refactor: extract performEarlyInit to deduplicate config+auth logic

bzqzheng · bzqzheng · commit 51865fdab866 · 2026-04-08T12:50:52.000-04:00
The sandbox and non-relaunch code paths had identical ~40-line blocks
for loadCliConfig, refreshAuth, getRemoteAdminSettings, and
runDeferredCommand. Extract into performEarlyInit() which returns
{ partialConfig, authFailed } so callers can choose their error
handling strategy.

Behavioral change: the else block (SANDBOX env / command mode) now
tracks authFailed (previously it silently swallowed auth errors).
This is safe because the fallback path at line ~507 handles auth
independently — the early failure just means the pre-init attempt
didn't succeed.
diff --git a/packages/cli/src/gemini.tsx b/packages/cli/src/gemini.tsx
@@ -357,115 +357,7 @@ export async function main() {
       ? getNodeMemoryArgs(isDebugMode)
       : [];
 
-  if (!process.env['SANDBOX'] && !argv.isCommand) {
-    const sandboxConfig = await loadSandboxConfig(settings.merged, argv);
-
-    if (sandboxConfig) {
-      // Sandbox path: needs full config + auth before entering sandbox because
-      // the sandbox will interfere with the OAuth2 web redirect.
-      const partialConfig = await loadCliConfig(
-        settings.merged,
-        sessionId,
-        argv,
-        {
-          projectHooks: settings.workspace.settings.hooks,
-        },
-      );
-      adminControlsListner.setConfig(partialConfig);
-
-      let initialAuthFailed = false;
-      if (!settings.merged.security.auth.useExternal) {
-        try {
-          if (
-            partialConfig.isInteractive() &&
-            settings.merged.security.auth.selectedType
-          ) {
-            const err = validateAuthMethod(
-              settings.merged.security.auth.selectedType,
-            );
-            if (err) {
-              throw new Error(err);
-            }
-
-            await partialConfig.refreshAuth(
-              settings.merged.security.auth.selectedType,
-            );
-          } else if (!partialConfig.isInteractive()) {
-            const authType = await validateNonInteractiveAuth(
-              settings.merged.security.auth.selectedType,
-              settings.merged.security.auth.useExternal,
-              partialConfig,
-              settings,
-            );
-            await partialConfig.refreshAuth(authType);
-          }
-        } catch (err) {
-          if (err instanceof ValidationCancelledError) {
-            await runExitCleanup();
-            process.exit(ExitCodes.SUCCESS);
-          }
-
-          if (!(err instanceof ValidationRequiredError)) {
-            debugLogger.error('Error authenticating:', err);
-            initialAuthFailed = true;
-          }
-        }
-      }
-
-      const remoteAdminSettings = partialConfig.getRemoteAdminSettings();
-      if (remoteAdminSettings) {
-        settings.setRemoteAdminSettings(remoteAdminSettings);
-      }
-
-      await runDeferredCommand(settings.merged);
-
-      if (initialAuthFailed) {
-        await runExitCleanup();
-        process.exit(ExitCodes.FATAL_AUTHENTICATION_ERROR);
-      }
-      let stdinData = '';
-      if (!process.stdin.isTTY) {
-        stdinData = await readStdin();
-      }
-
-      // This function is a copy of the one from sandbox.ts
-      // It is moved here to decouple sandbox.ts from the CLI's argument structure.
-      const injectStdinIntoArgs = (
-        args: string[],
-        stdinData?: string,
-      ): string[] => {
-        const finalArgs = [...args];
-        if (stdinData) {
-          const promptIndex = finalArgs.findIndex(
-            (arg) => arg === '--prompt' || arg === '-p',
-          );
-          if (promptIndex > -1 && finalArgs.length > promptIndex + 1) {
-            finalArgs[promptIndex + 1] =
-              `${stdinData}\n\n${finalArgs[promptIndex + 1]}`;
-          } else {
-            finalArgs.push('--prompt', stdinData);
-          }
-        }
-        return finalArgs;
-      };
-
-      const sandboxArgs = injectStdinIntoArgs(process.argv, stdinData);
-
-      await relaunchOnExitCode(() =>
-        start_sandbox(sandboxConfig, memoryArgs, partialConfig, sandboxArgs),
-      );
-      await runExitCleanup();
-      process.exit(ExitCodes.SUCCESS);
-    } else {
-      // Non-sandbox path: skip loadCliConfig + refreshAuth entirely.
-      // The child process handles all initialization on its own.
-      // This eliminates ~500-1000ms of duplicated work (extensions loading,
-      // hierarchical memory search, policy engine, and 3-5 network calls).
-      await relaunchAppInChildProcess(memoryArgs, []);
-    }
-  } else {
-    // Non-relaunch path (sandbox env or command mode): auth is needed here
-    // because we won't be relaunching.
+  async function performEarlyInit() {
     const partialConfig = await loadCliConfig(
       settings.merged,
       sessionId,
@@ -476,6 +368,7 @@ export async function main() {
     );
     adminControlsListner.setConfig(partialConfig);
 
+    let authFailed = false;
     if (!settings.merged.security.auth.useExternal && !argv.isCommand) {
       try {
         if (
@@ -509,6 +402,7 @@ export async function main() {
 
         if (!(err instanceof ValidationRequiredError)) {
           debugLogger.error('Error authenticating:', err);
+          authFailed = true;
         }
       }
     }
@@ -519,6 +413,58 @@ export async function main() {
     }
 
     await runDeferredCommand(settings.merged);
+
+    return { partialConfig, authFailed };
+  }
+
+  if (!process.env['SANDBOX'] && !argv.isCommand) {
+    const sandboxConfig = await loadSandboxConfig(settings.merged, argv);
+
+    if (sandboxConfig) {
+      const { partialConfig, authFailed } = await performEarlyInit();
+
+      if (authFailed) {
+        await runExitCleanup();
+        process.exit(ExitCodes.FATAL_AUTHENTICATION_ERROR);
+      }
+      let stdinData = '';
+      if (!process.stdin.isTTY) {
+        stdinData = await readStdin();
+      }
+
+      // This function is a copy of the one from sandbox.ts
+      // It is moved here to decouple sandbox.ts from the CLI's argument structure.
+      const injectStdinIntoArgs = (
+        args: string[],
+        stdinData?: string,
+      ): string[] => {
+        const finalArgs = [...args];
+        if (stdinData) {
+          const promptIndex = finalArgs.findIndex(
+            (arg) => arg === '--prompt' || arg === '-p',
+          );
+          if (promptIndex > -1 && finalArgs.length > promptIndex + 1) {
+            finalArgs[promptIndex + 1] =
+              `${stdinData}\n\n${finalArgs[promptIndex + 1]}`;
+          } else {
+            finalArgs.push('--prompt', stdinData);
+          }
+        }
+        return finalArgs;
+      };
+
+      const sandboxArgs = injectStdinIntoArgs(process.argv, stdinData);
+
+      await relaunchOnExitCode(() =>
+        start_sandbox(sandboxConfig, memoryArgs, partialConfig, sandboxArgs),
+      );
+      await runExitCleanup();
+      process.exit(ExitCodes.SUCCESS);
+    } else {
+      await relaunchAppInChildProcess(memoryArgs, []);
+    }
+  } else {
+    await performEarlyInit();
   }
 
   // We are now past the logic handling potentially launching a child process
