@google/gemini-cli 0.12.0-nightly.20251027.cb0947c5 → 0.12.0-preview.11

package/dist/src/config/policy.test.js

@@ -3,113 +3,141 @@
  * Copyright 2025 Google LLC
  * SPDX-License-Identifier: Apache-2.0
  */
-import { describe, it, expect } from 'vitest';
-import { createPolicyEngineConfig } from './policy.js';
+import { describe, it, expect, vi, afterEach } from 'vitest';
+import nodePath from 'node:path';
 import { ApprovalMode, PolicyDecision, WEB_FETCH_TOOL_NAME, } from '@google/gemini-cli-core';
+afterEach(() => {
+    vi.clearAllMocks();
+});
 describe('createPolicyEngineConfig', () => {
-    it('should return ASK_USER for write tools and ALLOW for read-only tools by default', () => {
+    it('should return ASK_USER for write tools and ALLOW for read-only tools by default', async () => {
+        const actualFs = await vi.importActual('node:fs/promises');
+        const mockReaddir = vi.fn(async (path, options) => {
+            if (typeof path === 'string' &&
+                nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('.gemini/policies'))) {
+                // Return empty array for user policies
+                return [];
+            }
+            return actualFs.readdir(path, options);
+        });
+        vi.doMock('node:fs/promises', () => ({
+            ...actualFs,
+            default: { ...actualFs, readdir: mockReaddir },
+            readdir: mockReaddir,
+        }));
+        vi.resetModules();
+        const { createPolicyEngineConfig } = await import('./policy.js');
         const settings = {};
-        const config = createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
         expect(config.defaultDecision).toBe(PolicyDecision.ASK_USER);
         // The order of the rules is not guaranteed, so we sort them by tool name.
         config.rules?.sort((a, b) => (a.toolName ?? '').localeCompare(b.toolName ?? ''));
+        // Default policies are transformed to tier 1: 1 + priority/1000
         expect(config.rules).toEqual([
             {
                 toolName: 'glob',
                 decision: PolicyDecision.ALLOW,
-                priority: 50,
+                priority: 1.05, // 1 + 50/1000
             },
             {
                 toolName: 'google_web_search',
                 decision: PolicyDecision.ALLOW,
-                priority: 50,
+                priority: 1.05,
             },
             {
                 toolName: 'list_directory',
                 decision: PolicyDecision.ALLOW,
-                priority: 50,
+                priority: 1.05,
             },
             {
                 toolName: 'read_file',
                 decision: PolicyDecision.ALLOW,
-                priority: 50,
+                priority: 1.05,
             },
             {
                 toolName: 'read_many_files',
                 decision: PolicyDecision.ALLOW,
-                priority: 50,
+                priority: 1.05,
             },
             {
                 toolName: 'replace',
                 decision: PolicyDecision.ASK_USER,
-                priority: 10,
+                priority: 1.01, // 1 + 10/1000
             },
             {
                 toolName: 'run_shell_command',
                 decision: PolicyDecision.ASK_USER,
-                priority: 10,
+                priority: 1.01,
             },
             {
                 toolName: 'save_memory',
                 decision: PolicyDecision.ASK_USER,
-                priority: 10,
+                priority: 1.01,
             },
             {
                 toolName: 'search_file_content',
                 decision: PolicyDecision.ALLOW,
-                priority: 50,
+                priority: 1.05,
             },
             {
                 toolName: 'web_fetch',
                 decision: PolicyDecision.ASK_USER,
-                priority: 10,
+                priority: 1.01,
             },
             {
                 toolName: 'write_file',
                 decision: PolicyDecision.ASK_USER,
-                priority: 10,
+                priority: 1.01,
             },
         ]);
+        vi.doUnmock('node:fs/promises');
     });
-    it('should allow tools in tools.allowed', () => {
+    it('should allow tools in tools.allowed', async () => {
+        const { createPolicyEngineConfig } = await import('./policy.js');
         const settings = {
             tools: { allowed: ['run_shell_command'] },
         };
-        const config = createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
         const rule = config.rules?.find((r) => r.toolName === 'run_shell_command' &&
             r.decision === PolicyDecision.ALLOW);
         expect(rule).toBeDefined();
-        expect(rule?.priority).toBe(100);
+        expect(rule?.priority).toBeCloseTo(2.3, 5); // Command line allow
     });
-    it('should deny tools in tools.exclude', () => {
+    it('should deny tools in tools.exclude', async () => {
+        const { createPolicyEngineConfig } = await import('./policy.js');
         const settings = {
             tools: { exclude: ['run_shell_command'] },
         };
-        const config = createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
         const rule = config.rules?.find((r) => r.toolName === 'run_shell_command' &&
             r.decision === PolicyDecision.DENY);
         expect(rule).toBeDefined();
-        expect(rule?.priority).toBe(200);
+        expect(rule?.priority).toBeCloseTo(2.4, 5); // Command line exclude
     });
-    it('should allow tools from allowed MCP servers', () => {
+    it('should allow tools from allowed MCP servers', async () => {
+        const { createPolicyEngineConfig } = await import('./policy.js');
         const settings = {
             mcp: { allowed: ['my-server'] },
         };
-        const config = createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
         const rule = config.rules?.find((r) => r.toolName === 'my-server__*' && r.decision === PolicyDecision.ALLOW);
         expect(rule).toBeDefined();
-        expect(rule?.priority).toBe(85);
+        expect(rule?.priority).toBe(2.1); // MCP allowed server
     });
-    it('should deny tools from excluded MCP servers', () => {
+    it('should deny tools from excluded MCP servers', async () => {
+        const { createPolicyEngineConfig } = await import('./policy.js');
         const settings = {
             mcp: { excluded: ['my-server'] },
         };
-        const config = createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
         const rule = config.rules?.find((r) => r.toolName === 'my-server__*' && r.decision === PolicyDecision.DENY);
         expect(rule).toBeDefined();
-        expect(rule?.priority).toBe(195);
+        expect(rule?.priority).toBe(2.9); // MCP excluded server
     });
-    it('should allow tools from trusted MCP servers', () => {
+    it('should allow tools from trusted MCP servers', async () => {
+        const { createPolicyEngineConfig } = await import('./policy.js');
         const settings = {
             mcpServers: {
                 'trusted-server': {
@@ -124,17 +152,18 @@ describe('createPolicyEngineConfig', () => {
                 },
             },
         };
-        const config = createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
         const trustedRule = config.rules?.find((r) => r.toolName === 'trusted-server__*' &&
             r.decision === PolicyDecision.ALLOW);
         expect(trustedRule).toBeDefined();
-        expect(trustedRule?.priority).toBe(90);
+        expect(trustedRule?.priority).toBe(2.2); // MCP trusted server
         // Untrusted server should not have an allow rule
         const untrustedRule = config.rules?.find((r) => r.toolName === 'untrusted-server__*' &&
             r.decision === PolicyDecision.ALLOW);
         expect(untrustedRule).toBeUndefined();
     });
-    it('should handle multiple MCP server configurations together', () => {
+    it('should handle multiple MCP server configurations together', async () => {
+        const { createPolicyEngineConfig } = await import('./policy.js');
         const settings = {
             mcp: {
                 allowed: ['allowed-server'],
@@ -148,41 +177,47 @@ describe('createPolicyEngineConfig', () => {
                 },
             },
         };
-        const config = createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
         // Check allowed server
         const allowedRule = config.rules?.find((r) => r.toolName === 'allowed-server__*' &&
             r.decision === PolicyDecision.ALLOW);
         expect(allowedRule).toBeDefined();
-        expect(allowedRule?.priority).toBe(85);
+        expect(allowedRule?.priority).toBe(2.1); // MCP allowed server
         // Check trusted server
         const trustedRule = config.rules?.find((r) => r.toolName === 'trusted-server__*' &&
             r.decision === PolicyDecision.ALLOW);
         expect(trustedRule).toBeDefined();
-        expect(trustedRule?.priority).toBe(90);
+        expect(trustedRule?.priority).toBe(2.2); // MCP trusted server
         // Check excluded server
         const excludedRule = config.rules?.find((r) => r.toolName === 'excluded-server__*' &&
             r.decision === PolicyDecision.DENY);
         expect(excludedRule).toBeDefined();
-        expect(excludedRule?.priority).toBe(195);
+        expect(excludedRule?.priority).toBe(2.9); // MCP excluded server
     });
-    it('should allow all tools in YOLO mode', () => {
+    it('should allow all tools in YOLO mode', async () => {
+        const { createPolicyEngineConfig } = await import('./policy.js');
         const settings = {};
-        const config = createPolicyEngineConfig(settings, ApprovalMode.YOLO);
-        const rule = config.rules?.find((r) => r.decision === PolicyDecision.ALLOW && r.priority === 0);
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.YOLO);
+        const rule = config.rules?.find((r) => r.decision === PolicyDecision.ALLOW && !r.toolName);
         expect(rule).toBeDefined();
+        // Priority 999 in default tier → 1.999
+        expect(rule?.priority).toBeCloseTo(1.999, 5);
     });
-    it('should allow edit tool in AUTO_EDIT mode', () => {
+    it('should allow edit tool in AUTO_EDIT mode', async () => {
+        const { createPolicyEngineConfig } = await import('./policy.js');
         const settings = {};
-        const config = createPolicyEngineConfig(settings, ApprovalMode.AUTO_EDIT);
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.AUTO_EDIT);
         const rule = config.rules?.find((r) => r.toolName === 'replace' && r.decision === PolicyDecision.ALLOW);
         expect(rule).toBeDefined();
-        expect(rule?.priority).toBe(15);
+        // Priority 15 in default tier → 1.015
+        expect(rule?.priority).toBeCloseTo(1.015, 5);
     });
-    it('should prioritize exclude over allow', () => {
+    it('should prioritize exclude over allow', async () => {
+        const { createPolicyEngineConfig } = await import('./policy.js');
         const settings = {
             tools: { allowed: ['run_shell_command'], exclude: ['run_shell_command'] },
         };
-        const config = createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
         const denyRule = config.rules?.find((r) => r.toolName === 'run_shell_command' &&
             r.decision === PolicyDecision.DENY);
         const allowRule = config.rules?.find((r) => r.toolName === 'run_shell_command' &&
@@ -191,23 +226,25 @@ describe('createPolicyEngineConfig', () => {
         expect(allowRule).toBeDefined();
         expect(denyRule.priority).toBeGreaterThan(allowRule.priority);
     });
-    it('should prioritize specific tool allows over MCP server excludes', () => {
+    it('should prioritize specific tool allows over MCP server excludes', async () => {
+        const { createPolicyEngineConfig } = await import('./policy.js');
         const settings = {
             mcp: { excluded: ['my-server'] },
             tools: { allowed: ['my-server__specific-tool'] },
         };
-        const config = createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
         const serverDenyRule = config.rules?.find((r) => r.toolName === 'my-server__*' && r.decision === PolicyDecision.DENY);
         const toolAllowRule = config.rules?.find((r) => r.toolName === 'my-server__specific-tool' &&
             r.decision === PolicyDecision.ALLOW);
         expect(serverDenyRule).toBeDefined();
-        expect(serverDenyRule?.priority).toBe(195);
+        expect(serverDenyRule?.priority).toBe(2.9); // MCP excluded server
         expect(toolAllowRule).toBeDefined();
-        expect(toolAllowRule?.priority).toBe(100);
-        // Tool allow (100) has lower priority than server deny (195),
-        // so server deny wins - this might be counterintuitive
+        expect(toolAllowRule?.priority).toBeCloseTo(2.3, 5); // Command line allow
+        // Server deny (2.9) has higher priority than tool allow (2.3),
+        // so server deny wins (this is expected behavior - server-level blocks are security critical)
     });
-    it('should prioritize specific tool excludes over MCP server allows', () => {
+    it('should handle MCP server allows and tool excludes', async () => {
+        const { createPolicyEngineConfig } = await import('./policy.js');
         const settings = {
             mcp: { allowed: ['my-server'] },
             mcpServers: {
@@ -219,24 +256,27 @@ describe('createPolicyEngineConfig', () => {
             },
             tools: { exclude: ['my-server__dangerous-tool'] },
         };
-        const config = createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
         const serverAllowRule = config.rules?.find((r) => r.toolName === 'my-server__*' && r.decision === PolicyDecision.ALLOW);
         const toolDenyRule = config.rules?.find((r) => r.toolName === 'my-server__dangerous-tool' &&
             r.decision === PolicyDecision.DENY);
         expect(serverAllowRule).toBeDefined();
         expect(toolDenyRule).toBeDefined();
+        // Command line exclude (2.4) has higher priority than MCP server trust (2.2)
+        // This is the correct behavior - specific exclusions should beat general server trust
         expect(toolDenyRule.priority).toBeGreaterThan(serverAllowRule.priority);
     });
-    it('should handle complex priority scenarios correctly', () => {
+    it('should handle complex priority scenarios correctly', async () => {
+        const { createPolicyEngineConfig } = await import('./policy.js');
         const settings = {
             tools: {
-                autoAccept: true, // Priority 50 for read-only tools
-                allowed: ['my-server__tool1', 'other-tool'], // Priority 100
-                exclude: ['my-server__tool2', 'glob'], // Priority 200
+                autoAccept: true, // Not used in policy system (modes handle this)
+                allowed: ['my-server__tool1', 'other-tool'], // Priority 2.3
+                exclude: ['my-server__tool2', 'glob'], // Priority 2.4
             },
             mcp: {
-                allowed: ['allowed-server'], // Priority 85
-                excluded: ['excluded-server'], // Priority 195
+                allowed: ['allowed-server'], // Priority 2.1
+                excluded: ['excluded-server'], // Priority 2.9
             },
             mcpServers: {
                 'trusted-server': {
@@ -246,14 +286,16 @@ describe('createPolicyEngineConfig', () => {
                 },
             },
         };
-        const config = createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
         // Verify glob is denied even though autoAccept would allow it
         const globDenyRule = config.rules?.find((r) => r.toolName === 'glob' && r.decision === PolicyDecision.DENY);
         const globAllowRule = config.rules?.find((r) => r.toolName === 'glob' && r.decision === PolicyDecision.ALLOW);
         expect(globDenyRule).toBeDefined();
         expect(globAllowRule).toBeDefined();
-        expect(globDenyRule.priority).toBe(200);
-        expect(globAllowRule.priority).toBe(50);
+        // Deny from settings (user tier)
+        expect(globDenyRule.priority).toBeCloseTo(2.4, 5); // Command line exclude
+        // Allow from default TOML: 1 + 50/1000 = 1.05
+        expect(globAllowRule.priority).toBeCloseTo(1.05, 5);
         // Verify all priority levels are correct
         const priorities = config.rules
             ?.map((r) => ({
@@ -262,11 +304,12 @@ describe('createPolicyEngineConfig', () => {
             priority: r.priority,
         }))
             .sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0));
-        // Check that the highest priority items are the excludes
-        const highestPriorityExcludes = priorities?.filter((p) => p.priority === 200);
+        // Check that the highest priority items are the excludes (user tier: 2.4)
+        const highestPriorityExcludes = priorities?.filter((p) => Math.abs(p.priority - 2.4) < 0.01);
         expect(highestPriorityExcludes?.every((p) => p.decision === PolicyDecision.DENY)).toBe(true);
     });
-    it('should handle MCP servers with undefined trust property', () => {
+    it('should handle MCP servers with undefined trust property', async () => {
+        const { createPolicyEngineConfig } = await import('./policy.js');
         const settings = {
             mcpServers: {
                 'no-trust-property': {
@@ -281,7 +324,7 @@ describe('createPolicyEngineConfig', () => {
                 },
             },
         };
-        const config = createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
         // Neither server should have an allow rule
         const noTrustRule = config.rules?.find((r) => r.toolName === 'no-trust-property__*' &&
             r.decision === PolicyDecision.ALLOW);
@@ -290,15 +333,18 @@ describe('createPolicyEngineConfig', () => {
         expect(noTrustRule).toBeUndefined();
         expect(explicitFalseRule).toBeUndefined();
     });
-    it('should not add write tool rules in YOLO mode', () => {
+    it('should have YOLO allow-all rule beat write tool rules in YOLO mode', async () => {
+        const { createPolicyEngineConfig } = await import('./policy.js');
         const settings = {
             tools: { exclude: ['dangerous-tool'] },
         };
-        const config = createPolicyEngineConfig(settings, ApprovalMode.YOLO);
-        // Should have the wildcard allow rule with priority 0
-        const wildcardRule = config.rules?.find((r) => !r.toolName && r.decision === PolicyDecision.ALLOW && r.priority === 0);
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.YOLO);
+        // Should have the wildcard allow rule
+        const wildcardRule = config.rules?.find((r) => !r.toolName && r.decision === PolicyDecision.ALLOW);
         expect(wildcardRule).toBeDefined();
-        // Should NOT have any write tool rules (which would have priority 10)
+        // Priority 999 in default tier → 1.999
+        expect(wildcardRule?.priority).toBeCloseTo(1.999, 5);
+        // Write tool ASK_USER rules are present (no modes restriction now)
         const writeToolRules = config.rules?.filter((r) => [
             'replace',
             'save_memory',
@@ -306,13 +352,18 @@ describe('createPolicyEngineConfig', () => {
             'write_file',
             WEB_FETCH_TOOL_NAME,
         ].includes(r.toolName || '') && r.decision === PolicyDecision.ASK_USER);
-        expect(writeToolRules).toHaveLength(0);
-        // Should still have the exclude rule
+        expect(writeToolRules).toBeDefined();
+        // But YOLO allow-all rule has higher priority than all write tool rules
+        writeToolRules?.forEach((writeRule) => {
+            expect(wildcardRule.priority).toBeGreaterThan(writeRule.priority);
+        });
+        // Should still have the exclude rule (from settings, user tier)
         const excludeRule = config.rules?.find((r) => r.toolName === 'dangerous-tool' && r.decision === PolicyDecision.DENY);
         expect(excludeRule).toBeDefined();
-        expect(excludeRule?.priority).toBe(200);
+        expect(excludeRule?.priority).toBeCloseTo(2.4, 5); // Command line exclude
     });
-    it('should handle combination of trusted server and excluded server for same name', () => {
+    it('should handle combination of trusted server and excluded server for same name', async () => {
+        const { createPolicyEngineConfig } = await import('./policy.js');
         const settings = {
             mcpServers: {
                 'conflicted-server': {
@@ -325,36 +376,683 @@ describe('createPolicyEngineConfig', () => {
                 excluded: ['conflicted-server'], // Priority 195
             },
         };
-        const config = createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
         // Both rules should exist
         const trustRule = config.rules?.find((r) => r.toolName === 'conflicted-server__*' &&
             r.decision === PolicyDecision.ALLOW);
         const excludeRule = config.rules?.find((r) => r.toolName === 'conflicted-server__*' &&
             r.decision === PolicyDecision.DENY);
         expect(trustRule).toBeDefined();
-        expect(trustRule?.priority).toBe(90);
+        expect(trustRule?.priority).toBe(2.2); // MCP trusted server
         expect(excludeRule).toBeDefined();
-        expect(excludeRule?.priority).toBe(195);
+        expect(excludeRule?.priority).toBe(2.9); // MCP excluded server
         // Exclude (195) should win over trust (90) when evaluated
     });
-    it('should handle all approval modes correctly', () => {
+    it('should handle all approval modes correctly', async () => {
+        const { createPolicyEngineConfig } = await import('./policy.js');
         const settings = {};
         // Test DEFAULT mode
-        const defaultConfig = createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const defaultConfig = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
         expect(defaultConfig.defaultDecision).toBe(PolicyDecision.ASK_USER);
         expect(defaultConfig.rules?.find((r) => !r.toolName && r.decision === PolicyDecision.ALLOW)).toBeUndefined();
         // Test YOLO mode
-        const yoloConfig = createPolicyEngineConfig(settings, ApprovalMode.YOLO);
+        const yoloConfig = await createPolicyEngineConfig(settings, ApprovalMode.YOLO);
         expect(yoloConfig.defaultDecision).toBe(PolicyDecision.ASK_USER);
         const yoloWildcard = yoloConfig.rules?.find((r) => !r.toolName && r.decision === PolicyDecision.ALLOW);
         expect(yoloWildcard).toBeDefined();
-        expect(yoloWildcard?.priority).toBe(0);
+        // Priority 999 in default tier → 1.999
+        expect(yoloWildcard?.priority).toBeCloseTo(1.999, 5);
         // Test AUTO_EDIT mode
-        const autoEditConfig = createPolicyEngineConfig(settings, ApprovalMode.AUTO_EDIT);
+        const autoEditConfig = await createPolicyEngineConfig(settings, ApprovalMode.AUTO_EDIT);
         expect(autoEditConfig.defaultDecision).toBe(PolicyDecision.ASK_USER);
         const editRule = autoEditConfig.rules?.find((r) => r.toolName === 'replace' && r.decision === PolicyDecision.ALLOW);
         expect(editRule).toBeDefined();
-        expect(editRule?.priority).toBe(15);
+        // Priority 15 in default tier → 1.015
+        expect(editRule?.priority).toBeCloseTo(1.015, 5);
+    });
+    it('should support argsPattern in policy rules', async () => {
+        const actualFs = await vi.importActual('node:fs/promises');
+        const mockReaddir = vi.fn(async (path, options) => {
+            if (typeof path === 'string' &&
+                nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('.gemini/policies'))) {
+                return [
+                    {
+                        name: 'write.toml',
+                        isFile: () => true,
+                        isDirectory: () => false,
+                    },
+                ];
+            }
+            return actualFs.readdir(path, options);
+        });
+        const mockReadFile = vi.fn(async (path, options) => {
+            if (typeof path === 'string' &&
+                nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('.gemini/policies/write.toml'))) {
+                return `
+[[rule]]
+toolName = "run_shell_command"
+argsPattern = "\\"command\\":\\"git (status|diff|log)\\""
+decision = "allow"
+priority = 150
+`;
+            }
+            return actualFs.readFile(path, options);
+        });
+        vi.doMock('node:fs/promises', () => ({
+            ...actualFs,
+            default: { ...actualFs, readFile: mockReadFile, readdir: mockReaddir },
+            readFile: mockReadFile,
+            readdir: mockReaddir,
+        }));
+        vi.resetModules();
+        const { createPolicyEngineConfig } = await import('./policy.js');
+        const settings = {};
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const rule = config.rules?.find((r) => r.toolName === 'run_shell_command' &&
+            r.decision === PolicyDecision.ALLOW);
+        expect(rule).toBeDefined();
+        // Priority 150 in user tier → 2.150
+        expect(rule?.priority).toBeCloseTo(2.15, 5);
+        expect(rule?.argsPattern).toBeInstanceOf(RegExp);
+        expect(rule?.argsPattern?.test('{"command":"git status"}')).toBe(true);
+        expect(rule?.argsPattern?.test('{"command":"git diff"}')).toBe(true);
+        expect(rule?.argsPattern?.test('{"command":"git log"}')).toBe(true);
+        expect(rule?.argsPattern?.test('{"command":"git commit"}')).toBe(false);
+        expect(rule?.argsPattern?.test('{"command":"git push"}')).toBe(false);
+        vi.doUnmock('node:fs/promises');
+    });
+    it('should load and apply user-defined policies', async () => {
+        const actualFs = await vi.importActual('node:fs/promises');
+        const mockReaddir = vi.fn(async (path, options) => {
+            if (typeof path === 'string' &&
+                nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('.gemini/policies'))) {
+                return [
+                    {
+                        name: 'write.toml',
+                        isFile: () => true,
+                        isDirectory: () => false,
+                    },
+                ];
+            }
+            return actualFs.readdir(path, options);
+        });
+        const mockReadFile = vi.fn(async (path, options) => {
+            if (typeof path === 'string' &&
+                nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('.gemini/policies/write.toml'))) {
+                return `
+[[rule]]
+toolName = "run_shell_command"
+decision = "allow"
+priority = 150
+`;
+            }
+            return actualFs.readFile(path, options);
+        });
+        vi.doMock('node:fs/promises', () => ({
+            ...actualFs,
+            default: { ...actualFs, readFile: mockReadFile, readdir: mockReaddir },
+            readFile: mockReadFile,
+            readdir: mockReaddir,
+        }));
+        vi.resetModules();
+        const { createPolicyEngineConfig } = await import('./policy.js');
+        const settings = {};
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const rule = config.rules?.find((r) => r.toolName === 'run_shell_command' &&
+            r.decision === PolicyDecision.ALLOW);
+        expect(rule).toBeDefined();
+        // Priority 150 in user tier → 2.150
+        expect(rule?.priority).toBeCloseTo(2.15, 5);
+        vi.doUnmock('node:fs/promises');
+    });
+    it('should load and apply admin policies over user and default policies', async () => {
+        process.env['GEMINI_CLI_SYSTEM_SETTINGS_PATH'] = '/tmp/admin/settings.json';
+        const actualFs = await vi.importActual('node:fs/promises');
+        const mockReaddir = vi.fn(async (path, options) => {
+            if (typeof path === 'string') {
+                if (nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('/tmp/admin/policies'))) {
+                    return [
+                        {
+                            name: 'write.toml',
+                            isFile: () => true,
+                            isDirectory: () => false,
+                        },
+                    ];
+                }
+                if (nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('.gemini/policies'))) {
+                    return [
+                        {
+                            name: 'write.toml',
+                            isFile: () => true,
+                            isDirectory: () => false,
+                        },
+                    ];
+                }
+            }
+            return actualFs.readdir(path, options);
+        });
+        const mockReadFile = vi.fn(async (path, options) => {
+            if (typeof path === 'string' &&
+                (nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('/tmp/admin/policies/write.toml')) ||
+                    path.endsWith('tmp/admin/policies/write.toml'))) {
+                return `
+[[rule]]
+toolName = "run_shell_command"
+decision = "deny"
+priority = 200
+`;
+            }
+            if (typeof path === 'string' &&
+                nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('.gemini/policies/write.toml'))) {
+                return `
+[[rule]]
+toolName = "run_shell_command"
+decision = "allow"
+priority = 150
+`;
+            }
+            return actualFs.readFile(path, options);
+        });
+        vi.doMock('node:fs/promises', () => ({
+            ...actualFs,
+            default: { ...actualFs, readFile: mockReadFile, readdir: mockReaddir },
+            readFile: mockReadFile,
+            readdir: mockReaddir,
+        }));
+        vi.resetModules();
+        const { createPolicyEngineConfig } = await import('./policy.js');
+        const settings = {};
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const denyRule = config.rules?.find((r) => r.toolName === 'run_shell_command' &&
+            r.decision === PolicyDecision.DENY);
+        const allowRule = config.rules?.find((r) => r.toolName === 'run_shell_command' &&
+            r.decision === PolicyDecision.ALLOW);
+        expect(denyRule).toBeDefined();
+        // Priority 200 in admin tier → 3.200
+        expect(denyRule?.priority).toBeCloseTo(3.2, 5);
+        expect(allowRule).toBeDefined();
+        // Priority 150 in user tier → 2.150
+        expect(allowRule?.priority).toBeCloseTo(2.15, 5);
+        expect(denyRule.priority).toBeGreaterThan(allowRule.priority);
+        delete process.env['GEMINI_CLI_SYSTEM_SETTINGS_PATH'];
+        vi.doUnmock('node:fs/promises');
+    });
+    it('should apply priority bands to ensure Admin > User > Default hierarchy', async () => {
+        process.env['GEMINI_CLI_SYSTEM_SETTINGS_PATH'] = '/tmp/admin/settings.json';
+        const actualFs = await vi.importActual('node:fs/promises');
+        const mockReaddir = vi.fn(async (path, options) => {
+            if (typeof path === 'string') {
+                if (nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('/tmp/admin/policies'))) {
+                    return [
+                        {
+                            name: 'admin-policy.toml',
+                            isFile: () => true,
+                            isDirectory: () => false,
+                        },
+                    ];
+                }
+                if (nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('.gemini/policies'))) {
+                    return [
+                        {
+                            name: 'user-policy.toml',
+                            isFile: () => true,
+                            isDirectory: () => false,
+                        },
+                    ];
+                }
+            }
+            return actualFs.readdir(path, options);
+        });
+        const mockReadFile = vi.fn(async (path, options) => {
+            if (typeof path === 'string') {
+                // Admin policy with low priority (100)
+                if (nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('/tmp/admin/policies/admin-policy.toml'))) {
+                    return `
+[[rule]]
+toolName = "run_shell_command"
+decision = "deny"
+priority = 100
+`;
+                }
+                // User policy with high priority (900)
+                if (nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('.gemini/policies/user-policy.toml'))) {
+                    return `
+[[rule]]
+toolName = "run_shell_command"
+decision = "allow"
+priority = 900
+`;
+                }
+            }
+            return actualFs.readFile(path, options);
+        });
+        vi.doMock('node:fs/promises', () => ({
+            ...actualFs,
+            default: { ...actualFs, readFile: mockReadFile, readdir: mockReaddir },
+            readFile: mockReadFile,
+            readdir: mockReaddir,
+        }));
+        vi.resetModules();
+        const { createPolicyEngineConfig } = await import('./policy.js');
+        const settings = {};
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const adminRule = config.rules?.find((r) => r.toolName === 'run_shell_command' &&
+            r.decision === PolicyDecision.DENY);
+        const userRule = config.rules?.find((r) => r.toolName === 'run_shell_command' &&
+            r.decision === PolicyDecision.ALLOW);
+        expect(adminRule).toBeDefined();
+        expect(userRule).toBeDefined();
+        // Admin priority should be 3.100 (tier 3 + 100/1000)
+        expect(adminRule?.priority).toBeCloseTo(3.1, 5);
+        // User priority should be 2.900 (tier 2 + 900/1000)
+        expect(userRule?.priority).toBeCloseTo(2.9, 5);
+        // Admin rule with low priority should still beat user rule with high priority
+        expect(adminRule.priority).toBeGreaterThan(userRule.priority);
+        delete process.env['GEMINI_CLI_SYSTEM_SETTINGS_PATH'];
+        vi.doUnmock('node:fs/promises');
+    });
+    it('should apply correct priority transformations for each tier', async () => {
+        process.env['GEMINI_CLI_SYSTEM_SETTINGS_PATH'] = '/tmp/admin/settings.json';
+        const actualFs = await vi.importActual('node:fs/promises');
+        const mockReaddir = vi.fn(async (path, options) => {
+            if (typeof path === 'string') {
+                if (nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('/tmp/admin/policies'))) {
+                    return [
+                        {
+                            name: 'admin.toml',
+                            isFile: () => true,
+                            isDirectory: () => false,
+                        },
+                    ];
+                }
+                if (nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('.gemini/policies'))) {
+                    return [
+                        {
+                            name: 'user.toml',
+                            isFile: () => true,
+                            isDirectory: () => false,
+                        },
+                    ];
+                }
+            }
+            return actualFs.readdir(path, options);
+        });
+        const mockReadFile = vi.fn(async (path, options) => {
+            if (typeof path === 'string') {
+                if (nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('/tmp/admin/policies/admin.toml'))) {
+                    return `
+[[rule]]
+toolName = "admin-tool"
+decision = "allow"
+priority = 500
+`;
+                }
+                if (nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('.gemini/policies/user.toml'))) {
+                    return `
+[[rule]]
+toolName = "user-tool"
+decision = "allow"
+priority = 500
+`;
+                }
+            }
+            return actualFs.readFile(path, options);
+        });
+        vi.doMock('node:fs/promises', () => ({
+            ...actualFs,
+            default: { ...actualFs, readFile: mockReadFile, readdir: mockReaddir },
+            readFile: mockReadFile,
+            readdir: mockReaddir,
+        }));
+        vi.resetModules();
+        const { createPolicyEngineConfig } = await import('./policy.js');
+        const settings = {};
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const adminRule = config.rules?.find((r) => r.toolName === 'admin-tool');
+        const userRule = config.rules?.find((r) => r.toolName === 'user-tool');
+        expect(adminRule).toBeDefined();
+        expect(userRule).toBeDefined();
+        // Priority 500 in admin tier → 3.500
+        expect(adminRule?.priority).toBeCloseTo(3.5, 5);
+        // Priority 500 in user tier → 2.500
+        expect(userRule?.priority).toBeCloseTo(2.5, 5);
+        delete process.env['GEMINI_CLI_SYSTEM_SETTINGS_PATH'];
+        vi.doUnmock('node:fs/promises');
+    });
+    it('should support array syntax for toolName in TOML policies', async () => {
+        const actualFs = await vi.importActual('node:fs/promises');
+        const mockReaddir = vi.fn(async (path, options) => {
+            if (typeof path === 'string' &&
+                nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('.gemini/policies'))) {
+                return [
+                    {
+                        name: 'array-test.toml',
+                        isFile: () => true,
+                        isDirectory: () => false,
+                    },
+                ];
+            }
+            return actualFs.readdir(path, options);
+        });
+        const mockReadFile = vi.fn(async (path, options) => {
+            if (typeof path === 'string' &&
+                nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('.gemini/policies/array-test.toml'))) {
+                return `
+# Test array syntax for toolName
+[[rule]]
+toolName = ["tool1", "tool2", "tool3"]
+decision = "allow"
+priority = 100
+
+# Test array syntax with mcpName
+[[rule]]
+mcpName = "google-workspace"
+toolName = ["calendar.findFreeTime", "calendar.getEvent", "calendar.list"]
+decision = "allow"
+priority = 150
+`;
+            }
+            return actualFs.readFile(path, options);
+        });
+        vi.doMock('node:fs/promises', () => ({
+            ...actualFs,
+            default: { ...actualFs, readFile: mockReadFile, readdir: mockReaddir },
+            readFile: mockReadFile,
+            readdir: mockReaddir,
+        }));
+        vi.resetModules();
+        const { createPolicyEngineConfig } = await import('./policy.js');
+        const settings = {};
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        // Should create separate rules for each tool in the array
+        const tool1Rule = config.rules?.find((r) => r.toolName === 'tool1');
+        const tool2Rule = config.rules?.find((r) => r.toolName === 'tool2');
+        const tool3Rule = config.rules?.find((r) => r.toolName === 'tool3');
+        expect(tool1Rule).toBeDefined();
+        expect(tool2Rule).toBeDefined();
+        expect(tool3Rule).toBeDefined();
+        // All should have the same decision and priority
+        expect(tool1Rule?.decision).toBe(PolicyDecision.ALLOW);
+        expect(tool2Rule?.decision).toBe(PolicyDecision.ALLOW);
+        expect(tool3Rule?.decision).toBe(PolicyDecision.ALLOW);
+        // Priority 100 in user tier → 2.100
+        expect(tool1Rule?.priority).toBeCloseTo(2.1, 5);
+        expect(tool2Rule?.priority).toBeCloseTo(2.1, 5);
+        expect(tool3Rule?.priority).toBeCloseTo(2.1, 5);
+        // MCP tools should have composite names
+        const calendarFreeTime = config.rules?.find((r) => r.toolName === 'google-workspace__calendar.findFreeTime');
+        const calendarGetEvent = config.rules?.find((r) => r.toolName === 'google-workspace__calendar.getEvent');
+        const calendarList = config.rules?.find((r) => r.toolName === 'google-workspace__calendar.list');
+        expect(calendarFreeTime).toBeDefined();
+        expect(calendarGetEvent).toBeDefined();
+        expect(calendarList).toBeDefined();
+        // All should have the same decision and priority
+        expect(calendarFreeTime?.decision).toBe(PolicyDecision.ALLOW);
+        expect(calendarGetEvent?.decision).toBe(PolicyDecision.ALLOW);
+        expect(calendarList?.decision).toBe(PolicyDecision.ALLOW);
+        // Priority 150 in user tier → 2.150
+        expect(calendarFreeTime?.priority).toBeCloseTo(2.15, 5);
+        expect(calendarGetEvent?.priority).toBeCloseTo(2.15, 5);
+        expect(calendarList?.priority).toBeCloseTo(2.15, 5);
+        vi.doUnmock('node:fs/promises');
+    });
+    it('should support commandPrefix syntax for shell commands', async () => {
+        const actualFs = await vi.importActual('node:fs/promises');
+        const mockReaddir = vi.fn(async (path, options) => {
+            if (typeof path === 'string' &&
+                nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('.gemini/policies'))) {
+                return [
+                    {
+                        name: 'shell.toml',
+                        isFile: () => true,
+                        isDirectory: () => false,
+                    },
+                ];
+            }
+            return actualFs.readdir(path, options);
+        });
+        const mockReadFile = vi.fn(async (path, options) => {
+            if (typeof path === 'string' &&
+                nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('.gemini/policies/shell.toml'))) {
+                return `
+[[rule]]
+toolName = "run_shell_command"
+commandPrefix = "git status"
+decision = "allow"
+priority = 100
+`;
+            }
+            return actualFs.readFile(path, options);
+        });
+        vi.doMock('node:fs/promises', () => ({
+            ...actualFs,
+            default: { ...actualFs, readFile: mockReadFile, readdir: mockReaddir },
+            readFile: mockReadFile,
+            readdir: mockReaddir,
+        }));
+        vi.resetModules();
+        const { createPolicyEngineConfig } = await import('./policy.js');
+        const settings = {};
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const rule = config.rules?.find((r) => r.toolName === 'run_shell_command' &&
+            r.decision === PolicyDecision.ALLOW);
+        expect(rule).toBeDefined();
+        expect(rule?.priority).toBeCloseTo(2.1, 5);
+        expect(rule?.argsPattern).toBeInstanceOf(RegExp);
+        // Should match commands starting with "git status"
+        expect(rule?.argsPattern?.test('{"command":"git status"}')).toBe(true);
+        expect(rule?.argsPattern?.test('{"command":"git status --short"}')).toBe(true);
+        // Should not match other commands
+        expect(rule?.argsPattern?.test('{"command":"git branch"}')).toBe(false);
+        vi.doUnmock('node:fs/promises');
+    });
+    it('should support array syntax for commandPrefix', async () => {
+        const actualFs = await vi.importActual('node:fs/promises');
+        const mockReaddir = vi.fn(async (path, options) => {
+            if (typeof path === 'string' &&
+                nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('.gemini/policies'))) {
+                return [
+                    {
+                        name: 'shell.toml',
+                        isFile: () => true,
+                        isDirectory: () => false,
+                    },
+                ];
+            }
+            return actualFs.readdir(path, options);
+        });
+        const mockReadFile = vi.fn(async (path, options) => {
+            if (typeof path === 'string' &&
+                nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('.gemini/policies/shell.toml'))) {
+                return `
+[[rule]]
+toolName = "run_shell_command"
+commandPrefix = ["git status", "git branch", "git log"]
+decision = "allow"
+priority = 100
+`;
+            }
+            return actualFs.readFile(path, options);
+        });
+        vi.doMock('node:fs/promises', () => ({
+            ...actualFs,
+            default: { ...actualFs, readFile: mockReadFile, readdir: mockReaddir },
+            readFile: mockReadFile,
+            readdir: mockReaddir,
+        }));
+        vi.resetModules();
+        const { createPolicyEngineConfig } = await import('./policy.js');
+        const settings = {};
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const rules = config.rules?.filter((r) => r.toolName === 'run_shell_command' &&
+            r.decision === PolicyDecision.ALLOW);
+        // Should create 3 rules (one for each prefix)
+        expect(rules?.length).toBe(3);
+        // All rules should have the same priority and decision
+        rules?.forEach((rule) => {
+            expect(rule.priority).toBeCloseTo(2.1, 5);
+            expect(rule.decision).toBe(PolicyDecision.ALLOW);
+        });
+        // Test that each prefix pattern works
+        const patterns = rules?.map((r) => r.argsPattern);
+        expect(patterns?.some((p) => p?.test('{"command":"git status"}'))).toBe(true);
+        expect(patterns?.some((p) => p?.test('{"command":"git branch"}'))).toBe(true);
+        expect(patterns?.some((p) => p?.test('{"command":"git log"}'))).toBe(true);
+        // Should not match other commands
+        expect(patterns?.some((p) => p?.test('{"command":"git commit"}'))).toBe(false);
+        vi.doUnmock('node:fs/promises');
+    });
+    it('should support commandRegex syntax for shell commands', async () => {
+        const actualFs = await vi.importActual('node:fs/promises');
+        const mockReaddir = vi.fn(async (path, options) => {
+            if (typeof path === 'string' &&
+                nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('.gemini/policies'))) {
+                return [
+                    {
+                        name: 'shell.toml',
+                        isFile: () => true,
+                        isDirectory: () => false,
+                    },
+                ];
+            }
+            return actualFs.readdir(path, options);
+        });
+        const mockReadFile = vi.fn(async (path, options) => {
+            if (typeof path === 'string' &&
+                nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('.gemini/policies/shell.toml'))) {
+                return `
+[[rule]]
+toolName = "run_shell_command"
+commandRegex = "git (status|branch|log).*"
+decision = "allow"
+priority = 100
+`;
+            }
+            return actualFs.readFile(path, options);
+        });
+        vi.doMock('node:fs/promises', () => ({
+            ...actualFs,
+            default: { ...actualFs, readFile: mockReadFile, readdir: mockReaddir },
+            readFile: mockReadFile,
+            readdir: mockReaddir,
+        }));
+        vi.resetModules();
+        const { createPolicyEngineConfig } = await import('./policy.js');
+        const settings = {};
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const rule = config.rules?.find((r) => r.toolName === 'run_shell_command' &&
+            r.decision === PolicyDecision.ALLOW);
+        expect(rule).toBeDefined();
+        expect(rule?.priority).toBeCloseTo(2.1, 5);
+        expect(rule?.argsPattern).toBeInstanceOf(RegExp);
+        // Should match commands matching the regex
+        expect(rule?.argsPattern?.test('{"command":"git status"}')).toBe(true);
+        expect(rule?.argsPattern?.test('{"command":"git status --short"}')).toBe(true);
+        expect(rule?.argsPattern?.test('{"command":"git branch"}')).toBe(true);
+        expect(rule?.argsPattern?.test('{"command":"git log --all"}')).toBe(true);
+        // Should not match commands not in the regex
+        expect(rule?.argsPattern?.test('{"command":"git commit"}')).toBe(false);
+        expect(rule?.argsPattern?.test('{"command":"git push"}')).toBe(false);
+        vi.doUnmock('node:fs/promises');
+    });
+    it('should escape regex special characters in commandPrefix', async () => {
+        const actualFs = await vi.importActual('node:fs/promises');
+        const mockReaddir = vi.fn(async (path, options) => {
+            if (typeof path === 'string' &&
+                nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('.gemini/policies'))) {
+                return [
+                    {
+                        name: 'shell.toml',
+                        isFile: () => true,
+                        isDirectory: () => false,
+                    },
+                ];
+            }
+            return actualFs.readdir(path, options);
+        });
+        const mockReadFile = vi.fn(async (path, options) => {
+            if (typeof path === 'string' &&
+                nodePath
+                    .normalize(path)
+                    .includes(nodePath.normalize('.gemini/policies/shell.toml'))) {
+                return `
+[[rule]]
+toolName = "run_shell_command"
+commandPrefix = "git log *.txt"
+decision = "allow"
+priority = 100
+`;
+            }
+            return actualFs.readFile(path, options);
+        });
+        vi.doMock('node:fs/promises', () => ({
+            ...actualFs,
+            default: { ...actualFs, readFile: mockReadFile, readdir: mockReaddir },
+            readFile: mockReadFile,
+            readdir: mockReaddir,
+        }));
+        vi.resetModules();
+        const { createPolicyEngineConfig } = await import('./policy.js');
+        const settings = {};
+        const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT);
+        const rule = config.rules?.find((r) => r.toolName === 'run_shell_command' &&
+            r.decision === PolicyDecision.ALLOW);
+        expect(rule).toBeDefined();
+        // Should match the literal string "git log *.txt" (asterisk is escaped)
+        expect(rule?.argsPattern?.test('{"command":"git log *.txt"}')).toBe(true);
+        // Should not match "git log a.txt" because * is escaped to literal asterisk
+        expect(rule?.argsPattern?.test('{"command":"git log a.txt"}')).toBe(false);
+        vi.doUnmock('node:fs/promises');
     });
 });
 //# sourceMappingURL=policy.test.js.map