fix(patch): cherry-pick 85566a7 to release/v0.43.0-preview.0-pr-27073 [CONFLICTS] #27256

Merged
kschaab merged 2 commits into release/v0.43.0-preview.0-pr-27073 from hotfix/v0.43.0-preview.0/0.43.0-preview.1/preview/cherry-pick-85566a7/pr-27073
May 19, 2026

@gemini-cli-robot

Collaborator

This PR automatically cherry-picks commit 85566a7 to patch version v0.43.0-preview.0 in the preview release to create version 0.43.0-preview.1.

⚠️ Merge Conflicts Detected

This cherry-pick resulted in merge conflicts that need manual resolution.

🔧 Next Steps:

  1. Review the conflicts: Check out this branch and review the conflict markers
  2. Resolve conflicts: Edit the affected files to resolve the conflicts
  3. Test the changes: Ensure the patch works correctly after resolution
  4. Update this PR: Push your conflict resolution

📋 Files with conflicts:

The commit has been created with conflict markers for easier manual resolution.

🚨 Important:

  • Do not merge this PR until conflicts are resolved
  • The automated patch release will trigger once this PR is merged

…#27073)

# Conflicts:
#	packages/a2a-server/src/config/config.test.ts

@gemini-code-assist

Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements critical security enhancements for the a2a-server by introducing workspace trust verification and restricting configuration overrides. These changes align the server's policy engine configuration with the existing CLI behavior, ensuring consistent security posture. Additionally, the build process has been updated to include necessary policy assets, supporting reliable bundled execution.

Highlights

  • Workspace Trust Implementation: Introduced workspace trust verification in a2a-server to ensure secure configuration loading and prevent unauthorized overrides.
  • Policy Engine Integration: Integrated createPolicyEngineConfig into the configuration loading flow to achieve parity with the CLI's security model.
  • Security Restrictions: Restricted workspace-level configuration overrides for policy paths to prevent malicious path injection.
  • Build Asset Updates: Updated build scripts to ensure policy files are correctly copied to the a2a-server distribution directory.

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor

Code Review

This pull request implements workspace trust verification and default policy loading for the a2a-server to ensure parity with the CLI. Key changes include introducing an isTrusted flag across the configuration and execution flow, updating loadSettings to enforce security-sensitive paths, and adding comprehensive tests for these security features. The review identified critical merge conflict markers in the test files that must be resolved, as well as a potential issue regarding the default policy directory configuration.

expect((config as any).fileFiltering.customIgnoreFilePaths).toEqual([]);
});

<<<<<<< HEAD
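
Review bot: the assertion on the expect(...) line reaches fileFiltering.customIgnoreFilePaths through a (config as any) cast, so a rename or type change of that field will not be caught at compile time and the test is tied to the object's internal layout. Prefer asserting through a typed accessor on the config object if one exists, or narrow the cast to a small test-only interface. The <<<<<<< HEAD line that follows also has to be removed before this file will parse.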

Contributor

critical

Unresolved merge conflict markers detected. This will cause syntax errors and prevent the tests from running. Please resolve the conflicts by removing the markers and ensuring the test blocks are correctly closed.

respectGitIgnore: false,
respectGeminiIgnore: undefined,
customIgnoreFilePaths: [testPath],
=======

Contributor

critical

This conflict marker should be replaced with the closing braces for the preceding it block to restore valid syntax.

    });
  });

undefined,
true,
);
>>>>>>> 85566a73f (fix(a2a-server): Implement default policy loading for parity with CLI (#27073))
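
Review bot: the bare undefined, and true, positional arguments ahead of the closing ); do not say which parameters they set, so a reader cannot tell from the call site what the boolean switches on. Name them with a short inline comment or local constants. The >>>>>>> 85566a73f line below them must also be removed for the file to parse.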

Contributor

critical

Unresolved merge conflict marker detected. Please remove this line.

const policyEngineConfig = await createPolicyEngineConfig(
policySettings,
approvalMode,
undefined,

Contributor

security-high high

The defaultPoliciesDir is passed as undefined. In the A2A server context, this will likely prevent the policy engine from finding and loading the default security policies (such as those allowing read_file), as they are located in a specific directory (dist/policies) relative to the server's execution path. You should provide the explicit path to the policies directory here to ensure parity with the CLI's security model and ensure policy paths are loaded from trusted configuration.

References
  1. Security-sensitive settings, such as policy paths, must be loaded from trusted configuration and not be overridable by untrusted sources.
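
The rule stated in the comment above (policy paths come only from trusted configuration, and the default policies directory is supplied explicitly rather than left undefined) looks like this in code. This is an added example, not code from the PR or the gemini-cli project: resolvePolicySettings, SettingsLayer, the policyPaths key and the sample paths are hypothetical. It assumes that workspace-scope policy paths are always ignored and that a missing default directory is treated as a startup error.

```typescript
// Added example. Every name below is hypothetical, not the a2a-server's real API.
type Scope = 'user' | 'workspace';
interface SettingsLayer { scope: Scope; values: Record<string, unknown>; }
interface Resolved {
  settings: Record<string, unknown>;
  policyPaths: string[];
  defaultPoliciesDir: string;
  dropped: string[]; // "scope:key" entries that were ignored, kept for audit logging
}

// Keys that choose which policy files get loaded (constructed list).
const SENSITIVE_KEYS = ['policyPaths'];

function resolvePolicySettings(
  layers: SettingsLayer[],      // lowest precedence first
  isTrusted: boolean,           // result of the workspace trust check
  bundledPoliciesDir?: string,  // set by the server from its own install location
): Resolved {
  // Fail closed: with no default directory the engine would start without baseline rules.
  if (!bundledPoliciesDir) {
    throw new Error('default policies directory must be provided by the server');
  }
  const settings: Record<string, unknown> = {};
  const dropped: string[] = [];
  for (const layer of layers) {
    for (const key of Object.keys(layer.values)) {
      const sensitive = SENSITIVE_KEYS.indexOf(key) !== -1;
      // Workspace files ship with the repository being opened, so treat them as
      // untrusted input: policy-path keys are never taken from that scope, and
      // other keys only apply once the workspace has been trusted.
      if (layer.scope === 'workspace' && (sensitive || !isTrusted)) {
        dropped.push(layer.scope + ':' + key);
        continue;
      }
      settings[key] = layer.values[key];
    }
  }
  const raw = settings['policyPaths'];
  const policyPaths = Array.isArray(raw)
    ? raw.filter((p): p is string => typeof p === 'string')
    : [];
  return { settings, policyPaths, defaultPoliciesDir: bundledPoliciesDir, dropped };
}

// Constructed sample: a workspace file pointing the engine at its own policy file.
const SAMPLE_LAYERS: SettingsLayer[] = [
  { scope: 'user', values: { policyPaths: ['/home/dev/.config/policies'], theme: 'dark' } },
  { scope: 'workspace', values: { policyPaths: ['./repo-policies'], theme: 'light' } },
];
```

The dropped list is what a server would log, so that an ignored workspace override is visible to the operator instead of silently discarded.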

@gemini-cli gemini-cli Bot added the status/need-issue Pull requests that need to have an associated issue. label May 19, 2026
@kschaab kschaab enabled auto-merge (squash) May 19, 2026 18:21
@github-actions

Size Change: -4 B (0%)

Total Size: 34.1 MB


compressed-size-action

@kschaab kschaab merged commit 31ea2a8 into release/v0.43.0-preview.0-pr-27073 May 19, 2026
25 checks passed
@kschaab kschaab deleted the hotfix/v0.43.0-preview.0/0.43.0-preview.1/preview/cherry-pick-85566a7/pr-27073 branch May 19, 2026 18:43
@sripasg sripasg added the size/l A large sized PR label Jun 2, 2026