opencomputer-sdk 0.4.8__tar.gz → 0.5.2__tar.gz

{opencomputer_sdk-0.4.8 → opencomputer_sdk-0.5.2}/.gitignore

@@ -31,6 +31,7 @@ dist/
 # Compiled binaries
 bin/
 opensandbox-worker
+/worker
 
 # Worker env (secrets)
 worker.env
@@ -57,3 +58,7 @@ deploy/ec2/*.pem
 *.tmp
 *.log
 delme
+deploy/azure/.dev-env-state-*
+deploy/azure/.dev-env-secrets*
+!deploy/azure/.dev-env-secrets.example
+/server

{opencomputer_sdk-0.4.8 → opencomputer_sdk-0.5.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: opencomputer-sdk
-Version: 0.4.8
+Version: 0.5.2
 Summary: Python SDK for OpenComputer - cloud sandbox platform
 Project-URL: Homepage, https://github.com/diggerhq/opensandbox
 Project-URL: Repository, https://github.com/diggerhq/opensandbox
@@ -33,7 +33,7 @@ Python SDK for [OpenComputer](https://github.com/diggerhq/opensandbox) — cloud
 ## Install
 
 ```bash
-pip install opencomputer
+pip install opencomputer-sdk
 ```
 
 ## Quick Start

{opencomputer_sdk-0.4.8 → opencomputer_sdk-0.5.2}/README.md

@@ -5,7 +5,7 @@ Python SDK for [OpenComputer](https://github.com/diggerhq/opensandbox) — cloud
 ## Install
 
 ```bash
-pip install opencomputer
+pip install opencomputer-sdk
 ```
 
 ## Quick Start

opencomputer_sdk-0.5.2/examples/test_large_files.py

@@ -0,0 +1,219 @@
+#!/usr/bin/env python3
+"""
+Large File Streaming Test
+
+Tests:
+  1. Write/read 100MB file via SDK
+  2. Download 100MB file via signed URL
+  3. Upload 100MB file via signed URL
+  4. read_stream / write_stream 50MB
+
+Usage:
+  python examples/test_large_files.py
+"""
+
+import asyncio
+import hashlib
+import sys
+import time
+
+import httpx
+
+from opencomputer import Sandbox
+
+GREEN = "\033[32m"
+RED = "\033[31m"
+BOLD = "\033[1m"
+DIM = "\033[2m"
+RESET = "\033[0m"
+
+passed = 0
+failed = 0
+
+
+def green(msg: str) -> None:
+    print(f"{GREEN}✓ {msg}{RESET}")
+
+
+def red(msg: str) -> None:
+    print(f"{RED}✗ {msg}{RESET}")
+
+
+def bold(msg: str) -> None:
+    print(f"{BOLD}{msg}{RESET}")
+
+
+def dim(msg: str) -> None:
+    print(f"{DIM}  {msg}{RESET}")
+
+
+def check(desc: str, condition: bool, detail: str = "") -> None:
+    global passed, failed
+    if condition:
+        green(desc)
+        passed += 1
+    else:
+        red(f"{desc} ({detail})" if detail else desc)
+        failed += 1
+
+
+def generate_data(size_mb: int) -> bytes:
+    """Generate deterministic data: repeating 256-byte pattern."""
+    pattern = bytes(range(256))
+    repeats = (size_mb * 1024 * 1024) // 256
+    return pattern * repeats
+
+
+def sha256(data: bytes) -> str:
+    return hashlib.sha256(data).hexdigest()
+
+
+async def collect_stream(stream) -> bytes:
+    """Collect an async byte iterator into a single bytes object."""
+    chunks = []
+    async for chunk in stream:
+        chunks.append(chunk)
+    return b"".join(chunks)
+
+
+async def byte_chunks(data: bytes, chunk_size: int = 256 * 1024):
+    """Yield data in chunks as an async iterator."""
+    for i in range(0, len(data), chunk_size):
+        yield data[i : i + chunk_size]
+
+
+async def main() -> None:
+    global passed, failed
+
+    bold("\n╔══════════════════════════════════════════════════╗")
+    bold("║       Large File Streaming Test (Python)         ║")
+    bold("╚══════════════════════════════════════════════════╝\n")
+
+    sandbox = None
+
+    try:
+        sandbox = await Sandbox.create(template="base", timeout=300)
+        green(f"Created sandbox: {sandbox.sandbox_id}")
+        print()
+
+        # ── Test 1: Write/read 100MB ─────────────────────────────
+        bold("━━━ Test 1: Write/read 100MB file via SDK ━━━\n")
+
+        data100 = generate_data(100)
+        hash100 = sha256(data100)
+        dim(f"Generated 100MB data, SHA-256: {hash100[:16]}...")
+
+        t0 = time.time()
+        await sandbox.files.write("/root/large100.bin", data100)
+        write_s = time.time() - t0
+        dim(f"Write took {write_s:.1f}s ({100 / write_s:.1f} MB/s)")
+        green("100MB write completed")
+
+        t1 = time.time()
+        read_back = await sandbox.files.read_bytes("/root/large100.bin")
+        read_s = time.time() - t1
+        dim(f"Read took {read_s:.1f}s ({100 / read_s:.1f} MB/s)")
+
+        check(
+            "Read returns correct size",
+            len(read_back) == len(data100),
+            f"got {len(read_back)}, expected {len(data100)}",
+        )
+        read_hash = sha256(read_back)
+        check("SHA-256 matches after read", read_hash == hash100)
+        print()
+
+        # ── Test 2: Download 100MB via signed URL ────────────────
+        bold("━━━ Test 2: Download 100MB via signed URL ━━━\n")
+
+        dl_url = await sandbox.download_url("/root/large100.bin", expires_in=300)
+        dim("Download URL generated")
+
+        t2 = time.time()
+        async with httpx.AsyncClient(timeout=120.0) as http:
+            dl_resp = await http.get(dl_url)
+        check("Signed URL returns 200", dl_resp.status_code == 200)
+
+        content_length = dl_resp.headers.get("content-length")
+        dim(f"Content-Length: {content_length}")
+        check("Content-Length is 100MB", content_length == str(len(data100)))
+
+        dl_data = dl_resp.content
+        dl_s = time.time() - t2
+        dim(f"Download took {dl_s:.1f}s ({100 / dl_s:.1f} MB/s)")
+
+        check("Downloaded size correct", len(dl_data) == len(data100))
+        dl_hash = sha256(dl_data)
+        check("SHA-256 matches via signed URL download", dl_hash == hash100)
+        print()
+
+        # ── Test 3: Upload 100MB via signed URL ──────────────────
+        bold("━━━ Test 3: Upload 100MB via signed URL ━━━\n")
+
+        up_url = await sandbox.upload_url("/root/uploaded100.bin")
+        dim("Upload URL generated")
+
+        t3 = time.time()
+        async with httpx.AsyncClient(timeout=120.0) as http:
+            up_resp = await http.put(up_url, content=data100)
+        up_s = time.time() - t3
+        dim(f"Upload took {up_s:.1f}s ({100 / up_s:.1f} MB/s)")
+        check("Upload returns 204", up_resp.status_code == 204)
+
+        up_read_back = await sandbox.files.read_bytes("/root/uploaded100.bin")
+        check("Uploaded file size correct", len(up_read_back) == len(data100))
+        up_hash = sha256(up_read_back)
+        check("SHA-256 matches after signed URL upload", up_hash == hash100)
+        print()
+
+        # ── Test 4: read_stream / write_stream (50MB) ────────────
+        bold("━━━ Test 4: read_stream / write_stream 50MB ━━━\n")
+
+        data50 = generate_data(50)
+        hash50 = sha256(data50)
+        dim(f"Generated 50MB data, SHA-256: {hash50[:16]}...")
+
+        # write_stream
+        t4 = time.time()
+        await sandbox.files.write_stream("/root/stream50.bin", byte_chunks(data50))
+        ws_s = time.time() - t4
+        dim(f"write_stream took {ws_s:.1f}s")
+        green("50MB write_stream completed")
+
+        # read_stream
+        t5 = time.time()
+        stream = await sandbox.files.read_stream("/root/stream50.bin")
+        stream_data = await collect_stream(stream)
+        rs_s = time.time() - t5
+        dim(f"read_stream took {rs_s:.1f}s")
+
+        check(
+            "read_stream returns correct size",
+            len(stream_data) == len(data50),
+            f"got {len(stream_data)}, expected {len(data50)}",
+        )
+        stream_hash = sha256(stream_data)
+        check("SHA-256 matches via read_stream", stream_hash == hash50)
+        print()
+
+    except Exception as e:
+        red(f"Fatal error: {e}")
+        import traceback
+
+        traceback.print_exc()
+        failed += 1
+    finally:
+        if sandbox:
+            await sandbox.kill()
+            green("Sandbox killed")
+
+    # --- Summary ---
+    bold("========================================")
+    bold(f" Results: {passed} passed, {failed} failed")
+    bold("========================================\n")
+    if failed > 0:
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    asyncio.run(main())

opencomputer_sdk-0.5.2/examples/test_secret_store_fork.py

@@ -0,0 +1,333 @@
+#!/usr/bin/env python3
+"""
+Test secret store inheritance on fork / create_from_checkpoint.
+
+Creates two secret stores, a sandbox with store A, checkpoints it,
+then forks with store B attached. Also tests snapshot + secretStore path.
+Verifies:
+  1. Secret env vars from both stores are present (layered merge)
+  2. Secrets are sealed in-guest (osb_sealed_* tokens, not plaintext)
+  3. Actual secret VALUES resolve correctly through the proxy (httpbin echo)
+  4. Store B's value wins on collision (SHARED_KEY override)
+  5. Snapshot + secretStore path works end-to-end
+
+Usage:
+  OPENCOMPUTER_API_URL=... OPENCOMPUTER_API_KEY=... python examples/test_secret_store_fork.py
+"""
+
+import asyncio
+import os
+import sys
+import time
+
+from opencomputer import Sandbox, SecretStore, Snapshots, Image
+
+GREEN = "\033[32m"
+RED = "\033[31m"
+BOLD = "\033[1m"
+DIM = "\033[2m"
+RESET = "\033[0m"
+
+passed = 0
+failed = 0
+
+
+def green(msg: str) -> None:
+    print(f"{GREEN}\u2713 {msg}{RESET}")
+
+
+def red(msg: str, detail: str = "") -> None:
+    suffix = f" \u2014 {detail}" if detail else ""
+    print(f"{RED}\u2717 {msg}{suffix}{RESET}")
+
+
+def bold(msg: str) -> None:
+    print(f"{BOLD}{msg}{RESET}")
+
+
+def dim(msg: str) -> None:
+    print(f"{DIM}  {msg}{RESET}")
+
+
+def check(desc: str, condition: bool, detail: str = "") -> None:
+    global passed, failed
+    if condition:
+        green(desc)
+        passed += 1
+    else:
+        red(desc, detail)
+        failed += 1
+
+
+async def main() -> None:
+    global passed, failed
+
+    suffix = int(time.time() * 1000)
+    store_a_name = f"fork-test-a-{suffix}"
+    store_b_name = f"fork-test-b-{suffix}"
+
+    # Random-ish values for httpbin verification
+    git_token_val = f"git_{os.urandom(12).hex()}"
+    shared_key_a_val = f"shared_a_{os.urandom(12).hex()}"
+    shared_key_b_val = f"shared_b_{os.urandom(12).hex()}"
+    api_key_val = f"api_{os.urandom(12).hex()}"
+
+    store_a_id: str | None = None
+    store_b_id: str | None = None
+    base_sandbox: Sandbox | None = None
+    forked_sandbox: Sandbox | None = None
+    snapshot_sandbox: Sandbox | None = None
+    snapshot_name: str | None = None
+
+    try:
+        # -- Setup: two secret stores -----------------------------------------
+        bold("\n=== 1. Setup: create two secret stores ===\n")
+
+        store_a = await SecretStore.create(
+            name=store_a_name,
+            egress_allowlist=["github.com", "httpbin.org"],
+        )
+        store_a_id = store_a["id"]
+        print(f"  Store A: {store_a_id} ({store_a_name})")
+
+        await SecretStore.set_secret(store_a_id, "GIT_TOKEN", git_token_val,
+                                     allowed_hosts=["github.com", "httpbin.org"])
+        await SecretStore.set_secret(store_a_id, "SHARED_KEY", shared_key_a_val,
+                                     allowed_hosts=["httpbin.org"])
+        dim(f"GIT_TOKEN = {git_token_val}")
+        dim(f"SHARED_KEY(A) = {shared_key_a_val}")
+        green("Store A created: GIT_TOKEN + SHARED_KEY, egress=[github.com, httpbin.org]")
+
+        store_b = await SecretStore.create(
+            name=store_b_name,
+            egress_allowlist=["api.anthropic.com", "httpbin.org"],
+        )
+        store_b_id = store_b["id"]
+        print(f"  Store B: {store_b_id} ({store_b_name})")
+
+        await SecretStore.set_secret(store_b_id, "API_KEY", api_key_val,
+                                     allowed_hosts=["api.anthropic.com", "httpbin.org"])
+        await SecretStore.set_secret(store_b_id, "SHARED_KEY", shared_key_b_val,
+                                     allowed_hosts=["httpbin.org"])
+        dim(f"API_KEY = {api_key_val}")
+        dim(f"SHARED_KEY(B) = {shared_key_b_val} (should override A)")
+        green("Store B created: API_KEY + SHARED_KEY(override), egress=[api.anthropic.com, httpbin.org]")
+
+        # -- Layer 1: sandbox with store A -------------------------------------
+        bold("\n=== 2. Create base sandbox with store A ===\n")
+
+        base_sandbox = await Sandbox.create(secret_store=store_a_name, timeout=120)
+        print(f"  Base sandbox: {base_sandbox.sandbox_id}")
+        await asyncio.sleep(5)
+
+        env_base = (await base_sandbox.exec.run("env")).stdout
+        check("Base has GIT_TOKEN", "GIT_TOKEN" in env_base)
+        check("Base has SHARED_KEY", "SHARED_KEY" in env_base)
+        check("Base does NOT have API_KEY", "API_KEY" not in env_base)
+
+        # Verify sealed
+        base_git_echo = (await base_sandbox.exec.run('printf %s "$GIT_TOKEN"')).stdout.strip()
+        check(
+            "Base: GIT_TOKEN is sealed (not plaintext)",
+            base_git_echo.startswith("osb_sealed_") and git_token_val not in base_git_echo,
+            f'got "{base_git_echo[:40]}..."',
+        )
+
+        # Verify values via httpbin
+        base_httpbin = (await base_sandbox.exec.run(
+            'curl -sS -m 10 https://httpbin.org/headers '
+            '-H "X-Git: $GIT_TOKEN" -H "X-Shared: $SHARED_KEY"'
+        )).stdout
+        check("Base: GIT_TOKEN value resolves via httpbin",
+              git_token_val in base_httpbin,
+              f"httpbin did not echo back {git_token_val}")
+        check("Base: SHARED_KEY(A) value resolves via httpbin",
+              shared_key_a_val in base_httpbin,
+              f"httpbin did not echo back {shared_key_a_val}")
+
+        # -- Checkpoint --------------------------------------------------------
+        bold("\n=== 3. Create checkpoint from base ===\n")
+
+        cp = await base_sandbox.create_checkpoint("fork-test-cp")
+        print(f"  Checkpoint: {cp['id']}")
+
+        for _ in range(30):
+            cps = await base_sandbox.list_checkpoints()
+            found = next((c for c in cps if c["id"] == cp["id"]), None)
+            if found and found.get("status") == "ready":
+                break
+            await asyncio.sleep(2)
+        green("Checkpoint ready")
+
+        # -- Layer 2: fork with store B ----------------------------------------
+        bold("\n=== 4. Fork from checkpoint with store B (secretStore inheritance) ===\n")
+
+        forked_sandbox = await Sandbox.create_from_checkpoint(
+            cp["id"],
+            secret_store=store_b_name,
+            timeout=120,
+        )
+        print(f"  Forked sandbox: {forked_sandbox.sandbox_id}")
+        await asyncio.sleep(5)
+
+        # -- 4a. Check env vars exist ------------------------------------------
+        bold("\n=== 4a. Verify secret env vars present ===\n")
+
+        env_fork = (await forked_sandbox.exec.run("env")).stdout
+        check("Fork has GIT_TOKEN (inherited from store A)", "GIT_TOKEN" in env_fork)
+        check("Fork has API_KEY (from store B)", "API_KEY" in env_fork)
+        check("Fork has SHARED_KEY (merged)", "SHARED_KEY" in env_fork)
+        check("Fork has HTTP_PROXY (secrets proxy active)", "HTTP_PROXY" in env_fork)
+
+        sealed_count = env_fork.count("osb_sealed_")
+        check(
+            f"Fork has 3 sealed secrets (got {sealed_count})",
+            sealed_count == 3,
+            "expected GIT_TOKEN(A) + SHARED_KEY(B override) + API_KEY(B)",
+        )
+
+        # -- 4b. Verify secrets are sealed -------------------------------------
+        bold("\n=== 4b. Verify secrets are sealed in-guest ===\n")
+
+        fork_git_echo = (await forked_sandbox.exec.run('printf %s "$GIT_TOKEN"')).stdout.strip()
+        check("Fork: GIT_TOKEN is sealed",
+              fork_git_echo.startswith("osb_sealed_") and git_token_val not in fork_git_echo,
+              f'got "{fork_git_echo[:40]}..."')
+
+        fork_api_echo = (await forked_sandbox.exec.run('printf %s "$API_KEY"')).stdout.strip()
+        check("Fork: API_KEY is sealed",
+              fork_api_echo.startswith("osb_sealed_") and api_key_val not in fork_api_echo,
+              f'got "{fork_api_echo[:40]}..."')
+
+        fork_shared_echo = (await forked_sandbox.exec.run('printf %s "$SHARED_KEY"')).stdout.strip()
+        check("Fork: SHARED_KEY is sealed",
+              fork_shared_echo.startswith("osb_sealed_") and shared_key_b_val not in fork_shared_echo,
+              f'got "{fork_shared_echo[:40]}..."')
+
+        # -- 4c. Verify actual VALUES via httpbin ------------------------------
+        bold("\n=== 4c. Verify actual secret values via httpbin (proxy substitution) ===\n")
+
+        fork_httpbin = (await forked_sandbox.exec.run(
+            'curl -sS -m 10 https://httpbin.org/headers '
+            '-H "X-Git: $GIT_TOKEN" '
+            '-H "X-Api: $API_KEY" '
+            '-H "X-Shared: $SHARED_KEY"'
+        )).stdout
+        dim(f"httpbin response (first 500 chars):")
+        dim(fork_httpbin.replace("\n", " ")[:500])
+
+        check("Fork: GIT_TOKEN value correct (inherited from A)",
+              git_token_val in fork_httpbin,
+              f"httpbin did not echo back {git_token_val}")
+        check("Fork: API_KEY value correct (from B)",
+              api_key_val in fork_httpbin,
+              f"httpbin did not echo back {api_key_val}")
+        check("Fork: SHARED_KEY has B's value (B override wins on collision)",
+              shared_key_b_val in fork_httpbin,
+              f"httpbin did not echo back B's value {shared_key_b_val}")
+        check("Fork: SHARED_KEY does NOT have A's value (overridden by B)",
+              shared_key_a_val not in fork_httpbin,
+              f"httpbin echoed A's value {shared_key_a_val} -- override did not work")
+
+        # -- 5. Snapshot/template path -----------------------------------------
+        bold("\n=== 5. Create snapshot template, fork with secretStore ===\n")
+
+        snapshots = Snapshots()
+        snapshot_name = f"fork-secret-test-{suffix}"
+        dim(f'Creating snapshot "{snapshot_name}" from base image...')
+        await snapshots.create(
+            name=snapshot_name,
+            image=Image.base().run_commands("echo 'template-ready' > /home/sandbox/marker.txt"),
+        )
+
+        for _ in range(30):
+            info = await snapshots.get(snapshot_name)
+            if info.get("status") == "ready":
+                break
+            await asyncio.sleep(2)
+        green(f'Snapshot "{snapshot_name}" ready')
+
+        snapshot_sandbox = await Sandbox.create(
+            snapshot=snapshot_name,
+            secret_store=store_b_name,
+            timeout=120,
+        )
+        print(f"  Snapshot-forked sandbox: {snapshot_sandbox.sandbox_id}")
+        await asyncio.sleep(5)
+
+        # Verify template content
+        marker = (await snapshot_sandbox.exec.run("cat /home/sandbox/marker.txt")).stdout.strip()
+        check("Snapshot fork: template content present (/home/sandbox/marker.txt)",
+              marker == "template-ready",
+              f'got "{marker}"')
+
+        # Verify secrets
+        env_snap = (await snapshot_sandbox.exec.run("env")).stdout
+        check("Snapshot fork: has API_KEY (from store B)", "API_KEY" in env_snap)
+        check("Snapshot fork: has SHARED_KEY (from store B)", "SHARED_KEY" in env_snap)
+        check("Snapshot fork: has HTTP_PROXY (secrets proxy active)", "HTTP_PROXY" in env_snap)
+
+        snap_api_echo = (await snapshot_sandbox.exec.run('printf %s "$API_KEY"')).stdout.strip()
+        check("Snapshot fork: API_KEY is sealed",
+              snap_api_echo.startswith("osb_sealed_") and api_key_val not in snap_api_echo,
+              f'got "{snap_api_echo[:40]}..."')
+
+        # Verify values via httpbin
+        snap_httpbin = (await snapshot_sandbox.exec.run(
+            'curl -sS -m 10 https://httpbin.org/headers '
+            '-H "X-Api: $API_KEY" '
+            '-H "X-Shared: $SHARED_KEY"'
+        )).stdout
+        dim(f"httpbin response (first 500 chars):")
+        dim(snap_httpbin.replace("\n", " ")[:500])
+
+        check("Snapshot fork: API_KEY value correct via httpbin",
+              api_key_val in snap_httpbin,
+              f"httpbin did not echo back {api_key_val}")
+        check("Snapshot fork: SHARED_KEY has B's value via httpbin",
+              shared_key_b_val in snap_httpbin,
+              f"httpbin did not echo back {shared_key_b_val}")
+
+        # -- Summary -----------------------------------------------------------
+        bold(f"\n=== Results: {passed} passed, {failed} failed ===\n")
+
+    finally:
+        bold("=== Cleanup ===")
+        if snapshot_sandbox:
+            try:
+                await snapshot_sandbox.kill()
+            except Exception:
+                pass
+        if forked_sandbox:
+            try:
+                await forked_sandbox.kill()
+            except Exception:
+                pass
+        if base_sandbox:
+            try:
+                await base_sandbox.kill()
+            except Exception:
+                pass
+        if snapshot_name:
+            try:
+                s = Snapshots()
+                await s.delete(snapshot_name)
+            except Exception:
+                pass
+        if store_b_id:
+            try:
+                await SecretStore.delete(store_b_id)
+            except Exception:
+                pass
+        if store_a_id:
+            try:
+                await SecretStore.delete(store_a_id)
+            except Exception:
+                pass
+        green("Cleanup done")
+
+    sys.exit(1 if failed > 0 else 0)
+
+
+if __name__ == "__main__":
+    asyncio.run(main())

{opencomputer_sdk-0.4.8 → opencomputer_sdk-0.5.2}/opencomputer/__init__.py

@@ -28,4 +28,4 @@ __all__ = [
     "Snapshots",
 ]
 
-__version__ = "0.5.1"
+__version__ = "0.5.2"

{opencomputer_sdk-0.4.8 → opencomputer_sdk-0.5.2}/opencomputer/filesystem.py

@@ -3,6 +3,7 @@
 from __future__ import annotations
 
 from dataclasses import dataclass
+from typing import AsyncIterator
 
 import httpx
 
@@ -42,9 +43,12 @@ class Filesystem:
         resp.raise_for_status()
         return resp.content
 
-    async def write(self, path: str, content: str | bytes) -> None:
-        """Write content to a file."""
-        data = content if isinstance(content, bytes) else content.encode()
+    async def write(self, path: str, content: str | bytes | AsyncIterator[bytes]) -> None:
+        """Write content to a file. Accepts str, bytes, or an async iterator of bytes for streaming."""
+        if isinstance(content, (str, bytes)):
+            data: str | bytes | AsyncIterator[bytes] = content if isinstance(content, bytes) else content.encode()
+        else:
+            data = content
         resp = await self._client.put(
             f"/sandboxes/{self._sandbox_id}/files",
             params={"path": path},

{opencomputer_sdk-0.4.8 → opencomputer_sdk-0.5.2}/opencomputer/sandbox.py

@@ -70,7 +70,9 @@ class Sandbox:
         if key:
             headers["X-API-Key"] = key
 
-        use_sse = on_build_log is not None and (image is not None or snapshot is not None)
+        # Always use SSE for image/snapshot creation to keep the connection alive
+        # through proxies (Cloudflare has a 100s idle timeout).
+        use_sse = image is not None or snapshot is not None
         if use_sse:
             headers["Accept"] = "text/event-stream"
 
@@ -185,9 +187,8 @@ class Sandbox:
 
     @property
     def _ops_client(self) -> httpx.AsyncClient:
-        """Return the client for data operations (direct worker if available, else CP)."""
-        if self._data_client is not None:
-            return self._data_client
+        """Return the client for data operations. Always goes through the CP,
+        which handles readiness waiting and proxies to workers."""
         return self._client
 
     async def kill(self) -> None:
@@ -217,6 +218,38 @@ class Sandbox:
         )
         resp.raise_for_status()
 
+    async def download_url(self, path: str, *, expires_in: int = 3600) -> str:
+        """Generate a signed download URL for a sandbox file.
+
+        The URL can be used by anyone (e.g. in a browser) without an API key.
+
+        Args:
+            path: Absolute path inside the sandbox.
+            expires_in: URL validity in seconds (default: 3600, max: 86400).
+        """
+        resp = await self._client.post(
+            f"/sandboxes/{self.sandbox_id}/files/download-url",
+            json={"path": path, "expiresIn": expires_in},
+        )
+        resp.raise_for_status()
+        return resp.json()["url"]
+
+    async def upload_url(self, path: str, *, expires_in: int = 3600) -> str:
+        """Generate a signed upload URL for a sandbox file.
+
+        The URL can be used by anyone to PUT file content without an API key.
+
+        Args:
+            path: Absolute path inside the sandbox.
+            expires_in: URL validity in seconds (default: 3600, max: 86400).
+        """
+        resp = await self._client.post(
+            f"/sandboxes/{self.sandbox_id}/files/upload-url",
+            json={"path": path, "expiresIn": expires_in},
+        )
+        resp.raise_for_status()
+        return resp.json()["url"]
+
     @property
     def agent(self) -> Agent:
         """Access Claude Agent SDK sessions."""
@@ -302,6 +335,8 @@ class Sandbox:
         timeout: int = 300,
         api_key: str | None = None,
         api_url: str | None = None,
+        envs: dict[str, str] | None = None,
+        secret_store: str | None = None,
     ) -> Sandbox:
         """Create a new sandbox from an existing checkpoint (fork).
 
@@ -310,6 +345,10 @@ class Sandbox:
             timeout: Sandbox timeout in seconds (default 300).
             api_key: API key (or OPENCOMPUTER_API_KEY env var).
             api_url: API URL (or OPENCOMPUTER_API_URL env var).
+            envs: Environment variables to override on the fork.
+            secret_store: Secret store name to attach. If the checkpoint
+                already has a store, secrets are merged (new store wins
+                on collision, egress allowlists aggregate).
         """
         url = api_url or os.environ.get("OPENCOMPUTER_API_URL", "https://app.opencomputer.dev")
         url = url.rstrip("/")
@@ -323,9 +362,15 @@ class Sandbox:
 
         client = httpx.AsyncClient(base_url=api_base, headers=headers, timeout=120.0)
 
+        body: dict[str, Any] = {"timeout": timeout}
+        if envs:
+            body["envs"] = envs
+        if secret_store:
+            body["secretStore"] = secret_store
+
         resp = await client.post(
             f"/sandboxes/from-checkpoint/{checkpoint_id}",
-            json={"timeout": timeout},
+            json=body,
         )
         resp.raise_for_status()
         data = resp.json()

{opencomputer_sdk-0.4.8 → opencomputer_sdk-0.5.2}/opencomputer/snapshot.py

@@ -66,21 +66,19 @@ class Snapshots:
         """
         body = {"name": name, "image": image.to_dict()}
 
-        if on_build_logs is not None:
-            headers = {**self._headers, "Accept": "text/event-stream"}
-            client = httpx.AsyncClient(
-                base_url=self._api_base, headers=headers, timeout=300.0,
-            )
-            try:
-                async with client.stream("POST", "/snapshots", json=body) as resp:
-                    resp.raise_for_status()
-                    return await parse_sse_stream(resp, on_build_logs)
-            finally:
-                await client.aclose()
-
-        resp = await self._client.post("/snapshots", json=body)
-        resp.raise_for_status()
-        return resp.json()
+        # Always use SSE streaming — builds can take minutes and
+        # non-streaming requests will hit Cloudflare 524 timeouts.
+        headers = {**self._headers, "Accept": "text/event-stream"}
+        log_fn = on_build_logs if on_build_logs is not None else lambda _: None
+        client = httpx.AsyncClient(
+            base_url=self._api_base, headers=headers, timeout=600.0,
+        )
+        try:
+            async with client.stream("POST", "/snapshots", json=body) as resp:
+                resp.raise_for_status()
+                return await parse_sse_stream(resp, log_fn)
+        finally:
+            await client.aclose()
 
     async def list(self) -> list[dict[str, Any]]:
         """List all named snapshots for the current org."""

{opencomputer_sdk-0.4.8 → opencomputer_sdk-0.5.2}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "opencomputer-sdk"
-version = "0.4.8"
+version = "0.5.2"
 description = "Python SDK for OpenComputer - cloud sandbox platform"
 readme = "README.md"
 requires-python = ">=3.10"