feat(security): add configuration to toggle Gemini CLI endpoint access

Closes: #2445
2026-04-21 07:02:05 +00:00 · 2026-04-03 21:46:49 +08:00
parent 06405f2129
commit adb580b344
3 changed files with 18 additions and 0 deletions
--- a/sdk/api/handlers/gemini/gemini-cli_handlers.go
+++ b/sdk/api/handlers/gemini/gemini-cli_handlers.go
@@ -50,6 +50,16 @@ func (h *GeminiCLIAPIHandler) Models() []map[string]any {
 // CLIHandler handles CLI-specific requests for Gemini API operations.
 // It restricts access to localhost only and routes requests to appropriate internal handlers.
 func (h *GeminiCLIAPIHandler) CLIHandler(c *gin.Context) {
+	if h.Cfg == nil || !h.Cfg.EnableGeminiCLIEndpoint {
+		c.JSON(http.StatusForbidden, handlers.ErrorResponse{
+			Error: handlers.ErrorDetail{
+				Message: "Gemini CLI endpoint is disabled",
+				Type:    "forbidden",
+			},
+		})
+		return
+	}
+
 	requestHost := c.Request.Host
 	requestHostname := requestHost
 	if hostname, _, errSplitHostPort := net.SplitHostPort(requestHost); errSplitHostPort == nil {