policy-engine-builder

# Policy Engine Builder

## 🚨 MANDATORY: Invoke gemini-cli-docs First

> **STOP - Before providing ANY response about Gemini policy engine:**
>
> 1. **INVOKE** `gemini-cli-docs` skill
> 2. **QUERY** for the specific policy topic
> 3. **BASE** all responses EXCLUSIVELY on official documentation loaded

## Overview

This skill provides guidance for configuring Gemini CLI's Policy Engine using TOML rules. The policy engine controls tool execution with fine-grained allow/deny/ask rules.

## When to Use This Skill

**Keywords:** policy engine, policy toml, tool policy, allow deny, gemini rules, security policy, mcp policy

**Use this skill when:**

- Restricting which tools Gemini can use
- Creating enterprise security policies
- Controlling MCP server permissions
- Setting up approval workflows
- Auditing tool execution rules

## Policy File Locations

### User Policies

```text
~/.gemini/policies/
├── default.toml          # User default rules
└── security.toml         # Additional security rules
```

### Project Policies

```text
.gemini/policies/
├── project.toml          # Project-specific rules
└── team.toml             # Team conventions
```

### System Policies (Enterprise)

```text
/etc/gemini-cli/policies/         # Linux
/Library/Application Support/GeminiCli/policies/  # macOS
C:\ProgramData\gemini-cli\policies\               # Windows
```

## Rule Structure

### Basic Rule

```toml
[[rule]]
toolName = "run_shell_command"
decision = "ask_user"
priority = 100
```

### Rule Fields

| Field | Type | Description |
| --- | --- | --- |
| `toolName` | string/array | Tool name(s) to match |
| `mcpName` | string | MCP server name |
| `argsPattern` | string | Regex for tool arguments |
| `commandPrefix` | string/array | Shell command prefix(es) |
| `commandRegex` | string | Regex for shell commands |
| `decision` | string | `allow`, `deny`, or `ask_user` |
| `priority` | number | 0-999 within tier |
| `modes` | array | Optional: `yolo`, `autoEdit` |

## Decision Types