fix(core): support symlinks for policies #25404

Open

kschaab wants to merge 2 commits into main from handle-symlinks

Conversation

@kschaab (Contributor) commented Apr 14, 2026

Summary

Updates the policy TOML loader to correctly follow symlinked files and directories. This ensures that users can symbolically link policies across workspaces or fallback paths without the loader failing.

Key changes:

  • Refactored readPolicyFiles to follow symlinks using fs.realpath.
  • Added recursion for symlinked directories with a visitedPaths tracker to prevent infinite circular traversal.
  • Added error handling within the directory scanning loop to catch and ignore ENOENT errors, ensuring that broken symlinks do not silently abort the loading of other valid policies in the same directory.
  • Added comprehensive unit tests for standard symlink behavior, circular symlink protection, and broken symlink resilience.
  • Updated mocked fs calls in tests to support realpath.

Related Issues

Fixes #20281, #21031

How to Validate

To validate locally using this branch, the following test case should work assuming you already have policy files in ~/.gemini/policies:

  • Move ~/.gemini/policies to a new location
  • Symlink ~/.gemini/policies to the new location, e.g. ln -s ~/tmp/redirected/policies ~/.gemini/policies
  • Validate the policies load when using npm run start

Additional tests to run are symlinking a policy file, creating nested symlinks, and creating a cycle of symlinks (symlinking the parent real path inside itself).

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed)
  • Added/updated tests (if needed)
  • Noted breaking changes (if any)
  • Validated on required platforms/methods:
    • MacOS
      • npm run
      • npx
      • Docker
      • Podman
      • Seatbelt
    • Windows
      • npm run
      • npx
      • Docker
    • Linux
      • npm run
      • npx
      • Docker

…links gracefully

Updates the policy TOML loader to correctly follow symlinked files and directories. This ensures that users can symbolically link policies across workspaces or fallback paths without the loader failing.

Key changes:
- Refactored readPolicyFiles to follow symlinks using fs.realpath.
- Added recursion for symlinked directories with a visitedPaths tracker to prevent infinite circular traversal.
- Added error handling within the directory scanning loop to catch and ignore ENOENT errors, ensuring that broken symlinks do not silently abort the loading of other valid policies in the same directory.
- Added comprehensive unit tests for standard symlink behavior, circular symlink protection, and broken symlink resilience.
- Updated mocked fs calls in tests to support realpath.
@kschaab kschaab requested a review from a team as a code owner April 14, 2026 18:25
@kschaab kschaab changed the title from "fix(core): support symlinks for workspace policies" to "fix(core): support symlinks for policies" Apr 14, 2026
@github-actions bot commented Apr 14, 2026

Size Change: +468 B (0%)

Total Size: 34.1 MB

Filename Size Change
./bundle/chunk-33UIFPTA.js 0 B -3.54 MB (removed) 🏆
./bundle/chunk-6I76Y3RE.js 0 B -14.9 MB (removed) 🏆
./bundle/chunk-HBMSOQ7Y.js 0 B -3.8 kB (removed) 🏆
./bundle/core-YAMYRDWY.js 0 B -46.5 kB (removed) 🏆
./bundle/devtoolsService-3JECW5A3.js 0 B -28.4 kB (removed) 🏆
./bundle/gemini-ZUI6AOP4.js 0 B -553 kB (removed) 🏆
./bundle/interactiveCli-A3VCBUJ7.js 0 B -1.29 MB (removed) 🏆
./bundle/oauth2-provider-OUQQVSXE.js 0 B -9.16 kB (removed) 🏆
./bundle/chunk-P4G4ETUJ.js 3.8 kB +3.8 kB (new file) 🆕
./bundle/chunk-UYQAMYIQ.js 3.54 MB +3.54 MB (new file) 🆕
./bundle/chunk-WE2NVCBY.js 14.9 MB +14.9 MB (new file) 🆕
./bundle/core-NDGDNXBS.js 46.5 kB +46.5 kB (new file) 🆕
./bundle/devtoolsService-VLH6KYMT.js 28.4 kB +28.4 kB (new file) 🆕
./bundle/gemini-4O53CALO.js 553 kB +553 kB (new file) 🆕
./bundle/interactiveCli-KOKKBOHB.js 1.29 MB +1.29 MB (new file) 🆕
./bundle/oauth2-provider-ASNOZAFD.js 9.16 kB +9.16 kB (new file) 🆕
Unchanged files:
Filename Size Change
./bundle/bundled/third_party/index.js 8 MB 0 B
./bundle/chunk-34MYV7JD.js 2.45 kB 0 B
./bundle/chunk-5AUYMPVF.js 858 B 0 B
./bundle/chunk-5PS3AYFU.js 1.18 kB 0 B
./bundle/chunk-664ZODQF.js 124 kB 0 B
./bundle/chunk-DAHVX5MI.js 206 kB 0 B
./bundle/chunk-IUUIT4SU.js 56.5 kB 0 B
./bundle/chunk-QM5IP3NK.js 1.97 MB 0 B
./bundle/chunk-RJTRUG2J.js 39.8 kB 0 B
./bundle/cleanup-E6EPHKUQ.js 0 B -932 B (removed) 🏆
./bundle/devtools-36NN55EP.js 696 kB 0 B
./bundle/dist-T73EYRDX.js 356 B 0 B
./bundle/events-XB7DADIJ.js 418 B 0 B
./bundle/gemini.js 4.97 kB 0 B
./bundle/getMachineId-bsd-TXG52NKR.js 1.55 kB 0 B
./bundle/getMachineId-darwin-7OE4DDZ6.js 1.55 kB 0 B
./bundle/getMachineId-linux-SHIFKOOX.js 1.34 kB 0 B
./bundle/getMachineId-unsupported-5U5DOEYY.js 1.06 kB 0 B
./bundle/getMachineId-win-6KLLGOI4.js 1.72 kB 0 B
./bundle/memoryDiscovery-MYQ3ZWKM.js 980 B 0 B
./bundle/multipart-parser-KPBZEGQU.js 11.7 kB 0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js 222 kB 0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js 229 kB 0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js 13.4 kB 0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js 132 B 0 B
./bundle/sandbox-macos-permissive-open.sb 890 B 0 B
./bundle/sandbox-macos-permissive-proxied.sb 1.31 kB 0 B
./bundle/sandbox-macos-restrictive-open.sb 3.36 kB 0 B
./bundle/sandbox-macos-restrictive-proxied.sb 3.56 kB 0 B
./bundle/sandbox-macos-strict-open.sb 4.82 kB 0 B
./bundle/sandbox-macos-strict-proxied.sb 5.02 kB 0 B
./bundle/src-QVCVGIUX.js 47 kB 0 B
./bundle/tree-sitter-7U6MW5PS.js 274 kB 0 B
./bundle/tree-sitter-bash-34ZGLXVX.js 1.84 MB 0 B
./bundle/cleanup-N45AOEFI.js 932 B +932 B (new file) 🆕

compressed-size-action

@gemini-code-assist bot commented
Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the policy TOML loader by introducing robust support for symbolic links. It ensures that policy files and directories can be correctly resolved and loaded even when they are symlinked, which is crucial for flexible workspace configurations. The changes prevent common issues like infinite loops from circular symlinks and gracefully handle non-existent targets, making the policy loading mechanism more resilient and user-friendly.

Highlights

  • Symlink Support: Refactored the readPolicyFiles function to correctly follow symbolic links using fs.realpath for both files and directories.
  • Circular Symlink Prevention: Implemented a visitedPaths tracker to prevent infinite recursion when encountering circular symbolic links during directory traversal.
  • Robust Error Handling: Added error handling within the directory scanning loop to gracefully ignore ENOENT errors, ensuring that broken symlinks do not halt the loading of other valid policies.
  • Comprehensive Testing: Introduced extensive unit tests covering various symlink scenarios, including loading symlinked files and directories, recursive symlinks, circular symlinks, and resilience to broken symlinks.
  • Test Infrastructure Update: Updated mocked fs calls in existing tests to properly support fs.realpath for consistent testing of file system interactions.

@gemini-code-assist bot left a review comment
Code Review

This pull request introduces support for symlinks and recursive directory traversal when loading policy files. It includes circularity detection to prevent infinite loops and updates the test suite to cover these new scenarios. A security concern was raised regarding the potential for path traversal or local file inclusion (LFI) because symlinks are followed without verifying if the target resides within an allowed boundary, which could lead to the exposure of sensitive system files.

Comment on lines +180 to +187
const entryStats = await fs.stat(entryPath);

if (entryStats.isDirectory()) {
// Recursive call
results.push(...(await readPolicyFiles(entryPath, visitedPaths)));
} else if (entryStats.isFile() && entry.name.endsWith('.toml')) {
const content = await fs.readFile(entryPath, 'utf-8');
results.push({ path: entryPath, content });
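Review bot: the `.toml` filter at `entry.name.endsWith('.toml')` is applied to the directory entry's own name, while `fs.stat(entryPath)` has already followed the link, so a symlink named `anything.toml` whose target is a regular file anywhere on the filesystem satisfies both `entryStats.isFile()` and the extension check and goes straight to `fs.readFile(entryPath, 'utf-8')`. Resolve `entryPath` with `fs.realpath` before the read and before the recursive call, reject a resolved path that falls outside the policy roots (for example when `path.relative(root, real)` starts with `..`), and record that resolved path in `visitedPaths`: the snippet passes `visitedPaths` on but does not show `entryPath` being resolved first, and a set keyed on the unresolved path will not recognise the same real directory reached through two different link names.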
@gemini-code-assist bot (label: security-high)
The readPolicyFiles function follows symbolic links when scanning for policy files and does not verify if the link target is within the intended directory. A malicious repository could include a symlink named with a .toml extension (e.g., exploit.toml) that points to a sensitive file on the user's machine (such as ~/.ssh/id_rsa or ~/.bash_history). When a user runs the tool within such a repository, the tool will attempt to read and parse the linked file. If the file is not a valid TOML, the resulting error message—which is emitted to the user's terminal—may contain portions of the sensitive file's content, leading to information exposure.

To mitigate this, consider restricting symlink following for workspace-level policies, or implement a check to ensure the target of a symlink is within an allowed boundary (e.g., the same directory or the project root).

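The loader described in the PR summary (symlink following via fs.realpath, a visited-path set against cycles, ENOENT tolerance for dangling links) combined with the boundary check suggested in the review comment above, written here as an added example in the project's language. It is not the project's readPolicyFiles: the function and type names (readPolicyFiles, isInside, ScanResult, SkipReason, buildDemoTree, demo), the allowedRoots parameter, the skip reasons and the placeholder TOML bodies are all assumptions of this example. buildDemoTree constructs, in a temporary directory, the tree from the PR's "How to Validate" steps (a relocated policies directory reached through a ~/.gemini/policies link, the parent real path linked inside itself, a dangling link) plus a link named exploit.toml that points outside the home directory, which is the case the review comment raises.

```typescript
import * as fs from 'node:fs/promises';
import * as os from 'node:os';
import * as path from 'node:path';

export interface PolicyFile {
  path: string; // real (link-resolved) path that was actually read
  content: string;
}

export type SkipReason = 'missing' | 'outside-boundary' | 'already-visited';

export interface ScanResult {
  policies: PolicyFile[];
  skipped: { path: string; reason: SkipReason; resolved?: string }[];
}

function isEnoent(err: unknown): boolean {
  return typeof err === 'object' && err !== null && (err as { code?: string }).code === 'ENOENT';
}

// True when `target` is `root` itself or lies beneath it. Both must already be realpath'd,
// otherwise a link inside root could still resolve anywhere.
function isInside(target: string, root: string): boolean {
  const rel = path.relative(root, target);
  return rel === '' || (rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel));
}

async function scan(p: string, roots: string[], visited: Set<string>, out: ScanResult): Promise<void> {
  let real: string;
  try {
    real = await fs.realpath(p); // follows the whole link chain; a dangling link raises ENOENT
  } catch (err) {
    if (isEnoent(err)) { out.skipped.push({ path: p, reason: 'missing' }); return; }
    throw err; // EACCES, ELOOP etc. are real errors, not "no policy here"
  }
  // Boundary check on the resolved target, not on the link name: a link called x.toml that
  // resolves to ~/.ssh/id_rsa is rejected here before anything is read or parsed.
  if (!roots.some((r) => isInside(real, r))) {
    out.skipped.push({ path: p, reason: 'outside-boundary', resolved: real });
    return;
  }
  // Keyed by real path, so a cycle or the same directory reached via two link names is seen once.
  if (visited.has(real)) {
    out.skipped.push({ path: p, reason: 'already-visited', resolved: real });
    return;
  }
  visited.add(real);
  const stats = await fs.stat(real);
  if (stats.isDirectory()) {
    for (const name of (await fs.readdir(real)).sort()) {
      await scan(path.join(real, name), roots, visited, out);
    }
  } else if (stats.isFile() && path.extname(p) === '.toml') {
    out.policies.push({ path: real, content: await fs.readFile(real, 'utf-8') });
  }
}

// Loads every *.toml reachable from `dir`, following links only while the resolved target
// stays inside one of `allowedRoots` (e.g. the user's home directory for ~/.gemini/policies).
export async function readPolicyFiles(dir: string, allowedRoots: string[]): Promise<ScanResult> {
  const roots = await Promise.all(allowedRoots.map((r) => fs.realpath(r)));
  const out: ScanResult = { policies: [], skipped: [] };
  await scan(dir, roots, new Set<string>(), out);
  return out;
}

// Constructed fixture (placeholder TOML, not real Gemini CLI policies) mirroring the PR's
// validation steps: ~/.gemini/policies -> ~/redirected/policies, which also contains a
// self-cycle, a dangling link and a .toml-named link escaping the home directory.
export async function buildDemoTree(): Promise<string> {
  const tmp = await fs.realpath(await fs.mkdtemp(path.join(os.tmpdir(), 'policy-symlinks-')));
  const home = path.join(tmp, 'home');
  const policies = path.join(home, 'redirected', 'policies');
  await fs.mkdir(path.join(policies, 'nested'), { recursive: true });
  await fs.mkdir(path.join(home, '.gemini'), { recursive: true });
  await fs.mkdir(path.join(tmp, 'outside'), { recursive: true });
  await fs.writeFile(path.join(policies, 'a.toml'), 'name = "a"\n');
  await fs.writeFile(path.join(policies, 'nested', 'b.toml'), 'name = "b"\n');
  await fs.writeFile(path.join(tmp, 'outside', 'secret.txt'), 'not a policy\n');
  await fs.symlink(policies, path.join(home, '.gemini', 'policies'));               // ln -s ~/redirected/policies ~/.gemini/policies
  await fs.symlink(policies, path.join(policies, 'loop'));                          // parent real path linked inside itself
  await fs.symlink('./does-not-exist.toml', path.join(policies, 'missing.toml'));   // dangling link
  await fs.symlink(path.join(tmp, 'outside', 'secret.txt'), path.join(policies, 'exploit.toml')); // .toml name, target outside home
  return tmp;
}

export async function demo(): Promise<ScanResult> {
  const tmp = await buildDemoTree();
  const home = path.join(tmp, 'home');
  const result = await readPolicyFiles(path.join(home, '.gemini', 'policies'), [home]);
  for (const s of result.skipped) console.log(`skipped ${s.path}: ${s.reason}${s.resolved ? ' -> ' + s.resolved : ''}`);
  return result;
}
```

With the home directory as the allowed root, demo() loads a.toml and nested/b.toml, records exploit.toml as outside-boundary, loop as already-visited and missing.toml as missing, and never opens secret.txt. Passing only ~/.gemini as the root instead makes the top-level link itself resolve outside the boundary and loads nothing, which is the "do not follow links for this policy level" option from the review comment expressed as a narrower root rather than a separate code path.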

Development

Successfully merging this pull request may close these issues.

Bug: Symbolic link policy files are silently ignored

1 participant