fix: Make trustedFolders file path configurable (#8306)

Co-authored-by: cornmander <shikhman@google.com>
2026-03-10 22:21:22 -07:00 · 2025-09-16 09:58:57 -07:00
parent a1ebb6f275
commit 80fa4a310b
2 changed files with 41 additions and 13 deletions
--- a/packages/cli/src/config/trustedFolders.test.ts
+++ b/packages/cli/src/config/trustedFolders.test.ts
@@ -21,7 +21,7 @@ import stripJsonComments from 'strip-json-comments';
 import * as path from 'node:path';
 import {
  loadTrustedFolders,
-  USER_TRUSTED_FOLDERS_PATH,
+  getTrustedFoldersPath,
  TrustLevel,
  isWorkspaceTrusted,
 } from './trustedFolders.js';
@@ -80,10 +80,10 @@ describe('Trusted Folders Loading', () => {
  describe('isPathTrusted', () => {
    function setup({ config = {} as Record<string, TrustLevel> } = {}) {
      (mockFsExistsSync as Mock).mockImplementation(
-        (p) => p === USER_TRUSTED_FOLDERS_PATH,
+        (p) => p === getTrustedFoldersPath(),
      );
      (fs.readFileSync as Mock).mockImplementation((p) => {
-        if (p === USER_TRUSTED_FOLDERS_PATH) return JSON.stringify(config);
+        if (p === getTrustedFoldersPath()) return JSON.stringify(config);
        return '{}';
      });

@@ -124,7 +124,7 @@ describe('Trusted Folders Loading', () => {
  });

  it('should load user rules if only user file exists', () => {
-    const userPath = USER_TRUSTED_FOLDERS_PATH;
+    const userPath = getTrustedFoldersPath();
    (mockFsExistsSync as Mock).mockImplementation((p) => p === userPath);
    const userContent = {
      '/user/folder': TrustLevel.TRUST_FOLDER,
@@ -142,7 +142,7 @@ describe('Trusted Folders Loading', () => {
  });

  it('should handle JSON parsing errors gracefully', () => {
-    const userPath = USER_TRUSTED_FOLDERS_PATH;
+    const userPath = getTrustedFoldersPath();
    (mockFsExistsSync as Mock).mockImplementation((p) => p === userPath);
    (fs.readFileSync as Mock).mockImplementation((p) => {
      if (p === userPath) return 'invalid json';
@@ -156,6 +156,31 @@ describe('Trusted Folders Loading', () => {
    expect(errors[0].message).toContain('Unexpected token');
  });

+  it('should use GEMINI_CLI_TRUSTED_FOLDERS_PATH env var if set', () => {
+    const customPath = '/custom/path/to/trusted_folders.json';
+    process.env['GEMINI_CLI_TRUSTED_FOLDERS_PATH'] = customPath;
+
+    (mockFsExistsSync as Mock).mockImplementation((p) => p === customPath);
+    const userContent = {
+      '/user/folder/from/env': TrustLevel.TRUST_FOLDER,
+    };
+    (fs.readFileSync as Mock).mockImplementation((p) => {
+      if (p === customPath) return JSON.stringify(userContent);
+      return '{}';
+    });
+
+    const { rules, errors } = loadTrustedFolders();
+    expect(rules).toEqual([
+      {
+        path: '/user/folder/from/env',
+        trustLevel: TrustLevel.TRUST_FOLDER,
+      },
+    ]);
+    expect(errors).toEqual([]);
+
+    delete process.env['GEMINI_CLI_TRUSTED_FOLDERS_PATH'];
+  });
+
  it('setValue should update the user config and save it', () => {
    const loadedFolders = loadTrustedFolders();
    loadedFolders.setValue('/new/path', TrustLevel.TRUST_FOLDER);
@@ -164,7 +189,7 @@ describe('Trusted Folders Loading', () => {
      TrustLevel.TRUST_FOLDER,
    );
    expect(mockFsWriteFileSync).toHaveBeenCalledWith(
-      USER_TRUSTED_FOLDERS_PATH,
+      getTrustedFoldersPath(),
      JSON.stringify({ '/new/path': TrustLevel.TRUST_FOLDER }, null, 2),
      { encoding: 'utf-8', mode: 0o600 },
    );
@@ -185,13 +210,13 @@ describe('isWorkspaceTrusted', () => {
  beforeEach(() => {
    vi.spyOn(process, 'cwd').mockImplementation(() => mockCwd);
    vi.spyOn(fs, 'readFileSync').mockImplementation((p) => {
-      if (p === USER_TRUSTED_FOLDERS_PATH) {
+      if (p === getTrustedFoldersPath()) {
        return JSON.stringify(mockRules);
      }
      return '{}';
    });
    vi.spyOn(fs, 'existsSync').mockImplementation(
-      (p) => p === USER_TRUSTED_FOLDERS_PATH,
+      (p) => p === getTrustedFoldersPath(),
    );
  });

--- a/packages/cli/src/config/trustedFolders.ts
+++ b/packages/cli/src/config/trustedFolders.ts
@@ -18,10 +18,13 @@ import stripJsonComments from 'strip-json-comments';
 export const TRUSTED_FOLDERS_FILENAME = 'trustedFolders.json';
 export const SETTINGS_DIRECTORY_NAME = '.gemini';
 export const USER_SETTINGS_DIR = path.join(homedir(), SETTINGS_DIRECTORY_NAME);
-export const USER_TRUSTED_FOLDERS_PATH = path.join(
-  USER_SETTINGS_DIR,
-  TRUSTED_FOLDERS_FILENAME,
-);
+
+export function getTrustedFoldersPath(): string {
+  if (process.env['GEMINI_CLI_TRUSTED_FOLDERS_PATH']) {
+    return process.env['GEMINI_CLI_TRUSTED_FOLDERS_PATH'];
+  }
+  return path.join(USER_SETTINGS_DIR, TRUSTED_FOLDERS_FILENAME);
+}

 export enum TrustLevel {
  TRUST_FOLDER = 'TRUST_FOLDER',
@@ -110,7 +113,7 @@ export function loadTrustedFolders(): LoadedTrustedFolders {
  const errors: TrustedFoldersError[] = [];
  const userConfig: Record<string, TrustLevel> = {};

-  const userPath = USER_TRUSTED_FOLDERS_PATH;
+  const userPath = getTrustedFoldersPath();

  // Load user trusted folders
  try {