fix: skip expired snapshots and fallback to fresh sandbox on failure

Accounts with expired Vercel snapshots caused Sandbox.create() to throw
"Status code 400 is not ok" with no recovery path.

Changes:
- Extract getValidSnapshotId to its own lib file (SRP)
- Both processCreateSandbox and createSandboxFromSnapshot use it
- Add fallback: if snapshot creation fails, create a fresh sandbox
- DRY: processCreateSandbox uses createSandboxWithFallback helper
  so createSandbox({}) is only called once
- Add tests for getValidSnapshotId (5 tests)
- Add snapshot expiry and fallback tests to existing test files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: sweetmantech

lib/sandbox/__tests__/createSandboxFromSnapshot.test.ts

@@ -3,16 +3,16 @@ import type { Sandbox } from "@vercel/sandbox";
 
 import { createSandboxFromSnapshot } from "../createSandboxFromSnapshot";
 
-const mockSelectAccountSnapshots = vi.fn();
+const mockGetValidSnapshotId = vi.fn();
 const mockInsertAccountSandbox = vi.fn();
 const mockCreateSandbox = vi.fn();
 
 vi.mock("@/lib/sandbox/createSandbox", () => ({
   createSandbox: (...args: unknown[]) => mockCreateSandbox(...args),
 }));
 
-vi.mock("@/lib/supabase/account_snapshots/selectAccountSnapshots", () => ({
-  selectAccountSnapshots: (...args: unknown[]) => mockSelectAccountSnapshots(...args),
+vi.mock("@/lib/sandbox/getValidSnapshotId", () => ({
+  getValidSnapshotId: (...args: unknown[]) => mockGetValidSnapshotId(...args),
 }));
 
 vi.mock("@/lib/supabase/account_sandboxes/insertAccountSandbox", () => ({
@@ -44,9 +44,7 @@ describe("createSandboxFromSnapshot", () => {
   });
 
   it("creates from snapshot when available", async () => {
-    mockSelectAccountSnapshots.mockResolvedValue([
-      { snapshot_id: "snap_abc", account_id: "acc_1" },
-    ]);
+    mockGetValidSnapshotId.mockResolvedValue("snap_abc");
 
     await createSandboxFromSnapshot("acc_1");
 
@@ -56,15 +54,15 @@ describe("createSandboxFromSnapshot", () => {
   });
 
   it("creates fresh sandbox when no snapshot exists", async () => {
-    mockSelectAccountSnapshots.mockResolvedValue([]);
+    mockGetValidSnapshotId.mockResolvedValue(undefined);
 
     await createSandboxFromSnapshot("acc_1");
 
     expect(mockCreateSandbox).toHaveBeenCalledWith({});
   });
 
   it("inserts account_sandbox record", async () => {
-    mockSelectAccountSnapshots.mockResolvedValue([]);
+    mockGetValidSnapshotId.mockResolvedValue(undefined);
 
     await createSandboxFromSnapshot("acc_1");
 
@@ -75,20 +73,54 @@ describe("createSandboxFromSnapshot", () => {
   });
 
   it("returns { sandbox, fromSnapshot: true } when snapshot exists", async () => {
-    mockSelectAccountSnapshots.mockResolvedValue([
-      { snapshot_id: "snap_abc", account_id: "acc_1" },
-    ]);
+    mockGetValidSnapshotId.mockResolvedValue("snap_abc");
 
     const result = await createSandboxFromSnapshot("acc_1");
 
     expect(result).toEqual({ sandbox: mockSandbox, fromSnapshot: true });
   });
 
   it("returns { sandbox, fromSnapshot: false } when no snapshot", async () => {
-    mockSelectAccountSnapshots.mockResolvedValue([]);
+    mockGetValidSnapshotId.mockResolvedValue(undefined);
 
     const result = await createSandboxFromSnapshot("acc_1");
 
     expect(result).toEqual({ sandbox: mockSandbox, fromSnapshot: false });
   });
+
+  it("skips expired snapshot (getValidSnapshotId returns undefined)", async () => {
+    mockGetValidSnapshotId.mockResolvedValue(undefined);
+
+    const result = await createSandboxFromSnapshot("acc_1");
+
+    expect(mockCreateSandbox).toHaveBeenCalledWith({});
+    expect(result).toEqual({ sandbox: mockSandbox, fromSnapshot: false });
+  });
+
+  it("falls back to fresh sandbox when snapshot creation fails", async () => {
+    mockGetValidSnapshotId.mockResolvedValue("snap_bad");
+
+    const freshSandbox = {
+      sandboxId: "sbx_fresh",
+      status: "running",
+      runCommand: vi.fn(),
+    } as unknown as Sandbox;
+
+    mockCreateSandbox
+      .mockRejectedValueOnce(new Error("Status code 400 is not ok"))
+      .mockResolvedValueOnce({
+        sandbox: freshSandbox,
+        response: {
+          sandboxId: "sbx_fresh",
+          sandboxStatus: "running",
+          timeout: 1800000,
+          createdAt: "2024-01-01T00:00:00.000Z",
+        },
+      });
+
+    const result = await createSandboxFromSnapshot("acc_1");
+
+    expect(mockCreateSandbox).toHaveBeenCalledTimes(2);
+    expect(result).toEqual({ sandbox: freshSandbox, fromSnapshot: false });
+  });
 });

lib/sandbox/__tests__/createSandboxPostHandler.test.ts

@@ -361,6 +361,97 @@ describe("createSandboxPostHandler", () => {
     expect(triggerPromptSandbox).not.toHaveBeenCalled();
   });
 
+  it("skips expired snapshot and creates fresh sandbox", async () => {
+    const pastDate = new Date(Date.now() - 86400000).toISOString();
+    vi.mocked(validateSandboxBody).mockResolvedValue({
+      accountId: "acc_123",
+      orgId: null,
+      authToken: "token",
+    });
+    vi.mocked(selectAccountSnapshots).mockResolvedValue([
+      {
+        id: "snap_record_123",
+        account_id: "acc_123",
+        snapshot_id: "snap_expired",
+        created_at: "2024-01-01T00:00:00.000Z",
+        expires_at: pastDate,
+      },
+    ]);
+    vi.mocked(createSandbox).mockResolvedValue({
+      sandbox: {} as never,
+      response: {
+        sandboxId: "sbx_fresh",
+        sandboxStatus: "running",
+        timeout: 600000,
+        createdAt: "2024-01-01T00:00:00.000Z",
+      },
+    });
+    vi.mocked(insertAccountSandbox).mockResolvedValue({
+      data: {
+        id: "record_123",
+        account_id: "acc_123",
+        sandbox_id: "sbx_fresh",
+        created_at: "2024-01-01T00:00:00.000Z",
+      },
+      error: null,
+    });
+
+    const request = createMockRequest();
+    const response = await createSandboxPostHandler(request);
+
+    expect(response.status).toBe(200);
+    expect(createSandbox).toHaveBeenCalledWith({});
+    expect(createSandbox).not.toHaveBeenCalledWith(
+      expect.objectContaining({ source: expect.anything() }),
+    );
+  });
+
+  it("falls back to fresh sandbox when snapshot creation fails", async () => {
+    const futureDate = new Date(Date.now() + 86400000).toISOString();
+    vi.mocked(validateSandboxBody).mockResolvedValue({
+      accountId: "acc_123",
+      orgId: null,
+      authToken: "token",
+    });
+    vi.mocked(selectAccountSnapshots).mockResolvedValue([
+      {
+        id: "snap_record_123",
+        account_id: "acc_123",
+        snapshot_id: "snap_bad",
+        created_at: "2024-01-01T00:00:00.000Z",
+        expires_at: futureDate,
+      },
+    ]);
+    vi.mocked(createSandbox)
+      .mockRejectedValueOnce(new Error("Status code 400 is not ok"))
+      .mockResolvedValueOnce({
+        sandbox: {} as never,
+        response: {
+          sandboxId: "sbx_fallback",
+          sandboxStatus: "running",
+          timeout: 600000,
+          createdAt: "2024-01-01T00:00:00.000Z",
+        },
+      });
+    vi.mocked(insertAccountSandbox).mockResolvedValue({
+      data: {
+        id: "record_123",
+        account_id: "acc_123",
+        sandbox_id: "sbx_fallback",
+        created_at: "2024-01-01T00:00:00.000Z",
+      },
+      error: null,
+    });
+
+    const request = createMockRequest();
+    const response = await createSandboxPostHandler(request);
+
+    expect(response.status).toBe(200);
+    expect(createSandbox).toHaveBeenCalledTimes(2);
+    const json = await response.json();
+    expect(json.sandboxes[0].sandboxId).toBe("sbx_fallback");
+  });
+
   it("returns 200 without runId when triggerPromptSandbox throws", async () => {
     vi.mocked(validateSandboxBody).mockResolvedValue({
       accountId: "acc_123",

lib/sandbox/__tests__/getValidSnapshotId.test.ts

@@ -0,0 +1,65 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+
+import { getValidSnapshotId } from "../getValidSnapshotId";
+
+const mockSelectAccountSnapshots = vi.fn();
+
+vi.mock("@/lib/supabase/account_snapshots/selectAccountSnapshots", () => ({
+  selectAccountSnapshots: (...args: unknown[]) => mockSelectAccountSnapshots(...args),
+}));
+
+describe("getValidSnapshotId", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("returns snapshot_id when snapshot exists and is not expired", async () => {
+    const futureDate = new Date(Date.now() + 86400000).toISOString();
+    mockSelectAccountSnapshots.mockResolvedValue([
+      { snapshot_id: "snap_abc", account_id: "acc_1", expires_at: futureDate },
+    ]);
+
+    const result = await getValidSnapshotId("acc_1");
+
+    expect(result).toBe("snap_abc");
+  });
+
+  it("returns snapshot_id when snapshot has no expires_at", async () => {
+    mockSelectAccountSnapshots.mockResolvedValue([
+      { snapshot_id: "snap_abc", account_id: "acc_1", expires_at: null },
+    ]);
+
+    const result = await getValidSnapshotId("acc_1");
+
+    expect(result).toBe("snap_abc");
+  });
+
+  it("returns undefined when snapshot is expired", async () => {
+    const pastDate = new Date(Date.now() - 86400000).toISOString();
+    mockSelectAccountSnapshots.mockResolvedValue([
+      { snapshot_id: "snap_expired", account_id: "acc_1", expires_at: pastDate },
+    ]);
+
+    const result = await getValidSnapshotId("acc_1");
+
+    expect(result).toBeUndefined();
+  });
+
+  it("returns undefined when no snapshots exist", async () => {
+    mockSelectAccountSnapshots.mockResolvedValue([]);
+
+    const result = await getValidSnapshotId("acc_1");
+
+    expect(result).toBeUndefined();
+  });
+
+  it("returns undefined when snapshot has no snapshot_id", async () => {
+    mockSelectAccountSnapshots.mockResolvedValue([
+      { snapshot_id: null, account_id: "acc_1", expires_at: null },
+    ]);
+
+    const result = await getValidSnapshotId("acc_1");
+
+    expect(result).toBeUndefined();
+  });
+});

lib/sandbox/createSandboxFromSnapshot.ts

@@ -1,6 +1,6 @@
 import type { Sandbox } from "@vercel/sandbox";
 import { createSandbox } from "@/lib/sandbox/createSandbox";
-import { selectAccountSnapshots } from "@/lib/supabase/account_snapshots/selectAccountSnapshots";
+import { getValidSnapshotId } from "@/lib/sandbox/getValidSnapshotId";
 import { insertAccountSandbox } from "@/lib/supabase/account_sandboxes/insertAccountSandbox";
 
 export interface CreateSandboxFromSnapshotResult {
@@ -9,26 +9,40 @@ export interface CreateSandboxFromSnapshotResult {
 }
 
 /**
- * Creates a new sandbox from the account's latest snapshot (or fresh if none)
- * and records it in the database.
+ * Creates a new sandbox from the account's latest valid snapshot,
+ * falling back to a fresh sandbox if the snapshot is expired or fails.
  *
  * @param accountId - The account ID to create a sandbox for
  * @returns The created Sandbox instance and whether it was created from a snapshot
  */
 export async function createSandboxFromSnapshot(
   accountId: string,
 ): Promise<CreateSandboxFromSnapshotResult> {
-  const snapshots = await selectAccountSnapshots(accountId);
-  const snapshotId = snapshots[0]?.snapshot_id;
+  const snapshotId = await getValidSnapshotId(accountId);
 
-  const { sandbox, response } = await createSandbox(
-    snapshotId ? { source: { type: "snapshot", snapshotId } } : {},
-  );
+  let sandbox: Sandbox;
+  let fromSnapshot = false;
+
+  if (snapshotId) {
+    try {
+      const result = await createSandbox({
+        source: { type: "snapshot", snapshotId },
+      });
+      sandbox = result.sandbox;
+      fromSnapshot = true;
+    } catch {
+      const result = await createSandbox({});
+      sandbox = result.sandbox;
+    }
+  } else {
+    const result = await createSandbox({});
+    sandbox = result.sandbox;
+  }
 
   await insertAccountSandbox({
     account_id: accountId,
-    sandbox_id: response.sandboxId,
+    sandbox_id: sandbox.sandboxId,
   });
 
-  return { sandbox, fromSnapshot: !!snapshotId };
+  return { sandbox, fromSnapshot };
 }

lib/sandbox/getValidSnapshotId.ts

@@ -0,0 +1,19 @@
+import { selectAccountSnapshots } from "@/lib/supabase/account_snapshots/selectAccountSnapshots";
+
+/**
+ * Returns a valid (non-expired) snapshot ID for the account, or undefined.
+ *
+ * @param accountId - The account to look up
+ * @returns The snapshot ID if it exists and has not expired
+ */
+export async function getValidSnapshotId(accountId: string): Promise<string | undefined> {
+  const accountSnapshots = await selectAccountSnapshots(accountId);
+  const snapshot = accountSnapshots[0];
+  if (!snapshot?.snapshot_id) return undefined;
+
+  if (snapshot.expires_at && new Date(snapshot.expires_at) < new Date()) {
+    return undefined;
+  }
+
+  return snapshot.snapshot_id;
+}

lib/sandbox/processCreateSandbox.ts

@@ -1,6 +1,6 @@
 import { createSandbox, type SandboxCreatedResponse } from "@/lib/sandbox/createSandbox";
+import { getValidSnapshotId } from "@/lib/sandbox/getValidSnapshotId";
 import { insertAccountSandbox } from "@/lib/supabase/account_sandboxes/insertAccountSandbox";
-import { selectAccountSnapshots } from "@/lib/supabase/account_snapshots/selectAccountSnapshots";
 import { triggerPromptSandbox } from "@/lib/trigger/triggerPromptSandbox";
 
 type ProcessCreateSandboxInput = {
@@ -9,6 +9,24 @@ type ProcessCreateSandboxInput = {
 };
 type ProcessCreateSandboxResult = SandboxCreatedResponse & { runId?: string };
 
+/**
+ * Attempts to create a sandbox from the given snapshot, falling back to a fresh sandbox on failure.
+ * If no snapshotId is provided, creates a fresh sandbox directly.
+ *
+ * @param snapshotId - Optional snapshot ID to restore from
+ * @returns The sandbox creation response
+ */
+async function createSandboxWithFallback(snapshotId: string | undefined) {
+  if (snapshotId) {
+    try {
+      return (await createSandbox({ source: { type: "snapshot", snapshotId } })).response;
+    } catch {
+      // Snapshot invalid or expired on Vercel's side — fall through to fresh
+    }
+  }
+  return (await createSandbox({})).response;
+}
+
 /**
  * Shared domain logic for creating a sandbox and optionally running a prompt.
  * Used by both POST /api/sandboxes handler and the prompt_sandbox MCP tool.
@@ -21,14 +39,8 @@ export async function processCreateSandbox(
 ): Promise<ProcessCreateSandboxResult> {
   const { accountId, prompt } = input;
 
-  // Get account's most recent snapshot if available
-  const accountSnapshots = await selectAccountSnapshots(accountId);
-  const snapshotId = accountSnapshots[0]?.snapshot_id;
-
-  // Create sandbox (from snapshot if valid, otherwise fresh)
-  const { response: result } = await createSandbox(
-    snapshotId ? { source: { type: "snapshot", snapshotId } } : {},
-  );
+  const snapshotId = await getValidSnapshotId(accountId);
+  const result = await createSandboxWithFallback(snapshotId);
 
   await insertAccountSandbox({
     account_id: accountId,