fix(core): replace hardcoded non-interactive ASK_USER denial with explicit policy rules (#23668)

2026-04-06 19:31:15 -07:00 · 2026-03-26 14:35:12 -04:00
parent aa4d9316a9
commit c888da5f73
13 changed files with 207 additions and 66 deletions
--- a/packages/cli/src/config/config.test.ts
+++ b/packages/cli/src/config/config.test.ts
@@ -143,12 +143,17 @@ vi.mock('@google/gemini-cli-core', async () => {
      respectGeminiIgnore: true,
      customIgnoreFilePaths: [],
    },
-    createPolicyEngineConfig: vi.fn(async () => ({
-      rules: [],
-      checkers: [],
-      defaultDecision: ServerConfig.PolicyDecision.ASK_USER,
-      approvalMode: ServerConfig.ApprovalMode.DEFAULT,
-    })),
+    createPolicyEngineConfig: vi.fn(
+      async (_settings, approvalMode, _workspacePoliciesDir, interactive) => ({
+        rules: [],
+        checkers: [],
+        defaultDecision: interactive
+          ? ServerConfig.PolicyDecision.ASK_USER
+          : ServerConfig.PolicyDecision.DENY,
+        approvalMode: approvalMode ?? ServerConfig.ApprovalMode.DEFAULT,
+        nonInteractive: !interactive,
+      }),
+    ),
    getAdminErrorMessage: vi.fn(
      (_feature) =>
        `YOLO mode is disabled by your administrator. To enable it, please request an update to the settings at: https://goo.gle/manage-gemini-cli`,
@@ -3460,6 +3465,8 @@ describe('Policy Engine Integration in loadCliConfig', () => {
        }),
      }),
      expect.anything(),
+      undefined,
+      expect.anything(),
    );
  });

@@ -3481,6 +3488,8 @@ describe('Policy Engine Integration in loadCliConfig', () => {
        }),
      }),
      expect.anything(),
+      undefined,
+      expect.anything(),
    );
  });

@@ -3504,6 +3513,8 @@ describe('Policy Engine Integration in loadCliConfig', () => {
        ],
      }),
      expect.anything(),
+      undefined,
+      expect.anything(),
    );
  });
 });
--- a/packages/cli/src/config/config.ts
+++ b/packages/cli/src/config/config.ts
@@ -792,8 +792,8 @@ export async function loadCliConfig(
    effectiveSettings,
    approvalMode,
    workspacePoliciesDir,
+    interactive,
  );
-  policyEngineConfig.nonInteractive = !interactive;

  const defaultModel = PREVIEW_GEMINI_MODEL_AUTO;
  const specifiedModel =
--- a/packages/cli/src/config/policy-engine.integration.test.ts
+++ b/packages/cli/src/config/policy-engine.integration.test.ts
@@ -605,12 +605,12 @@ describe('Policy Engine Integration Tests', () => {
    it('should verify non-interactive mode transformation', async () => {
      const settings: Settings = {};

-      const config = await createPolicyEngineConfig(
+      const engineConfig = await createPolicyEngineConfig(
        settings,
        ApprovalMode.DEFAULT,
+        undefined,
+        false,
      );
-      // Enable non-interactive mode
-      const engineConfig = { ...config, nonInteractive: true };
      const engine = new PolicyEngine(engineConfig);

      // ASK_USER should become DENY in non-interactive mode
--- a/packages/cli/src/config/policy.ts
+++ b/packages/cli/src/config/policy.ts
@@ -53,6 +53,7 @@ export async function createPolicyEngineConfig(
  settings: Settings,
  approvalMode: ApprovalMode,
  workspacePoliciesDir?: string,
+  interactive: boolean = true,
 ): Promise<PolicyEngineConfig> {
  // Explicitly construct PolicySettings from Settings to ensure type safety
  // and avoid accidental leakage of other settings properties.
@@ -68,7 +69,12 @@ export async function createPolicyEngineConfig(
      settings.admin?.secureModeEnabled,
  };

-  return createCorePolicyEngineConfig(policySettings, approvalMode);
+  return createCorePolicyEngineConfig(
+    policySettings,
+    approvalMode,
+    undefined,
+    interactive,
+  );
 }

 export function createPolicyUpdater(
--- a/packages/cli/src/config/workspace-policy-cli.test.ts
+++ b/packages/cli/src/config/workspace-policy-cli.test.ts
@@ -88,6 +88,8 @@ describe('Workspace-Level Policy CLI Integration', () => {
        ),
      }),
      expect.anything(),
+      undefined,
+      expect.anything(),
    );
  });

@@ -107,6 +109,8 @@ describe('Workspace-Level Policy CLI Integration', () => {
        workspacePoliciesDir: undefined,
      }),
      expect.anything(),
+      undefined,
+      expect.anything(),
    );
  });

@@ -131,6 +135,8 @@ describe('Workspace-Level Policy CLI Integration', () => {
        workspacePoliciesDir: undefined,
      }),
      expect.anything(),
+      undefined,
+      expect.anything(),
    );
  });

@@ -163,6 +169,8 @@ describe('Workspace-Level Policy CLI Integration', () => {
        ),
      }),
      expect.anything(),
+      undefined,
+      expect.anything(),
    );
  });

@@ -201,6 +209,8 @@ describe('Workspace-Level Policy CLI Integration', () => {
        ),
      }),
      expect.anything(),
+      undefined,
+      expect.anything(),
    );
  });

@@ -237,6 +247,8 @@ describe('Workspace-Level Policy CLI Integration', () => {
        ),
      }),
      expect.anything(),
+      undefined,
+      expect.anything(),
    );
  });

@@ -278,6 +290,8 @@ describe('Workspace-Level Policy CLI Integration', () => {
          workspacePoliciesDir: undefined,
        }),
        expect.anything(),
+        undefined,
+        expect.anything(),
      );
    } finally {
      // Restore for other tests