
fix(patch): cherry-pick 24adacd to release/v0.34.0-preview.2-pr-22332 to patch version v0.34.0-preview.2 and create version 0.34.0-preview.3#22391

Merged
galz10 merged 1 commit into release/v0.34.0-preview.2-pr-22332 from hotfix/v0.34.0-preview.2/0.34.0-preview.3/preview/cherry-pick-24adacd/pr-22332
Mar 13, 2026

Conversation

@gemini-cli-robot

Collaborator

This PR automatically cherry-picks commit 24adacd to patch version v0.34.0-preview.2 in the preview release to create version 0.34.0-preview.3.

@gemini-cli-robot gemini-cli-robot requested a review from a team as a code owner March 13, 2026 23:07
@gemini-code-assist

Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refactors the token storage mechanism to enhance robustness and simplify the logic for handling secure credentials. The primary change involves centralizing the fallback from native OS keychain to encrypted file storage within the KeychainService. This was achieved by introducing a new FileKeychain implementation, which replaces the previously standalone FileTokenStorage, and modifying HybridTokenStorage to always rely on KeychainTokenStorage for its storage decisions. This ensures that the application always has a functional secure storage solution, even if native keychain services are unavailable or encounter issues.

Highlights

  • Refactored Keychain Fallback: The logic for falling back from native OS keychain to encrypted file storage has been moved from HybridTokenStorage to KeychainService.
  • Introduced FileKeychain: A new FileKeychain class was added to encapsulate the encrypted file-based storage mechanism, implementing the Keychain interface.
  • Removed FileTokenStorage: The FileTokenStorage class and its associated test file were removed, as its functionality is now superseded by FileKeychain.
  • Simplified HybridTokenStorage: The HybridTokenStorage now consistently uses KeychainTokenStorage, which internally manages the native/file-based fallback, simplifying the overall token storage selection.
  • Enhanced Robustness: The KeychainService is now designed to always provide a functional storage backend, either through native keychain or the FileKeychain fallback, improving reliability.
Changelog
  • packages/core/src/mcp/oauth-token-storage.test.ts
    • Updated Vitest mocking syntax for node:path and mockHybridTokenStorage.
  • packages/core/src/mcp/token-storage/file-token-storage.test.ts
    • Removed the test file for FileTokenStorage.
  • packages/core/src/mcp/token-storage/file-token-storage.ts
    • Removed the FileTokenStorage class.
  • packages/core/src/mcp/token-storage/hybrid-token-storage.test.ts
    • Updated tests to reflect the removal of direct FileTokenStorage usage and the new isUsingFileFallback logic in KeychainTokenStorage.
  • packages/core/src/mcp/token-storage/hybrid-token-storage.ts
    • Refactored initializeStorage to always use KeychainTokenStorage and query its fallback status.
  • packages/core/src/mcp/token-storage/index.ts
    • Removed export of file-token-storage.js and added export of keychain-token-storage.js.
  • packages/core/src/mcp/token-storage/keychain-token-storage.ts
    • Added isUsingFileFallback method.
  • packages/core/src/services/fileKeychain.ts
    • Added a new class FileKeychain for encrypted file-based credential storage.
  • packages/core/src/services/keychainService.test.ts
    • Updated tests to verify the new fallback behavior to FileKeychain and the handling of GEMINI_FORCE_FILE_STORAGE.
  • packages/core/src/services/keychainService.ts
    • Implemented fallback logic to FileKeychain if native keychain is unavailable or forced by environment variable, and added isUsingFileFallback method.
Activity
  • The pull request was automatically created by gemini-cli-robot to cherry-pick a specific commit, indicating an automated release process.
  • The changes primarily involve refactoring and improving the robustness of the token storage mechanism.

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request refactors the credential storage by consolidating file-based and keychain-based storage into a single KeychainService with a file-based fallback. However, the encryption key derivation in the new FileKeychain is weak, relying on a hardcoded password and non-secret system information, which effectively reduces the encryption to obfuscation. Additionally, this refactoring introduces a critical data loss issue as it lacks logic to migrate existing tokens from the old mcp-oauth-tokens-v2.json file to the new gemini-credentials.json format, impacting users who relied on file-based storage. A more secure key derivation method and a migration path are needed to address these issues.

Comment on lines +18 to +22
constructor() {
const configDir = path.join(homedir(), GEMINI_DIR);
this.tokenFilePath = path.join(configDir, 'gemini-credentials.json');
this.encryptionKey = this.deriveEncryptionKey();
}


critical

This new FileKeychain implementation introduces a critical data loss issue for users who were previously using the file-based token storage. The old implementation (FileTokenStorage) used mcp-oauth-tokens-v2.json, but this new implementation uses gemini-credentials.json with a different internal structure and does not attempt to migrate existing data.

This will cause users who relied on the file-based fallback to lose all their saved OAuth tokens upon updating.

A migration path should be implemented. For example, in the constructor or loadData, you could check for the existence of the old file, read and convert the data to the new format, save it to the new file, and then delete or rename the old file to prevent re-migration.

Comment on lines +25 to +26
const salt = `${os.hostname()}-${os.userInfo().username}-gemini-cli`;
return crypto.scryptSync('gemini-cli-oauth', salt, 32);


security-high

The FileKeychain class, which serves as the fallback mechanism for secure credential storage when a native OS keychain is unavailable, uses a hardcoded password ('gemini-cli-oauth') and non-secret system information (hostname and username) to derive its encryption key via scryptSync. Because both the password and the salt are either hardcoded in the source code or easily discoverable on the system, the encryption provides very little security beyond the file system permissions. An attacker who obtains the encrypted credentials file (e.g., through backups, unauthorized disk access, or a separate vulnerability) can easily derive the encryption key and decrypt the sensitive OAuth tokens stored within.

@github-actions


Size Change: -656 B (0%)

Total Size: 26.5 MB

Filename Size Change
./bundle/gemini.js 26 MB -656 B (0%)
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js 221 kB 0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js 227 kB 0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js 11.5 kB 0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js 132 B 0 B
./bundle/sandbox-macos-permissive-open.sb 890 B 0 B
./bundle/sandbox-macos-permissive-proxied.sb 1.31 kB 0 B
./bundle/sandbox-macos-restrictive-open.sb 3.36 kB 0 B
./bundle/sandbox-macos-restrictive-proxied.sb 3.56 kB 0 B
./bundle/sandbox-macos-strict-open.sb 4.82 kB 0 B
./bundle/sandbox-macos-strict-proxied.sb 5.02 kB 0 B

compressed-size-action

@gemini-cli gemini-cli Bot added the status/need-issue Pull requests that need to have an associated issue. label Mar 13, 2026
@galz10 galz10 merged commit 810cd67 into release/v0.34.0-preview.2-pr-22332 Mar 13, 2026
28 checks passed
@galz10 galz10 deleted the hotfix/v0.34.0-preview.2/0.34.0-preview.3/preview/cherry-pick-24adacd/pr-22332 branch March 13, 2026 23:20
@sripasg sripasg added the size/xl An extra large PR label Jun 2, 2026