@aliou/pi-guardrails 0.12.1 → 0.13.0

package/src/core/paths/access.test.ts

@@ -1,150 +0,0 @@
-import { assert, describe, expect, it } from "vitest";
-import { checkPathAccess, isPathAllowed, type PathAccessState } from "./access";
-
-describe("isPathAllowed", () => {
-  describe("when allowedPaths is empty", () => {
-    it("returns false", () => {
-      expect(isPathAllowed("/foo/bar", [])).toBe(false);
-    });
-  });
-
-  describe("when entry is an exact file grant", () => {
-    it.each([
-      { desc: "matches the exact file", path: "/foo/bar", expected: true },
-      {
-        desc: "does not match a sibling file",
-        path: "/foo/other",
-        expected: false,
-      },
-      {
-        desc: "does not match the containing directory",
-        path: "/foo",
-        expected: false,
-      },
-    ])("$desc", ({ path, expected }) => {
-      expect(isPathAllowed(path, ["/foo/bar"])).toBe(expected);
-    });
-  });
-
-  describe("when entry is a directory grant (trailing /)", () => {
-    it.each([
-      {
-        desc: "matches the directory itself",
-        path: "/foo/bar",
-        expected: true,
-      },
-      { desc: "matches a direct child", path: "/foo/bar/baz", expected: true },
-      {
-        desc: "matches a grandchild",
-        path: "/foo/bar/baz/qux",
-        expected: true,
-      },
-      {
-        desc: "does not match a prefix-collision path like /foo/barbaz",
-        path: "/foo/barbaz",
-        expected: false,
-      },
-    ])("$desc", ({ path, expected }) => {
-      expect(isPathAllowed(path, ["/foo/bar/"])).toBe(expected);
-    });
-  });
-
-  describe("when allowedPaths has multiple entries", () => {
-    it("returns true if any entry matches", () => {
-      expect(isPathAllowed("/b", ["/a", "/b"])).toBe(true);
-    });
-
-    it.each([
-      { path: "/foo/file.ts", expected: true },
-      { path: "/bar/anything", expected: true },
-      { path: "/foo/other.ts", expected: false },
-      { path: "/baz", expected: false },
-    ])("with mixed file + directory grants, returns $expected for $path", ({
-      path,
-      expected,
-    }) => {
-      expect(isPathAllowed(path, ["/foo/file.ts", "/bar/"])).toBe(expected);
-    });
-  });
-});
-
-describe("checkPathAccess", () => {
-  const cwd = "/work/project";
-  const base = (overrides: Partial<PathAccessState> = {}): PathAccessState => ({
-    cwd,
-    mode: "ask",
-    allowedPaths: [],
-    hasUI: true,
-    ...overrides,
-  });
-
-  describe("when mode is allow", () => {
-    it("always returns allow, even for paths outside cwd and without UI", () => {
-      const state = base({ mode: "allow", hasUI: false, allowedPaths: [] });
-      expect(checkPathAccess("/etc/hosts", "/etc/hosts", state).kind).toBe(
-        "allow",
-      );
-      expect(checkPathAccess("/work/project/src", "src", state).kind).toBe(
-        "allow",
-      );
-    });
-  });
-
-  describe("when path is inside cwd", () => {
-    it.each([
-      { mode: "block" as const },
-      { mode: "ask" as const },
-    ])("returns allow in $mode mode", ({ mode }) => {
-      const state = base({ mode });
-      expect(
-        checkPathAccess("/work/project/src/file", "src/file", state).kind,
-      ).toBe("allow");
-    });
-
-    it("returns allow when path equals cwd", () => {
-      expect(checkPathAccess(cwd, ".", base({ mode: "ask" })).kind).toBe(
-        "allow",
-      );
-    });
-  });
-
-  describe("when path is outside cwd and mode is block", () => {
-    it("returns deny with the displayPath in the reason", () => {
-      const state = base({ mode: "block" });
-      const decision = checkPathAccess("/etc/hosts", "/etc/hosts", state);
-      assert(decision.kind === "deny", "expected deny decision");
-      expect(decision.reason).toContain("/etc/hosts");
-    });
-
-    it("returns allow when the path is in allowedPaths", () => {
-      const state = base({ mode: "block", allowedPaths: ["/etc/hosts"] });
-      expect(checkPathAccess("/etc/hosts", "/etc/hosts", state).kind).toBe(
-        "allow",
-      );
-    });
-  });
-
-  describe("when path is outside cwd and mode is ask", () => {
-    it("returns ask with displayPath when UI is available", () => {
-      const state = base({ mode: "ask", hasUI: true });
-      const decision = checkPathAccess("/etc/hosts", "/etc/hosts", state);
-      assert(decision.kind === "ask", "expected ask decision");
-      expect(decision.displayPath).toBe("/etc/hosts");
-      expect(decision.absolutePath).toBe("/etc/hosts");
-    });
-
-    it("returns deny with a 'no UI' reason when UI is unavailable", () => {
-      const state = base({ mode: "ask", hasUI: false });
-      const decision = checkPathAccess("/etc/hosts", "/etc/hosts", state);
-      assert(decision.kind === "deny", "expected deny decision");
-      expect(decision.reason).toContain("no UI");
-    });
-
-    it("returns allow when the path is in allowedPaths (no prompt)", () => {
-      const state = base({ mode: "ask", allowedPaths: ["/etc/hosts"] });
-      expect(checkPathAccess("/etc/hosts", "/etc/hosts", state).kind).toBe(
-        "allow",
-      );
-    });
-  });
-});

package/src/core/paths/path.test.ts

@@ -1,293 +0,0 @@
-import { homedir } from "node:os";
-import { describe, expect, it } from "vitest";
-import {
-  expandHomePath,
-  isWithinBoundary,
-  maybePathLike,
-  normalizeForDisplay,
-  resolveFromCwd,
-  toStorageForm,
-} from "./path";
-
-const HOME = homedir();
-
-describe("expandHomePath", () => {
-  it.each([
-    { desc: "bare ~", input: "~", expected: HOME },
-    { desc: "~/foo", input: "~/foo", expected: `${HOME}/foo` },
-    {
-      desc: "~\\foo (Windows tilde)",
-      input: "~\\foo",
-      expected: `${HOME}/foo`,
-    },
-    {
-      desc: "an absolute path",
-      input: "/absolute/path",
-      expected: "/absolute/path",
-    },
-    {
-      desc: "a relative path",
-      input: "relative/path",
-      expected: "relative/path",
-    },
-    { desc: "an empty string", input: "", expected: "" },
-  ])("given $desc, returns the expanded path", ({ input, expected }) => {
-    expect(expandHomePath(input)).toBe(expected);
-  });
-});
-
-describe("resolveFromCwd", () => {
-  const cwd = "/some/cwd";
-
-  it.each([
-    {
-      desc: "a relative path",
-      input: "sub/file",
-      expected: "/some/cwd/sub/file",
-    },
-    { desc: "an absolute path", input: "/etc/hosts", expected: "/etc/hosts" },
-    { desc: "a ~ path", input: "~/foo", expected: `${HOME}/foo` },
-    { desc: "'.'", input: ".", expected: "/some/cwd" },
-  ])("given $desc, resolves against cwd", ({ input, expected }) => {
-    expect(resolveFromCwd(input, cwd)).toBe(expected);
-  });
-});
-
-describe("isWithinBoundary", () => {
-  it.each([
-    {
-      desc: "paths are identical",
-      target: "/foo/bar",
-      root: "/foo/bar",
-      expected: true,
-    },
-    {
-      desc: "target is a direct child",
-      target: "/foo/bar/baz",
-      root: "/foo/bar",
-      expected: true,
-    },
-    {
-      desc: "target is a grandchild",
-      target: "/foo/bar/baz/qux",
-      root: "/foo/bar",
-      expected: true,
-    },
-    {
-      desc: "target is a parent",
-      target: "/foo",
-      root: "/foo/bar",
-      expected: false,
-    },
-    {
-      desc: "target is a sibling",
-      target: "/foo/other",
-      root: "/foo/bar",
-      expected: false,
-    },
-    {
-      desc: "target shares a string prefix but is not a child (critical case)",
-      target: "/foo/barbaz",
-      root: "/foo/bar",
-      expected: false,
-    },
-    {
-      desc: "paths are completely unrelated",
-      target: "/tmp",
-      root: "/home/user",
-      expected: false,
-    },
-  ])("when $desc, returns $expected", ({ target, root, expected }) => {
-    expect(isWithinBoundary(target, root)).toBe(expected);
-  });
-});
-
-describe("normalizeForDisplay", () => {
-  const cwd = "/work/project";
-
-  it.each([
-    { desc: "path equals cwd", input: cwd, expected: "." },
-    {
-      desc: "path is a child of cwd",
-      input: "/work/project/src/file.ts",
-      expected: "src/file.ts",
-    },
-    {
-      desc: "path is under home but not cwd",
-      input: `${HOME}/config/file`,
-      expected: "~/config/file",
-    },
-    {
-      desc: "path is outside both cwd and home",
-      input: "/etc/hosts",
-      expected: "/etc/hosts",
-    },
-    { desc: "path is home itself", input: HOME, expected: "~" },
-  ])("when $desc, returns $expected", ({ input, expected }) => {
-    expect(normalizeForDisplay(input, cwd)).toBe(expected);
-  });
-});
-
-describe("toStorageForm", () => {
-  it.each([
-    {
-      desc: "file under home",
-      absPath: `${HOME}/code/file.ts`,
-      isDirectory: false,
-      expected: "~/code/file.ts",
-    },
-    {
-      desc: "directory under home",
-      absPath: `${HOME}/code`,
-      isDirectory: true,
-      expected: "~/code/",
-    },
-    {
-      desc: "absolute file outside home",
-      absPath: "/etc/hosts",
-      isDirectory: false,
-      expected: "/etc/hosts",
-    },
-    {
-      desc: "absolute directory outside home",
-      absPath: "/etc",
-      isDirectory: true,
-      expected: "/etc/",
-    },
-    {
-      desc: "input has trailing slash but isDirectory=false",
-      absPath: "/etc/hosts/",
-      isDirectory: false,
-      expected: "/etc/hosts",
-    },
-    {
-      desc: "input uses Windows backslashes",
-      absPath: "C:\\Users\\foo",
-      isDirectory: false,
-      expected: "C:/Users/foo",
-    },
-    {
-      desc: "input is home itself with isDirectory=true",
-      absPath: HOME,
-      isDirectory: true,
-      expected: "~/",
-    },
-  ])("when $desc, returns $expected", ({ absPath, isDirectory, expected }) => {
-    expect(toStorageForm(absPath, isDirectory)).toBe(expected);
-  });
-});
-
-describe("maybePathLike", () => {
-  it.each([
-    // --- True cases: structural path signals ---
-    {
-      desc: "absolute Unix path",
-      input: "/etc/hosts",
-      expected: true,
-    },
-    {
-      desc: "relative path with /",
-      input: "src/index.ts",
-      expected: true,
-    },
-    {
-      desc: "./ prefix",
-      input: "./foo",
-      expected: true,
-    },
-    {
-      desc: "../ prefix",
-      input: "../bar",
-      expected: true,
-    },
-    {
-      desc: "backslash path (Windows)",
-      input: "foo\\bar",
-      expected: true,
-    },
-    {
-      desc: "Windows drive letter",
-      input: "C:\\tmp",
-      expected: true,
-    },
-    {
-      desc: "Windows drive with forward slash",
-      input: "C:/tmp",
-      expected: true,
-    },
-    {
-      desc: "tilde home path",
-      input: "~/code",
-      expected: true,
-    },
-    {
-      desc: "MIME type (has / — safe false positive)",
-      input: "application/json",
-      expected: true,
-    },
-    {
-      desc: "regular expression with braces (has / — safe false positive)",
-      input: "/abc/{2,3}",
-      expected: true,
-    },
-    // --- False cases: non-path tokens ---
-    {
-      desc: "empty string",
-      input: "",
-      expected: false,
-    },
-    {
-      desc: "simple command name",
-      input: "rm",
-      expected: false,
-    },
-    {
-      desc: "flag",
-      input: "--force",
-      expected: false,
-    },
-    {
-      desc: "short flag",
-      input: "-rf",
-      expected: false,
-    },
-    {
-      desc: "bare word",
-      input: "build",
-      expected: false,
-    },
-    {
-      desc: "bare tilde (no slash)",
-      input: "~",
-      expected: false,
-    },
-    {
-      desc: "version number",
-      input: "3.14",
-      expected: false,
-    },
-    {
-      desc: "domain name",
-      input: "example.com",
-      expected: false,
-    },
-    {
-      desc: "bare filename with extension",
-      input: "README.md",
-      expected: false,
-    },
-    {
-      desc: "dotfile without slash",
-      input: ".env",
-      expected: false,
-    },
-  ])("when $desc, returns $expected", ({ input, expected }) => {
-    expect(maybePathLike(input)).toBe(expected);
-  });
-
-  // maybePathLike is command-agnostic. Command-specific regex/code args are
-  // filtered by extractBashPathCandidates before this fallback heuristic runs.
-  it("treats awk-looking regex text as path-like without command context", () => {
-    expect(maybePathLike("/aaa/{flag=1} flag{print}")).toBe(true);
-  });
-});

package/src/core/shell/command-args.test.ts

@@ -1,142 +0,0 @@
-import { describe, expect, it } from "vitest";
-import { classifyCommandArgs } from "./command-args";
-
-const tokens = (command: string, args: string[]) =>
-  classifyCommandArgs(command, args).map((arg) => arg.token);
-
-describe("classifyCommandArgs", () => {
-  it("keeps unknown command arguments unchanged", () => {
-    expect(tokens("cat", ["/etc/hosts", "./file"])).toEqual([
-      "/etc/hosts",
-      "./file",
-    ]);
-  });
-
-  it("normalizes command basenames", () => {
-    expect(tokens("/usr/bin/awk", ["/aaa/{print}", "./input"])).toEqual([
-      "./input",
-    ]);
-  });
-
-  it("ignores awk inline program and keeps file operands", () => {
-    expect(tokens("awk", ["/aaa/{print}", "./input"])).toEqual(["./input"]);
-  });
-
-  it.each([
-    ["-f as separate option", ["-f", "./prog.awk", "./input"]],
-    ["-f as joined option", ["-f./prog.awk", "./input"]],
-  ])("keeps awk program files with %s", (_label, args) => {
-    expect(tokens("awk", args)).toEqual(["./prog.awk", "./input"]);
-  });
-
-  it("ignores sed inline scripts and keeps file operands", () => {
-    expect(tokens("sed", ["s#/old#/new#g", "./file"])).toEqual(["./file"]);
-  });
-
-  it.each([
-    ["-f as separate option", ["-f", "./script.sed", "./file"]],
-    ["--file as long option", ["--file", "./script.sed", "./file"]],
-    ["-f as joined option", ["-f./script.sed", "./file"]],
-  ])("keeps sed script files with %s", (_label, args) => {
-    expect(tokens("sed", args)).toEqual(["./script.sed", "./file"]);
-  });
-
-  it("ignores grep patterns and keeps file operands", () => {
-    expect(tokens("grep", ["/api/v1", "./src"])).toEqual(["./src"]);
-  });
-
-  it.each([
-    ["-f as separate option", ["-f", "./patterns", "./src"]],
-    ["--file as long option", ["--file", "./patterns", "./src"]],
-    ["-f as joined option", ["-f./patterns", "./src"]],
-  ])("keeps grep pattern files with %s", (_label, args) => {
-    expect(tokens("grep", args)).toEqual(["./patterns", "./src"]);
-  });
-
-  it("keeps find roots and ignores expression patterns", () => {
-    expect(tokens("find", ["./src", "-regex", ".*/test/.*"])).toEqual([
-      "./src",
-    ]);
-  });
-
-  it("ignores jq filters and keeps file operands", () => {
-    expect(tokens("jq", ['.path | test("^/tmp/")', "./data.json"])).toEqual([
-      "./data.json",
-    ]);
-  });
-
-  it.each([
-    ["-f as separate option", ["-f", "./filter.jq", "./data.json"]],
-    [
-      "--from-file as long option",
-      ["--from-file", "./filter.jq", "./data.json"],
-    ],
-  ])("keeps jq filter files with %s", (_label, args) => {
-    expect(tokens("jq", args)).toEqual(["./filter.jq", "./data.json"]);
-  });
-
-  it("ignores interpreter inline code", () => {
-    expect(tokens("python3", ["-c", 'open("/etc/passwd")'])).toEqual([]);
-  });
-
-  it("keeps interpreter script operands", () => {
-    expect(tokens("python3", ["./script.py", "./data.json"])).toEqual([
-      "./script.py",
-      "./data.json",
-    ]);
-  });
-
-  it("ignores delimiter args", () => {
-    expect(tokens("cut", ["-d", "/", "./file"])).toEqual(["./file"]);
-    expect(tokens("sort", ["-t", "/", "./file"])).toEqual(["./file"]);
-    expect(tokens("tr", ["/", ":"])).toEqual([]);
-  });
-
-  describe("go subcommand", () => {
-    it("skips Go package wildcard patterns", () => {
-      expect(tokens("go", ["test", "./..."])).toEqual([]);
-    });
-
-    it("keeps go run .go file operands", () => {
-      expect(tokens("go", ["run", "main.go"])).toEqual(["main.go"]);
-    });
-
-    it("skips non-.go positionals for go run", () => {
-      expect(tokens("go", ["run", "-exec", "/bin/env", "main.go"])).toEqual([
-        "main.go",
-      ]);
-    });
-
-    it("skips package patterns for build/vet/list", () => {
-      expect(tokens("go", ["build", "./..."])).toEqual([]);
-      expect(tokens("go", ["vet", "./pkg/..."])).toEqual([]);
-      expect(tokens("go", ["list", "./..."])).toEqual([]);
-    });
-
-    it("keeps file-valued flags", () => {
-      expect(tokens("go", ["build", "-modfile", "./go.mod", "./..."])).toEqual([
-        "./go.mod",
-      ]);
-    });
-
-    it("keeps -o flag value for go build", () => {
-      expect(tokens("go", ["build", "-o", "./bin/app", "./..."])).toEqual([
-        "./bin/app",
-      ]);
-    });
-
-    it("handles -C global flag before subcommand", () => {
-      expect(tokens("go", ["-C", "/tmp", "test", "./..."])).toEqual([]);
-    });
-
-    it("handles -C joined form before subcommand", () => {
-      expect(tokens("go", ["-C=/tmp", "test", "./..."])).toEqual([]);
-    });
-
-    it("keeps go run .go file operands with -C", () => {
-      expect(tokens("go", ["-C", "/tmp", "run", "main.go"])).toEqual([
-        "main.go",
-      ]);
-    });
-  });
-});

package/src/shared/matching.test.ts

@@ -1,86 +0,0 @@
-import { describe, expect, it } from "vitest";
-import {
-  compileCommandPattern,
-  compileFilePattern,
-  normalizeFilePath,
-} from "./matching";
-import { drainPendingWarnings } from "./warnings";
-
-describe("normalizeFilePath", () => {
-  it.each([
-    ["./src//file.ts", "src/file.ts"],
-    ["src\\file.ts", "src/file.ts"],
-    ["./foo\\bar//baz", "foo/bar/baz"],
-  ])("normalizes %s", (input, expected) => {
-    expect(normalizeFilePath(input)).toBe(expected);
-  });
-});
-
-describe("compileFilePattern", () => {
-  it("matches basename when the pattern has no slash", () => {
-    const pattern = compileFilePattern({ pattern: ".env" });
-
-    expect(pattern.test(".env")).toBe(true);
-    expect(pattern.test("config/.env")).toBe(true);
-    expect(pattern.test("config/.env.local")).toBe(false);
-  });
-
-  it("matches full normalized paths when the pattern has a slash", () => {
-    const pattern = compileFilePattern({ pattern: "config/*.env" });
-
-    expect(pattern.test("config/app.env")).toBe(true);
-    expect(pattern.test("./config//app.env")).toBe(true);
-    expect(pattern.test("nested/config/app.env")).toBe(false);
-  });
-
-  it("uses case-insensitive regex matching for file patterns", () => {
-    const pattern = compileFilePattern({
-      pattern: "SECRET\\.TXT$",
-      regex: true,
-    });
-
-    expect(pattern.test("docs/secret.txt")).toBe(true);
-    expect(pattern.test("docs/public.txt")).toBe(false);
-  });
-
-  it("records a warning and returns a non-matching pattern for invalid regex", () => {
-    drainPendingWarnings();
-
-    const pattern = compileFilePattern({ pattern: "[", regex: true });
-
-    expect(pattern.test("anything")).toBe(false);
-    expect(drainPendingWarnings()).toEqual([
-      "Invalid regex in guardrails config: [",
-    ]);
-  });
-});
-
-describe("compileCommandPattern", () => {
-  it("uses substring matching by default", () => {
-    const pattern = compileCommandPattern({ pattern: "deploy production" });
-
-    expect(pattern.test("please deploy production now")).toBe(true);
-    expect(pattern.test("deploy staging")).toBe(false);
-  });
-
-  it("uses regex matching when requested", () => {
-    const pattern = compileCommandPattern({
-      pattern: "terraform\\s+apply",
-      regex: true,
-    });
-
-    expect(pattern.test("terraform apply -auto-approve")).toBe(true);
-    expect(pattern.test("terraform plan")).toBe(false);
-  });
-
-  it("records a warning and returns a non-matching pattern for invalid regex", () => {
-    drainPendingWarnings();
-
-    const pattern = compileCommandPattern({ pattern: "[", regex: true });
-
-    expect(pattern.test("anything")).toBe(false);
-    expect(drainPendingWarnings()).toEqual([
-      "Invalid regex in guardrails config: [",
-    ]);
-  });
-});