Release Notes
2025-05-30
New Features
- TTY support — `execStream` now accepts `tty: true` to allocate a pseudo-terminal, enabling interactive programs and terminal UIs inside a sandbox.
- Exec event stream — sandbox events now include `exec.request` and `exec.response` types so the Inspector and audit log can trace every command invocation.
- Snapshots — configure `snapshot` in `SandboxConfig` with `restore_key`, `write_key`, and `include` glob patterns. The runtime captures a snapshot on shutdown and restores it on the next start, eliminating cold-start overhead for stateful workloads.
Improvements
- `getEventsStream` auto-resumes across disconnects using exponential backoff (up to 30 s). Callers never miss events across transient network blips — the iterator reconnects with the last observed event ID.
- `applyConfig` returns a structured `ApplyResult` with `applied`, the post-apply `config`, a `changes` diff (added/removed `fs` entries and egress rules), and any non-fatal `warnings`.
- `SandboxError` now carries `status`, `operation`, and the upstream `body` (with `details`) so callers can switch on structured error context without re-parsing.
Bug Fixes
- Fixed a race where `execStream` could drop the first bytes of stdout if the SSE reader started before the process was registered on the server side. The client now awaits the 200 response headers before yielding the `ExecProcess` handle.
- `getOrCreateSandbox` retries once on connection-refused to handle the case where the controller process is still starting.
2025-04-15
New Features
- File operations — three new `Sandbox` methods for interacting with mounted file systems:
  - `uploadFile(destination, filename, content)` — write a file into a mount.
  - `downloadFile(path)` — fetch raw bytes from any agent-visible path.
  - `listDirectory(path)` — enumerate immediate children with `name`, `path`, `is_dir`, and `size`.
- Egress rules with overrides — `EgressRule` now supports `host`, `ports`, `methods`, and `paths` filtering. An optional `override` block injects query parameters or headers into matching outbound requests without exposing the values to the agent.
- ACLs on file system mounts — each `FileSystem` entry accepts an `acls` array of `ACLRule` objects (`path` + `access: "rw" | "ro" | "deny"`), evaluated longest-prefix-first with deny as the default when no rule matches.
- GCS backend — added `GCSFileSystem` (`backend: "gcs"`) with `gcs_bucket`, optional `gcs_prefix`, and `gcs_service_account_json` (falls back to Application Default Credentials when omitted).
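The longest-prefix-first, default-deny ACL evaluation described in the mount ACLs item above, as an added TypeScript illustration (not the SDK's own code). The `path` and `access` fields come from the notes; matching on whole path segments, the `..` normalization, the helper names and the sample rules are assumptions.

```typescript
// Illustrative evaluator; only `path` and `access` are taken from the release notes.
type Access = "rw" | "ro" | "deny";
interface ACLRule { path: string; access: Access; }

// Assumption: paths are normalized before matching so "." and ".." segments
// cannot be used to step around a denied or read-only subtree.
function normalize(p: string): string[] {
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return out;
}

// Assumption: a rule matches on whole path segments, so "/data" covers
// "/data/x" but not "/database".
function covers(rule: string[], target: string[]): boolean {
  return rule.length <= target.length && rule.every((seg, i) => seg === target[i]);
}

// The longest matching prefix wins; no matching rule means "deny".
function evaluateAcl(rules: ACLRule[], requested: string): Access {
  const target = normalize(requested);
  let best: { len: number; access: Access } | null = null;
  for (const rule of rules) {
    const prefix = normalize(rule.path);
    if (!covers(prefix, target)) continue;
    if (best === null || prefix.length > best.len) {
      best = { len: prefix.length, access: rule.access };
    }
  }
  return best === null ? "deny" : best.access;
}

// A write needs "rw"; a read needs "rw" or "ro".
function isAllowed(rules: ACLRule[], requested: string, op: "read" | "write"): boolean {
  const access = evaluateAcl(rules, requested);
  return op === "write" ? access === "rw" : access !== "deny";
}

// Constructed sample rules for a single mount.
const sampleRules: ACLRule[] = [
  { path: "/workspace", access: "rw" },
  { path: "/workspace/.git", access: "ro" },
  { path: "/workspace/secrets", access: "deny" },
];
```

A quick review check for any ACL set: every path an agent should not touch must resolve to `deny` even when reached through `..`, and a sibling whose name merely starts with a denied directory name must not inherit that rule.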
Improvements
- `listSandboxes` returns fully constructed `Sandbox` handles rather than raw refs, so callers can immediately call `exec`, `getConfig`, etc. on any running sandbox.
- `SandboxConfig` validates `fs` mount paths at schema-parse time (must be absolute) and enforces that `snapshot` keys match `[A-Za-z0-9_-]{1,64}`.
- All controller functions (`getOrCreateSandbox`, `listSandboxes`, `shutdown`) accept a `timeoutMs` option that applies to every fetch and to the readiness-polling loop. Pass `0` to disable timeouts entirely.
Bug Fixes
- `shutdown` now returns cleanly on HTTP 204 (no content) without throwing.
- `applyConfig` validates the config locally before sending, so a malformed request fails fast on the client side instead of producing a 400 from the server.
2025-03-01
New Features
- TypeScript client — initial release of the `@hive-run/sdk` package with:
  - `getOrCreateSandbox(id, config)` — idempotent sandbox provisioning via `PUT /v1/sandboxes/{id}`. Polls until the sandbox is reachable before returning.
  - `listSandboxes()` — enumerate all running sandboxes.
  - `shutdown(sandbox)` — stop and remove a sandbox container.
  - `sandbox.exec` — run a command and await buffered `stdout`, `stderr`, and `exit_code`.
  - `sandbox.execStream` — run a command and receive an `ExecProcess` handle with:
    - `pipes` — async iterable of `{ stdout?, stderr? }` chunks streamed in real time.
    - `exitCode` — promise that resolves to the process exit code.
    - `writeStdin(data)` — send input to the running process.
  - `sandbox.getEventsStream` — long-lived async iterator over structured `SandboxEvent`s. Event types: `config.apply`, `egress.request`, `egress.response`, `fs.request`, `fs.response`, `stdio`, `resource.usage`, `exec.request`, `exec.response`.
  - `sandbox.applyConfig` / `getConfig` — read and live-update sandbox configuration without restarting the container.
  - `SandboxConfig` — full configuration schema covering:
    - `image` and `entrypoint` — custom Docker image and entrypoint override.
    - `env` — environment variables injected at start time.
    - `ttl` — idle timeout in seconds (reset by `sandbox.ping()`); use `0` to disable.
    - `fs` — one or more file system mounts with `local`, `gdrive`, and `gcs` backends, each supporting `acls`.
    - `egress` — ordered list of egress rules with host/port/method/path filtering and `override` injection.
    - `snapshot` — save/restore sandbox state with `restore_key`, `write_key`, and `include` patterns.
- Custom Docker images — specify any OCI-compatible image in `SandboxConfig.image`.
- Google Drive backend — `GDriveFileSystem` supports OAuth tokens, refresh tokens, and service account credentials. Scope to a specific folder with `gdrive_folder_id`.
Improvements
- `HIVE_API_KEY` is read automatically from the environment in all SDK operations.
- Schema validation runs on the client before any network request, giving immediate feedback on malformed configs.