@google/gemini-cli-core 0.13.0-preview.2 → 0.14.0-preview.0

package/dist/src/policy/toml-loader.test.js

@@ -6,6 +6,37 @@
 import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
 import { ApprovalMode, PolicyDecision } from './types.js';
 import nodePath from 'node:path';
+async function runLoadPoliciesFromToml(tomlContent, fileName = 'test.toml') {
+    const actualFs = await vi.importActual('node:fs/promises');
+    const mockReaddir = vi.fn(async (path, _options) => {
+        if (nodePath.normalize(path) === nodePath.normalize('/policies')) {
+            return [
+                {
+                    name: fileName,
+                    isFile: () => true,
+                    isDirectory: () => false,
+                },
+            ];
+        }
+        return [];
+    });
+    const mockReadFile = vi.fn(async (path) => {
+        if (nodePath.normalize(path) ===
+            nodePath.normalize(nodePath.join('/policies', fileName))) {
+            return tomlContent;
+        }
+        throw new Error('File not found');
+    });
+    vi.doMock('node:fs/promises', () => ({
+        ...actualFs,
+        default: { ...actualFs, readFile: mockReadFile, readdir: mockReaddir },
+        readFile: mockReadFile,
+        readdir: mockReaddir,
+    }));
+    const { loadPoliciesFromToml: load } = await import('./toml-loader.js');
+    const getPolicyTier = (_dir) => 1;
+    return load(ApprovalMode.DEFAULT, ['/policies'], getPolicyTier);
+}
 describe('policy-toml-loader', () => {
     beforeEach(() => {
         vi.resetModules();
@@ -16,40 +47,12 @@ describe('policy-toml-loader', () => {
     });
     describe('loadPoliciesFromToml', () => {
         it('should load and parse a simple policy file', async () => {
-            const actualFs = await vi.importActual('node:fs/promises');
-            const mockReaddir = vi.fn(async (path, _options) => {
-                if (nodePath.normalize(path) === nodePath.normalize('/policies')) {
-                    return [
-                        {
-                            name: 'test.toml',
-                            isFile: () => true,
-                            isDirectory: () => false,
-                        },
-                    ];
-                }
-                return [];
-            });
-            const mockReadFile = vi.fn(async (path) => {
-                if (nodePath.normalize(path) ===
-                    nodePath.normalize(nodePath.join('/policies', 'test.toml'))) {
-                    return `
+            const result = await runLoadPoliciesFromToml(`
 [[rule]]
 toolName = "glob"
 decision = "allow"
 priority = 100
-`;
-                }
-                throw new Error('File not found');
-            });
-            vi.doMock('node:fs/promises', () => ({
-                ...actualFs,
-                default: { ...actualFs, readFile: mockReadFile, readdir: mockReaddir },
-                readFile: mockReadFile,
-                readdir: mockReaddir,
-            }));
-            const { loadPoliciesFromToml: load } = await import('./toml-loader.js');
-            const getPolicyTier = (_dir) => 1;
-            const result = await load(ApprovalMode.DEFAULT, ['/policies'], getPolicyTier);
+`);
             expect(result.rules).toHaveLength(1);
             expect(result.rules[0]).toEqual({
                 toolName: 'glob',
@@ -59,41 +62,13 @@ priority = 100
             expect(result.errors).toHaveLength(0);
         });
         it('should expand commandPrefix array to multiple rules', async () => {
-            const actualFs = await vi.importActual('node:fs/promises');
-            const mockReaddir = vi.fn(async (path, _options) => {
-                if (nodePath.normalize(path) === nodePath.normalize('/policies')) {
-                    return [
-                        {
-                            name: 'shell.toml',
-                            isFile: () => true,
-                            isDirectory: () => false,
-                        },
-                    ];
-                }
-                return [];
-            });
-            const mockReadFile = vi.fn(async (path) => {
-                if (nodePath.normalize(path) ===
-                    nodePath.normalize(nodePath.join('/policies', 'shell.toml'))) {
-                    return `
+            const result = await runLoadPoliciesFromToml(`
 [[rule]]
 toolName = "run_shell_command"
 commandPrefix = ["git status", "git log"]
 decision = "allow"
 priority = 100
-`;
-                }
-                throw new Error('File not found');
-            });
-            vi.doMock('node:fs/promises', () => ({
-                ...actualFs,
-                default: { ...actualFs, readFile: mockReadFile, readdir: mockReaddir },
-                readFile: mockReadFile,
-                readdir: mockReaddir,
-            }));
-            const { loadPoliciesFromToml: load } = await import('./toml-loader.js');
-            const getPolicyTier = (_dir) => 2;
-            const result = await load(ApprovalMode.DEFAULT, ['/policies'], getPolicyTier);
+`);
             expect(result.rules).toHaveLength(2);
             expect(result.rules[0].toolName).toBe('run_shell_command');
             expect(result.rules[1].toolName).toBe('run_shell_command');
@@ -102,41 +77,13 @@ priority = 100
             expect(result.errors).toHaveLength(0);
         });
         it('should transform commandRegex to argsPattern', async () => {
-            const actualFs = await vi.importActual('node:fs/promises');
-            const mockReaddir = vi.fn(async (path, _options) => {
-                if (nodePath.normalize(path) === nodePath.normalize('/policies')) {
-                    return [
-                        {
-                            name: 'shell.toml',
-                            isFile: () => true,
-                            isDirectory: () => false,
-                        },
-                    ];
-                }
-                return [];
-            });
-            const mockReadFile = vi.fn(async (path) => {
-                if (nodePath.normalize(path) ===
-                    nodePath.normalize(nodePath.join('/policies', 'shell.toml'))) {
-                    return `
+            const result = await runLoadPoliciesFromToml(`
 [[rule]]
 toolName = "run_shell_command"
 commandRegex = "git (status|log).*"
 decision = "allow"
 priority = 100
-`;
-                }
-                throw new Error('File not found');
-            });
-            vi.doMock('node:fs/promises', () => ({
-                ...actualFs,
-                default: { ...actualFs, readFile: mockReadFile, readdir: mockReaddir },
-                readFile: mockReadFile,
-                readdir: mockReaddir,
-            }));
-            const { loadPoliciesFromToml: load } = await import('./toml-loader.js');
-            const getPolicyTier = (_dir) => 2;
-            const result = await load(ApprovalMode.DEFAULT, ['/policies'], getPolicyTier);
+`);
             expect(result.rules).toHaveLength(1);
             expect(result.rules[0].argsPattern?.test('{"command":"git status"}')).toBe(true);
             expect(result.rules[0].argsPattern?.test('{"command":"git log --all"}')).toBe(true);
@@ -144,40 +91,12 @@ priority = 100
             expect(result.errors).toHaveLength(0);
         });
         it('should expand toolName array', async () => {
-            const actualFs = await vi.importActual('node:fs/promises');
-            const mockReaddir = vi.fn(async (path, _options) => {
-                if (nodePath.normalize(path) === nodePath.normalize('/policies')) {
-                    return [
-                        {
-                            name: 'tools.toml',
-                            isFile: () => true,
-                            isDirectory: () => false,
-                        },
-                    ];
-                }
-                return [];
-            });
-            const mockReadFile = vi.fn(async (path) => {
-                if (nodePath.normalize(path) ===
-                    nodePath.normalize(nodePath.join('/policies', 'tools.toml'))) {
-                    return `
+            const result = await runLoadPoliciesFromToml(`
 [[rule]]
 toolName = ["glob", "grep", "read"]
 decision = "allow"
 priority = 100
-`;
-                }
-                throw new Error('File not found');
-            });
-            vi.doMock('node:fs/promises', () => ({
-                ...actualFs,
-                default: { ...actualFs, readFile: mockReadFile, readdir: mockReaddir },
-                readFile: mockReadFile,
-                readdir: mockReaddir,
-            }));
-            const { loadPoliciesFromToml: load } = await import('./toml-loader.js');
-            const getPolicyTier = (_dir) => 1;
-            const result = await load(ApprovalMode.DEFAULT, ['/policies'], getPolicyTier);
+`);
             expect(result.rules).toHaveLength(3);
             expect(result.rules.map((r) => r.toolName)).toEqual([
                 'glob',
@@ -187,64 +106,20 @@ priority = 100
             expect(result.errors).toHaveLength(0);
         });
         it('should transform mcpName to composite toolName', async () => {
-            const actualFs = await vi.importActual('node:fs/promises');
-            const mockReaddir = vi.fn(async (path, _options) => {
-                if (nodePath.normalize(path) === nodePath.normalize('/policies')) {
-                    return [
-                        {
-                            name: 'mcp.toml',
-                            isFile: () => true,
-                            isDirectory: () => false,
-                        },
-                    ];
-                }
-                return [];
-            });
-            const mockReadFile = vi.fn(async (path) => {
-                if (nodePath.normalize(path) ===
-                    nodePath.normalize(nodePath.join('/policies', 'mcp.toml'))) {
-                    return `
+            const result = await runLoadPoliciesFromToml(`
 [[rule]]
 mcpName = "google-workspace"
 toolName = ["calendar.list", "calendar.get"]
 decision = "allow"
 priority = 100
-`;
-                }
-                throw new Error('File not found');
-            });
-            vi.doMock('node:fs/promises', () => ({
-                ...actualFs,
-                default: { ...actualFs, readFile: mockReadFile, readdir: mockReaddir },
-                readFile: mockReadFile,
-                readdir: mockReaddir,
-            }));
-            const { loadPoliciesFromToml: load } = await import('./toml-loader.js');
-            const getPolicyTier = (_dir) => 2;
-            const result = await load(ApprovalMode.DEFAULT, ['/policies'], getPolicyTier);
+`);
             expect(result.rules).toHaveLength(2);
             expect(result.rules[0].toolName).toBe('google-workspace__calendar.list');
             expect(result.rules[1].toolName).toBe('google-workspace__calendar.get');
             expect(result.errors).toHaveLength(0);
         });
         it('should filter rules by mode', async () => {
-            const actualFs = await vi.importActual('node:fs/promises');
-            const mockReaddir = vi.fn(async (path, _options) => {
-                if (nodePath.normalize(path) === nodePath.normalize('/policies')) {
-                    return [
-                        {
-                            name: 'modes.toml',
-                            isFile: () => true,
-                            isDirectory: () => false,
-                        },
-                    ];
-                }
-                return [];
-            });
-            const mockReadFile = vi.fn(async (path) => {
-                if (nodePath.normalize(path) ===
-                    nodePath.normalize(nodePath.join('/policies', 'modes.toml'))) {
-                    return `
+            const result = await runLoadPoliciesFromToml(`
 [[rule]]
 toolName = "glob"
 decision = "allow"
@@ -256,189 +131,97 @@ toolName = "grep"
 decision = "allow"
 priority = 100
 modes = ["yolo"]
-`;
-                }
-                throw new Error('File not found');
-            });
-            vi.doMock('node:fs/promises', () => ({
-                ...actualFs,
-                default: { ...actualFs, readFile: mockReadFile, readdir: mockReaddir },
-                readFile: mockReadFile,
-                readdir: mockReaddir,
-            }));
-            const { loadPoliciesFromToml: load } = await import('./toml-loader.js');
-            const getPolicyTier = (_dir) => 1;
-            const result = await load(ApprovalMode.DEFAULT, ['/policies'], getPolicyTier);
+`);
             // Only the first rule should be included (modes includes "default")
             expect(result.rules).toHaveLength(1);
             expect(result.rules[0].toolName).toBe('glob');
             expect(result.errors).toHaveLength(0);
         });
         it('should handle TOML parse errors', async () => {
-            const actualFs = await vi.importActual('node:fs/promises');
-            const mockReaddir = vi.fn(async (path, _options) => {
-                if (nodePath.normalize(path) === nodePath.normalize('/policies')) {
-                    return [
-                        {
-                            name: 'invalid.toml',
-                            isFile: () => true,
-                            isDirectory: () => false,
-                        },
-                    ];
-                }
-                return [];
-            });
-            const mockReadFile = vi.fn(async (path) => {
-                if (nodePath.normalize(path) ===
-                    nodePath.normalize(nodePath.join('/policies', 'invalid.toml'))) {
-                    return `
+            const result = await runLoadPoliciesFromToml(`
 [[rule]
 toolName = "glob"
 decision = "allow"
 priority = 100
-`;
-                }
-                throw new Error('File not found');
-            });
-            vi.doMock('node:fs/promises', () => ({
-                ...actualFs,
-                default: { ...actualFs, readFile: mockReadFile, readdir: mockReaddir },
-                readFile: mockReadFile,
-                readdir: mockReaddir,
-            }));
-            const { loadPoliciesFromToml: load } = await import('./toml-loader.js');
-            const getPolicyTier = (_dir) => 1;
-            const result = await load(ApprovalMode.DEFAULT, ['/policies'], getPolicyTier);
+`);
             expect(result.rules).toHaveLength(0);
             expect(result.errors).toHaveLength(1);
             expect(result.errors[0].errorType).toBe('toml_parse');
-            expect(result.errors[0].fileName).toBe('invalid.toml');
+            expect(result.errors[0].fileName).toBe('test.toml');
         });
         it('should handle schema validation errors', async () => {
-            const actualFs = await vi.importActual('node:fs/promises');
-            const mockReaddir = vi.fn(async (path, _options) => {
-                if (nodePath.normalize(path) === nodePath.normalize('/policies')) {
-                    return [
-                        {
-                            name: 'invalid.toml',
-                            isFile: () => true,
-                            isDirectory: () => false,
-                        },
-                    ];
-                }
-                return [];
-            });
-            const mockReadFile = vi.fn(async (path) => {
-                if (nodePath.normalize(path) ===
-                    nodePath.normalize(nodePath.join('/policies', 'invalid.toml'))) {
-                    return `
+            const result = await runLoadPoliciesFromToml(`
 [[rule]]
 toolName = "glob"
 priority = 100
-`;
-                }
-                throw new Error('File not found');
-            });
-            vi.doMock('node:fs/promises', () => ({
-                ...actualFs,
-                default: { ...actualFs, readFile: mockReadFile, readdir: mockReaddir },
-                readFile: mockReadFile,
-                readdir: mockReaddir,
-            }));
-            const { loadPoliciesFromToml: load } = await import('./toml-loader.js');
-            const getPolicyTier = (_dir) => 1;
-            const result = await load(ApprovalMode.DEFAULT, ['/policies'], getPolicyTier);
+`);
             expect(result.rules).toHaveLength(0);
             expect(result.errors).toHaveLength(1);
             expect(result.errors[0].errorType).toBe('schema_validation');
             expect(result.errors[0].details).toContain('decision');
         });
         it('should reject commandPrefix without run_shell_command', async () => {
-            const actualFs = await vi.importActual('node:fs/promises');
-            const mockReaddir = vi.fn(async (path, _options) => {
-                if (nodePath.normalize(path) === nodePath.normalize('/policies')) {
-                    return [
-                        {
-                            name: 'invalid.toml',
-                            isFile: () => true,
-                            isDirectory: () => false,
-                        },
-                    ];
-                }
-                return [];
-            });
-            const mockReadFile = vi.fn(async (path) => {
-                if (nodePath.normalize(path) ===
-                    nodePath.normalize(nodePath.join('/policies', 'invalid.toml'))) {
-                    return `
+            const result = await runLoadPoliciesFromToml(`
 [[rule]]
 toolName = "glob"
 commandPrefix = "git status"
 decision = "allow"
 priority = 100
-`;
-                }
-                throw new Error('File not found');
-            });
-            vi.doMock('node:fs/promises', () => ({
-                ...actualFs,
-                default: { ...actualFs, readFile: mockReadFile, readdir: mockReaddir },
-                readFile: mockReadFile,
-                readdir: mockReaddir,
-            }));
-            const { loadPoliciesFromToml: load } = await import('./toml-loader.js');
-            const getPolicyTier = (_dir) => 1;
-            const result = await load(ApprovalMode.DEFAULT, ['/policies'], getPolicyTier);
+`);
             expect(result.errors).toHaveLength(1);
             expect(result.errors[0].errorType).toBe('rule_validation');
             expect(result.errors[0].details).toContain('run_shell_command');
         });
         it('should reject commandPrefix + argsPattern combination', async () => {
-            const actualFs = await vi.importActual('node:fs/promises');
-            const mockReaddir = vi.fn(async (path, _options) => {
-                if (nodePath.normalize(path) === nodePath.normalize('/policies')) {
-                    return [
-                        {
-                            name: 'invalid.toml',
-                            isFile: () => true,
-                            isDirectory: () => false,
-                        },
-                    ];
-                }
-                return [];
-            });
-            const mockReadFile = vi.fn(async (path) => {
-                if (nodePath.normalize(path) ===
-                    nodePath.normalize(nodePath.join('/policies', 'invalid.toml'))) {
-                    return `
+            const result = await runLoadPoliciesFromToml(`
 [[rule]]
 toolName = "run_shell_command"
 commandPrefix = "git status"
 argsPattern = "test"
 decision = "allow"
 priority = 100
-`;
-                }
-                throw new Error('File not found');
-            });
-            vi.doMock('node:fs/promises', () => ({
-                ...actualFs,
-                default: { ...actualFs, readFile: mockReadFile, readdir: mockReaddir },
-                readFile: mockReadFile,
-                readdir: mockReaddir,
-            }));
-            const { loadPoliciesFromToml: load } = await import('./toml-loader.js');
-            const getPolicyTier = (_dir) => 1;
-            const result = await load(ApprovalMode.DEFAULT, ['/policies'], getPolicyTier);
+`);
             expect(result.errors).toHaveLength(1);
             expect(result.errors[0].errorType).toBe('rule_validation');
             expect(result.errors[0].details).toContain('mutually exclusive');
         });
         it('should handle invalid regex patterns', async () => {
+            const result = await runLoadPoliciesFromToml(`
+[[rule]]
+toolName = "run_shell_command"
+commandRegex = "git (status|branch"
+decision = "allow"
+priority = 100
+`);
+            expect(result.rules).toHaveLength(0);
+            expect(result.errors).toHaveLength(1);
+            expect(result.errors[0].errorType).toBe('regex_compilation');
+            expect(result.errors[0].details).toContain('git (status|branch');
+        });
+        it('should escape regex special characters in commandPrefix', async () => {
+            const result = await runLoadPoliciesFromToml(`
+[[rule]]
+toolName = "run_shell_command"
+commandPrefix = "git log *.txt"
+decision = "allow"
+priority = 100
+`);
+            expect(result.rules).toHaveLength(1);
+            // The regex should have escaped the * and .
+            expect(result.rules[0].argsPattern?.test('{"command":"git log file.txt"}')).toBe(false);
+            expect(result.rules[0].argsPattern?.test('{"command":"git log *.txt"}')).toBe(true);
+            expect(result.errors).toHaveLength(0);
+        });
+        it('should handle a mix of valid and invalid policy files', async () => {
             const actualFs = await vi.importActual('node:fs/promises');
             const mockReaddir = vi.fn(async (path, _options) => {
                 if (nodePath.normalize(path) === nodePath.normalize('/policies')) {
                     return [
+                        {
+                            name: 'valid.toml',
+                            isFile: () => true,
+                            isDirectory: () => false,
+                        },
                         {
                             name: 'invalid.toml',
                             isFile: () => true,
@@ -450,13 +233,21 @@ priority = 100
             });
             const mockReadFile = vi.fn(async (path) => {
                 if (nodePath.normalize(path) ===
-                    nodePath.normalize(nodePath.join('/policies', 'invalid.toml'))) {
+                    nodePath.normalize(nodePath.join('/policies', 'valid.toml'))) {
                     return `
 [[rule]]
-toolName = "run_shell_command"
-commandRegex = "git (status|branch"
+toolName = "glob"
 decision = "allow"
 priority = 100
+`;
+                }
+                if (nodePath.normalize(path) ===
+                    nodePath.normalize(nodePath.join('/policies', 'invalid.toml'))) {
+                    return `
+[[rule]]
+toolName = "grep"
+decision = "allow"
+priority = -1
 `;
                 }
                 throw new Error('File not found');
@@ -470,52 +261,145 @@ priority = 100
             const { loadPoliciesFromToml: load } = await import('./toml-loader.js');
             const getPolicyTier = (_dir) => 1;
             const result = await load(ApprovalMode.DEFAULT, ['/policies'], getPolicyTier);
-            expect(result.rules).toHaveLength(0);
+            expect(result.rules).toHaveLength(1);
+            expect(result.rules[0].toolName).toBe('glob');
             expect(result.errors).toHaveLength(1);
-            expect(result.errors[0].errorType).toBe('regex_compilation');
-            expect(result.errors[0].details).toContain('git (status|branch');
+            expect(result.errors[0].fileName).toBe('invalid.toml');
+            expect(result.errors[0].errorType).toBe('schema_validation');
         });
-        it('should escape regex special characters in commandPrefix', async () => {
-            const actualFs = await vi.importActual('node:fs/promises');
-            const mockReaddir = vi.fn(async (path, _options) => {
-                if (nodePath.normalize(path) === nodePath.normalize('/policies')) {
-                    return [
-                        {
-                            name: 'shell.toml',
-                            isFile: () => true,
-                            isDirectory: () => false,
-                        },
-                    ];
-                }
-                return [];
-            });
-            const mockReadFile = vi.fn(async (path) => {
-                if (nodePath.normalize(path) ===
-                    nodePath.normalize(nodePath.join('/policies', 'shell.toml'))) {
-                    return `
+    });
+    describe('Negative Tests', () => {
+        it('should return a schema_validation error if priority is missing', async () => {
+            const result = await runLoadPoliciesFromToml(`
+[[rule]]
+toolName = "test"
+decision = "allow"
+`);
+            expect(result.errors).toHaveLength(1);
+            const error = result.errors[0];
+            expect(error.errorType).toBe('schema_validation');
+            expect(error.details).toContain('priority');
+        });
+        it('should return a schema_validation error if priority is a float', async () => {
+            const result = await runLoadPoliciesFromToml(`
+[[rule]]
+toolName = "test"
+decision = "allow"
+priority = 1.5
+`);
+            expect(result.errors).toHaveLength(1);
+            const error = result.errors[0];
+            expect(error.errorType).toBe('schema_validation');
+            expect(error.details).toContain('priority');
+            expect(error.details).toContain('integer');
+        });
+        it('should return a schema_validation error if priority is negative', async () => {
+            const result = await runLoadPoliciesFromToml(`
+[[rule]]
+toolName = "test"
+decision = "allow"
+priority = -1
+`);
+            expect(result.errors).toHaveLength(1);
+            const error = result.errors[0];
+            expect(error.errorType).toBe('schema_validation');
+            expect(error.details).toContain('priority');
+            expect(error.details).toContain('>= 0');
+        });
+        it('should return a schema_validation error if priority is >= 1000', async () => {
+            const result = await runLoadPoliciesFromToml(`
+[[rule]]
+toolName = "test"
+decision = "allow"
+priority = 1000
+`);
+            expect(result.errors).toHaveLength(1);
+            const error = result.errors[0];
+            expect(error.errorType).toBe('schema_validation');
+            expect(error.details).toContain('priority');
+            expect(error.details).toContain('<= 999');
+        });
+        it('should return a schema_validation error if decision is invalid', async () => {
+            const result = await runLoadPoliciesFromToml(`
+[[rule]]
+toolName = "test"
+decision = "maybe"
+priority = 100
+`);
+            expect(result.errors).toHaveLength(1);
+            const error = result.errors[0];
+            expect(error.errorType).toBe('schema_validation');
+            expect(error.details).toContain('decision');
+        });
+        it('should return a schema_validation error if toolName is not a string or array', async () => {
+            const result = await runLoadPoliciesFromToml(`
+[[rule]]
+toolName = 123
+decision = "allow"
+priority = 100
+`);
+            expect(result.errors).toHaveLength(1);
+            const error = result.errors[0];
+            expect(error.errorType).toBe('schema_validation');
+            expect(error.details).toContain('toolName');
+        });
+        it('should return a rule_validation error if commandRegex is used with wrong toolName', async () => {
+            const result = await runLoadPoliciesFromToml(`
+[[rule]]
+toolName = "not_shell"
+commandRegex = ".*"
+decision = "allow"
+priority = 100
+`);
+            expect(result.errors).toHaveLength(1);
+            const error = result.errors[0];
+            expect(error.errorType).toBe('rule_validation');
+            expect(error.details).toContain('run_shell_command');
+        });
+        it('should return a rule_validation error if commandPrefix and commandRegex are combined', async () => {
+            const result = await runLoadPoliciesFromToml(`
 [[rule]]
 toolName = "run_shell_command"
-commandPrefix = "git log *.txt"
+commandPrefix = "git"
+commandRegex = ".*"
 decision = "allow"
 priority = 100
-`;
-                }
-                throw new Error('File not found');
+`);
+            expect(result.errors).toHaveLength(1);
+            const error = result.errors[0];
+            expect(error.errorType).toBe('rule_validation');
+            expect(error.details).toContain('mutually exclusive');
+        });
+        it('should return a regex_compilation error for invalid argsPattern', async () => {
+            const result = await runLoadPoliciesFromToml(`
+[[rule]]
+toolName = "test"
+argsPattern = "([a-z)"
+decision = "allow"
+priority = 100
+`);
+            expect(result.errors).toHaveLength(1);
+            const error = result.errors[0];
+            expect(error.errorType).toBe('regex_compilation');
+            expect(error.message).toBe('Invalid regex pattern');
+        });
+        it('should return a file_read error if readdir fails', async () => {
+            const actualFs = await vi.importActual('node:fs/promises');
+            const mockReaddir = vi.fn(async () => {
+                throw new Error('Permission denied');
             });
             vi.doMock('node:fs/promises', () => ({
                 ...actualFs,
-                default: { ...actualFs, readFile: mockReadFile, readdir: mockReaddir },
-                readFile: mockReadFile,
+                default: { ...actualFs, readdir: mockReaddir },
                 readdir: mockReaddir,
             }));
             const { loadPoliciesFromToml: load } = await import('./toml-loader.js');
             const getPolicyTier = (_dir) => 1;
             const result = await load(ApprovalMode.DEFAULT, ['/policies'], getPolicyTier);
-            expect(result.rules).toHaveLength(1);
-            // The regex should have escaped the * and .
-            expect(result.rules[0].argsPattern?.test('{"command":"git log file.txt"}')).toBe(false);
-            expect(result.rules[0].argsPattern?.test('{"command":"git log *.txt"}')).toBe(true);
-            expect(result.errors).toHaveLength(0);
+            expect(result.errors).toHaveLength(1);
+            const error = result.errors[0];
+            expect(error.errorType).toBe('file_read');
+            expect(error.message).toContain('Failed to read policy directory');
         });
     });
 });