🛡️ Developer Sandboxes & Cost Isolation SOP

To prevent massive $100+ daily cost spikes and provide transparent, real-time cost tracking, WayCup uses Multi-Project Sandbox Isolation. Each developer works within their own dedicated Google Cloud Platform (GCP) sandbox project.


🏗️ Sandbox Project Architecture

All developer projects roll up to the main WayCup Billing Account, but are completely segregated as separate project nodes.

  • Kevin’s Project: waycup-kevin-sandbox
  • Brenn’s Project: waycup-brenn-sandbox

This ensures that on your monthly GCP invoice, or in your live Billing Console under the Cost Table, you can instantly see a dollar-for-dollar breakdown of who is consuming what.


🔑 Secret Registry & 1Password Integration

API keys for the sandboxes must be stored in 1Password and accessed dynamically via the op CLI. Do NOT paste raw keys into local files.

Secret Name             1Password URI                                                 Target Project
GEMINI_API_KEY_KEVIN    op://WayCup Security/Gemini API Sandbox - Kevin/credential    waycup-kevin-sandbox
GEMINI_API_KEY_BRENN    op://WayCup Security/Gemini API Sandbox - Brenn/credential    waycup-brenn-sandbox

🛡️ API Key Restrictions (Mandatory by June 19, 2026)

Google requires all API keys to have restricted scopes starting June 19, 2026. Unrestricted keys will automatically stop working after this date.

How to Restrict Your Sandbox Key:

  1. Open the GCP API Credentials page and select your sandbox project (waycup-kevin-sandbox or waycup-brenn-sandbox).
  2. Click on your active API key (e.g., Gemini API Sandbox Key).
  3. Scroll down to API Restrictions and select Restrict key.
  4. In the dropdown list, find and select Generative Language API (generativelanguage.googleapis.com).
  5. Click Save.

Note: API key restrictions can take up to 5 minutes to propagate globally before they take effect.
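The same restriction applied from the command line, plus an audit that flags keys still missing one, as an added example that is not part of WayCup's own tooling. It assumes gcloud is installed and authenticated against the sandbox project, and that the `value(name,restrictions.apiTargets[].service)` projection prints an empty second column for unrestricted keys (verify against your gcloud version).

```shell
#!/usr/bin/env bash
# Added example (not WayCup tooling): find API keys in a sandbox project that
# still have no API restriction before the June 19, 2026 cutoff, and print the
# gcloud command that applies the Generative Language restriction to each.
set -eu

# Reads lines of "<key resource name>TAB<restricted services or empty>" on stdin
# and prints the resource name of every key whose service list is empty.
flag_unrestricted_keys() {
  while IFS="$(printf '\t')" read -r name services; do
    [ -n "$name" ] || continue
    if [ -z "$services" ]; then
      printf '%s\n' "$name"
    fi
  done
}

# Builds the remediation command for one key (key ID or full resource name).
restrict_command() {
  printf 'gcloud services api-keys update %s --api-target=service=generativelanguage.googleapis.com\n' "$1"
}

# Lists keys in the project and reports the unrestricted ones with their fix.
# Assumed projection: key name plus the service of each apiTargets entry.
audit_project() {
  project="$1"
  gcloud services api-keys list --project "$project" \
    --format="value(name,restrictions.apiTargets[].service)" \
    | flag_unrestricted_keys \
    | while read -r key; do
        echo "UNRESTRICTED: $key"
        echo "  fix: $(restrict_command "$key")"
      done
}

# Usage: audit_project waycup-brenn-sandbox
```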

🛠️ How to Load Your Sandbox Key (Brenn’s Environment Setup Steps)

Depending on your local workflow preferences inside WSL2, choose one of these two methods to persist your GEMINI_API_KEY so that your local tools and agents pick it up automatically:

Method A: The WayCup Standard (Dynamic 1Password CLI)

Best for credential safety and keeping keys off your local hard drive.

  1. Open your 1Password app or run the 1Password CLI inside WSL2.
  2. Create a new Secure Note or Password item in your WayCup Security Vault:
    • Title: Gemini API Sandbox - Brenn
    • Field Name / Value: Save your API Key (AIzaSyCvNCGStfVirU1NRQBiK4TSmY--V9q3MwU) inside the credential field.
  3. Fetch the item’s URI (it should look like op://WayCup Security/Gemini API Sandbox - Brenn/credential or similar depending on field mapping).
  4. Open your WSL2 terminal profile (nano ~/.bashrc or nano ~/.zshrc) and append the following line at the bottom:
    # Dynamically load Brenn's sandbox key from 1Password on startup
    export GEMINI_API_KEY=$(op read "op://WayCup Security/Gemini API Sandbox - Brenn/credential")
  5. Save, close, and reload your terminal: source ~/.bashrc

Method B: Direct Profile Injection (Fast & Simple)

Best if you do not want to trigger 1Password CLI authorization on every terminal session.

  1. Open your WSL2 terminal.
  2. Edit your shell profile: nano ~/.bashrc (or nano ~/.zshrc if using Zsh).
  3. Scroll to the very bottom and add your key directly as an environment variable:
    # Brenn's Dedicated Sandbox Gemini API Key
    export GEMINI_API_KEY="AIzaSyCvNCGStfVirU1NRQBiK4TSmY--V9q3MwU"
  4. Save and close the editor (Press Ctrl+O, Enter, Ctrl+X in nano).
  5. Reload your profile:
    source ~/.bashrc
  6. Verify your key is active by running: echo $GEMINI_API_KEY
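A loader for Method A that also gives a safer verification step for either method, as an added example that is not part of WayCup's own tooling: it reads the key through the 1Password CLI, checks the expected Google key shape (39 characters starting with AIza), and prints only a fingerprint instead of echoing the full secret into your terminal scrollback. The op:// URI is the one from the Secret Registry table; swap in your own.

```shell
#!/usr/bin/env bash
# Added example (not WayCup tooling): load the sandbox key from 1Password and
# verify it WITHOUT printing the secret. Never falls back to a hardcoded key.
set -eu

# Copy the URI for your project from the Secret Registry table.
GEMINI_KEY_URI="op://WayCup Security/Gemini API Sandbox - Brenn/credential"

# Google API keys are 39 characters long and start with "AIza".
key_looks_valid() {
  case "$1" in
    AIza*) [ "${#1}" -eq 39 ] ;;
    *) return 1 ;;
  esac
}

# Fingerprint only: first 6 and last 4 characters, enough to compare with the
# value stored in 1Password without exposing the whole key.
redact_key() {
  k="$1"
  lead="${k%"${k#??????}"}"   # first 6 characters
  trail="${k#"${k%????}"}"    # last 4 characters
  printf '%s...%s\n' "$lead" "$trail"
}

# Read the key via `op read`, validate its shape, export it, show the fingerprint.
load_gemini_key() {
  command -v op >/dev/null 2>&1 || { echo "op CLI not installed" >&2; return 1; }
  k="$(op read "$GEMINI_KEY_URI")" || return 1
  key_looks_valid "$k" || { echo "key has unexpected format" >&2; return 1; }
  export GEMINI_API_KEY="$k"
  echo "GEMINI_API_KEY loaded: $(redact_key "$k")"
}

# Usage (in ~/.bashrc instead of a bare `op read`): load_gemini_key
```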

📉 Brenn’s Spend Optimization Guide (For Brenn Almario)

Brenn, to keep our workspace running lean, mean, and “Weightless,” please follow these three rules:

1. Watch the “128k Context Wall” (The Double-Price Rule)

Google bills Gemini Pro models at double rates when a single prompt context crosses 128,000 tokens.

  • Action: Do NOT feed entire codebase directories, unchunked media transcripts, or large datasets into a single prompt.
  • Method: Chunk your files or utilize precision vector searches (RAG) instead of a raw “read-all” command.

2. Copy the Universal Ignore List

Always verify that your local workspaces have a valid .geminiignore file in the root. If one is missing, copy it from /home/kevindockman/.geminiignore.

  • Action: This prevents automated agents or CLI scrapers from reading heavy binaries (.png, .pdf, .zip, .mp4) or deep build directories (node_modules/, .next/, dist/), saving millions of unwanted input tokens.

3. Flash-First Default

Use Gemini 1.5/3 Flash for all high-frequency, iterative tasks (like running tests, code formatting, and simple diagnostics). Reserve Gemini Pro for complex architectural designs, deep debugging, and multi-file code synthesis.
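A pre-flight guard for rule 1, as an added example that is not part of WayCup's own tooling: it estimates the token count of the files you are about to hand an agent and blocks the call when the total crosses the 128,000-token wall. The 4-bytes-per-token ratio is an assumption (a rough heuristic, not Google's tokenizer), so treat the result as an early warning rather than an exact bill.

```shell
#!/usr/bin/env bash
# Added example (not WayCup tooling): refuse to build a prompt that would cross
# the 128k-token tier where Gemini Pro pricing doubles.
set -eu

CONTEXT_WALL_TOKENS=128000
# Assumption: roughly 4 bytes per token for English text and source code.
BYTES_PER_TOKEN=4

# Sum the byte sizes of the given files and convert to an estimated token count.
estimate_tokens() {
  total=0
  for f in "$@"; do
    bytes=$(wc -c < "$f")
    total=$((total + bytes))
  done
  echo $((total / BYTES_PER_TOKEN))
}

# List files that individually exceed the wall, so you know what to chunk first.
oversized_files() {
  for f in "$@"; do
    t=$(( $(wc -c < "$f") / BYTES_PER_TOKEN ))
    [ "$t" -gt "$CONTEXT_WALL_TOKENS" ] && echo "$f (~${t} tokens)"
  done
  return 0
}

# Return 0 when the estimate stays under the wall, 1 when it crosses it.
check_context_budget() {
  tokens=$(estimate_tokens "$@")
  if [ "$tokens" -gt "$CONTEXT_WALL_TOKENS" ]; then
    echo "BLOCKED: ~${tokens} tokens crosses the ${CONTEXT_WALL_TOKENS} wall; chunk or use RAG" >&2
    oversized_files "$@" >&2
    return 1
  fi
  echo "OK: ~${tokens} tokens"
}

# Usage: check_context_budget src/*.ts docs/transcript.txt && run-your-agent
```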


🔗 Linking Sandbox Projects to the Billing Account

Because billing account actions require Billing Administrator IAM roles, these steps must be taken manually in the Google Cloud Console:

  1. Open the GCP Billing Console.
  2. Click on “Account Management” in the sidebar.
  3. Find your active billing account.
  4. Under the “Projects Linked to this Billing Account” tab, click “Link Project”.
  5. Select waycup-kevin-sandbox and waycup-brenn-sandbox, and click “Link”.