GSoC 2026: [Idea #9]Interactive Security Policy / Sandbox Wizard (with policy visualization)

[Thankyou-Cheems]

Hi team,

I’m Ruikang (Karl) @Thankyou-Cheems

I studied Computer Science and Industrial Design, and previously worked as a Functional Safety Engineer in automotive electronics (ISO 26262). I recently left my job and am preparing to start my MS in Computer Engineering at Northwestern University this fall. This gives me full-time availability for GSoC.

I’d really like to work on Idea 9: the Interactive Security Policy / Sandbox Wizard.

Over the past year I’ve tried a lot of “coding agent” style tools, including very popular ones in China like Qwen CLI and OpenClaw. I’m active in several WeChat groups for these tools, and I’ve noticed that many users there are new to programming. They often just follow the most viewed tutorials step by step without really understanding concepts like Docker or sandboxing. It’s very easy for them to just click “allow” and keep going when security prompts feel abstract.

I also run a small homelab on an old rooted Android phone (Termux + chroot). While testing lightweight assistants imitate this workflow, I noticed some could read .env files by default. That kind of silent behavior is easy for beginners to miss, but the security impact is real.

I’m relatively new to the open source community, I used to only dabble occasionally. Recently I’ve been putting a lot of energy into contributing: I’m working on my own project Bomana, participating in Steve’s beads development, and have submitted some PRs. I find the open source community really charming and am excited to get more involved. This makes me especially eager to help Gemini CLI build friendly, educational secure defaults.

I want to build

An Ink-based guided workflow around the gemini sandbox-setup command that stays fully aligned with the current Gemini CLI code paths and Idea 9’s expected outcomes.

Hope my initial plan fits the 90-hour scope nicely:

This is just my intuitive version of the plan so far. The project feels quite complex with a large and diverse user base, so I'm sure it will evolve as I learn more!

• Build a shared validation and conflict-detection layer first, then expose it through sandbox-setup validate, sandbox-setup audit, and helpful profile templates (with clean JSON output and CI-friendly exit codes).
• Add interactive sandbox-setup init/edit wizard screens using Ink that create per-project .gemini/policy.json files and run real-time checks before anything is applied.
• Finish with an ASCII-first permission dashboard for easy sandbox review (safe zones, mounts, network mode, and clear risk warnings), treating richer rendering as a fun stretch goal.

I’m also interested in Idea 12 (Generative Architecture & UI Visualization). If I get selected for either Idea 9 or Idea 12, I’d actively reach out to communicate and collaborate with the contributor working on the other one!

Questions for mentors

@galz10

For the Idea 9 MVP, should .gemini/policy.json be the single source for project policy, and how much TOML interoperability is expected?

For TOML, do you prefer migration-only (TOML → policy.json), or some round-trip capability?

Does this milestone order feel right for validate/audit/templates first, wizard second, dashboard third?

Which conflict checks are mandatory for acceptance, like allow/deny overlap?

Which current issues would you recommend as the best first PRs to learn the codebase, coding style, and review process?

Thanks so much! Looking forward to your feedback and hopefully working together.

I’ve already signed the Google CLA.

Ruikang (Karl)

[Thankyou-Cheems]

Hi everyone again! 👋

It's really nice to see so many people discussing the GSoC ideas here. I'm fairly new to the Gemini CLI community and have been digging this repo over the past few days.

I went through quite a lot of issues and PRs in the repository. It might be useful to share a quick reference list here for anyone else exploring this idea as well!

Help Wanted means we can claim it using /assign (most of the recent issues aren't yet).
Assigned means someone is currently assigned to the issue.
Maintainer Only means work intended mainly for maintainers or core contributors.

Issues (26)

#850 (closed)
Help Wanted: No | Assigned: mattKorwel | Maintainer Only: No
On macOS, running the CLI via npx can fail to locate the bundled Seatbelt profile file, which breaks sandbox startup.

#2168 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: No
GOOGLE_*_BASE_URL environment variables are not passed into the sandbox, which causes inconsistencies in network configuration.

#5140 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: No
An early discussion about making sandbox creation easier. The thread is stale but still provides some historical context.

#14484 (open)
Help Wanted: No | Assigned: None | Maintainer Only: No
Suggestion to support docker-compatible tools like nerdctl or finch as alternative container backends.

#15270 (open)
Help Wanted: No | Assigned: None | Maintainer Only: Yes
Discussion about integrating enterprise hooks with the policy engine.

#15383 (open)
Help Wanted: Yes | Assigned: kotaitos | Maintainer Only: No
The policy documentation does not fully match the actual runtime behavior.

#16012 (open)
Help Wanted: Yes | Assigned: ChandanKT-git | Maintainer Only: No
Regression where --allowed-tools fails in non-interactive mode.

#16363 (open)
Help Wanted: Yes | Assigned: bryantinsley | Maintainer Only: No
Bug: When SEATBELT_PROFILE points to a missing or invalid profile, sandbox startup effectively fails without a clear, user-facing error, so it’s hard to see why sandboxing is disabled.

#16665 (open)
Help Wanted: No | Assigned: None | Maintainer Only: No
Proposal to allow additional policy files to be layered through CLI arguments.

#17575 (open)
Help Wanted: No | Assigned: None | Maintainer Only: Yes
Suggestion to restrict file operations strictly to the current project directory.

#18134 (open)
Help Wanted: No | Assigned: None | Maintainer Only: Yes
Request for a permanent approval capability for ExitPlanMode.

#18186 (open)
Help Wanted: No | Assigned: None | Maintainer Only: No
Workspace policies/*.toml files are currently not taking effect as expected.

#18329 (open)
Help Wanted: No | Assigned: None | Maintainer Only: Yes
Discussion about automatically executing MCP read-only tools.

#18397 (open)
Help Wanted: No | Assigned: None | Maintainer Only: Yes
Proposal to auto-add approvals into per‑workspace policy files instead of the global user policy.

#18398 (open)
Help Wanted: No | Assigned: None | Maintainer Only: Yes
Proposal to automatically accept tools based on the readOnlyHint attribute.

#18750 (open)
Help Wanted: No | Assigned: Jynx2004 | Maintainer Only: No
A list of improvements needed for the policy engine documentation.

#19275 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: No
Usability issue related to the macOS strict-open sandbox profile.

#19762 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: No
Security bug: argsPattern was matched against the JSON‑stringified args object, so nested properties could be used to bypass policy checks; this was fixed by adding targeted argName‑based matching.

#19919 (open)
Help Wanted: Yes | Assigned: Solventerritory | Maintainer Only: No
The error message when policy persistence fails lacks enough diagnostic information.

#20058 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: Yes
Headless policy behavior issues. closed as duplicate of #20469.

#20060 (open)
Help Wanted: No | Assigned: mahimashanware | Maintainer Only: Yes
Policy scenarios for the Conductor planning workflow.

#20281 (open)
Help Wanted: No | Assigned: None | Maintainer Only: No
Policy files referenced through symlinks are silently ignored.

#20327 (open)
Help Wanted: No | Assigned: None | Maintainer Only: No
Feature request for dynamic pipelines and negative filter support.

#20444 (open)
Help Wanted: Yes | Assigned: sripasg, deadsmash07 | Maintainer Only: No
Missing TERM and COLORTERM variables cause terminal tools to malfunction in sandbox environments.

#20469 (open)
Help Wanted: Yes | Assigned: EricRahm | Maintainer Only: No
In auto_edit non-interactive mode, policy rules are sometimes ignored.

#20595 (closed)
Help Wanted: No | Assigned: jerop | Maintainer Only: Yes
Refactoring to remove manual synchronization of plan tools and rely on policy as the single source of truth.

PRs (34)

#863 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: No
Historical rollforward fix related to the sandbox execution pipeline.

#2036 (closed)
Help Wanted: No | Assigned: mattKorwel | Maintainer Only: No
Introduced SANDBOX_FLAGS to allow custom container parameters.

#12567 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: No
Adds scrolling and virtualization support in Ink.

#14499 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: No
Attempt to support docker-compatible CLI commands. This PR was not merged.

#15395 (closed)
Help Wanted: Yes | Assigned: allenhutchison | Maintainer Only: No
Fixes the semantics of commandRegex matching.

#16284 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: No
Updates the Ink dependency.

#16362 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: No
Improvements to custom profile handling and error reporting (not merged).

#17806 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: Yes
Allows restricted .env loading inside untrusted directories.

#18213 (open)
Help Wanted: Yes | Assigned: None | Maintainer Only: No
Improves tool name matching when interacting with MCP.

#18682 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: No
Adds support for project-level policies.

#19492 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: No
Improves folder trust detection with configuration discovery and warnings.

#19703 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: No
Enforces trust checks when installing local extensions.

#19707 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: No
Persists “Always Allow” permissions at the workspace level.

#19763 (open)
Help Wanted: No | Assigned: None | Maintainer Only: No
Strengthens the security and robustness of commandRegex.

#19921 (open)
Help Wanted: Yes | Assigned: None | Maintainer Only: No
Improves diagnostic output when policy persistence fails.

#20024 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: Yes
Adds wildcard matching support for MCP tools.

#20029 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: Yes
Adds support for matching tool annotations.

#20048 (open)
Help Wanted: No | Assigned: None | Maintainer Only: No
Improves error messages when .env files are skipped in untrusted directories.

#20083 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: Yes
Passes MCP annotations through the policy system.

#20178 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: Yes
Centralizes plan mode tool visibility inside the policy engine.

#20289 (open)
Help Wanted: No | Assigned: None | Maintainer Only: No
Allows policy files to be loaded via symlinks.

#20351 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: No
Hides workspace policy update dialog and auto-accepts by default.

#20397 (open)
Help Wanted: No | Assigned: None | Maintainer Only: No
Adds a sandbox network proxy with domain filtering support.

#20440 (open)
Help Wanted: Yes | Assigned: None | Maintainer Only: No
Ensures the TERM variable is passed through to editors and shells.

#20514 (open)
Help Wanted: Yes | Assigned: None | Maintainer Only: No
Adds TERM and COLORTERM to the environment sanitization whitelist.

#20518 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: No
Fixes a flaky test related to ToolResultDisplay overflow.

#20523 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: No
Adds a temporary flag to disable workspace policies.

#20531 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: No
Reverts automatic saving of policies to user space.

#20596 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: Yes
Converts plan tool synchronization into declarative policy rules.

#20639 (open)
Help Wanted: Yes | Assigned: None | Maintainer Only: No
Moves non-interactive tool exclusion logic into the policy engine.

#20673 (open)
Help Wanted: No | Assigned: None | Maintainer Only: No
Stabilizes the CLI footer architecture and improves UX.

#20745 (closed)
Help Wanted: No | Assigned: None | Maintainer Only: Yes
Standardizes semantic focus colors and history visibility.

#20762 (open)
Help Wanted: Yes | Assigned: None | Maintainer Only: No
Fixes name matching issues in --allowed-tools.

#20806 (open)
Help Wanted: No | Assigned: None | Maintainer Only: Yes
Demo PR for a broader CLI UX refresh.

If I missed any issues or PRs that are relevant to Idea 9, feel free to add them here. I'm still learning how the sandbox and policy pieces fit together, corrections or suggestions from maintainers are very welcome 🙂

[aniruddhaadak80]

From my point of view, this idea stands out because it is grounded in how beginners actually experience security prompts rather than only in backend architecture. The most important first step feels like making policy.json the canonical source while keeping the wizard explanations plain enough that a new user understands the consequences of each choice. If the visualization helps people compare safe defaults against risky overrides, it could become one of the most educational parts of the whole workflow.