fix: Pool 模式下 Pod 被删除后 BatchSandbox 不会重新分配新 Pod

.github/workflows/publish-components.yml

@@ -22,6 +22,7 @@ on:
           - egress
           - controller
           - task-executor
+          - image-committer
         default: 'execd'
       image_tag:
         description: 'Docker image tag'
@@ -35,6 +36,7 @@ on:
       - 'docker/egress/**'
       - 'k8s/controller/**'
       - 'k8s/task-executor/**'
+      - 'k8s/image-committer/**'
 
 jobs:
   publish:
@@ -117,6 +119,8 @@ jobs:
             cd kubernetes
           elif [ "$COMPONENT" == "task-executor" ]; then
             cd kubernetes
+          elif [ "$COMPONENT" == "image-committer" ]; then
+            cd kubernetes
           else
             cd sandboxes/$COMPONENT
           fi

.github/workflows/publish-js-sdks.yml

@@ -42,14 +42,13 @@ jobs:
       - name: Set up pnpm
         uses: pnpm/action-setup@v4
         with:
-          version: latest
-
-      - name: Enable corepack
-        run: corepack enable
+          version: 9.15.0
+          run_install: false
 
       - name: Get pnpm store path
         id: pnpm-store
-        run: echo "STORE_PATH=$(corepack pnpm store path)" >> "$GITHUB_OUTPUT"
+        working-directory: sdks
+        run: echo "STORE_PATH=$(pnpm store path)" >> "$GITHUB_OUTPUT"
 
       - name: Cache pnpm store
         uses: actions/cache@v5
@@ -60,11 +59,11 @@ jobs:
 
       - name: Install workspace dependencies
         working-directory: sdks
-        run: corepack pnpm install --frozen-lockfile
+        run: pnpm install --frozen-lockfile
 
       - name: Build SDK
         working-directory: sdks
-        run: corepack pnpm --filter ${{ matrix.sdk.packageName }}... --sort run build
+        run: pnpm --filter ${{ matrix.sdk.packageName }}... --sort run build
 
       - name: Pack SDK
         if: startsWith(github.ref, format('refs/tags/js/{0}/v', matrix.sdk.tagPrefix))
@@ -74,7 +73,7 @@ jobs:
           set -euo pipefail
           PACK_DIR="${GITHUB_WORKSPACE}/dist/npm/${{ matrix.sdk.name }}"
           mkdir -p "$PACK_DIR"
-          corepack pnpm pack --pack-destination "$PACK_DIR"
+          pnpm pack --pack-destination "$PACK_DIR"
           PACKAGE_TARBALL="$(find "$PACK_DIR" -maxdepth 1 -name '*.tgz' -print -quit)"
           if [[ -z "$PACKAGE_TARBALL" ]]; then
             echo "No package tarball was produced in $PACK_DIR" >&2
@@ -93,4 +92,4 @@ jobs:
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: |
-          corepack pnpm publish "${{ steps.pack.outputs.tarball }}" --access public --no-git-checks
+          pnpm publish "${{ steps.pack.outputs.tarball }}" --access public --no-git-checks

README.md

@@ -122,6 +122,7 @@ Quick start:
 osb config init
 osb config set connection.domain localhost:8080
 osb config set connection.protocol http
+osb config set connection.api_key <your-api-key>
 osb sandbox create --image python:3.12 --timeout 30m -o json
 osb command run <sandbox-id> -o raw -- python -c "print(1 + 1)"
 ```

cli/README.md

@@ -50,6 +50,7 @@ opensandbox-server
 osb config init
 osb config set connection.domain localhost:8080
 osb config set connection.protocol http
+osb config set connection.api_key <your-api-key>
 osb config show -o json
 ```
 

components/egress/docs/mitmproxy-transparent.md

@@ -30,8 +30,8 @@ By default, mitmproxy listens on `18081` and transparent redirect rules are set
 # Optional: change listening port (default: 18081)
 export OPENSANDBOX_EGRESS_MITMPROXY_PORT=18081
 
-# Optional: enable mitm addon script (e.g., inject request headers)
-export OPENSANDBOX_EGRESS_MITMPROXY_SCRIPT=/opt/opensandbox/mitmscripts/add_header.py
+# Optional: load an additional user-defined mitm addon (loaded after the system addon)
+export OPENSANDBOX_EGRESS_MITMPROXY_SCRIPT=/path/to/your/addon.py
 
 # Optional: bypass decryption for selected domains (semicolon-separated regex list)
 export OPENSANDBOX_EGRESS_MITMPROXY_IGNORE_HOSTS='.*\.log\.aliyuncs\.com;.*\.example\.internal'
@@ -43,7 +43,7 @@ export OPENSANDBOX_EGRESS_MITMPROXY_IGNORE_HOSTS='.*\.log\.aliyuncs\.com;.*\.exa
 |------|----------|------|--------|
 | `OPENSANDBOX_EGRESS_MITMPROXY_TRANSPARENT` | Yes | Enable transparent mitmproxy (`1/true/on`, etc.) | Disabled |
 | `OPENSANDBOX_EGRESS_MITMPROXY_PORT` | No | mitmdump listen port; `iptables` redirects `80/443` here | `18081` |
-| `OPENSANDBOX_EGRESS_MITMPROXY_SCRIPT` | No | mitm addon script path (`-s`) | Empty |
+| `OPENSANDBOX_EGRESS_MITMPROXY_SCRIPT` | No | Additional user mitm addon script path (`-s`); loaded after the system addon | Empty |
 | `OPENSANDBOX_EGRESS_MITMPROXY_IGNORE_HOSTS` | No | Host/IP regex list for TLS pass-through (`;` separated) | Empty |
 | `OPENSANDBOX_EGRESS_MITMPROXY_CONFDIR` | No | mitm config and CA directory (passed as `--set confdir=`, also used as `HOME`) | Default directory under `/var/lib/mitmproxy` |
 | `OPENSANDBOX_EGRESS_MITMPROXY_UPSTREAM_TRUST_DIR` | No | Trust directory for upstream TLS verification (OpenSSL style) | `/etc/ssl/certs` |
@@ -62,23 +62,31 @@ Notes:
 export OPENSANDBOX_EGRESS_MITMPROXY_TRANSPARENT=true
 ```
 
-### 2) Enable with Header Injection
+### 2) System Addon (Always On)
+
+The bundled system addon at `/var/egress/mitmscripts/system.py` is shipped in the egress image and loaded automatically whenever transparent mode is enabled. It stays wire-transparent (no headers added or altered) and currently provides:
+
+- Forces streaming (`flow.response.stream = True`) for SSE (`text/event-stream`) and chunked responses, so each chunk is forwarded immediately instead of being buffered up to the `stream_large_bodies=1m` threshold (critical for LLM streaming UX).
+
+The system addon is always loaded and cannot be disabled via configuration. To override its behavior, supply a user addon via `OPENSANDBOX_EGRESS_MITMPROXY_SCRIPT`; user addons are loaded after the system addon and may observe or override its hooks.
+
+### 3) Add a User Addon Alongside the System Addon
 
 ```bash
 export OPENSANDBOX_EGRESS_MITMPROXY_TRANSPARENT=true
-export OPENSANDBOX_EGRESS_MITMPROXY_SCRIPT=/opt/opensandbox/mitmscripts/add_header.py
+export OPENSANDBOX_EGRESS_MITMPROXY_SCRIPT=/path/to/your/addon.py
 ```
 
-Built-in example script: `/opt/opensandbox/mitmscripts/add_header.py` (adds `X-OpenSandbox-Egress: 1`).
+The user addon is loaded after the system addon (`-s system.py -s user.py`), so user hooks observe and may override system behavior.
 
-### 3) Bypass Decryption for Specific Domains (e.g. log upload)
+### 4) Bypass Decryption for Specific Domains (e.g. log upload)
 
 ```bash
 export OPENSANDBOX_EGRESS_MITMPROXY_TRANSPARENT=true
 export OPENSANDBOX_EGRESS_MITMPROXY_IGNORE_HOSTS='.*\.log\.aliyuncs\.com'
 ```
 
-### 4) Use a Fixed CA (consistent fingerprint across replicas)
+### 5) Use a Fixed CA (consistent fingerprint across replicas)
 
 If CA files already exist in `confdir`, mitmproxy reuses them instead of regenerating on each startup. Typical paths:
 

components/egress/mitmscripts/system.py

@@ -0,0 +1,36 @@
+# Copyright 2026 Alibaba Group Holding Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# OpenSandbox egress system addon.
+#
+# Always loaded by the egress mitmproxy launcher. Stays transparent on the
+# wire (does not add or alter headers that would reveal the proxy to peers).
+#
+# Behavior:
+#   Forces streaming for SSE / chunked responses so each chunk is forwarded
+#   immediately, bypassing the stream_large_bodies=1m buffer set in launch.go
+#   (which otherwise stalls LLM-style small-chunk streams).
+#
+# User-defined addons can be loaded alongside this script via
+# OPENSANDBOX_EGRESS_MITMPROXY_SCRIPT.
+from mitmproxy import http
+
+
+def responseheaders(flow: http.HTTPFlow) -> None:
+    if flow.response is None:
+        return
+    content_type = flow.response.headers.get("content-type", "").lower()
+    transfer_encoding = flow.response.headers.get("transfer-encoding", "").lower()
+    if "text/event-stream" in content_type or "chunked" in transfer_encoding:
+        flow.response.stream = True

components/egress/pkg/mitmproxy/launch.go

@@ -34,11 +34,16 @@ const RunAsUser = "mitmproxy"
 // Loopback: transparent mode receives via REDIRECT; do not listen on 0.0.0.0 in the netns.
 const listenHostLoopback = "127.0.0.1"
 
+// systemScriptPath: bundled system addon shipped via the egress Dockerfile
+// (COPY components/egress/mitmscripts /var/egress/mitmscripts). Always loaded.
+const systemScriptPath = "/var/egress/mitmscripts/system.py"
+
 // Config: mitmdump --mode transparent; UserName must match iptables ! --uid-owner, ConfDir is mitm state/CA.
 type Config struct {
 	ListenPort int
 	UserName   string
 	ConfDir    string
+	// ScriptPath is an optional user-supplied addon, loaded after the system addon.
 	ScriptPath string
 	// OnExit is called (if non-nil) when mitmdump exits. Called from a background goroutine.
 	OnExit func(error)
@@ -120,8 +125,10 @@ func Launch(cfg Config) (*Running, error) {
 		args = append(args, "--set", "confdir="+cd)
 		homeEnv = cd
 	}
-	if strings.TrimSpace(cfg.ScriptPath) != "" {
-		args = append(args, "-s", strings.TrimSpace(cfg.ScriptPath))
+	// Load the system addon first so user addons can observe / override its hooks.
+	args = append(args, "-s", systemScriptPath)
+	if user := strings.TrimSpace(cfg.ScriptPath); user != "" {
+		args = append(args, "-s", user)
 	}
 
 	// Upstream passthrough: each pattern becomes --set ignore_hosts= (regex; IP ranges are practical in transparent mode).

components/egress/policy_server.go

@@ -147,8 +147,10 @@ func (s *policyServer) handlePolicy(w http.ResponseWriter, r *http.Request) {
 		s.handlePost(w, r)
 	case http.MethodPatch:
 		s.handlePatch(w, r)
+	case http.MethodDelete:
+		s.handleDelete(w, r)
 	default:
-		w.Header().Set("Allow", "GET, POST, PUT, PATCH")
+		w.Header().Set("Allow", "GET, POST, PUT, PATCH, DELETE")
 		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
 	}
 }
@@ -222,15 +224,16 @@ func (s *policyServer) handlePatch(w http.ResponseWriter, r *http.Request) {
 	defer s.mu.Unlock()
 
 	raw, err := readPolicyRequestBody(r)
-	if err != nil || raw == "" {
-		if err != nil {
-			logEgressUpdateFailedWarn(fmt.Sprintf("failed to read body: %v", err))
-		} else {
-			logEgressUpdateFailedWarn("empty patch body")
-		}
+	if err != nil {
+		logEgressUpdateFailedWarn(fmt.Sprintf("failed to read body: %v", err))
 		http.Error(w, fmt.Sprintf("failed to read body: %v", err), http.StatusBadRequest)
 		return
 	}
+	if raw == "" {
+		logEgressUpdateFailedWarn("empty patch body")
+		http.Error(w, "empty body", http.StatusBadRequest)
+		return
+	}
 
 	var patchRules []policy.EgressRule
 	if err := json.Unmarshal([]byte(raw), &patchRules); err != nil {
@@ -268,6 +271,84 @@ func (s *policyServer) handlePatch(w http.ResponseWriter, r *http.Request) {
 	})
 }
 
+func (s *policyServer) handleDelete(w http.ResponseWriter, r *http.Request) {
+	defer r.Body.Close()
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	raw, err := readPolicyRequestBody(r)
+	if err != nil {
+		logEgressUpdateFailedWarn(fmt.Sprintf("failed to read body: %v", err))
+		http.Error(w, fmt.Sprintf("failed to read body: %v", err), http.StatusBadRequest)
+		return
+	}
+	if raw == "" {
+		logEgressUpdateFailedWarn("empty delete body")
+		http.Error(w, "empty body", http.StatusBadRequest)
+		return
+	}
+
+	var targets []string
+	if err := json.Unmarshal([]byte(raw), &targets); err != nil {
+		logEgressUpdateFailedWarn(fmt.Sprintf("invalid delete targets: %v", err))
+		http.Error(w, fmt.Sprintf("invalid delete targets: %v", err), http.StatusBadRequest)
+		return
+	}
+	if len(targets) == 0 {
+		logEgressUpdateFailedWarn("empty delete targets array")
+		http.Error(w, "invalid delete targets: empty array", http.StatusBadRequest)
+		return
+	}
+
+	base := s.proxy.CurrentPolicy()
+	if base == nil {
+		base = policy.DefaultDenyPolicy()
+	}
+	oldCount := len(base.Egress)
+	newEgress, removedRules := removeRulesByTarget(base.Egress, targets)
+	removed := oldCount - len(newEgress)
+
+	if removed == 0 {
+		mode := modeFromPolicy(base)
+		writeJSON(w, http.StatusOK, policyStatusResponse{
+			Status:          "ok",
+			Mode:            mode,
+			EnforcementMode: s.enforcementMode,
+			Reason:          "no matching targets found",
+		})
+		return
+	}
+
+	rawMerged, err := json.Marshal(policy.NetworkPolicy{
+		DefaultAction: base.DefaultAction,
+		Egress:        newEgress,
+	})
+	if err != nil {
+		logEgressUpdateFailedError(fmt.Sprintf("failed to marshal updated policy: %v", err))
+		http.Error(w, fmt.Sprintf("internal error: %v", err), http.StatusInternalServerError)
+		return
+	}
+	newPolicy, err := policy.ParsePolicy(string(rawMerged))
+	if err != nil {
+		logEgressUpdateFailedError(fmt.Sprintf("invalid policy after delete: %v", err))
+		http.Error(w, fmt.Sprintf("internal error: %v", err), http.StatusInternalServerError)
+		return
+	}
+
+	mode := modeFromPolicy(newPolicy)
+	log.Infof("policy API: deleting %d egress rule(s) by target, removed=%d, mode=%s, enforcement=%s", len(targets), removed, mode, s.enforcementMode)
+	if !s.commitPolicy(r.Context(), w, newPolicy, "delete") {
+		return
+	}
+	logEgressUpdated(newPolicy.DefaultAction, removedRules)
+	log.Infof("policy API: delete applied successfully")
+	writeJSON(w, http.StatusOK, policyStatusResponse{
+		Status:          "ok",
+		Mode:            mode,
+		EnforcementMode: s.enforcementMode,
+	})
+}
+
 // commitPolicy applies one logical change: optional disk persist → merge always file rules → nft
 // static (with nameserver allow-IPs) → then update in-memory user policy (POST/PATCH/GET view).
 func (s *policyServer) commitPolicy(ctx context.Context, w http.ResponseWriter, pol *policy.NetworkPolicy, op string) bool {