MediaMetz/gemini-cli
1
0
Fork 0
mirror of https://github.com/google-gemini/gemini-cli.git synced 2026-04-05 19:01:12 -07:00
Code Issues Packages Projects Releases Wiki Activity

feat(core): add support for admin-forced MCP server installations (#23163)

Browse Source
This commit is contained in:
Gaurav
2026-03-19 15:32:43 -07:00
committed by GitHub
parent c9a336976b
commit 8615315711
13 changed files with 609 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
packages/cli/src/commands/mcp/list.test.ts
View File

@@ -264,6 +264,7 @@ describe('mcp list command', () => {
config: {
'allowed-server': { url: 'http://allowed' },
},
requiredConfig: {},
},
};

20
packages/cli/src/config/config.ts
View File

@@ -36,6 +36,7 @@ import {
Config,
resolveToRealPath,
applyAdminAllowlist,
applyRequiredServers,
getAdminBlockedMcpServersMessage,
type HookDefinition,
type HookEventName,
@@ -750,6 +751,25 @@ export async function loadCliConfig(
}
}
// Apply admin-required MCP servers (injected regardless of allowlist)
if (mcpEnabled) {
const requiredMcpConfig = settings.admin?.mcp?.requiredConfig;
if (requiredMcpConfig && Object.keys(requiredMcpConfig).length > 0) {
const requiredResult = applyRequiredServers(
mcpServers ?? {},
requiredMcpConfig,
);
mcpServers = requiredResult.mcpServers;
if (requiredResult.requiredServerNames.length > 0) {
coreEvents.emitConsoleLog(
'info',
`Admin-required MCP servers injected: ${requiredResult.requiredServerNames.join(', ')}`,
);
}
}
}
const isAcpMode = !!argv.acp || !!argv.experimentalAcp;
let clientName: string | undefined = undefined;
if (isAcpMode) {

22
packages/cli/src/config/settings.test.ts
View File

@@ -2751,6 +2751,28 @@ describe('Settings Loading and Merging', () => {
expect(loadedSettings.merged.admin?.mcp?.config).toEqual(mcpServers);
});
it('should map requiredMcpConfig from remote settings', () => {
const loadedSettings = loadSettings(MOCK_WORKSPACE_DIR);
const requiredMcpConfig = {
'corp-tool': {
url: 'https://mcp.corp/tool',
type: 'http' as const,
trust: true,
},
};
loadedSettings.setRemoteAdminSettings({
mcpSetting: {
mcpEnabled: true,
requiredMcpConfig,
},
});
expect(loadedSettings.merged.admin?.mcp?.requiredConfig).toEqual(
requiredMcpConfig,
);
});
it('should set skills based on unmanagedCapabilitiesEnabled', () => {
const loadedSettings = loadSettings();
loadedSettings.setRemoteAdminSettings({

1
packages/cli/src/config/settings.ts
View File

@@ -480,6 +480,7 @@ export class LoadedSettings {
admin.mcp = {
enabled: mcpSetting?.mcpEnabled,
config: mcpSetting?.mcpConfig?.mcpServers,
requiredConfig: mcpSetting?.requiredMcpConfig,
};
admin.extensions = {
enabled: cliFeatureSetting?.extensionsSetting?.extensionsEnabled,

89
packages/cli/src/config/settingsSchema.ts
View File

@@ -12,7 +12,9 @@
import {
DEFAULT_TRUNCATE_TOOL_OUTPUT_THRESHOLD,
DEFAULT_MODEL_CONFIGS,
AuthProviderType,
type MCPServerConfig,
type RequiredMcpServerConfig,
type BugCommandSettings,
type TelemetrySettings,
type AuthType,
@@ -2435,7 +2437,7 @@ const SETTINGS_SCHEMA = {
category: 'Admin',
requiresRestart: false,
default: {} as Record<string, MCPServerConfig>,
description: 'Admin-configured MCP servers.',
description: 'Admin-configured MCP servers (allowlist).',
showInDialog: false,
mergeStrategy: MergeStrategy.REPLACE,
additionalProperties: {
@@ -2443,6 +2445,20 @@ const SETTINGS_SCHEMA = {
ref: 'MCPServerConfig',
},
},
requiredConfig: {
type: 'object',
label: 'Required MCP Config',
category: 'Admin',
requiresRestart: false,
default: {} as Record<string, RequiredMcpServerConfig>,
description: 'Admin-required MCP servers that are always injected.',
showInDialog: false,
mergeStrategy: MergeStrategy.REPLACE,
additionalProperties: {
type: 'object',
ref: 'RequiredMcpServerConfig',
},
},
},
},
skills: {
@@ -2567,11 +2583,72 @@ export const SETTINGS_SCHEMA_DEFINITIONS: Record<
type: 'string',
description:
'Authentication provider used for acquiring credentials (for example `dynamic_discovery`).',
enum: [
'dynamic_discovery',
'google_credentials',
'service_account_impersonation',
],
enum: Object.values(AuthProviderType),
},
targetAudience: {
type: 'string',
description:
'OAuth target audience (CLIENT_ID.apps.googleusercontent.com).',
},
targetServiceAccount: {
type: 'string',
description:
'Service account email to impersonate (name@project.iam.gserviceaccount.com).',
},
},
},
RequiredMcpServerConfig: {
type: 'object',
description:
'Admin-required MCP server configuration (remote transports only).',
additionalProperties: false,
properties: {
url: {
type: 'string',
description: 'URL for the required MCP server.',
},
type: {
type: 'string',
description: 'Transport type for the required server.',
enum: ['sse', 'http'],
},
headers: {
type: 'object',
description: 'Additional HTTP headers sent to the server.',
additionalProperties: { type: 'string' },
},
timeout: {
type: 'number',
description: 'Timeout in milliseconds for MCP requests.',
},
trust: {
type: 'boolean',
description:
'Marks the server as trusted. Defaults to true for admin-required servers.',
},
description: {
type: 'string',
description: 'Human-readable description of the server.',
},
includeTools: {
type: 'array',
description: 'Subset of tools enabled for this server.',
items: { type: 'string' },
},
excludeTools: {
type: 'array',
description: 'Tools disabled for this server.',
items: { type: 'string' },
},
oauth: {
type: 'object',
description: 'OAuth configuration for authenticating with the server.',
additionalProperties: true,
},
authProviderType: {
type: 'string',
description: 'Authentication provider used for acquiring credentials.',
enum: Object.values(AuthProviderType),
},
targetAudience: {
type: 'string',