From 773567c6ca9a0a5e824eb9d97238b7a0eae08a33 Mon Sep 17 00:00:00 2001
From: Coco Sheng <cocosheng@google.com>
Date: Fri, 10 Apr 2026 18:43:54 -0400
Subject: [PATCH] docs: correct documentation for enforced authentication type
 (#25142)

---
 docs/cli/enterprise.md                              | 10 +++++++---
 packages/cli/src/validateNonInterActiveAuth.test.ts |  6 +++---
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/docs/cli/enterprise.md b/docs/cli/enterprise.md
index a34a4be269..daea2eca01 100644
--- a/docs/cli/enterprise.md
+++ b/docs/cli/enterprise.md
@@ -505,15 +505,19 @@ events. For more information, see the [telemetry documentation](./telemetry.md).
 ## Authentication
 
 You can enforce a specific authentication method for all users by setting the
-`enforcedAuthType` in the system-level `settings.json` file. This prevents users
-from choosing a different authentication method. See the
+`security.auth.enforcedType` in the system-level `settings.json` file. This
+prevents users from choosing a different authentication method. See the
 [Authentication docs](../get-started/authentication.md) for more details.
 
 **Example:** Enforce the use of Google login for all users.
 
 ```json
 {
-  "enforcedAuthType": "oauth-personal"
+  "security": {
+    "auth": {
+      "enforcedType": "oauth-personal"
+    }
+  }
 }
 ```
 
diff --git a/packages/cli/src/validateNonInterActiveAuth.test.ts b/packages/cli/src/validateNonInterActiveAuth.test.ts
index 819a4c2924..ba469d2040 100644
--- a/packages/cli/src/validateNonInterActiveAuth.test.ts
+++ b/packages/cli/src/validateNonInterActiveAuth.test.ts
@@ -294,7 +294,7 @@ describe('validateNonInterActiveAuth', () => {
     expect(processExitSpy).not.toHaveBeenCalled();
   });
 
-  it('succeeds if effectiveAuthType matches enforcedAuthType', async () => {
+  it('succeeds if effectiveAuthType matches enforcedType', async () => {
     mockSettings.merged.security.auth.enforcedType = AuthType.USE_GEMINI;
     process.env['GEMINI_API_KEY'] = 'fake-key';
     const nonInteractiveConfig = createLocalMockConfig({});
@@ -308,7 +308,7 @@ describe('validateNonInterActiveAuth', () => {
     expect(debugLoggerErrorSpy).not.toHaveBeenCalled();
   });
 
-  it('exits if configuredAuthType does not match enforcedAuthType', async () => {
+  it('exits if configuredAuthType does not match enforcedType', async () => {
     mockSettings.merged.security.auth.enforcedType = AuthType.LOGIN_WITH_GOOGLE;
     const nonInteractiveConfig = createLocalMockConfig({
       getOutputFormat: vi.fn().mockReturnValue(OutputFormat.TEXT),
@@ -334,7 +334,7 @@ describe('validateNonInterActiveAuth', () => {
     );
   });
 
-  it('exits if auth from env var does not match enforcedAuthType', async () => {
+  it('exits if auth from env var does not match enforcedType', async () => {
     mockSettings.merged.security.auth.enforcedType = AuthType.LOGIN_WITH_GOOGLE;
     process.env['GEMINI_API_KEY'] = 'fake-key';
     const nonInteractiveConfig = createLocalMockConfig({