fix(core): conditionally expose additional_permissions in shell tool #23729

galz10 wants to merge 3 commits into main from galzahavi/fix/sandbox-tool
galz10 (Collaborator) commented Mar 24, 2026

Summary

This PR conditionally exposes the `additional_permissions` parameter in the `run_shell_command` tool's schema, making it visible to the model only when tool sandboxing is enabled in the configuration (`context.config.getSandboxEnabled()`). It also removes a hardcoded policy engine check for sandbox expansion requests that is no longer needed.

Details

Previously, the `additional_permissions` parameter was always included in the `run_shell_command` schema, which could cause the model to attempt to use sandbox expansion features even when the sandbox was not active. This change ensures the schema accurately reflects the available capabilities based on the runtime configuration.

Related Issues

How to Validate

  1. Run the CLI with tool sandboxing disabled. The `additional_permissions` parameter should not be present in the `run_shell_command` schema.
  2. Run the CLI with tool sandboxing enabled. The `additional_permissions` parameter should be present.
  3. Verify that the unit tests pass (`npm run test -w @google/gemini-cli-core`).

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed)
  • Added/updated tests (if needed)
  • Noted breaking changes (if any)
  • Validated on required platforms/methods:
    • MacOS
      • npm run
      • npx
      • Docker
      • Podman
      • Seatbelt
    • Windows
      • npm run
      • npx
      • Docker
    • Linux
      • npm run
      • npx
      • Docker

Only expose the `additional_permissions` parameter in the `run_shell_command` schema when tool sandboxing is actually enabled in the configuration. This prevents the model from attempting to use sandbox expansion features when the sandbox is not active. Additionally, removes the hardcoded policy engine check for this parameter as it is no longer needed.
@galz10 galz10 requested review from a team as code owners March 24, 2026 23:55

github-actions bot commented Mar 24, 2026

🧠 Model Steering Guidance

This PR modifies files that affect the model's behavior (prompts, tools, or instructions).

  • ⚠️ Consider adding Evals: No behavioral evaluations (evals/*.eval.ts) were added or updated in this PR. Consider adding a test case to verify the new behavior and prevent regressions.
  • 🚀 Maintainer Reminder: Please ensure that these changes do not regress results on benchmark evals before merging.

This is an automated guidance message triggered by steering logic signatures.

@gemini-code-assist (Contributor)

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refines the run_shell_command tool's behavior by ensuring its schema dynamically adapts to the application's sandboxing configuration. This prevents models from being presented with sandbox expansion options when sandboxing is not active, thereby improving the robustness and clarity of tool interactions. The changes also simplify the policy engine by removing an unnecessary check related to sandbox permissions.

Highlights

  • Conditional Schema Exposure: The additional_permissions parameter in the run_shell_command tool's schema is now conditionally exposed, appearing only when tool sandboxing is enabled.
  • Policy Engine Simplification: A redundant hardcoded policy engine check for sandbox expansion requests has been removed, streamlining policy decisions.
  • Enhanced Tool Accuracy: The tool's schema now accurately reflects available sandbox capabilities based on runtime configuration, preventing models from attempting unavailable features.


github-actions bot commented Mar 24, 2026

Size Change: +302 B (0%)

Total Size: 26.3 MB


gemini-code-assist bot (Contributor) left a comment
Code Review

This pull request introduces an enableToolSandboxing flag to conditionally include additional_permissions in shell tool declarations, propagating this new parameter across various tool definitions and configurations. A critical security regression has been identified, as the removal of a centralized check in the PolicyEngine means that sandbox expansion requests, previously downgraded to ASK_USER, could now be ALLOWed without user intervention in non-interactive modes, potentially granting unauthorized access.
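
An added example, not code from this PR or from the project: it illustrates the distinction the review above draws between hiding `additional_permissions` from the tool schema and enforcing a decision when a call actually carries it. The function names, the `Decision` type and the choice to deny the parameter outright when sandboxing is off are assumptions made for illustration; only `run_shell_command`, `additional_permissions`, `ALLOW` and `ASK_USER` come from the page.

```typescript
// Hypothetical sketch; not the project's PolicyEngine or tool definitions.
type Decision = 'ALLOW' | 'ASK_USER' | 'DENY';

interface ToolSchema {
  name: string;
  properties: Record<string, { type: string; description: string }>;
  required: string[];
}

// Schema side: advertise additional_permissions only when sandboxing is on.
function buildShellSchema(sandboxEnabled: boolean): ToolSchema {
  const schema: ToolSchema = {
    name: 'run_shell_command',
    properties: {
      command: { type: 'string', description: 'Shell command to execute.' },
    },
    required: ['command'],
  };
  if (sandboxEnabled) {
    schema.properties['additional_permissions'] = {
      type: 'object',
      description: 'Extra sandbox permissions requested for this command.',
    };
  }
  return schema;
}

// Enforcement side: the schema is only a hint to the model, so every call is
// checked again on arrival, whatever the schema advertised.
function decideShellCall(
  args: Record<string, unknown>,
  sandboxEnabled: boolean,
  ruleDecision: Decision, // what the configured rules said for this command
): Decision {
  const wantsExpansion = args['additional_permissions'] !== undefined;
  if (!wantsExpansion) return ruleDecision;
  // Assumption: a parameter that was never advertised is rejected outright.
  if (!sandboxEnabled) return 'DENY';
  // An expansion request is never auto-approved: ALLOW is downgraded.
  return ruleDecision === 'ALLOW' ? 'ASK_USER' : ruleDecision;
}
```

The second function is the part a schema change cannot replace: a model, or text injected into its context, can still emit an unadvertised argument, so the decision has to be made on the arguments actually received.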

@gemini-cli gemini-cli bot added the status/need-issue Pull requests that need to have an associated issue. label Mar 25, 2026
@SandyTao520 SandyTao520 enabled auto-merge March 25, 2026 01:07
@SandyTao520 SandyTao520 added this pull request to the merge queue Mar 25, 2026
Any commits made after this event will not be merged.