feat: add E2B API compatibility layer and Templates API support

[MahaoAlex]

/kind feature

What this PR does / why we need it:

This PR introduces full E2B API compatibility to AgentCube, enabling seamless migration from E2B services. It consists of two major parts:

1. E2B API Compatibility Layer - Adds E2B-compatible REST API endpoints to the Router for
   sandbox lifecycle management, including creating, listing, getting details, deleting,
   setting timeout, and refreshing sandboxes. Implements Kubernetes Informer-based API key
   authentication with real-time cache updates, rate limiting, and local cache fallback.
2. E2B Templates API Support - Adds full Templates API compatibility with CRUD operations
   for templates, template builds lifecycle management, aliases support, and public/private
   visibility controls. Maps templates to AgentCube CRDs (CodeInterpreter/AgentRuntime).

Which issue(s) this PR fixes:
Fixes #257

Special notes for your reviewer:

• The E2B API implementation is located under pkg/router/e2b/.
• API key authentication uses a K8s Secret informer with a 5-minute background refresh
  fallback.
• Template API maps E2B templates to existing CodeInterpreter/AgentRuntime CRDs.
• Please review the test coverage in pkg/router/e2b/*_test.go and
  test/e2e/templates_test.go.

Does this PR introduce a user-facing change?:
Add E2B API compatibility layer and Templates API support to AgentCube Router, enabling E2B
SDK users to migrate seamlessly.

[gemini-code-assist]

Code Review

This pull request introduces an E2B-compatible API layer to AgentCube, enabling seamless migration from E2B services by supporting sandbox lifecycle management and template operations. It includes new API handlers, models, and authentication mechanisms, along with comprehensive E2E tests. My feedback highlights opportunities to simplify error handling logic in the router, decouple informer initialization for better testability, and refactor the wildcard routing logic in the templates handler to improve maintainability.

[gemini-code-assist]

The error handling logic here is overly complex for a simple status code mapping. It is better to map the error type directly to the status code using a helper function or a map to improve readability and maintainability.

[gemini-code-assist]

The informer initialization logic is tightly coupled with the server's configuration. Consider moving the informer setup to a factory or a dedicated initialization function to improve testability and modularity.

[gemini-code-assist]

The wildcard handler is doing too much routing logic. This should be refactored into a more structured routing approach, perhaps by defining specific routes for builds and template operations separately, to avoid complex string parsing and manual path manipulation.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 61.64193% with 827 lines in your changes missing coverage. Please review.
✅ Project coverage is 56.00%. Comparing base (57f6d84) to head (193353f).
⚠️ Report is 70 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/router/e2b/auth.go	52.66%	185 Missing and 19 partials ⚠️
pkg/router/e2b/templates_handlers.go	46.70%	181 Missing and 21 partials ⚠️
pkg/picod/envd_filesystem.go	55.15%	64 Missing and 36 partials ⚠️
pkg/router/e2b/handlers.go	63.15%	47 Missing and 16 partials ⚠️
pkg/router/handlers.go	1.58%	62 Missing ⚠️
pkg/picod/envd_process.go	40.69%	44 Missing and 7 partials ⚠️
pkg/picod/process_registry.go	83.11%	30 Missing and 8 partials ⚠️
pkg/router/e2b/e2b_server.go	69.66%	19 Missing and 8 partials ⚠️
pkg/store/store_valkey.go	70.42%	12 Missing and 9 partials ⚠️
pkg/store/store_redis.go	70.96%	9 Missing and 9 partials ⚠️
... and 5 more
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@             Coverage Diff             @@
##             main     #275       +/-   ##
===========================================
+ Coverage   43.37%   56.00%   +12.62%     
===========================================
  Files          30       44       +14     
  Lines        2610     4907     +2297     
===========================================
+ Hits         1132     2748     +1616     
- Misses       1355     1861      +506     
- Partials      123      298      +175     

Flag	Coverage Δ
unittests	56.00% <61.64%> (+12.62%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

This PR adds an E2B-compatible API surface to the AgentCube Router (templates + sandboxes) and augments CI/e2e coverage and docs so E2B SDK users can migrate to AgentCube with minimal changes.

Changes:

• Register E2B-compatible /templates and /sandboxes routes in the Router and add E2B models/helpers (mapper, rate limiter, error mapping).
• Add/extend E2E + black-box tests (Go + optional Python E2B SDK) and update scripts/workflows to run them.
• Add Templates API and E2B API documentation, examples, and Helm/RBAC adjustments for deployment.

Reviewed changes

Copilot reviewed 51 out of 53 changed files in this pull request and generated 17 comments.

Show a summary per file

File	Description
test/e2e/test_templates.yaml	Adds CodeInterpreter CRs used as templates for E2E coverage.
test/e2e/test_e2b_sdk.py	Adds Python E2B SDK-based compatibility E2E tests.
test/e2e/run_e2e.sh	Updates e2e runner to configure E2B API keys and run tagged e2e tests + optional SDK tests.
test/e2e/e2e_test.go	Adds e2e build tag and minor constant refactor for CI control.
test/e2e/README_E2B_SDK.md	Documents how to run the E2B SDK compatibility tests.
test/e2b/lifecycle_test.go	Adds black-box lifecycle tests for the E2B sandbox API.
test/e2b/TEST_REPORT.md	Adds test report documentation for E2B API black-box tests.
test/e2b/TEST_PLAN.md	Adds test plan documentation for E2B API black-box tests.
pkg/workloadmanager/client_cache_test.go	Minor formatting change in constants alignment.
pkg/workloadmanager/auth_test.go	Minor formatting/indentation cleanup in tests.
pkg/router/server.go	Registers E2B route group at root and wires it into the Router.
pkg/router/jwt_test.go	Makes RSA private-key equality assertion resilient across Go versions.
pkg/router/handlers_test.go	Switches Router tests to use miniredis instead of a real Redis endpoint.
pkg/router/handlers.go	Improves endpoint URL parsing and adjusts error status selection.
pkg/router/e2b/templates_models_test.go	Adds unit tests for Templates API models serialization/validation.
pkg/router/e2b/templates_models.go	Adds Templates API request/response models and validation helpers.
pkg/router/e2b/ratelimiter_test.go	Adds tests for a token-bucket rate limiter used by auth/cache logic.
pkg/router/e2b/ratelimiter.go	Implements an in-memory token-bucket rate limiter.
pkg/router/e2b/models.go	Adds E2B sandbox API request/response models and error codes.
pkg/router/e2b/mapper_test.go	Adds tests for mapping between AgentCube SandboxInfo and E2B models.
pkg/router/e2b/mapper.go	Implements mapping logic and template-id validation/expiry helpers.
pkg/router/e2b/handlers.go	Implements E2B sandbox endpoints: create/list/get/delete/timeout/refresh.
pkg/router/e2b/errors_test.go	Adds unit tests for E2B error mapping + Gin error responses.
pkg/router/e2b/errors.go	Implements E2B error formatting and error-to-code mapping.
pkg/router/e2b/e2b_server.go	Adds an E2B server that registers sandbox + template routes and auth middleware.
manifests/charts/base/values.yaml	Adds templates-related Helm values (currently not wired into templates).
manifests/charts/base/templates/rbac-router.yaml	Expands Router RBAC rules for runtime API resources.
hack/setup-local-env.sh	Adds a local dev helper to stand up Kind + AgentCube + port-forwards.
hack/setup-kind-cluster.sh	Adds a Kind cluster setup script with agent-sandbox + Redis provisioning.
go.mod	Adds an indirect dependency (objx) pulled by the new test stack.
examples/templates/python_sdk_example.py	Adds a Python example for using Templates API via an SDK.
examples/templates/list_templates.sh	Adds a curl example for listing templates.
examples/templates/create_template.sh	Adds a curl example for creating a template and polling state.
docs/tutorials/e2b-api-guide.md	Adds an E2B API usage guide (Chinese) with curl/SDK examples.
docs/api/templates-api.md	Adds Templates API reference documentation.
docs/api/e2b-openapi.yaml	Adds an OpenAPI document for the E2B-compatible sandbox API.
docs/api-comparison.md	Adds/updates a comparison doc positioning AgentCube vs E2B/OpenKruise.
README.md	Updates README to mention E2B compatibility + adds feature tables/quick example.
.github/workflows/templates-api-tests.yml	Adds a workflow to run Templates-specific unit/integration tests.
.github/workflows/e2e.yml	Updates e2e workflow to set E2B API key env/config before running e2e.
.github/workflows/e2b-api.yml	Adds a dedicated Kind-based workflow for E2B API + SDK compatibility testing.
.github/workflows/code-quality.yml	Adds a comprehensive code-quality workflow (fmt/vet/lint/tests/build/tidy/generate).

[Copilot]

handleListSandboxes is using ListExpiredSandboxes(time.Now()+365d) to approximate “list all sandboxes”. This will include already-expired sessions and will also silently omit sessions with ExpiresAt beyond that arbitrary window. Consider adding a store method to list active sandboxes (e.g., ZRANGEBYSCORE expiryIndexKey from now..+inf) and use that here so the endpoint matches “running sandboxes” semantics.

[Copilot]

handleSetTimeout updates ExpiresAt and persists via UpdateSandbox, but UpdateSandbox doesn’t update the expiry index (ZSet). This means the new timeout won’t be reflected in expiration/GC behavior. Please update the expiry index together with the stored object (likely via a new store API that does both atomically).

[Copilot]

handleCreateSandbox parses template_id but never validates its format, even though validateTemplateID exists and other template endpoints use it. Without validation, template_id values with extra slashes or invalid characters can flow into K8s names and fail in confusing ways. Consider validating template_id up-front and returning ErrInvalidRequest on bad input.

[Copilot]

The router E2B Templates handlers create/read CodeInterpreter CRDs, but this Role grants access only to "codeinterpreterbuilds"/"agentruntimebuilds". Those resources don’t exist in this repo’s runtime API types, and the router will still lack permissions for "codeinterpreters"/"agentruntimes" (and lists/watches) needed for template CRUD. Please adjust the RBAC resources to the actual CRDs being accessed.

Suggested change

	resources: ["codeinterpreterbuilds", "agentruntimebuilds"]
	resources: ["codeinterpreters", "agentruntimes"]

[Copilot]

concurrencyLimitMiddleware() allocates a new semaphore channel each time it’s called. By applying it to both v1 and E2B groups, the effective global concurrency cap becomes ~2× MaxConcurrentRequests (one pool per group). If the intent is a single global limit, store the semaphore on Server and reuse the same middleware instance across groups.

[Copilot]

Refresh semantics don’t match the API docs/comments: when a timeout is provided, this sets ExpiresAt = now + timeout rather than extending from the current expiration. For a true “refresh/keep-alive”, it should usually add to max(now, current ExpiresAt) so repeated refreshes monotonically extend the lifetime.

[Copilot]

This logic determines HTTP status by substring-matching err.Error() ("invalid endpoint URL"). That’s brittle and couples behavior to error text. Prefer a sentinel/typed error (e.g., var ErrInvalidEndpointURL) or wrapping with errors.Is, then branch on errors.Is(err, ErrInvalidEndpointURL) to decide between 404 vs 500.

[Copilot]

The JSON field names in this example (memoryMB, cpuCount, startCommand) don’t match the server’s Templates API models, which use snake_case (memory_mb, vcpu_count, start_command). Also the response parsing looks for "templateID" but the server returns "template_id". As written, this script will fail against the current implementation—please align the field names with the API.

[Copilot]

The OpenAPI schema and examples here use camelCase (templateID/clientID/sandboxID, envVars, autoPause), but the router’s E2B models use snake_case JSON tags (template_id/client_id/sandbox_id, env_vars, auto_pause). Please align the OpenAPI spec field names (and defaults like timeout) with the actual implementation so the spec is usable.

[Copilot]

The integration test step runs go test ./test/e2e/... without -tags e2e, but test/e2e/e2e_test.go now has //go:build e2e and will be excluded. This can make the workflow pass while running no meaningful E2E tests. Add -tags e2e (consistent with run_e2e.sh) to ensure the intended tests execute.

Suggested change

	go test -v ./test/e2e/... -run "Template" -timeout 10m
	go test -tags e2e -v ./test/e2e/... -run "Template" -timeout 10m

[acsoto]

Still WIP?

[acsoto]

This duplicates the check that already exists in the main branch

[MahaoAlex]

Still work in progcess, I’ll check

[acsoto]

This overlaps with e2e

[acsoto]

I think this is also need to be removed

[acsoto]

seem to be a lot of unnecessary files

[acsoto]

Same above

[Copilot]

Pull request overview

Copilot reviewed 51 out of 53 changed files in this pull request and generated 8 comments.

[Copilot]

The “Phase 1 限制说明” section states that /templates/* is not supported, but this PR adds Templates API routes under pkg/router/e2b and registers them in the router. This creates contradictory guidance for users. Please update the Phase 1 limitations list (and any examples) to reflect the current supported endpoints.

[Copilot]

test/e2b is presented as “black-box” E2B API tests, but NewTestServer defines its own in-memory Gin handlers (not the router’s pkg/router/e2b implementation) and the tests exercise those local handlers. This means the suite can pass even if the real router implementation is broken. If the intent is to validate AgentCube’s E2B compatibility, consider turning these into integration tests that hit the actual router (e.g., start pkg/router with a mock store/session manager, or run against a real router instance via HTTP).

[Copilot]

In handleCreateSandbox / handleSetTimeout / handleRefreshSandbox, the code updates sandbox.ExpiresAt and then calls storeClient.UpdateSandbox(...). However pkg/store’s UpdateSandbox explicitly does not update the expiry ZSET index (session:expiry), so TTL extensions won’t be reflected in GC / expiry-based queries. This will make /sandboxes/{id}/timeout and refresh-with-timeout appear to succeed but not actually extend lifetime. Consider adding a store method that updates both the sandbox object and the expiry index (e.g., UpdateSandboxExpiry / UpdateSandboxAndIndexes) and use that here, or update the store implementation so UpdateSandbox updates the expiry/last-activity indices when those fields change.

[Copilot]

concurrencyLimitMiddleware() allocates a new semaphore channel each time it’s called. Since it’s applied separately to the /v1 group and the root E2B group, the router effectively allows up to 2 * MaxConcurrentRequests concurrent requests (one limit per group), which defeats the intent of a global cap. Consider creating the semaphore once on Server (e.g., s.concurrencySem) and returning a handler that uses that shared semaphore so the limit is enforced across all routes.

[Copilot]

TestCalculateExpiry uses t.Run(string(rune(tt.timeout)), ...) as the subtest name. Converting an int timeout to a rune produces non-printable/duplicate names (e.g., 60 becomes '<'), which makes test output confusing and can collide. Use a stable string like fmt.Sprintf("timeout_%d", tt.timeout) instead.

[Copilot]

This script uses camelCase field names (memoryMB, cpuCount, startCommand) and parses templateID from the response, but the Templates API models in pkg/router/e2b/templates_models.go use snake_case JSON (memory_mb, vcpu_count, start_command, template_id). As written, the request won’t bind as intended and TEMPLATE_ID extraction will fail. Update the payload keys and the response parsing to match the actual API field names (or adjust the API to accept both formats if compatibility requires it).

[Copilot]

handleListSandboxes uses ListExpiredSandboxes with a timestamp 1 year in the future to approximate “list all active sandboxes”. ListExpiredSandboxes returns sandboxes whose ExpiresAt is before the provided time, so this will include already-expired sandboxes as well. It also relies on the expiry index being accurate (which UpdateSandbox doesn’t maintain). To match E2B semantics (list running/active sandboxes), consider adding a store query for non-expired sessions (score >= now), or filtering the returned items by ExpiresAt.After(time.Now()) after fetching IDs from a proper index.

[Copilot]

The Templates API documentation examples use camelCase JSON fields (templateID, createdAt, memoryMB, cpuCount, etc.), but the actual API structs serialize/deserialize snake_case (template_id, created_at, memory_mb, vcpu_count, ...). This mismatch will cause clients following the doc to send the wrong payload and misinterpret responses. Please align the docs with the implemented JSON field names (or explicitly document/implement dual-format support). Also, the CRD example uses apiVersion: runtime.agentcube.io/v1alpha1, but the actual group in this repo is runtime.agentcube.volcano.sh/v1alpha1.

[Copilot]

Pull request overview

Copilot reviewed 51 out of 53 changed files in this pull request and generated 5 comments.

[Copilot]

handleCreateSandbox parses template_id via parseTemplateID but does not validate it. This allows IDs with multiple slashes or invalid characters (e.g., a/b/c becomes name b/c), which will likely fail later when mapping to Kubernetes resource names and may surface as 5xx errors. You already have validateTemplateID; please call it early and return a 400 on validation failure.

[Copilot]

This OpenAPI spec documents camelCase fields like templateID, clientID, envdVersion, etc., but the router implementation structs use snake_case JSON tags (e.g., template_id, client_id, envd_version). This mismatch will break generated clients and mislead SDK users. Please align the OpenAPI schema and examples with the actual wire format (or update the server to accept/emit the documented casing consistently).

[Copilot]

The Templates API docs use camelCase fields (e.g., templateID, createdAt, memoryMB, cpuCount, startCommand) but the implementation and tests for templates use snake_case JSON (e.g., template_id, created_at, memory_mb, vcpu_count, start_command). Please update the documentation examples and field lists to match the actual API responses/requests to avoid confusing users and breaking copy/paste snippets.

[Copilot]

forwardToSandbox determines whether to return 500 vs 404 by checking strings.Contains(err.Error(), "invalid endpoint URL"). This is brittle (changes to error wording or wrapping will change behavior). Since buildURL is the source of this condition, consider returning a typed/sentinel error (or wrapping with a known value) and using errors.Is/As here to map to the correct status code reliably.

[Copilot]

Router tests rely on store.Storage() (a singleton guarded by sync.Once) inside NewServer(). Because the store singleton is initialized only once per test process, whichever test runs first will lock in REDIS_ADDR for all subsequent tests. With handlers_test.go now using miniredis and server_test.go still setting REDIS_ADDR=localhost:6379, the suite becomes order-dependent and can fail when the singleton is initialized with a non-running Redis. A robust fix is to ensure all tests initialize the store with the same miniredis address before any NewServer() call (e.g., via TestMain), and/or add a test-only reset hook in pkg/store to reinitialize the singleton between tests.

[Copilot]

Copilot wasn't able to review any files in this pull request.

[volcano-sh-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign hzxuzhonghu for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Pull request overview

Copilot reviewed 58 out of 63 changed files in this pull request and generated 7 comments.

[hzxuzhonghu]

Thanks for this large feature! The overall structure (separate E2B port, Informer-based auth, envd compatibility in PicoD) is solid. A few issues worth addressing before merging — most critical is the store atomicity bug.

[hzxuzhonghu]

Bug: partial write on E2B ID conflict. By this point the pipeline has already written: the session JSON (SetNX at line ~186), the expiry ZAdd, the last-activity ZAdd, and the API-key SAdd. Returning ErrIDConflict here leaves those entries orphaned — the session JSON stays in Redis forever (no TTL on it), and the ZSet/Set entries are stale.

Fix: if the e2b ID SetNX fails, clean up the session key and remove from both ZSets before returning. Alternatively, wrap the whole thing in a Lua script or use MULTI/EXEC+WATCH for true atomicity.

[hzxuzhonghu]

The "try UpdateSandbox first, fall back to StoreSandbox" pattern is confusing: UpdateSandbox on a non-existent key will always fail, so this is really always StoreSandbox on first call. Consider checking existence explicitly or just always calling StoreSandbox for new sandbox creation and UpdateSandbox only for updates. The three-level retry with ErrIDConflict adds cognitive overhead.

[hzxuzhonghu]

Rate limiter is 1.0 rps, burst 1 — extremely tight. A single failed auth check consumes the entire per-second token, so any burst (e.g. parallel sandbox creates from one client) will see 429s. Consider at least 10 rps / burst 10 or make this configurable.

[hzxuzhonghu]

Security concern: E2B_API_KEYS stores raw (plaintext) API keys in the env var, but the K8s Secret path stores SHA-256 hashes. Env var path bypasses the hash protection — if the env is leaked the raw keys are exposed. Either hash them on load here too, or drop the env var fallback for production and keep it dev-only with a clear warning comment.

[hzxuzhonghu]

Default E2BSandboxDomain is sb.e2b.app — that's the commercial E2B SaaS domain. This will silently generate sandbox access URLs pointing at an external third-party service for any user who doesn't override it. Change the default to something like "" (empty, require explicit config) or a generic placeholder.

[hzxuzhonghu]

Missing build tag. test/e2e/*.go use //go:build e2e so they're excluded from go test ./..., but these test/e2b/*.go files have no tag and will be included. Add //go:build e2b (+ the old-style // +build e2b for Go 1.16 compat) if these need live infra, or confirm they compile/pass in CI without any setup.