Use prebuilt provider base images

2026-04-15 11:02:20 +00:00 · 2026-03-15 20:17:18 -07:00 · 2026-03-15 20:17:18 -07:00 · c2e5dd6038
commit c2e5dd6038
parent 5a3e185d1c
4 changed files with 209 additions and 79 deletions
--- a/examples/shared/src/docker.ts
+++ b/examples/shared/src/docker.ts
@ -6,10 +6,10 @@ import { PassThrough } from "node:stream";
 import { fileURLToPath } from "node:url";

 const __dirname = path.dirname(fileURLToPath(import.meta.url));
-const EXAMPLE_IMAGE = "sandbox-agent-examples:latest";
-const EXAMPLE_IMAGE_DEV = "sandbox-agent-examples-dev:latest";
-const DOCKERFILE_DIR = path.resolve(__dirname, "..");
-const REPO_ROOT = path.resolve(DOCKERFILE_DIR, "../..");
+const REPO_ROOT = path.resolve(__dirname, "..", "..", "..");
+
+/** Pre-built Docker image with all agents installed. */
+export const FULL_IMAGE = "rivetdev/sandbox-agent:0.3.1-full";

 export interface DockerSandboxOptions {
  /** Container port used by sandbox-agent inside Docker. */
@ -18,7 +18,7 @@ export interface DockerSandboxOptions {
  hostPort?: number;
  /** Additional shell commands to run before starting sandbox-agent. */
  setupCommands?: string[];
-  /** Docker image to use. Defaults to the pre-built sandbox-agent-examples image. */
+  /** Docker image to use. Defaults to the pre-built full image. */
  image?: string;
 }

@ -131,33 +131,44 @@ function stripAnsi(value: string): string {
  return value.replace(/[\u001B\u009B][[\]()#;?]*(?:(?:[a-zA-Z\d]*(?:;[a-zA-Z\d]*)*)?\u0007|(?:\d{1,4}(?:;\d{0,4})*)?[0-9A-ORZcf-nqry=><])/g, "");
 }

-async function ensureExampleImage(_docker: Docker): Promise<string> {
-  const dev = !!process.env.SANDBOX_AGENT_DEV;
-  const imageName = dev ? EXAMPLE_IMAGE_DEV : EXAMPLE_IMAGE;
+async function ensureImage(docker: Docker, image: string): Promise<void> {
+  const buildFromSource = () => {
+    console.log("  Building sandbox image from source (may take a while)...");
+    try {
+      execFileSync("docker", ["build", "-t", image, "-f", path.join(REPO_ROOT, "docker/runtime/Dockerfile.full"), REPO_ROOT], {
+        stdio: "inherit",
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      throw new Error(`Failed to build sandbox image: ${message}`);
+    }
+  };

-  if (dev) {
-    console.log("  Building sandbox image from source (may take a while, only runs once)...");
-    try {
-      execFileSync("docker", ["build", "-t", imageName, "-f", path.join(DOCKERFILE_DIR, "Dockerfile.dev"), REPO_ROOT], {
-        stdio: ["ignore", "ignore", "pipe"],
-      });
-    } catch (err: unknown) {
-      const stderr = err instanceof Error && "stderr" in err ? String((err as { stderr: unknown }).stderr) : "";
-      throw new Error(`Failed to build sandbox image: ${stderr}`);
-    }
-  } else {
-    console.log("  Building sandbox image (may take a while, only runs once)...");
-    try {
-      execFileSync("docker", ["build", "-t", imageName, DOCKERFILE_DIR], {
-        stdio: ["ignore", "ignore", "pipe"],
-      });
-    } catch (err: unknown) {
-      const stderr = err instanceof Error && "stderr" in err ? String((err as { stderr: unknown }).stderr) : "";
-      throw new Error(`Failed to build sandbox image: ${stderr}`);
-    }
+  if (process.env.SANDBOX_AGENT_DEV) {
+    buildFromSource();
+    return;
  }

-  return imageName;
+  try {
+    await docker.getImage(image).inspect();
+    return;
+  } catch {}
+
+  console.log(`  Pulling ${image}...`);
+  const pulled = await new Promise<boolean>((resolve) => {
+    docker.pull(image, (err: Error | null, stream: NodeJS.ReadableStream) => {
+      if (err) {
+        resolve(false);
+        return;
+      }
+      docker.modem.followProgress(stream, (progressErr: Error | null) => resolve(!progressErr));
+    });
+  });
+
+  if (!pulled) {
+    console.log(`  Could not pull ${image}; falling back to a local full-image build.`);
+    buildFromSource();
+  }
 }

 /**
@ -166,8 +177,7 @@ async function ensureExampleImage(_docker: Docker): Promise<string> {
 */
 export async function startDockerSandbox(opts: DockerSandboxOptions): Promise<DockerSandbox> {
  const { port, hostPort } = opts;
-  const useCustomImage = !!opts.image;
-  let image = opts.image ?? EXAMPLE_IMAGE;
+  const image = opts.image ?? FULL_IMAGE;
  // TODO: Replace setupCommands shell bootstrapping with native sandbox-agent exec API once available.
  const setupCommands = [...(opts.setupCommands ?? [])];
  const credentialEnv = collectCredentialEnv();
@ -197,27 +207,13 @@ export async function startDockerSandbox(opts: DockerSandboxOptions): Promise<Do

  const docker = new Docker({ socketPath: "/var/run/docker.sock" });

-  if (useCustomImage) {
-    try {
-      await docker.getImage(image).inspect();
-    } catch {
-      console.log(`  Pulling ${image}...`);
-      await new Promise<void>((resolve, reject) => {
-        docker.pull(image, (err: Error | null, stream: NodeJS.ReadableStream) => {
-          if (err) return reject(err);
-          docker.modem.followProgress(stream, (err: Error | null) => (err ? reject(err) : resolve()));
-        });
-      });
-    }
-  } else {
-    image = await ensureExampleImage(docker);
-  }
+  await ensureImage(docker, image);

  const bootCommands = [...setupCommands, `sandbox-agent server --no-token --host 0.0.0.0 --port ${port}`];

  const container = await docker.createContainer({
    Image: image,
-    WorkingDir: "/root",
+    WorkingDir: "/home/sandbox",
    Cmd: ["sh", "-c", bootCommands.join(" && ")],
    Env: [...Object.entries(credentialEnv).map(([key, value]) => `${key}=${value}`), ...Object.entries(bootstrapEnv).map(([key, value]) => `${key}=${value}`)],
    ExposedPorts: { [`${port}/tcp`]: {} },
--- a/examples/shared/src/sandbox-agent-client.ts
+++ b/examples/shared/src/sandbox-agent-client.ts
@ -4,9 +4,21 @@
 */

 export const SANDBOX_AGENT_INSTALL_VERSION = "0.3.1";
+export const SANDBOX_AGENT_IMAGE = `rivetdev/sandbox-agent:${SANDBOX_AGENT_INSTALL_VERSION}`;

 export type SandboxAgentComponent = "claude" | "codex" | "opencode" | "amp";

+const DIRECT_CREDENTIAL_KEYS = [
+  "ANTHROPIC_API_KEY",
+  "CLAUDE_API_KEY",
+  "CLAUDE_CODE_OAUTH_TOKEN",
+  "ANTHROPIC_AUTH_TOKEN",
+  "OPENAI_API_KEY",
+  "CODEX_API_KEY",
+  "CEREBRAS_API_KEY",
+  "OPENCODE_API_KEY",
+] as const;
+
 export function generateInstallCommand({
  version = SANDBOX_AGENT_INSTALL_VERSION,
  components = [],
@ -22,6 +34,45 @@ export function generateInstallCommand({
  ].join(" && ");
 }

+export function getPreinstallComponents(agent: string): SandboxAgentComponent[] {
+  return ["claude", "codex", "opencode", "amp"].includes(agent) ? [agent as SandboxAgentComponent] : [];
+}
+
+export function generateBaseImageDockerfile({
+  image = SANDBOX_AGENT_IMAGE,
+  components = [],
+}: {
+  image?: string;
+  components?: SandboxAgentComponent[];
+} = {}): string {
+  const uniqueComponents = [...new Set(components)];
+  const lines = [`FROM ${image}`];
+
+  if (uniqueComponents.includes("codex")) {
+    lines.push("USER root");
+    lines.push("RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y npm && rm -rf /var/lib/apt/lists/*");
+    lines.push("USER sandbox");
+  }
+
+  lines.push("WORKDIR /home/sandbox");
+  for (const component of uniqueComponents) {
+    lines.push(`RUN sandbox-agent install-agent ${component}`);
+  }
+
+  return `${lines.join("\n")}\n`;
+}
+
+export function buildCredentialEnv(): Record<string, string> {
+  const env: Record<string, string> = {};
+  for (const key of DIRECT_CREDENTIAL_KEYS) {
+    const value = process.env[key];
+    if (value) {
+      env[key] = value;
+    }
+  }
+  return env;
+}
+
 function normalizeBaseUrl(baseUrl: string): string {
  return baseUrl.replace(/\/+$/, "");
 }