haitham/claw3d
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a18c8c630c20cd77be9a458965fd93a5295b875d
claw3d/tests/unit/agentPermissionsRoleHelpers.test.ts
T
Luke The Dev 4fa4f13558 First Release of Claw3D (#11) 
Co-authored-by: iamlukethedev <iamlukethedev@users.noreply.github.com>
2026-03-19 23:14:04 -05:00

116 lines
4.3 KiB
TypeScript
Raw Blame History

import { describe, expect, it } from "vitest";
import {
resolveExecApprovalsPolicyForRole,
resolveRuntimeToolOverridesForRole,
resolveSessionExecSettingsForRole,
} from "@/features/agents/operations/agentPermissionsOperation";
describe("permissions role helpers", () => {
it("maps roles to exec approvals policy while preserving allowlist", () => {
const allowlist = [{ pattern: "a" }, { pattern: "b" }];
expect(resolveExecApprovalsPolicyForRole({ role: "conservative", allowlist })).toBeNull();
const collaborative = resolveExecApprovalsPolicyForRole({
role: "collaborative",
allowlist,
});
expect(collaborative).toEqual({
security: "allowlist",
ask: "always",
allowlist,
});
expect(collaborative?.allowlist).toBe(allowlist);
const autonomous = resolveExecApprovalsPolicyForRole({
role: "autonomous",
allowlist,
});
expect(autonomous).toEqual({
security: "full",
ask: "off",
allowlist,
});
expect(autonomous?.allowlist).toBe(allowlist);
});
it("updates tool overrides using allow when existing tools.allow is present", () => {
const existingTools = { allow: ["group:web"], deny: ["group:runtime"] };
const collaborative = resolveRuntimeToolOverridesForRole({
role: "collaborative",
existingTools,
});
expect(collaborative.tools.allow).toEqual(expect.arrayContaining(["group:web", "group:runtime"]));
expect(collaborative.tools).not.toHaveProperty("alsoAllow");
expect(collaborative.tools.deny).not.toEqual(expect.arrayContaining(["group:runtime"]));
const autonomous = resolveRuntimeToolOverridesForRole({
role: "autonomous",
existingTools,
});
expect(autonomous.tools.allow).toEqual(expect.arrayContaining(["group:web", "group:runtime"]));
expect(autonomous.tools).not.toHaveProperty("alsoAllow");
expect(autonomous.tools.deny).not.toEqual(expect.arrayContaining(["group:runtime"]));
const conservative = resolveRuntimeToolOverridesForRole({
role: "conservative",
existingTools,
});
expect(conservative.tools.allow).toEqual(expect.arrayContaining(["group:web"]));
expect(conservative.tools.allow).not.toEqual(expect.arrayContaining(["group:runtime"]));
expect(conservative.tools.deny).toEqual(expect.arrayContaining(["group:runtime"]));
});
it("updates tool overrides using alsoAllow when tools.allow is absent", () => {
const existingTools = { alsoAllow: ["group:web"], deny: [] as string[] };
const collaborative = resolveRuntimeToolOverridesForRole({
role: "collaborative",
existingTools,
});
expect(collaborative.tools.alsoAllow).toEqual(expect.arrayContaining(["group:web", "group:runtime"]));
expect(collaborative.tools).not.toHaveProperty("allow");
const conservative = resolveRuntimeToolOverridesForRole({
role: "conservative",
existingTools,
});
expect(conservative.tools.alsoAllow).toEqual(expect.arrayContaining(["group:web"]));
expect(conservative.tools.alsoAllow).not.toEqual(expect.arrayContaining(["group:runtime"]));
expect(conservative.tools.deny).toEqual(expect.arrayContaining(["group:runtime"]));
});
it("resolves session exec settings from role and sandbox mode", () => {
expect(resolveSessionExecSettingsForRole({ role: "conservative", sandboxMode: "all" })).toEqual({
execHost: null,
execSecurity: "deny",
execAsk: "off",
});
expect(resolveSessionExecSettingsForRole({ role: "collaborative", sandboxMode: "all" }).execHost).toBe(
"sandbox"
);
expect(resolveSessionExecSettingsForRole({ role: "autonomous", sandboxMode: "all" }).execHost).toBe(
"sandbox"
);
expect(resolveSessionExecSettingsForRole({ role: "collaborative", sandboxMode: "none" }).execHost).toBe(
"gateway"
);
expect(resolveSessionExecSettingsForRole({ role: "autonomous", sandboxMode: "none" }).execHost).toBe(
"gateway"
);
});
it("treats missing tools config as empty lists and still enforces group:runtime semantics", () => {
const collaborative = resolveRuntimeToolOverridesForRole({
role: "collaborative",
existingTools: null,
});
expect(collaborative.tools.alsoAllow).toEqual(expect.arrayContaining(["group:runtime"]));
expect(collaborative.tools).not.toHaveProperty("allow");
});
});
Reference in New Issue View Git Blame Copy Permalink