这是indexloc提供的服务,不要输入任何密码
Skip to content

Make --allowed-tools work in non-interactive mode #9114

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 34 commits into from
Sep 26, 2025
Merged

Make --allowed-tools work in non-interactive mode #9114

merged 34 commits into from
Sep 26, 2025
+388 −7

Conversation

@mistergarrison
Copy link
Contributor

@mistergarrison mistergarrison commented Sep 22, 2025
edited
Loading

TLDR

Non-interactive mode excludes tools that can block (including ShellTool), which means that passing --allowed-tools with shell tools doesn't do anything.

This change blocks ShellTool from being excluded if it is allowed, and preemptively rejects non-allowed shell tools (so that they don't hang waiting for user approval that will never come).

This should not affect interactive behavior at all, nor should it affect the behavior of YOLO mode.

Reviewer Test Plan

# Should print something like "There are 55 lines in /proc/meminfo"
npx github:mistergarrison/gemini-cli#fix/allowed-tools-non-interactive \
  --yolo \
  --prompt="use wc to tell me how many lines there are in /proc/meminfo"

# Should print something like "There are 55 lines in /proc/meminfo"
npx github:mistergarrison/gemini-cli#fix/allowed-tools-non-interactive \
  --allowed-tools="ShellTool(wc)" \
  --allowed-tools="ShellTool()" \
  --prompt="use wc to tell me how many lines there are in /proc/meminfo"

# Should print something like "There are 55 lines in /proc/meminfo"
npx github:mistergarrison/gemini-cli#fix/allowed-tools-non-interactive \
  --allowed-tools="run_shell_command(wc)" \
  --allowed-tools="run_shell_command()" \
  --prompt="use wc to tell me how many lines there are in /proc/meminfo"

# Should print something like "There are 55 lines in /proc/meminfo"
npx github:mistergarrison/gemini-cli#fix/allowed-tools-non-interactive \
  --allowed-tools="ShellTool(wc)" \
  --allowed-tools="ShellTool" \
  --prompt="use wc to tell me how many lines there are in /proc/meminfo"

# Should print something like "There are 55 lines in /proc/meminfo"
npx github:mistergarrison/gemini-cli#fix/allowed-tools-non-interactive \
  --allowed-tools="run_shell_command(wc)" \
  --allowed-tools="ShellTool" \
  --prompt="use wc to tell me how many lines there are in /proc/meminfo"

# Should print something like "There are 55 lines in /proc/meminfo"
npx github:mistergarrison/gemini-cli#fix/allowed-tools-non-interactive \
  --allowed-tools="ShellTool(ls)" \
  --allowed-tools="ShellTool" \
  --prompt="use wc to tell me how many lines there are in /proc/meminfo"

# Should add a line to the file
touch tmp_file.txt
npx github:mistergarrison/gemini-cli#fix/allowed-tools-non-interactive \
  --allowed-tools="write_file" \
  --prompt="Add '42' to the end of ./tmp_file.txt."
cat tmp_file.txt
rm tmp_file.txt

# Should fail
npx github:mistergarrison/gemini-cli#fix/allowed-tools-non-interactive \
  --allowed-tools="ShellTool(ls)" \
  --allowed-tools="ShellTool()" \
  --prompt="use wc to tell me how many lines there are in /proc/meminfo"

# Should fail
npx github:mistergarrison/gemini-cli#fix/allowed-tools-non-interactive \
  --allowed-tools="run_shell_command(ls)" \
  --allowed-tools="run_shell_command()" \
  --prompt="use wc to tell me how many lines there are in /proc/meminfo"

# Should fail
npx github:mistergarrison/gemini-cli#fix/allowed-tools-non-interactive \
  --prompt="use wc to tell me how many lines there are in /proc/meminfo"

Testing Matrix

🍏 🪟 🐧
npm run
npx
Docker
Podman - -
Seatbelt - -

Linked issues / bugs

Fixes #9011

google-labs-jules bot and others added 8 commits September 21, 2025 01:11
@google-labs-jules
fix: Make --allowed-tools apply to non-interactive mode
c568cb2 
The `--allowed-tools` flag was not being respected in non-interactive
mode. This was because the logic that excludes tools in non-interactive
mode was overriding the `allowedTools` setting.

This change modifies the logic to check if a tool is in the
`allowedTools` list before excluding it. This allows the user to
explicitly enable tools in non-interactive mode.

A new test case has been added to verify that a normally-excluded tool
can be used in non-interactive mode when it is specified with the
`--allowed-tools` flag.
@google-labs-jules
Fix(shell): Handle sub-command allowlist in non-interactive mode
7889cdd 
This change fixes an issue where the `--allowed-tools` flag did not correctly handle sub-commands for `ShellTool` in non-interactive mode.

Previously, `loadCliConfig` was performing an exact match on the tool name, which would cause `ShellTool` to be excluded even if a sub-command was allowed (e.g., `ShellTool(wc)`).

The new behavior is as follows:
1.  `loadCliConfig` no longer excludes `ShellTool` if it is present in the `--allowed-tools` list, even with sub-commands.
2.  A runtime check is added to `ShellTool.shouldConfirmExecute` to verify that the command is allowed in non-interactive mode. If the command is not in the allowlist, an error is thrown, preventing the tool from hanging.
3.  The `parseAllowedSubcommands` helper function in `shell.ts` now correctly handles multiple `--allowed-tools` flags for `ShellTool`, taking the union of specified sub-commands and treating a bare `ShellTool` as a wildcard.
4.  Added comments to `shell.ts` to explain the motivation for the changes.

Integration tests have been added to verify the new behavior, including special cases like `ShellTool()`, `ShellTool`, and multiple `--allowed-tools` flags.
@google-labs-jules
Fix(shell): Handle sub-command allowlist in non-interactive mode
1af7e98 
This change fixes an issue where the `--allowed-tools` flag did not correctly handle sub-commands for `ShellTool` in non-interactive mode.

Previously, `loadCliConfig` was performing an exact match on the tool name, which would cause `ShellTool` to be excluded even if a sub-command was allowed (e.g., `ShellTool(wc)`).

The new behavior is as follows:
1.  `loadCliConfig` no longer excludes `ShellTool` if it is present in the `--allowed-tools` list, even with sub-commands.
2.  A runtime check is added to `ShellTool.shouldConfirmExecute` to verify that the command is allowed in non-interactive mode. If the command is not in the allowlist, an error is thrown, preventing the tool from hanging. This check is skipped in YOLO mode.
3.  The `parseAllowedSubcommands` helper function in `shell.ts` now correctly handles multiple `--allowed-tools` flags for `ShellTool`, taking the union of specified sub-commands and treating a bare `ShellTool` or `run_shell_command` as a wildcard. It also handles the `ShellTool` alias.
4.  Added comments to `shell.ts` to explain the motivation for the changes.

Integration tests have been added to verify the new behavior, including special cases like `ShellTool()`, `ShellTool`, multiple `--allowed-tools` flags, the `ShellTool` alias, and `--yolo` mode.
@google-labs-jules
Fix(shell): Handle sub-command allowlist in non-interactive mode
73cb53e 
This change fixes an issue where the `--allowed-tools` flag did not correctly handle sub-commands for `ShellTool` in non-interactive mode.

Previously, `loadCliConfig` was performing an exact match on the tool name, which would cause `ShellTool` to be excluded even if a sub-command was allowed (e.g., `ShellTool(wc)`).

The new behavior is as follows:
1.  `loadCliConfig` no longer excludes `ShellTool` if it is present in the `--allowed-tools` list, even with sub-commands.
2.  A runtime check is added to `ShellTool.shouldConfirmExecute` to verify that the command is allowed in non-interactive mode. If the command is not in the allowlist, an error is thrown, preventing the tool from hanging. This check is skipped in YOLO mode.
3.  The `parseAllowedSubcommands` helper function in `shell.ts` now correctly handles multiple `--allowed-tools` flags for `ShellTool`, taking the union of specified sub-commands and treating a bare `ShellTool` or `run_shell_command` as a wildcard. It also handles the `ShellTool` alias.
4.  Added comments to `shell.ts` to explain the motivation for the changes.

Integration tests have been added to verify the new behavior, including special cases like `ShellTool()`, `ShellTool`, multiple `--allowed-tools` flags, the `ShellTool` alias, and `--yolo` mode.
@google-labs-jules
fix(cli): Allow ShellTool alias in --allowed-tools
3d3cd4d 
The `--allowed-tools` flag was not correctly handling the `ShellTool`
alias. This was because the `doesToolInvocationMatch` function was
hardcoding a check for `run_shell_command`.

This change modifies the check to use the `SHELL_TOOL_NAMES` constant,
which includes both `run_shell_command` and `ShellTool`.

A test case has been added to verify that the alias works as expected.
Additionally, a failing test in `shell.test.ts` has been fixed by
mocking the `isInteractive` function in the test configuration.
@mistergarrison
Merge pull request #1 from mistergarrison/fix-shell-tool-alias
2eb8e00 
Fix shell tool alias
@google-labs-jules
fix: Allow ShellTool in non-interactive mode via --allowed-tools
aa54834 
The `--allowed-tools` flag was not correctly identifying `ShellTool` and its aliases in non-interactive mode. This caused the tool to be excluded even when explicitly allowed.

This change fixes the issue by using `SHELL_TOOL_NAMES` to check for all valid names of the shell tool.

Adds unit tests to verify the fix.
@mistergarrison
Merge pull request #2 from mistergarrison/fix-allowed-tools-non-inter…
44435ca 
…active

fix: Allow ShellTool in non-interactive mode via --allowed-tools
@mistergarrison mistergarrison requested a review from a team as a code owner September 22, 2025 15:06
@google-cla
Copy link

google-cla bot commented Sep 22, 2025

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@gemini-code-assist
Copy link
Contributor

gemini-code-assist bot commented Sep 22, 2025

Summary of Changes

Hello @mistergarrison, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves a critical usability issue where the --allowed-tools flag failed to properly enable ShellTool functionality in non-interactive CLI sessions. The changes ensure that explicitly permitted shell commands are no longer automatically excluded, allowing for predictable execution. Furthermore, it introduces a mechanism to prevent the CLI from hanging when an unallowed shell command is attempted in non-interactive mode, by immediately rejecting it. This significantly improves the robustness and reliability of automated workflows using the CLI.

Highlights

  • Non-Interactive ShellTool Usage: The primary issue addressed is that the ShellTool (or run_shell_command) was being excluded by default in non-interactive mode, even when explicitly allowed via the --allowed-tools flag. This PR fixes that behavior.
  • Explicit Tool Allowance: When --allowed-tools is used to permit ShellTool or specific shell sub-commands (e.g., ShellTool(wc)), the system will now correctly recognize and allow these tools in non-interactive sessions.
  • Preventing Hangs: In non-interactive mode, if a shell command is invoked but not explicitly allowed via --allowed-tools, the system will now preemptively throw an error instead of hanging while waiting for user approval that will never come.
  • No Impact on Interactive/YOLO Modes: The changes are specifically designed to affect non-interactive behavior and should not alter the functionality of interactive mode or YOLO mode.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Sep 22, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request successfully enables the use of --allowed-tools in non-interactive mode, particularly for ShellTool. The changes correctly adjust the tool exclusion logic in loadCliConfig and add a preemptive check within ShellTool to prevent hangs on unapproved commands. The updates are well-supported by a comprehensive set of new integration and unit tests. My review includes one high-severity suggestion to refactor duplicated code in packages/cli/src/config/config.ts to improve long-term maintainability.

@mistergarrison mistergarrison mentioned this pull request Sep 22, 2025
Closed
mistergarrison and others added 11 commits September 22, 2025 08:51
@mistergarrison
Merge branch 'main' into fix/allowed-tools-non-interactive
88ae5b2
@mistergarrison
Merge branch 'main' into fix/allowed-tools-non-interactive
1d4b608
@mistergarrison
Merge branch 'main' into fix/allowed-tools-non-interactive
7d46033
@mistergarrison
Merge branch 'main' into fix/allowed-tools-non-interactive
96e5bcf
@google-labs-jules
Refactor duplicated tool exclusion logic in config.ts
70b8006 
Extracted the duplicated tool exclusion filter logic into a
new helper function `createToolExclusionFilter`. This improves
maintainability and readability of the code.

Added a JSDoc comment to the new function to explain what it
does and why.
@mistergarrison
Merge pull request #3 from mistergarrison/refactor-config-tool-exclusion
69ee64c 
Refactor duplicated tool exclusion logic in config.ts
@mistergarrison
Remove tmp files that were accidentally added.
ce6db0a
@mistergarrison
Merge branch 'main' into fix/allowed-tools-non-interactive
47bbd7b
@mistergarrison
Merge branch 'main' into fix/allowed-tools-non-interactive
9869d9f
@mistergarrison
Fix a bad merge [I dropped a '}']
7953431
@mistergarrison
Merge branch 'main' into fix/allowed-tools-non-interactive
4d0e086
@jerop jerop requested a review from cornmander September 23, 2025 16:29
cornmander
cornmander reviewed Sep 23, 2025
View reviewed changes
@mistergarrison
Copy link
Contributor Author

mistergarrison commented Sep 25, 2025
edited
Loading

The failing test (because it runs long) looks unrelated:

  it('should not be interactive if positional prompt words are provided with other flags', async () => {
    process.stdin.isTTY = true;
    process.argv = ['node', 'script.js', '--model', 'gemini-1.5-pro', 'Hello'];
    const argv = await parseArguments({} as Settings);
    const config = await loadCliConfig({}, [], 'test-session', argv);
    expect(config.isInteractive()).toBe(false);
  });

@jerop jerop enabled auto-merge September 26, 2025 16:59
@jerop jerop added this pull request to the merge queue Sep 26, 2025
Merged via the queue into google-gemini:main with commit e8a065c Sep 26, 2025
19 of 22 checks passed
dtometzki pushed a commit to dtometzki/gemini-cli that referenced this pull request Sep 26, 2025
@mistergarrison @google-labs-jules @dtometzki
Make --allowed-tools work in non-interactive mode (google-gemini#9114)
106f8c3 
Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
galz10 added a commit that referenced this pull request Sep 26, 2025
@galz10
Revert "Make --allowed-tools work in non-interactive mode (#9114)"
2e6cb2b 
This reverts commit e8a065c.
galz10 added a commit that referenced this pull request Sep 26, 2025
@galz10
Revert "Make --allowed-tools work in non-interactive mode (#9114)"
5c83caf 
This reverts commit e8a065c.
@galz10 galz10 mentioned this pull request Sep 26, 2025
Merged
@mattKorwel mattKorwel mentioned this pull request Sep 26, 2025
Open
jkcinouye pushed a commit that referenced this pull request Sep 29, 2025
@mistergarrison @google-labs-jules @jkcinouye
Make --allowed-tools work in non-interactive mode (#9114)
3f127d2 
Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
@mistergarrison mistergarrison mentioned this pull request Sep 30, 2025
Closed
@mistergarrison mistergarrison mentioned this pull request Oct 1, 2025
Merged
thacio added a commit to thacio/auditaria that referenced this pull request Oct 4, 2025
@thacio
Merge Commit 'e8a065c': Make --allowed-tools work in non-interactive …
9242931 
…mode (google-gemini#9114)
@mistergarrison mistergarrison deleted the fix/allowed-tools-non-interactive branch October 10, 2025 00:44
giraffe-tree pushed a commit to giraffe-tree/gemini-cli that referenced this pull request Oct 10, 2025
@mistergarrison @google-labs-jules
Make --allowed-tools work in non-interactive mode (google-gemini#9114)
3bd8d0a 
Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cornmander cornmander cornmander approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

maintainer:e2e:ok

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

--allowed-tools does not work in non-interactive mode

3 participants

@mistergarrison @cornmander @jerop