feat(sandbox): implement cross-platform support with Windows fallback

- Add conditional compilation for Unix-specific gaol sandbox functionality
- Implement Windows-compatible SandboxExecutor with no-op sandboxing
- Update ProfileBuilder to handle both Unix and Windows platforms
- Add platform-specific dependency declaration for gaol crate
- Modify agent and claude commands to use appropriate sandbox implementation
- Update test modules with conditional compilation for Unix-only tests
- Ensure graceful degradation on Windows with logging warnings

This change enables the application to build and run on Windows while
maintaining full sandbox security on Unix-like systems.

Author: mufeedvh

src-tauri/Cargo.toml

@@ -50,6 +50,9 @@ zstd = "0.13"
 uuid = { version = "1.6", features = ["v4", "serde"] }
 walkdir = "2"
 
+[target.'cfg(unix)'.dependencies]
+gaol = "0.2"
+
 [target.'cfg(target_os = "macos")'.dependencies]
 cocoa = "0.26"
 objc = "0.2"

src-tauri/src/commands/agents.rs

@@ -996,12 +996,20 @@ pub async fn execute_agent(
                     Ok(build_result) => {
 
                         // Create the enhanced sandbox executor
+                        #[cfg(unix)]
                         let executor = crate::sandbox::executor::SandboxExecutor::new_with_serialization(
                             build_result.profile,
                             project_path_buf.clone(),
                             build_result.serialized
                         );
 
+                        #[cfg(not(unix))]
+                        let executor = crate::sandbox::executor::SandboxExecutor::new_with_serialization(
+                            (),
+                            project_path_buf.clone(),
+                            build_result.serialized
+                        );
+                        
                         // Prepare the sandboxed command
                         let args = vec![
                             "-p", &task,

src-tauri/src/commands/claude.rs

@@ -1021,7 +1021,14 @@ fn create_sandboxed_claude_command(app: &AppHandle, project_path: &str) -> Resul
 
                             // Use the helper function to create sandboxed command
                             let claude_path = find_claude_binary(app)?;
-                            Ok(create_sandboxed_command(&claude_path, &[], &project_path_buf, profile, project_path_buf.clone()))
+                            #[cfg(unix)]
+                            return Ok(create_sandboxed_command(&claude_path, &[], &project_path_buf, profile, project_path_buf.clone()));
+                            
+                            #[cfg(not(unix))]
+                            {
+                                log::warn!("Sandboxing not supported on Windows, using regular command");
+                                Ok(create_command_with_env(&claude_path))
+                            }
                         }
                         Err(e) => {
                             log::error!("Failed to build sandbox profile: {}, falling back to non-sandboxed", e);

src-tauri/src/sandbox/executor.rs

@@ -1,4 +1,5 @@
 use anyhow::{Context, Result};
+#[cfg(unix)]
 use gaol::sandbox::{ChildSandbox, ChildSandboxMethods, Command as GaolCommand, Sandbox, SandboxMethods};
 use log::{info, warn, error, debug};
 use std::env;
@@ -8,11 +9,13 @@ use tokio::process::Command;
 
 /// Sandbox executor for running commands in a sandboxed environment
 pub struct SandboxExecutor {
+    #[cfg(unix)]
     profile: gaol::profile::Profile,
     project_path: PathBuf,
     serialized_profile: Option<SerializedProfile>,
 }
 
+#[cfg(unix)]
 impl SandboxExecutor {
     /// Create a new sandbox executor with the given profile
     pub fn new(profile: gaol::profile::Profile, project_path: PathBuf) -> Self {
@@ -267,12 +270,76 @@ impl SandboxExecutor {
     }
 }
 
+// Windows implementation - no sandboxing
+#[cfg(not(unix))]
+impl SandboxExecutor {
+    /// Create a new sandbox executor (no-op on Windows)
+    pub fn new(_profile: (), project_path: PathBuf) -> Self {
+        Self {
+            project_path,
+            serialized_profile: None,
+        }
+    }
+    
+    /// Create a new sandbox executor with serialized profile (no-op on Windows)
+    pub fn new_with_serialization(
+        _profile: (), 
+        project_path: PathBuf,
+        serialized_profile: SerializedProfile
+    ) -> Self {
+        Self {
+            project_path,
+            serialized_profile: Some(serialized_profile),
+        }
+    }
+
+    /// Execute a command in the sandbox (Windows - no sandboxing)
+    pub fn execute_sandboxed_spawn(&self, command: &str, args: &[&str], cwd: &Path) -> Result<std::process::Child> {
+        info!("Executing command without sandbox on Windows: {} {:?}", command, args);
+        
+        std::process::Command::new(command)
+            .args(args)
+            .current_dir(cwd)
+            .stdin(Stdio::piped())
+            .stdout(Stdio::piped())
+            .stderr(Stdio::piped())
+            .spawn()
+            .context("Failed to spawn process")
+    }
+
+    /// Prepare a sandboxed tokio Command (Windows - no sandboxing)
+    pub fn prepare_sandboxed_command(&self, command: &str, args: &[&str], cwd: &Path) -> Command {
+        info!("Preparing command without sandbox on Windows: {} {:?}", command, args);
+        
+        let mut cmd = Command::new(command);
+        cmd.args(args)
+            .current_dir(cwd)
+            .stdin(Stdio::null())
+            .stdout(Stdio::piped())
+            .stderr(Stdio::piped());
+        
+        cmd
+    }
+    
+    /// Extract sandbox rules (no-op on Windows)
+    fn extract_sandbox_rules(&self) -> Result<SerializedProfile> {
+        Ok(SerializedProfile { operations: vec![] })
+    }
+    
+    /// Activate sandbox in child process (no-op on Windows)
+    pub fn activate_sandbox_in_child() -> Result<()> {
+        debug!("Sandbox activation skipped on Windows");
+        Ok(())
+    }
+}
+
 /// Check if the current process should activate sandbox
 pub fn should_activate_sandbox() -> bool {
     env::var("GAOL_SANDBOX_ACTIVE").unwrap_or_default() == "1"
 }
 
 /// Helper to create a sandboxed tokio Command
+#[cfg(unix)]
 pub fn create_sandboxed_command(
     command: &str, 
     args: &[&str], 
@@ -300,6 +367,7 @@ pub enum SerializedOperation {
     SystemInfoRead,
 }
 
+#[cfg(unix)]
 fn deserialize_profile(serialized: SerializedProfile, project_path: &Path) -> Result<gaol::profile::Profile> {
     let mut operations = Vec::new();
 
@@ -366,6 +434,7 @@ fn deserialize_profile(serialized: SerializedProfile, project_path: &Path) -> Re
         })
 }
 
+#[cfg(unix)]
 fn create_minimal_profile(project_path: PathBuf) -> Result<gaol::profile::Profile> {
     let operations = vec![
         gaol::profile::Operation::FileReadAll(