langsmith 0.7.8 → 0.7.10

package/dist/experimental/vercel/telemetry.js

@@ -1,6 +1,6 @@
 import { isRunTree, RunTree } from "../../run_trees.js";
 import { getCurrentRunTree, withRunTree } from "../../singletons/traceable.js";
-import { isTracingEnabled } from "../../env.js";
+import { isEnvTracingEnabled } from "../../env.js";
 import { convertMessageToTracedFormat } from "./utils.js";
 import { setUsageMetadataOnRunTree } from "./utils.js";
 import { isPrimitive, isRecord } from "../../utils/types.js";
@@ -107,7 +107,7 @@ export function LangSmithTelemetry(config) {
     /** Per-generation state keyed by AI SDK `callId` (stable across nested calls). */
     const invocationsByCallId = new Map();
     const onStart = async (event) => {
-        if (!isTracingEnabled(tracingEnabled))
+        if (!isEnvTracingEnabled(tracingEnabled))
             return;
         if (!("callId" in event) || typeof event.callId !== "string")
             return;

package/dist/index.cjs

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.LS_MESSAGE_VIEW_EXCLUDE = exports.__version__ = exports.promptCacheSingleton = exports.configureGlobalPromptCache = exports.PromptCache = exports.Cache = exports.uuid7FromTime = exports.uuid7 = exports.getDefaultProjectName = exports.overrideFetchImplementation = exports.RunTree = exports.Client = void 0;
+exports.LS_MESSAGE_VIEW_EXCLUDE = exports.__version__ = exports.promptCacheSingleton = exports.configureGlobalPromptCache = exports.PromptCache = exports.Cache = exports.isTracingEnabled = exports.uuid7FromTime = exports.uuid7 = exports.getDefaultProjectName = exports.overrideFetchImplementation = exports.RunTree = exports.Client = void 0;
 var client_js_1 = require("./client.cjs");
 Object.defineProperty(exports, "Client", { enumerable: true, get: function () { return client_js_1.Client; } });
 var run_trees_js_1 = require("./run_trees.cjs");
@@ -12,12 +12,14 @@ Object.defineProperty(exports, "getDefaultProjectName", { enumerable: true, get:
 var uuid_js_1 = require("./uuid.cjs");
 Object.defineProperty(exports, "uuid7", { enumerable: true, get: function () { return uuid_js_1.uuid7; } });
 Object.defineProperty(exports, "uuid7FromTime", { enumerable: true, get: function () { return uuid_js_1.uuid7FromTime; } });
+var guard_js_1 = require("./utils/guard.cjs");
+Object.defineProperty(exports, "isTracingEnabled", { enumerable: true, get: function () { return guard_js_1.isTracingEnabled; } });
 var index_js_1 = require("./utils/prompt_cache/index.cjs");
 Object.defineProperty(exports, "Cache", { enumerable: true, get: function () { return index_js_1.Cache; } });
 Object.defineProperty(exports, "PromptCache", { enumerable: true, get: function () { return index_js_1.PromptCache; } });
 Object.defineProperty(exports, "configureGlobalPromptCache", { enumerable: true, get: function () { return index_js_1.configureGlobalPromptCache; } });
 Object.defineProperty(exports, "promptCacheSingleton", { enumerable: true, get: function () { return index_js_1.promptCacheSingleton; } });
 // Update using pnpm bump-version
-exports.__version__ = "0.7.8";
+exports.__version__ = "0.7.10";
 // Metadata key to hide a traced run from LangSmith's Messages View.
 exports.LS_MESSAGE_VIEW_EXCLUDE = "ls_message_view_exclude";

package/dist/index.d.ts

@@ -4,6 +4,7 @@ export { RunTree, type RunTreeConfig } from "./run_trees.js";
 export { overrideFetchImplementation } from "./singletons/fetch.js";
 export { getDefaultProjectName } from "./utils/project.js";
 export { uuid7, uuid7FromTime } from "./uuid.js";
+export { isTracingEnabled } from "./utils/guard.js";
 export { Cache, PromptCache, type CacheConfig, type CacheMetrics, configureGlobalPromptCache, promptCacheSingleton, } from "./utils/prompt_cache/index.js";
-export declare const __version__ = "0.7.8";
+export declare const __version__ = "0.7.10";
 export declare const LS_MESSAGE_VIEW_EXCLUDE: "ls_message_view_exclude";

package/dist/index.js

@@ -3,8 +3,9 @@ export { RunTree } from "./run_trees.js";
 export { overrideFetchImplementation } from "./singletons/fetch.js";
 export { getDefaultProjectName } from "./utils/project.js";
 export { uuid7, uuid7FromTime } from "./uuid.js";
+export { isTracingEnabled } from "./utils/guard.js";
 export { Cache, PromptCache, configureGlobalPromptCache, promptCacheSingleton, } from "./utils/prompt_cache/index.js";
 // Update using pnpm bump-version
-export const __version__ = "0.7.8";
+export const __version__ = "0.7.10";
 // Metadata key to hide a traced run from LangSmith's Messages View.
 export const LS_MESSAGE_VIEW_EXCLUDE = "ls_message_view_exclude";

package/dist/run_trees.cjs

@@ -836,7 +836,7 @@ class RunTree {
         let parentRun;
         let projectName;
         let client;
-        let tracingEnabled = (0, env_js_1.isTracingEnabled)();
+        let tracingEnabled = (0, env_js_1.isEnvTracingEnabled)();
         if (callbackManager) {
             const parentRunId = callbackManager?.getParentRunId?.() ?? "";
             const langChainTracer = callbackManager?.handlers?.find((handler) => handler?.name == "langchain_tracer");

package/dist/run_trees.js

@@ -1,5 +1,5 @@
 import { Client } from "./client.js";
-import { isTracingEnabled } from "./env.js";
+import { isEnvTracingEnabled } from "./env.js";
 import { isConflictingEndpointsError, ConflictingEndpointsError, } from "./utils/error.js";
 import { _LC_CONTEXT_VARIABLES_KEY, _REPLICA_TRACE_ROOTS_KEY, } from "./singletons/constants.js";
 import { getContextVar, setContextVar } from "./utils/context_vars.js";
@@ -830,7 +830,7 @@ export class RunTree {
         let parentRun;
         let projectName;
         let client;
-        let tracingEnabled = isTracingEnabled();
+        let tracingEnabled = isEnvTracingEnabled();
         if (callbackManager) {
             const parentRunId = callbackManager?.getParentRunId?.() ?? "";
             const langChainTracer = callbackManager?.handlers?.find((handler) => handler?.name == "langchain_tracer");

package/dist/sandbox/client.cjs

@@ -10,6 +10,7 @@ const async_caller_js_1 = require("../utils/async_caller.cjs");
 const sandbox_js_1 = require("./sandbox.cjs");
 const errors_js_1 = require("./errors.cjs");
 const helpers_js_1 = require("./helpers.cjs");
+const proxy_config_js_1 = require("./proxy_config.cjs");
 const index_js_1 = require("../utils/uuid/src/index.cjs");
 /**
  * Sleep that can be interrupted by an AbortSignal.
@@ -367,10 +368,13 @@ class SandboxClient {
         const resolvedOptions = typeof snapshotIdOrOptions === "object" && snapshotIdOrOptions !== null
             ? snapshotIdOrOptions
             : options;
-        const { snapshotName, name, timeout = 30, waitForReady = true, idleTtlSeconds, deleteAfterStopSeconds, vCpus, memBytes, fsCapacityBytes, proxyConfig, } = resolvedOptions;
+        const { snapshotName, name, timeout = 30, waitForReady = true, idleTtlSeconds, deleteAfterStopSeconds, vCpus, memBytes, fsCapacityBytes, mountConfig, proxyConfig, } = resolvedOptions;
         if (snapshotId && snapshotName) {
             throw new errors_js_1.LangSmithValidationError("At most one of snapshotId or options.snapshotName may be set", "snapshotId");
         }
+        if ("mounts" in resolvedOptions) {
+            throw new errors_js_1.LangSmithValidationError("mounts is not a public createSandbox option; use mountConfig", "mounts");
+        }
         (0, helpers_js_1.validateTtl)(idleTtlSeconds, "idleTtlSeconds");
         (0, helpers_js_1.validateTtl)(deleteAfterStopSeconds, "deleteAfterStopSeconds");
         const url = `${this._baseUrl}/boxes`;
@@ -404,8 +408,12 @@ class SandboxClient {
         if (fsCapacityBytes !== undefined) {
             payload.fs_capacity_bytes = fsCapacityBytes;
         }
-        if (proxyConfig !== undefined) {
-            payload.proxy_config = proxyConfig;
+        const effectiveProxyConfig = (0, proxy_config_js_1.mergeProxyConfigs)(mountConfig?.proxyConfig, proxyConfig);
+        if (mountConfig !== undefined) {
+            payload.mounts = mountConfig.mounts;
+        }
+        if (effectiveProxyConfig !== undefined) {
+            payload.proxy_config = effectiveProxyConfig;
         }
         const httpTimeout = waitForReady ? (timeout + 30) * 1000 : 30 * 1000;
         const response = await this._fetch(url, {

package/dist/sandbox/client.js

@@ -7,6 +7,7 @@ import { AsyncCaller } from "../utils/async_caller.js";
 import { Sandbox } from "./sandbox.js";
 import { LangSmithResourceCreationError, LangSmithResourceNameConflictError, LangSmithResourceNotFoundError, LangSmithResourceTimeoutError, LangSmithSandboxAPIError, LangSmithValidationError, } from "./errors.js";
 import { handleClientHttpError, handleSandboxCreationError, validateTtl, } from "./helpers.js";
+import { mergeProxyConfigs } from "./proxy_config.js";
 import { v4 as uuidv4 } from "../utils/uuid/src/index.js";
 /**
  * Sleep that can be interrupted by an AbortSignal.
@@ -364,10 +365,13 @@ export class SandboxClient {
         const resolvedOptions = typeof snapshotIdOrOptions === "object" && snapshotIdOrOptions !== null
             ? snapshotIdOrOptions
             : options;
-        const { snapshotName, name, timeout = 30, waitForReady = true, idleTtlSeconds, deleteAfterStopSeconds, vCpus, memBytes, fsCapacityBytes, proxyConfig, } = resolvedOptions;
+        const { snapshotName, name, timeout = 30, waitForReady = true, idleTtlSeconds, deleteAfterStopSeconds, vCpus, memBytes, fsCapacityBytes, mountConfig, proxyConfig, } = resolvedOptions;
         if (snapshotId && snapshotName) {
             throw new LangSmithValidationError("At most one of snapshotId or options.snapshotName may be set", "snapshotId");
         }
+        if ("mounts" in resolvedOptions) {
+            throw new LangSmithValidationError("mounts is not a public createSandbox option; use mountConfig", "mounts");
+        }
         validateTtl(idleTtlSeconds, "idleTtlSeconds");
         validateTtl(deleteAfterStopSeconds, "deleteAfterStopSeconds");
         const url = `${this._baseUrl}/boxes`;
@@ -401,8 +405,12 @@ export class SandboxClient {
         if (fsCapacityBytes !== undefined) {
             payload.fs_capacity_bytes = fsCapacityBytes;
         }
-        if (proxyConfig !== undefined) {
-            payload.proxy_config = proxyConfig;
+        const effectiveProxyConfig = mergeProxyConfigs(mountConfig?.proxyConfig, proxyConfig);
+        if (mountConfig !== undefined) {
+            payload.mounts = mountConfig.mounts;
+        }
+        if (effectiveProxyConfig !== undefined) {
+            payload.proxy_config = effectiveProxyConfig;
         }
         const httpTimeout = waitForReady ? (timeout + 30) * 1000 : 30 * 1000;
         const response = await this._fetch(url, {

package/dist/sandbox/index.cjs

@@ -29,7 +29,7 @@
  * @packageDocumentation
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.LangSmithDataplaneNotConfiguredError = exports.LangSmithCommandTimeoutError = exports.LangSmithSandboxOperationError = exports.LangSmithSandboxNotReadyError = exports.LangSmithSandboxCreationError = exports.LangSmithResourceCreationError = exports.LangSmithQuotaExceededError = exports.LangSmithValidationError = exports.LangSmithResourceNameConflictError = exports.LangSmithResourceAlreadyExistsError = exports.LangSmithResourceInUseError = exports.LangSmithResourceTimeoutError = exports.LangSmithResourceNotFoundError = exports.LangSmithSandboxServerReloadError = exports.LangSmithSandboxConnectionError = exports.LangSmithSandboxAuthenticationError = exports.LangSmithSandboxAPIError = exports.LangSmithSandboxError = exports.workspaceSecret = exports.opaqueSecret = exports.awsAuthProxyConfig = exports.CommandHandle = exports.Sandbox = exports.SandboxClient = void 0;
+exports.LangSmithDataplaneNotConfiguredError = exports.LangSmithCommandTimeoutError = exports.LangSmithSandboxOperationError = exports.LangSmithSandboxNotReadyError = exports.LangSmithSandboxCreationError = exports.LangSmithResourceCreationError = exports.LangSmithQuotaExceededError = exports.LangSmithValidationError = exports.LangSmithResourceNameConflictError = exports.LangSmithResourceAlreadyExistsError = exports.LangSmithResourceInUseError = exports.LangSmithResourceTimeoutError = exports.LangSmithResourceNotFoundError = exports.LangSmithSandboxServerReloadError = exports.LangSmithSandboxConnectionError = exports.LangSmithSandboxAuthenticationError = exports.LangSmithSandboxAPIError = exports.LangSmithSandboxError = exports.s3Mount = exports.mountConfig = exports.gcsMount = exports.workspaceSecret = exports.proxyConfig = exports.opaqueSecret = exports.gcpAuth = exports.awsAuth = exports.CommandHandle = exports.Sandbox = exports.SandboxClient = void 0;
 // Main classes
 var client_js_1 = require("./client.cjs");
 Object.defineProperty(exports, "SandboxClient", { enumerable: true, get: function () { return client_js_1.SandboxClient; } });
@@ -38,9 +38,15 @@ Object.defineProperty(exports, "Sandbox", { enumerable: true, get: function () {
 var command_handle_js_1 = require("./command_handle.cjs");
 Object.defineProperty(exports, "CommandHandle", { enumerable: true, get: function () { return command_handle_js_1.CommandHandle; } });
 var proxy_config_js_1 = require("./proxy_config.cjs");
-Object.defineProperty(exports, "awsAuthProxyConfig", { enumerable: true, get: function () { return proxy_config_js_1.awsAuthProxyConfig; } });
+Object.defineProperty(exports, "awsAuth", { enumerable: true, get: function () { return proxy_config_js_1.awsAuth; } });
+Object.defineProperty(exports, "gcpAuth", { enumerable: true, get: function () { return proxy_config_js_1.gcpAuth; } });
 Object.defineProperty(exports, "opaqueSecret", { enumerable: true, get: function () { return proxy_config_js_1.opaqueSecret; } });
+Object.defineProperty(exports, "proxyConfig", { enumerable: true, get: function () { return proxy_config_js_1.proxyConfig; } });
 Object.defineProperty(exports, "workspaceSecret", { enumerable: true, get: function () { return proxy_config_js_1.workspaceSecret; } });
+var mounts_js_1 = require("./mounts.cjs");
+Object.defineProperty(exports, "gcsMount", { enumerable: true, get: function () { return mounts_js_1.gcsMount; } });
+Object.defineProperty(exports, "mountConfig", { enumerable: true, get: function () { return mounts_js_1.mountConfig; } });
+Object.defineProperty(exports, "s3Mount", { enumerable: true, get: function () { return mounts_js_1.s3Mount; } });
 // Errors
 var errors_js_1 = require("./errors.cjs");
 // Base and connection errors

package/dist/sandbox/index.d.ts

@@ -30,6 +30,7 @@
 export { SandboxClient } from "./client.js";
 export { Sandbox } from "./sandbox.js";
 export { CommandHandle } from "./command_handle.js";
-export { awsAuthProxyConfig, opaqueSecret, workspaceSecret, } from "./proxy_config.js";
-export type { ExecutionResult, OutputChunk, WsMessage, WsRunOptions, ResourceStatus, Snapshot, SandboxData, SandboxClientConfig, RunOptions, CreateSandboxOptions, SandboxAccessControl, SandboxAwsAuthRule, SandboxProxyConfig, SandboxProxySecret, CreateSnapshotOptions, CreateDockerfileSnapshotOptions, CaptureSnapshotOptions, ListSnapshotsOptions, WaitForSnapshotOptions, StartSandboxOptions, UpdateSandboxOptions, WaitForSandboxOptions, } from "./types.js";
+export { awsAuth, gcpAuth, opaqueSecret, proxyConfig, workspaceSecret, } from "./proxy_config.js";
+export { gcsMount, mountConfig, s3Mount } from "./mounts.js";
+export type { ExecutionResult, OutputChunk, WsMessage, WsRunOptions, ResourceStatus, Snapshot, SandboxData, SandboxClientConfig, RunOptions, CreateSandboxOptions, SandboxAccessControl, SandboxAwsAuthRule, SandboxGcpAuthRule, SandboxMountConfig, SandboxProxyConfig, SandboxProxyRule, SandboxProxySecret, SandboxMount, MountCacheConfig, GCSMountConfig, GCSMountSpec, S3MountConfig, S3MountSpec, CreateSnapshotOptions, CreateDockerfileSnapshotOptions, CaptureSnapshotOptions, ListSnapshotsOptions, WaitForSnapshotOptions, StartSandboxOptions, UpdateSandboxOptions, WaitForSandboxOptions, } from "./types.js";
 export { LangSmithSandboxError, LangSmithSandboxAPIError, LangSmithSandboxAuthenticationError, LangSmithSandboxConnectionError, LangSmithSandboxServerReloadError, LangSmithResourceNotFoundError, LangSmithResourceTimeoutError, LangSmithResourceInUseError, LangSmithResourceAlreadyExistsError, LangSmithResourceNameConflictError, LangSmithValidationError, LangSmithQuotaExceededError, LangSmithResourceCreationError, LangSmithSandboxCreationError, LangSmithSandboxNotReadyError, LangSmithSandboxOperationError, LangSmithCommandTimeoutError, LangSmithDataplaneNotConfiguredError, } from "./errors.js";

package/dist/sandbox/index.js

@@ -31,7 +31,8 @@
 export { SandboxClient } from "./client.js";
 export { Sandbox } from "./sandbox.js";
 export { CommandHandle } from "./command_handle.js";
-export { awsAuthProxyConfig, opaqueSecret, workspaceSecret, } from "./proxy_config.js";
+export { awsAuth, gcpAuth, opaqueSecret, proxyConfig, workspaceSecret, } from "./proxy_config.js";
+export { gcsMount, mountConfig, s3Mount } from "./mounts.js";
 // Errors
 export { 
 // Base and connection errors

package/dist/sandbox/mounts.cjs

@@ -0,0 +1,114 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.s3Mount = s3Mount;
+exports.gcsMount = gcsMount;
+exports.mountConfig = mountConfig;
+const proxy_config_js_1 = require("./proxy_config.cjs");
+function requireNonEmptyString(value, field) {
+    if (typeof value !== "string" || value.trim() === "") {
+        throw new Error(`${field} must be a non-empty string`);
+    }
+    return value.trim();
+}
+function s3Mount({ id, mountPath, bucket, region = "us-east-1", prefix, endpointUrl = "https://s3.amazonaws.com", pathStyle = false, readOnly, cache, }) {
+    const mount = {
+        id: requireNonEmptyString(id, "id"),
+        type: "s3",
+        mount_path: requireNonEmptyString(mountPath, "mountPath"),
+        s3: {
+            endpoint_url: requireNonEmptyString(endpointUrl, "endpointUrl"),
+            region: requireNonEmptyString(region, "region"),
+            bucket: requireNonEmptyString(bucket, "bucket"),
+            path_style: pathStyle,
+        },
+    };
+    if (prefix !== undefined) {
+        mount.s3.prefix = requireNonEmptyString(prefix, "prefix");
+    }
+    if (readOnly !== undefined) {
+        mount.read_only = readOnly;
+    }
+    if (cache !== undefined) {
+        mount.cache = { ...cache };
+    }
+    return mount;
+}
+function gcsMount({ id, mountPath, bucket, prefix, readOnly, cache, }) {
+    const mount = {
+        id: requireNonEmptyString(id, "id"),
+        type: "gcs",
+        mount_path: requireNonEmptyString(mountPath, "mountPath"),
+        gcs: {
+            bucket: requireNonEmptyString(bucket, "bucket"),
+        },
+    };
+    if (prefix !== undefined) {
+        mount.gcs.prefix = requireNonEmptyString(prefix, "prefix");
+    }
+    if (readOnly !== undefined) {
+        mount.read_only = readOnly;
+    }
+    if (cache !== undefined) {
+        mount.cache = { ...cache };
+    }
+    return mount;
+}
+function normalizeMounts(mounts) {
+    if (!Array.isArray(mounts) || mounts.length === 0) {
+        throw new Error("mounts must be a non-empty array of mount objects");
+    }
+    return mounts.map((mount) => {
+        if (mount === null || typeof mount !== "object" || Array.isArray(mount)) {
+            throw new Error("mounts must be a non-empty array of mount objects");
+        }
+        if (mount.type !== "s3" && mount.type !== "gcs") {
+            throw new Error("mountConfig only supports s3 and gcs mounts");
+        }
+        return mount;
+    });
+}
+function normalizeAuthRules(auth) {
+    if (!Array.isArray(auth)) {
+        throw new Error("auth must be an array of provider auth rules");
+    }
+    const byProvider = {};
+    for (const rule of auth) {
+        if (rule === null || typeof rule !== "object" || Array.isArray(rule)) {
+            throw new Error("auth must be an array of provider auth rules");
+        }
+        const provider = rule.type;
+        if (provider !== "aws" && provider !== "gcp") {
+            throw new Error("mountConfig auth only supports aws and gcp rules");
+        }
+        if (byProvider[provider] !== undefined) {
+            throw new Error(`duplicate ${provider} auth rule in mountConfig`);
+        }
+        byProvider[provider] = rule;
+    }
+    return byProvider;
+}
+function mountConfig({ auth, mounts, }) {
+    const normalizedMounts = normalizeMounts(mounts);
+    const authByProvider = normalizeAuthRules(auth);
+    const mountProviders = new Set(normalizedMounts.map((mount) => mount.type));
+    if (mountProviders.has("s3") && authByProvider.aws === undefined) {
+        throw new Error("s3 mounts require aws auth in mountConfig");
+    }
+    if (mountProviders.has("gcs") && authByProvider.gcp === undefined) {
+        throw new Error("gcs mounts require gcp auth in mountConfig");
+    }
+    if (authByProvider.aws !== undefined && !mountProviders.has("s3")) {
+        throw new Error("aws auth requires at least one s3 mount in mountConfig");
+    }
+    if (authByProvider.gcp !== undefined && !mountProviders.has("gcs")) {
+        throw new Error("gcp auth requires at least one gcs mount in mountConfig");
+    }
+    return {
+        mounts: normalizedMounts,
+        proxyConfig: (0, proxy_config_js_1.proxyConfig)({
+            rules: ["aws", "gcp"]
+                .map((provider) => authByProvider[provider])
+                .filter((rule) => rule !== undefined),
+        }),
+    };
+}

package/dist/sandbox/mounts.d.ts

@@ -0,0 +1,24 @@
+import type { GCSMountSpec, MountCacheConfig, S3MountSpec, SandboxMount, SandboxMountConfig, SandboxProxyRule } from "./types.js";
+export declare function s3Mount({ id, mountPath, bucket, region, prefix, endpointUrl, pathStyle, readOnly, cache, }: {
+    id: string;
+    mountPath: string;
+    bucket: string;
+    region?: string;
+    prefix?: string;
+    endpointUrl?: string;
+    pathStyle?: boolean;
+    readOnly?: boolean;
+    cache?: MountCacheConfig;
+}): S3MountSpec;
+export declare function gcsMount({ id, mountPath, bucket, prefix, readOnly, cache, }: {
+    id: string;
+    mountPath: string;
+    bucket: string;
+    prefix?: string;
+    readOnly?: boolean;
+    cache?: MountCacheConfig;
+}): GCSMountSpec;
+export declare function mountConfig({ auth, mounts, }: {
+    auth: SandboxProxyRule[];
+    mounts: SandboxMount[];
+}): SandboxMountConfig;

package/dist/sandbox/mounts.js

@@ -0,0 +1,109 @@
+import { proxyConfig } from "./proxy_config.js";
+function requireNonEmptyString(value, field) {
+    if (typeof value !== "string" || value.trim() === "") {
+        throw new Error(`${field} must be a non-empty string`);
+    }
+    return value.trim();
+}
+export function s3Mount({ id, mountPath, bucket, region = "us-east-1", prefix, endpointUrl = "https://s3.amazonaws.com", pathStyle = false, readOnly, cache, }) {
+    const mount = {
+        id: requireNonEmptyString(id, "id"),
+        type: "s3",
+        mount_path: requireNonEmptyString(mountPath, "mountPath"),
+        s3: {
+            endpoint_url: requireNonEmptyString(endpointUrl, "endpointUrl"),
+            region: requireNonEmptyString(region, "region"),
+            bucket: requireNonEmptyString(bucket, "bucket"),
+            path_style: pathStyle,
+        },
+    };
+    if (prefix !== undefined) {
+        mount.s3.prefix = requireNonEmptyString(prefix, "prefix");
+    }
+    if (readOnly !== undefined) {
+        mount.read_only = readOnly;
+    }
+    if (cache !== undefined) {
+        mount.cache = { ...cache };
+    }
+    return mount;
+}
+export function gcsMount({ id, mountPath, bucket, prefix, readOnly, cache, }) {
+    const mount = {
+        id: requireNonEmptyString(id, "id"),
+        type: "gcs",
+        mount_path: requireNonEmptyString(mountPath, "mountPath"),
+        gcs: {
+            bucket: requireNonEmptyString(bucket, "bucket"),
+        },
+    };
+    if (prefix !== undefined) {
+        mount.gcs.prefix = requireNonEmptyString(prefix, "prefix");
+    }
+    if (readOnly !== undefined) {
+        mount.read_only = readOnly;
+    }
+    if (cache !== undefined) {
+        mount.cache = { ...cache };
+    }
+    return mount;
+}
+function normalizeMounts(mounts) {
+    if (!Array.isArray(mounts) || mounts.length === 0) {
+        throw new Error("mounts must be a non-empty array of mount objects");
+    }
+    return mounts.map((mount) => {
+        if (mount === null || typeof mount !== "object" || Array.isArray(mount)) {
+            throw new Error("mounts must be a non-empty array of mount objects");
+        }
+        if (mount.type !== "s3" && mount.type !== "gcs") {
+            throw new Error("mountConfig only supports s3 and gcs mounts");
+        }
+        return mount;
+    });
+}
+function normalizeAuthRules(auth) {
+    if (!Array.isArray(auth)) {
+        throw new Error("auth must be an array of provider auth rules");
+    }
+    const byProvider = {};
+    for (const rule of auth) {
+        if (rule === null || typeof rule !== "object" || Array.isArray(rule)) {
+            throw new Error("auth must be an array of provider auth rules");
+        }
+        const provider = rule.type;
+        if (provider !== "aws" && provider !== "gcp") {
+            throw new Error("mountConfig auth only supports aws and gcp rules");
+        }
+        if (byProvider[provider] !== undefined) {
+            throw new Error(`duplicate ${provider} auth rule in mountConfig`);
+        }
+        byProvider[provider] = rule;
+    }
+    return byProvider;
+}
+export function mountConfig({ auth, mounts, }) {
+    const normalizedMounts = normalizeMounts(mounts);
+    const authByProvider = normalizeAuthRules(auth);
+    const mountProviders = new Set(normalizedMounts.map((mount) => mount.type));
+    if (mountProviders.has("s3") && authByProvider.aws === undefined) {
+        throw new Error("s3 mounts require aws auth in mountConfig");
+    }
+    if (mountProviders.has("gcs") && authByProvider.gcp === undefined) {
+        throw new Error("gcs mounts require gcp auth in mountConfig");
+    }
+    if (authByProvider.aws !== undefined && !mountProviders.has("s3")) {
+        throw new Error("aws auth requires at least one s3 mount in mountConfig");
+    }
+    if (authByProvider.gcp !== undefined && !mountProviders.has("gcs")) {
+        throw new Error("gcp auth requires at least one gcs mount in mountConfig");
+    }
+    return {
+        mounts: normalizedMounts,
+        proxyConfig: proxyConfig({
+            rules: ["aws", "gcp"]
+                .map((provider) => authByProvider[provider])
+                .filter((rule) => rule !== undefined),
+        }),
+    };
+}

package/dist/sandbox/proxy_config.cjs

@@ -2,13 +2,41 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.workspaceSecret = workspaceSecret;
 exports.opaqueSecret = opaqueSecret;
-exports.awsAuthProxyConfig = awsAuthProxyConfig;
+exports.proxyConfig = proxyConfig;
+exports.mergeProxyConfigs = mergeProxyConfigs;
+exports.awsAuth = awsAuth;
+exports.gcpAuth = gcpAuth;
+const DEFAULT_GCP_AUTH_MATCH_HOSTS = [
+    "storage.googleapis.com",
+    "www.googleapis.com",
+];
+const PROVIDER_RULE_TYPES = new Set(["aws", "gcp"]);
 function requireNonEmptyString(value, field) {
     if (typeof value !== "string" || value.trim() === "") {
         throw new Error(`${field} must be a non-empty string`);
     }
     return value.trim();
 }
+function requireNonEmptyStringArray(values, field) {
+    if (!Array.isArray(values) || values.length === 0) {
+        throw new Error(`${field} must be a non-empty array of strings`);
+    }
+    return values.map((value) => requireNonEmptyString(value, field));
+}
+function requireProxyRules(rules) {
+    if (rules === undefined) {
+        return [];
+    }
+    if (!Array.isArray(rules)) {
+        throw new Error("rules must be an array of proxy rule objects");
+    }
+    return rules.map((rule) => {
+        if (rule === null || typeof rule !== "object" || Array.isArray(rule)) {
+            throw new Error("rules must be an array of proxy rule objects");
+        }
+        return rule;
+    });
+}
 /** Reference a LangSmith workspace secret in a sandbox proxy configuration. */
 function workspaceSecret(name) {
     const normalized = requireNonEmptyString(name, "name");
@@ -32,9 +60,54 @@ function opaqueSecret(value) {
         value: requireNonEmptyString(value, "value"),
     };
 }
-/** Build a sandbox proxy config that signs AWS HTTPS requests with SigV4. */
-function awsAuthProxyConfig({ accessKeyId, secretAccessKey, name = "aws", enabled = true, }) {
-    const rule = {
+/** Build a sandbox proxy config from one or more proxy rules. */
+function proxyConfig({ rules, noProxy, accessControl, } = {}) {
+    const config = {
+        rules: requireProxyRules(rules),
+    };
+    if (noProxy !== undefined) {
+        config.no_proxy = requireNonEmptyStringArray(noProxy, "noProxy");
+    }
+    if (accessControl !== undefined) {
+        config.access_control = { ...accessControl };
+    }
+    return config;
+}
+function providerRuleTypes(config) {
+    const providers = new Set();
+    for (const rule of config.rules ?? []) {
+        if (rule === null || typeof rule !== "object" || Array.isArray(rule)) {
+            continue;
+        }
+        const ruleType = rule.type;
+        if (typeof ruleType === "string" && PROVIDER_RULE_TYPES.has(ruleType)) {
+            providers.add(ruleType);
+        }
+    }
+    return providers;
+}
+function mergeProxyConfigs(generatedConfig, explicitConfig) {
+    if (generatedConfig === undefined) {
+        return explicitConfig;
+    }
+    if (explicitConfig === undefined) {
+        return generatedConfig;
+    }
+    const generatedProviders = providerRuleTypes(generatedConfig);
+    for (const provider of providerRuleTypes(explicitConfig)) {
+        if (generatedProviders.has(provider)) {
+            throw new Error(`${provider} auth cannot be provided in both mountConfig and proxyConfig`);
+        }
+    }
+    return {
+        ...generatedConfig,
+        ...explicitConfig,
+        rules: [...(generatedConfig.rules ?? []), ...(explicitConfig.rules ?? [])],
+    };
+}
+/** Build a sandbox proxy rule that signs AWS HTTPS requests with SigV4. */
+function awsAuth({ accessKeyId, secretAccessKey, name = "aws", enabled = true, }) {
+    return {
         name: requireNonEmptyString(name, "name"),
         type: "aws",
         enabled,
@@ -43,5 +116,17 @@ function awsAuthProxyConfig({ accessKeyId, secretAccessKey, name = "aws", enable
             secret_access_key: secretAccessKey,
         },
     };
-    return { rules: [rule] };
+}
+/** Build a sandbox proxy rule that injects GCP OAuth bearer auth. */
+function gcpAuth({ serviceAccountJson, scopes, matchHosts = DEFAULT_GCP_AUTH_MATCH_HOSTS, name = "gcp", enabled = true, }) {
+    return {
+        name: requireNonEmptyString(name, "name"),
+        type: "gcp",
+        enabled,
+        match_hosts: requireNonEmptyStringArray(matchHosts, "matchHosts"),
+        gcp: {
+            service_account_json: serviceAccountJson,
+            scopes: requireNonEmptyStringArray(scopes, "scopes"),
+        },
+    };
 }

package/dist/sandbox/proxy_config.d.ts

@@ -1,12 +1,27 @@
-import type { SandboxProxyConfig, SandboxProxySecret } from "./types.js";
+import type { SandboxAccessControl, SandboxAwsAuthRule, SandboxGcpAuthRule, SandboxProxyConfig, SandboxProxyRule, SandboxProxySecret } from "./types.js";
 /** Reference a LangSmith workspace secret in a sandbox proxy configuration. */
 export declare function workspaceSecret(name: string): SandboxProxySecret;
 /** Provide a write-only secret value for a sandbox proxy configuration. */
 export declare function opaqueSecret(value: string): SandboxProxySecret;
-/** Build a sandbox proxy config that signs AWS HTTPS requests with SigV4. */
-export declare function awsAuthProxyConfig({ accessKeyId, secretAccessKey, name, enabled, }: {
+/** Build a sandbox proxy config from one or more proxy rules. */
+export declare function proxyConfig({ rules, noProxy, accessControl, }?: {
+    rules?: SandboxProxyRule[];
+    noProxy?: string[];
+    accessControl?: SandboxAccessControl;
+}): SandboxProxyConfig;
+export declare function mergeProxyConfigs(generatedConfig: SandboxProxyConfig | undefined, explicitConfig: SandboxProxyConfig | undefined): SandboxProxyConfig | undefined;
+/** Build a sandbox proxy rule that signs AWS HTTPS requests with SigV4. */
+export declare function awsAuth({ accessKeyId, secretAccessKey, name, enabled, }: {
     accessKeyId: SandboxProxySecret;
     secretAccessKey: SandboxProxySecret;
     name?: string;
     enabled?: boolean;
-}): SandboxProxyConfig;
+}): SandboxAwsAuthRule;
+/** Build a sandbox proxy rule that injects GCP OAuth bearer auth. */
+export declare function gcpAuth({ serviceAccountJson, scopes, matchHosts, name, enabled, }: {
+    serviceAccountJson: SandboxProxySecret;
+    scopes: string[];
+    matchHosts?: string[];
+    name?: string;
+    enabled?: boolean;
+}): SandboxGcpAuthRule;