feat(core): implement windows sandbox expansion and denial detection (#24027)

2026-04-11 05:41:08 -07:00 · 2026-03-27 15:35:01 -07:00
parent 4034c030e7
commit 9e74a7ec18
5 changed files with 175 additions and 22 deletions
--- a/packages/core/src/services/sandboxManager.test.ts
+++ b/packages/core/src/services/sandboxManager.test.ts
@@ -10,7 +10,6 @@ import fsPromises from 'node:fs/promises';
 import { afterEach, describe, expect, it, vi, beforeEach } from 'vitest';
 import {
  NoopSandboxManager,
-  LocalSandboxManager,
  sanitizePaths,
  findSecretFiles,
  isSecretFile,
@@ -374,6 +373,7 @@ describe('SandboxManager', () => {
    it.each([
      { platform: 'linux', expected: LinuxSandboxManager },
      { platform: 'darwin', expected: MacOsSandboxManager },
+      { platform: 'win32', expected: WindowsSandboxManager },
    ] as const)(
      'should return $expected.name if sandboxing is enabled and platform is $platform',
      ({ platform, expected }) => {
@@ -385,23 +385,5 @@ describe('SandboxManager', () => {
        expect(manager).toBeInstanceOf(expected);
      },
    );
-
-    it("should return WindowsSandboxManager if sandboxing is enabled with 'windows-native' command on win32", () => {
-      vi.spyOn(os, 'platform').mockReturnValue('win32');
-      const manager = createSandboxManager(
-        { enabled: true, command: 'windows-native' },
-        { workspace: '/workspace' },
-      );
-      expect(manager).toBeInstanceOf(WindowsSandboxManager);
-    });
-
-    it('should return LocalSandboxManager on win32 if command is not windows-native', () => {
-      vi.spyOn(os, 'platform').mockReturnValue('win32');
-      const manager = createSandboxManager(
-        { enabled: true, command: 'docker' as unknown as 'windows-native' },
-        { workspace: '/workspace' },
-      );
-      expect(manager).toBeInstanceOf(LocalSandboxManager);
-    });
  });
 });
--- a/packages/core/src/services/sandboxManagerFactory.ts
+++ b/packages/core/src/services/sandboxManagerFactory.ts
@@ -33,7 +33,7 @@ export function createSandboxManager(
  }

  if (sandbox?.enabled) {
-    if (os.platform() === 'win32' && sandbox?.command === 'windows-native') {
+    if (os.platform() === 'win32') {
      return new WindowsSandboxManager(options);
    } else if (os.platform() === 'linux') {
      return new LinuxSandboxManager(options);