test(core): improve sandbox integration test coverage and fix OS-specific failures

[ehedlund]

Summary

This PR significantly improves the integration test coverage for the sandbox environments across all major operating systems (Linux, macOS, Windows). In the process of expanding this test suite to rigorously verify sandbox boundaries and policies, several OS-specific failures were identified and resolved, including initialization inefficiencies and a Bubblewrap permission bug on Linux.

Details

Test Coverage Enhancements (Primary)

• Expanded sandboxManager.integration.test.ts to comprehensively exercise sandbox boundaries across Linux, macOS, and Windows.
• Added explicit verification for edge cases including recursive directory protection, symlink traversal restrictions, and governance file modification prevention.
• Added explicit verification for writing to authorized paths when the workspace is otherwise read-only (Plan Mode).
• Refactored Workspace Setup: Migrated the integration test suite from beforeAll to beforeEach for workspace initialization. Each test case now receives a fresh, isolated temporary directory to prevent state leakage (critical for Windows ACL checks). Added an afterEach cleanup block that specifically tracks and removes isolated test directories, drastically reducing the disk footprint during testing.
• Improved unit testing for bwrapArgsBuilder (Linux) and MacOsSandboxManager (macOS).

Sandbox Logic Fixes (Secondary)

• Linux (bwrap) Security:
  • Fixed a bug where write access to policy-authorized paths was incorrectly denied if the path did not yet exist and the command was not explicitly recognized as a write command.
  • The builder now grants read-write access (--bind-try) to any path in policyAllowed and its parent directory, unless the command is an explicit read-only virtual command (__read), in which case the parent directory is safely bound as read-only.
• Linux (bwrap) & Windows Optimization:
  • Refactored sandbox initialization (ensureGovernanceFilesExist) to ensure that governance files (e.g., .git, .gitignore) are secured and verified exactly once per session workspace, rather than redundantly on every single command execution. This reduces disk I/O and improves performance for long-running sessions.
• Windows:
  • Updated tests to pass pre-existing parent directories to policy.allowedPaths instead of non-existent target files, satisfying the Windows Sandbox requirement that granular access can only be granted to existing filesystem objects.
  • Refactored the native C# helper compilation (ensureHelperCompiled) to be a globally static initialization, ensuring it only compiles once per Node process.

Related Issues

Fixes #24932.

How to Validate

Windows, Linux, macOS

Run integration tests:

npm run test -w @google/gemini-cli-core -- src/services/sandboxManager.integration.test.ts

Linux

Verify unit tests:

npm run test -w @google/gemini-cli-core -- src/sandbox/linux/bwrapArgsBuilder.test.ts

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the robustness of the Linux sandbox environment by introducing comprehensive integration tests and fixing a critical bug. The bug previously prevented write access to policy-authorized paths if they did not yet exist and the command was not explicitly recognized as a write operation, leading to read-only file system errors. The changes ensure that the sandbox consistently grants appropriate write permissions for allowed paths, aligning with the defined execution policy and improving overall sandbox reliability.

Highlights

• Improved Linux Sandbox Integration Test Coverage: Expanded integration tests to rigorously exercise Linux-specific sandbox boundaries, focusing on path authorized writes and Plan Mode transitions.
• Bubblewrap Argument Builder Fix: Resolved EROFS (Read-only file system) errors by modifying the bwrap argument builder to consistently grant read-write access (--bind-try) to any policy-allowed path and its parent directory, regardless of whether the path exists or the command is explicitly a write command.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

Size Change: +617 B (0%)

Total Size: 34.1 MB

Filename	Size	Change
./bundle/chunk-5QH5OA4A.js	0 B	-3.54 MB (removed)	🏆
./bundle/chunk-IWJMJ65W.js	0 B	-3.8 kB (removed)	🏆
./bundle/chunk-O2CPKRMA.js	0 B	-14.9 MB (removed)	🏆
./bundle/core-767S4EZ2.js	0 B	-46.5 kB (removed)	🏆
./bundle/devtoolsService-FAPNKVYS.js	0 B	-28.4 kB (removed)	🏆
./bundle/gemini-RB6EBDCZ.js	0 B	-553 kB (removed)	🏆
./bundle/interactiveCli-74VRSG7V.js	0 B	-1.29 MB (removed)	🏆
./bundle/oauth2-provider-4YD5GUGR.js	0 B	-9.16 kB (removed)	🏆
./bundle/chunk-EXNN4ZFM.js	3.54 MB	+3.54 MB (new file)	🆕
./bundle/chunk-FK25WSS6.js	14.9 MB	+14.9 MB (new file)	🆕
./bundle/chunk-LVPJQMRA.js	3.8 kB	+3.8 kB (new file)	🆕
./bundle/core-YBW6TSR2.js	46.5 kB	+46.5 kB (new file)	🆕
./bundle/devtoolsService-MY3HMAJZ.js	28.4 kB	+28.4 kB (new file)	🆕
./bundle/gemini-7VJOT34A.js	553 kB	+553 kB (new file)	🆕
./bundle/interactiveCli-OFJGNGN2.js	1.29 MB	+1.29 MB (new file)	🆕
./bundle/oauth2-provider-WNKBSSZH.js	9.16 kB	+9.16 kB (new file)	🆕

ℹ️ View Unchanged

Filename	Size	Change
./bundle/bundled/third_party/index.js	8 MB	0 B
./bundle/chunk-34MYV7JD.js	2.45 kB	0 B
./bundle/chunk-5AUYMPVF.js	858 B	0 B
./bundle/chunk-5PS3AYFU.js	1.18 kB	0 B
./bundle/chunk-664ZODQF.js	124 kB	0 B
./bundle/chunk-DAHVX5MI.js	206 kB	0 B
./bundle/chunk-IUUIT4SU.js	56.5 kB	0 B
./bundle/chunk-QM5IP3NK.js	1.97 MB	0 B
./bundle/chunk-RJTRUG2J.js	39.8 kB	0 B
./bundle/cleanup-TA2H66X6.js	0 B	-932 B (removed)	🏆
./bundle/devtools-36NN55EP.js	696 kB	0 B
./bundle/dist-T73EYRDX.js	356 B	0 B
./bundle/events-XB7DADIJ.js	418 B	0 B
./bundle/gemini.js	4.97 kB	0 B
./bundle/getMachineId-bsd-TXG52NKR.js	1.55 kB	0 B
./bundle/getMachineId-darwin-7OE4DDZ6.js	1.55 kB	0 B
./bundle/getMachineId-linux-SHIFKOOX.js	1.34 kB	0 B
./bundle/getMachineId-unsupported-5U5DOEYY.js	1.06 kB	0 B
./bundle/getMachineId-win-6KLLGOI4.js	1.72 kB	0 B
./bundle/memoryDiscovery-MYQ3ZWKM.js	980 B	0 B
./bundle/multipart-parser-KPBZEGQU.js	11.7 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js	222 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js	229 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js	13.4 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js	132 B	0 B
./bundle/sandbox-macos-permissive-open.sb	890 B	0 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB	0 B
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB	0 B
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB	0 B
./bundle/sandbox-macos-strict-open.sb	4.82 kB	0 B
./bundle/sandbox-macos-strict-proxied.sb	5.02 kB	0 B
./bundle/src-QVCVGIUX.js	47 kB	0 B
./bundle/tree-sitter-7U6MW5PS.js	274 kB	0 B
./bundle/tree-sitter-bash-34ZGLXVX.js	1.84 MB	0 B
./bundle/cleanup-X7B2ZAOF.js	932 B	+932 B (new file)	🆕

_{compressed-size-action}

[gemini-code-assist]

Code Review

This pull request simplifies the Linux sandbox argument building by removing the isWriteCommand flag and consistently using --bind-try for parent directories of non-existent paths. Additionally, it significantly enhances the integration test suite for the SandboxManager, introducing comprehensive coverage for virtual commands, environment sanitization, sandbox mode transitions, recursive forbidden path protection, git worktree metadata security, and network access policies. I have no feedback to provide as no issues were identified in the changes.

[Jordanwaslistening]

Sent with Notion Mail <https://www.notion.so/product/mail> On Apr 13, 2026 at 11:29 AM gemini-code-assist[bot] < ***@***.***> wrote: ***@***.***[bot]* commented on this pull request. Code Review This pull request simplifies the Linux sandbox argument building by removing the isWriteCommand flag and consistently using --bind-try for parent directories of non-existent paths. Additionally, it significantly enhances the integration test suite for the SandboxManager, introducing comprehensive coverage for virtual commands, environment sanitization, sandbox mode transitions, recursive forbidden path protection, git worktree metadata security, and network access policies. I have no feedback to provide as no issues were identified in the changes. — Reply to this email directly, view it on GitHub <#25307 (review)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/A6DTLFPMTQQKAG56A5QGA7L4VUPX3AVCNFSM6AAAAACXXVS2YCVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHM2DCMBQGY4DQMBQGY> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[galz10]

Code Review

Scope: Pull Request #25307

This pull request significantly improves the sandbox integration tests by introducing better isolation (fresh workspace per test) and increasing coverage for various sandbox features (virtual commands, environment sanitization, etc.). It also addresses platform-specific bugs, notably by ensuring "governance files" are initialized on macOS to allow the Seatbelt profile to target them effectively, and by simplifying the Linux Bubblewrap argument builder.

Metadata Review

• Title/Description: The title test(core): improve sandbox integration test coverage and fix OS-specific failures is accurate but slightly undersells the impact, as it also includes core logic changes in the SandboxManager implementations for parity and reliability. The description is clear and explains the motivation for the changes well.

Concerns (Action Required)

• [MacOsSandboxManager.ts]: Workspace Pollution: The PR adds logic to automatically create .git, .gitignore, and .geminiignore in the workspace on every command preparation if they don't already exist. While this ensures Seatbelt can protect these paths, it results in hidden files/folders being created in any directory where the CLI is run (e.g., a user's home directory or downloads folder).

  • Suggestion: Consider creating these files only if they are missing and the security policy specifically requires their presence, or document this behavior clearly. Alternatively, if Seatbelt can block creation using (deny file-write-create ...) on the literal path even if it doesn't exist, that would be preferable to "touching" the files.

• [bwrapArgsBuilder.ts]: Linux Security Regression: By removing the isWriteCommand check and always using --bind-try for the parent directory of non-existent allowed paths, the sandbox now grants read-write access to the parent directory even for supposedly read-only commands.

  • Suggestion: If a command is explicitly intended to be read-only (e.g., a __read virtual command), we should use --ro-bind-try for the parent directory instead of --bind-try. This preserves the principle of least privilege.

• [MacOsSandboxManager.ts]: Initialization Inefficiency: The governance file initialization loop (calling touch) runs inside prepareCommand. For long-running sessions with many tool calls, this results in redundant lstat calls and filesystem checks for every single command.

  • Suggestion: Move the initialization to the SandboxManager constructor or a one-time initialize method, or cache the fact that initialization has already been performed for the current workspace.

• [sandboxManager.integration.test.ts]: Temporary Directory Cleanup: The refactor to beforeEach for workspace creation is excellent for isolation. However, since cleanup happens in afterAll, all temporary workspaces for every test in the file will persist on disk until the entire suite finishes.

  • Suggestion: Move the rmSync logic for the current workspace into an afterEach block to keep the disk footprint minimal during test execution, while keeping afterAll as a fail-safe for other temporary directories created via createTempDir.

Nits (Suggestions)

• [MacOsSandboxManager.ts]: touch Implementation: The check if (fs.lstatSync(filePath)) return; is slightly redundant because lstatSync will either throw or return a truthy Stats object. A simpler try { fs.lstatSync(filePath); return; } catch {} is sufficient and avoids the unnecessary truthiness check.
• [MacOsSandboxManager.ts]: touch Error Handling: The catch block in touch ignores all errors. It would be safer to specifically catch ENOENT and let other errors (like EACCES) bubble up to help diagnose permission issues in the test environment.
• [bwrapArgsBuilder.ts]: Comment Accuracy: The comment "Bind the parent directory as read-write" is correct given the implementation change, but it highlights the security concern mentioned above.

[ehedlund]

• Initialization Efficiency: Optimized both Windows and Linux implementations to initialize governance files exactly once per workspace session instead of on every command execution.
• Linux Security: Introduced an isReadOnlyCommand check to grant read-write access to parent directories for normal shell commands while strictly enforcing read-only access for the virtual __read command.
• Mac Workspace Pollution: Removed automatic governance file creation on macOS, as Seatbelt rules protect those paths natively even if they don't exist.
• Test Suite Reliability: Streamlined integration tests by migrating to a per-test isolated workspace setup with an automated afterEach cleanup block to prevent state leakage and reduce disk footprint.
• Code Parity & Quality: Harmonized the touch and ensureGovernanceFilesExist logic and naming across OS-specific managers.

[DavidAPierce]

LGTM. Thanks for tackling this!

Comments addressed, David gave approval