Revert unintended credentials exposure #18840

Merged
skeshive merged 1 commit into main from adibakm/revert-unintended-creds-exposure
Feb 11, 2026


@Adib234 Adib234 commented Feb 11, 2026

Summary

Reverts #17311

Details

Related Issues

How to Validate

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed)
  • Added/updated tests (if needed)
  • Noted breaking changes (if any)
  • Validated on required platforms/methods:
    • MacOS
      • npm run
      • npx
      • Docker
      • Podman
      • Seatbelt
    • Windows
      • npm run
      • npx
      • Docker
    • Linux
      • npm run
      • npx
      • Docker

@Adib234 Adib234 self-assigned this Feb 11, 2026
@Adib234 Adib234 requested review from a team as code owners February 11, 2026 19:51

gemini-cli bot commented Feb 11, 2026

Hi @Adib234, thank you so much for your contribution to Gemini CLI! We really appreciate the time and effort you've put into this.

We're making some updates to our contribution process to improve how we track and review changes. Please take a moment to review our recent discussion post: Improving Our Contribution Process & Introducing New Guidelines.

Key Update: Starting January 26, 2026, the Gemini CLI project will require all pull requests to be associated with an existing issue. Any pull requests not linked to an issue by that date will be automatically closed.

Thank you for your understanding and for being a part of our community!

@gemini-code-assist

Summary of Changes

Hello @Adib234, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request reverts previous changes related to environment variable sanitization and redaction for MCP servers. The primary impact is that certain sensitive API keys will no longer be automatically redacted when spawning MCP servers, and the associated security warnings and documentation have been removed. This streamlines the environment configuration but shifts the responsibility for sensitive variable handling more directly to the user.

Highlights

  • Environment Variable Redaction Removed: The automatic redaction of sensitive environment variables, including GEMINI_API_KEY, GOOGLE_API_KEY, and GOOGLE_APPLICATION_CREDENTIALS, has been removed from the MCP server environment sanitization process.
  • Security Warnings and Documentation Updated: Related security warnings in the CLI's mcp add command and documentation regarding environment variable handling and untrusted servers have been removed.
  • Extension Environment Handling Simplified: The logic for incorporating extension-specific environment variables into MCP server processes has been removed, simplifying the environment setup.
  • Test Cases Removed/Modified: Corresponding test cases for sensitive environment variable redaction and extension environment inclusion have been removed or updated to reflect these changes.

Changelog

  • docs/tools/mcp-server.md
    • Removed security recommendations and warnings related to environment variable redaction and untrusted servers.
  • packages/cli/src/commands/mcp/add.ts
    • Removed a security warning log displayed when running MCP servers with stdio transport.
  • packages/core/src/services/environmentSanitization.test.ts
    • Removed test cases specifically checking the redaction of GEMINI_API_KEY, GOOGLE_API_KEY, and GOOGLE_APPLICATION_CREDENTIALS.
  • packages/core/src/services/environmentSanitization.ts
    • Removed GEMINI_API_KEY, GOOGLE_API_KEY, and GOOGLE_APPLICATION_CREDENTIALS from the list of NEVER_ALLOWED_ENVIRONMENT_VARIABLES.
  • packages/core/src/tools/mcp-client.test.ts
    • Updated an environment variable name in a test case from GEMINI_CLI_FOO to FOO.
    • Removed test cases for redacting sensitive environment variables and including extension settings in the environment.
  • packages/core/src/tools/mcp-client.ts
    • Removed the import for GeminiCLIExtension.
    • Simplified the environment variable construction for StdioClientTransport by removing explicit extension environment handling and the enableEnvironmentVariableRedaction flag.
    • Removed the getExtensionEnvironment helper function.

Activity

  • The pull request description contains a standard template, indicating no specific human activity or comments have been added yet.

@Adib234 Adib234 changed the title from "revert" to "Revert unintended credentials exposure" Feb 11, 2026
@github-actions

Size Change: -1.07 kB (0%)

Total Size: 24.3 MB

| Filename | Size | Change |
| --- | --- | --- |
| ./bundle/gemini.js | 24.3 MB | -1.07 kB (0%) |

Unchanged

| Filename | Size |
| --- | --- |
| ./bundle/sandbox-macos-permissive-closed.sb | 1.03 kB |
| ./bundle/sandbox-macos-permissive-open.sb | 890 B |
| ./bundle/sandbox-macos-permissive-proxied.sb | 1.31 kB |
| ./bundle/sandbox-macos-restrictive-closed.sb | 3.29 kB |
| ./bundle/sandbox-macos-restrictive-open.sb | 3.36 kB |
| ./bundle/sandbox-macos-restrictive-proxied.sb | 3.56 kB |

compressed-size-action

@gemini-cli gemini-cli bot added the priority/p1 Important and should be addressed in the near term. label Feb 11, 2026
@skeshive skeshive enabled auto-merge February 11, 2026 20:01

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request reverts several security-related features concerning MCP server integration, specifically removing the automatic redaction of sensitive environment variables (like API keys) for stdio transports, deleting security warnings, and removing related security documentation. These changes introduce a critical security vulnerability, potentially leading to credential leakage to MCP server subprocesses. I strongly advise against merging this PR in its current state.

I am having trouble creating individual review comments. Click here to see my feedback.

packages/core/src/services/environmentSanitization.ts (106-108)

critical

These environment variables should not be removed from the denylist. Removing them introduces a critical security vulnerability by allowing sensitive credentials like API keys to be leaked to MCP server subprocesses. Please revert this part of the change.

packages/core/src/tools/mcp-client.ts (1901-1904)

critical

This change introduces two critical security issues. First, it makes environment variable redaction opt-in (defaulting to false) instead of forcing it on for stdio transports. Second, it applies mcpServerConfig.env after sanitization, allowing these user-provided variables to bypass security checks entirely. This could lead to credential leakage. The environment for the subprocess should be constructed from all sources and then sanitized as a whole.

      env: sanitizeEnvironment(
        {
          ...process.env,
          ...(mcpServerConfig.env || {}),
        },
        {
          ...sanitizationConfig,
          enableEnvironmentVariableRedaction: true,
        },
      ) as Record<string, string>,

docs/tools/mcp-server.md (742-756)

high

This change removes crucial security documentation about environment variable redaction, explicit environment variable passing, and the risks of untrusted servers. This information is vital for users to securely configure and use MCP servers. Please restore these sections to ensure users are aware of the potential security implications.

packages/cli/src/commands/mcp/add.ts (131-136)

high

Removing this security warning is a regression in user security awareness. Users should be explicitly warned about the risks of running stdio MCP servers, as they can inherit and potentially expose sensitive environment variables. Please restore this warning.
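
The ordering issue raised in the review of packages/core/src/tools/mcp-client.ts above, shown as an added TypeScript example that is not part of the pull request or the Gemini CLI code base. `DENYLIST`, `sanitizeEnv`, `sanitizeThenMerge`, `mergeThenSanitize` and `leakedNames` are hypothetical stand-ins, and the sample environments are constructed with placeholder values.

```typescript
// Added illustration; hypothetical names, not the Gemini CLI implementation.
type Env = Record<string, string | undefined>;

// Hypothetical denylist holding the three variable names the review mentions.
const DENYLIST: ReadonlySet<string> = new Set([
  'GEMINI_API_KEY',
  'GOOGLE_API_KEY',
  'GOOGLE_APPLICATION_CREDENTIALS',
]);

// Names are compared upper-cased because Windows treats them case-insensitively.
const isDenied = (name: string): boolean => DENYLIST.has(name.toUpperCase());

// Hypothetical sanitizer: drops unset values and denylisted names.
function sanitizeEnv(env: Env): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [name, value] of Object.entries(env)) {
    if (value !== undefined && !isDenied(name)) out[name] = value;
  }
  return out;
}

// Ordering the review flags: config env is merged after sanitization and is never checked.
function sanitizeThenMerge(parent: Env, configEnv: Record<string, string>): Record<string, string> {
  return { ...sanitizeEnv(parent), ...configEnv };
}

// Ordering the review suggests: combine every source first, then sanitize the whole.
function mergeThenSanitize(parent: Env, configEnv: Record<string, string>): Record<string, string> {
  return sanitizeEnv({ ...parent, ...configEnv });
}

// Audit helper: denylisted names that would still reach the child process.
function leakedNames(childEnv: Record<string, string>): string[] {
  return Object.keys(childEnv).filter(isDenied).sort();
}

// Constructed sample environments (placeholder values, not real credentials).
const parentEnv: Env = { PATH: '/usr/bin', HOME: '/home/dev', GEMINI_API_KEY: 'parent-placeholder' };
const serverConfigEnv = { FOO: 'bar', google_api_key: 'config-placeholder' };

console.log('sanitize then merge leaks:', leakedNames(sanitizeThenMerge(parentEnv, serverConfigEnv)));
console.log('merge then sanitize leaks:', leakedNames(mergeThenSanitize(parentEnv, serverConfigEnv)));
```
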

@skeshive skeshive added this pull request to the merge queue Feb 11, 2026
Merged via the queue into main with commit e9a9474 Feb 11, 2026
30 of 31 checks passed
@skeshive skeshive deleted the adibakm/revert-unintended-creds-exposure branch February 11, 2026 20:23
@skeshive

/patch preview

@github-actions

Patch workflow(s) dispatched successfully!

📋 Details:

  • Channels: preview
  • Commit: e9a94748107ac24a05f51b4c5b0c0a8952374285
  • Workflows Created: 1

🔗 Track Progress:

@github-actions

🚀 Patch PR Created!

📋 Patch Details:

📝 Next Steps:

  1. Review and approve the hotfix PR: #18841
  2. Once merged, the patch release will automatically trigger
  3. You'll receive updates here when the release completes

🔗 Track Progress:

@github-actions

🚀 Patch Release Started!

📋 Release Details:

  • Environment: prod
  • Channel: preview → publishing to npm tag preview
  • Version: v0.29.0-preview.0
  • Hotfix PR: Merged ✅
  • Release Branch: release/v0.29.0-preview.0-pr-18840

⏳ Status: The patch release is now running. You'll receive another update when it completes.

🔗 Track Progress:

@github-actions

Patch Release Failed!

📋 Details:

  • Version: 0.29.0-preview.1
  • Channel: preview
  • Error: The patch release workflow encountered an error

🔍 Next Steps:

  1. Check the workflow logs for detailed error information
  2. The maintainers have been notified via automatic issue creation
  3. You may need to retry the patch once the issue is resolved

🔗 Troubleshooting:

@skeshive

/patch stable

@github-actions

Patch workflow(s) dispatched successfully!

📋 Details:

  • Channels: stable
  • Commit: e9a94748107ac24a05f51b4c5b0c0a8952374285
  • Workflows Created: 1

🔗 Track Progress:

github-actions bot pushed a commit that referenced this pull request Feb 11, 2026
# Conflicts:
#	packages/core/src/tools/mcp-client.ts
@github-actions

🚀 Patch PR Created!

📋 Patch Details:

📝 Next Steps:

  1. ⚠️ Resolve conflicts in the hotfix PR first: #18847
  2. Test your changes after resolving conflicts
  3. Once merged, the patch release will automatically trigger
  4. You'll receive updates here when the release completes

🔗 Track Progress:

@github-actions

🚀 Patch Release Started!

📋 Release Details:

  • Environment: prod
  • Channel: stable → publishing to npm tag latest
  • Version: v0.28.1
  • Hotfix PR: Merged ✅
  • Release Branch: release/v0.28.1-pr-18840

⏳ Status: The patch release is now running. You'll receive another update when it completes.

🔗 Track Progress:

@github-actions

Patch Release Complete!

📦 Release Details:

  • Version: 0.28.2
  • NPM Tag: latest
  • Channel: stable
  • Dry Run: false

🎉 Status: Your patch has been successfully released and published to npm!

📝 What's Available:

🔗 Links:

krsjenmt added a commit to krsjenmt/gemini-cli that referenced this pull request Feb 12, 2026
…ini/gemini-cli (#37)

* fix(cli): resolve double rendering in shpool and address vscode lint warnings (google-gemini#18704)

* feat(plan): document and validate Plan Mode policy overrides (google-gemini#18825)

* Fix pressing any key to exit select mode. (google-gemini#18421)

* fix(cli): update F12 behavior to only open drawer if browser fails (google-gemini#18829)

* feat(plan): allow skills to be enabled in plan mode (google-gemini#18817)

Co-authored-by: Jerop Kipruto <jerop@google.com>

* docs(plan): add documentation for plan mode tools (google-gemini#18827)

* Remove experimental note in extension settings docs (google-gemini#18822)

* Update prompt and grep tool definition to limit context size (google-gemini#18780)

* docs(plan): add `ask_user` tool documentation (google-gemini#18830)

* Revert unintended credentials exposure (google-gemini#18840)

* feat(core): update internal utility models to Gemini 3 (google-gemini#18773)

* feat(a2a): add value-resolver for auth credential resolution (google-gemini#18653)

* Removed getPlainTextLength (google-gemini#18848)

* More grep prompt tweaks (google-gemini#18846)

* refactor(cli): Reactive useSettingsStore hook (google-gemini#14915)

* fix(mcp): Ensure that stdio MCP server execution has the `GEMINI_CLI=1` env variable populated. (google-gemini#18832)

* fix(core): improve headless mode detection for flags and query args (google-gemini#18855)

* refactor(cli): simplify UI and remove legacy inline tool confirmation logic (google-gemini#18566)

* feat(cli): deprecate --allowed-tools and excludeTools in favor of policy engine (google-gemini#18508)

* fix(workflows): improve maintainer detection for automated PR actions (google-gemini#18869)

* refactor(cli): consolidate useToolScheduler and delete legacy implementation (google-gemini#18567)

* Update changelog for v0.28.0 and v0.29.0-preview0 (google-gemini#18819)

* fix(core): ensure sub-agents are registered regardless of tools.allowed (google-gemini#18870)

---------

Co-authored-by: Brad Dux <959674+braddux@users.noreply.github.com>
Co-authored-by: Jerop Kipruto <jerop@google.com>
Co-authored-by: Jacob Richman <jacob314@gmail.com>
Co-authored-by: Sandy Tao <sandytao520@icloud.com>
Co-authored-by: Adib234 <30782825+Adib234@users.noreply.github.com>
Co-authored-by: christine betts <chrstn@uw.edu>
Co-authored-by: Christian Gunderman <gundermanc@gmail.com>
Co-authored-by: Adam Weidman <65992621+adamfweidman@users.noreply.github.com>
Co-authored-by: Dev Randalpura <devrandalpura@google.com>
Co-authored-by: Pyush Sinha <pyushsinha20@gmail.com>
Co-authored-by: Richie Foreman <richie.foreman@gmail.com>
Co-authored-by: Gal Zahavi <38544478+galz10@users.noreply.github.com>
Co-authored-by: Abhi <43648792+abhipatel12@users.noreply.github.com>
Co-authored-by: Abhijit Balaji <abhijitbalaji@google.com>
Co-authored-by: Bryan Morgan <bryanmorgan@google.com>
Co-authored-by: g-samroberts <158088236+g-samroberts@users.noreply.github.com>
Co-authored-by: matt korwel <matt.korwel@gmail.com>