policy-engine-builder

Guide for creating Gemini CLI policy engine TOML rules. Covers rule syntax, priority tiers, conditions, and MCP wildcards. Use when restricting Gemini tools, creating security policies, controlling MCP server permissions, or setting up approval workflows.

Marketplace: melodic-software
Repository: melodic-software/claude-code-plugins (verified org, 13 stars)
Plugin: google-ecosystem
Path: plugins/google-ecosystem/skills/policy-engine-builder/SKILL.md
Last Verified: January 21, 2026

Install Skill

npx add-skill https://github.com/melodic-software/claude-code-plugins/blob/main/plugins/google-ecosystem/skills/policy-engine-builder/SKILL.md -a claude-code --skill policy-engine-builder

Installation path (Claude): .claude/skills/policy-engine-builder/

Instructions

# Policy Engine Builder

## 🚨 MANDATORY: Invoke gemini-cli-docs First

> **STOP - Before providing ANY response about the Gemini policy engine:**
>
> 1. **INVOKE** the `gemini-cli-docs` skill
> 2. **QUERY** it for the specific policy topic
> 3. **BASE** all responses EXCLUSIVELY on the official documentation it loads

## Overview

This skill provides guidance for configuring Gemini CLI's Policy Engine using TOML rules. The policy engine controls tool execution with fine-grained allow/deny/ask rules.

## When to Use This Skill

**Keywords:** policy engine, policy toml, tool policy, allow deny, gemini rules, security policy, mcp policy

**Use this skill when:**

- Restricting which tools Gemini can use
- Creating enterprise security policies
- Controlling MCP server permissions
- Setting up approval workflows
- Auditing tool execution rules

## Policy File Locations

### User Policies

```text
~/.gemini/policies/
├── default.toml          # User default rules
└── security.toml         # Additional security rules
```

### Project Policies

```text
.gemini/policies/
├── project.toml          # Project-specific rules
└── team.toml             # Team conventions
```

### System Policies (Enterprise)

```text
/etc/gemini-cli/policies/         # Linux
/Library/Application Support/GeminiCli/policies/  # macOS
C:\ProgramData\gemini-cli\policies\               # Windows
```

## Rule Structure

### Basic Rule

```toml
[[rule]]
toolName = "run_shell_command"
decision = "ask_user"
priority = 100
```

### Rule Fields

| Field | Type | Description |
| --- | --- | --- |
| `toolName` | string/array | Tool name(s) to match |
| `mcpName` | string | MCP server name |
| `argsPattern` | string | Regex for tool arguments |
| `commandPrefix` | string/array | Shell command prefix(es) |
| `commandRegex` | string | Regex for shell commands |
| `decision` | string | `allow`, `deny`, or `ask_user` |
| `priority` | number | 0-999 within tier |
| `modes` | array | Optional: `yolo`, `autoEdit` |

## Decision Types
