packages/core/src/services/sandboxManager.ts

/**
 * @license
 * Copyright 2026 Google LLC
 * SPDX-License-Identifier: Apache-2.0
 */

import os from 'node:os';
import path from 'node:path';
import {
  sanitizeEnvironment,
  getSecureSanitizationConfig,
  type EnvironmentSanitizationConfig,
} from './environmentSanitization.js';
/**
 * Security boundaries and permissions applied to a specific sandboxed execution.
 */
export interface ExecutionPolicy {
  /** Additional absolute paths to grant full read/write access to. */
  allowedPaths?: string[];
  /** Absolute paths to explicitly deny read/write access to (overrides allowlists). */
  forbiddenPaths?: string[];
  /** Whether network access is allowed. */
  networkAccess?: boolean;
  /** Rules for scrubbing sensitive environment variables. */
  sanitizationConfig?: Partial<EnvironmentSanitizationConfig>;
}

/**
 * Global configuration options used to initialize a SandboxManager.
 */
export interface GlobalSandboxOptions {
  /**
   * The primary workspace path the sandbox is anchored to.
   * This directory is granted full read and write access.
   */
  workspace: string;
}

/**
 * Request for preparing a command to run in a sandbox.
 */
export interface SandboxRequest {
  /** The program to execute. */
  command: string;
  /** Arguments for the program. */
  args: string[];
  /** The working directory. */
  cwd: string;
  /** Environment variables to be passed to the program. */
  env: NodeJS.ProcessEnv;
  /** Policy to use for this request. */
  policy?: ExecutionPolicy;
}

/**
 * A command that has been prepared for sandboxed execution.
 */
export interface SandboxedCommand {
  /** The program or wrapper to execute. */
  program: string;
  /** Final arguments for the program. */
  args: string[];
  /** Sanitized environment variables. */
  env: NodeJS.ProcessEnv;
  /** The working directory. */
  cwd?: string;
}

/**
 * Interface for a service that prepares commands for sandboxed execution.
 */
export interface SandboxManager {
  /**
   * Prepares a command to run in a sandbox, including environment sanitization.
   */
  prepareCommand(req: SandboxRequest): Promise<SandboxedCommand>;
}

/**
 * Files that represent the governance or "constitution" of the repository
 * and should be write-protected in any sandbox.
 */
export const GOVERNANCE_FILES = [
  { path: '.gitignore', isDirectory: false },
  { path: '.geminiignore', isDirectory: false },
  { path: '.git', isDirectory: true },
] as const;

/**
 * A no-op implementation of SandboxManager that silently passes commands
 * through while applying environment sanitization.
 */
export class NoopSandboxManager implements SandboxManager {
  /**
   * Prepares a command by sanitizing the environment and passing through
   * the original program and arguments.
   */
  async prepareCommand(req: SandboxRequest): Promise<SandboxedCommand> {
    const sanitizationConfig = getSecureSanitizationConfig(
      req.policy?.sanitizationConfig,
    );

    const sanitizedEnv = sanitizeEnvironment(req.env, sanitizationConfig);

    return {
      program: req.command,
      args: req.args,
      env: sanitizedEnv,
    };
  }
}

/**
 * SandboxManager that implements actual sandboxing.
 */
export class LocalSandboxManager implements SandboxManager {
  async prepareCommand(_req: SandboxRequest): Promise<SandboxedCommand> {
    throw new Error('Tool sandboxing is not yet implemented.');
  }
}

/**
 * Sanitizes an array of paths by deduplicating them and ensuring they are absolute.
 */
export function sanitizePaths(paths?: string[]): string[] | undefined {
  if (!paths) return undefined;

  // We use a Map to deduplicate paths based on their normalized,
  // platform-specific identity e.g. handling case-insensitivity on Windows)
  // while preserving the original string casing.
  const uniquePathsMap = new Map<string, string>();
  for (const p of paths) {
    if (!path.isAbsolute(p)) {
      throw new Error(`Sandbox path must be absolute: ${p}`);
    }

    // Normalize the path (resolves slashes and redundant components)
    let key = path.normalize(p);

    // Windows file systems are case-insensitive, so we lowercase the key for
    // deduplication
    if (os.platform() === 'win32') {
      key = key.toLowerCase();
    }

    if (!uniquePathsMap.has(key)) {
      uniquePathsMap.set(key, p);
    }
  }

  return Array.from(uniquePathsMap.values());
}
export { createSandboxManager } from './sandboxManagerFactory.js';
feat(core): implement SandboxManager interface and config schema (#21774 ) 2026-03-11 14:42:50 -07:00			`/**`
			`* @license`
feat(core): integrate SandboxManager to sandbox all process-spawning tools (#22231 ) 2026-03-13 14:11:51 -07:00			`* Copyright 2026 Google LLC`
feat(core): implement SandboxManager interface and config schema (#21774 ) 2026-03-11 14:42:50 -07:00			`* SPDX-License-Identifier: Apache-2.0`
			`*/`

feat(core): refactor SandboxManager to a stateless architecture and introduce explicit Deny interface (#23141 ) 2026-03-23 11:43:58 -04:00			`import os from 'node:os';`
			`import path from 'node:path';`
feat(core): implement SandboxManager interface and config schema (#21774 ) 2026-03-11 14:42:50 -07:00			`import {`
			`sanitizeEnvironment,`
Linux sandbox bubblewrap (#22680 ) 2026-03-16 21:34:48 +00:00			`getSecureSanitizationConfig,`
feat(core): implement SandboxManager interface and config schema (#21774 ) 2026-03-11 14:42:50 -07:00			`type EnvironmentSanitizationConfig,`
			`} from './environmentSanitization.js';`
feat(core): refactor SandboxManager to a stateless architecture and introduce explicit Deny interface (#23141 ) 2026-03-23 11:43:58 -04:00			`/**`
			`* Security boundaries and permissions applied to a specific sandboxed execution.`
			`*/`
			`export interface ExecutionPolicy {`
			`/** Additional absolute paths to grant full read/write access to. */`
			`allowedPaths?: string[];`
			`/** Absolute paths to explicitly deny read/write access to (overrides allowlists). */`
			`forbiddenPaths?: string[];`
			`/** Whether network access is allowed. */`
			`networkAccess?: boolean;`
			`/** Rules for scrubbing sensitive environment variables. */`
			`sanitizationConfig?: Partial<EnvironmentSanitizationConfig>;`
			`}`

			`/**`
			`* Global configuration options used to initialize a SandboxManager.`
			`*/`
			`export interface GlobalSandboxOptions {`
			`/**`
			`* The primary workspace path the sandbox is anchored to.`
			`* This directory is granted full read and write access.`
			`*/`
			`workspace: string;`
			`}`
feat(core): implement SandboxManager interface and config schema (#21774 ) 2026-03-11 14:42:50 -07:00
			`/**`
			`* Request for preparing a command to run in a sandbox.`
			`*/`
			`export interface SandboxRequest {`
			`/** The program to execute. */`
			`command: string;`
			`/** Arguments for the program. */`
			`args: string[];`
			`/** The working directory. */`
			`cwd: string;`
			`/** Environment variables to be passed to the program. */`
			`env: NodeJS.ProcessEnv;`
feat(core): refactor SandboxManager to a stateless architecture and introduce explicit Deny interface (#23141 ) 2026-03-23 11:43:58 -04:00			`/** Policy to use for this request. */`
			`policy?: ExecutionPolicy;`
feat(core): implement SandboxManager interface and config schema (#21774 ) 2026-03-11 14:42:50 -07:00			`}`

			`/**`
			`* A command that has been prepared for sandboxed execution.`
			`*/`
			`export interface SandboxedCommand {`
			`/** The program or wrapper to execute. */`
			`program: string;`
			`/** Final arguments for the program. */`
			`args: string[];`
			`/** Sanitized environment variables. */`
			`env: NodeJS.ProcessEnv;`
feat(core): integrate SandboxManager to sandbox all process-spawning tools (#22231 ) 2026-03-13 14:11:51 -07:00			`/** The working directory. */`
			`cwd?: string;`
feat(core): implement SandboxManager interface and config schema (#21774 ) 2026-03-11 14:42:50 -07:00			`}`

			`/**`
			`* Interface for a service that prepares commands for sandboxed execution.`
			`*/`
			`export interface SandboxManager {`
			`/**`
			`* Prepares a command to run in a sandbox, including environment sanitization.`
			`*/`
			`prepareCommand(req: SandboxRequest): Promise<SandboxedCommand>;`
			`}`

Implementation of sandbox "Write-Protected" Governance Files (#23139 ) 2026-03-24 04:04:17 +00:00			`/**`
			`* Files that represent the governance or "constitution" of the repository`
			`* and should be write-protected in any sandbox.`
			`*/`
			`export const GOVERNANCE_FILES = [`
			`{ path: '.gitignore', isDirectory: false },`
			`{ path: '.geminiignore', isDirectory: false },`
			`{ path: '.git', isDirectory: true },`
			`] as const;`

feat(core): implement SandboxManager interface and config schema (#21774 ) 2026-03-11 14:42:50 -07:00			`/**`
			`* A no-op implementation of SandboxManager that silently passes commands`
			`* through while applying environment sanitization.`
			`*/`
			`export class NoopSandboxManager implements SandboxManager {`
			`/**`
			`* Prepares a command by sanitizing the environment and passing through`
			`* the original program and arguments.`
			`*/`
			`async prepareCommand(req: SandboxRequest): Promise<SandboxedCommand> {`
Linux sandbox bubblewrap (#22680 ) 2026-03-16 21:34:48 +00:00			`const sanitizationConfig = getSecureSanitizationConfig(`
feat(core): refactor SandboxManager to a stateless architecture and introduce explicit Deny interface (#23141 ) 2026-03-23 11:43:58 -04:00			`req.policy?.sanitizationConfig,`
Linux sandbox bubblewrap (#22680 ) 2026-03-16 21:34:48 +00:00			`);`
feat(core): implement SandboxManager interface and config schema (#21774 ) 2026-03-11 14:42:50 -07:00
			`const sanitizedEnv = sanitizeEnvironment(req.env, sanitizationConfig);`

			`return {`
			`program: req.command,`
			`args: req.args,`
			`env: sanitizedEnv,`
			`};`
			`}`
			`}`
feat(core): integrate SandboxManager to sandbox all process-spawning tools (#22231 ) 2026-03-13 14:11:51 -07:00
			`/**`
			`* SandboxManager that implements actual sandboxing.`
			`*/`
			`export class LocalSandboxManager implements SandboxManager {`
			`async prepareCommand(_req: SandboxRequest): Promise<SandboxedCommand> {`
			`throw new Error('Tool sandboxing is not yet implemented.');`
			`}`
			`}`

feat(core): refactor SandboxManager to a stateless architecture and introduce explicit Deny interface (#23141 ) 2026-03-23 11:43:58 -04:00			`/**`
			`* Sanitizes an array of paths by deduplicating them and ensuring they are absolute.`
			`*/`
			`export function sanitizePaths(paths?: string[]): string[] \| undefined {`
			`if (!paths) return undefined;`

			`// We use a Map to deduplicate paths based on their normalized,`
			`// platform-specific identity e.g. handling case-insensitivity on Windows)`
			`// while preserving the original string casing.`
			`const uniquePathsMap = new Map<string, string>();`
			`for (const p of paths) {`
			`if (!path.isAbsolute(p)) {`
			throw new Error(`Sandbox path must be absolute: ${p}`);
			`}`

			`// Normalize the path (resolves slashes and redundant components)`
			`let key = path.normalize(p);`

			`// Windows file systems are case-insensitive, so we lowercase the key for`
			`// deduplication`
			`if (os.platform() === 'win32') {`
			`key = key.toLowerCase();`
			`}`

			`if (!uniquePathsMap.has(key)) {`
			`uniquePathsMap.set(key, p);`
			`}`
			`}`

			`return Array.from(uniquePathsMap.values());`
			`}`
feat(core): implement native Windows sandboxing (#21807 ) 2026-03-19 15:25:22 -07:00			`export { createSandboxManager } from './sandboxManagerFactory.js';`