feat(core): implement native Windows sandboxing with restricted tokens

mkorwel
2026-03-09 19:27:28 -07:00
parent 002a57efeb
commit 1cb703b405
8 changed files with 580 additions and 5 deletions
+5 -1
@@ -29,6 +29,7 @@ const VALID_SANDBOX_COMMANDS: ReadonlyArray<SandboxConfig['command']> = [
'sandbox-exec',
'runsc',
'lxc',
'windows-native',
];
function isSandboxCommand(
@@ -95,6 +96,8 @@ function getSandboxCommand(
// note: runsc is NOT auto-detected, it must be explicitly specified
if (os.platform() === 'darwin' && commandExists.sync('sandbox-exec')) {
return 'sandbox-exec';
} else if (os.platform() === 'win32') {
return 'windows-native';
} else if (commandExists.sync('docker') && sandbox === true) {
return 'docker';
} else if (commandExists.sync('podman') && sandbox === true) {
@@ -128,7 +131,8 @@ export async function loadSandboxConfig(
process.env['GEMINI_SANDBOX_IMAGE_DEFAULT'] ??
packageJson?.config?.sandboxImageUri;
return command && image
return command &&
(image || command === 'sandbox-exec' || command === 'windows-native')
? { enabled: true, allowedPaths: [], networkAccess: false, command, image }
: undefined;
}
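Review bot: The new win32 branch in getSandboxCommand (second hunk) sits ahead of the docker and podman checks, so a Windows host that has a container runtime and `sandbox === true` now silently gets the restricted-token sandbox instead of the container it used before; a restricted token is a weaker isolation boundary than a container, so that downgrade should not happen by default. Move the branch below the podman check so an available container runtime keeps precedence, or treat it like runsc per the comment above (explicit selection only), and record the choice next to that comment: `// note: windows-native is auto-selected only when no container runtime is available`. Unlike the other branches, nothing here checks that the native sandbox is usable on the current host, so if it can fail at startup there is no fallback path. In the third hunk the returned config still reports `networkAccess: false` for windows-native; restricted tokens on their own do not constrain network access, so confirm the native implementation enforces that or the field overstates the guarantee. getSandboxCommand and loadSandboxConfig both start outside the hunks.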