first pass at prefix rules

2026-04-25 23:24:55 +00:00 · 2025-11-10 10:38:08 -08:00
parent 6c384eb9c6
commit 773177ec8b
13 changed files with 664 additions and 0 deletions
--- a/codex-rs/execpolicy2/tests/basic.rs
+++ b/codex-rs/execpolicy2/tests/basic.rs
@@ -0,0 +1,90 @@
+use codex_execpolicy2::Decision;
+use codex_execpolicy2::PolicyParser;
+use codex_execpolicy2::tokenize_command;
+
+#[test]
+fn matches_default_git_status() {
+    let policy = codex_execpolicy2::load_default_policy().expect("parse");
+    let cmd = tokenize_command("git status").expect("tokenize");
+    let eval = policy.evaluate(&cmd).expect("match");
+    assert_eq!(eval.decision, Decision::Allow);
+    assert_eq!(eval.rule_id, "git_status");
+}
+
+#[test]
+fn pattern_expands_alternatives() {
+    let policy_src = r#"
+prefix_rule(
+    id = "npm_install",
+    pattern = ["npm", ["i", "install"]],
+)
+    "#;
+    let parser = PolicyParser::new("test.policy", policy_src);
+    let policy = parser.parse().expect("parse policy");
+
+    for cmd in ["npm i", "npm install"] {
+        let tokens = tokenize_command(cmd).expect("tokenize");
+        let eval = policy.evaluate(&tokens).expect("match");
+        assert_eq!(eval.rule_id, "npm_install");
+    }
+
+    let no_match = tokenize_command("npmx install").expect("tokenize");
+    assert!(policy.evaluate(&no_match).is_none());
+}
+
+#[test]
+fn match_and_not_match_examples_are_enforced() {
+    let policy_src = r#"
+prefix_rule(
+    id = "git_status",
+    pattern = ["git", "status"],
+    match = ["git status"],
+    not_match = ["git reset --hard"],
+)
+    "#;
+    let parser = PolicyParser::new("test.policy", policy_src);
+    let policy = parser.parse().expect("parse policy");
+    assert!(
+        policy
+            .evaluate(&tokenize_command("git status").expect("tokenize"))
+            .is_some()
+    );
+    assert!(
+        policy
+            .evaluate(&tokenize_command("git reset --hard").expect("tokenize"))
+            .is_none()
+    );
+}
+
+#[test]
+fn strictest_decision_wins_across_matches() {
+    let policy_src = r#"
+prefix_rule(
+    id = "allow_git_status",
+    pattern = ["git", "status"],
+    decision = "allow",
+)
+prefix_rule(
+    id = "prompt_git",
+    pattern = ["git"],
+    decision = "prompt",
+)
+prefix_rule(
+    id = "forbid_git_commit",
+    pattern = ["git", "commit"],
+    decision = "forbidden",
+)
+    "#;
+    let parser = PolicyParser::new("test.policy", policy_src);
+    let policy = parser.parse().expect("parse policy");
+
+    let status = tokenize_command("git status").expect("tokenize");
+    let status_eval = policy.evaluate(&status).expect("match");
+    assert_eq!(status_eval.decision, Decision::Prompt);
+    assert_eq!(status_eval.rule_id, "prompt_git");
+
+    let commit = tokenize_command("git commit -m hi").expect("tokenize");
+    let commit_eval = policy.evaluate(&commit).expect("match");
+    assert_eq!(commit_eval.decision, Decision::Forbidden);
+    assert_eq!(commit_eval.rule_id, "forbid_git_commit");
+}