2025-04-16 10:21:48 -07:00
|
|
|
|
import type { SafetyAssessment } from "../src/lib/approvals";
|
2025-04-16 12:56:08 -04:00
|
|
|
|
|
2025-04-16 10:21:48 -07:00
|
|
|
|
import { canAutoApprove } from "../src/lib/approvals";
|
2025-04-16 12:56:08 -04:00
|
|
|
|
import { describe, test, expect } from "vitest";
|
|
|
|
|
|
|
|
|
|
|
|
describe("canAutoApprove()", () => {
|
|
|
|
|
|
const env = {
|
|
|
|
|
|
PATH: "/usr/local/bin:/usr/bin:/bin",
|
|
|
|
|
|
HOME: "/home/user",
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
const writeablePaths: Array<string> = [];
|
|
|
|
|
|
const check = (command: ReadonlyArray<string>): SafetyAssessment =>
|
|
|
|
|
|
canAutoApprove(command, "suggest", writeablePaths, env);
|
|
|
|
|
|
|
|
|
|
|
|
test("simple safe commands", () => {
|
|
|
|
|
|
expect(check(["ls"])).toEqual({
|
|
|
|
|
|
type: "auto-approve",
|
|
|
|
|
|
reason: "List directory",
|
|
|
|
|
|
group: "Searching",
|
|
|
|
|
|
runInSandbox: false,
|
|
|
|
|
|
});
|
|
|
|
|
|
expect(check(["cat", "file.txt"])).toEqual({
|
|
|
|
|
|
type: "auto-approve",
|
|
|
|
|
|
reason: "View file contents",
|
|
|
|
|
|
group: "Reading files",
|
|
|
|
|
|
runInSandbox: false,
|
|
|
|
|
|
});
|
|
|
|
|
|
expect(check(["pwd"])).toEqual({
|
|
|
|
|
|
type: "auto-approve",
|
|
|
|
|
|
reason: "Print working directory",
|
|
|
|
|
|
group: "Navigating",
|
|
|
|
|
|
runInSandbox: false,
|
|
|
|
|
|
});
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
test("simple safe commands within a `bash -lc` call", () => {
|
|
|
|
|
|
expect(check(["bash", "-lc", "ls"])).toEqual({
|
|
|
|
|
|
type: "auto-approve",
|
|
|
|
|
|
reason: "List directory",
|
|
|
|
|
|
group: "Searching",
|
|
|
|
|
|
runInSandbox: false,
|
|
|
|
|
|
});
|
|
|
|
|
|
expect(check(["bash", "-lc", "ls $HOME"])).toEqual({
|
|
|
|
|
|
type: "auto-approve",
|
|
|
|
|
|
reason: "List directory",
|
|
|
|
|
|
group: "Searching",
|
|
|
|
|
|
runInSandbox: false,
|
|
|
|
|
|
});
|
|
|
|
|
|
expect(check(["bash", "-lc", "git show ab9811cb90"])).toEqual({
|
|
|
|
|
|
type: "auto-approve",
|
|
|
|
|
|
reason: "Git show",
|
|
|
|
|
|
group: "Using git",
|
|
|
|
|
|
runInSandbox: false,
|
|
|
|
|
|
});
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
test("bash -lc commands with unsafe redirects", () => {
|
|
|
|
|
|
expect(check(["bash", "-lc", "echo hello > file.txt"])).toEqual({
|
|
|
|
|
|
type: "ask-user",
|
|
|
|
|
|
});
|
|
|
|
|
|
// In theory, we could make our checker more sophisticated to auto-approve
|
|
|
|
|
|
// This previously required approval, but now that we consider safe
|
|
|
|
|
|
// operators like "&&" the entire expression can be auto‑approved.
|
|
|
|
|
|
expect(check(["bash", "-lc", "ls && pwd"])).toEqual({
|
|
|
|
|
|
type: "auto-approve",
|
|
|
|
|
|
reason: "List directory",
|
|
|
|
|
|
group: "Searching",
|
|
|
|
|
|
runInSandbox: false,
|
|
|
|
|
|
});
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
test("true command is considered safe", () => {
|
|
|
|
|
|
expect(check(["true"])).toEqual({
|
|
|
|
|
|
type: "auto-approve",
|
|
|
|
|
|
reason: "No‑op (true)",
|
|
|
|
|
|
group: "Utility",
|
|
|
|
|
|
runInSandbox: false,
|
|
|
|
|
|
});
|
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|
|
test("commands that should require approval", () => {
|
|
|
|
|
|
// Should this be on the auto-approved list?
|
|
|
|
|
|
expect(check(["printenv"])).toEqual({ type: "ask-user" });
|
|
|
|
|
|
|
|
|
|
|
|
expect(check(["git", "commit"])).toEqual({ type: "ask-user" });
|
|
|
|
|
|
|
|
|
|
|
|
expect(check(["pytest"])).toEqual({ type: "ask-user" });
|
|
|
|
|
|
|
|
|
|
|
|
expect(check(["cargo", "build"])).toEqual({ type: "ask-user" });
|
|
|
|
|
|
});
|
|
|
|
|
|
});
|
