Implemented unified secrets sanitization and env. redaction options (#15348)

2026-03-19 02:20:42 -07:00 · 2025-12-22 19:18:27 -08:00
parent 2ac9fe08f7
commit 3b1dbcd42d
18 changed files with 817 additions and 103 deletions
--- a/packages/cli/src/commands/mcp/list.ts
+++ b/packages/cli/src/commands/mcp/list.ts
@@ -59,10 +59,23 @@ async function testMCPConnection(
    version: '0.0.1',
  });

+  const settings = loadSettings();
+  const sanitizationConfig = {
+    enableEnvironmentVariableRedaction: true,
+    allowedEnvironmentVariables: [],
+    blockedEnvironmentVariables:
+      settings.merged.advanced?.excludedEnvVars || [],
+  };
+
  let transport;
  try {
    // Use the same transport creation logic as core
-    transport = await createTransport(serverName, config, false);
+    transport = await createTransport(
+      serverName,
+      config,
+      false,
+      sanitizationConfig,
+    );
  } catch (_error) {
    await client.close();
    return MCPServerStatus.DISCONNECTED;
--- a/packages/cli/src/config/config.ts
+++ b/packages/cli/src/config/config.ts
@@ -619,8 +619,12 @@ export async function loadCliConfig(
    mcpServers: settings.mcpServers,
    allowedMcpServers: argv.allowedMcpServerNames ?? settings.mcp?.allowed,
    blockedMcpServers: argv.allowedMcpServerNames
-      ? [] // explicitly allowed servers overrides everything
+      ? undefined
      : settings.mcp?.excluded,
+    blockedEnvironmentVariables:
+      settings.security?.environmentVariableRedaction?.blocked,
+    enableEnvironmentVariableRedaction:
+      settings.security?.environmentVariableRedaction?.enabled,
    userMemory: memoryContent,
    geminiMdFileCount: fileCount,
    geminiMdFilePaths: filePaths,
--- a/packages/cli/src/config/settingsSchema.ts
+++ b/packages/cli/src/config/settingsSchema.ts
@@ -1203,6 +1203,48 @@ const SETTINGS_SCHEMA = {
          },
        },
      },
+      environmentVariableRedaction: {
+        type: 'object',
+        label: 'Environment Variable Redaction',
+        category: 'Security',
+        requiresRestart: false,
+        default: {},
+        description: 'Settings for environment variable redaction.',
+        showInDialog: false,
+        properties: {
+          allowed: {
+            type: 'array',
+            label: 'Allowed Environment Variables',
+            category: 'Security',
+            requiresRestart: true,
+            default: [] as string[],
+            description:
+              'Environment variables to always allow (bypass redaction).',
+            showInDialog: false,
+            items: { type: 'string' },
+          },
+          blocked: {
+            type: 'array',
+            label: 'Blocked Environment Variables',
+            category: 'Security',
+            requiresRestart: true,
+            default: [] as string[],
+            description: 'Environment variables to always redact.',
+            showInDialog: false,
+            items: { type: 'string' },
+          },
+          enabled: {
+            type: 'boolean',
+            label: 'Enable Environment Variable Redaction',
+            category: 'Security',
+            requiresRestart: true,
+            default: false,
+            description:
+              'Enable redaction of environment variables that may contain secrets.',
+            showInDialog: true,
+          },
+        },
+      },
      auth: {
        type: 'object',
        label: 'Authentication',
--- a/packages/cli/src/ui/AppContainer.tsx
+++ b/packages/cli/src/ui/AppContainer.tsx
@@ -899,6 +899,7 @@ Logging in with Google... Restarting Gemini CLI to continue.
    ),
    pager: settings.merged.tools?.shell?.pager,
    showColor: settings.merged.tools?.shell?.showColor,
+    sanitizationConfig: config.sanitizationConfig,
  });

  const isFocused = useFocus();