Files
sandbox-runtime/test/helpers
ig e76cf5d704 feat(windows): single-source proxy env — TS owns generateProxyEnvVars, srt-win exec passthrough
Make the TypeScript generateProxyEnvVars the single source of truth for
proxy environment on Windows, matching macOS/Linux. srt-win exec no
longer synthesizes proxy variables or accepts --http-proxy/--socks-proxy;
it forwards its own environment to the sandboxed child verbatim, so the
caller must supply the desired proxy set.

- launch.rs: build_env_block() now passes std::env::vars() through
  unchanged (sorted for block ordering, no add/strip/dedup) plus the
  broker PID the self-protect smoke test reads. Drop the ExecSpec
  http_proxy/socks_proxy fields.
- main.rs: remove the --http-proxy/--socks-proxy flags from exec.
- windows-sandbox-utils.ts: wrapCommandWithSandboxWindows returns
  { argv, env }, where env merges generateProxyEnvVars(http, socks) over
  process.env. The child inherits the full proxy set (HTTP/HTTPS/ALL_PROXY
  plus DOCKER_*, GRPC_*, ...) through the spawn.
- sandbox-manager.ts / cli.ts: wrapWithSandboxArgv returns { argv, env }
  and the spawn sites pass env through; macOS/Linux return process.env
  unchanged (proxy env stays baked into the wrapped command there).
- tests: assert the proxy set rides in env, not argv flags; spawn helper
  forwards env; smoke-exec E5 now proves exec forwards the broker env to
  the child verbatim.

Also filter the generated TMPDIR (a POSIX path meant for the macOS/Linux
FS sandbox) out of the Windows child env, and route the smoke-exec
env-passthrough rows through a shared Invoke-WithEnv helper.
2026-05-28 23:32:00 -04:00
..