PR Summary

Medium Risk
Introduces a new sandbox lifecycle contract (Detach) and changes the Sandbox.Terminate signature, plus adds a new gRPC command-router client with custom retry/auth refresh logic; mistakes here could cause resource leaks or break sandbox interactions.

Overview
Adds a new Sandbox.Detach() lifecycle step in Go and makes Sandbox.Terminate(ctx, detach, params) optionally detach after termination; all sandbox operations now fail with a new SandboxDetached error once detached.

Introduces an internal TaskCommandRouterClient (JWT auth + refresh, transient retry) and wires it into Sandbox to support experimental dynamic directory workflows: Sandbox.ExperimentalMountImage(path, image) and Sandbox.ExperimentalSnapshotDirectory(path).

Updates gRPC client connection window sizing, refreshes examples/tests/docs/changelog for the new terminate/detach API, and adds a new sandbox image-mount example plus coverage for detach behavior and mount/snapshot APIs.

^{Written by Cursor Bugbot for commit a07297a. This will update automatically on new commits. Configure here.}

Updated PR with:

• Remove the ALPN workaround and verify that taking to the TCR still works
• Adds Detach back to both typescript and go

I updated PR:

• Disable almost every operation after Detach and added test for this behavior* (Details below)
• Removed the JS changes, the PR is already getting too big. I'll open a smaller PR to add Detach to JS.

While implementing this, I made some decisions that are debatable:

• Terminate is still allowed after Detach. It feels a little weird to not be able to terminate the sandbox after detach.
  • I'm open to changing this.
• Terminate does not mark the sandbox as detached, so you can still call sb.Wait after calling Terminate. Terminate will still close the task command routers.
  • An alternative is to allow Terminate , Wait and Poll for a detached sandbox and have Terminate mark the sandbox as detached.