refactor(sandbox): callers use open-agents abstraction (Phase 2.2)

[sweetmantech]

Summary

Phase 2.2 of the open-agents migration. Replaces api's direct `@vercel/sandbox` SDK calls with the open-agents sandbox abstraction (inlined in PR #507) for the sandbox lifecycle (create + reconnect).

HTTP response shapes preserved exactly — `{sandboxId, sandboxStatus, timeout, createdAt}` unchanged, same enum values for `sandboxStatus`. Only the internals differ.

Scope (Option B — hybrid)

Per the agreed plan, only lifecycle creators get refactored. `installClaudeCode` / `runClaudeCode` / `getSandboxStatus` stay on the SDK directly because the abstraction doesn't cover their needs (sudo, stdout/stderr streaming, simple status reads). The first two are also confirmed dead orphans (defined but never called anywhere in api production code) and will be deleted entirely after the full migration.

Refactored files

File	Change
`lib/sandbox/createSandbox.ts`	`Sandbox.create(...)` → `VercelSandbox.create(...)`. Input switched to `VercelSandboxConfig`. Snapshot trigger: `restoreSnapshotId` field (was `source: { type: "snapshot", ... }`). Returns `VercelSandbox`.
`lib/sandbox/createSandboxWithFallback.ts`	Passes `restoreSnapshotId` to `createSandbox`
`lib/sandbox/createSandboxFromSnapshot.ts`	Type cascade (`Sandbox` → `VercelSandbox`)
`lib/sandbox/getActiveSandbox.ts`	`Sandbox.get({name})` → `VercelSandbox.connect(name, {})`. Status check: `sandbox.status` → `sandbox.sdkStatus`
`lib/sandbox/getOrCreateSandbox.ts`	No code change — type cascades automatically through `CreateSandboxFromSnapshotResult`
`lib/sandbox/processCreateSandbox.ts`	Reads `sandbox.sdkStatus`, defensive nullish on `createdAt`

Abstraction extension (additive only)

Added two readonly getters to `vercel/sandbox/VercelSandbox.ts`, following the same pattern as the existing `host` / `environmentDetails` / `expiresAt` / `timeout` getters:

• `get sdkStatus(): string` — raw SDK session status (`running` / `pending` / `stopped` / `failed` / `aborted` / `snapshotting`). Distinct from the abstraction's normalized `status` getter; exposed for callers that need to surface the exact SDK lifecycle state in HTTP responses or status polling.
• `get createdAt(): Date | undefined` — SDK `session.createdAt`

These exist so api callers can construct the existing HTTP response shape (which uses SDK enum strings) without breaking the abstraction's typed interface.

Tests updated (4 files)

Test file	Change
`createSandbox.test.ts`	Mocks `VercelSandbox.create` instead of `Sandbox.create`; mock objects use `sdkStatus` instead of `status`
`createSandboxWithFallback.test.ts`	Asserts `restoreSnapshotId` pass-through
`getActiveSandbox.test.ts`	Mocks `VercelSandbox.connect`; `sdkStatus` on mock objects
`processCreateSandbox.test.ts`	`mockSandbox` uses `sdkStatus`

Verification

Check	Result
`pnpm lint:check`	✅ clean
`pnpm test`	✅ 2391/2391 pass
HTTP response shape	✅ unchanged — same fields, same enum values for `sandboxStatus` (sourced via `sdkStatus` now, was direct `Sandbox.status` before — identical strings either way)

What this unlocks

PR 2.3 — delete the now-dead-orphan files (`installClaudeCode.ts`, `runClaudeCode.ts`, and any other helpers nothing imports after this lands). Plus the inline of open-agents `packages/agent`, which depends on this abstraction being live in the call paths.

Risk

Bounded. The HTTP response shape stays exactly identical, so any external consumer (chat in prod) sees no change. Internal callers all update in lock-step. The only behavior change is that creates/reconnects now go through `VercelSandbox`'s lifecycle hooks (proactive timeout, network policy, etc.) instead of the bare SDK — which is the explicit point of the migration.

🤖 Generated with Claude Code

---

Summary by cubic

Refactors sandbox create/reconnect to use the open-agents VercelSandbox abstraction and tightens snapshot/createdAt handling. HTTP responses stay the same (sandboxId, sandboxStatus, timeout, createdAt).

• Refactors

  • createSandbox calls VercelSandbox.create(...) with VercelSandboxConfig; always passes defaults (vcpus, runtime, timeout) and supports restoreSnapshotId.
  • getActiveSandbox reconnects via VercelSandbox.connect(...); checks sdkStatus === "running".
  • Response shape unchanged; sandboxStatus sourced from sdkStatus; createdAt comes from the abstraction (no fallback).
  • Adds sdkStatus and non-optional createdAt getters on VercelSandbox; both refresh session before read.
  • Scope is hybrid: only lifecycle creators moved; installClaudeCode, runClaudeCode, and getSandboxStatus remain on @vercel/sandbox.

• Bug Fixes

  • Removed fabricated createdAt fallbacks in API; getter now throws if missing (SDK guarantees it).
  • Dropped misleading snapshot branching; snapshot restores now pass vcpus/runtime with restoreSnapshotId consistently.

^{Written for commit 7e614c0. Summary will update on new commits.}

Summary by CodeRabbit

• Refactor
  • Reworked sandbox backend to a unified abstraction for more consistent behavior.
  • Improved sandbox lifecycle/status reporting and created-at metadata for more reliable reconnection and monitoring.
• Chores
  • Simplified sandbox creation paths and defaults to reduce unexpected variations.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
api	Ready	Preview	May 4, 2026 1:33pm

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 83a21401-6958-4b0d-a28c-2633ddea7647

📥 Commits

Reviewing files that changed from the base of the PR and between 375673a and 7e614c0.

⛔ Files ignored due to path filters (1)

• lib/sandbox/__tests__/createSandbox.test.ts is excluded by !**/*.test.*, !**/__tests__/** and included by lib/**

📒 Files selected for processing (3)

• lib/sandbox/createSandbox.ts
• lib/sandbox/processCreateSandbox.ts
• lib/sandbox/vercel/sandbox/VercelSandbox.ts

---

📝 Walkthrough

Walkthrough

This PR replaces direct usage of the @vercel/sandbox SDK types with the project-specific VercelSandbox abstraction across sandbox creation, snapshot restore, reconnection, and result mapping; it adds two VercelSandbox getters (sdkStatus, createdAt) and updates function signatures and response shapes accordingly.

Changes

Sandbox Abstraction Migration

Layer / File(s)	Summary
Data Shape / Types lib/sandbox/vercel/sandbox/VercelSandbox.ts, lib/sandbox/createSandbox.ts, lib/sandbox/createSandboxFromSnapshot.ts	Introduced VercelSandbox getters sdkStatus: string and createdAt: Date. CreateSandboxParams now aliases VercelSandboxConfig. Public result types updated to reference VercelSandbox and sandboxStatus: string.
Core Implementation lib/sandbox/vercel/sandbox/VercelSandbox.ts, lib/sandbox/createSandbox.ts	Added sdkStatus and createdAt getters that refresh session; createSandbox now always calls VercelSandbox.create(...) with explicit defaults (vcpus, runtime, timeout) merged with provided config and no longer branches on source.type === "snapshot".
Wiring / Callsites lib/sandbox/createSandboxWithFallback.ts, lib/sandbox/getActiveSandbox.ts, lib/sandbox/processCreateSandbox.ts	Snapshot restore now uses restoreSnapshotId option. getActiveSandbox uses VercelSandbox.connect(...) and checks sandbox.sdkStatus === "running". processCreateSandbox maps sandboxStatus from sandbox.sdkStatus and serializes createdAt from sandbox.createdAt.
Consumers / API Surface lib/sandbox/createSandboxFromSnapshot.ts, other callers...lib/sandbox/*	Public/external-facing signatures and returned shapes updated to reflect VercelSandbox and new field names (e.g., sandbox.name, sandbox.sdkStatus, sandbox.timeout, sandbox.createdAt).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat(sandbox): inline open-agents sandbox abstraction (Phase 2.1) #507: Adds or implements the VercelSandbox abstraction and getters (sdkStatus, createdAt) that this PR depends on.
• promote: test → main (@vercel/sandbox v2 bump) #504: Earlier refactor of sandbox creation/retrieval shapes (name vs sandboxId, createdAt handling) that this PR builds upon.
• fix: skip expired snapshots and fallback to fresh sandbox #412: Changes snapshot validation and fallback restore logic in the same create/restore codepaths updated here.

Poem

✨ An SDK gives way to a named class bright,
Getters whisper status, dates now take flight.
Snapshots restored with a single field,
Types align, and wiring is healed.
Small changes, clearer sandboxed light.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Solid & Clean Code	✅ Passed	Pull request demonstrates strong adherence to SOLID principles and clean code practices with single responsibility functions, proper abstraction through VercelSandbox, eliminated duplication via centralized configuration, and maintainable architecture.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/sandbox-callers-use-abstraction

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 60 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

lib/sandbox/processCreateSandbox.ts (1)

25-30: ⚡ Quick win

Extract a dedicated buildSandboxCreatedResponse helper.

This response mapping now duplicates the logic in lib/sandbox/createSandbox.ts, including the sdkStatus lookup and createdAt fallback. A small shared serializer would keep the direct-create and snapshot-create paths from drifting.

As per coding guidelines, "Extract shared logic into reusable utilities following Don't Repeat Yourself (DRY) principle".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/sandbox/processCreateSandbox.ts` around lines 25 - 30, Extract a shared
helper named buildSandboxCreatedResponse that centralizes the mapping from a
Sandbox entity to SandboxCreatedResponse (including resolving sdkStatus lookup
and applying the createdAt fallback to ISO string), then replace the inline
construction in processCreateSandbox (the const result assignment) and the
equivalent mapping in createSandbox with calls to buildSandboxCreatedResponse so
both paths use the same serializer; ensure the helper accepts the sandbox object
(and any dependencies needed for sdkStatus resolution) and returns the exact
shape used elsewhere (SandboxCreatedResponse).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@lib/sandbox/createSandbox.ts`:
- Around line 41-53: The restore branch for VercelSandbox.create currently
spreads config but still allows vcpus/runtime to be forwarded (and the SDK will
default them), so restores overwrite snapshot-defined resources; when
config.restoreSnapshotId is true, build the payload so vcpus and runtime are
omitted (e.g., destructure and exclude vcpus/runtime or explicitly set them to
undefined) and only pass timeout and other non-resource fields to
VercelSandbox.create; reference VercelSandbox.create, config.restoreSnapshotId,
DEFAULT_VCPUS, and DEFAULT_RUNTIME when making the change so restores no longer
inherit the defaults.

In `@lib/sandbox/vercel/sandbox/VercelSandbox.ts`:
- Around line 975-982: The createdAt getter exposes potentially stale session
metadata because it reads this.session.createdAt directly; update the createdAt
accessor in VercelSandbox to call await this.refreshStateFromCurrentSession()
(or the synchronous equivalent used by sdkStatus) before returning
this.session.createdAt ?? undefined so it refreshes session state after
reconnect/resume; reference the createdAt getter,
refreshStateFromCurrentSession(), sdkStatus, and this.session.createdAt to
locate and modify the code.

---

Nitpick comments:
In `@lib/sandbox/processCreateSandbox.ts`:
- Around line 25-30: Extract a shared helper named buildSandboxCreatedResponse
that centralizes the mapping from a Sandbox entity to SandboxCreatedResponse
(including resolving sdkStatus lookup and applying the createdAt fallback to ISO
string), then replace the inline construction in processCreateSandbox (the const
result assignment) and the equivalent mapping in createSandbox with calls to
buildSandboxCreatedResponse so both paths use the same serializer; ensure the
helper accepts the sandbox object (and any dependencies needed for sdkStatus
resolution) and returns the exact shape used elsewhere (SandboxCreatedResponse).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 20b9b0ca-7cad-4fc2-ae87-8a679e344db9

📥 Commits

Reviewing files that changed from the base of the PR and between 3ea937a and 375673a.

⛔ Files ignored due to path filters (4)

• lib/sandbox/__tests__/createSandbox.test.ts is excluded by !**/*.test.*, !**/__tests__/** and included by lib/**
• lib/sandbox/__tests__/createSandboxWithFallback.test.ts is excluded by !**/*.test.*, !**/__tests__/** and included by lib/**
• lib/sandbox/__tests__/getActiveSandbox.test.ts is excluded by !**/*.test.*, !**/__tests__/** and included by lib/**
• lib/sandbox/__tests__/processCreateSandbox.test.ts is excluded by !**/*.test.*, !**/__tests__/** and included by lib/**

📒 Files selected for processing (6)

• lib/sandbox/createSandbox.ts
• lib/sandbox/createSandboxFromSnapshot.ts
• lib/sandbox/createSandboxWithFallback.ts
• lib/sandbox/getActiveSandbox.ts
• lib/sandbox/processCreateSandbox.ts
• lib/sandbox/vercel/sandbox/VercelSandbox.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Snapshot restores still inherit the default runtime/resource config.

This branch omits DEFAULT_VCPUS and DEFAULT_RUNTIME, but VercelSandbox.create() still defaults vcpus = 4 and runtime = "node22" internally and always forwards both into the SDK create payload. Restores via restoreSnapshotId therefore do not actually preserve snapshot-defined resources/runtime the way this helper now documents.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/sandbox/createSandbox.ts` around lines 41 - 53, The restore branch for
VercelSandbox.create currently spreads config but still allows vcpus/runtime to
be forwarded (and the SDK will default them), so restores overwrite
snapshot-defined resources; when config.restoreSnapshotId is true, build the
payload so vcpus and runtime are omitted (e.g., destructure and exclude
vcpus/runtime or explicitly set them to undefined) and only pass timeout and
other non-resource fields to VercelSandbox.create; reference
VercelSandbox.create, config.restoreSnapshotId, DEFAULT_VCPUS, and
DEFAULT_RUNTIME when making the change so restores no longer inherit the
defaults.

[cubic-dev-ai]

1 issue found across 10 files

Confidence score: 3/5

• There is a concrete regression risk in lib/sandbox/processCreateSandbox.ts: substituting new Date() when createdAt is missing fabricates creation metadata and can misrepresent sandbox state.
• Because this issue is medium severity (6/10) with high confidence (8/10) and affects observable data correctness, this sits at some merge risk rather than a minor housekeeping concern.
• Pay close attention to lib/sandbox/processCreateSandbox.ts - ensure missing createdAt is handled explicitly (or failed fast) instead of generating a synthetic timestamp.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="lib/sandbox/processCreateSandbox.ts">

<violation number="1" location="lib/sandbox/processCreateSandbox.ts:29">
P2: Do not substitute `new Date()` for a missing sandbox `createdAt`; this returns incorrect creation metadata. Fail fast (or explicitly handle missing SDK data) instead of fabricating a timestamp.</violation>
</file>

Architecture diagram

sequenceDiagram
    participant Client as API / Route Handler
    participant Lib as Sandbox Libs (create/getActive)
    participant DB as Supabase (Account Sandboxes)
    participant OA as NEW: VercelSandbox (Abstraction)
    participant SDK as @vercel/sandbox (SDK)

    Note over Client, SDK: Sandbox Lifecycle (Create/Reconnect)

    rect rgb(240, 240, 240)
    Note right of Client: Create Flow
    Client->>Lib: createSandbox(config)
    Lib->>OA: NEW: VercelSandbox.create(config)
    OA->>SDK: Sandbox.create()
    SDK-->>OA: Session object
    OA-->>Lib: VercelSandbox Instance
    Lib->>OA: NEW: get sdkStatus & createdAt
    Lib-->>Client: { sandboxId, sandboxStatus, createdAt, ... }
    end

    rect rgb(230, 240, 255)
    Note right of Client: Reconnect Flow
    Client->>Lib: getActiveSandbox(accountId)
    Lib->>DB: selectAccountSandboxes(accountId)
    DB-->>Lib: mostRecentSandboxId
    
    Lib->>OA: CHANGED: VercelSandbox.connect(id)
    OA->>SDK: Sandbox.get({ name: id })
    SDK-->>OA: Session object
    
    alt Status Check
        Lib->>OA: NEW: get sdkStatus
        OA-->>Lib: "running"
        Lib-->>Client: VercelSandbox Instance
    else Not Running or Error
        OA-->>Lib: "stopped" / Exception
        Lib-->>Client: null
    end
    end

    Note over Client, OA: Note: Legacy SDK logic (installClaudeCode/runClaudeCode)<br/>still calls SDK directly until Phase 2.3.

Loading

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[sweetmantech]

Manual verification on preview deployment

Tested PR #509's refactor end-to-end against `https://api-git-feat-sandbox-callers-use-abstraction-recoup.vercel.app\`. Created a real Vercel Sandbox via the refactored path (processCreateSandbox → createSandboxFromSnapshot → createSandboxWithFallback → createSandbox → VercelSandbox.create()) and confirmed the HTTP response shape is byte-identical to the pre-refactor surface.

Setup

• Used the api key supplied for this verification
• Preview: `https://api-git-feat-sandbox-callers-use-abstraction-recoup.vercel.app\`

T1 — POST /api/sandboxes (the refactored path)

curl -X POST $PREVIEW/api/sandboxes \
  -H "x-api-key: $KEY" \
  -H "Content-Type: application/json" \
  -d '{}'

Response (HTTP 200):

{
  "status": "success",
  "sandboxes": [{
    "sandboxId": "coral-coming-newt-bZXeCe",
    "sandboxStatus": "running",
    "timeout": 1800000,
    "createdAt": "2026-05-04T12:53:40.458Z"
  }]
}

What this proves:

• VercelSandbox.create() (the abstraction's create flow) succeeded against real Vercel infra
• New sdkStatus getter on VercelSandbox returns the SDK enum value ("running") — identical to what Sandbox.status returned pre-refactor
• New createdAt getter on VercelSandbox returns the SDK session's createdAt Date — .toISOString() round-trips correctly
• sandbox.name and sandbox.timeout (already-existing public fields on VercelSandbox) still expose the right values
• The restoreSnapshotId param-shape change in createSandboxWithFallback works (no snapshot existed for the test account → fell through to fresh sandbox path correctly)
• account_sandboxes row inserted (otherwise T2/T3 would not see this sandbox)

T2 — GET /api/sandboxes (list, unchanged code path)

This goes through getSandboxesHandler which uses getSandboxStatus — not refactored in this PR per Option B (still uses SDK directly). Run as a regression check that the unchanged path still works after the abstraction extension.

curl $PREVIEW/api/sandboxes -H "x-api-key: $KEY"

Returned a list of 14+ sandboxes for this account. The newly-created one was first, with sandboxStatus: "running"; older sandboxes showed sandboxStatus: "stopped". All identical response shape:

{
  "sandboxId": "coral-coming-newt-bZXeCe",
  "sandboxStatus": "running",
  "timeout": 1830000,
  "createdAt": "2026-05-04T12:53:40.574Z"
}

What this proves:

• Sandboxes created via the new abstraction path are round-trippable via the unchanged SDK status read — they work together
• Old sandboxes (created before the migration) still surface correctly
• The two readonly getters I added to VercelSandbox (sdkStatus, createdAt) didn't break any existing read code (no regressions in 25 sandbox tests + 2391/2391 full suite)

T3 — GET /api/sandboxes?sandbox_id=<id> (filter)

curl "$PREVIEW/api/sandboxes?sandbox_id=coral-coming-newt-bZXeCe" -H "x-api-key: $KEY"

Result:

{
  "count": 1,
  "first": {
    "sandboxId": "coral-coming-newt-bZXeCe",
    "sandboxStatus": "running",
    "timeout": 1830000,
    "createdAt": "2026-05-04T12:53:40.574Z"
  }
}

What this proves: filtered status reads work for sandboxes created via the new abstraction path. Same code path as T2; just exercising the filter.

What this confirms

Surface change	Verified live
VercelSandbox.create() replaces Sandbox.create() in api's create path	✓ T1 succeeds, sandbox runs
VercelSandbox.connect() would replace Sandbox.get in getActiveSandbox (not directly exercised here — no existing active sandbox to reconnect to — covered by 4 unit tests)	✓ unit tests
Two new readonly getters (sdkStatus, createdAt) populate the existing HTTP response shape correctly	✓ T1 returned identical-shape JSON to pre-refactor
restoreSnapshotId param-shape change in createSandboxWithFallback	✓ T1 worked (no-snapshot path); fallback test covers snapshot path
installClaudeCode / runClaudeCode (intentionally untouched per Option B)	✓ no callers in api production code → no risk

Cleanup

Sandbox coral-coming-newt-bZXeCe is on a 30-minute timeout — will self-stop without manual cleanup.

Local validation already complete (from PR description)

• pnpm lint:check clean
• pnpm test — 2391/2391 pass (181 sandbox tests, all green; same count as before this PR)
• pnpm build succeeds (preview deployed cleanly)

Ready to merge.

[cubic-dev-ai]

0 issues found across 4 files (changes from recent commits).

_{Requires human review: This is a significant refactor of the core sandbox lifecycle management, moving from direct SDK calls to a new internal abstraction (Phase 2.2). Refactor).}