Implementation of sandbox "Write-Protected" Governance Files (#23139)

Co-authored-by: Abhi <43648792+abhipatel12@users.noreply.github.com>

packages/core/src/services/sandboxManager.ts

@@ -76,6 +76,16 @@ export interface SandboxManager {
   prepareCommand(req: SandboxRequest): Promise<SandboxedCommand>;
 }
 
+/**
+ * Files that represent the governance or "constitution" of the repository
+ * and should be write-protected in any sandbox.
+ */
+export const GOVERNANCE_FILES = [
+  { path: '.gitignore', isDirectory: false },
+  { path: '.geminiignore', isDirectory: false },
+  { path: '.git', isDirectory: true },
+] as const;
+
 /**
  * A no-op implementation of SandboxManager that silently passes commands
  * through while applying environment sanitization.