fix(core): sniff MCP image MIME types

[sjh9714]

Summary

Fixes #27731.

Correct MCP image payloads whose declared MIME type does not match their base64 bytes, so WebP data reported as image/png is sent to the model as image/webp instead.

Details

Adds local image signature sniffing for PNG, JPEG, GIF, and WebP data when transforming MCP image blocks and embedded binary resource blocks into inline data. Audio blocks continue to use their declared MIME type.

Related Issues

Fixes #27731.

How to Validate

• From packages/core: npm run test -- src/tools/mcp-tool.test.ts
• From repo root: npx eslint packages/core/src/tools/mcp-tool.ts packages/core/src/tools/mcp-tool.test.ts
• From repo root: npx prettier --check packages/core/src/tools/mcp-tool.ts packages/core/src/tools/mcp-tool.test.ts
• From repo root: npm run typecheck --workspace @google/gemini-cli-core
• From repo root: git diff --check

I did not run the full npm run preflight; the checks above cover the touched core transform path and types.

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • npx
    • Docker
    • Podman
    • Seatbelt
  • Windows
    • npm run
    • npx
    • Docker
  • Linux
    • npm run
    • npx
    • Docker

Note: I used Codex while preparing this change, reviewed the final diff, and ran the listed checks locally.

[github-actions]

🛑 Action Required: Evaluation Approval

Steering changes have been detected in this PR. To prevent regressions, a maintainer must approve the evaluation run before this PR can be merged.

Maintainers:

1. Go to the Workflow Run Summary.
2. Click the yellow 'Review deployments' button.
3. Select the 'eval-gate' environment and click 'Approve'.

Once approved, the evaluation results will be posted here automatically.

[github-actions]

📊 PR Size: size/M

• Lines changed: 138
• Additions: +131
• Deletions: -7
• Files changed: 2

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a robust mechanism to sniff and validate the MIME types of image data within MCP blocks. By inspecting the binary signatures of base64-encoded payloads, the system can now automatically correct discrepancies where the declared MIME type does not match the actual image format, ensuring better compatibility and reliability when interacting with models.

Highlights

• MIME Type Sniffing: Implemented local image signature detection for PNG, JPEG, GIF, and WebP formats to validate and correct declared MIME types in MCP image and resource blocks.
• Data Integrity: Ensures that base64-encoded image data is correctly identified before being sent to the model, preventing mismatches between declared types and actual binary content.
• Testing: Added comprehensive unit tests to verify that mislabeled WebP image and resource blocks are correctly identified and processed.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces automatic MIME type detection for base64-encoded image data and embedded resources in MCP tools, correcting mislabeled MIME types (such as WebP) based on their file signatures. Feedback highlights a performance concern in detectImageMimeTypeFromBase64, where decoding the entire base64 string of potentially large images is inefficient, and suggests slicing and decoding only the first 32 characters instead.

[gemini-code-assist]

Decoding the entire base64 string of a potentially large image (which can be several megabytes) into a Buffer just to check the first few bytes is highly inefficient. This function is also called multiple times for the same image block (once during transformation and once during display stringification), leading to redundant CPU and memory overhead.

Since we only need at most 12 bytes to detect all supported image signatures (PNG, JPEG, GIF, WebP), we can slice the first 32 characters of the base64 string (which decodes to 24 bytes) and decode only that prefix.

Suggested change

	const buffer = Buffer.from(data, 'base64');
	const prefix = data.slice(0, 32);
	const buffer = Buffer.from(prefix, 'base64');

[sjh9714]

Updated to decode only the base64 prefix before MIME signature checks.

Ran:

• npm run test --workspace @google/gemini-cli-core -- mcp-tool.test.ts
• npm run typecheck --workspace @google/gemini-cli-core
• npm run lint --workspace @google/gemini-cli-core
• git diff --check

[Dasoam]

Testing & Validation

I also independently identified and fixed this issue locally using the same approach (magic byte signature detection). I can confirm this solution works well for the Figma MCP integration with WebP images.

I've tested the signature detection for:

• ✅ WebP images (RIFF...WEBP pattern)
• ✅ PNG images (89 50 4E 47 signature)
• ✅ JPEG images (FF D8 FF signature)
• ✅ GIF images (GIF87a/GIF89a)

Performance note: The optimization to decode only the base64 prefix (first 32 chars = 24 bytes) is excellent - this avoids decoding potentially multi-megabyte images just to check a few bytes. This matches industry best practices for MIME sniffing.

For issue #27731: This fix resolves the Figma MCP integration failure where WebP images were mislabeled as image/png, causing HTTP 400 errors. The solution correctly detects the actual format and sends the proper MIME type to the Gemini API.

Great work on this fix! Ready to help test if needed.

[gemini-cli]

Hi there! Thank you for your interest in contributing to Gemini CLI.

To ensure we maintain high code quality and focus on our prioritized roadmap, we only guarantee review and consideration of pull requests for issues that are explicitly labeled as 'help wanted'.

This PR will be closed in 7 days if it remains without that designation. We encourage you to find and contribute to existing 'help wanted' issues in our backlog! Thank you for your understanding.