Merge pull request #61 from agentic-labs/caching

robmck1995 · web-flow · commit 8031ea34a1c5 · 2025-01-14T09:44:45.000-05:00
Cache the checkout
diff --git a/lsproxy/client.py b/lsproxy/client.py
@@ -1,11 +1,8 @@
 import json
 import httpx
 import time
-from typing import List, TYPE_CHECKING, Optional
+from typing import List, Optional
 
-# Only import type hints for Modal if type checking
-if TYPE_CHECKING:
-    import modal
 
 from .models import (
     DefinitionResponse,
@@ -19,9 +16,6 @@
     IdentifierResponse,
 )
 
-from .auth import create_jwt
-
-
 class Lsproxy:
     """Client for interacting with the lsproxy API."""
 
@@ -151,100 +145,20 @@ def initialize_with_modal(
             ImportError: If Modal or PyJWT are not installed
             ValueError: If repository cloning fails
         """
+
         try:
-            import modal
-            import secrets
+            from .modal import ModalSandbox
         except ImportError:
             raise ImportError(
                 "Modal and PyJWT are required for this feature. "
                 "Install them with: pip install 'lsproxy-sdk[modal]'"
             )
 
-        app = modal.App.lookup("lsproxy-app", create_if_missing=True)
-
-        # Generate a secure random secret
-        jwt_secret = secrets.token_urlsafe(32)
-
-        # Create JWT token with 24-hour expiration
-        payload = {
-            "sub": "lsproxy-client",
-            "iat": int(time.time()),
-            "exp": int(time.time()) + 86400,  # 24 hour expiration
-        }
-        token = create_jwt(payload, jwt_secret)
-
-        lsproxy_image = modal.Image.from_registry(f"agenticlabs/lsproxy:{version}").env(
-            {"JWT_SECRET": jwt_secret}
-        )
-
-        sandbox_config = {
-            "image": lsproxy_image,
-            "app": app,
-            "encrypted_ports": [4444],
-        }
-
-        if timeout is not None:
-            sandbox_config["timeout"] = timeout
-
-        print("Starting sandbox...")
-        sandbox = modal.Sandbox.create(**sandbox_config)
-
-        tunnel_url = sandbox.tunnels()[4444].url
-
-        # Clone repository with token if provided
-        print(f"Cloning {repo_url}...")
-        if git_token:
-            # Insert token into URL for private repo access
-            url_parts = repo_url.split("://")
-            if len(url_parts) != 2:
-                raise ValueError("Invalid repository URL format")
-            auth_url = f"{url_parts[0]}://x-access-token:{git_token}@{url_parts[1]}"
-            clone_url = auth_url
-        else:
-            clone_url = repo_url
-
-        try:
-            p = sandbox.exec(
-                "git", "config", "--global", "--add", "safe.directory", "/mnt/workspace"
-            )
-            p.wait()
-
-            p = sandbox.exec(
-                "git", "clone", clone_url, "--depth", "1", "/mnt/workspace"
-            )
-            exit_code = p.wait()
-            if exit_code != 0:
-                raise ValueError(
-                    "Failed to clone repository. Please check:\n"
-                    "- The repository URL is correct\n"
-                    "- You have access to the repository\n"
-                    "- If it's a private repository, you've provided a valid git token"
-                )
-            if sha is not None:
-                # Checkout the specific commit
-                p = sandbox.exec(
-                    "bash", "-c", f"cd /mnt/workspace && git fetch origin {sha}"
-                )
-                exit_code = p.wait()
-                if exit_code != 0:
-                    raise ValueError(
-                        f"Failed to fetch SHA ({sha}). Please check it is valid"
-                    )
-
-                p = sandbox.exec(
-                    "bash", "-c", f"cd /mnt/workspace && git checkout {sha}"
-                )
-                p.wait()
-
-        except Exception as e:
-            sandbox.terminate()
-            raise ValueError(f"Repository cloning failed: {str(e)}")
 
-        # Start lsproxy
-        p = sandbox.exec("lsproxy")
+        sandbox = ModalSandbox(repo_url, git_token, sha, timeout, version)
 
         # Wait for server to be ready
-        client = cls(base_url=f"{tunnel_url}/v1", auth_token=token)
+        client = cls(base_url=f"{sandbox.tunnel_url}/v1", auth_token=sandbox.jwt_token)
 
         print("Waiting for server start up (make take a minute)...")
         for attempt in range(180):
diff --git a/lsproxy/modal.py b/lsproxy/modal.py
@@ -0,0 +1,125 @@
+import time
+import json
+import hashlib
+import subprocess
+
+from typing import TYPE_CHECKING
+from .auth import create_jwt
+
+# Only import type hints for Modal if type checking
+if TYPE_CHECKING:
+    import modal
+
+def create_named_modal_secret(
+    env: dict[str, str | None],
+    secret_name: str,
+):
+    """
+    modal secret create [OPTIONS] SECRET_NAME KEYVALUES...
+
+    SECRET_NAME: [required]
+    KEYVALUES...: Space-separated KEY=VALUE items [required]
+
+    1) filter out None values
+    2) stable JSON stringify
+    3) take SHA256 hash of the string to get the SECRET_NAME
+    4) assemble KEYVALUES using shlex.quote
+
+    """
+    try:
+        import modal
+    except ImportError:
+        raise ImportError(
+            "Modal and PyJWT are required for this feature. "
+            "Install them with: pip install 'lsproxy-sdk[modal]'"
+        )
+    filtered_env = {k: v for k, v in env.items() if v is not None}
+
+    # subprocess.run already handles quoting
+    keyvalues = [f"{k}={v}" for k, v in filtered_env.items()]
+    print(f"Creating Modal secret {secret_name} with {len(keyvalues)} keyvalues")
+    result = subprocess.run(
+        ["modal", "secret", "create", "--force", secret_name, *keyvalues],
+        capture_output=True,
+        text=True,
+    )
+    if result.returncode != 0:
+        raise Exception(f"Error creating Modal secret {secret_name}: {result.stderr}")
+    return modal.Secret.from_name(secret_name)
+
+class ModalSandbox:
+    def __init__(self, repo_url: str, git_token: str, sha: str, timeout: int, version: str):
+        try:
+            import modal
+            import secrets
+        except ImportError:
+            raise ImportError(
+                "Modal and PyJWT are required for this feature. "
+                "Install them with: pip install 'lsproxy-sdk[modal]'"
+            )
+
+        app = modal.App.lookup("lsproxy-app", create_if_missing=True)
+
+        # Generate a secure random secret
+        jwt_secret = secrets.token_urlsafe(32)
+
+        # Create JWT token with 24-hour expiration
+        payload = {
+            "sub": "lsproxy-client",
+            "iat": int(time.time()),
+            "exp": int(time.time()) + 86400,  # 24 hour expiration
+        }
+        self.jwt_token = create_jwt(payload, jwt_secret)
+
+
+        if git_token:
+            # We want the github secret to be named, because that allows us to cache the layers (for the same sha) even as the token changes!
+            repo_id = hashlib.md5(repo_url.encode()).hexdigest()
+            gh_secret = create_named_modal_secret(
+                {"GITHUB_IAT": git_token},
+                f"gh-iat-token-{repo_id}"
+            )
+            url_parts = repo_url.split("://")
+            lsproxy_image = modal.Image.from_registry(f"agenticlabs/lsproxy:{version}")
+            lsproxy_image = lsproxy_image.run_commands(
+                [
+                    "git config --global --add safe.directory /mnt/workspace",
+                    f"git clone --depth 1 {url_parts[0]}://x-access-token:$GITHUB_IAT@{url_parts[1]} /mnt/workspace"
+                ],
+                secrets=[
+                    gh_secret
+                ],  # sneaky, cache the layers (for the same sha) even as the token changes!
+            )
+            if sha:
+                lsproxy_image = lsproxy_image.run_commands([
+                        f"cd /mnt/workspace && git fetch origin {sha} && git checkout {sha}"
+                    ]
+                )
+        else:
+            lsproxy_image = modal.Image.from_registry(f"agenticlabs/lsproxy:{version}").run_commands(
+                [
+                    f"git clone --depth 1 {repo_url} /mnt/workspace"
+                ]
+            )
+
+        jwt_secret = modal.Secret.from_dict({"JWT_SECRET": jwt_secret})
+        sandbox_config = {
+            "image": lsproxy_image,
+            "app": app,
+            "encrypted_ports": [4444],
+            "secrets": [jwt_secret],
+        }
+
+        if timeout is not None:
+            sandbox_config["timeout"] = timeout
+
+        print("Starting sandbox...")
+
+        self.sandbox = modal.Sandbox.create(**sandbox_config)
+        self.tunnel_url = self.sandbox.tunnels()[4444].url
+
+        # Start lsproxy
+        p = self.sandbox.exec(f"lsproxy")
+    
+    def terminate(self):
+        self.sandbox.terminate()
