[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-78420":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":14,"subscribersCount":14,"size":14,"stars1d":14,"stars7d":15,"stars30d":16,"stars90d":14,"forks30d":14,"starsTrendScore":14,"compositeScore":17,"rankGlobal":9,"rankLanguage":9,"license":18,"archived":19,"fork":19,"defaultBranch":20,"hasWiki":19,"hasPages":19,"topics":21,"createdAt":9,"pushedAt":9,"updatedAt":22,"readmeContent":23,"aiSummary":24,"trendingCount":14,"starSnapshotCount":14,"syncStatus":25,"lastSyncTime":26,"discoverSource":27},78420,"cloudsail","nkzw-tech\u002Fcloudsail","nkzw-tech","Self-hosted instant sandboxes for coding agents on Cloudflare.",null,"TypeScript",151,8,1,0,5,108,55.36,"MIT License",false,"main",[],"2026-06-12 04:01:23","# Cloudsail\n\nInstant use sandboxes for coding agents on Cloudflare with Cloudsail (_Alpha_). 
It runs on Cloudflare Workers, Durable Objects, Containers, and Sandboxes, and gives you a local CLI that opens an isolated remote computer for each project, PR, task, or experiment.\n\nUse it when you want to run Codex, tests, package installs, git commands, and dev servers away from your laptop while keeping each workspace separated.\n\n## Features\n\n- **Instant Sandboxes:** Create as many isolated project sandboxes as you need, then destroy them when done.\n- **Secure by Default:** GitHub and API credentials live in the Worker instead of being exposed to compromised containers.\n- **Controlled Egress:** Access GitHub, OpenAI\u002FChatGPT, and package registries by default; add docs hosts with `cs allow`.\n- **GitHub Integration:** Start with a GitHub Repo or PR URL, inspect diffs, commit, push, and open PRs.\n\n## Requirements\n\n- Node 23+\n- A Cloudflare account with Workers, Durable Objects, Containers, and Sandboxes enabled\n- Docker Desktop, or another Docker-compatible daemon, for `cs deploy`\n- Git\n\nFor Codex, either use ChatGPT subscription auth inside the sandbox or configure `OPENAI_API_KEY` as a Worker secret. For GitHub, a fine-grained token works for alpha testing; a GitHub App installation is the better long-term credential.\n\n## Install\n\n```sh\nnpm install -g cloudsail\n```\n\nLog in to Cloudflare if you have Wrangler on your PATH:\n\n```sh\nwrangler login\n```\n\nIf `wrangler` is not already on your PATH, skip that command. The Cloudsail package includes Wrangler, and `cs setup` will open Cloudflare login with the packaged copy if needed.\n\n## Deploy Your Cloudsail\n\nRun setup once:\n\n```sh\ncs setup\n```\n\n`cs setup` creates `~\u002F.config\u002Fcloudsail\u002Fconfig.json`, writes the deploy config to `~\u002F.config\u002Fcloudsail\u002Fdeploy\u002Fwrangler.jsonc`, generates a local auth token, and stores that token as the Worker secret `CLOUDSAIL_AUTH_TOKEN`.\n\nSet optional credentials. 
If the variable already exists in your environment, Cloudsail passes it to Wrangler; otherwise Wrangler prompts securely:\n\n```sh\ncs secret set GITHUB_TOKEN\ncs secret set OPENAI_API_KEY\n```\n\nFor GitHub App auth:\n\n```sh\ncs secret set GITHUB_APP_ID\ncs secret set GITHUB_APP_INSTALLATION_ID\nGITHUB_APP_PRIVATE_KEY=\"$(cat private-key.pem)\" cs secret set GITHUB_APP_PRIVATE_KEY\n```\n\nDeploy the Worker and container image:\n\n```sh\ncs deploy\n```\n\n`cs deploy` runs Wrangler against the packaged Worker and Dockerfile. You do not need to clone the Cloudsail repo. After deploy, it saves the deployed Worker URL into `~\u002F.config\u002Fcloudsail\u002Fconfig.json`.\n\nCheck the setup:\n\n```sh\ncs doctor\n```\n\nUseful setup commands:\n\n```sh\ncs config show\ncs config path\ncs config deploy-path\ncs secret list\ncs deploy --dry-run\n```\n\nUse a different Worker name:\n\n```sh\ncs setup --name my-cloudsail\ncs deploy --name my-cloudsail\n```\n\n## First Sandbox\n\nCreate an empty sandbox:\n\n```sh\ncs create my-task --type standard-2\ncs shell my-task\n```\n\nSeed a sandbox from a GitHub repo:\n\n```sh\ncs gh https:\u002F\u002Fgithub.com\u002Fowner\u002Frepo my-task\ncs shell my-task\n```\n\nSeed from a pull request:\n\n```sh\ncs gh https:\u002F\u002Fgithub.com\u002Fowner\u002Frepo\u002Fpull\u002F123 fix-123\ncs shell fix-123\n```\n\nInside `cs shell`, commands run in the remote sandbox:\n\n```sh\npnpm install\npnpm test\ncodex\n```\n\nJump straight into Codex:\n\n```sh\ncs codex my-task\n```\n\nRun a one-off command:\n\n```sh\ncs run my-task -- 'pwd; git status --short; pnpm test'\n```\n\n## Testing Web Apps\n\nStart a dev server in the sandbox and expose it:\n\n```sh\ncs dev my-task --port 5173 -- pnpm dev --host 0.0.0.0\ncs ports my-task\ncs open my-task 5173\n```\n\nYou can also run the dev server manually inside `cs shell`, then expose the port:\n\n```sh\npnpm dev --host 0.0.0.0\ncs expose my-task 5173\n```\n\nProduction preview URLs need a Cloudflare 
route that can receive the generated preview hostnames. For serious browser testing, configure `CLOUDSAIL_PREVIEW_HOST` in `~\u002F.config\u002Fcloudsail\u002Fdeploy\u002Fwrangler.jsonc` or in the Cloudflare dashboard before deploying.\n\nPreview URLs are authenticated. Open them with `cs open`, `cs dev`, or `cs expose`; the CLI mints a short-lived browser ticket and the Worker stores it as an HTTP-only cookie. Raw exposed URLs return `401` unless the request includes `CLOUDSAIL_AUTH_TOKEN` bearer auth.\n\n## Credentials\n\nCloudsail keeps Worker-owned credentials outside the remote computer. The sandbox receives a harmless placeholder `OPENAI_API_KEY` so API-key CLIs can detect that auth exists. When an approved HTTP or HTTPS request leaves the sandbox, the Worker injects the real credential at the edge.\n\n- `api.openai.com`: Worker injects `OPENAI_API_KEY`.\n- `chatgpt.com`: Codex ChatGPT subscription traffic is allowed; Cloudsail does not inject subscription credentials.\n- `github.com` and `api.github.com`: Worker injects GitHub auth only for the project's repo.\n- The container cannot read the real token from env, files, process args, or shell history.\n- Terminal WebSockets use short-lived one-time tickets.\n- Public internet is blocked by default except for the configured HTTP\u002FS allowlist.\n\nInside `cs shell`, `echo \"$OPENAI_API_KEY\"` prints the placeholder, not your real key. `git fetch`, `git push`, and OpenAI API calls still work through Worker-side injection.\n\n## Egress\n\nSandboxes start with the hosts needed for normal development: GitHub, OpenAI, ChatGPT, npm registries, and common GitHub asset hosts.\n\nAdd docs or research hosts per project:\n\n```sh\ncs egress my-task\ncs allow my-task viteplus.dev\ncs allow my-task docs.astro.build\ncs disallow my-task viteplus.dev\n```\n\nProject-added hosts are read-only. 
`GET`, `HEAD`, and `OPTIONS` are allowed; mutating requests are blocked.\n\n## Git Workflow\n\nUse normal git inside the sandbox:\n\n```sh\ngit status\ngit add -A\ngit commit -m \"Build feature\"\ngit push origin HEAD:cloudsail\u002Fmy-feature\n```\n\nCloudsail also includes optional helpers:\n\n```sh\ncs diff my-task\ncs changes my-task\ncs commit my-task \"Build feature\"\ncs push my-task cloudsail\u002Fmy-feature\ncs pr my-task \"Build feature\"\n```\n\n`cs changes --json` exposes commit and file before\u002Fafter data for tools such as codiff.\n\n## Lifecycle and Cost\n\nCloudsail defaults to `CLOUDSAIL_SANDBOX_SLEEP_AFTER=3h`. A sandbox can stay warm during active work, then Cloudflare can shut it down after roughly three idle hours.\n\nLive terminals and dev servers stop when the sandbox sleeps. Durable state should be in Git commits, pushed branches, or checkpoints. Cloudsail is not a durable VM unless you checkpoint or push your work.\n\nChange keepalive per sandbox:\n\n```sh\ncs keepalive my-task 3h\ncs keepalive my-task 24h\ncs keepalive my-task 7d\ncs keepalive my-task forever\ncs keepalive my-task off\n```\n\n`forever` keeps the sandbox alive until you destroy it:\n\n```sh\ncs destroy my-task\n```\n\nApproximate idle live cost for the default `standard-2` container:\n\n- `3h`: about `$0.17` per sandbox\n- `24h`: about `$1.37` per sandbox\n- `7d`: about `$9.58` per sandbox\n\nCPU usage, Workers, Durable Objects, logs, egress, and included monthly usage can change the final bill.\n\n## Project Config\n\nCloudsail stores user config at:\n\n```sh\n~\u002F.config\u002Fcloudsail\u002Fconfig.json\n```\n\nRepo-local defaults can live in `.cloudsail.json`:\n\n```sh\ncs init\n```\n\nEnvironment variables override stored config for one command:\n\n```sh\nCLOUDSAIL_URL=https:\u002F\u002Fyour-worker.workers.dev CLOUDSAIL_AUTH_TOKEN=... 
cs doctor\n```\n\n## Contributing\n\nClone the repo only if you want to work on Cloudsail itself:\n\n```sh\ngit clone https:\u002F\u002Fgithub.com\u002Fnkzw-tech\u002Fcloudsail.git\ncd cloudsail\npnpm install\npnpm check\npnpm test\npnpm pack:check\n```\n\nRun the local Worker during development:\n\n```sh\ncp .dev.vars.example .dev.vars\npnpm dev\n```\n\nRun a production smoke test after deploying:\n\n```sh\npnpm smoke:prod\n```\n\n## Docs\n\n- [Security policy](SECURITY.md)\n- [Architecture proposal](docs\u002Fremote-sandbox-proposal.md)\n- [Repo setup notes](docs\u002Frepo-setup.md)\n- [Next steps](docs\u002Fnext-steps.md)\n","Cloudsail is a self-hosted instant sandbox project built on Cloudflare that provides isolated environments for coding agents. It uses Cloudflare Workers, Durable Objects, Containers, and Sandboxes, and opens an isolated remote computing environment for each project, PR, task, or experiment through a local CLI. Key features include instantly creating and destroying multiple isolated project sandboxes, secure-by-default settings (such as storing GitHub and API credentials in the Worker rather than in vulnerable containers), and deep GitHub integration. It suits scenarios where you need to run code tests, package installs, git operations, and dev servers away from your personal computer while keeping each workspace isolated from the others.",2,"2026-06-11 03:56:49","CREATED_QUERY"]