feat(policy): change priority hierarchy to Admin > User > Project > Default

Updates the policy engine to prioritize User policies over Project-specific policies.
This change is a security measure to ensure that users maintain control over their
environment and are not inadvertently compromised by policies defined in a cloned
repository.

Key Changes:
- Swapped Tier 2 (now Project) and Tier 3 (now User).
- Updated documentation to reflect the new hierarchy.
- Updated all built-in policy TOML files with correct tier information.
- Adjusted all tests and integration test expectations to match new priority values.
Abhijit Balaji
2026-02-09 16:17:10 -08:00
parent f34a3ee1df
commit 3a24b0c975
12 changed files with 146 additions and 138 deletions
+7 -7
@@ -95,8 +95,8 @@ has a designated number that forms the base of the final priority calculation.
| Tier | Base | Description |
| :------ | :--- | :------------------------------------------------------------------------- |
| Default | 1 | Built-in policies that ship with the Gemini CLI. |
| User | 2 | Custom policies defined by the user. |
| Project | 3 | Policies defined in the current project's configuration directory. |
| Project | 2 | Policies defined in the current project's configuration directory. |
| User | 3 | Custom policies defined by the user. |
| Admin | 4 | Policies managed by an administrator (e.g., in an enterprise environment). |
Within a TOML policy file, you assign a priority value from **0 to 999**. The
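Review bot: The reordered table (Project base 2, User base 3) states the new hierarchy but not why User now outranks Project, and the docs are where a reader will look for that; consider a sentence after the table along the lines of "User policies take precedence over Project policies so that settings in a cloned repository cannot override a user's own configuration," which is the rationale the commit message gives. Also worth checking that nothing elsewhere in this document still refers to User as tier 2 or Project as tier 3, since the table is the only place this hunk touches.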
@@ -106,16 +106,16 @@ engine transforms this into a final priority using the following formula:
This system guarantees that:
- Admin policies always override Project, User, and Default policies.
- Project policies override User and Default policies.
- User policies always override Default policies.
- Admin policies always override User, Project, and Default policies.
- User policies override Project and Default policies.
- Project policies override Default policies.
- You can still order rules within a single tier with fine-grained control.
For example:
- A `priority: 50` rule in a Default policy file becomes `1.050`.
- A `priority: 100` rule in a User policy file becomes `2.100`.
- A `priority: 10` rule in a Project policy file becomes `3.010`.
- A `priority: 10` rule in a Project policy file becomes `2.010`.
- A `priority: 100` rule in a User policy file becomes `3.100`.
- A `priority: 20` rule in an Admin policy file becomes `4.020`.
### Approval modes
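Review bot: The new bullets are consistent with the table (Project 2.010, User 3.100), but the wording drops "always" from the User and Project lines while keeping it for Admin, which reads as if the lower tiers were softer guarantees; suggest "User policies always override Project and Default policies." and "Project policies always override Default policies." to match. Because priorities are bounded to 0 to 999 within a tier, the strongest Project rule (2.999) still sorts below the weakest User rule (3.000); stating that explicitly next to the examples would make the security property of this change clear to readers, e.g. "No `priority` value in a Project policy can exceed any User policy rule."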