fix(patch): cherry-pick 3627f47 to release/v0.41.0-pr-26542 to patch version v0.41.0 and create version 0.41.1

[gemini-cli-robot]

This PR automatically cherry-picks commit 3627f47 to patch version v0.41.0 in the stable release to create version 0.41.1.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request cherry-picks a fix into the v0.41.0 release branch to address an issue where redirected shell commands were incorrectly triggering user approval prompts in trusted modes. By removing the dependency on sandbox status for these specific approval modes, the engine now consistently respects the intended behavior of YOLO and AUTO_EDIT configurations.

Highlights

• Policy Engine Logic Update: Modified the policy engine to prevent downgrading to ASK_USER for redirected commands when in AUTO_EDIT or YOLO modes, regardless of whether sandboxing is enabled.
• Regression Testing: Added a new test case to verify that redirected shell commands in YOLO mode correctly maintain an ALLOW decision even when no sandbox is present.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates the PolicyEngine to prevent downgrading redirected shell commands to ASK_USER when in AUTO_EDIT or YOLO modes, regardless of whether a sandbox is enabled. A security concern was raised regarding the removal of the sandbox check for AUTO_EDIT mode, as it could allow an agent to perform unauthorized file writes on the host system; a code suggestion was provided to maintain the sandbox requirement for AUTO_EDIT while allowing the bypass for YOLO mode.

[gemini-code-assist]

The removal of the sandboxEnabled check in shouldDowngradeForRedirection allows shell commands with redirections to be automatically allowed in AUTO_EDIT mode even when no sandbox is present. This enables an agent to perform arbitrary file writes on the host system by using redirections (e.g., >) with otherwise 'safe' commands. While dangerous commands are intentionally allowed in YOLO mode without a sandbox, AUTO_EDIT should still require a sandbox or user approval for such operations to maintain a secure posture.

Suggested change

	if (
	sandboxEnabled &&
	(this.approvalMode === ApprovalMode.AUTO_EDIT ||
	this.approvalMode === ApprovalMode.YOLO)
	this.approvalMode === ApprovalMode.AUTO_EDIT ||
	this.approvalMode === ApprovalMode.YOLO
	) {
	return false;
	}
	const sandboxEnabled = !(this.sandboxManager instanceof NoopSandboxManager);
	if (
	this.approvalMode === ApprovalMode.YOLO ||
	(sandboxEnabled && this.approvalMode === ApprovalMode.AUTO_EDIT)
	) {
	return false;
	}

References

1. In YOLO mode, dangerous commands are intentionally allowed to proceed with an 'ALLOW' decision, even when no sandbox is active. This overrides the default behavior of forcing an 'ASK_USER' decision for such commands.

[github-actions]

Size Change: -105 B (0%)

Total Size: 33.9 MB

Filename	Size	Change
./bundle/chunk-7IQQQZYQ.js	0 B	-2.73 MB (removed)	🏆
./bundle/chunk-B7WIHWFO.js	0 B	-3.43 kB (removed)	🏆
./bundle/chunk-GIGMGBPH.js	0 B	-3.8 kB (removed)	🏆
./bundle/chunk-RGFTEJYF.js	0 B	-49.2 kB (removed)	🏆
./bundle/chunk-SCBLSDIF.js	0 B	-14.7 MB (removed)	🏆
./bundle/chunk-XWCN4HUN.js	0 B	-674 kB (removed)	🏆
./bundle/core-WJ6KMJ2A.js	0 B	-48.1 kB (removed)	🏆
./bundle/devtoolsService-EXO6V2G6.js	0 B	-28 kB (removed)	🏆
./bundle/gemini-FJ4Q73Y6.js	0 B	-575 kB (removed)	🏆
./bundle/interactiveCli-GWCGB3DE.js	0 B	-1.31 MB (removed)	🏆
./bundle/liteRtServerManager-QIWIHY3O.js	0 B	-2.08 kB (removed)	🏆
./bundle/oauth2-provider-QVFSQ5GD.js	0 B	-9.16 kB (removed)	🏆
./bundle/chunk-6B4AEKOA.js	3.43 kB	+3.43 kB (new file)	🆕
./bundle/chunk-FBNTK4EH.js	14.7 MB	+14.7 MB (new file)	🆕
./bundle/chunk-IIKMMWZL.js	674 kB	+674 kB (new file)	🆕
./bundle/chunk-KP7JO72I.js	2.73 MB	+2.73 MB (new file)	🆕
./bundle/chunk-NABOBNG7.js	3.8 kB	+3.8 kB (new file)	🆕
./bundle/chunk-U7NXGW4J.js	49.2 kB	+49.2 kB (new file)	🆕
./bundle/core-S2F6BIC7.js	48.1 kB	+48.1 kB (new file)	🆕
./bundle/devtoolsService-ROVEJBPG.js	28 kB	+28 kB (new file)	🆕
./bundle/gemini-UINAVTYR.js	575 kB	+575 kB (new file)	🆕
./bundle/interactiveCli-2B6ONLUQ.js	1.31 MB	+1.31 MB (new file)	🆕
./bundle/liteRtServerManager-PJTRCXY7.js	2.08 kB	+2.08 kB (new file)	🆕
./bundle/oauth2-provider-UDJUEJGC.js	9.16 kB	+9.16 kB (new file)	🆕

ℹ️ View Unchanged

Filename	Size	Change
./bundle/bundled/third_party/index.js	8 MB	0 B
./bundle/chunk-34MYV7JD.js	2.45 kB	0 B
./bundle/chunk-5AUYMPVF.js	858 B	0 B
./bundle/chunk-5PS3AYFU.js	1.18 kB	0 B
./bundle/chunk-664ZODQF.js	124 kB	0 B
./bundle/chunk-DAHVX5MI.js	206 kB	0 B
./bundle/chunk-IUUIT4SU.js	56.5 kB	0 B
./bundle/chunk-RJTRUG2J.js	39.8 kB	0 B
./bundle/chunk-XRLFHCHC.js	1.97 MB	0 B
./bundle/cleanup-UL7OXGHA.js	0 B	-932 B (removed)	🏆
./bundle/devtools-36NN55EP.js	696 kB	0 B
./bundle/dist-T73EYRDX.js	356 B	0 B
./bundle/events-XB7DADIJ.js	418 B	0 B
./bundle/examples/hooks/scripts/on-start.js	188 B	0 B
./bundle/examples/mcp-server/example.js	1.43 kB	0 B
./bundle/gemini.js	4.97 kB	0 B
./bundle/getMachineId-bsd-TXG52NKR.js	1.55 kB	0 B
./bundle/getMachineId-darwin-7OE4DDZ6.js	1.55 kB	0 B
./bundle/getMachineId-linux-SHIFKOOX.js	1.34 kB	0 B
./bundle/getMachineId-unsupported-5U5DOEYY.js	1.06 kB	0 B
./bundle/getMachineId-win-6KLLGOI4.js	1.72 kB	0 B
./bundle/memoryDiscovery-FN3IAPBT.js	980 B	0 B
./bundle/multipart-parser-KPBZEGQU.js	11.7 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js	222 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js	229 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js	13.4 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js	132 B	0 B
./bundle/sandbox-macos-permissive-open.sb	890 B	0 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB	0 B
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB	0 B
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB	0 B
./bundle/sandbox-macos-strict-open.sb	4.82 kB	0 B
./bundle/sandbox-macos-strict-proxied.sb	5.02 kB	0 B
./bundle/src-QVCVGIUX.js	47 kB	0 B
./bundle/start-4XZMJUYH.js	0 B	-622 B (removed)	🏆
./bundle/tree-sitter-7U6MW5PS.js	274 kB	0 B
./bundle/tree-sitter-bash-34ZGLXVX.js	1.84 MB	0 B
./bundle/cleanup-EL5NVUCJ.js	932 B	+932 B (new file)	🆕
./bundle/start-EBQ2CGAF.js	622 B	+622 B (new file)	🆕

_{compressed-size-action}