add interactive gateway demo

[ericcurtin]

Introduces demos/gateway/ with a step-by-step shell demo for the model-cli gateway command. Each step pauses for Enter, types commands character-by-character as 'docker model gateway', and covers health, auth, chat completions, streaming, embeddings, load balancing, fallbacks, and OpenAI SDK compatibility.

[sourcery-ai]

Hey - I've left some high level feedback:

• The demo script assumes the model-cli binary exists at a hard-coded path (${REPO_ROOT}/model-cli/target/release/model-cli); consider either checking for its existence with a helpful error message or allowing an override via an environment variable (e.g., MODEL_CLI_BIN).
• Several steps depend on python3 and the openai package being available; you already skip the SDK step when openai is missing, but it may be more robust to add an early prerequisite check (for python3 and core Python usage) and exit with a clear message if they are not installed.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The demo script assumes the `model-cli` binary exists at a hard-coded path (`${REPO_ROOT}/model-cli/target/release/model-cli`); consider either checking for its existence with a helpful error message or allowing an override via an environment variable (e.g., `MODEL_CLI_BIN`).
- Several steps depend on `python3` and the `openai` package being available; you already skip the SDK step when `openai` is missing, but it may be more robust to add an early prerequisite check (for `python3` and core Python usage) and exit with a clear message if they are not installed.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[gemini-code-assist]

Code Review

This pull request introduces a new interactive demo for the model-cli gateway command, providing configuration examples and a bash script to walk users through features like load balancing, retries, and fallbacks. The review identified a critical security issue regarding the use of eval in the demo script's run_step function, which should be refactored to avoid potential command injection.

[gemini-code-assist]

The run_step function uses eval on a command string that has had variables expanded into it. This is a critical security and correctness issue. If a variable (like $API_KEY) contains shell metacharacters (e.g., a single quote), it can break the command syntax or lead to arbitrary code execution.

According to the repository style guide, which prioritizes security, eval should be avoided.

I recommend removing this function and inlining its logic at its two call sites (in Step 3 and Step 4). This will make variable handling explicit and safe for each command, which is consistent with how more complex commands are handled in other steps of this script.

Here is an example of how the health check in Step 3 could be rewritten safely:

section "Step 3 — Health check"

local description="The gateway exposes /health — no auth required"
local command="curl -s http://localhost:${GATEWAY_PORT}/health | python3 -m json.tool"

echo
printf "${dim}# %s\n" "$description"
printf "${bold}${green}\\$${reset} "
typewrite "$command" 0.035
printf "${dim} ▌${reset}"   # blinking-cursor illusion

# Wait for Enter
read -r -s _
printf "\r${bold}${green}\\$${reset} ${white}%s${reset}\n" "$command"

# Actually run it
curl -s "http://localhost:${GATEWAY_PORT}/health" | python3 -m json.tool

References

1. The use of eval presents a significant security risk (potential for command injection), which goes against the security principles outlined in the style guide. The guide states a priority on security, asking "What are the threat surfaces? Are trust boundaries respected? ... Think about the OWASP top 10..." ^(link)