add claude code example

[deathbyknowledge]

No description provided.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 3b659c4

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[claude]

PR Review: Add Claude Code Example

This PR adds a valuable example showing Claude Code integration with Sandbox SDK. However, there are critical security issues that must be addressed.

Critical Issues

1. Command Injection Vulnerability (src/index.ts:35)

The code directly interpolates user input into shell commands without sanitization. The 'name' variable from repo URL and 'task' parameter are vulnerable to command injection attacks. The replaceAll only handles quotes, not other shell metacharacters.

Recommendation: Add strict input validation for repo URLs and sanitize all user inputs.

2. Version Inconsistency

• Dockerfile uses cloudflare/sandbox:0.4.7
• package.json uses @cloudflare/sandbox:^0.4.3

These should be aligned.

Important Issues

3. Error Handling (src/index.ts:40-42)

The catch block swallows all errors with a generic message. This makes debugging difficult.

Recommendation: Log errors properly and return specific error messages.

4. Missing Input Validation

The code does not verify git operations succeeded or that the repository exists before proceeding.

5. HTTP Method Validation

Should return 405 Method Not Allowed instead of generic 404 for non-POST requests.

6. README Typo (line 2)

Remove 'for' from: 'Run Claude Code for on Cloudflare Sandboxes'

Additional Improvements

• No tests included - consider adding unit and integration tests
• Missing usage documentation (how to setup .dev.vars, example curl commands)
• Response format does not indicate success/failure explicitly
• No timeout handling documentation
• Missing changeset (required by bot)

Summary

Great integration concept, but the command injection vulnerability is a blocker. Please address the security issues before merging.

Priority: Fix command injection (CRITICAL), align versions (CRITICAL), improve error handling, add input validation, fix typo, add changeset.

[claude]

Claude Code Review

Issues Found:

1. Security: Command injection vulnerability (index.ts:40) - The task parameter is embedded directly in a shell command with only basic quote escaping. The current approach is insufficient as attackers can inject commands using backticks or dollar-paren substitution. Fix: Use SDK exec with proper argument passing or more robust escaping.

2. Error handling loses context (index.ts:45-46) - The catch block returns generic invalid body for all errors (network, sandbox, git, exec failures). This makes debugging difficult. Fix: Add proper error logging and return specific error messages.

3. Type safety issue (index.ts:3) - CmdOutput type duplicates SDK actual return type and could drift. Fix: Import the actual type from SDK.

4. Version mismatch in Dockerfile (lines 1 and 7) - Line 1 uses version 0.4.7 but comment on line 7 references 0.4.4. Per CLAUDE.md: Docker image version MUST match npm package version. Fix: Update comment to reference 0.4.7 or remove it.

5. README typo (README.md:2) - Run Claude Code for on Cloudflare should be Run Claude Code on Cloudflare.

Minor observations: No changeset included (acceptable if this is just an example addition). The example demonstrates good use of the SDK API patterns.

Security concern #1 should be addressed before merging.