fix(cli): don't crash when an @-mention captures a non-path blob

[ifitisit]

Summary

Pasting JSON-like content into the interactive prompt (or having a model hallucinate a tool call whose path argument got concatenated with source code) crashed the CLI with an unhandled promise rejection:

Error: ENAMETOOLONG: name too long, lstat '/Users/.../test.cl",
                      "municipality": "Comuna"
                  },
                  "invoice_number": "54", ...'
  at robustRealpath (paths.ts:422)
  at resolveToRealPath (paths.ts:412)
  at checkPermissions (atCommandProcessor.ts:191)

The @-command regex in atCommandProcessor is greedy — it captures everything up to the next ASCII delimiter, including pasted JSON containing / and ". checkPermissions then fed that multi-kilobyte string into resolveToRealPath → fs.realpathSync, which threw ENAMETOOLONG. Nothing caught it, and the entire interactive session died.

Details

Wrap the resolveToRealPath call in checkPermissions with a try/catch and skip the entry on failure. Permission gating is a pre-flight check (it answers "does the user need to approve a read?"), so "can't resolve a path" is the right signal to drop it. If the user really did mean a real file, downstream rendering will surface a clearer error than a crash.

The paths.ts behavior is intentionally left unchanged — robustRealpath still throws on ENAMETOOLONG/EINVAL, so other internal callers (which receive paths from controlled config sources, not raw user input) keep their strict semantics.

Related Issues

Fixes #22029
Refs #25910, #25923

How to Validate

1. Check out this branch and build core: npm install && npm run build --workspace=@google/gemini-cli-core
2. Run the new regression tests:

   cd packages/cli
   npx vitest run --no-coverage src/ui/hooks/atCommandProcessor.test.ts -t "checkPermissions"

   Both tests should pass. Reverting just the try/catch in atCommandProcessor.ts makes the first test fail with the exact ENAMETOOLONG: name too long, lstat … from Pasting something and throwing me error #22029.
3. Manual repro (no build needed beyond npm start): launch the CLI, paste an @ followed by a multi-line JSON blob (e.g. the snippet from Pasting something and throwing me error #22029), submit. Before this PR the session crashed; after, the prompt submits cleanly and the bogus mention is just dropped.

Pre-Merge Checklist

• Updated relevant documentation and README (if needed) — n/a, behavior fix
• Added/updated tests (if needed) — two regression tests on checkPermissions, the first of which fails on main
• Noted breaking changes (if any) — none
• Validated on required platforms/methods:
  • MacOS
    • npm run

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a stability issue where the CLI would crash due to an unhandled promise rejection when an @-mention incorrectly captured non-path content, such as a large JSON blob. By wrapping the path resolution process in a safety check, the application now gracefully skips invalid inputs instead of terminating the interactive session.

Highlights

• Error Handling: Added a try/catch block around the path resolution logic in checkPermissions to prevent the CLI from crashing when encountering invalid or excessively long paths.
• Regression Testing: Added new test cases to atCommandProcessor.test.ts to ensure that malformed @-mentions are safely ignored without affecting valid file references.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request improves the robustness of the @-command processing by wrapping path resolution in a try-catch block. This prevents the CLI from crashing when the greedy regex captures long, non-path strings such as pasted JSON blobs, which previously triggered ENAMETOOLONG errors. Corresponding regression tests have been added to ensure that invalid paths are skipped while valid file references continue to work correctly. I have no feedback to provide as there were no review comments to evaluate.