feat(cli): add temporary flag to disable workspace policies (#20523)

2026-05-12 12:54:07 -07:00 · 2026-02-27 09:25:16 -08:00
parent 3b2632fe40
commit 59c0e73718
3 changed files with 48 additions and 2 deletions
@@ -12,6 +12,8 @@ import {
  resolveWorkspacePolicyState,
  autoAcceptWorkspacePolicies,
  setAutoAcceptWorkspacePolicies,
  disableWorkspacePolicies,
  setDisableWorkspacePolicies,
 } from './policy.js';
 import { writeToStderr } from '@google/gemini-cli-core';
@@ -45,6 +47,9 @@ describe('resolveWorkspacePolicyState', () => {
    fs.mkdirSync(workspaceDir);
    policiesDir = path.join(workspaceDir, '.gemini', 'policies');
    // Enable policies for these tests to verify loading logic
    setDisableWorkspacePolicies(false);
    vi.clearAllMocks();
  });
@@ -67,6 +72,13 @@ describe('resolveWorkspacePolicyState', () => {
    });
  });
  it('should have disableWorkspacePolicies set to true by default', () => {
    // We explicitly set it to false in beforeEach for other tests,
    // so here we test that setting it to true works.
    setDisableWorkspacePolicies(true);
    expect(disableWorkspacePolicies).toBe(true);
  });
  it('should return policy directory if integrity matches', async () => {
    // Set up policies directory with a file
    fs.mkdirSync(policiesDir, { recursive: true });
@@ -188,7 +200,26 @@ describe('resolveWorkspacePolicyState', () => {
    expect(result.policyUpdateConfirmationRequest).toBeUndefined();
  });
-  it('should not return workspace policies if cwd is a symlink to the home directory', async () => {
+  it('should return empty state if disableWorkspacePolicies is true even if folder is trusted', async () => {
    setDisableWorkspacePolicies(true);
    // Set up policies directory with a file
    fs.mkdirSync(policiesDir, { recursive: true });
    fs.writeFileSync(path.join(policiesDir, 'policy.toml'), 'rules = []');
    const result = await resolveWorkspacePolicyState({
      cwd: workspaceDir,
      trustedFolder: true,
      interactive: true,
    });
    expect(result).toEqual({
      workspacePoliciesDir: undefined,
      policyUpdateConfirmationRequest: undefined,
    });
  });
  it('should return empty state if cwd is a symlink to the home directory', async () => {
    const policiesDir = path.join(tempDir, '.gemini', 'policies');
    fs.mkdirSync(policiesDir, { recursive: true });
    fs.writeFileSync(path.join(policiesDir, 'policy.toml'), 'rules = []');
@@ -35,6 +35,20 @@ export function setAutoAcceptWorkspacePolicies(value: boolean) {
  autoAcceptWorkspacePolicies = value;
 }
 /**
 * Temporary flag to disable workspace level policies altogether.
 * Exported as 'let' to allow monkey patching in tests via the setter.
 */
 export let disableWorkspacePolicies = true;
 /**
 * Sets the disableWorkspacePolicies flag.
 * Used primarily for testing purposes.
 */
 export function setDisableWorkspacePolicies(value: boolean) {
  disableWorkspacePolicies = value;
 }
 export async function createPolicyEngineConfig(
  settings: Settings,
  approvalMode: ApprovalMode,
@@ -81,7 +95,7 @@ export async function resolveWorkspacePolicyState(options: {
    | PolicyUpdateConfirmationRequest
    | undefined;
-  if (trustedFolder) {
+  if (trustedFolder && !disableWorkspacePolicies) {
    const storage = new Storage(cwd);
    // If we are in the home directory (or rather, our target Gemini dir is the global one),
@@ -54,6 +54,7 @@ describe('Workspace-Level Policy CLI Integration', () => {
  beforeEach(() => {
    vi.clearAllMocks();
    Policy.setDisableWorkspacePolicies(false);
    // Default to MATCH for existing tests
    mockCheckIntegrity.mockResolvedValue({
      status: 'match',