Conversation
Summary of ChangesHello @mkagenius, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly expands the CodeRunner project's integration capabilities and local execution options. It introduces a dedicated Claude Code CLI plugin, allowing users to leverage CodeRunner's sandboxed execution environment directly from the Claude Code interface. Furthermore, it adds a suite of REST API endpoints to the CodeRunner server, providing compatibility with the InstaVM SDK for local execution of code and browser interactions, thereby enabling a more versatile and self-contained development experience. Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces several enhancements and additions to the CodeRunner project, focusing on improving its integration with Claude Code and expanding its capabilities. The changes include updates to the Dockerfile, modifications to the README.md file to include instructions for Claude Code CLI, the addition of new plugin files for InstaVM CodeRunner, updates to the installation script, and modifications to the server.py file to enhance security and add REST API endpoints for sandbox client compatibility. The review focuses on identifying potential issues and suggesting improvements to maintain code quality and clarity.
| async def api_execute(request: Request): | ||
| """ | ||
| REST API endpoint for executing Python code (compatible with InstaVM SDK). | ||
|
|
||
| Request body (JSON): | ||
| { | ||
| "command": "print('hello world')", | ||
| "session_id": "optional-ignored-for-local", | ||
| "language": "python", // optional, only python supported | ||
| "timeout": 300 // optional, not used in local execution | ||
| } | ||
|
|
||
| Response (JSON) - matches api.instavm.io/execute format: | ||
| { | ||
| "stdout": "hello world\\n", | ||
| "stderr": "", | ||
| "execution_time": 0.39, | ||
| "cpu_time": 0.03 | ||
| } | ||
| """ | ||
| import time | ||
| start_time = time.time() | ||
|
|
||
| try: | ||
| # Parse request body | ||
| body = await request.json() | ||
|
|
||
| # SDK sends "code" field, direct API calls use "command" | ||
| command = body.get("code") or body.get("command") | ||
|
|
||
| if not command: | ||
| return JSONResponse({ | ||
| "stdout": "", | ||
| "stderr": "Missing 'code' or 'command' field in request body", | ||
| "execution_time": 0.0, | ||
| "cpu_time": 0.0 | ||
| }, status_code=400) | ||
|
|
||
| # Create mock context for progress reporting | ||
| ctx = MockContext() | ||
|
|
||
| # Execute the code | ||
| result = await execute_python_code(command, ctx) | ||
|
|
||
| # Calculate execution time | ||
| execution_time = time.time() - start_time | ||
|
|
||
| # Check if result contains an error | ||
| if result.startswith("Error:"): | ||
| return JSONResponse({ | ||
| "stdout": "", | ||
| "stderr": result, | ||
| "execution_time": execution_time, | ||
| "cpu_time": execution_time # Approximate CPU time as execution time | ||
| }) | ||
|
|
||
| # For compatibility with api.instavm.io, return stdout/stderr format | ||
| # Since execute_python_code returns combined output, we put it all in stdout | ||
| return JSONResponse({ | ||
| "stdout": result, | ||
| "stderr": "", | ||
| "execution_time": execution_time, | ||
| "cpu_time": execution_time # Approximate CPU time as execution time | ||
| }) | ||
|
|
||
| except Exception as e: | ||
| logger.error(f"Error in /execute endpoint: {e}", exc_info=True) | ||
| execution_time = time.time() - start_time | ||
| return JSONResponse({ | ||
| "stdout": "", | ||
| "stderr": f"Error: {str(e)}", | ||
| "execution_time": execution_time, | ||
| "cpu_time": execution_time | ||
| }, status_code=500) |
There was a problem hiding this comment.
The api_execute function implements a REST API endpoint for executing Python code. It's crucial to validate and sanitize the input command to prevent code injection vulnerabilities. Implement robust input validation to ensure that only safe and expected commands are executed.
| # Configure DNS rebinding protection to allow coderunner.local | ||
| mcp = FastMCP( | ||
| "CodeRunner", | ||
| transport_security=TransportSecuritySettings( | ||
| enable_dns_rebinding_protection=True, | ||
| allowed_hosts=[ | ||
| "localhost:*", | ||
| "127.0.0.1:*", | ||
| "coderunner.local:*", | ||
| "0.0.0.0:*", | ||
| ], | ||
| allowed_origins=[ | ||
| "http://localhost:*", | ||
| "http://127.0.0.1:*", | ||
| "http://coderunner.local:*", | ||
| ], | ||
| ) | ||
| ) |
There was a problem hiding this comment.
The addition of DNS rebinding protection is a critical security enhancement. Ensure that the allowed hosts and origins are correctly configured to prevent unauthorized access. Also, consider adding logging to track when DNS rebinding protection is triggered to monitor potential attacks.
| # Start the FastAPI application | ||
| # CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8002", "--workers", "1", "--no-access-log"] | ||
|
|
||
| RUN apt-get --fix-broken install |
There was a problem hiding this comment.
The apt-get --fix-broken install command is removed. While it might seem like a cleanup, ensure that there are no broken packages that this command was intended to fix. If broken packages are expected, consider adding a comment explaining why this command is not needed or if the issue is handled elsewhere.
| ### Option 2: Claude Code CLI | ||
|
|
||
| <details> | ||
| <summary>Use CodeRunner with Claude Code CLI for terminal-based AI assistance:</summary> | ||
|
|
||
|  | ||
|
|
||
| **Quick Start:** | ||
|
|
||
| ```bash | ||
| # 1. Install and start CodeRunner (one-time setup) | ||
| git clone https://github.com/instavm/coderunner.git | ||
| cd coderunner | ||
| sudo ./install.sh | ||
|
|
||
| # 2. Install the Claude Code plugin | ||
| claude plugin marketplace add github:BandarLabs/coderunner/instavm-coderunner-plugin | ||
| claude plugin install instavm-coderunner@instavm-plugins | ||
|
|
||
| # 3. Reconnect to MCP servers | ||
| /mcp | ||
| ``` | ||
|
|
||
| That's it! Claude Code now has access to all CodeRunner tools: | ||
| - **execute_python_code** - Run Python code in persistent Jupyter kernel | ||
| - **navigate_and_get_all_visible_text** - Web scraping with Playwright | ||
| - **list_skills** - List available skills (docx, xlsx, pptx, pdf, image processing, etc.) | ||
| - **get_skill_info** - Get documentation for specific skills | ||
| - **get_skill_file** - Read skill files and examples | ||
|
|
||
| **Learn more:** See [instavm-coderunner-plugin/README.md](instavm-coderunner-plugin/README.md) for detailed documentation. | ||
|
|
||
| </details> |
There was a problem hiding this comment.
The addition of the Claude Code CLI section is a good enhancement. However, ensure that the instructions are clear and easy to follow for users with varying levels of technical expertise. Consider adding more context or explanations for each step, especially for those unfamiliar with command-line interfaces or plugin installations.
| fi | ||
|
|
||
| download_url="https://github.com/apple/container/releases/download/0.5.0/container-0.5.0-installer-signed.pkg" | ||
| download_url="https://github.com/apple/container/releases/download/0.8.0/container-installer-signed.pkg" |
There was a problem hiding this comment.
The download URL for the container installer is updated. Verify that the new version (0.8.0) is compatible with all existing configurations and that it has been thoroughly tested. Also, consider adding a comment explaining why the version was updated.
| ctx = MockContext() | ||
|
|
||
| # Execute the code | ||
| result = await execute_python_code(command, ctx) |
There was a problem hiding this comment.
Consider adding error handling around the execute_python_code call to gracefully handle exceptions and provide informative error messages to the client.
| if result.startswith("Error:"): | ||
| return JSONResponse({ | ||
| "stdout": "", | ||
| "stderr": result, | ||
| "execution_time": execution_time, | ||
| "cpu_time": execution_time # Approximate CPU time as execution time | ||
| }) |
There was a problem hiding this comment.
When result.startswith("Error:"), the function returns a JSON response with the error. Ensure that this error message is properly formatted and provides enough context for debugging. Consider including additional information such as the stack trace or error code.
| except Exception as e: | ||
| logger.error(f"Error in /execute endpoint: {e}", exc_info=True) | ||
| execution_time = time.time() - start_time | ||
| return JSONResponse({ | ||
| "stdout": "", | ||
| "stderr": f"Error: {str(e)}", | ||
| "execution_time": execution_time, | ||
| "cpu_time": execution_time | ||
| }, status_code=500) |
There was a problem hiding this comment.
The error handling in the api_execute function logs the error and returns a JSON response with a 500 status code. Ensure that the error message is properly formatted and provides enough context for debugging. Consider including additional information such as the stack trace or error code.
| if not url: | ||
| return JSONResponse({ | ||
| "status": "error", | ||
| "error": "Missing 'url' field in request body" | ||
| }) |
There was a problem hiding this comment.
The error response for a missing 'url' field returns a JSON response. Ensure that all other error conditions also return appropriate HTTP status codes to provide meaningful feedback to the client.
| "error": "Missing 'url' field in request body (required for local execution)" | ||
| }) |
There was a problem hiding this comment.
The error response for a missing 'url' field returns a JSON response. Ensure that all other error conditions also return appropriate HTTP status codes to provide meaningful feedback to the client.
1 participant
No description provided.