packages/core/src/services/sandboxManager.ts

/**
 * @license
 * Copyright 2026 Google LLC
 * SPDX-License-Identifier: Apache-2.0
 */

import os from 'node:os';
import {
  sanitizeEnvironment,
  getSecureSanitizationConfig,
  type EnvironmentSanitizationConfig,
} from './environmentSanitization.js';
import { LinuxSandboxManager } from '../sandbox/linux/LinuxSandboxManager.js';
import { MacOsSandboxManager } from '../sandbox/macos/MacOsSandboxManager.js';

/**
 * Request for preparing a command to run in a sandbox.
 */
export interface SandboxRequest {
  /** The program to execute. */
  command: string;
  /** Arguments for the program. */
  args: string[];
  /** The working directory. */
  cwd: string;
  /** Environment variables to be passed to the program. */
  env: NodeJS.ProcessEnv;
  /** Optional sandbox-specific configuration. */
  config?: {
    sanitizationConfig?: Partial<EnvironmentSanitizationConfig>;
  };
}

/**
 * A command that has been prepared for sandboxed execution.
 */
export interface SandboxedCommand {
  /** The program or wrapper to execute. */
  program: string;
  /** Final arguments for the program. */
  args: string[];
  /** Sanitized environment variables. */
  env: NodeJS.ProcessEnv;
  /** The working directory. */
  cwd?: string;
}

/**
 * Interface for a service that prepares commands for sandboxed execution.
 */
export interface SandboxManager {
  /**
   * Prepares a command to run in a sandbox, including environment sanitization.
   */
  prepareCommand(req: SandboxRequest): Promise<SandboxedCommand>;
}

/**
 * A no-op implementation of SandboxManager that silently passes commands
 * through while applying environment sanitization.
 */
export class NoopSandboxManager implements SandboxManager {
  /**
   * Prepares a command by sanitizing the environment and passing through
   * the original program and arguments.
   */
  async prepareCommand(req: SandboxRequest): Promise<SandboxedCommand> {
    const sanitizationConfig = getSecureSanitizationConfig(
      req.config?.sanitizationConfig,
    );

    const sanitizedEnv = sanitizeEnvironment(req.env, sanitizationConfig);

    return {
      program: req.command,
      args: req.args,
      env: sanitizedEnv,
    };
  }
}

/**
 * SandboxManager that implements actual sandboxing.
 */
export class LocalSandboxManager implements SandboxManager {
  async prepareCommand(_req: SandboxRequest): Promise<SandboxedCommand> {
    throw new Error('Tool sandboxing is not yet implemented.');
  }
}

/**
 * Creates a sandbox manager based on the provided settings.
 */
export function createSandboxManager(
  sandboxingEnabled: boolean,
  workspace: string,
): SandboxManager {
  if (sandboxingEnabled) {
    if (os.platform() === 'linux') {
      return new LinuxSandboxManager({ workspace });
    }
    if (os.platform() === 'darwin') {
      return new MacOsSandboxManager({ workspace });
    }
    return new LocalSandboxManager();
  }
  return new NoopSandboxManager();
}
feat(core): implement SandboxManager interface and config schema (#21774 ) 2026-03-11 14:42:50 -07:00			`/**`
			`* @license`
feat(core): integrate SandboxManager to sandbox all process-spawning tools (#22231 ) 2026-03-13 14:11:51 -07:00			`* Copyright 2026 Google LLC`
feat(core): implement SandboxManager interface and config schema (#21774 ) 2026-03-11 14:42:50 -07:00			`* SPDX-License-Identifier: Apache-2.0`
			`*/`

Linux sandbox bubblewrap (#22680 ) 2026-03-16 21:34:48 +00:00			`import os from 'node:os';`
feat(core): implement SandboxManager interface and config schema (#21774 ) 2026-03-11 14:42:50 -07:00			`import {`
			`sanitizeEnvironment,`
Linux sandbox bubblewrap (#22680 ) 2026-03-16 21:34:48 +00:00			`getSecureSanitizationConfig,`
feat(core): implement SandboxManager interface and config schema (#21774 ) 2026-03-11 14:42:50 -07:00			`type EnvironmentSanitizationConfig,`
			`} from './environmentSanitization.js';`
Linux sandbox bubblewrap (#22680 ) 2026-03-16 21:34:48 +00:00			`import { LinuxSandboxManager } from '../sandbox/linux/LinuxSandboxManager.js';`
feat(core): implement strict macOS sandboxing using Seatbelt allowlist (#22832 ) 2026-03-18 16:07:54 -04:00			`import { MacOsSandboxManager } from '../sandbox/macos/MacOsSandboxManager.js';`
feat(core): implement SandboxManager interface and config schema (#21774 ) 2026-03-11 14:42:50 -07:00
			`/**`
			`* Request for preparing a command to run in a sandbox.`
			`*/`
			`export interface SandboxRequest {`
			`/** The program to execute. */`
			`command: string;`
			`/** Arguments for the program. */`
			`args: string[];`
			`/** The working directory. */`
			`cwd: string;`
			`/** Environment variables to be passed to the program. */`
			`env: NodeJS.ProcessEnv;`
			`/** Optional sandbox-specific configuration. */`
			`config?: {`
			`sanitizationConfig?: Partial<EnvironmentSanitizationConfig>;`
			`};`
			`}`

			`/**`
			`* A command that has been prepared for sandboxed execution.`
			`*/`
			`export interface SandboxedCommand {`
			`/** The program or wrapper to execute. */`
			`program: string;`
			`/** Final arguments for the program. */`
			`args: string[];`
			`/** Sanitized environment variables. */`
			`env: NodeJS.ProcessEnv;`
feat(core): integrate SandboxManager to sandbox all process-spawning tools (#22231 ) 2026-03-13 14:11:51 -07:00			`/** The working directory. */`
			`cwd?: string;`
feat(core): implement SandboxManager interface and config schema (#21774 ) 2026-03-11 14:42:50 -07:00			`}`

			`/**`
			`* Interface for a service that prepares commands for sandboxed execution.`
			`*/`
			`export interface SandboxManager {`
			`/**`
			`* Prepares a command to run in a sandbox, including environment sanitization.`
			`*/`
			`prepareCommand(req: SandboxRequest): Promise<SandboxedCommand>;`
			`}`

			`/**`
			`* A no-op implementation of SandboxManager that silently passes commands`
			`* through while applying environment sanitization.`
			`*/`
			`export class NoopSandboxManager implements SandboxManager {`
			`/**`
			`* Prepares a command by sanitizing the environment and passing through`
			`* the original program and arguments.`
			`*/`
			`async prepareCommand(req: SandboxRequest): Promise<SandboxedCommand> {`
Linux sandbox bubblewrap (#22680 ) 2026-03-16 21:34:48 +00:00			`const sanitizationConfig = getSecureSanitizationConfig(`
			`req.config?.sanitizationConfig,`
			`);`
feat(core): implement SandboxManager interface and config schema (#21774 ) 2026-03-11 14:42:50 -07:00
			`const sanitizedEnv = sanitizeEnvironment(req.env, sanitizationConfig);`

			`return {`
			`program: req.command,`
			`args: req.args,`
			`env: sanitizedEnv,`
			`};`
			`}`
			`}`
feat(core): integrate SandboxManager to sandbox all process-spawning tools (#22231 ) 2026-03-13 14:11:51 -07:00
			`/**`
			`* SandboxManager that implements actual sandboxing.`
			`*/`
			`export class LocalSandboxManager implements SandboxManager {`
			`async prepareCommand(_req: SandboxRequest): Promise<SandboxedCommand> {`
			`throw new Error('Tool sandboxing is not yet implemented.');`
			`}`
			`}`

			`/**`
			`* Creates a sandbox manager based on the provided settings.`
			`*/`
			`export function createSandboxManager(`
			`sandboxingEnabled: boolean,`
Linux sandbox bubblewrap (#22680 ) 2026-03-16 21:34:48 +00:00			`workspace: string,`
feat(core): integrate SandboxManager to sandbox all process-spawning tools (#22231 ) 2026-03-13 14:11:51 -07:00			`): SandboxManager {`
			`if (sandboxingEnabled) {`
Linux sandbox bubblewrap (#22680 ) 2026-03-16 21:34:48 +00:00			`if (os.platform() === 'linux') {`
			`return new LinuxSandboxManager({ workspace });`
			`}`
feat(core): implement strict macOS sandboxing using Seatbelt allowlist (#22832 ) 2026-03-18 16:07:54 -04:00			`if (os.platform() === 'darwin') {`
			`return new MacOsSandboxManager({ workspace });`
			`}`
feat(core): integrate SandboxManager to sandbox all process-spawning tools (#22231 ) 2026-03-13 14:11:51 -07:00			`return new LocalSandboxManager();`
			`}`
			`return new NoopSandboxManager();`
			`}`