MediaMetz/gemini-cli
1
0
Fork 0
mirror of https://github.com/google-gemini/gemini-cli.git synced 2026-03-18 18:11:02 -07:00
Code Issues Packages Projects Releases Wiki Activity

feat(plan): enforce strict read-only policy and halt execution on violation (#16849)

Browse Source
This commit is contained in:
Jerop Kipruto
2026-01-16 12:56:48 -05:00
committed by GitHub
parent 013a4e02ff
commit 5241174827
4 changed files with 179 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
packages/cli/src/config/policy-engine.integration.test.ts
View File

@@ -287,6 +287,43 @@ describe('Policy Engine Integration Tests', () => {
).toBe(PolicyDecision.ASK_USER);
});
it('should handle Plan mode correctly', async () => {
const settings: Settings = {};
const config = await createPolicyEngineConfig(
settings,
ApprovalMode.PLAN,
);
const engine = new PolicyEngine(config);
// Read and search tools should be allowed
expect(
(await engine.check({ name: 'read_file' }, undefined)).decision,
).toBe(PolicyDecision.ALLOW);
expect(
(await engine.check({ name: 'google_web_search' }, undefined)).decision,
).toBe(PolicyDecision.ALLOW);
expect(
(await engine.check({ name: 'list_directory' }, undefined)).decision,
).toBe(PolicyDecision.ALLOW);
// Other tools should be denied via catch all
expect(
(await engine.check({ name: 'replace' }, undefined)).decision,
).toBe(PolicyDecision.DENY);
expect(
(await engine.check({ name: 'write_file' }, undefined)).decision,
).toBe(PolicyDecision.DENY);
expect(
(await engine.check({ name: 'run_shell_command' }, undefined)).decision,
).toBe(PolicyDecision.DENY);
// Unknown tools should be denied via catch-all
expect(
(await engine.check({ name: 'unknown_tool' }, undefined)).decision,
).toBe(PolicyDecision.DENY);
});
it('should verify priority ordering works correctly in practice', async () => {
const settings: Settings = {
tools: {