Gabi

This commit introduces a **bug fix** to the **container activity tracking** mechanism, specifically within the `isActivityExpired` method in `src/lib/container.ts`. It ensures that if a container's activity is detected as expired, but there are still active, inflight requests associated with it, the activity timeout is **renewed**. This prevents the **premature expiration** of containers that are actively processing work, thereby improving the stability and responsiveness of containerized services. The change addresses a potential race condition or incorrect state management that could lead to containers being shut down while still in use.

This commit performs a significant **refactoring** of the **`containers` API** to prevent naming collisions with standard library macros. It **renames** `stdin`, `stdout`, and `stderr` properties and methods to more specific identifiers like `stdinStream`, `stdoutWriter`, and `stdoutBytes` across the C++ implementation, **Cap'n Proto schema**, and TypeScript type definitions. Additionally, `ExecOptions` properties are now prefixed with `$` to further avoid conflicts. This ensures the robustness and correctness of the **container execution subsystem** by eliminating potential macro interference and improving clarity.

This commit introduces a **new capability** to the **`workerd` containers subsystem**, implementing **local Docker `exec` functionality**. It provides the necessary infrastructure within `ContainerClient` to create, start, and inspect Docker `exec` sessions, including new classes like `BufferedAsyncIoStream` for efficient I/O and `DockerProcessHandle` for managing executed processes. This enables `workerd` to execute commands inside running Docker containers, primarily supporting **local development environments**. The change also updates Cap'n Proto schemas for Docker API interactions, refines `ExecProcess::output` behavior, and includes comprehensive new tests to validate the functionality.

This commit introduces a **new capability** by implementing the `exec()` method within the **Workerd container API**, enabling the **execution of arbitrary processes inside a container**. It defines new types such as `ExecOutput`, `ExecOptions`, and `ExecProcess` to manage the process lifecycle and handle I/O streams like `stdin`, `stdout`, and `stderr`. This **feature enhancement** to the **container management subsystem** is exposed via the **Cap'n Proto interface** defined in `src/workerd/io/container.capnp`, significantly expanding the interactive capabilities with container instances.

This commit **introduces new documentation** by adding the `AGENTS.md` file, which provides essential guidelines and an overview for AI agents. This new resource specifically targets agents interacting with the **`@cloudflare/containers`** package, aiming to standardize their operations and understanding. It represents a **new capability** in the project's documentation, serving as a **maintenance** effort to improve the efficiency and consistency of automated processes working with this module.

This commit introduces a **new feature** by adding a **GitHub Actions workflow** named `bonk.yml`. This workflow is designed to **automate interactions** within the repository by triggering an **AI assistant** whenever new comments are made on issues or pull requests. The primary impact is to enhance community engagement and support through automated responses, streamlining communication for contributors and maintainers.

This commit performs a significant **maintenance upgrade**, updating all **example applications** to utilize **Wrangler version 4.77.0**. Beyond dependency bumps in `package.json` files across various examples, it includes **feature adaptations** and **refinements** to ensure compatibility and showcase new capabilities. Notably, the **`egress-interception` example** is updated with renamed components and modified `MyContainer` properties like `sleepAfter` and `enableInternet`, while the **`websocket` example** receives substantial **feature updates** to its `WebSocketTestContainer` and WebSocket handling logic, including a new `onStop` method. Additionally, the `multiple-ports` example benefits from minor **refactoring** by removing unused imports and an **improved test assertion**, collectively ensuring all examples are current and demonstrate best practices with the latest `wrangler` release.

This commit introduces a **new feature** to robustly track activity within **WebSocket connections** and **streamed responses** using `pipeTo`. It enhances the **container management** logic by implementing new mechanisms to monitor inflight requests, preventing premature container shutdowns. Specifically, the `src/lib/container.ts` module now correctly manages activity timeouts for these long-lived operations, ensuring the system remains active as long as work is being performed. This improvement prevents scenarios where containers might terminate prematurely due to perceived inactivity during active streaming or WebSocket communication, thereby increasing system stability.

This commit primarily provides **documentation** for the newly introduced **outbound hooks** feature, specifically within the **container class**. It adds a new changeset file, `set-outbound-hooks.md`, detailing this functionality. Concurrently, the `CHANGELOG.md` is updated to mark a new **minor version `0.2.0`**, officially documenting the support for these outbound hooks. This **documentation update** ensures users are informed about this **new capability** within the **container class**'s event handling.

This commit introduces **experimental support for intercepting outbound HTTPS requests** from within **Workerd containers**. It adds a new `interceptOutboundHttps` method to the **Container API**, allowing developers to configure custom handling for secure egress traffic. The implementation involves significant changes to the **container-client server logic** to manage HTTPS egress, including injecting CA certificates and modifying egress services to support TLS, alongside updates to the Cap'n Proto interface for `setEgressHttps`. Comprehensive **new tests** and a dedicated test application endpoint (`/intercept-https`) have been added to validate both standard HTTPS egress and WebSocket HTTPS interception, ensuring the robustness of this **new capability**.

This commit **upgrades** the `proxy-everything` container image used for egress interception within the **`containers`** subsystem. The primary **new capability** introduced is the support for **domain-based filtering** when intercepting outbound HTTP requests, enhancing the `interceptOutboundHttp` functionality. This update modifies the `DEFAULT_CONTAINER_EGRESS_INTERCEPTOR_IMAGE` in `packages/containers-shared/src/images.ts`, ensuring that new deployments or updates leverage this more granular control over network traffic. This provides improved security and policy enforcement by allowing precise control over which domains containerized applications can access.

This commit introduces a **new capability** to the **`workerd` container**, enabling users to specify **hostname globs** for `interceptOutboundHttp`. This **feature enhancement** allows for more granular control over which outbound HTTP traffic is intercepted by a Worker during **local development**, with the system now performing DNS resolution for these specified hostnames. The change also ensures that `interceptAllOutboundHttp` correctly intercepts all outbound traffic, including non-existent domains, by properly handling these hostname globs. This significantly improves the flexibility and power of **network interception** within the **local development environment** for Workers.

This commit performs a **maintenance update** by bumping the version of the `cloudflare/proxy-everything` Docker image. Specifically, it updates the `DEFAULT_CONTAINER_EGRESS_INTERCEPTOR_IMAGE` constant within the **`@cloudflare/containers-shared`** package to reference the newest `cloudflare/proxy-everything` image. This **chore** ensures that the `workerd` runtime environment utilizes the latest image for **container egress interception**, aligning with recent upstream changes. The update is documented as a minor version bump for the `@cloudflare/containers-shared` package, potentially bringing stability or performance improvements to the egress interception mechanism.

This commit **introduces a new HTTP CONNECT ingress mechanism** for containers in local development, eliminating the need for `EXPOSE` directives in Dockerfiles. It **refactors the `ContainerClient`** to make the egress/ingress sidecar mandatory and always run it, simplifying container setup and port management. The **`WorkerService`** is updated to enforce this sidecar, and the **Docker API definitions** are adjusted for sidecar communication. This **new capability** streamlines container networking by centralizing ingress through an agreed-upon port with `proxy-everything`, improving the overall **container management and networking subsystem**.

This commit introduces a **new capability** to pass parameters to **outbound handlers** within Durable Objects, significantly enhancing their configurability. It also ensures that **outbound configuration is persisted across Durable Object restarts**, improving reliability and state management. The `src/index.ts` file now **exports new types and the `outboundParams` helper function** to facilitate this, while the core interception logic in `src/lib/container.ts` has been **refactored** for better maintainability. The `egress-interception` example has been updated to demonstrate the use of these new parameters and the `OutboundHandlerContext`.

This commit **stabilizes the container egress interception feature** by **removing the experimental flag requirement**. It **refactors** the `containers-shared` package to update the default interceptor image and eliminates conditional checks related to the flag within `prepareContainerImagesForDev`. Consequently, `Miniflare`'s core plugin, `Vite` plugins for dev and preview, and `Wrangler`'s runtime controllers are updated to remove the `compatibilityFlags` parameter from functions like `getContainerEngine` and `prepareContainerImagesForDev`. This change makes egress interception a standard, generally available capability, simplifying its adoption for containerized applications without needing experimental opt-ins.

This commit primarily **refactors the core outbound interception API** within `src/lib/container.ts` to enhance clarity and consistency by renaming internal registries, static properties, and instance methods like `setOutboundHandler` and `setOutboundByHost`. The **egress interception example** in `examples/egress-interception/src/index.ts` is updated to utilize this refined API, incorporating new error handling. Additionally, the `README.md` is updated with **comprehensive documentation** for the new outbound interception feature, including configuration examples. Minor **maintenance** tasks include refactoring the example's Dockerfile for improved build efficiency and updating development dependencies.

This commit performs **maintenance** and **bug fixes** within the `workerd` **container-client test suite** to improve test stability and concurrency. It corrects the usage of `AbortSignal` in `fetch` calls, ensuring the `signal` property is used instead of `abort` for proper request cancellation. A new `getRandomDurableObjectName` function is introduced to generate unique Durable Object names, preventing resource contention and flakiness during **concurrent test execution**. These changes, along with an adjusted default timeout, ensure more reliable and independent integration tests for `workerd`'s container functionality.

This commit **promotes** the **HTTP outbound interception** capabilities of the `Container` API, making `interceptOutboundHttp` and `interceptAllOutboundHttp` methods generally available. By **removing the experimental flag check** in `src/workerd/api/container.h`, this **API stabilization** allows developers to reliably intercept and modify outbound HTTP requests originating from within a container. The change also updates the **TypeScript type definitions** for the `Container` interface, ensuring the API surface is correctly reflected for consumers. This significantly expands the stable API for **network control** within `workerd` environments.

This change enhances `workerd`'s container client, ensuring `WorkerEntrypoints` are correctly upserted during egress interception. This improves the reliability of egress interception for `workerd` containers, especially when HTTP connections are reused.