google-gemini
diff --git a/‎packages/core/src/config/config.ts‎
Lines changed: 2 additions & 8 deletions b/‎packages/core/src/config/config.ts‎
Lines changed: 2 additions & 8 deletions
diff --git a/‎packages/core/src/policy/policy-engine.test.ts‎
Lines changed: 37 additions & 3 deletions b/‎packages/core/src/policy/policy-engine.test.ts‎
Lines changed: 37 additions & 3 deletions
diff --git a/‎packages/core/src/policy/policy-engine.ts‎
Lines changed: 20 additions & 26 deletions b/‎packages/core/src/policy/policy-engine.ts‎
Lines changed: 20 additions & 26 deletions
diff --git a/‎packages/core/src/policy/types.ts‎
Lines changed: 3 additions & 6 deletions b/‎packages/core/src/policy/types.ts‎
Lines changed: 3 additions & 6 deletions
diff --git a/‎packages/core/src/sandbox/linux/LinuxSandboxManager.ts‎
Lines changed: 13 additions & 0 deletions b/‎packages/core/src/sandbox/linux/LinuxSandboxManager.ts‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎packages/core/src/sandbox/macos/MacOsSandboxManager.test.ts‎
Lines changed: 1 addition & 1 deletion b/‎packages/core/src/sandbox/macos/MacOsSandboxManager.test.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/core/src/sandbox/macos/MacOsSandboxManager.ts‎
Lines changed: 21 additions & 55 deletions b/‎packages/core/src/sandbox/macos/MacOsSandboxManager.ts‎
Lines changed: 21 additions & 55 deletions
@@ -1197,10 +1197,7 @@ export class Config implements McpContext, AgentLoopContext {
         ...params.policyEngineConfig,
         approvalMode: engineApprovalMode,
         disableAlwaysAllow: this.disableAlwaysAllow,
-        toolSandboxEnabled: this.getSandboxEnabled(),
-        sandboxApprovedTools:
-          this.sandboxPolicyManager?.getModeConfig(engineApprovalMode)
-            ?.approvedTools ?? [],
+        sandboxManager: this._sandboxManager,
       },
       checkerRunner,
     );
@@ -2392,10 +2389,7 @@ export class Config implements McpContext, AgentLoopContext {
       );
     }
 
-    this.policyEngine.setApprovalMode(
-      mode,
-      this.sandboxPolicyManager?.getModeConfig(mode)?.approvedTools ?? [],
-    );
+    this.policyEngine.setApprovalMode(mode);
     this.refreshSandboxManager();
 
     const isPlanModeTransition =
 
@@ -22,6 +22,11 @@ import { SafetyCheckDecision } from '../safety/protocol.js';
 import type { CheckerRunner } from '../safety/checker-runner.js';
 import { initializeShellParsers } from '../utils/shell-utils.js';
 import { buildArgsPatterns } from './utils.js';
+import {
+  NoopSandboxManager,
+  LocalSandboxManager,
+  type SandboxManager,
+} from '../services/sandboxManager.js';
 
 // Mock shell-utils to ensure consistent behavior across platforms (especially Windows CI)
 // We want to test PolicyEngine logic, not the shell parser's ability to parse commands
@@ -96,7 +101,10 @@ describe('PolicyEngine', () => {
       runChecker: vi.fn(),
     } as unknown as CheckerRunner;
     engine = new PolicyEngine(
-      { approvalMode: ApprovalMode.DEFAULT },
+      {
+        approvalMode: ApprovalMode.DEFAULT,
+        sandboxManager: new NoopSandboxManager(),
+      },
       mockCheckerRunner,
     );
   });
@@ -332,7 +340,7 @@ describe('PolicyEngine', () => {
       engine = new PolicyEngine({
         rules,
         approvalMode: ApprovalMode.AUTO_EDIT,
-        toolSandboxEnabled: true,
+        sandboxManager: new LocalSandboxManager(),
       });
       expect((await engine.check({ name: 'edit' }, undefined)).decision).toBe(
         PolicyDecision.ALLOW,
@@ -345,6 +353,29 @@ describe('PolicyEngine', () => {
       );
     });
 
+    it('should respect tools approved by the SandboxManager', async () => {
+      const mockSandboxManager = {
+        enabled: true,
+        prepareCommand: vi.fn(),
+        isDangerousCommand: vi.fn().mockReturnValue(false),
+        isKnownSafeCommand: vi
+          .fn()
+          .mockImplementation((args) => args[0] === 'npm'),
+      } as unknown as SandboxManager;
+
+      engine = new PolicyEngine({
+        sandboxManager: mockSandboxManager,
+        defaultDecision: PolicyDecision.ASK_USER,
+      });
+
+      const { decision } = await engine.check(
+        { name: 'run_shell_command', args: { command: 'npm install' } },
+        undefined,
+      );
+
+      expect(decision).toBe(PolicyDecision.ALLOW);
+    });
+
     it('should return ALLOW by default in YOLO mode when no rules match', async () => {
       engine = new PolicyEngine({ approvalMode: ApprovalMode.YOLO });
 
@@ -1576,7 +1607,10 @@ describe('PolicyEngine', () => {
         },
       ];
 
-      engine = new PolicyEngine({ rules, toolSandboxEnabled: true });
+      engine = new PolicyEngine({
+        rules,
+        sandboxManager: new LocalSandboxManager(),
+      });
       engine.setApprovalMode(ApprovalMode.AUTO_EDIT);
 
       const result = await engine.check(
 
@@ -6,9 +6,12 @@
 
 import { type FunctionCall } from '@google/genai';
 import {
-  isDangerousCommand,
-  isKnownSafeCommand,
-} from '../sandbox/macos/commandSafety.js';
+  SHELL_TOOL_NAMES,
+  initializeShellParsers,
+  splitCommands,
+  hasRedirection,
+  extractStringFromParseEntry,
+} from '../utils/shell-utils.js';
 import { parse as shellParse } from 'shell-quote';
 import {
   PolicyDecision,
@@ -24,12 +27,6 @@ import { stableStringify } from './stable-stringify.js';
 import { debugLogger } from '../utils/debugLogger.js';
 import type { CheckerRunner } from '../safety/checker-runner.js';
 import { SafetyCheckDecision } from '../safety/protocol.js';
-import {
-  SHELL_TOOL_NAMES,
-  initializeShellParsers,
-  splitCommands,
-  hasRedirection,
-} from '../utils/shell-utils.js';
 import { getToolAliases } from '../tools/tool-names.js';
 import {
   MCP_TOOL_PREFIX,
@@ -38,6 +35,10 @@ import {
   formatMcpToolName,
   isMcpToolName,
 } from '../tools/mcp-tool.js';
+import {
+  type SandboxManager,
+  NoopSandboxManager,
+} from '../services/sandboxManager.js';
 
 function isWildcardPattern(name: string): boolean {
   return name === '*' || name.includes('*');
@@ -197,8 +198,7 @@ export class PolicyEngine {
   private readonly disableAlwaysAllow: boolean;
   private readonly checkerRunner?: CheckerRunner;
   private approvalMode: ApprovalMode;
-  private toolSandboxEnabled: boolean;
-  private sandboxApprovedTools: string[];
+  private readonly sandboxManager: SandboxManager;
 
   constructor(config: PolicyEngineConfig = {}, checkerRunner?: CheckerRunner) {
     this.rules = (config.rules ?? []).sort(
@@ -249,18 +249,14 @@ export class PolicyEngine {
     this.disableAlwaysAllow = config.disableAlwaysAllow ?? false;
     this.checkerRunner = checkerRunner;
     this.approvalMode = config.approvalMode ?? ApprovalMode.DEFAULT;
-    this.toolSandboxEnabled = config.toolSandboxEnabled ?? false;
-    this.sandboxApprovedTools = config.sandboxApprovedTools ?? [];
+    this.sandboxManager = config.sandboxManager ?? new NoopSandboxManager();
   }
 
   /**
    * Update the current approval mode.
    */
-  setApprovalMode(mode: ApprovalMode, sandboxApprovedTools?: string[]): void {
+  setApprovalMode(mode: ApprovalMode): void {
     this.approvalMode = mode;
-    if (sandboxApprovedTools !== undefined) {
-      this.sandboxApprovedTools = sandboxApprovedTools;
-    }
   }
 
   /**
@@ -285,8 +281,9 @@ export class PolicyEngine {
     if (!hasRedirection(command)) return false;
 
     // Do not downgrade (do not ask user) if sandboxing is enabled and in AUTO_EDIT or YOLO
+    const sandboxEnabled = !(this.sandboxManager instanceof NoopSandboxManager);
     if (
-      this.toolSandboxEnabled &&
+      sandboxEnabled &&
       (this.approvalMode === ApprovalMode.AUTO_EDIT ||
         this.approvalMode === ApprovalMode.YOLO)
     ) {
@@ -299,27 +296,24 @@ export class PolicyEngine {
   /**
    * Check if a shell command is allowed.
    */
-
   private async applyShellHeuristics(
     command: string,
     decision: PolicyDecision,
   ): Promise<PolicyDecision> {
     await initializeShellParsers();
     try {
       const parsedObjArgs = shellParse(command);
-      if (parsedObjArgs.some((arg) => typeof arg === 'object')) return decision;
-      const parsedArgs = parsedObjArgs.map(String);
-      if (isDangerousCommand(parsedArgs)) {
+      const parsedArgs = parsedObjArgs.map(extractStringFromParseEntry);
+
+      if (this.sandboxManager.isDangerousCommand(parsedArgs)) {
         debugLogger.debug(
           `[PolicyEngine.check] Command evaluated as dangerous, forcing ASK_USER: ${command}`,
         );
         return PolicyDecision.ASK_USER;
       }
-      const isApprovedBySandbox =
-        this.toolSandboxEnabled &&
-        this.sandboxApprovedTools.includes(parsedArgs[0]);
+
       if (
-        (isKnownSafeCommand(parsedArgs) || isApprovedBySandbox) &&
+        this.sandboxManager.isKnownSafeCommand(parsedArgs) &&
         decision === PolicyDecision.ASK_USER
       ) {
         debugLogger.debug(
 
@@ -5,6 +5,7 @@
  */
 
 import type { SafetyCheckInput } from '../safety/protocol.js';
+import type { SandboxManager } from '../services/sandboxManager.js';
 
 export enum PolicyDecision {
   ALLOW = 'allow',
@@ -311,13 +312,9 @@ export interface PolicyEngineConfig {
   approvalMode?: ApprovalMode;
 
   /**
-   * Whether tool sandboxing is enabled.
+   * The sandbox manager instance.
    */
-  toolSandboxEnabled?: boolean;
-  /**
-   * List of tools approved by the sandbox policy for the current mode.
-   */
-  sandboxApprovedTools?: string[];
+  sandboxManager?: SandboxManager;
 }
 
 export interface PolicySettings {
 
@@ -99,12 +99,25 @@ function touch(filePath: string, isDirectory: boolean) {
   }
 }
 
+import {
+  isKnownSafeCommand,
+  isDangerousCommand,
+} from '../macos/commandSafety.js';
+
 /**
  * A SandboxManager implementation for Linux that uses Bubblewrap (bwrap).
  */
 export class LinuxSandboxManager implements SandboxManager {
   constructor(private readonly options: GlobalSandboxOptions) {}
 
+  isKnownSafeCommand(args: string[]): boolean {
+    return isKnownSafeCommand(args);
+  }
+
+  isDangerousCommand(args: string[]): boolean {
+    return isDangerousCommand(args);
+  }
+
   async prepareCommand(req: SandboxRequest): Promise<SandboxedCommand> {
     const sanitizationConfig = getSecureSanitizationConfig(
       req.policy?.sanitizationConfig,
 
@@ -69,7 +69,7 @@ describe('MacOsSandboxManager', () => {
         allowedPaths: mockAllowedPaths,
         networkAccess: mockNetworkAccess,
         forbiddenPaths: undefined,
-        workspaceWrite: false,
+        workspaceWrite: true,
         additionalPermissions: {
           fileSystem: {
             read: [],
 
@@ -14,23 +14,20 @@ import {
 import {
   sanitizeEnvironment,
   getSecureSanitizationConfig,
-  type EnvironmentSanitizationConfig,
 } from '../../services/environmentSanitization.js';
 import { buildSeatbeltArgs } from './seatbeltArgsBuilder.js';
 import {
-  getCommandRoots,
   initializeShellParsers,
-  splitCommands,
-  stripShellWrapper,
+  getCommandName,
 } from '../../utils/shell-utils.js';
-import { isKnownSafeCommand } from './commandSafety.js';
-import { parse as shellParse } from 'shell-quote';
+import {
+  isKnownSafeCommand,
+  isDangerousCommand,
+  isStrictlyApproved,
+} from './commandSafety.js';
 import { type SandboxPolicyManager } from '../../policy/sandboxPolicyManager.js';
-import path from 'node:path';
 
 export interface MacOsSandboxOptions extends GlobalSandboxOptions {
-  /** Optional base sanitization config. */
-  sanitizationConfig?: EnvironmentSanitizationConfig;
   /** The current sandbox mode behavior from config. */
   modeConfig?: {
     readonly?: boolean;
@@ -48,52 +45,17 @@ export interface MacOsSandboxOptions extends GlobalSandboxOptions {
 export class MacOsSandboxManager implements SandboxManager {
   constructor(private readonly options: MacOsSandboxOptions) {}
 
-  private async isStrictlyApproved(req: SandboxRequest): Promise<boolean> {
-    const approvedTools = this.options.modeConfig?.approvedTools;
-    if (!approvedTools || approvedTools.length === 0) {
-      return false;
-    }
-
-    await initializeShellParsers();
-
-    const fullCmd = [req.command, ...req.args].join(' ');
-    const stripped = stripShellWrapper(fullCmd);
-
-    const roots = getCommandRoots(stripped);
-    if (roots.length === 0) return false;
-
-    const allRootsApproved = roots.every((root) =>
-      approvedTools.includes(root),
-    );
-    if (allRootsApproved) {
+  isKnownSafeCommand(args: string[]): boolean {
+    const toolName = args[0];
+    const approvedTools = this.options.modeConfig?.approvedTools ?? [];
+    if (toolName && approvedTools.includes(toolName)) {
       return true;
     }
-
-    const pipelineCommands = splitCommands(stripped);
-    if (pipelineCommands.length === 0) return false;
-
-    // For safety, every command in the pipeline must be considered safe.
-    for (const cmdString of pipelineCommands) {
-      const parsedArgs = shellParse(cmdString).map(String);
-      if (!isKnownSafeCommand(parsedArgs)) {
-        return false;
-      }
-    }
-
-    return true;
+    return isKnownSafeCommand(args);
   }
 
-  private async getCommandName(req: SandboxRequest): Promise<string> {
-    await initializeShellParsers();
-    const fullCmd = [req.command, ...req.args].join(' ');
-    const stripped = stripShellWrapper(fullCmd);
-    const roots = getCommandRoots(stripped).filter(
-      (r) => r !== 'shopt' && r !== 'set',
-    );
-    if (roots.length > 0) {
-      return roots[0];
-    }
-    return path.basename(req.command);
+  isDangerousCommand(args: string[]): boolean {
+    return isDangerousCommand(args);
   }
 
   async prepareCommand(req: SandboxRequest): Promise<SandboxedCommand> {
@@ -122,15 +84,19 @@ export class MacOsSandboxManager implements SandboxManager {
 
     // If not in readonly mode OR it's a strictly approved pipeline, allow workspace writes
     const isApproved = allowOverrides
-      ? await this.isStrictlyApproved(req)
+      ? await isStrictlyApproved(
+          req.command,
+          req.args,
+          this.options.modeConfig?.approvedTools,
+        )
       : false;
 
     const workspaceWrite = !isReadonlyMode || isApproved;
-    const networkAccess =
+    const defaultNetwork =
       this.options.modeConfig?.network ?? req.policy?.networkAccess ?? false;
 
     // Fetch persistent approvals for this command
-    const commandName = await this.getCommandName(req);
+    const commandName = await getCommandName(req.command, req.args);
     const persistentPermissions = allowOverrides
       ? this.options.policyManager?.getCommandPermissions(commandName)
       : undefined;
@@ -148,7 +114,7 @@ export class MacOsSandboxManager implements SandboxManager {
         ],
       },
       network:
-        networkAccess ||
+        defaultNetwork ||
         persistentPermissions?.network ||
         req.policy?.additionalPermissions?.network ||
         false,