feat(sdd): implement spec-to-tracker bridge and root tracker id generation

[moisgobg]

Summary

This PR implements the foundational Spec-to-Tracker bridge for the SDD extension. It configures a dedicated tracker directory for the extension and updates the create and setup commands to automatically generate a Root Tracker Epic for each new spec, establishing the 1:1 relationship between intent (spec) and execution state (tracker).

Details

• Configuration: Updated gemini-extension.json to configure .gemini/tracker as the specific tracker directory for the SDD extension.
• Policy Updates: Allowed tracker tools (e.g., tracker_create_task, tracker_update_task) to be called in Plan Mode via sdd.toml with an ask_user policy to ensure safety.
• Workflow Integration: Modified the interactive /spec:setup and /spec:create workflows in their respective TOML definitions to:
  • Call tracker_create_task (with type epic) upon spec approval.
  • Require the model to use detailed titles and descriptions.
  • Store the returned Task ID as root_tracker_id inside the spec's metadata.json.

Related Issues

Resolves #23802

How to Validate

1. Check out this branch and build the core package: npm run build -w @google/gemini-cli-core.
2. Start the CLI (npm start).
3. Run the command: /spec:create "Test the tracker integration".
4. Follow the interactive prompts and approve the drafted spec.
5. Verify the agent prompts for permission to execute tracker_create_task.
6. Inspect the generated metadata.json in .gemini/specs/specs/<spec_id>/ and ensure the root_tracker_id is present.
7. Verify the newly created epic task file exists in .gemini/tracker/.

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • npx
    • Docker
    • Podman
    • Seatbelt
  • Linux
    • npm run
    • npx
    • Docker
  • Windows
    • npm run
    • npx
    • Docker

[gemini-cli]

Hi @moisgobg, thank you so much for your contribution to Gemini CLI! We really appreciate the time and effort you've put into this.

We're making some updates to our contribution process to improve how we track and review changes. Please take a moment to review our recent discussion post: Improving Our Contribution Process & Introducing New Guidelines.

Key Update: Starting January 26, 2026, the Gemini CLI project will require all pull requests to be associated with an existing issue. Any pull requests not linked to an issue by that date will be automatically closed.

Thank you for your understanding and for being a part of our community!

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request establishes a foundational bridge between the SDD extension's specification system and the task tracking infrastructure. By automating the creation of a Root Tracker Epic during spec initialization, it ensures a consistent 1:1 relationship between project intent and execution state, while providing necessary configuration flexibility and security policies for tracker operations.

Highlights

• Tracker Directory Configuration: Configured '.gemini/tracker' as the default tracker directory for the SDD extension via 'gemini-extension.json' and added support for custom tracker directory settings.
• Workflow Integration: Updated '/spec:create' and '/spec:setup' workflows to automatically generate a Root Tracker Epic using 'tracker_create_task' and store the resulting ID in the spec's 'metadata.json'.
• Policy Updates: Enabled tracker-related tools in Plan Mode within 'sdd.toml' with an 'ask_user' policy to ensure safe execution.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces support for a configurable task tracker directory, allowing users and extensions to specify where tracking data is stored. It includes updates to the configuration schema, extension manager, and storage logic, along with corresponding unit tests. Additionally, the SDD (Software Design Document) built-in extension is updated to utilize the tracker for creating root tasks and managing spec metadata. A review comment suggests refactoring the path resolution logic in the storage module to eliminate code duplication and ensure consistent security checks for path traversal.

_{Note: Security Review did not run due to the size of the PR.}

[gemini-code-assist]

The logic inside getTrackerDir is nearly identical to the existing getPlansDir method. This duplication increases maintenance overhead and the risk of introducing inconsistencies if one is updated and the other is not. Since this logic includes security checks (path traversal prevention), it's particularly important to keep it DRY (Don't Repeat Yourself).

Consider refactoring this logic into a private helper method. This new method can then be used by both getTrackerDir and getPlansDir.

For example:

private _resolveCustomDir(
  customDir: string | undefined,
  dirTypeName: string,
  fallbackPath: string
): string {
  if (customDir) {
    const resolvedPath = path.resolve(this.getProjectRoot(), customDir);
    const realProjectRoot = resolveToRealPath(this.getProjectRoot());
    const realResolvedPath = resolveToRealPath(resolvedPath);

    if (!isSubpath(realProjectRoot, realResolvedPath)) {
      throw new Error(
        `Custom ${dirTypeName} directory '${customDir}' resolves to '${realResolvedPath}', which is outside the project root '${realProjectRoot}'.`
      );
    }

    return resolvedPath;
  }
  return fallbackPath;
}

Then getTrackerDir would become:

getTrackerDir(): string {
  return this._resolveCustomDir(
    this.customTrackerDir,
    'tracker',
    this.getProjectTempTrackerDir()
  );
}

References

1. Sanitize user-provided file paths used in file system operations to prevent path traversal vulnerabilities.
2. Ensure consistent path resolution by using a single, robust function (e.g., resolveToRealPath) for all related path validations.
3. Functionally similar sections should be located in the same spot for consistency, as security or other concerns for one likely apply to both.
4. Utility functions that perform file system operations should validate their path inputs internally to prevent path traversal vulnerabilities.