fix(sdks): handle signed URL expiration edge cases in upload/download URLs

[mishushakov]

Summary

• Python upload_url/download_url now raise InvalidArgumentException when use_signature_expiration is passed for an unsecured sandbox, matching the JS SDK (which now throws InvalidArgumentError instead of a plain Error).
• A signature expiration of 0 was treated as falsy and silently produced a never-expiring signed URL; it now produces an immediately expiring URL in both SDKs.
• Adds unit tests mirrored across both SDKs (tests/sandbox/urls.test.ts ↔ tests/test_sandbox_urls.py) plus a changeset.

Usage

sbx = Sandbox()  # not secure=True
sbx.download_url("a.txt", use_signature_expiration=120)  # now raises InvalidArgumentException instead of silently ignoring the expiration

const sbx = await Sandbox.create({ secure: true })
await sbx.downloadUrl('a.txt', { useSignatureExpiration: 0 })  // URL now expires immediately instead of never

🤖 Generated with Claude Code

[changeset-bot]

🦋 Changeset detected

Latest commit: 996f4ed

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages

Name	Type
@e2b/python-sdk	Patch
e2b	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[cursor]

PR Summary

Medium Risk
Changes signed URL semantics and adds a new error path for unsecured sandboxes; callers relying on silent ignore or 0 meaning “no expiry” will break, but the fix tightens security-related URL behavior.

Overview
Fixes signed file URL edge cases in both JS and Python SDKs for uploadUrl/downloadUrl (and upload_url/download_url).

Unsecured sandboxes: Passing useSignatureExpiration / use_signature_expiration without a secured sandbox (no envd access token) now fails fast instead of being ignored. Python raises InvalidArgumentException; JS switches from generic Error to InvalidArgumentError.

Zero expiration: Signature helpers now treat 0 as a valid TTL (expirationInSeconds != null / expiration_in_seconds is not None) so 0 means expire immediately rather than falling through to a never-expiring signed URL.

Adds mirrored unit tests in urls.test.ts and test_sandbox_urls.py, plus a patch changeset for both packages.

^{Reviewed by Cursor Bugbot for commit 996f4ed. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

Package Artifacts

Built from 8625e72. Download artifacts from this workflow run.

JS SDK (e2b@2.29.2-mishushakov-fix-signed-url-expiration.0):

npm install ./e2b-2.29.2-mishushakov-fix-signed-url-expiration.0.tgz

CLI (@e2b/cli@2.11.2-mishushakov-fix-signed-url-expiration.0):

npm install ./e2b-cli-2.11.2-mishushakov-fix-signed-url-expiration.0.tgz

Python SDK (e2b==2.28.2+mishushakov-fix-signed-url-expiration):

pip install ./e2b-2.28.2+mishushakov.fix.signed.url.expiration-py3-none-any.whl