Files
wehub-resource-sync e0e362d700
SDK Tests / changes (push) Waiting to run
SDK Tests / Python SDK Tests (sandbox) (push) Blocked by required conditions
SDK Tests / CLI Quality (push) Blocked by required conditions
SDK Tests / CLI Tests (push) Blocked by required conditions
SDK Tests / Python SDK Quality (code-interpreter) (push) Blocked by required conditions
SDK Tests / Python SDK Quality (sandbox) (push) Blocked by required conditions
SDK Tests / Python SDK Tests (code-interpreter) (push) Blocked by required conditions
SDK Tests / JavaScript SDK Quality And Tests (code-interpreter) (push) Blocked by required conditions
SDK Tests / JavaScript SDK Quality And Tests (sandbox) (push) Blocked by required conditions
Deploy Docs Pages / build (push) Waiting to run
Deploy Docs Pages / deploy (push) Blocked by required conditions
Real E2E Tests / changes (push) Waiting to run
Real E2E Tests / Python E2E (docker bridge) (push) Blocked by required conditions
Real E2E Tests / Java E2E (docker bridge) (push) Blocked by required conditions
Real E2E Tests / JavaScript E2E (docker bridge) (push) Blocked by required conditions
Real E2E Tests / C# E2E (docker bridge) (push) Blocked by required conditions
Real E2E Tests / Go E2E (docker bridge) (push) Blocked by required conditions
Real E2E Tests / Real E2E CI (push) Blocked by required conditions
SDK Tests / Kotlin SDK Quality And Tests (sandbox) (push) Blocked by required conditions
SDK Tests / Kotlin SDK Quality And Tests (code-interpreter) (push) Blocked by required conditions
SDK Tests / C# SDK Quality And Tests (code-interpreter) (push) Blocked by required conditions
SDK Tests / C# SDK Quality And Tests (sandbox) (push) Blocked by required conditions
SDK Tests / Go SDK Quality And Tests (push) Blocked by required conditions
SDK Tests / SDK CI (push) Blocked by required conditions
chore: import upstream snapshot with attribution
2026-07-13 13:39:33 +08:00

9.1 KiB

title, description
title description
API Specifications OpenAPI specification documents defining the complete API interfaces and data models for OpenSandbox.

OpenSandbox API Specifications

This section contains the OpenAPI specification documents for the OpenSandbox project, defining the complete API interfaces and data models. Use the server base URLs defined in each spec (for example, http://localhost:8080/v1 for the lifecycle API, http://localhost:44772 for execd, and http://localhost:18080 for egress) when constructing requests.

Specification Files

1. sandbox-lifecycle.yml

Sandbox Lifecycle Management API

Defines the complete lifecycle interfaces for creating, managing, and destroying sandbox environments from container images or snapshots.

Core Features:

  • Sandbox Management: Create, list, query, and delete sandbox instances with metadata filters and pagination
  • State Control: Pause and resume sandbox execution
  • Lifecycle States: Supports transitions across Pending -> Running -> Pausing -> Paused -> Stopping -> Terminated, and error handling with Failed
  • Resource & Runtime Configuration: Specify CPU/memory/GPU resource limits, image startup entrypoint, optional secureAccess, environment variables, and opaque extensions
  • Image Support: Create sandboxes from public or private registries, including registry auth
  • Timeout Management: Optional timeout on creation (omit or set to null to disable automatic expiration) with explicit renewal via API
  • Endpoint Access: Retrieve public access endpoints for services running inside sandboxes, including required headers when secured access is enabled
  • Snapshot Management: Create snapshots from sandboxes, list snapshots, and delete snapshots

Main Endpoints (base path /v1):

  • POST /sandboxes - Create a sandbox from an image or snapshot with timeout and resource limits
  • GET /sandboxes - List sandboxes with state/metadata filters and pagination
  • GET /sandboxes/{sandboxId} - Get full sandbox details (including startup source and entrypoint)
  • DELETE /sandboxes/{sandboxId} - Delete a sandbox
  • POST /sandboxes/{sandboxId}/snapshots - Create a snapshot from a sandbox
  • GET /snapshots - List snapshots with optional sandbox filtering and pagination
  • GET /snapshots/{snapshotId} - Get snapshot state and metadata
  • DELETE /snapshots/{snapshotId} - Delete a snapshot
  • POST /sandboxes/{sandboxId}/pause - Pause a sandbox (asynchronous)
  • POST /sandboxes/{sandboxId}/resume - Resume a paused sandbox
  • POST /sandboxes/{sandboxId}/renew-expiration - Renew sandbox expiration (TTL)
  • PATCH /sandboxes/{sandboxId}/metadata - Patch sandbox metadata (JSON Merge Patch, RFC 7396)
  • GET /sandboxes/{sandboxId}/endpoints/{port} - Get an access endpoint for a service port

Authentication:

  • HTTP Header: OPEN-SANDBOX-API-KEY: your-api-key
  • Environment Variable: OPEN_SANDBOX_API_KEY (for SDK clients)

2. diagnostic-api.yml

Sandbox Diagnostics API

Defines best-effort troubleshooting descriptors for sandbox diagnostic logs and events. The descriptors either embed plain-text diagnostic content inline or return a download URL for the content. This spec does not define a structured audit or observability model.

Main Endpoints (base path /v1):

  • GET /sandboxes/{sandboxId}/diagnostics/logs - Retrieve a diagnostic log content descriptor for an optional scope
  • GET /sandboxes/{sandboxId}/diagnostics/events - Retrieve a diagnostic event content descriptor for an optional scope

Authentication:

  • HTTP Header: OPEN-SANDBOX-API-KEY: your-api-key
  • Environment Variable: OPEN_SANDBOX_API_KEY (for SDK clients)

3. execd-api.yaml

Code Execution API Inside Sandbox

Defines interfaces for executing code, commands, and file operations within sandbox environments, providing complete code interpreter and filesystem management capabilities. All endpoints require the X-EXECD-ACCESS-TOKEN header.

Core Features:

  • Code Execution: Stateful code execution supporting Python, JavaScript, and other languages with context lifecycle management
  • Command Execution: Shell command execution with foreground/background modes and polling endpoints for status/output
  • File Operations: Complete CRUD operations for files and directories
  • Real-time Streaming: Real-time output streaming via SSE (Server-Sent Events)
  • System Monitoring: Real-time monitoring of CPU and memory metrics
  • Access Control: Token-based API authentication via X-EXECD-ACCESS-TOKEN

Main Endpoint Categories:

Health Check:

  • GET /ping - Service health check

Code Interpreter:

  • GET /code/contexts - List active code execution contexts (filterable by language)
  • DELETE /code/contexts - Delete all contexts for a language
  • DELETE /code/contexts/{context_id} - Delete a specific context
  • POST /code/context - Create a code execution context
  • POST /code - Execute code in a context (streaming output)
  • DELETE /code - Interrupt code execution

Command Execution:

  • POST /command - Execute shell command (streaming output)
  • DELETE /command - Interrupt command execution
  • GET /command/status/{id} - Get foreground/background command status
  • GET /command/{id}/logs - Fetch accumulated stdout/stderr for a background command

Bash Session:

  • POST /session - Create a bash session
  • POST /session/{sessionId}/run - Run command in a bash session (streaming output)
  • DELETE /session/{sessionId} - Delete a bash session

Filesystem:

  • GET /files/info - Get metadata for files
  • DELETE /files - Delete files (not directories)
  • POST /files/permissions - Change file permissions
  • POST /files/mv - Move/rename files
  • GET /files/search - Search files (supports glob patterns)
  • POST /files/replace - Batch replace file content
  • POST /files/upload - Upload files (multipart)
  • GET /files/download - Download files (supports range requests)

Directory Operations:

  • GET /directories/list - List directory contents with optional depth control
  • POST /directories - Create directories with permissions (mkdir -p semantics)
  • DELETE /directories - Recursively delete directories

System Metrics:

  • GET /metrics - Get system resource metrics
  • GET /metrics/watch - Watch system metrics in real-time (SSE stream)

Isolated Execution (base path /v1/isolated):

  • POST /session - Create an isolated bash session
  • GET /capabilities - Get isolator capabilities
  • GET /session/{sessionId} - Get isolated session state
  • DELETE /session/{sessionId} - Delete an isolated session
  • POST /session/{sessionId}/run - Run code in an isolated session (SSE streaming)
  • GET /session/{sessionId}/diff - Download upper directory diff
  • POST /session/{sessionId}/commit - Commit upper changes to workspace
  • GET /session/{sessionId}/files/info - Get file information
  • GET /session/{sessionId}/files/download - Download a file
  • POST /session/{sessionId}/files/upload - Upload a file
  • DELETE /session/{sessionId}/files - Remove files
  • POST /session/{sessionId}/files/mv - Rename or move files
  • POST /session/{sessionId}/files/permissions - Change file permissions
  • POST /session/{sessionId}/files/replace - Replace file content
  • GET /session/{sessionId}/files/search - Search files
  • GET /session/{sessionId}/directories/list - List directory contents
  • POST /session/{sessionId}/directories - Create directories
  • DELETE /session/{sessionId}/directories - Delete directories

4. egress-api.yaml

Sandbox Egress Runtime API

Defines the runtime egress policy interface exposed directly by the egress sidecar inside a sandbox. Unlike lifecycle operations, this API is reached by first resolving the sandbox endpoint for the egress port and then calling the sidecar endpoint directly.

Core Features:

  • Policy Inspection: Retrieve the currently enforced egress policy and derived runtime mode
  • Policy Mutation: Patch egress rules at runtime using sidecar merge semantics
  • Direct Sidecar Access: Access via sandbox endpoint resolution instead of server-side lifecycle forwarding
  • Optional Sidecar Auth: Supports endpoint-specific headers when the egress sidecar requires auth

Main Endpoints:

  • GET /policy - Get the current egress policy
  • PATCH /policy - Merge new egress rules into the current policy
  • DELETE /policy - Remove specific egress rules from the current policy by target

Technical Features

Streaming Output (Server-Sent Events)

Code execution and command execution interfaces use SSE for real-time streaming output, supporting the following event types:

  • init - Initialization event
  • status - Status update
  • stdout / stderr - Standard output/error streams
  • result - Execution result
  • execution_complete - Execution completed
  • execution_count - Execution count
  • error - Error information

Resource Limits

Supports flexible resource configuration (similar to Kubernetes):

{
  "cpu": "500m",
  "memory": "512Mi",
  "gpu": "1"
}

File Permissions

Supports Unix-style file permission management:

  • Owner
  • Group
  • Permission mode values such as 644 or 755