feat(context): add remote configuration for tool output masking thresholds

[abhipatel12]

Summary

Transitioned previously hardcoded tool output masking thresholds to a remotely configurable system using the Experiments framework. This allows for dynamic context window optimization without requiring client updates.

Details

• Remote Config: Added official experiment flag IDs 45758817, 45758818, and 45758819 to flagNames.ts.
• Config Loader: Updated Config.ts to fetch these values asynchronously from the experiments service.
• Service Integration: Modified ToolOutputMaskingService to await the resolved configuration before processing.
• Fail-safe: Maintained existing local defaults as fallbacks if flags are missing or server-side communication fails.

Related Issues

Related to tool output masking and context optimization.

How to Validate

1. Run the targeted unit tests:

   npm test -w @google/gemini-cli-core -- src/services/toolOutputMaskingService.test.ts

2. Verify that the new test case should respect remote configuration overrides correctly simulates and validates dynamic threshold changes.
3. (Optional) Run npm run preflight to confirm overall workspace health.

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • npx
    • Docker
    • Podman
    • Seatbelt
  • Windows
    • npm run
    • npx
    • Docker
  • Linux
    • npm run
    • npx
    • Docker

[gemini-code-assist]

Summary of Changes

Hello @abhipatel12, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request transitions the tool output masking thresholds from hardcoded values to a remotely configurable system using the Experiments framework. This enhancement allows for dynamic optimization of the context window without requiring client-side updates, improving flexibility and responsiveness to changing model requirements.

Highlights

• Remote Configuration for Masking Thresholds: Introduced three new experiment flags (MASKING_PROTECTION_THRESHOLD, MASKING_PRUNABLE_THRESHOLD, MASKING_PROTECT_LATEST_TURN) in flagNames.ts to enable remote configuration of tool output masking thresholds.
• Asynchronous Configuration Loading: Updated Config.ts to asynchronously load these new experiment flags, allowing ToolOutputMaskingConfig values to be fetched dynamically from the experiments service.
• Service Integration and Fallbacks: Modified ToolOutputMaskingService to await the remote configuration before applying masking logic, ensuring dynamic threshold adjustments while maintaining existing local defaults as fallbacks.
• New Test Case for Remote Overrides: Added a new unit test in toolOutputMaskingService.test.ts to specifically verify that the service correctly respects and applies remote configuration overrides.

Changelog

• packages/core/src/code_assist/experiments/flagNames.ts
  • Added MASKING_PROTECTION_THRESHOLD, MASKING_PRUNABLE_THRESHOLD, and MASKING_PROTECT_LATEST_TURN experiment flag IDs.
• packages/core/src/config/config.ts
  • Changed getToolOutputMaskingConfig to an async method.
  • Implemented logic to fetch MASKING_PROTECTION_THRESHOLD, MASKING_PRUNABLE_THRESHOLD, and MASKING_PROTECT_LATEST_TURN values from the experiments service.
  • Ensured local defaults are used as fallbacks if remote configurations are unavailable.
• packages/core/src/services/toolOutputMaskingService.test.ts
  • Updated the mock for getToolOutputMaskingConfig to be async.
  • Added a new test case, should respect remote configuration overrides, to validate the dynamic application of remote thresholds.
• packages/core/src/services/toolOutputMaskingService.ts
  • Modified the mask method to await the getToolOutputMaskingConfig call.
  • Integrated the fetched maskingConfig to control the masking logic, including enabling/disabling and determining the scan start index.

Activity

• The author has completed the pre-merge checklist items for updating documentation/README and adding/updating tests.
• Validation has been performed on MacOS using npm run.
• A new unit test was added to toolOutputMaskingService.test.ts to specifically validate remote configuration overrides.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

Size Change: +1.19 kB (0%)

Total Size: 23.9 MB

Filename	Size	Change
./bundle/gemini.js	23.8 MB	+1.19 kB (0%)

ℹ️ View Unchanged

Filename	Size
./bundle/sandbox-macos-permissive-closed.sb	1.03 kB
./bundle/sandbox-macos-permissive-open.sb	890 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB
./bundle/sandbox-macos-restrictive-closed.sb	3.29 kB
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB

_{compressed-size-action}

[gemini-code-assist]

Code Review

This pull request transitions the tool output masking thresholds to a remote configuration system, a positive step towards dynamic optimization. However, a high-severity security vulnerability has been identified in the offloading mechanism (writing masked outputs to disk) due to insecure temporary file handling with default permissions and predictable filenames, which could expose sensitive tool outputs and enable symlink attacks. Additionally, a critical issue in config.ts involves non-robust parsing of remote configuration values, potentially leading to NaN values and unpredictable behavior.