feat: Disable YOLO and AUTO_EDIT modes for untrusted folders (#7041)

2025-12-20 16:57:46 +00:00 · 2025-08-25 17:30:04 -07:00
parent 2c6794feed
commit ae1f67df04
9 changed files with 451 additions and 55 deletions
--- a/packages/cli/src/ui/components/messages/ToolConfirmationMessage.test.tsx
+++ b/packages/cli/src/ui/components/messages/ToolConfirmationMessage.test.tsx
@@ -6,7 +6,10 @@

 import { describe, it, expect, vi } from 'vitest';
 import { ToolConfirmationMessage } from './ToolConfirmationMessage.js';
-import type { ToolCallConfirmationDetails } from '@google/gemini-cli-core';
+import type {
+  ToolCallConfirmationDetails,
+  Config,
+} from '@google/gemini-cli-core';
 import { renderWithProviders } from '../../../test-utils/render.js';

 describe('ToolConfirmationMessage', () => {
@@ -55,4 +58,101 @@ describe('ToolConfirmationMessage', () => {
      '- https://raw.githubusercontent.com/google/gemini-react/main/README.md',
    );
  });
+
+  describe('with folder trust', () => {
+    const editConfirmationDetails: ToolCallConfirmationDetails = {
+      type: 'edit',
+      title: 'Confirm Edit',
+      fileName: 'test.txt',
+      filePath: '/test.txt',
+      fileDiff: '...diff...',
+      originalContent: 'a',
+      newContent: 'b',
+      onConfirm: vi.fn(),
+    };
+
+    const execConfirmationDetails: ToolCallConfirmationDetails = {
+      type: 'exec',
+      title: 'Confirm Execution',
+      command: 'echo "hello"',
+      rootCommand: 'echo',
+      onConfirm: vi.fn(),
+    };
+
+    const infoConfirmationDetails: ToolCallConfirmationDetails = {
+      type: 'info',
+      title: 'Confirm Web Fetch',
+      prompt: 'https://example.com',
+      urls: ['https://example.com'],
+      onConfirm: vi.fn(),
+    };
+
+    const mcpConfirmationDetails: ToolCallConfirmationDetails = {
+      type: 'mcp',
+      title: 'Confirm MCP Tool',
+      serverName: 'test-server',
+      toolName: 'test-tool',
+      toolDisplayName: 'Test Tool',
+      onConfirm: vi.fn(),
+    };
+
+    describe.each([
+      {
+        description: 'for edit confirmations',
+        details: editConfirmationDetails,
+        alwaysAllowText: 'Yes, allow always',
+      },
+      {
+        description: 'for exec confirmations',
+        details: execConfirmationDetails,
+        alwaysAllowText: 'Yes, allow always',
+      },
+      {
+        description: 'for info confirmations',
+        details: infoConfirmationDetails,
+        alwaysAllowText: 'Yes, allow always',
+      },
+      {
+        description: 'for mcp confirmations',
+        details: mcpConfirmationDetails,
+        alwaysAllowText: 'always allow',
+      },
+    ])('$description', ({ details, alwaysAllowText }) => {
+      it('should show "allow always" when folder is trusted', () => {
+        const mockConfig = {
+          isTrustedFolder: () => true,
+          getIdeMode: () => false,
+        } as unknown as Config;
+
+        const { lastFrame } = renderWithProviders(
+          <ToolConfirmationMessage
+            confirmationDetails={details}
+            config={mockConfig}
+            availableTerminalHeight={30}
+            terminalWidth={80}
+          />,
+        );
+
+        expect(lastFrame()).toContain(alwaysAllowText);
+      });
+
+      it('should NOT show "allow always" when folder is untrusted', () => {
+        const mockConfig = {
+          isTrustedFolder: () => false,
+          getIdeMode: () => false,
+        } as unknown as Config;
+
+        const { lastFrame } = renderWithProviders(
+          <ToolConfirmationMessage
+            confirmationDetails={details}
+            config={mockConfig}
+            availableTerminalHeight={30}
+            terminalWidth={80}
+          />,
+        );
+
+        expect(lastFrame()).not.toContain(alwaysAllowText);
+      });
+    });
+  });
 });
--- a/packages/cli/src/ui/components/messages/ToolConfirmationMessage.tsx
+++ b/packages/cli/src/ui/components/messages/ToolConfirmationMessage.tsx
@@ -125,16 +125,16 @@ export const ToolConfirmationMessage: React.FC<
    }

    question = `Apply this change?`;
-    options.push(
-      {
-        label: 'Yes, allow once',
-        value: ToolConfirmationOutcome.ProceedOnce,
-      },
-      {
+    options.push({
+      label: 'Yes, allow once',
+      value: ToolConfirmationOutcome.ProceedOnce,
+    });
+    if (config?.isTrustedFolder()) {
+      options.push({
        label: 'Yes, allow always',
        value: ToolConfirmationOutcome.ProceedAlways,
-      },
-    );
+      });
+    }
    if (config?.getIdeMode()) {
      options.push({
        label: 'No (esc)',
@@ -164,20 +164,20 @@ export const ToolConfirmationMessage: React.FC<
      confirmationDetails as ToolExecuteConfirmationDetails;

    question = `Allow execution of: '${executionProps.rootCommand}'?`;
-    options.push(
-      {
-        label: `Yes, allow once`,
-        value: ToolConfirmationOutcome.ProceedOnce,
-      },
-      {
+    options.push({
+      label: 'Yes, allow once',
+      value: ToolConfirmationOutcome.ProceedOnce,
+    });
+    if (config?.isTrustedFolder()) {
+      options.push({
        label: `Yes, allow always ...`,
        value: ToolConfirmationOutcome.ProceedAlways,
-      },
-      {
-        label: 'No, suggest changes (esc)',
-        value: ToolConfirmationOutcome.Cancel,
-      },
-    );
+      });
+    }
+    options.push({
+      label: 'No, suggest changes (esc)',
+      value: ToolConfirmationOutcome.Cancel,
+    });

    let bodyContentHeight = availableBodyContentHeight();
    if (bodyContentHeight !== undefined) {
@@ -204,20 +204,20 @@ export const ToolConfirmationMessage: React.FC<
      !(infoProps.urls.length === 1 && infoProps.urls[0] === infoProps.prompt);

    question = `Do you want to proceed?`;
-    options.push(
-      {
-        label: 'Yes, allow once',
-        value: ToolConfirmationOutcome.ProceedOnce,
-      },
-      {
+    options.push({
+      label: 'Yes, allow once',
+      value: ToolConfirmationOutcome.ProceedOnce,
+    });
+    if (config?.isTrustedFolder()) {
+      options.push({
        label: 'Yes, allow always',
        value: ToolConfirmationOutcome.ProceedAlways,
-      },
-      {
-        label: 'No, suggest changes (esc)',
-        value: ToolConfirmationOutcome.Cancel,
-      },
-    );
+      });
+    }
+    options.push({
+      label: 'No, suggest changes (esc)',
+      value: ToolConfirmationOutcome.Cancel,
+    });

    bodyContent = (
      <Box flexDirection="column" paddingX={1} marginLeft={1}>
@@ -249,24 +249,24 @@ export const ToolConfirmationMessage: React.FC<
    );

    question = `Allow execution of MCP tool "${mcpProps.toolName}" from server "${mcpProps.serverName}"?`;
-    options.push(
-      {
-        label: 'Yes, allow once',
-        value: ToolConfirmationOutcome.ProceedOnce,
-      },
-      {
+    options.push({
+      label: 'Yes, allow once',
+      value: ToolConfirmationOutcome.ProceedOnce,
+    });
+    if (config?.isTrustedFolder()) {
+      options.push({
        label: `Yes, always allow tool "${mcpProps.toolName}" from server "${mcpProps.serverName}"`,
        value: ToolConfirmationOutcome.ProceedAlwaysTool, // Cast until types are updated
-      },
-      {
+      });
+      options.push({
        label: `Yes, always allow all tools from server "${mcpProps.serverName}"`,
        value: ToolConfirmationOutcome.ProceedAlwaysServer,
-      },
-      {
-        label: 'No, suggest changes (esc)',
-        value: ToolConfirmationOutcome.Cancel,
-      },
-    );
+      });
+    }
+    options.push({
+      label: 'No, suggest changes (esc)',
+      value: ToolConfirmationOutcome.Cancel,
+    });
  }

  return (