Releases: opensandbox-group/OpenSandbox

components/execd 1.0.19

15 Jun 06:17
26292cd

What's New

✨ Features

  • PTY session takeover for device handoff. New ?takeover=1 query parameter on GET /pty/:sessionId/ws lets a second client reclaim a live PTY session instead of getting 409 ALREADY_CONNECTED. The existing holder is evicted with close code 4001 (TAKEN_OVER), the shell process keeps running untouched, and the new client can replay scrollback via ?since=<offset> for seamless screen restore. Enables desktop ⇄ mobile session handoff without restarting the shell. Fully backward compatible — without the flag, behavior is unchanged. (#997)

  • PTY custom command execution. POST /pty now accepts an optional command field. When set, the PTY session runs bash -c <command> for one-shot terminal I/O instead of an interactive shell. When omitted, behavior is unchanged (interactive bash). (#1032)

  • Directory listing endpoint. New GET /directories/list endpoint with depth-controlled directory traversal (default depth=1 for immediate children). Also adds a type field (file, directory, symlink, other) to FileInfo responses — /files/info now uses Lstat so symlinks are reported as symlinks instead of being resolved to their target type. Supported across all five SDKs. (#1001)

  • Line-based file reading. GET /files/download now supports offset (1-based line number) and limit (line count) query parameters for line-based reads, mutually exclusive with the existing Range header. Uses streaming bufio.Reader without buffering the entire file. Updated across OpenAPI spec and all SDKs. (#1030)

  • Replace file content feedback. POST /files/replace now returns a replacedCount per file, so callers can detect no-match (replacedCount=0) and multi-match scenarios. The response changing from an empty body to JSON is non-breaking; old SDKs that ignore the body continue to work. Updated across all SDKs and MCP server. (#991)

  • OTLP endpoint auto-discovery. When neither OTEL_EXPORTER_OTLP_METRICS_ENDPOINT nor OTEL_EXPORTER_OTLP_ENDPOINT is set, execd now resolves the node IP from HOST_IP env var or /etc/hostinfo and points the OTLP/HTTP exporter at <node-ip>:4318. Eliminates the need for callers to template the full endpoint URL. (#963)

  • Supervisor binary in container image. The opensandbox-supervisor binary (built from components/internal/cmd/supervisor) is now included in the execd runtime image for future process management use. (#1056)
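
The Lstat-based type reporting and depth-limited listing described above for GET /directories/list and /files/info, as an added Go example that is not execd's code. The function names and the map-based result are assumptions; only the four type values and the depth=1 default come from the notes.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// typeOf maps a file mode to the four type values named in the release notes.
func typeOf(m fs.FileMode) string {
	switch {
	case m&fs.ModeSymlink != 0:
		return "symlink"
	case m.IsDir():
		return "directory"
	case m.IsRegular():
		return "file"
	}
	return "other"
}

// List records path -> type for everything under root, descending at most
// depth levels (1 = immediate children). Lstat inspects the link itself, so
// a symlink is reported as "symlink" and never followed out of the tree.
func List(root string, depth int, out map[string]string) error {
	names, err := os.ReadDir(root)
	if err != nil {
		return fmt.Errorf("list %s: %w", root, err)
	}
	for _, de := range names {
		p := filepath.Join(root, de.Name())
		info, err := os.Lstat(p)
		if err != nil {
			return fmt.Errorf("lstat %s: %w", p, err)
		}
		out[p] = typeOf(info.Mode())
		if info.IsDir() && depth > 1 {
			if err := List(p, depth-1, out); err != nil {
				return err
			}
		}
	}
	return nil
}

func main() {
	out := map[string]string{}
	fmt.Println(List(".", 1, out), out)
}
```

Because the walk descends only when Lstat reports a real directory, a symlink that points outside the listed tree contributes a single "symlink" entry and nothing beneath it.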

🐛 Bug Fixes

  • GET /files/info now returns 404 for missing paths instead of 500. Two cooperating bugs — fmt.Errorf using %s instead of %w (stripping the os.ErrNotExist sentinel) and os.IsNotExist not walking wrapped errors — made the 404 branch in handleFileError unreachable. Both fixed. (#1026)

  • POST /files/mv now returns 404 for missing source instead of 500. Same sentinel-stripping pattern as #1026 in RenameFile: changing %s to %w fixes the error chain so handleFileError reaches its 404 branch. (#1028)

  • MakeDir no longer chmod/chown pre-existing directories. Previously MakeDir applied ChmodFile unconditionally, which could change permissions on directories that already existed. Now checks existence first and only applies permissions to newly created dirs. SetFileOwnership also returns nil when both owner and group are empty. (#1025)
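
The MakeDir behavior described above, as an added Go example that is not execd's implementation. MakeDir and Perm here are hypothetical helpers, and creating missing parents with MkdirAll is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
)

// MakeDir creates path (and any missing parents) with the given mode and
// reports whether this call created it. A directory that already exists is
// left exactly as found: no chmod, no chown.
func MakeDir(path string, mode fs.FileMode) (bool, error) {
	info, err := os.Stat(path)
	switch {
	case err == nil && info.IsDir():
		return false, nil // pre-existing: permissions stay untouched
	case err == nil:
		return false, fmt.Errorf("mkdir %s: %w", path, fs.ErrExist)
	case !errors.Is(err, fs.ErrNotExist):
		return false, fmt.Errorf("stat %s: %w", path, err)
	}
	if err := os.MkdirAll(path, mode); err != nil {
		return false, fmt.Errorf("mkdir %s: %w", path, err)
	}
	// MkdirAll is subject to the umask, so apply the requested mode
	// explicitly, and only to the directory this call created.
	if err := os.Chmod(path, mode); err != nil {
		return false, fmt.Errorf("chmod %s: %w", path, err)
	}
	return true, nil
}

// Perm returns the permission bits of path, or 0 if it cannot be read.
func Perm(path string) fs.FileMode {
	info, err := os.Stat(path)
	if err != nil {
		return 0
	}
	return info.Mode().Perm()
}

func main() {
	dir, _ := os.MkdirTemp("", "makedir-example-") // constructed scratch directory
	defer os.RemoveAll(dir)
	os.Chmod(dir, 0o700)
	created, err := MakeDir(dir, 0o755)
	fmt.Println(created, err, Perm(dir)) // the existing directory keeps mode 0700
}
```

The check-then-create sequence leaves a window between Stat and MkdirAll; where callers can race, creating with os.Mkdir and treating fs.ErrExist as "pre-existing" closes it.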

📦 Misc

  • Modernize all os.IsNotExist calls to errors.Is(err, fs.ErrNotExist) across 7 callsites in 5 files, matching Go's recommended idiom. Also makes a pre-emptive %s → %w fix for sentinel loss in ValidateWorkingDir. (#1029)
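
The two cooperating bugs behind #1026, #1028 and #1029, as an added Go example that is not execd's code. The function names and the constructed path are assumptions; the status mapping stands in for the 404 branch of handleFileError.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"net/http"
	"os"
)

// statFlattened formats the cause with %s, which keeps only its text.
func statFlattened(path string) error {
	if _, err := os.Lstat(path); err != nil {
		return fmt.Errorf("stat %s: %s", path, err)
	}
	return nil
}

// statWrapped formats the cause with %w, which keeps it in the error chain.
func statWrapped(path string) error {
	if _, err := os.Lstat(path); err != nil {
		return fmt.Errorf("stat %s: %w", path, err)
	}
	return nil
}

// statusLegacy uses os.IsNotExist, which does not look through fmt.Errorf wrappers.
func statusLegacy(err error) int {
	if os.IsNotExist(err) {
		return http.StatusNotFound
	}
	return http.StatusInternalServerError
}

// statusFor uses errors.Is, which walks the whole chain.
func statusFor(err error) int {
	if errors.Is(err, fs.ErrNotExist) {
		return http.StatusNotFound
	}
	return http.StatusInternalServerError
}

func main() {
	const missing = "/nonexistent/constructed-sample-path" // constructed path
	fmt.Println(statusLegacy(statFlattened(missing))) // %s with os.IsNotExist
	fmt.Println(statusLegacy(statWrapped(missing)))   // %w with os.IsNotExist
	fmt.Println(statusFor(statFlattened(missing)))    // %s with errors.Is
	fmt.Println(statusFor(statWrapped(missing)))      // %w with errors.Is
}
```

Only the last combination reaches the 404 branch, which is why fixing either bug alone still returned 500.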

  • Docker Hub: opensandbox/execd:v1.0.19
  • Aliyun Registry: sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/execd:v1.0.19

components/egress 1.1.0

12 Jun 11:10
8768395

What's New

⚠️ Breaking Changes

  • Mitmproxy static options moved from hardcoded flags to config.yaml — all static mitmproxy options (mode, listen_host, stream_large_bodies, ssl_verify_upstream_trusted_confdir, ignore_hosts) are now declared in a baked-in config.yaml under the standard mitm confdir layout. launch.go retains only per-deployment dynamic flags (--set driven by env vars). This change fixes two latent bugs: stream_large_bodies was set to 1m in launch.go but overridden to 10m by custom.py (the launch.go value was dead code), and ignore_hosts with multiple entries was silently truncated to only the last value because each --set on a list option replaces the entire list. Two environment variables have been removed:

    • OPENSANDBOX_EGRESS_MITMPROXY_CONFDIR — removed because it would break config.yaml discovery.
    • OPENSANDBOX_EGRESS_MITMPROXY_IGNORE_HOSTS — replaced by the yaml-native list in config.yaml (the env-based path was the root cause of the silent-overwrite bug).

    Migration: if you relied on OPENSANDBOX_EGRESS_MITMPROXY_IGNORE_HOSTS, add entries directly to the ignore_hosts list in config.yaml. Override paths: (1) downstream image COPY over the baked-in path, (2) K8s ConfigMap subPath mount, or (3) single-option --set via the documented dynamic env vars. A /egress symlink → /opt/opensandbox-egress/egress is preserved for tooling that references the pre-#951 path. (#975)

✨ Features

  • Credential vault support — egress now participates in the new credential vault injection pipeline. Sandboxes can receive injected credentials (API keys, tokens, OAuth) via the vault system, with egress handling the network-policy side of credential-bearing outbound requests. Part of a cross-cutting feature spanning server, egress, SDKs, and Kubernetes. (#1009)

📝 Documentation

  • Supervisor and API documentation overhaul — added a dedicated opensandbox-supervisor README covering all flags, backoff behavior, crashloop breaker, hooks, and event log schema. Egress README updated with correct Go version (1.24 → 1.25), added PUT/DELETE/healthz endpoint docs, always-rules file reference, DNS upstream env vars, and SSL_INSECURE documentation. Supervisor section now links to the internal supervisor docs. (#984)

  • Docker Hub: opensandbox/egress:v1.1.0
  • Aliyun Registry: sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.1.0

sandboxes/code-interpreter 1.1.0

11 Jun 01:51
d2fba03

What's New

⚠️ Breaking Changes

  • Migrate code-interpreter paths from /opt/opensandbox to /opt/code-interpreter — all code-interpreter entrypoint, env script, and log paths have moved from /opt/opensandbox/ to /opt/code-interpreter/. Consumers who hardcode the entrypoint /opt/opensandbox/code-interpreter.sh must update to /opt/code-interpreter/code-interpreter.sh. Users who pin a specific tag (e.g., v1.0.2) are unaffected — existing tagged images remain immutable. See the full migration guide in (#1012)

✨ Features

  • Sign and attest release artifacts — code-interpreter Docker images are now signed with Sigstore/cosign keyless signing and published with GitHub attestations. Supports verification of image authenticity and integrity. (#827)
  • Add seccomp-based clone3 fallback in execd — inside the sandbox, execd now falls back from clone3 to clone when the seccomp profile blocks clone3, improving compatibility with older kernels and restrictive seccomp policies. (#518)

🐛 Bug Fixes

  • Skip repeated tslab install on startup — the code-interpreter startup script now checks whether tslab and its Jupyter kernelspecs are already installed before re-running npm install -g tslab and tslab install, reducing cold-start time for pre-built images. (#960)

📦 Misc

  • Add Dockerfile.dockerignore to reduce build context — shrinks the Docker build context sent to the builder, speeding up image builds. (#718)

  • Docker Hub: opensandbox/code-interpreter:v1.1.0
  • Aliyun Registry: sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/code-interpreter:v1.1.0

go/sandbox 1.0.2

08 Jun 08:57
bb47d01

What's New

Features

  • Added skipAccumulation support for execution handlers. When enabled, stdout/stderr events are still delivered to callbacks but are not appended to accumulated execution logs, preventing unbounded memory growth for long-running streamed commands. #990
  • Added PlatformSpec support to sandbox creation APIs, including CreateSandboxRequest.Platform, SandboxInfo.Platform, and SandboxCreateOptions.Platform. This lets Go callers request specific OS/architecture targets such as Windows sandboxes. #921
  • Added SDK model support for PVC auto-provisioning fields. #749
  • Added SecureAccess support for sandbox creation. This is opt-in and currently supported by Kubernetes ingress gateway mode. #745

Misc

  • Lowered the Go module target to Go 1.20 and slimmed test dependencies. #707

python/sandbox 0.1.10

08 Jun 09:42
3020f50

What's New

Behavior Changes

  • Sandbox Pool now skips idle sandboxes that are too close to expiry before returning them from pool.acquire(). This avoids a race where checkReady can time out because the selected sandbox expires server-side before it can be renewed. The default threshold is min(60s, idle_timeout / 2) and can be disabled with acquire_min_remaining_ttl=timedelta(0). #986

Features

  • Added skip_accumulation support for execution handlers. When enabled, stdout/stderr events are still delivered to callbacks but are not appended to ExecutionLogs, allowing long-running or high-output executions to stream with constant memory. #990
  • Added SDK model support for PVC auto-provisioning fields. #749
  • Added secure_access support for sandbox creation and endpoint access headers. This is opt-in and currently supported by Kubernetes ingress gateway mode. #745

Bug Fixes

  • The Python SSE parser now tolerates traceback: null from older or mixed execd deployments, keeping command-start error handling compatible across versions. #701
  • Pool warmup now renews sandboxes before returning them to idle state, keeping store TTL and server-side TTL aligned. #986

Misc

  • Updated dependency lockfiles, including idna and pytest updates from Dependabot.

js/sandbox 0.1.8

08 Jun 08:57
bb47d01

What's New

Features

  • Added skipAccumulation support for execution handlers. When enabled, stdout/stderr events are still delivered to callbacks but are not appended to accumulated execution logs, preventing unbounded memory growth for long-running streamed commands. #990
  • Added SDK model support for PVC auto-provisioning fields. #749
  • Added secureAccess support for sandbox creation and endpoint access headers. This is opt-in and currently supported by Kubernetes ingress gateway mode. #745

Bug Fixes

  • The /ping health check now treats an empty HTTP 200 response body as healthy while preserving existing error mapping for non-2xx responses. #905

Security

  • Pinned the transitive fast-uri dependency to 3.1.2 to address high-severity advisories GHSA-q3j6-qgpj-74h6 and GHSA-v39h-62p7-jpjc. #909

java/sandbox 1.0.12

08 Jun 08:45
bb47d01

What's New

Behavior Changes

  • Sandbox Pool now skips idle sandboxes that are too close to expiry before returning them from pool.acquire(). This avoids a race where checkReady can time out because the selected sandbox expires server-side before it can be renewed. The default threshold is min(60s, idleTimeout / 2) and can be disabled with Duration.ZERO. #986

Features

  • Added skipAccumulation support for execution handlers. When enabled, stdout/stderr events are still delivered to callbacks but are not appended to accumulated execution logs, preventing unbounded memory growth for long-running streamed commands. #990
  • Added SDK model support for PVC auto-provisioning fields. #749
  • Added secureAccess support to sandbox builders and pool creation specs, including endpoint header propagation and log redaction. This is opt-in and currently supported by Kubernetes ingress gateway mode. #745

Bug Fixes

  • Command timeout APIs now use java.time.Duration as the primary public type for better Java interoperability. Deprecated kotlin.time.Duration overloads remain for migration. #928
  • Expected FILE_NOT_FOUND responses from filesystem reads now log at DEBUG instead of ERROR, while still propagating the same exception to callers. #923
  • Pool idle TTL handling now goes through a state-store hook so in-memory pool TTL and configured idle timeout stay aligned. #708

java/code-interpreter 1.0.12

08 Jun 10:37
9b53255

What's New

Compatibility

  • Bumped the Kotlin Code Interpreter package to 1.0.12 and aligned its Kotlin Sandbox SDK dependency to 1.0.12, matching the latest sandbox release train.

csharp/sandbox 0.1.2

08 Jun 08:57
bb47d01

What's New

Features

  • Added skipAccumulation support for execution handlers. When enabled, stdout/stderr events are still delivered to callbacks but are not appended to accumulated execution logs, preventing unbounded memory growth for long-running streamed commands. #990
  • Added SDK model support for PVC auto-provisioning fields. #749
  • Added SecureAccess support for sandbox creation and endpoint access headers. This is opt-in and currently supported by Kubernetes ingress gateway mode. #745

components/egress 1.0.13

05 Jun 11:02
58f3aa4

What's New

✨ Features

  • DELETE /policy endpoint for removing egress rules — new DELETE /policy handler accepts a JSON array of target strings and removes matching rules case-insensitively. Targets not found are silently ignored (idempotent). API spec and README updated. (#864)

  • Supervisor + cleanup hook — egress now runs under a dedicated single-worker supervisor (opensandbox-supervisor). Previously, a hard crash left stale iptables/nft rules and a zombie mitmdump holding port 18081; restarting the container would accumulate duplicate rules while the new mitmdump failed to bind, sending the in-process watchdog (#942) into a retry loop. The supervisor provides exponential backoff with jitter, a crashloop circuit breaker, JSONL event logging, and SIGTERM forwarding with a configurable grace period (20 s) before SIGKILL. A new cleanup.sh script runs as both pre-start and post-exit hook, idempotently resetting iptables DNS REDIRECT rules, transparent-HTTP rules, the nftables opensandbox table, and stray mitmdump processes. The script never exits non-zero so a misbehaving cleanup cannot block restarts. (#951)

  • OTLP endpoint auto-discovery from node IP — when neither OTEL_EXPORTER_OTLP_METRICS_ENDPOINT nor OTEL_EXPORTER_OTLP_ENDPOINT is set, egress now resolves the node IP from the HOST_IP env var (then /etc/hostinfo as fallback) and points the OTLP/HTTP exporter at <node-ip>:4318 over plaintext. No need to template the full endpoint URL in environments where only a node IP is available. (#963)

🐛 Bug Fixes

  • Retry mitmdump restart with backoff instead of giving up — previously, if Launch or WaitListenPort failed during a restart (e.g. under node memory pressure that just OOM-killed mitmdump), the watchdog goroutine would log "giving up" and return, leaving egress in a silent dead state with no future restarts. Replaced the one-shot restart with restartWithBackoff: retry forever with exponential backoff (1 s → 30 s), kill half-launched processes, drain stale exit signals on success, and respect context cancellation. The readiness gate stays false across the retry window so Kubernetes drains traffic until mitmdump is healthy again. (#942)

📦 Misc

  • Reduced outbound log verbosity. (#964)

  • Docker Hub: opensandbox/egress:v1.0.13
  • Aliyun Registry: sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opensandbox/egress:v1.0.13