Add Cloudflare Sandbox provider#431
Conversation
Add the Cloudflare Sandbox delegated-run provider skeleton, registration, bridge client contract, read-only doctor, and secret-safe config/flag plumbing. Runtime lifecycle and command execution remain explicit unsupported stubs for the follow-up runtime plan.
Add Cloudflare Sandbox delegated run, sync, lifecycle, cleanup, and env-stripping behavior behind the existing provider contract.\n\nThe runtime uses fake bridge tests for create, archive upload/extract, SSE/buffered exec output, retained claims, status/list/stop/cleanup, and provider-auth env stripping so Plan 02 stays deterministic without live Cloudflare writes.
Record the bridge-returned sandbox ID in the local lease claim so bridges that generate IDs and echo request metadata remain usable. Verify persisted ownership metadata before writing local claims, decode streamed SSE output only when the frame declares base64 encoding, fail doctor on unhealthy bridge or OpenAPI readiness failures, serialize reused lifecycle operations, classify missing sandboxes only from typed HTTP 404 responses, and strip legacy Cloudflare credential environment variables before remote execution.
8fc2b37 to
8964edc
Compare
|
Codex review: needs real behavior proof before merge. Reviewed June 23, 2026, 8:45 PM ET / 00:45 UTC. Summary Reproducibility: yes. from source inspection: the PR client request structs and routes differ from the Cloudflare Sandbox SDK bridge source and worker README, so a real bridge would reject or misparse core operations. Review metrics: 1 noteworthy metric.
Root-cause cluster Members:
Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything. Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Proof guidance:
Risk before merge
Maintainer options:
Next step before merge
Security Review findings
Review detailsBest possible solution: Align the provider with the official Cloudflare Sandbox bridge or explicitly define a maintainer-approved Crabbox bridge extension, then require redacted live bridge proof before merge. Do we have a high-confidence way to reproduce the issue? Yes from source inspection: the PR client request structs and routes differ from the Cloudflare Sandbox SDK bridge source and worker README, so a real bridge would reject or misparse core operations. Is this the best way to solve the issue? No; the separated delegated-run provider shape is plausible, but the implementation must first match the official bridge contract or intentionally document and test a maintainer-approved Crabbox bridge extension. Full review comments:
Overall correctness: patch is incorrect AGENTS.md: found and applied where relevant. Codex review notes: model internal, reasoning high; reviewed against 1468e704228e. Label changesLabel changes:
Label justifications:
Evidence reviewedWhat I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
|
Closes #368
Summary
cloudflare-sandboxdelegated-run provider backed by the Cloudflare Sandbox bridge contract/workspaceworkdir confinement, secret stripping, remote metadata validation, and redacted repository metadataVerification
go test ./internal/providers/cloudflaresandbox ./internal/providers/all ./internal/clinode scripts/check-provider-matrix.mjsgo vet ./...scripts/check-docs.shgit diff --checkgo test ./...Notes