feat(policy): add --admin-policy flag for supplemental admin policies (#20360)

packages/cli/src/config/config.ts

@@ -76,6 +76,7 @@ export interface CliArgs {
   yolo: boolean | undefined;
   approvalMode: string | undefined;
   policy: string[] | undefined;
+  adminPolicy: string[] | undefined;
   allowedMcpServerNames: string[] | undefined;
   allowedTools: string[] | undefined;
   acp?: boolean;
@@ -97,6 +98,21 @@ export interface CliArgs {
   isCommand: boolean | undefined;
 }
 
+/**
+ * Helper to coerce comma-separated or multiple flag values into a flat array.
+ */
+const coerceCommaSeparated = (values: string[]): string[] => {
+  if (values.length === 1 && values[0] === '') {
+    return [''];
+  }
+  return values.flatMap((v) =>
+    v
+      .split(',')
+      .map((s) => s.trim())
+      .filter(Boolean),
+  );
+};
+
 export async function parseArguments(
   settings: MergedSettings,
 ): Promise<CliArgs> {
@@ -166,14 +182,15 @@ export async function parseArguments(
           nargs: 1,
           description:
             'Additional policy files or directories to load (comma-separated or multiple --policy)',
-          coerce: (policies: string[]) =>
-            // Handle comma-separated values
-            policies.flatMap((p) =>
-              p
-                .split(',')
-                .map((s) => s.trim())
-                .filter(Boolean),
-            ),
+          coerce: coerceCommaSeparated,
+        })
+        .option('admin-policy', {
+          type: 'array',
+          string: true,
+          nargs: 1,
+          description:
+            'Additional admin policy files or directories to load (comma-separated or multiple --admin-policy)',
+          coerce: coerceCommaSeparated,
         })
         .option('acp', {
           type: 'boolean',
@@ -189,11 +206,7 @@ export async function parseArguments(
           string: true,
           nargs: 1,
           description: 'Allowed MCP server names',
-          coerce: (mcpServerNames: string[]) =>
-            // Handle comma-separated values
-            mcpServerNames.flatMap((mcpServerName) =>
-              mcpServerName.split(',').map((m) => m.trim()),
-            ),
+          coerce: coerceCommaSeparated,
         })
         .option('allowed-tools', {
           type: 'array',
@@ -201,9 +214,7 @@ export async function parseArguments(
           nargs: 1,
           description:
             '[DEPRECATED: Use Policy Engine instead See https://geminicli.com/docs/core/policy-engine] Tools that are allowed to run without confirmation',
-          coerce: (tools: string[]) =>
-            // Handle comma-separated values
-            tools.flatMap((tool) => tool.split(',').map((t) => t.trim())),
+          coerce: coerceCommaSeparated,
         })
         .option('extensions', {
           alias: 'e',
@@ -212,11 +223,7 @@ export async function parseArguments(
           nargs: 1,
           description:
             'A list of extensions to use. If not provided, all extensions are used.',
-          coerce: (extensions: string[]) =>
-            // Handle comma-separated values
-            extensions.flatMap((extension) =>
-              extension.split(',').map((e) => e.trim()),
-            ),
+          coerce: coerceCommaSeparated,
         })
         .option('list-extensions', {
           alias: 'l',
@@ -258,9 +265,7 @@ export async function parseArguments(
           nargs: 1,
           description:
             'Additional directories to include in the workspace (comma-separated or multiple --include-directories)',
-          coerce: (dirs: string[]) =>
-            // Handle comma-separated values
-            dirs.flatMap((dir) => dir.split(',').map((d) => d.trim())),
+          coerce: coerceCommaSeparated,
         })
         .option('screen-reader', {
           type: 'boolean',
@@ -643,7 +648,8 @@ export async function loadCliConfig(
       ...settings.mcp,
       allowed: argv.allowedMcpServerNames ?? settings.mcp?.allowed,
     },
-    policyPaths: argv.policy,
+    policyPaths: argv.policy ?? settings.policyPaths,
+    adminPolicyPaths: argv.adminPolicy ?? settings.adminPolicyPaths,
   };
 
   const { workspacePoliciesDir, policyUpdateConfirmationRequest } =