feat(admin): Implement admin allowlist for MCP server configurations

[skeshive]

Summary

This PR introduces admin allowlist mechanism for MCP server configurations. When admin.mcp.config is enabled and configured, the CLI will filter locally defined MCP servers, only allowing those present in the admin allowlist. For allowed servers, local command, args, env, and cwd fields will be cleared for security, and admin-defined tool filters will take precedence.

Details

• If admin.mcp.config is set, only servers explicitly listed in this configuration will be considered.
• For servers present in both local and admin configurations, admin settings for url, type, and trust will be applied, while local executable-related fields (command, args, env, cwd) will be nullified to prevent local overrides of secure admin configurations.
• Admin-defined includeTools and excludeTools will override local settings for tool filtering, ensuring consistent tool exposure. If admin does not define tool filters, local tool filters will still be used.

Related Issues

https://github.com/google-gemini/maintainers-gemini-cli/issues/1178

[gemini-cli]

Hi @skeshive, thank you so much for your contribution to Gemini CLI! We really appreciate the time and effort you've put into this.

We're making some updates to our contribution process to improve how we track and review changes. Please take a moment to review our recent discussion post: Improving Our Contribution Process & Introducing New Guidelines.

Key Update: Starting January 26, 2026, the Gemini CLI project will require all pull requests to be associated with an existing issue. Any pull requests not linked to an issue by that date will be automatically closed.

Thank you for your understanding and for being a part of our community!

[gemini-code-assist]

Summary of Changes

Hello @skeshive, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security and manageability of MCP server configurations within the CLI. By introducing an admin allowlist, it centralizes control over which MCP servers can be used and how they are executed, preventing unauthorized or insecure local configurations. This change ensures that critical server parameters and tool filtering policies are consistently applied as defined by administrators, thereby improving the overall integrity and security posture of the system.

Highlights

• Admin Allowlist for MCP Servers: Introduced a mechanism to filter locally defined MCP servers based on an administrator-defined allowlist, ensuring only approved servers are considered.
• Security Enhancements: For servers present in the admin allowlist, local executable-related fields (command, args, env, cwd) are cleared to prevent security vulnerabilities from local overrides.
• Tool Filter Precedence: Admin-defined includeTools and excludeTools now take precedence over local settings for tool filtering, ensuring consistent policy enforcement.
• Configuration Merging Logic: Implemented logic to merge admin and local MCP server configurations, prioritizing admin settings for critical fields (url, type, trust) while retaining other local settings.

Changelog

• packages/cli/src/config/config.test.ts
  • Added comprehensive unit tests for the new admin.mcp.config functionality, covering scenarios like empty allowlists, server filtering, clearing of sensitive local fields, and tool filter precedence.
  • Imported MCPServerConfig type for use in tests.
• packages/cli/src/config/config.ts
  • Implemented the core logic within loadCliConfig for processing the admin.mcp.config allowlist.
  • Added filtering of local MCP servers, nullifying local executable paths (command, args, env, cwd), and applying admin-defined tool filters.
  • Updated the Config constructor to receive the potentially modified mcpServerCommand and mcpServers.
• packages/cli/src/config/settings.test.ts
  • Added a test to confirm that remote admin MCP server configurations are correctly un-nested and applied to the admin.mcp.config setting.
  • Imported MCPServerConfig type for use in tests.
• packages/cli/src/config/settings.ts
  • Modified the setRemoteAdminSettings method within the LoadedSettings class to correctly parse and store the mcpConfig from remote admin settings into the admin.mcp.config property.
• packages/cli/src/config/settingsSchema.ts
  • Updated the settings schema to include the new config property under admin.mcp, defining its structure and merge strategy for admin-configured MCP servers.

Activity

• No human activity (comments, reviews, etc.) has been recorded for this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces an admin allowlist for MCP server configurations, a valuable security enhancement. However, a critical flaw exists in the loadCliConfig merge logic, allowing users to bypass the intended security control by overriding admin-provided server URLs using deprecated fields like httpUrl. Additionally, there's a potential issue where merging tool-filtering settings might unintentionally clear local exclusion lists, and an additional test case would be beneficial to cover this scenario.

[github-actions]

Size Change: -4.02 kB (-0.02%)

Total Size: 23.7 MB

Filename	Size	Change
./bundle/gemini.js	23.7 MB	-4.02 kB (-0.02%)

ℹ️ View Unchanged

Filename	Size
./bundle/sandbox-macos-permissive-closed.sb	1.03 kB
./bundle/sandbox-macos-permissive-open.sb	890 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB
./bundle/sandbox-macos-restrictive-closed.sb	3.29 kB
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB

_{compressed-size-action}