e0e362d700
SDK Tests / SDK CI (push) Blocked by required conditions
SDK Tests / changes (push) Successful in 2m29s
Real E2E Tests / changes (push) Successful in 2m29s
SDK Tests / Python SDK Tests (sandbox) (push) Waiting to run
SDK Tests / CLI Quality (push) Waiting to run
SDK Tests / CLI Tests (push) Waiting to run
SDK Tests / Python SDK Quality (code-interpreter) (push) Waiting to run
SDK Tests / Python SDK Quality (sandbox) (push) Waiting to run
SDK Tests / Python SDK Tests (code-interpreter) (push) Waiting to run
SDK Tests / JavaScript SDK Quality And Tests (code-interpreter) (push) Waiting to run
SDK Tests / JavaScript SDK Quality And Tests (sandbox) (push) Waiting to run
SDK Tests / Kotlin SDK Quality And Tests (sandbox) (push) Waiting to run
SDK Tests / Kotlin SDK Quality And Tests (code-interpreter) (push) Waiting to run
SDK Tests / C# SDK Quality And Tests (code-interpreter) (push) Waiting to run
SDK Tests / C# SDK Quality And Tests (sandbox) (push) Waiting to run
SDK Tests / Go SDK Quality And Tests (push) Waiting to run
Deploy Docs Pages / build (push) Has been cancelled
Deploy Docs Pages / deploy (push) Has been cancelled
Real E2E Tests / JavaScript E2E (docker bridge) (push) Has been cancelled
Real E2E Tests / Python E2E (docker bridge) (push) Has been cancelled
Real E2E Tests / Java E2E (docker bridge) (push) Has been cancelled
Real E2E Tests / C# E2E (docker bridge) (push) Has been cancelled
Real E2E Tests / Go E2E (docker bridge) (push) Has been cancelled
Real E2E Tests / Real E2E CI (push) Has been cancelled
187 lines
9.1 KiB
Markdown
187 lines
9.1 KiB
Markdown
---
|
|
title: API Specifications
|
|
description: OpenAPI specification documents defining the complete API interfaces and data models for OpenSandbox.
|
|
---
|
|
|
|
# OpenSandbox API Specifications
|
|
|
|
This section contains the OpenAPI specification documents for the OpenSandbox project, defining the complete API interfaces and data models. Use the server base URLs defined in each spec (for example, `http://localhost:8080/v1` for the lifecycle API, `http://localhost:44772` for execd, and `http://localhost:18080` for egress) when constructing requests.
|
|
|
|
## Specification Files
|
|
|
|
### 1. sandbox-lifecycle.yml
|
|
|
|
**Sandbox Lifecycle Management API**
|
|
|
|
Defines the complete lifecycle interfaces for creating, managing, and destroying sandbox environments from container images or snapshots.
|
|
|
|
**Core Features:**
|
|
- **Sandbox Management**: Create, list, query, and delete sandbox instances with metadata filters and pagination
|
|
- **State Control**: Pause and resume sandbox execution
|
|
- **Lifecycle States**: Supports transitions across Pending -> Running -> Pausing -> Paused -> Stopping -> Terminated, and error handling with `Failed`
|
|
- **Resource & Runtime Configuration**: Specify CPU/memory/GPU resource limits, image startup `entrypoint`, optional `secureAccess`, environment variables, and opaque `extensions`
|
|
- **Image Support**: Create sandboxes from public or private registries, including registry auth
|
|
- **Timeout Management**: Optional `timeout` on creation (omit or set to `null` to disable automatic expiration) with explicit renewal via API
|
|
- **Endpoint Access**: Retrieve public access endpoints for services running inside sandboxes, including required headers when secured access is enabled
|
|
- **Snapshot Management**: Create snapshots from sandboxes, list snapshots, and delete snapshots
|
|
|
|
**Main Endpoints (base path `/v1`):**
|
|
- `POST /sandboxes` - Create a sandbox from an image or snapshot with timeout and resource limits
|
|
- `GET /sandboxes` - List sandboxes with state/metadata filters and pagination
|
|
- `GET /sandboxes/{sandboxId}` - Get full sandbox details (including startup source and entrypoint)
|
|
- `DELETE /sandboxes/{sandboxId}` - Delete a sandbox
|
|
- `POST /sandboxes/{sandboxId}/snapshots` - Create a snapshot from a sandbox
|
|
- `GET /snapshots` - List snapshots with optional sandbox filtering and pagination
|
|
- `GET /snapshots/{snapshotId}` - Get snapshot state and metadata
|
|
- `DELETE /snapshots/{snapshotId}` - Delete a snapshot
|
|
- `POST /sandboxes/{sandboxId}/pause` - Pause a sandbox (asynchronous)
|
|
- `POST /sandboxes/{sandboxId}/resume` - Resume a paused sandbox
|
|
- `POST /sandboxes/{sandboxId}/renew-expiration` - Renew sandbox expiration (TTL)
|
|
- `PATCH /sandboxes/{sandboxId}/metadata` - Patch sandbox metadata (JSON Merge Patch, RFC 7396)
|
|
- `GET /sandboxes/{sandboxId}/endpoints/{port}` - Get an access endpoint for a service port
|
|
|
|
**Authentication:**
|
|
- HTTP Header: `OPEN-SANDBOX-API-KEY: your-api-key`
|
|
- Environment Variable: `OPEN_SANDBOX_API_KEY` (for SDK clients)
|
|
|
|
### 2. diagnostic-api.yml
|
|
|
|
**Sandbox Diagnostics API**
|
|
|
|
Defines best-effort troubleshooting descriptors for sandbox diagnostic logs and events. The descriptors either embed plain-text diagnostic content inline or return a download URL for the content. This spec does not define a structured audit or observability model.
|
|
|
|
**Main Endpoints (base path `/v1`):**
|
|
- `GET /sandboxes/{sandboxId}/diagnostics/logs` - Retrieve a diagnostic log content descriptor for an optional scope
|
|
- `GET /sandboxes/{sandboxId}/diagnostics/events` - Retrieve a diagnostic event content descriptor for an optional scope
|
|
|
|
**Authentication:**
|
|
- HTTP Header: `OPEN-SANDBOX-API-KEY: your-api-key`
|
|
- Environment Variable: `OPEN_SANDBOX_API_KEY` (for SDK clients)
|
|
|
|
### 3. execd-api.yaml
|
|
|
|
**Code Execution API Inside Sandbox**
|
|
|
|
Defines interfaces for executing code, commands, and file operations within sandbox environments, providing complete code interpreter and filesystem management capabilities. All endpoints require the `X-EXECD-ACCESS-TOKEN` header.
|
|
|
|
**Core Features:**
|
|
- **Code Execution**: Stateful code execution supporting Python, JavaScript, and other languages with context lifecycle management
|
|
- **Command Execution**: Shell command execution with foreground/background modes and polling endpoints for status/output
|
|
- **File Operations**: Complete CRUD operations for files and directories
|
|
- **Real-time Streaming**: Real-time output streaming via SSE (Server-Sent Events)
|
|
- **System Monitoring**: Real-time monitoring of CPU and memory metrics
|
|
- **Access Control**: Token-based API authentication via `X-EXECD-ACCESS-TOKEN`
|
|
|
|
**Main Endpoint Categories:**
|
|
|
|
**Health Check:**
|
|
- `GET /ping` - Service health check
|
|
|
|
**Code Interpreter:**
|
|
- `GET /code/contexts` - List active code execution contexts (filterable by language)
|
|
- `DELETE /code/contexts` - Delete all contexts for a language
|
|
- `DELETE /code/contexts/{context_id}` - Delete a specific context
|
|
- `POST /code/context` - Create a code execution context
|
|
- `POST /code` - Execute code in a context (streaming output)
|
|
- `DELETE /code` - Interrupt code execution
|
|
|
|
**Command Execution:**
|
|
- `POST /command` - Execute shell command (streaming output)
|
|
- `DELETE /command` - Interrupt command execution
|
|
- `GET /command/status/{id}` - Get foreground/background command status
|
|
- `GET /command/{id}/logs` - Fetch accumulated stdout/stderr for a background command
|
|
|
|
**Bash Session:**
|
|
- `POST /session` - Create a bash session
|
|
- `POST /session/{sessionId}/run` - Run command in a bash session (streaming output)
|
|
- `DELETE /session/{sessionId}` - Delete a bash session
|
|
|
|
**Filesystem:**
|
|
- `GET /files/info` - Get metadata for files
|
|
- `DELETE /files` - Delete files (not directories)
|
|
- `POST /files/permissions` - Change file permissions
|
|
- `POST /files/mv` - Move/rename files
|
|
- `GET /files/search` - Search files (supports glob patterns)
|
|
- `POST /files/replace` - Batch replace file content
|
|
- `POST /files/upload` - Upload files (multipart)
|
|
- `GET /files/download` - Download files (supports range requests)
|
|
|
|
**Directory Operations:**
|
|
- `GET /directories/list` - List directory contents with optional depth control
|
|
- `POST /directories` - Create directories with permissions (mkdir -p semantics)
|
|
- `DELETE /directories` - Recursively delete directories
|
|
|
|
**System Metrics:**
|
|
- `GET /metrics` - Get system resource metrics
|
|
- `GET /metrics/watch` - Watch system metrics in real-time (SSE stream)
|
|
|
|
**Isolated Execution (base path `/v1/isolated`):**
|
|
- `POST /session` - Create an isolated bash session
|
|
- `GET /capabilities` - Get isolator capabilities
|
|
- `GET /session/{sessionId}` - Get isolated session state
|
|
- `DELETE /session/{sessionId}` - Delete an isolated session
|
|
- `POST /session/{sessionId}/run` - Run code in an isolated session (SSE streaming)
|
|
- `GET /session/{sessionId}/diff` - Download upper directory diff
|
|
- `POST /session/{sessionId}/commit` - Commit upper changes to workspace
|
|
- `GET /session/{sessionId}/files/info` - Get file information
|
|
- `GET /session/{sessionId}/files/download` - Download a file
|
|
- `POST /session/{sessionId}/files/upload` - Upload a file
|
|
- `DELETE /session/{sessionId}/files` - Remove files
|
|
- `POST /session/{sessionId}/files/mv` - Rename or move files
|
|
- `POST /session/{sessionId}/files/permissions` - Change file permissions
|
|
- `POST /session/{sessionId}/files/replace` - Replace file content
|
|
- `GET /session/{sessionId}/files/search` - Search files
|
|
- `GET /session/{sessionId}/directories/list` - List directory contents
|
|
- `POST /session/{sessionId}/directories` - Create directories
|
|
- `DELETE /session/{sessionId}/directories` - Delete directories
|
|
|
|
### 4. egress-api.yaml
|
|
|
|
**Sandbox Egress Runtime API**
|
|
|
|
Defines the runtime egress policy interface exposed directly by the [egress sidecar](/components/egress)
|
|
inside a sandbox. Unlike lifecycle operations, this API is reached by first resolving
|
|
the sandbox endpoint for the egress port and then calling the sidecar endpoint directly.
|
|
|
|
**Core Features:**
|
|
- **Policy Inspection**: Retrieve the currently enforced egress policy and derived runtime mode
|
|
- **Policy Mutation**: Patch egress rules at runtime using sidecar merge semantics
|
|
- **Direct Sidecar Access**: Access via sandbox endpoint resolution instead of server-side lifecycle forwarding
|
|
- **Optional Sidecar Auth**: Supports endpoint-specific headers when the egress sidecar requires auth
|
|
|
|
**Main Endpoints:**
|
|
- `GET /policy` - Get the current egress policy
|
|
- `PATCH /policy` - Merge new egress rules into the current policy
|
|
- `DELETE /policy` - Remove specific egress rules from the current policy by target
|
|
|
|
## Technical Features
|
|
|
|
### Streaming Output (Server-Sent Events)
|
|
|
|
Code execution and command execution interfaces use SSE for real-time streaming output, supporting the following event types:
|
|
- `init` - Initialization event
|
|
- `status` - Status update
|
|
- `stdout` / `stderr` - Standard output/error streams
|
|
- `result` - Execution result
|
|
- `execution_complete` - Execution completed
|
|
- `execution_count` - Execution count
|
|
- `error` - Error information
|
|
|
|
### Resource Limits
|
|
|
|
Supports flexible resource configuration (similar to Kubernetes):
|
|
```json
|
|
{
|
|
"cpu": "500m",
|
|
"memory": "512Mi",
|
|
"gpu": "1"
|
|
}
|
|
```
|
|
|
|
### File Permissions
|
|
|
|
Supports Unix-style file permission management:
|
|
- Owner
|
|
- Group
|
|
- Permission mode values such as 644 or 755
|