Wrap read_mcp_resource output with wrapUntrusted() for consistency with mcp-tool

[AgentGymLeader]

Resolves #27983

What

Wrap the resource text returned by read_mcp_resource with wrapUntrusted() before it is passed to the model, and update the tests accordingly.

Why

ReadMcpResourceToolInvocation returns MCP-server-supplied resource text directly as llmContent, while the sibling MCP path in mcp-tool.ts already wraps the same class of content with wrapUntrusted() (resource text and text blocks). MCP resource content is third-party / untrusted input, so today read_mcp_resource output reaches the model without the untrusted-context signal that every other tool applies. This change makes the two code paths consistent.

Changes

• packages/core/src/tools/read-mcp-resource.ts: import wrapUntrusted and wrap non-empty contentText (the empty-content fallback message is unchanged).
• packages/core/src/tools/read-mcp-resource.test.ts: assertions updated to expect the wrapped output.

Testing

npx vitest run src/tools/read-mcp-resource.test.ts in packages/core → 5/5 passing. prettier --check and eslint are clean on the changed files.

Prepared with AI assistance; reviewed and tested locally.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request improves the security posture of the MCP resource reading tool by applying consistent untrusted-content signaling. By wrapping resource output with wrapUntrusted(), the system ensures that third-party data is handled with the same security context as other tool invocations, preventing potential issues with unvalidated model inputs.

Highlights

• Security Consistency: Wrapped MCP resource content with wrapUntrusted() to ensure third-party input is correctly signaled to the model, aligning with existing patterns in mcp-tool.
• Test Updates: Updated unit tests in read-mcp-resource.test.ts to verify that the llmContent is now correctly wrapped.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[github-actions]

📊 PR Size: size/S

• Lines changed: 10
• Additions: +7
• Deletions: -3
• Files changed: 2

[github-actions]

🛑 Action Required: Evaluation Approval

Steering changes have been detected in this PR. To prevent regressions, a maintainer must approve the evaluation run before this PR can be merged.

Maintainers:

1. Go to the Workflow Run Summary.
2. Click the yellow 'Review deployments' button.
3. Select the 'eval-gate' environment and click 'Approve'.

Once approved, the evaluation results will be posted here automatically.

[gemini-code-assist]

Code Review

This pull request updates the ReadMcpResourceTool to wrap the retrieved resource content in wrapUntrusted before returning it as llmContent. The corresponding unit tests in read-mcp-resource.test.ts have also been updated to reflect this change. There are no review comments to address, and I have no feedback to provide.

[AgentGymLeader]

@googlebot I signed it!