fix(cli): allow restricted .env loading in untrusted sandboxed folders (#17806)

packages/cli/src/test-utils/render.tsx

@@ -10,7 +10,7 @@ import type React from 'react';
 import { vi } from 'vitest';
 import { act, useState } from 'react';
 import os from 'node:os';
-import { LoadedSettings, type Settings } from '../config/settings.js';
+import { LoadedSettings } from '../config/settings.js';
 import { KeypressProvider } from '../ui/contexts/KeypressContext.js';
 import { SettingsContext } from '../ui/contexts/SettingsContext.js';
 import { ShellFocusContext } from '../ui/contexts/ShellFocusContext.js';
@@ -32,6 +32,7 @@ import { TerminalProvider } from '../ui/contexts/TerminalContext.js';
 import { makeFakeConfig, type Config } from '@google/gemini-cli-core';
 import { FakePersistentState } from './persistentStateFake.js';
 import { AppContext, type AppState } from '../ui/contexts/AppContext.js';
+import { createMockSettings } from './settings.js';
 
 export const persistentStateMock = new FakePersistentState();
 
@@ -135,20 +136,6 @@ export const mockSettings = new LoadedSettings(
   [],
 );
 
-export const createMockSettings = (
-  overrides: Partial<Settings>,
-): LoadedSettings => {
-  const settings = overrides as Settings;
-  return new LoadedSettings(
-    { path: '', settings: {}, originalSettings: {} },
-    { path: '', settings: {}, originalSettings: {} },
-    { path: '', settings, originalSettings: settings },
-    { path: '', settings: {}, originalSettings: {} },
-    true,
-    [],
-  );
-};
-
 // A minimal mock UIState to satisfy the context provider.
 // Tests that need specific UIState values should provide their own.
 const baseMockUiState = {

packages/cli/src/test-utils/settings.ts

@@ -0,0 +1,79 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/* eslint-disable @typescript-eslint/no-explicit-any */
+
+import {
+  LoadedSettings,
+  createTestMergedSettings,
+  type SettingsError,
+} from '../config/settings.js';
+
+export interface MockSettingsFile {
+  settings: any;
+  originalSettings: any;
+  path: string;
+}
+
+interface CreateMockSettingsOptions {
+  system?: MockSettingsFile;
+  systemDefaults?: MockSettingsFile;
+  user?: MockSettingsFile;
+  workspace?: MockSettingsFile;
+  isTrusted?: boolean;
+  errors?: SettingsError[];
+  merged?: any;
+  [key: string]: any;
+}
+
+/**
+ * Creates a mock LoadedSettings object for testing.
+ *
+ * @param overrides - Partial settings or LoadedSettings properties to override.
+ *                   If 'merged' is provided, it overrides the computed merged settings.
+ *                   Any functions in overrides are assigned directly to the LoadedSettings instance.
+ */
+export const createMockSettings = (
+  overrides: CreateMockSettingsOptions = {},
+): LoadedSettings => {
+  const {
+    system,
+    systemDefaults,
+    user,
+    workspace,
+    isTrusted,
+    errors,
+    merged: mergedOverride,
+    ...settingsOverrides
+  } = overrides;
+
+  const loaded = new LoadedSettings(
+    (system as any) || { path: '', settings: {}, originalSettings: {} },
+    (systemDefaults as any) || { path: '', settings: {}, originalSettings: {} },
+    (user as any) || {
+      path: '',
+      settings: settingsOverrides,
+      originalSettings: settingsOverrides,
+    },
+    (workspace as any) || { path: '', settings: {}, originalSettings: {} },
+    isTrusted ?? true,
+    errors || [],
+  );
+
+  if (mergedOverride) {
+    // @ts-expect-error - overriding private field for testing
+    loaded._merged = createTestMergedSettings(mergedOverride);
+  }
+
+  // Assign any function overrides (e.g., vi.fn() for methods)
+  for (const key in overrides) {
+    if (typeof overrides[key] === 'function') {
+      (loaded as any)[key] = overrides[key];
+    }
+  }
+
+  return loaded;
+};