diff --git a/pkg/tools/risk.go b/pkg/tools/risk.go index 3f86c67..4ceee87 100644 --- a/pkg/tools/risk.go +++ b/pkg/tools/risk.go @@ -28,11 +28,11 @@ var destructivePatterns = []*regexp.Regexp{ regexp.MustCompile(`\bchown\b.+\s+/`), regexp.MustCompile(`\bclawgo\s+uninstall\b`), regexp.MustCompile(`\bdbt\s+drop\b`), + regexp.MustCompile(`\bgit\s+clean\b`), } var moderatePatterns = []*regexp.Regexp{ regexp.MustCompile(`\bgit\s+reset\s+--hard\b`), - regexp.MustCompile(`\bgit\s+clean\b`), regexp.MustCompile(`\bdocker\s+system\s+prune\b`), regexp.MustCompile(`\bapt(-get)?\s+install\b`), regexp.MustCompile(`\byum\s+install\b`), diff --git a/pkg/tools/shell.go b/pkg/tools/shell.go index 3e8ebdb..26e735c 100644 --- a/pkg/tools/shell.go +++ b/pkg/tools/shell.go @@ -29,15 +29,21 @@ type ExecTool struct { } func NewExecTool(cfg config.ShellConfig, workspace string) *ExecTool { - denyPatterns := make([]*regexp.Regexp, 0) + denyPatterns := make([]*regexp.Regexp, 0, len(cfg.DeniedCmds)) for _, p := range cfg.DeniedCmds { denyPatterns = append(denyPatterns, regexp.MustCompile(`\b`+regexp.QuoteMeta(p)+`\b`)) } + allowPatterns := make([]*regexp.Regexp, 0, len(cfg.AllowedCmds)) + for _, p := range cfg.AllowedCmds { + allowPatterns = append(allowPatterns, regexp.MustCompile(`\b`+regexp.QuoteMeta(p)+`\b`)) + } + return &ExecTool{ workingDir: workspace, timeout: cfg.Timeout, denyPatterns: denyPatterns, + allowPatterns: allowPatterns, restrictToWorkspace: cfg.RestrictPath, sandboxEnabled: cfg.Sandbox.Enabled, sandboxImage: cfg.Sandbox.Image, @@ -254,7 +260,7 @@ func (t *ExecTool) applyRiskGate(command string, force bool) (string, string) { return "Error: destructive command is disabled by policy (tools.shell.risk.allow_destructive=false).", "" } - if t.riskCfg.RequireDryRun { + if t.riskCfg.RequireDryRun && !force { if dryRunCmd, ok := buildDryRunCommand(command); ok { return "Risk gate: dry-run required first. Review output, then execute intentionally with force=true.", dryRunCmd } diff --git a/pkg/tools/shell_test.go b/pkg/tools/shell_test.go new file mode 100644 index 0000000..2d7fef2 --- /dev/null +++ b/pkg/tools/shell_test.go @@ -0,0 +1,63 @@ +package tools + +import ( + "testing" + + "clawgo/pkg/config" +) + +func TestApplyRiskGate_DryRunCanBeBypassedWithForce(t *testing.T) { + tool := &ExecTool{riskCfg: config.RiskConfig{ + Enabled: true, + AllowDestructive: true, + RequireDryRun: true, + RequireForceFlag: false, + }} + + msg, dryRun := tool.applyRiskGate("git clean -fd", true) + if msg != "" || dryRun != "" { + t.Fatalf("expected force=true to allow execution after dry-run step, got msg=%q dryRun=%q", msg, dryRun) + } +} + +func TestApplyRiskGate_RequiresDryRunWithoutForce(t *testing.T) { + tool := &ExecTool{riskCfg: config.RiskConfig{ + Enabled: true, + AllowDestructive: true, + RequireDryRun: true, + RequireForceFlag: false, + }} + + msg, dryRun := tool.applyRiskGate("git clean -fd", false) + if msg == "" { + t.Fatal("expected dry-run block message") + } + if dryRun == "" { + t.Fatal("expected dry-run command") + } +} + +func TestAssessCommandRisk_GitCleanIsDestructive(t *testing.T) { + assessment := assessCommandRisk("git clean -fd") + if assessment.Level != RiskDestructive { + t.Fatalf("expected git clean to be destructive, got %s", assessment.Level) + } +} + +func TestNewExecTool_LoadsAllowedCmdsIntoAllowPatterns(t *testing.T) { + tool := NewExecTool(config.ShellConfig{AllowedCmds: []string{"echo"}}, ".") + if len(tool.allowPatterns) != 1 { + t.Fatalf("expected one allow pattern, got %d", len(tool.allowPatterns)) + } +} + +func TestGuardCommand_BlocksCommandNotInAllowlist(t *testing.T) { + tool := NewExecTool(config.ShellConfig{AllowedCmds: []string{"echo"}}, ".") + if msg := tool.guardCommand("ls -la", "."); msg == "" { + t.Fatal("expected allowlist to block command not in allowed_cmds") + } + + if msg := tool.guardCommand("echo hi", "."); msg != "" { + t.Fatalf("expected allowed command to pass guard, got %q", msg) + } +}