feat(policy): support auto-add to policy by default and scoped persistence

[spencer426]

Summary

This PR implements the "auto-add to policy by default" feature (#17148) as an opt-in setting, streamlining the tool approval process in trusted workspaces while enhancing security through rule narrowing for edit/exec tools and workspace-scoped persistence.

Details

• Opt-in Auto-add: The new setting security.autoAddToPolicyByDefault (default: false) allows users to make "Allow for all future sessions" the default choice for tools in trusted workspaces.
• Rule Narrowing & Scoped Persistence:
  • Approvals for edit tools (e.g., write_file) and exec tools are now strictly narrowed to the specific file or root command using relative paths.
  • Policy persistence now prefers a workspace-local policy file (.gemini/policies/auto-saved.toml) when the folder is trusted.
• Improved UI Clarity: UI labels for permanent approvals have been updated to be more specific (e.g., "Allow for this file in all future sessions").
• Core Refactors & Robustness:
  • Refactored regex pattern builders in utils.ts to use safe JSON.stringify logic, avoiding brittle slicing.
  • Restored and unified priority calculation logic using getAlwaysAllowPriorityFraction and ALWAYS_ALLOW_PRIORITY_FRACTION.
  • Improved test stability using advanceTimersByTimeAsync and escapeRegex for assertions.
  • Fixed a regression where EditTool path correction was interfering with policy matching.
• Experimental Sandbox Support: (Note: This PR currently includes experimental support for LXC and gVisor/runsc sandboxing as part of the broader tool isolation improvements).

Related Issues

Closes #17148

How to Validate

1. Enable Opt-in: Set "security.autoAddToPolicyByDefault": true and "security.enablePermanentToolApproval": true in your settings.
2. Trusted Folder: Open the CLI in a trusted directory.
3. Trigger Edit: Perform an operation that triggers edit or write_file.
4. Observe Default: Verify that "Allow for this file in all future sessions" is the default selected option.
5. Verify Persistence: Select the option and verify that a narrowed rule is saved to .gemini/policies/auto-saved.toml (if workspace policies are enabled) or the global auto-saved policy.
6. Narrowing Check: Verify the saved rule uses a relative path and correctly constrains future calls.

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • Linux
    • npm run

[github-actions]

Size Change: +6.46 kB (+0.02%)

Total Size: 26.2 MB

Filename	Size	Change
./bundle/gemini.js	25.7 MB	+6.46 kB (+0.03%)

ℹ️ View Unchanged

Filename	Size
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js	221 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js	227 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js	11.5 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js	132 B
./bundle/sandbox-macos-permissive-open.sb	890 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB
./bundle/sandbox-macos-strict-open.sb	4.82 kB
./bundle/sandbox-macos-strict-proxied.sb	5.02 kB

_{compressed-size-action}

[jacob314]

LGTM once we back out the functionality making approve all the default which needs to be an opt in only setting or removed.

[jacob314]

why are we calling escapeRegex here and line 116? That seems unneeded.

[mattKorwel]

gemini tells me without this we are insecure? i blocked the follow on pr just to verify...

---

Review and Manual Test Results

• Intent of the PR: The author intended to remove the escapeRegex wrapping from buildFilePathArgsPattern and buildPatternArgsPattern in packages/core/src/policy/utils.ts, claiming that JSON.stringify already safely escapes paths and patterns.
• Identified Bug: Both the static review and the manual script execution identified a critical flaw in this logic. While JSON.stringify safely escapes strings for valid JSON syntax (e.g., quotes and newlines), it does not escape Regular Expression control
  characters (such as ., +, ?, [, ], (, ), etc.).
• Manual Execution Findings: A test script verified that without escapeRegex, any file path or pattern containing regex special characters (like src/foo[bar].ts) fails to match its literal string counterpart because the characters are interpreted as regex operators
  rather than literal characters.

Final Recommendation
Reject the PR.

The changes introduce a critical bug that compromises the security, accuracy, and core logic of the policy engine. The removal of escapeRegex breaks literal string matching for any file path or pattern containing regex special characters.

The assessment recommends leaving a comment on the PR explaining the difference between JSON escaping and Regex escaping, and requesting that the author restore the escapeRegex calls around JSON.stringify.

[jacob314]

Sorry my mistake. I think the correct order of operations is
JSON.stringify(escapeRegex(filePath))
Calling escapeRegex after the JSON.stringify doesn't make sense but calling it before is reasonable if the pattern we are trying to match is the filePath as an escaped regexp.

[jacob314]