CLI Sandbox Integration (#354)

Author: nsosio

.cursor/rules/general.mdc

@@ -452,7 +452,7 @@ const { data } = useQuery({
 - Sensitive data (passwords, tokens, API keys)
 - Real-time data (notifications, live counts)
 - Temporary search/filter results
-Configured globally in `src/app/providers.tsx` with `PersistQueryClientProvider`.
+  Configured globally in `src/app/providers.tsx` with `PersistQueryClientProvider`.
 
 **staleTime vs gcTime:**
 
@@ -785,6 +785,164 @@ export const usedFunction = () => {}; // Keep
 // Ignore "unlisted dependencies" warnings
 ```
 
+## Background Jobs & BullMQ Worker Pattern - MANDATORY
+
+**Use factory functions for workers to avoid module-level side effects.**
+
+### The Problem: Accidental Worker Initialization
+
+When workers are created at module level, importing the module immediately starts workers:
+
+```typescript
+// ❌ BAD - Worker starts on import (side effect)
+export const buildWorker = createWorker(...);
+const events = createQueueEvents(...);
+events.on('completed', ...);
+console.log('Worker initialized'); // Runs immediately!
+```
+
+**Consequence:** Importing this module in API routes accidentally starts workers in the Next.js container.
+
+### The Solution: Factory Functions
+
+Use factory functions that only initialize workers when explicitly called:
+
+```typescript
+// ✅ GOOD - No side effects, safe to import anywhere
+export function createBuildWorker() {
+  const worker = createWorker(...);
+  const events = createQueueEvents(...);
+  events.on('completed', ...);
+  console.log('Worker initialized'); // Only runs when called
+  return worker;
+}
+```
+
+### Implementation Pattern
+
+**Worker Module** (`src/lib/queue/workers/build.ts`):
+
+```typescript
+/**
+ * Build Worker - Factory function (no side effects)
+ */
+
+async function processBuildJob(job: { data: BuildJobData }): Promise<BuildJobResult> {
+  // Job processing logic
+}
+
+/**
+ * Create and initialize build worker
+ * Factory function - NO side effects until called
+ */
+export function createBuildWorker() {
+  const worker = createWorker<BuildJobData>(QUEUE_NAMES.BUILD, processBuildJob, {
+    concurrency: 1,
+  });
+
+  const events = createQueueEvents(QUEUE_NAMES.BUILD);
+
+  events.on('completed', ({ jobId, returnvalue }) => {
+    console.log(`[WORKER] ✅ Job ${jobId} completed`);
+  });
+
+  events.on('failed', ({ jobId, failedReason }) => {
+    console.error(`[WORKER] ❌ Job ${jobId} failed:`, failedReason);
+  });
+
+  console.log('[WORKER] 🚀 Build Worker Initialized');
+
+  return worker;
+}
+```
+
+**Worker Process** (`src/worker.ts`):
+
+```typescript
+import { createBuildWorker } from '@/lib/queue/workers/build';
+import { createPreviewWorker } from '@/lib/queue/workers/previews';
+
+async function main() {
+  console.log('[WORKER] 🚀 Starting BullMQ worker process...\n');
+
+  // Initialize workers (explicit - no side effects on import)
+  const previewWorker = createPreviewWorker();
+  const buildWorker = createBuildWorker();
+
+  // Graceful shutdown handlers
+  process.on('SIGTERM', async () => {
+    await gracefulShutdown([previewWorker, buildWorker], [previewQueue, buildQueue]);
+    process.exit(0);
+  });
+}
+
+main();
+```
+
+**Barrel Export** (`src/lib/queue/index.ts`):
+
+```typescript
+/**
+ * BullMQ Queue Module
+ * Safe to import anywhere - worker factories have NO side effects
+ */
+
+// Queues (for enqueueing jobs in API routes)
+export { buildQueue, type BuildJobData, type BuildJobResult } from './queues/build';
+export { previewQueue, schedulePreviewCleanup } from './queues/previews';
+
+// Worker factories (for worker process only, but safe to import anywhere)
+export { createBuildWorker } from './workers/build';
+export { createPreviewWorker } from './workers/previews';
+
+// Helpers
+export async function enqueueBuild(data: BuildJobData): Promise<void> {
+  const { buildQueue } = await import('./queues/build');
+  await buildQueue.add('process-build', data);
+}
+```
+
+### Usage Patterns
+
+**In API Routes** (enqueue jobs):
+
+```typescript
+import { buildQueue, enqueueBuild } from '@/lib/queue';
+
+// Enqueue a build job
+await enqueueBuild({
+  buildJobId: 'abc123',
+  projectId: 'proj-1',
+  sessionId: 'sess-1',
+  ticketsPath: 'tickets/2024-01-01.json',
+});
+```
+
+**In Worker Process** (process jobs):
+
+```typescript
+import { createBuildWorker, createPreviewWorker } from '@/lib/queue';
+
+// Explicit initialization - only in worker process
+const buildWorker = createBuildWorker();
+const previewWorker = createPreviewWorker();
+```
+
+### Benefits
+
+✅ **No accidental worker initialization** - Workers only run when explicitly called
+✅ **Safe barrel exports** - Can export factory functions without side effects
+✅ **Clear initialization** - Worker lifecycle is visible and controllable
+✅ **Better testing** - Can test worker logic without starting actual workers
+✅ **Explicit control** - Worker lifecycle is visible in `src/worker.ts`
+
+### Rules
+
+- ❌ **NEVER** create workers at module level with `export const worker = createWorker(...)`
+- ✅ **ALWAYS** use factory functions: `export function createWorker() { return createWorker(...); }`
+- ✅ **ALWAYS** call worker factories explicitly in `src/worker.ts`
+- ✅ **NEVER** call worker factories in API routes (only import queues)
+
 ## TypeScript and Type Safety Guidelines
 
 - Never use the `any` type - it defeats TypeScript's type checking
@@ -816,7 +974,6 @@ export const usedFunction = () => {}; // Keep
 2. **Domain Extension Types** - Only define in `lib/types/` when extending base types AND actively used
 3. **Infrastructure Types** - API utilities, errors, and configurations in `lib/api/`
 
-
 ### Type Naming Conventions
 
 - Base types: `User`, `UserSubscription`, `Task` (match schema exports)
@@ -826,7 +983,6 @@ export const usedFunction = () => {}; // Keep
 - Input types: Infer from router input `RouterInput['tasks']['create']`
 - Statistics: `UserStats`, `BillingStats` (computed aggregations)
 
-
 ## Centralized Type Organization Rules - MANDATORY
 
 **NEVER define types inside hooks, components, or utility functions. ALL types must be centralized.**
@@ -872,7 +1028,6 @@ export interface AsyncOperationOptions {
   onSuccess?: () => void;
   onError?: (error: Error) => void;
 }
-
 ```
 
 ### ❌ WRONG - Manual type definitions
@@ -953,7 +1108,6 @@ import { tasks } from '@/lib/db/schema'; // OK in database queries
 
 **Sitemap** only includes legal pages in `app/sitemap.ts`.
 
-
 ## GitHub Actions Workflow Notifications - MANDATORY
 
 **When creating new GitHub Actions workflows, ALWAYS add Slack notifications for success and failure outcomes.**

.env.local

@@ -14,9 +14,6 @@ NEXT_PUBLIC_CLERK_SIGN_IN_FALLBACK_REDIRECT_URL=/projects
 NEXT_PUBLIC_CLERK_SIGN_UP_URL=/sign-up
 NEXT_PUBLIC_CLERK_SIGN_UP_FALLBACK_REDIRECT_URL=/projects
 
-# AI Models
-# ------------------------------------------------------------------------------------
-NEXT_PUBLIC_DEFAULT_MODEL=claude-haiku-4-5
 
 # Ghost
 # ------------------------------------------------------------------------------------
@@ -69,6 +66,9 @@ CLERK_SECRET_KEY=replace-me
 # AI Provider
 # ------------------------------------------------------------------------------------
 ANTHROPIC_API_KEY=replace-me
+ANTHROPIC_MODEL=claude-haiku-4-5-20251001
+GOOGLE_API_KEY=replace-me
+GOOGLE_MODEL=gemini-2.0-flash
 AGENT_MAX_TURNS=25
 
 # Docker Related
@@ -85,7 +85,7 @@ PREVIEW_RESEND_API_KEY=replace-me
 
 # Sandbox
 # ------------------------------------------------------------------------------------
-SANDBOX_IMAGE=ghcr.io/kosuke-org/kosuke-sandbox:latest
+SANDBOX_IMAGE=kosuke-sandbox-local:latest
 SANDBOX_NETWORK=kosuke_network
 TRAEFIK_ENABLED=false
 SANDBOX_PORT_RANGE_START=4000
@@ -94,6 +94,9 @@ SANDBOX_MEMORY_LIMIT=4294967296 # 4GB
 SANDBOX_CPU_SHARES=512
 SANDBOX_PIDS_LIMIT=4096
 SANDBOX_AGENT_PORT=9000
+SANDBOX_BUN_PORT=3000
+SANDBOX_PYTHON_PORT=8000
+SANDBOX_PLAN_TEST=false
 
 # GitHub App Authentication
 # ------------------------------------------------------------------------------------

.env.prod

@@ -14,6 +14,9 @@ CLERK_SECRET_KEY=${CLERK_SECRET_KEY}
 # AI Provider
 # ------------------------------------------------------------------------------------
 ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
+ANTHROPIC_MODEL=claude-sonnet-4-5-20250929
+GOOGLE_API_KEY=${GOOGLE_API_KEY}
+GOOGLE_MODEL=gemini-2.0-flash
 AGENT_MAX_TURNS=25
 
 # Docker Related
@@ -39,6 +42,9 @@ SANDBOX_MEMORY_LIMIT=4294967296 # 4GB
 SANDBOX_CPU_SHARES=512
 SANDBOX_PIDS_LIMIT=4096
 SANDBOX_AGENT_PORT=9000
+SANDBOX_BUN_PORT=3000
+SANDBOX_PYTHON_PORT=8000
+SANDBOX_PLAN_TEST=false
 
 # GitHub App Authentication
 # ------------------------------------------------------------------------------------

.env.prod.public

@@ -12,10 +12,6 @@ NEXT_PUBLIC_CLERK_SIGN_IN_FALLBACK_REDIRECT_URL=/projects
 NEXT_PUBLIC_CLERK_SIGN_UP_URL=/sign-up
 NEXT_PUBLIC_CLERK_SIGN_UP_FALLBACK_REDIRECT_URL=/projects
 
-# AI Models
-# ------------------------------------------------------------------------------------
-NEXT_PUBLIC_DEFAULT_MODEL=claude-haiku-4-5
-
 # Ghost
 # ------------------------------------------------------------------------------------
 NEXT_PUBLIC_GHOST_CONTENT_API_KEY=8541e6ab3021f8dbb7a329e2fe

.env.stage

@@ -14,6 +14,9 @@ CLERK_SECRET_KEY=${CLERK_SECRET_KEY}
 # AI Provider
 # ------------------------------------------------------------------------------------
 ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
+ANTHROPIC_MODEL=claude-sonnet-4-5-20250929
+GOOGLE_API_KEY=${GOOGLE_API_KEY}
+GOOGLE_MODEL=gemini-2.0-flash
 AGENT_MAX_TURNS=25
 
 # Docker Related
@@ -39,6 +42,9 @@ SANDBOX_MEMORY_LIMIT=4294967296 # 4GB
 SANDBOX_CPU_SHARES=512
 SANDBOX_PIDS_LIMIT=4096
 SANDBOX_AGENT_PORT=9000
+SANDBOX_BUN_PORT=3000
+SANDBOX_PYTHON_PORT=8000
+SANDBOX_PLAN_TEST=false
 
 # GitHub App Authentication
 # ------------------------------------------------------------------------------------

.env.stage.public

@@ -12,10 +12,6 @@ NEXT_PUBLIC_CLERK_SIGN_IN_FALLBACK_REDIRECT_URL=/projects
 NEXT_PUBLIC_CLERK_SIGN_UP_URL=/sign-up
 NEXT_PUBLIC_CLERK_SIGN_UP_FALLBACK_REDIRECT_URL=/projects
 
-# AI Models
-# ------------------------------------------------------------------------------------
-NEXT_PUBLIC_DEFAULT_MODEL=claude-haiku-4-5
-
 # Ghost
 # ------------------------------------------------------------------------------------
 NEXT_PUBLIC_GHOST_CONTENT_API_KEY=

.github/workflows/build-sandbox-image.yml

@@ -24,17 +24,6 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v6
 
-      - name: Set up Bun
-        uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: '1.3.1'
-
-      - name: Build Agent Server
-        run: |
-          cd sandbox/agent
-          bun install --frozen-lockfile
-          bun run build
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -65,6 +54,11 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
           platforms: linux/amd64,linux/arm64
+          build-args: |
+            KOSUKE_CLI_MODE=production
+            INSTALL_CHROMIUM=false
+          secrets: |
+            npm_token=${{ secrets.GITHUB_TOKEN }}
 
       - name: Notify Slack - Success
         if: success()

.github/workflows/ci.yml

@@ -23,16 +23,13 @@ jobs:
         uses: actions/cache@v5
         with:
           path: ~/.bun/install/cache
-          key: ${{ runner.os }}-bun-${{ hashFiles('bun.lock', 'sandbox/agent/bun.lock') }}
+          key: ${{ runner.os }}-bun-${{ hashFiles('bun.lock') }}
           restore-keys: |
             ${{ runner.os }}-bun-
 
       - name: Install dependencies
         run: bun install
 
-      - name: Install agent dependencies
-        run: cd sandbox/agent && bun install
-
       - name: Copy environment variables
         run: cp .env.local .env
 

.gitignore

@@ -62,3 +62,6 @@ public/uploads/*
 # sandbox agent
 sandbox/agent/node_modules/
 sandbox/agent/dist/
+
+# kosuke-cli - separate git repo (nested inside sandbox/)
+sandbox/kosuke-cli/

.prettierignore

@@ -14,6 +14,7 @@ dist/
 templates/
 roo-code/
 venv/
+sandbox/kosuke-cli/
 
 # Cache
 .npm