From 109a7dc531b1bd92f8cd1688dae2b2f8affe3c65 Mon Sep 17 00:00:00 2001
From: Emily Hedlund <ehedlund@google.com>
Date: Wed, 25 Mar 2026 10:29:46 -0400
Subject: [PATCH] test(core): install bubblewrap on Linux CI for sandbox
 integration tests (#23583)

---
 .github/workflows/ci.yml                      |  6 +++++
 .../sandboxManager.integration.test.ts        | 26 ++++++++++++-------
 2 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 973d88f5f8..1e1f329d5a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -158,6 +158,12 @@ jobs:
       - name: 'Build project'
         run: 'npm run build'
 
+      - name: 'Install system dependencies'
+        run: |
+          sudo apt-get update -qq && sudo DEBIAN_FRONTEND=noninteractive apt-get install -y -qq bubblewrap
+          # Ubuntu 24.04+ requires this to allow bwrap to function in CI
+          sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
+
       - name: 'Install dependencies for testing'
         run: 'npm ci'
 
diff --git a/packages/core/src/services/sandboxManager.integration.test.ts b/packages/core/src/services/sandboxManager.integration.test.ts
index 4cf894cc17..c4bc2f1cc5 100644
--- a/packages/core/src/services/sandboxManager.integration.test.ts
+++ b/packages/core/src/services/sandboxManager.integration.test.ts
@@ -95,26 +95,34 @@ async function runCommand(command: SandboxedCommand) {
 
 /**
  * Determines if the system has the necessary binaries to run the sandbox.
+ * Throws an error if a supported platform is missing its required tools.
  */
-function isSandboxAvailable(): boolean {
-  if (os.platform() === 'win32') {
+function ensureSandboxAvailable(): boolean {
+  const platform = os.platform();
+
+  if (platform === 'win32') {
     // Windows sandboxing relies on icacls, which is a core system utility and
     // always available.
     return true;
   }
 
-  if (os.platform() === 'darwin') {
-    return fs.existsSync('/usr/bin/sandbox-exec');
+  if (platform === 'darwin') {
+    if (fs.existsSync('/usr/bin/sandbox-exec')) {
+      return true;
+    }
+    throw new Error(
+      'Sandboxing tests on macOS require /usr/bin/sandbox-exec to be present.',
+    );
   }
 
-  if (os.platform() === 'linux') {
-    // TODO: Install bubblewrap (bwrap) in Linux CI environments to enable full
-    // integration testing.
+  if (platform === 'linux') {
     try {
       execSync('which bwrap', { stdio: 'ignore' });
       return true;
     } catch {
-      return false;
+      throw new Error(
+        'Sandboxing tests on Linux require bubblewrap (bwrap) to be installed.',
+      );
     }
   }
 
@@ -129,7 +137,7 @@ describe('SandboxManager Integration', () => {
   const shouldSkip =
     manager instanceof NoopSandboxManager ||
     manager instanceof LocalSandboxManager ||
-    !isSandboxAvailable();
+    !ensureSandboxAvailable();
 
   describe.skipIf(shouldSkip)('Cross-platform Sandbox Behavior', () => {
     describe('Basic Execution', () => {