saeeol 1.3.0 → 1.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +72 -0
- package/BUN_SHELL_MIGRATION_PLAN.md +136 -0
- package/Dockerfile +18 -0
- package/assets/saeeol.ico +0 -0
- package/bin/saeeol.cjs +3 -1
- package/bunfig.toml +7 -0
- package/database.db +0 -0
- package/drizzle.config.ts +10 -0
- package/git +0 -0
- package/migration/20260127222353_familiar_lady_ursula/migration.sql +90 -0
- package/migration/20260127222353_familiar_lady_ursula/snapshot.json +796 -0
- package/migration/20260211171708_add_project_commands/migration.sql +1 -0
- package/migration/20260211171708_add_project_commands/snapshot.json +806 -0
- package/migration/20260213144116_wakeful_the_professor/migration.sql +11 -0
- package/migration/20260213144116_wakeful_the_professor/snapshot.json +897 -0
- package/migration/20260225215848_workspace/migration.sql +7 -0
- package/migration/20260225215848_workspace/snapshot.json +959 -0
- package/migration/20260227213759_add_session_workspace_id/migration.sql +2 -0
- package/migration/20260227213759_add_session_workspace_id/snapshot.json +983 -0
- package/migration/20260228203230_blue_harpoon/migration.sql +17 -0
- package/migration/20260228203230_blue_harpoon/snapshot.json +1102 -0
- package/migration/20260303231226_add_workspace_fields/migration.sql +5 -0
- package/migration/20260303231226_add_workspace_fields/snapshot.json +1013 -0
- package/migration/20260309230000_move_org_to_state/migration.sql +3 -0
- package/migration/20260309230000_move_org_to_state/snapshot.json +1156 -0
- package/migration/20260312043431_session_message_cursor/migration.sql +4 -0
- package/migration/20260312043431_session_message_cursor/snapshot.json +1168 -0
- package/migration/20260323234822_events/migration.sql +13 -0
- package/migration/20260323234822_events/snapshot.json +1271 -0
- package/migration/20260410174513_workspace-name/migration.sql +16 -0
- package/migration/20260410174513_workspace-name/snapshot.json +1271 -0
- package/migration/20260413175956_chief_energizer/migration.sql +13 -0
- package/migration/20260413175956_chief_energizer/snapshot.json +1399 -0
- package/migration/20260423070820_add_icon_url_override/migration.sql +2 -0
- package/migration/20260423070820_add_icon_url_override/snapshot.json +1409 -0
- package/migration/20260428004200_add_session_path/migration.sql +1 -0
- package/migration/20260428004200_add_session_path/snapshot.json +1419 -0
- package/npm/bin/saeeol +42 -0
- package/npm/package.json +39 -0
- package/npm/postinstall.js +162 -0
- package/package.json +201 -207
- package/parsers-config.ts +289 -0
- package/script/build.ts +393 -0
- package/script/check-migrations.ts +16 -0
- package/script/fix-node-pty.ts +34 -0
- package/script/generate.ts +23 -0
- package/script/postinstall.mjs +189 -0
- package/script/publish.ts +200 -0
- package/script/run-workspace-server +106 -0
- package/script/schema.ts +63 -0
- package/script/test-runner.ts +420 -0
- package/script/time.ts +6 -0
- package/script/trace-imports.ts +153 -0
- package/script/upgrade-opentui.ts +64 -0
- package/scripts/diff-sdk-types.sh +52 -0
- package/specs/effect/facades.md +221 -0
- package/specs/effect/http-api.md +401 -0
- package/specs/effect/instance-context.md +309 -0
- package/specs/effect/loose-ends.md +34 -0
- package/specs/effect/migration.md +299 -0
- package/specs/effect/routes.md +64 -0
- package/specs/effect/schema.md +399 -0
- package/specs/effect/server-package.md +668 -0
- package/specs/effect/tools.md +90 -0
- package/specs/tui-plugins.md +433 -0
- package/specs/v2/api.ts +67 -0
- package/specs/v2/keymappings.md +10 -0
- package/specs/v2/message-shape.md +136 -0
- package/src/acp/agent-message.ts +1 -1
- package/src/acp/agent-utils.ts +1 -1
- package/src/boxes/ansi.ts +17 -0
- package/src/boxes/atomic-write.ts +35 -0
- package/src/boxes/b64.ts +58 -0
- package/src/boxes/bash-security.ts +129 -0
- package/src/boxes/bom.ts +18 -0
- package/src/boxes/cancel.ts +16 -0
- package/src/boxes/chop.ts +12 -0
- package/src/boxes/clamp.ts +3 -0
- package/src/boxes/compact.ts +9 -0
- package/src/boxes/cost-tracker.ts +116 -0
- package/src/boxes/dataurl.ts +29 -0
- package/src/boxes/delay.ts +27 -0
- package/src/boxes/diff-apply.ts +53 -0
- package/src/boxes/disposable.ts +13 -0
- package/src/boxes/err.ts +34 -0
- package/src/boxes/human.ts +47 -0
- package/src/boxes/iife.ts +9 -0
- package/src/boxes/latch.ts +8 -0
- package/src/boxes/memory.ts +198 -0
- package/src/boxes/net.ts +16 -0
- package/src/boxes/plural.ts +4 -0
- package/src/boxes/puny.ts +21 -0
- package/src/boxes/retry.ts +49 -0
- package/src/boxes/rwlock.ts +41 -0
- package/src/boxes/schedule.ts +71 -0
- package/src/boxes/scope.ts +21 -0
- package/src/boxes/tokens.ts +9 -0
- package/src/boxes/ttl-cache.ts +63 -0
- package/src/boxes/typed-event.ts +51 -0
- package/src/boxes/uid.ts +50 -0
- package/src/boxes/wave6.test.ts +296 -0
- package/src/boxes/wildcard.ts +58 -0
- package/src/bus/global.ts +1 -1
- package/src/cli/cmd/github-run-api.ts +2 -2
- package/src/cli/cmd/run-events.ts +2 -2
- package/src/cli/cmd/tui/component/logo.tsx +1 -1
- package/src/cli/cmd/tui/component/prompt/use-prompt-memos.ts +2 -2
- package/src/cli/cmd/tui/context/app/editor-zed.ts +1 -1
- package/src/cli/cmd/tui/context/app/editor.ts +1 -1
- package/src/cli/cmd/tui/context/app/theme.tsx +1 -1
- package/src/cli/cmd/tui/preflight.ts +138 -0
- package/src/cli/cmd/tui/thread.ts +20 -0
- package/src/cli/cmd/tui/util/revert-diff.ts +1 -1
- package/src/overlay/cli/cmd/roll-call-call.ts +1 -1
- package/src/overlay/cost-tracker/format.ts +1 -1
- package/src/overlay/cost-tracker/index.ts +4 -4
- package/src/overlay/cost-tracker/state.ts +2 -2
- package/src/overlay/cost-tracker/types.ts +2 -2
- package/src/overlay/memory/age.ts +1 -1
- package/src/overlay/memory/index.ts +4 -4
- package/src/overlay/memory/paths.ts +2 -2
- package/src/overlay/memory/scan.ts +1 -1
- package/src/overlay/memory/types.ts +2 -2
- package/src/overlay/tool/bash-security.ts +3 -3
- package/src/overlay/util/url.ts +1 -1
- package/src/plugin/codex-auth.ts +1 -1
- package/src/provider/model-cache.ts +2 -2
- package/src/provider/provider-resolve.ts +3 -3
- package/src/provider/transform-message.ts +1 -1
- package/src/server/routes/game.ts +284 -0
- package/src/server/server.ts +2 -0
- package/src/session/core/compaction/compaction-helpers.ts +1 -1
- package/src/session/core/compaction/compaction.ts +1 -1
- package/src/session/core/session.ts +2 -0
- package/src/sessions/ingest-queue.ts +2 -2
- package/src/sessions/remote-ws.ts +1 -1
- package/src/tool/workflow/question.ts +1 -1
- package/src/util/abort.ts +1 -1
- package/src/util/bom.ts +2 -2
- package/src/util/color.ts +1 -1
- package/src/util/data-url.ts +1 -1
- package/src/util/defer.ts +1 -1
- package/src/util/error.ts +2 -2
- package/src/util/filesystem.ts +2 -2
- package/src/util/format.ts +1 -1
- package/src/util/iife.ts +1 -1
- package/src/util/local-context.ts +1 -1
- package/src/util/locale.ts +2 -2
- package/src/util/lock.ts +1 -1
- package/src/util/network.ts +1 -1
- package/src/util/signal.ts +1 -1
- package/src/util/token.ts +1 -1
- package/src/util/wildcard.ts +1 -1
- package/sst-env.d.ts +10 -0
- package/test/AGENTS.md +133 -0
- package/test/account/repo.test.ts +352 -0
- package/test/account/service.test.ts +456 -0
- package/test/acp/agent-interface.test.ts +51 -0
- package/test/acp/event-subscription.test.ts +725 -0
- package/test/agent/agent.test.ts +890 -0
- package/test/auth/auth.test.ts +86 -0
- package/test/bun/registry.test.ts +75 -0
- package/test/bus/bus-effect.test.ts +161 -0
- package/test/bus/bus-integration.test.ts +87 -0
- package/test/bus/bus.test.ts +219 -0
- package/test/cli/account.test.ts +26 -0
- package/test/cli/auto-mode.test.ts +75 -0
- package/test/cli/bin-saeeol.test.ts +8 -0
- package/test/cli/cmd/tui/prompt-part.test.ts +47 -0
- package/test/cli/cmd/tui/prompt-traits.test.ts +38 -0
- package/test/cli/cmd/tui/sync.test.tsx +159 -0
- package/test/cli/error.test.ts +18 -0
- package/test/cli/github-action.test.ts +198 -0
- package/test/cli/github-remote.test.ts +85 -0
- package/test/cli/import.test.ts +97 -0
- package/test/cli/install-artifact.test.ts +72 -0
- package/test/cli/plugin-auth-picker.test.ts +120 -0
- package/test/cli/pr.test.ts +59 -0
- package/test/cli/tui/editor-context-zed.test.ts +356 -0
- package/test/cli/tui/editor-context.test.tsx +228 -0
- package/test/cli/tui/keybind-plugin.test.ts +90 -0
- package/test/cli/tui/markdown.test.ts +161 -0
- package/test/cli/tui/plugin-add.test.ts +111 -0
- package/test/cli/tui/plugin-install.test.ts +87 -0
- package/test/cli/tui/plugin-lifecycle.test.ts +224 -0
- package/test/cli/tui/plugin-loader-entrypoint.test.ts +484 -0
- package/test/cli/tui/plugin-loader-pure.test.ts +71 -0
- package/test/cli/tui/plugin-loader.test.ts +816 -0
- package/test/cli/tui/plugin-toggle.test.ts +157 -0
- package/test/cli/tui/revert-diff.test.ts +35 -0
- package/test/cli/tui/slot-replace.test.tsx +47 -0
- package/test/cli/tui/theme-store.test.ts +54 -0
- package/test/cli/tui/thread.test.ts +28 -0
- package/test/cli/tui/transcript.test.ts +426 -0
- package/test/cli/tui/usage.test.ts +60 -0
- package/test/cli/tui/use-event.test.tsx +175 -0
- package/test/config/agent-color.test.ts +67 -0
- package/test/config/config.test.ts +2544 -0
- package/test/config/fixtures/empty-frontmatter.md +4 -0
- package/test/config/fixtures/frontmatter.md +28 -0
- package/test/config/fixtures/markdown-header.md +11 -0
- package/test/config/fixtures/no-frontmatter.md +1 -0
- package/test/config/fixtures/weird-model-id.md +13 -0
- package/test/config/lsp.test.ts +87 -0
- package/test/config/markdown.test.ts +228 -0
- package/test/config/plugin.test.ts +0 -0
- package/test/config/tui.test.ts +624 -0
- package/test/control-plane/adapters.test.ts +71 -0
- package/test/control-plane/workspace.test.ts +1526 -0
- package/test/effect/app-runtime-logger.test.ts +98 -0
- package/test/effect/config-service.test.ts +65 -0
- package/test/effect/instance-state.test.ts +394 -0
- package/test/effect/run-service.test.ts +89 -0
- package/test/effect/runner.test.ts +523 -0
- package/test/fake/provider.ts +82 -0
- package/test/file/fsmonitor.test.ts +68 -0
- package/test/file/ignore.test.ts +10 -0
- package/test/file/index.test.ts +954 -0
- package/test/file/path-traversal.test.ts +205 -0
- package/test/file/ripgrep.test.ts +226 -0
- package/test/file/watcher.test.ts +249 -0
- package/test/filesystem/filesystem.test.ts +319 -0
- package/test/fixture/db.ts +11 -0
- package/test/fixture/fixture.test.ts +26 -0
- package/test/fixture/fixture.ts +175 -0
- package/test/fixture/flock-worker.ts +72 -0
- package/test/fixture/log-init-worker.ts +62 -0
- package/test/fixture/lsp/fake-lsp-server.js +249 -0
- package/test/fixture/plug-worker.ts +93 -0
- package/test/fixture/plugin-meta-worker.ts +19 -0
- package/test/fixture/skills/agents-sdk/SKILL.md +152 -0
- package/test/fixture/skills/cloudflare/SKILL.md +211 -0
- package/test/fixture/skills/index.json +6 -0
- package/test/fixture/tui-plugin.ts +323 -0
- package/test/fixture/tui-runtime.ts +31 -0
- package/test/format/format.test.ts +272 -0
- package/test/git/git.test.ts +128 -0
- package/test/ide/ide.test.ts +82 -0
- package/test/installation/installation.test.ts +168 -0
- package/test/keybind.test.ts +421 -0
- package/test/lib/effect.ts +53 -0
- package/test/lib/filesystem.ts +10 -0
- package/test/lib/llm-server.ts +778 -0
- package/test/lib/websocket.ts +46 -0
- package/test/lsp/client.test.ts +482 -0
- package/test/lsp/index.test.ts +160 -0
- package/test/lsp/launch.test.ts +22 -0
- package/test/lsp/lifecycle.test.ts +184 -0
- package/test/ltm/ltm.test.ts +230 -0
- package/test/mcp/headers.test.ts +178 -0
- package/test/mcp/lifecycle.test.ts +787 -0
- package/test/mcp/oauth-auto-connect.test.ts +311 -0
- package/test/mcp/oauth-browser.test.ts +276 -0
- package/test/mcp/oauth-callback.test.ts +34 -0
- package/test/memory/abort-leak-webfetch.ts +49 -0
- package/test/memory/abort-leak.test.ts +128 -0
- package/test/patch/patch.test.ts +348 -0
- package/test/permission/arity.test.ts +33 -0
- package/test/permission/next.test.ts +1227 -0
- package/test/permission/next.toConfig.test.ts +110 -0
- package/test/permission-task.test.ts +326 -0
- package/test/plugin/auth-override.test.ts +79 -0
- package/test/plugin/cloudflare.test.ts +68 -0
- package/test/plugin/codex.test.ts +123 -0
- package/test/plugin/github-copilot-models.test.ts +261 -0
- package/test/plugin/install-concurrency.test.ts +140 -0
- package/test/plugin/install.test.ts +570 -0
- package/test/plugin/loader-shared.test.ts +1169 -0
- package/test/plugin/meta.test.ts +137 -0
- package/test/plugin/plugin-contract.test.ts +291 -0
- package/test/plugin/shared.test.ts +88 -0
- package/test/plugin/trigger.test.ts +102 -0
- package/test/plugin/workspace-adapter.test.ts +109 -0
- package/test/preload.ts +77 -0
- package/test/project/instance.test.ts +276 -0
- package/test/project/migrate-global.test.ts +152 -0
- package/test/project/project.test.ts +600 -0
- package/test/project/vcs.test.ts +286 -0
- package/test/project/worktree-remove.test.ts +126 -0
- package/test/project/worktree.test.ts +223 -0
- package/test/provider/amazon-bedrock.test.ts +462 -0
- package/test/provider/copilot/convert-to-copilot-messages.test.ts +523 -0
- package/test/provider/copilot/copilot-chat-model.test.ts +592 -0
- package/test/provider/gitlab-duo.test.ts +413 -0
- package/test/provider/local.test.ts +208 -0
- package/test/provider/models.test.ts +261 -0
- package/test/provider/provider-category.test.ts +190 -0
- package/test/provider/provider.test.ts +2758 -0
- package/test/provider/transform.test.ts +3681 -0
- package/test/pty/pty-output-isolation.test.ts +147 -0
- package/test/pty/pty-session.test.ts +102 -0
- package/test/pty/pty-shell.test.ts +104 -0
- package/test/question/question.test.ts +490 -0
- package/test/saeeol/agent-global-config-dirs.test.ts +24 -0
- package/test/saeeol/agent-manager-tool.test.ts +71 -0
- package/test/saeeol/agent-permission-overrides.test.ts +75 -0
- package/test/saeeol/agent-skill-permissions.test.ts +37 -0
- package/test/saeeol/ask-agent-permissions.test.ts +303 -0
- package/test/saeeol/bash-hierarchy.test.ts +64 -0
- package/test/saeeol/bash-permission-metadata.test.ts +66 -0
- package/test/saeeol/bash-security-extended.test.ts +243 -0
- package/test/saeeol/bedrock-claude-empty-content.test.ts +138 -0
- package/test/saeeol/boxes-integration.test.ts +415 -0
- package/test/saeeol/builtin-skills.test.ts +75 -0
- package/test/saeeol/cleanup.ts +28 -0
- package/test/saeeol/cli/dev-setup.test.ts +74 -0
- package/test/saeeol/cli/roll-call.test.ts +161 -0
- package/test/saeeol/cli-run-auto-helper.test.ts +58 -0
- package/test/saeeol/codex-auth-refresh.test.ts +124 -0
- package/test/saeeol/commit-message/generate.test.ts +188 -0
- package/test/saeeol/commit-message/git-context.test.ts +303 -0
- package/test/saeeol/commit-message-windows.test.ts +38 -0
- package/test/saeeol/compaction-payload-recovery.test.ts +406 -0
- package/test/saeeol/compaction-preservation-audit.test.ts +122 -0
- package/test/saeeol/compaction-skip-guard.test.ts +224 -0
- package/test/saeeol/compaction-smart-select.test.ts +100 -0
- package/test/saeeol/config/config.test.ts +166 -0
- package/test/saeeol/config/indexing-default-plugin.test.ts +82 -0
- package/test/saeeol/config/opentelemetry-default.test.ts +29 -0
- package/test/saeeol/config-gitignore.test.ts +70 -0
- package/test/saeeol/config-injector.test.ts +305 -0
- package/test/saeeol/config-resilience.test.ts +234 -0
- package/test/saeeol/config-validation.test.ts +183 -0
- package/test/saeeol/cost-propagation.test.ts +94 -0
- package/test/saeeol/cost-tracker-extended.test.ts +141 -0
- package/test/saeeol/cost-tracker.test.ts +64 -0
- package/test/saeeol/custom-provider-delete.test.ts +149 -0
- package/test/saeeol/diff-full.test.ts +226 -0
- package/test/saeeol/edit-permission-filediff.test.ts +223 -0
- package/test/saeeol/encoding.test.ts +364 -0
- package/test/saeeol/enhance-prompt.test.ts +61 -0
- package/test/saeeol/ensure-plan-dir.test.ts +32 -0
- package/test/saeeol/errors.test.ts +144 -0
- package/test/saeeol/external-directory-boundary.test.ts +96 -0
- package/test/saeeol/gateway-headers.test.ts +88 -0
- package/test/saeeol/help.test.ts +191 -0
- package/test/saeeol/ignore-migrator.test.ts +308 -0
- package/test/saeeol/indexing-auth.test.ts +45 -0
- package/test/saeeol/indexing-feature.test.ts +44 -0
- package/test/saeeol/indexing-label.test.ts +70 -0
- package/test/saeeol/indexing-startup.test.ts +381 -0
- package/test/saeeol/indexing-worktree.test.ts +73 -0
- package/test/saeeol/instruction.test.ts +136 -0
- package/test/saeeol/lancedb-runtime.test.ts +116 -0
- package/test/saeeol/loader-auth.test.ts +168 -0
- package/test/saeeol/local-model.test.ts +621 -0
- package/test/saeeol/logo.test.ts +31 -0
- package/test/saeeol/lsp-typescript-lightweight.test.ts +89 -0
- package/test/saeeol/mcp-branding.test.ts +33 -0
- package/test/saeeol/mcp-docker-rm.test.ts +32 -0
- package/test/saeeol/mcp-migrator.test.ts +736 -0
- package/test/saeeol/mcp-oauth-callback.test.ts +33 -0
- package/test/saeeol/memory-io.test.ts +198 -0
- package/test/saeeol/memory-paths.test.ts +87 -0
- package/test/saeeol/memory-security.test.ts +166 -0
- package/test/saeeol/model-cache-org.test.ts +164 -0
- package/test/saeeol/model-info-panel-utils.test.ts +52 -0
- package/test/saeeol/model-info-panel.types.test.ts +7 -0
- package/test/saeeol/models-401-fallback.test.ts +52 -0
- package/test/saeeol/modes-migrator.test.ts +320 -0
- package/test/saeeol/nvidia-headers.test.ts +74 -0
- package/test/saeeol/patch-jsonc.test.ts +73 -0
- package/test/saeeol/patch.test.ts +172 -0
- package/test/saeeol/paths.test.ts +265 -0
- package/test/saeeol/permission/config-paths.test.ts +174 -0
- package/test/saeeol/permission/env-read.test.ts +149 -0
- package/test/saeeol/permission/external-directory-allow.test.ts +327 -0
- package/test/saeeol/permission/next.always-rules.test.ts +882 -0
- package/test/saeeol/permission/next.reply-http.test.ts +205 -0
- package/test/saeeol/permission/next.reply-routing.test.ts +184 -0
- package/test/saeeol/plan-exit-detection.test.ts +494 -0
- package/test/saeeol/plan-followup.test.ts +1376 -0
- package/test/saeeol/project-config-update.test.ts +120 -0
- package/test/saeeol/project-id.test.ts +455 -0
- package/test/saeeol/provider-cost.test.ts +171 -0
- package/test/saeeol/provider-list-failed-state.test.ts +100 -0
- package/test/saeeol/question-dismiss-all.test.ts +174 -0
- package/test/saeeol/read-directory.test.ts +116 -0
- package/test/saeeol/rules-migrator.test.ts +257 -0
- package/test/saeeol/run-auto.test.ts +176 -0
- package/test/saeeol/run-network.test.ts +224 -0
- package/test/saeeol/semantic-search.test.ts +186 -0
- package/test/saeeol/server/permission-allow-everything.test.ts +125 -0
- package/test/saeeol/session/instruction-substitution.test.ts +72 -0
- package/test/saeeol/session/platform-attribution.test.ts +118 -0
- package/test/saeeol/session/session.test.ts +105 -0
- package/test/saeeol/session-compaction-cap.test.ts +399 -0
- package/test/saeeol/session-compaction-chunks.test.ts +501 -0
- package/test/saeeol/session-compaction-safety.test.ts +481 -0
- package/test/saeeol/session-fork-remap.test.ts +251 -0
- package/test/saeeol/session-import-service.test.ts +114 -0
- package/test/saeeol/session-list.test.ts +47 -0
- package/test/saeeol/session-message-metadata.test.ts +128 -0
- package/test/saeeol/session-overflow.test.ts +78 -0
- package/test/saeeol/session-processor-empty-tool-calls.test.ts +571 -0
- package/test/saeeol/session-processor-network-offline.test.ts +204 -0
- package/test/saeeol/session-processor-retry-limit.test.ts +238 -0
- package/test/saeeol/session-processor-review-telemetry.test.ts +82 -0
- package/test/saeeol/session-prompt-compaction-safety.test.ts +517 -0
- package/test/saeeol/session-prompt-queue.test.ts +815 -0
- package/test/saeeol/sessions/inflight-cache.test.ts +157 -0
- package/test/saeeol/sessions/ingest-queue.test.ts +402 -0
- package/test/saeeol/sessions/remote-protocol.test.ts +258 -0
- package/test/saeeol/sessions/remote-sender.test.ts +1036 -0
- package/test/saeeol/sessions/remote-ws.test.ts +367 -0
- package/test/saeeol/sessions/sessions-enable-remote.test.disable +181 -0
- package/test/saeeol/slot-prop-reactivity.test.ts +142 -0
- package/test/saeeol/snapshot-cache.test.ts +84 -0
- package/test/saeeol/snapshot-freeze-repro.test.ts +100 -0
- package/test/saeeol/snapshot-track-timeout.test.ts +519 -0
- package/test/saeeol/stats-subagent-cost.test.ts +123 -0
- package/test/saeeol/suggestion/auto-dismiss.test.ts +65 -0
- package/test/saeeol/suggestion/suggestion.test.ts +145 -0
- package/test/saeeol/suggestion/tool.test.ts +298 -0
- package/test/saeeol/summary-file-diff.test.ts +28 -0
- package/test/saeeol/system-prompt.test.ts +142 -0
- package/test/saeeol/task-nesting.test.ts +193 -0
- package/test/saeeol/telemetry/feedback.test.ts +8 -0
- package/test/saeeol/todo-view.test.ts +57 -0
- package/test/saeeol/tool-encoding.test.ts +455 -0
- package/test/saeeol/tool-registry-indexing-import-failure.test.ts +49 -0
- package/test/saeeol/tool-registry-indexing.test.ts +236 -0
- package/test/saeeol/tool-registry-semantic-import-failure.test.ts +55 -0
- package/test/saeeol/tool-task-model.test.ts +352 -0
- package/test/saeeol/transform-opus-4.7.test.ts +89 -0
- package/test/saeeol/tui-diff.test.ts +91 -0
- package/test/saeeol/tui-sync.test.ts +80 -0
- package/test/saeeol/util/url.test.ts +141 -0
- package/test/saeeol/workflows-migrator.test.ts +261 -0
- package/test/saeeol/worktree-diff-summary.test.ts +64 -0
- package/test/saeeol/worktree-diff.test.ts +223 -0
- package/test/saeeol/worktree-remove-lock.test.ts +82 -0
- package/test/server/AGENTS.md +15 -0
- package/test/server/contract.test.ts +357 -0
- package/test/server/experimental-session-list.test.ts +157 -0
- package/test/server/global-session-list.test.ts +155 -0
- package/test/server/httpapi-authorization.test.ts +103 -0
- package/test/server/httpapi-bridge.test.ts +440 -0
- package/test/server/httpapi-config.test.ts +67 -0
- package/test/server/httpapi-cors.test.ts +89 -0
- package/test/server/httpapi-event.test.ts +57 -0
- package/test/server/httpapi-experimental.test.ts +219 -0
- package/test/server/httpapi-file.test.ts +79 -0
- package/test/server/httpapi-instance-context.test.ts +237 -0
- package/test/server/httpapi-instance.legacy.test.ts +140 -0
- package/test/server/httpapi-instance.test.ts +83 -0
- package/test/server/httpapi-json-parity.test.ts +263 -0
- package/test/server/httpapi-mcp-oauth.test.ts +76 -0
- package/test/server/httpapi-mcp.test.ts +189 -0
- package/test/server/httpapi-provider.test.ts +153 -0
- package/test/server/httpapi-pty-websocket.test.ts +16 -0
- package/test/server/httpapi-pty.test.ts +175 -0
- package/test/server/httpapi-raw-route-auth.test.ts +89 -0
- package/test/server/httpapi-sdk.test.ts +681 -0
- package/test/server/httpapi-session.test.ts +464 -0
- package/test/server/httpapi-sync.test.ts +130 -0
- package/test/server/httpapi-tui.test.ts +121 -0
- package/test/server/httpapi-workspace-routing.test.ts +471 -0
- package/test/server/httpapi-workspace.test.ts +427 -0
- package/test/server/lib/conformance.ts +88 -0
- package/test/server/lib/stateful.ts +112 -0
- package/test/server/project-init-git.test.ts +113 -0
- package/test/server/proxy-util.test.ts +113 -0
- package/test/server/session-actions.test.ts +49 -0
- package/test/server/session-list.test.ts +238 -0
- package/test/server/session-messages.test.ts +167 -0
- package/test/server/session-select.test.ts +100 -0
- package/test/server/trace-attributes.test.ts +76 -0
- package/test/server/workspace-proxy.test.ts +165 -0
- package/test/server/workspace-routing.test.ts +85 -0
- package/test/session/compaction.test.ts +2420 -0
- package/test/session/instruction.test.ts +247 -0
- package/test/session/llm.test.ts +1273 -0
- package/test/session/message-v2.test.ts +1291 -0
- package/test/session/messages-pagination.test.ts +1173 -0
- package/test/session/network.test.ts +249 -0
- package/test/session/processor-effect.test.ts +847 -0
- package/test/session/prompt.test.ts +2131 -0
- package/test/session/retry.test.ts +340 -0
- package/test/session/revert-compact.test.ts +639 -0
- package/test/session/schema-decoding.test.ts +311 -0
- package/test/session/session-entry-stepper.test.ts +917 -0
- package/test/session/session-schema.test.ts +76 -0
- package/test/session/snapshot-tool-race.test.ts +257 -0
- package/test/session/structured-output-integration.test.ts +265 -0
- package/test/session/structured-output.test.ts +381 -0
- package/test/session/system.test.ts +73 -0
- package/test/share/share-next.test.ts +333 -0
- package/test/shell/shell.test.ts +99 -0
- package/test/skill/discovery.test.ts +116 -0
- package/test/skill/skill.test.ts +393 -0
- package/test/smoke/.tui-debug-output.txt +1 -0
- package/test/smoke/.tui-debug-plain.txt +1 -0
- package/test/smoke/.tui-walkthrough-report.txt +122 -0
- package/test/smoke/smoke-tui-pty.test.ts +123 -0
- package/test/smoke/smoke-tui.mjs +83 -0
- package/test/smoke/tui-walkthrough.test.ts +520 -0
- package/test/snapshot/snapshot.test.ts +1531 -0
- package/test/storage/db.test.ts +23 -0
- package/test/storage/json-migration.test.ts +832 -0
- package/test/storage/storage.test.ts +293 -0
- package/test/suggestion/suggestion.test.ts +1 -0
- package/test/sync/index.test.ts +256 -0
- package/test/tool/__snapshots__/parameters.test.ts.snap +500 -0
- package/test/tool/__snapshots__/tool.test.ts.snap +9 -0
- package/test/tool/apply_patch.test.ts +614 -0
- package/test/tool/bash.test.ts +1225 -0
- package/test/tool/diagnostics-filter.test.ts +55 -0
- package/test/tool/edit.test.ts +754 -0
- package/test/tool/external-directory.test.ts +169 -0
- package/test/tool/fixtures/large-image.png +0 -0
- package/test/tool/fixtures/models-api.json +65179 -0
- package/test/tool/glob.test.ts +107 -0
- package/test/tool/grep.test.ts +114 -0
- package/test/tool/lsp.test.ts +187 -0
- package/test/tool/parameters.test.ts +243 -0
- package/test/tool/question.test.ts +129 -0
- package/test/tool/read.test.ts +500 -0
- package/test/tool/recall.test.ts +151 -0
- package/test/tool/registry.test.ts +203 -0
- package/test/tool/skill.test.ts +135 -0
- package/test/tool/suggest.test.ts +1 -0
- package/test/tool/task.test.ts +612 -0
- package/test/tool/tool-define.test.ts +99 -0
- package/test/tool/truncation.test.ts +260 -0
- package/test/tool/webfetch.test.ts +103 -0
- package/test/tool/write.test.ts +291 -0
- package/test/util/data-url.test.ts +14 -0
- package/test/util/effect-zod.test.ts +754 -0
- package/test/util/error.test.ts +38 -0
- package/test/util/filesystem.test.ts +656 -0
- package/test/util/format.test.ts +59 -0
- package/test/util/glob.test.ts +164 -0
- package/test/util/iife.test.ts +36 -0
- package/test/util/lazy.test.ts +50 -0
- package/test/util/lock.test.ts +72 -0
- package/test/util/log.test.ts +86 -0
- package/test/util/module.test.ts +59 -0
- package/test/util/process.test.ts +128 -0
- package/test/util/timeout.test.ts +21 -0
- package/test/util/which.test.ts +100 -0
- package/test/util/wildcard.test.ts +90 -0
- package/test/workspace/workspace-restore.test.ts +296 -0
- package/src/provider/models-snapshot.d.ts +0 -2
- package/src/provider/models-snapshot.js +0 -3
|
@@ -0,0 +1,1227 @@
|
|
|
1
|
+
import { afterAll, afterEach, test, expect } from "bun:test"
|
|
2
|
+
import fs from "fs/promises"
|
|
3
|
+
import os from "os"
|
|
4
|
+
import path from "path"
|
|
5
|
+
import { Cause, Effect, Exit, Fiber, Layer } from "effect"
|
|
6
|
+
import { Bus } from "../../src/bus"
|
|
7
|
+
import { Config } from "../../src/config/config"
|
|
8
|
+
import { Global } from "@saeeol/core/global"
|
|
9
|
+
import { CrossSpawnSpawner } from "@saeeol/core/cross-spawn-spawner"
|
|
10
|
+
import { Permission } from "../../src/permission"
|
|
11
|
+
import { PermissionID } from "../../src/permission/schema"
|
|
12
|
+
import { Instance } from "../../src/project/instance"
|
|
13
|
+
import { InstanceStore } from "../../src/project/instance-store"
|
|
14
|
+
import { disposeAllInstances, provideInstance, provideTmpdirInstance, tmpdirScoped } from "../fixture/fixture"
|
|
15
|
+
import { testEffect } from "../lib/effect"
|
|
16
|
+
import { MessageID, SessionID } from "../../src/session/schema"
|
|
17
|
+
|
|
18
|
+
const bus = Bus.layer
|
|
19
|
+
const env = Layer.mergeAll(Permission.layer.pipe(Layer.provide(bus)), bus, CrossSpawnSpawner.defaultLayer)
|
|
20
|
+
const it = testEffect(env)
|
|
21
|
+
|
|
22
|
+
afterEach(async () => {
|
|
23
|
+
await disposeAllInstances()
|
|
24
|
+
})
|
|
25
|
+
afterAll(async () => {
|
|
26
|
+
const dir = Global.Path.config
|
|
27
|
+
for (const file of ["saeeol.jsonc", "saeeol.json", "config.json", "saeeol.json", "saeeol.jsonc"]) {
|
|
28
|
+
await fs.rm(path.join(dir, file), { force: true }).catch(() => {})
|
|
29
|
+
}
|
|
30
|
+
await Config.invalidate(true)
|
|
31
|
+
})
|
|
32
|
+
|
|
33
|
+
const rejectAll = (message?: string) =>
|
|
34
|
+
Effect.gen(function* () {
|
|
35
|
+
const permission = yield* Permission.Service
|
|
36
|
+
for (const req of yield* permission.list()) {
|
|
37
|
+
yield* permission.reply({
|
|
38
|
+
requestID: req.id,
|
|
39
|
+
reply: "reject",
|
|
40
|
+
message,
|
|
41
|
+
})
|
|
42
|
+
}
|
|
43
|
+
})
|
|
44
|
+
|
|
45
|
+
const waitForPending = (count: number) =>
|
|
46
|
+
Effect.gen(function* () {
|
|
47
|
+
const permission = yield* Permission.Service
|
|
48
|
+
for (let i = 0; i < 100; i++) {
|
|
49
|
+
const list = yield* permission.list()
|
|
50
|
+
if (list.length === count) return list
|
|
51
|
+
yield* Effect.sleep("10 millis")
|
|
52
|
+
}
|
|
53
|
+
return yield* Effect.fail(new Error(`timed out waiting for ${count} pending permission request(s)`))
|
|
54
|
+
})
|
|
55
|
+
|
|
56
|
+
const fail = <A, E, R>(self: Effect.Effect<A, E, R>) =>
|
|
57
|
+
Effect.gen(function* () {
|
|
58
|
+
const exit = yield* self.pipe(Effect.exit)
|
|
59
|
+
if (Exit.isFailure(exit)) return Cause.squash(exit.cause)
|
|
60
|
+
throw new Error("expected permission effect to fail")
|
|
61
|
+
})
|
|
62
|
+
|
|
63
|
+
const ask = (input: Parameters<Permission.Interface["ask"]>[0]) =>
|
|
64
|
+
Effect.gen(function* () {
|
|
65
|
+
const permission = yield* Permission.Service
|
|
66
|
+
return yield* permission.ask(input)
|
|
67
|
+
})
|
|
68
|
+
|
|
69
|
+
const reply = (input: Parameters<Permission.Interface["reply"]>[0]) =>
|
|
70
|
+
Effect.gen(function* () {
|
|
71
|
+
const permission = yield* Permission.Service
|
|
72
|
+
return yield* permission.reply(input)
|
|
73
|
+
})
|
|
74
|
+
|
|
75
|
+
const list = () =>
|
|
76
|
+
Effect.gen(function* () {
|
|
77
|
+
const permission = yield* Permission.Service
|
|
78
|
+
return yield* permission.list()
|
|
79
|
+
})
|
|
80
|
+
|
|
81
|
+
function withDir(options: { git?: boolean } | undefined, self: (dir: string) => Effect.Effect<any, any, any>) {
|
|
82
|
+
return provideTmpdirInstance(self, options)
|
|
83
|
+
}
|
|
84
|
+
|
|
85
|
+
function withProvided(dir: string) {
|
|
86
|
+
return <A, E, R>(self: Effect.Effect<A, E, R>) => self.pipe(provideInstance(dir))
|
|
87
|
+
}
|
|
88
|
+
|
|
89
|
+
// fromConfig tests
|
|
90
|
+
|
|
91
|
+
test("fromConfig - string value becomes wildcard rule", () => {
|
|
92
|
+
const result = Permission.fromConfig({ bash: "allow" })
|
|
93
|
+
expect(result).toEqual([{ permission: "bash", pattern: "*", action: "allow" }])
|
|
94
|
+
})
|
|
95
|
+
|
|
96
|
+
test("fromConfig - object value converts to rules array", () => {
|
|
97
|
+
const result = Permission.fromConfig({ bash: { "*": "allow", rm: "deny" } })
|
|
98
|
+
expect(result).toEqual([
|
|
99
|
+
{ permission: "bash", pattern: "*", action: "allow" },
|
|
100
|
+
{ permission: "bash", pattern: "rm", action: "deny" },
|
|
101
|
+
])
|
|
102
|
+
})
|
|
103
|
+
|
|
104
|
+
test("fromConfig - mixed string and object values", () => {
|
|
105
|
+
const result = Permission.fromConfig({
|
|
106
|
+
bash: { "*": "allow", rm: "deny" },
|
|
107
|
+
edit: "allow",
|
|
108
|
+
webfetch: "ask",
|
|
109
|
+
})
|
|
110
|
+
expect(result).toEqual([
|
|
111
|
+
{ permission: "bash", pattern: "*", action: "allow" },
|
|
112
|
+
{ permission: "bash", pattern: "rm", action: "deny" },
|
|
113
|
+
{ permission: "edit", pattern: "*", action: "allow" },
|
|
114
|
+
{ permission: "webfetch", pattern: "*", action: "ask" },
|
|
115
|
+
])
|
|
116
|
+
})
|
|
117
|
+
|
|
118
|
+
test("fromConfig - empty object", () => {
|
|
119
|
+
const result = Permission.fromConfig({})
|
|
120
|
+
expect(result).toEqual([])
|
|
121
|
+
})
|
|
122
|
+
|
|
123
|
+
test("fromConfig - expands tilde to home directory", () => {
|
|
124
|
+
const result = Permission.fromConfig({ external_directory: { "~/projects/*": "allow" } })
|
|
125
|
+
expect(result).toEqual([{ permission: "external_directory", pattern: `${os.homedir()}/projects/*`, action: "allow" }])
|
|
126
|
+
})
|
|
127
|
+
|
|
128
|
+
test("fromConfig - expands $HOME to home directory", () => {
|
|
129
|
+
const result = Permission.fromConfig({ external_directory: { "$HOME/projects/*": "allow" } })
|
|
130
|
+
expect(result).toEqual([{ permission: "external_directory", pattern: `${os.homedir()}/projects/*`, action: "allow" }])
|
|
131
|
+
})
|
|
132
|
+
|
|
133
|
+
test("fromConfig - expands $HOME without trailing slash", () => {
|
|
134
|
+
const result = Permission.fromConfig({ external_directory: { $HOME: "allow" } })
|
|
135
|
+
expect(result).toEqual([{ permission: "external_directory", pattern: os.homedir(), action: "allow" }])
|
|
136
|
+
})
|
|
137
|
+
|
|
138
|
+
test("fromConfig - does not expand tilde in middle of path", () => {
|
|
139
|
+
const result = Permission.fromConfig({ external_directory: { "/some/~/path": "allow" } })
|
|
140
|
+
expect(result).toEqual([{ permission: "external_directory", pattern: "/some/~/path", action: "allow" }])
|
|
141
|
+
})
|
|
142
|
+
|
|
143
|
+
// Permission precedence follows config insertion order. `evaluate()` uses the
|
|
144
|
+
// last matching rule, so later config entries intentionally override earlier
|
|
145
|
+
// entries even when a wildcard appears after a specific permission.
|
|
146
|
+
|
|
147
|
+
test("fromConfig - preserves top-level config key order", () => {
|
|
148
|
+
const wildcardFirst = Permission.fromConfig({ "*": "deny", bash: "allow" })
|
|
149
|
+
const specificFirst = Permission.fromConfig({ bash: "allow", "*": "deny" })
|
|
150
|
+
|
|
151
|
+
expect(wildcardFirst.map((r) => r.permission)).toEqual(["*", "bash"])
|
|
152
|
+
expect(specificFirst.map((r) => r.permission)).toEqual(["bash", "*"])
|
|
153
|
+
|
|
154
|
+
expect(Permission.evaluate("bash", "ls", wildcardFirst).action).toBe("allow")
|
|
155
|
+
expect(Permission.evaluate("bash", "ls", specificFirst).action).toBe("deny")
|
|
156
|
+
})
|
|
157
|
+
|
|
158
|
+
test("fromConfig - wildcard acts as fallback when it appears before specifics", () => {
|
|
159
|
+
const ruleset = Permission.fromConfig({ "*": "ask", bash: "allow" })
|
|
160
|
+
expect(Permission.evaluate("edit", "foo.ts", ruleset).action).toBe("ask")
|
|
161
|
+
expect(Permission.evaluate("bash", "ls", ruleset).action).toBe("allow")
|
|
162
|
+
})
|
|
163
|
+
|
|
164
|
+
test("fromConfig - top-level ordering is not sorted by wildcard specificity", () => {
|
|
165
|
+
const ruleset = Permission.fromConfig({
|
|
166
|
+
bash: "allow",
|
|
167
|
+
"*": "ask",
|
|
168
|
+
edit: "deny",
|
|
169
|
+
"mcp_*": "allow",
|
|
170
|
+
})
|
|
171
|
+
expect(ruleset.map((r) => r.permission)).toEqual(["bash", "*", "edit", "mcp_*"])
|
|
172
|
+
})
|
|
173
|
+
|
|
174
|
+
test("fromConfig - sub-pattern insertion order inside a tool key is preserved", () => {
|
|
175
|
+
const ruleset = Permission.fromConfig({ bash: { "*": "deny", "git *": "allow" } })
|
|
176
|
+
expect(ruleset.map((r) => r.pattern)).toEqual(["*", "git *"])
|
|
177
|
+
expect(Permission.evaluate("bash", "rm foo", ruleset).action).toBe("deny")
|
|
178
|
+
expect(Permission.evaluate("bash", "git status", ruleset).action).toBe("allow")
|
|
179
|
+
})
|
|
180
|
+
|
|
181
|
+
test("fromConfig - documented fallback-first example", () => {
|
|
182
|
+
const ruleset = Permission.fromConfig({ "*": "ask", bash: "allow", edit: "deny" })
|
|
183
|
+
expect(Permission.evaluate("bash", "ls", ruleset).action).toBe("allow")
|
|
184
|
+
expect(Permission.evaluate("edit", "foo.ts", ruleset).action).toBe("deny")
|
|
185
|
+
expect(Permission.evaluate("read", "foo.ts", ruleset).action).toBe("ask")
|
|
186
|
+
})
|
|
187
|
+
|
|
188
|
+
test("fromConfig - expands exact tilde to home directory", () => {
|
|
189
|
+
const result = Permission.fromConfig({ external_directory: { "~": "allow" } })
|
|
190
|
+
expect(result).toEqual([{ permission: "external_directory", pattern: os.homedir(), action: "allow" }])
|
|
191
|
+
})
|
|
192
|
+
|
|
193
|
+
test("evaluate - matches expanded tilde pattern", () => {
|
|
194
|
+
const ruleset = Permission.fromConfig({ external_directory: { "~/projects/*": "allow" } })
|
|
195
|
+
const result = Permission.evaluate("external_directory", `${os.homedir()}/projects/file.txt`, ruleset)
|
|
196
|
+
expect(result.action).toBe("allow")
|
|
197
|
+
})
|
|
198
|
+
|
|
199
|
+
test("evaluate - matches expanded $HOME pattern", () => {
|
|
200
|
+
const ruleset = Permission.fromConfig({ external_directory: { "$HOME/projects/*": "allow" } })
|
|
201
|
+
const result = Permission.evaluate("external_directory", `${os.homedir()}/projects/file.txt`, ruleset)
|
|
202
|
+
expect(result.action).toBe("allow")
|
|
203
|
+
})
|
|
204
|
+
|
|
205
|
+
// merge tests
|
|
206
|
+
|
|
207
|
+
test("merge - simple concatenation", () => {
|
|
208
|
+
const result = Permission.merge(
|
|
209
|
+
[{ permission: "bash", pattern: "*", action: "allow" }],
|
|
210
|
+
[{ permission: "bash", pattern: "*", action: "deny" }],
|
|
211
|
+
)
|
|
212
|
+
expect(result).toEqual([
|
|
213
|
+
{ permission: "bash", pattern: "*", action: "allow" },
|
|
214
|
+
{ permission: "bash", pattern: "*", action: "deny" },
|
|
215
|
+
])
|
|
216
|
+
})
|
|
217
|
+
|
|
218
|
+
test("merge - adds new permission", () => {
|
|
219
|
+
const result = Permission.merge(
|
|
220
|
+
[{ permission: "bash", pattern: "*", action: "allow" }],
|
|
221
|
+
[{ permission: "edit", pattern: "*", action: "deny" }],
|
|
222
|
+
)
|
|
223
|
+
expect(result).toEqual([
|
|
224
|
+
{ permission: "bash", pattern: "*", action: "allow" },
|
|
225
|
+
{ permission: "edit", pattern: "*", action: "deny" },
|
|
226
|
+
])
|
|
227
|
+
})
|
|
228
|
+
|
|
229
|
+
test("merge - concatenates rules for same permission", () => {
|
|
230
|
+
const result = Permission.merge(
|
|
231
|
+
[{ permission: "bash", pattern: "foo", action: "ask" }],
|
|
232
|
+
[{ permission: "bash", pattern: "*", action: "deny" }],
|
|
233
|
+
)
|
|
234
|
+
expect(result).toEqual([
|
|
235
|
+
{ permission: "bash", pattern: "foo", action: "ask" },
|
|
236
|
+
{ permission: "bash", pattern: "*", action: "deny" },
|
|
237
|
+
])
|
|
238
|
+
})
|
|
239
|
+
|
|
240
|
+
test("merge - multiple rulesets", () => {
|
|
241
|
+
const result = Permission.merge(
|
|
242
|
+
[{ permission: "bash", pattern: "*", action: "allow" }],
|
|
243
|
+
[{ permission: "bash", pattern: "rm", action: "ask" }],
|
|
244
|
+
[{ permission: "edit", pattern: "*", action: "allow" }],
|
|
245
|
+
)
|
|
246
|
+
expect(result).toEqual([
|
|
247
|
+
{ permission: "bash", pattern: "*", action: "allow" },
|
|
248
|
+
{ permission: "bash", pattern: "rm", action: "ask" },
|
|
249
|
+
{ permission: "edit", pattern: "*", action: "allow" },
|
|
250
|
+
])
|
|
251
|
+
})
|
|
252
|
+
|
|
253
|
+
test("merge - empty ruleset does nothing", () => {
|
|
254
|
+
const result = Permission.merge([{ permission: "bash", pattern: "*", action: "allow" }], [])
|
|
255
|
+
expect(result).toEqual([{ permission: "bash", pattern: "*", action: "allow" }])
|
|
256
|
+
})
|
|
257
|
+
|
|
258
|
+
test("merge - preserves rule order", () => {
|
|
259
|
+
const result = Permission.merge(
|
|
260
|
+
[
|
|
261
|
+
{ permission: "edit", pattern: "src/*", action: "allow" },
|
|
262
|
+
{ permission: "edit", pattern: "src/secret/*", action: "deny" },
|
|
263
|
+
],
|
|
264
|
+
[{ permission: "edit", pattern: "src/secret/ok.ts", action: "allow" }],
|
|
265
|
+
)
|
|
266
|
+
expect(result).toEqual([
|
|
267
|
+
{ permission: "edit", pattern: "src/*", action: "allow" },
|
|
268
|
+
{ permission: "edit", pattern: "src/secret/*", action: "deny" },
|
|
269
|
+
{ permission: "edit", pattern: "src/secret/ok.ts", action: "allow" },
|
|
270
|
+
])
|
|
271
|
+
})
|
|
272
|
+
|
|
273
|
+
test("merge - config permission overrides default ask", () => {
|
|
274
|
+
const defaults: Permission.Ruleset = [{ permission: "*", pattern: "*", action: "ask" }]
|
|
275
|
+
const config: Permission.Ruleset = [{ permission: "bash", pattern: "*", action: "allow" }]
|
|
276
|
+
const merged = Permission.merge(defaults, config)
|
|
277
|
+
|
|
278
|
+
expect(Permission.evaluate("bash", "ls", merged).action).toBe("allow")
|
|
279
|
+
expect(Permission.evaluate("edit", "foo.ts", merged).action).toBe("ask")
|
|
280
|
+
})
|
|
281
|
+
|
|
282
|
+
test("merge - config ask overrides default allow", () => {
|
|
283
|
+
const defaults: Permission.Ruleset = [{ permission: "bash", pattern: "*", action: "allow" }]
|
|
284
|
+
const config: Permission.Ruleset = [{ permission: "bash", pattern: "*", action: "ask" }]
|
|
285
|
+
const merged = Permission.merge(defaults, config)
|
|
286
|
+
|
|
287
|
+
expect(Permission.evaluate("bash", "ls", merged).action).toBe("ask")
|
|
288
|
+
})
|
|
289
|
+
|
|
290
|
+
// evaluate tests
|
|
291
|
+
|
|
292
|
+
test("evaluate - exact pattern match", () => {
|
|
293
|
+
const result = Permission.evaluate("bash", "rm", [{ permission: "bash", pattern: "rm", action: "deny" }])
|
|
294
|
+
expect(result.action).toBe("deny")
|
|
295
|
+
})
|
|
296
|
+
|
|
297
|
+
test("evaluate - wildcard pattern match", () => {
|
|
298
|
+
const result = Permission.evaluate("bash", "rm", [{ permission: "bash", pattern: "*", action: "allow" }])
|
|
299
|
+
expect(result.action).toBe("allow")
|
|
300
|
+
})
|
|
301
|
+
|
|
302
|
+
test("evaluate - last matching rule wins", () => {
|
|
303
|
+
const result = Permission.evaluate("bash", "rm", [
|
|
304
|
+
{ permission: "bash", pattern: "*", action: "allow" },
|
|
305
|
+
{ permission: "bash", pattern: "rm", action: "deny" },
|
|
306
|
+
])
|
|
307
|
+
expect(result.action).toBe("deny")
|
|
308
|
+
})
|
|
309
|
+
|
|
310
|
+
test("evaluate - last matching rule wins (wildcard after specific)", () => {
|
|
311
|
+
const result = Permission.evaluate("bash", "rm", [
|
|
312
|
+
{ permission: "bash", pattern: "rm", action: "deny" },
|
|
313
|
+
{ permission: "bash", pattern: "*", action: "allow" },
|
|
314
|
+
])
|
|
315
|
+
expect(result.action).toBe("allow")
|
|
316
|
+
})
|
|
317
|
+
|
|
318
|
+
test("evaluate - glob pattern match", () => {
|
|
319
|
+
const result = Permission.evaluate("edit", "src/foo.ts", [{ permission: "edit", pattern: "src/*", action: "allow" }])
|
|
320
|
+
expect(result.action).toBe("allow")
|
|
321
|
+
})
|
|
322
|
+
|
|
323
|
+
test("evaluate - last matching glob wins", () => {
|
|
324
|
+
const result = Permission.evaluate("edit", "src/components/Button.tsx", [
|
|
325
|
+
{ permission: "edit", pattern: "src/*", action: "deny" },
|
|
326
|
+
{ permission: "edit", pattern: "src/components/*", action: "allow" },
|
|
327
|
+
])
|
|
328
|
+
expect(result.action).toBe("allow")
|
|
329
|
+
})
|
|
330
|
+
|
|
331
|
+
test("evaluate - order matters for specificity", () => {
|
|
332
|
+
const result = Permission.evaluate("edit", "src/components/Button.tsx", [
|
|
333
|
+
{ permission: "edit", pattern: "src/components/*", action: "allow" },
|
|
334
|
+
{ permission: "edit", pattern: "src/*", action: "deny" },
|
|
335
|
+
])
|
|
336
|
+
expect(result.action).toBe("deny")
|
|
337
|
+
})
|
|
338
|
+
|
|
339
|
+
test("evaluate - unknown permission returns ask", () => {
|
|
340
|
+
const result = Permission.evaluate("unknown_tool", "anything", [
|
|
341
|
+
{ permission: "bash", pattern: "*", action: "allow" },
|
|
342
|
+
])
|
|
343
|
+
expect(result.action).toBe("ask")
|
|
344
|
+
})
|
|
345
|
+
|
|
346
|
+
test("evaluate - empty ruleset returns ask", () => {
|
|
347
|
+
const result = Permission.evaluate("bash", "rm", [])
|
|
348
|
+
expect(result.action).toBe("ask")
|
|
349
|
+
})
|
|
350
|
+
|
|
351
|
+
test("evaluate - no matching pattern returns ask", () => {
|
|
352
|
+
const result = Permission.evaluate("edit", "etc/passwd", [{ permission: "edit", pattern: "src/*", action: "allow" }])
|
|
353
|
+
expect(result.action).toBe("ask")
|
|
354
|
+
})
|
|
355
|
+
|
|
356
|
+
test("evaluate - empty rules array returns ask", () => {
|
|
357
|
+
const result = Permission.evaluate("bash", "rm", [])
|
|
358
|
+
expect(result.action).toBe("ask")
|
|
359
|
+
})
|
|
360
|
+
|
|
361
|
+
test("evaluate - multiple matching patterns, last wins", () => {
|
|
362
|
+
const result = Permission.evaluate("edit", "src/secret.ts", [
|
|
363
|
+
{ permission: "edit", pattern: "*", action: "ask" },
|
|
364
|
+
{ permission: "edit", pattern: "src/*", action: "allow" },
|
|
365
|
+
{ permission: "edit", pattern: "src/secret.ts", action: "deny" },
|
|
366
|
+
])
|
|
367
|
+
expect(result.action).toBe("deny")
|
|
368
|
+
})
|
|
369
|
+
|
|
370
|
+
test("evaluate - non-matching patterns are skipped", () => {
|
|
371
|
+
const result = Permission.evaluate("edit", "src/foo.ts", [
|
|
372
|
+
{ permission: "edit", pattern: "*", action: "ask" },
|
|
373
|
+
{ permission: "edit", pattern: "test/*", action: "deny" },
|
|
374
|
+
{ permission: "edit", pattern: "src/*", action: "allow" },
|
|
375
|
+
])
|
|
376
|
+
expect(result.action).toBe("allow")
|
|
377
|
+
})
|
|
378
|
+
|
|
379
|
+
test("evaluate - exact match at end wins over earlier wildcard", () => {
|
|
380
|
+
const result = Permission.evaluate("bash", "/bin/rm", [
|
|
381
|
+
{ permission: "bash", pattern: "*", action: "allow" },
|
|
382
|
+
{ permission: "bash", pattern: "/bin/rm", action: "deny" },
|
|
383
|
+
])
|
|
384
|
+
expect(result.action).toBe("deny")
|
|
385
|
+
})
|
|
386
|
+
|
|
387
|
+
test("evaluate - wildcard at end overrides earlier exact match", () => {
|
|
388
|
+
const result = Permission.evaluate("bash", "/bin/rm", [
|
|
389
|
+
{ permission: "bash", pattern: "/bin/rm", action: "deny" },
|
|
390
|
+
{ permission: "bash", pattern: "*", action: "allow" },
|
|
391
|
+
])
|
|
392
|
+
expect(result.action).toBe("allow")
|
|
393
|
+
})
|
|
394
|
+
|
|
395
|
+
// wildcard permission tests
|
|
396
|
+
|
|
397
|
+
test("evaluate - wildcard permission matches any permission", () => {
|
|
398
|
+
const result = Permission.evaluate("bash", "rm", [{ permission: "*", pattern: "*", action: "deny" }])
|
|
399
|
+
expect(result.action).toBe("deny")
|
|
400
|
+
})
|
|
401
|
+
|
|
402
|
+
test("evaluate - wildcard permission with specific pattern", () => {
|
|
403
|
+
const result = Permission.evaluate("bash", "rm", [{ permission: "*", pattern: "rm", action: "deny" }])
|
|
404
|
+
expect(result.action).toBe("deny")
|
|
405
|
+
})
|
|
406
|
+
|
|
407
|
+
test("evaluate - glob permission pattern", () => {
|
|
408
|
+
const result = Permission.evaluate("mcp_server_tool", "anything", [
|
|
409
|
+
{ permission: "mcp_*", pattern: "*", action: "allow" },
|
|
410
|
+
])
|
|
411
|
+
expect(result.action).toBe("allow")
|
|
412
|
+
})
|
|
413
|
+
|
|
414
|
+
test("evaluate - specific permission and wildcard permission combined", () => {
|
|
415
|
+
const result = Permission.evaluate("bash", "rm", [
|
|
416
|
+
{ permission: "*", pattern: "*", action: "deny" },
|
|
417
|
+
{ permission: "bash", pattern: "*", action: "allow" },
|
|
418
|
+
])
|
|
419
|
+
expect(result.action).toBe("allow")
|
|
420
|
+
})
|
|
421
|
+
|
|
422
|
+
test("evaluate - wildcard permission does not match when specific exists", () => {
|
|
423
|
+
const result = Permission.evaluate("edit", "src/foo.ts", [
|
|
424
|
+
{ permission: "*", pattern: "*", action: "deny" },
|
|
425
|
+
{ permission: "edit", pattern: "src/*", action: "allow" },
|
|
426
|
+
])
|
|
427
|
+
expect(result.action).toBe("allow")
|
|
428
|
+
})
|
|
429
|
+
|
|
430
|
+
test("evaluate - multiple matching permission patterns combine rules", () => {
|
|
431
|
+
const result = Permission.evaluate("mcp_dangerous", "anything", [
|
|
432
|
+
{ permission: "*", pattern: "*", action: "ask" },
|
|
433
|
+
{ permission: "mcp_*", pattern: "*", action: "allow" },
|
|
434
|
+
{ permission: "mcp_dangerous", pattern: "*", action: "deny" },
|
|
435
|
+
])
|
|
436
|
+
expect(result.action).toBe("deny")
|
|
437
|
+
})
|
|
438
|
+
|
|
439
|
+
test("evaluate - wildcard permission fallback for unknown tool", () => {
|
|
440
|
+
const result = Permission.evaluate("unknown_tool", "anything", [
|
|
441
|
+
{ permission: "*", pattern: "*", action: "ask" },
|
|
442
|
+
{ permission: "bash", pattern: "*", action: "allow" },
|
|
443
|
+
])
|
|
444
|
+
expect(result.action).toBe("ask")
|
|
445
|
+
})
|
|
446
|
+
|
|
447
|
+
test("evaluate - later wildcard permission can override earlier specific permission", () => {
|
|
448
|
+
const result = Permission.evaluate("bash", "rm", [
|
|
449
|
+
{ permission: "bash", pattern: "*", action: "allow" },
|
|
450
|
+
{ permission: "*", pattern: "*", action: "deny" },
|
|
451
|
+
])
|
|
452
|
+
expect(result.action).toBe("deny")
|
|
453
|
+
})
|
|
454
|
+
|
|
455
|
+
test("evaluate - merges multiple rulesets", () => {
|
|
456
|
+
const config: Permission.Ruleset = [{ permission: "bash", pattern: "*", action: "allow" }]
|
|
457
|
+
const approved: Permission.Ruleset = [{ permission: "bash", pattern: "rm", action: "deny" }]
|
|
458
|
+
const result = Permission.evaluate("bash", "rm", config, approved)
|
|
459
|
+
expect(result.action).toBe("deny")
|
|
460
|
+
})
|
|
461
|
+
|
|
462
|
+
// disabled tests
|
|
463
|
+
|
|
464
|
+
test("disabled - returns empty set when all tools allowed", () => {
|
|
465
|
+
const result = Permission.disabled(["bash", "edit", "read"], [{ permission: "*", pattern: "*", action: "allow" }])
|
|
466
|
+
expect(result.size).toBe(0)
|
|
467
|
+
})
|
|
468
|
+
|
|
469
|
+
test("disabled - disables tool when denied", () => {
|
|
470
|
+
const result = Permission.disabled(
|
|
471
|
+
["bash", "edit", "read"],
|
|
472
|
+
[
|
|
473
|
+
{ permission: "*", pattern: "*", action: "allow" },
|
|
474
|
+
{ permission: "bash", pattern: "*", action: "deny" },
|
|
475
|
+
],
|
|
476
|
+
)
|
|
477
|
+
expect(result.has("bash")).toBe(true)
|
|
478
|
+
expect(result.has("edit")).toBe(false)
|
|
479
|
+
expect(result.has("read")).toBe(false)
|
|
480
|
+
})
|
|
481
|
+
|
|
482
|
+
test("disabled - disables edit/write/apply_patch when edit denied", () => {
|
|
483
|
+
const result = Permission.disabled(
|
|
484
|
+
["edit", "write", "apply_patch", "bash"],
|
|
485
|
+
[
|
|
486
|
+
{ permission: "*", pattern: "*", action: "allow" },
|
|
487
|
+
{ permission: "edit", pattern: "*", action: "deny" },
|
|
488
|
+
],
|
|
489
|
+
)
|
|
490
|
+
expect(result.has("edit")).toBe(true)
|
|
491
|
+
expect(result.has("write")).toBe(true)
|
|
492
|
+
expect(result.has("apply_patch")).toBe(true)
|
|
493
|
+
expect(result.has("bash")).toBe(false)
|
|
494
|
+
})
|
|
495
|
+
|
|
496
|
+
test("disabled - does not disable when partially denied", () => {
|
|
497
|
+
const result = Permission.disabled(
|
|
498
|
+
["bash"],
|
|
499
|
+
[
|
|
500
|
+
{ permission: "bash", pattern: "*", action: "allow" },
|
|
501
|
+
{ permission: "bash", pattern: "rm *", action: "deny" },
|
|
502
|
+
],
|
|
503
|
+
)
|
|
504
|
+
expect(result.has("bash")).toBe(false)
|
|
505
|
+
})
|
|
506
|
+
|
|
507
|
+
test("disabled - does not disable when action is ask", () => {
|
|
508
|
+
const result = Permission.disabled(["bash", "edit"], [{ permission: "*", pattern: "*", action: "ask" }])
|
|
509
|
+
expect(result.size).toBe(0)
|
|
510
|
+
})
|
|
511
|
+
|
|
512
|
+
test("disabled - does not disable when specific allow after wildcard deny", () => {
|
|
513
|
+
const result = Permission.disabled(
|
|
514
|
+
["bash"],
|
|
515
|
+
[
|
|
516
|
+
{ permission: "bash", pattern: "*", action: "deny" },
|
|
517
|
+
{ permission: "bash", pattern: "echo *", action: "allow" },
|
|
518
|
+
],
|
|
519
|
+
)
|
|
520
|
+
expect(result.has("bash")).toBe(false)
|
|
521
|
+
})
|
|
522
|
+
|
|
523
|
+
test("disabled - does not disable when wildcard allow after deny", () => {
|
|
524
|
+
const result = Permission.disabled(
|
|
525
|
+
["bash"],
|
|
526
|
+
[
|
|
527
|
+
{ permission: "bash", pattern: "rm *", action: "deny" },
|
|
528
|
+
{ permission: "bash", pattern: "*", action: "allow" },
|
|
529
|
+
],
|
|
530
|
+
)
|
|
531
|
+
expect(result.has("bash")).toBe(false)
|
|
532
|
+
})
|
|
533
|
+
|
|
534
|
+
test("disabled - disables multiple tools", () => {
|
|
535
|
+
const result = Permission.disabled(
|
|
536
|
+
["bash", "edit", "webfetch"],
|
|
537
|
+
[
|
|
538
|
+
{ permission: "bash", pattern: "*", action: "deny" },
|
|
539
|
+
{ permission: "edit", pattern: "*", action: "deny" },
|
|
540
|
+
{ permission: "webfetch", pattern: "*", action: "deny" },
|
|
541
|
+
],
|
|
542
|
+
)
|
|
543
|
+
expect(result.has("bash")).toBe(true)
|
|
544
|
+
expect(result.has("edit")).toBe(true)
|
|
545
|
+
expect(result.has("webfetch")).toBe(true)
|
|
546
|
+
})
|
|
547
|
+
|
|
548
|
+
test("disabled - wildcard permission denies all tools", () => {
|
|
549
|
+
const result = Permission.disabled(["bash", "edit", "read"], [{ permission: "*", pattern: "*", action: "deny" }])
|
|
550
|
+
expect(result.has("bash")).toBe(true)
|
|
551
|
+
expect(result.has("edit")).toBe(true)
|
|
552
|
+
expect(result.has("read")).toBe(true)
|
|
553
|
+
})
|
|
554
|
+
|
|
555
|
+
test("disabled - specific allow overrides wildcard deny", () => {
|
|
556
|
+
const result = Permission.disabled(
|
|
557
|
+
["bash", "edit", "read"],
|
|
558
|
+
[
|
|
559
|
+
{ permission: "*", pattern: "*", action: "deny" },
|
|
560
|
+
{ permission: "bash", pattern: "*", action: "allow" },
|
|
561
|
+
],
|
|
562
|
+
)
|
|
563
|
+
expect(result.has("bash")).toBe(false)
|
|
564
|
+
expect(result.has("edit")).toBe(true)
|
|
565
|
+
expect(result.has("read")).toBe(true)
|
|
566
|
+
})
|
|
567
|
+
|
|
568
|
+
// ask tests
|
|
569
|
+
|
|
570
|
+
it.live("ask - resolves immediately when action is allow", () =>
|
|
571
|
+
withDir({ git: true }, () =>
|
|
572
|
+
Effect.gen(function* () {
|
|
573
|
+
const result = yield* ask({
|
|
574
|
+
sessionID: SessionID.make("session_test"),
|
|
575
|
+
permission: "bash",
|
|
576
|
+
patterns: ["ls"],
|
|
577
|
+
metadata: {},
|
|
578
|
+
always: [],
|
|
579
|
+
ruleset: [{ permission: "bash", pattern: "*", action: "allow" }],
|
|
580
|
+
})
|
|
581
|
+
expect(result).toBeUndefined()
|
|
582
|
+
}),
|
|
583
|
+
),
|
|
584
|
+
)
|
|
585
|
+
|
|
586
|
+
it.live("ask - throws DeniedError when action is deny", () =>
|
|
587
|
+
withDir({ git: true }, () =>
|
|
588
|
+
Effect.gen(function* () {
|
|
589
|
+
const err = yield* fail(
|
|
590
|
+
ask({
|
|
591
|
+
sessionID: SessionID.make("session_test"),
|
|
592
|
+
permission: "bash",
|
|
593
|
+
patterns: ["rm -rf /"],
|
|
594
|
+
metadata: {},
|
|
595
|
+
always: [],
|
|
596
|
+
ruleset: [{ permission: "bash", pattern: "*", action: "deny" }],
|
|
597
|
+
}),
|
|
598
|
+
)
|
|
599
|
+
expect(err).toBeInstanceOf(Permission.DeniedError)
|
|
600
|
+
}),
|
|
601
|
+
),
|
|
602
|
+
)
|
|
603
|
+
|
|
604
|
+
it.live("ask - stays pending when action is ask", () =>
|
|
605
|
+
withDir({ git: true }, () =>
|
|
606
|
+
Effect.gen(function* () {
|
|
607
|
+
const fiber = yield* ask({
|
|
608
|
+
sessionID: SessionID.make("session_test"),
|
|
609
|
+
permission: "bash",
|
|
610
|
+
patterns: ["ls"],
|
|
611
|
+
metadata: {},
|
|
612
|
+
always: [],
|
|
613
|
+
ruleset: [{ permission: "bash", pattern: "*", action: "ask" }],
|
|
614
|
+
}).pipe(Effect.forkScoped)
|
|
615
|
+
|
|
616
|
+
expect(yield* waitForPending(1)).toHaveLength(1)
|
|
617
|
+
yield* rejectAll()
|
|
618
|
+
yield* Fiber.await(fiber)
|
|
619
|
+
}),
|
|
620
|
+
),
|
|
621
|
+
)
|
|
622
|
+
|
|
623
|
+
it.live("ask - adds request to pending list", () =>
|
|
624
|
+
withDir({ git: true }, () =>
|
|
625
|
+
Effect.gen(function* () {
|
|
626
|
+
const fiber = yield* ask({
|
|
627
|
+
sessionID: SessionID.make("session_test"),
|
|
628
|
+
permission: "bash",
|
|
629
|
+
patterns: ["ls"],
|
|
630
|
+
metadata: { cmd: "ls" },
|
|
631
|
+
always: ["ls"],
|
|
632
|
+
tool: {
|
|
633
|
+
messageID: MessageID.make("msg_test"),
|
|
634
|
+
callID: "call_test",
|
|
635
|
+
},
|
|
636
|
+
ruleset: [],
|
|
637
|
+
}).pipe(Effect.forkScoped)
|
|
638
|
+
|
|
639
|
+
const items = yield* waitForPending(1)
|
|
640
|
+
expect(items).toHaveLength(1)
|
|
641
|
+
expect(items[0]).toMatchObject({
|
|
642
|
+
sessionID: SessionID.make("session_test"),
|
|
643
|
+
permission: "bash",
|
|
644
|
+
patterns: ["ls"],
|
|
645
|
+
metadata: { cmd: "ls" },
|
|
646
|
+
always: ["ls"],
|
|
647
|
+
tool: {
|
|
648
|
+
messageID: MessageID.make("msg_test"),
|
|
649
|
+
callID: "call_test",
|
|
650
|
+
},
|
|
651
|
+
})
|
|
652
|
+
|
|
653
|
+
yield* rejectAll()
|
|
654
|
+
yield* Fiber.await(fiber)
|
|
655
|
+
}),
|
|
656
|
+
),
|
|
657
|
+
)
|
|
658
|
+
|
|
659
|
+
it.live("ask - publishes asked event", () =>
|
|
660
|
+
withDir({ git: true }, () =>
|
|
661
|
+
Effect.gen(function* () {
|
|
662
|
+
const bus = yield* Bus.Service
|
|
663
|
+
let seen: Permission.Request | undefined
|
|
664
|
+
const unsub = yield* bus.subscribeCallback(Permission.Event.Asked, (event) => {
|
|
665
|
+
seen = event.properties
|
|
666
|
+
})
|
|
667
|
+
|
|
668
|
+
try {
|
|
669
|
+
const fiber = yield* ask({
|
|
670
|
+
sessionID: SessionID.make("session_test"),
|
|
671
|
+
permission: "bash",
|
|
672
|
+
patterns: ["ls"],
|
|
673
|
+
metadata: { cmd: "ls" },
|
|
674
|
+
always: ["ls"],
|
|
675
|
+
tool: {
|
|
676
|
+
messageID: MessageID.make("msg_test"),
|
|
677
|
+
callID: "call_test",
|
|
678
|
+
},
|
|
679
|
+
ruleset: [],
|
|
680
|
+
}).pipe(Effect.forkScoped)
|
|
681
|
+
|
|
682
|
+
expect(yield* waitForPending(1)).toHaveLength(1)
|
|
683
|
+
expect(seen).toBeDefined()
|
|
684
|
+
expect(seen).toMatchObject({
|
|
685
|
+
sessionID: SessionID.make("session_test"),
|
|
686
|
+
permission: "bash",
|
|
687
|
+
patterns: ["ls"],
|
|
688
|
+
})
|
|
689
|
+
|
|
690
|
+
yield* rejectAll()
|
|
691
|
+
yield* Fiber.await(fiber)
|
|
692
|
+
} finally {
|
|
693
|
+
unsub()
|
|
694
|
+
}
|
|
695
|
+
}),
|
|
696
|
+
),
|
|
697
|
+
)
|
|
698
|
+
|
|
699
|
+
// reply tests
|
|
700
|
+
|
|
701
|
+
it.live("reply - once resolves the pending ask", () =>
|
|
702
|
+
withDir({ git: true }, () =>
|
|
703
|
+
Effect.gen(function* () {
|
|
704
|
+
const fiber = yield* ask({
|
|
705
|
+
id: PermissionID.make("per_test1"),
|
|
706
|
+
sessionID: SessionID.make("session_test"),
|
|
707
|
+
permission: "bash",
|
|
708
|
+
patterns: ["ls"],
|
|
709
|
+
metadata: {},
|
|
710
|
+
always: [],
|
|
711
|
+
ruleset: [],
|
|
712
|
+
}).pipe(Effect.forkScoped)
|
|
713
|
+
|
|
714
|
+
yield* waitForPending(1)
|
|
715
|
+
yield* reply({ requestID: PermissionID.make("per_test1"), reply: "once" })
|
|
716
|
+
yield* Fiber.join(fiber)
|
|
717
|
+
}),
|
|
718
|
+
),
|
|
719
|
+
)
|
|
720
|
+
|
|
721
|
+
it.live("reply - reject throws RejectedError", () =>
|
|
722
|
+
withDir({ git: true }, () =>
|
|
723
|
+
Effect.gen(function* () {
|
|
724
|
+
const fiber = yield* ask({
|
|
725
|
+
id: PermissionID.make("per_test2"),
|
|
726
|
+
sessionID: SessionID.make("session_test"),
|
|
727
|
+
permission: "bash",
|
|
728
|
+
patterns: ["ls"],
|
|
729
|
+
metadata: {},
|
|
730
|
+
always: [],
|
|
731
|
+
ruleset: [],
|
|
732
|
+
}).pipe(Effect.forkScoped)
|
|
733
|
+
|
|
734
|
+
yield* waitForPending(1)
|
|
735
|
+
yield* reply({ requestID: PermissionID.make("per_test2"), reply: "reject" })
|
|
736
|
+
|
|
737
|
+
const exit = yield* Fiber.await(fiber)
|
|
738
|
+
expect(Exit.isFailure(exit)).toBe(true)
|
|
739
|
+
if (Exit.isFailure(exit)) expect(Cause.squash(exit.cause)).toBeInstanceOf(Permission.RejectedError)
|
|
740
|
+
}),
|
|
741
|
+
),
|
|
742
|
+
)
|
|
743
|
+
|
|
744
|
+
it.live("reply - reject with message throws CorrectedError", () =>
|
|
745
|
+
withDir({ git: true }, () =>
|
|
746
|
+
Effect.gen(function* () {
|
|
747
|
+
const fiber = yield* ask({
|
|
748
|
+
id: PermissionID.make("per_test2b"),
|
|
749
|
+
sessionID: SessionID.make("session_test"),
|
|
750
|
+
permission: "bash",
|
|
751
|
+
patterns: ["ls"],
|
|
752
|
+
metadata: {},
|
|
753
|
+
always: [],
|
|
754
|
+
ruleset: [],
|
|
755
|
+
}).pipe(Effect.forkScoped)
|
|
756
|
+
|
|
757
|
+
yield* waitForPending(1)
|
|
758
|
+
yield* reply({
|
|
759
|
+
requestID: PermissionID.make("per_test2b"),
|
|
760
|
+
reply: "reject",
|
|
761
|
+
message: "Use a safer command",
|
|
762
|
+
})
|
|
763
|
+
|
|
764
|
+
const exit = yield* Fiber.await(fiber)
|
|
765
|
+
expect(Exit.isFailure(exit)).toBe(true)
|
|
766
|
+
if (Exit.isFailure(exit)) {
|
|
767
|
+
const err = Cause.squash(exit.cause)
|
|
768
|
+
expect(err).toBeInstanceOf(Permission.CorrectedError)
|
|
769
|
+
expect(String(err)).toContain("Use a safer command")
|
|
770
|
+
}
|
|
771
|
+
}),
|
|
772
|
+
),
|
|
773
|
+
)
|
|
774
|
+
|
|
775
|
+
it.live("reply - always persists approval and resolves", () =>
|
|
776
|
+
Effect.gen(function* () {
|
|
777
|
+
const dir = yield* tmpdirScoped({ git: true })
|
|
778
|
+
const run = withProvided(dir)
|
|
779
|
+
const fiber = yield* ask({
|
|
780
|
+
id: PermissionID.make("per_test3"),
|
|
781
|
+
sessionID: SessionID.make("session_test"),
|
|
782
|
+
permission: "bash",
|
|
783
|
+
patterns: ["ls"],
|
|
784
|
+
metadata: {},
|
|
785
|
+
always: ["ls"],
|
|
786
|
+
ruleset: [],
|
|
787
|
+
}).pipe(run, Effect.forkScoped)
|
|
788
|
+
|
|
789
|
+
yield* waitForPending(1).pipe(run)
|
|
790
|
+
yield* reply({ requestID: PermissionID.make("per_test3"), reply: "always" }).pipe(run)
|
|
791
|
+
yield* Fiber.join(fiber)
|
|
792
|
+
|
|
793
|
+
const result = yield* ask({
|
|
794
|
+
sessionID: SessionID.make("session_test2"),
|
|
795
|
+
permission: "bash",
|
|
796
|
+
patterns: ["ls"],
|
|
797
|
+
metadata: {},
|
|
798
|
+
always: [],
|
|
799
|
+
ruleset: [],
|
|
800
|
+
}).pipe(run)
|
|
801
|
+
expect(result).toBeUndefined()
|
|
802
|
+
}),
|
|
803
|
+
)
|
|
804
|
+
it.live("allowEverything - session-scoped enable stays within one session", () =>
|
|
805
|
+
withDir({ git: true }, () =>
|
|
806
|
+
Effect.gen(function* () {
|
|
807
|
+
const permission = yield* Permission.Service
|
|
808
|
+
|
|
809
|
+
const first = yield* ask({
|
|
810
|
+
id: PermissionID.make("permission_session_allow"),
|
|
811
|
+
sessionID: SessionID.make("session_allowed"),
|
|
812
|
+
permission: "bash",
|
|
813
|
+
patterns: ["pwd"],
|
|
814
|
+
metadata: {},
|
|
815
|
+
always: [],
|
|
816
|
+
ruleset: [],
|
|
817
|
+
}).pipe(Effect.forkScoped)
|
|
818
|
+
|
|
819
|
+
yield* waitForPending(1)
|
|
820
|
+
yield* permission.allowEverything({
|
|
821
|
+
enable: true,
|
|
822
|
+
requestID: "permission_session_allow",
|
|
823
|
+
sessionID: "session_allowed",
|
|
824
|
+
})
|
|
825
|
+
|
|
826
|
+
yield* Fiber.join(first)
|
|
827
|
+
|
|
828
|
+
const allowed = yield* ask({
|
|
829
|
+
sessionID: SessionID.make("session_allowed"),
|
|
830
|
+
permission: "bash",
|
|
831
|
+
patterns: ["ls"],
|
|
832
|
+
metadata: {},
|
|
833
|
+
always: [],
|
|
834
|
+
ruleset: [],
|
|
835
|
+
})
|
|
836
|
+
expect(allowed).toBeUndefined()
|
|
837
|
+
|
|
838
|
+
const blocked = yield* ask({
|
|
839
|
+
id: PermissionID.make("permission_session_blocked"),
|
|
840
|
+
sessionID: SessionID.make("session_blocked"),
|
|
841
|
+
permission: "bash",
|
|
842
|
+
patterns: ["ls"],
|
|
843
|
+
metadata: {},
|
|
844
|
+
always: [],
|
|
845
|
+
ruleset: [],
|
|
846
|
+
}).pipe(Effect.forkScoped)
|
|
847
|
+
|
|
848
|
+
yield* waitForPending(1)
|
|
849
|
+
yield* reply({
|
|
850
|
+
requestID: PermissionID.make("permission_session_blocked"),
|
|
851
|
+
reply: "reject",
|
|
852
|
+
})
|
|
853
|
+
|
|
854
|
+
const exit = yield* Fiber.await(blocked)
|
|
855
|
+
expect(Exit.isFailure(exit)).toBe(true)
|
|
856
|
+
if (Exit.isFailure(exit)) {
|
|
857
|
+
expect(Cause.squash(exit.cause)).toBeInstanceOf(Permission.RejectedError)
|
|
858
|
+
}
|
|
859
|
+
}),
|
|
860
|
+
),
|
|
861
|
+
)
|
|
862
|
+
|
|
863
|
+
it.live("reply - reject cancels all pending for same session", () =>
|
|
864
|
+
withDir({ git: true }, () =>
|
|
865
|
+
Effect.gen(function* () {
|
|
866
|
+
const a = yield* ask({
|
|
867
|
+
id: PermissionID.make("per_test4a"),
|
|
868
|
+
sessionID: SessionID.make("session_same"),
|
|
869
|
+
permission: "bash",
|
|
870
|
+
patterns: ["ls"],
|
|
871
|
+
metadata: {},
|
|
872
|
+
always: [],
|
|
873
|
+
ruleset: [],
|
|
874
|
+
}).pipe(Effect.forkScoped)
|
|
875
|
+
|
|
876
|
+
const b = yield* ask({
|
|
877
|
+
id: PermissionID.make("per_test4b"),
|
|
878
|
+
sessionID: SessionID.make("session_same"),
|
|
879
|
+
permission: "edit",
|
|
880
|
+
patterns: ["foo.ts"],
|
|
881
|
+
metadata: {},
|
|
882
|
+
always: [],
|
|
883
|
+
ruleset: [],
|
|
884
|
+
}).pipe(Effect.forkScoped)
|
|
885
|
+
|
|
886
|
+
yield* waitForPending(2)
|
|
887
|
+
yield* reply({ requestID: PermissionID.make("per_test4a"), reply: "reject" })
|
|
888
|
+
|
|
889
|
+
const [ea, eb] = yield* Effect.all([Fiber.await(a), Fiber.await(b)])
|
|
890
|
+
expect(Exit.isFailure(ea)).toBe(true)
|
|
891
|
+
expect(Exit.isFailure(eb)).toBe(true)
|
|
892
|
+
if (Exit.isFailure(ea)) expect(Cause.squash(ea.cause)).toBeInstanceOf(Permission.RejectedError)
|
|
893
|
+
if (Exit.isFailure(eb)) expect(Cause.squash(eb.cause)).toBeInstanceOf(Permission.RejectedError)
|
|
894
|
+
}),
|
|
895
|
+
),
|
|
896
|
+
)
|
|
897
|
+
|
|
898
|
+
it.live("reply - always resolves matching pending requests in same session", () =>
|
|
899
|
+
withDir({ git: true }, () =>
|
|
900
|
+
Effect.gen(function* () {
|
|
901
|
+
const a = yield* ask({
|
|
902
|
+
id: PermissionID.make("per_test5a"),
|
|
903
|
+
sessionID: SessionID.make("session_same"),
|
|
904
|
+
permission: "bash",
|
|
905
|
+
patterns: ["ls"],
|
|
906
|
+
metadata: {},
|
|
907
|
+
always: ["ls"],
|
|
908
|
+
ruleset: [],
|
|
909
|
+
}).pipe(Effect.forkScoped)
|
|
910
|
+
|
|
911
|
+
const b = yield* ask({
|
|
912
|
+
id: PermissionID.make("per_test5b"),
|
|
913
|
+
sessionID: SessionID.make("session_same"),
|
|
914
|
+
permission: "bash",
|
|
915
|
+
patterns: ["ls"],
|
|
916
|
+
metadata: {},
|
|
917
|
+
always: [],
|
|
918
|
+
ruleset: [],
|
|
919
|
+
}).pipe(Effect.forkScoped)
|
|
920
|
+
|
|
921
|
+
yield* waitForPending(2)
|
|
922
|
+
yield* reply({ requestID: PermissionID.make("per_test5a"), reply: "always" })
|
|
923
|
+
|
|
924
|
+
yield* Fiber.join(a)
|
|
925
|
+
yield* Fiber.join(b)
|
|
926
|
+
expect(yield* list()).toHaveLength(0)
|
|
927
|
+
}),
|
|
928
|
+
),
|
|
929
|
+
)
|
|
930
|
+
it.live("reply - always resolves matching pending requests from other sessions", () =>
|
|
931
|
+
withDir({ git: true }, () =>
|
|
932
|
+
Effect.gen(function* () {
|
|
933
|
+
const a = yield* ask({
|
|
934
|
+
id: PermissionID.make("per_test6a"),
|
|
935
|
+
sessionID: SessionID.make("session_a"),
|
|
936
|
+
permission: "bash",
|
|
937
|
+
patterns: ["ls"],
|
|
938
|
+
metadata: {},
|
|
939
|
+
always: ["ls"],
|
|
940
|
+
ruleset: [],
|
|
941
|
+
}).pipe(Effect.forkScoped)
|
|
942
|
+
|
|
943
|
+
const b = yield* ask({
|
|
944
|
+
id: PermissionID.make("per_test6b"),
|
|
945
|
+
sessionID: SessionID.make("session_b"),
|
|
946
|
+
permission: "bash",
|
|
947
|
+
patterns: ["ls"],
|
|
948
|
+
metadata: {},
|
|
949
|
+
always: [],
|
|
950
|
+
ruleset: [],
|
|
951
|
+
}).pipe(Effect.forkScoped)
|
|
952
|
+
|
|
953
|
+
yield* waitForPending(2)
|
|
954
|
+
yield* reply({ requestID: PermissionID.make("per_test6a"), reply: "always" })
|
|
955
|
+
|
|
956
|
+
yield* Fiber.join(a)
|
|
957
|
+
yield* Fiber.join(b)
|
|
958
|
+
expect(yield* list()).toHaveLength(0)
|
|
959
|
+
}),
|
|
960
|
+
),
|
|
961
|
+
)
|
|
962
|
+
|
|
963
|
+
it.live("reply - always does not resolve dangerous variants from other sessions", () =>
|
|
964
|
+
withDir({ git: true }, () =>
|
|
965
|
+
Effect.gen(function* () {
|
|
966
|
+
const a = yield* ask({
|
|
967
|
+
id: PermissionID.make("per_test_safe_a"),
|
|
968
|
+
sessionID: SessionID.make("session_a"),
|
|
969
|
+
permission: "bash",
|
|
970
|
+
patterns: ["npm test"],
|
|
971
|
+
metadata: {},
|
|
972
|
+
always: ["npm test"],
|
|
973
|
+
ruleset: [],
|
|
974
|
+
}).pipe(Effect.forkScoped)
|
|
975
|
+
|
|
976
|
+
const b = yield* ask({
|
|
977
|
+
id: PermissionID.make("per_test_safe_b"),
|
|
978
|
+
sessionID: SessionID.make("session_b"),
|
|
979
|
+
permission: "bash",
|
|
980
|
+
patterns: ["npm test > ~/.ssh/authorized_keys"],
|
|
981
|
+
metadata: {},
|
|
982
|
+
always: [],
|
|
983
|
+
ruleset: [],
|
|
984
|
+
}).pipe(Effect.forkScoped)
|
|
985
|
+
|
|
986
|
+
yield* waitForPending(2)
|
|
987
|
+
yield* reply({ requestID: PermissionID.make("per_test_safe_a"), reply: "always" })
|
|
988
|
+
|
|
989
|
+
yield* Fiber.join(a)
|
|
990
|
+
expect((yield* list()).map((item) => item.id)).toEqual([PermissionID.make("per_test_safe_b")])
|
|
991
|
+
|
|
992
|
+
yield* rejectAll()
|
|
993
|
+
yield* Fiber.await(b)
|
|
994
|
+
}),
|
|
995
|
+
),
|
|
996
|
+
)
|
|
997
|
+
|
|
998
|
+
it.live("reply - publishes replied event", () =>
|
|
999
|
+
withDir({ git: true }, () =>
|
|
1000
|
+
Effect.gen(function* () {
|
|
1001
|
+
const bus = yield* Bus.Service
|
|
1002
|
+
let resolve!: (value: { sessionID: SessionID; requestID: PermissionID; reply: Permission.Reply }) => void
|
|
1003
|
+
const seen = Effect.promise<{
|
|
1004
|
+
sessionID: SessionID
|
|
1005
|
+
requestID: PermissionID
|
|
1006
|
+
reply: Permission.Reply
|
|
1007
|
+
}>(
|
|
1008
|
+
() =>
|
|
1009
|
+
new Promise((res) => {
|
|
1010
|
+
resolve = res
|
|
1011
|
+
}),
|
|
1012
|
+
)
|
|
1013
|
+
|
|
1014
|
+
const fiber = yield* ask({
|
|
1015
|
+
id: PermissionID.make("per_test7"),
|
|
1016
|
+
sessionID: SessionID.make("session_test"),
|
|
1017
|
+
permission: "bash",
|
|
1018
|
+
patterns: ["ls"],
|
|
1019
|
+
metadata: {},
|
|
1020
|
+
always: [],
|
|
1021
|
+
ruleset: [],
|
|
1022
|
+
}).pipe(Effect.forkScoped)
|
|
1023
|
+
|
|
1024
|
+
yield* waitForPending(1)
|
|
1025
|
+
|
|
1026
|
+
const unsub = yield* bus.subscribeCallback(Permission.Event.Replied, (event) => {
|
|
1027
|
+
resolve(event.properties)
|
|
1028
|
+
})
|
|
1029
|
+
|
|
1030
|
+
try {
|
|
1031
|
+
yield* reply({ requestID: PermissionID.make("per_test7"), reply: "once" })
|
|
1032
|
+
yield* Fiber.join(fiber)
|
|
1033
|
+
expect(yield* seen).toEqual({
|
|
1034
|
+
sessionID: SessionID.make("session_test"),
|
|
1035
|
+
requestID: PermissionID.make("per_test7"),
|
|
1036
|
+
reply: "once",
|
|
1037
|
+
})
|
|
1038
|
+
} finally {
|
|
1039
|
+
unsub()
|
|
1040
|
+
}
|
|
1041
|
+
}),
|
|
1042
|
+
),
|
|
1043
|
+
)
|
|
1044
|
+
|
|
1045
|
+
it.live("permission requests stay isolated by directory", () =>
|
|
1046
|
+
Effect.gen(function* () {
|
|
1047
|
+
const one = yield* tmpdirScoped({ git: true })
|
|
1048
|
+
const two = yield* tmpdirScoped({ git: true })
|
|
1049
|
+
const runOne = withProvided(one)
|
|
1050
|
+
const runTwo = withProvided(two)
|
|
1051
|
+
|
|
1052
|
+
const a = yield* ask({
|
|
1053
|
+
id: PermissionID.make("per_dir_a"),
|
|
1054
|
+
sessionID: SessionID.make("session_dir_a"),
|
|
1055
|
+
permission: "bash",
|
|
1056
|
+
patterns: ["ls"],
|
|
1057
|
+
metadata: {},
|
|
1058
|
+
always: [],
|
|
1059
|
+
ruleset: [],
|
|
1060
|
+
}).pipe(runOne, Effect.forkScoped)
|
|
1061
|
+
|
|
1062
|
+
const b = yield* ask({
|
|
1063
|
+
id: PermissionID.make("per_dir_b"),
|
|
1064
|
+
sessionID: SessionID.make("session_dir_b"),
|
|
1065
|
+
permission: "bash",
|
|
1066
|
+
patterns: ["pwd"],
|
|
1067
|
+
metadata: {},
|
|
1068
|
+
always: [],
|
|
1069
|
+
ruleset: [],
|
|
1070
|
+
}).pipe(runTwo, Effect.forkScoped)
|
|
1071
|
+
|
|
1072
|
+
const onePending = yield* waitForPending(1).pipe(runOne)
|
|
1073
|
+
const twoPending = yield* waitForPending(1).pipe(runTwo)
|
|
1074
|
+
expect(onePending).toHaveLength(1)
|
|
1075
|
+
expect(twoPending).toHaveLength(1)
|
|
1076
|
+
expect(onePending[0].id).toBe(PermissionID.make("per_dir_a"))
|
|
1077
|
+
expect(twoPending[0].id).toBe(PermissionID.make("per_dir_b"))
|
|
1078
|
+
|
|
1079
|
+
yield* reply({ requestID: onePending[0].id, reply: "reject" }).pipe(runOne)
|
|
1080
|
+
yield* reply({ requestID: twoPending[0].id, reply: "reject" }).pipe(runTwo)
|
|
1081
|
+
|
|
1082
|
+
yield* Fiber.await(a)
|
|
1083
|
+
yield* Fiber.await(b)
|
|
1084
|
+
}),
|
|
1085
|
+
)
|
|
1086
|
+
|
|
1087
|
+
it.live("pending permission rejects on instance dispose", () =>
|
|
1088
|
+
Effect.gen(function* () {
|
|
1089
|
+
const dir = yield* tmpdirScoped({ git: true })
|
|
1090
|
+
const run = withProvided(dir)
|
|
1091
|
+
const fiber = yield* ask({
|
|
1092
|
+
id: PermissionID.make("per_dispose"),
|
|
1093
|
+
sessionID: SessionID.make("session_dispose"),
|
|
1094
|
+
permission: "bash",
|
|
1095
|
+
patterns: ["ls"],
|
|
1096
|
+
metadata: {},
|
|
1097
|
+
always: [],
|
|
1098
|
+
ruleset: [],
|
|
1099
|
+
}).pipe(run, Effect.forkScoped)
|
|
1100
|
+
|
|
1101
|
+
expect(yield* waitForPending(1).pipe(run)).toHaveLength(1)
|
|
1102
|
+
yield* Effect.promise(() =>
|
|
1103
|
+
Instance.provide({ directory: dir, fn: () => void InstanceStore.disposeInstance(Instance.current) }),
|
|
1104
|
+
)
|
|
1105
|
+
|
|
1106
|
+
const exit = yield* Fiber.await(fiber)
|
|
1107
|
+
expect(Exit.isFailure(exit)).toBe(true)
|
|
1108
|
+
if (Exit.isFailure(exit)) expect(Cause.squash(exit.cause)).toBeInstanceOf(Permission.RejectedError)
|
|
1109
|
+
}),
|
|
1110
|
+
)
|
|
1111
|
+
|
|
1112
|
+
it.live("pending permission rejects on instance reload", () =>
|
|
1113
|
+
Effect.gen(function* () {
|
|
1114
|
+
const dir = yield* tmpdirScoped({ git: true })
|
|
1115
|
+
const run = withProvided(dir)
|
|
1116
|
+
const fiber = yield* ask({
|
|
1117
|
+
id: PermissionID.make("per_reload"),
|
|
1118
|
+
sessionID: SessionID.make("session_reload"),
|
|
1119
|
+
permission: "bash",
|
|
1120
|
+
patterns: ["ls"],
|
|
1121
|
+
metadata: {},
|
|
1122
|
+
always: [],
|
|
1123
|
+
ruleset: [],
|
|
1124
|
+
}).pipe(run, Effect.forkScoped)
|
|
1125
|
+
|
|
1126
|
+
expect(yield* waitForPending(1).pipe(run)).toHaveLength(1)
|
|
1127
|
+
yield* Effect.promise(() => InstanceStore.reloadInstance({ directory: dir }))
|
|
1128
|
+
|
|
1129
|
+
const exit = yield* Fiber.await(fiber)
|
|
1130
|
+
expect(Exit.isFailure(exit)).toBe(true)
|
|
1131
|
+
if (Exit.isFailure(exit)) expect(Cause.squash(exit.cause)).toBeInstanceOf(Permission.RejectedError)
|
|
1132
|
+
}),
|
|
1133
|
+
)
|
|
1134
|
+
it.live("reply - returns false for unknown requestID", () =>
|
|
1135
|
+
withDir({ git: true }, () =>
|
|
1136
|
+
Effect.gen(function* () {
|
|
1137
|
+
const accepted = yield* reply({ requestID: PermissionID.make("per_unknown"), reply: "once" })
|
|
1138
|
+
expect(accepted).toBe(false)
|
|
1139
|
+
expect(yield* list()).toHaveLength(0)
|
|
1140
|
+
}),
|
|
1141
|
+
),
|
|
1142
|
+
)
|
|
1143
|
+
|
|
1144
|
+
it.live("ask - checks all patterns and stops on first deny", () =>
|
|
1145
|
+
withDir({ git: true }, () =>
|
|
1146
|
+
Effect.gen(function* () {
|
|
1147
|
+
const err = yield* fail(
|
|
1148
|
+
ask({
|
|
1149
|
+
sessionID: SessionID.make("session_test"),
|
|
1150
|
+
permission: "bash",
|
|
1151
|
+
patterns: ["echo hello", "rm -rf /"],
|
|
1152
|
+
metadata: {},
|
|
1153
|
+
always: [],
|
|
1154
|
+
ruleset: [
|
|
1155
|
+
{ permission: "bash", pattern: "*", action: "allow" },
|
|
1156
|
+
{ permission: "bash", pattern: "rm *", action: "deny" },
|
|
1157
|
+
],
|
|
1158
|
+
}),
|
|
1159
|
+
)
|
|
1160
|
+
expect(err).toBeInstanceOf(Permission.DeniedError)
|
|
1161
|
+
}),
|
|
1162
|
+
),
|
|
1163
|
+
)
|
|
1164
|
+
|
|
1165
|
+
it.live("ask - allows all patterns when all match allow rules", () =>
|
|
1166
|
+
withDir({ git: true }, () =>
|
|
1167
|
+
Effect.gen(function* () {
|
|
1168
|
+
const result = yield* ask({
|
|
1169
|
+
sessionID: SessionID.make("session_test"),
|
|
1170
|
+
permission: "bash",
|
|
1171
|
+
patterns: ["echo hello", "ls -la", "pwd"],
|
|
1172
|
+
metadata: {},
|
|
1173
|
+
always: [],
|
|
1174
|
+
ruleset: [{ permission: "bash", pattern: "*", action: "allow" }],
|
|
1175
|
+
})
|
|
1176
|
+
expect(result).toBeUndefined()
|
|
1177
|
+
}),
|
|
1178
|
+
),
|
|
1179
|
+
)
|
|
1180
|
+
|
|
1181
|
+
it.live("ask - should deny even when an earlier pattern is ask", () =>
|
|
1182
|
+
withDir({ git: true }, () =>
|
|
1183
|
+
Effect.gen(function* () {
|
|
1184
|
+
const err = yield* fail(
|
|
1185
|
+
ask({
|
|
1186
|
+
sessionID: SessionID.make("session_test"),
|
|
1187
|
+
permission: "bash",
|
|
1188
|
+
patterns: ["echo hello", "rm -rf /"],
|
|
1189
|
+
metadata: {},
|
|
1190
|
+
always: [],
|
|
1191
|
+
ruleset: [
|
|
1192
|
+
{ permission: "bash", pattern: "echo *", action: "ask" },
|
|
1193
|
+
{ permission: "bash", pattern: "rm *", action: "deny" },
|
|
1194
|
+
],
|
|
1195
|
+
}),
|
|
1196
|
+
)
|
|
1197
|
+
|
|
1198
|
+
expect(err).toBeInstanceOf(Permission.DeniedError)
|
|
1199
|
+
expect(yield* list()).toHaveLength(0)
|
|
1200
|
+
}),
|
|
1201
|
+
),
|
|
1202
|
+
)
|
|
1203
|
+
|
|
1204
|
+
it.live("ask - abort should clear pending request", () =>
|
|
1205
|
+
Effect.gen(function* () {
|
|
1206
|
+
const dir = yield* tmpdirScoped({ git: true })
|
|
1207
|
+
const run = withProvided(dir)
|
|
1208
|
+
|
|
1209
|
+
const fiber = yield* ask({
|
|
1210
|
+
id: PermissionID.make("per_reload"),
|
|
1211
|
+
sessionID: SessionID.make("session_reload"),
|
|
1212
|
+
permission: "bash",
|
|
1213
|
+
patterns: ["ls"],
|
|
1214
|
+
metadata: {},
|
|
1215
|
+
always: [],
|
|
1216
|
+
ruleset: [{ permission: "bash", pattern: "*", action: "ask" }],
|
|
1217
|
+
}).pipe(run, Effect.forkScoped)
|
|
1218
|
+
|
|
1219
|
+
const pending = yield* waitForPending(1).pipe(run)
|
|
1220
|
+
expect(pending).toHaveLength(1)
|
|
1221
|
+
yield* Effect.promise(() => InstanceStore.reloadInstance({ directory: dir }))
|
|
1222
|
+
|
|
1223
|
+
const exit = yield* Fiber.await(fiber)
|
|
1224
|
+
expect(Exit.isFailure(exit)).toBe(true)
|
|
1225
|
+
if (Exit.isFailure(exit)) expect(Cause.squash(exit.cause)).toBeInstanceOf(Permission.RejectedError)
|
|
1226
|
+
}),
|
|
1227
|
+
)
|