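name: policy-engine-builder
description: Guide to creating TOML rules for the Gemini CLI policy engine. Covers rule syntax, priority tiers, conditions, and MCP wildcards. Use it to restrict Gemini tools, create security policies, control MCP server permissions, or set up approval workflows.
allowed-tools: Read, Glob, Grep, Skill
Policy Engine Builder
🚨 MANDATORY: Invoke gemini-cli-docs first
STOP - Before providing any response about the Gemini policy engine:
- Invoke the gemini-cli-docs skill
- Query the specific policy topic
- Base all responses exclusively on the loaded official documentation
Overview
This skill provides guidance on configuring the Gemini CLI policy engine with TOML rules. The policy engine controls tool execution through fine-grained allow/deny/ask rules.
When to use this skill
Keywords: policy engine, policy toml, tool policy, allow deny, gemini rules, security policy, mcp policy
Use this skill when:
- Restricting which tools Gemini can use
- Creating enterprise security policies
- Controlling MCP server permissions
- Setting up approval workflows
- Auditing tool execution rules
Policy file locations
User policies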
~/.gemini/policies/
├── default.toml # User default rules
└── security.toml # Additional security rules
Project policies
.gemini/policies/
├── project.toml # Project-specific rules
└── team.toml # Team conventions
System policies (enterprise)
/etc/gemini-cli/policies/ # Linux
/Library/Application Support/GeminiCli/policies/ # macOS
C:\ProgramData\gemini-cli\policies\ # Windows
Rule structure
Basic rule
[[rule]]
toolName = "run_shell_command"
decision = "ask_user"
priority = 100
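Rule fields
| Field | Type | Description |
|---|---|---|
| toolName | string/array | Tool name(s) to match |
| mcpName | string | MCP server name |
| argsPattern | string | Regular expression for tool arguments |
| commandPrefix | string/array | Shell command prefix(es) |
| commandRegex | string | Regular expression for shell commands |
| decision | string | allow, deny, or ask_user |
| priority | number | 0-999 within a tier |
| modes | array | Optional: yolo, autoEdit |
Decision types
Allow
Auto-approve without prompting: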
[[rule]]
toolName = "read_file"
decision = "allow"
priority = 100
Deny
Block execution entirely:
[[rule]]
toolName = "run_shell_command"
commandPrefix = "rm -rf"
decision = "deny"
priority = 999
Ask user
Prompt for confirmation:
[[rule]]
toolName = "write_file"
decision = "ask_user"
priority = 100
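Priority system
Three tiers
| Tier | Base | Source |
|---|---|---|
| Default | 1 | Built-in defaults |
| User | 2 | User policies |
| Admin | 3 | System/enterprise |
Priority calculation
The formula is: final_priority = tier_base + (toml_priority / 1000)
Examples:
- User rule with priority 100 → 2 + (100/1000) = 2.100
- Admin rule with priority 50 → 3 + (50/1000) = 3.050
The higher tier always wins; within a tier, the higher priority wins.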
Priority guidelines
| Priority | Use case |
|---|---|
| 0-99 | Low-priority defaults |
| 100-499 | Normal rules |
| 500-799 | Important restrictions |
| 800-999 | Critical security rules |
Tool matching
Single tool
[[rule]]
toolName = "run_shell_command"
decision = "ask_user"
Multiple tools
[[rule]]
toolName = ["write_file", "replace"]
decision = "ask_user"
All tools
[[rule]]
toolName = "*"
decision = "ask_user"
Shell command patterns
Command prefix
# Match commands that start with "git"
[[rule]]
toolName = "run_shell_command"
commandPrefix = "git "
decision = "allow"
priority = 100
Multiple prefixes
[[rule]]
toolName = "run_shell_command"
commandPrefix = ["npm ", "yarn ", "pnpm "]
decision = "allow"
priority = 100
Command regex
# Match destructive commands
[[rule]]
toolName = "run_shell_command"
commandRegex = "^(rm|rmdir|del|rd)\\s"
decision = "deny"
priority = 999
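Argument patterns
Matching JSON arguments
Tool arguments are JSON strings:
# Deny writes to sensitive paths
# (the serialized arguments end in "}", so match the closing quote of the value rather than "$")
[[rule]]
toolName = "write_file"
argsPattern = "\\.(env|key|pem|crt)\""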
decision = "deny"
priority = 900
Complex patterns
# Allow reads only from src/
[[rule]]
toolName = "read_file"
argsPattern = "^\\{\"path\":\"src/.*\"\\}$"
decision = "allow"
priority = 100
MCP server rules
Server-level control
# Deny all tools from an untrusted server
[[rule]]
mcpName = "untrusted-server"
decision = "deny"
priority = 500
Tool-level control
# Allow a specific tool from a server
[[rule]]
mcpName = "my-server"
toolName = "safe_tool"
decision = "allow"
priority = 100
Wildcards
# All tools from a server, by pattern
[[rule]]
toolName = "my-server__*"
decision = "ask_user"
priority = 100
Approval modes
YOLO mode rules
Applied only in YOLO mode (--yolo):
[[rule]]
toolName = "write_file"
decision = "allow"
modes = ["yolo"]
priority = 100
Auto-edit mode rules
Applied in auto-edit mode:
[[rule]]
toolName = "replace"
decision = "allow"
modes = ["autoEdit"]
priority = 100
Template library
Secure development environment
# Allow read operations
[[rule]]
toolName = ["read_file", "glob", "search_file_content", "list_directory"]
decision = "allow"
priority = 100
# Ask for writes
[[rule]]
toolName = ["write_file", "replace"]
decision = "ask_user"
priority = 100
# Allow safe git commands
[[rule]]
toolName = "run_shell_command"
commandPrefix = ["git status", "git diff", "git log", "git branch"]
decision = "allow"
priority = 200
# Ask for other git commands
[[rule]]
toolName = "run_shell_command"
commandPrefix = "git "
decision = "ask_user"
priority = 150
# Deny destructive commands
[[rule]]
toolName = "run_shell_command"
commandRegex = "^(rm|rmdir|del|rd|format|mkfs)\\s"
decision = "deny"
priority = 999
Read-only mode
# Allow all reads
[[rule]]
toolName = ["read_file", "glob", "search_file_content", "list_directory", "web_fetch"]
decision = "allow"
priority = 100
# Deny all writes
[[rule]]
toolName = ["write_file", "replace", "run_shell_command"]
decision = "deny"
priority = 500
NPM/Node.js security
# Allow npm read commands
[[rule]]
toolName = "run_shell_command"
commandPrefix = ["npm list", "npm outdated", "npm audit"]
decision = "allow"
priority = 200
# Ask for npm install/run
[[rule]]
toolName = "run_shell_command"
commandPrefix = ["npm install", "npm run", "npm exec"]
decision = "ask_user"
priority = 150
# Deny npm publish
[[rule]]
toolName = "run_shell_command"
commandPrefix = "npm publish"
decision = "deny"
priority = 900
MCP server restrictions
# Deny all external MCP servers by default
[[rule]]
toolName = "*__*"
decision = "deny"
priority = 100
# Allow a specific trusted server
[[rule]]
mcpName = "trusted-internal-server"
decision = "allow"
priority = 200
# Allow specific tools from another server
[[rule]]
toolName = ["other-server__read_docs", "other-server__search"]
decision = "allow"
priority = 200
Enterprise lockdown
# System level (admin tier)
# Block all network access
[[rule]]
toolName = ["web_fetch", "google_web_search"]
decision = "deny"
priority = 999
# Block all MCP servers
[[rule]]
toolName = "*__*"
decision = "deny"
priority = 999
# Allow reads only
[[rule]]
toolName = ["read_file", "glob", "search_file_content"]
decision = "allow"
priority = 100
# Block all shell commands except safe ones
[[rule]]
toolName = "run_shell_command"
decision = "deny"
priority = 500
[[rule]]
toolName = "run_shell_command"
commandPrefix = ["ls ", "cat ", "echo ", "pwd"]
decision = "allow"
priority = 600
Validation
Check TOML syntax
python -c "import tomllib; tomllib.load(open('policy.toml', 'rb'))"
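Common errors
| Error | Cause | Fix |
|---|---|---|
| Parse error | Invalid TOML | Check quotes and brackets |
| Rule ignored | Lower priority | Increase the priority |
| Rule conflict | Overlapping patterns | Refine the patterns |
| Regex failure | Incorrect escaping | Use \\ for a backslash |
Debugging rules
# Test which rule matches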
gemini "Test shell command" --debug-policy
Best practices
1. Start restrictive
# Restrictive default (ask_user for everything), then allow specific tools
[[rule]]
toolName = "*"
decision = "ask_user"
priority = 1
[[rule]]
toolName = "read_file"
decision = "allow"
priority = 100
2. Use clear priorities
# Security rules at 900+
[[rule]]
commandRegex = "^rm\\s"
decision = "deny"
priority = 999
# Normal rules at 100-499
[[rule]]
commandPrefix = "git "
decision = "allow"
priority = 200
3. Document rules
# Security: block destructive file operations
# Reason: prevent accidental data loss
# Author: Security team
# Date: 2025-11-30
[[rule]]
toolName = "run_shell_command"
commandRegex = "^(rm|rmdir)\\s+-r"
decision = "deny"
priority = 999
4. Test before deploying
# Test in interactive mode first
gemini --policy-file ./test-policy.toml
5. Layer policies
System policies (enterprise defaults)
└── User policies (personal preferences)
└── Project policies (project-specific)
Related skills
- gemini-cli-docs - Official policy documentation
- toml-command-builder - Custom command creation
Keyword registry
| Topic | Keywords |
|---|---|
| Basics | policy engine, toml rules, tool policy |
| Decisions | allow, deny, ask_user, decision |
| Matching | toolName, commandPrefix, commandRegex, argsPattern |
| Priority | priority tier, rule priority, precedence |
| MCP | mcp policy, mcpName, server rules |
| Modes | yolo mode, autoEdit, approval mode |
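Test scenarios
Scenario 1: Creating a policy rule
Query: "How do I create a Gemini policy to block the rm command?"
Expected behavior:
- Skill activates on "policy engine" or "tool policy"
- Provides a TOML rule with commandPrefix/commandRegex
Success criteria: User receives a working deny rule for destructive commands
Scenario 2: Priority configuration
Query: "How does Gemini policy priority work?"
Expected behavior:
- Skill activates on "priority tier" or "rule priority"
- Explains the tier system and the calculation
Success criteria: User understands tier-based priority (admin > user > default)
Scenario 3: MCP server policies
Query: "How do I restrict MCP server tools in Gemini?"
Expected behavior:
- Skill activates on "mcp policy" or "server rules"
- Provides mcpName and wildcard patterns
Success criteria: User receives MCP-specific policy rules
Version history
- v1.1.0 (2025-12-01): Added mandatory section, test scenarios, version history
- v1.0.0 (2025-11-25): Initial release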