Disallow Object.create() and reflect. #22408

Merged
gundermanc merged 3 commits into main from gundermanc/disallow-reflection
Mar 16, 2026

@gundermanc gundermanc commented Mar 14, 2026

Summary

Adds another linter rule to disallow Object.create() and reflect. These two capabilities are frequently used together to perform ad hoc clones of objects and to implement Proxy in a type unsafe way. This gap in type checking has resulted in a couple of regressions, including this one: #22397

More complete fix for: #22255

Fixes: #22675

@gundermanc gundermanc requested review from a team as code owners March 14, 2026 03:45
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the codebase's type safety and reduces potential regressions by introducing a new linter rule that prohibits the use of Object.create() and the Reflect namespace in product code. The existing code has been updated to comply with this new rule, replacing these constructs with more explicit and type-safe alternatives. This strategic change aims to prevent issues arising from ad hoc object cloning and unsafe Proxy implementations, leading to a more stable and maintainable system.

Highlights

  • New ESLint Rule: Introduced a new ESLint rule to disallow the use of Object.create() and the Reflect namespace in product code, aiming to improve type safety and prevent common pitfalls.
  • Code Refactoring: Refactored existing code to remove instances of Object.create() and Reflect, replacing them with safer and more explicit object manipulation patterns like object literals with getters, dedicated derive methods, and clone methods.
  • Improved Type Safety: The changes address a gap in type checking that previously led to regressions, promoting more robust and predictable object handling within the codebase.

Changelog

  • eslint.config.js
    • Added a new no-restricted-syntax rule to disallow Object.create() and Reflect in product code.
    • Updated ignores pattern to include packages/*/src/test-utils/**.
  • packages/core/src/agents/agent-scheduler.ts
    • Replaced Object.create(config) with a new object literal that uses getters to provide agent-specific context.
    • Removed the use of Object.defineProperty for overriding properties.
  • packages/core/src/agents/local-executor.ts
    • Removed an unused import for the Message type.
    • Replaced Object.create(parentMessageBus) with a call to the new parentMessageBus.derive(definition.name) method for creating a subagent-scoped message bus.
  • packages/core/src/agents/registry.ts
    • Replaced Object.create(definition) with an explicit object literal defining getters for all properties, ensuring lazy getters are preserved during merging.
    • Refactored the merging logic for runConfig and modelConfig within the new object literal.
  • packages/core/src/confirmation-bus/message-bus.ts
    • Added a new derive method to create a child MessageBus instance, specifically designed to scope messages to a subagent and inject its name into tool confirmation requests.
  • packages/core/src/tools/tool-registry.ts
    • Implemented a clone method to create a shallow copy of the ToolRegistry instance, including its current known tools.
  • packages/core/src/utils/stdio.ts
    • Added an isKey type guard function to safely check for property existence on objects.
    • Refactored createWorkingStdio to use explicit ProxyHandler objects and the new isKey type guard, eliminating direct Reflect.get calls and associated ESLint disable comments.
  • packages/sdk/src/session.ts
    • Replaced Object.create(originalRegistry) with a call to originalRegistry.clone() to create a scoped tool registry.
    • Adjusted the scopedRegistry.getTool method to correctly use the cloned registry's original getTool functionality.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a new ESLint rule to disallow Object.create() and Reflect in product code, aiming to enhance type safety. The changes include refactoring existing code to eliminate these patterns, replacing them with safer alternatives such as explicit object cloning, derivation methods, and type-safe property access. The modifications are consistent, well-implemented, and successfully improve the overall code quality and maintainability.
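
The scoped-registry change described in this thread (Object.create(originalRegistry) replaced by originalRegistry.clone()), shown as an added TypeScript example that is not code from gemini-cli. The Tool interface, this ToolRegistry class and the helper functions are hypothetical stand-ins. It shows that a prototype-delegating "clone" still writes into the parent's state and that its overrides are not type checked.

```typescript
// Added illustration; Tool, ToolRegistry and the helpers are hypothetical names.
interface Tool { name: string; requiresConfirmation: boolean }

class ToolRegistry {
  private readonly tools = new Map<string, Tool>();

  register(tool: Tool): void {
    this.tools.set(tool.name, tool);
  }
  getTool(name: string): Tool | undefined {
    return this.tools.get(name);
  }
  names(): string[] {
    return [...this.tools.keys()].sort();
  }
  // Explicit shallow copy: a new instance with its own Map of the known tools.
  clone(): ToolRegistry {
    const copy = new ToolRegistry();
    for (const tool of this.tools.values()) copy.register(tool);
    return copy;
  }
}

function makeParent(): ToolRegistry {
  const parent = new ToolRegistry();
  parent.register({ name: 'read_file', requiresConfirmation: false });
  return parent;
}

// Banned pattern: prototype delegation used as an ad hoc clone.
function scopeWithObjectCreate(parent: ToolRegistry): ToolRegistry {
  // Object.create() is typed as returning `any`, so nothing below is checked.
  const scoped = Object.create(parent);
  scoped.getTol = () => undefined; // misspelt override: compiles, is never called
  return scoped; // `this.tools` on this object resolves to the parent's Map
}

// Replacement pattern: an explicit, fully typed copy.
const scopeWithClone = (parent: ToolRegistry): ToolRegistry => parent.clone();

// Registers a tool on the scoped registry and reports what the parent now holds.
function parentToolsAfterScopedRegister(scope: (p: ToolRegistry) => ToolRegistry): string[] {
  const parent = makeParent();
  scope(parent).register({ name: 'run_shell', requiresConfirmation: true });
  return parent.names();
}
```

With Object.create the parent ends up holding run_shell as well; with clone() the registration stays in the scoped copy.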

@gemini-cli gemini-cli bot added the status/need-issue Pull requests that need to have an associated issue. label Mar 14, 2026
@github-actions

Size Change: +1.6 kB (+0.01%)

Total Size: 26.1 MB

Filename Size Change
./bundle/chunk-3I7LHW5W.js 0 B -3.62 MB (removed) 🏆
./bundle/chunk-5EOPIMBV.js 0 B -13.4 MB (removed) 🏆
./bundle/core-MVP2Q2GB.js 0 B -40.3 kB (removed) 🏆
./bundle/devtoolsService-SIQHGZVG.js 0 B -27.7 kB (removed) 🏆
./bundle/interactiveCli-NBP7WZRO.js 0 B -1.59 MB (removed) 🏆
./bundle/oauth2-provider-BRGVJZW6.js 0 B -9.19 kB (removed) 🏆
./bundle/chunk-ICL7YVNJ.js 3.62 MB +3.62 MB (new file) 🆕
./bundle/chunk-KB6O4TLU.js 13.4 MB +13.4 MB (new file) 🆕
./bundle/core-43DHITHE.js 40.3 kB +40.3 kB (new file) 🆕
./bundle/devtoolsService-O7CEBQAT.js 27.7 kB +27.7 kB (new file) 🆕
./bundle/interactiveCli-MNMP7FM2.js 1.59 MB +1.59 MB (new file) 🆕
./bundle/oauth2-provider-6RKS5TQ2.js 9.19 kB +9.19 kB (new file) 🆕

@gundermanc gundermanc added this pull request to the merge queue Mar 16, 2026
@gundermanc gundermanc linked an issue Mar 16, 2026 that may be closed by this pull request
@gemini-cli gemini-cli bot removed the status/need-issue Pull requests that need to have an associated issue. label Mar 16, 2026
Merged via the queue into main with commit ef5627e Mar 16, 2026
28 checks passed
@gundermanc gundermanc deleted the gundermanc/disallow-reflection branch March 16, 2026 16:43
kunal-10-cloud pushed a commit to kunal-10-cloud/gemini-cli that referenced this pull request Mar 21, 2026
ProthamD pushed a commit to ProthamD/gemini-cli that referenced this pull request Mar 29, 2026
warrenzhu25 pushed a commit to warrenzhu25/gemini-cli that referenced this pull request Apr 9, 2026

Development

Successfully merging this pull request may close these issues.

Disallow type unsafe reflection
