
fix(browser-agent): enable "Allow all server tools" session policy#22343

Merged
gsquared94 merged 33 commits into main from refactor/mcp-policy-centralization on Mar 19, 2026

Conversation

cynthialong0-0 (Contributor) commented Mar 13, 2026

Summary

This PR fixes an issue where selecting Allow all server tools for this session had no effect for the browser agent. It ensures browser agent tools are correctly identified as MCP-style tools and qualify for server-wide policy matching.

Details

The browser agent uses tools that lacked the standard metadata and naming conventions required by the PolicyEngine for wildcard matching. This PR addresses this through the following changes:

  • Added BROWSER_AGENT_SERVER_NAME and replaced the hard-coded browser-agent string so that the same value is used across all settings
  • Ensured McpDeclarativeTool includes _serverName in the toolAnnotations.
  • Updated the browser agent's tool invocations to use qualified names (e.g., mcp_browser-agent_click). This allows the PolicyEngine to match them against mcp_browser-agent_* wildcard rules while maintaining strict security checks.
  • Modified the policy updater in packages/core/src/policy/config.ts to correctly pass the mcpName when adding dynamic rules, ensuring approvals are securely scoped to the specific server.

Related Issues

fixes #22342

How to Validate

  1. Run core tests: npm run test -w @google/gemini-cli-core
  2. Manual verification: Enable the browser agent, trigger a tool that requires confirmation, select "Always allow", and verify that subsequent calls to tools from the same server are auto-approved.

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed) - Verified existing docs cover the supported syntax.
  • Added/updated tests (if needed)
  • Noted breaking changes (if any)
  • Validated on macOS (Darwin)
    • npm run test
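The matching behaviour the description above relies on, shown as an added example that is not code from this PR or from gemini-cli's PolicyEngine: a minimal TypeScript policy engine in which a server-wide wildcard rule only matches server-qualified tool names of the form mcp_<server>_<tool>, a session-scoped "Always allow" choice is turned into a rule scoped by mcpName rather than a bare "*", and an explicit higher-priority deny still wins over the dynamic allow (the ordering concern raised in the review comments). Only the naming convention and the BROWSER_AGENT_SERVER_NAME constant follow the PR text; PolicyRule, PolicyEngine, applyAlwaysAllow, the priority values and the sample rules are assumptions for illustration.

```typescript
// Added example: a toy policy engine, not gemini-cli's own. Rule shape,
// priorities and the applyAlwaysAllow helper are assumed for illustration.

export type Decision = "allow" | "ask_user" | "deny";

export interface PolicyRule {
  toolName?: string;   // exact name, or a glob with a trailing "*"
  mcpName?: string;    // server the rule is scoped to (dynamic rules)
  decision: Decision;
  priority: number;    // higher wins when several rules match
}

export const MCP_TOOL_PREFIX = "mcp_";
export const BROWSER_AGENT_SERVER_NAME = "browser-agent";

// "click" on server "browser-agent" becomes "mcp_browser-agent_click".
export function qualifiedToolName(serverName: string, tool: string): string {
  return `${MCP_TOOL_PREFIX}${serverName}_${tool}`;
}

// Server-wide wildcard: "mcp_browser-agent_*".
export function serverWildcard(serverName: string): string {
  return `${MCP_TOOL_PREFIX}${serverName}_*`;
}

function matches(pattern: string, name: string): boolean {
  return pattern.endsWith("*")
    ? name.startsWith(pattern.slice(0, -1))
    : pattern === name;
}

export class PolicyEngine {
  private rules: PolicyRule[];
  constructor(rules: PolicyRule[] = []) { this.rules = [...rules]; }

  addRule(rule: PolicyRule): void { this.rules.push(rule); }

  // Highest-priority matching rule decides; with no match, ask the user.
  check(toolName: string): Decision {
    const applicable = this.rules
      .filter(r => r.toolName === undefined || matches(r.toolName, toolName))
      .sort((a, b) => b.priority - a.priority);
    return applicable.length > 0 ? applicable[0].decision : "ask_user";
  }
}

export type PolicyUpdateScope = "tool" | "server";

// Models a policy updater handling "Always allow" for a tool or its server.
// A server-scoped approval needs mcpName; without it, fall back to a
// tool-scoped rule instead of widening to a bare "*".
export function applyAlwaysAllow(
  engine: PolicyEngine,
  toolName: string,
  scope: PolicyUpdateScope,
  mcpName?: string,
): PolicyRule {
  const rule: PolicyRule =
    scope === "server" && mcpName
      ? { toolName: serverWildcard(mcpName), mcpName, decision: "allow", priority: 50 }
      : { toolName, decision: "allow", priority: 50 };
  engine.addRule(rule);
  return rule;
}

export interface DemoResult {
  before: Decision;        // qualified click before any approval
  after: Decision;         // another browser-agent tool after "allow all server tools"
  otherServer: Decision;   // a tool on a different MCP server
  unqualified: Decision;   // bare "click" never matches the server wildcard
  explicitDeny: Decision;  // a higher-priority deny survives the dynamic allow
  fallbackRule: string;    // rule created when mcpName is missing
}

export function demo(): DemoResult {
  const navigate = qualifiedToolName(BROWSER_AGENT_SERVER_NAME, "navigate");
  const engine = new PolicyEngine([
    { toolName: navigate, decision: "deny", priority: 100 }, // explicit exclusion
  ]);
  const click = qualifiedToolName(BROWSER_AGENT_SERVER_NAME, "click");
  const before = engine.check(click);
  applyAlwaysAllow(engine, click, "server", BROWSER_AGENT_SERVER_NAME);
  const after = engine.check(qualifiedToolName(BROWSER_AGENT_SERVER_NAME, "type_text"));
  const otherServer = engine.check(qualifiedToolName("filesystem", "read_file"));
  const unqualified = engine.check("click");
  const explicitDeny = engine.check(navigate);
  const fallbackRule = applyAlwaysAllow(new PolicyEngine(), click, "server").toolName ?? "";
  return { before, after, otherServer, unqualified, explicitDeny, fallbackRule };
}
```

The unqualified case is the bug the PR describes: a tool reporting itself as plain "click" can never match "mcp_browser-agent_*", so the session-wide approval silently does nothing. The explicitDeny case is the property a reviewer should check after the change: the dynamic allow rule must sit below explicit exclusions in priority, or "Always allow" becomes a policy bypass.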

cynthialong0-0 (Contributor, Author) commented:

/gemini review

gemini-code-assist bot (Contributor) left a comment:

Code Review

This pull request effectively centralizes MCP policy updates and enhances tool server attribution. However, critical security vulnerabilities have been identified: a flaw in the policy priority hierarchy allows dynamic 'Always allow' rules to override explicit security exclusions, potentially leading to policy bypass, and a function signature mismatch between the scheduler and the policy update logic breaks the policy narrowing mechanism for standard tools, resulting in overly broad permission rules. Additionally, there's a regression in the logic for persisting MCP tool policies, which will cause incorrect rules to be saved. These issues need to be addressed to ensure the integrity of the security framework and correct policy persistence.

@gemini-cli gemini-cli bot added the area/agent Issues related to Core Agent, Tools, Memory, Sub-Agents, Hooks, Agent Quality label Mar 13, 2026
cynthialong0-0 and others added 4 commits March 13, 2026 17:29
…card format

- Centralized MCP policy management by moving logic to the scheduler and removing redundant assignments in agent-scheduler.ts.
- Standardized the MCP server wildcard format to '{server}__*' across the policy engine and extraction logic.
- Improved robustness of tool name extraction in config.ts.
- Updated unit tests (agent-scheduler.test.ts, policy.test.ts) to match the new function signatures and wildcard formats.
@cynthialong0-0 cynthialong0-0 changed the title feat(core): centralize MCP policy updates and improve tool server attribution fix(browser-agent): enable "Allow all server tools" session policy Mar 16, 2026
github-actions bot commented Mar 16, 2026

Size Change: +385 B (0%)

Total Size: 26.2 MB

Filename Size Change
./bundle/chunk-75U6Q2DZ.js 0 B -13.5 MB (removed) 🏆
./bundle/chunk-WAERQK5T.js 0 B -3.63 MB (removed) 🏆
./bundle/core-JEPRDYIM.js 0 B -41.6 kB (removed) 🏆
./bundle/devtoolsService-OPODRGIL.js 0 B -27.7 kB (removed) 🏆
./bundle/interactiveCli-PG6MIHW5.js 0 B -1.61 MB (removed) 🏆
./bundle/oauth2-provider-42LKKSUY.js 0 B -9.19 kB (removed) 🏆
./bundle/chunk-OT32QK46.js 13.5 MB +13.5 MB (new file) 🆕
./bundle/chunk-ZXJCKSJV.js 3.63 MB +3.63 MB (new file) 🆕
./bundle/core-CQCKJMZL.js 41.6 kB +41.6 kB (new file) 🆕
./bundle/devtoolsService-ICZMGM5L.js 27.7 kB +27.7 kB (new file) 🆕
./bundle/interactiveCli-YVNYLOHV.js 1.61 MB +1.61 MB (new file) 🆕
./bundle/oauth2-provider-P23KAVOW.js 9.19 kB +9.19 kB (new file) 🆕

gemini-code-assist bot (Contributor) commented:

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves an issue where the 'Allow all server tools for this session' policy was not effectively applied to the browser agent. It achieves this by standardizing the identification and naming conventions for browser agent tools, ensuring they are properly recognized and managed by the PolicyEngine, thereby enabling correct application of server-wide policies.

Highlights

  • Standardized Browser Agent Tool Identification: Introduced a dedicated constant, BROWSER_AGENT_SERVER_NAME, and ensured browser agent tools are consistently identified as MCP-style tools with proper metadata for policy matching.
  • Qualified Tool Naming: Updated browser agent tool invocations to use qualified names (e.g., mcp_browser-agent_click), allowing the PolicyEngine to match them against wildcard rules while maintaining security.
  • Enhanced Policy Engine Integration: Modified the policy updater to correctly pass the mcpName when adding dynamic rules, ensuring that tool approvals are securely scoped to the specific server.
Changelog
  • packages/core/src/agents/browser/browserAgentDefinition.ts
    • Added a new constant, BROWSER_AGENT_SERVER_NAME, to define the server name for browser agent tools in policy rules.
  • packages/core/src/agents/browser/mcpToolWrapper.ts
    • Imported MCP_TOOL_PREFIX and BROWSER_AGENT_SERVER_NAME.
    • Updated the constructors for McpToolInvocation and TypeTextInvocation to generate qualified tool names using the new constants.
    • Replaced hardcoded 'browser-agent' strings with BROWSER_AGENT_SERVER_NAME in getConfirmationOptions and getPolicyUpdateOptions for both invocation classes.
    • Overrode the toolAnnotations getter in McpDeclarativeTool and TypeTextDeclarativeTool to include the _serverName.
  • packages/core/src/policy/config.ts
    • Modified the createPolicyUpdater function to include the mcpName when creating dynamic policy rules, ensuring approvals are securely scoped.
Activity
  • No human activity (comments, reviews, etc.) has been recorded on this pull request yet.

gemini-code-assist bot (Contributor) left a comment:

Code Review

This pull request correctly fixes an issue where session-wide policies for browser agent tools were not working by using fully qualified tool names and ensuring the policy engine can identify the server. A security audit found no high or critical vulnerabilities, and the changes enhance the security posture by enabling more precise policy enforcement. However, the newly added toolAnnotations are not being propagated to the tool invocation objects, making that part of the change ineffective.

lesteral commented:

I think this should also fix #20594

@gsquared94 gsquared94 enabled auto-merge March 17, 2026 19:30
@gsquared94 gsquared94 added this pull request to the merge queue Mar 19, 2026
Merged via the queue into main with commit 7de0616 Mar 19, 2026
27 checks passed
@gsquared94 gsquared94 deleted the refactor/mcp-policy-centralization branch March 19, 2026 16:46

Development

Successfully merging this pull request may close these issues.

Browser agent not able to choose "allow all servers tool for this session"

3 participants