fix(core): batch macOS seatbelt rules into a profile file to prevent ARG_MAX errors (#24255)

packages/core/src/services/sandboxManager.ts

@@ -104,6 +104,8 @@ export interface SandboxedCommand {
   env: NodeJS.ProcessEnv;
   /** The working directory. */
   cwd?: string;
+  /** An optional cleanup function to be called after the command terminates. */
+  cleanup?: () => void;
 }
 
 /**

packages/core/src/services/shellExecutionService.ts

@@ -367,8 +367,9 @@ export class ShellExecutionService {
   ): Promise<{
     program: string;
     args: string[];
-    env: Record<string, string | undefined>;
+    env: NodeJS.ProcessEnv;
     cwd: string;
+    cleanup?: () => void;
   }> {
     const sandboxManager =
       shellExecutionConfig.sandboxManager ?? new NoopSandboxManager();
@@ -474,6 +475,7 @@ export class ShellExecutionService {
       args: sandboxedCommand.args,
       env: sandboxedCommand.env,
       cwd: sandboxedCommand.cwd ?? cwd,
+      cleanup: sandboxedCommand.cleanup,
     };
   }
 
@@ -493,6 +495,7 @@ export class ShellExecutionService {
         args: finalArgs,
         env: finalEnv,
         cwd: finalCwd,
+        cleanup: cmdCleanup,
       } = await this.prepareExecution(
         commandToExecute,
         cwd,
@@ -661,6 +664,7 @@ export class ShellExecutionService {
         signal: NodeJS.Signals | null,
       ) => {
         cleanup();
+        cmdCleanup?.();
 
         let combinedOutput = state.output;
         if (state.truncated) {
@@ -810,6 +814,7 @@ export class ShellExecutionService {
         args: finalArgs,
         env: finalEnv,
         cwd: finalCwd,
+        cleanup: cmdCleanup,
       } = await this.prepareExecution(
         commandToExecute,
         cwd,
@@ -1104,6 +1109,7 @@ export class ShellExecutionService {
 
           const finalize = () => {
             render(true);
+            cmdCleanup?.();
 
             const event: ShellOutputEvent = {
               type: 'exit',