updating docs

Author: thisisjofrank

sandboxes/getting_started.md

@@ -1,4 +1,10 @@
-## title: "Getting started" description: "Step-by-step walkthrough for enabling Sandboxes, creating your first microVM, running commands, exposing services, and managing secrets."
+---
+title: "Getting started"
+description: "Step-by-step walkthrough for enabling Sandboxes, creating your first microVM, running commands, exposing services, and managing secrets."
+---
+
+To use Sandboxes, you need a Deno Deploy account. If you do not have one yet you
+can sign up for a free account at [app.deno.com](https://app.deno.com).
 
 ## 1. Access the Sandboxes dashboard
 
@@ -21,7 +27,7 @@ and store it securely. Then export it in your local shell or CI job:
 export DENO_DEPLOY_TOKEN=<your-token>
 ```
 
-::: Tip Token security
+:::tip Token security
 
 Treat this token like any other production secret. Rotate it from the dashboard
 if it is ever exposed.
@@ -33,15 +39,18 @@ if it is ever exposed.
 The SDK works in both Deno and Node.js environments.
 
 ```bash
-# Deno
+# Using Deno
 deno add jsr:@deno/sandbox
 
-# npm
+# Using npm
 npm install @deno/sandbox
-```
 
-For Node.js 22 or earlier, replace `await using` with a `try`/`finally` block
-when the docs use explicit resource management.
+# Using pnpm
+pnpm install jsr:@deno/sandbox
+
+# Using yarn
+yarn add jsr:@deno/sandbox
+```
 
 ## 4. Create your first sandbox
 
@@ -61,13 +70,18 @@ from that VM.
 
 ## 5. Run commands and scripts
 
-Sandboxes expose familiar filesystem and process APIs.
+Sandboxes expose familiar filesystem and process APIs to run commands, upload files,
+and spawn long-running services.
 
-```tsx
-// List files, just like a normal server
+You can for example list files in the root directory:
+
+```ts
 await sandbox.sh`ls -lh /`;
+```
 
-// Upload source and run it
+Or upload a script and run it:
+
+```ts
 await sandbox.writeTextFile("hello.ts", "console.log('Hello from a sandbox')");
 const proc = await sandbox.spawn("deno", {
   args: ["run", "hello.ts"],
@@ -82,24 +96,6 @@ await proc.status;
 You can keep state between commands, stream stdout and stderr, or open an
 interactive REPL with `sandbox.repl()` for agent-style workflows.
 
-## 6. Expose HTTP services (optional)
-
-Run dev servers, preview apps, or framework CLIs on any port and publish them
-instantly:
-
-```tsx
-await sandbox.writeTextFile(
-  "server.js",
-  "Deno.serve(() => new Response('Hello from Sandboxes'));",
-);
-const runtime = await sandbox.createJsRuntime({ entrypoint: "server.js" });
-const publicUrl = await sandbox.exposeHttp({ port: 8080 });
-console.log(publicUrl); // https://<random>.sandbox.deno.net
-```
-
-The URL stays live for the sandbox lifetime, making it perfect for short-lived
-QA links or agent generated previews.
-
 ## 7. Keep secrets and policies tight
 
 Secrets never appear inside `/proc` or the sandbox environment variables.

sandboxes/index.md

@@ -3,9 +3,6 @@ title: "About Sandboxes"
 description: "Overview of the Sandboxes microVM platform on Deploy, including capabilities, security model, and ideal use cases."
 ---
 
-<a href="https://app.deno.com/" class="docs-cta deploy-cta">Launch the Sandboxes
-dashboard</a>
-
 Sandboxes bring real Linux microVMs directly to the Deploy global edge. Each
 sandbox boots in under a second, is API driven from the `@deno/sandbox` SDK, and
 is torn down as soon as you are done. The result is on-demand compute that feels
@@ -49,7 +46,7 @@ Every sandbox launches with a strict outbound allow list. `allowNet` constrains
 the VM at the hypervisor boundary, so even if user code attempts to exfiltrate
 data it can only talk to the hosts you approve.
 
-## Run real workloads inside
+## Run real workloads
 
 Once the sandbox exists, you get a full Linux environment with files, processes,
 package managers, and background services:
@@ -93,6 +90,59 @@ Together, Deno Deploy and Sandboxes form a single workflow: code is created,
 proved safe in a sandbox, and deployed globally without new infrastructure or
 orchestration layers.
 
+## Runtime support
+
+The Sandboxes SDK is tested and supported on:
+
+- **Deno:** Latest stable version
+- **Node.js:** Version 24+
+
+You can use Sandboxes from any environment that can import the `@deno/sandbox`
+package and make outbound HTTPS requests to the Deploy API, meaning you can use
+Sandboxes in your Node projects, Deno Deploy apps, or even browser-based tools.
+
+:::note await using support
+
+The `await using` syntax requires Node.js 24+. If your project uses earlier
+Node.js versions, use try/finally blocks instead:
+
+```ts
+import { Sandbox } from "@deno/sandbox";
+
+const sandbox = await Sandbox.create();
+try {
+  // ... use sandbox ...
+} finally {
+  await sandbox.close();
+}
+```
+
+:::
+
+## Limits
+
+Sandboxes have the following limits:
+
+- **Memory:** 768 MB to 4096 MB, configurable per sandbox
+- **CPU:** 2 vCPU, subject to noisy neighbor effects
+- **Network:** Outbound only, restricted to `allowNet` hosts
+- **Lifetime:** Configurable per sandbox, up to 15 minutes by default
+- **Disk**: 10 GB of ephemeral storage
+
+Exceeding these limits may result in throttling or termination of your sandbox.
+
+## Regions
+
+You can specify the region where the sandbox will be created when creating a new sandbox:
+
+```tsx
+import { Sandbox } from "@deno/sandbox";
+
+await using sandbox = await Sandbox.create({ region: "ams" });
+```
+
+If not specified, the sandbox will be created in the default region.
+
 ## Learn more
 
 Ready to try it? Follow the [`Getting started` guide](./getting_started.md) to

sandboxes/reference/TODO.md

@@ -0,0 +1,83 @@
+---
+title: "Create a Sandbox"
+description: "Learn how to provision a sandbox with the static Sandbox.create() method and configure runtime, network, and lifecycle options."
+---
+
+The `Sandbox.create()` static method is the primary entry point for provisioning
+an isolated Linux microVM on the Deploy edge. It returns a connected `Sandbox`
+instance that you can use to run commands, upload files, expose HTTP endpoints,
+or request SSH access.
+
+```tsx
+import { Sandbox } from "@deno/sandbox";
+
+await using sandbox = await Sandbox.create();
+```
+
+By default, this creates an ephemeral sandbox in the closest Deploy region with
+768 MB of RAM, no outbound network access, and a lifetime bound to the current
+process. You can tailor the sandbox by passing an options object.
+
+## Available options
+
+| Option     | Type                     | Description                                                                                                             |
+| ---------- | ------------------------ | ----------------------------------------------------------------------------------------------------------------------- |
+| `allowNet` | `string[]`               | Outbound allow list enforced at the hypervisor level. Hosts not listed are unreachable, blocking data exfiltration.     |
+| `region`   | `"sjc"                   | "ams"                                                                                                                   |
+| `memoryMb` | `number`                 | Allocate between 768 and 4096 MB of RAM for memory-heavy tasks or tighter budgets.                                      |
+| `lifetime` | `"session"               | "5m"                                                                                                                    |
+| `id`       | `string`                 | Reconnect to an existing sandbox instead of creating a new one (used with `Sandbox.connect`).                           |
+| `metadata` | `Record<string, string>` | Attach arbitrary key/value tags to help identify sandboxes in logs or telemetry.                                        |
+| `env`      | `Record<string, string>` | Set initial environment variables inside the sandbox. Secrets should still be managed via Deploy’s secret substitution. |
+
+
+## Example configurations
+
+### Allow outbound traffic to specific APIs
+
+```tsx
+const sandbox = await Sandbox.create({
+  allowNet: ["api.openai.com", "api.stripe.com"],
+});
+```
+
+### Run in a specific region with more memory
+
+```tsx
+const sandbox = await Sandbox.create({
+  region: "ams",
+  memoryMb: 2048,
+});
+```
+
+### Keep the sandbox alive for later inspection
+
+```tsx
+const sandbox = await Sandbox.create({ lifetime: "10m" });
+const id = sandbox.id;
+await sandbox.close(); // disconnect but leave VM running
+
+// ...later...
+const reconnected = await Sandbox.connect({ id });
+```
+
+### Provide default environment variables
+
+```tsx
+const sandbox = await Sandbox.create({
+  env: {
+    NODE_ENV: "development",
+    FEATURE_FLAG: "agents",
+  },
+});
+```
+
+## Tips
+
+- Keep `allowNet` as narrow as possible to block exfiltration attempts.
+- Use metadata keys such as `agentId` or `customerId` to trace sandboxes in the
+  Deploy dashboard.
+- Remember to call `await sandbox.kill()` (or rely on `await using`) when the
+  sandbox is no longer needed; resources are billed until it shuts down.
+- For long-lived services, migrate from sandboxes to a Deploy app once the code
+  stabilizes.

sandboxes/reference/create.md

@@ -0,0 +1,117 @@
+---
+title: "Expose HTTP"
+description: "Learn how to expose HTTP endpoints from Deno Sandboxes, enabling you to run web servers, APIs, and preview environments at the edge."
+---
+
+You can run dev servers, preview apps, webhook receivers, or framework CLIs on
+any port and publish them instantly to a secure, random HTTPS URL.
+
+```tsx
+await sandbox.writeTextFile(
+  "server.js",
+  "Deno.serve(() => new Response('Hello from Sandboxes'));",
+);
+const runtime = await sandbox.createJsRuntime({ entrypoint: "server.js" });
+const publicUrl = await sandbox.exposeHttp({ port: 8080 });
+console.log(publicUrl); // https://<random>.sandbox.deno.net
+```
+
+The URL stays live for the sandbox lifetime, making it perfect for short-lived
+QA links or agent generated previews.
+
+## When to expose HTTP
+
+Expose HTTP whenever you need to share the sandbox with teammates, bots, or
+external services:
+
+- Preview links for AI-generated web apps or instant demos
+- Webhook receivers that must be reachable from Stripe, GitHub, etc.
+- Framework dev servers (`next dev`, `astro dev`, `deno task dev`) that should
+  be inspected from a browser
+- Temporary APIs, health checks, or observability probes
+
+Because sandboxes are ephemeral, you do not need to manage DNS or certificates.
+Each call to `exposeHttp()` returns a unique hostname under `*.sandbox.deno.net`
+with TLS automatically configured.
+
+## Step-by-step
+
+1. **Start a server inside the sandbox.** Listen on any unprivileged port (e.g.,
+   `3000`, `8080`).
+2. **Expose the port:** `const url = await sandbox.exposeHttp({ port: 3000 });`
+3. **Share or fetch from the URL.** Requests enter through Deploy’s global edge
+   and are tunneled directly to your sandbox.
+
+Multiple ports can be exposed simultaneously by calling `exposeHttp()` for each
+port. You can also re-use the same exposed URL after restarting your server, as
+long as the sandbox itself remains alive.
+
+## Observing traffic
+
+Requests routed through the exposed URL show up alongside your Deploy logs and
+traces. Use the dashboard to:
+
+- Filter logs by sandbox ID or time range
+- Inspect request traces to track latency between the edge and your VM
+- Cancel or restart the sandbox if a preview misbehaves
+
+## Security and networking
+
+- Exposed URLs are long, random subdomains that are hard to guess.
+- TLS termination happens at the Deploy edge; traffic is encrypted end-to-end.
+- Combine `exposeHttp()` with `allowNet` so your sandbox can only reach the API
+  hosts it truly needs.
+- Secrets are substituted only when the sandbox reaches an approved host, so
+  dumping environment variables from inside the VM will never reveal them.
+
+## Cleanup and limits
+
+- An exposed URL stops accepting traffic when the sandbox lifetime ends or when
+  you call `await sandbox.kill()`.
+- Call `exposeHttp({ port, keepAlive: true })` (coming soon) to opt into longer
+  previews once available.
+- For persistent services, graduate the code into a Deploy app rather than
+  relying on a long-running sandbox.
+
+## Full example with a framework
+
+```tsx
+import { Sandbox } from "@deno/sandbox";
+
+await using sandbox = await Sandbox.create();
+
+// Install dependencies
+await sandbox.writeTextFile(
+  "package.json",
+  JSON.stringify(
+    {
+      private: true,
+      scripts: { dev: "next dev" },
+      dependencies: {
+        next: "^15.0.0",
+        react: "^19.0.0",
+        "react-dom": "^19.0.0",
+      },
+    },
+    null,
+    2,
+  ),
+);
+await sandbox.sh`npm install`;
+
+// Start the dev server
+const server = await sandbox.spawn("npm", {
+  args: ["run", "dev"],
+  stdout: "inherit",
+  stderr: "inherit",
+});
+
+// Publish it
+const previewUrl = await sandbox.exposeHttp({ port: 3000 });
+console.log(`Preview ready at ${previewUrl}`);
+
+await server.status; // keep running until the process exits
+```
+
+This pattern lets agents or developers spin up high-fidelity previews, share
+them for feedback, and tear everything down with a single `Ctrl+C`.