@machina.ai/cell-cli-core 1.13.0-rc5 → 1.16.0-rc2

package/dist/src/policy/policy-engine.test.js

@@ -3,22 +3,27 @@
  * Copyright 2025 Google LLC
  * SPDX-License-Identifier: Apache-2.0
  */
-import { describe, it, expect, beforeEach } from 'vitest';
+import { describe, it, expect, beforeEach, vi } from 'vitest';
 import { PolicyEngine } from './policy-engine.js';
-import { PolicyDecision, } from './types.js';
+import { PolicyDecision, InProcessCheckerType, } from './types.js';
+import { SafetyCheckDecision } from '../safety/protocol.js';
 describe('PolicyEngine', () => {
     let engine;
+    let mockCheckerRunner;
     beforeEach(() => {
-        engine = new PolicyEngine();
+        mockCheckerRunner = {
+            runChecker: vi.fn(),
+        };
+        engine = new PolicyEngine({}, mockCheckerRunner);
     });
     describe('constructor', () => {
-        it('should use default config when none provided', () => {
-            const decision = engine.check({ name: 'test' });
+        it('should use default config when none provided', async () => {
+            const { decision } = await engine.check({ name: 'test' }, undefined);
             expect(decision).toBe(PolicyDecision.ASK_USER);
         });
-        it('should respect custom default decision', () => {
+        it('should respect custom default decision', async () => {
             engine = new PolicyEngine({ defaultDecision: PolicyDecision.DENY });
-            const decision = engine.check({ name: 'test' });
+            const { decision } = await engine.check({ name: 'test' }, undefined);
             expect(decision).toBe(PolicyDecision.DENY);
         });
         it('should sort rules by priority', () => {
@@ -35,17 +40,17 @@ describe('PolicyEngine', () => {
         });
     });
     describe('check', () => {
-        it('should match tool by name', () => {
+        it('should match tool by name', async () => {
             const rules = [
                 { toolName: 'shell', decision: PolicyDecision.ALLOW },
                 { toolName: 'edit', decision: PolicyDecision.DENY },
             ];
             engine = new PolicyEngine({ rules });
-            expect(engine.check({ name: 'shell' })).toBe(PolicyDecision.ALLOW);
-            expect(engine.check({ name: 'edit' })).toBe(PolicyDecision.DENY);
-            expect(engine.check({ name: 'other' })).toBe(PolicyDecision.ASK_USER);
+            expect((await engine.check({ name: 'shell' }, undefined)).decision).toBe(PolicyDecision.ALLOW);
+            expect((await engine.check({ name: 'edit' }, undefined)).decision).toBe(PolicyDecision.DENY);
+            expect((await engine.check({ name: 'other' }, undefined)).decision).toBe(PolicyDecision.ASK_USER);
         });
-        it('should match by args pattern', () => {
+        it('should match by args pattern', async () => {
             const rules = [
                 {
                     toolName: 'shell',
@@ -66,28 +71,28 @@ describe('PolicyEngine', () => {
                 name: 'shell',
                 args: { command: 'ls -la' },
             };
-            expect(engine.check(dangerousCall)).toBe(PolicyDecision.DENY);
-            expect(engine.check(safeCall)).toBe(PolicyDecision.ALLOW);
+            expect((await engine.check(dangerousCall, undefined)).decision).toBe(PolicyDecision.DENY);
+            expect((await engine.check(safeCall, undefined)).decision).toBe(PolicyDecision.ALLOW);
         });
-        it('should apply rules by priority', () => {
+        it('should apply rules by priority', async () => {
             const rules = [
                 { toolName: 'shell', decision: PolicyDecision.DENY, priority: 1 },
                 { toolName: 'shell', decision: PolicyDecision.ALLOW, priority: 10 },
             ];
             engine = new PolicyEngine({ rules });
             // Higher priority rule (ALLOW) should win
-            expect(engine.check({ name: 'shell' })).toBe(PolicyDecision.ALLOW);
+            expect((await engine.check({ name: 'shell' }, undefined)).decision).toBe(PolicyDecision.ALLOW);
         });
-        it('should apply wildcard rules (no toolName)', () => {
+        it('should apply wildcard rules (no toolName)', async () => {
             const rules = [
                 { decision: PolicyDecision.DENY }, // Applies to all tools
                 { toolName: 'safe-tool', decision: PolicyDecision.ALLOW, priority: 10 },
             ];
             engine = new PolicyEngine({ rules });
-            expect(engine.check({ name: 'safe-tool' })).toBe(PolicyDecision.ALLOW);
-            expect(engine.check({ name: 'any-other-tool' })).toBe(PolicyDecision.DENY);
+            expect((await engine.check({ name: 'safe-tool' }, undefined)).decision).toBe(PolicyDecision.ALLOW);
+            expect((await engine.check({ name: 'any-other-tool' }, undefined)).decision).toBe(PolicyDecision.DENY);
         });
-        it('should handle non-interactive mode', () => {
+        it('should handle non-interactive mode', async () => {
             const config = {
                 nonInteractive: true,
                 rules: [
@@ -97,11 +102,11 @@ describe('PolicyEngine', () => {
             };
             engine = new PolicyEngine(config);
             // ASK_USER should become DENY in non-interactive mode
-            expect(engine.check({ name: 'interactive-tool' })).toBe(PolicyDecision.DENY);
+            expect((await engine.check({ name: 'interactive-tool' }, undefined)).decision).toBe(PolicyDecision.DENY);
             // ALLOW should remain ALLOW
-            expect(engine.check({ name: 'allowed-tool' })).toBe(PolicyDecision.ALLOW);
+            expect((await engine.check({ name: 'allowed-tool' }, undefined)).decision).toBe(PolicyDecision.ALLOW);
             // Default ASK_USER should also become DENY
-            expect(engine.check({ name: 'unknown-tool' })).toBe(PolicyDecision.DENY);
+            expect((await engine.check({ name: 'unknown-tool' }, undefined)).decision).toBe(PolicyDecision.DENY);
         });
     });
     describe('addRule', () => {
@@ -127,10 +132,10 @@ describe('PolicyEngine', () => {
             expect(rules[1].priority).toBe(5);
             expect(rules[2].priority).toBe(1);
         });
-        it('should apply newly added rules', () => {
-            expect(engine.check({ name: 'new-tool' })).toBe(PolicyDecision.ASK_USER);
+        it('should apply newly added rules', async () => {
+            expect((await engine.check({ name: 'new-tool' }, undefined)).decision).toBe(PolicyDecision.ASK_USER);
             engine.addRule({ toolName: 'new-tool', decision: PolicyDecision.ALLOW });
-            expect(engine.check({ name: 'new-tool' })).toBe(PolicyDecision.ALLOW);
+            expect((await engine.check({ name: 'new-tool' }, undefined)).decision).toBe(PolicyDecision.ALLOW);
         });
     });
     describe('removeRulesForTool', () => {
@@ -169,7 +174,7 @@ describe('PolicyEngine', () => {
         });
     });
     describe('MCP server wildcard patterns', () => {
-        it('should match MCP server wildcard patterns', () => {
+        it('should match MCP server wildcard patterns', async () => {
             const rules = [
                 {
                     toolName: 'my-server__*',
@@ -184,17 +189,21 @@ describe('PolicyEngine', () => {
             ];
             engine = new PolicyEngine({ rules });
             // Should match my-server tools
-            expect(engine.check({ name: 'my-server__tool1' })).toBe(PolicyDecision.ALLOW);
-            expect(engine.check({ name: 'my-server__another_tool' })).toBe(PolicyDecision.ALLOW);
+            expect((await engine.check({ name: 'my-server__tool1' }, undefined)).decision).toBe(PolicyDecision.ALLOW);
+            expect((await engine.check({ name: 'my-server__another_tool' }, undefined))
+                .decision).toBe(PolicyDecision.ALLOW);
             // Should match blocked-server tools
-            expect(engine.check({ name: 'blocked-server__tool1' })).toBe(PolicyDecision.DENY);
-            expect(engine.check({ name: 'blocked-server__dangerous' })).toBe(PolicyDecision.DENY);
+            expect((await engine.check({ name: 'blocked-server__tool1' }, undefined))
+                .decision).toBe(PolicyDecision.DENY);
+            expect((await engine.check({ name: 'blocked-server__dangerous' }, undefined))
+                .decision).toBe(PolicyDecision.DENY);
             // Should not match other patterns
-            expect(engine.check({ name: 'other-server__tool' })).toBe(PolicyDecision.ASK_USER);
-            expect(engine.check({ name: 'my-server-tool' })).toBe(PolicyDecision.ASK_USER); // No __ separator
-            expect(engine.check({ name: 'my-server' })).toBe(PolicyDecision.ASK_USER); // No tool name
+            expect((await engine.check({ name: 'other-server__tool' }, undefined))
+                .decision).toBe(PolicyDecision.ASK_USER);
+            expect((await engine.check({ name: 'my-server-tool' }, undefined)).decision).toBe(PolicyDecision.ASK_USER); // No __ separator
+            expect((await engine.check({ name: 'my-server' }, undefined)).decision).toBe(PolicyDecision.ASK_USER); // No tool name
         });
-        it('should prioritize specific tool rules over server wildcards', () => {
+        it('should prioritize specific tool rules over server wildcards', async () => {
             const rules = [
                 {
                     toolName: 'my-server__*',
@@ -209,12 +218,54 @@ describe('PolicyEngine', () => {
             ];
             engine = new PolicyEngine({ rules });
             // Specific tool deny should override server allow
-            expect(engine.check({ name: 'my-server__dangerous-tool' })).toBe(PolicyDecision.DENY);
-            expect(engine.check({ name: 'my-server__safe-tool' })).toBe(PolicyDecision.ALLOW);
+            expect((await engine.check({ name: 'my-server__dangerous-tool' }, undefined))
+                .decision).toBe(PolicyDecision.DENY);
+            expect((await engine.check({ name: 'my-server__safe-tool' }, undefined))
+                .decision).toBe(PolicyDecision.ALLOW);
+        });
+        it('should NOT match spoofed server names when using wildcards', async () => {
+            // Vulnerability: A rule for 'prefix__*' matches 'prefix__suffix__tool'
+            // effectively allowing a server named 'prefix__suffix' to spoof 'prefix'.
+            const rules = [
+                {
+                    toolName: 'safe_server__*',
+                    decision: PolicyDecision.ALLOW,
+                },
+            ];
+            engine = new PolicyEngine({ rules });
+            // A tool from a different server 'safe_server__malicious'
+            const spoofedToolCall = { name: 'safe_server__malicious__tool' };
+            // CURRENT BEHAVIOR (FIXED): Matches because it starts with 'safe_server__' BUT serverName doesn't match 'safe_server'
+            // We expect this to FAIL matching the ALLOW rule, thus falling back to default (ASK_USER)
+            expect((await engine.check(spoofedToolCall, 'safe_server__malicious'))
+                .decision).toBe(PolicyDecision.ASK_USER);
+        });
+        it('should verify tool name prefix even if serverName matches', async () => {
+            const rules = [
+                {
+                    toolName: 'safe_server__*',
+                    decision: PolicyDecision.ALLOW,
+                },
+            ];
+            engine = new PolicyEngine({ rules });
+            // serverName matches, but tool name does not start with prefix
+            const invalidToolCall = { name: 'other_server__tool' };
+            expect((await engine.check(invalidToolCall, 'safe_server')).decision).toBe(PolicyDecision.ASK_USER);
+        });
+        it('should allow when both serverName and tool name prefix match', async () => {
+            const rules = [
+                {
+                    toolName: 'safe_server__*',
+                    decision: PolicyDecision.ALLOW,
+                },
+            ];
+            engine = new PolicyEngine({ rules });
+            const validToolCall = { name: 'safe_server__tool' };
+            expect((await engine.check(validToolCall, 'safe_server')).decision).toBe(PolicyDecision.ALLOW);
         });
     });
     describe('complex scenarios', () => {
-        it('should handle multiple matching rules with different priorities', () => {
+        it('should handle multiple matching rules with different priorities', async () => {
             const rules = [
                 { decision: PolicyDecision.DENY, priority: 0 }, // Default deny all
                 { toolName: 'shell', decision: PolicyDecision.ASK_USER, priority: 5 },
@@ -227,13 +278,13 @@ describe('PolicyEngine', () => {
             ];
             engine = new PolicyEngine({ rules });
             // Matches highest priority rule (ls command)
-            expect(engine.check({ name: 'shell', args: { command: 'ls -la' } })).toBe(PolicyDecision.ALLOW);
+            expect((await engine.check({ name: 'shell', args: { command: 'ls -la' } }, undefined)).decision).toBe(PolicyDecision.ALLOW);
             // Matches middle priority rule (shell without ls)
-            expect(engine.check({ name: 'shell', args: { command: 'pwd' } })).toBe(PolicyDecision.ASK_USER);
+            expect((await engine.check({ name: 'shell', args: { command: 'pwd' } }, undefined)).decision).toBe(PolicyDecision.ASK_USER);
             // Matches lowest priority rule (not shell)
-            expect(engine.check({ name: 'edit' })).toBe(PolicyDecision.DENY);
+            expect((await engine.check({ name: 'edit' }, undefined)).decision).toBe(PolicyDecision.DENY);
         });
-        it('should handle tools with no args', () => {
+        it('should handle tools with no args', async () => {
             const rules = [
                 {
                     toolName: 'read',
@@ -243,13 +294,13 @@ describe('PolicyEngine', () => {
             ];
             engine = new PolicyEngine({ rules });
             // Tool call without args should not match pattern
-            expect(engine.check({ name: 'read' })).toBe(PolicyDecision.ASK_USER);
+            expect((await engine.check({ name: 'read' }, undefined)).decision).toBe(PolicyDecision.ASK_USER);
             // Tool call with args not matching pattern
-            expect(engine.check({ name: 'read', args: { file: 'public.txt' } })).toBe(PolicyDecision.ASK_USER);
+            expect((await engine.check({ name: 'read', args: { file: 'public.txt' } }, undefined)).decision).toBe(PolicyDecision.ASK_USER);
             // Tool call with args matching pattern
-            expect(engine.check({ name: 'read', args: { file: 'secret.txt' } })).toBe(PolicyDecision.DENY);
+            expect((await engine.check({ name: 'read', args: { file: 'secret.txt' } }, undefined)).decision).toBe(PolicyDecision.DENY);
         });
-        it('should match args pattern regardless of property order', () => {
+        it('should match args pattern regardless of property order', async () => {
             const rules = [
                 {
                     toolName: 'shell',
@@ -262,13 +313,16 @@ describe('PolicyEngine', () => {
             // Same args with different property order should both match
             const args1 = { command: 'rm -rf /', path: '/home' };
             const args2 = { path: '/home', command: 'rm -rf /' };
-            expect(engine.check({ name: 'shell', args: args1 })).toBe(PolicyDecision.DENY);
-            expect(engine.check({ name: 'shell', args: args2 })).toBe(PolicyDecision.DENY);
+            expect((await engine.check({ name: 'shell', args: args1 }, undefined))
+                .decision).toBe(PolicyDecision.DENY);
+            expect((await engine.check({ name: 'shell', args: args2 }, undefined))
+                .decision).toBe(PolicyDecision.DENY);
             // Verify safe command doesn't match
             const safeArgs = { command: 'ls -la', path: '/home' };
-            expect(engine.check({ name: 'shell', args: safeArgs })).toBe(PolicyDecision.ASK_USER);
+            expect((await engine.check({ name: 'shell', args: safeArgs }, undefined))
+                .decision).toBe(PolicyDecision.ASK_USER);
         });
-        it('should handle nested objects in args with stable stringification', () => {
+        it('should handle nested objects in args with stable stringification', async () => {
             const rules = [
                 {
                     toolName: 'api',
@@ -286,10 +340,10 @@ describe('PolicyEngine', () => {
                 method: 'POST',
                 data: { value: 'secret', sensitive: true },
             };
-            expect(engine.check({ name: 'api', args: args1 })).toBe(PolicyDecision.DENY);
-            expect(engine.check({ name: 'api', args: args2 })).toBe(PolicyDecision.DENY);
+            expect((await engine.check({ name: 'api', args: args1 }, undefined)).decision).toBe(PolicyDecision.DENY);
+            expect((await engine.check({ name: 'api', args: args2 }, undefined)).decision).toBe(PolicyDecision.DENY);
         });
-        it('should handle circular references without stack overflow', () => {
+        it('should handle circular references without stack overflow', async () => {
             const rules = [
                 {
                     toolName: 'test',
@@ -306,14 +360,16 @@ describe('PolicyEngine', () => {
             circularArgs.data['self'] =
                 circularArgs.data;
             // Should not throw stack overflow error
-            expect(() => engine.check({ name: 'test', args: circularArgs })).not.toThrow();
+            await expect(engine.check({ name: 'test', args: circularArgs }, undefined)).resolves.not.toThrow();
             // Should detect the circular reference pattern
-            expect(engine.check({ name: 'test', args: circularArgs })).toBe(PolicyDecision.DENY);
+            expect((await engine.check({ name: 'test', args: circularArgs }, undefined))
+                .decision).toBe(PolicyDecision.DENY);
             // Non-circular object should not match
             const normalArgs = { name: 'test', data: { value: 'normal' } };
-            expect(engine.check({ name: 'test', args: normalArgs })).toBe(PolicyDecision.ASK_USER);
+            expect((await engine.check({ name: 'test', args: normalArgs }, undefined))
+                .decision).toBe(PolicyDecision.ASK_USER);
         });
-        it('should handle deep circular references', () => {
+        it('should handle deep circular references', async () => {
             const rules = [
                 {
                     toolName: 'deep',
@@ -333,11 +389,12 @@ describe('PolicyEngine', () => {
             const level3 = deepCircular.level1.level2.level3;
             level3['back'] = deepCircular.level1;
             // Should handle without stack overflow
-            expect(() => engine.check({ name: 'deep', args: deepCircular })).not.toThrow();
+            await expect(engine.check({ name: 'deep', args: deepCircular }, undefined)).resolves.not.toThrow();
             // Should detect the circular reference
-            expect(engine.check({ name: 'deep', args: deepCircular })).toBe(PolicyDecision.DENY);
+            expect((await engine.check({ name: 'deep', args: deepCircular }, undefined))
+                .decision).toBe(PolicyDecision.DENY);
         });
-        it('should handle repeated non-circular objects correctly', () => {
+        it('should handle repeated non-circular objects correctly', async () => {
             const rules = [
                 {
                     toolName: 'test',
@@ -360,9 +417,9 @@ describe('PolicyEngine', () => {
                 third: { nested: sharedObj },
             };
             // Should NOT mark repeated objects as circular, and should match the shared value pattern
-            expect(engine.check({ name: 'test', args })).toBe(PolicyDecision.ALLOW);
+            expect((await engine.check({ name: 'test', args }, undefined)).decision).toBe(PolicyDecision.ALLOW);
         });
-        it('should omit undefined and function values from objects', () => {
+        it('should omit undefined and function values from objects', async () => {
             const rules = [
                 {
                     toolName: 'test',
@@ -378,7 +435,7 @@ describe('PolicyEngine', () => {
                 nullValue: null,
             };
             // Should match pattern with defined value, undefined and functions omitted
-            expect(engine.check({ name: 'test', args })).toBe(PolicyDecision.ALLOW);
+            expect((await engine.check({ name: 'test', args }, undefined)).decision).toBe(PolicyDecision.ALLOW);
             // Check that the pattern would NOT match if undefined was included
             const rulesWithUndefined = [
                 {
@@ -388,7 +445,7 @@ describe('PolicyEngine', () => {
                 },
             ];
             engine = new PolicyEngine({ rules: rulesWithUndefined });
-            expect(engine.check({ name: 'test', args })).toBe(PolicyDecision.ASK_USER);
+            expect((await engine.check({ name: 'test', args }, undefined)).decision).toBe(PolicyDecision.ASK_USER);
             // Check that the pattern would NOT match if function was included
             const rulesWithFunction = [
                 {
@@ -398,9 +455,9 @@ describe('PolicyEngine', () => {
                 },
             ];
             engine = new PolicyEngine({ rules: rulesWithFunction });
-            expect(engine.check({ name: 'test', args })).toBe(PolicyDecision.ASK_USER);
+            expect((await engine.check({ name: 'test', args }, undefined)).decision).toBe(PolicyDecision.ASK_USER);
         });
-        it('should convert undefined and functions to null in arrays', () => {
+        it('should convert undefined and functions to null in arrays', async () => {
             const rules = [
                 {
                     toolName: 'test',
@@ -413,9 +470,9 @@ describe('PolicyEngine', () => {
                 array: ['value', undefined, () => 'hello', null],
             };
             // Should match pattern with undefined and functions converted to null
-            expect(engine.check({ name: 'test', args })).toBe(PolicyDecision.ALLOW);
+            expect((await engine.check({ name: 'test', args }, undefined)).decision).toBe(PolicyDecision.ALLOW);
         });
-        it('should produce valid JSON for all inputs', () => {
+        it('should produce valid JSON for all inputs', async () => {
             const testCases = [
                 { input: { simple: 'string' }, desc: 'simple object' },
                 {
@@ -443,12 +500,13 @@ describe('PolicyEngine', () => {
                 ];
                 engine = new PolicyEngine({ rules });
                 // Should not throw when checking (which internally uses stableStringify)
-                expect(() => engine.check({ name: 'test', args: input })).not.toThrow();
+                await expect(engine.check({ name: 'test', args: input }, undefined)).resolves.not.toThrow();
                 // The check should succeed
-                expect(engine.check({ name: 'test', args: input })).toBe(PolicyDecision.ALLOW);
+                expect((await engine.check({ name: 'test', args: input }, undefined))
+                    .decision).toBe(PolicyDecision.ALLOW);
             }
         });
-        it('should respect toJSON methods on objects', () => {
+        it('should respect toJSON methods on objects', async () => {
             const rules = [
                 {
                     toolName: 'test',
@@ -470,9 +528,9 @@ describe('PolicyEngine', () => {
                 },
             };
             // Should match the sanitized pattern, not the dangerous one
-            expect(engine.check({ name: 'test', args })).toBe(PolicyDecision.ALLOW);
+            expect((await engine.check({ name: 'test', args }, undefined)).decision).toBe(PolicyDecision.ALLOW);
         });
-        it('should handle toJSON that returns primitives', () => {
+        it('should handle toJSON that returns primitives', async () => {
             const rules = [
                 {
                     toolName: 'test',
@@ -488,9 +546,9 @@ describe('PolicyEngine', () => {
                 },
             };
             // toJSON returns a string, which should be properly stringified
-            expect(engine.check({ name: 'test', args })).toBe(PolicyDecision.ALLOW);
+            expect((await engine.check({ name: 'test', args }, undefined)).decision).toBe(PolicyDecision.ALLOW);
         });
-        it('should handle toJSON that throws an error', () => {
+        it('should handle toJSON that throws an error', async () => {
             const rules = [
                 {
                     toolName: 'test',
@@ -508,7 +566,333 @@ describe('PolicyEngine', () => {
                 },
             };
             // Should fall back to regular object serialization when toJSON throws
-            expect(engine.check({ name: 'test', args })).toBe(PolicyDecision.ALLOW);
+            expect((await engine.check({ name: 'test', args }, undefined)).decision).toBe(PolicyDecision.ALLOW);
+        });
+    });
+    describe('safety checker integration', () => {
+        it('should call checker when rule allows and has safety_checker', async () => {
+            const rules = [
+                {
+                    toolName: 'test-tool',
+                    decision: PolicyDecision.ALLOW,
+                },
+            ];
+            const checkers = [
+                {
+                    toolName: 'test-tool',
+                    checker: {
+                        type: 'external',
+                        name: 'test-checker',
+                        config: { content: 'test-content' },
+                    },
+                },
+            ];
+            engine = new PolicyEngine({ rules, checkers }, mockCheckerRunner);
+            vi.mocked(mockCheckerRunner.runChecker).mockResolvedValue({
+                decision: SafetyCheckDecision.ALLOW,
+            });
+            const result = await engine.check({ name: 'test-tool', args: { foo: 'bar' } }, undefined);
+            expect(result.decision).toBe(PolicyDecision.ALLOW);
+            expect(mockCheckerRunner.runChecker).toHaveBeenCalledWith({ name: 'test-tool', args: { foo: 'bar' } }, {
+                type: 'external',
+                name: 'test-checker',
+                config: { content: 'test-content' },
+            });
+        });
+        it('should handle checker errors as DENY', async () => {
+            const rules = [
+                {
+                    toolName: 'test',
+                    decision: PolicyDecision.ALLOW,
+                },
+            ];
+            const checkers = [
+                {
+                    toolName: 'test',
+                    checker: {
+                        type: 'in-process',
+                        name: InProcessCheckerType.ALLOWED_PATH,
+                    },
+                },
+            ];
+            mockCheckerRunner.runChecker = vi
+                .fn()
+                .mockRejectedValue(new Error('Checker failed'));
+            engine = new PolicyEngine({ rules, checkers }, mockCheckerRunner);
+            const { decision } = await engine.check({ name: 'test' }, undefined);
+            expect(decision).toBe(PolicyDecision.DENY);
+        });
+        it('should return DENY when checker denies', async () => {
+            const rules = [
+                {
+                    toolName: 'test-tool',
+                    decision: PolicyDecision.ALLOW,
+                },
+            ];
+            const checkers = [
+                {
+                    toolName: 'test-tool',
+                    checker: {
+                        type: 'external',
+                        name: 'test-checker',
+                        config: { content: 'test-content' },
+                    },
+                },
+            ];
+            engine = new PolicyEngine({ rules, checkers }, mockCheckerRunner);
+            vi.mocked(mockCheckerRunner.runChecker).mockResolvedValue({
+                decision: SafetyCheckDecision.DENY,
+                reason: 'test reason',
+            });
+            const result = await engine.check({ name: 'test-tool', args: { foo: 'bar' } }, undefined);
+            expect(result.decision).toBe(PolicyDecision.DENY);
+            expect(mockCheckerRunner.runChecker).toHaveBeenCalled();
+        });
+        it('should not call checker if decision is not ALLOW', async () => {
+            const rules = [
+                {
+                    toolName: 'test-tool',
+                    decision: PolicyDecision.ASK_USER,
+                },
+            ];
+            const checkers = [
+                {
+                    toolName: 'test-tool',
+                    checker: {
+                        type: 'external',
+                        name: 'test-checker',
+                        config: { content: 'test-content' },
+                    },
+                },
+            ];
+            engine = new PolicyEngine({ rules, checkers }, mockCheckerRunner);
+            vi.mocked(mockCheckerRunner.runChecker).mockResolvedValue({
+                decision: SafetyCheckDecision.ALLOW,
+            });
+            const result = await engine.check({ name: 'test-tool', args: { foo: 'bar' } }, undefined);
+            expect(result.decision).toBe(PolicyDecision.ASK_USER);
+            expect(mockCheckerRunner.runChecker).toHaveBeenCalled();
+        });
+        it('should run checkers when rule allows', async () => {
+            const rules = [
+                {
+                    toolName: 'test',
+                    decision: PolicyDecision.ALLOW,
+                },
+            ];
+            const checkers = [
+                {
+                    toolName: 'test',
+                    checker: {
+                        type: 'in-process',
+                        name: InProcessCheckerType.ALLOWED_PATH,
+                    },
+                },
+            ];
+            mockCheckerRunner.runChecker = vi.fn().mockResolvedValue({
+                decision: SafetyCheckDecision.ALLOW,
+            });
+            engine = new PolicyEngine({ rules, checkers }, mockCheckerRunner);
+            const { decision } = await engine.check({ name: 'test' }, undefined);
+            expect(decision).toBe(PolicyDecision.ALLOW);
+            expect(mockCheckerRunner.runChecker).toHaveBeenCalledTimes(1);
+        });
+        it('should not call checker if rule has no safety_checker', async () => {
+            const rules = [
+                {
+                    toolName: 'test-tool',
+                    decision: PolicyDecision.ALLOW,
+                },
+            ];
+            engine = new PolicyEngine({ rules }, mockCheckerRunner);
+            const result = await engine.check({ name: 'test-tool', args: { foo: 'bar' } }, undefined);
+            expect(result.decision).toBe(PolicyDecision.ALLOW);
+            expect(mockCheckerRunner.runChecker).not.toHaveBeenCalled();
+        });
+    });
+    describe('serverName requirement', () => {
+        it('should require serverName for checks', async () => {
+            // @ts-expect-error - intentionally testing missing serverName
+            expect((await engine.check({ name: 'test' })).decision).toBe(PolicyDecision.ASK_USER);
+            // When serverName is provided (even undefined), it should work
+            expect((await engine.check({ name: 'test' }, undefined)).decision).toBe(PolicyDecision.ASK_USER);
+            expect((await engine.check({ name: 'test' }, 'some-server')).decision).toBe(PolicyDecision.ASK_USER);
+        });
+        it('should run multiple checkers in priority order and stop at first denial', async () => {
+            const rules = [
+                {
+                    toolName: 'test',
+                    decision: PolicyDecision.ALLOW,
+                },
+            ];
+            const checkers = [
+                {
+                    toolName: 'test',
+                    priority: 10,
+                    checker: { type: 'external', name: 'checker1' },
+                },
+                {
+                    toolName: 'test',
+                    priority: 20, // Should run first
+                    checker: { type: 'external', name: 'checker2' },
+                },
+            ];
+            mockCheckerRunner.runChecker = vi
+                .fn()
+                .mockImplementation(async (_toolCall, config) => {
+                if (config.name === 'checker2') {
+                    return {
+                        decision: SafetyCheckDecision.DENY,
+                        reason: 'checker2 denied',
+                    };
+                }
+                return { decision: SafetyCheckDecision.ALLOW };
+            });
+            engine = new PolicyEngine({ rules, checkers }, mockCheckerRunner);
+            const { decision, rule } = await engine.check({ name: 'test' }, undefined);
+            expect(decision).toBe(PolicyDecision.DENY);
+            expect(rule).toBeDefined();
+            expect(mockCheckerRunner.runChecker).toHaveBeenCalledTimes(1);
+            expect(mockCheckerRunner.runChecker).toHaveBeenCalledWith(expect.anything(), expect.objectContaining({ name: 'checker2' }));
+        });
+    });
+    describe('addChecker', () => {
+        it('should add a new checker and maintain priority order', () => {
+            const checker1 = {
+                checker: { type: 'external', name: 'checker1' },
+                priority: 5,
+            };
+            const checker2 = {
+                checker: { type: 'external', name: 'checker2' },
+                priority: 10,
+            };
+            engine.addChecker(checker1);
+            engine.addChecker(checker2);
+            const checkers = engine.getCheckers();
+            expect(checkers).toHaveLength(2);
+            expect(checkers[0].priority).toBe(10);
+            expect(checkers[0].checker.name).toBe('checker2');
+            expect(checkers[1].priority).toBe(5);
+            expect(checkers[1].checker.name).toBe('checker1');
+        });
+    });
+    describe('checker matching logic', () => {
+        it('should match checkers using toolName and argsPattern', async () => {
+            const rules = [
+                { toolName: 'tool', decision: PolicyDecision.ALLOW },
+            ];
+            const matchingChecker = {
+                checker: { type: 'external', name: 'matching' },
+                toolName: 'tool',
+                argsPattern: /"safe":true/,
+            };
+            const nonMatchingChecker = {
+                checker: { type: 'external', name: 'non-matching' },
+                toolName: 'other',
+            };
+            engine = new PolicyEngine({ rules, checkers: [matchingChecker, nonMatchingChecker] }, mockCheckerRunner);
+            vi.mocked(mockCheckerRunner.runChecker).mockResolvedValue({
+                decision: SafetyCheckDecision.ALLOW,
+            });
+            await engine.check({ name: 'tool', args: { safe: true } }, undefined);
+            expect(mockCheckerRunner.runChecker).toHaveBeenCalledWith(expect.anything(), expect.objectContaining({ name: 'matching' }));
+            expect(mockCheckerRunner.runChecker).not.toHaveBeenCalledWith(expect.anything(), expect.objectContaining({ name: 'non-matching' }));
+        });
+        it('should support wildcard patterns for checkers', async () => {
+            const rules = [
+                { toolName: 'server__tool', decision: PolicyDecision.ALLOW },
+            ];
+            const wildcardChecker = {
+                checker: { type: 'external', name: 'wildcard' },
+                toolName: 'server__*',
+            };
+            engine = new PolicyEngine({ rules, checkers: [wildcardChecker] }, mockCheckerRunner);
+            vi.mocked(mockCheckerRunner.runChecker).mockResolvedValue({
+                decision: SafetyCheckDecision.ALLOW,
+            });
+            await engine.check({ name: 'server__tool' }, 'server');
+            expect(mockCheckerRunner.runChecker).toHaveBeenCalledWith(expect.anything(), expect.objectContaining({ name: 'wildcard' }));
+        });
+        it('should run safety checkers when decision is ASK_USER and downgrade to DENY on failure', async () => {
+            const rules = [
+                { toolName: 'tool', decision: PolicyDecision.ASK_USER },
+            ];
+            const checkers = [
+                {
+                    checker: {
+                        type: 'in-process',
+                        name: InProcessCheckerType.ALLOWED_PATH,
+                    },
+                },
+            ];
+            engine = new PolicyEngine({ rules, checkers }, mockCheckerRunner);
+            vi.mocked(mockCheckerRunner.runChecker).mockResolvedValue({
+                decision: SafetyCheckDecision.DENY,
+                reason: 'Safety check failed',
+            });
+            const result = await engine.check({ name: 'tool' }, undefined);
+            expect(result.decision).toBe(PolicyDecision.DENY);
+            expect(mockCheckerRunner.runChecker).toHaveBeenCalled();
+        });
+        it('should run safety checkers when decision is ASK_USER and keep ASK_USER on success', async () => {
+            const rules = [
+                { toolName: 'tool', decision: PolicyDecision.ASK_USER },
+            ];
+            const checkers = [
+                {
+                    checker: {
+                        type: 'in-process',
+                        name: InProcessCheckerType.ALLOWED_PATH,
+                    },
+                },
+            ];
+            engine = new PolicyEngine({ rules, checkers }, mockCheckerRunner);
+            vi.mocked(mockCheckerRunner.runChecker).mockResolvedValue({
+                decision: SafetyCheckDecision.ALLOW,
+            });
+            const result = await engine.check({ name: 'tool' }, undefined);
+            expect(result.decision).toBe(PolicyDecision.ASK_USER);
+            expect(mockCheckerRunner.runChecker).toHaveBeenCalled();
+        });
+        it('should downgrade ALLOW to ASK_USER if checker returns ASK_USER', async () => {
+            const rules = [
+                { toolName: 'tool', decision: PolicyDecision.ALLOW },
+            ];
+            const checkers = [
+                {
+                    checker: {
+                        type: 'in-process',
+                        name: InProcessCheckerType.ALLOWED_PATH,
+                    },
+                },
+            ];
+            engine = new PolicyEngine({ rules, checkers }, mockCheckerRunner);
+            vi.mocked(mockCheckerRunner.runChecker).mockResolvedValue({
+                decision: SafetyCheckDecision.ASK_USER,
+                reason: 'Suspicious path',
+            });
+            const result = await engine.check({ name: 'tool' }, undefined);
+            expect(result.decision).toBe(PolicyDecision.ASK_USER);
+        });
+        it('should DENY if checker returns ASK_USER in non-interactive mode', async () => {
+            const rules = [
+                { toolName: 'tool', decision: PolicyDecision.ALLOW },
+            ];
+            const checkers = [
+                {
+                    checker: {
+                        type: 'in-process',
+                        name: InProcessCheckerType.ALLOWED_PATH,
+                    },
+                },
+            ];
+            engine = new PolicyEngine({ rules, checkers, nonInteractive: true }, mockCheckerRunner);
+            vi.mocked(mockCheckerRunner.runChecker).mockResolvedValue({
+                decision: SafetyCheckDecision.ASK_USER,
+                reason: 'Suspicious path',
+            });
+            const result = await engine.check({ name: 'tool' }, undefined);
+            expect(result.decision).toBe(PolicyDecision.DENY);
         });
     });
 });