seamless sandboxing (just set GEMINI_CODE_SANDBOX=true in .env) (#76)

2025-04-21 07:50:18 -07:00 · 2025-04-21 07:50:18 -07:00 · 39bdedab9c
parent bfb064024e
commit 39bdedab9c
7 changed files with 89 additions and 28 deletions
--- a/package.json
+++ b/package.json
@ -7,8 +7,8 @@
    "packages/*"
  ],
  "scripts": {
-    "build": "npm run build --workspaces",
-    "clean": "rm -rf node_modules && npm run clean --workspaces",
+    "build": "scripts/build.sh",
+    "clean": "scripts/clean.sh",
    "test": "npm run test --workspaces",
    "start": "scripts/start.sh",
    "debug": "scripts/debug.sh",
--- a/scripts/build.sh
+++ b/scripts/build.sh
@ -0,0 +1,16 @@
+#!/bin/bash
+set -euo pipefail
+
+# npm install if node_modules was removed (e.g. via npm run clean or scripts/clean.sh)
+if [ ! -d "node_modules" ]; then
+    npm install
+fi
+
+# build all workspaces/packages
+npm run build --workspaces
+
+# also build container image if GEMINI_CODE_SANDBOX is set (can be in .env file)
+# skip (-s) npm install + build since we did that above
+if [[ "${GEMINI_CODE_SANDBOX:-}" =~ ^(1|true)$ ]] || grep -qiE '^GEMINI_CODE_SANDBOX *= *(1|true)' .env; then
+    scripts/build_sandbox.sh -s
+fi
--- a/scripts/build_container.sh
+++ b/scripts/build_container.sh
@ -1,23 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-IMAGE=gemini-code-sandbox
-
-# use docker if installed, otherwise try to use podman instead
-if command -v docker &> /dev/null; then
-    CMD=docker
-elif command -v podman &> /dev/null; then
-    CMD=podman
-else
-    echo "ERROR: docker or podman must be installed"
-    exit 1
-fi
-
-npm install
-npm run build
-rm -f packages/cli/dist/gemini-code-cli-*.tgz
-npm pack -w @gemini-code/cli --pack-destination ./packages/cli/dist
-rm -f packages/server/dist/gemini-code-server-*.tgz
-npm pack -w @gemini-code/server --pack-destination ./packages/server/dist
-
-$CMD build -t "$IMAGE" .
--- a/scripts/build_sandbox.sh
+++ b/scripts/build_sandbox.sh
@ -0,0 +1,51 @@
+#!/bin/bash
+set -euo pipefail
+
+IMAGE=gemini-code-sandbox
+
+SKIP_NPM_INSTALL_BUILD=false
+while getopts "s" opt; do
+    case ${opt} in
+        s) SKIP_NPM_INSTALL_BUILD=true ;;
+        \?)
+            echo "usage: $(basename "$0") [-s]"
+            echo "  -s: skip npm install + npm run build"
+            exit 1
+            ;;
+    esac
+done
+shift $((OPTIND - 1))
+
+# use docker if installed, otherwise try to use podman instead
+if command -v docker &> /dev/null; then
+    CMD=docker
+elif command -v podman &> /dev/null; then
+    CMD=podman
+else
+    echo "ERROR: missing docker or podman for sandboxing"
+    exit 1
+fi
+echo "using $CMD for sandboxing"
+
+# npm install + npm run build unless skipping via -s option
+if [ "$SKIP_NPM_INSTALL_BUILD" = false ]; then
+    npm install
+    npm run build
+fi
+
+# pack cli
+echo "packing @gemini-code/cli ..."
+rm -f packages/cli/dist/gemini-code-cli-*.tgz
+npm pack -w @gemini-code/cli --pack-destination ./packages/cli/dist &> /dev/null
+
+# pack server
+echo "packing @gemini-code/server ..."
+rm -f packages/server/dist/gemini-code-server-*.tgz
+npm pack -w @gemini-code/server --pack-destination ./packages/server/dist &> /dev/null
+
+# build container image & prune older unused images
+# use empty --authfile to skip unnecessary auth refresh overhead
+echo "building $IMAGE ... (can be slow first time)"
+$CMD build --authfile <(echo '{}') -t "$IMAGE" . >/dev/null
+$CMD image prune -f
+echo "built $IMAGE"
--- a/scripts/clean.sh
+++ b/scripts/clean.sh
@ -0,0 +1,6 @@
+#!/bin/bash
+set -euo pipefail
+
+# remove npm install/build artifacts
+rm -rf node_modules
+npm run clean --workspaces
--- a/scripts/start.sh
+++ b/scripts/start.sh
@ -1,5 +1,14 @@
 #!/bin/bash
 set -euo pipefail

+# check build status, write warnings to file for app to display if needed
 node ./scripts/check-build-status.js
-node node_modules/@gemini-code/cli "$@"
+
+# if GEMINI_CODE_SANDBOX is set (can be in .env file), start in sandbox container
+if [[ "${GEMINI_CODE_SANDBOX:-}" =~ ^(1|true)$ ]] || grep -qiE '^GEMINI_CODE_SANDBOX *= *(1|true)' .env; then
+    echo "Running in sandbox container ..."
+    scripts/start_sandbox.sh "$@"
+else
+    echo "WARNING: running outside of sandbox. Set GEMINI_CODE_SANDBOX to enable sandbox."
+    node node_modules/@gemini-code/cli "$@"
+fi
--- a/scripts/start_container.sh
+++ b/scripts/start_container.sh
@ -11,8 +11,10 @@ if command -v docker &> /dev/null; then
 elif command -v podman &> /dev/null; then
    CMD=podman
 else
-    echo "ERROR: docker or podman must be installed"
+    echo "ERROR: missing docker or podman for sandboxing"
    exit 1
 fi

-$CMD run -it --rm -v"$PWD:$WORKDIR" --workdir "$WORKDIR" "$IMAGE" node "$CLI_DIST"
+# run gemini-code in sandbox container
+# use empty --authfile to skip unnecessary auth refresh overhead
+$CMD run -it --rm --authfile <(echo '{}') -v"$PWD:$WORKDIR" --workdir "$WORKDIR" "$IMAGE" node "$CLI_DIST"