fix(proxy): route custom ports through Rocklet instead of direct connect

[alibabarock]

Problem

When users specify a custom port (not the default 8080) in HTTP or WebSocket proxy requests via Path/Header/Query parameters, the proxy attempts to connect directly to host_ip:{custom_port}. This fails because arbitrary container ports are not mapped to the host network.

Root Cause

In sandbox_proxy_service.py:

• http_proxy(): When a custom port is specified, it constructs target_url = f"http://{host_ip}:{port}/..." directly
• get_sandbox_websocket_url(): Same issue for WebSocket connections

However, only the default SERVER port (8080) is mapped from container to host. Custom ports like 9000, 3000 exist inside the container but are not accessible via host_ip:9000 from outside.

Solution

1. Add proxy endpoints to Rocklet (rock/rocklet/local_api.py)

• /proxy/{port}/{path} for HTTP requests
• /proxy/{port}/{path} for WebSocket connections

These endpoints run inside the container on Port.PROXY (22555) and can access localhost:{custom_port} reliably.

2. Modify sandbox_proxy_service.py to route custom ports through Rocklet

• When port is None or 8080: use direct connection (backward compatible)
• When port is custom (e.g. 9000): route through {rocklet_port}/proxy/{port}/{path}

3. Add tests

Comprehensive tests for routing logic in tests/unit/sandbox/test_proxy_custom_port_routing.py.

Impact

Users can now expose services running on arbitrary ports inside sandboxes to external clients, not just the default 8080 port. This enables scenarios like running multiple services on different ports within a single sandbox.

Testing

• Verified routing logic with mock tests
• Tested with actual sandbox on vpc-sg-a cluster
• Default port (8080) behavior unchanged (backward compatible)
• Custom ports (9000, 3000, etc.) now route through Rocklet successfully

fixes #1092

[CLAassistant]

All committers have signed the CLA.