feat(policy): implement hot-reloading for workspace policies

This change eliminates the need for a CLI restart when a user accepts new or changed project-level policies. Workspace rules are now dynamically injected into the active PolicyEngine instance. Key improvements: - Added Config.loadWorkspacePolicies() to handle mid-session rule injection. - Fully encapsulated acceptance and integrity logic within PolicyUpdateDialog. - Integrated centralized keybindings (Command.ESCAPE) for dialog dismissal. - Refactored PolicyIntegrityManager tests to use a real temporary directory instead of filesystem mocks for improved reliability. - Updated copyright headers to 2026 across affected files. - Added UI snapshot tests for the policy update dialog. Addresses review feedback from PR #18682.
2026-06-29 04:37:12 -07:00 · 2026-02-18 12:54:47 -08:00
parent 8feff1cc9b
commit 662654c5d2
13 changed files with 248 additions and 269 deletions
@@ -199,7 +199,7 @@ const mockUIActions: UIActions = {
  vimHandleInput: vi.fn(),
  handleIdePromptComplete: vi.fn(),
  handleFolderTrustSelect: vi.fn(),
-  handlePolicyUpdateSelect: vi.fn(),
+  setIsPolicyUpdateDialogOpen: vi.fn(),
  setConstrainHeight: vi.fn(),
  onEscapePromptChange: vi.fn(),
  refreshStatic: vi.fn(),
@@ -122,7 +122,7 @@ import { appEvents, AppEvent, TransientMessageType } from '../utils/events.js';
 import { type UpdateObject } from './utils/updateCheck.js';
 import { setUpdateHandler } from '../utils/handleAutoUpdate.js';
 import { registerCleanup, runExitCleanup } from '../utils/cleanup.js';
-import { RELAUNCH_EXIT_CODE, relaunchApp } from '../utils/processUtils.js';
+import { RELAUNCH_EXIT_CODE } from '../utils/processUtils.js';
 import type { SessionInfo } from '../utils/sessionUtils.js';
 import { useMessageQueue } from './hooks/useMessageQueue.js';
 import { useMcpStatus } from './hooks/useMcpStatus.js';
@@ -154,7 +154,6 @@ import {
 } from './constants.js';
 import { LoginWithGoogleRestartDialog } from './auth/LoginWithGoogleRestartDialog.js';
 import { NewAgentsChoice } from './components/NewAgentsNotification.js';
-import { PolicyUpdateChoice } from './components/PolicyUpdateDialog.js';
 import { isSlashCommand } from './utils/commandUtils.js';
 import { useTerminalTheme } from './hooks/useTerminalTheme.js';
 import { useTimedMessage } from './hooks/useTimedMessage.js';
@@ -1446,32 +1445,6 @@ Logging in with Google... Restarting Gemini CLI to continue.
  const [isPolicyUpdateDialogOpen, setIsPolicyUpdateDialogOpen] = useState(
    !!policyUpdateConfirmationRequest,
  );
-  const [isRestartingPolicyUpdate, setIsRestartingPolicyUpdate] =
-    useState(false);
-
-  const handlePolicyUpdateSelect = useCallback(
-    async (choice: PolicyUpdateChoice) => {
-      if (
-        choice === PolicyUpdateChoice.ACCEPT &&
-        policyUpdateConfirmationRequest
-      ) {
-        const integrityManager = new PolicyIntegrityManager();
-        await integrityManager.acceptIntegrity(
-          policyUpdateConfirmationRequest.scope,
-          policyUpdateConfirmationRequest.identifier,
-          policyUpdateConfirmationRequest.newHash,
-        );
-        setIsRestartingPolicyUpdate(true);
-        // Give time for the UI to render the restarting message
-        setTimeout(async () => {
-          await relaunchApp();
-        }, 250);
-      } else {
-        setIsPolicyUpdateDialogOpen(false);
-      }
-    },
-    [policyUpdateConfirmationRequest],
-  );

  const {
    needsRestart: ideNeedsRestart,
@@ -2173,7 +2146,6 @@ Logging in with Google... Restarting Gemini CLI to continue.
      isFolderTrustDialogOpen: isFolderTrustDialogOpen ?? false,
      isPolicyUpdateDialogOpen,
      policyUpdateConfirmationRequest,
-      isRestartingPolicyUpdate,
      isTrustedFolder,
      constrainHeight,
      showErrorDetails,
@@ -2298,7 +2270,6 @@ Logging in with Google... Restarting Gemini CLI to continue.
      isFolderTrustDialogOpen,
      isPolicyUpdateDialogOpen,
      policyUpdateConfirmationRequest,
-      isRestartingPolicyUpdate,
      isTrustedFolder,
      constrainHeight,
      showErrorDetails,
@@ -2396,7 +2367,7 @@ Logging in with Google... Restarting Gemini CLI to continue.
      vimHandleInput,
      handleIdePromptComplete,
      handleFolderTrustSelect,
-      handlePolicyUpdateSelect,
+      setIsPolicyUpdateDialogOpen,
      setConstrainHeight,
      onEscapePromptChange: handleEscapePromptChange,
      refreshStatic,
@@ -2481,7 +2452,7 @@ Logging in with Google... Restarting Gemini CLI to continue.
      vimHandleInput,
      handleIdePromptComplete,
      handleFolderTrustSelect,
-      handlePolicyUpdateSelect,
+      setIsPolicyUpdateDialogOpen,
      setConstrainHeight,
      handleEscapePromptChange,
      refreshStatic,
@@ -167,16 +167,12 @@ export const DialogManager = ({
      />
    );
  }
-  if (
-    uiState.isPolicyUpdateDialogOpen &&
-    uiState.policyUpdateConfirmationRequest
-  ) {
+  if (uiState.isPolicyUpdateDialogOpen) {
    return (
      <PolicyUpdateDialog
-        onSelect={uiActions.handlePolicyUpdateSelect}
-        scope={uiState.policyUpdateConfirmationRequest.scope}
-        identifier={uiState.policyUpdateConfirmationRequest.policyDir}
-        isRestarting={uiState.isRestartingPolicyUpdate}
+        config={config}
+        request={uiState.policyUpdateConfirmationRequest!}
+        onClose={() => uiActions.setIsPolicyUpdateDialogOpen(false)}
      />
    );
  }
@@ -4,46 +4,76 @@
 * SPDX-License-Identifier: Apache-2.0
 */

-import { describe, it, expect, vi, afterEach } from 'vitest';
+import { describe, it, expect, vi, afterEach, beforeEach } from 'vitest';
 import { act } from 'react';
 import { renderWithProviders } from '../../test-utils/render.js';
 import { waitFor } from '../../test-utils/async.js';
+import { PolicyUpdateDialog } from './PolicyUpdateDialog.js';
 import {
-  PolicyUpdateDialog,
-  PolicyUpdateChoice,
-} from './PolicyUpdateDialog.js';
+  type Config,
+  type PolicyUpdateConfirmationRequest,
+  PolicyIntegrityManager,
+} from '@google/gemini-cli-core';
+
+// Mock PolicyIntegrityManager
+vi.mock('@google/gemini-cli-core', async (importOriginal) => {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  const original = (await importOriginal()) as any;
+  return {
+    ...original,
+    PolicyIntegrityManager: vi.fn().mockImplementation(() => ({
+      acceptIntegrity: vi.fn().mockResolvedValue(undefined),
+    })),
+  };
+});

 describe('PolicyUpdateDialog', () => {
+  let mockConfig: Config;
+  let mockRequest: PolicyUpdateConfirmationRequest;
+  let onClose: () => void;
+
+  beforeEach(() => {
+    mockConfig = {
+      loadWorkspacePolicies: vi.fn().mockResolvedValue(undefined),
+    } as unknown as Config;
+
+    mockRequest = {
+      scope: 'workspace',
+      identifier: '/test/workspace/.gemini/policies',
+      policyDir: '/test/workspace/.gemini/policies',
+      newHash: 'test-hash',
+    } as PolicyUpdateConfirmationRequest;
+
+    onClose = vi.fn();
+  });
+
  afterEach(() => {
    vi.clearAllMocks();
  });

-  it('renders correctly with default props', () => {
-    const onSelect = vi.fn();
+  it('renders correctly and matches snapshot', () => {
    const { lastFrame } = renderWithProviders(
      <PolicyUpdateDialog
-        onSelect={onSelect}
-        scope="workspace"
-        identifier="/test/path"
-        isRestarting={false}
+        config={mockConfig}
+        request={mockRequest}
+        onClose={onClose}
      />,
    );

    const output = lastFrame();
+    expect(output).toMatchSnapshot();
    expect(output).toContain('New or changed workspace policies detected');
-    expect(output).toContain('Location: /test/path');
+    expect(output).toContain('Location: /test/workspace/.gemini/policies');
    expect(output).toContain('Accept and Load');
    expect(output).toContain('Ignore');
  });

-  it('calls onSelect with ACCEPT when accept option is chosen', async () => {
-    const onSelect = vi.fn();
+  it('handles ACCEPT correctly', async () => {
    const { stdin } = renderWithProviders(
      <PolicyUpdateDialog
-        onSelect={onSelect}
-        scope="workspace"
-        identifier="/test/path"
-        isRestarting={false}
+        config={mockConfig}
+        request={mockRequest}
+        onClose={onClose}
      />,
    );

@@ -53,18 +83,20 @@ describe('PolicyUpdateDialog', () => {
    });

    await waitFor(() => {
-      expect(onSelect).toHaveBeenCalledWith(PolicyUpdateChoice.ACCEPT);
+      expect(PolicyIntegrityManager).toHaveBeenCalled();
+      expect(mockConfig.loadWorkspacePolicies).toHaveBeenCalledWith(
+        mockRequest.policyDir,
+      );
+      expect(onClose).toHaveBeenCalled();
    });
  });

-  it('calls onSelect with IGNORE when ignore option is chosen', async () => {
-    const onSelect = vi.fn();
+  it('handles IGNORE correctly', async () => {
    const { stdin } = renderWithProviders(
      <PolicyUpdateDialog
-        onSelect={onSelect}
-        scope="workspace"
-        identifier="/test/path"
-        isRestarting={false}
+        config={mockConfig}
+        request={mockRequest}
+        onClose={onClose}
      />,
    );

@@ -77,44 +109,27 @@ describe('PolicyUpdateDialog', () => {
    });

    await waitFor(() => {
-      expect(onSelect).toHaveBeenCalledWith(PolicyUpdateChoice.IGNORE);
+      expect(PolicyIntegrityManager).not.toHaveBeenCalled();
+      expect(mockConfig.loadWorkspacePolicies).not.toHaveBeenCalled();
+      expect(onClose).toHaveBeenCalled();
    });
  });

-  it('calls onSelect with IGNORE when Escape is pressed', async () => {
-    const onSelect = vi.fn();
+  it('calls onClose when Escape key is pressed', async () => {
    const { stdin } = renderWithProviders(
      <PolicyUpdateDialog
-        onSelect={onSelect}
-        scope="workspace"
-        identifier="/test/path"
-        isRestarting={false}
+        config={mockConfig}
+        request={mockRequest}
+        onClose={onClose}
      />,
    );

    await act(async () => {
-      stdin.write('\x1B'); // Escape key
+      stdin.write('\x1B'); // Escape key (matches Command.ESCAPE default)
    });

    await waitFor(() => {
-      expect(onSelect).toHaveBeenCalledWith(PolicyUpdateChoice.IGNORE);
+      expect(onClose).toHaveBeenCalled();
    });
  });
-
-  it('displays restarting message when isRestarting is true', () => {
-    const onSelect = vi.fn();
-    const { lastFrame } = renderWithProviders(
-      <PolicyUpdateDialog
-        onSelect={onSelect}
-        scope="workspace"
-        identifier="/test/path"
-        isRestarting={true}
-      />,
-    );
-
-    const output = lastFrame();
-    expect(output).toContain(
-      'Gemini CLI is restarting to apply the policy changes...',
-    );
-  });
 });
@@ -5,11 +5,18 @@
 */

 import { Box, Text } from 'ink';
+import { useCallback } from 'react';
 import type React from 'react';
+import {
+  type Config,
+  type PolicyUpdateConfirmationRequest,
+  PolicyIntegrityManager,
+} from '@google/gemini-cli-core';
 import { theme } from '../semantic-colors.js';
 import type { RadioSelectItem } from './shared/RadioButtonSelect.js';
 import { RadioButtonSelect } from './shared/RadioButtonSelect.js';
 import { useKeypress } from '../hooks/useKeypress.js';
+import { keyMatchers, Command } from '../keyMatchers.js';

 export enum PolicyUpdateChoice {
  ACCEPT = 'accept',
@@ -17,32 +24,46 @@ export enum PolicyUpdateChoice {
 }

 interface PolicyUpdateDialogProps {
-  onSelect: (choice: PolicyUpdateChoice) => void;
-  scope: string;
-  identifier: string;
-  isRestarting?: boolean;
+  config: Config;
+  request: PolicyUpdateConfirmationRequest;
+  onClose: () => void;
 }

 export const PolicyUpdateDialog: React.FC<PolicyUpdateDialogProps> = ({
-  onSelect,
-  scope,
-  identifier,
-  isRestarting,
+  config,
+  request,
+  onClose,
 }) => {
+  const handleSelect = useCallback(
+    async (choice: PolicyUpdateChoice) => {
+      if (choice === PolicyUpdateChoice.ACCEPT) {
+        const integrityManager = new PolicyIntegrityManager();
+        await integrityManager.acceptIntegrity(
+          request.scope,
+          request.identifier,
+          request.newHash,
+        );
+        await config.loadWorkspacePolicies(request.policyDir);
+      }
+      onClose();
+    },
+    [config, request, onClose],
+  );
+
  useKeypress(
    (key) => {
-      if (key.name === 'escape') {
-        onSelect(PolicyUpdateChoice.IGNORE);
+      if (keyMatchers[Command.ESCAPE](key)) {
+        onClose();
        return true;
      }
      return false;
    },
-    { isActive: !isRestarting },
+    { isActive: true },
  );

  const options: Array<RadioSelectItem<PolicyUpdateChoice>> = [
    {
-      label: 'Accept and Load (Requires Restart)',
+      label: 'Accept and Load',
      value: PolicyUpdateChoice.ACCEPT,
      key: 'accept',
    },
@@ -65,9 +86,9 @@ export const PolicyUpdateDialog: React.FC<PolicyUpdateDialogProps> = ({
      >
        <Box flexDirection="column" marginBottom={1}>
          <Text bold color={theme.text.primary}>
-            New or changed {scope} policies detected
+            New or changed {request.scope} policies detected
          </Text>
-          <Text color={theme.text.primary}>Location: {identifier}</Text>
+          <Text color={theme.text.primary}>Location: {request.identifier}</Text>
          <Text color={theme.text.primary}>
            Do you want to accept and load these policies?
          </Text>
@@ -75,17 +96,10 @@ export const PolicyUpdateDialog: React.FC<PolicyUpdateDialogProps> = ({

        <RadioButtonSelect
          items={options}
-          onSelect={onSelect}
-          isFocused={!isRestarting}
+          onSelect={handleSelect}
+          isFocused={true}
        />
      </Box>
-      {isRestarting && (
-        <Box marginLeft={1} marginTop={1}>
-          <Text color={theme.status.warning}>
-            Gemini CLI is restarting to apply the policy changes...
-          </Text>
-        </Box>
-      )}
    </Box>
  );
 };
@@ -0,0 +1,14 @@
+// Vitest Snapshot v1, https://vitest.dev/guide/snapshot.html
+
+exports[`PolicyUpdateDialog > renders correctly and matches snapshot 1`] = `
+" ╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
+ │                                                                                                                    │
+ │ New or changed workspace policies detected                                                                         │
+ │ Location: /test/workspace/.gemini/policies                                                                         │
+ │ Do you want to accept and load these policies?                                                                     │
+ │                                                                                                                    │
+ │ ● 1. Accept and Load                                                                                               │
+ │   2. Ignore (Use Default Policies)                                                                                 │
+ │                                                                                                                    │
+ ╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯"
+`;
@@ -1,6 +1,6 @@
 /**
 * @license
- * Copyright 2025 Google LLC
+ * Copyright 2026 Google LLC
 * SPDX-License-Identifier: Apache-2.0
 */

@@ -8,7 +8,6 @@ import { createContext, useContext } from 'react';
 import { type Key } from '../hooks/useKeypress.js';
 import { type IdeIntegrationNudgeResult } from '../IdeIntegrationNudge.js';
 import { type FolderTrustChoice } from '../components/FolderTrustDialog.js';
-import { type PolicyUpdateChoice } from '../components/PolicyUpdateDialog.js';
 import {
  type AuthType,
  type EditorType,
@@ -53,7 +52,7 @@ export interface UIActions {
  vimHandleInput: (key: Key) => boolean;
  handleIdePromptComplete: (result: IdeIntegrationNudgeResult) => void;
  handleFolderTrustSelect: (choice: FolderTrustChoice) => void;
-  handlePolicyUpdateSelect: (choice: PolicyUpdateChoice) => Promise<void>;
+  setIsPolicyUpdateDialogOpen: (value: boolean) => void;
  setConstrainHeight: (value: boolean) => void;
  onEscapePromptChange: (show: boolean) => void;
  refreshStatic: () => void;
@@ -115,7 +115,6 @@ export interface UIState {
  isFolderTrustDialogOpen: boolean;
  isPolicyUpdateDialogOpen: boolean;
  policyUpdateConfirmationRequest: PolicyUpdateConfirmationRequest | undefined;
-  isRestartingPolicyUpdate: boolean;
  isTrustedFolder: boolean | undefined;
  constrainHeight: boolean;
  showErrorDetails: boolean;