Add keepAlive flag to prevent scale-to-zero during process execution (#176)

* Add lifecycle management for sandbox processes

Introduces new lifecycle features to the sandbox API, including the ability to force stop processes and retrieve the current sandbox status. The `/stop` endpoint allows for immediate or scheduled removal of the keepAlive flag from running processes, enabling auto-hibernation. The `/status` endpoint provides information on the current state of the sandbox and active keepAlive processes.

Additionally, integrates the lifecycle management with the MCP tools, enhancing the overall process control and monitoring capabilities. The scale-to-zero functionality is also improved with crash recovery mechanisms.

Updates include:
- New `LifecycleHandler` for managing lifecycle operations.
- API documentation updates for new endpoints.
- Integration of keepAlive functionality in process management.
- Comprehensive tests for lifecycle features and MCP integration.

* Enhance scale-to-zero functionality with improved error handling and logging

* Remove lifecycle management endpoints and related functionality

This commit removes the `/stop` and `/status` endpoints from the sandbox API, along with the associated `LifecycleHandler` and related data structures. The lifecycle management features, including the ability to force stop processes and retrieve the current sandbox status, have been deprecated.

Updates include:
- Deletion of lifecycle-related API routes and handlers.
- Removal of lifecycle management types and structures from the codebase.
- Adjustments to documentation to reflect the removal of these features.

This change simplifies the API and focuses on core process management functionalities.

* Fix PR

* Fix bug introduce with AI check

* Implement keepAlive timeout handling for restarted processes

This commit introduces functionality to manage timeouts for processes with the keepAlive flag enabled. If a process is restarted and keepAlive is active with a specified timeout, a goroutine is initiated to monitor the timeout and kill the process if it exceeds the limit. For processes with an infinite timeout, the goroutine simply waits for the process to complete. This enhancement improves process management and ensures better resource handling.

* Fix some recommendation from AI

* Enhance logging in ProcessManager to include process name in scale-to-zero warnings and timeout messages. Clear KeepAlive state before killing processes to prevent double ScaleEnable calls. Refactor related log messages for consistency.

* Refactor logging in ProcessManager to use structured log entries for KeepAlive events. Enhance clarity by including process details in log messages for scale-to-zero operations and timeout handling. This improves consistency and debuggability of process management logs.

* Sanitize user-provided values in log entries to prevent log injection (CWE-117)

Add sanitizeLogValue() helper that escapes newlines and control characters.
Replace structured logging (logrus.WithFields) with simple logrus.Infof/Warnf
calls that use sanitized values - clearer and more readable.
Addresses all CodeQL 'Log entries created from user input' warnings.

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

* Improve sanitizeLogValue to strip all control characters (CWE-117)

Replace strings.NewReplacer with byte-level filtering that strips all
control characters (< 0x20) including newlines. This provides more
thorough sanitization against log injection.

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

* Use strings.NewReplacer as CodeQL-recognized sanitizer for log injection (CWE-117)

Replace custom byte-level loop with package-level strings.NewReplacer
variable (logSanitizer). CodeQL explicitly recognizes strings.Replacer.Replace
as a sanitizer for go/log-injection since github/codeql#11910.
Call logSanitizer.Replace() directly at each log site.

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

* Use %q format directive for user-provided values in log entries (CWE-117)

CodeQL's SafeFormatArgumentSanitizer explicitly recognizes %q as safe
because it escapes newline characters. This is the simplest and most
idiomatic fix - no helper functions or variables needed.

Removes the logSanitizer variable entirely. User-provided values (name,
command) are now logged with %q which produces Go-syntax quoted strings,
making any control characters visible in the output.

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

* Revert sanitize/log changes - restore original structured logging

Reverts commits 6902a62, 16773fb, 4eeb6f7, 3a5b776 which added
log sanitization for CWE-117. Keeps all other agent recommendations
(structured logging with logrus.WithFields, race condition fix, etc).

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

* Fix StopProcess keepAlive leak and KeepAlive data race

- StopProcess (SIGTERM path) now clears KeepAlive and calls ScaleEnable,
  preventing the scale-to-zero counter from leaking when a keepAlive
  process is gracefully stopped.

- All reads/writes of process.KeepAlive are now synchronized via pm.mu:
  KillProcess and StopProcess write under Lock(), completion goroutines
  read under RLock(). This eliminates the data race between the kill/stop
  path and the completion goroutine.

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

* Fix data race on oldProcess.KeepAlive read in restartProcess

Protect the read of oldProcess.KeepAlive and oldProcess.Timeout in
restartProcess with pm.mu.RLock(), matching the synchronization used
by KillProcess/StopProcess which write under pm.mu.Lock().

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

---------

Co-authored-by: cploujoux <ch.ploujoux@gmail.com>
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

Author: 3 people

sandbox-api/docs/LIFECYCLE.md

@@ -0,0 +1,82 @@
+# Process KeepAlive
+
+This document describes the process `keepAlive` feature that controls the sandbox's auto-hibernation behavior.
+
+## Overview
+
+When launching a process with `keepAlive: true`, the sandbox will stay awake (auto-hibernation disabled) until the process completes or times out.
+
+## How It Works
+
+The sandbox uses a **counter-based scale-to-zero** system:
+
+| Counter | Effect |
+|---------|--------|
+| > 0 | Auto-hibernation disabled (sandbox stays awake) |
+| = 0 | Auto-hibernation enabled (sandbox can sleep) |
+
+When a `keepAlive` process starts, the counter is incremented. When it ends, the counter is decremented.
+
+## API Usage
+
+**POST /process**
+
+```json
+{
+  "command": "npm run dev",
+  "workingDir": "/app",
+  "keepAlive": true,
+  "timeout": 600
+}
+```
+
+## Parameters
+
+| Parameter | Type | Default | Description |
+|-----------|------|---------|-------------|
+| `keepAlive` | boolean | `false` | When true, disables auto-hibernation while the process runs |
+| `timeout` | integer | `600` | Timeout in seconds. Set to `0` for infinite (no timeout) |
+
+## Timeout Behavior
+
+- **timeout > 0**: Process will be automatically killed after the specified seconds
+- **timeout = 0**: Process runs indefinitely (infinite timeout)
+- **timeout not specified with keepAlive=true**: Defaults to 600 seconds (10 minutes)
+
+## Logging
+
+All keepAlive events are logged:
+
+```
+[KeepAlive] Started process 12345 (name: my-app, command: npm run dev) with timeout 600s
+[KeepAlive] Stopped process 12345 (name: my-app, status: completed, exit_code: 0)
+```
+
+Scale operations:
+
+```
+[Scale] Disabled scale-to-zero (wrote '+', counter now: 1) - sandbox staying AWAKE
+[Scale] Enabled scale-to-zero (wrote '-', counter now: 0) - sandbox can AUTO-HIBERNATE
+```
+
+## Crash Recovery
+
+On startup, the sandbox-api resets the scale-to-zero counter to 0, ensuring the sandbox doesn't get stuck awake if the API crashed while keepAlive processes were running.
+
+## Examples
+
+### Run a dev server that keeps sandbox awake
+
+```bash
+curl -X POST http://localhost:8080/process \
+  -H "Content-Type: application/json" \
+  -d '{"command": "npm run dev", "workingDir": "/app", "keepAlive": true}'
+```
+
+### Run a process with infinite timeout
+
+```bash
+curl -X POST http://localhost:8080/process \
+  -H "Content-Type: application/json" \
+  -d '{"command": "python server.py", "keepAlive": true, "timeout": 0}'
+```

sandbox-api/docs/docs.go

@@ -2185,6 +2185,11 @@ const docTemplate = `{
                         "{\"PORT\"": " \"3000\"}"
                     }
                 },
+                "keepAlive": {
+                    "description": "Disable scale-to-zero while process runs. Default timeout is 600s (10 minutes). Set timeout to 0 for infinite.",
+                    "type": "boolean",
+                    "example": false
+                },
                 "maxRestarts": {
                     "type": "integer",
                     "example": 3
@@ -2198,6 +2203,7 @@ const docTemplate = `{
                     "example": true
                 },
                 "timeout": {
+                    "description": "Timeout in seconds. When keepAlive is true, defaults to 600s (10 minutes). Set to 0 for infinite (no auto-kill).",
                     "type": "integer",
                     "example": 30
                 },
@@ -2249,6 +2255,11 @@ const docTemplate = `{
                     "type": "integer",
                     "example": 0
                 },
+                "keepAlive": {
+                    "description": "Whether scale-to-zero is disabled for this process",
+                    "type": "boolean",
+                    "example": false
+                },
                 "logs": {
                     "type": "string",
                     "example": "logs output"

sandbox-api/docs/openapi.yml

@@ -1772,6 +1772,10 @@ components:
           example:
             "{\"PORT\"": ' "3000"}'
           type: object
+        keepAlive:
+          description: Disable scale-to-zero while process runs. Default timeout is 600s (10 minutes). Set timeout to 0 for infinite.
+          example: false
+          type: boolean
         maxRestarts:
           example: 3
           type: integer
@@ -1782,6 +1786,7 @@ components:
           example: true
           type: boolean
         timeout:
+          description: Timeout in seconds. When keepAlive is true, defaults to 600s (10 minutes). Set to 0 for infinite (no auto-kill).
           example: 30
           type: integer
         waitForCompletion:
@@ -1811,6 +1816,10 @@ components:
         exitCode:
           example: 0
           type: integer
+        keepAlive:
+          description: Whether scale-to-zero is disabled for this process
+          example: false
+          type: boolean
         logs:
           example: logs output
           type: string

sandbox-api/main.go

@@ -15,6 +15,7 @@ import (
 	"github.com/blaxel-ai/sandbox-api/docs" // swagger generated docs
 	"github.com/blaxel-ai/sandbox-api/src/api"
 	"github.com/blaxel-ai/sandbox-api/src/handler/process"
+	"github.com/blaxel-ai/sandbox-api/src/lib/blaxel"
 	"github.com/blaxel-ai/sandbox-api/src/lib/networking"
 	"github.com/blaxel-ai/sandbox-api/src/mcp"
 	"github.com/gin-gonic/gin"
@@ -45,6 +46,13 @@ func main() {
 		logrus.WithError(err).Warn("WireGuard initialization failed - the sandbox will NOT have outbound internet connectivity (no egress). Inbound connections to the sandbox will still work. You can check the tunnel status via the /network/tunnel endpoints.")
 	}
 
+	// Reset scale-to-zero counter on startup (crash recovery)
+	// If sandbox-api crashed while keepAlive processes were running,
+	// the counter would be left in a bad state - this resets it to 0
+	if err := blaxel.ScaleReset(); err != nil {
+		logrus.Warnf("Failed to reset scale-to-zero counter on startup: %v", err)
+	}
+
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 

sandbox-api/src/handler/process.go

@@ -52,10 +52,11 @@ type ProcessRequest struct {
 	WorkingDir        string            `json:"workingDir" example:"/home/user"`
 	Env               map[string]string `json:"env" example:"{\"PORT\": \"3000\"}"`
 	WaitForCompletion bool              `json:"waitForCompletion" example:"false"`
-	Timeout           int               `json:"timeout" example:"30"`
+	Timeout           *int              `json:"timeout,omitempty" example:"30"`
 	WaitForPorts      []int             `json:"waitForPorts" example:"3000,8080"`
 	RestartOnFailure  bool              `json:"restartOnFailure" example:"true"`
 	MaxRestarts       int               `json:"maxRestarts" example:"3"`
+	KeepAlive         bool              `json:"keepAlive" example:"false"`
 } // @name ProcessRequest
 
 // ProcessResponse is the response body for a process
@@ -74,6 +75,7 @@ type ProcessResponse struct {
 	RestartOnFailure bool    `json:"restartOnFailure" example:"true"`
 	MaxRestarts      int     `json:"maxRestarts" example:"3"`
 	RestartCount     int     `json:"restartCount" example:"2"`
+	KeepAlive        bool    `json:"keepAlive" example:"false"`
 } // @name ProcessResponse
 
 type ProcessResponseWithLogs struct {
@@ -87,8 +89,8 @@ type ProcessKillRequest struct {
 } // @name ProcessKillRequest
 
 // ExecuteProcess executes a process
-func (h *ProcessHandler) ExecuteProcess(command string, workingDir string, name string, env map[string]string, waitForCompletion bool, timeout int, waitForPorts []int, restartOnFailure bool, maxRestarts int) (ProcessResponse, error) {
-	processInfo, err := h.processManager.ExecuteProcess(command, workingDir, name, env, waitForCompletion, timeout, waitForPorts, restartOnFailure, maxRestarts)
+func (h *ProcessHandler) ExecuteProcess(command string, workingDir string, name string, env map[string]string, waitForCompletion bool, timeout int, waitForPorts []int, restartOnFailure bool, maxRestarts int, keepAlive bool) (ProcessResponse, error) {
+	processInfo, err := h.processManager.ExecuteProcess(command, workingDir, name, env, waitForCompletion, timeout, waitForPorts, restartOnFailure, maxRestarts, keepAlive)
 
 	// If processInfo is nil (process failed to start), return empty response with error
 	if processInfo == nil {
@@ -117,6 +119,7 @@ func (h *ProcessHandler) ExecuteProcess(command string, workingDir string, name
 		RestartOnFailure: processInfo.RestartOnFailure,
 		MaxRestarts:      processInfo.MaxRestarts,
 		RestartCount:     processInfo.RestartCount,
+		KeepAlive:        processInfo.KeepAlive,
 	}, err
 }
 
@@ -158,6 +161,7 @@ func (h *ProcessHandler) ListProcesses() []ProcessResponse {
 			RestartOnFailure: p.RestartOnFailure,
 			MaxRestarts:      p.MaxRestarts,
 			RestartCount:     p.RestartCount,
+			KeepAlive:        p.KeepAlive,
 		})
 	}
 	return result
@@ -202,6 +206,7 @@ func (h *ProcessHandler) GetProcess(identifier string) (ProcessResponse, error)
 		RestartOnFailure: processInfo.RestartOnFailure,
 		MaxRestarts:      processInfo.MaxRestarts,
 		RestartCount:     processInfo.RestartCount,
+		KeepAlive:        processInfo.KeepAlive,
 	}, nil
 }
 
@@ -293,8 +298,18 @@ func (h *ProcessHandler) HandleExecuteCommand(c *gin.Context) {
 		"working-dir": req.WorkingDir,
 	})
 
+	// Timeout of 0 means infinite (no auto-kill)
+	// When keepAlive is true and timeout is not specified (nil) or negative, default to 600s
+	timeout := 0
+	if req.Timeout != nil {
+		timeout = *req.Timeout
+	}
+	if req.KeepAlive && (req.Timeout == nil || timeout < 0) {
+		timeout = 600 // Default 10 minutes
+	}
+
 	// Execute the process
-	processInfo, err := h.ExecuteProcess(req.Command, req.WorkingDir, req.Name, req.Env, req.WaitForCompletion, req.Timeout, req.WaitForPorts, req.RestartOnFailure, req.MaxRestarts)
+	processInfo, err := h.ExecuteProcess(req.Command, req.WorkingDir, req.Name, req.Env, req.WaitForCompletion, timeout, req.WaitForPorts, req.RestartOnFailure, req.MaxRestarts, req.KeepAlive)
 	if err != nil {
 		h.SendError(c, http.StatusUnprocessableEntity, err)
 		return
@@ -335,6 +350,16 @@ func (h *ProcessHandler) handleExecuteCommandStream(c *gin.Context) {
 		"working-dir": req.WorkingDir,
 	})
 
+	// Timeout of 0 means infinite (no auto-kill)
+	// When keepAlive is true and timeout is not specified (nil) or negative, default to 600s
+	timeout := 0
+	if req.Timeout != nil {
+		timeout = *req.Timeout
+	}
+	if req.KeepAlive && (req.Timeout == nil || timeout < 0) {
+		timeout = 600 // Default 10 minutes
+	}
+
 	// Set headers for streaming JSON events
 	c.Writer.Header().Set("Content-Type", "application/x-ndjson")
 	c.Writer.Header().Set("Cache-Control", "no-cache")
@@ -346,7 +371,7 @@ func (h *ProcessHandler) handleExecuteCommandStream(c *gin.Context) {
 	jw := &JSONStreamWriter{gin: c}
 
 	// Execute the process without waiting for completion (we'll handle waiting ourselves)
-	processInfo, err := h.ExecuteProcess(req.Command, req.WorkingDir, req.Name, req.Env, false, req.Timeout, req.WaitForPorts, req.RestartOnFailure, req.MaxRestarts)
+	processInfo, err := h.ExecuteProcess(req.Command, req.WorkingDir, req.Name, req.Env, false, timeout, req.WaitForPorts, req.RestartOnFailure, req.MaxRestarts, req.KeepAlive)
 	if err != nil {
 		jw.WriteEvent("error", err.Error())
 		return