feat(plan): enforce strict read-only policy and halt execution on violation (#16849)

Jerop Kipruto
2026-01-16 12:56:48 -05:00
committed by GitHub
parent 013a4e02ff
commit 5241174827
4 changed files with 179 additions and 8 deletions
@@ -0,0 +1,76 @@
# Priority system for policy rules:
# - Higher priority numbers win over lower priority numbers
# - When multiple rules match, the highest priority rule is applied
# - Rules are evaluated in order of priority (highest first)
#
# Priority bands (tiers):
# - Default policies (TOML): 1 + priority/1000 (e.g., priority 100 → 1.100)
# - User policies (TOML): 2 + priority/1000 (e.g., priority 100 → 2.100)
# - Admin policies (TOML): 3 + priority/1000 (e.g., priority 100 → 3.100)
#
# This ensures Admin > User > Default hierarchy is always preserved,
# while allowing user-specified priorities to work within each tier.
#
# Settings-based and dynamic rules (all in user tier 2.x):
# 2.95: Tools that the user has selected as "Always Allow" in the interactive UI
# 2.9: MCP servers excluded list (security: persistent server blocks)
# 2.4: Command line flag --exclude-tools (explicit temporary blocks)
# 2.3: Command line flag --allowed-tools (explicit temporary allows)
# 2.2: MCP servers with trust=true (persistent trusted servers)
# 2.1: MCP servers allowed list (persistent general server allows)
#
# TOML policy priorities (before transformation):
# 10: Write tools default to ASK_USER (becomes 1.010 in default tier)
# 20: Plan mode catch-all DENY override (becomes 1.020 in default tier)
# 50: Read-only tools (becomes 1.050 in default tier)
# 999: YOLO mode allow-all (becomes 1.999 in default tier)
# Catch-All: Deny everything by default in Plan mode.
[[rule]]
decision = "deny"
priority = 20
modes = ["plan"]
# Explicitly Allow Read-Only Tools in Plan mode.
[[rule]]
toolName = "glob"
decision = "allow"
priority = 50
modes = ["plan"]
[[rule]]
toolName = "search_file_content"
decision = "allow"
priority = 50
modes = ["plan"]
[[rule]]
toolName = "list_directory"
decision = "allow"
priority = 50
modes = ["plan"]
[[rule]]
toolName = "read_file"
decision = "allow"
priority = 50
modes = ["plan"]
[[rule]]
toolName = "read_many_files"
decision = "allow"
priority = 50
modes = ["plan"]
[[rule]]
toolName = "google_web_search"
decision = "allow"
priority = 50
modes = ["plan"]
[[rule]]
toolName = "SubagentInvocation"
decision = "allow"
priority = 50