fix(core): allow environment variable expansion and explicit overrides for MCP servers

[galz10]

Summary

Fixes a regression where environment variable expansion was missing in MCP server configurations, and sanitization was redacting explicitly provided user credentials (introduced in #17311). This caused MCP servers to fail with 'Connection closed' errors when configured with dynamic secrets.

Details

PR #17311 introduced environment sanitization that merged all environment variables into a single pool before shredding them. This prevented the use of dynamic variables like $VAR in the configuration and accidentally redacted intentional secrets provided by the user.

This PR:

1. Introduces a robust expandEnvVars utility in packages/core/src/utils/envExpansion.ts that supports $VAR, ${VAR}, and %VAR%.
2. Updates createTransport in packages/core/src/tools/mcp-client.ts to expand variables in the env config using the host process environment.
3. Refines the security model to sanitize the base process environment while trusting and expanding user-provided environment variables and extension settings.
4. Updates docs/tools/mcp-server.md to document expansion and clarify security behavior for explicit variables.

Related Issues

Fixes unintended credential exposure regression from #17311.

How to Validate

1. Configure an MCP server in settings.json with an environment variable reference: "env": { "API_KEY": "$MY_SECRET" }.
2. Set MY_SECRET=1234 in the shell environment.
3. Launch the CLI and verify the MCP server connects and receives the expanded value (API_KEY=1234).
4. Configure an MCP server with a "secret-looking" key: "env": { "SECRET_KEY": "my-secret" }.
5. Verify the key is NOT redacted by the sanitizer in the debug logs (--debug).

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • npx
    • Docker
    • Podman
    • Seatbelt

[gemini-code-assist]

Summary of Changes

Hello @galz10, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses issues where MCP servers failed to connect due to unexpanded environment variables and over-zealous sanitization of user-provided credentials. It introduces a robust environment variable expansion utility and refines the security model for passing environment variables to MCP servers. The changes ensure that user-defined variables are correctly expanded and explicitly trusted, while the base environment remains sanitized, enhancing both functionality and security.

Highlights

• Environment Variable Expansion: Enabled environment variable expansion in MCP server configurations, supporting POSIX ($VAR, ${VAR}) and Windows (%VAR%) syntaxes.
• Refined Security Model: Implemented a refined security model that sanitizes the base process.env but explicitly trusts and expands user-defined environment variables in mcpServerConfig.env and extension settings, preventing unintended redaction of explicit credentials.
• Core Logic Update: Updated the createTransport function to incorporate the new environment variable expansion logic and the refined sanitization process.
• Comprehensive Testing: Added comprehensive unit and integration tests for the new expansion utility and the mcp-client's handling of environment variables.
• Documentation Updates: Updated documentation to clearly explain environment variable expansion and the security model for MCP server configurations.

Changelog

• docs/tools/mcp-server.md
  • Updated documentation to include support for Windows-style %VAR% environment variable expansion.
  • Added a new section detailing environment variable expansion capabilities and providing examples.
  • Introduced a new section on security and environment sanitization, explaining automatic redaction and explicit overrides.
  • Revised the security considerations section to reference the new environment sanitization documentation.
• packages/core/src/tools/mcp-client.test.ts
  • Added a new test case to verify that environment variables defined in mcpServerConfig.env are correctly expanded and are not redacted.
• packages/core/src/tools/mcp-client.ts
  • Imported the new expandEnvVars utility.
  • Refactored the createTransport function to first sanitize the base process.env, then expand and merge environment variables from extensions and mcpServerConfig.env into the final environment passed to the transport.
• packages/core/src/utils/envExpansion.test.ts
  • Added a new test file containing comprehensive unit tests for the expandEnvVars utility, covering POSIX, Windows, mixed formats, missing variables, and edge cases.
• packages/core/src/utils/envExpansion.ts
  • Added a new utility function expandEnvVars that expands environment variables in a string, supporting $VAR, ${VAR}, and %VAR% syntaxes.

Activity

• No human activity (comments, reviews, etc.) has been recorded for this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a valuable feature for expanding environment variables in MCP server configurations and refines the environment sanitization logic. A security review found no vulnerabilities in the audited files. However, there are a couple of high-severity issues that need attention: unit tests for Windows-style paths are flawed due to improper handling of backslash characters, and the documentation includes a misleading example for default value expansion (e.g., ${VAR:-default}) which is not supported by the new expandEnvVars function.

[github-actions]

Size Change: +4.89 kB (+0.02%)

Total Size: 25.7 MB

Filename	Size	Change
./bundle/gemini.js	25.2 MB	+4.89 kB (+0.02%)

ℹ️ View Unchanged

Filename	Size
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js	221 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js	227 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js	11.5 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js	132 B
./bundle/sandbox-macos-permissive-open.sb	890 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB
./bundle/sandbox-macos-strict-open.sb	4.82 kB
./bundle/sandbox-macos-strict-proxied.sb	5.02 kB

_{compressed-size-action}

[jacob314]

Approved once the expandEnvVars logic is hardened.
If we must keep it we should go through at least a couple iterations with Gemini 3.0 pro to harden it.

[jacob314]

[g-samroberts]

Docs LGTM