What happened?
WindowsSandboxManager (packages/core/src/services/windowsSandboxManager.ts, 228 lines) was introduced in #21807 with only 3 basic tests covering prepareCommand happy paths. Several critical behaviors are completely untested:
- Non-win32 platform: manager constructed with linux/darwin should skip icacls calls entirely
- allowedPaths in config: when req.config.allowedPaths is provided, those paths should appear correctly in command construction
- No config provided: prepareCommand with undefined config should use safe defaults (network disabled, redaction enabled)
- Empty args: command with no args should produce [networkFlag, cwd, command] with no trailing entries
- System directory guard in grantLowIntegrityAccess: paths under SystemRoot and ProgramFiles should be silently skipped without calling icacls
- Low integrity cache deduplication: calling prepareCommand twice with the same cwd should not invoke icacls twice for the same resolved path
WindowsSandboxManager is a security-critical component — untested edge cases in sandbox managers can silently break isolation guarantees.
What did you expect to happen?
All the above behaviors should have corresponding unit tests in packages/core/src/services/windowsSandboxManager.test.ts.
Client information
Not applicable — this is a test coverage gap, not a runtime issue.
Login information
No response
Anything else we need to know?
Will follow this issue with a PR adding the missing tests.
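
A minimal model of three of the behaviours listed above (non-win32 skip, system directory guard, cache deduplication), added here as an example; it is not code from the project or from the issue author. `makeGranter`, `normalizeWinPath`, `isUnder`, the injected runner and the sample paths are all hypothetical, and the real `grantLowIntegrityAccess` may differ.

```typescript
// Hypothetical model of the guard and cache; not the project's WindowsSandboxManager.
type IcaclsRunner = (path: string) => void;

// Fold case, unify separators and collapse "." / ".." so that
// "C:\work\..\Windows" cannot slip past a prefix check.
// Assumption: drive-letter paths only (no UNC or \\?\ prefixes).
function normalizeWinPath(p: string): string {
  const out: string[] = [];
  for (const seg of p.replace(/\//g, "\\").toLowerCase().split("\\")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { if (out.length > 1) out.pop(); continue; }
    out.push(seg);
  }
  return out.join("\\");
}

// True when child equals parent or lies below it on a segment boundary,
// so "C:\WindowsApps" is not treated as being under "C:\Windows".
function isUnder(child: string, parent: string): boolean {
  const c = normalizeWinPath(child);
  const p = normalizeWinPath(parent);
  return c === p || c.indexOf(p + "\\") === 0;
}

// Returns a grant(path) function; it yields true only when the injected
// runner was actually invoked for that path.
function makeGranter(platform: string, protectedRoots: string[], runIcacls: IcaclsRunner) {
  const granted: string[] = [];
  return (path: string): boolean => {
    if (platform !== "win32") return false;                        // never call icacls off Windows
    const key = normalizeWinPath(path);
    if (protectedRoots.some((r) => isUnder(key, r))) return false; // system directory guard
    if (granted.indexOf(key) !== -1) return false;                 // already granted: dedupe
    runIcacls(key);
    granted.push(key);
    return true;
  };
}

// Constructed sample paths; returns every path the injected runner received.
function demo(platform: string): string[] {
  const calls: string[] = [];
  const grant = makeGranter(platform, ["C:\\Windows", "C:\\Program Files"],
    (p) => { calls.push(p); });
  ["C:\\work\\repo", "c:/work/repo/", "C:\\Windows\\System32",
   "C:\\work\\..\\Program Files\\app", "C:\\WindowsApps"].forEach((p) => grant(p));
  return calls;
}
```

Injecting the runner lets a test assert on exactly which paths would reach icacls without touching real ACLs.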