| 406 | |
| 407 | #[test] |
| 408 | fn test_realistic_dev_policy() { |
| 409 | let policy = PermissionPolicy::new() |
| 410 | // Allow common dev commands |
| 411 | .allow_all(&[ |
| 412 | "Bash(cargo:*)", |
| 413 | "Bash(npm:*)", |
| 414 | "Bash(pnpm:*)", |
| 415 | "Bash(just:*)", |
| 416 | "Bash(git status:*)", |
| 417 | "Bash(git diff:*)", |
| 418 | "Bash(echo:*)", |
| 419 | "Grep(*)", |
| 420 | "Glob(*)", |
| 421 | "Ls(*)", |
| 422 | ]) |
| 423 | // Deny dangerous commands |
| 424 | .deny_all(&["Bash(rm -rf:*)", "Bash(sudo:*)", "Bash(curl | sh:*)"]) |
| 425 | // Always ask for writes |
| 426 | .ask_all(&["Write(*)", "Edit(*)"]); |
| 427 | |
| 428 | // Allowed |
| 429 | assert!(policy.is_allowed("Bash", &json!({"command": "cargo build"}))); |
| 430 | assert!(policy.is_allowed("Bash", &json!({"command": "npm run test"}))); |
| 431 | assert!(policy.is_allowed("Grep", &json!({"pattern": "TODO"}))); |
| 432 | |
| 433 | // Denied |
| 434 | assert!(policy.is_denied("Bash", &json!({"command": "rm -rf /"}))); |
| 435 | assert!(policy.is_denied("Bash", &json!({"command": "sudo apt install"}))); |
| 436 | |
| 437 | // Ask |
| 438 | assert!(policy.requires_confirmation("Write", &json!({"file_path": "/tmp/test.rs"}))); |
| 439 | assert!(policy.requires_confirmation("Edit", &json!({"file_path": "src/main.rs"}))); |
| 440 | } |
| 441 | |
| 442 | #[test] |
| 443 | fn test_mcp_tool_permissions() { |