fix(core): allow redirection in YOLO and AUTO_EDIT modes without sandboxing

[galz10]

Summary

Fixed a regression where commands with redirection (pipes, redirects) were being downgraded to ASK_USER in YOLO and AUTO_EDIT modes when sandboxing was disabled.

Details

In PolicyEngine.shouldDowngradeForRedirection, the logic was checking if sandboxing was enabled before allowing YOLO/AUTO_EDIT modes to bypass the redirection safeguard. This caused unnecessary approval prompts in environments where sandboxing is disabled (e.g., certain git worktrees or specific OS configurations). The fix removes the sandboxEnabled requirement for these trusted modes.

Related Issues

Fixes the reported regression where commands like npm test ... 2>&1 | tail -80 prompted for approval in YOLO mode.

How to Validate

Run the new regression test:
npm test -w @google/gemini-cli-core -- src/policy/policy-engine.test.ts
The test should NOT downgrade to ASK_USER for redirected commands in YOLO mode even without sandbox verifies the fix.

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • Seatbelt

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a regression in the policy engine where shell commands involving redirection were being unnecessarily downgraded to require user approval. By removing the dependency on sandboxing status for trusted execution modes, the engine now correctly respects the YOLO and AUTO_EDIT configurations, ensuring a smoother user experience in environments where sandboxing is disabled.

Highlights

• Policy Engine Logic Update: Modified the policy engine to allow command redirection in YOLO and AUTO_EDIT modes regardless of whether sandboxing is enabled.
• Regression Fix: Resolved an issue where commands containing pipes or redirects were incorrectly triggering approval prompts in trusted modes when sandboxing was disabled.
• Regression Testing: Added a new test case to verify that redirected commands remain allowed in YOLO mode even when using a NoopSandboxManager.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

Size Change: -105 B (0%)

Total Size: 34 MB

Filename	Size	Change
./bundle/chunk-2KV5MEJA.js	0 B	-3.43 kB (removed)	🏆
./bundle/chunk-57KM6YND.js	0 B	-2.78 MB (removed)	🏆
./bundle/chunk-ASRU6KWB.js	0 B	-658 kB (removed)	🏆
./bundle/chunk-H2G2F75F.js	0 B	-14.7 MB (removed)	🏆
./bundle/chunk-KIXZ2FCH.js	0 B	-3.8 kB (removed)	🏆
./bundle/chunk-NKU7TUNE.js	0 B	-19.5 kB (removed)	🏆
./bundle/chunk-VF2E5OO3.js	0 B	-49.2 kB (removed)	🏆
./bundle/chunk-VYNU6FEB.js	0 B	-12.5 kB (removed)	🏆
./bundle/core-SM75YMGM.js	0 B	-48.8 kB (removed)	🏆
./bundle/devtoolsService-3FA3XYXG.js	0 B	-28 kB (removed)	🏆
./bundle/gemini-N5PF7HCL.js	0 B	-583 kB (removed)	🏆
./bundle/interactiveCli-AKPXIBTN.js	0 B	-1.29 MB (removed)	🏆
./bundle/liteRtServerManager-3USJIXPG.js	0 B	-2.11 kB (removed)	🏆
./bundle/oauth2-provider-WTI6KIQJ.js	0 B	-9.16 kB (removed)	🏆
./bundle/chunk-522PKDAU.js	658 kB	+658 kB (new file)	🆕
./bundle/chunk-5W6ZXLUU.js	49.2 kB	+49.2 kB (new file)	🆕
./bundle/chunk-6Y6KCQ2X.js	14.7 MB	+14.7 MB (new file)	🆕
./bundle/chunk-CSJLIN2J.js	3.8 kB	+3.8 kB (new file)	🆕
./bundle/chunk-F6EPALVL.js	2.78 MB	+2.78 MB (new file)	🆕
./bundle/chunk-QNWKMWJJ.js	12.5 kB	+12.5 kB (new file)	🆕
./bundle/chunk-TWIJMMOJ.js	3.43 kB	+3.43 kB (new file)	🆕
./bundle/chunk-VKITJN5K.js	19.5 kB	+19.5 kB (new file)	🆕
./bundle/core-BJG3PHI6.js	48.8 kB	+48.8 kB (new file)	🆕
./bundle/devtoolsService-6BNIWUCH.js	28 kB	+28 kB (new file)	🆕
./bundle/gemini-34GCBKMD.js	583 kB	+583 kB (new file)	🆕
./bundle/interactiveCli-JDH4CCHK.js	1.29 MB	+1.29 MB (new file)	🆕
./bundle/liteRtServerManager-LVNQXMI4.js	2.11 kB	+2.11 kB (new file)	🆕
./bundle/oauth2-provider-OWTCC6NX.js	9.16 kB	+9.16 kB (new file)	🆕

ℹ️ View Unchanged

Filename	Size	Change
./bundle/bundled/third_party/index.js	8 MB	0 B
./bundle/chunk-34MYV7JD.js	2.45 kB	0 B
./bundle/chunk-5AUYMPVF.js	858 B	0 B
./bundle/chunk-5PS3AYFU.js	1.18 kB	0 B
./bundle/chunk-664ZODQF.js	124 kB	0 B
./bundle/chunk-DAHVX5MI.js	206 kB	0 B
./bundle/chunk-IUUIT4SU.js	56.5 kB	0 B
./bundle/chunk-RJTRUG2J.js	39.8 kB	0 B
./bundle/chunk-VJSUVOZ4.js	1.97 MB	0 B
./bundle/cleanup-O7FPPK6O.js	0 B	-932 B (removed)	🏆
./bundle/devtools-36NN55EP.js	696 kB	0 B
./bundle/dist-T73EYRDX.js	356 B	0 B
./bundle/events-XB7DADIJ.js	418 B	0 B
./bundle/examples/hooks/scripts/on-start.js	188 B	0 B
./bundle/examples/mcp-server/example.js	1.43 kB	0 B
./bundle/gemini.js	5.1 kB	0 B
./bundle/getMachineId-bsd-TXG52NKR.js	1.55 kB	0 B
./bundle/getMachineId-darwin-7OE4DDZ6.js	1.55 kB	0 B
./bundle/getMachineId-linux-SHIFKOOX.js	1.34 kB	0 B
./bundle/getMachineId-unsupported-5U5DOEYY.js	1.06 kB	0 B
./bundle/getMachineId-win-6KLLGOI4.js	1.72 kB	0 B
./bundle/memoryDiscovery-NGHTMHWQ.js	980 B	0 B
./bundle/multipart-parser-KPBZEGQU.js	11.7 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js	222 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js	229 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js	13.4 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js	132 B	0 B
./bundle/sandbox-macos-permissive-open.sb	890 B	0 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB	0 B
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB	0 B
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB	0 B
./bundle/sandbox-macos-strict-open.sb	4.82 kB	0 B
./bundle/sandbox-macos-strict-proxied.sb	5.02 kB	0 B
./bundle/src-QVCVGIUX.js	47 kB	0 B
./bundle/start-ZKA2MUE3.js	0 B	-652 B (removed)	🏆
./bundle/tree-sitter-7U6MW5PS.js	274 kB	0 B
./bundle/tree-sitter-bash-34ZGLXVX.js	1.84 MB	0 B
./bundle/cleanup-KQAATZ57.js	932 B	+932 B (new file)	🆕
./bundle/start-L43PMD6M.js	652 B	+652 B (new file)	🆕

_{compressed-size-action}

[gemini-code-assist]

Code Review

This pull request updates the PolicyEngine to ensure that redirected commands are not downgraded to ASK_USER in AUTO_EDIT or YOLO modes, regardless of whether sandboxing is enabled. This change simplifies the logic by removing the dependency on the sandbox status for these specific approval modes. Additionally, a new test case was added to policy-engine.test.ts to confirm that YOLO mode correctly allows redirected commands even when using a NoopSandboxManager. I have no feedback to provide.

[jacob314]

[galz10]

/patch both

[github-actions]

🚀 [Step 1/4] Patch workflow(s) waiting for approval!

📋 Details:

• Channels: stable,preview
• Commit: 3627f4777fae1852b33d6c80853540776573255a
• Workflows Created: 2

⏳ Status: The patch creation workflow has been triggered and is waiting for deployment approval. Please visit the specific workflow links below and approve the runs.

🔗 Track Progress:

• View dispatched workflow run
• View dispatched workflow run
• View patch workflow history
• This trigger workflow run

[github-actions]

🚀 [Step 2/4] Patch PR Created!

📋 Patch Details:

• Environment: prod
• Channel: preview → will publish to npm tag preview
• Commit: 3627f4777fae1852b33d6c80853540776573255a
• Hotfix Branch: hotfix/v0.42.0-preview.0/0.42.0-preview.1/preview/cherry-pick-3627f47/pr-26542
• Hotfix PR: #26544

📝 Next Steps:

1. Review and approve the hotfix PR: #26544
2. Once merged, the patch release will automatically trigger
3. You'll receive updates here when the release completes

🔗 Track Progress:

• View hotfix PR #26544
• This patch creation workflow run

[github-actions]

🚀 [Step 2/4] Patch PR Created!

📋 Patch Details:

• Environment: prod
• Channel: stable → will publish to npm tag latest
• Commit: 3627f4777fae1852b33d6c80853540776573255a
• Hotfix Branch: hotfix/v0.41.0/0.41.1/stable/cherry-pick-3627f47/pr-26542
• Hotfix PR: #26545

📝 Next Steps:

1. Review and approve the hotfix PR: #26545
2. Once merged, the patch release will automatically trigger
3. You'll receive updates here when the release completes

🔗 Track Progress:

• View hotfix PR #26545
• This patch creation workflow run

[github-actions]

🚀 [Step 3/4] Patch Release Waiting for Approval!

📋 Release Details:

• Environment: prod
• Channel: preview → publishing to npm tag preview
• Version: v0.42.0-preview.0
• Hotfix PR: Merged ✅
• Release Branch: release/v0.42.0-preview.0-pr-26542

⏳ Status: The patch release has been triggered and is waiting for deployment approval. Please visit the specific workflow run link below and approve the deployment. You'll receive another update when it completes.

🔗 Track Progress:

• View release workflow history
• This trigger workflow run

[github-actions]

🚀 [Step 3/4] Patch Release Waiting for Approval!

📋 Release Details:

• Environment: prod
• Channel: stable → publishing to npm tag latest
• Version: v0.41.0
• Hotfix PR: Merged ✅
• Release Branch: release/v0.41.0-pr-26542

⏳ Status: The patch release has been triggered and is waiting for deployment approval. Please visit the specific workflow run link below and approve the deployment. You'll receive another update when it completes.

🔗 Track Progress:

• View release workflow history
• This trigger workflow run

[github-actions]

✅ [Step 4/4] Patch Release Complete!

📦 Release Details:

• Version: 0.41.1
• NPM Tag: latest
• Channel: stable
• Dry Run: false

🎉 Status: Your patch has been successfully released and published to npm!

📝 What's Available:

• GitHub Release: View release v0.41.1
• NPM Package: npm install @google/gemini-cli@latest

🔗 Links:

• GitHub Release
• This release workflow run
• Workflow History

[github-actions]

✅ [Step 4/4] Patch Release Complete!

📦 Release Details:

• Version: 0.42.0-preview.1
• NPM Tag: preview
• Channel: preview
• Dry Run: false

🎉 Status: Your patch has been successfully released and published to npm!

📝 What's Available:

• GitHub Release: View release v0.42.0-preview.1
• NPM Package: npm install @google/gemini-cli@preview

🔗 Links:

• GitHub Release
• This release workflow run
• Workflow History