feat(policy): allowlist enforcement, confirm gates, backup-before-edit

2026-03-01 22:17:59 -05:00
parent 5c74e6c2e6
commit 66df060c6a
2 changed files with 76 additions and 0 deletions
--- a/tests/test_policy.py
+++ b/tests/test_policy.py
@@ -0,0 +1,42 @@
+import os
+from unittest.mock import patch
+import pytest
+
+from rook.policy import is_approved_dir, confirm_spawn, backup_before_edit, check_allowlist
+
+
+def test_is_approved_dir_true():
+ assert is_approved_dir(os.path.expanduser('~/dev/myproject')) == True
+
+
+def test_is_approved_dir_false():
+ assert is_approved_dir('/tmp/evil') == False
+
+
+def test_is_approved_dir_subpath():
+ assert is_approved_dir(os.path.expanduser('~/logs/app.log')) == True
+
+
+def test_confirm_spawn_yes():
+ with patch('builtins.input', return_value='y'):
+  assert confirm_spawn('git push', 'origin main') == True
+
+
+def test_confirm_spawn_no():
+ with patch('builtins.input', return_value='n'):
+  assert confirm_spawn('rm file', 'myfile.txt') == False
+
+
+def test_backup_before_edit(tmp_path):
+ tmp_file = tmp_path / 'sample.txt'
+ tmp_file.write_text('hello')
+ backup_path = backup_before_edit(str(tmp_file))
+ assert os.path.exists(backup_path)
+ assert open(backup_path).read() == 'hello'
+
+
+def test_check_allowlist():
+ assert check_allowlist('file', 'read') == True
+ assert check_allowlist('file', 'delete') == False
+ assert check_allowlist('git', 'push') == False
+ assert check_allowlist('git', 'commit') == True