sandbox

Summary This PR adds 1Password support to the Sandbox SDK and CLI. You pass 1Password secret references () in when creating or getting a sandbox. The SDK resolves them client-side with the 1Password SDK (using a service account token or the desktop app) and injects the resolved values into the environment for every runCommand call. The CLI’s exec command also supports op:// refs in --env, so you can run commands with secrets resolved from 1Password without putting them in your shell environment. Changes SDK New option on and : a map of env var names to . Refs are resolved client-side with the 1Password JavaScript SDK at create/get time. Resolved values are merged into the env for each . CLI sandbox exec with accepts values that are op:// refs. They are resolved before the command runs (). Example : creates a sandbox with a secret from 1Password and runs a command that uses it. This is a minimal demo to show the flow. We're open to feedback from Vercel's team on example structure or additional examples. Documentation updates Root README and packages/vercel-sandbox/README.md: 1Password section with integrations.onePassword.secrets, service account vs desktop app, Vercel (link env to project), and local setup. examples/onepassword-secrets/README.md: Prerequisites, how to run, troubleshooting. examples/README.md: 1Password example listed and described. How it works 1. Caller passes to Sandbox.create() or Sandbox.get(). 2. SDK uses (or for desktop) to call the 1Password SDK and resolve each ref. 3. Resolved values are stored as default env on the sandbox instance and merged into env for every . How to test Prerequisites A 1Password vault item with a field you can reference (). A 1Password service account with access to that vault (or the 1Password desktop app with the Developer setting enabled for ). See https://developer.1password.com/docs/sdks/ for more info. Run the example From repo root run thenand Create .env.local with: OP_SERVICE_ACCOUNT_TOKEN= OP_REF=op://Your Vault/Your Item/field name Run: You should see output indicating the secret is set (e.g. MY_SECRET is set: yes and a non-zero length). If you see length 0, check OP_REF and token/vault access. CLI exec with op refs Create a sandbox ensure the 1Password token is available (... or run with --env-file .env.local). Run:

Summary The JS SDK supports when creating sandboxes, but the CLI had no way to set this. Adds a flag to (and by inheritance) so users can allocate more compute from the CLI. Usage Each vCPU includes 2048 MB of memory. Omitting the flag preserves existing default behavior. Changes — New reusable arg definition with positive integer validation — Wire the arg through to as inherits from 's args, no changes needed Testing Verify with then — the and columns should reflect the requested resources.