policy-engine-builder
SKILL.md
Policy Engine Builder
π¨ MANDATORY: Invoke gemini-cli-docs First
STOP - Before providing ANY response about Gemini policy engine:
- INVOKE
gemini-cli-docsskill- QUERY for the specific policy topic
- BASE all responses EXCLUSIVELY on official documentation loaded
Overview
This skill provides guidance for configuring Gemini CLI's Policy Engine using TOML rules. The policy engine controls tool execution with fine-grained allow/deny/ask rules.
When to Use This Skill
Keywords: policy engine, policy toml, tool policy, allow deny, gemini rules, security policy, mcp policy
Use this skill when:
- Restricting which tools Gemini can use
- Creating enterprise security policies
- Controlling MCP server permissions
- Setting up approval workflows
- Auditing tool execution rules
Policy File Locations
User Policies
~/.gemini/policies/
βββ default.toml # User default rules
βββ security.toml # Additional security rules
Project Policies
.gemini/policies/
βββ project.toml # Project-specific rules
βββ team.toml # Team conventions
System Policies (Enterprise)
/etc/gemini-cli/policies/ # Linux
/Library/Application Support/GeminiCli/policies/ # macOS
C:\ProgramData\gemini-cli\policies\ # Windows
Rule Structure
Basic Rule
[[rule]]
toolName = "run_shell_command"
decision = "ask_user"
priority = 100
Rule Fields
| Field | Type | Description |
|---|---|---|
toolName |
string/array | Tool name(s) to match |
mcpName |
string | MCP server name |
argsPattern |
string | Regex for tool arguments |
commandPrefix |
string/array | Shell command prefix(es) |
commandRegex |
string | Regex for shell commands |
decision |
string | allow, deny, or ask_user |
priority |
number | 0-999 within tier |
modes |
array | Optional: yolo, autoEdit |
Decision Types
Allow
Automatically approve without prompting:
[[rule]]
toolName = "read_file"
decision = "allow"
priority = 100
Deny
Block execution entirely:
[[rule]]
toolName = "run_shell_command"
commandPrefix = "rm -rf"
decision = "deny"
priority = 999
Ask User
Prompt for confirmation:
[[rule]]
toolName = "write_file"
decision = "ask_user"
priority = 100
Priority System
Three Tiers
| Tier | Base | Source |
|---|---|---|
| Default | 1 | Built-in defaults |
| User | 2 | User policies |
| Admin | 3 | System/enterprise |
Priority Calculation
The formula is: final_priority = tier_base + (toml_priority / 1000)
Example:
- User rule with priority 100 β 2 + (100/1000) = 2.100
- Admin rule with priority 50 β 3 + (50/1000) = 3.050
Higher tier always wins, then higher priority within tier.
Priority Guidelines
| Priority | Use Case |
|---|---|
| 0-99 | Low priority defaults |
| 100-499 | Normal rules |
| 500-799 | Important restrictions |
| 800-999 | Critical security rules |
Tool Matching
Single Tool
[[rule]]
toolName = "run_shell_command"
decision = "ask_user"
Multiple Tools
[[rule]]
toolName = ["write_file", "replace"]
decision = "ask_user"
All Tools
[[rule]]
toolName = "*"
decision = "ask_user"
Shell Command Patterns
Command Prefix
# Match commands starting with "git"
[[rule]]
toolName = "run_shell_command"
commandPrefix = "git "
decision = "allow"
priority = 100
Multiple Prefixes
[[rule]]
toolName = "run_shell_command"
commandPrefix = ["npm ", "yarn ", "pnpm "]
decision = "allow"
priority = 100
Command Regex
# Match destructive commands
[[rule]]
toolName = "run_shell_command"
commandRegex = "^(rm|rmdir|del|rd)\\s"
decision = "deny"
priority = 999
Argument Patterns
JSON Argument Matching
Tool arguments are JSON strings:
# Deny writes to sensitive paths
[[rule]]
toolName = "write_file"
argsPattern = ".*\\.(env|key|pem|crt)$"
decision = "deny"
priority = 900
Complex Patterns
# Allow reads only from src/
[[rule]]
toolName = "read_file"
argsPattern = "^\\{\"path\":\"src/.*\"\\}$"
decision = "allow"
priority = 100
MCP Server Rules
Server-Level Control
# Deny all tools from untrusted server
[[rule]]
mcpName = "untrusted-server"
decision = "deny"
priority = 500
Tool-Level Control
# Allow specific tool from server
[[rule]]
mcpName = "my-server"
toolName = "safe_tool"
decision = "allow"
priority = 100
Wildcards
# All tools from server pattern
[[rule]]
toolName = "my-server__*"
decision = "ask_user"
priority = 100
Approval Modes
YOLO Mode Rules
Apply only in YOLO mode (--yolo):
[[rule]]
toolName = "write_file"
decision = "allow"
modes = ["yolo"]
priority = 100
Auto-Edit Mode Rules
Apply in auto-edit mode:
[[rule]]
toolName = "replace"
decision = "allow"
modes = ["autoEdit"]
priority = 100
Template Library
Secure Development Environment
# Allow read operations
[[rule]]
toolName = ["read_file", "glob", "search_file_content", "list_directory"]
decision = "allow"
priority = 100
# Ask for writes
[[rule]]
toolName = ["write_file", "replace"]
decision = "ask_user"
priority = 100
# Allow safe git commands
[[rule]]
toolName = "run_shell_command"
commandPrefix = ["git status", "git diff", "git log", "git branch"]
decision = "allow"
priority = 200
# Ask for other git commands
[[rule]]
toolName = "run_shell_command"
commandPrefix = "git "
decision = "ask_user"
priority = 150
# Deny destructive commands
[[rule]]
toolName = "run_shell_command"
commandRegex = "^(rm|rmdir|del|rd|format|mkfs)\\s"
decision = "deny"
priority = 999
Read-Only Mode
# Allow all reads
[[rule]]
toolName = ["read_file", "glob", "search_file_content", "list_directory", "web_fetch"]
decision = "allow"
priority = 100
# Deny all writes
[[rule]]
toolName = ["write_file", "replace", "run_shell_command"]
decision = "deny"
priority = 500
NPM/Node.js Safe
# Allow npm read commands
[[rule]]
toolName = "run_shell_command"
commandPrefix = ["npm list", "npm outdated", "npm audit"]
decision = "allow"
priority = 200
# Ask for npm install/run
[[rule]]
toolName = "run_shell_command"
commandPrefix = ["npm install", "npm run", "npm exec"]
decision = "ask_user"
priority = 150
# Deny npm publish
[[rule]]
toolName = "run_shell_command"
commandPrefix = "npm publish"
decision = "deny"
priority = 900
MCP Server Restrictions
# Deny all external MCP servers by default
[[rule]]
toolName = "*__*"
decision = "deny"
priority = 100
# Allow specific trusted server
[[rule]]
mcpName = "trusted-internal-server"
decision = "allow"
priority = 200
# Allow specific tools from another server
[[rule]]
toolName = ["other-server__read_docs", "other-server__search"]
decision = "allow"
priority = 200
Enterprise Lockdown
# System-level (Admin tier)
# Block all network access
[[rule]]
toolName = ["web_fetch", "google_web_search"]
decision = "deny"
priority = 999
# Block all MCP servers
[[rule]]
toolName = "*__*"
decision = "deny"
priority = 999
# Allow only reads
[[rule]]
toolName = ["read_file", "glob", "search_file_content"]
decision = "allow"
priority = 100
# Block all shell commands except safe ones
[[rule]]
toolName = "run_shell_command"
decision = "deny"
priority = 500
[[rule]]
toolName = "run_shell_command"
commandPrefix = ["ls ", "cat ", "echo ", "pwd"]
decision = "allow"
priority = 600
Validation
Check TOML Syntax
python -c "import tomllib; tomllib.load(open('policy.toml', 'rb'))"
Common Errors
| Error | Cause | Fix |
|---|---|---|
| Parse error | Invalid TOML | Check quotes, brackets |
| Rule ignored | Lower priority | Increase priority |
| Rule conflicts | Overlapping patterns | Refine patterns |
| Regex fails | Bad escape | Use \\ for backslash |
Debug Rules
# Test which rule matches
gemini "Test shell command" --debug-policy
Best Practices
1. Start Restrictive
# Default deny, then allow specific
[[rule]]
toolName = "*"
decision = "ask_user"
priority = 1
[[rule]]
toolName = "read_file"
decision = "allow"
priority = 100
2. Use Clear Priorities
# Security rules at 900+
[[rule]]
commandRegex = "^rm\\s"
decision = "deny"
priority = 999
# Normal rules at 100-499
[[rule]]
commandPrefix = "git "
decision = "allow"
priority = 200
3. Document Rules
# SECURITY: Block destructive file operations
# Reason: Prevent accidental data loss
# Author: security-team
# Date: 2025-11-30
[[rule]]
toolName = "run_shell_command"
commandRegex = "^(rm|rmdir)\\s+-r"
decision = "deny"
priority = 999
4. Test Before Deploy
# Test in interactive mode first
gemini --policy-file ./test-policy.toml
5. Layer Policies
System policies (enterprise defaults)
βββ User policies (personal preferences)
βββ Project policies (project-specific)
Related Skills
gemini-cli-docs- Official policy documentationtoml-command-builder- Custom command creation
Keyword Registry
| Topic | Keywords |
|---|---|
| Basic | policy engine, toml rules, tool policy |
| Decisions | allow, deny, ask_user, decision |
| Matching | toolName, commandPrefix, commandRegex, argsPattern |
| Priority | priority tier, rule priority, precedence |
| MCP | mcp policy, mcpName, server rules |
| Modes | yolo mode, autoEdit, approval mode |
Test Scenarios
Scenario 1: Create Policy Rule
Query: "How do I create a Gemini policy to block rm commands?" Expected Behavior:
- Skill activates on "policy engine" or "tool policy"
- Provides TOML rule with commandPrefix/commandRegex Success Criteria: User receives working deny rule for destructive commands
Scenario 2: Priority Configuration
Query: "How do Gemini policy priorities work?" Expected Behavior:
- Skill activates on "priority tier" or "rule priority"
- Explains tier system and calculation Success Criteria: User understands tier-based priority (Admin > User > Default)
Scenario 3: MCP Server Policy
Query: "How do I restrict MCP server tools in Gemini?" Expected Behavior:
- Skill activates on "mcp policy" or "server rules"
- Provides mcpName and wildcard patterns Success Criteria: User receives MCP-specific policy rules
Version History
- v1.1.0 (2025-12-01): Added MANDATORY section, Test Scenarios, Version History
- v1.0.0 (2025-11-25): Initial release
Weekly Installs
7
Repository
melodic-softwarβ¦-pluginsGitHub Stars
38
First Seen
Jan 24, 2026
Security Audits
Installed on
trae6
antigravity6
claude-code6
codex6
windsurf6
gemini-cli6