mirror of
https://github.com/google-gemini/gemini-cli.git
synced 2026-07-18 14:00:27 -07:00
137 lines
4.6 KiB
TOML
137 lines
4.6 KiB
TOML
# Priority system for policy rules:
|
|
# - Higher priority numbers win over lower priority numbers
|
|
# - When multiple rules match, the highest priority rule is applied
|
|
# - Rules are evaluated in order of priority (highest first)
|
|
#
|
|
# Priority bands (tiers):
|
|
# - Default policies (TOML): 1 + priority/1000 (e.g., priority 100 → 1.100)
|
|
# - Extension policies (TOML): 2 + priority/1000 (e.g., priority 100 → 2.100)
|
|
# - Workspace policies (TOML): 3 + priority/1000 (e.g., priority 100 → 3.100)
|
|
# - User policies (TOML): 4 + priority/1000 (e.g., priority 100 → 4.100)
|
|
# - Admin policies (TOML): 5 + priority/1000 (e.g., priority 100 → 5.100)
|
|
#
|
|
# This ensures Admin > User > Workspace > Extension > Default hierarchy is always preserved,
|
|
# while allowing user-specified priorities to work within each tier.
|
|
#
|
|
# Settings-based and dynamic rules (all in user tier 4.x):
|
|
# 4.95: Tools that the user has selected as "Always Allow" in the interactive UI
|
|
# 4.9: MCP servers excluded list (security: persistent server blocks)
|
|
# 4.4: Command line flag --exclude-tools (explicit temporary blocks)
|
|
# 4.3: Command line flag --allowed-tools (explicit temporary allows)
|
|
# 4.2: MCP servers with trust=true (persistent trusted servers)
|
|
# 4.1: MCP servers allowed list (persistent general server allows)
|
|
#
|
|
# TOML policy priorities (before transformation):
|
|
# 10: Write tools default to ASK_USER (becomes 1.010 in default tier)
|
|
# 30: Unknown subagents (blocked by Plan Mode's 40)
|
|
# 40: Plan mode catch-all DENY override (becomes 1.040 in default tier)
|
|
# 50: Read-only tools / Plan mode explicit ALLOW (becomes 1.050 in default tier)
|
|
# 70: Mode transition overrides (into/out of Plan Mode)
|
|
# 999: YOLO mode allow-all (becomes 1.999 in default tier)
|
|
|
|
# Mode Transitions (into/out of Plan Mode)
|
|
|
|
[[rule]]
|
|
toolName = "enter_plan_mode"
|
|
decision = "ask_user"
|
|
priority = 50
|
|
interactive = true
|
|
|
|
[[rule]]
|
|
toolName = "enter_plan_mode"
|
|
decision = "allow"
|
|
priority = 50
|
|
interactive = false
|
|
|
|
[[rule]]
|
|
toolName = "enter_plan_mode"
|
|
decision = "deny"
|
|
priority = 70
|
|
modes = ["plan"]
|
|
denyMessage = "You are already in Plan Mode."
|
|
|
|
[[rule]]
|
|
toolName = "exit_plan_mode"
|
|
decision = "ask_user"
|
|
priority = 70
|
|
modes = ["plan"]
|
|
interactive = true
|
|
|
|
[[rule]]
|
|
toolName = "exit_plan_mode"
|
|
decision = "allow"
|
|
priority = 70
|
|
modes = ["plan"]
|
|
interactive = false
|
|
|
|
[[rule]]
|
|
toolName = "exit_plan_mode"
|
|
decision = "deny"
|
|
priority = 50
|
|
denyMessage = "You are not currently in Plan Mode. Use enter_plan_mode first to design a plan."
|
|
|
|
|
|
# Catch-All: Deny everything by default in Plan mode.
|
|
|
|
[[rule]]
|
|
toolName = "*"
|
|
decision = "deny"
|
|
priority = 40
|
|
modes = ["plan"]
|
|
denyMessage = "You are in Plan Mode with access to read-only tools. Execution of scripts (including those from skills) is blocked."
|
|
|
|
# Explicitly allowed tools in Plan Mode (interactive: ask user, non-interactive: deny)
|
|
# Priority 50 overrides the catch-all (40) and also ensures we override default tier ALLOW rules (e.g. from read-only.toml).
|
|
|
|
[[rule]]
|
|
toolName = "*"
|
|
mcpName = "*"
|
|
toolAnnotations = { readOnlyHint = true }
|
|
decision = "ask_user"
|
|
priority = 50
|
|
modes = ["plan"]
|
|
interactive = true
|
|
|
|
# Allow specific subagents in Plan mode.
|
|
# We use argsPattern to match the agent_name argument for invoke_agent.
|
|
[[rule]]
|
|
name = "Allow specific subagents in Plan mode"
|
|
toolName = "invoke_agent"
|
|
argsPattern = "\"agent_name\":\\s*\"(codebase_investigator|cli_help)\""
|
|
decision = "allow"
|
|
priority = 50
|
|
modes = ["plan"]
|
|
|
|
[[rule]]
|
|
toolName = ["ask_user", "save_memory", "web_fetch", "activate_skill"]
|
|
decision = "ask_user"
|
|
priority = 50
|
|
modes = ["plan"]
|
|
interactive = true
|
|
|
|
# Allow write_file and replace for .md files in the plans directory (cross-platform)
|
|
# We split this into two rules to avoid ReDoS checker issues with nested optional segments.
|
|
# This rule handles the case where there is a session ID in the plan file path
|
|
[[rule]]
|
|
toolName = ["write_file", "replace"]
|
|
decision = "allow"
|
|
priority = 70
|
|
modes = ["plan"]
|
|
argsPattern = "\\x00\"file_path\":\"[^\"]+[\\\\/]+\\.gemini[\\\\/]+tmp[\\\\/]+[\\w-]+[\\\\/]+[\\w-]+[\\\\/]+plans[\\\\/]+[\\w-]+\\.md\"\\x00"
|
|
|
|
# This rule handles the case where there isn't a session ID in the plan file path
|
|
[[rule]]
|
|
toolName = ["write_file", "replace"]
|
|
decision = "allow"
|
|
priority = 70
|
|
modes = ["plan"]
|
|
argsPattern = "\\x00\"file_path\":\"[^\"]+[\\\\/]+\\.gemini[\\\\/]+tmp[\\\\/]+[\\w-]+[\\\\/]+plans[\\\\/]+[\\w-]+\\.md\"\\x00"
|
|
|
|
# Explicitly Deny other write operations in Plan mode with a clear message.
|
|
[[rule]]
|
|
toolName = ["write_file", "replace"]
|
|
decision = "deny"
|
|
priority = 65
|
|
modes = ["plan"]
|
|
denyMessage = "You are in Plan Mode and cannot modify source code. You may ONLY use write_file or replace to save plans to the designated plans directory as .md files."
|