Files
executus/tool/checks_test.go
T
steve dc28b63ad8
executus CI / test (push) Successful in 36s
P1 (part 1): move skilltools core -> tool/ (clean, verbatim)
The tool registry core (registry, permission model, Invocation, gated-tool
wrapper, ssrf guard, hmac, encryption, argcoerce, helpers, rootrun,
session_tools, webhook_rate_limit) had zero mort coupling — it imports only
majordomo/llm + x/crypto/hkdf — so it moves verbatim with a package rename
(skilltools -> tool). All same-package tests came along and pass; the SSRF,
gated-wrapper, encryption and output-pattern invariants are re-anchored here.

majordomo re-enters the module graph (now pinned to the latest, incl. the
front-loaded-output fix). model/ + llmmeta + structured follow next.

Docs: CLAUDE.md now requires README/examples to stay in sync with changes in
the same commit; CI skips docs/example-only pushes via paths-ignore.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-26 19:31:47 -04:00

57 lines
1.9 KiB
Go

package tool
import (
"strings"
"testing"
)
func TestCheckAuthoring_AllowsAnyone(t *testing.T) {
r := NewRegistry()
_ = r.Register(&fakeTool{name: "calc", perm: Permission{AuthoringRequirement: RequirementAnyone}})
if err := CheckAuthoring(r, []string{"calc"}, false); err != nil {
t.Fatalf("expected anyone to pass, got %v", err)
}
}
func TestCheckAuthoring_BlocksNonAdminFromAdminTool(t *testing.T) {
r := NewRegistry()
_ = r.Register(&fakeTool{name: "db_select", perm: Permission{AuthoringRequirement: RequirementAdmin}})
err := CheckAuthoring(r, []string{"db_select"}, false)
if err == nil || !strings.Contains(err.Error(), "requires admin authoring") {
t.Fatalf("expected admin-required error, got %v", err)
}
}
func TestCheckAuthoring_AllowsAdminWithAdminTool(t *testing.T) {
r := NewRegistry()
_ = r.Register(&fakeTool{name: "db_select", perm: Permission{AuthoringRequirement: RequirementAdmin}})
if err := CheckAuthoring(r, []string{"db_select"}, true); err != nil {
t.Fatalf("expected admin to pass, got %v", err)
}
}
func TestCheckAuthoring_UnknownTool(t *testing.T) {
r := NewRegistry()
err := CheckAuthoring(r, []string{"missing"}, true)
if err == nil || !strings.Contains(err.Error(), "unknown tool") {
t.Fatalf("expected unknown-tool error, got %v", err)
}
}
func TestCheckShareSafety_Pass(t *testing.T) {
r := NewRegistry()
_ = r.Register(&fakeTool{name: "search", perm: Permission{SafeForShare: true}})
if err := CheckShareSafety(r, []string{"search"}); err != nil {
t.Fatalf("expected safe tool to pass, got %v", err)
}
}
func TestCheckShareSafety_BlocksUnsafe(t *testing.T) {
r := NewRegistry()
_ = r.Register(&fakeTool{name: "balance", perm: Permission{SafeForShare: false}})
err := CheckShareSafety(r, []string{"balance"})
if err == nil || !strings.Contains(err.Error(), "operates on the caller's own data") {
t.Fatalf("expected share-safety error, got %v", err)
}
}