From 4731df1fe646faa4a92da0fe48ff4a25d812ead2 Mon Sep 17 00:00:00 2001
From: Abhijit Balaji <abhijitbalaji@google.com>
Date: Tue, 3 Feb 2026 13:19:30 -0800
Subject: [PATCH] feat: Deprecate tool args in favor of policy engine

Deprecate `--allowedTools`, `--excludeTools`, and `--coreTools` in favor of the Policy Engine.
Display a warning when `allowed-tools` CLI argument is used.

Fixes #11302
---
 packages/cli/src/config/config.ts  |  3 ++-
 packages/cli/src/gemini.tsx        | 10 ++++++++++
 packages/core/src/config/config.ts |  3 +++
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/packages/cli/src/config/config.ts b/packages/cli/src/config/config.ts
index 45bec5d41e..3aea0b0a9b 100755
--- a/packages/cli/src/config/config.ts
+++ b/packages/cli/src/config/config.ts
@@ -177,7 +177,8 @@ export async function parseArguments(
           type: 'array',
           string: true,
           nargs: 1,
-          description: 'Tools that are allowed to run without confirmation',
+          description:
+            '[DEPRECATED: Use Policy Engine instead See https://geminicli.com/docs/core/policy-engine] Tools that are allowed to run without confirmation.',
           coerce: (tools: string[]) =>
             // Handle comma-separated values
             tools.flatMap((tool) => tool.split(',').map((t) => t.trim())),
diff --git a/packages/cli/src/gemini.tsx b/packages/cli/src/gemini.tsx
index 1e0f4ecd06..56fb94a246 100644
--- a/packages/cli/src/gemini.tsx
+++ b/packages/cli/src/gemini.tsx
@@ -518,6 +518,16 @@ export async function main() {
 
     adminControlsListner.setConfig(config);
 
+    // Show deprecation warning only for allowedTools as that's the only one set by the user currently via command line args
+    if (config.getAllowedTools() !== undefined) {
+      setTimeout(() => {
+        coreEvents.emitFeedback(
+          'warning',
+          `The allowed-tools cli argument is deprecated and will be removed in Gemini CLI 1.0: Please use the Policy Engine to manage tool permissions instead: https://geminicli.com/docs/core/policy-engine/`,
+        );
+      }, 0);
+    }
+
     if (config.isInteractive() && config.storage && config.getDebugMode()) {
       const { registerActivityLogger } = await import(
         './utils/activityLogger.js'
diff --git a/packages/core/src/config/config.ts b/packages/core/src/config/config.ts
index 48f81d081f..7a0095121f 100644
--- a/packages/core/src/config/config.ts
+++ b/packages/core/src/config/config.ts
@@ -376,8 +376,11 @@ export interface ConfigParameters {
   debugMode: boolean;
   question?: string;
 
+  /** @deprecated Use the Policy System instead. See https://geminicli.com/docs/core/policy-engine/ */
   coreTools?: string[];
+  /** @deprecated Use the Policy System instead. See https://geminicli.com/docs/core/policy-engine/ */
   allowedTools?: string[];
+  /** @deprecated Use the Policy System instead. See https://geminicli.com/docs/core/policy-engine/ */
   excludeTools?: string[];
   toolDiscoveryCommand?: string;
   toolCallCommand?: string;