Add API for "full" container snapshots

[gpanders]

This is part 2 of the containers snapshot API, following up from #6376 which implemented snapshotDirectory() to create a "directory snapshot". This PR implements snapshotContainer() to create a "full container" snapshot.

Conceptually, a "directory snapshot" can be thought of as an (immutable) Docker volume which can be mounted (restored) to other containers. More than one directory snapshot can be restored to a container.

A "full container snapshot" can be thought of as creating a new Docker image based on the current state of the container (this is how it is even implemented in local dev, using the Docker commit API). Only one full container snapshot can be restored into a new container, which effectively replaces the image of the container.

Directory snapshots can be restored alongside a full container snapshot.

cc @IRCody @spahl

[ask-bonk]

I'm Bonk, and I've done a quick review of your PR.

This PR adds snapshotContainer() API and local dev Docker implementation for full container snapshots, alongside renaming the existing directory snapshot fields for clarity.

1. [MEDIUM] No stale container snapshot image cleanup: warnAboutStaleSnapshotVolumes handles stale Docker volumes for directory snapshots, but there's no equivalent mechanism for stale workerd-container-snap-* images. Over time in local dev, these could accumulate. Not blocking, but worth tracking.
2. [LOW] Missing KJ_LOG in snapshotContainer: snapshotDirectory logs KJ_LOG(INFO, "created snapshot volume", ...) on success, but snapshotContainer has no corresponding log entry. Minor consistency/debugging gap.

---

This review was generated by an AI assistant and may contain inaccuracies.

[ask-bonk]

I'm Bonk, and I've done a quick review of your PR.

This PR adds snapshotContainer() API and local dev Docker implementation for full container snapshots, alongside renaming the existing directory snapshot fields for clarity.

Summary of findings posted to PR #6430:

1. [MEDIUM] No stale container snapshot image cleanup — There's a warnAboutStaleSnapshotVolumes mechanism for directory snapshot volumes, but no equivalent for workerd-container-snap-* Docker images that could accumulate over time in local dev.

2. [LOW] Missing KJ_LOG in snapshotContainer — snapshotDirectory logs on success for observability, but snapshotContainer doesn't. Posted a suggestion comment with the fix.

3. [LOW] User-facing error message — When restoring a container snapshot with a non-existent ID, the error from inspectImage ("Failed to inspect Docker image") is less clear than the directory snapshot equivalent. Posted an inline comment.

Things that looked good:

• Cap'n Proto schema changes are wire-compatible (ordinals preserved, struct renames don't affect wire format, new fields/methods are additive)
• The KJ_DEFER cleanup logic in snapshotContainer is correct — it protects the window between commitContainer and the end of the function
• parseSnapshotId using UUID::fromString is a good tightening vs. the old ad-hoc hex validation
• The validateSnapshotSize refactor eliminates duplication
• Test coverage is thorough — round-trip, named, memory unsupported, non-existent ID, directory overlay, exclude mounts, relayer, and cross-DO scenarios
• TypeScript types are correctly generated with proper experimental gating

github run

[codecov-commenter]

Codecov Report

❌ Patch coverage is 0% with 131 lines in your changes missing coverage. Please review.
✅ Project coverage is 70.89%. Comparing base (9a696e4) to head (4b14c9d).
⚠️ Report is 41 commits behind head on main.

Files with missing lines	Patch %	Lines
src/workerd/server/container-client.c++	0.00%	90 Missing ⚠️
src/workerd/api/container.c++	0.00%	41 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6430      +/-   ##
==========================================
+ Coverage   70.70%   70.89%   +0.19%     
==========================================
  Files         427      428       +1     
  Lines      117263   119644    +2381     
  Branches    18903    18962      +59     
==========================================
+ Hits        82905    84819    +1914     
- Misses      23102    23556     +454     
- Partials    11256    11269      +13     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[gpanders]

Split out the local dev (container-client.c++) implementation, so this PR only adds the API. Will open a separate PR for the local dev implementation for when the Windows compile errors are resolved.

[github-actions]

The generated output of @cloudflare/workers-types matches the snapshot in types/generated-snapshot 🎉

[gpanders]

Split out the local dev (container-client.c++) implementation, so this PR only adds the API. Will open a separate PR for the local dev implementation for when the Windows compile errors are resolved.

Since @fhanau resolved the Windows release build issues, I've added the container-client.c++ modifications back into this PR so that we have the local dev implementation now.

[kentonv]

API looks good.