feat(admin): apply MCP allowlist to extensions & gemini mcp list command

[skeshive]

TLDR

• Core Logic: A new applyAdminAllowlist utility in @google/gemini-cli-core centralizes the filtering and merging of local MCP server configurations with admin-defined allowlist rules. It removes local connection details (command, args, env, cwd) when an admin configuration is present.
• Integration across CLI:
  • The main CLI configuration loader (packages/cli/src/config/config.ts) now applies this allowlist during startup.
  • The ExtensionManager also uses the allowlist to filter MCP servers provided by extensions.
  • The mcp list command (packages/cli/src/commands/mcp/list.ts) is updated to show only allowed servers and provide user-friendly warnings for any servers blocked by policy.
• Messaging: A new getAdminBlockedMcpServersMessage provides consistent messaging for users when servers are blocked.
• Deferred Commands: The deferred.ts utility is updated to pass the fully merged settings object to deferred command handlers, ensuring that commands like mcp list can access the admin-filtered settings.

[gemini-cli]

Hi there! Thank you for your contribution to Gemini CLI.

To improve our contribution process and better track changes, we now require all pull requests to be associated with an existing issue, as announced in our recent discussion and as detailed in our CONTRIBUTING.md.

This pull request is being closed because it is not currently linked to an issue. Once you have updated the description of this PR to link an issue (e.g., by adding Fixes #123 or Related to #123), it will be automatically reopened.

How to link an issue:
Add a keyword followed by the issue number (e.g., Fixes #123) in the description of your pull request. For more details on supported keywords and how linking works, please refer to the GitHub Documentation on linking pull requests to issues.

Thank you for your understanding and for being a part of our community!

[gemini-cli]

Hi @skeshive, thank you so much for your contribution to Gemini CLI! We really appreciate the time and effort you've put into this.

We're making some updates to our contribution process to improve how we track and review changes. Please take a moment to review our recent discussion post: Improving Our Contribution Process & Introducing New Guidelines.

Key Update: Starting January 26, 2026, the Gemini CLI project will require all pull requests to be associated with an existing issue. Any pull requests not linked to an issue by that date will be automatically closed.

Thank you for your understanding and for being a part of our community!

[gemini-code-assist]

Summary of Changes

Hello @skeshive, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces robust administrative control over Model Context Protocol (MCP) server configurations within the Gemini CLI. By implementing a centralized allowlisting mechanism, it ensures that only explicitly approved MCP servers can be configured and used, both directly by the CLI and through extensions. This significantly enhances the security posture and compliance of the tool by preventing unauthorized server connections and providing clear feedback to users when servers are blocked by policy.

Highlights

• Centralized MCP Allowlisting: Introduced applyAdminAllowlist in @google/gemini-cli-core to centralize filtering and merging of local MCP server configurations with admin-defined allowlist rules.
• Security Enforcement: Local connection details (command, args, env, cwd) are now removed when an admin configuration is present, enhancing security.
• CLI Integration: The main CLI configuration loader (packages/cli/src/config/config.ts) now applies the allowlist during startup.
• Extension Filtering: The ExtensionManager utilizes the allowlist to filter MCP servers provided by extensions.
• mcp list Command Update: The mcp list command (packages/cli/src/commands/mcp/list.ts) now displays only allowed servers and provides warnings for blocked ones.
• Consistent Messaging: A new getAdminBlockedMcpServersMessage function ensures uniform user messaging for blocked servers.
• Deferred Command Support: The deferred.ts utility now passes the fully merged settings object to deferred command handlers, enabling them to access admin-filtered settings.

Changelog

• packages/cli/src/commands/mcp/list.test.ts
  • Mocked applyAdminAllowlist to control test behavior.
  • Added a new test case to verify that the mcp list command correctly filters servers based on the admin allowlist provided in settings.
• packages/cli/src/commands/mcp/list.ts
  • Imported applyAdminAllowlist and getAdminBlockedMcpServersMessage for use in the command.
  • Modified getMcpServersFromConfig to accept optional MergedSettings and return both allowed MCP servers and a list of blocked server names after applying the admin allowlist.
  • Updated listMcpServers to display a warning message for any servers blocked by the admin allowlist.
  • Adjusted the listCommand handler to pass the settings object to listMcpServers.
• packages/cli/src/config/config.test.ts
  • Added a mock for applyAdminAllowlist to ensure consistent test environments.
• packages/cli/src/config/config.ts
  • Integrated applyAdminAllowlist and getAdminBlockedMcpServersMessage.
  • Refactored the logic for applying admin allowlist to MCP servers, replacing manual filtering with the new applyAdminAllowlist utility and emitting console warnings for blocked servers.
• packages/cli/src/config/extension-manager.ts
  • Imported applyAdminAllowlist and getAdminBlockedMcpServersMessage.
  • Applied the admin allowlist to MCP servers provided by extensions, filtering out unapproved servers and logging warnings.
• packages/cli/src/config/mcp/mcpServerEnablement.ts
  • Imported applyAdminAllowlist, getAdminErrorMessage, and MCPServerConfig.
  • Enhanced the canLoadServer function to perform an early check against the admin allowlist, preventing unapproved servers from being loaded.
• packages/cli/src/deferred.ts
  • Modified runDeferredCommand to inject the MergedSettings object into the argv passed to deferred command handlers, ensuring they have access to the full configuration.
• packages/core/src/code_assist/admin/admin_controls.ts
  • Added a new utility function getAdminBlockedMcpServersMessage to generate a standardized, user-friendly message for MCP servers blocked by administrative policy.
• packages/core/src/code_assist/admin/mcpUtils.test.ts
  • New file: Contains comprehensive unit tests for the applyAdminAllowlist utility, covering scenarios such as no allowlist, empty allowlist, filtering unallowed servers, overriding connection details, and applying tool restrictions.
• packages/core/src/code_assist/admin/mcpUtils.ts
  • New file: Introduced the applyAdminAllowlist utility function. This function takes local MCP server configurations and an admin allowlist, filters out servers not in the allowlist, merges admin-defined properties (url, type, trust), and removes local execution-specific details (command, args, env, cwd).
• packages/core/src/index.ts
  • Exported the newly created mcpUtils.ts module to make applyAdminAllowlist available throughout the core package.

Activity

• The pull request introduces a new core utility for admin allowlisting, applyAdminAllowlist, along with its dedicated test suite.
• It integrates this new utility across key configuration loading paths in the CLI, including the main config loader and the extension manager.
• The mcp list command has been updated to reflect these new administrative policies, providing user feedback.
• Support for deferred commands has been enhanced to ensure they operate with the correct, admin-filtered settings.
• A new messaging utility getAdminBlockedMcpServersMessage was added for consistent user communication.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a robust administrative allowlist mechanism for MCP servers, centralizing the filtering and merging logic within applyAdminAllowlist. While the overall design aims to improve security by allowing administrators to restrict and override MCP server configurations, a critical vulnerability was identified in the merging logic of the applyAdminAllowlist utility. Specifically, the function fails to sanitize several sensitive fields from the local configuration, which could allow users to bypass admin-defined authentication and connection policies for allowlisted servers. Additionally, the review highlights the need for consistent case-insensitive matching for server IDs across configurations and suggests removing outdated comments for improved code clarity. The utility is integrated across the CLI's configuration loader, extension manager, and the mcp list command, ensuring only approved servers are active, and includes necessary updates to deferred.ts along with comprehensive unit tests.

[github-actions]

Size Change: +2.71 kB (+0.01%)

Total Size: 23.8 MB

Filename	Size	Change
./bundle/gemini.js	23.8 MB	+2.71 kB (+0.01%)

ℹ️ View Unchanged

Filename	Size
./bundle/sandbox-macos-permissive-closed.sb	1.03 kB
./bundle/sandbox-macos-permissive-open.sb	890 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB
./bundle/sandbox-macos-restrictive-closed.sb	3.29 kB
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB

_{compressed-size-action}

[abhipatel12]

LGTM with a couple nits about the date

[abhipatel12]

nit 2026

[abhipatel12]

2026