeyInput, jt as SessionOptions, k as DesktopStatusResponse, kt as RestoreBackupResult, l as PingResponse, lt as FileWatchSSEEvent, m as ExecutionCallbacks, mt as LogEvent, n as getSandbox, nt as ExecEvent, o as CreateSessionResponse, ot as FileChunk, p as UnexposePortRequest, pt as LocalMountBucketOptions, q as ResponseHandler, qt as RunCodeOptions, r as SandboxClient, rt as ExecOptions, s as DeleteSessionRequest, st as FileMetadata, t as Sandbox, tt as DirectoryBackup, u as UtilityClient, ut as GitCheckoutResult, v as FileClient, vt as PortListResult, w as CursorPositionResponse, wt as ProcessLogsResult, x as ReadFileRequest, xt as ProcessInfoResult, y as FileOperationRequest, yt as Process, z as CommandClient, zt as ExecuteRequest } from "./sandbox-KLljXK8V.js";
+import { $ as CheckChangesOptions, A as DesktopStopResponse, At as SandboxOptions, B as ExecuteResponse, Bt as ExposePortRequest, C as ClickOptions, Ct as ProcessListResult, D as DesktopStartOptions, Dt as ProcessStatus, E as DesktopClient, Et as ProcessStartResult, F as ScreenshotRegion, Ft as WatchOptions, G as HttpClientOptions, Gt as Execution, H as BaseApiResponse, Ht as PtyOptions, I as ScreenshotResponse, It as isExecResult, J as SessionRequest, K as RequestConfig, Kt as ExecutionResult, L as ScrollDirection, Lt as isProcess, M as ScreenSizeResponse, Mt as StreamOptions, N as ScreenshotBytesResponse, Nt as WaitForLogResult, O as DesktopStartResponse, Ot as RemoteMountBucketOptions, P as ScreenshotOptions, Pt as WaitForPortOptions, Q as BucketProvider, R as TypeOptions, Rt as isProcessStatus, S as WriteFileRequest, St as ProcessKillResult, T as Desktop, Tt as ProcessOptions, U as ContainerStub, Ut as CodeContext, V as BackupClient, Vt as StartProcessRequest, W as ErrorResponse, Wt as CreateContextOptions, X as BaseExecOptions, Y as BackupOptions, Z as BucketCredentials, _ as GitClient, _t as PortExposeResult, a as CreateSessionRequest, at as ExecutionSession, b as MkdirRequest, bt as ProcessCleanupResult, c as DeleteSessionResponse, ct as FileStreamEvent, d as ProcessClient, dt as ISandbox, et as CheckChangesResult, f as PortClient, ft as ListFilesOptions, g as GitCheckoutRequest, gt as PortCloseResult, h as InterpreterClient, ht as MountBucketOptions, i as CommandsResponse, it as ExecResult, j as KeyInput, jt as SessionOptions, k as DesktopStatusResponse, kt as RestoreBackupResult, l as PingResponse, lt as FileWatchSSEEvent, m as ExecutionCallbacks, mt as LogEvent, n as getSandbox, nt as ExecEvent, o as CreateSessionResponse, ot as FileChunk, p as UnexposePortRequest, pt as LocalMountBucketOptions, q as ResponseHandler, qt as RunCodeOptions, r as SandboxClient, rt as ExecOptions, s as DeleteSessionRequest, st as FileMetadata, t as Sandbox, tt as DirectoryBackup, u as UtilityClient, ut as GitCheckoutResult, v as FileClient, vt as PortListResult, w as CursorPositionResponse, wt as ProcessLogsResult, x as ReadFileRequest, xt as ProcessInfoResult, y as FileOperationRequest, yt as Process, z as CommandClient, zt as ExecuteRequest } from "./sandbox-CbGbomnq.js";
 import { a as DesktopCoordinateErrorContext, d as ErrorResponse$1, f as OperationType, i as BackupRestoreContext, l as ProcessExitedBeforeReadyContext, n as BackupExpiredContext, o as DesktopErrorContext, p as ErrorCode, r as BackupNotFoundContext, s as InvalidBackupConfigContext, t as BackupCreateContext, u as ProcessReadyTimeoutContext } from "./contexts-DqnVW04M.js";
 import { ContainerProxy } from "@cloudflare/containers";
 

package/dist/index.js

@@ -3702,7 +3702,7 @@ function buildS3fsSource(bucket, prefix) {
 * This file is auto-updated by .github/changeset-version.ts during releases
 * DO NOT EDIT MANUALLY - Changes will be overwritten on the next version bump
 */
-const SDK_VERSION = "0.8.9";
+const SDK_VERSION = "0.8.10";
 
 //#endregion
 //#region src/sandbox.ts
@@ -4327,7 +4327,7 @@ var Sandbox = class Sandbox extends Container {
 	/**
 	* Execute S3FS mount command
 	*/
-	async executeS3FSMount(bucket, mountPath, options, provider, passwordFilePath) {
+	async executeS3FSMount(bucket, mountPath, options, provider, passwordFilePath, sessionId) {
 		const resolvedOptions = resolveS3fsOptions(provider, options.s3fsOptions);
 		const s3fsArgs = [];
 		s3fsArgs.push(`passwd_file=${passwordFilePath}`);
@@ -4336,7 +4336,7 @@ var Sandbox = class Sandbox extends Container {
 		s3fsArgs.push(`url=${options.endpoint}`);
 		const optionsStr = shellEscape(s3fsArgs.join(","));
 		const mountCmd = `s3fs ${shellEscape(bucket)} ${shellEscape(mountPath)} -o ${optionsStr}`;
-		const result = await this.execInternal(mountCmd);
+		const result = sessionId ? await this.execWithSession(mountCmd, sessionId, { origin: "internal" }) : await this.execInternal(mountCmd);
 		if (result.exitCode !== 0) throw new S3FSMountError(`S3FS mount failed: ${result.stderr || result.stdout || "Unknown error"}`);
 	}
 	/**
@@ -5803,74 +5803,54 @@ var Sandbox = class Sandbox extends Container {
 		}
 	}
 	/**
-	* Download a backup archive via presigned GET URL.
-	* The container curls the archive directly from R2, bypassing the DO.
-	* ~93 MB/s throughput vs ~0.6 MB/s for base64 writeFile.
+	* Mount a backup archive from R2 via s3fs so squashfuse can read it lazily.
 	*/
-	async downloadBackupPresigned(archivePath, r2Key, expectedSize, backupId, dir, backupSession) {
-		const presignedUrl = await this.generatePresignedGetUrl(r2Key);
-		await this.execWithSession("mkdir -p /var/backups", backupSession, { origin: "internal" });
-		const tmpPath = `${archivePath}.tmp`;
-		const curlCmd = [
-			"curl -sSf",
-			"--connect-timeout 10",
-			"--max-time 1800",
-			"--retry 2",
-			"--retry-max-time 60",
-			`-o ${shellEscape(tmpPath)}`,
-			shellEscape(presignedUrl)
-		].join(" ");
-		const result = await this.execWithSession(curlCmd, backupSession, {
-			timeout: 181e4,
-			origin: "internal"
+	async mountBackupR2(mountPath, prefix, backupSession) {
+		const { accountId, bucketName } = this.requirePresignedUrlSupport();
+		const endpoint = `https://${accountId}.r2.cloudflarestorage.com`;
+		const normalizedPrefix = prefix.startsWith("/") ? prefix : `/${prefix}`;
+		const options = {
+			endpoint,
+			provider: "r2",
+			readOnly: true,
+			prefix: normalizedPrefix,
+			s3fsOptions: ["use_path_request_style"]
+		};
+		const passwordFilePath = this.generatePasswordFilePath();
+		const s3fsSource = buildS3fsSource(bucketName, normalizedPrefix);
+		const envObj = this.env;
+		const credentials = detectCredentials(options, {
+			AWS_ACCESS_KEY_ID: getEnvString(envObj, "AWS_ACCESS_KEY_ID"),
+			AWS_SECRET_ACCESS_KEY: getEnvString(envObj, "AWS_SECRET_ACCESS_KEY"),
+			R2_ACCESS_KEY_ID: this.r2AccessKeyId || void 0,
+			R2_SECRET_ACCESS_KEY: this.r2SecretAccessKey || void 0,
+			...this.envVars
 		});
-		if (result.exitCode !== 0) {
-			await this.execWithSession(`rm -f ${shellEscape(tmpPath)}`, backupSession, { origin: "internal" }).catch(() => {});
-			throw new BackupRestoreError({
-				message: `Presigned URL download failed (exit code ${result.exitCode}): ${result.stderr}`,
-				code: ErrorCode.BACKUP_RESTORE_FAILED,
-				httpStatus: 500,
-				context: {
-					dir,
-					backupId
-				},
-				timestamp: (/* @__PURE__ */ new Date()).toISOString()
-			});
-		}
-		const sizeCheck = await this.execWithSession(`stat -c %s ${shellEscape(tmpPath)}`, backupSession, { origin: "internal" });
-		const actualSize = parseInt(sizeCheck.stdout.trim(), 10);
-		if (actualSize !== expectedSize) {
-			await this.execWithSession(`rm -f ${shellEscape(tmpPath)}`, backupSession, { origin: "internal" }).catch(() => {});
-			throw new BackupRestoreError({
-				message: `Downloaded archive size mismatch: expected ${expectedSize}, got ${actualSize}`,
-				code: ErrorCode.BACKUP_RESTORE_FAILED,
-				httpStatus: 500,
-				context: {
-					dir,
-					backupId
-				},
-				timestamp: (/* @__PURE__ */ new Date()).toISOString()
-			});
-		}
-		const mvResult = await this.execWithSession(`mv ${shellEscape(tmpPath)} ${shellEscape(archivePath)}`, backupSession, { origin: "internal" });
-		if (mvResult.exitCode !== 0) {
-			await this.execWithSession(`rm -f ${shellEscape(tmpPath)}`, backupSession, { origin: "internal" }).catch(() => {});
-			throw new BackupRestoreError({
-				message: `Failed to finalize downloaded archive: ${mvResult.stderr}`,
-				code: ErrorCode.BACKUP_RESTORE_FAILED,
-				httpStatus: 500,
-				context: {
-					dir,
-					backupId
-				},
-				timestamp: (/* @__PURE__ */ new Date()).toISOString()
-			});
+		const mountInfo = {
+			mountType: "fuse",
+			bucket: s3fsSource,
+			mountPath,
+			endpoint,
+			provider: "r2",
+			passwordFilePath,
+			mounted: false
+		};
+		this.activeMounts.set(mountPath, mountInfo);
+		try {
+			await this.createPasswordFile(passwordFilePath, bucketName, credentials);
+			await this.execWithSession(`mkdir -p ${shellEscape(mountPath)}`, backupSession, { origin: "internal" });
+			await this.executeS3FSMount(s3fsSource, mountPath, options, "r2", passwordFilePath, backupSession);
+			mountInfo.mounted = true;
+		} catch (error) {
+			await this.deletePasswordFile(passwordFilePath);
+			this.activeMounts.delete(mountPath);
+			throw error;
 		}
 	}
 	/**
 	* Serialize backup operations on this sandbox instance.
 	* Concurrent backup/restore calls are queued so the multi-step
-	* create-archive → read → upload (or download → write → extract) flow
+	* create-archive → read → upload (or mount → extract) flow
 	* is not interleaved with another backup operation on the same directory.
 	*/
 	enqueueBackupOp(fn) {
@@ -6017,7 +5997,7 @@ var Sandbox = class Sandbox extends Container {
 	*
 	* Flow:
 	*   1. DO reads metadata from R2 and checks TTL
-	*   2. Container downloads the archive directly from R2 via presigned URL
+	*   2. Container mounts the backup archive from R2 via s3fs
 	*   3. Container mounts the squashfs archive with FUSE overlayfs
 	*
 	* The target directory becomes an overlay mount with the backup as a
@@ -6101,8 +6081,7 @@ var Sandbox = class Sandbox extends Container {
 				timestamp: (/* @__PURE__ */ new Date()).toISOString()
 			});
 			const r2Key = `backups/${id}/data.sqsh`;
-			const archiveHead = await bucket.head(r2Key);
-			if (!archiveHead) throw new BackupNotFoundError({
+			if (!await bucket.head(r2Key)) throw new BackupNotFoundError({
 				message: `Backup archive not found in R2: ${id}. The archive may have been deleted by R2 lifecycle rules.`,
 				code: ErrorCode.BACKUP_NOT_FOUND,
 				httpStatus: 404,
@@ -6110,12 +6089,19 @@ var Sandbox = class Sandbox extends Container {
 				timestamp: (/* @__PURE__ */ new Date()).toISOString()
 			});
 			backupSession = await this.ensureBackupSession();
-			const archivePath = `/var/backups/${id}.sqsh`;
-			const mountGlob = `/var/backups/mounts/${id}`;
+			const r2MountPath = `/var/backups/r2mount/${id}`;
+			const archivePath = `${r2MountPath}/data.sqsh`;
+			const mountGlob = `/var/backups/mounts/r2mount/${id}/data`;
 			await this.execWithSession(`/usr/bin/fusermount3 -uz ${shellEscape(dir)} 2>/dev/null || true`, backupSession, { origin: "internal" }).catch(() => {});
 			await this.execWithSession(`for d in ${shellEscape(mountGlob)}_*/lower ${shellEscape(mountGlob)}/lower; do [ -d "$d" ] && /usr/bin/fusermount3 -uz "$d" 2>/dev/null; done; true`, backupSession, { origin: "internal" }).catch(() => {});
-			const sizeCheck = await this.execWithSession(`stat -c %s ${shellEscape(archivePath)} 2>/dev/null || echo 0`, backupSession, { origin: "internal" }).catch(() => ({ stdout: "0" }));
-			if (Number.parseInt((sizeCheck.stdout ?? "0").trim(), 10) !== archiveHead.size) await this.downloadBackupPresigned(archivePath, r2Key, archiveHead.size, id, dir, backupSession);
+			await this.execWithSession(`/usr/bin/fusermount3 -u ${shellEscape(r2MountPath)} 2>/dev/null; /usr/bin/fusermount3 -uz ${shellEscape(r2MountPath)} 2>/dev/null; true`, backupSession, { origin: "internal" }).catch(() => {});
+			const previousBackupMount = this.activeMounts.get(r2MountPath);
+			if (previousBackupMount?.mountType === "fuse") {
+				previousBackupMount.mounted = false;
+				this.activeMounts.delete(r2MountPath);
+				await this.deletePasswordFile(previousBackupMount.passwordFilePath);
+			}
+			await this.mountBackupR2(r2MountPath, `backups/${id}/`, backupSession);
 			if (!(await this.client.backup.restoreArchive(dir, archivePath, backupSession)).success) throw new BackupRestoreError({
 				message: "Container failed to restore backup archive",
 				code: ErrorCode.BACKUP_RESTORE_FAILED,
@@ -6134,10 +6120,6 @@ var Sandbox = class Sandbox extends Container {
 			};
 		} catch (error) {
 			caughtError = error instanceof Error ? error : new Error(String(error));
-			if (id && backupSession) {
-				const archivePath = `/var/backups/${id}.sqsh`;
-				await this.execWithSession(`rm -f ${shellEscape(archivePath)}`, backupSession, { origin: "internal" }).catch(() => {});
-			}
 			throw error;
 		} finally {
 			if (backupSession) await this.client.utils.deleteSession(backupSession).catch(() => {});