Fix all code

[samhiotisiddn-jpg]

Description

Please include a summary of the change and which issue is fixed. If adding a new feature or command, please include the output of running it with --dry-run to prove the JSON request body matches the Discovery Document schema.

Dry Run Output:

// Paste --dry-run output here if applicable

Checklist:

• My code follows the AGENTS.md guidelines (no generated google-* crates).
• I have run cargo fmt --all to format the code perfectly.
• I have run cargo clippy -- -D warnings and resolved all warnings.
• I have added tests that prove my fix is effective or that my feature works.
• I have provided a Changeset file (e.g. via pnpx changeset) to document my changes.

[changeset-bot]

🦋 Changeset detected

Latest commit: 526433e

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@googleworkspace/cli	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a powerful new AI agent capability to the Google Workspace CLI. By integrating with LLM providers, the CLI can now perform complex, multi-step tasks by leveraging a suite of tools, including direct Google Workspace API calls, Notion integration, Zapier automation, and browser-based actions. The implementation includes a robust configuration system, persistent memory management, and a flexible tool registry, significantly expanding the utility of the CLI for automated workflows.

Highlights

• New Agent Command: Added a new gws agent command that enables a terminal-based AI assistant capable of tool use.
• Tooling Infrastructure: Implemented a modular tool registry supporting Google Workspace, Notion, Zapier, Supabase, and a headless browser.
• LLM Integration: Added an OpenAI-compatible client supporting both OpenRouter and local Ollama providers.
• Conversational Memory: Introduced persistent memory support using Supabase or an in-process buffer for multi-turn interactions.

Ignored Files

• Ignored by pattern: .github/workflows/** (1)
  • .github/workflows/npm-publish-github-packages.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Generative AI Prohibited Use Policy, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a terminal-based AI agent, gws agent, which supports multi-turn conversations using LLM providers like OpenRouter and Ollama. The implementation includes a tool registry with integrations for Google Workspace, Notion, Zapier, Supabase, and a headless browser, along with persistent memory options. Feedback highlights a resource leak in the browser tool where tabs are not closed, a bypassable recursion check in the self-hosted CLI tool, and potential query parsing issues in the Supabase tool due to overly permissive URL encoding.

[gemini-code-assist]

The run_blocking function opens a new browser tab for every tool call but never closes it. Since the browser instance is reused across the entire agent session, this will lead to a significant accumulation of open tabs, consuming excessive memory and potentially causing the browser process to crash or become unresponsive during long sessions.

    fn run_blocking(
        browser: &headless_chrome::Browser,
        action: &str,
        args: &Value,
    ) -> Result<String, ToolError> {
        let tab = browser
            .new_tab()
            .map_err(|e| ToolError::runtime(format!("new_tab: {e}")))?;
        let res = match action {
            "navigate" => {
                let url = args
                    .get("url")
                    .and_then(|v| v.as_str())
                    .ok_or_else(|| ToolError::runtime("missing 'url'"))?;
                tab.navigate_to(url)
                    .map_err(|e| ToolError::runtime(format!("navigate: {e}")))?;
                tab.wait_until_navigated()
                    .map_err(|e| ToolError::runtime(format!("wait: {e}")))?;
                Ok(format!("navigated to {url}"))
            }
            "click" => {
                let url = args.get("url").and_then(|v| v.as_str());
                let selector = args
                    .get("selector")
                    .and_then(|v| v.as_str())
                    .ok_or_else(|| ToolError::runtime("missing 'selector'"))?;
                if let Some(u) = url {
                    tab.navigate_to(u)
                        .map_err(|e| ToolError::runtime(format!("navigate: {e}")))?;
                    tab.wait_until_navigated()
                        .map_err(|e| ToolError::runtime(format!("wait: {e}")))?;
                }
                let el = tab
                    .wait_for_element(selector)
                    .map_err(|e| ToolError::runtime(format!("element: {e}")))?;
                el.click()
                    .map_err(|e| ToolError::runtime(format!("click: {e}")))?;
                Ok(format!("clicked {selector}"))
            }
            "text" => {
                let url = args
                    .get("url")
                    .and_then(|v| v.as_str())
                    .ok_or_else(|| ToolError::runtime("missing 'url'"))?;
                tab.navigate_to(url)
                    .map_err(|e| ToolError::runtime(format!("navigate: {e}")))?;
                tab.wait_until_navigated()
                    .map_err(|e| ToolError::runtime(format!("wait: {e}")))?;
                let body = tab
                    .wait_for_element("body")
                    .map_err(|e| ToolError::runtime(format!("body: {e}")))?;
                let text = body
                    .get_inner_text()
                    .map_err(|e| ToolError::runtime(format!("inner text: {e}")))?;
                Ok(truncate(&text, 4000))
            }
            other => Err(ToolError::runtime(format!(
                "unknown browser action '{other}'"
            ))),
        };
        let _ = tab.close();
        res
    }

[gemini-code-assist]

The recursion check only inspects the first argument in the vector. This can be easily bypassed by an LLM using global flags (e.g., gws --api-version v1 agent ...), leading to infinite recursive agent loops and local resource exhaustion. The check should identify the "agent" command regardless of preceding flags.

Suggested change

	if argv.first().map(|s| s.as_str()) == Some("agent") {
	if argv.iter().find(|s| !s.starts_with('-')).map(|s| s.as_str()) == Some("agent") {

[gemini-code-assist]

The encode function includes , and : in its allow-list for PostgREST query values. However, PostgREST uses these characters as delimiters for operators (like in) and complex types (like ranges). Allowing them unencoded in the value part can lead to ambiguous or incorrect query parsing. Following standard percent-encoding for values is safer.

Suggested change

	if b.is_ascii_alphanumeric() || matches!(b, b'-' | b'_' | b'.' | b'~' | b',' | b':') {
	if b.is_ascii_alphanumeric() || matches!(b, b'-' | b'_' | b'.' | b'~') {

[googleworkspace-bot]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a terminal AI agent (gws agent) to the Google Workspace CLI, featuring a modular tool system, conversational memory backends, and support for multiple LLM providers. The implementation includes integrations for Notion, Zapier, Supabase, and a headless browser. Review feedback identifies several critical issues that need to be addressed: a resource leak in the browser tool where tabs are not closed on error, a flawed recursion check in the GWS tool, and incorrect argument extraction when global flags are used. Furthermore, security vulnerabilities were identified in the URL encoding logic across the Notion, Supabase, and memory modules, where unencoded dots could lead to path traversal or query injection attacks.

[gemini-code-assist]

The extraction of agent_args by skipping a fixed number of arguments (skip(2)) is incorrect when global flags (like --api-version) are provided before the agent command. This results in global flags and the agent command itself being passed as arguments to the agent handler, which misinterprets them as part of the prompt. A more robust approach is to find the position of the agent command in the argument vector.

Suggested change

	let agent_args: Vec<String> = args.iter().skip(2).cloned().collect();
	let agent_idx = args.iter().position(|a| a == "agent").unwrap_or(1);
	let agent_args: Vec<String> = args.iter().skip(agent_idx + 1).cloned().collect();

[gemini-code-assist]

The recursion check fails to detect the agent command if global flags with values are used before it (e.g., gws --api-version v1 agent). The find logic returns the first non-flag argument, which in this case would be the flag's value (v1), causing the check to miss the agent command and potentially allowing infinite recursive loops. Checking if any argument matches "agent" is a safer approach for this sandbox restriction.

Suggested change

	if argv.iter().find(|s| !s.starts_with('-')).map(|s| s.as_str()) == Some("agent") {
	if argv.iter().any(|s| s == "agent") {

[gemini-code-assist]

Allowing the dot character (.) in percent_encode_path introduces a path traversal vulnerability. Since this function is used to construct API paths (e.g., /pages/{page_id}), an attacker or a misbehaving model could provide .. as a page_id to access unintended API endpoints. The dot character should be percent-encoded for safety in path segments.

Suggested change

	if b.is_ascii_alphanumeric() || matches!(b, b'-' | b'_' | b'.' | b'~') {
	if b.is_ascii_alphanumeric() || matches!(b, b'-' | b'_' | b'~') {

[gemini-code-assist]

The encode function should not allow the dot character (.) as it is a reserved delimiter in PostgREST filter syntax (column=op.value). Allowing it unencoded in values can lead to query injection or misinterpretation of filters by the backend. Reserved characters in PostgREST values must be percent-encoded.

Suggested change

	if b.is_ascii_alphanumeric() || matches!(b, b'-' | b'_' | b'.' | b'~') {
	if b.is_ascii_alphanumeric() || matches!(b, b'-' | b'_' | b'~') {

[gemini-code-assist]

The browser tool leaks tabs when an error occurs during an operation. The tab.close() call is only reached at the end of successful execution paths. If any operation (like navigate_to or wait_for_element) returns an error via the ? operator, the tab handle is dropped without being closed in the browser process, leading to memory accumulation over time. The tab should be closed regardless of the operation's outcome.

        let res = (|| {
            match action {
                "navigate" => {
                    let url = args
                        .get("url")
                        .and_then(|v| v.as_str())
                        .ok_or_else(|| ToolError::runtime("missing 'url'"))?;
                    tab.navigate_to(url)
                        .map_err(|e| ToolError::runtime(format!("navigate: {e}")))?;
                    tab.wait_until_navigated()
                        .map_err(|e| ToolError::runtime(format!("wait: {e}")))?;
                    Ok(format!("navigated to {url}"))
                }
                "click" => {
                    let url = args.get("url").and_then(|v| v.as_str());
                    let selector = args
                        .get("selector")
                        .and_then(|v| v.as_str())
                        .ok_or_else(|| ToolError::runtime("missing 'selector'"))?;
                    if let Some(u) = url {
                        tab.navigate_to(u)
                            .map_err(|e| ToolError::runtime(format!("navigate: {e}")))?;
                        tab.wait_until_navigated()
                            .map_err(|e| ToolError::runtime(format!("wait: {e}")))?;
                    }
                    let el = tab
                        .wait_for_element(selector)
                        .map_err(|e| ToolError::runtime(format!("element: {e}")))?;
                    el.click()
                        .map_err(|e| ToolError::runtime(format!("click: {e}")))?;
                    Ok(format!("clicked {selector}"))
                }
                "text" => {
                    let url = args
                        .get("url")
                        .and_then(|v| v.as_str())
                        .ok_or_else(|| ToolError::runtime("missing 'url'"))?;
                    tab.navigate_to(url)
                        .map_err(|e| ToolError::runtime(format!("navigate: {e}")))?;
                    tab.wait_until_navigated()
                        .map_err(|e| ToolError::runtime(format!("wait: {e}")))?;
                    let body = tab
                        .wait_for_element("body")
                        .map_err(|e| ToolError::runtime(format!("body: {e}")))?;
                    let text = body
                        .get_inner_text()
                        .map_err(|e| ToolError::runtime(format!("inner text: {e}")))?;
                    Ok(truncate(&text, 4000))
                }
                other => Err(ToolError::runtime(format!(
                    "unknown browser action '{other}'"
                ))),
            }
        })();
        let _ = tab.close();
        res

[gemini-code-assist]

The urlencoding function allows the dot character (.), which is a reserved delimiter in PostgREST filter syntax. Since this function is used to encode conversation_id for Supabase queries, it should percent-encode dots to prevent potential query misinterpretation or injection if a custom ID contains dots.

Suggested change

	if b.is_ascii_alphanumeric() || matches!(b, b'-' | b'_' | b'.' | b'~') {
	if b.is_ascii_alphanumeric() || matches!(b, b'-' | b'_' | b'~') {