feat(core): integrate SandboxManager to sandbox all process-spawning tools

- Integrate `SandboxManager` into `Config` and `AgentLoopContext`.
- Refactor `ShellExecutionService` to use sandboxing for PTY and child process spawns.
- Update `GrepTool`, `ShellTool`, and `ToolRegistry` to execute commands via `SandboxManager`.
- Ensure consistent environment sanitization in `spawnAsync` and `execStreaming` utilities.
- Address PR review feedback and fix compilation/lint errors:
    - Respect user redaction settings in `NoopSandboxManager`.
    - Use idiomatic `async/await` in `GrepTool` availability checks.
    - Update license headers to 2026.
    - Fix cross-package build errors and exports.
    - Resolve all TypeScript and ESLint warnings/errors.
- Update `sandboxConfig.test.ts` to match new `SandboxConfig` schema.

packages/a2a-server/src/commands/memory.ts

@@ -102,6 +102,7 @@ export class AddMemoryCommand implements Command {
       const signal = abortController.signal;
       await tool.buildAndExecute(result.toolArgs, signal, undefined, {
         sanitizationConfig: DEFAULT_SANITIZATION_CONFIG,
+        sandboxManager: context.config.sandboxManager,
       });
       await refreshMemory(context.config);
       return {

packages/a2a-server/src/utils/testing_utils.ts

@@ -20,6 +20,7 @@ import {
   tmpdir,
   type Config,
   type Storage,
+  NoopSandboxManager,
 } from '@google/gemini-cli-core';
 import { createMockMessageBus } from '@google/gemini-cli-core/src/test-utils/mock-message-bus.js';
 import { expect, vi } from 'vitest';
@@ -73,6 +74,14 @@ export function createMockConfig(
     }),
     getGitService: vi.fn(),
     validatePathAccess: vi.fn().mockReturnValue(undefined),
+    getShellExecutionConfig: vi.fn().mockReturnValue({
+      sandboxManager: new NoopSandboxManager(),
+      sanitizationConfig: {
+        allowedEnvironmentVariables: [],
+        blockedEnvironmentVariables: [],
+        enableEnvironmentVariableRedaction: false,
+      },
+    }),
     ...overrides,
   } as unknown as Config;