fix(cli): improve mcp list UX in untrusted folders

[Adib234]

Summary

This PR improves the UX of the gemini mcp list command when run in untrusted folders. It ensures that all configured MCP servers (including project-scoped ones) are visible and explicitly marked as Disabled, accompanied by a clear warning message explaining why they are not active.

Details

• LoadedSettings Enhancement: Added getMergedSettingsAsIfTrusted() to packages/cli/src/config/settings.ts. This allows the CLI to peek into project-scoped settings even when folder trust is not yet established, purely for informational commands like list.
• mcp list Logic: Updated packages/cli/src/commands/mcp/list.ts to use the "as-if-trusted" settings to identify configured servers. It now prints a warning when in an untrusted folder and forces the status of all servers to Disabled without attempting connection.
• Improved Consistency: Previously, project-scoped servers were completely hidden, and user-scoped servers were shown as "Connected" (if they could connect) even though they were suppressed in the interactive shell. This change makes the list command's output consistent with the actual execution environment's restrictions.

Related Issues

Fixes #24258

How to Validate

1. Create a new directory and don't trust it.
2. Add an MCP server to the project settings: gemini mcp add -t http -s project test-remote https://example.com/mcp
3. Run gemini mcp list.
   • Expected: A warning message appears, and test-remote is listed as ○ test-remote: https://example.com/mcp (http) - Disabled.
4. Trust the folder: gemini trust (or follow the prompt in the shell).
5. Run gemini mcp list again.
   • Expected: No warning, and test-remote shows its actual connection status (e.g., ✓ Connected).

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • npx
    • Docker
    • Podman
    • Seatbelt
  • Windows
    • npm run
    • npx
    • Docker
  • Linux
    • npm run
    • npx
    • Docker

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the user experience for the MCP server listing command by providing better visibility into configured servers when working in untrusted directories. By allowing the CLI to peek at project-scoped settings, it ensures that users are aware of all configured servers while maintaining security by explicitly marking them as disabled and providing clear guidance on the current trust state.

Highlights

• Improved MCP List UX: The gemini mcp list command now displays all configured MCP servers, including project-scoped ones, even when in an untrusted folder.
• Clearer Security Feedback: Added a warning message when running the command in untrusted folders to explain why servers are marked as 'Disabled'.
• Settings Access Enhancement: Introduced getMergedSettingsAsIfTrusted() to allow the CLI to inspect project-scoped settings for informational purposes without requiring folder trust.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates the mcp list command to improve visibility when working in untrusted folders. It now displays all configured MCP servers, including project-scoped ones, as 'Disabled' with a warning message, rather than suppressing them. A security-related feedback suggests using activeSettings instead of allSettings when determining server status to ensure that untrusted workspace configurations cannot override global security policies in the list output.

[github-actions]

Size Change: +919 B (0%)

Total Size: 34 MB

Filename	Size	Change
./bundle/chunk-55CS7NAR.js	0 B	-49.2 kB (removed)	🏆
./bundle/chunk-IJHZROUS.js	0 B	-2.73 MB (removed)	🏆
./bundle/chunk-J7W3UT2S.js	0 B	-658 kB (removed)	🏆
./bundle/chunk-JHBKXMFS.js	0 B	-3.43 kB (removed)	🏆
./bundle/chunk-NMBD3GXT.js	0 B	-3.8 kB (removed)	🏆
./bundle/chunk-RS3XYLFZ.js	0 B	-19.5 kB (removed)	🏆
./bundle/chunk-U6J56TRB.js	0 B	-12.5 kB (removed)	🏆
./bundle/chunk-VYEX2YDM.js	0 B	-14.7 MB (removed)	🏆
./bundle/core-F7XKBN7W.js	0 B	-48.7 kB (removed)	🏆
./bundle/devtoolsService-UTKVZEAS.js	0 B	-28 kB (removed)	🏆
./bundle/gemini-NH76B3YP.js	0 B	-583 kB (removed)	🏆
./bundle/interactiveCli-NDHHFUHJ.js	0 B	-1.33 MB (removed)	🏆
./bundle/liteRtServerManager-Z3B34EY7.js	0 B	-2.11 kB (removed)	🏆
./bundle/oauth2-provider-3FTJX62R.js	0 B	-9.16 kB (removed)	🏆
./bundle/chunk-BC566WXM.js	14.7 MB	+14.7 MB (new file)	🆕
./bundle/chunk-FBLEFY2N.js	19.5 kB	+19.5 kB (new file)	🆕
./bundle/chunk-KDJVO36P.js	3.8 kB	+3.8 kB (new file)	🆕
./bundle/chunk-MYYQROHO.js	12.5 kB	+12.5 kB (new file)	🆕
./bundle/chunk-NJPOMLBS.js	658 kB	+658 kB (new file)	🆕
./bundle/chunk-O6LAKS7N.js	2.73 MB	+2.73 MB (new file)	🆕
./bundle/chunk-Q5JX7PWS.js	3.43 kB	+3.43 kB (new file)	🆕
./bundle/chunk-RHSUGA5D.js	49.2 kB	+49.2 kB (new file)	🆕
./bundle/core-HITLFYRY.js	48.7 kB	+48.7 kB (new file)	🆕
./bundle/devtoolsService-HKP4VAZQ.js	28 kB	+28 kB (new file)	🆕
./bundle/gemini-2CO5BKE6.js	584 kB	+584 kB (new file)	🆕
./bundle/interactiveCli-N2XM2JWU.js	1.33 MB	+1.33 MB (new file)	🆕
./bundle/liteRtServerManager-V6TEKXM5.js	2.11 kB	+2.11 kB (new file)	🆕
./bundle/oauth2-provider-7ZVQSF5G.js	9.16 kB	+9.16 kB (new file)	🆕

ℹ️ View Unchanged

Filename	Size	Change
./bundle/bundled/third_party/index.js	8 MB	0 B
./bundle/chunk-34MYV7JD.js	2.45 kB	0 B
./bundle/chunk-5AUYMPVF.js	858 B	0 B
./bundle/chunk-5PS3AYFU.js	1.18 kB	0 B
./bundle/chunk-664ZODQF.js	124 kB	0 B
./bundle/chunk-DAHVX5MI.js	206 kB	0 B
./bundle/chunk-ECNYAST2.js	1.97 MB	0 B
./bundle/chunk-IUUIT4SU.js	56.5 kB	0 B
./bundle/chunk-RJTRUG2J.js	39.8 kB	0 B
./bundle/cleanup-QSVIWAB7.js	0 B	-932 B (removed)	🏆
./bundle/devtools-36NN55EP.js	696 kB	0 B
./bundle/dist-T73EYRDX.js	356 B	0 B
./bundle/events-XB7DADIJ.js	418 B	0 B
./bundle/examples/hooks/scripts/on-start.js	188 B	0 B
./bundle/examples/mcp-server/example.js	1.43 kB	0 B
./bundle/gemini.js	5.1 kB	0 B
./bundle/getMachineId-bsd-TXG52NKR.js	1.55 kB	0 B
./bundle/getMachineId-darwin-7OE4DDZ6.js	1.55 kB	0 B
./bundle/getMachineId-linux-SHIFKOOX.js	1.34 kB	0 B
./bundle/getMachineId-unsupported-5U5DOEYY.js	1.06 kB	0 B
./bundle/getMachineId-win-6KLLGOI4.js	1.72 kB	0 B
./bundle/memoryDiscovery-FB7MMKTA.js	980 B	0 B
./bundle/multipart-parser-KPBZEGQU.js	11.7 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js	222 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js	229 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js	13.4 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js	132 B	0 B
./bundle/sandbox-macos-permissive-open.sb	890 B	0 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB	0 B
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB	0 B
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB	0 B
./bundle/sandbox-macos-strict-open.sb	4.82 kB	0 B
./bundle/sandbox-macos-strict-proxied.sb	5.02 kB	0 B
./bundle/src-QVCVGIUX.js	47 kB	0 B
./bundle/start-HLP2GCBO.js	0 B	-652 B (removed)	🏆
./bundle/tree-sitter-7U6MW5PS.js	274 kB	0 B
./bundle/tree-sitter-bash-34ZGLXVX.js	1.84 MB	0 B
./bundle/cleanup-LB4XCVST.js	932 B	+932 B (new file)	🆕
./bundle/start-XTQSTLKT.js	652 B	+652 B (new file)	🆕

_{compressed-size-action}

[Adib234]

/gemini review

[gemini-code-assist]

Code Review

This pull request updates the mcp list command to display configured MCP servers as 'Disabled' in untrusted folders, accompanied by a warning message, rather than showing them as 'Disconnected'. It introduces a getMergedSettingsAsIfTrusted method in the settings configuration to allow the CLI to retrieve configured servers for informational purposes without compromising security. I have no feedback to provide.

[devr0306]

From /review-frontend

Thanks for the PR! The UX improvements look solid and you've safely handled the untrusted folder constraints.

I just have one minor code quality observation regarding testing:

Defensive check for test mocks
In packages/cli/src/commands/mcp/list.ts, you have:

  const allSettings =
    !loadedSettings.isTrusted && loadedSettings.getMergedSettingsAsIfTrusted
      ? loadedSettings.getMergedSettingsAsIfTrusted()
      : activeSettings;

Since loadedSettings is an instance of LoadedSettings in production, it will always have getMergedSettingsAsIfTrusted. The check && loadedSettings.getMergedSettingsAsIfTrusted seems to have been added purely because the existing tests in list.test.ts return a partial raw object mock.

Instead of polluting the production code with a defensive check for tests, please remove && loadedSettings.getMergedSettingsAsIfTrusted and update the test mocks in packages/cli/src/commands/mcp/list.test.ts to include the method, or ideally refactor them to use createMockSettings() from packages/cli/src/test-utils/settings.ts.

Otherwise, everything looks great!