refactor(cli): centralize and constantize workspace policy auto-accept flag

Refactor AUTO_ACCEPT_WORKSPACE_POLICIES from a mutable variable in policy.ts
to a constant in config.ts, addressing review feedback to improve code
maintainability and centralize configuration.

- Move AUTO_ACCEPT_WORKSPACE_POLICIES constant to config.ts with updated
  documentation comment for clarity.
- Update resolveWorkspacePolicyState to accept autoAcceptWorkspacePolicies
  as an explicit option, removing dependency on global state.
- Update LoadCliConfigOptions to include autoAcceptWorkspacePolicies,
  enabling precise control over the flag during configuration loading.
- Refactor unit and integration tests to pass the flag directly instead
  of using monkey patching, ensuring cleaner test isolation.
- Clean up unused imports and setter functions in policy logic.

This change eliminates mutable global state for the policy auto-accept
behavior while maintaining the new default UX of automatically accepting
workspace policies.

Author: Abhijit-2592

packages/cli/src/config/config.ts

@@ -68,6 +68,11 @@ import { promptForSetting } from './extensions/extensionSettings.js';
 import type { EventEmitter } from 'node:stream';
 import { runExitCleanup } from '../utils/cleanup.js';
 
+/**
+ * Temporary flag to automatically accept workspace policies to reduce UX friction.
+ */
+export const AUTO_ACCEPT_WORKSPACE_POLICIES = true;
+
 export interface CliArgs {
   query: string | undefined;
   model: string | undefined;
@@ -439,6 +444,7 @@ export interface LoadCliConfigOptions {
   projectHooks?: { [K in HookEventName]?: HookDefinition[] } & {
     disabled?: string[];
   };
+  autoAcceptWorkspacePolicies?: boolean;
 }
 
 export async function loadCliConfig(
@@ -700,6 +706,8 @@ export async function loadCliConfig(
       cwd,
       trustedFolder,
       interactive,
+      autoAcceptWorkspacePolicies:
+        options.autoAcceptWorkspacePolicies ?? AUTO_ACCEPT_WORKSPACE_POLICIES,
     });
 
   const policyEngineConfig = await createPolicyEngineConfig(

packages/cli/src/config/policy.test.ts

@@ -8,11 +8,7 @@ import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
 import * as fs from 'node:fs';
 import * as path from 'node:path';
 import * as os from 'node:os';
-import {
-  resolveWorkspacePolicyState,
-  AUTO_ACCEPT_WORKSPACE_POLICIES,
-  setAutoAcceptWorkspacePolicies,
-} from './policy.js';
+import { resolveWorkspacePolicyState } from './policy.js';
 import { writeToStderr } from '@google/gemini-cli-core';
 
 // Mock debugLogger to avoid noise in test output
@@ -59,6 +55,7 @@ describe('resolveWorkspacePolicyState', () => {
       cwd: workspaceDir,
       trustedFolder: false,
       interactive: true,
+      autoAcceptWorkspacePolicies: true,
     });
 
     expect(result).toEqual({
@@ -77,6 +74,7 @@ describe('resolveWorkspacePolicyState', () => {
       cwd: workspaceDir,
       trustedFolder: true,
       interactive: true,
+      autoAcceptWorkspacePolicies: true,
     });
     expect(firstResult.workspacePoliciesDir).toBe(policiesDir);
     expect(firstResult.policyUpdateConfirmationRequest).toBeUndefined();
@@ -88,6 +86,7 @@ describe('resolveWorkspacePolicyState', () => {
       cwd: workspaceDir,
       trustedFolder: true,
       interactive: true,
+      autoAcceptWorkspacePolicies: true,
     });
 
     expect(result.workspacePoliciesDir).toBe(policiesDir);
@@ -99,46 +98,42 @@ describe('resolveWorkspacePolicyState', () => {
       cwd: workspaceDir,
       trustedFolder: true,
       interactive: true,
+      autoAcceptWorkspacePolicies: true,
     });
 
     expect(result.workspacePoliciesDir).toBeUndefined();
     expect(result.policyUpdateConfirmationRequest).toBeUndefined();
   });
 
-  it('should return confirmation request if changed in interactive mode when AUTO_ACCEPT is false', async () => {
-    const originalValue = AUTO_ACCEPT_WORKSPACE_POLICIES;
-    setAutoAcceptWorkspacePolicies(false);
-
-    try {
-      fs.mkdirSync(policiesDir, { recursive: true });
-      fs.writeFileSync(path.join(policiesDir, 'policy.toml'), 'rules = []');
+  it('should return confirmation request if changed in interactive mode when autoAcceptWorkspacePolicies is false', async () => {
+    fs.mkdirSync(policiesDir, { recursive: true });
+    fs.writeFileSync(path.join(policiesDir, 'policy.toml'), 'rules = []');
 
-      const result = await resolveWorkspacePolicyState({
-        cwd: workspaceDir,
-        trustedFolder: true,
-        interactive: true,
-      });
+    const result = await resolveWorkspacePolicyState({
+      cwd: workspaceDir,
+      trustedFolder: true,
+      interactive: true,
+      autoAcceptWorkspacePolicies: false,
+    });
 
-      expect(result.workspacePoliciesDir).toBeUndefined();
-      expect(result.policyUpdateConfirmationRequest).toEqual({
-        scope: 'workspace',
-        identifier: workspaceDir,
-        policyDir: policiesDir,
-        newHash: expect.any(String),
-      });
-    } finally {
-      setAutoAcceptWorkspacePolicies(originalValue);
-    }
+    expect(result.workspacePoliciesDir).toBeUndefined();
+    expect(result.policyUpdateConfirmationRequest).toEqual({
+      scope: 'workspace',
+      identifier: workspaceDir,
+      policyDir: policiesDir,
+      newHash: expect.any(String),
+    });
   });
 
-  it('should warn and auto-accept if changed in non-interactive mode when AUTO_ACCEPT is true', async () => {
+  it('should warn and auto-accept if changed in non-interactive mode when autoAcceptWorkspacePolicies is true', async () => {
     fs.mkdirSync(policiesDir, { recursive: true });
     fs.writeFileSync(path.join(policiesDir, 'policy.toml'), 'rules = []');
 
     const result = await resolveWorkspacePolicyState({
       cwd: workspaceDir,
       trustedFolder: true,
       interactive: false,
+      autoAcceptWorkspacePolicies: true,
     });
 
     expect(result.workspacePoliciesDir).toBe(policiesDir);
@@ -148,28 +143,22 @@ describe('resolveWorkspacePolicyState', () => {
     );
   });
 
-  it('should warn and auto-accept if changed in non-interactive mode when AUTO_ACCEPT is false', async () => {
-    const originalValue = AUTO_ACCEPT_WORKSPACE_POLICIES;
-    setAutoAcceptWorkspacePolicies(false);
-
-    try {
-      fs.mkdirSync(policiesDir, { recursive: true });
-      fs.writeFileSync(path.join(policiesDir, 'policy.toml'), 'rules = []');
+  it('should warn and auto-accept if changed in non-interactive mode when autoAcceptWorkspacePolicies is false', async () => {
+    fs.mkdirSync(policiesDir, { recursive: true });
+    fs.writeFileSync(path.join(policiesDir, 'policy.toml'), 'rules = []');
 
-      const result = await resolveWorkspacePolicyState({
-        cwd: workspaceDir,
-        trustedFolder: true,
-        interactive: false,
-      });
+    const result = await resolveWorkspacePolicyState({
+      cwd: workspaceDir,
+      trustedFolder: true,
+      interactive: false,
+      autoAcceptWorkspacePolicies: false,
+    });
 
-      expect(result.workspacePoliciesDir).toBe(policiesDir);
-      expect(result.policyUpdateConfirmationRequest).toBeUndefined();
-      expect(writeToStderr).toHaveBeenCalledWith(
-        expect.stringContaining('Automatically accepting and loading'),
-      );
-    } finally {
-      setAutoAcceptWorkspacePolicies(originalValue);
-    }
+    expect(result.workspacePoliciesDir).toBe(policiesDir);
+    expect(result.policyUpdateConfirmationRequest).toBeUndefined();
+    expect(writeToStderr).toHaveBeenCalledWith(
+      expect.stringContaining('Automatically accepting and loading'),
+    );
   });
 
   it('should not return workspace policies if cwd is the home directory', async () => {
@@ -182,6 +171,7 @@ describe('resolveWorkspacePolicyState', () => {
       cwd: tempDir,
       trustedFolder: true,
       interactive: true,
+      autoAcceptWorkspacePolicies: true,
     });
 
     expect(result.workspacePoliciesDir).toBeUndefined();
@@ -206,6 +196,7 @@ describe('resolveWorkspacePolicyState', () => {
         cwd: symlinkDir,
         trustedFolder: true,
         interactive: true,
+        autoAcceptWorkspacePolicies: true,
       });
 
       expect(result.workspacePoliciesDir).toBeUndefined();

packages/cli/src/config/policy.ts

@@ -21,20 +21,6 @@ import {
 } from '@google/gemini-cli-core';
 import { type Settings } from './settings.js';
 
-/**
- * Temporary flag to automatically accept workspace policies to reduce friction.
- * Exported as 'let' to allow monkey patching in tests via the setter.
- */
-export let AUTO_ACCEPT_WORKSPACE_POLICIES = true;
-
-/**
- * Sets the AUTO_ACCEPT_WORKSPACE_POLICIES flag.
- * Used primarily for testing purposes.
- */
-export function setAutoAcceptWorkspacePolicies(value: boolean) {
-  AUTO_ACCEPT_WORKSPACE_POLICIES = value;
-}
-
 export async function createPolicyEngineConfig(
   settings: Settings,
   approvalMode: ApprovalMode,
@@ -73,8 +59,14 @@ export async function resolveWorkspacePolicyState(options: {
   cwd: string;
   trustedFolder: boolean;
   interactive: boolean;
+  autoAcceptWorkspacePolicies?: boolean;
 }): Promise<WorkspacePolicyState> {
-  const { cwd, trustedFolder, interactive } = options;
+  const {
+    cwd,
+    trustedFolder,
+    interactive,
+    autoAcceptWorkspacePolicies = false,
+  } = options;
 
   let workspacePoliciesDir: string | undefined;
   let policyUpdateConfirmationRequest:
@@ -106,7 +98,7 @@ export async function resolveWorkspacePolicyState(options: {
     ) {
       // No workspace policies found
       workspacePoliciesDir = undefined;
-    } else if (interactive && !AUTO_ACCEPT_WORKSPACE_POLICIES) {
+    } else if (interactive && !autoAcceptWorkspacePolicies) {
       // Policies changed or are new, and we are in interactive mode and auto-accept is disabled
       policyUpdateConfirmationRequest = {
         scope: 'workspace',

packages/cli/src/config/workspace-policy-cli.test.ts

@@ -10,7 +10,6 @@ import { loadCliConfig, type CliArgs } from './config.js';
 import { createTestMergedSettings } from './settings.js';
 import * as ServerConfig from '@google/gemini-cli-core';
 import { isWorkspaceTrusted } from './trustedFolders.js';
-import * as Policy from './policy.js';
 
 // Mock dependencies
 vi.mock('./trustedFolders.js', () => ({
@@ -239,48 +238,40 @@ describe('Workspace-Level Policy CLI Integration', () => {
     );
   });
 
-  it('should set policyUpdateConfirmationRequest if integrity MISMATCH in interactive mode when AUTO_ACCEPT is false', async () => {
-    // Monkey patch AUTO_ACCEPT_WORKSPACE_POLICIES using setter
-    const originalValue = Policy.AUTO_ACCEPT_WORKSPACE_POLICIES;
-    Policy.setAutoAcceptWorkspacePolicies(false);
-
-    try {
-      vi.mocked(isWorkspaceTrusted).mockReturnValue({
-        isTrusted: true,
-        source: 'file',
-      });
-      mockCheckIntegrity.mockResolvedValue({
-        status: 'mismatch',
-        hash: 'new-hash',
-        fileCount: 1,
-      });
-      vi.mocked(ServerConfig.isHeadlessMode).mockReturnValue(false); // Interactive
-
-      const settings = createTestMergedSettings();
-      const argv = {
-        query: 'test',
-        promptInteractive: 'test',
-      } as unknown as CliArgs;
-
-      const config = await loadCliConfig(settings, 'test-session', argv, {
-        cwd: MOCK_CWD,
-      });
-
-      expect(config.getPolicyUpdateConfirmationRequest()).toEqual({
-        scope: 'workspace',
-        identifier: MOCK_CWD,
-        policyDir: expect.stringContaining(path.join('.gemini', 'policies')),
-        newHash: 'new-hash',
-      });
-      expect(ServerConfig.createPolicyEngineConfig).toHaveBeenCalledWith(
-        expect.objectContaining({
-          workspacePoliciesDir: undefined,
-        }),
-        expect.anything(),
-      );
-    } finally {
-      // Restore for other tests
-      Policy.setAutoAcceptWorkspacePolicies(originalValue);
-    }
+  it('should set policyUpdateConfirmationRequest if integrity MISMATCH in interactive mode when autoAcceptWorkspacePolicies is false', async () => {
+    vi.mocked(isWorkspaceTrusted).mockReturnValue({
+      isTrusted: true,
+      source: 'file',
+    });
+    mockCheckIntegrity.mockResolvedValue({
+      status: 'mismatch',
+      hash: 'new-hash',
+      fileCount: 1,
+    });
+    vi.mocked(ServerConfig.isHeadlessMode).mockReturnValue(false); // Interactive
+
+    const settings = createTestMergedSettings();
+    const argv = {
+      query: 'test',
+      promptInteractive: 'test',
+    } as unknown as CliArgs;
+
+    const config = await loadCliConfig(settings, 'test-session', argv, {
+      cwd: MOCK_CWD,
+      autoAcceptWorkspacePolicies: false,
+    });
+
+    expect(config.getPolicyUpdateConfirmationRequest()).toEqual({
+      scope: 'workspace',
+      identifier: MOCK_CWD,
+      policyDir: expect.stringContaining(path.join('.gemini', 'policies')),
+      newHash: 'new-hash',
+    });
+    expect(ServerConfig.createPolicyEngineConfig).toHaveBeenCalledWith(
+      expect.objectContaining({
+        workspacePoliciesDir: undefined,
+      }),
+      expect.anything(),
+    );
   });
 });