diff --git a/packages/cli/src/gemini.ts b/packages/cli/src/gemini.ts index 77069e40..b8bfbc60 100644 --- a/packages/cli/src/gemini.ts +++ b/packages/cli/src/gemini.ts @@ -21,6 +21,11 @@ async function main() { const config = loadCliConfig(); let input = config.getQuestion(); + if (process.env.GEMINI_CODE_SANDBOX && !process.env.SANDBOX) { + console.log('WARNING: sandboxing is enabled, but still OUTSIDE sandbox'); + // TODO: get inside sandbox + } + // Render UI, passing necessary config values. Check that there is no command line question. if (process.stdin.isTTY && input?.length === 0) { const readUpResult = await readPackageUp({ cwd: __dirname }); diff --git a/scripts/sandbox_command.sh b/scripts/sandbox_command.sh index 81775db6..03163458 100755 --- a/scripts/sandbox_command.sh +++ b/scripts/sandbox_command.sh @@ -32,7 +32,17 @@ shift $((OPTIND - 1)) # if GEMINI_CODE_SANDBOX is not set, try to source .env in case set there -if [ -z "${GEMINI_CODE_SANDBOX:-}" ] && [ -f .env ]; then source .env; fi +# allow .env to be in any ancestor directory (same as findEnvFile in config.ts) +if [ -z "${GEMINI_CODE_SANDBOX:-}" ]; then + current_dir=$(pwd) + while [ "$current_dir" != "/" ]; do + if [ -f "$current_dir/.env" ]; then + source "$current_dir/.env" + break + fi + current_dir=$(dirname "$current_dir") + done +fi # if GEMINI_CODE_SANDBOX is still not set, then exit immediately w/ code 1 if [ -z "${GEMINI_CODE_SANDBOX:-}" ]; then exit 1; fi @@ -40,6 +50,7 @@ if [ -z "${GEMINI_CODE_SANDBOX:-}" ]; then exit 1; fi # lowercase GEMINI_CODE_SANDBOX GEMINI_CODE_SANDBOX=$(echo "${GEMINI_CODE_SANDBOX:-}" | tr '[:upper:]' '[:lower:]') +# if GEMINI_CODE_SANDBOX is set to 0 or false, then exit immediately w/ code 1 if [[ "${GEMINI_CODE_SANDBOX:-}" =~ ^(0|false)$ ]]; then exit 1 fi diff --git a/scripts/start_sandbox.sh b/scripts/start_sandbox.sh index ac8fe6e7..2146a0c8 100755 --- a/scripts/start_sandbox.sh +++ b/scripts/start_sandbox.sh 
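Review bot: The new check in main() is fail-open and disagrees with the scripts. Any non-empty GEMINI_CODE_SANDBOX counts as enabled here, while scripts/sandbox_command.sh in this commit lowercases the value and treats `0` and `false` as disabled; and when sandboxing really is requested, the CLI only prints a warning and keeps running on the host. Until the TODO is done I would normalise the value the same way and write to stderr so the message cannot end up in piped output, e.g. `console.error('WARNING: sandboxing is enabled, but still OUTSIDE sandbox');`, or exit non-zero instead of continuing. SANDBOX is a plain environment variable that any caller can set, so it works as a detection hint and not as proof of isolation. main() continues beyond this hunk.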
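Review bot: The ancestor walk in the first hunk of scripts/sandbox_command.sh `source`s the first `.env` found between the working directory and `/`, which runs that file as shell code. In a checkout or temp directory whose parent is writable by someone else, that file may not belong to the user. Only GEMINI_CODE_SANDBOX is needed here, so I would read that one key instead of sourcing, or at least require the file to be owned by the caller: `if [ -f "$current_dir/.env" ] && [ -O "$current_dir/.env" ]; then`. The loop also stops before checking `/.env`; please confirm that matches findEnvFile in config.ts, which is not visible here. The same loop is added to scripts/start_sandbox.sh, where it runs unconditionally, so the point applies there too.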
@@ -42,16 +42,27 @@ while $CMD ps -a --format "{{.Names}}" | grep -q "$IMAGE-$INDEX"; do done run_args+=(--name "$IMAGE-$INDEX" --hostname "$IMAGE-$INDEX") -# also set SANDBOX environment variable as container name -run_args+=(--env "SANDBOX=$IMAGE-$INDEX") +# if .env exists, source it before variable existence checks below +# allow .env to be in any ancestor directory (same as findEnvFile in config.ts) +current_dir=$(pwd) +while [ "$current_dir" != "/" ]; do + if [ -f "$current_dir/.env" ]; then + source "$current_dir/.env" + break + fi + current_dir=$(dirname "$current_dir") +done + +# if GEMINI_API_KEY is set, copy into container +if [ -n "${GEMINI_API_KEY:-}" ]; then run_args+=(--env GEMINI_API_KEY="$GEMINI_API_KEY"); fi # pass TERM and COLORTERM to container to maintain terminal colors -run_args+=(--env TERM --env COLORTERM) +if [ -n "${TERM:-}" ]; then run_args+=(--env TERM="$TERM"); fi +if [ -n "${COLORTERM:-}" ]; then run_args+=(--env COLORTERM="$COLORTERM"); fi -# set GEMINI_API_KEY environment variable if it exists -if [ -n "${GEMINI_API_KEY:-}" ]; then - run_args+=(--env GEMINI_API_KEY) -fi +# set SANDBOX environment variable as container name +# this is the preferred mechanism to detect if inside container/sandbox +run_args+=(--env "SANDBOX=$IMAGE-$INDEX") # enable debugging via node --inspect-brk (and $DEBUG_PORT) if DEBUG is set node_args=()
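Review bot: `run_args+=(--env GEMINI_API_KEY="$GEMINI_API_KEY")` puts the key's value into the argument list, so it is presumably readable from the process table (`ps`, `/proc/<pid>/cmdline`) for as long as the `$CMD run` client is alive; the removed name-only form left the value in the environment. The switch looks motivated by `.env` values not being exported after `source`. Exporting keeps the name-only form working: add `export GEMINI_API_KEY` after the loop and keep `run_args+=(--env GEMINI_API_KEY)`. TERM and COLORTERM are not sensitive, so their new `NAME="$VALUE"` form is fine. The command that consumes run_args is outside this hunk.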