Enforce preview URL runtime activation #708
Draft
ghostwriternr wants to merge 4 commits into
🦋 Changeset detected
Latest commit: 105c825
The changes in this PR will be included in the next version bump.
This PR includes changesets to release 1 package
This was referenced May 19, 2026
Contributor
🐳 Docker Images Published
Usage: FROM cloudflare/sandbox:0.0.0-pr-708-105c825
Version:
📦 Standalone Binary
For arbitrary Dockerfiles:
COPY --from=cloudflare/sandbox:0.0.0-pr-708-105c825 /container-server/sandbox /sandbox
ENTRYPOINT ["/sandbox"]
Download via GitHub CLI: gh run download 26225396088 -n sandbox-binary
Extract from Docker: docker run --rm cloudflare/sandbox:0.0.0-pr-708-105c825 cat /container-server/sandbox > sandbox && chmod +x sandbox
Contributor
@ghostwriternr can we break the dependency on @cloudflare/containers here and update the code if/when the patch lands upstream.
ccfb032 to 61c6d64
The default E2E sandbox app can hit its 50-instance cap when the three transport jobs run file-parallel Vitest suites. Raise the cap modestly to match observed CI demand while keeping capacity bounded.
Make lifecycle synchronization wait for terminal container states and keep preview URL tests closer to public SDK flows. This avoids relying on transitional stop states or hand-edited preview hostnames.
Declare warm pool sizing in the test worker config instead of mutating every container app after deploy. This keeps variant images from reserving unused warm capacity during stacked PR CI.
Preview URLs currently mix two different concepts: persistent token authorization and live container runtime state. A preview URL token can survive container restart, but the user process serving that port does not. That means an old preview URL can start the container or reach a later container instance that never called exposePort() for that port.
This change separates token validity from current-runtime activation.
In this stack, “current runtime” means the currently running container instance/generation. A preview URL is active only if exposePort() was called for that port in that current container runtime.
portTokens remains persistent token authorization: it records whether a preview URL token is valid for a sandbox port across container restarts. That token staying valid does not mean a live process is currently serving the port, or that the URL may forward traffic in a later container runtime.
Preview URL traffic now enters the Sandbox Durable Object before forwarding. The Durable Object checks persistent token authorization and current-runtime activation, strips spoofed internal preview headers, then forwards only through Container.fetchIfRunning(), which does not start a stopped container.
Preview state updates use Durable Object storage transactions so concurrent expose/unexpose operations read and write coherent token and activation snapshots.
The response contract becomes:
404 INVALID_TOKEN;
410 STALE_PREVIEW_URL;
410 STALE_PREVIEW_URL if the current container is no longer running and healthy;
exposePort() is now the explicit preview action that activates a port for the current runtime. Restarting a service on the same port is not enough to revive an old preview URL; callers must expose the port again.
The desktop preview integration now also goes through exposePort() activation. It can no longer synthesize a URL from a persisted token when current-runtime activation fails.
This PR only adds a runtime identity used to fence preview URL activation. It does not introduce a general lifecycle manager and does not change sessions, processes, interpreters, mounts, or backups.
Preview route parsing details are kept internal rather than exported as public API.
This PR depends on @cloudflare/containers support for Container.fetchIfRunning(). The dependency currently points at the preview package from cloudflare/containers#212 and must be replaced with a published version before this stack can merge.
The changeset is intentionally minor because preview URLs that previously auto-survived restart now return 410 STALE_PREVIEW_URL until the port is exposed again in the new runtime.
This is part 1 of 3 in the preview URL lifecycle stack:
main
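The gate described in the PR description above, as an added in-memory model; it is not code from this PR or the SDK. PreviewGate, runtimeId, the x-sandbox-preview- header prefix and the FORWARDED result are hypothetical names, and which condition produces the first 404 and 410 is assumed from the description.

```javascript
// Added model of the preview gate; not the SDK's code. PreviewGate, runtimeId and
// the x-sandbox-preview- header prefix are hypothetical names for illustration.
const INTERNAL_PREFIX = "x-sandbox-preview-";

// Token comparison without an early exit on the first mismatching character.
function sameToken(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length === 0) return false;
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i % b.length);
  return diff === 0;
}

class PreviewGate {
  constructor() {
    this.portTokens = new Map();  // port -> token, survives restarts
    this.activePorts = new Map(); // port -> runtimeId in which exposePort() ran
    this.runtimeId = 0;           // bumps on every container start
    this.running = false;
    this.starts = 0;              // lets a check prove the gate never starts a container
  }
  startContainer() { this.runtimeId += 1; this.running = true; this.starts += 1; }
  stopContainer() { this.running = false; }
  exposePort(port, token) {
    if (!this.running) throw new Error("exposePort() needs a running container");
    this.portTokens.set(port, token);
    this.activePorts.set(port, this.runtimeId);
  }
  handlePreview(port, token, headers = {}) {
    if (!sameToken(this.portTokens.get(port), token)) return { status: 404, code: "INVALID_TOKEN" };
    // Assumed mapping: valid token, but the port was not exposed in this runtime.
    if (this.activePorts.get(port) !== this.runtimeId) return { status: 410, code: "STALE_PREVIEW_URL" };
    // Stands in for forwarding via fetchIfRunning(): never start a stopped container.
    if (!this.running) return { status: 410, code: "STALE_PREVIEW_URL" };
    const forwarded = {};
    for (const [name, value] of Object.entries(headers)) {
      if (!name.toLowerCase().startsWith(INTERNAL_PREFIX)) forwarded[name] = value;
    }
    return { status: 200, code: "FORWARDED", headers: forwarded };
  }
}

// Constructed scenario: expose, stop, restart, expose again.
function demo() {
  const gate = new PreviewGate();
  const hit = () => gate.handlePreview(8080, "tok-constructed").code;
  gate.startContainer(); gate.exposePort(8080, "tok-constructed");
  const seen = [hit()];
  gate.stopContainer(); seen.push(hit());
  gate.startContainer(); seen.push(hit());
  gate.exposePort(8080, "tok-constructed"); seen.push(hit());
  return seen;
}
```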