refactor(core): standardize OS-specific sandbox tests and extract linux helper methods

[ehedlund]

Summary

Standardizes the organization and logical grouping of the OS-specific sandbox unit tests across Linux, Windows, and macOS, while also refactoring LinuxSandboxManager for better readability.

Details

• LinuxSandboxManager: Extracted inline bwrap argument construction logic in prepareCommand into focused helper methods (getBaseArgs, getNetworkArgs, getGovernanceArgs, getAllowedPathsArgs, getForbiddenPathsArgs, getMaskArgs).
• Test Standardization: Reorganized LinuxSandboxManager.test.ts, WindowsSandboxManager.test.ts, and MacOsSandboxManager.test.ts to utilize the exact same nested describe blocks (prepareCommand, governance files, allowedPaths, forbiddenPaths) and identical it assertions.
• Coverage: Fixed missing assertions for req.cwd propagation in Windows and Linux managers, ensuring consistent behavior across all supported OS sandboxes.

Related Issues

Related to #1550

How to Validate

1. Run the core sandbox tests: npm test -w @google/gemini-cli-core -- src/sandbox/
2. All 40 tests across the 4 test suites should pass cleanly in parallel.
3. Review the code structure in packages/core/src/sandbox/ to verify structural parallelism between the .test.ts files.

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • npx
    • Docker
    • Podman
    • Seatbelt
  • Windows
    • npm run
    • npx
    • Docker
  • Linux
    • npm run
    • npx
    • Docker

[gemini-cli]

Hi @ehedlund, thank you so much for your contribution to Gemini CLI! We really appreciate the time and effort you've put into this.

We're making some updates to our contribution process to improve how we track and review changes. Please take a moment to review our recent discussion post: Improving Our Contribution Process & Introducing New Guidelines.

Key Update: Starting January 26, 2026, the Gemini CLI project will require all pull requests to be associated with an existing issue. Any pull requests not linked to an issue by that date will be automatically closed.

Thank you for your understanding and for being a part of our community!

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on enhancing the maintainability and consistency of the core sandbox functionality. It modularizes the Linux sandbox argument generation and standardizes the testing approach across all operating systems, ensuring robust and predictable behavior, particularly for critical aspects like current working directory propagation.

Highlights

• Linux Sandbox Manager Refactoring: The LinuxSandboxManager has been refactored to enhance readability and maintainability by extracting the bwrap argument construction logic into focused helper methods.
• Test Standardization: Unit test suites for Linux, Windows, and macOS sandbox managers have been reorganized to use a consistent structure with identical nested describe blocks and it assertions, improving test clarity and consistency across platforms.
• Coverage Improvement: Missing assertions for req.cwd (current working directory) propagation were fixed in both Windows and Linux sandbox managers, ensuring consistent behavior for cwd handling across all supported OS sandboxes.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request refactors the prepareCommand method in LinuxSandboxManager by extracting its logic into several new private helper methods (getNetworkArgs, getBaseArgs, getGovernanceArgs, getAllowedPathsArgs, getForbiddenPathsArgs, and getMaskArgs) to improve modularity and testability. Corresponding unit tests for Linux, macOS, and Windows sandbox managers have been reorganized into describe blocks and expanded to cover network access, governance files, allowed paths, and forbidden paths. A minor update was also made to include cwd in the prepareCommand return for Windows. I have no feedback to provide.

[github-actions]

Size Change: +861 B (0%)

Total Size: 26.3 MB

Filename	Size	Change
./bundle/chunk-4P6GOYKP.js	0 B	-14.6 MB (removed)	🏆
./bundle/chunk-MIL2PRWT.js	0 B	-3.64 MB (removed)	🏆
./bundle/chunk-TBBUPHNU.js	0 B	-3.4 kB (removed)	🏆
./bundle/core-GEVLNPEG.js	0 B	-43.4 kB (removed)	🏆
./bundle/devtoolsService-6N2GQPP2.js	0 B	-27.7 kB (removed)	🏆
./bundle/gemini-RRSFKTHA.js	0 B	-521 kB (removed)	🏆
./bundle/interactiveCli-3CEOZLOL.js	0 B	-1.62 MB (removed)	🏆
./bundle/oauth2-provider-WP2RU4MV.js	0 B	-9.16 kB (removed)	🏆
./bundle/chunk-2P4VP6IM.js	3.4 kB	+3.4 kB (new file)	🆕
./bundle/chunk-ATXAXMDO.js	14.6 MB	+14.6 MB (new file)	🆕
./bundle/chunk-BU2R6UBV.js	3.64 MB	+3.64 MB (new file)	🆕
./bundle/core-FHOM6PBZ.js	43.4 kB	+43.4 kB (new file)	🆕
./bundle/devtoolsService-C3EY3O2P.js	27.7 kB	+27.7 kB (new file)	🆕
./bundle/gemini-234D3PDW.js	521 kB	+521 kB (new file)	🆕
./bundle/interactiveCli-TETNII7O.js	1.62 MB	+1.62 MB (new file)	🆕
./bundle/oauth2-provider-TJ2JF76M.js	9.16 kB	+9.16 kB (new file)	🆕

ℹ️ View Unchanged

Filename	Size	Change
./bundle/chunk-34MYV7JD.js	2.45 kB	0 B
./bundle/chunk-5AUYMPVF.js	858 B	0 B
./bundle/chunk-664ZODQF.js	124 kB	0 B
./bundle/chunk-DAHVX5MI.js	206 kB	0 B
./bundle/chunk-GWQRIYMB.js	1.96 MB	0 B
./bundle/chunk-IUUIT4SU.js	56.5 kB	0 B
./bundle/chunk-RJTRUG2J.js	39.8 kB	0 B
./bundle/cleanup-VLY5MMIU.js	0 B	-856 B (removed)	🏆
./bundle/devtools-36NN55EP.js	696 kB	0 B
./bundle/dist-T73EYRDX.js	356 B	0 B
./bundle/gemini.js	2.06 kB	0 B
./bundle/getMachineId-bsd-TXG52NKR.js	1.55 kB	0 B
./bundle/getMachineId-darwin-7OE4DDZ6.js	1.55 kB	0 B
./bundle/getMachineId-linux-SHIFKOOX.js	1.34 kB	0 B
./bundle/getMachineId-unsupported-5U5DOEYY.js	1.06 kB	0 B
./bundle/getMachineId-win-6KLLGOI4.js	1.72 kB	0 B
./bundle/memoryDiscovery-GX6HE5X5.js	922 B	0 B
./bundle/multipart-parser-KPBZEGQU.js	11.7 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js	221 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js	227 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js	11.5 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js	132 B	0 B
./bundle/sandbox-macos-permissive-open.sb	890 B	0 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB	0 B
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB	0 B
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB	0 B
./bundle/sandbox-macos-strict-open.sb	4.82 kB	0 B
./bundle/sandbox-macos-strict-proxied.sb	5.02 kB	0 B
./bundle/src-QVCVGIUX.js	47 kB	0 B
./bundle/tree-sitter-7U6MW5PS.js	274 kB	0 B
./bundle/tree-sitter-bash-34ZGLXVX.js	1.84 MB	0 B
./bundle/cleanup-742BIY25.js	856 B	+856 B (new file)	🆕

_{compressed-size-action}