From bde038527c28f31d9b68eb3056c148ff2456fb60 Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Fri, 13 Mar 2026 20:43:54 +0000
Subject: [PATCH] test: extract exec approvals policy coverage
---
 src/infra/exec-approvals-policy.test.ts | 84 +++++++++++++++++++++++++
 src/infra/exec-approvals.test.ts | 58 -----------------
 2 files changed, 84 insertions(+), 58 deletions(-)
 create mode 100644 src/infra/exec-approvals-policy.test.ts
diff --git a/src/infra/exec-approvals-policy.test.ts b/src/infra/exec-approvals-policy.test.ts
new file mode 100644
index 000000000..b546d89d6
--- /dev/null
+++ b/src/infra/exec-approvals-policy.test.ts
@@ -0,0 +1,84 @@
+import { describe, expect, it } from "vitest";
+import {
+ maxAsk,
+ minSecurity,
+ normalizeExecAsk,
+ normalizeExecHost,
+ normalizeExecSecurity,
+ requiresExecApproval,
+} from "./exec-approvals.js";
+
+describe("exec approvals policy helpers", () => {
+ it("normalizes exec host values and rejects blanks or unknown values", () => {
+ expect(normalizeExecHost(" gateway ")).toBe("gateway");
+ expect(normalizeExecHost("NODE")).toBe("node");
+ expect(normalizeExecHost("")).toBeNull();
+ expect(normalizeExecHost("ssh")).toBeNull();
+ });
+
+ it("normalizes exec security and ask values", () => {
+ expect(normalizeExecSecurity(" allowlist ")).toBe("allowlist");
+ expect(normalizeExecSecurity("FULL")).toBe("full");
+ expect(normalizeExecSecurity("unknown")).toBeNull();
+
+ expect(normalizeExecAsk(" on-miss ")).toBe("on-miss");
+ expect(normalizeExecAsk("ALWAYS")).toBe("always");
+ expect(normalizeExecAsk("maybe")).toBeNull();
+ });
+
+ it("minSecurity returns the more restrictive value", () => {
+ expect(minSecurity("deny", "full")).toBe("deny");
+ expect(minSecurity("allowlist", "full")).toBe("allowlist");
+ expect(minSecurity("full", "allowlist")).toBe("allowlist");
+ });
+
+ it("maxAsk returns the more aggressive ask mode", () => {
+ expect(maxAsk("off", "always")).toBe("always");
+ expect(maxAsk("on-miss", "off")).toBe("on-miss");
+ expect(maxAsk("always", "on-miss")).toBe("always");
+ });
+
+ it("requiresExecApproval respects ask mode and allowlist satisfaction", () => {
+ const cases = [
+ {
+ ask: "always" as const,
+ security: "allowlist" as const,
+ analysisOk: true,
+ allowlistSatisfied: true,
+ expected: true,
+ },
+ {
+ ask: "off" as const,
+ security: "allowlist" as const,
+ analysisOk: true,
+ allowlistSatisfied: false,
+ expected: false,
+ },
+ {
+ ask: "on-miss" as const,
+ security: "allowlist" as const,
+ analysisOk: true,
+ allowlistSatisfied: true,
+ expected: false,
+ },
+ {
+ ask: "on-miss" as const,
+ security: "allowlist" as const,
+ analysisOk: false,
+ allowlistSatisfied: false,
+ expected: true,
+ },
+ {
+ ask: "on-miss" as const,
+ security: "full" as const,
+ analysisOk: false,
+ allowlistSatisfied: false,
+ expected: false,
+ },
+ ];
+
+ for (const testCase of cases) {
+ expect(requiresExecApproval(testCase)).toBe(testCase.expected);
+ }
+ });
+});
diff --git a/src/infra/exec-approvals.test.ts b/src/infra/exec-approvals.test.ts
index 9edd3f390..ee92d1011 100644
--- a/src/infra/exec-approvals.test.ts
+++ b/src/infra/exec-approvals.test.ts
@@ -9,10 +9,7 @@ import {
 buildSafeBinsShellCommand,
 evaluateExecAllowlist,
 evaluateShellAllowlist,
- maxAsk,
- minSecurity,
 normalizeSafeBins,
- requiresExecApproval,
 } from "./exec-approvals.js";
 
 describe("exec approvals safe shell command builder", () => {
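Review bot: In `exec-approvals-policy.test.ts`, the `requiresExecApproval` table only ever flips `analysisOk` and `allowlistSatisfied` together, so for `ask: "on-miss"` with `security: "allowlist"` it cannot tell whether a prompt is triggered by a failed analysis, by an allowlist miss, or only by both. A regression that stopped prompting for one of the two conditions would still pass, and this helper appears to be the decision point in front of command execution. I would add the two mixed rows (`analysisOk: false, allowlistSatisfied: true` and `analysisOk: true, allowlistSatisfied: false`) with the result the policy intends, plus a `security: "deny"` row, which the table does not exercise. Separately, the `for` loop reports a failure without saying which row failed; `it.each(cases)` or `expect(requiresExecApproval(testCase), JSON.stringify(testCase)).toBe(testCase.expected)` would name it.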
@@ -525,58 +522,3 @@ describe("exec approvals allowlist evaluation", () => {
 expect(result.segmentSatisfiedBy).toEqual(["allowlist", "safeBins"]);
 });
 });
-
-describe("exec approvals policy helpers", () => {
- it("minSecurity returns the more restrictive value", () => {
- expect(minSecurity("deny", "full")).toBe("deny");
- expect(minSecurity("allowlist", "full")).toBe("allowlist");
- });
-
- it("maxAsk returns the more aggressive ask mode", () => {
- expect(maxAsk("off", "always")).toBe("always");
- expect(maxAsk("on-miss", "off")).toBe("on-miss");
- });
-
- it("requiresExecApproval respects ask mode and allowlist satisfaction", () => {
- expect(
- requiresExecApproval({
- ask: "always",
- security: "allowlist",
- analysisOk: true,
- allowlistSatisfied: true,
- }),
- ).toBe(true);
- expect(
- requiresExecApproval({
- ask: "off",
- security: "allowlist",
- analysisOk: true,
- allowlistSatisfied: false,
- }),
- ).toBe(false);
- expect(
- requiresExecApproval({
- ask: "on-miss",
- security: "allowlist",
- analysisOk: true,
- allowlistSatisfied: true,
- }),
- ).toBe(false);
- expect(
- requiresExecApproval({
- ask: "on-miss",
- security: "allowlist",
- analysisOk: false,
- allowlistSatisfied: false,
- }),
- ).toBe(true);
- expect(
- requiresExecApproval({
- ask: "on-miss",
- security: "full",
- analysisOk: false,
- allowlistSatisfied: false,
- }),
- ).toBe(false);
- });
-});