test: extract exec approvals policy coverage

2026-03-13 20:43:54 +00:00
parent 8b05cd4074
commit bde038527c
2 changed files with 84 additions and 58 deletions
--- a/src/infra/exec-approvals-policy.test.ts
+++ b/src/infra/exec-approvals-policy.test.ts
@@ -0,0 +1,84 @@
+import { describe, expect, it } from "vitest";
+import {
+  maxAsk,
+  minSecurity,
+  normalizeExecAsk,
+  normalizeExecHost,
+  normalizeExecSecurity,
+  requiresExecApproval,
+} from "./exec-approvals.js";
+
+describe("exec approvals policy helpers", () => {
+  it("normalizes exec host values and rejects blanks or unknown values", () => {
+    expect(normalizeExecHost(" gateway ")).toBe("gateway");
+    expect(normalizeExecHost("NODE")).toBe("node");
+    expect(normalizeExecHost("")).toBeNull();
+    expect(normalizeExecHost("ssh")).toBeNull();
+  });
+
+  it("normalizes exec security and ask values", () => {
+    expect(normalizeExecSecurity(" allowlist ")).toBe("allowlist");
+    expect(normalizeExecSecurity("FULL")).toBe("full");
+    expect(normalizeExecSecurity("unknown")).toBeNull();
+
+    expect(normalizeExecAsk(" on-miss ")).toBe("on-miss");
+    expect(normalizeExecAsk("ALWAYS")).toBe("always");
+    expect(normalizeExecAsk("maybe")).toBeNull();
+  });
+
+  it("minSecurity returns the more restrictive value", () => {
+    expect(minSecurity("deny", "full")).toBe("deny");
+    expect(minSecurity("allowlist", "full")).toBe("allowlist");
+    expect(minSecurity("full", "allowlist")).toBe("allowlist");
+  });
+
+  it("maxAsk returns the more aggressive ask mode", () => {
+    expect(maxAsk("off", "always")).toBe("always");
+    expect(maxAsk("on-miss", "off")).toBe("on-miss");
+    expect(maxAsk("always", "on-miss")).toBe("always");
+  });
+
+  it("requiresExecApproval respects ask mode and allowlist satisfaction", () => {
+    const cases = [
+      {
+        ask: "always" as const,
+        security: "allowlist" as const,
+        analysisOk: true,
+        allowlistSatisfied: true,
+        expected: true,
+      },
+      {
+        ask: "off" as const,
+        security: "allowlist" as const,
+        analysisOk: true,
+        allowlistSatisfied: false,
+        expected: false,
+      },
+      {
+        ask: "on-miss" as const,
+        security: "allowlist" as const,
+        analysisOk: true,
+        allowlistSatisfied: true,
+        expected: false,
+      },
+      {
+        ask: "on-miss" as const,
+        security: "allowlist" as const,
+        analysisOk: false,
+        allowlistSatisfied: false,
+        expected: true,
+      },
+      {
+        ask: "on-miss" as const,
+        security: "full" as const,
+        analysisOk: false,
+        allowlistSatisfied: false,
+        expected: false,
+      },
+    ];
+
+    for (const testCase of cases) {
+      expect(requiresExecApproval(testCase)).toBe(testCase.expected);
+    }
+  });
+});
--- a/src/infra/exec-approvals.test.ts
+++ b/src/infra/exec-approvals.test.ts
@@ -9,10 +9,7 @@ import {
  buildSafeBinsShellCommand,
  evaluateExecAllowlist,
  evaluateShellAllowlist,
-  maxAsk,
-  minSecurity,
  normalizeSafeBins,
-  requiresExecApproval,
 } from "./exec-approvals.js";

 describe("exec approvals safe shell command builder", () => {
@@ -525,58 +522,3 @@ describe("exec approvals allowlist evaluation", () => {
    expect(result.segmentSatisfiedBy).toEqual(["allowlist", "safeBins"]);
  });
 });
-
-describe("exec approvals policy helpers", () => {
-  it("minSecurity returns the more restrictive value", () => {
-    expect(minSecurity("deny", "full")).toBe("deny");
-    expect(minSecurity("allowlist", "full")).toBe("allowlist");
-  });
-
-  it("maxAsk returns the more aggressive ask mode", () => {
-    expect(maxAsk("off", "always")).toBe("always");
-    expect(maxAsk("on-miss", "off")).toBe("on-miss");
-  });
-
-  it("requiresExecApproval respects ask mode and allowlist satisfaction", () => {
-    expect(
-      requiresExecApproval({
-        ask: "always",
-        security: "allowlist",
-        analysisOk: true,
-        allowlistSatisfied: true,
-      }),
-    ).toBe(true);
-    expect(
-      requiresExecApproval({
-        ask: "off",
-        security: "allowlist",
-        analysisOk: true,
-        allowlistSatisfied: false,
-      }),
-    ).toBe(false);
-    expect(
-      requiresExecApproval({
-        ask: "on-miss",
-        security: "allowlist",
-        analysisOk: true,
-        allowlistSatisfied: true,
-      }),
-    ).toBe(false);
-    expect(
-      requiresExecApproval({
-        ask: "on-miss",
-        security: "allowlist",
-        analysisOk: false,
-        allowlistSatisfied: false,
-      }),
-    ).toBe(true);
-    expect(
-      requiresExecApproval({
-        ask: "on-miss",
-        security: "full",
-        analysisOk: false,
-        allowlistSatisfied: false,
-      }),
-    ).toBe(false);
-  });
-});