
fix(security): address MCP security findings (MCPSafe Grade F)#26954

Draft
gemini-cli[bot] wants to merge 1 commit into main from bot/productivity-updates-20260512214953-25762017131

Conversation

@gemini-cli gemini-cli Bot commented May 12, 2026

fix(security): address MCP security findings (MCPSafe Grade F)

This PR addresses high and medium severity security findings related to MCP server integration, as reported by MCPSafe.

### Changes:

1. **Shell Heuristics Enforcement**: Updated `PolicyEngine` to apply shell heuristics (e.g., redirection detection) to any tool containing a `command` argument, not just those explicitly named in `SHELL_TOOL_NAMES`. This prevents security bypasses where MCP tools executing shell commands could skip safety checks.
2. **MCP Output Sanitization**: Implemented delimiters and HTML escaping for MCP tool text and resource outputs. This prevents prompt injection attacks where malicious tool output could be mistaken for system instructions by the LLM.
3. **Default Folder Trust**: Enabled folder trust by default in the CLI configuration. This ensures that the CLI verifies workspace trust before executing sensitive operations like loading local stdio MCP servers from project configuration.
4. **Type Safety**: Updated `McpResourceBlock` type to include the `uri` property, aligning with the MCP specification and fixing a TypeScript compilation error.

These changes significantly harden the gemini-cli against common attack vectors in the MCP ecosystem.

cc @mcpsafe-gh for visibility on the fixes.
cc @google-gemini-mcp-experts

Labels: bot-fix, area/security, kind/bug

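The two code changes the PR body describes (shell heuristics triggered by a `command` argument rather than by tool name, and delimiters plus HTML escaping around MCP output), as an added TypeScript sketch that is not gemini-cli's own code; every identifier in it (`isShellLikeCall`, `shellHeuristicFlags`, `evaluate`, `wrapMcpOutput`, the `mcp_tool_output` tag) is an assumption.

```typescript
// Added example, not gemini-cli's code: sketches the two mitigations from the PR
// body. All names and the delimiter tag below are assumptions, not the project's API.

// Assumed: the set of tools already known to run shell commands.
const SHELL_TOOL_NAMES = new Set<string>(['run_shell_command']);

interface ToolCall {
  name: string;
  args: Record<string, unknown>;
}

// Change 1: a tool is shell-like if it is named in SHELL_TOOL_NAMES *or* its
// arguments carry a `command` string, so an MCP tool cannot skip the checks
// just by having a different name.
export function isShellLikeCall(call: ToolCall): boolean {
  return SHELL_TOOL_NAMES.has(call.name) || typeof call.args['command'] === 'string';
}

// Constructed heuristics: the PR mentions redirection detection; command
// chaining is added here as a second illustrative signal.
export function shellHeuristicFlags(command: string): string[] {
  const flags: string[] = [];
  if (/[<>]/.test(command)) flags.push('redirection');
  if (/\|\||&&|;|\|/.test(command)) flags.push('chaining');
  return flags;
}

export function evaluate(call: ToolCall): { decision: 'allow' | 'ask_user'; reasons: string[] } {
  if (!isShellLikeCall(call)) return { decision: 'allow', reasons: [] };
  const reasons = shellHeuristicFlags(String(call.args['command']));
  return { decision: reasons.length > 0 ? 'ask_user' : 'allow', reasons };
}

// Change 2: escape the tool output, then wrap it in delimiters. Because '<'
// and '>' are escaped first, the body can never contain the literal closing
// tag, so the model can treat everything between the tags as untrusted data.
export function escapeHtml(s: string): string {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

export function wrapMcpOutput(serverName: string, text: string): string {
  const tag = 'mcp_tool_output';
  return `<${tag} server="${escapeHtml(serverName)}">\n${escapeHtml(text)}\n</${tag}>`;
}
```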
@github-actions

Size Change: +674 B (0%)

Total Size: 34.1 MB

compressed-size-action
