fix(sandbox): auto-bypass CSB free-tier trust interstitial and guard preload script race

[Fizza-Mukhtar]

Description

Two separate issues were causing the Penpal connection to time out when using
Onlook with a free-tier CodeSandbox account:

1. The CSB free-tier trust interstitial ("You are opening a CodeSandbox preview,
   do you want to continue?") was never auto-dismissed. The code to click
   #btn-answer-yes existed in project.ts but was commented out, leaving the
   iframe stuck on the interstitial page so the Penpal handshake never started.

2. A race condition in preload script injection — if ensurePreloadScriptExists()
   failed on first attempt (sandbox not ready yet), there was no retry and
   preloadScriptState stayed NOT_INJECTED permanently. The iframe would load
   before the preload script was ready, so the child-side Penpal connect never fired.

Changes made:

• project.ts — Uncommented and activated csbFreeActions, passing
  { type: 'click', selector: '#btn-answer-yes' } as actions to Firecrawl
  scrapeUrl so the trust interstitial is auto-dismissed on screenshot capture.

• sandbox/index.ts — On preload script injection failure, schedules a single
  retry after 3s to handle the race where the sandbox is not yet fully ready on
  first attempt.

• view.tsx — Added a guard in setupPenpalConnection that skips the connection
  attempt if activeSandbox.preloadScriptState === LOADING, waiting for the next
  onLoad event instead of connecting too early.

Related Issues

Fixes #3087

Type of Change

• Bug fix
• New feature
• Documentation
• Refactor
• Other (please describe):

Testing

1. Self-host Onlook against a free-tier CodeSandbox account
2. Create or import a Next.js project
3. Open the project page and navigate to any route
4. Verify the iframe loads the app directly — no trust interstitial appears
5. Verify Penpal connection set appears in browser console with no timeout error
6. Regression check: verify a paid CSB account (no interstitial) still connects normally

Screenshots (if applicable)

N/A — bug manifested as a console timeout error, not a visual UI change.

Additional Notes

The csbFreeActions fix only affects the captureScreenshot mutation which uses
Firecrawl to scrape the preview URL. The preload script retry and LOADING guard
together fix the deeper race condition that caused timeouts even after manually
dismissing the interstitial.

Summary by CodeRabbit

• Bug Fixes & Improvements
  • Prevented editor connection attempts while the sandbox preload script is still loading to avoid premature initialization
  • Added automatic retry for failed preload script injection with 3-second intervals and improved cleanup of retry timers
  • Enabled automated interaction during project scraping for free-tier workflows to streamline scraping operations

[vercel]

@Fizza-Mukhtar is attempting to deploy a commit to the Onlook Team on Vercel.

A member of the Team first needs to authorize it.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs-onlook	Skipped		Mar 6, 2026 5:11pm

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 844d681a-d9b1-49d3-a539-2f419b29c5c9

📥 Commits

Reviewing files that changed from the base of the PR and between 86fa4ed and cfc5c93.

📒 Files selected for processing (1)

• apps/web/client/src/components/store/editor/sandbox/index.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• apps/web/client/src/components/store/editor/sandbox/index.ts

---

📝 Walkthrough

Walkthrough

Adds a CSB interstitial auto-click during scraping, prevents starting the Penpal connection while the sandbox preload script is still LOADING, and adds a 3s retry for failed preload script injection attempts.

Changes

Cohort / File(s)	Summary
Preload injection & retry apps/web/client/src/components/store/editor/sandbox/index.ts	Adds preloadRetryTimeoutId field, marks state NOT_INJECTED on injection failure, schedules a 3s retry invoking ensurePreloadScriptExists, and clears the timer in clear().
Penpal connection guard apps/web/client/src/app/project/[id]/_components/canvas/frame/view.tsx	Imports PreloadScriptState and early-exits from setupPenpalConnection when preload state is LOADING, logging and avoiding Penpal setup until ready.
CSB interstitial bypass apps/web/client/src/server/api/routers/project/project.ts	Enables csbFreeActions with a click for #btn-answer-yes and passes it into scrapeUrl to auto-dismiss the CodeSandbox free-tier trust prompt during scraping.

Sequence Diagram(s)

sequenceDiagram
  participant Browser
  participant Server
  participant SandboxIframe
  participant SandboxManager
  participant ParentApp

  Browser->>Server: Request project page / scrape
  Server-->>SandboxIframe: Respond with iframe URL (+csbFreeActions)
  SandboxIframe->>SandboxManager: load → inject preload script
  SandboxManager-->>SandboxManager: on inject failure → set NOT_INJECTED, start 3s retry
  SandboxManager->>SandboxIframe: (retry) ensurePreloadScriptExists → inject preload
  SandboxIframe->>ParentApp: preload script loaded → signal READY
  ParentApp->>ParentApp: check PreloadScriptState
  ParentApp-->>ParentApp: if LOADING → log & skip Penpal setup
  ParentApp->>SandboxIframe: when READY → establish Penpal connection
  ParentApp->>SandboxIframe: Penpal handshake completes

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Fix: iframe and sandbox retry mechanism #2986: Touches preload-script and Penpal connection handling in the same files; likely overlapping changes.
• feat: improve index caching #2827: Modifies SandboxManager implementation; related to preload injection/retry logic.
• fix: iframe retry connection #2968: Reworks Penpal/iframe connection and retry logic in the canvas frame component.

Suggested reviewers

• Kitenite

Poem

🐰 A hop, a tick, a gentle try—
I click the prompt and watch the sky.
If preload sleeps, I wait and play,
Retry in three, then start the day.
Handshake snug—our frames can fly. 🥕✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the two main fixes: auto-bypassing the CSB free-tier trust interstitial and guarding against a preload script race condition.
Description check	✅ Passed	The description comprehensively covers all required sections: clear explanation of both issues, changes made to three files, related issue link, bug fix classification, detailed testing steps, and additional context.
Linked Issues check	✅ Passed	All coding requirements from issue #3087 are met: auto-dismiss interstitial via csbFreeActions [project.ts], implement preload script retry on injection failure [sandbox/index.ts], and add connection guard for LOADING state [view.tsx].
Out of Scope Changes check	✅ Passed	All three file changes directly address the linked issue #3087: CSB interstitial bypass, preload script retry mechanism, and Penpal connection guard—no out-of-scope modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/web/client/src/components/store/editor/sandbox/index.ts`:
- Around line 113-119: The setTimeout started in the constructor/initializer can
fire after the manager is disposed — store its ID (e.g., a new field like
preloadRetryTimeoutId) when calling setTimeout around the block that checks
this.preloadScriptState and calls void this.ensurePreloadScriptExists(), and
then clear that timeout in the class clear() method (use
clearTimeout(this.preloadRetryTimeoutId) and null the field) so the retry
callback cannot run against a cleared SandboxManager.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e83d5184-e326-45f8-a64e-263b4db1768d

📥 Commits

Reviewing files that changed from the base of the PR and between a242be5 and 86fa4ed.

📒 Files selected for processing (3)

• apps/web/client/src/app/project/[id]/_components/canvas/frame/view.tsx
• apps/web/client/src/components/store/editor/sandbox/index.ts
• apps/web/client/src/server/api/routers/project/project.ts