feat(admin): Admin settings should only apply if adminControlsApplicable = true and fetch errors should be fatal

[skeshive]

Update admin controls fetching logic such that:

1. Admin controls are only applicable when adminControlsApplicable = true (backend was updated to set this field instead of returning 403 error)

2. Any errors in fetching the admin settings should be fatal for auth and surfaced to the user

3. Fix bug where changing auth type was using cached admin settings

[gemini-cli]

Hi @skeshive, thank you so much for your contribution to Gemini CLI! We really appreciate the time and effort you've put into this.

We're making some updates to our contribution process to improve how we track and review changes. Please take a moment to review our recent discussion post: Improving Our Contribution Process & Introducing New Guidelines.

Key Update: Starting January 26, 2026, the Gemini CLI project will require all pull requests to be associated with an existing issue. Any pull requests not linked to an issue by that date will be automatically closed.

Thank you for your understanding and for being a part of our community!

[gemini-cli]

Hi there! Thank you for your contribution to Gemini CLI.

To improve our contribution process and better track changes, we now require all pull requests to be associated with an existing issue, as announced in our recent discussion and as detailed in our CONTRIBUTING.md.

This pull request is being closed because it is not currently linked to an issue. Once you have updated the description of this PR to link an issue (e.g., by adding Fixes #123 or Related to #123), it will be automatically reopened.

How to link an issue:
Add a keyword followed by the issue number (e.g., Fixes #123) in the description of your pull request. For more details on supported keywords and how linking works, please refer to the GitHub Documentation on linking pull requests to issues.

Thank you for your understanding and for being a part of our community!

[gemini-code-assist]

Summary of Changes

Hello @skeshive, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refines the handling of administrative settings by introducing a new adminControlsApplicable flag to govern their activation. It also implements a more robust error handling strategy for fetching these settings, ensuring that critical failures are propagated. Additionally, a caching issue related to authentication type changes has been addressed to prevent the use of stale administrative configurations.

Highlights

• Admin Controls Applicability: Admin controls fetching logic now explicitly checks for adminControlsApplicable: true from the backend. If this flag is not true, admin controls are not applied, and polling for updates is stopped.
• Fatal Fetch Errors: Errors encountered during the initial fetch of admin settings are now treated as fatal, causing the authentication process to fail and surfacing the error to the user. Previously, these errors would result in an empty settings object and continued polling.
• Auth Type Change Bug Fix: A bug was resolved where cached admin settings were incorrectly used when the authentication type was changed. The remote admin settings are now explicitly cleared upon modification of the authentication type.

Changelog

• packages/cli/src/ui/AppContainer.tsx
  • Added config.setRemoteAdminSettings(undefined) to clear cached admin settings when the authentication type is changed.
• packages/core/src/code_assist/admin/admin_controls.test.ts
  • Updated mock server responses in tests to include the adminControlsApplicable: true field.
  • Modified tests to assert that fetchAdminControls throws an error on fetch failures and does not initiate polling.
  • Adjusted tests to check for adminControlsApplicable: false in the response to stop polling, replacing the previous 403 HTTP status check.
  • Updated fetchAdminControlsOnce tests to expect errors to be thrown on fetch failures.
  • Ensured adminControlsApplicable: true is present in mock responses for polling tests.
• packages/core/src/code_assist/admin/admin_controls.ts
  • Removed the isGaxiosError utility function.
  • Implemented logic in fetchAdminControls to stop polling and return an empty object if adminControlsApplicable is not true.
  • Changed error handling in fetchAdminControls to re-throw exceptions instead of returning an empty object and starting polling.
  • Modified fetchAdminControlsOnce to return an empty object if adminControlsApplicable is not true.
  • Updated fetchAdminControlsOnce to re-throw exceptions on fetch failures.
  • Integrated adminControlsApplicable check within the startAdminControlsPolling interval to stop polling if the flag becomes false.
• packages/core/src/code_assist/types.ts
  • Added adminControlsApplicable: z.boolean().optional() to the FetchAdminControlsResponseSchema.
• packages/core/src/config/config.ts
  • Updated the setRemoteAdminSettings method signature to accept AdminControlsSettings | undefined.

Activity

• No human activity has been recorded on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request refactors the admin controls fetching logic. While the changes correctly make the initial fetch of admin settings a fatal operation for authentication and update the logic to use the adminControlsApplicable flag from the backend, a critical security issue was identified. Sensitive information, specifically OAuth tokens, could be leaked into debug logs when a fetch error occurs because the entire error object, which often contains request headers, is logged directly. Additionally, a bug where admin settings were cached across authentication type changes has been fixed, with corresponding tests updated to reflect these new behaviors.

[github-actions]

Size Change: -79 B (0%)

Total Size: 24.5 MB

ℹ️ View Unchanged

Filename	Size	Change
./bundle/gemini.js	24.5 MB	-79 B (0%)
./bundle/sandbox-macos-permissive-open.sb	890 B	0 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB	0 B
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB	0 B
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB	0 B
./bundle/sandbox-macos-strict-open.sb	4.82 kB	0 B
./bundle/sandbox-macos-strict-proxied.sb	5.02 kB	0 B

_{compressed-size-action}

[skeshive]

/patch

[github-actions]

✅ Patch workflow(s) dispatched successfully!

📋 Details:

• Channels: stable,preview
• Commit: 261788cf911c5ea1dd67b1e4084c40b11063a185
• Workflows Created: 2

🔗 Track Progress:

• View patch workflows
• This workflow run

[github-actions]

🚀 Patch PR Created!

📋 Patch Details:

• Environment: prod
• Channel: preview → will publish to npm tag preview
• Commit: 261788cf911c5ea1dd67b1e4084c40b11063a185
• Hotfix Branch: hotfix/v0.30.0-preview.0/0.30.0-preview.1/preview/cherry-pick-261788c/pr-19453
• Hotfix PR: #19490

📝 Next Steps:

1. Review and approve the hotfix PR: #19490
2. Once merged, the patch release will automatically trigger
3. You'll receive updates here when the release completes

🔗 Track Progress:

• View hotfix PR #19490

[github-actions]

🚀 Patch PR Created!

📋 Patch Details:

• Environment: prod
• Channel: stable → will publish to npm tag latest
• Commit: 261788cf911c5ea1dd67b1e4084c40b11063a185
• Hotfix Branch: hotfix/v0.29.1/0.29.2/stable/cherry-pick-261788c/pr-19453
• Hotfix PR: #19491

📝 Next Steps:

1. Review and approve the hotfix PR: #19491
2. Once merged, the patch release will automatically trigger
3. You'll receive updates here when the release completes

🔗 Track Progress:

• View hotfix PR #19491

[github-actions]

🚀 Patch Release Started!

📋 Release Details:

• Environment: prod
• Channel: stable → publishing to npm tag latest
• Version: v0.29.1
• Hotfix PR: Merged ✅
• Release Branch: release/v0.29.1-pr-19453

⏳ Status: The patch release is now running. You'll receive another update when it completes.

🔗 Track Progress:

• View release workflow

[github-actions]

🚀 Patch Release Started!

📋 Release Details:

• Environment: prod
• Channel: preview → publishing to npm tag preview
• Version: v0.30.0-preview.0
• Hotfix PR: Merged ✅
• Release Branch: release/v0.30.0-preview.0-pr-19453

⏳ Status: The patch release is now running. You'll receive another update when it completes.

🔗 Track Progress:

• View release workflow

[github-actions]

✅ Patch Release Complete!

📦 Release Details:

• Version: 0.29.2
• NPM Tag: latest
• Channel: stable
• Dry Run: false

🎉 Status: Your patch has been successfully released and published to npm!

📝 What's Available:

• GitHub Release: View release v0.29.2
• NPM Package: npm install @google/gemini-cli@latest

🔗 Links:

• GitHub Release
• Workflow Run

[github-actions]

✅ Patch Release Complete!

📦 Release Details:

• Version: 0.30.0-preview.1
• NPM Tag: preview
• Channel: preview
• Dry Run: false

🎉 Status: Your patch has been successfully released and published to npm!

📝 What's Available:

• GitHub Release: View release v0.30.0-preview.1
• NPM Package: npm install @google/gemini-cli@preview

🔗 Links:

• GitHub Release
• Workflow Run