
refactor(sandbox): move sandbox state management server-side (ENG-4287)#381

Draft
huv1k wants to merge 5 commits into main from move-sandbox-state-management-server-side-eng-4287

Conversation


@huv1k huv1k commented Jun 10, 2026

Contributor

Moves sandbox state management server-side so the user's account-level access token is no longer exposed to browser JS — previously the filesystem inspector and dashboard terminal embedded that token into client-side Sandbox.connect/create calls via sandboxManagementAuth.

  • Filesystem inspector builds an envd-only SDK client from the sandbox-scoped envdAccessToken already returned by the sandbox.details query (new shared createEnvdSandbox helper — no control-plane call, no account token).
  • Terminal create/connect now runs through a sandbox.openTerminal tRPC mutation (protectedTeamProcedure, alongside killTerminalPty); the client receives only sandbox-scoped credentials. The vanilla tRPC client is injected into openTerminalSandbox, the return type is inferred from the router, and connect timeouts are surfaced as TRPCError('TIMEOUT') that the client maps back to a TimeoutError so the attach-retry logic still fires.
  • The now-unused sandbox-management-auth modules are deleted; origin/main is merged in (integrating its terminal attach-retry refactor).

Tests: 289 passing; typecheck/lint clean on changed files. Not yet verified live: the manual browser check (open a running sandbox's filesystem + terminal, confirm file-watch/PTY work, and confirm via DevTools that requests carry only X-Access-Token with no account token).

Stop exposing the user's account-level access token to browser JS. The
filesystem inspector and dashboard terminal previously embedded the
account token into client-side Sandbox.connect/create calls via
sandboxManagementAuth.

Now only the sandbox-scoped envdAccessToken reaches the client:
- Add createEnvdSandbox helper that builds an envd-only Sandbox client
  from sandbox-scoped credentials (no control-plane call, no account
  token).
- Filesystem inspector builds its client from the envd creds already
  returned by the sandbox.details query.
- Terminal create/connect moves into the openTerminalSandboxAction
  server action; the client builds an envd-only client from the result.
- Delete the now-unused sandbox-management-auth modules.
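The following is an added illustration and not code from this PR or the project: a self-contained model of the terminal-open path the description above lays out. The server side holds the account token and answers the client with sandbox-scoped credentials only; the client builds an envd-only client that sends `X-Access-Token`, and a server-side timeout surfaced as a `TRPCError` with code `TIMEOUT` is mapped back to `TimeoutError` so an attach-retry loop keeps firing. `TRPCError` here is a stand-in class with the same `{ code, message }` shape as the real one, the control plane is a constructed stub with a latency knob, and every token value and function name is assumed for the example.

```typescript
// Added example (not the project's code). Models the PR's design: the account
// token stays server-side; the browser only ever holds sandbox-scoped creds.
// All tokens, names and the control-plane stub are constructed for illustration.

export class TimeoutError extends Error {
  constructor(message: string) { super(message); this.name = "TimeoutError"; }
}

// Stand-in for @trpc/server's TRPCError; only `code` matters for this example.
export class TRPCError extends Error {
  readonly code: "TIMEOUT" | "INTERNAL_SERVER_ERROR";
  constructor(opts: { code: "TIMEOUT" | "INTERNAL_SERVER_ERROR"; message?: string }) {
    super(opts.message ?? opts.code); this.name = "TRPCError"; this.code = opts.code;
  }
}

// The only thing the client is allowed to receive: sandbox-scoped credentials.
export interface SandboxCreds { sandboxId: string; envdAccessToken: string; }
export interface OpenTerminalInput { sandboxId: string; requestTimeoutMs: number; }

// Constructed placeholder; in a real deployment this lives in the server session.
const ACCOUNT_TOKEN = "ACCOUNT_TOKEN_PLACEHOLDER_server_only";

// Constructed control-plane stub: requires the account token, answers after latencyMs.
async function controlPlaneConnect(sandboxId: string, accountToken: string, latencyMs: number): Promise<SandboxCreds> {
  if (accountToken !== ACCOUNT_TOKEN) throw new Error("unauthorized");
  await new Promise<void>((resolve) => setTimeout(resolve, latencyMs));
  return { sandboxId, envdAccessToken: `envd-${sandboxId}-token` };
}

// Race a promise against a deadline; the timer is cleared once either side settles.
function withTimeout<T>(p: Promise<T>, ms: number): Promise<T> {
  let timer: ReturnType<typeof setTimeout> | undefined;
  const deadline = new Promise<never>((_, reject) => {
    timer = setTimeout(() => reject(new TimeoutError(`no response within ${ms}ms`)), ms);
  });
  return Promise.race([p, deadline]).finally(() => { if (timer) clearTimeout(timer); });
}

// Server-side mutation body (the PR's sandbox.openTerminal procedure). The account
// token never leaves this function; `latencyMs` is a knob for the constructed stub.
export async function openTerminal(input: OpenTerminalInput, latencyMs = 0): Promise<SandboxCreds> {
  try {
    return await withTimeout(controlPlaneConnect(input.sandboxId, ACCOUNT_TOKEN, latencyMs), input.requestTimeoutMs);
  } catch (err) {
    if (err instanceof TimeoutError) throw new TRPCError({ code: "TIMEOUT", message: err.message });
    throw new TRPCError({ code: "INTERNAL_SERVER_ERROR", message: "terminal open failed" });
  }
}

// Client side: an envd-only client authenticates to the sandbox with X-Access-Token only.
export interface EnvdSandbox { sandboxId: string; headers: Record<string, string>; }
export function createEnvdSandbox(creds: SandboxCreds): EnvdSandbox {
  return { sandboxId: creds.sandboxId, headers: { "X-Access-Token": creds.envdAccessToken } };
}

export type OpenTerminalClient = (input: OpenTerminalInput) => Promise<SandboxCreds>;

// Browser-side wrapper: the tRPC client is injected; a TIMEOUT code maps back to
// TimeoutError so callers can distinguish it from other failures.
export async function openTerminalSandbox(client: OpenTerminalClient, input: OpenTerminalInput): Promise<EnvdSandbox> {
  let creds: SandboxCreds;
  try {
    creds = await client(input);
  } catch (err) {
    if (err instanceof TRPCError && err.code === "TIMEOUT") throw new TimeoutError(err.message);
    throw err;
  }
  return createEnvdSandbox(creds);
}

// Attach-retry sketch: only a TimeoutError is retried; anything else propagates.
export async function openWithRetry(client: OpenTerminalClient, input: OpenTerminalInput, attempts = 3): Promise<EnvdSandbox> {
  let last: unknown;
  for (let i = 0; i < attempts; i++) {
    try { return await openTerminalSandbox(client, input); }
    catch (err) { if (!(err instanceof TimeoutError)) throw err; last = err; }
  }
  throw last;
}

// The PR's manual DevTools check as code: does any client-bound header carry the account token?
export function carriesAccountToken(headers: Record<string, string>): boolean {
  return Object.values(headers).some((v) => v.includes(ACCOUNT_TOKEN));
}
```

The point of the split is that `openTerminal` is the only place `ACCOUNT_TOKEN` is referenced, so nothing returned to the browser can contain it; `carriesAccountToken` makes that property checkable in a test rather than only by eye in DevTools.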

linear-code Bot commented Jun 10, 2026


ENG-4287

@cla-bot cla-bot Bot added the cla-signed label Jun 10, 2026

vercel Bot commented Jun 10, 2026


The latest updates on your projects.

| Project     | Deployment | Actions          | Updated (UTC)          |
|-------------|------------|------------------|------------------------|
| web         | Ready      | Preview, Comment | Jun 11, 2026 10:14pm   |
| web-juliett | Error      |                  | Jun 11, 2026 10:14pm   |


…4287

Resolved conflicts in the terminal feature, integrating main's terminal
refactor (attach-retry, useTerminalInstance, launchTarget, killTerminalPty)
with this branch's server-side sandbox state management:
- Terminal acquisition still runs through openTerminalSandboxAction +
  createEnvdSandbox (no account token in the browser), now forwarding
  main's requestTimeoutMs and preserving TimeoutError so attach-retry works.
- Dropped sandboxManagementAuth from DashboardTerminal in favor of
  teamSlug + userId; kept main's launchTarget/getSandbox/sandboxScoped props.
- Merged the unit tests (action/createEnvdSandbox mocks + attach-retry suite).
…287 variant)

Alternative to the next-safe-action server action: terminal create/connect
now runs through a `sandbox.openTerminal` tRPC mutation (protectedTeamProcedure,
alongside killTerminalPty). The vanilla tRPC client is injected into
openTerminalSandbox from the component, the return type is inferred from the
router, and timeouts are signaled via a TRPCError('TIMEOUT') the client maps
back to a TimeoutError so attach-retry still works.

This branch exists to compare the two transports; only the terminal-open path
differs from the server-action branch (the filesystem inspector is unchanged).