Guide for creating Gemini CLI policy engine TOML rules. Covers rule syntax, priority tiers, conditions, and MCP wildcards. Use when restricting Gemini tools, creating security policies, controlling MCP server permissions, or setting up approval workflows.
Limited to specific tools
Additional assets for this skill
This skill is limited to using the following tools:
STOP - Before providing ANY response about Gemini policy engine:
- INVOKE
gemini-cli-docsskill- QUERY for the specific policy topic
- BASE all responses EXCLUSIVELY on official documentation loaded
This skill provides guidance for configuring Gemini CLI's Policy Engine using TOML rules. The policy engine controls tool execution with fine-grained allow/deny/ask rules.
Keywords: policy engine, policy toml, tool policy, allow deny, gemini rules, security policy, mcp policy
Use this skill when:
~/.gemini/policies/
āāā default.toml # User default rules
āāā security.toml # Additional security rules
.gemini/policies/
āāā project.toml # Project-specific rules
āāā team.toml # Team conventions
/etc/gemini-cli/policies/ # Linux
/Library/Application Support/GeminiCli/policies/ # macOS
C:\ProgramData\gemini-cli\policies\ # Windows
[[rule]]
toolName = "run_shell_command"
decision = "ask_user"
priority = 100
| Field | Type | Description |
|---|---|---|
toolName | string/array | Tool name(s) to match |
mcpName | string | MCP server name |
argsPattern | string | Regex for tool arguments |
commandPrefix | string/array | Shell command prefix(es) |
commandRegex | string | Regex for shell commands |
decision | string | allow, deny, or ask_user |
priority | number | 0-999 within tier |
modes | array | Optional: yolo, autoEdit |
Automatically approve without prompting:
[[rule]]
toolName = "read_file"
decision = "allow"
priority = 100
Block execution entirely:
[[rule]]
toolName = "run_shell_command"
commandPrefix = "rm -rf"
decision = "deny"
priority = 999
Prompt for confirmation:
[[rule]]
toolName = "write_file"
decision = "ask_user"
priority = 100
| Tier | Base | Source |
|---|---|---|
| Default | 1 | Built-in defaults |
| User | 2 | User policies |
| Admin | 3 | System/enterprise |
The formula is: final_priority = tier_base + (toml_priority / 1000)
Example:
Higher tier always wins, then higher priority within tier.
| Priority | Use Case |
|---|---|
| 0-99 | Low priority defaults |
| 100-499 | Normal rules |
| 500-799 | Important restrictions |
| 800-999 | Critical security rules |
[[rule]]
toolName = "run_shell_command"
decision = "ask_user"
[[rule]]
toolName = ["write_file", "replace"]
decision = "ask_user"
[[rule]]
toolName = "*"
decision = "ask_user"
# Match commands starting with "git"
[[rule]]
toolName = "run_shell_command"
commandPrefix = "git "
decision = "allow"
priority = 100
[[rule]]
toolName = "run_shell_command"
commandPrefix = ["npm ", "yarn ", "pnpm "]
decision = "allow"
priority = 100
# Match destructive commands
[[rule]]
toolName = "run_shell_command"
commandRegex = "^(rm|rmdir|del|rd)\\s"
decision = "deny"
priority = 999
Tool arguments are JSON strings:
# Deny writes to sensitive paths
[[rule]]
toolName = "write_file"
argsPattern = ".*\\.(env|key|pem|crt)$"
decision = "deny"
priority = 900
# Allow reads only from src/
[[rule]]
toolName = "read_file"
argsPattern = "^\\{\"path\":\"src/.*\"\\}$"
decision = "allow"
priority = 100
# Deny all tools from untrusted server
[[rule]]
mcpName = "untrusted-server"
decision = "deny"
priority = 500
# Allow specific tool from server
[[rule]]
mcpName = "my-server"
toolName = "safe_tool"
decision = "allow"
priority = 100
# All tools from server pattern
[[rule]]
toolName = "my-server__*"
decision = "ask_user"
priority = 100
Apply only in YOLO mode (--yolo):
[[rule]]
toolName = "write_file"
decision = "allow"
modes = ["yolo"]
priority = 100
Apply in auto-edit mode:
[[rule]]
toolName = "replace"
decision = "allow"
modes = ["autoEdit"]
priority = 100
# Allow read operations
[[rule]]
toolName = ["read_file", "glob", "search_file_content", "list_directory"]
decision = "allow"
priority = 100
# Ask for writes
[[rule]]
toolName = ["write_file", "replace"]
decision = "ask_user"
priority = 100
# Allow safe git commands
[[rule]]
toolName = "run_shell_command"
commandPrefix = ["git status", "git diff", "git log", "git branch"]
decision = "allow"
priority = 200
# Ask for other git commands
[[rule]]
toolName = "run_shell_command"
commandPrefix = "git "
decision = "ask_user"
priority = 150
# Deny destructive commands
[[rule]]
toolName = "run_shell_command"
commandRegex = "^(rm|rmdir|del|rd|format|mkfs)\\s"
decision = "deny"
priority = 999
# Allow all reads
[[rule]]
toolName = ["read_file", "glob", "search_file_content", "list_directory", "web_fetch"]
decision = "allow"
priority = 100
# Deny all writes
[[rule]]
toolName = ["write_file", "replace", "run_shell_command"]
decision = "deny"
priority = 500
# Allow npm read commands
[[rule]]
toolName = "run_shell_command"
commandPrefix = ["npm list", "npm outdated", "npm audit"]
decision = "allow"
priority = 200
# Ask for npm install/run
[[rule]]
toolName = "run_shell_command"
commandPrefix = ["npm install", "npm run", "npm exec"]
decision = "ask_user"
priority = 150
# Deny npm publish
[[rule]]
toolName = "run_shell_command"
commandPrefix = "npm publish"
decision = "deny"
priority = 900
# Deny all external MCP servers by default
[[rule]]
toolName = "*__*"
decision = "deny"
priority = 100
# Allow specific trusted server
[[rule]]
mcpName = "trusted-internal-server"
decision = "allow"
priority = 200
# Allow specific tools from another server
[[rule]]
toolName = ["other-server__read_docs", "other-server__search"]
decision = "allow"
priority = 200
# System-level (Admin tier)
# Block all network access
[[rule]]
toolName = ["web_fetch", "google_web_search"]
decision = "deny"
priority = 999
# Block all MCP servers
[[rule]]
toolName = "*__*"
decision = "deny"
priority = 999
# Allow only reads
[[rule]]
toolName = ["read_file", "glob", "search_file_content"]
decision = "allow"
priority = 100
# Block all shell commands except safe ones
[[rule]]
toolName = "run_shell_command"
decision = "deny"
priority = 500
[[rule]]
toolName = "run_shell_command"
commandPrefix = ["ls ", "cat ", "echo ", "pwd"]
decision = "allow"
priority = 600
python -c "import tomllib; tomllib.load(open('policy.toml', 'rb'))"
| Error | Cause | Fix |
|---|---|---|
| Parse error | Invalid TOML | Check quotes, brackets |
| Rule ignored | Lower priority | Increase priority |
| Rule conflicts | Overlapping patterns | Refine patterns |
| Regex fails | Bad escape | Use \\ for backslash |
# Test which rule matches
gemini "Test shell command" --debug-policy
# Default deny, then allow specific
[[rule]]
toolName = "*"
decision = "ask_user"
priority = 1
[[rule]]
toolName = "read_file"
decision = "allow"
priority = 100
# Security rules at 900+
[[rule]]
commandRegex = "^rm\\s"
decision = "deny"
priority = 999
# Normal rules at 100-499
[[rule]]
commandPrefix = "git "
decision = "allow"
priority = 200
# SECURITY: Block destructive file operations
# Reason: Prevent accidental data loss
# Author: security-team
# Date: 2025-11-30
[[rule]]
toolName = "run_shell_command"
commandRegex = "^(rm|rmdir)\\s+-r"
decision = "deny"
priority = 999
# Test in interactive mode first
gemini --policy-file ./test-policy.toml
System policies (enterprise defaults)
āāā User policies (personal preferences)
āāā Project policies (project-specific)
gemini-cli-docs - Official policy documentationtoml-command-builder - Custom command creation| Topic | Keywords |
|---|---|
| Basic | policy engine, toml rules, tool policy |
| Decisions | allow, deny, ask_user, decision |
| Matching | toolName, commandPrefix, commandRegex, argsPattern |
| Priority | priority tier, rule priority, precedence |
| MCP | mcp policy, mcpName, server rules |
| Modes | yolo mode, autoEdit, approval mode |
Query: "How do I create a Gemini policy to block rm commands?" Expected Behavior:
Query: "How do Gemini policy priorities work?" Expected Behavior:
Query: "How do I restrict MCP server tools in Gemini?" Expected Behavior: