feat(policy): implement project-level policy support (#18682)

2026-04-12 22:31:12 -07:00 · 2026-02-19 16:16:03 -08:00
parent d25c469f77
commit d8b24e6983
32 changed files with 1895 additions and 186 deletions
--- a/packages/cli/src/ui/AppContainer.tsx
+++ b/packages/cli/src/ui/AppContainer.tsx
@@ -1438,6 +1438,13 @@ Logging in with Google... Restarting Gemini CLI to continue.

  const { isFolderTrustDialogOpen, handleFolderTrustSelect, isRestarting } =
    useFolderTrust(settings, setIsTrustedFolder, historyManager.addItem);
+
+  const policyUpdateConfirmationRequest =
+    config.getPolicyUpdateConfirmationRequest();
+  const [isPolicyUpdateDialogOpen, setIsPolicyUpdateDialogOpen] = useState(
+    !!policyUpdateConfirmationRequest,
+  );
+
  const {
    needsRestart: ideNeedsRestart,
    restartReason: ideTrustRestartReason,
@@ -1910,6 +1917,7 @@ Logging in with Google... Restarting Gemini CLI to continue.
    (shouldShowRetentionWarning && retentionCheckComplete) ||
    shouldShowIdePrompt ||
    isFolderTrustDialogOpen ||
+    isPolicyUpdateDialogOpen ||
    adminSettingsChanged ||
    !!commandConfirmationRequest ||
    !!authConsentRequest ||
@@ -2137,6 +2145,8 @@ Logging in with Google... Restarting Gemini CLI to continue.
      isResuming,
      shouldShowIdePrompt,
      isFolderTrustDialogOpen: isFolderTrustDialogOpen ?? false,
+      isPolicyUpdateDialogOpen,
+      policyUpdateConfirmationRequest,
      isTrustedFolder,
      constrainHeight,
      showErrorDetails,
@@ -2259,6 +2269,8 @@ Logging in with Google... Restarting Gemini CLI to continue.
      isResuming,
      shouldShowIdePrompt,
      isFolderTrustDialogOpen,
+      isPolicyUpdateDialogOpen,
+      policyUpdateConfirmationRequest,
      isTrustedFolder,
      constrainHeight,
      showErrorDetails,
@@ -2356,6 +2368,7 @@ Logging in with Google... Restarting Gemini CLI to continue.
      vimHandleInput,
      handleIdePromptComplete,
      handleFolderTrustSelect,
+      setIsPolicyUpdateDialogOpen,
      setConstrainHeight,
      onEscapePromptChange: handleEscapePromptChange,
      refreshStatic,
@@ -2440,6 +2453,7 @@ Logging in with Google... Restarting Gemini CLI to continue.
      vimHandleInput,
      handleIdePromptComplete,
      handleFolderTrustSelect,
+      setIsPolicyUpdateDialogOpen,
      setConstrainHeight,
      handleEscapePromptChange,
      refreshStatic,
--- a/packages/cli/src/ui/components/DialogManager.tsx
+++ b/packages/cli/src/ui/components/DialogManager.tsx
@@ -37,6 +37,7 @@ import { AgentConfigDialog } from './AgentConfigDialog.js';
 import { SessionRetentionWarningDialog } from './SessionRetentionWarningDialog.js';
 import { useCallback } from 'react';
 import { SettingScope } from '../../config/settings.js';
+import { PolicyUpdateDialog } from './PolicyUpdateDialog.js';

 interface DialogManagerProps {
  addItem: UseHistoryManagerReturn['addItem'];
@@ -166,6 +167,15 @@ export const DialogManager = ({
      />
    );
  }
+  if (uiState.isPolicyUpdateDialogOpen) {
+    return (
+      <PolicyUpdateDialog
+        config={config}
+        request={uiState.policyUpdateConfirmationRequest!}
+        onClose={() => uiActions.setIsPolicyUpdateDialogOpen(false)}
+      />
+    );
+  }
  if (uiState.loopDetectionConfirmationRequest) {
    return (
      <LoopDetectionConfirmation
--- a/packages/cli/src/ui/components/PolicyUpdateDialog.test.tsx
+++ b/packages/cli/src/ui/components/PolicyUpdateDialog.test.tsx
@@ -0,0 +1,141 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { describe, it, expect, vi, afterEach, beforeEach } from 'vitest';
+import { act } from 'react';
+import { renderWithProviders } from '../../test-utils/render.js';
+import { waitFor } from '../../test-utils/async.js';
+import { PolicyUpdateDialog } from './PolicyUpdateDialog.js';
+import {
+  type Config,
+  type PolicyUpdateConfirmationRequest,
+  PolicyIntegrityManager,
+} from '@google/gemini-cli-core';
+
+const { mockAcceptIntegrity } = vi.hoisted(() => ({
+  mockAcceptIntegrity: vi.fn(),
+}));
+
+// Mock PolicyIntegrityManager
+vi.mock('@google/gemini-cli-core', async (importOriginal) => {
+  const original =
+    await importOriginal<typeof import('@google/gemini-cli-core')>();
+  return {
+    ...original,
+    PolicyIntegrityManager: vi.fn().mockImplementation(() => ({
+      acceptIntegrity: mockAcceptIntegrity,
+      checkIntegrity: vi.fn(),
+    })),
+  };
+});
+
+describe('PolicyUpdateDialog', () => {
+  let mockConfig: Config;
+  let mockRequest: PolicyUpdateConfirmationRequest;
+  let onClose: () => void;
+
+  beforeEach(() => {
+    mockConfig = {
+      loadWorkspacePolicies: vi.fn().mockResolvedValue(undefined),
+    } as unknown as Config;
+
+    mockRequest = {
+      scope: 'workspace',
+      identifier: '/test/workspace/.gemini/policies',
+      policyDir: '/test/workspace/.gemini/policies',
+      newHash: 'test-hash',
+    } as PolicyUpdateConfirmationRequest;
+
+    onClose = vi.fn();
+  });
+
+  afterEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it('renders correctly and matches snapshot', async () => {
+    const { lastFrame, waitUntilReady } = renderWithProviders(
+      <PolicyUpdateDialog
+        config={mockConfig}
+        request={mockRequest}
+        onClose={onClose}
+      />,
+    );
+
+    await waitUntilReady();
+    const output = lastFrame();
+    expect(output).toMatchSnapshot();
+    expect(output).toContain('New or changed workspace policies detected');
+    expect(output).toContain('Location: /test/workspace/.gemini/policies');
+    expect(output).toContain('Accept and Load');
+    expect(output).toContain('Ignore');
+  });
+
+  it('handles ACCEPT correctly', async () => {
+    const { stdin } = renderWithProviders(
+      <PolicyUpdateDialog
+        config={mockConfig}
+        request={mockRequest}
+        onClose={onClose}
+      />,
+    );
+
+    // Accept is the first option, so pressing enter should select it
+    await act(async () => {
+      stdin.write('\r');
+    });
+
+    await waitFor(() => {
+      expect(PolicyIntegrityManager).toHaveBeenCalled();
+      expect(mockConfig.loadWorkspacePolicies).toHaveBeenCalledWith(
+        mockRequest.policyDir,
+      );
+      expect(onClose).toHaveBeenCalled();
+    });
+  });
+
+  it('handles IGNORE correctly', async () => {
+    const { stdin } = renderWithProviders(
+      <PolicyUpdateDialog
+        config={mockConfig}
+        request={mockRequest}
+        onClose={onClose}
+      />,
+    );
+
+    // Move down to Ignore option
+    await act(async () => {
+      stdin.write('\x1B[B'); // Down arrow
+    });
+    await act(async () => {
+      stdin.write('\r'); // Enter
+    });
+
+    await waitFor(() => {
+      expect(PolicyIntegrityManager).not.toHaveBeenCalled();
+      expect(mockConfig.loadWorkspacePolicies).not.toHaveBeenCalled();
+      expect(onClose).toHaveBeenCalled();
+    });
+  });
+
+  it('calls onClose when Escape key is pressed', async () => {
+    const { stdin } = renderWithProviders(
+      <PolicyUpdateDialog
+        config={mockConfig}
+        request={mockRequest}
+        onClose={onClose}
+      />,
+    );
+
+    await act(async () => {
+      stdin.write('\x1B'); // Escape key (matches Command.ESCAPE default)
+    });
+
+    await waitFor(() => {
+      expect(onClose).toHaveBeenCalled();
+    });
+  });
+});
--- a/packages/cli/src/ui/components/PolicyUpdateDialog.tsx
+++ b/packages/cli/src/ui/components/PolicyUpdateDialog.tsx
@@ -0,0 +1,116 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { Box, Text } from 'ink';
+import { useCallback, useRef } from 'react';
+import type React from 'react';
+import {
+  type Config,
+  type PolicyUpdateConfirmationRequest,
+  PolicyIntegrityManager,
+} from '@google/gemini-cli-core';
+import { theme } from '../semantic-colors.js';
+import type { RadioSelectItem } from './shared/RadioButtonSelect.js';
+import { RadioButtonSelect } from './shared/RadioButtonSelect.js';
+import { useKeypress } from '../hooks/useKeypress.js';
+import { keyMatchers, Command } from '../keyMatchers.js';
+
+export enum PolicyUpdateChoice {
+  ACCEPT = 'accept',
+  IGNORE = 'ignore',
+}
+
+interface PolicyUpdateDialogProps {
+  config: Config;
+  request: PolicyUpdateConfirmationRequest;
+  onClose: () => void;
+}
+
+export const PolicyUpdateDialog: React.FC<PolicyUpdateDialogProps> = ({
+  config,
+  request,
+  onClose,
+}) => {
+  const isProcessing = useRef(false);
+
+  const handleSelect = useCallback(
+    async (choice: PolicyUpdateChoice) => {
+      if (isProcessing.current) {
+        return;
+      }
+
+      isProcessing.current = true;
+      try {
+        if (choice === PolicyUpdateChoice.ACCEPT) {
+          const integrityManager = new PolicyIntegrityManager();
+          await integrityManager.acceptIntegrity(
+            request.scope,
+            request.identifier,
+            request.newHash,
+          );
+          await config.loadWorkspacePolicies(request.policyDir);
+        }
+        onClose();
+      } finally {
+        isProcessing.current = false;
+      }
+    },
+    [config, request, onClose],
+  );
+
+  useKeypress(
+    (key) => {
+      if (keyMatchers[Command.ESCAPE](key)) {
+        onClose();
+        return true;
+      }
+      return false;
+    },
+    { isActive: true },
+  );
+
+  const options: Array<RadioSelectItem<PolicyUpdateChoice>> = [
+    {
+      label: 'Accept and Load',
+      value: PolicyUpdateChoice.ACCEPT,
+      key: 'accept',
+    },
+    {
+      label: 'Ignore (Use Default Policies)',
+      value: PolicyUpdateChoice.IGNORE,
+      key: 'ignore',
+    },
+  ];
+
+  return (
+    <Box flexDirection="column" width="100%">
+      <Box
+        flexDirection="column"
+        borderStyle="round"
+        borderColor={theme.status.warning}
+        padding={1}
+        marginLeft={1}
+        marginRight={1}
+      >
+        <Box flexDirection="column" marginBottom={1}>
+          <Text bold color={theme.text.primary}>
+            New or changed {request.scope} policies detected
+          </Text>
+          <Text color={theme.text.primary}>Location: {request.identifier}</Text>
+          <Text color={theme.text.primary}>
+            Do you want to accept and load these policies?
+          </Text>
+        </Box>
+
+        <RadioButtonSelect
+          items={options}
+          onSelect={handleSelect}
+          isFocused={true}
+        />
+      </Box>
+    </Box>
+  );
+};
--- a/packages/cli/src/ui/components/snapshots/PolicyUpdateDialog.test.tsx.snap
+++ b/packages/cli/src/ui/components/snapshots/PolicyUpdateDialog.test.tsx.snap
@@ -0,0 +1,15 @@
+// Vitest Snapshot v1, https://vitest.dev/guide/snapshot.html
+
+exports[`PolicyUpdateDialog > renders correctly and matches snapshot 1`] = `
+" ╭────────────────────────────────────────────────────────────────────────────────────────────────╮
+ │                                                                                                │
+ │ New or changed workspace policies detected                                                     │
+ │ Location: /test/workspace/.gemini/policies                                                     │
+ │ Do you want to accept and load these policies?                                                 │
+ │                                                                                                │
+ │ ● 1. Accept and Load                                                                           │
+ │   2. Ignore (Use Default Policies)                                                             │
+ │                                                                                                │
+ ╰────────────────────────────────────────────────────────────────────────────────────────────────╯
+"
+`;
--- a/packages/cli/src/ui/contexts/UIActionsContext.tsx
+++ b/packages/cli/src/ui/contexts/UIActionsContext.tsx
@@ -1,6 +1,6 @@
 /**
 * @license
- * Copyright 2025 Google LLC
+ * Copyright 2026 Google LLC
 * SPDX-License-Identifier: Apache-2.0
 */

@@ -52,6 +52,7 @@ export interface UIActions {
  vimHandleInput: (key: Key) => boolean;
  handleIdePromptComplete: (result: IdeIntegrationNudgeResult) => void;
  handleFolderTrustSelect: (choice: FolderTrustChoice) => void;
+  setIsPolicyUpdateDialogOpen: (value: boolean) => void;
  setConstrainHeight: (value: boolean) => void;
  onEscapePromptChange: (show: boolean) => void;
  refreshStatic: () => void;
--- a/packages/cli/src/ui/contexts/UIStateContext.tsx
+++ b/packages/cli/src/ui/contexts/UIStateContext.tsx
@@ -27,6 +27,7 @@ import type {
  FallbackIntent,
  ValidationIntent,
  AgentDefinition,
+  PolicyUpdateConfirmationRequest,
 } from '@google/gemini-cli-core';
 import { type TransientMessageType } from '../../utils/events.js';
 import type { DOMElement } from 'ink';
@@ -112,6 +113,8 @@ export interface UIState {
  isResuming: boolean;
  shouldShowIdePrompt: boolean;
  isFolderTrustDialogOpen: boolean;
+  isPolicyUpdateDialogOpen: boolean;
+  policyUpdateConfirmationRequest: PolicyUpdateConfirmationRequest | undefined;
  isTrustedFolder: boolean | undefined;
  constrainHeight: boolean;
  showErrorDetails: boolean;