From 5e34d9e2764da1251eb777f4f32e5cf1804ee949 Mon Sep 17 00:00:00 2001
From: Olcan <olcans@gmail.com>
Date: Tue, 22 Apr 2025 13:51:50 -0700
Subject: [PATCH] Refactor_sandbox_command (#121)

---
 README.md                  |  4 +--
 scripts/build.sh           |  5 ++-
 scripts/build_sandbox.sh   | 19 +++++-------
 scripts/sandbox.sh         | 17 ++++------
 scripts/sandbox_command.sh | 63 ++++++++++++++++++++++++++++++++++++++
 scripts/start.sh           |  8 ++---
 scripts/start_sandbox.sh   | 16 ++++------
 7 files changed, 90 insertions(+), 42 deletions(-)
 create mode 100755 scripts/sandbox_command.sh

diff --git a/README.md b/README.md
index 2b9a8c79..39004691 100644
--- a/README.md
+++ b/README.md
@@ -76,7 +76,7 @@ Chances are you will need to manually address errors output. You can also try `n
 
 ## Sandboxing
 
-To enable sandboxing, set `GEMINI_CODE_SANDBOX=true` in your environment or `.env` file. Once enabled, `npm run build` will build a minimal container ("sandbox") image and `npm start` will launch inside a fresh instance of that container. Requires either `docker` or `podman` to be installed on host machine.
+To enable sandboxing, set `GEMINI_CODE_SANDBOX=true|docker|podman|<command>` in your environment or `.env` file. Once enabled, `npm run build` will build a minimal container ("sandbox") image and `npm start` will launch inside a fresh instance of that container. Requires the specified command (or if `true` then either `docker` or `podman`) to be available on host machine.
 
 The sandbox (container) mounts the current directory with read-write access and is started/stopped/removed automatically as you start/stop Gemini Code. You can tell you are inside the sandbox with the `cwd` being reported as `/sandbox/<project>`. Files created within the sandbox should be automatically mapped to your user/group on host machine.
 
@@ -86,4 +86,4 @@ You can customize the sandbox in `Dockerfile` (e.g. for pre-installed utilities)
 
 ### Attaching from VSCode
 
-You can have VSCode (or forks) attach to a running sandbox using the [Dev Containers](https://marketplace.cursorapi.com/items?itemName=ms-vscode-remote.remote-containers) extension. Simply use `Dev Containers: Attach to Running Container ...` command and select your container named `gemini-code-sandbox-#`. Once attached you can open the project folder at `/sandbox/<project>`. You may need the VSCode setting `dev.containers.dockerPath` to be `podman` if using `podman`. Without this setting you may be prompted to install Docker.
+You can have VSCode (or forks) attach to a running sandbox using the [Dev Containers](https://marketplace.cursorapi.com/items?itemName=ms-vscode-remote.remote-containers) extension. Simply use `Dev Containers: Attach to Running Container ...` command and select your container named `gemini-code-sandbox-#`. Once attached you can open the project folder at `/sandbox/<project>`. You may need to set the VSCode setting `dev.containers.dockerPath` (e.g. to `podman`) if you are not using Docker, and otherwise you may be prompted by the extension to install Docker if missing from your system.
diff --git a/scripts/build.sh b/scripts/build.sh
index c959f1b6..46304919 100755
--- a/scripts/build.sh
+++ b/scripts/build.sh
@@ -23,9 +23,8 @@ fi
 # build all workspaces/packages
 npm run build --workspaces
 
-# also build container image if GEMINI_CODE_SANDBOX is set (can be in .env file)
+# also build container image if sandboxing is enabled
 # skip (-s) npm install + build since we did that above
-if [[ "${GEMINI_CODE_SANDBOX:-}" =~ ^(1|true)$ ]] || \
-   { [ -f .env ] && grep -qiE '^GEMINI_CODE_SANDBOX *= *(1|true)' .env; }; then
+if scripts/sandbox_command.sh -q; then
     scripts/build_sandbox.sh -s
 fi
diff --git a/scripts/build_sandbox.sh b/scripts/build_sandbox.sh
index f1e85e24..a18af1fe 100755
--- a/scripts/build_sandbox.sh
+++ b/scripts/build_sandbox.sh
@@ -15,6 +15,14 @@
 
 set -euo pipefail
 
+if ! scripts/sandbox_command.sh -q; then
+    echo "ERROR: sandboxing disabled. See README.md to enable sandboxing."
+    exit 1
+fi
+
+CMD=$(scripts/sandbox_command.sh)
+echo "using $CMD for sandboxing"
+
 IMAGE=gemini-code-sandbox
 
 SKIP_NPM_INSTALL_BUILD=false
@@ -30,17 +38,6 @@ while getopts "s" opt; do
 done
 shift $((OPTIND - 1))
 
-# use docker if installed, otherwise try to use podman instead
-if command -v docker &> /dev/null; then
-    CMD=docker
-elif command -v podman &> /dev/null; then
-    CMD=podman
-else
-    echo "ERROR: missing docker or podman for sandboxing"
-    exit 1
-fi
-echo "using $CMD for sandboxing"
-
 # npm install + npm run build unless skipping via -s option
 if [ "$SKIP_NPM_INSTALL_BUILD" = false ]; then
     npm install
diff --git a/scripts/sandbox.sh b/scripts/sandbox.sh
index 44efe9b9..c851da08 100755
--- a/scripts/sandbox.sh
+++ b/scripts/sandbox.sh
@@ -15,6 +15,11 @@
 
 set -euo pipefail
 
+if ! scripts/sandbox_command.sh -q; then
+    echo "ERROR: sandboxing disabled. See README.md to enable sandboxing."
+    exit 1
+fi
+
 # parse flags
 interactive=false
 while getopts "i" opt; do
@@ -36,18 +41,8 @@ while getopts "i" opt; do
 done
 shift $((OPTIND - 1))
 
-
 IMAGE=gemini-code-sandbox
-
-# use docker if installed, otherwise try to use podman instead
-if command -v docker &> /dev/null; then
-    CMD=docker
-elif command -v podman &> /dev/null; then
-    CMD=podman
-else
-    echo "ERROR: missing docker or podman for sandboxing"
-    exit 1
-fi
+CMD=$(scripts/sandbox_command.sh)
 
 # list all containers running on sandbox image
 sandboxes=()
diff --git a/scripts/sandbox_command.sh b/scripts/sandbox_command.sh
new file mode 100755
index 00000000..372d0d50
--- /dev/null
+++ b/scripts/sandbox_command.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# usage: scripts/sandbox_command.sh [-q]
+#    -q: quiet mode (do not print command, just exit w/ code 0 or 1)
+
+set -euo pipefail
+
+# parse flags
+QUIET=false
+while getopts ":q" opt; do
+    case ${opt} in
+        q ) QUIET=true ;;
+        \? ) echo "Usage: $0 [-q]"
+            exit 1
+            ;;
+    esac
+done
+shift $((OPTIND - 1))
+
+
+# if GEMINI_CODE_SANDBOX is not set, try to source .env in case set there
+if [ -z "${GEMINI_CODE_SANDBOX:-}" ]; then source .env; fi
+
+# if GEMINI_CODE_SANDBOX is still not set, then exit immediately w/ code 1
+if [ -z "${GEMINI_CODE_SANDBOX:-}" ]; then exit 1; fi
+
+# lowercase GEMINI_CODE_SANDBOX
+GEMINI_CODE_SANDBOX=$(echo "${GEMINI_CODE_SANDBOX:-}" | tr '[:upper:]' '[:lower:]')
+
+# if GEMINI_CODE_SANDBOX is set to 1 or true, then try to use docker or podman
+if [[ "${GEMINI_CODE_SANDBOX:-}" =~ ^(1|true)$ ]]; then
+    if command -v docker &> /dev/null; then
+        if [ "$QUIET" = false ]; then echo "docker"; fi
+        exit 0
+    elif command -v podman &> /dev/null; then
+        if [ "$QUIET" = false ]; then echo "podman"; fi
+        exit 0
+    else
+        echo "ERROR: install docker or podman or specify command in GEMINI_CODE_SANDBOX" >&2
+        exit 1
+    fi
+fi
+
+if ! command -v "$GEMINI_CODE_SANDBOX" &> /dev/null; then
+    echo "ERROR: missing sandbox command '$GEMINI_CODE_SANDBOX' (from GEMINI_CODE_SANDBOX)" >&2
+    exit 1
+fi
+
+if [ "$QUIET" = false ]; then echo "$GEMINI_CODE_SANDBOX"; fi
+exit 0
diff --git a/scripts/start.sh b/scripts/start.sh
index c4c57f3c..03c52c79 100755
--- a/scripts/start.sh
+++ b/scripts/start.sh
@@ -18,13 +18,11 @@ set -euo pipefail
 # check build status, write warnings to file for app to display if needed
 node ./scripts/check-build-status.js
 
-# if GEMINI_CODE_SANDBOX is set (can be in .env file), start in sandbox container
-if [[ "${GEMINI_CODE_SANDBOX:-}" =~ ^(1|true)$ ]] || \
-   { [ -f .env ] && grep -qiE '^GEMINI_CODE_SANDBOX *= *(1|true)' .env; }; then
-    echo "Running in sandbox container ..."
+# if sandboxing is enabled, start in sandbox container
+if scripts/sandbox_command.sh -q; then
     scripts/start_sandbox.sh "$@"
 else
-    echo "WARNING: running outside of sandbox. Set GEMINI_CODE_SANDBOX to enable sandbox."
+    echo "WARNING: OUTSIDE SANDBOX. See README.md to enable sandboxing."
     if [ -n "${DEBUG:-}" ]; then
         node --inspect-brk node_modules/@gemini-code/cli "$@"
     else
diff --git a/scripts/start_sandbox.sh b/scripts/start_sandbox.sh
index 236b1621..f9b3075a 100755
--- a/scripts/start_sandbox.sh
+++ b/scripts/start_sandbox.sh
@@ -15,21 +15,17 @@
 
 set -euo pipefail
 
+if ! scripts/sandbox_command.sh -q; then
+    echo "ERROR: sandboxing disabled. See README.md to enable sandboxing."
+    exit 1
+fi
+
+CMD=$(scripts/sandbox_command.sh)
 IMAGE=gemini-code-sandbox
 WORKDIR=/sandbox/$(basename "$PWD")
 CLI_PATH=/usr/local/share/npm-global/lib/node_modules/\@gemini-code/cli
 DEBUG_PORT=9229
 
-# use docker if installed, otherwise try to use podman instead
-if command -v docker &> /dev/null; then
-    CMD=docker
-elif command -v podman &> /dev/null; then
-    CMD=podman
-else
-    echo "ERROR: missing docker or podman for sandboxing"
-    exit 1
-fi
-
 # use interactive tty mode and auto-remove container on exit
 run_args=(-it --rm)