
fix(plan): sandbox path resolution in Plan Mode to prevent hallucinations#22737

Merged
Adib234 merged 16 commits into main from fix/plan-mode-paths
Mar 24, 2026

Conversation


@Adib234 Adib234 commented Mar 16, 2026

Summary

Fixes LLM path hallucinations during Plan Mode by sandboxing path resolution directly to the active session's designated plansDir.

Details

  • Renamed plan_path to plan_filename in the exit_plan_mode tool schema and internal interfaces to instruct the LLM against producing absolute paths.
  • Updated exit_plan_mode, write_file, and edit (replace) tools so that when isPlanMode() is true, they automatically extract the path.basename from the LLM's input and attach it safely to the plansDir.
  • Removed legacy targetDir resolution logic from validatePlanPath as paths are now inherently restricted to plansDir.

Related Issues

Fixes #22307
Fixes #20549
Fixes #21359
Fixes #22933

How to Validate

Plan mode should always successfully write in the plans directory

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed)
  • Added/updated tests (if needed)
  • Noted breaking changes (if any)
  • Validated on required platforms/methods:
    • MacOS
      • npm run
      • npx
      • Docker
      • Podman
      • Seatbelt
    • Windows
      • npm run
      • npx
      • Docker
    • Linux
      • npm run
      • npx
      • Docker

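To make the path handling described in the Details above (and restated in the Gemini Code Assist summary further down) concrete, here is an added TypeScript example; it is not code from the gemini-cli project. `resolvePlanPathLegacy` is my assumed approximation of the pre-fix behaviour (resolve the model's path and check it against `targetDir`), `resolvePlanPathSandboxed` follows the PR's description (keep `path.basename`, join onto `plansDir`), and `resolveWriteTarget` mirrors the `isPlanMode()` gating the PR adds to `write_file` and `edit`. Two details are my own additions rather than claims about the project: using `path.win32.basename` so Windows-style input is also reduced to its last component on POSIX hosts, and a final containment check, because `path.basename('..')` returns `'..'` and joining that onto `plansDir` would land in its parent. All sample inputs are constructed.

```typescript
// Added example, not code from the gemini-cli project. It contrasts an
// assumed pre-fix resolution (model path validated against targetDir) with
// the sandboxing the PR describes (path.basename joined onto plansDir).
import * as path from 'node:path';

interface PlanPathResult {
  ok: boolean;
  resolved?: string;
  error?: string;
}

// Assumed pre-fix shape: the model's path is resolved against the working
// directory and only checked for staying inside it, so a hallucinated but
// in-tree path passes validation and the plan lands outside plansDir.
function resolvePlanPathLegacy(targetDir: string, llmPath: string): PlanPathResult {
  const root = path.resolve(targetDir);
  const resolved = path.resolve(root, llmPath);
  if (resolved !== root && !resolved.startsWith(root + path.sep)) {
    return { ok: false, error: `Path access denied: ${resolved} is outside ${root}` };
  }
  return { ok: true, resolved };
}

// Post-fix shape: keep only the final component of whatever the model sent
// and anchor it inside plansDir. path.win32.basename (my choice) treats both
// '/' and '\' as separators, and the final dirname check (my addition) is
// needed because path.basename('..') is '..', which would escape plansDir.
function resolvePlanPathSandboxed(plansDir: string, llmInput: string): PlanPathResult {
  const filename = path.win32.basename(llmInput.trim());
  if (filename === '' || filename === '.' || filename === '..') {
    return { ok: false, error: `Invalid plan filename: "${llmInput}"` };
  }
  const root = path.resolve(plansDir);
  const resolved = path.resolve(root, filename);
  if (path.dirname(resolved) !== root) {
    return { ok: false, error: `Path access denied: ${resolved} is not directly inside ${root}` };
  }
  return { ok: true, resolved };
}

// Mirrors the gating the PR describes for write_file / edit: only while the
// session is in Plan Mode is the model's file_path replaced by the sandboxed
// one. This config shape is a minimal stand-in, not the project's Config.
interface PlanModeConfig {
  isPlanMode(): boolean;
  targetDir: string;
  plansDir: string;
}

function resolveWriteTarget(cfg: PlanModeConfig, filePath: string): PlanPathResult {
  return cfg.isPlanMode()
    ? resolvePlanPathSandboxed(cfg.plansDir, filePath)
    : resolvePlanPathLegacy(cfg.targetDir, filePath);
}

// Constructed sample inputs of the kinds the linked issues describe: an
// absolute path the model made up, a relative path that climbs out of the
// tree, a bare '..', a Windows-style path, and a plain filename.
const PLANS_DIR = '/home/dev/.gemini/tmp/plans';
const TARGET_DIR = '/home/dev/project';
const SAMPLE_INPUTS = [
  '/home/dev/project/docs/plan.md',
  '../../etc/passwd',
  '..',
  'C:\\Users\\dev\\plan.md',
  'refactor-auth.md',
];

for (const input of SAMPLE_INPUTS) {
  const legacy = resolvePlanPathLegacy(TARGET_DIR, input);
  const sandboxed = resolvePlanPathSandboxed(PLANS_DIR, input);
  console.log(JSON.stringify({ input, legacy, sandboxed }));
}
```

The first sample shows the failure the PR targets: under the legacy check an absolute in-tree path is accepted and written outside the plans directory, whereas the sandboxed version reduces it to `plan.md` inside `plansDir`. The `'..'` case is why a basename-only strategy still wants a containment check after the join.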
@Adib234 Adib234 requested review from a team as code owners March 16, 2026 21:44
@Adib234 Adib234 self-assigned this Mar 16, 2026
@Adib234 Adib234 changed the title from "fix(core): sandbox path resolution in Plan Mode to prevent hallucinations and traversal" to "fix(plan): sandbox path resolution in Plan Mode to prevent hallucinations" Mar 16, 2026
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security and reliability of file operations within the application's Plan Mode. By implementing strict sandboxing for path resolution, it ensures that all interactions with the file system are confined to a designated directory, effectively preventing potential directory traversal attacks and improving the accuracy of LLM-generated file paths. The changes streamline path handling and reinforce the integrity of the planning process.

Highlights

  • Enhanced Security in Plan Mode: Implemented sandboxed path resolution for file operations within Plan Mode, strictly confining all file writes and plan exits to the active session's designated plansDir. This prevents directory traversal vulnerabilities and mitigates LLM path hallucinations.
  • Tool Schema and Interface Updates: The exit_plan_mode tool's parameter plan_path was renamed to plan_filename across its schema and internal interfaces. This change guides the LLM to provide only filenames, not absolute paths.
  • Safe Path Handling for Tools: The exit_plan_mode, write_file, and edit tools now automatically extract the base filename from LLM input and safely join it with the plansDir when operating in Plan Mode, ensuring all file interactions are secure.
  • Simplified Path Validation: Removed legacy targetDir resolution logic from the validatePlanPath utility, as paths are now inherently restricted and validated against the plansDir.
Changelog
  • packages/cli/src/ui/components/ExitPlanModeDialog.tsx
    • Removed config.getTargetDir() from validatePlanPath call.
  • packages/core/src/config/config.ts
    • Added isPlanMode() method to check if the current approval mode is PLAN.
  • packages/core/src/tools/confirmation-policy.test.ts
    • Added isPlanMode property to the mock configuration for testing purposes.
  • packages/core/src/tools/definitions/snapshots/coreToolsModelSnapshots.test.ts.snap
    • Updated tool definition snapshots to reflect the plan_path to plan_filename rename for exit_plan_mode.
  • packages/core/src/tools/definitions/base-declarations.ts
    • Renamed EXIT_PLAN_PARAM_PLAN_PATH constant to EXIT_PLAN_PARAM_PLAN_FILENAME.
  • packages/core/src/tools/definitions/coreTools.ts
    • Updated import statement for EXIT_PLAN_PARAM_PLAN_FILENAME.
    • Modified getExitPlanModeDefinition to no longer accept plansDir as a parameter.
  • packages/core/src/tools/definitions/coreToolsModelSnapshots.test.ts
    • Updated the call to getExitPlanModeDefinition to remove the plansDir argument.
  • packages/core/src/tools/definitions/dynamic-declaration-helpers.ts
    • Updated import statement for EXIT_PLAN_PARAM_PLAN_FILENAME.
    • Modified getExitPlanModeDeclaration signature to remove the plansDir parameter.
    • Updated the exit_plan_mode tool's parameter schema to use plan_filename and adjusted its description.
  • packages/core/src/tools/definitions/model-family-sets/default-legacy.ts
    • Updated the exit_plan_mode tool definition to call getExitPlanModeDeclaration() without arguments.
  • packages/core/src/tools/definitions/model-family-sets/gemini-3.ts
    • Updated the exit_plan_mode tool definition to call getExitPlanModeDeclaration() without arguments.
  • packages/core/src/tools/definitions/types.ts
    • Updated the type signature for exit_plan_mode in CoreToolSet to no longer accept plansDir.
  • packages/core/src/tools/edit.test.ts
    • Added isPlanMode property to the mock configuration for testing purposes.
  • packages/core/src/tools/edit.ts
    • Modified EditToolInvocation to sandbox file_path to plansDir when in Plan Mode, using path.basename for safety.
  • packages/core/src/tools/exit-plan-mode.test.ts
    • Updated tests to use plan_filename instead of plan_path in tool invocations.
    • Removed targetDir argument from validatePlanPath calls in tests.
    • Removed a test case that checked for path traversal during tool build, as this is now handled differently.
    • Adjusted error message expectations for path validation to match the new dynamic message.
  • packages/core/src/tools/exit-plan-mode.ts
    • Renamed plan_path to plan_filename in the ExitPlanModeParams interface.
    • Updated the constructor to call getExitPlanModeDefinition() without plansDir.
    • Modified validateToolParamValues to use plan_filename, extract its basename, and join with plansDir for validation.
    • Updated getSchema to call getExitPlanModeDefinition() without plansDir.
    • Modified shouldConfirmExecute to pass plan_filename to validatePlanPath and removed targetDir argument.
    • Updated getDescription to reference plan_filename.
    • Modified getResolvedPlanPath to use path.basename and path.join with plansDir.
  • packages/core/src/tools/line-endings.test.ts
    • Added isPlanMode and storage.getPlansDir properties to the mock configuration.
  • packages/core/src/tools/tool-names.ts
    • Updated import and export statements for EXIT_PLAN_PARAM_PLAN_FILENAME.
  • packages/core/src/tools/write-file.test.ts
    • Added isPlanMode property to the mock configuration for testing purposes.
  • packages/core/src/tools/write-file.ts
    • Modified WriteFileToolInvocation to sandbox file_path to plansDir when in Plan Mode, using path.basename for safety.
  • packages/core/src/utils/planUtils.test.ts
    • Updated validatePlanPath calls in tests to remove the targetDir argument.
    • Removed a test case specifically for path traversal, as the new logic handles it implicitly.
    • Adjusted the expected error message for access denied to match the new dynamic message.
  • packages/core/src/utils/planUtils.ts
    • Modified PlanErrorMessages.PATH_ACCESS_DENIED to be a function that provides more detailed context.
    • Updated validatePlanPath to remove the targetDir parameter and use path.basename to construct the resolved path within plansDir.

@Adib234 Adib234 enabled auto-merge March 16, 2026 21:47

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces a critical security fix to prevent directory traversal vulnerabilities in Plan Mode. By renaming plan_path to plan_filename and consistently using path.basename to sanitize file paths provided by the LLM, the changes effectively sandbox file operations to the designated plansDir. The removal of targetDir from validatePlanPath and the addition of the isPlanMode check in file-writing tools are well-implemented and align with the goal of hardening the CLI against path-based attacks. I have one suggestion to improve consistency in path resolution.

Note: Security Review did not run due to the size of the PR.

@gemini-cli gemini-cli Bot added priority/p1 Important and should be addressed in the near term. area/core Issues related to User Interface, OS Support, Core Functionality 🔒 maintainer only ⛔ Do not contribute. Internal roadmap item. labels Mar 16, 2026

github-actions Bot commented Mar 16, 2026

Size Change: +604 B (0%)

Total Size: 26.1 MB

Filename Size Change
./bundle/chunk-5WHECDMU.js 0 B -1.95 MB (removed) 🏆
./bundle/chunk-SWWVACJN.js 0 B -14.5 MB (removed) 🏆
./bundle/chunk-UJHZAZE5.js 0 B -3.64 MB (removed) 🏆
./bundle/core-7Q77A6NS.js 0 B -42.4 kB (removed) 🏆
./bundle/devtoolsService-H3ONIWEV.js 0 B -27.7 kB (removed) 🏆
./bundle/interactiveCli-I5N2ZULX.js 0 B -1.62 MB (removed) 🏆
./bundle/oauth2-provider-6RRWJKYC.js 0 B -9.16 kB (removed) 🏆
./bundle/chunk-7YK7R2YX.js 1.95 MB +1.95 MB (new file) 🆕
./bundle/chunk-H6XOT4IJ.js 3.64 MB +3.64 MB (new file) 🆕
./bundle/chunk-Y65SOKDD.js 14.5 MB +14.5 MB (new file) 🆕
./bundle/core-TY2Q4WIK.js 42.4 kB +42.4 kB (new file) 🆕
./bundle/devtoolsService-XWR6AQE6.js 27.7 kB +27.7 kB (new file) 🆕
./bundle/interactiveCli-GEIV7VQ2.js 1.62 MB +1.62 MB (new file) 🆕
./bundle/oauth2-provider-IXVB6MZ4.js 9.16 kB +9.16 kB (new file) 🆕
Unchanged:
Filename Size Change
./bundle/chunk-34MYV7JD.js 2.45 kB 0 B
./bundle/chunk-5AUYMPVF.js 858 B 0 B
./bundle/chunk-664ZODQF.js 124 kB 0 B
./bundle/chunk-DAHVX5MI.js 206 kB 0 B
./bundle/chunk-IUUIT4SU.js 56.5 kB 0 B
./bundle/chunk-RJTRUG2J.js 39.8 kB 0 B
./bundle/devtools-36NN55EP.js 696 kB 0 B
./bundle/dist-T73EYRDX.js 356 B 0 B
./bundle/gemini.js 519 kB 0 B
./bundle/getMachineId-bsd-TXG52NKR.js 1.55 kB 0 B
./bundle/getMachineId-darwin-7OE4DDZ6.js 1.55 kB 0 B
./bundle/getMachineId-linux-SHIFKOOX.js 1.34 kB 0 B
./bundle/getMachineId-unsupported-5U5DOEYY.js 1.06 kB 0 B
./bundle/getMachineId-win-6KLLGOI4.js 1.72 kB 0 B
./bundle/memoryDiscovery-DL6LDUAP.js 0 B -922 B (removed) 🏆
./bundle/multipart-parser-KPBZEGQU.js 11.7 kB 0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js 221 kB 0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js 227 kB 0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js 11.5 kB 0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js 132 B 0 B
./bundle/sandbox-macos-permissive-open.sb 890 B 0 B
./bundle/sandbox-macos-permissive-proxied.sb 1.31 kB 0 B
./bundle/sandbox-macos-restrictive-open.sb 3.36 kB 0 B
./bundle/sandbox-macos-restrictive-proxied.sb 3.56 kB 0 B
./bundle/sandbox-macos-strict-open.sb 4.82 kB 0 B
./bundle/sandbox-macos-strict-proxied.sb 5.02 kB 0 B
./bundle/src-QVCVGIUX.js 47 kB 0 B
./bundle/tree-sitter-7U6MW5PS.js 274 kB 0 B
./bundle/tree-sitter-bash-34ZGLXVX.js 1.84 MB 0 B
./bundle/memoryDiscovery-UJ736XJ4.js 922 B +922 B (new file) 🆕

compressed-size-action

Adib234 and others added 3 commits March 17, 2026 12:58
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
@jerop jerop self-requested a review March 17, 2026 20:35
@jerop jerop self-assigned this Mar 17, 2026

Adib234 commented Mar 19, 2026

Currently running evals with bench-hub to see if exit plan mode calls fail


github-actions Bot commented Mar 23, 2026

🧠 Model Steering Guidance

This PR modifies files that affect the model's behavior (prompts, tools, or instructions).

  • 🚀 Maintainer Reminder: Please ensure that these changes do not regress results on benchmark evals before merging.

This is an automated guidance message triggered by steering logic signatures.

@Adib234 Adib234 added this pull request to the merge queue Mar 24, 2026
Merged via the queue into main with commit dcedc42 Mar 24, 2026
82 of 86 checks passed
@Adib234 Adib234 deleted the fix/plan-mode-paths branch March 24, 2026 13:35

Adib234 commented Mar 25, 2026

/patch stable

@github-actions

🚀 [Step 1/4] Patch workflow(s) waiting for approval!

📋 Details:

  • Channels: stable
  • Commit: dcedc429798ab85500b53bb1a29159fa8090e740
  • Workflows Created: 1

⏳ Status: The patch creation workflow has been triggered and is waiting for deployment approval. Please visit the specific workflow links below and approve the runs.

🔗 Track Progress:

Adib234 added a commit that referenced this pull request Mar 25, 2026
…ions (#22737)

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
ProthamD pushed a commit to ProthamD/gemini-cli that referenced this pull request Mar 29, 2026
…ions (google-gemini#22737)

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
warrenzhu25 pushed a commit to warrenzhu25/gemini-cli that referenced this pull request Apr 9, 2026
…ions (google-gemini#22737)

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>