perf: skip loadCliConfig + refreshAuth in parent for non-sandbox startup

bzqzheng · bzqzheng · commit 0370de79e787 · 2026-04-08T12:50:52.000-04:00
In the common non-sandbox case, the parent process now skips expensive initialization (loadCliConfig, refreshAuth) and relaunches immediately. The child process handles all initialization on its own. Previously, the parent loaded full config (extensions, hierarchical memory search, policy engine) and made 3-5 network calls (OAuth, quota, experiments, admin controls) only to discard everything when spawning the child — which then repeated the same work. This eliminates ~500-1000ms of duplicated work on every startup. The sandbox path is completely unchanged. Closes #24776
diff --git a/packages/cli/src/gemini.tsx b/packages/cli/src/gemini.tsx
@@ -348,79 +348,77 @@ export async function main() {
     }
   }
 
-  const partialConfig = await loadCliConfig(settings.merged, sessionId, argv, {
-    projectHooks: settings.workspace.settings.hooks,
-  });
-  adminControlsListner.setConfig(partialConfig);
-
-  // Refresh auth to fetch remote admin settings from CCPA and before entering
-  // the sandbox because the sandbox will interfere with the Oauth2 web
-  // redirect.
-  let initialAuthFailed = false;
-  if (!settings.merged.security.auth.useExternal && !argv.isCommand) {
-    try {
-      if (
-        partialConfig.isInteractive() &&
-        settings.merged.security.auth.selectedType
-      ) {
-        const err = validateAuthMethod(
-          settings.merged.security.auth.selectedType,
-        );
-        if (err) {
-          throw new Error(err);
-        }
+  // Determine memory args and sandbox config early — these are needed
+  // regardless of whether we take the fast (relaunch) or full (sandbox) path.
+  const memoryArgs =
+    !process.env['SANDBOX'] &&
+    !argv.isCommand &&
+    settings.merged.advanced.autoConfigureMemory
+      ? getNodeMemoryArgs(isDebugMode)
+      : [];
 
-        await partialConfig.refreshAuth(
-          settings.merged.security.auth.selectedType,
-        );
-      } else if (!partialConfig.isInteractive()) {
-        const authType = await validateNonInteractiveAuth(
-          settings.merged.security.auth.selectedType,
-          settings.merged.security.auth.useExternal,
-          partialConfig,
-          settings,
-        );
-        await partialConfig.refreshAuth(authType);
-      }
-    } catch (err) {
-      if (err instanceof ValidationCancelledError) {
-        // User cancelled verification, exit immediately.
-        await runExitCleanup();
-        process.exit(ExitCodes.SUCCESS);
-      }
+  if (!process.env['SANDBOX'] && !argv.isCommand) {
+    const sandboxConfig = await loadSandboxConfig(settings.merged, argv);
 
-      // If validation is required, we don't treat it as a fatal failure.
-      // We allow the app to start, and the React-based ValidationDialog
-      // will handle it.
-      if (!(err instanceof ValidationRequiredError)) {
-        debugLogger.error('Error authenticating:', err);
-        initialAuthFailed = true;
-      }
-    }
-  }
+    if (sandboxConfig) {
+      // Sandbox path: needs full config + auth before entering sandbox because
+      // the sandbox will interfere with the OAuth2 web redirect.
+      const partialConfig = await loadCliConfig(
+        settings.merged,
+        sessionId,
+        argv,
+        {
+          projectHooks: settings.workspace.settings.hooks,
+        },
+      );
+      adminControlsListner.setConfig(partialConfig);
 
-  const remoteAdminSettings = partialConfig.getRemoteAdminSettings();
-  // Set remote admin settings if returned from CCPA.
-  if (remoteAdminSettings) {
-    settings.setRemoteAdminSettings(remoteAdminSettings);
-  }
+      let initialAuthFailed = false;
+      if (!settings.merged.security.auth.useExternal) {
+        try {
+          if (
+            partialConfig.isInteractive() &&
+            settings.merged.security.auth.selectedType
+          ) {
+            const err = validateAuthMethod(
+              settings.merged.security.auth.selectedType,
+            );
+            if (err) {
+              throw new Error(err);
+            }
+
+            await partialConfig.refreshAuth(
+              settings.merged.security.auth.selectedType,
+            );
+          } else if (!partialConfig.isInteractive()) {
+            const authType = await validateNonInteractiveAuth(
+              settings.merged.security.auth.selectedType,
+              settings.merged.security.auth.useExternal,
+              partialConfig,
+              settings,
+            );
+            await partialConfig.refreshAuth(authType);
+          }
+        } catch (err) {
+          if (err instanceof ValidationCancelledError) {
+            await runExitCleanup();
+            process.exit(ExitCodes.SUCCESS);
+          }
 
-  // Run deferred command now that we have admin settings.
-  await runDeferredCommand(settings.merged);
+          if (!(err instanceof ValidationRequiredError)) {
+            debugLogger.error('Error authenticating:', err);
+            initialAuthFailed = true;
+          }
+        }
+      }
 
-  // hop into sandbox if we are outside and sandboxing is enabled
-  if (!process.env['SANDBOX'] && !argv.isCommand) {
-    const memoryArgs = settings.merged.advanced.autoConfigureMemory
-      ? getNodeMemoryArgs(isDebugMode)
-      : [];
-    const sandboxConfig = await loadSandboxConfig(settings.merged, argv);
-    // We intentionally omit the list of extensions here because extensions
-    // should not impact auth or setting up the sandbox.
-    // TODO(jacobr): refactor loadCliConfig so there is a minimal version
-    // that only initializes enough config to enable refreshAuth or find
-    // another way to decouple refreshAuth from requiring a config.
+      const remoteAdminSettings = partialConfig.getRemoteAdminSettings();
+      if (remoteAdminSettings) {
+        settings.setRemoteAdminSettings(remoteAdminSettings);
+      }
+
+      await runDeferredCommand(settings.merged);
 
-    if (sandboxConfig) {
       if (initialAuthFailed) {
         await runExitCleanup();
         process.exit(ExitCodes.FATAL_AUTHENTICATION_ERROR);
@@ -442,11 +440,9 @@ export async function main() {
             (arg) => arg === '--prompt' || arg === '-p',
           );
           if (promptIndex > -1 && finalArgs.length > promptIndex + 1) {
-            // If there's a prompt argument, prepend stdin to it
             finalArgs[promptIndex + 1] =
               `${stdinData}\n\n${finalArgs[promptIndex + 1]}`;
           } else {
-            // If there's no prompt argument, add stdin as the prompt
             finalArgs.push('--prompt', stdinData);
           }
         }
@@ -461,10 +457,68 @@ export async function main() {
       await runExitCleanup();
       process.exit(ExitCodes.SUCCESS);
     } else {
-      // Relaunch app so we always have a child process that can be internally
-      // restarted if needed.
-      await relaunchAppInChildProcess(memoryArgs, [], remoteAdminSettings);
+      // Non-sandbox path: skip loadCliConfig + refreshAuth entirely.
+      // The child process handles all initialization on its own.
+      // This eliminates ~500-1000ms of duplicated work (extensions loading,
+      // hierarchical memory search, policy engine, and 3-5 network calls).
+      await relaunchAppInChildProcess(memoryArgs, []);
+    }
+  } else {
+    // Non-relaunch path (sandbox env or command mode): auth is needed here
+    // because we won't be relaunching.
+    const partialConfig = await loadCliConfig(
+      settings.merged,
+      sessionId,
+      argv,
+      {
+        projectHooks: settings.workspace.settings.hooks,
+      },
+    );
+    adminControlsListner.setConfig(partialConfig);
+
+    if (!settings.merged.security.auth.useExternal && !argv.isCommand) {
+      try {
+        if (
+          partialConfig.isInteractive() &&
+          settings.merged.security.auth.selectedType
+        ) {
+          const err = validateAuthMethod(
+            settings.merged.security.auth.selectedType,
+          );
+          if (err) {
+            throw new Error(err);
+          }
+
+          await partialConfig.refreshAuth(
+            settings.merged.security.auth.selectedType,
+          );
+        } else if (!partialConfig.isInteractive()) {
+          const authType = await validateNonInteractiveAuth(
+            settings.merged.security.auth.selectedType,
+            settings.merged.security.auth.useExternal,
+            partialConfig,
+            settings,
+          );
+          await partialConfig.refreshAuth(authType);
+        }
+      } catch (err) {
+        if (err instanceof ValidationCancelledError) {
+          await runExitCleanup();
+          process.exit(ExitCodes.SUCCESS);
+        }
+
+        if (!(err instanceof ValidationRequiredError)) {
+          debugLogger.error('Error authenticating:', err);
+        }
+      }
     }
+
+    const remoteAdminSettings = partialConfig.getRemoteAdminSettings();
+    if (remoteAdminSettings) {
+      settings.setRemoteAdminSettings(remoteAdminSettings);
+    }
+
+    await runDeferredCommand(settings.merged);
   }
 
   // We are now past the logic handling potentially launching a child process
