[codex] Fix SDK packaging and runtime robustness

[shrisukhani]

Summary

This PR fixes a set of SDK packaging and runtime reliability issues found during a repo-wide review.

What changed

• Clean dist before builds and import services/web/index explicitly so published root imports load the current WebService implementation.
• Move declaration-only runtime type dependencies into dependencies so TypeScript consumers can compile against the published package without installing extra @types/* packages.
• Fix runtimeProxyOverride handling so an override without an explicit port does not inherit the runtime service port.
• Refresh runtime websocket auth once after a 401 handshake, matching the HTTP runtime retry behavior.
• Pass the configured timeout through websocket handshakes.
• Treat empty successful JSON responses as {} instead of parse failures.
• Remove an upload stream error handler that could throw outside the uploadFile promise.
• Treat stopped as a terminal status in polling helpers and expose it in relevant job status unions.
• Use POSIX path handling for sandbox file-watch event names.
• Add a test typecheck script and gate it in the npm publish workflow.

Root cause

Several issues came from drift between source and published artifacts: tsc does not remove stale files, and the package publishes the whole dist folder. Runtime issues were mostly parity gaps between HTTP transport behavior and websocket transport behavior.

Validation

• yarn build
• yarn lint
• yarn typecheck:tests
• yarn -s vitest run tests/sandbox/e2e/runtime-transport.test.ts tests/sandbox/e2e/sandbox-contract.test.ts tests/sandbox/e2e/process-api.test.ts
• npm pack --dry-run --json
• Clean temp consumer TypeScript compile against the packed tarball
• Clean temp runtime check that new HyperbrowserClient(...).web.crawl is present

Note: full yarn test still requires a local sandbox control plane at http://localhost:8080; without it, the live e2e suites fail with ECONNREFUSED.

---

Note

Medium Risk
Touches SDK build/publish pipeline and runtime HTTP/WebSocket transport behavior (auth refresh, proxy URL rewriting, timeouts), which could affect production connectivity despite being reliability-focused.

Overview
Improves SDK publish correctness by cleaning dist before tsc, explicitly importing WebService via services/web/index, moving @types/* packages to runtime dependencies, and gating npm releases with a new typecheck:tests step.

Hardens control/runtime networking by treating empty JSON responses as {}, fixing runtimeProxyOverride port handling, adding websocket handshake timeouts, and refreshing runtime websocket auth once on 401 (terminal + file watch). It also treats stopped as a terminal job status across scrape/crawl/extract/web jobs and removes a stream error handler that could throw outside the uploadFile promise.

^{Reviewed by Cursor Bugbot for commit 033eb08. Bugbot is set up for automated code reviews on this repo. Configure here.}

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 6 additional findings.

[shrisukhani]

bugbot review

[shrisukhani]

@claude please review this PR and see if you can find any problems with it or it's ok to merge

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 033eb08. Configure here.}