runInSandbox delegates the current command to a Docker sandbox. It ensures a sandbox exists (creating or recreating as needed), then executes docker agent inside it via the sandbox exec command. agentCfg, when non-nil, is the parsed agent config already loaded by resolveSandboxDefault and is used t
(ctx context.Context, cmd *cobra.Command, args []string, runConfig *config.RuntimeConfig, template string, preferSbx, noKit bool, agentCfg *latestcfg.Config)
| 117 | // resolveSandboxDefault and is used to read runtime.network_allowlist |
| 118 | // without re-resolving the ref. |
| 119 | func runInSandbox(ctx context.Context, cmd *cobra.Command, args []string, runConfig *config.RuntimeConfig, template string, preferSbx, noKit bool, agentCfg *latestcfg.Config) error { |
| 120 | if environment.InSandbox() { |
| 121 | return fmt.Errorf("already running inside a Docker sandbox (VM %s)", os.Getenv("SANDBOX_VM_ID")) |
| 122 | } |
| 123 | |
| 124 | backend := sandbox.NewBackend(preferSbx) |
| 125 | |
| 126 | if err := backend.CheckAvailable(ctx); err != nil { |
| 127 | return err |
| 128 | } |
| 129 | |
| 130 | var agentRef string |
| 131 | if len(args) > 0 { |
| 132 | agentRef = args[0] |
| 133 | } |
| 134 | |
| 135 | configDir := paths.GetConfigDir() |
| 136 | dockerAgentArgs := dockerAgentArgs(cmd, args, configDir) |
| 137 | |
| 138 | stopTokenWriter := sandbox.StartTokenWriterIfNeeded(ctx, configDir, runConfig.ModelsGateway) |
| 139 | defer stopTokenWriter() |
| 140 | |
| 141 | // Resolve wd to an absolute path so that it matches the absolute |
| 142 | // workspace paths returned by `docker sandbox ls --json`. |
| 143 | wd, err := filepath.Abs(cmp.Or(runConfig.WorkingDir, ".")) |
| 144 | if err != nil { |
| 145 | return fmt.Errorf("resolving workspace path: %w", err) |
| 146 | } |
| 147 | |
| 148 | envProvider := environment.NewDefaultProvider() |
| 149 | |
| 150 | extras := []string{sandbox.ExtraWorkspace(wd, agentRef)} |
| 151 | |
| 152 | var kitResult *kit.Result |
| 153 | if !noKit && agentRef != "" { |
| 154 | kitResult, err = kit.Build(ctx, kit.Options{ |
| 155 | AgentRef: agentRef, |
| 156 | EnvProvider: envProvider, |
| 157 | HostCwd: wd, |
| 158 | Workspace: wd, |
| 159 | }) |
| 160 | if err != nil { |
| 161 | slog.WarnContext(ctx, "docker-agent kit build failed; continuing without kit", "error", err) |
| 162 | } else { |
| 163 | kitResult.PrintSummary(cmd.OutOrStdout()) |
| 164 | extras = append(extras, kitResult.HostDir) |
| 165 | // We deliberately keep the kit on disk between runs: |
| 166 | // the docker sandbox we reuse across runs holds a hard |
| 167 | // reference to the kit's bind-mount path — deleting the |
| 168 | // dir would leave the sandbox un-startable. The kit lives |
| 169 | // in the cache dir keyed on a content hash, so the next |
| 170 | // run for the same agent overwrites it in place; disk |
| 171 | // usage is bounded by the number of distinct agents the |
| 172 | // user has run. |
| 173 | } |
| 174 | } |
| 175 | |
| 176 | agentHosts := agentNetworkAllowlist(ctx, agentCfg) |
no test coverage detected