First Release of Claw3D (#11)
Co-authored-by: iamlukethedev <iamlukethedev@users.noreply.github.com>
This commit is contained in:
Luke The Dev
@@ -0,0 +1,115 @@
|
||||
import { describe, expect, it } from "vitest";
|
||||
|
||||
import {
|
||||
resolveExecApprovalsPolicyForRole,
|
||||
resolveRuntimeToolOverridesForRole,
|
||||
resolveSessionExecSettingsForRole,
|
||||
} from "@/features/agents/operations/agentPermissionsOperation";
|
||||
|
||||
describe("permissions role helpers", () => {
|
||||
it("maps roles to exec approvals policy while preserving allowlist", () => {
|
||||
const allowlist = [{ pattern: "a" }, { pattern: "b" }];
|
||||
|
||||
expect(resolveExecApprovalsPolicyForRole({ role: "conservative", allowlist })).toBeNull();
|
||||
|
||||
const collaborative = resolveExecApprovalsPolicyForRole({
|
||||
role: "collaborative",
|
||||
allowlist,
|
||||
});
|
||||
expect(collaborative).toEqual({
|
||||
security: "allowlist",
|
||||
ask: "always",
|
||||
allowlist,
|
||||
});
|
||||
expect(collaborative?.allowlist).toBe(allowlist);
|
||||
|
||||
const autonomous = resolveExecApprovalsPolicyForRole({
|
||||
role: "autonomous",
|
||||
allowlist,
|
||||
});
|
||||
expect(autonomous).toEqual({
|
||||
security: "full",
|
||||
ask: "off",
|
||||
allowlist,
|
||||
});
|
||||
expect(autonomous?.allowlist).toBe(allowlist);
|
||||
});
|
||||
|
||||
it("updates tool overrides using allow when existing tools.allow is present", () => {
|
||||
const existingTools = { allow: ["group:web"], deny: ["group:runtime"] };
|
||||
|
||||
const collaborative = resolveRuntimeToolOverridesForRole({
|
||||
role: "collaborative",
|
||||
existingTools,
|
||||
});
|
||||
expect(collaborative.tools.allow).toEqual(expect.arrayContaining(["group:web", "group:runtime"]));
|
||||
expect(collaborative.tools).not.toHaveProperty("alsoAllow");
|
||||
expect(collaborative.tools.deny).not.toEqual(expect.arrayContaining(["group:runtime"]));
|
||||
|
||||
const autonomous = resolveRuntimeToolOverridesForRole({
|
||||
role: "autonomous",
|
||||
existingTools,
|
||||
});
|
||||
expect(autonomous.tools.allow).toEqual(expect.arrayContaining(["group:web", "group:runtime"]));
|
||||
expect(autonomous.tools).not.toHaveProperty("alsoAllow");
|
||||
expect(autonomous.tools.deny).not.toEqual(expect.arrayContaining(["group:runtime"]));
|
||||
|
||||
const conservative = resolveRuntimeToolOverridesForRole({
|
||||
role: "conservative",
|
||||
existingTools,
|
||||
});
|
||||
expect(conservative.tools.allow).toEqual(expect.arrayContaining(["group:web"]));
|
||||
expect(conservative.tools.allow).not.toEqual(expect.arrayContaining(["group:runtime"]));
|
||||
expect(conservative.tools.deny).toEqual(expect.arrayContaining(["group:runtime"]));
|
||||
});
|
||||
|
||||
it("updates tool overrides using alsoAllow when tools.allow is absent", () => {
|
||||
const existingTools = { alsoAllow: ["group:web"], deny: [] as string[] };
|
||||
|
||||
const collaborative = resolveRuntimeToolOverridesForRole({
|
||||
role: "collaborative",
|
||||
existingTools,
|
||||
});
|
||||
expect(collaborative.tools.alsoAllow).toEqual(expect.arrayContaining(["group:web", "group:runtime"]));
|
||||
expect(collaborative.tools).not.toHaveProperty("allow");
|
||||
|
||||
const conservative = resolveRuntimeToolOverridesForRole({
|
||||
role: "conservative",
|
||||
existingTools,
|
||||
});
|
||||
expect(conservative.tools.alsoAllow).toEqual(expect.arrayContaining(["group:web"]));
|
||||
expect(conservative.tools.alsoAllow).not.toEqual(expect.arrayContaining(["group:runtime"]));
|
||||
expect(conservative.tools.deny).toEqual(expect.arrayContaining(["group:runtime"]));
|
||||
});
|
||||
|
||||
it("resolves session exec settings from role and sandbox mode", () => {
|
||||
expect(resolveSessionExecSettingsForRole({ role: "conservative", sandboxMode: "all" })).toEqual({
|
||||
execHost: null,
|
||||
execSecurity: "deny",
|
||||
execAsk: "off",
|
||||
});
|
||||
|
||||
expect(resolveSessionExecSettingsForRole({ role: "collaborative", sandboxMode: "all" }).execHost).toBe(
|
||||
"sandbox"
|
||||
);
|
||||
expect(resolveSessionExecSettingsForRole({ role: "autonomous", sandboxMode: "all" }).execHost).toBe(
|
||||
"sandbox"
|
||||
);
|
||||
|
||||
expect(resolveSessionExecSettingsForRole({ role: "collaborative", sandboxMode: "none" }).execHost).toBe(
|
||||
"gateway"
|
||||
);
|
||||
expect(resolveSessionExecSettingsForRole({ role: "autonomous", sandboxMode: "none" }).execHost).toBe(
|
||||
"gateway"
|
||||
);
|
||||
});
|
||||
|
||||
it("treats missing tools config as empty lists and still enforces group:runtime semantics", () => {
|
||||
const collaborative = resolveRuntimeToolOverridesForRole({
|
||||
role: "collaborative",
|
||||
existingTools: null,
|
||||
});
|
||||
expect(collaborative.tools.alsoAllow).toEqual(expect.arrayContaining(["group:runtime"]));
|
||||
expect(collaborative.tools).not.toHaveProperty("allow");
|
||||
});
|
||||
});
|
||||
Reference in New Issue
Block a user