fix(core): resolve windows symlink bypass and stabilize sandbox integration tests

[ehedlund]

Summary

This PR resolves persistent flakiness and 60-second timeouts in the sandboxManager.integration.test.ts suite on Windows CI runners, and fixes a critical vulnerability where Windows sandboxed processes could bypass forbiddenPaths restrictions by accessing files via symlinks.

To achieve this, we optimized the test workspace isolation strategy and fundamentally refactored how the sandbox manages path resolution across all operating systems to ensure symlink targets are explicitly evaluated and secured.

Details

1. Centralized Path Resolution Architecture:

• Introduced ResolvedSandboxPaths, a structured interface that acts as the "Source of Truth" for all sandbox boundaries (workspace, global includes, policy-allowed paths, and dynamic read/write permissions).
• Refactored resolveSandboxPaths to centralize all symlink expansion, absolute path enforcement, and deduplication logic. Every path category now automatically yields both the symlink and its real target, preventing bypasses across all OS sandbox engines.
• Streamlined WindowsSandboxManager to fully consume the pre-resolved struct, eliminating redundant local loops and improving the robustness of ACL applications (e.g., distinguishing between files and directories for inheritance flags).
• Note: macOS and Linux managers have been minimally updated to consume the new interface fields. A follow-up PR will fully refactor their internal profile builders to remove remaining redundant path logic.

2. Stabilized Sandbox Integration Tests:

• Isolated Workspaces: Replaced process.cwd() with isolated temporary directories. This prevents false positives and massively speeds up icacls execution on Windows runners by using os.tmpdir().
• Standardized Execution: Eliminated dependencies on native shell utilities (powershell.exe, touch, curl). The Platform test helper now exclusively uses process.execPath (node -e), which resolved a specific Windows hang caused by launching powershell.exe from the %TEMP% directory with a Low Mandatory Level token.
• Refined Assertions: Split read/write inheritance tests into distinct assertions and added an assertResult helper to bundle command context directly into failure messages.

Related Issues

How to Validate

1. Ensure you are on a Windows machine or VM.
2. Run the core integration tests: npm test -w @google/gemini-cli-core -- src/services/sandboxManager.integration.test.ts
3. Verify that all tests pass rapidly (without 60s timeouts) and that the test output confirms the symlink write-block assertions are succeeding.
4. Run npm run preflight to ensure cross-platform path resolution typing is fully sound.

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • npx
    • Docker
    • Podman
    • Seatbelt
  • Windows
    • npm run
    • npx
    • Docker
  • Linux
    • npm run
    • npx
    • Docker

[gemini-cli]

Hi @ehedlund, thank you so much for your contribution to Gemini CLI! We really appreciate the time and effort you've put into this.

We're making some updates to our contribution process to improve how we track and review changes. Please take a moment to review our recent discussion post: Improving Our Contribution Process & Introducing New Guidelines.

Key Update: Starting January 26, 2026, the Gemini CLI project will require all pull requests to be associated with an existing issue. Any pull requests not linked to an issue by that date will be automatically closed.

Thank you for your understanding and for being a part of our community!

[github-actions]

Size Change: +1.14 kB (0%)

Total Size: 34 MB

Filename	Size	Change
./bundle/chunk-N5XQ3T2L.js	0 B	-3.16 MB (removed)	🏆
./bundle/chunk-TM32B5P4.js	0 B	-14.8 MB (removed)	🏆
./bundle/core-EKTGXYQG.js	0 B	-45.5 kB (removed)	🏆
./bundle/devtoolsService-DX5MBUTI.js	0 B	-28.4 kB (removed)	🏆
./bundle/interactiveCli-F3CYUOF2.js	0 B	-1.65 MB (removed)	🏆
./bundle/oauth2-provider-YVSA66HC.js	0 B	-9.16 kB (removed)	🏆
./bundle/chunk-WNGFM6M3.js	3.16 MB	+3.16 MB (new file)	🆕
./bundle/chunk-YOF7EIGU.js	14.8 MB	+14.8 MB (new file)	🆕
./bundle/core-KQYTZQED.js	45.5 kB	+45.5 kB (new file)	🆕
./bundle/devtoolsService-4OZWAJXC.js	28.4 kB	+28.4 kB (new file)	🆕
./bundle/interactiveCli-G6NVY35S.js	1.65 MB	+1.65 MB (new file)	🆕
./bundle/oauth2-provider-IR4XIISW.js	9.16 kB	+9.16 kB (new file)	🆕

ℹ️ View Unchanged

Filename	Size
./bundle/bundled/third_party/index.js	8 MB
./bundle/chunk-34MYV7JD.js	2.45 kB
./bundle/chunk-5AUYMPVF.js	858 B
./bundle/chunk-5PS3AYFU.js	1.18 kB
./bundle/chunk-664ZODQF.js	124 kB
./bundle/chunk-DAHVX5MI.js	206 kB
./bundle/chunk-IUUIT4SU.js	56.5 kB
./bundle/chunk-OGWWODAT.js	1.96 MB
./bundle/chunk-RJTRUG2J.js	39.8 kB
./bundle/devtools-36NN55EP.js	696 kB
./bundle/dist-T73EYRDX.js	356 B
./bundle/events-XB7DADIJ.js	418 B
./bundle/gemini.js	554 kB
./bundle/getMachineId-bsd-TXG52NKR.js	1.55 kB
./bundle/getMachineId-darwin-7OE4DDZ6.js	1.55 kB
./bundle/getMachineId-linux-SHIFKOOX.js	1.34 kB
./bundle/getMachineId-unsupported-5U5DOEYY.js	1.06 kB
./bundle/getMachineId-win-6KLLGOI4.js	1.72 kB
./bundle/memoryDiscovery-JNNGTYL3.js	980 B
./bundle/multipart-parser-KPBZEGQU.js	11.7 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js	222 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js	229 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js	13.4 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js	132 B
./bundle/sandbox-macos-permissive-open.sb	890 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB
./bundle/sandbox-macos-strict-open.sb	4.82 kB
./bundle/sandbox-macos-strict-proxied.sb	5.02 kB
./bundle/src-QVCVGIUX.js	47 kB
./bundle/tree-sitter-7U6MW5PS.js	274 kB
./bundle/tree-sitter-bash-34ZGLXVX.js	1.84 MB

_{compressed-size-action}

[github-actions]

✅ 62 tests passed successfully on gemini-3-flash-preview.

🧠 Model Steering Guidance

This PR modifies files that affect the model's behavior (prompts, tools, or instructions).

• ⚠️ Consider adding Evals: No behavioral evaluations (evals/*.eval.ts) were added or updated in this PR. Consider adding a test case to verify the new behavior and prevent regressions.
• 🚀 Maintainer Reminder: Please ensure that these changes do not regress results on benchmark evals before merging.

---

This is an automated guidance message triggered by steering logic signatures.

[DavidAPierce]

LGMT. I also ran it through the CLI and got a minor nit from it, here's its full review if you want it:

Summary:
This PR significantly improves the reliability and execution speed of the sandboxManager.integration.test.ts suite. The primary fix correctly identifies that the previous approach of sandboxing against process.cwd() was
extremely slow on Windows, causing Vitest timeouts. It replaces this with a much cleaner tracking mechanism using isolated, platform-appropriate temporary directories and introduces a robust assertResult helper.

Findings:

• Correctness & Efficiency: The core fix is excellent. By using os.tmpdir() for Windows and Linux, the sandbox no longer attempts to evaluate or lock down the entire massive monorepo during every single command
  iteration (which was spawning slow recursive operations). The fallback to process.cwd() uniquely for macOS is a smart workaround for Apple's Seatbelt profiles, which implicitly allow access to the global temp folder
  and would thus generate false positives in these tests.
• Maintainability & Readability: The introduction of the assertResult helper drastically improves test failure diagnostics. By printing the command, cwd, expected/actual status, and conditional stdout/stderr only when
  relevant, you've ensured that future CI flakes will actually have actionable context rather than a generic "expected 0, got 1" message.
• Cleanup & Testability: Tracking generated tempDirectories in an array and utilizing afterAll to clean them up is good practice and prevents temporary file accumulation on CI runners.

Improvements:

• (Minor) In the afterAll block cleanup, fs.rmSync(dir, { recursive: true, force: true }) handles the deletion perfectly. The enclosing fs.existsSync(dir) check is technically redundant since force: true inherently
  ignores the error if the directory doesn't exist, but it doesn't harm anything.

Conclusion: Approved ✅
The logic is sound, explicitly targets the identified flake, significantly improves test speed/robustness on Windows, and leaves behind far superior diagnostic logging for future debugging. All CI and preflight checks
passed perfectly.