docs: update sandboxing documentation and toolSandboxing settings (#24655)

docs/cli/sandbox.md

@@ -136,6 +136,58 @@ gemini -p "build the snap"
   absolute path — the path must be writable inside the container.
 - Used with tools like Snapcraft or Rockcraft that require a full system.
 
+## Tool sandboxing
+
+Tool-level sandboxing provides granular isolation for individual tool executions
+(like `shell_exec` and `write_file`) instead of sandboxing the entire Gemini CLI
+process.
+
+This approach offers better integration with your local environment for non-tool
+tasks (like UI rendering and configuration loading) while still providing
+security for tool-driven operations.
+
+### How to turn off tool sandboxing
+
+If you experience issues with tool sandboxing or prefer full-process isolation,
+you can disable it by setting `security.toolSandboxing` to `false` in your
+`settings.json` file.
+
+```json
+{
+  "security": {
+    "toolSandboxing": false
+  }
+}
+```
+
+<!-- prettier-ignore -->
+> [!NOTE]
+> Changing the `security.toolSandboxing` setting requires a restart of Gemini
+> CLI to take effect.
+
+## Sandbox expansion
+
+Sandbox expansion is a dynamic permission system that lets Gemini CLI request
+additional permissions for a command when needed.
+
+When a sandboxed command fails due to permission restrictions (like restricted
+file paths or network access), or when a command is proactively identified as
+requiring extra permissions (like `npm install`), Gemini CLI will present you
+with a "Sandbox Expansion Request."
+
+### How sandbox expansion works
+
+1.  **Detection**: Gemini CLI detects a sandbox denial or proactively identifies
+    a command that requires extra permissions.
+2.  **Request**: A modal dialog is shown, explaining which additional
+    permissions (e.g., specific directories or network access) are required.
+3.  **Approval**: If you approve the expansion, the command is executed with the
+    extended permissions for that specific run.
+
+This mechanism ensures you don't have to manually re-run commands with more
+permissive sandbox settings, while still maintaining control over what the AI
+can access.
+
 ## Quickstart
 
 ```bash

docs/cli/settings.md

@@ -140,7 +140,7 @@ they appear in the UI.
 
 | UI Label                              | Setting                                         | Description                                                                                                                                                                                                                          | Default |
 | ------------------------------------- | ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------- |
-| Tool Sandboxing                       | `security.toolSandboxing`                       | Experimental tool-level sandboxing (implementation in progress).                                                                                                                                                                     | `false` |
+| Tool Sandboxing                       | `security.toolSandboxing`                       | Tool-level sandboxing. Isolates individual tools instead of the entire CLI process.                                                                                                                                                  | `false` |
 | Disable YOLO Mode                     | `security.disableYoloMode`                      | Disable YOLO mode, even if enabled by a flag.                                                                                                                                                                                        | `false` |
 | Disable Always Allow                  | `security.disableAlwaysAllow`                   | Disable "Always allow" options in tool confirmation dialogs.                                                                                                                                                                         | `false` |
 | Allow Permanent Tool Approval         | `security.enablePermanentToolApproval`          | Enable the "Allow for all future sessions" option in tool confirmation dialogs.                                                                                                                                                      | `false` |

docs/reference/configuration.md

@@ -1492,9 +1492,10 @@ their corresponding top-level category object in your `settings.json` file.
 #### `security`
 
 - **`security.toolSandboxing`** (boolean):
-  - **Description:** Experimental tool-level sandboxing (implementation in
+  - **Description:** Tool-level sandboxing. Isolates individual tools instead of
-    progress).
+    the entire CLI process.
   - **Default:** `false`
+  - **Requires restart:** Yes
 
 - **`security.disableYoloMode`** (boolean):
   - **Description:** Disable YOLO mode, even if enabled by a flag.

packages/cli/src/config/settingsSchema.ts

@@ -1711,10 +1711,10 @@ const SETTINGS_SCHEMA = {
         type: 'boolean',
         label: 'Tool Sandboxing',
         category: 'Security',
-        requiresRestart: false,
+        requiresRestart: true,
         default: false,
         description:
-          'Experimental tool-level sandboxing (implementation in progress).',
+          'Tool-level sandboxing. Isolates individual tools instead of the entire CLI process.',
         showInDialog: true,
       },
       disableYoloMode: {

schemas/settings.schema.json

@@ -2574,8 +2574,8 @@
       "properties": {
         "toolSandboxing": {
           "title": "Tool Sandboxing",
-          "description": "Experimental tool-level sandboxing (implementation in progress).",
+          "description": "Tool-level sandboxing. Isolates individual tools instead of the entire CLI process.",
-          "markdownDescription": "Experimental tool-level sandboxing (implementation in progress).\n\n- Category: `Security`\n- Requires restart: `no`\n- Default: `false`",
+          "markdownDescription": "Tool-level sandboxing. Isolates individual tools instead of the entire CLI process.\n\n- Category: `Security`\n- Requires restart: `yes`\n- Default: `false`",
           "default": false,
           "type": "boolean"
         },