
chore(github): require prompt approvers for agent prompt files#20896

Merged

gundermanc merged 2 commits into main from update-codeowners-prompt-approvers on Mar 4, 2026

Conversation

@gundermanc (Member)

Summary

Adds @google-gemini/gemini-cli-prompt-approvers as a required reviewer for files that contain content included in the agent prompt, specifically snippets.ts, snippets.legacy.ts, and the tool definitions in packages/core/src/tools/.

Details

Updating the .github/CODEOWNERS file to enforce review policies on prompt-related files. This ensures that changes to the core prompt and tools used by the AI agent are properly vetted by the prompt approvers.

Related Issues

How to Validate

  1. Check the .github/CODEOWNERS file for the new entries.
  2. Verify that changes to the specified files in a test PR trigger the review requirement.

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed)
  • Added/updated tests (if needed)
  • Noted breaking changes (if any)
  • Validated on required platforms/methods:
    • MacOS
      • npm run
      • npx
      • Docker
      • Podman
      • Seatbelt
    • Windows
      • npm run
      • npx
      • Docker
    • Linux
      • npm run
      • npx
      • Docker

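Step 2 of How to Validate needs a real test PR because GitHub applies only the last CODEOWNERS pattern that matches a path, so a new line can replace a file's existing owners rather than add to them. The resolver below is an added example and is not part of gemini-cli: it implements that last-match rule over a constructed CODEOWNERS text (the /README.md line and the three new prompt-approver lines are taken from this PR; the broad /packages/ rule and the example-tool.ts path are hypothetical) so the effect of the change on any path can be checked offline before the test PR is opened.

```typescript
// Added example, not gemini-cli code: a minimal CODEOWNERS resolver that
// applies GitHub's rule that only the LAST matching pattern assigns owners.

interface Rule {
  pattern: string;
  owners: string[];
  regex: RegExp;
}

function escapeRegexChar(c: string): string {
  return /[.+^${}()|[\]\\]/.test(c) ? `\\${c}` : c;
}

// Translate the gitignore-like CODEOWNERS pattern syntax into a RegExp over
// repo-relative, forward-slash paths: a leading "/" or any inner "/" anchors
// the pattern at the repository root, a trailing "/" means "every file under
// this directory", "*" and "?" stay within one segment, "**" spans segments.
function patternToRegex(pattern: string): RegExp {
  let core = pattern;
  const leadingSlash = core.startsWith('/');
  if (leadingSlash) core = core.slice(1);
  const dirOnly = core.endsWith('/');
  if (dirOnly) core = core.slice(0, -1);
  const anchored = leadingSlash || core.includes('/');

  let body = '';
  for (let i = 0; i < core.length; i++) {
    const c = core.charAt(i);
    if (c === '*' && core.charAt(i + 1) === '*') {
      if (core.charAt(i + 2) === '/') {
        body += '(?:.*/)?'; // "**/": zero or more leading directories
        i += 2;
      } else {
        body += '.*'; // bare "**": anything, across segments
        i += 1;
      }
    } else if (c === '*') {
      body += '[^/]*';
    } else if (c === '?') {
      body += '[^/]';
    } else {
      body += escapeRegexChar(c);
    }
  }
  const prefix = anchored ? '^' : '^(?:.*/)?';
  // A directory pattern owns everything beneath it; a literal name also owns
  // its contents if it is a directory; a pattern ending in a wildcard
  // ("docs/*") matches one level only, as GitHub documents.
  const suffix = dirOnly ? '/.+$' : /[*?]$/.test(core) ? '$' : '(?:/.*)?$';
  return new RegExp(prefix + body + suffix);
}

function parseCodeowners(text: string): Rule[] {
  const rules: Rule[] = [];
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*$/, '').trim(); // drop comments and blanks
    if (!line) continue;
    const [pattern, ...owners] = line.split(/\s+/); // no owners = clears ownership
    rules.push({ pattern, owners, regex: patternToRegex(pattern) });
  }
  return rules;
}

// Last match wins: owners are replaced, never merged, across matching lines.
function resolveOwners(rules: Rule[], path: string): string[] {
  let owners: string[] = [];
  for (const rule of rules) {
    if (rule.regex.test(path)) owners = rule.owners;
  }
  return owners;
}

// Who is requested for `path` before and after a CODEOWNERS change.
function ownershipDelta(before: string, after: string, path: string) {
  const prev = resolveOwners(parseCodeowners(before), path);
  const next = resolveOwners(parseCodeowners(after), path);
  return {
    owners: next,
    added: next.filter((o) => !prev.includes(o)),
    removed: prev.filter((o) => !next.includes(o)),
  };
}

// Constructed CODEOWNERS text, not the repository's real file. The /README.md
// line and the three prompt-approver lines appear in the PR; the /packages/
// rule is hypothetical, standing in for whatever earlier rule covers the tree.
const CODEOWNERS_BEFORE = `
/README.md @google-gemini/gemini-cli-maintainers @google-gemini/gemini-cli-docs
/packages/ @google-gemini/gemini-cli-maintainers
`;

const CODEOWNERS_AFTER = CODEOWNERS_BEFORE + `
# Prompt contents and tool definitions require reviews from prompt approvers
/packages/core/src/prompts/snippets.ts @google-gemini/gemini-cli-prompt-approvers
/packages/core/src/prompts/snippets.legacy.ts @google-gemini/gemini-cli-prompt-approvers
/packages/core/src/tools/ @google-gemini/gemini-cli-prompt-approvers
`;

// Same rule written so the approvers are added to, not substituted for, the
// (hypothetical) existing owners of the file.
const CODEOWNERS_ADDITIVE = CODEOWNERS_BEFORE + `
/packages/core/src/prompts/snippets.ts @google-gemini/gemini-cli-maintainers @google-gemini/gemini-cli-prompt-approvers
`;

// Print the effect of the PR's rules on sample paths (example-tool.ts is a
// hypothetical file name).
for (const p of [
  'README.md',
  'packages/core/src/prompts/snippets.ts',
  'packages/core/src/prompts/promptProvider.ts',
  'packages/core/src/tools/example-tool.ts',
]) {
  const d = ownershipDelta(CODEOWNERS_BEFORE, CODEOWNERS_AFTER, p);
  const dropped = d.removed.length ? ` (no longer requested: ${d.removed.join(' ')})` : '';
  console.log(`${p} => ${d.owners.join(' ') || '(no owner)'}${dropped}`);
}
```

Run it with tsx or ts-node. Under the constructed rules, snippets.ts ends up owned by the prompt approvers alone and the hypothetical earlier owners stop being requested for it, promptProvider.ts keeps only the broad rule's owners, and the additive variant shows how to keep both teams on one line when "require" is meant to add a reviewer rather than swap one.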
@gundermanc gundermanc requested a review from a team as a code owner March 2, 2026 22:51
@gemini-code-assist (Contributor)

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request strengthens the review process for critical AI agent components by introducing a dedicated group of prompt approvers. It ensures that any modifications to the core prompt content and tool definitions undergo rigorous scrutiny, thereby maintaining the quality and integrity of the agent's behavior and preventing unintended changes to its core functionality.

Highlights

  • CODEOWNERS Update: Added @google-gemini/gemini-cli-prompt-approvers as required reviewers for files containing agent prompt content (snippets.ts, snippets.legacy.ts) and tool definitions (packages/core/src/tools/).
  • Enhanced Review Policy: Implemented a new review policy to ensure that changes to core AI agent prompts and tools are properly vetted by a dedicated group of prompt approvers.
Changelog
  • .github/CODEOWNERS
    • Added new entries to require @google-gemini/gemini-cli-prompt-approvers for prompt-related files and tool definitions.
Activity
  • No activity has occurred on this pull request since its creation.

@gundermanc gundermanc marked this pull request as draft March 2, 2026 22:52
@gemini-code-assist (Contributor) left a comment

Code Review

This pull request updates the .github/CODEOWNERS file to require reviews from prompt approvers for files related to agent prompts. While the PR correctly identifies snippets.ts, snippets.legacy.ts, and the /packages/core/src/tools/ directory as critical, the protection is incomplete as it misses core prompt orchestration logic in promptProvider.ts and prompt-registry.ts. Furthermore, the files being protected contain critical prompt injection vulnerabilities in how user memory is handled, which could lead to Remote Code Execution (RCE) if a user is tricked into using malicious project-specific configuration files. These vulnerabilities should be addressed alongside the access control improvements to ensure a more complete and secure review process.

/README.md @google-gemini/gemini-cli-maintainers @google-gemini/gemini-cli-docs

# Prompt contents and tool definitions require reviews from prompt approvers
/packages/core/src/prompts/snippets.ts @google-gemini/gemini-cli-prompt-approvers
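Review bot: GitHub applies only the last CODEOWNERS pattern that matches a path, so this line makes @google-gemini/gemini-cli-prompt-approvers the sole owner of snippets.ts; if an earlier, broader rule (for example one covering the whole packages tree) currently assigns other owners to this file, those reviewers stop being requested for it instead of being required in addition. If the intent in the PR title is to require the approvers on top of the existing owners, list both on this line, e.g. `/packages/core/src/prompts/snippets.ts @<existing-owners> @google-gemini/gemini-cli-prompt-approvers`.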
@gemini-code-assist (Contributor):

Labels: security-critical, critical

The file packages/core/src/prompts/snippets.ts (which is now being protected by this rule) contains a critical prompt injection vulnerability in the renderUserMemory function (line 442). User-provided memory content is concatenated into the system prompt without sanitization of the </loaded_context> tag. An attacker can use this tag to break out of the context and inject arbitrary instructions into the system prompt. Since the agent has access to the shell tool, this can lead to Remote Code Execution (RCE). The memory content should be sanitized to remove or escape the closing tag before concatenation.


# Prompt contents and tool definitions require reviews from prompt approvers
/packages/core/src/prompts/snippets.ts @google-gemini/gemini-cli-prompt-approvers
/packages/core/src/prompts/snippets.legacy.ts @google-gemini/gemini-cli-prompt-approvers
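Review bot: Both patterns name exact files, so a new prompt snippet file added beside them, or a rename of snippets.legacy.ts, leaves the new path with no prompt-approver requirement and no CI signal that coverage was lost; a directory or glob pattern under /packages/core/src/prompts/ would survive such changes. Also, nothing in the visible lines assigns an owner to /.github/CODEOWNERS itself; unless that file is covered and branch protection requires code owner review, one PR can edit a prompt file and delete these lines in the same change.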
@gemini-code-assist (Contributor):

Labels: security-critical, critical

The file packages/core/src/prompts/snippets.legacy.ts (which is now being protected by this rule) contains a critical prompt injection vulnerability in the renderUserMemory function (line 367). User-provided memory content is concatenated into the system prompt without sanitization of the </loaded_context> tag. An attacker can use this tag to break out of the context and inject arbitrary instructions into the system prompt. Since the agent has access to the shell tool, this can lead to Remote Code Execution (RCE). The memory content should be sanitized to remove or escape the closing tag before concatenation.

Comment on lines +20 to +22
/packages/core/src/prompts/snippets.ts @google-gemini/gemini-cli-prompt-approvers
/packages/core/src/prompts/snippets.legacy.ts @google-gemini/gemini-cli-prompt-approvers
/packages/core/src/tools/ @google-gemini/gemini-cli-prompt-approvers
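Review bot: The trailing slash in /packages/core/src/tools/ applies the rule to every file beneath that directory recursively, including any tests, fixtures or helpers kept there, not only the tool definitions the summary describes; narrow it with a glob if that is broader than intended. Also, a CODEOWNERS line whose team cannot be resolved (the team does not exist or lacks write access to the repository) is ignored without failing the PR, so the test PR in step 2 of How to Validate is the check that matters: confirm the team is actually requested, not only that the file parses.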
@gemini-code-assist (Contributor):

Labels: security-high, high

The CODEOWNERS rules for prompt-related files are incomplete. While snippets.ts and snippets.legacy.ts are protected, promptProvider.ts (which contains the core logic for building the system prompt and handles the GEMINI_SYSTEM_MD override) and prompt-registry.ts are not included. An attacker could modify the prompt construction logic in promptProvider.ts to bypass the review of prompt approvers, posing a security risk. To ensure comprehensive coverage and proper vetting of all prompt-related logic and content, it is recommended to protect the entire /packages/core/src/prompts/ directory.

/packages/core/src/prompts/ @google-gemini/gemini-cli-prompt-approvers
/packages/core/src/tools/ @google-gemini/gemini-cli-prompt-approvers

@github-actions

github-actions bot commented Mar 2, 2026

Size Change: -2 B (0%)

Total Size: 25.8 MB

Filename Size Change
./bundle/gemini.js 25.3 MB -2 B (0%)
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js 221 kB 0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js 227 kB 0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js 11.5 kB 0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js 132 B 0 B
./bundle/sandbox-macos-permissive-open.sb 890 B 0 B
./bundle/sandbox-macos-permissive-proxied.sb 1.31 kB 0 B
./bundle/sandbox-macos-restrictive-open.sb 3.36 kB 0 B
./bundle/sandbox-macos-restrictive-proxied.sb 3.56 kB 0 B
./bundle/sandbox-macos-strict-open.sb 4.82 kB 0 B
./bundle/sandbox-macos-strict-proxied.sb 5.02 kB 0 B

compressed-size-action

@gemini-cli gemini-cli bot added the priority/p1 Important and should be addressed in the near term. label Mar 2, 2026
@gundermanc gundermanc marked this pull request as ready for review March 3, 2026 00:02
@gemini-code-assist (Contributor) left a comment

Code Review

This pull request is a valuable step towards safeguarding the agent's core behavior by enforcing reviews from prompt approvers on critical prompt-related files, introducing a necessary security control. However, the current .github/CODEOWNERS implementation is too narrow, specifically omitting promptProvider.ts. This creates a vulnerability where an attacker could modify the prompt assembly logic in promptProvider.ts to bypass safety instructions. To ensure comprehensive security and future-proof the review process, it's recommended to expand the ownership rule to cover the entire packages/core/src/prompts/ directory, encompassing all prompt-related logic and files.

@gundermanc gundermanc added this pull request to the merge queue Mar 4, 2026
Merged via the queue into main with commit 1c92824 Mar 4, 2026
27 checks passed
@gundermanc gundermanc deleted the update-codeowners-prompt-approvers branch March 4, 2026 19:58
BryanBradfo pushed a commit to BryanBradfo/gemini-cli that referenced this pull request Mar 5, 2026
struckoff pushed a commit to struckoff/gemini-cli that referenced this pull request Mar 6, 2026
kunal-10-cloud pushed a commit to kunal-10-cloud/gemini-cli that referenced this pull request Mar 12, 2026
yashodipmore pushed a commit to yashodipmore/geemi-cli that referenced this pull request Mar 21, 2026