feat: Accept defaultValue from settings when installing an extension

[dandye]

Summary

Implemented support for defaultValue in extension settings configuration. This ensures a smoother user experience by pre-filling reasonable defaults (masked if sensitive) and utilizing them when the user provides no input.

Details

• Added defaultValue property to the ExtensionSetting interface in extensionSettings.ts.
• Updated ConfigExtensionDialog to:
  • Display default values in the prompt (e.g., [default: ******] for sensitive, [default: context] for others).
  • Improved TextInput to handle masking correctly when a default value is present but not yet accepted.
  • Fallback to defaultValue if the user submits an empty value.
• Added comprehensive tests in ConfigExtensionDialog.test.tsx covering rendering, masking, and fallback logic.

Related Issues

Fixes #18447

How to Validate

1. Run the tests to verify the logic:

   npm test -w packages/cli -- src/ui/components/ConfigExtensionDialog.test.tsx

2. Integration test

   npm start -- extension install /tmp/temp/google-secops

Test Evidence

$ npm test -w packages/cli -- src/ui/components/ConfigExtensionDialog.test.tsx

> @google/gemini-cli@0.29.0-nightly.20260203.71f46f116 test
> vitest run src/ui/components/ConfigExtensionDialog.test.tsx


 RUN  v3.2.4 /Users/dandye/Projects/gemini-cli__worktrees/ext_config_default_value/packages/cli
      Coverage enabled with v8

 ✓ src/ui/components/ConfigExtensionDialog.test.tsx (5 tests) 179ms
   ✓ ConfigExtensionDialog > should display default value in prompt 28ms
   ✓ ConfigExtensionDialog > should mask sensitive default value in prompt 4ms
   ✓ ConfigExtensionDialog > should use default value when input is empty 4ms
   ✓ ConfigExtensionDialog > should use input value even if default exists 71ms
   ✓ ConfigExtensionDialog > should work normally without default value 72ms

 Test Files  1 passed (1)
      Tests  5 passed (5)
   Start at  12:18:26
   Duration  3.99s (transform 819ms, setup 17ms, collect 2.46s, tests 179ms, environment 0ms, prepare 60ms)

JUNIT report written to /Users/dandye/Projects/gemini-cli__worktrees/ext_config_default_value/packages/cli/junit.xml
 % Coverage report from v8

2. Manual Validation:
   • Run the CLI and configure an extension with default values (if any exist, or mocked).
   • Observe that the default value is shown in the prompt.
   • Press Enter without typing anything and verify the default value is saved.

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • npx
    • Docker
    • Podman
    • Seatbelt
  • Windows
    • npm run
    • npx
    • Docker
  • Linux
    • npm run
    • npx
    • Docker

Screenshots

Before

After

Pressing enter writes the default to:

cat ~/.gemini/extensions/google-secops/.env
PROJECT_ID=secops-demo-env

[gemini-code-assist]

Summary of Changes

Hello @dandye, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the user experience for configuring extensions by integrating default values into the settings configuration process. Users will now see suggested default values directly in the prompts, with sensitive data appropriately masked. Furthermore, the system will automatically apply these defaults if no explicit input is provided, streamlining the setup of extensions and reducing the need for manual input for common settings.

Highlights

• Default Value Support: Introduced support for defaultValue in extension settings, allowing extensions to provide pre-filled, reasonable defaults for configuration.
• Enhanced User Experience: The ConfigExtensionDialog now displays default values in the prompt, masking sensitive information, and automatically uses the default if the user submits an empty input.
• Improved Prompting Logic: The promptForSetting utility function has been updated to incorporate defaultValue handling, both for display and as an initial input value.
• Comprehensive Testing: New tests have been added for ConfigExtensionDialog to ensure correct rendering of default values, proper masking of sensitive data, and accurate fallback logic when inputs are empty.

Changelog

• packages/cli/src/commands/extensions/utils.ts
  • The promptForSetting function was moved into this file.
  • Updated promptForSetting to include defaultValue in the prompt message, displaying [default: <value>] and masking sensitive values.
  • The prompts call within promptForSetting now uses setting.defaultValue as its initial value.
• packages/cli/src/config/extensions/extensionSettings.ts
  • Added an optional defaultValue property of type string to the ExtensionSetting interface.
  • Updated the promptForSetting function in this file to pass setting.defaultValue as the initial value to the prompts library.
• packages/cli/src/ui/components/ConfigExtensionDialog.test.tsx
  • Added a new test file for ConfigExtensionDialog to validate the new default value functionality.
  • Tests confirm that default values are correctly displayed in the prompt, including proper masking for sensitive settings.
  • Tests verify that submitting an empty input correctly falls back to using the defaultValue.
  • Tests ensure that explicit user input correctly overrides any existing defaultValue.
• packages/cli/src/ui/components/ConfigExtensionDialog.tsx
  • Modified the UI to display the defaultValue in the prompt description, showing [default: ******] for sensitive values and the actual value for others.
  • Updated the TextInput component's onSubmit handler to automatically use state.setting.defaultValue if the submitted value is an empty string.

Activity

• The author has implemented support for defaultValue in extension settings.
• The ConfigExtensionDialog has been updated to display and utilize default values.
• Comprehensive tests have been added in ConfigExtensionDialog.test.tsx to cover the new functionality.
• Validation steps have been provided, including running new tests and manual CLI verification.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces support for "defaultValue" in extension settings. While aiming to enhance user experience, the current implementation for sensitive settings presents a significant security risk across both CLI and UI components: masking or hiding default values allows malicious extensions to inject dangerous payloads without user awareness. It is crucial to either disallow default values for sensitive settings or ensure full transparency during setup. Additionally, a duplicated and inconsistent "promptForSetting" function in "packages/cli/src/config/extensions/extensionSettings.ts" needs to be addressed for code consistency and to prevent confusing user behavior, aligning with the principle that functionally similar components should be consistent.

[gemini-code-assist]

This "promptForSetting" function presents a security vulnerability: it uses "defaultValue" as the "initial" prompt value without displaying it, particularly for sensitive settings. This allows malicious extensions to inject unintended values if a user accepts the default without awareness. Furthermore, this function is inconsistent with the version in "packages/cli/src/commands/extensions/utils.ts". It should either be removed if it's a leftover from refactoring or updated to ensure default values are clearly visible and consistent with other implementations.

export async function promptForSetting(
  setting: ExtensionSetting,
): Promise<string> {
  let description = setting.description;
  if (setting.defaultValue !== undefined) {
    const displayValue = setting.sensitive ? '******' : setting.defaultValue;
    description += ` [default: ${displayValue}]`;
  }

  const response = await prompts({
    type: setting.sensitive ? 'password' : 'text',
    name: 'value',
    message: `${setting.name}\n${description}`,
    initial: setting.defaultValue,
  });
  return response.value;
}

References

1. Functionally similar prompt sections like 'planningWorkflow' and 'primaryWorkflows' should be located in the same spot for consistency, as security or other concerns for one likely apply to both.

[gemini-code-assist]

Masking the defaultValue for sensitive settings in the prompt message prevents users from verifying the value they are about to accept. If a malicious extension provides a default value containing command injection sequences (e.g., ; malicious_command), a user might unknowingly execute it by simply pressing Enter. Sensitive settings should either not have default values, or the default values should be transparently displayed during the initial configuration prompt.

[gemini-code-assist]

In the interactive UI, masking the defaultValue for sensitive settings (line 273) and then falling back to it if the user submits an empty string (line 283) creates a security risk. A user cannot see the value they are accepting, which could allow a malicious extension to smuggle commands or other malicious data into the configuration. Consider disabling default values for sensitive settings or ensuring they are visible during the first-time configuration.