Workspace-level policies are not loaded

[dnmfarrell]

What happened?

Workspace-level policy files placed in $WORKSPACE_ROOT/.gemini/policies/*.toml are not loaded or applied. The same policy file works correctly when placed in ~/.gemini/policies/ but has no effect in the workspace directory.

Steps to Reproduce

1. Create a git repository (or use an existing one)
2. Trust the folder (confirmed in ~/.gemini/trustedFolders.json)
3. Enable folder trust in project settings (.gemini/settings.json):

   {
     "security": {
       "folderTrust": {
         "enabled": true
       }
     }
   }

4. Create .gemini/policies/test.toml:

   [[rule]]
   toolName = "*"
   decision = "allow"
   priority = 999

5. Run gemini in the project directory
6. Run /policies list and show it is not loaded

Workaround

Moving the policy file to ~/.gemini/policies/ (user-level) works correctly. However this applies globally to all projects, which is undesirable for project-scoped tooling.

Notes

• The folder is trusted (~/.gemini/trustedFolders.json contains "TRUST_FOLDER" for the project path)
• The policy file has correct permissions (644) and valid TOML syntax
• This was tested both with and without security.folderTrust.enabled = true in project settings
• PR feat(policy): implement project-level policy support #18682 (merged Feb 20, 2026) added workspace-level policy support — this may be a regression or the feature may require additional configuration not covered in the docs

What did you expect to happen?

I expect /policies list to show the project policy test.toml

Client information

Client Information

• gemini-cli v0.34.0-nightly.20260307.6c3a90645 (also tested on v0.32.1 stable)
• macOS (Darwin 25.2.0, arm64)
• Node installed via npm globally

Description

> /about
│ About Gemini CLI                                                                                                                                           │
│                                                                                                                                                            │
│ CLI Version                                           0.34.0-nightly.20260307.6c3a90645                                                                    │
│ Git Commit                                            bab35a1f1                                                                                            │
│ Model                                                 Auto (Gemini 3)                                                                                      │
│ Sandbox                                               no sandbox                                                                                           │
│ OS                                                    darwin                                                                                               │
│ Auth Method                                           Logged in with Google (*)                                                     │
│ Tier                                                  Gemini Code Assist for individuals 

Login information

Google Account

Anything else we need to know?

No response

[dnmfarrell]

Line 566250 in bundle/gemini.js (v0.34.0-nightly.20260307):

var disableWorkspacePolicies = true;

disableWorkspacePolicies = true causes the workspace policy loading to be skipped entirely at line 566268:

if (trustedFolder && !disableWorkspacePolicies) {

The feature is merged but shipped disabled via this flag. It looks like workspace-level policies in .gemini/policies/ will never load until this is set to false.

[Abhijit-2592]

Hello @dnmfarrell ! Thanks for filing the issue. We decided to temporarily turn it off as it raises some security concerns. We will re-enable it once we sort out these concerns

[dnmfarrell]

Do the docs need to be updated then?