npm - @sentry/junior - Versions diffs - 0.43.0 → 0.44.0 - Mend

@sentry/junior 0.43.0 → 0.44.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/app.js +75 -85
package/dist/{chunk-YSXHRIWR.js → chunk-QAMTCT2R.js} +3 -0
package/dist/cli/snapshot-warmup.js +1 -1
package/package.json +1 -1

package/dist/app.js CHANGED Viewed

@@ -31,7 +31,7 @@ import {
   runNonInteractiveCommand,
   sandboxSkillDir,
   sandboxSkillFile
-} from "./chunk-YSXHRIWR.js";
+} from "./chunk-QAMTCT2R.js";
 import {
   CredentialUnavailableError,
   buildOAuthTokenRequest,
@@ -8622,26 +8622,28 @@ function resolveSandboxEgressProviderForHost(host) {
     (entry) => entry.domains.some((domain) => matchesSandboxEgressDomain(host, domain))
   )?.provider;
 }
-function proxyUrl(sandboxId) {
+function proxyUrl(egressId) {
   const baseUrl = resolveBaseUrl();
   if (!baseUrl) {
     return void 0;
   }
   const url = new URL(
-    `${SANDBOX_EGRESS_PROXY_PATH}/${encodeURIComponent(sandboxId)}`,
+    `${SANDBOX_EGRESS_PROXY_PATH}/${encodeURIComponent(egressId)}`,
     baseUrl
   );
   return url.toString();
 }
-function buildSandboxEgressNetworkPolicy(sandboxId) {
-  const forwardURL = proxyUrl(sandboxId);
-  if (!forwardURL) {
-    return void 0;
-  }
+function buildSandboxEgressNetworkPolicy(egressId) {
   const entries = providerEntries();
   if (entries.length === 0) {
     return void 0;
   }
+  const forwardURL = proxyUrl(egressId);
+  if (!forwardURL) {
+    throw new Error(
+      "Cannot determine base URL for sandbox credential egress (set JUNIOR_BASE_URL or deploy to Vercel)"
+    );
+  }
   const allow = {
     "*": []
   };
@@ -8671,11 +8673,11 @@ import { randomUUID as randomUUID3 } from "crypto";
 var SANDBOX_EGRESS_SESSION_PREFIX = "sandbox-egress-session";
 var SANDBOX_EGRESS_LEASE_PREFIX = "sandbox-egress-lease";
 var DEFAULT_SESSION_TTL_MS = 30 * 60 * 1e3;
-function sessionKey2(sandboxId) {
-  return `${SANDBOX_EGRESS_SESSION_PREFIX}:${sandboxId}`;
+function sessionKey2(egressId) {
+  return `${SANDBOX_EGRESS_SESSION_PREFIX}:${egressId}`;
 }
-function leaseKey(sandboxId, provider, session) {
-  return `${SANDBOX_EGRESS_LEASE_PREFIX}:${sandboxId}:${provider}:${session.requesterId}:${session.activationId}`;
+function leaseKey(egressId, provider, session) {
+  return `${SANDBOX_EGRESS_LEASE_PREFIX}:${egressId}:${provider}:${session.requesterId}:${session.activationId}`;
 }
 function parseSession(value) {
   if (!value || typeof value !== "object") {
@@ -8730,19 +8732,19 @@ async function upsertSandboxEgressSession(input) {
     expiresAtMs: now + ttlMs,
     activationId: randomUUID3()
   };
-  await state.set(sessionKey2(input.sandboxId), session, ttlMs);
+  await state.set(sessionKey2(input.egressId), session, ttlMs);
 }
-async function clearSandboxEgressSession(sandboxId) {
+async function clearSandboxEgressSession(egressId) {
   const state = getStateAdapter();
   await state.connect();
-  await state.delete(sessionKey2(sandboxId));
+  await state.delete(sessionKey2(egressId));
 }
-async function getSandboxEgressSession(sandboxId) {
+async function getSandboxEgressSession(egressId) {
   const state = getStateAdapter();
   await state.connect();
-  return parseSession(await state.get(sessionKey2(sandboxId)));
+  return parseSession(await state.get(sessionKey2(egressId)));
 }
-async function setSandboxEgressCredentialLease(sandboxId, session, lease) {
+async function setSandboxEgressCredentialLease(egressId, session, lease) {
   const leaseExpiresAtMs = Date.parse(lease.expiresAt);
   if (!Number.isFinite(leaseExpiresAtMs) || leaseExpiresAtMs <= Date.now()) {
     return;
@@ -8753,17 +8755,17 @@ async function setSandboxEgressCredentialLease(sandboxId, session, lease) {
   );
   const state = getStateAdapter();
   await state.connect();
-  await state.set(leaseKey(sandboxId, lease.provider, session), lease, ttlMs);
+  await state.set(leaseKey(egressId, lease.provider, session), lease, ttlMs);
 }
-async function getSandboxEgressCredentialLease(sandboxId, provider, session) {
+async function getSandboxEgressCredentialLease(egressId, provider, session) {
   const state = getStateAdapter();
   await state.connect();
-  return parseLease(await state.get(leaseKey(sandboxId, provider, session)));
+  return parseLease(await state.get(leaseKey(egressId, provider, session)));
 }
-async function clearSandboxEgressCredentialLease(sandboxId, provider, session) {
+async function clearSandboxEgressCredentialLease(egressId, provider, session) {
   const state = getStateAdapter();
   await state.connect();
-  await state.delete(leaseKey(sandboxId, provider, session));
+  await state.delete(leaseKey(egressId, provider, session));
 }
 // src/chat/sandbox/http-error-details.ts
@@ -9620,10 +9622,10 @@ function createSandboxSessionManager(options) {
     appliedNetworkPolicyKey = void 0;
   };
   const createSandboxName = () => `${SANDBOX_NAME_PREFIX}${randomUUID4()}`;
-  const rememberNetworkPolicy = (networkPolicy) => {
-    appliedNetworkPolicyKey = networkPolicy ? JSON.stringify(networkPolicy) : void 0;
+  const preflightNetworkPolicy = (sandboxName) => {
+    return options?.createNetworkPolicy?.(sandboxName);
   };
-  const rememberSandbox = async (nextSandbox, rememberOptions) => {
+  const rememberSandbox = async (nextSandbox) => {
     sandbox = nextSandbox;
     sandboxIdHint = nextSandbox.sandboxId;
     toolExecutors = void 0;
@@ -9632,11 +9634,6 @@ function createSandboxSessionManager(options) {
       ...dependencyProfileHash ? { sandboxDependencyProfileHash: dependencyProfileHash } : {}
     };
     await options?.onSandboxAcquired?.(acquired);
-    if (rememberOptions?.recordNetworkPolicy) {
-      rememberNetworkPolicy(
-        options?.createNetworkPolicy?.(nextSandbox.sandboxId)
-      );
-    }
     return nextSandbox;
   };
   const failSetup = (error) => {
@@ -9653,7 +9650,7 @@ function createSandboxSessionManager(options) {
   };
   const refreshNetworkPolicy = async (targetSandbox) => {
     const networkPolicy = options?.createNetworkPolicy?.(
-      targetSandbox.sandboxId
+      targetSandbox.sandboxEgressId
     );
     if (!networkPolicy) {
       return;
@@ -9709,7 +9706,7 @@ function createSandboxSessionManager(options) {
   const createSandboxFromSnapshot = async (snapshotId, sandboxCredentials, initialSandboxName) => {
     for (let attempt = 0; attempt < SNAPSHOT_BOOT_RETRY_COUNT; attempt += 1) {
       const sandboxName = attempt === 0 ? initialSandboxName : createSandboxName();
-      const networkPolicy = options?.createNetworkPolicy?.(sandboxName);
+      const networkPolicy = preflightNetworkPolicy(sandboxName);
       try {
         return createSandboxInstance(
           await Sandbox.create({
@@ -9748,7 +9745,7 @@ function createSandboxSessionManager(options) {
   const createSandboxFromResolvedSnapshot = async (params) => {
     const { runtime, snapshot, sandboxCredentials, sandboxName } = params;
     if (!snapshot.snapshotId) {
-      const networkPolicy = options?.createNetworkPolicy?.(sandboxName);
+      const networkPolicy = preflightNetworkPolicy(sandboxName);
       return createSandboxInstance(
         await Sandbox.create({
           timeout: timeoutMs,
@@ -9819,11 +9816,12 @@ function createSandboxSessionManager(options) {
       return failSetup(error);
     }
     try {
+      await refreshNetworkPolicy(createdSandbox);
       await syncSkills(createdSandbox);
     } catch (error) {
       return failSetup(error);
     }
-    return await rememberSandbox(createdSandbox, { recordNetworkPolicy: true });
+    return await rememberSandbox(createdSandbox);
   };
   const discardHintIfProfileChanged = () => {
     if (sandbox || !sandboxIdHint || dependencyProfileHash === options?.sandboxDependencyProfileHash) {
@@ -9976,7 +9974,8 @@ function createSandboxSessionManager(options) {
     }
     return {
       bash: async (input) => {
-        await options?.beforeCommand?.(activeSandboxId);
+        const commandEgressId = sandboxInstance.sandboxEgressId;
+        await options?.beforeCommand?.(commandEgressId);
         let timedOut = false;
         let timeoutId;
         let commandFinished = false;
@@ -9985,7 +9984,7 @@ function createSandboxSessionManager(options) {
             return;
           }
           commandFinished = true;
-          await options?.afterCommand?.(activeSandboxId);
+          await options?.afterCommand?.(commandEgressId);
         };
         const finishCommandBestEffort = async () => {
           try {
@@ -10126,15 +10125,15 @@ function createSandboxExecutor(options) {
   let referenceFiles = [];
   const traceContext = options?.traceContext ?? {};
   const credentialEgress = options?.credentialEgress;
-  const syncSandboxEgressSession = credentialEgress ? async (sandboxId) => {
+  const syncSandboxEgressSession = credentialEgress ? async (egressId) => {
     await upsertSandboxEgressSession({
-      sandboxId,
+      egressId,
       requesterId: credentialEgress.requesterId,
       ttlMs: options?.timeoutMs
     });
   } : void 0;
-  const clearSandboxEgressSessionForCommand = credentialEgress ? async (sandboxId) => {
-    await clearSandboxEgressSession(sandboxId);
+  const clearSandboxEgressSessionForCommand = credentialEgress ? async (egressId) => {
+    await clearSandboxEgressSession(egressId);
   } : void 0;
   const sessionManager = createSandboxSessionManager({
     sandboxId: options?.sandboxId,
@@ -14724,41 +14723,21 @@ async function getJwks(issuer) {
   });
   return jwks;
 }
-function expectedVercelOidcAudience() {
-  const audience = process.env.VERCEL_OIDC_AUDIENCE?.trim();
-  if (!audience) {
-    throw new Error("VERCEL_OIDC_AUDIENCE is required for sandbox egress OIDC");
-  }
-  return audience;
-}
-function validateVercelSandboxOidcClaims(payload, sandboxId) {
-  const expectedTeamId = process.env.VERCEL_TEAM_ID?.trim();
-  const expectedProjectId = process.env.VERCEL_PROJECT_ID?.trim();
-  if (!expectedProjectId) {
-    throw new Error("VERCEL_PROJECT_ID is required for sandbox egress OIDC");
-  }
-  if (expectedTeamId && (typeof payload.owner_id !== "string" || payload.owner_id !== expectedTeamId)) {
-    throw new Error("Vercel OIDC token belongs to a different team");
-  }
-  if (typeof payload.project_id !== "string" || payload.project_id !== expectedProjectId) {
-    throw new Error("Vercel OIDC token belongs to a different project");
-  }
-  if (payload.sandbox_id !== sandboxId) {
+function validateSandboxClaim(payload, egressId) {
+  if (payload.sandbox_id !== egressId) {
     throw new Error("Vercel OIDC token belongs to a different sandbox");
   }
 }
-async function verifyVercelSandboxOidcToken(token, sandboxId) {
+async function verifyVercelSandboxOidcToken(token, egressId) {
   const unverified = decodeJwt(token);
   if (typeof unverified.iss !== "string") {
     throw new Error("Vercel OIDC token did not include an issuer");
   }
-  const audience = expectedVercelOidcAudience();
   const jwks = await getJwks(unverified.iss);
   const verified = await jwtVerify(token, jwks, {
-    issuer: unverified.iss,
-    audience
+    issuer: unverified.iss
   });
-  validateVercelSandboxOidcClaims(verified.payload, sandboxId);
+  validateSandboxClaim(verified.payload, egressId);
   return verified.payload;
 }
@@ -14810,9 +14789,9 @@ function normalizePort(value) {
   const port = Number.parseInt(trimmed, 10);
   return port >= 1 && port <= 65535 ? trimmed : void 0;
 }
-function upstreamPath(request, sandboxId) {
+function upstreamPath(request, egressId) {
   const url = new URL(request.url);
-  const prefix = `${ROUTE_PREFIX}/${encodeURIComponent(sandboxId)}`;
+  const prefix = `${ROUTE_PREFIX}/${encodeURIComponent(egressId)}`;
   if (url.pathname === prefix) {
     return `/${url.search}`;
   }
@@ -14821,7 +14800,7 @@ function upstreamPath(request, sandboxId) {
   }
   return void 0;
 }
-function buildUpstreamUrl(request, sandboxId) {
+function buildUpstreamUrl(request, egressId) {
   const forwardedHost = request.headers.get(FORWARDED_HOST_HEADER);
   if (!forwardedHost?.trim()) {
     return { ok: false, error: "Missing forwarded host" };
@@ -14843,7 +14822,7 @@ function buildUpstreamUrl(request, sandboxId) {
   if (forwardedPort && !port) {
     return { ok: false, error: "Invalid forwarded port" };
   }
-  const path11 = upstreamPath(request, sandboxId);
+  const path11 = upstreamPath(request, egressId);
   if (!path11) {
     return { ok: false, error: "Invalid egress route" };
   }
@@ -14889,9 +14868,9 @@ function responseHeaders(upstream) {
   });
   return headers;
 }
-async function credentialLease(sandboxId, provider, session) {
+async function credentialLease(egressId, provider, session) {
   const cached = await getSandboxEgressCredentialLease(
-    sandboxId,
+    egressId,
     provider,
     session
   );
@@ -14914,7 +14893,7 @@ async function credentialLease(sandboxId, provider, session) {
     expiresAt: lease.expiresAt,
     headerTransforms
   };
-  await setSandboxEgressCredentialLease(sandboxId, session, cachedLease);
+  await setSandboxEgressCredentialLease(egressId, session, cachedLease);
   return cachedLease;
 }
 function hasTransformForHost(lease, host) {
@@ -14922,7 +14901,7 @@ function hasTransformForHost(lease, host) {
     (transform) => matchesSandboxEgressDomain(host, transform.domain)
   );
 }
-async function proxySandboxEgressRequest(request, sandboxId, deps = {}) {
+async function proxySandboxEgressRequest(request, egressId, deps = {}) {
   const oidcToken = request.headers.get(OIDC_TOKEN_HEADER)?.trim();
   if (!oidcToken) {
     return jsonError("Missing Vercel Sandbox OIDC token", 401);
@@ -14930,7 +14909,7 @@ async function proxySandboxEgressRequest(request, sandboxId, deps = {}) {
   try {
     await (deps.verifyOidc ?? verifyVercelSandboxOidcToken)(
       oidcToken,
-      sandboxId
+      egressId
     );
   } catch (error) {
     logWarn(
@@ -14943,7 +14922,7 @@ async function proxySandboxEgressRequest(request, sandboxId, deps = {}) {
     );
     return jsonError("Invalid Vercel Sandbox OIDC token", 401);
   }
-  const upstreamResult = buildUpstreamUrl(request, sandboxId);
+  const upstreamResult = buildUpstreamUrl(request, egressId);
   if (!upstreamResult.ok) {
     return jsonError(upstreamResult.error, 400);
   }
@@ -14952,13 +14931,13 @@ async function proxySandboxEgressRequest(request, sandboxId, deps = {}) {
   if (!provider) {
     return jsonError("No provider owns forwarded host", 403);
   }
-  const session = await getSandboxEgressSession(sandboxId);
+  const session = await getSandboxEgressSession(egressId);
   if (!session) {
     return jsonError("Sandbox egress session is not authorized", 403);
   }
   let lease;
   try {
-    lease = await credentialLease(sandboxId, provider, session);
+    lease = await credentialLease(egressId, provider, session);
   } catch (error) {
     if (error instanceof CredentialUnavailableError) {
       return new Response(
@@ -14983,7 +14962,18 @@ ${error.message}`,
     redirect: "manual"
   });
   if (AUTH_REJECTION_STATUS.has(upstream.status)) {
-    await clearSandboxEgressCredentialLease(sandboxId, provider, session);
+    logWarn(
+      "sandbox_egress_upstream_auth_rejected",
+      {},
+      {
+        "app.credential.provider": provider,
+        "http.request.method": request.method,
+        "http.response.status_code": upstream.status,
+        "server.address": upstreamUrl.hostname
+      },
+      "Sandbox egress upstream auth rejected"
+    );
+    await clearSandboxEgressCredentialLease(egressId, provider, session);
   }
   return new Response(upstream.body, {
     status: upstream.status,
@@ -14993,8 +14983,8 @@ ${error.message}`,
 }
 // src/handlers/sandbox-egress-proxy.ts
-async function ALL(request, sandboxId) {
-  return await proxySandboxEgressRequest(request, sandboxId);
+async function ALL(request, egressId) {
+  return await proxySandboxEgressRequest(request, egressId);
 }
 // src/chat/slack/context.ts
@@ -18373,11 +18363,11 @@ async function createApp(options) {
   app.post("/api/internal/turn-resume", (c) => {
     return POST(c.req.raw, waitUntil);
   });
-  app.all("/api/internal/sandbox-egress/:sandboxId", (c) => {
-    return ALL(c.req.raw, c.req.param("sandboxId"));
+  app.all("/api/internal/sandbox-egress/:egressId", (c) => {
+    return ALL(c.req.raw, c.req.param("egressId"));
   });
-  app.all("/api/internal/sandbox-egress/:sandboxId/*", (c) => {
-    return ALL(c.req.raw, c.req.param("sandboxId"));
+  app.all("/api/internal/sandbox-egress/:egressId/*", (c) => {
+    return ALL(c.req.raw, c.req.param("egressId"));
   });
   app.post("/api/webhooks/:platform", (c) => {
     return POST2(c.req.raw, c.req.param("platform"), waitUntil);

package/dist/{chunk-YSXHRIWR.js → chunk-QAMTCT2R.js} RENAMED Viewed

@@ -563,6 +563,9 @@ function getVercelSandboxCredentials() {
 function createSandboxInstance(sandbox) {
   return {
     sandboxId: sandbox.name,
+    get sandboxEgressId() {
+      return sandbox.currentSession().sessionId;
+    },
     fs: sandbox.fs,
     extendTimeout(duration) {
       return sandbox.extendTimeout(duration);

package/dist/cli/snapshot-warmup.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import {
   disconnectStateAdapter,
   resolveRuntimeDependencySnapshot
-} from "../chunk-YSXHRIWR.js";
+} from "../chunk-QAMTCT2R.js";
 import {
   getPluginProviders,
   getPluginRuntimeDependencies,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@sentry/junior",
-  "version": "0.43.0",
+  "version": "0.44.0",
   "private": false,
   "publishConfig": {
     "access": "public"