Add full-coverage tests for rules-guard #1

Merged: rblaine95 merged 1 commit into master from test/rules-guard-coverage on Jul 1, 2026
Conversation

@rblaine95

Owner

Summary

Brings the rules-guard extension test suite to 100% function and line coverage across positive, negative, adversarial, and fuzzy cases, and enforces it with coverageThreshold = 1.0 in bunfig.toml so any regression fails bun test.

Test count: 20 → 55, all passing.

What changed

  • extensions/rules-guard/index.test.ts — new suites:
    • Positive / negative for every export: compileGlob, bashMatcher, parseRule, candidateAbsPaths, pathTokens, redactText, loadPolicyEntries, plus the rulesGuard wiring hooks (registration, session_start, tool_call, tool_result) via a minimal ExtensionAPI mock.
    • Adversarial bypass vectors: path traversal (..) that resolves into a denied directory, denied commands hidden after shell separators (;, &&, ||, |, newline), and a read-class deny binding write/edit/unknown tools.
    • Fuzzy invariants, seeded with mulberry32 for determinism under the coverage gate: decide never throws, compileGlob output stays anchored, redactText is idempotent, and any leaf under a denied directory is always blocked.
  • bunfig.toml: coverageThreshold = 1.0.
  • extensions/rules-guard/index.ts — embedded deny rule for RSA private key files (Read(**/*.id_rsa)).
  • hk.pkl — exclude the test suite from the detect_private_key pre-commit hook; the suite embeds a synthetic PEM fixture purely to exercise secret redaction, which otherwise trips the scanner.

Verification

  • bun test — 55 pass, 0 fail, 100.00% funcs / 100.00% lines, exit 0.
  • bun typecheck — clean.
  • bunx biome check — clean.
  • Pre-commit hk hooks pass (including detect_private_key with the scoped exclusion).

Expand the `rules-guard` suite to positive, negative, adversarial, and
fuzzy cases, reaching 100% function and line coverage. Enforce it with
`coverageThreshold = 1.0` in `bunfig.toml` so any regression fails
`bun test`.

New coverage:

- Positive and negative cases for every export: `compileGlob`,
  `bashMatcher`, `parseRule`, `candidateAbsPaths`, `pathTokens`,
  `redactText`, `loadPolicyEntries`, and the `rulesGuard` wiring hooks
  (registration, session_start, tool_call, tool_result).
- Adversarial bypass vectors: path traversal that resolves into a
  denied directory, denied commands hidden after shell separators, and
  a read-class deny binding write, edit, and unknown tools.
- Seeded (mulberry32) fuzz invariants: `decide` never throws,
  `compileGlob` output stays anchored, `redactText` is idempotent, and
  any leaf under a denied directory is blocked.

Also add an embedded deny rule covering RSA private key files, and
exclude the test suite from the `detect_private_key` pre-commit hook
since it embeds a synthetic PEM fixture to exercise secret redaction.

Glory to the Omnissiah
@rblaine95 rblaine95 merged commit e7f90bc into master Jul 1, 2026
1 check passed
@rblaine95 rblaine95 deleted the test/rules-guard-coverage branch July 1, 2026 11:05
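
A seeded fuzz invariant of the kind the PR describes ("any leaf under a denied directory is always blocked", including `..` traversal), as an added example that is not code from this PR or from rules-guard. All function names, the denied directory and the path spellings are assumptions constructed for illustration; a weak string-prefix check is shown beside a check that resolves the path first.

```typescript
// Added example: every name here is hypothetical, not a rules-guard export.
// mulberry32: small seeded PRNG, so every run replays the same cases.
function mulberry32(seed: number): () => number {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Resolve "." and ".." lexically (symlinks are out of scope here).
function normalize(p: string): string {
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

type Check = (path: string, deniedDir: string) => boolean;
// Weak form: compares the raw string, so a ".." detour hides the prefix.
const naiveIsDenied: Check = (path, dir) => path.startsWith(dir + "/");
// Hardened form: compares resolved paths on a segment boundary.
const isDenied: Check = (path, dir) => {
  const d = normalize(dir), n = normalize(path);
  return n === d || n.startsWith(d + "/");
};

// Constructed inputs: one denied directory and several spellings of it.
const DENIED = "/home/user/.ssh";
const ROUTES = ["/home/user/.ssh", "/home/user/project/../.ssh",
  "/tmp/../home/user/.ssh", "/home/user/./.ssh", "/home/user/.ssh/keys/.."];
const LEAVES = ["id_rsa", "config", "a/b.txt"];

// Invariant: every spelling of a leaf under DENIED is blocked.
// Returns the spellings that slipped through (empty means it held).
function fuzzLeafInvariant(check: Check, seed: number, rounds = 500): string[] {
  const rand = mulberry32(seed);
  const pick = (xs: string[]): string => xs[Math.floor(rand() * xs.length)] ?? "";
  const misses: string[] = [];
  for (let i = 0; i < rounds; i++) {
    const spelled = pick(ROUTES) + "/" + pick(LEAVES);
    if (!check(spelled, DENIED)) misses.push(spelled);
  }
  return misses;
}
```

Because the generator is seeded, a failing spelling reproduces on every run, which is what lets an invariant like this sit behind a hard coverage gate.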