feat: add allowEnv policy option for shell commands

[rmedranollamas]

Summary

This PR introduces the allowEnv (and allow_env) configuration option to the policy engine. This allows users to configure rules that permit the AI model to execute shell commands prefixed with environment variables (e.g., PAGER=cat git commit) without requiring user confirmation. Currently, any command with an environment variable assignment is downgraded to ASK_USER. This change brings environment variable assignments to parity with the existing allowRedirection feature, improving the agent's autonomy while maintaining security.

Details

• PolicyRule Interface: Added allowEnv property to PolicyRule and allow_env / allowEnv to the TOML policy schema loader.
• AST Parsing: Implemented hasEnvPrefix(command) in packages/core/src/utils/shell-utils.ts using the existing tree-sitter-bash parser. It specifically looks for variable_assignment nodes to ensure robust detection without false positives for inline = characters.
• Policy Engine: Updated PolicyEngine.checkShellCommand with a new shouldDowngradeForEnvPrefix check. If an allowed command contains an environment variable prefix but the rule lacks allowEnv: true, the decision is safely downgraded to ASK_USER.
• User Approvals: Updated ShellToolInvocation so that when a user persistently approves a command with an environment variable prefix, the generated policy rule will automatically include allowEnv: true.
• Tests: Comprehensive tests added across shell-utils.test.ts, policy-engine.test.ts, toml-loader.test.ts, and policy-updater.test.ts.

Related Issues

Closes #24779

How to Validate

1. Build the project locally with npm run build.
2. Run the tests in the core package: npm run test -w @google/gemini-cli-core. Ensure policy-engine.test.ts, toml-loader.test.ts, shell-utils.test.ts, and policy-updater.test.ts pass.
3. Start the CLI and verify you can add an allow_env = true rule to your user policies/user.toml file for a specific command (like git).
4. Ask the model to execute a command like PAGER=cat git log. It should execute without a confirmation prompt.
5. Ask the model to execute a command with an environment variable that doesn't have allow_env = true configured. It should safely downgrade to a confirmation prompt.

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • npx
    • Docker
    • Podman
    • Seatbelt
  • Windows
    • npm run
    • npx
    • Docker
  • Linux
    • npm run
    • npx
    • Docker

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the policy engine by adding support for 'allowEnv', a configuration option that allows the AI to execute shell commands containing environment variable assignments without manual intervention. By leveraging the existing tree-sitter-bash parser for precise detection, this change improves agent autonomy while maintaining security, ensuring that commands requiring environment variables are only executed automatically when explicitly permitted by the user's policy.

Highlights

• Policy Engine Enhancement: Introduced the 'allowEnv' policy option to permit shell commands with environment variable prefixes without requiring user confirmation.
• Robust Detection: Implemented 'hasEnvPrefix' using the tree-sitter-bash parser to accurately identify variable assignments, replacing simple regex checks.
• Automatic Policy Updates: Updated 'ShellToolInvocation' to automatically include 'allowEnv: true' in generated policy rules when a user persistently approves a command with an environment variable prefix.
• Security Safeguards: Ensured that commands with environment variable prefixes are safely downgraded to 'ASK_USER' if the 'allowEnv' rule is not explicitly enabled.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a mechanism to detect environment variable prefixes in shell commands and downgrade the policy decision from ALLOW to ASK_USER unless explicitly permitted by a new allowEnv rule property. This change includes updates to the policy engine, type definitions, and shell utility functions, along with corresponding tests. A security concern was identified regarding the hasEnvPrefix implementation, which currently only detects bash-native assignments and misses other methods like the env utility, potentially allowing for policy bypasses.

[rmedranollamas]

@jules ptal

[kschaab]

I think this should not work still, but it would be beneficial to carry inspection for injection in the environment prefix. For example FOO=$(rm /tmp/x.txt) echo "Done".

[kschaab]

This seems to ignore FOO=bar cmd && cmd2 case where FOO now applies to cmd2.

[kschaab]

You can use tests for escapes like PAGER="less -X" or PAGER=less\ -X.

[kschaab]

Committed by accident?

[kschaab]

Looks like leftovers from the agent.