feat(core): integrate SandboxManager to sandbox all process-spawning tools (#22231)

packages/core/src/tools/grep.ts

@@ -1,6 +1,6 @@
 /**
  * @license
- * Copyright 2025 Google LLC
+ * Copyright 2026 Google LLC
  * SPDX-License-Identifier: Apache-2.0
  */
 
@@ -301,15 +301,41 @@ class GrepToolInvocation extends BaseToolInvocation<
    * @param {string} command The command name (e.g., 'git', 'grep').
    * @returns {Promise<boolean>} True if the command is available, false otherwise.
    */
-  private isCommandAvailable(command: string): Promise<boolean> {
-    return new Promise((resolve) => {
-      const checkCommand = process.platform === 'win32' ? 'where' : 'command';
-      const checkArgs =
-        process.platform === 'win32' ? [command] : ['-v', command];
-      try {
-        const child = spawn(checkCommand, checkArgs, {
+  private async isCommandAvailable(command: string): Promise<boolean> {
+    const checkCommand = process.platform === 'win32' ? 'where' : 'command';
+    const checkArgs =
+      process.platform === 'win32' ? [command] : ['-v', command];
+    try {
+      const sandboxManager = this.config.sandboxManager;
+
+      let finalCommand = checkCommand;
+      let finalArgs = checkArgs;
+      let finalEnv = process.env;
+
+      if (sandboxManager) {
+        try {
+          const prepared = await sandboxManager.prepareCommand({
+            command: checkCommand,
+            args: checkArgs,
+            cwd: process.cwd(),
+            env: process.env,
+          });
+          finalCommand = prepared.program;
+          finalArgs = prepared.args;
+          finalEnv = prepared.env;
+        } catch (err) {
+          debugLogger.debug(
+            `[GrepTool] Sandbox preparation failed for '${command}':`,
+            err,
+          );
+        }
+      }
+
+      return await new Promise((resolve) => {
+        const child = spawn(finalCommand, finalArgs, {
           stdio: 'ignore',
           shell: true,
+          env: finalEnv,
         });
         child.on('close', (code) => resolve(code === 0));
         child.on('error', (err) => {
@@ -319,10 +345,10 @@ class GrepToolInvocation extends BaseToolInvocation<
           );
           resolve(false);
         });
-      } catch {
-        resolve(false);
-      }
-    });
+      });
+    } catch {
+      return false;
+    }
   }
 
   /**
@@ -381,6 +407,7 @@ class GrepToolInvocation extends BaseToolInvocation<
             cwd: absolutePath,
             signal: options.signal,
             allowedExitCodes: [0, 1],
+            sandboxManager: this.config.sandboxManager,
           });
 
           const results: GrepMatch[] = [];
@@ -452,6 +479,7 @@ class GrepToolInvocation extends BaseToolInvocation<
             cwd: absolutePath,
             signal: options.signal,
             allowedExitCodes: [0, 1],
+            sandboxManager: this.config.sandboxManager,
           });
 
           for await (const line of generator) {