@sentry/junior 0.41.0 → 0.43.0

package/dist/{chunk-SCE5C645.js → chunk-BCG3I2T2.js}

@@ -1347,7 +1347,7 @@ var stringMapSchema = z.record(z.string(), z.unknown()).transform((record, ctx)
   }
   return result;
 });
-var apiDomainsSchema = z.array(z.unknown()).min(1, {
+var domainsSchema = z.array(z.unknown()).min(1, {
   error: "must be a non-empty array of strings"
 }).transform((domains, ctx) => {
   return domains.map((rawDomain) => {
@@ -1370,7 +1370,7 @@ var apiDomainsSchema = z.array(z.unknown()).min(1, {
   });
 });
 var baseCredentialsSchema = z.object({
-  "api-domains": apiDomainsSchema,
+  domains: domainsSchema.optional(),
   "api-headers": stringMapSchema.optional(),
   "auth-token-env": envVarString,
   "auth-token-placeholder": nonEmptyTrimmedString.optional()
@@ -1438,7 +1438,7 @@ var manifestSourceSchema = z.object({
   "config-keys": z.array(z.string(), {
     error: "must be an array when provided"
   }).optional(),
-  "api-domains": apiDomainsSchema.optional(),
+  domains: domainsSchema.optional(),
   "api-headers": stringMapSchema.optional(),
   "command-env": stringMapSchema.optional(),
   credentials: z.record(z.string(), z.unknown(), {
@@ -1493,9 +1493,13 @@ function normalizeStringMap(value, prefix, options = {}) {
   }
   return value;
 }
+function envReferences(value) {
+  return Array.from(value.matchAll(ENV_PLACEHOLDER_RE), (match) => {
+    return match[1];
+  });
+}
 function assertDeclaredEnvReferences(value, envVars, context) {
-  for (const match of value.matchAll(ENV_PLACEHOLDER_RE)) {
-    const name = match[1];
+  for (const name of envReferences(value)) {
     if (!Object.prototype.hasOwnProperty.call(envVars, name)) {
       throw new Error(
         `${context} references env var ${name} which is not declared in env-vars`
@@ -1518,21 +1522,25 @@ function normalizeRequiredApiHeaders(value, prefix, envVars) {
   }
   return apiHeaders;
 }
-function assertCommandEnvReferencesArePublic(value, envVars, context) {
-  for (const match of value.matchAll(ENV_PLACEHOLDER_RE)) {
-    const name = match[1];
+function assertCommandEnvReferencesDeclared(value, envVars, context) {
+  for (const name of envReferences(value)) {
     if (!Object.prototype.hasOwnProperty.call(envVars, name)) {
       throw new Error(
         `${context} references env var ${name} which is not declared in env-vars`
       );
     }
-    if (envVars[name]?.default === void 0) {
-      throw new Error(
-        `${context} references env var ${name}, but command-env env vars must declare defaults`
-      );
-    }
   }
 }
+function expandCommandEnvPlaceholders(template, envVars, context) {
+  return template.replace(ENV_PLACEHOLDER_RE, (match, name) => {
+    const varName = name;
+    const declaration = envVars[varName];
+    if (declaration?.default === void 0) {
+      return match;
+    }
+    return expandEnvPlaceholders(match, envVars, context);
+  });
+}
 function normalizeCommandEnv(value, prefix, envVars) {
   const env = normalizeStringMap(value, prefix);
   if (!env) {
@@ -1542,15 +1550,47 @@ function normalizeCommandEnv(value, prefix, envVars) {
     if (!ENV_VAR_NAME_RE.test(key)) {
       throw new Error(`${prefix}.${key} must be an uppercase env var name`);
     }
-    assertCommandEnvReferencesArePublic(envValue, envVars, `${prefix}.${key}`);
+    assertCommandEnvReferencesDeclared(envValue, envVars, `${prefix}.${key}`);
   }
   return Object.fromEntries(
     Object.entries(env).map(([key, envValue]) => [
       key,
-      expandEnvPlaceholders(envValue, envVars, `${prefix}.${key}`)
+      expandCommandEnvPlaceholders(envValue, envVars, `${prefix}.${key}`)
     ])
   );
 }
+function assertCommandEnvDoesNotExposeHostSecretRefs(commandEnv, apiHeaders, credentials, oauth, pluginName) {
+  if (!commandEnv) {
+    return;
+  }
+  const hostOnlyRefs = /* @__PURE__ */ new Set();
+  for (const value of Object.values(apiHeaders ?? {})) {
+    for (const name of envReferences(value)) {
+      hostOnlyRefs.add(name);
+    }
+  }
+  if (credentials) {
+    hostOnlyRefs.add(credentials.authTokenEnv);
+    if (credentials.type === "github-app") {
+      hostOnlyRefs.add(credentials.appIdEnv);
+      hostOnlyRefs.add(credentials.privateKeyEnv);
+      hostOnlyRefs.add(credentials.installationIdEnv);
+    }
+  }
+  if (oauth) {
+    hostOnlyRefs.add(oauth.clientIdEnv);
+    hostOnlyRefs.add(oauth.clientSecretEnv);
+  }
+  for (const [key, value] of Object.entries(commandEnv)) {
+    for (const name of envReferences(value)) {
+      if (hostOnlyRefs.has(name)) {
+        throw new Error(
+          `Plugin ${pluginName} command-env.${key} references env var ${name}, but credential/API header env vars must stay host-only`
+        );
+      }
+    }
+  }
+}
 function normalizeCredentials(data, name) {
   const schema = data.type === "oauth-bearer" ? oauthBearerCredentialsSchema : data.type === "github-app" ? githubAppCredentialsSchema : void 0;
   if (!schema) {
@@ -1562,6 +1602,10 @@ function normalizeCredentials(data, name) {
   if (!result.success) {
     throw new Error(issueMessage(result.error, `Plugin ${name} credentials`));
   }
+  if (!result.data.domains) {
+    throw new Error(`Plugin ${name} credentials requires domains`);
+  }
+  const domains = result.data.domains;
   if (result.data.type === "oauth-bearer") {
     const apiHeaders2 = result.data["api-headers"] ? normalizeStringMap(
       result.data["api-headers"],
@@ -1570,7 +1614,7 @@ function normalizeCredentials(data, name) {
     ) : void 0;
     return {
       type: "oauth-bearer",
-      apiDomains: result.data["api-domains"],
+      domains,
       ...apiHeaders2 ? { apiHeaders: apiHeaders2 } : {},
       authTokenEnv: result.data["auth-token-env"],
       ...result.data["auth-token-placeholder"] ? { authTokenPlaceholder: result.data["auth-token-placeholder"] } : {}
@@ -1583,7 +1627,7 @@ function normalizeCredentials(data, name) {
   ) : void 0;
   return {
     type: "github-app",
-    apiDomains: result.data["api-domains"],
+    domains,
     ...apiHeaders ? { apiHeaders } : {},
     authTokenEnv: result.data["auth-token-env"],
     ...result.data["auth-token-placeholder"] ? { authTokenPlaceholder: result.data["auth-token-placeholder"] } : {},
@@ -1722,7 +1766,7 @@ var envVarDeclarationSchema = z.preprocess(
   (value) => value === null || value === void 0 ? {} : value,
   z.object({
     default: z.string().optional()
-  }).passthrough()
+  }).strict()
 );
 function normalizeEnvVars(data, pluginName) {
   const normalized = {};
@@ -1825,9 +1869,9 @@ function parsePluginManifest(raw, dir) {
         `Plugin ${parsedYaml.name ?? "unknown"} config-keys must be an array when provided`
       );
     }
-    if (path3 === "api-domains") {
+    if (path3 === "domains") {
       throw new Error(
-        `Plugin ${parsedYaml.name ?? "unknown"} api-domains must be a non-empty array of domains`
+        `Plugin ${parsedYaml.name ?? "unknown"} ${path3} must be a non-empty array of domains`
       );
     }
     if (path3 === "api-headers") {
@@ -1898,11 +1942,14 @@ function parsePluginManifest(raw, dir) {
     `Plugin ${data.name} api-headers`,
     envVars
   ) : void 0;
-  if (apiHeaders && !data["api-domains"]) {
-    throw new Error(`Plugin ${data.name} api-headers requires api-domains`);
+  const domains = data.domains;
+  if (apiHeaders && !domains) {
+    throw new Error(`Plugin ${data.name} api-headers requires domains`);
   }
-  if (data["api-domains"] && !apiHeaders) {
-    throw new Error(`Plugin ${data.name} api-domains requires api-headers`);
+  if (domains && !apiHeaders && !data.credentials) {
+    throw new Error(
+      `Plugin ${data.name} domains requires credentials or api-headers`
+    );
   }
   const commandEnv = data["command-env"] ? normalizeCommandEnv(
     data["command-env"],
@@ -1923,7 +1970,7 @@ function parsePluginManifest(raw, dir) {
     description: data.description,
     capabilities,
     configKeys,
-    ...data["api-domains"] ? { apiDomains: data["api-domains"] } : {},
+    ...domains ? { domains } : {},
     ...apiHeaders ? { apiHeaders } : {},
     ...commandEnv ? { commandEnv } : {},
     ...Object.keys(envVars).length > 0 ? { envVars } : {},
@@ -1970,6 +2017,13 @@ function parsePluginManifest(raw, dir) {
       ...tokenExtraHeaders ? { tokenExtraHeaders } : {}
     };
   }
+  assertCommandEnvDoesNotExposeHostSecretRefs(
+    data["command-env"],
+    apiHeaders,
+    credentials,
+    manifest.oauth,
+    data.name
+  );
   if (data.target) {
     const result = targetSourceSchema.safeParse(data.target);
     if (!result.success) {
@@ -2023,14 +2077,45 @@ function mergeHeaderTransforms(transforms) {
   }));
 }
 
+// src/chat/plugins/command-env.ts
+var ENV_PLACEHOLDER_RE2 = /\$\{([A-Z_][A-Z0-9_]*)\}/g;
+function resolveValue(manifest, value) {
+  let missing = false;
+  const resolved = value.replace(ENV_PLACEHOLDER_RE2, (match, name) => {
+    const envName = name;
+    const declaration = manifest.envVars?.[envName];
+    if (!declaration || declaration.default !== void 0) {
+      return match;
+    }
+    const hostValue = process.env[envName];
+    if (hostValue === void 0 || hostValue === "") {
+      missing = true;
+      return "";
+    }
+    return hostValue;
+  });
+  return missing ? void 0 : resolved;
+}
+function resolvePluginCommandEnv(manifest) {
+  const env = {};
+  for (const [key, value] of Object.entries(manifest.commandEnv ?? {})) {
+    const resolved = resolveValue(manifest, value);
+    if (resolved === void 0) {
+      continue;
+    }
+    env[key] = resolved;
+  }
+  return env;
+}
+
 // src/chat/plugins/auth/api-headers-broker.ts
 import { randomUUID } from "crypto";
 var MAX_LEASE_MS = 60 * 60 * 1e3;
-var ENV_PLACEHOLDER_RE2 = /\$\{([A-Z_][A-Z0-9_]*)\}/g;
+var ENV_PLACEHOLDER_RE3 = /\$\{([A-Z_][A-Z0-9_]*)\}/g;
 function resolveHeaders(provider, headers) {
   return Object.fromEntries(
     Object.entries(headers).map(([key, value]) => {
-      const resolved = value.replace(ENV_PLACEHOLDER_RE2, (_match, name) => {
+      const resolved = value.replace(ENV_PLACEHOLDER_RE3, (_match, name) => {
         const envName = name;
         const envValue = process.env[envName]?.trim();
         if (!envValue) {
@@ -2045,12 +2130,12 @@ function resolveHeaders(provider, headers) {
   );
 }
 function resolveApiHeaderTransforms(manifest) {
-  const { apiDomains, apiHeaders } = manifest;
-  if (!apiDomains || !apiHeaders) {
+  const { domains, apiHeaders } = manifest;
+  if (!domains || !apiHeaders) {
     return [];
   }
   const resolvedHeaders = resolveHeaders(manifest.name, apiHeaders);
-  return apiDomains.map((domain) => ({
+  return domains.map((domain) => ({
     domain,
     headers: resolvedHeaders
   }));
@@ -2066,7 +2151,7 @@ function createApiHeadersBroker(manifest) {
       return {
         id: randomUUID(),
         provider,
-        env: { ...manifest.commandEnv ?? {} },
+        env: resolvePluginCommandEnv(manifest),
         headerTransforms,
         expiresAt: new Date(Date.now() + MAX_LEASE_MS).toISOString(),
         metadata: {
@@ -2145,6 +2230,13 @@ function createAppJwt(appId, privateKeyEnv) {
   const signature = signer.sign(getPrivateKey(privateKeyEnv)).toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
   return `${signingInput}.${signature}`;
 }
+function resolveAppId(appIdEnv) {
+  const appId = process.env[appIdEnv]?.trim();
+  if (!appId) {
+    throw new Error(`Missing ${appIdEnv}`);
+  }
+  return appId;
+}
 async function githubRequest(apiBase, path3, params) {
   const response = await fetch(`${apiBase}${path3}`, {
     method: params.method ?? "GET",
@@ -2171,6 +2263,16 @@ async function githubRequest(apiBase, path3, params) {
   }
   return parsed;
 }
+function resolveGitHubApiDomain(credentials) {
+  const apiDomain = credentials.domains.find((domain) => {
+    const normalizedDomain = domain.toLowerCase();
+    return normalizedDomain === "api.github.com" || normalizedDomain.startsWith("api.");
+  });
+  if (!apiDomain) {
+    throw new Error("GitHub App provider requires an API domain");
+  }
+  return apiDomain;
+}
 var KNOWN_SCOPES = /* @__PURE__ */ new Set([
   "actions",
   "administration",
@@ -2220,37 +2322,60 @@ function capabilitiesToPermissions(capabilities, pluginName) {
   return permissions;
 }
 function createGitHubAppBroker(manifest, credentials) {
-  const tokenCache = /* @__PURE__ */ new Map();
   const provider = manifest.name;
   const {
-    apiDomains,
+    domains,
     apiHeaders,
     authTokenEnv,
     appIdEnv,
     privateKeyEnv,
     installationIdEnv
   } = credentials;
-  const apiBase = `https://${apiDomains[0]}`;
+  const apiDomain = resolveGitHubApiDomain(credentials);
+  const apiBase = `https://${apiDomain}`;
   const placeholder = resolveAuthTokenPlaceholder(credentials);
   const pluginHeaderTransforms = () => resolveApiHeaderTransforms(manifest);
-  const GIT_DOMAIN = "github.com";
-  const GIT_CAPABILITIES = /* @__PURE__ */ new Set([
-    `${provider}.contents.read`,
-    `${provider}.contents.write`
-  ]);
-  const leaseDomains = manifest.capabilities.some(
-    (capability) => GIT_CAPABILITIES.has(capability)
-  ) ? [...apiDomains, GIT_DOMAIN] : apiDomains;
+  const leaseDomains = [...new Set(domains)];
   function authorizationFor(domain, token) {
-    if (domain === GIT_DOMAIN) {
+    if (isGitSmartHttpDomain(domain)) {
       return `Basic ${Buffer.from(`x-access-token:${token}`).toString("base64")}`;
     }
     return `Bearer ${token}`;
   }
+  function isGitSmartHttpDomain(domain) {
+    const normalizedDomain = domain.toLowerCase();
+    const normalizedApiDomain = apiDomain.toLowerCase();
+    return normalizedDomain === "github.com" || normalizedApiDomain.startsWith("api.") && normalizedDomain === normalizedApiDomain.slice("api.".length);
+  }
   const permissions = capabilitiesToPermissions(
     manifest.capabilities,
     provider
   );
+  function createLease(params) {
+    return {
+      id: randomUUID2(),
+      provider,
+      env: {
+        ...resolvePluginCommandEnv(manifest),
+        [authTokenEnv]: placeholder
+      },
+      headerTransforms: mergeHeaderTransforms([
+        ...pluginHeaderTransforms(),
+        ...leaseDomains.map((domain) => ({
+          domain,
+          headers: {
+            ...apiHeaders ?? {},
+            Authorization: authorizationFor(domain, params.token)
+          }
+        }))
+      ]),
+      expiresAt: new Date(params.expiresAtMs).toISOString(),
+      metadata: {
+        installationId: String(params.installationId),
+        reason: params.reason
+      }
+    };
+  }
   function resolveInstallationId() {
     const installationIdRaw = process.env[installationIdEnv]?.trim();
     if (!installationIdRaw) {
@@ -2265,38 +2390,10 @@ function createGitHubAppBroker(manifest, credentials) {
   return {
     async issue(input) {
       const installationId = resolveInstallationId();
-      const cacheKey = String(installationId);
-      const cached = tokenCache.get(cacheKey);
-      const now = Date.now();
-      if (cached && cached.expiresAt - now > 2 * 60 * 1e3) {
-        return {
-          id: randomUUID2(),
-          provider,
-          env: { ...manifest.commandEnv ?? {}, [authTokenEnv]: placeholder },
-          headerTransforms: mergeHeaderTransforms([
-            ...pluginHeaderTransforms(),
-            ...leaseDomains.map((domain) => ({
-              domain,
-              headers: {
-                ...apiHeaders ?? {},
-                Authorization: authorizationFor(domain, cached.token)
-              }
-            }))
-          ]),
-          expiresAt: new Date(cached.expiresAt).toISOString(),
-          metadata: {
-            installationId: String(cached.installationId),
-            reason: input.reason
-          }
-        };
-      }
       const tokenRequestBody = {
         permissions
       };
-      const appId = process.env[appIdEnv];
-      if (!appId) {
-        throw new Error(`Missing ${appIdEnv}`);
-      }
+      const appId = resolveAppId(appIdEnv);
       const appJwt = createAppJwt(appId, privateKeyEnv);
       const accessTokenResponse = await githubRequest(apiBase, `/app/installations/${installationId}/access_tokens`, {
         method: "POST",
@@ -2308,34 +2405,12 @@ function createGitHubAppBroker(manifest, credentials) {
         providerExpiresAtMs,
         Date.now() + MAX_LEASE_MS2
       );
-      tokenCache.set(cacheKey, {
+      return createLease({
         installationId,
         token: accessTokenResponse.token,
-        expiresAt: expiresAtMs
+        expiresAtMs,
+        reason: input.reason
       });
-      return {
-        id: randomUUID2(),
-        provider,
-        env: { ...manifest.commandEnv ?? {}, [authTokenEnv]: placeholder },
-        headerTransforms: mergeHeaderTransforms([
-          ...pluginHeaderTransforms(),
-          ...leaseDomains.map((domain) => ({
-            domain,
-            headers: {
-              ...apiHeaders ?? {},
-              Authorization: authorizationFor(
-                domain,
-                accessTokenResponse.token
-              )
-            }
-          }))
-        ]),
-        expiresAt: new Date(expiresAtMs).toISOString(),
-        metadata: {
-          installationId: String(installationId),
-          reason: input.reason
-        }
-      };
     }
   };
 }
@@ -2488,7 +2563,7 @@ function getLeaseExpiry(expiresAt) {
 }
 function createOAuthBearerBroker(manifest, credentials, deps) {
   const provider = manifest.name;
-  const { apiDomains, apiHeaders, authTokenEnv } = credentials;
+  const { domains, apiHeaders, authTokenEnv } = credentials;
   const authTokenPlaceholder = resolveAuthTokenPlaceholder(credentials);
   const pluginHeaderTransforms = () => resolveApiHeaderTransforms(manifest);
   function buildLease(token, expiresAtMs, reason) {
@@ -2496,12 +2571,12 @@ function createOAuthBearerBroker(manifest, credentials, deps) {
       id: randomUUID3(),
       provider,
       env: {
-        ...manifest.commandEnv ?? {},
+        ...resolvePluginCommandEnv(manifest),
         [authTokenEnv]: authTokenPlaceholder
       },
       headerTransforms: mergeHeaderTransforms([
         ...pluginHeaderTransforms(),
-        ...apiDomains.map((domain) => ({
+        ...domains.map((domain) => ({
           domain,
           headers: { ...apiHeaders ?? {}, Authorization: `Bearer ${token}` }
         }))
@@ -2616,15 +2691,24 @@ function createLoadedPluginState(signature) {
     signature,
     pluginDefinitions: [],
     capabilityToPlugin: /* @__PURE__ */ new Map(),
+    domainToPlugin: /* @__PURE__ */ new Map(),
     pluginConfigKeys: /* @__PURE__ */ new Set(),
     pluginsByName: /* @__PURE__ */ new Map(),
     packageSkillRoots: /* @__PURE__ */ new Set()
   };
 }
+function providerDomains(manifest) {
+  return [
+    .../* @__PURE__ */ new Set([
+      ...manifest.credentials?.domains ?? [],
+      ...manifest.domains ?? []
+    ])
+  ].sort((left, right) => left.localeCompare(right));
+}
 function registerPluginManifest(state, raw, pluginDir) {
   const manifest = parsePluginManifest(raw, pluginDir);
   if (state.pluginsByName.has(manifest.name)) {
-    return;
+    throw new Error(`Duplicate plugin name "${manifest.name}"`);
   }
   for (const cap of manifest.capabilities) {
     if (state.capabilityToPlugin.has(cap)) {
@@ -2633,6 +2717,14 @@ function registerPluginManifest(state, raw, pluginDir) {
       );
     }
   }
+  for (const domain of providerDomains(manifest)) {
+    const owner = state.domainToPlugin.get(domain);
+    if (owner) {
+      throw new Error(
+        `Duplicate provider domain "${domain}" in plugin "${manifest.name}" already declared by plugin "${owner}"`
+      );
+    }
+  }
   const definition = {
     manifest,
     dir: pluginDir,
@@ -2646,6 +2738,9 @@ function registerPluginManifest(state, raw, pluginDir) {
   for (const key of manifest.configKeys) {
     state.pluginConfigKeys.add(key);
   }
+  for (const domain of providerDomains(manifest)) {
+    state.domainToPlugin.set(domain, manifest.name);
+  }
 }
 function normalizePluginRoots(roots) {
   const resolved = [];
@@ -2967,6 +3062,7 @@ export {
   extractGenAiUsageSummary,
   extractGenAiUsageAttributes,
   mergeHeaderTransforms,
+  resolvePluginCommandEnv,
   resolveAuthTokenPlaceholder,
   parsePluginManifest,
   CredentialUnavailableError,

package/dist/{chunk-Y3UO7NR6.js → chunk-YSXHRIWR.js}

@@ -7,7 +7,7 @@ import {
   serializeGenAiAttribute,
   setSpanAttributes,
   withSpan
-} from "./chunk-SCE5C645.js";
+} from "./chunk-BCG3I2T2.js";
 
 // src/chat/state/adapter.ts
 import { createMemoryState } from "@chat-adapter/state-memory";
@@ -539,12 +539,13 @@ function buildNonInteractiveCommand(input) {
     ]
   };
 }
-async function runNonInteractiveCommand(runner, input) {
-  return await runner.runCommand({
+async function runNonInteractiveCommand(sandbox, input) {
+  const command = {
     ...buildNonInteractiveCommand(input),
     ...input.cwd ? { cwd: input.cwd } : {},
     ...input.sudo !== void 0 ? { sudo: input.sudo } : {}
-  });
+  };
+  return await sandbox.runCommand(command);
 }
 
 // src/chat/sandbox/credentials.ts
@@ -558,6 +559,39 @@ function getVercelSandboxCredentials() {
   return void 0;
 }
 
+// src/chat/sandbox/workspace.ts
+function createSandboxInstance(sandbox) {
+  return {
+    sandboxId: sandbox.name,
+    fs: sandbox.fs,
+    extendTimeout(duration) {
+      return sandbox.extendTimeout(duration);
+    },
+    mkDir(path) {
+      return sandbox.mkDir(path);
+    },
+    readFileToBuffer(input) {
+      return sandbox.readFileToBuffer(input);
+    },
+    runCommand(input) {
+      return sandbox.runCommand(input);
+    },
+    async snapshot() {
+      const snapshot = await sandbox.snapshot();
+      return { snapshotId: snapshot.snapshotId };
+    },
+    stop() {
+      return sandbox.stop();
+    },
+    update(params) {
+      return sandbox.update(params);
+    },
+    writeFiles(files) {
+      return sandbox.writeFiles(files);
+    }
+  };
+}
+
 // src/chat/sandbox/paths.ts
 function normalizeWorkspaceRoot(input) {
   const candidate = (input ?? "").trim();
@@ -906,11 +940,13 @@ async function createDependencySnapshot(profile, runtime, timeoutMs) {
     },
     async () => {
       const sandboxCredentials = getVercelSandboxCredentials();
-      const sandbox = await Sandbox.create({
-        timeout: timeoutMs,
-        runtime,
-        ...sandboxCredentials ?? {}
-      });
+      const sandbox = createSandboxInstance(
+        await Sandbox.create({
+          timeout: timeoutMs,
+          runtime,
+          ...sandboxCredentials ?? {}
+        })
+      );
       try {
         await installRuntimeDependencies(sandbox, profile.dependencies);
         await runRuntimePostinstall(sandbox, profile.postinstall);
@@ -927,7 +963,7 @@ async function createDependencySnapshot(profile, runtime, timeoutMs) {
         );
       } finally {
         try {
-          await sandbox.stop({ blocking: true });
+          await sandbox.stop();
         } catch {
         }
       }
@@ -1144,6 +1180,7 @@ export {
   buildNonInteractiveShellScript,
   runNonInteractiveCommand,
   getVercelSandboxCredentials,
+  createSandboxInstance,
   getRuntimeDependencyProfileHash,
   resolveRuntimeDependencySnapshot,
   isSnapshotMissingError

package/dist/{chunk-7QYONRLH.js → chunk-ZUUJTQ2H.js}

@@ -2,7 +2,7 @@ import {
   getPluginForSkillPath,
   getPluginSkillRoots,
   logWarn
-} from "./chunk-SCE5C645.js";
+} from "./chunk-BCG3I2T2.js";
 import {
   skillRoots
 } from "./chunk-XPXD3FCE.js";