35 lines
1002 B
Python
35 lines
1002 B
Python
|
from __future__ import annotations
|
||
|
|
|
||
|
|
import pytest
|
||
|
|
|
||
|
|
from engine.devops_agent.policies import PolicyViolation, RuntimePolicy
|
||
|
|
|
||
|
|
|
||
|
|
def test_policy_allows_declared_safe_output() -> None:
|
||
|
|
policy = RuntimePolicy(
|
||
|
|
safe_outputs={"add_comment": {"max": 2}},
|
||
|
|
path_scope=["engine/devops_agent/", "README.md"],
|
||
|
|
)
|
||
|
|
|
||
|
|
policy.assert_operation_allowed("add_comment")
|
||
|
|
|
||
|
|
|
||
|
|
def test_policy_rejects_undeclared_write_action() -> None:
|
||
|
|
policy = RuntimePolicy(
|
||
|
|
safe_outputs={"add_comment": {"max": 2}},
|
||
|
|
path_scope=[],
|
||
|
|
)
|
||
|
|
|
||
|
|
with pytest.raises(PolicyViolation, match="close_issue"):
|
||
|
|
policy.assert_operation_allowed("close_issue")
|
||
|
|
|
||
|
|
|
||
|
|
def test_policy_rejects_paths_outside_scope() -> None:
|
||
|
|
policy = RuntimePolicy(
|
||
|
|
safe_outputs={"write_file": {"max": 5}},
|
||
|
|
path_scope=["engine/devops_agent/"],
|
||
|
|
)
|
||
|
|
|
||
|
|
with pytest.raises(PolicyViolation, match="outside allowed path scope"):
|
||
|
|
policy.assert_path_allowed("skills/gitea-issue-devops-agent/SKILL.md")
|