What's New
✨ Features
- Isolation convenience APIs —
sandbox.isolation.run_once(code, workspace=...)for one-shot create → run → delete flows, andasync with sandbox.isolation.session(req)/with ... session(req)for scoped multi-run workflows. Cleanup is best-effort so it never masks the original exception. Available on both async and sync clients. (#1222) - List isolated sessions —
sandbox.isolation.list()(async + sync). (#1269) - Isolated bind mounts —
CreateIsolatedSessionRequest.bindsacceptsBindMount(source, dest, readonly)for arbitrary host→namespace path mappings; also exposes the previously missinguid_mode. Threaded through therun_oncehelper as well. (#1264) - Sandbox pool destroy —
SandboxPoolManagerFORCE-destroy support withDESTROYINGfence +DESTROYEDtombstone; both in-memory and Redis stores implement the new tombstone semantics. Failed destroys leave the pool inDESTROYINGso callers can retry safely. (#1225) - Credential Vault placeholder substitutions — opt-in placeholders for
path/query/header/bodyrequest surfaces (incl.passthroughbindings). (#1251) - Endpoint cache with inflight dedup — cache
(sandbox_id, port, use_server_proxy) → Endpointto avoid repeated HTTP roundtrips. Default on: TTL 600s, MaxSize 1024, configurable viaConnectionConfig;kill()actively invalidates cached entries. (#1133) - Sandbox
extensionsin lifecycle responses —CreateSandboxResponseandSandboxmodels now exposeextensions, restoring Kubernetesopensandbox.io/extensions.*annotations asopensandbox.extensions.*in response data. (#1112) IsolationService/IsolationServiceSyncprotocols now includerun_onceandsession— built-in adapters inherit default implementations viaIsolationServiceMixin, but custom protocol implementations must satisfy the extended contract. (#1222)CredentialMatch.portsremoved; intercept port is derived from scheme (http→80,https→443). Drop anyports=[...]arguments. (#1189)PoolStateStoreContentionErrorremoved (never actually raised by in-memory or Redis stores). (#1198)
🐛 Bug Fixes
- Handled adapter warnings/errors are demoted so they no longer surface as noisy tracebacks, while still remaining visible in logs.
- Python SDK logging unified to f-strings.
🔒 Security
- Patch 21 Dependabot CVEs — bumps
pydantic-settings→ 2.14.2,python-multipart→ 0.0.32,starlette→ 1.3.1,cryptography→ 49.0.0,pyjwt→ 2.13.0 viapyproject.tomllower bounds and[tool.uv] constraint-dependenciesfor transitive deps. Resolves all open Dependabot alerts for Python packages. (#1145)
📦 Misc
- Removed unused server-side
PendingSandboxasync provisioning path and corrected thePOST /sandboxes202 spec — both Docker and K8s provision synchronously and returnRunningdirectly, so no polling loop is needed. Regenerated Python API clients accordingly. (#1178) - Repository metadata URLs in
pyproject.tomlnow point atopensandbox-group/OpenSandbox. (#1135) - Bumped the Python sandbox SDK
fallback_versionto0.1.14and aligned the defaultUser-Agent(OpenSandbox-Python-SDK/0.1.14, async + sync) which had drifted behind the released version. A regression test now locks the User-Agent to the package version. (#1248)