jamubc/gemini-mcp-tool v1.2.0-beta.1

v1.2.0-beta.1 — beta

on GitHub

Pre-release of 1.2.0. Not published to NPM.
A cumulative beta of the Windows work since 1.1.5 (bundles the CVE-2026-0755 fix from 1.1.6 + the stdin/windowsHide feature work from #77).

Install/test from this tag: npm install -g github:jamubc/gemini-mcp-tool#v1.2.0-beta.1

Security (included from 1.1.6)

• CVE-2026-0755 (CWE-78) — removed the broken prompt quoting that injected literal quotes under shell:false and corrupted @file references; added assertSafeFileReferences() to contain @file refs to the working directory (blocks @/etc/passwd, @~/.ssh/…, ../ traversal); hardened Windows cmd.exe argument quoting so metacharacters in spaceless tokens can't break out. Fixes #73, #66.

Windows

• Complex prompts (changeMode / @file) are sent via stdin, sidestepping cmd.exe parsing and the OS command-line length limit on large prompts.
• windowsHide suppresses the popup console window.
• Resolves the word-splitting / "positional + --prompt" failures (#62, #40, #30, #28).

Thanks

Windows diagnosis & PRs from @quantitypg-jpg, @toller892, @Sundeepg98, @cj-elevate, @leonardommello, @orzcls.