feat(core): implement context-aware persistent policy approvals #23257

Merged
jerop merged 6 commits into main from context-aware-policies
Apr 2, 2026

Conversation


@jerop jerop commented Mar 20, 2026

Summary

This PR implements permissive context-aware persistent policy approvals. When a tool is allowed for all future sessions, the generated policy rule now explicitly includes the current approval mode and all more permissive modes in the hierarchy: plan < default < autoEdit < yolo.

Details

Previously, persistent approvals were either global or restricted to implementation modes. This change introduces a refined, explicit flow for tool trust:

  • Permissiveness Hierarchy: Approvals now follow the strict order: plan (least permissive) < default < autoEdit < yolo (most permissive).
  • Explicit Mode Inclusion: When a user selects "Allow for all future sessions", Gemini CLI calculates the set of allowed modes starting from the current session mode up to the most permissive mode (yolo).
    • Approvals in plan mode: Explicitly includes plan, default, autoEdit, and yolo. This represents a global trust choice.
    • Approvals in default mode: Includes default, autoEdit, and yolo. This ensures tools trusted for standard work are available in automated modes but not in the restricted research environment of plan mode.
    • Approvals in autoEdit mode: Includes only autoEdit and yolo.
    • Approvals in yolo mode: Includes only yolo.
  • Intelligent Merging: Instead of appending redundant rules, the policy updater now detects existing rules for the same tool/arguments and updates their modes and permissions in-place.

This ensures that trust flows correctly to more permissive environments while maintaining the safety of plan mode as a read-only space.

Related Issues

Fixes #23245

How to Validate

Prerequisites

Enable the persistent approval UI in your settings.json:

{
  "security": {
    "enablePermanentToolApproval": true
  }
}

Approval in default Mode

  • Start a session in default mode.
  • Run a command (e.g., ls) and select "Allow for all future sessions".
  • Verify .gemini/policies/auto-saved.toml contains modes = [ "default", "autoEdit", "yolo" ].
  • Switch to plan mode and verify the tool still requires confirmation.

Approval in plan Mode

  • Start a session in plan mode.
  • Trigger a tool confirmation and select "Allow for all future sessions".
  • Verify the TOML contains modes = [ "plan", "default", "autoEdit", "yolo" ].

Approval in autoEdit Mode

  • Start a session in autoEdit mode.
  • Trigger a tool confirmation and select "Allow for all future sessions".
  • Verify the TOML contains only modes = [ "autoEdit", "yolo" ].

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed)
  • Added/updated tests (if needed)
  • Noted breaking changes (if any)
  • Validated on required platforms/methods:
    • MacOS
      • npm run
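The mode computation and in-place rule merge described in the PR, written out as an added TypeScript example (not the PR's or gemini-cli's own code). The PolicyRule field names argsPattern and decision are assumed for illustration.

```typescript
// Added example, not gemini-cli's own code: compute which approval modes a
// persistent rule should cover (hierarchy plan < default < autoEdit < yolo)
// and merge it into an existing rule list in place rather than appending.

type ApprovalMode = 'plan' | 'default' | 'autoEdit' | 'yolo';

// Ordered least permissive first, as the PR specifies.
const MODE_HIERARCHY: readonly ApprovalMode[] = ['plan', 'default', 'autoEdit', 'yolo'];

// Field names argsPattern and decision are assumed for illustration.
interface PolicyRule {
  toolName: string;
  argsPattern?: string;
  decision: 'allow' | 'deny';
  modes?: ApprovalMode[]; // undefined means the rule applies in every mode
}

// The current mode plus every more permissive one: trust flows toward yolo,
// never back down into plan unless the approval was granted in plan itself.
function allowedModesFrom(current: ApprovalMode): ApprovalMode[] {
  const start = MODE_HIERARCHY.indexOf(current);
  if (start < 0) throw new Error(`unknown approval mode: ${current}`);
  return MODE_HIERARCHY.slice(start);
}

// Intelligent merging: a rule for the same tool/arguments is updated in place;
// a new rule is appended only when none exists. Returns the same array.
function upsertPersistentApproval(rules: PolicyRule[], toolName: string, current: ApprovalMode, argsPattern?: string): PolicyRule[] {
  const modes = allowedModesFrom(current);
  const existing = rules.find(
    (r) => r.toolName === toolName && r.argsPattern === argsPattern,
  );
  if (existing) {
    existing.decision = 'allow';
    existing.modes = modes;
  } else {
    rules.push({ toolName, argsPattern, decision: 'allow', modes });
  }
  return rules;
}

// The check a policy engine makes before honouring a persisted rule: a rule
// saved in default mode must not auto-approve the tool in a plan-mode session.
function ruleAppliesIn(rule: PolicyRule, sessionMode: ApprovalMode): boolean {
  return rule.modes === undefined || rule.modes.includes(sessionMode);
}
```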

@jerop jerop requested review from a team as code owners March 20, 2026 16:07
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security and predictability of tool execution within the Gemini CLI by introducing context-aware persistent policy approvals. The core purpose is to safeguard the integrity of Plan Mode as a read-only research environment, preventing tools approved for active implementation from inadvertently executing during the planning phase. This change ensures that user trust in tools is applied precisely where intended, providing a more secure and controlled user experience without requiring manual mode restrictions for common workflows.

Highlights

  • Context-Aware Persistent Policy Approvals: Implemented a new system where persistent tool approvals are context-aware, meaning their applicability depends on the approval mode in which they were granted. This prevents 'trust leakage' from implementation modes into Plan Mode.
  • Implicit Mode Restriction: Approvals granted in 'default', 'autoEdit', or 'yolo' modes are now implicitly restricted to those modes, ensuring they do not apply in Plan Mode. This enhances the security and integrity of the research environment.
  • Elevated Planning Trust: Approvals granted while already in Plan Mode are treated as intentional choices to trust the tool for planning and are saved without mode restrictions, making them globally applicable.
  • Technical Implementation: Introduced a modes field to the UpdatePolicy message protocol, updated the updatePolicy logic in packages/core to determine context-aware restrictions, and modified policy persistence to serialize the modes field in TOML rules.
  • Comprehensive Testing and Documentation: Added table-driven unit tests to verify behavior across all approval modes and updated documentation for Plan Mode and the Policy Engine to reflect these new context-aware behaviors.
@jerop jerop enabled auto-merge March 20, 2026 16:08

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces context-aware persistent policy approvals to enhance the security of Plan Mode by restricting tool approvals based on the mode in which they were granted. It adds a modes field to the UpdatePolicy message protocol, updates the policy persistence logic, and includes unit tests to verify the new behavior. The documentation has also been updated to reflect these changes. The review identified a potential issue with the test case for YOLO mode, where the expected modes were not being checked correctly, and a suggestion was made to correct this, aligning with the principle of avoiding overly restrictive policies without proper approval flows.

github-actions bot commented Mar 20, 2026

Size Change: +1.72 kB (0%)

Total Size: 34.6 MB


@jerop jerop disabled auto-merge March 20, 2026 16:25
@gemini-cli gemini-cli bot added area/core Issues related to User Interface, OS Support, Core Functionality 🔒 maintainer only ⛔ Do not contribute. Internal roadmap item. labels Mar 20, 2026

jerop commented Mar 23, 2026

@galz10 is working on an alternative fix

@jerop jerop closed this Mar 23, 2026
@jerop jerop deleted the context-aware-policies branch April 1, 2026 16:18
@jerop jerop restored the context-aware-policies branch April 2, 2026 16:25
@jerop jerop reopened this Apr 2, 2026
@jerop jerop force-pushed the context-aware-policies branch from 0687a87 to 316663d Compare April 2, 2026 16:34
@jerop jerop enabled auto-merge April 2, 2026 16:35
@jerop jerop disabled auto-merge April 2, 2026 16:35
@jerop jerop force-pushed the context-aware-policies branch from 55b7535 to 81b2af7 Compare April 2, 2026 18:08
jerop added 5 commits April 2, 2026 14:16
- Update UpdatePolicy message protocol to include optional modes field.
- Implement context-aware mode selection in updatePolicy to restrict approvals granted in implementation modes (default, autoEdit, yolo) to those modes.
- Approvals granted while in Plan Mode remain global (unrestricted).
- Ensure policy updater serializes the 'modes' field correctly in TOML rules.
- Add table-driven unit tests to verify behavior across all approval modes.
- Update documentation in Plan Mode and Policy Engine sections to reflect new behavior.
Update test descriptions to explicitly state that Plan Mode is excluded when approvals are granted in implementation modes (including YOLO), and that global trust is granted when in Plan Mode. This addresses high-priority feedback regarding YOLO mode behavior.
@jerop jerop force-pushed the context-aware-policies branch from 78ce76a to 527c249 Compare April 2, 2026 18:16
@jerop jerop added this pull request to the merge queue Apr 2, 2026
Merged via the queue into main with commit 64c928f Apr 2, 2026
26 of 27 checks passed
@jerop jerop deleted the context-aware-policies branch April 2, 2026 20:13

jerop commented Apr 2, 2026

/patch preview

github-actions bot commented Apr 2, 2026

🚀 [Step 1/4] Patch workflow(s) waiting for approval!

📋 Details:

  • Channels: preview
  • Commit: 64c928fce791fa6ddd033dde07068a5c120bb97e
  • Workflows Created: 1

⏳ Status: The patch creation workflow has been triggered and is waiting for deployment approval. Please visit the specific workflow links below and approve the runs.

github-actions bot commented Apr 2, 2026

🚀 [Step 2/4] Patch PR Created!

📝 Next Steps:

  1. Review and approve the hotfix PR: #24561
  2. Once merged, the patch release will automatically trigger
  3. You'll receive updates here when the release completes

github-actions bot commented Apr 2, 2026

🚀 [Step 3/4] Patch Release Waiting for Approval!

📋 Release Details:

  • Environment: prod
  • Channel: preview → publishing to npm tag preview
  • Version: v0.37.0-preview.0
  • Hotfix PR: Merged ✅
  • Release Branch: release/v0.37.0-preview.0-pr-23257

⏳ Status: The patch release has been triggered and is waiting for deployment approval. Please visit the specific workflow run link below and approve the deployment. You'll receive another update when it completes.

github-actions bot commented Apr 2, 2026

[Step 4/4] Patch Release Complete!

🎉 Status: Your patch has been successfully released and published to npm!
