Implement sandbox exec through command router - Go

[ehdr]

Same as #238 but for Go.

---

Note

Moves Sandbox exec I/O off the control plane to a dedicated Task Command Router with auth refresh, retries, and deadline-aware streaming.

• New TaskCommandRouterClient (task_command_router_client.go) with JWT parsing/refresh, retry/backoff, stdio streaming, ExecStart/Wait/Poll, mount/snapshot helpers, and custom TLS creds (optional insecure via MODAL_TASK_COMMAND_ROUTER_INSECURE); applies 64 MiB gRPC window sizes and 100 MiB message limits
• Sandbox.Exec rewritten to use the router (per-exec exec_id, deadline propagation); ContainerProcess stdin/stdout/stderr and Wait now use router APIs
• Adds Sandbox.Detach() and adjusts Terminate(); output streams refactored; prevents ARG_MAX issues via ValidateExecArgs; new ExecTimeoutError; richer TaskExecStart request (stdout/stderr config, PTY, workdir, timeout)
• Config expands Profile with TaskCommandRouterInsecure and env var override; client sets initial window sizes
• Tests: extensive unit/integration coverage for exec proto, timeouts, stdin/stdout, detach/idempotency, snapshot flow; JS SDK parity updates (Exec timeout error, detach, retryable codes, flow-control options)

^{Written by Cursor Bugbot for commit bf4118f. This will update automatically on new commits. Configure here.}

[thomasjpfan]

This is a first pass through the implementation.

[thomasjpfan]

The sandbox could still be running after close:

Suggested change

	// This should be called when the Sandbox is no longer needed.
	// This should be called when the Sandbox is no longer needed
	// in the local client. The sandbox can still be running and
	// accessed in other clients.

[thomasjpfan]

Closing the command router here is different from Python, although I think it's okay to do.

[thomasjpfan]

@freider Would you be okay with closing in sandbox.Terminate?

My intuition is that if you are terminating a sandbox, then you also want to clean up any open streams. If you only want to close the streams and continue to use the sandbox, you can run sandbox.Close and use the sandbox in other clients.

Note, in Python, we wanted to call this method sandbox.cleanup. In go, the naming of sb.Close, does not immediately give the impression of "closing streams". An alternative is sandbox.Disconnect, which is more explicit about what it is actually doing.

[freider]

I think termination and disconnection might need to be mutually distinct:

• you may need to disconnect from a sandbox that you want to keep running (resume in a later session etc)
• you may want to terminate a sandbox but still read buffered output streams from it. This is probably less common but I can see this being required in some cases (eg termination of the entrypoint triggers some output to be written that you want to read)

For Python I'm envisioning something like a context manager for "sandbox interaction" which doesn't terminate the sandbox but terminates all connections/resources when exiting, outside of which you can't read associated streams or do exec etc. For go I guess the same would be accomplished with a "detach" in a defer statement. For full control/granularity I suppose we should also have a detach for ContainerProcess but that feels less critical imo (we also lack terminate for those)

[thomasjpfan]

Can we include a comment about what interface that tlsCredsNoALPN is implementing? I suspect it's https://pkg.go.dev/google.golang.org/grpc@v1.78.0/credentials#TransportCredentials

[thomasjpfan]

Should this match the python decoder, which uses urlsafe_b64decode?

[thomasjpfan]

Should we introduce an error like Python's ExecTimeoutError here too?

[thomasjpfan]

Should the caller set context.WithDeadline such that deadline does not need to passed in here anymore?

[ehdr]

Thanks @thomasjpfan ! Pushed fixes and added comments now.

[thomasjpfan]

This feels a little hard to follow because of how resp is mutated in the inner scope and then returned in the outer scope.

I opened a PR targeting your branch to showcase the approach. This way ExecStart can be written as:

// ExecStart starts a command execution.
func (c *TaskCommandRouterClient) ExecStart(ctx context.Context, request *pb.TaskExecStartRequest) (*pb.TaskExecStartResponse, error) {
	return callWithRetriesOnTransientErrors(ctx, func() (*pb.TaskExecStartResponse, error) {
		return callWithAuthRetry(ctx, c, func(authCtx context.Context) (*pb.TaskExecStartResponse, error) {
			return c.stub.TaskExecStart(authCtx, request)
		})
	}, defaultRetryOptions())
}

[ehdr]

Very nice! Merged!

[thomasjpfan]

Does calling commandRouterClient.Close also end all the goroutines spawned by ExecStdioRead?

[ehdr]

Pushed a change in 3769bc8 now that propagates cancellation.

[thomasjpfan]

@freider Would you be okay with closing in sandbox.Terminate?

My intuition is that if you are terminating a sandbox, then you also want to clean up any open streams. If you only want to close the streams and continue to use the sandbox, you can run sandbox.Close and use the sandbox in other clients.

Note, in Python, we wanted to call this method sandbox.cleanup. In go, the naming of sb.Close, does not immediately give the impression of "closing streams". An alternative is sandbox.Disconnect, which is more explicit about what it is actually doing.

[thomasjpfan]

Should this also close the streams associated with sb.Stdout and sb.Stderr?

[ehdr]

I think yes, pushed a fix now!

[thomasjpfan]

I think we do not need to do the stdout == "" part with:

switch params.Stdout {
    case Pipe, "":

[ehdr]

✅

[thomasjpfan]

Nit: Looking at this with fresh eyes, I kind of wished that SandboxExecParams.Stdout was a pointer, so we can use nil as the default.

[ehdr]

Yeah, good point... it breaks the public interface though, so perhaps best to push it to a separate PR?

[thomasjpfan]

Yea, let's not break public API.

[thomasjpfan]

To match the Python SDK, I do not think we can close the commandRouterClient here?

[ehdr]

Yeah I'm for aligning it, but is there a point in having an active client if the SB is terminated?

[thomasjpfan]

If any of the close errors, should we return the error up from Detach?

[ehdr]

✅

[thomasjpfan]

Is this protecting the ExecStdinWrite and not just the offset? If it's just the offset, can we use an atomic uint64?

[ehdr]

Good point, updated the comment now

[thomasjpfan]

Currently, parseJwtExpiration does not return an error if jwt is malformed and return nil. I suspect that we'll no longer be able to communicate to the task command router.

Should we return an error if jwt is malformed?

[ehdr]

Yeah good point. This used to fall back to the server path, but we won't have that in Go. I'll think of something!

[thomasjpfan]

From the failing tests, I guess we can not terminate then detach.

Looking at the backend, we can not SandboxStdinWrite on a terminated sandbox, but we need SandboxStdinWrite to send the EOF.

[ehdr]

Yeah, I just know this test passed on Dec. 26, so was meaning to figure out if/why this changed! Will look into it tomorrow.

[saltzm]

Looks good! Just a few comments/questions

[saltzm]

Seems like there's nothing to prevent someone from doing a new exec on the same sandbox object after calling Detach(), is that intended? (Note: I didn't follow the detach implementation in Python so don't have all the context) Seems like you'd want future exec calls to fail with some error

[saltzm]

Just saw there are explicit test cases for this. Do you know the context there?

[ehdr]

Changing this behavior so exec after detach is reported as an error instead, as discussed offline!

[saltzm]

Hmm... I don't think we would expect ContainerProcess APIs to be thread-safe would we?

[saltzm]

In other words, I wouldn't expect a user to be able to call stdin.write from multiple threads simultaneously - that'd be a weird thing to do I think. So I don't think there's a need for a mutex?

[ehdr]

Good point, removed it!

[saltzm]

Could we add some tests for retries on auth errors?

[cursor]

Missing FailedPrecondition handling in cpStdin.Close

Low Severity

The sbStdin.Close() method was updated with FailedPrecondition error handling to gracefully return nil when the sandbox has already terminated or stdin is closed. However, cpStdin.Close() does not have equivalent handling and will return errors when called after an exec has terminated. This inconsistency means closing exec stdin after process termination returns an error while closing sandbox stdin in the same scenario returns nil.

Additional Locations (1)

• modal-go/sandbox.go#L1064-L1067

 

[cursor]

PR Summary

Migrates Sandbox exec to a dedicated Task Command Router with JWT auth, retry/backoff, and deadline-aware stdio streaming.

• Adds TaskCommandRouterClient (Go) with custom TLS (no-ALPN), token refresh, transient error retries, ExecStart/Wait/Poll/StdioRead, stdin offset writes, and directory mount/snapshot helpers
• Refactors Sandbox.Exec/ContainerProcess to use router (per-exec exec_id, stdout/stderr pipes, stdin offsets, deadline handling) and closes router on Terminate; introduces ExecTimeoutError and ValidateExecArgs
• Config: new task_command_router_insecure (and MODAL_TASK_COMMAND_ROUTER_INSECURE) to skip TLS verify; increases gRPC initial window sizes
• JS parity: adds ExecTimeoutError, centralizes auth retry (callWithAuthRetry), shares retryable codes, sets flow-control window, and updates tests
• Extensive unit/integration tests for request building, retries/auth refresh, stdio, timeouts, and filesystem snapshot via exec

^{Written by Cursor Bugbot for commit 9918b08. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Race condition allows exec after sandbox detach

Medium Severity

The Exec method checks sb.detached under lock at lines 565-570, then releases the lock before calling getOrCreateCommandRouterClient. The getOrCreateCommandRouterClient function doesn't re-check the detached flag. If Detach is called concurrently between the check and getOrCreateCommandRouterClient, a new command router client will be created and the exec will proceed despite the sandbox being detached. This is a TOCTOU (time-of-check-time-of-use) race condition.

Additional Locations (1)

• modal-go/sandbox.go#L695-L717

 

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Sandbox termination blocked by local client close failure

Medium Severity

In Terminate(), if closeTaskCommandRouterClient() returns an error (which can happen if the gRPC connection close fails), the function returns early without calling SandboxTerminate on the server. This means the sandbox won't actually be terminated, contradicting user expectations. The JS implementation doesn't have this issue because its close() method is void and always proceeds to call sandboxTerminate. The server-side termination should proceed regardless of whether closing the local client connection succeeds.