feat(sandbox): dynamic macOS sandbox expansion and worktree support (#23301)

integration-tests/policy-headless.test.ts

@@ -183,11 +183,17 @@ describe('Policy Engine Headless Mode', () => {
       responsesFile: 'policy-headless-shell-denied.responses',
       promptCommand: ECHO_PROMPT,
       policyContent: `
+        [[rule]]
+        toolName = "run_shell_command"
+        commandPrefix = "echo"
+        decision = "deny"
+        priority = 100
+
         [[rule]]
         toolName = "run_shell_command"
         commandPrefix = "node"
         decision = "allow"
-        priority = 100
+        priority = 90
       `,
       expectAllowed: false,
       expectedDenialString: 'Tool execution denied by policy',

integration-tests/run_shell_command.test.ts

@@ -58,12 +58,18 @@ function getDisallowedFileReadCommand(testFile: string): {
   const quotedPath = `"${testFile}"`;
   switch (shell) {
     case 'powershell':
-      return { command: `Get-Content ${quotedPath}`, tool: 'Get-Content' };
+      return {
+        command: `powershell -Command "Get-Content ${quotedPath}"`,
+        tool: 'powershell',
+      };
     case 'cmd':
-      return { command: `type ${quotedPath}`, tool: 'type' };
+      return { command: `cmd /c type ${quotedPath}`, tool: 'cmd' };
     case 'bash':
     default:
-      return { command: `cat ${quotedPath}`, tool: 'cat' };
+      return {
+        command: `node -e "console.log(require('fs').readFileSync('${testFile}', 'utf8'))"`,
+        tool: 'node',
+      };
   }
 }