SANDBOX_PORTS env var (#204)

packages/cli/src/gemini.ts

@@ -203,6 +203,16 @@ async function start_sandbox(sandbox: string) {
     nodeArgs.push(`--inspect-brk=0.0.0.0:${debugPort}`);
   }
 
+  // open additional ports if SANDBOX_PORTS is set
+  if (process.env.SANDBOX_PORTS) {
+    for (let port of process.env.SANDBOX_PORTS.split(',')) {
+      if ((port = port.trim())) {
+        console.log(`SANDBOX_PORTS: ${port}`);
+        args.push('-p', `${port}:${port}`);
+      }
+    }
+  }
+
   // append remaining args (image, node, node args, cli path, cli args)
   args.push(image, 'node', ...nodeArgs, cliPath, ...process.argv.slice(2));
 

scripts/start_sandbox.sh

@@ -40,7 +40,8 @@ if ! $CMD images -q "$IMAGE" | grep -q .; then
 fi
 
 # use interactive tty mode and auto-remove container on exit
-run_args=(-it --rm)
+# run init binary inside container to forward signals & reap zombies
+run_args=(-it --rm --init --workdir "$WORKDIR")
 
 # mount current directory as $WORKDIR inside container
 run_args+=(-v "$PWD:$WORKDIR")
@@ -133,10 +134,21 @@ if [ -n "${DEBUG:-}" ]; then
 fi
 node_args+=("$CLI_PATH" "$@")
 
+# open additional ports if SANDBOX_PORTS is set
+if [ -n "${SANDBOX_PORTS:-}" ]; then
+    ports=$(echo "$SANDBOX_PORTS" | tr ',' '\n')
+    for port in $ports; do
+        if [ -n "$port" ]; then
+            echo "SANDBOX_PORTS: $port"
+            run_args+=(-p "$port:$port")
+        fi
+    done
+fi
+
 # run gemini-code in sandbox container
 if [[ "$CMD" == "podman" ]]; then
     # use empty --authfile to skip unnecessary auth refresh overhead
-    $CMD run "${run_args[@]}" --init --authfile <(echo '{}') --workdir "$WORKDIR" "$IMAGE" node "${node_args[@]}"
+    $CMD run "${run_args[@]}" --authfile <(echo '{}') "$IMAGE" node "${node_args[@]}"
 else
-    $CMD run "${run_args[@]}" --init --workdir "$WORKDIR" "$IMAGE" node "${node_args[@]}"
+    $CMD run "${run_args[@]}" "$IMAGE" node "${node_args[@]}"
 fi