Context-Aware Persistent Policy Approvals #23245

@jerop

Problem Statement

Currently, when a user selects "Allow for all future sessions" for a tool or command, the resulting policy rule is globally applicable to all ApprovalModes.

While this provides a seamless experience for implementation, it can undermine the integrity of Plan Mode. Plan Mode is designed to be a safe, read-only "thinking" space for research and design. If a user trusts a powerful shell command or write operation during implementation, that trust "leaks" into Plan Mode, potentially allowing the model to execute side-effect-heavy actions during the research phase of a future task without a fresh confirmation. See issue reports in #22434.

Proposed Solution: Implicit Mode Restriction

Introduce Implicit Mode Restriction for persistent policy approvals. The CLI should be context-aware when saving new policies:

Behavioral Logic

  • When granted in Implementation Modes (Default, Auto-Edit, YOLO): Restrict to modes = ["default", "autoEdit", "yolo"]. (Secure-by-default; prevents execution during Plan Mode).
  • When granted in Plan Mode: Save as modes = undefined (All Modes). (Intentional elevation; the user explicitly trusts this for planning).

Alternatives Considered

  • Explicit Multiselect Dialog: Show a prompt after "Allow for all sessions" to let the user manually select modes.
    • Rejected: Adds too much "confirmation fatigue" and UI friction to an action intended to reduce it.
  • Sensitive-Tool-Only Restriction: Only apply this logic to a hardcoded list of "Sensitive Tools" (Write/Execute) while allowing "Read" tools globally.
    • Rejected: Difficult to maintain a hardcoded list of sensitive tools. The proposed solution is cleaner because core "safe" tools are already explicitly allowed in plan.toml, so they remain unaffected.
  • Status Quo (Global Trust): Keep the current behavior where all permissions are global.
    • Rejected: Leads to "trust leakage" where implementation-level permissions accidentally compromise the safety of the Plan Mode sandbox.

Technical Requirements

  • Message Protocol: Update the UpdatePolicy message in packages/core/src/confirmation-bus/types.ts to include an optional modes: ApprovalMode[] field.
  • Scheduler Logic: Update packages/core/src/scheduler/policy.ts to determine the appropriate mode restriction based on the current context.config.getApprovalMode() during the updatePolicy flow.
  • Persistence: Update the policy-updater in packages/core/src/policy/config.ts to correctly serialize the modes field into the .toml policy files.
  • Priority: Ensure these dynamic rules maintain their Tier 4 (User) priority to override default system denials in Plan Mode when applicable.

UX Impact

  • Zero Friction: No new UI dialogs or multiselect prompts.
  • Predictable Safety: Users who rely on Plan Mode as a sandbox get an extra layer of protection. Their "implementation-time" trust doesn't accidentally compromise their "planning-time" safety.
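
The behavioral logic above, sketched as an added example (not part of the original issue and not the project's code). All function and type names, the "plan" mode identifier, and the tool name used in testing are assumptions made for illustration.

```typescript
// Hypothetical model of Implicit Mode Restriction; not the project's API.
type ApprovalMode = "default" | "autoEdit" | "yolo" | "plan"; // "plan" id is assumed

interface PersistedRule {
  toolName: string;
  decision: "allow";
  modes?: ApprovalMode[]; // undefined means the rule applies in all modes
}

const IMPLEMENTATION_MODES: ApprovalMode[] = ["default", "autoEdit", "yolo"];

// Pick the mode restriction from the mode in which the user granted approval.
function modesForNewRule(grantedIn: ApprovalMode): ApprovalMode[] | undefined {
  // Granted in Plan Mode: intentional elevation, saved without a restriction.
  // Granted anywhere else: restricted so the trust cannot reach Plan Mode.
  return grantedIn === "plan" ? undefined : IMPLEMENTATION_MODES.slice();
}

// Build the rule that would be persisted for "Allow for all future sessions".
function buildRule(toolName: string, grantedIn: ApprovalMode): PersistedRule {
  const modes = modesForNewRule(grantedIn);
  return modes === undefined
    ? { toolName, decision: "allow" }
    : { toolName, decision: "allow", modes };
}

// A rule applies when the tool matches and the current mode is permitted.
function ruleApplies(rule: PersistedRule, toolName: string, current: ApprovalMode): boolean {
  if (rule.toolName !== toolName) return false;
  return rule.modes === undefined || rule.modes.indexOf(current) !== -1;
}

// "no_match" means no persisted rule applies and lower-priority policy decides.
function decide(
  rules: PersistedRule[],
  toolName: string,
  current: ApprovalMode
): "allow" | "no_match" {
  return rules.some((r) => ruleApplies(r, toolName, current)) ? "allow" : "no_match";
}

// The status quo for comparison: a rule saved with no mode restriction at all.
function buildGlobalRule(toolName: string): PersistedRule {
  return { toolName, decision: "allow" };
}
```

Comparing buildGlobalRule with buildRule for an approval granted in an implementation mode shows the leak the issue describes: the former still matches when the current mode is Plan Mode, the latter does not.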

Metadata

Labels

  • area/core: Issues related to User Interface, OS Support, Core Functionality
  • workstream-rollup: Label used to tag epics and features that are associated with one of the three primary workstreams
  • 🔒 maintainer only: ⛔ Do not contribute. Internal roadmap item.

Status

Closed
