fix: address review feedback in gateway demo script

ericcurtin · ericcurtin · commit 3b5b0011bd3b · 2026-04-08T15:01:25.000+01:00
- Replace eval in run_step with inlined call sites for steps 3 and 4,
  eliminating the risk of command injection from variable expansion
- Allow MODEL_CLI_BIN env var to override the binary path
- Add early prerequisite checks for the model-cli binary and python3,
  exiting with a clear error message if either is missing
diff --git a/demos/gateway/demo.sh b/demos/gateway/demo.sh
@@ -18,7 +18,7 @@ set -euo pipefail
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
-BIN="${REPO_ROOT}/model-cli/target/release/model-cli"
+BIN="${MODEL_CLI_BIN:-${REPO_ROOT}/model-cli/target/release/model-cli}"
 GATEWAY_PORT=4000
 GATEWAY_URL="http://localhost:${GATEWAY_PORT}"
 API_KEY="demo-secret"
@@ -35,6 +35,20 @@ cyan='\033[0;36m'
 red='\033[0;31m'
 white='\033[0;37m'
 
+# ── prerequisite checks ───────────────────────────────────────────────────────
+
+if [[ ! -x "${BIN}" ]]; then
+    printf '%sError:%s model-cli binary not found at %s\n' "${red}" "${reset}" "${BIN}" >&2
+    printf 'Build it with: cargo build --release (in model-cli/)\n' >&2
+    printf 'Or set MODEL_CLI_BIN=/path/to/model-cli to override.\n' >&2
+    exit 1
+fi
+
+if ! command -v python3 >/dev/null 2>&1; then
+    printf '%sError:%s python3 is required but not found in PATH.\n' "${red}" "${reset}" >&2
+    exit 1
+fi
+
 # ── helpers ───────────────────────────────────────────────────────────────────
 
 # Simulate typing a command character by character
@@ -49,25 +63,7 @@ typewrite() {
     done
 }
 
-# Print a fake prompt then type-animate the command, then wait for Enter
-# After Enter is pressed the command is actually run.
-run_step() {
-    local description="$1"
-    local command="$2"
-
-    echo
-    printf '%s# %s%s\n' "${dim}" "$description" "${reset}"
-    printf '%s%s$%s ' "${bold}" "${green}" "${reset}"
-    typewrite "$command" 0.035
-    printf '%s ▌%s' "${dim}" "${reset}"   # blinking-cursor illusion
-
-    # Wait for Enter
-    read -r -s _
-    printf "\r${bold}${green}\$${reset} ${white}%s${reset}\n" "$command"
 
-    # Actually run it
-    eval "$command"
-}
 
 # A pause with a brief explanatory comment — no command executed
 pause_comment() {
@@ -207,19 +203,32 @@ ok "Gateway listening on http://localhost:${GATEWAY_PORT}"
 
 section "Step 3 — Health check"
 
-run_step \
-    "The gateway exposes /health — no auth required" \
-    "curl -s http://localhost:${GATEWAY_PORT}/health | python3 -m json.tool"
+echo
+printf '%s# The gateway exposes /health — no auth required%s\n' "${dim}" "${reset}"
+printf '%s%s$%s ' "${bold}" "${green}" "${reset}"
+typewrite "curl -s http://localhost:${GATEWAY_PORT}/health | python3 -m json.tool" 0.035
+printf '%s ▌%s' "${dim}" "${reset}"
+read -r -s _
+printf '\r%s%s$%s %scurl -s http://localhost:%s/health | python3 -m json.tool%s\n' \
+    "${bold}" "${green}" "${reset}" "${white}" "${GATEWAY_PORT}" "${reset}"
+curl -s "http://localhost:${GATEWAY_PORT}/health" | python3 -m json.tool
 
 # ─────────────────────────────────────────────────────────────────────────────
 # STEP 4 — list models
 # ─────────────────────────────────────────────────────────────────────────────
 
 section "Step 4 — List models  (/v1/models)"
 
-run_step \
-    "OpenAI-compatible model list — clients see gateway aliases, not backend details" \
-    "curl -s http://localhost:${GATEWAY_PORT}/v1/models -H 'Authorization: Bearer ${API_KEY}' | python3 -m json.tool"
+echo
+printf '%s# OpenAI-compatible model list — clients see gateway aliases, not backend details%s\n' "${dim}" "${reset}"
+printf '%s%s$%s ' "${bold}" "${green}" "${reset}"
+typewrite "curl -s http://localhost:${GATEWAY_PORT}/v1/models -H 'Authorization: Bearer ${API_KEY}' | python3 -m json.tool" 0.035
+printf '%s ▌%s' "${dim}" "${reset}"
+read -r -s _
+printf '\r%s%s$%s %scurl -s http://localhost:%s/v1/models -H '\''Authorization: Bearer %s'\'' | python3 -m json.tool%s\n' \
+    "${bold}" "${green}" "${reset}" "${white}" "${GATEWAY_PORT}" "${API_KEY}" "${reset}"
+curl -s "http://localhost:${GATEWAY_PORT}/v1/models" \
+    -H "Authorization: Bearer ${API_KEY}" | python3 -m json.tool
 
 # ─────────────────────────────────────────────────────────────────────────────
 # STEP 5 — auth rejection
