@mastra/daytona 0.3.0-alpha.0 → 0.4.0-alpha.0

package/CHANGELOG.md

@@ -1,5 +1,53 @@
 # @mastra/daytona
 
+## 0.4.0-alpha.0
+
+### Minor Changes
+
+- Added Azure Blob sandbox mount support via blobfuse2 in @mastra/e2b and @mastra/daytona. `sandbox.mount(azureBlobFilesystem, '/data')` now works for Azure containers, matching the existing s3fs (S3) and gcsfuse (GCS) integration. Supports authentication via accountKey, sasToken, connectionString, or managed identity/default credentials, and preserves AzureBlobFilesystem prefixes when mounting. ([#15874](https://github.com/mastra-ai/mastra/pull/15874))
+
+  ```ts
+  import { E2BSandbox } from '@mastra/e2b';
+  import { AzureBlobFilesystem } from '@mastra/azure/blob';
+
+  const azureFs = new AzureBlobFilesystem({ container: 'my-data', connectionString: '...' });
+  const sandbox = new E2BSandbox();
+  await sandbox.mount(azureFs, '/data');
+  // Sandbox processes can now read/write /data/* directly against the Azure container.
+  ```
+
+### Patch Changes
+
+- Updated dependencies [[`512a013`](https://github.com/mastra-ai/mastra/commit/512a013f285aa9c0aa8f08a35b2ce09f9938b017), [`e9becde`](https://github.com/mastra-ai/mastra/commit/e9becdeed9176b9f8392e557bde12b933f99cf7a)]:
+  - @mastra/core@1.29.1-alpha.2
+
+## 0.3.0
+
+### Minor Changes
+
+- Added S3 prefix (subdirectory) mount support. You can now mount a specific folder within an S3 bucket instead of the entire bucket by setting the `prefix` option on your S3 filesystem. ([#15171](https://github.com/mastra-ai/mastra/pull/15171))
+
+  **Example:**
+
+  ```typescript
+  const fs = new S3Filesystem({
+    bucket: 'my-bucket',
+    region: 'us-east-1',
+    prefix: 'workspace/data',
+    accessKeyId: process.env.AWS_ACCESS_KEY_ID!,
+    secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY!,
+  });
+  ```
+
+  When mounted in a sandbox, only the contents under `workspace/data/` in the bucket will be visible at the mount path. This uses the s3fs `bucket:/path` syntax under the hood.
+
+  Closes #15147.
+
+### Patch Changes
+
+- Updated dependencies [[`f112db1`](https://github.com/mastra-ai/mastra/commit/f112db179557ae9b5a0f1d25dc47f928d7d61cd9), [`21d9706`](https://github.com/mastra-ai/mastra/commit/21d970604d89eee970cbf8013d26d7551aff6ea5), [`0a0aa94`](https://github.com/mastra-ai/mastra/commit/0a0aa94729592e99885af2efb90c56aaada62247), [`ed07df3`](https://github.com/mastra-ai/mastra/commit/ed07df32a9d539c8261e892fc1bade783f5b41a6), [`01a7d51`](https://github.com/mastra-ai/mastra/commit/01a7d513493d21562f677f98550f7ceb165ba78c)]:
+  - @mastra/core@1.27.0
+
 ## 0.3.0-alpha.0
 
 ### Minor Changes

package/README.md

@@ -2,7 +2,7 @@
 
 Daytona cloud sandbox provider for [Mastra](https://mastra.ai) workspaces.
 
-Implements the `WorkspaceSandbox` interface using [Daytona](https://www.daytona.io/) sandboxes. Supports multiple runtimes, resource configuration, volumes, snapshots, streaming output, sandbox reconnection, and filesystem mounting (S3, GCS).
+Implements the `WorkspaceSandbox` interface using [Daytona](https://www.daytona.io/) sandboxes. Supports multiple runtimes, resource configuration, volumes, snapshots, streaming output, sandbox reconnection, and filesystem mounting (S3, GCS, Azure Blob).
 
 ## Install
 
@@ -10,7 +10,7 @@ Implements the `WorkspaceSandbox` interface using [Daytona](https://www.daytona.
 pnpm add @mastra/daytona @mastra/core
 
 # For filesystem mounting (optional)
-pnpm add @mastra/s3 @mastra/gcs
+pnpm add @mastra/s3 @mastra/gcs @mastra/azure
 ```
 
 ## Usage
@@ -101,7 +101,7 @@ console.log(result.stdout); // "session 1"
 
 ### Filesystem mounting
 
-Mount S3 or GCS buckets as local directories inside the sandbox.
+Mount S3, GCS, or Azure Blob containers as local directories inside the sandbox.
 
 #### Via workspace mounts config
 
@@ -112,6 +112,7 @@ import { Workspace } from '@mastra/core/workspace';
 import { DaytonaSandbox } from '@mastra/daytona';
 import { GCSFilesystem } from '@mastra/gcs';
 import { S3Filesystem } from '@mastra/s3';
+import { AzureBlobFilesystem } from '@mastra/azure/blob';
 
 const workspace = new Workspace({
   mounts: {
@@ -127,6 +128,11 @@ const workspace = new Workspace({
       projectId: 'my-project-id',
       credentials: JSON.parse(process.env.GCS_SERVICE_ACCOUNT_KEY!),
     }),
+    '/azure-data': new AzureBlobFilesystem({
+      container: process.env.AZURE_STORAGE_CONTAINER!,
+      connectionString: process.env.AZURE_STORAGE_CONNECTION_STRING,
+      prefix: 'workspace/data',
+    }),
   },
   sandbox: new DaytonaSandbox({ language: 'python' }),
 });
@@ -194,6 +200,21 @@ await sandbox.mount(
 );
 ```
 
+#### Azure Blob
+
+```typescript
+import { AzureBlobFilesystem } from '@mastra/azure/blob';
+
+await sandbox.mount(
+  new AzureBlobFilesystem({
+    container: process.env.AZURE_STORAGE_CONTAINER!,
+    connectionString: process.env.AZURE_STORAGE_CONNECTION_STRING,
+    prefix: 'workspace/data',
+  }),
+  '/data',
+);
+```
+
 ### Network isolation
 
 Restrict outbound network access:
@@ -270,7 +291,7 @@ console.log(response.text);
 
 ## Mount Configuration
 
-Pass `S3Filesystem` or `GCSFilesystem` instances via the workspace `mounts` config or directly to `sandbox.mount()`.
+Pass `S3Filesystem`, `GCSFilesystem`, or `AzureBlobFilesystem` instances via the workspace `mounts` config or directly to `sandbox.mount()`.
 
 ### S3 environment variables
 
@@ -289,9 +310,16 @@ Pass `S3Filesystem` or `GCSFilesystem` instances via the workspace `mounts` conf
 | `GCS_BUCKET`              | Bucket name                                             |
 | `GCS_SERVICE_ACCOUNT_KEY` | Service account key JSON (full JSON string, not a path) |
 
+### Azure Blob environment variables
+
+| Variable                          | Description               |
+| --------------------------------- | ------------------------- |
+| `AZURE_STORAGE_CONTAINER`         | Container name            |
+| `AZURE_STORAGE_CONNECTION_STRING` | Storage connection string |
+
 ### Reducing cold start latency with a snapshot
 
-By default, `s3fs` and `gcsfuse` are installed at first mount via `apt`, which adds startup time. To eliminate this, prebake them into a Daytona snapshot and pass the snapshot name via the `snapshot` option.
+By default, `s3fs`, `gcsfuse`, and `blobfuse2` are installed at first mount, which adds startup time. To eliminate this, prebake them into a Daytona snapshot and pass the snapshot name via the `snapshot` option.
 
 Create the snapshot once:
 
@@ -321,6 +349,8 @@ await daytona.snapshot.create(
 );
 ```
 
+If you use Azure Blob mounts, also pre-install `blobfuse2` in the snapshot using Azure's supported package for your base image. See Azure's [BlobFuse2 installation guide](https://learn.microsoft.com/en-us/azure/storage/blobs/blobfuse2-how-to-deploy) for supported install options.
+
 Then use the snapshot name in your sandbox config:
 
 ```typescript

package/dist/index.cjs

@@ -268,6 +268,250 @@ Sandbox network response: ${checkOutput}` : "")
     throw new Error(`Failed to mount GCS bucket: ${result.stderr || result.stdout}`);
   }
 }
+var SAFE_CONTAINER_NAME = /^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$/;
+var BLOBFUSE2_GITHUB_DEB = "https://github.com/Azure/azure-storage-fuse/releases/download/blobfuse2-2.5.1/blobfuse2-2.5.1-Ubuntu-22.04.x86_64.deb";
+function validateContainerName(name) {
+  if (!SAFE_CONTAINER_NAME.test(name) || name.includes("--")) {
+    throw new Error(
+      `Invalid Azure container name: "${name}". Container names must be 3-63 lowercase alphanumeric characters or hyphens, with no consecutive hyphens.`
+    );
+  }
+}
+function parseConnectionString(cs) {
+  const out = {};
+  for (const part of cs.split(";")) {
+    const eq = part.indexOf("=");
+    if (eq === -1) continue;
+    const key = part.slice(0, eq).trim();
+    const value = part.slice(eq + 1).trim();
+    if (!value) continue;
+    if (key === "AccountName") out.accountName = value;
+    else if (key === "AccountKey") out.accountKey = value;
+    else if (key === "SharedAccessSignature") out.sasToken = value;
+    else if (key === "BlobEndpoint") out.endpoint = value;
+    else if (key === "EndpointSuffix") out.endpointSuffix = value;
+    else if (key === "DefaultEndpointsProtocol") out.protocol = value;
+  }
+  if (!out.endpoint && out.accountName) {
+    out.endpoint = `${out.protocol || "https"}://${out.accountName}.blob.${out.endpointSuffix || "core.windows.net"}`;
+  }
+  return out;
+}
+function yamlString(value) {
+  return `"${value.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`;
+}
+function parseOsRelease(output) {
+  const values = {};
+  for (const line of output.split("\n")) {
+    const eq = line.indexOf("=");
+    if (eq === -1) continue;
+    const key = line.slice(0, eq);
+    const value = line.slice(eq + 1).trim().replace(/^"|"$/g, "");
+    values[key] = value;
+  }
+  return values;
+}
+function resolveMicrosoftAptRepos(osReleaseOutput) {
+  const osRelease = parseOsRelease(osReleaseOutput);
+  const distroId = osRelease.ID || "ubuntu";
+  const codename = osRelease.VERSION_CODENAME || (distroId === "debian" ? "bookworm" : "jammy");
+  const versionId = osRelease.VERSION_ID || (distroId === "debian" ? "12" : "22.04");
+  if (!/^[a-z0-9][a-z0-9-]*$/.test(codename)) {
+    throw new Error(`Invalid distro codename for blobfuse2 repo: "${codename}"`);
+  }
+  if (!/^\d+(?:\.\d+)?$/.test(versionId)) {
+    throw new Error(`Invalid distro version for blobfuse2 repo: "${versionId}"`);
+  }
+  if (distroId === "debian") {
+    const repos = [
+      { repoUrl: `https://packages.microsoft.com/debian/${versionId.split(".")[0]}/prod`, suite: codename }
+    ];
+    if (versionId.split(".")[0] !== "12" || codename !== "bookworm") {
+      repos.push({ repoUrl: "https://packages.microsoft.com/debian/12/prod", suite: "bookworm" });
+    }
+    return repos;
+  }
+  if (distroId === "ubuntu") {
+    const repos = [{ repoUrl: `https://packages.microsoft.com/ubuntu/${versionId}/prod`, suite: codename }];
+    if (versionId !== "24.04" || codename !== "noble") {
+      repos.push({ repoUrl: "https://packages.microsoft.com/ubuntu/24.04/prod", suite: "noble" });
+    }
+    if (versionId !== "22.04" || codename !== "jammy") {
+      repos.push({ repoUrl: "https://packages.microsoft.com/ubuntu/22.04/prod", suite: "jammy" });
+    }
+    return repos;
+  }
+  throw new Error(`Unsupported distro for blobfuse2 runtime installation: "${distroId}"`);
+}
+function resolveAuth(config) {
+  let accountName = config.accountName;
+  let accountKey = config.accountKey;
+  let sasToken = config.sasToken;
+  let endpoint = config.endpoint;
+  if (config.connectionString) {
+    const parsed = parseConnectionString(config.connectionString);
+    accountName = accountName ?? parsed.accountName;
+    accountKey = accountKey ?? parsed.accountKey;
+    sasToken = sasToken ?? parsed.sasToken;
+    endpoint = endpoint ?? parsed.endpoint;
+  }
+  let mode;
+  if (config.useDefaultCredential) {
+    mode = "msi";
+  } else if (sasToken) {
+    mode = "sas";
+  } else if (accountKey) {
+    mode = "key";
+  } else {
+    throw new Error(
+      "Azure Blob mount requires credentials: provide connectionString, accountKey + accountName, sasToken + accountName, or useDefaultCredential."
+    );
+  }
+  if (!accountName) {
+    throw new Error("Azure Blob mount requires an accountName (either explicitly or via connectionString).");
+  }
+  if (endpoint) {
+    validateEndpoint(endpoint);
+  }
+  return { mode, accountName, accountKey, sasToken, endpoint };
+}
+function buildBlobfuseConfig(container, auth, cachePath, readOnly) {
+  const lines = [
+    "allow-other: true",
+    "foreground: false",
+    `read-only: ${readOnly ? "true" : "false"}`,
+    "logging:",
+    "  type: silent",
+    "components:",
+    "  - libfuse",
+    "  - file_cache",
+    "  - attr_cache",
+    "  - azstorage",
+    "libfuse:",
+    "  attribute-expiration-sec: 240",
+    "  entry-expiration-sec: 240",
+    "  negative-entry-expiration-sec: 120",
+    "file_cache:",
+    `  path: ${yamlString(cachePath)}`,
+    "  timeout-sec: 120",
+    "attr_cache:",
+    "  timeout-sec: 7200",
+    "azstorage:",
+    `  mode: ${auth.mode}`,
+    `  account-name: ${yamlString(auth.accountName)}`,
+    `  container: ${yamlString(container)}`
+  ];
+  if (auth.mode === "key" && auth.accountKey) {
+    lines.push(`  account-key: ${yamlString(auth.accountKey)}`);
+  } else if (auth.mode === "sas" && auth.sasToken) {
+    lines.push(`  sas: ${yamlString(auth.sasToken)}`);
+  }
+  if (auth.endpoint) {
+    lines.push(`  endpoint: ${yamlString(auth.endpoint.replace(/\/$/, ""))}`);
+  }
+  return lines.join("\n") + "\n";
+}
+async function mountAzure(mountPath, config, ctx) {
+  const { run, writeFile, logger } = ctx;
+  validateContainerName(config.container);
+  const auth = resolveAuth(config);
+  const prefix = config.prefix ? validatePrefix(config.prefix) : void 0;
+  const quotedMountPath = shellQuote(mountPath);
+  const curlCheck = await run('which curl 2>/dev/null || echo "not found"', 3e4);
+  if (curlCheck.stdout.includes("not found")) {
+    const curlInstall = await run("sudo apt-get update -qq 2>&1 && sudo apt-get install -y curl 2>&1", 12e4);
+    if (curlInstall.exitCode !== 0) {
+      throw new Error(
+        `Failed to install curl for Azure Blob reachability check: ${curlInstall.stderr || curlInstall.stdout}`
+      );
+    }
+  }
+  const probeUrl = auth.endpoint ? auth.endpoint.replace(/\/$/, "") : `https://${auth.accountName}.blob.core.windows.net`;
+  const connectivityCheck = await run(`curl -sS --max-time 5 ${shellQuote(probeUrl)} 2>&1`, 1e4);
+  const checkOutput = connectivityCheck.stdout.trim();
+  if (connectivityCheck.exitCode !== 0 || checkOutput.toLowerCase().includes("restricted") || checkOutput.toLowerCase().includes("blocked")) {
+    throw new Error(
+      `Cannot reach ${probeUrl} from this sandbox. Azure Blob mounting requires network access to the storage endpoint, which may be blocked on Daytona's restricted tiers. Upgrade to a tier with unrestricted internet access, or contact Daytona support to remove the network restriction.` + (checkOutput ? `
+
+Sandbox network response: ${checkOutput}` : "")
+    );
+  }
+  const checkResult = await run('which blobfuse2 2>/dev/null || echo "not found"', 3e4);
+  if (checkResult.stdout.includes("not found")) {
+    logger.warn(`${LOG_PREFIX} blobfuse2 not found, attempting runtime installation...`);
+    logger.info(`${LOG_PREFIX} Tip: For faster startup, pre-install blobfuse2 in your sandbox image`);
+    await run("sudo apt-get update -qq 2>&1", 6e4);
+    const prepResult = await run("sudo apt-get install -y curl gnupg 2>&1", 12e4);
+    if (prepResult.exitCode !== 0) {
+      throw new Error(
+        `Failed to install blobfuse2 prerequisites (curl, gnupg): ${prepResult.stderr || prepResult.stdout}`
+      );
+    }
+    const osReleaseResult = await run("cat /etc/os-release 2>/dev/null || true", 3e4);
+    const repos = resolveMicrosoftAptRepos(osReleaseResult.stdout);
+    const repoSetup = await run(
+      "sudo mkdir -p /etc/apt/keyrings && curl --retry 3 --retry-all-errors --retry-delay 2 -fsSL https://packages.microsoft.com/keys/microsoft.asc -o /tmp/ms-key.asc && sudo gpg --batch --yes --dearmor -o /etc/apt/keyrings/microsoft.gpg /tmp/ms-key.asc",
+      3e4
+    );
+    let installResult;
+    if (repoSetup.exitCode === 0) {
+      for (const { repoUrl, suite } of repos) {
+        await run(
+          `echo "deb [signed-by=/etc/apt/keyrings/microsoft.gpg] ${repoUrl} ${suite} main" | sudo tee /etc/apt/sources.list.d/microsoft-prod.list`,
+          3e4
+        );
+        await run("sudo apt-get update -qq 2>&1 || true", 6e4);
+        installResult = await run("sudo apt-get install -y blobfuse2 fuse3 2>&1", 12e4);
+        if (installResult.exitCode === 0) break;
+        logger.warn(`${LOG_PREFIX} blobfuse2 install failed for ${repoUrl} ${suite}, trying fallback if available`);
+      }
+    } else {
+      logger.warn(`${LOG_PREFIX} Failed to set up Microsoft apt repository, trying GitHub release fallback`);
+    }
+    let verifyResult = await run("which blobfuse2 && blobfuse2 --version", 3e4);
+    if (verifyResult.exitCode !== 0) {
+      installResult = await run(
+        `sudo apt-get update -qq 2>&1 || true && sudo apt-get install -y fuse3 ca-certificates curl 2>&1 && curl -L --retry 3 --retry-all-errors --retry-delay 2 -fSLo /tmp/blobfuse2.deb ${BLOBFUSE2_GITHUB_DEB} && sudo dpkg -i /tmp/blobfuse2.deb 2>&1 && sudo bash -c 'lib=$(find /usr/lib -name "libfuse3.so.3.*" | head -1); [ -z "$lib" ] || ln -sf "$lib" /usr/lib/x86_64-linux-gnu/libfuse3.so.3'`,
+        18e4
+      );
+      verifyResult = await run("which blobfuse2 && blobfuse2 --version", 3e4);
+    }
+    if (!installResult || verifyResult.exitCode !== 0) {
+      throw new Error(
+        `Failed to install blobfuse2: ${verifyResult.stderr || verifyResult.stdout || installResult?.stderr || installResult?.stdout || "unknown error"}`
+      );
+    }
+  }
+  const idResult = await run("id -u && id -g", 3e4);
+  const [uid, gid] = idResult.stdout.trim().split("\n");
+  const validUidGid = uid && gid && /^\d+$/.test(uid) && /^\d+$/.test(gid);
+  await run(
+    `sudo chmod a+rw /dev/fuse 2>/dev/null || true; sudo bash -c 'grep -q "^user_allow_other" /etc/fuse.conf 2>/dev/null || echo "user_allow_other" >> /etc/fuse.conf' 2>/dev/null || true`
+  );
+  const mountHash = crypto.createHash("md5").update(mountPath).digest("hex").slice(0, 8);
+  const configPath = `/tmp/.blobfuse2-config-${mountHash}.yaml`;
+  const cachePath = `/tmp/blobfuse2-cache-${mountHash}`;
+  const yaml = buildBlobfuseConfig(config.container, auth, cachePath, !!config.readOnly);
+  await run(`sudo rm -f ${shellQuote(configPath)}`, 3e4);
+  await writeFile(configPath, yaml);
+  await run(`chmod 600 ${shellQuote(configPath)}`, 3e4);
+  await run(`sudo rm -rf ${shellQuote(cachePath)} && mkdir -p ${shellQuote(cachePath)}`, 3e4);
+  if (validUidGid) {
+    await run(`sudo chown ${uid}:${gid} ${shellQuote(cachePath)} 2>/dev/null || true`, 3e4);
+  }
+  const prefixFlags = prefix ? ` --virtual-directory=true --subdirectory=${shellQuote(prefix)}` : "";
+  const mountCmd = `blobfuse2 mount ${quotedMountPath} --config-file=${shellQuote(configPath)}${prefixFlags}`;
+  logger.debug(`${LOG_PREFIX} Mounting Azure Blob:`, mountCmd);
+  const result = await run(mountCmd, 6e4);
+  logger.debug(`${LOG_PREFIX} blobfuse2 result:`, {
+    exitCode: result.exitCode,
+    stdout: result.stdout,
+    stderr: result.stderr
+  });
+  if (result.exitCode !== 0) {
+    throw new Error(`Failed to mount Azure Blob container: ${result.stderr || result.stdout}`);
+  }
+}
 var DaytonaProcessHandle = class extends workspace.ProcessHandle {
   pid;
   _cmdId;
@@ -840,6 +1084,11 @@ var DaytonaSandbox = class _DaytonaSandbox extends workspace.MastraSandbox {
           await mountGCS(mountPath, config, mountCtx);
           this.logger.debug(`${LOG_PREFIX} Mounted GCS bucket at ${mountPath}`);
           break;
+        case "azure-blob":
+          this.logger.debug(`${LOG_PREFIX} Mounting Azure Blob at "${mountPath}"...`);
+          await mountAzure(mountPath, config, mountCtx);
+          this.logger.debug(`${LOG_PREFIX} Mounted Azure Blob container at ${mountPath}`);
+          break;
         default: {
           const error = `Unsupported mount type: ${config.type}`;
           this.mounts.set(mountPath, { filesystem, state: "unsupported", config, error });
@@ -909,7 +1158,7 @@ var DaytonaSandbox = class _DaytonaSandbox extends workspace.MastraSandbox {
     try {
       const mountsResult = await runCommand(
         sandbox,
-        `grep -E 'fuse\\.(s3fs|gcsfuse)' /proc/mounts | awk '{print $2}'`,
+        `grep -E 'fuse\\.(s3fs|gcsfuse|blobfuse2)' /proc/mounts | awk '{print $2}'`,
         { timeout: MOUNT_COMMAND_TIMEOUT_MS }
       );
       currentMounts = mountsResult.output.trim().split("\n").filter((p) => p.length > 0);