refactor(core): standardize MCP tool naming to mcp_ FQN format by abhipatel12 · Pull Request #21425 · google-gemini/gemini-cli

abhipatel12 · 2026-03-06T17:46:14Z

Summary

Standardize MCP tool names to the mcp_{server_name}_{tool_name} format,
strictly enforcing the Gemini API regex ^[a-zA-Z_][a-zA-Z0-9_\\-.:]{0,63}$.
This moves away from arbitrary string splitting based on __ in the Policy
Engine and instead relies on explicit serverName metadata to match rules,
making policy enforcement robust and preventing naming collisions or silent
bypasses due to tool name truncation.

Details

FQN Generation: Refactored generateValidName to automatically add the
mcp_ prefix and middle-truncate names longer than 63 characters with ...
to prevent silent bypasses.
Policy Engine Core: Added mcpName?: string to PolicyRule and
SafetyCheckerRule explicit server identity. Modified
matchesCompositePattern to depend on explicit serverName metadata.
Wildcard Expansion: Expanded matchesWildcard to natively parse explicit
wildcard matches like mcp_* and mcp_serverName_*.
Settings: Updated setting generation
(settings.mcp.allowed/settings.mcp.excluded) to produce valid FQN matches
seamlessly.
Feature Gap Identification: Kept tools.exclude configuration active in
settings.json because the Policy Engine's decision = "deny" was confirmed
to hide tools at the API schema level just like tools.exclude; deprecation
warnings for tools.exclude remain intact as intended.

Related Issues

N/A

How to Validate

Start the CLI with an MCP server defined in settings.
Verify through devtools or terminal output that registered tools begin with
the mcp_ prefix.
Validate that global wildcards in TOML rules such as mcpName = "my-server"
with toolName = "*" correctly allow/deny tool executions.
Verify truncated tool names (when a tool from the MCP server naturally
exceeds 63 characters) result in an ASK_USER interaction regardless of
broad allow policies.
Alternatively, run npm run preflight to confirm the full suite completes
successfully.

Pre-Merge Checklist

gemini-code-assist · 2026-03-06T17:48:49Z

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refactors the naming convention and policy enforcement for Managed Code Platform (MCP) tools. The primary goal is to enhance the robustness and security of how MCP tools are identified and governed within the system. By introducing a standardized mcp_ prefixed naming scheme and explicit server identity in policy rules, the changes eliminate ambiguities and potential vulnerabilities associated with the previous string-splitting approach. This ensures that tool names are consistently formatted, comply with API requirements, and that policy decisions are made based on clear, explicit metadata.

Highlights

Standardized MCP Tool Naming: MCP tool names are now standardized to the mcp_{server_name}_{tool_name} format, replacing the previous server_name__tool_name convention. This change enforces a strict naming regex and improves clarity and consistency.
Explicit MCP Server Identity in Policies: Policy rules and safety checker rules now include an explicit mcpName property. This allows for more precise policy enforcement by matching against dedicated metadata rather than relying on arbitrary string splitting, preventing naming collisions and silent bypasses.
Enhanced Tool Name Generation: The generateValidName utility function has been refactored to automatically prepend the mcp_ prefix to all generated MCP tool names and to middle-truncate names exceeding 63 characters, ensuring compliance with API length limits and providing a warning upon truncation.
Updated Policy Engine Logic: The policy engine's wildcard matching (matchesWildcard) and rule matching (ruleMatches) functions have been updated to natively parse the new mcp_* and mcp_serverName_* formats, leveraging the explicit mcpName for robust and secure policy evaluation.
Deprecation of Old Naming Syntax: The use of the __ separator in MCP tool names within TOML policy files will now trigger a deprecation warning, guiding users towards the new mcp_server_tool format or the mcpName policy property.

Changelog

packages/cli/src/config/policy-engine.integration.test.ts
- Updated integration tests to reflect the new mcp_server_tool naming convention for MCP tools in policy checks.
- Modified policy rule definitions to use mcp_server_* patterns instead of server__*.
packages/core/src/agents/local-executor.test.ts
- Removed the import of MCP_QUALIFIED_NAME_SEPARATOR.
- Updated the generation of qualified MCP tool names to use the mcp_server_tool format.
packages/core/src/core/snapshots/prompts.test.ts.snap
- Updated snapshot tests to reflect the new mcp_readonly-server_read_data naming for MCP tools in system prompts.
packages/core/src/core/loggingContentGenerator.test.ts
- Updated test cases to use the mcp_myserver_search naming convention.
- Modified a test description to align with the new mcp_ prefix requirement for MCP tools.
packages/core/src/core/prompts.test.ts
- Updated expected MCP tool names in system prompts to the new mcp_server_tool format.
packages/core/src/policy/config.test.ts
- Updated policy rule definitions to use the mcpName property for server-level rules instead of toolName patterns.
- Modified tools.allowed and tools.exclude settings to use the new mcp_server_tool format.
packages/core/src/policy/config.ts
- Imported MCP_TOOL_PREFIX.
- Modified the construction of toolName for MCP-related settings (mcp.excluded, mcp.trusted, mcp.allowed) to use MCP_TOOL_PREFIX and explicitly added mcpName to policy rules.
packages/core/src/policy/policy-engine.test.ts
- Updated numerous test cases to use the mcp_server_tool naming and the mcpName property in policy rules.
- Removed tests relying on the old server__tool format and implicit server name extraction.
- Modified wildcard patterns from *__* to mcp_* and server__* to mcp_server_*.
packages/core/src/policy/policy-engine.ts
- Imported MCP_TOOL_PREFIX.
- Refactored matchesWildcard to directly handle mcp_* and mcp_serverName_* patterns, removing the matchesCompositePattern function.
- Modified ruleMatches to strictly enforce mcpName identity if specified in a rule.
- Updated the check method to derive serverName from tool annotations or by parsing the MCP_TOOL_PREFIX from the tool name.
- Adjusted getExcludedTools to use mcpName and MCP_TOOL_PREFIX for matching.
packages/core/src/policy/toml-loader.test.ts
- Updated test cases to use mcp_* and mcp_server_tool naming in TOML policy rules and added mcpName to expected rules.
- Modified validateMcpPolicyToolNames calls to align with the new naming.
packages/core/src/policy/toml-loader.ts
- Imported MCP_TOOL_PREFIX.
- Added a deprecation warning in validateToolName for the old __ syntax in MCP tool names.
- Updated logic for transforming mcpName and toolName from TOML into policy rules, using MCP_TOOL_PREFIX and explicitly setting mcpName.
- Modified validateMcpPolicyToolNames to use MCP_TOOL_PREFIX for prefix checking.
packages/core/src/policy/types.ts
- Added the mcpName?: string property to the PolicyRule and SafetyCheckerRule interfaces.
packages/core/src/prompts/promptProvider.test.ts
- Updated expected MCP tool names in prompts to reflect the new mcp_server_tool format.
packages/core/src/tools/mcp-tool.test.ts
- Updated generateValidName tests to expect the mcp_ prefix and _ separator.
- Modified DiscoveredMCPTool constructor and getFullyQualifiedName tests to reflect the new fully qualified naming.
packages/core/src/tools/mcp-tool.ts
- Changed MCP_QUALIFIED_NAME_SEPARATOR from __ to _.
- Introduced MCP_TOOL_PREFIX = 'mcp_'.
- Updated isMcpToolName to check for the MCP_TOOL_PREFIX.
- Modified DiscoveredMCPTool constructor and getFullyQualifiedPrefix to use generateValidName with the new naming convention.
- Updated generateValidName to enforce the mcp_ prefix, refine character replacement, and add a warning for name truncation.
packages/core/src/tools/tool-registry.test.ts
- Removed MCP_QUALIFIED_NAME_SEPARATOR import.
- Updated test expectations for MCP tool names to the new mcp_server_tool format.
- Modified getTool tests to reflect that MCP tools are now registered and retrieved by their full mcp_server_tool name.

Activity

The author, abhipatel12, has updated relevant documentation and README (if needed) and added/updated tests (if needed).
The author has validated the changes on MacOS using npm run.
The author has verified that registered tools begin with the mcp_ prefix.
The author has validated that global wildcards in TOML rules correctly allow/deny tool executions.
The author has verified that truncated tool names result in an ASK_USER interaction.
The author has run npm run preflight to confirm the full suite completes successfully.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	`/gemini review`	Performs a code review for the current pull request in its current state.
Pull Request Summary	`/gemini summary`	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	`/gemini help`	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

github-actions · 2026-03-06T17:50:17Z

Size Change: -147 B (0%)

Total Size: 26 MB

ℹ️ View Unchanged

Filename	Size	Change
`./bundle/gemini.js`	25.5 MB	-147 B (0%)
`./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js`	221 kB	0 B
`./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js`	227 kB	0 B
`./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js`	11.5 kB	0 B
`./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js`	132 B	0 B
`./bundle/sandbox-macos-permissive-open.sb`	890 B	0 B
`./bundle/sandbox-macos-permissive-proxied.sb`	1.31 kB	0 B
`./bundle/sandbox-macos-restrictive-open.sb`	3.36 kB	0 B
`./bundle/sandbox-macos-restrictive-proxied.sb`	3.56 kB	0 B
`./bundle/sandbox-macos-strict-open.sb`	4.82 kB	0 B
`./bundle/sandbox-macos-strict-proxied.sb`	5.02 kB	0 B

_{compressed-size-action}

gemini-code-assist

Code Review

This pull request is a significant and valuable refactoring that standardizes MCP tool naming to a fully qualified name (FQN) format, mcp_{server_name}_{tool_name}. This change improves the robustness and security of the policy engine by moving away from ambiguous string splitting and relying on explicit serverName metadata in policy rules. The changes are consistent across the codebase, including updates to tests, configuration, and core policy logic. However, I've identified a critical security vulnerability in the fallback logic for inferring a server name from an FQN string, which could lead to policy bypass. My review includes a detailed explanation of the vulnerability and a suggestion for how to resolve it.

_{Note: Security Review did not run due to the size of the PR.}

packages/core/src/policy/policy-engine.ts

gundermanc · 2026-03-06T19:47:11Z

packages/core/src/policy/policy-engine.ts

+          let serverName =
+            typeof rawServerName === 'string' ? rawServerName : undefined;
+
+          if (!serverName && toolName.startsWith(MCP_TOOL_PREFIX)) {


Can we use the proposed parseMcpToolName() function here?

gundermanc · 2026-03-06T19:47:44Z

packages/core/src/policy/policy-engine.ts

+      // Check if over-ruled by an mcpName mismatch prior
+      let serverName: string | undefined;
+      // Best-effort extraction since we lack runtime metadata for processed tools list
+      if (toolName.startsWith(MCP_TOOL_PREFIX)) {


packages/core/src/policy/toml-loader.ts

gundermanc

Approved with some suggestions.

abhipatel12

thanks for the reveiw!

packages/core/src/policy/policy-engine.ts

packages/core/src/policy/toml-loader.ts

…ions

abhipatel12 · 2026-03-06T22:32:26Z

/patch preview

github-actions · 2026-03-06T22:32:42Z

✅ Patch workflow(s) dispatched successfully!

📋 Details:

Channels: preview
Commit: 931e668b4789c9cf77733f04f460d759bc5ed14f
Workflows Created: 1

🔗 Track Progress:

# Conflicts: # integration-tests/policy-headless.test.ts # packages/core/src/tools/mcp-tool.test.ts # packages/core/src/tools/mcp-tool.ts # packages/core/src/tools/tool-registry.test.ts

github-actions · 2026-03-06T22:41:34Z

🚀 Patch PR Created!

📋 Patch Details:

Environment: prod
Channel: preview → will publish to npm tag preview
Commit: 931e668b4789c9cf77733f04f460d759bc5ed14f
Hotfix Branch: hotfix/v0.33.0-preview.4/0.33.0-preview.5/preview/cherry-pick-931e668/pr-21425
Hotfix PR: #21478
⚠️ Status: Cherry-pick conflicts detected - manual resolution required

📝 Next Steps:

⚠️ Resolve conflicts in the hotfix PR first: #21478
Test your changes after resolving conflicts
Once merged, the patch release will automatically trigger
You'll receive updates here when the release completes

🔗 Track Progress:

View hotfix PR #21478

github-actions · 2026-03-07T01:00:52Z

🚀 Patch Release Started!

📋 Release Details:

Environment: prod
Channel: preview → publishing to npm tag preview
Version: v0.33.0-preview.4
Hotfix PR: Merged ✅
Release Branch: release/v0.33.0-preview.4-pr-21425

⏳ Status: The patch release is now running. You'll receive another update when it completes.

🔗 Track Progress:

View release workflow

github-actions · 2026-03-07T01:40:12Z

✅ Patch Release Complete!

📦 Release Details:

Version: 0.33.0-preview.5
NPM Tag: preview
Channel: preview
Dry Run: false

🎉 Status: Your patch has been successfully released and published to npm!

📝 What's Available:

GitHub Release: View release v0.33.0-preview.5
NPM Package: npm install @google/gemini-cli@preview

🔗 Links:

…e-gemini#21425)

abhipatel12 requested a review from a team as a code owner March 6, 2026 17:46

gemini-cli bot added the status/need-issue Pull requests that need to have an associated issue. label Mar 6, 2026

gemini-code-assist bot reviewed Mar 6, 2026

View reviewed changes

packages/core/src/policy/policy-engine.ts Outdated Show resolved Hide resolved