npm - @aliou/pi-guardrails - Versions diffs - 0.12.0 → 0.13.0 - Mend

@aliou/pi-guardrails 0.12.0 → 0.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/README.md +8 -6
package/extensions/path-access/index.ts +12 -0
package/extensions/permission-gate/index.ts +12 -0
package/package.json +7 -5
package/src/core/shell/command-args.ts +71 -0
package/src/shared/events.ts +28 -0
package/extensions/guardrails/rules.test.ts +0 -107
package/extensions/guardrails/targets.test.ts +0 -44
package/extensions/path-access/grants.test.ts +0 -47
package/extensions/path-access/rules.test.ts +0 -46
package/extensions/path-access/targets.test.ts +0 -40
package/extensions/permission-gate/rules.test.ts +0 -132
package/src/core/check.test.ts +0 -169
package/src/core/commands/dangerous.test.ts +0 -468
package/src/core/paths/access.test.ts +0 -150
package/src/core/paths/path.test.ts +0 -293
package/src/core/shell/command-args.test.ts +0 -94
package/src/shared/matching.test.ts +0 -86
package/src/shared/paths/bash-paths.test.ts +0 -150

package/extensions/permission-gate/rules.test.ts DELETED Viewed

@@ -1,132 +0,0 @@
-import { describe, expect, it } from "vitest";
-import {
-  createPermissionGateRule,
-  formatAutoDenyReason,
-  matchCommandPattern,
-  matchesAnyCommandPattern,
-} from "./rules";
-describe("createPermissionGateRule", () => {
-  it("passes file actions", async () => {
-    const rule = createPermissionGateRule({
-      patterns: [{ pattern: "rm -rf", description: "recursive delete" }],
-      useBuiltinMatchers: false,
-    });
-    expect(rule.check({ kind: "file", path: "package.json" })).toEqual({
-      kind: "pass",
-    });
-  });
-  it("matches configured dangerous command patterns", async () => {
-    const rule = createPermissionGateRule({
-      patterns: [
-        { pattern: "terraform destroy", description: "Destroy infra" },
-      ],
-      useBuiltinMatchers: false,
-    });
-    expect(
-      rule.check({
-        kind: "command",
-        command: "terraform destroy -auto-approve",
-      }),
-    ).toEqual({
-      kind: "match",
-      reason: "Destroy infra",
-      metadata: {
-        command: "terraform destroy -auto-approve",
-        description: "Destroy infra",
-        pattern: "terraform destroy",
-      },
-    });
-  });
-  it("can use builtin dangerous command matchers", async () => {
-    const rule = createPermissionGateRule({
-      patterns: [],
-      useBuiltinMatchers: true,
-    });
-    expect(
-      rule.check({ kind: "command", command: "rm -rf dist" }),
-    ).toMatchObject({ kind: "match" });
-  });
-});
-describe("matchesAnyCommandPattern", () => {
-  it("matches substring and regex command patterns", () => {
-    expect(
-      matchesAnyCommandPattern("npm publish --dry-run", [
-        { pattern: "npm publish" },
-      ]),
-    ).toBe(true);
-    expect(
-      matchesAnyCommandPattern("DROP TABLE users", [
-        { pattern: "^DROP TABLE", regex: true },
-      ]),
-    ).toBe(true);
-    expect(
-      matchesAnyCommandPattern("npm test", [{ pattern: "npm publish" }]),
-    ).toBe(false);
-  });
-});
-describe("matchCommandPattern", () => {
-  it("returns the matched PatternConfig", () => {
-    const patterns = [{ pattern: "npm publish" }, { pattern: "rm -rf" }];
-    expect(matchCommandPattern("npm publish --dry-run", patterns)).toBe(
-      patterns[0],
-    );
-  });
-  it("returns the matching regex pattern", () => {
-    const patterns = [{ pattern: "^DROP TABLE", regex: true }];
-    expect(matchCommandPattern("DROP TABLE users", patterns)).toBe(patterns[0]);
-  });
-  it("returns null when no pattern matches", () => {
-    expect(
-      matchCommandPattern("npm test", [{ pattern: "npm publish" }]),
-    ).toBeNull();
-  });
-  it("preserves description on the returned pattern", () => {
-    const patterns = [
-      {
-        pattern: "python -m venv",
-        description: "Use the project .venv instead",
-      },
-    ];
-    const result = matchCommandPattern("python -m venv .venv", patterns);
-    expect(result).not.toBeNull();
-    expect(result?.description).toBe("Use the project .venv instead");
-  });
-});
-describe("formatAutoDenyReason", () => {
-  it("uses description when present", () => {
-    expect(
-      formatAutoDenyReason({
-        pattern: "python -m venv",
-        description: "Use the project .venv instead",
-      }),
-    ).toBe("Command auto-denied: Use the project .venv instead");
-  });
-  it("falls back to generic reason when description is missing", () => {
-    expect(formatAutoDenyReason({ pattern: "python -m venv" })).toBe(
-      "Command matched auto-deny pattern and was blocked automatically.",
-    );
-  });
-  it("falls back when description is empty string", () => {
-    expect(
-      formatAutoDenyReason({ pattern: "python -m venv", description: "" }),
-    ).toBe("Command matched auto-deny pattern and was blocked automatically.");
-  });
-  it("falls back when description is whitespace-only", () => {
-    expect(
-      formatAutoDenyReason({ pattern: "python -m venv", description: "  " }),
-    ).toBe("Command matched auto-deny pattern and was blocked automatically.");
-  });
-});

package/src/core/check.test.ts DELETED Viewed

@@ -1,169 +0,0 @@
-import { describe, expect, it, vi } from "vitest";
-import { checkAction, resolveDecision } from "./check";
-import type { Action, Rule, Safety } from "./types";
-const commandAction: Action = { kind: "command", command: "rm -rf /tmp/test" };
-type TestMeta = { pattern: string; source: "test" };
-const testMetadata: TestMeta = { pattern: "rm -rf", source: "test" };
-describe("checkAction", () => {
-  it("returns safe when no rules match", async () => {
-    const rules: Rule[] = [
-      {
-        key: "sudo",
-        check: () => ({ kind: "pass" }),
-      },
-    ];
-    await expect(checkAction(commandAction, rules)).resolves.toEqual({
-      kind: "safe",
-    });
-  });
-  it("returns dangerous for the first matching rule", async () => {
-    const secondCheck = vi.fn(() => ({
-      kind: "match" as const,
-      reason: "second match",
-      metadata: testMetadata,
-    }));
-    const rules: Rule<TestMeta>[] = [
-      {
-        key: "first",
-        check: () => ({
-          kind: "match",
-          reason: "first match",
-          metadata: testMetadata,
-        }),
-      },
-      {
-        key: "second",
-        check: secondCheck,
-      },
-    ];
-    await expect(checkAction(commandAction, rules)).resolves.toEqual({
-      kind: "dangerous",
-      action: commandAction,
-      key: "first",
-      reason: "first match",
-      metadata: testMetadata,
-    });
-    expect(secondCheck).not.toHaveBeenCalled();
-  });
-  it("supports async rules", async () => {
-    const rules: Rule[] = [
-      {
-        key: "async",
-        check: async (action) =>
-          action.kind === "command"
-            ? {
-                kind: "match",
-                reason: "async match",
-                metadata: null,
-              }
-            : { kind: "pass" },
-      },
-    ];
-    await expect(checkAction(commandAction, rules)).resolves.toMatchObject({
-      kind: "dangerous",
-      key: "async",
-      reason: "async match",
-      metadata: null,
-    });
-  });
-  it("propagates rule errors", async () => {
-    const error = new Error("rule failed");
-    const rules: Rule[] = [
-      {
-        key: "broken",
-        check: () => {
-          throw error;
-        },
-      },
-    ];
-    await expect(checkAction(commandAction, rules)).rejects.toThrow(error);
-  });
-  it("propagates async rule rejections", async () => {
-    const error = new Error("async rule failed");
-    const rules: Rule[] = [
-      {
-        key: "broken-async",
-        check: async () => {
-          throw error;
-        },
-      },
-    ];
-    await expect(checkAction(commandAction, rules)).rejects.toThrow(error);
-  });
-  it("preserves typed match metadata", async () => {
-    const rules: Rule<TestMeta>[] = [
-      {
-        key: "typed",
-        check: () => ({
-          kind: "match",
-          reason: "typed match",
-          metadata: testMetadata,
-        }),
-      },
-    ];
-    const safety = await checkAction(commandAction, rules);
-    if (safety.kind !== "dangerous") {
-      throw new Error("expected dangerous safety");
-    }
-    expect(safety.metadata.pattern).toBe("rm -rf");
-    const decision = resolveDecision(safety, "prompt");
-    if (decision.kind !== "prompt") {
-      throw new Error("expected prompt decision");
-    }
-    expect(decision.risk.metadata.pattern).toBe("rm -rf");
-  });
-});
-describe("resolveDecision", () => {
-  const dangerous: Safety = {
-    kind: "dangerous",
-    action: commandAction,
-    key: "rm-rf",
-    reason: "recursive force delete",
-    metadata: null,
-  };
-  it("allows safe actions", () => {
-    expect(resolveDecision({ kind: "safe" }, "denied")).toEqual({
-      kind: "allow",
-    });
-  });
-  it("allows dangerous actions when permission is granted", () => {
-    expect(resolveDecision(dangerous, "granted")).toEqual({ kind: "allow" });
-  });
-  it("denies dangerous actions when permission is denied", () => {
-    expect(resolveDecision(dangerous, "denied")).toEqual({
-      kind: "deny",
-      reason: "recursive force delete",
-    });
-  });
-  it("prompts for dangerous actions when permission is prompt", () => {
-    expect(resolveDecision(dangerous, "prompt")).toEqual({
-      kind: "prompt",
-      risk: dangerous,
-    });
-  });
-});