@kokorolx/ai-sandbox-wrapper 1.0.0

package/lib/install-codex.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+set -e
+
+# Codex CLI installer: OpenAI's terminal coding agent
+TOOL="codex"
+
+echo "Installing $TOOL (OpenAI Codex CLI)..."
+
+# Create directories
+mkdir -p "dockerfiles/$TOOL"
+mkdir -p "$HOME/.ai-cache/$TOOL"
+mkdir -p "$HOME/.ai-home/$TOOL"
+
+# Create Dockerfile (extends base image for faster builds)
+cat <<'EOF' > "dockerfiles/$TOOL/Dockerfile"
+FROM ai-base:latest
+USER root
+RUN mkdir -p /usr/local/lib/codex && \
+    cd /usr/local/lib/codex && \
+    bun init -y && \
+    bun add @openai/codex && \
+    ln -s /usr/local/lib/codex/node_modules/.bin/codex /usr/local/bin/codex
+USER agent
+ENTRYPOINT ["codex"]
+EOF
+
+# Build image
+echo "Building Docker image for $TOOL..."
+docker build -t "ai-$TOOL:latest" "dockerfiles/$TOOL"
+
+echo "✅ $TOOL installed"
+echo ""
+echo "Features:"
+echo "  ✓ OpenAI's official terminal agent"
+echo "  ✓ GPT-4 and Codex models"
+echo "  ✓ Multi-file code generation"
+echo "  ✓ Terminal command execution"
+echo ""
+echo "Usage: ai-run codex"
+echo "Auth: Set OPENAI_API_KEY environment variable"

package/lib/install-droid.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -e
+
+echo "Installing droid (Factory CLI)..."
+
+# Create directories
+mkdir -p "dockerfiles/droid"
+mkdir -p "$HOME/.ai-cache/droid"
+mkdir -p "$HOME/.ai-home/droid"
+
+# Create Dockerfile with curl install
+cat <<'EOF' > "dockerfiles/droid/Dockerfile"
+FROM ai-base:latest
+USER root
+RUN mkdir -p /home/agent/.factory && \
+    bash -c "curl -fsSL https://app.factory.ai/cli | sh" && \
+    mv /home/agent/.local/bin/droid /usr/local/bin/droid && \
+    chown -R agent:agent /home/agent/.factory
+USER agent
+ENTRYPOINT ["bash", "-c", "exec droid \"$@\"", "--"]
+EOF
+
+# Build image
+echo "Building Docker image for droid..."
+docker build -t "ai-droid:latest" "dockerfiles/droid"
+
+echo "✅ droid installed"

package/lib/install-gemini.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -e
+
+# Gemini CLI installer: Google's AI coding agent
+TOOL="gemini"
+
+echo "Installing $TOOL (Google Gemini CLI)..."
+
+# Create directories
+mkdir -p "dockerfiles/$TOOL"
+mkdir -p "$HOME/.ai-cache/$TOOL"
+mkdir -p "$HOME/.ai-home/$TOOL"
+
+# Create Dockerfile (extends base image for faster builds)
+cat <<'EOF' > "dockerfiles/$TOOL/Dockerfile"
+FROM ai-base:latest
+USER root
+RUN mkdir -p /usr/local/lib/gemini && \
+    cd /usr/local/lib/gemini && \
+    bun init -y && \
+    bun add @google/gemini-cli && \
+    ln -s /usr/local/lib/gemini/node_modules/.bin/gemini /usr/local/bin/gemini
+USER agent
+ENTRYPOINT ["gemini"]
+EOF
+
+# Build image
+echo "Building Docker image for $TOOL..."
+docker build -t "ai-$TOOL:latest" "dockerfiles/$TOOL"
+
+echo "✅ $TOOL installed"
+echo ""
+echo "Features:"
+echo "  ✓ Free tier with Gemini 2.5 Pro"
+echo "  ✓ MCP (Model Context Protocol) support"
+echo "  ✓ Google Search grounding"
+echo ""
+echo "Usage: ai-run gemini"
+echo "Auth: Set GOOGLE_API_KEY or use 'gemini auth'"

package/lib/install-jules.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+set -e
+
+# Jules CLI installer: Google's AI coding assistant
+TOOL="jules"
+
+echo "Installing $TOOL (Google Jules CLI)..."
+
+# Create directories
+mkdir -p "dockerfiles/$TOOL"
+mkdir -p "$HOME/.ai-cache/$TOOL"
+mkdir -p "$HOME/.ai-home/$TOOL"
+
+# Create Dockerfile
+cat <<'EOF' > "dockerfiles/$TOOL/Dockerfile"
+FROM ai-base:latest
+USER root
+
+# Install Jules CLI to a non-shadowed path
+RUN mkdir -p /usr/local/lib/jules && \
+    cd /usr/local/lib/jules && \
+    bun init -y && \
+    bun add @google/jules && \
+    ln -s /usr/local/lib/jules/node_modules/.bin/jules /usr/local/bin/jules
+
+USER agent
+ENTRYPOINT ["jules"]
+EOF
+
+# Build image
+echo "Building Docker image for $TOOL..."
+docker build -t "ai-$TOOL:latest" "dockerfiles/$TOOL"
+
+echo "✅ $TOOL installed"
+echo ""
+echo "Usage: ai-run jules"

package/lib/install-kilo.sh

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+set -e
+
+# Kilo Code installer: Multi-model AI coding agent
+# Note: Uses npm instead of bun due to cheerio dependency resolution issue
+TOOL="kilo"
+
+echo "Installing $TOOL (Kilo Code CLI)..."
+
+# Create directories
+mkdir -p "dockerfiles/$TOOL"
+mkdir -p "$HOME/.ai-cache/$TOOL"
+mkdir -p "$HOME/.ai-home/$TOOL"
+
+# Create Dockerfile - use Node.js for this tool due to Bun compatibility issue
+cat <<'EOF' > "dockerfiles/$TOOL/Dockerfile"
+FROM node:22-slim
+
+# Install dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    curl \
+    ssh \
+    ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Kilo Code CLI as root
+RUN npm install -g @kilocode/cli
+
+# Create workspace
+WORKDIR /workspace
+
+# Create worker user
+RUN useradd -m -u 1001 -d /home/agent agent && \
+    chown -R agent:agent /workspace
+
+USER agent
+ENV HOME=/home/agent
+
+# Kilo uses 'kilocode' as entrypoint
+ENTRYPOINT ["kilocode"]
+EOF
+
+# Build image
+echo "Building Docker image for $TOOL..."
+docker build -t "ai-$TOOL:latest" "dockerfiles/$TOOL"
+
+echo "✅ $TOOL installed"
+echo ""
+echo "Features:"
+echo "  ✓ 500+ AI models supported"
+echo "  ✓ Parallel agents with git worktrees"
+echo "  ✓ Orchestrator mode for complex tasks"
+echo "  ✓ Multiple modes: ask, architect, code, debug"
+echo ""
+echo "Usage: ai-run kilo"
+echo "Modes: ai-run kilo --mode architect"

package/lib/install-opencode.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -e
+
+# OpenCode installer: Open-source AI coding tool (Native Go Binary)
+TOOL="opencode"
+
+echo "Installing $TOOL (OpenCode AI - Native Go Binary)..."
+
+# Create directories
+mkdir -p "dockerfiles/$TOOL"
+mkdir -p "$HOME/.ai-cache/$TOOL"
+mkdir -p "$HOME/.ai-home/$TOOL"
+
+# Create Dockerfile using official native installer (Go binary)
+cat <<'EOF' > "dockerfiles/$TOOL/Dockerfile"
+FROM ai-base:latest
+
+USER root
+# Install OpenCode using official native installer
+RUN curl -fsSL https://opencode.ai/install | bash && \
+    mv /home/agent/.opencode/bin/opencode /usr/local/bin/opencode && \
+    rm -rf /home/agent/.opencode
+
+USER agent
+ENTRYPOINT ["opencode"]
+EOF
+
+# Build image
+echo "Building Docker image for $TOOL (native binary)..."
+docker build -t "ai-$TOOL:latest" "dockerfiles/$TOOL"
+
+echo "✅ $TOOL installed (Native Go Binary)"
+echo ""
+echo "Features:"
+echo "  ✓ Native Go binary (no Node.js)"
+echo "  ✓ Multi-model flexibility"
+echo "  ✓ Terminal-based TUI workflow"
+echo ""
+echo "Usage: ai-run opencode"

package/lib/install-qoder.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -e
+
+# Qoder CLI installer: Qoder's AI coding assistant
+TOOL="qoder"
+
+echo "Installing $TOOL (Qoder AI CLI)..."
+
+# Create directories
+mkdir -p "dockerfiles/$TOOL"
+mkdir -p "$HOME/.ai-cache/$TOOL"
+mkdir -p "$HOME/.ai-home/$TOOL"
+
+# Create Dockerfile
+cat <<'EOF' > "dockerfiles/$TOOL/Dockerfile"
+FROM ai-base:latest
+USER root
+
+# Install Qoder CLI to a non-shadowed path
+RUN mkdir -p /usr/local/lib/qoder && \
+    cd /usr/local/lib/qoder && \
+    bun init -y && \
+    bun add @qoder-ai/qodercli && \
+    ln -s /usr/local/lib/qoder/node_modules/.bin/qodercli /usr/local/bin/qoder
+
+USER agent
+ENTRYPOINT ["qoder"]
+EOF
+
+# Build image
+echo "Building Docker image for $TOOL..."
+docker build -t "ai-$TOOL:latest" "dockerfiles/$TOOL"
+
+echo "✅ $TOOL installed"
+echo ""
+echo "Usage: ai-run qoder"
+echo "Auth: Set QODER_API_KEY environment variable"

package/lib/install-qwen.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+set -e
+
+# Qwen Code installer: Alibaba's AI coding agent
+TOOL="qwen"
+
+echo "Installing $TOOL (Alibaba Qwen Code CLI)..."
+
+# Create directories
+mkdir -p "dockerfiles/$TOOL"
+mkdir -p "$HOME/.ai-cache/$TOOL"
+mkdir -p "$HOME/.ai-home/$TOOL"
+
+# Create Dockerfile (extends base image for faster builds)
+cat <<'EOF' > "dockerfiles/$TOOL/Dockerfile"
+FROM ai-base:latest
+USER root
+# Install qwen-code in a dedicated directory and symlink to /usr/local/bin
+RUN mkdir -p /usr/local/lib/qwen && \
+    cd /usr/local/lib/qwen && \
+    bun init -y && \
+    bun add @qwen-code/qwen-code@latest tiktoken && \
+    ln -s /usr/local/lib/qwen/node_modules/.bin/qwen /usr/local/bin/qwen
+USER agent
+ENTRYPOINT ["qwen"]
+EOF
+
+# Build image
+echo "Building Docker image for $TOOL..."
+docker build -t "ai-$TOOL:latest" "dockerfiles/$TOOL"
+
+echo "✅ $TOOL installed"
+echo ""
+echo "Features:"
+echo "  ✓ Qwen3-Coder model (1M context)"
+echo "  ✓ Agentic programming workflows"
+echo "  ✓ Multi-file code editing"
+echo ""
+echo "Usage: ai-run qwen"
+echo "Auth: Set DASHSCOPE_API_KEY or configure endpoint"

package/lib/install-shai.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -e
+
+# SHAI CLI installer: OVHcloud's AI agent
+TOOL="shai"
+
+echo "Installing $TOOL (OVHcloud SHAI)..."
+
+# Create directories
+mkdir -p "dockerfiles/$TOOL"
+mkdir -p "$HOME/.ai-cache/$TOOL"
+mkdir -p "$HOME/.ai-home/$TOOL"
+
+# Create Dockerfile
+cat <<'EOF' > "dockerfiles/$TOOL/Dockerfile"
+FROM ai-base:latest
+USER root
+
+# Install SHAI native binary and relocate to /usr/local/bin
+RUN curl -fsSL https://raw.githubusercontent.com/ovh/shai/main/install.sh | bash && \
+    mv /home/agent/.local/bin/shai /usr/local/bin/shai
+
+USER agent
+ENTRYPOINT ["shai"]
+EOF
+
+# Build image
+echo "Building Docker image for $TOOL..."
+docker build -t "ai-$TOOL:latest" "dockerfiles/$TOOL"
+
+echo "✅ $TOOL installed"
+echo ""
+echo "Usage: ai-run shai"

package/lib/install-tool.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+set -e
+
+# Generic tool installer: ./install-tool.sh <tool> <npm-package> <entrypoint>
+# Uses Bun runtime for 2x faster startup
+TOOL="$1"
+NPM_PACKAGE="$2"
+ENTRYPOINT="${3:-$TOOL}"
+
+if [[ -z "$TOOL" || -z "$NPM_PACKAGE" ]]; then
+  echo "Usage: $0 <tool> <npm-package> [entrypoint]"
+  exit 1
+fi
+
+echo "Installing $TOOL..."
+
+# Create directories
+mkdir -p "dockerfiles/$TOOL"
+mkdir -p "$HOME/.ai-cache/$TOOL"
+mkdir -p "$HOME/.ai-home/$TOOL"
+
+# Create Dockerfile using Bun
+cat <<EOF > "dockerfiles/$TOOL/Dockerfile"
+FROM ai-base:latest
+USER root
+RUN mkdir -p /usr/local/lib/$TOOL && \
+    cd /usr/local/lib/$TOOL && \
+    bun init -y && \
+    bun add $NPM_PACKAGE && \
+    ln -s /usr/local/lib/$TOOL/node_modules/.bin/$ENTRYPOINT /usr/local/bin/$ENTRYPOINT
+USER agent
+ENTRYPOINT ["$ENTRYPOINT"]
+EOF
+
+# Build image
+echo "Building Docker image for $TOOL..."
+docker build -t "ai-$TOOL:latest" "dockerfiles/$TOOL"
+
+echo "✅ $TOOL installed"
+

package/lib/install-vscode.sh

@@ -0,0 +1,219 @@
+#!/usr/bin/env bash
+set -e
+
+# VSCode Server installer: Headless VSCode in browser
+TOOL="vscode"
+VSCODE_PORT="${VSCODE_PORT:-8000}"
+
+echo "Installing $TOOL (VSCode Server - browser-based)..."
+
+# Create directories
+mkdir -p "dockerfiles/$TOOL"
+mkdir -p "$HOME/.ai-cache/$TOOL"
+mkdir -p "$HOME/.ai-home/$TOOL"
+
+# Create Dockerfile for VSCode Desktop (with X11 forwarding)
+cat <<'EOF' > "dockerfiles/$TOOL/Dockerfile"
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install VSCode Desktop dependencies (GTK, X11, OpenGL, and other required libraries)
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    wget \
+    ca-certificates \
+    gnupg2 \
+    libgtk-3-0 \
+    libgbm1 \
+    libnss3 \
+    libxss1 \
+    libasound2 \
+    libx11-xcb1 \
+    libxcb-dri3-0 \
+    libdrm2 \
+    libxshmfence1 \
+    libxkbfile1 \
+    libsecret-1-0 \
+    libatk1.0-0 \
+    libatk-bridge2.0-0 \
+    libcups2 \
+    libxcomposite1 \
+    libxdamage1 \
+    libxrandr2 \
+    libpango-1.0-0 \
+    libcairo2 \
+    libxfixes3 \
+    libnotify4 \
+    fonts-liberation \
+    xdg-utils \
+    libgl1 \
+    libegl1 \
+    libgl1-mesa-dri \
+    libglx-mesa0 \
+    mesa-utils \
+    dbus \
+    dbus-x11 \
+    && rm -rf /var/lib/apt/lists/*
+
+# Download and install VSCode Desktop
+RUN ARCH=$(dpkg --print-architecture) && \
+    echo "Downloading VSCode Desktop for ${ARCH}..." && \
+    wget -q -O /tmp/vscode.deb "https://code.visualstudio.com/sha/download?build=stable&os=linux-deb-${ARCH}" && \
+    apt-get update && apt-get install -y /tmp/vscode.deb && \
+    rm /tmp/vscode.deb && \
+    rm -rf /var/lib/apt/lists/* && \
+    echo "VSCode Desktop installed successfully"
+
+# Create directories
+RUN mkdir -p /workspace /tmp /home/vscode/.config/Code /run/dbus
+WORKDIR /workspace
+
+# Non-root user (use UID 1001 to avoid conflicts)
+RUN useradd -m -u 1001 -d /home/vscode vscode && \
+    chown -R vscode:vscode /workspace /tmp /home/vscode
+
+USER vscode
+
+# Set home directory
+ENV HOME=/home/vscode
+
+# Start VSCode Desktop with software rendering (no GPU)
+ENTRYPOINT ["/usr/share/code/code", "--no-sandbox", "--disable-gpu"]
+CMD ["/workspace"]
+EOF
+
+# Build image
+echo "Building Docker image for $TOOL..."
+docker build -t "ai-$TOOL:latest" "dockerfiles/$TOOL"
+
+# Create wrapper script
+cat <<'EOF' > "$HOME/bin/vscode-run"
+#!/usr/bin/env bash
+# VSCode Desktop launcher with X11 forwarding
+
+set -e
+
+WORKSPACES_FILE="$HOME/.ai-workspaces"
+CONTAINER_NAME="ai-vscode-sandbox-$$"
+
+if [ ! -f "$WORKSPACES_FILE" ]; then
+    echo "Error: No workspaces configured. Run setup.sh first." >&2
+    exit 1
+fi
+
+# Detect OS for X11 setup
+OS_TYPE=$(uname -s)
+
+# Build volume mounts from whitelisted workspaces
+VOLUME_MOUNTS=""
+WS_INDEX=0
+while IFS= read -r ws; do
+    if [ -n "$ws" ] && [ -d "$ws" ]; then
+        VOLUME_MOUNTS="$VOLUME_MOUNTS -v $ws:/workspace/workspace-$WS_INDEX"
+        WS_INDEX=$((WS_INDEX + 1))
+    fi
+done < "$WORKSPACES_FILE"
+
+if [ $WS_INDEX -eq 0 ]; then
+    echo "Error: No valid workspaces found in $WORKSPACES_FILE" >&2
+    exit 1
+fi
+
+echo "🔒 Starting containerized VSCode Desktop (strict sandbox)..."
+echo ""
+echo "Mounted workspaces:"
+WS_INDEX=0
+while IFS= read -r ws; do
+    if [ -n "$ws" ] && [ -d "$ws" ]; then
+        echo "  ✓ $ws → /workspace/workspace-$WS_INDEX"
+        WS_INDEX=$((WS_INDEX + 1))
+    fi
+done < "$WORKSPACES_FILE"
+echo ""
+
+# Setup X11 forwarding based on OS
+X11_OPTS=""
+if [ "$OS_TYPE" = "Darwin" ]; then
+    # macOS: Check if XQuartz is running
+    if ! pgrep -q Xquartz 2>/dev/null && ! pgrep -q X11 2>/dev/null; then
+        echo "⚠️  XQuartz not detected. Starting XQuartz..."
+        open -a XQuartz
+        sleep 3
+    fi
+
+    # Configure XQuartz to allow network connections (needed for Docker)
+    defaults write org.xquartz.X11 nolisten_tcp -bool false 2>/dev/null || true
+
+    # Allow connections from localhost
+    xhost + localhost 2>/dev/null || true
+    xhost + 127.0.0.1 2>/dev/null || true
+
+    # Use TCP connection for X11 (Docker Desktop on macOS can't use Unix sockets)
+    X11_OPTS="-e DISPLAY=host.docker.internal:0"
+
+elif [ "$OS_TYPE" = "Linux" ]; then
+    # Linux: Use host X11 socket directly
+    X11_OPTS="-v /tmp/.X11-unix:/tmp/.X11-unix -e DISPLAY=$DISPLAY"
+
+    # Allow local Docker connections
+    xhost +local:docker 2>/dev/null || true
+fi
+
+echo "🚀 Launching VSCode Desktop in sandbox container..."
+echo ""
+
+# STRICT SANDBOX SECURITY:
+# - Read-only filesystem (except /workspace, /tmp, /home/vscode)
+# - No host environment variables (except DISPLAY)
+# - No access to host files outside volumes
+# - Non-root user
+
+docker run \
+    --rm \
+    --name "$CONTAINER_NAME" \
+    $VOLUME_MOUNTS \
+    $X11_OPTS \
+    --tmpfs /tmp:exec \
+    --tmpfs /run \
+    --tmpfs /home/vscode/.config:uid=1001,gid=1001 \
+    --tmpfs /home/vscode/.vscode:uid=1001,gid=1001 \
+    -e HOME=/home/vscode \
+    -e PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
+    -u 1001:1001 \
+    -w /workspace \
+    "ai-vscode:latest"
+
+echo ""
+echo "✅ VSCode Desktop closed"
+echo "🧹 Sandbox cleaned up"
+EOF
+
+chmod +x "$HOME/bin/vscode-run"
+
+echo "✅ $TOOL installed (VSCode Desktop with X11)"
+echo ""
+echo "Created files:"
+echo "  - Docker image: ai-$TOOL:latest"
+echo "  - Wrapper script: $HOME/bin/vscode-run"
+echo ""
+echo "Requirements (macOS):"
+echo "  - XQuartz: brew install xquartz"
+echo "  - Log out and log back in after installing XQuartz"
+echo ""
+echo "Security Features:"
+echo "  ✓ No host environment variables visible (except DISPLAY)"
+echo "  ✓ No access to host filesystem outside volumes"
+echo "  ✓ Runs as non-root user"
+echo "  ✓ Terminal in VSCode is sandboxed"
+echo ""
+echo "Usage:"
+echo "  vscode-run"
+echo "  # Opens VSCode Desktop in a sandboxed container"
+echo ""
+echo "Whitelisted Workspaces:"
+while IFS= read -r ws; do
+    if [ -n "$ws" ] && [ -d "$ws" ]; then
+        echo "  - $ws"
+    fi
+done < "$WORKSPACES_FILE"
+