Add enforcedAuthType setting (#6564)

christine betts
2025-09-03 15:33:37 -07:00
committed by GitHub
parent 5cc23f0cd8
commit 987f08a619
10 changed files with 194 additions and 18 deletions


@@ -240,6 +240,10 @@ Settings are organized into categories. All settings should be placed within the
- **Description:** The currently selected authentication type.
- **Default:** `undefined`
- **`security.auth.enforcedType`** (string):
- **Description:** The required auth type (useful for enterprises).
- **Default:** `undefined`
- **`security.auth.useExternal`** (boolean):
- **Description:** Whether to use an external authentication flow.
- **Default:** `undefined`
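Review bot: The description added for `security.auth.enforcedType` ("The required auth type (useful for enterprises).") does not say which string values are accepted or what happens when the currently selected type differs from the enforced one. Since this is the reference entry an administrator will consult when locking down authentication, list the valid values here (the enterprise guide in this same commit uses `"oauth-personal"`), or link to where they are enumerated, and state in one sentence that a mismatch prompts the user to switch in interactive mode and exits with an error in non-interactive mode.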


@@ -317,6 +317,20 @@ For auditing and monitoring purposes, you can configure Gemini CLI to send telem
**Note:** Ensure that `logPrompts` is set to `false` in an enterprise setting to avoid collecting potentially sensitive information from user prompts.
## Authentication
You can enforce a specific authentication method for all users by setting the `enforcedAuthType` in the system-level `settings.json` file. This prevents users from choosing a different authentication method. See the [Authentication docs](./authentication.md) for more details.
**Example:** Enforce the use of Google login for all users.
```json
{
"enforcedAuthType": "oauth-personal"
}
```
If a user has a different authentication method configured, they will be prompted to switch to the enforced method. In non-interactive mode, the CLI will exit with an error if the configured authentication method does not match the enforced one.
## Putting It All Together: Example System `settings.json`
Here is an example of a system `settings.json` file that combines several of the patterns discussed above to create a secure, controlled environment for Gemini CLI.
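Review bot: The new Authentication section names the setting `enforcedAuthType` and shows it as a top-level key in the JSON example, while the settings reference changed in this same commit documents it as `security.auth.enforcedType`. An administrator who copies the example as written may end up with a key the CLI does not read, so the policy would not be enforced and nothing would signal it. Rewrite the example with the nested `security` / `auth` / `enforcedType` structure, or state explicitly that the flat key is also accepted. Two smaller points: the last paragraph covers a mismatched configured method but not the case where no method is configured at all in non-interactive mode, and the "Putting It All Together" example that follows would be a natural place to include the enforced auth type.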