Fimeg/letta-code
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
Files
103a630833ebc29f7a1a3096afba3b24cd576d14
letta-code/src/tests/permissions.test.ts
Charles Packer f1f507a45d feat: loosen read permissions on shell cmd (#144)
2025-12-01 22:10:35 -08:00

128 lines
3.5 KiB
TypeScript
Raw Blame History

import { expect, test } from "bun:test";
import { analyzeApprovalContext } from "../permissions/analyzer";
import { checkPermission } from "../permissions/checker";
import type { PermissionRules } from "../permissions/types";
test("Read within working directory is auto-allowed", () => {
if (process.platform === "win32") return; // Skip on Windows - Unix paths
const result = checkPermission(
"Read",
{ file_path: "src/test.ts" },
{ allow: [], deny: [], ask: [] },
"/Users/test/project",
);
expect(result.decision).toBe("allow");
expect(result.reason).toBe("Within working directory");
});
test("Read outside working directory requires approval", () => {
if (process.platform === "win32") return; // Skip on Windows - Unix paths
const result = checkPermission(
"Read",
{ file_path: "/Users/test/other-project/file.ts" },
{ allow: [], deny: [], ask: [] },
"/Users/test/project",
);
expect(result.decision).toBe("allow"); // Default for Read tool
});
test("Bash commands require approval by default", () => {
const result = checkPermission(
"Bash",
{ command: "curl http://example.com" }, // Use non-read-only command
{ allow: [], deny: [], ask: [] },
"/Users/test/project",
);
expect(result.decision).toBe("ask");
});
test("Allow rule matches Bash prefix pattern", () => {
const permissions: PermissionRules = {
allow: ["Bash(npm run:*)"],
deny: [],
ask: [],
};
const result = checkPermission(
"Bash",
{ command: "npm run build" },
permissions,
"/Users/test/project",
);
expect(result.decision).toBe("allow");
expect(result.matchedRule).toBe("Bash(npm run:*)");
});
test("Deny rule blocks file access", () => {
const permissions: PermissionRules = {
allow: [],
deny: ["Read(.env)"],
ask: [],
};
const result = checkPermission(
"Read",
{ file_path: ".env" },
permissions,
"/Users/test/project",
);
expect(result.decision).toBe("deny");
expect(result.matchedRule).toBe("Read(.env)");
});
test("Analyze git diff approval context", () => {
const context = analyzeApprovalContext(
"Bash",
{ command: "git diff HEAD" },
"/Users/test/project",
);
expect(context.recommendedRule).toBe("Bash(git diff:*)");
expect(context.approveAlwaysText).toContain("git diff");
expect(context.allowPersistence).toBe(true);
expect(context.safetyLevel).toBe("safe");
});
test("Dangerous commands don't offer persistence", () => {
const context = analyzeApprovalContext(
"Bash",
{ command: "rm -rf node_modules" },
"/Users/test/project",
);
expect(context.allowPersistence).toBe(false);
expect(context.safetyLevel).toBe("dangerous");
});
test("Read outside working directory suggests directory pattern", () => {
if (process.platform === "win32") return; // Skip on Windows - Unix paths
const context = analyzeApprovalContext(
"Read",
{ file_path: "/Users/test/docs/api.md" },
"/Users/test/project",
);
expect(context.recommendedRule).toBe("Read(//Users/test/docs/**)");
expect(context.approveAlwaysText).toContain("/Users/test/docs/");
expect(context.defaultScope).toBe("project");
});
test("Write suggests session-only approval", () => {
const context = analyzeApprovalContext(
"Write",
{ file_path: "src/new-file.ts" },
"/Users/test/project",
);
expect(context.recommendedRule).toBe("Write(**)");
expect(context.defaultScope).toBe("session");
expect(context.approveAlwaysText).toContain("during this session");
});
Reference in New Issue View Git Blame Copy Permalink