opensandbox-group
diff --git a/‎.github/workflows/publish-components.yml‎
Lines changed: 18 additions & 0 deletions b/‎.github/workflows/publish-components.yml‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎.github/workflows/publish-helm-chart.yml‎
Lines changed: 148 additions & 0 deletions b/‎.github/workflows/publish-helm-chart.yml‎
Lines changed: 148 additions & 0 deletions
diff --git a/‎.github/workflows/real-e2e.yml‎
Lines changed: 1 addition & 2 deletions b/‎.github/workflows/real-e2e.yml‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎.github/workflows/sandbox-k8s-e2e.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/sandbox-k8s-e2e.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/server-test.yml‎
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/server-test.yml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 2 additions & 2 deletions b/‎README.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/README_zh.md‎
Lines changed: 3 additions & 2 deletions b/‎docs/README_zh.md‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎examples/README.md‎
Lines changed: 1 addition & 0 deletions b/‎examples/README.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎examples/nullclaw/README.md‎
Lines changed: 71 additions & 0 deletions b/‎examples/nullclaw/README.md‎
Lines changed: 71 additions & 0 deletions
@@ -17,6 +17,8 @@ on:
           - code-interpreter
           - ingress
           - egress
+          - controller
+          - task-executor
         default: 'execd'
       image_tag:
         description: 'Docker image tag'
@@ -28,6 +30,8 @@ on:
       - 'docker/code-interpreter/**'
       - 'docker/ingress/**'
       - 'docker/egress/**'
+      - 'k8s/controller/**'
+      - 'k8s/task-executor/**'
 
 jobs:
   publish:
@@ -65,6 +69,15 @@ jobs:
             COMPONENT=$(echo "$TAG_PATH" | cut -d'/' -f2)
             IMAGE_TAG=$(echo "$TAG_PATH" | cut -d'/' -f3)
 
+            echo "component=$COMPONENT" >> $GITHUB_OUTPUT
+            echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
+          elif [[ "${{ github.ref }}" == refs/tags/k8s/* ]]; then
+            TAG_PATH="${{ github.ref }}"
+            TAG_PATH="${TAG_PATH#refs/tags/}"
+
+            COMPONENT=$(echo "$TAG_PATH" | cut -d'/' -f2)
+            IMAGE_TAG=$(echo "$TAG_PATH" | cut -d'/' -f3)
+
             echo "component=$COMPONENT" >> $GITHUB_OUTPUT
             echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
           else
@@ -90,11 +103,16 @@ jobs:
             cd components/ingress
           elif [ "$COMPONENT" == "egress" ]; then
             cd components/egress
+          elif [ "$COMPONENT" == "controller" ]; then
+            cd kubernetes
+          elif [ "$COMPONENT" == "task-executor" ]; then
+            cd kubernetes
           else
             cd sandboxes/$COMPONENT
           fi
 
           export TAG=$IMAGE_TAG
+          export COMPONENT=$COMPONENT
           chmod +x build.sh
           ./build.sh
 
 
@@ -0,0 +1,148 @@
+name: Publish Helm Chart
+
+on:
+  workflow_dispatch:
+    inputs:
+      component:
+        description: 'Component to release'
+        required: true
+        type: choice
+        options:
+          - opensandbox-controller
+        default: 'opensandbox-controller'
+      app_version:
+        description: 'App version (without v prefix, e.g., 0.1.0)'
+        required: true
+        default: '0.1.0'
+  push:
+    tags:
+      - 'helm/**'  # Format: helm/<component>/<app_version>, e.g., helm/opensandbox-controller/0.1.0
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: 'latest'
+
+      - name: Parse tag and set variables
+        id: parse_tag
+        run: |
+          if [[ "${{ github.ref }}" == refs/tags/helm/* ]]; then
+            TAG_PATH="${{ github.ref }}"
+            TAG_PATH="${TAG_PATH#refs/tags/}"
+            
+            COMPONENT=$(echo "$TAG_PATH" | cut -d'/' -f2)
+            VERSION=$(echo "$TAG_PATH" | cut -d'/' -f3)
+            
+            # Remove 'v' prefix if present
+            VERSION=${VERSION#v}
+            
+            echo "component=$COMPONENT" >> $GITHUB_OUTPUT
+            echo "app_version=$VERSION" >> $GITHUB_OUTPUT
+          else
+            echo "component=${{ inputs.component }}" >> $GITHUB_OUTPUT
+            echo "app_version=${{ inputs.app_version }}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Set chart path
+        id: chart_path
+        run: |
+          COMPONENT="${{ steps.parse_tag.outputs.component }}"
+          
+          if [ "$COMPONENT" == "opensandbox-controller" ]; then
+            CHART_PATH="kubernetes/charts/opensandbox-controller"
+          else
+            echo "Error: Unknown component: $COMPONENT"
+            exit 1
+          fi
+          
+          echo "path=$CHART_PATH" >> $GITHUB_OUTPUT
+
+      - name: Get chart version from Chart.yaml
+        id: chart_version
+        run: |
+          CHART_PATH="${{ steps.chart_path.outputs.path }}"
+          CHART_VERSION=$(grep '^version:' $CHART_PATH/Chart.yaml | awk '{print $2}')
+          echo "version=$CHART_VERSION" >> $GITHUB_OUTPUT
+          echo "Chart version: $CHART_VERSION"
+
+      - name: Update Chart.yaml with app version
+        run: |
+          APP_VERSION="${{ steps.parse_tag.outputs.app_version }}"
+          CHART_PATH="${{ steps.chart_path.outputs.path }}"
+          
+          # Only update appVersion, keep chart version as-is in Chart.yaml
+          sed -i "s/^appVersion:.*/appVersion: \"$APP_VERSION\"/" $CHART_PATH/Chart.yaml
+          
+          echo "Updated Chart.yaml:"
+          cat $CHART_PATH/Chart.yaml
+
+      - name: Lint Helm chart
+        run: |
+          CHART_PATH="${{ steps.chart_path.outputs.path }}"
+          helm lint $CHART_PATH
+
+      - name: Package Helm chart
+        run: |
+          CHART_PATH="${{ steps.chart_path.outputs.path }}"
+          helm package $CHART_PATH
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v1
+        with:
+          tag_name: helm/${{ steps.parse_tag.outputs.component }}/${{ steps.parse_tag.outputs.app_version }}
+          name: Helm Chart ${{ steps.parse_tag.outputs.component }} ${{ steps.chart_version.outputs.version }} (App v${{ steps.parse_tag.outputs.app_version }})
+          body: |
+            ## ${{ steps.parse_tag.outputs.component }} Helm Chart
+            
+            **Chart Version:** ${{ steps.chart_version.outputs.version }}
+            **App Version:** ${{ steps.parse_tag.outputs.app_version }}
+            
+            ### Installation
+            
+            直接从 GitHub Release 安装:
+            
+            ```bash
+            helm install opensandbox \
+              https://github.com/${{ github.repository }}/releases/download/helm/${{ steps.parse_tag.outputs.component }}/${{ steps.parse_tag.outputs.app_version }}/${{ steps.parse_tag.outputs.component }}-${{ steps.chart_version.outputs.version }}.tgz \
+              --namespace opensandbox-system \
+              --create-namespace
+            ```
+            
+            或者先下载后安装:
+            
+            ```bash
+            # 下载
+            wget https://github.com/${{ github.repository }}/releases/download/helm/${{ steps.parse_tag.outputs.component }}/${{ steps.parse_tag.outputs.app_version }}/${{ steps.parse_tag.outputs.component }}-${{ steps.chart_version.outputs.version }}.tgz
+            
+            # 安装
+            helm install opensandbox ./${{ steps.parse_tag.outputs.component }}-${{ steps.chart_version.outputs.version }}.tgz \
+              --namespace opensandbox-system \
+              --create-namespace
+            ```
+            
+            ### What's Changed
+            
+            - Chart version: ${{ steps.chart_version.outputs.version }}
+            - App version: ${{ steps.parse_tag.outputs.app_version }}
+          files: |
+            ${{ steps.parse_tag.outputs.component }}-*.tgz
+          draft: false
+          prerelease: false
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -7,9 +7,8 @@ on:
   pull_request:
     branches: [ main ]
     paths:
-      - 'server/**'
+      - 'server/src/**'
       - 'components/execd/**'
-      - 'sandboxes/**'
       - 'sdks/code-interpreter/**'
       - 'sdks/sandbox/**'
       - 'tests/**'
 
@@ -22,7 +22,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        k8s-version: ["1.22.4", "1.24.4", "1.26.4", "1.28.6", "1.30.4", "1.32.2", "1.34.2"]
+        k8s-version: ["1.21.1", "1.22.4", "1.24.4", "1.26.4", "1.28.6", "1.30.4", "1.32.2", "1.34.2"]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
 
@@ -4,7 +4,8 @@ on:
   pull_request:
     branches: [ main ]
     paths:
-      - 'server/**'
+      - 'server/src/**'
+      - 'server/tests/**'
 
 permissions:
   contents: read
 
@@ -11,7 +11,7 @@
     <img src="https://deepwiki.com/badge.svg" alt="Ask DeepWiki" />
   </a>
   <a href="https://www.apache.org/licenses/LICENSE-2.0.html">
-    <img src="https://img.shields.io/github/license/alibaba/OpenSandbox.svg" alt="license" />
+    <img src="https://img.shields.io/badge/license-Apache%202.0-blue.svg" alt="license" />
   </a>
   <a href="https://badge.fury.io/py/opensandbox">
     <img src="https://badge.fury.io/py/opensandbox.svg" alt="PyPI version" />
@@ -159,6 +159,7 @@ OpenSandbox provides rich examples demonstrating sandbox usage in different scen
 - **[iflow-cli](examples/iflow-cli/README.md)** - Run iFLow CLI inside OpenSandbox.
 - **[langgraph](examples/langgraph/README.md)** - LangGraph state-machine workflow that creates/runs a sandbox job with fallback retry.
 - **[google-adk](examples/google-adk/README.md)** - Google ADK agent using OpenSandbox tools to write/read files and run commands.
+- **[nullclaw](examples/nullclaw/README.md)** - Launch a [Nullclaw](https://github.com/nullclaw/nullclaw) Gateway inside a sandbox.
 - **[openclaw](examples/openclaw/README.md)** - Launch an OpenClaw Gateway inside a sandbox.
 
 #### 🌐 Browser and Desktop Environments
@@ -229,4 +230,3 @@ This project is open source under the [Apache 2.0 License](LICENSE).
 ## Star History
 
 [![Star History Chart](https://api.star-history.com/svg?repos=alibaba/OpenSandbox&type=date&legend=top-left)](https://www.star-history.com/#alibaba/OpenSandbox&type=date&legend=top-left)
-
@@ -11,7 +11,7 @@
     <img src="https://deepwiki.com/badge.svg" alt="Ask DeepWiki" />
   </a>
   <a href="https://www.apache.org/licenses/LICENSE-2.0.html">
-    <img src="https://img.shields.io/github/license/alibaba/OpenSandbox.svg" alt="license" />
+    <img src="https://img.shields.io/badge/license-Apache%202.0-blue.svg" alt="license" />
   </a>
   <a href="https://badge.fury.io/py/opensandbox">
     <img src="https://badge.fury.io/py/opensandbox.svg" alt="PyPI version" />
@@ -161,7 +161,8 @@ OpenSandbox 提供了丰富的示例来演示不同场景下的沙箱使用方
 - **[iflow-cli](../examples/iflow-cli/README.md)** - 在 OpenSandbox 中运行 iFlow CLI。
 - **[langgraph](../examples/langgraph/README.md)** - 基于 LangGraph 状态机编排沙箱任务与回退重试。
 - **[google-adk](../examples/google-adk/README.md)** - 使用 Google ADK 通过 OpenSandbox 工具读写文件并执行命令。
-- **[openclaw](../examples/openclaw/README.md)** - 在沙箱中启动 OpenClaw Gateway。
+- **[nullclaw](../examples/nullclaw/README.md)** - 在沙箱中启动 Nullclaw Gateway。
+- **[openclaw](../examples/openclaw/README_zh.md)** - 在沙箱中启动 OpenClaw Gateway。
 
 #### 🌐 浏览器与桌面环境
 
 
@@ -15,6 +15,7 @@ Examples for common OpenSandbox use cases. Each subdirectory contains runnable c
 - <img src="https://www.kimi.com/favicon.ico" alt="Kimi" width="16" height="16" style="display:inline-block;width:16px;height:16px;vertical-align:middle;margin-right:4px;" /> [**kimi-cli**](kimi-cli): Call Kimi Code CLI (Moonshot AI) within the sandbox
 - <img src="https://img.shields.io/badge/-%20-1C3C3C?logo=langgraph&logoColor=white&style=flat-square" alt="LangGraph" width="16" height="16" style="display:inline-block;width:16px;height:16px;vertical-align:middle;margin-right:4px;" /> [**langgraph**](langgraph): LangGraph agent orchestrating sandbox lifecycle + tools
 - <img src="https://google.github.io/adk-docs/assets/agent-development-kit.png" alt="Google ADK" width="16" height="16" style="display:inline-block;width:16px;height:16px;vertical-align:middle;margin-right:4px;" /> [**google-adk**](google-adk): Google ADK agent calling OpenSandbox tools
+- 🦞 [**nullclaw**](nullclaw): Launch a Nullclaw Gateway inside a sandbox
 - 🦞 [**openclaw**](openclaw): Run an OpenClaw Gateway inside a sandbox
 - 🖥️ [**desktop**](desktop): Launch VNC desktop (Xvfb + x11vnc) for VNC client connections
 - <img src="https://playwright.dev/img/playwright-logo.svg" alt="Playwright" width="16" height="16" style="display:inline-block;width:16px;height:16px;vertical-align:middle;margin-right:4px;" /> [**playwright**](playwright): Launch headless browser (Playwright + Chromium) to scrape web content
 
@@ -0,0 +1,71 @@
+# Nullclaw Gateway Example
+
+Launch a [Nullclaw](https://github.com/nullclaw/nullclaw) Gateway inside an OpenSandbox instance and expose its HTTP endpoint. The script polls the gateway health check until it returns HTTP 200, then prints the reachable endpoint.
+
+## Start OpenSandbox server [local]
+
+You can find the latest Nullclaw container image [here](https://github.com/nullclaw/nullclaw/pkgs/container/nullclaw).
+
+### Notes (Docker runtime requirement)
+
+The server uses `runtime.type = "docker"` by default, so it **must** be able to reach a running Docker daemon.
+
+- **Docker Desktop**: ensure Docker Desktop is running, then verify with `docker version`.
+- **Colima (macOS)**: start it first (`colima start`) and export the socket before starting the server:
+
+```shell
+export DOCKER_HOST="unix://${HOME}/.colima/default/docker.sock"
+```
+
+Pre-pull the Nullclaw image:
+
+```shell
+docker pull ghcr.io/nullclaw/nullclaw:latest
+```
+
+Start the OpenSandbox server (logs will stay in the terminal):
+
+```shell
+uv pip install opensandbox-server
+opensandbox-server init-config ~/.sandbox.toml --example docker
+opensandbox-server
+```
+
+If you see errors like `FileNotFoundError: [Errno 2] No such file or directory` from `docker/transport/unixconn.py`, it usually means the Docker unix socket is missing or Docker is not running.
+
+## Create and Access the Nullclaw Sandbox
+
+This example is hard-coded for a quick start:
+- OpenSandbox server: `http://localhost:8080`
+- Image: `ghcr.io/nullclaw/nullclaw:latest`
+- Gateway port: `3000`
+- Timeout: `3600s`
+
+Install dependencies from the project root:
+
+```shell
+uv pip install opensandbox requests
+```
+
+Run the example:
+
+```shell
+uv run python examples/nullclaw/main.py
+```
+
+You should see output similar to:
+
+```text
+Creating nullclaw sandbox with image=ghcr.io/nullclaw/nullclaw:latest on OpenSandbox server http://localhost:8080...
+[check] sandbox ready after 0.3s
+Nullclaw gateway started. Please refer to 127.0.0.1:56234
+```
+
+The endpoint printed at the end (e.g., `127.0.0.1:56234`) is the Nullclaw Gateway address exposed from the sandbox.
+
+By default, Nullclaw requires pairing before authenticated endpoints (for example, `/webhook`) can be used. The `/health` endpoint remains publicly accessible.
+
+## References
+- [Nullclaw](https://github.com/nullclaw/nullclaw) — Minimal AI assistant runtime (678 KB static Zig binary)
+- [Nullclaw Documentation](https://nullclaw.github.io) — Full documentation
+- [OpenSandbox Python SDK](https://pypi.org/project/opensandbox/)