import { describe, it } from 'node:test'; import assert from 'node:assert/strict'; import { parseRule, paramMatches, dominates, rulesIntersect, isIneffectiveAllowGlob, forbiddenParamRule, } from '../../scanners/lib/permission-rules.mjs'; describe('permission-rules — parseRule', () => { it('bare tool → param null', () => { assert.deepEqual(parseRule('Bash'), { tool: 'Bash', param: null }); }); it('param-qualified tool → tool + param', () => { assert.deepEqual(parseRule('Bash(npm:*)'), { tool: 'Bash', param: 'npm:*' }); }); it('domain rule → tool + param', () => { assert.deepEqual(parseRule('WebFetch(domain:example.com)'), { tool: 'WebFetch', param: 'domain:example.com', }); }); it('non-string → tool null', () => { assert.equal(parseRule(null).tool, null); }); }); describe('permission-rules — paramMatches (glob)', () => { it('wildcard matches any suffix', () => { assert.equal(paramMatches('domain:*', 'domain:good.com'), true); assert.equal(paramMatches('npm:*', 'npm:install'), true); }); it('exact literal matches', () => { assert.equal(paramMatches('domain:good.com', 'domain:good.com'), true); }); it('distinct literals do not match', () => { assert.equal(paramMatches('domain:evil.com', 'domain:good.com'), false); assert.equal(paramMatches('model:opus', 'model:sonnet'), false); }); it('literal pattern does not match a wildcard value', () => { assert.equal(paramMatches('domain:good.com', 'domain:*'), false); }); }); describe('permission-rules — dominates (deny fully covers allow → dead allow)', () => { it('bare deny covers any param-qualified allow', () => { assert.equal(dominates('Bash', 'Bash(npm:*)'), true); }); it('exact param deny covers identical allow', () => { assert.equal(dominates('Agent(model:opus)', 'Agent(model:opus)'), true); }); it('wildcard deny covers matching literal allow', () => { assert.equal(dominates('WebFetch(domain:*)', 'WebFetch(domain:example.com)'), true); }); it('distinct param deny does NOT cover a different param allow (the false positive)', () => { assert.equal(dominates('Agent(model:opus)', 'Agent(model:sonnet)'), false); assert.equal(dominates('WebFetch(domain:evil.com)', 'WebFetch(domain:good.com)'), false); }); it('specific deny does NOT cover a bare allow (sonnet still allowed)', () => { assert.equal(dominates('Agent(model:opus)', 'Agent'), false); }); it('deny-all glob Tool(*) covers a bare allow (Bash(*) ≡ bare Bash deny)', () => { // CC: "Bash(*) is equivalent to Bash ... As a deny rule, both forms remove // the tool from Claude's context." So Bash(*) deny kills a bare Bash allow. assert.equal(dominates('Bash(*)', 'Bash'), true); assert.equal(dominates('Bash(*)', 'Bash(npm:*)'), true); }); it('different tools never dominate', () => { assert.equal(dominates('Bash', 'Read'), false); }); }); describe('permission-rules — isIneffectiveAllowGlob (CC silently skips these allow entries)', () => { it('unanchored tool-name globs are ineffective', () => { assert.equal(isIneffectiveAllowGlob('*'), true); assert.equal(isIneffectiveAllowGlob('B*'), true); assert.equal(isIneffectiveAllowGlob('mcp__*'), true); assert.equal(isIneffectiveAllowGlob('mcp__*__foo'), true); // glob in server segment }); it('MCP globs anchored to a literal server are valid (not flagged)', () => { assert.equal(isIneffectiveAllowGlob('mcp__puppeteer__*'), false); assert.equal(isIneffectiveAllowGlob('mcp__github__get_*'), false); }); it('non-glob and specifier forms are valid (not flagged)', () => { assert.equal(isIneffectiveAllowGlob('Bash'), false); // legit match-all-tool allow assert.equal(isIneffectiveAllowGlob('mcp__puppeteer'), false); // legit match-all-server assert.equal(isIneffectiveAllowGlob('Bash(npm run *)'), false);// glob inside specifier is fine assert.equal(isIneffectiveAllowGlob('Read(src/**)'), false); }); it('non-string → false', () => { assert.equal(isIneffectiveAllowGlob(null), false); assert.equal(isIneffectiveAllowGlob(undefined), false); }); }); describe('permission-rules — forbiddenParamRule (CC ignores Tool(param:value) for the tool\'s own canonicalizing field)', () => { // CC: "Fields that a tool already matches with its own canonicalizing rules // are not matchable this way: command for Bash and PowerShell, file_path for // Read/Edit/Write, path for Grep/Glob, notebook_path for NotebookEdit, and // url for WebFetch. ... Claude Code ignores it and emits a startup warning." // (code.claude.com/docs/en/permissions — "Match by input parameter") it('flags command: for Bash and PowerShell', () => { assert.equal(forbiddenParamRule('Bash(command:rm *)').key, 'command'); assert.equal(forbiddenParamRule('PowerShell(command:Remove-Item *)').key, 'command'); }); it('flags file_path: for Read/Edit/Write', () => { assert.equal(forbiddenParamRule('Read(file_path:/etc/passwd)').key, 'file_path'); assert.equal(forbiddenParamRule('Edit(file_path:/src/x)').tool, 'Edit'); assert.equal(forbiddenParamRule('Write(file_path:/src/x)').tool, 'Write'); }); it('flags path: for Grep/Glob, notebook_path: for NotebookEdit, url: for WebFetch', () => { assert.equal(forbiddenParamRule('Grep(path:/secrets)').key, 'path'); assert.equal(forbiddenParamRule('Glob(path:/secrets)').key, 'path'); assert.equal(forbiddenParamRule('NotebookEdit(notebook_path:/nb.ipynb)').key, 'notebook_path'); assert.equal(forbiddenParamRule('WebFetch(url:http://evil.com)').key, 'url'); }); it('returns a tool-specific correct-syntax hint', () => { assert.match(forbiddenParamRule('Bash(command:rm *)').hint, /Bash\(/); assert.match(forbiddenParamRule('WebFetch(url:http://x)').hint, /domain:/); }); it('does NOT flag valid specifier/param syntax for the same tools', () => { assert.equal(forbiddenParamRule('Bash(npm:*)'), null); // npm: is a trailing-wildcard prefix, not command: assert.equal(forbiddenParamRule('WebFetch(domain:good.com)'), null); // domain: is the valid WebFetch syntax assert.equal(forbiddenParamRule('Read(./path)'), null); // gitignore-style path, no param:value assert.equal(forbiddenParamRule('Bash(command)'), null); // literal command-prefix, no colon }); it('does NOT flag param:value on tools that have no forbidden field', () => { assert.equal(forbiddenParamRule('Agent(model:opus)'), null); assert.equal(forbiddenParamRule('Bash(run_in_background:true)'), null); }); it('bare tools and non-strings → null', () => { assert.equal(forbiddenParamRule('Bash'), null); assert.equal(forbiddenParamRule('Bash(*)'), null); assert.equal(forbiddenParamRule(null), null); }); }); describe('permission-rules — rulesIntersect (cross-scope conflict)', () => { it('exact same rule intersects', () => { assert.equal(rulesIntersect('Bash(npm run *)', 'Bash(npm run *)'), true); }); it('bare tool intersects any param of same tool', () => { assert.equal(rulesIntersect('Bash', 'Bash(npm:*)'), true); assert.equal(rulesIntersect('Agent(model:opus)', 'Agent'), true); }); it('wildcard intersects matching literal (currently a false negative)', () => { assert.equal(rulesIntersect('WebFetch(domain:*)', 'WebFetch(domain:good.com)'), true); assert.equal(rulesIntersect('WebFetch(domain:good.com)', 'WebFetch(domain:*)'), true); }); it('distinct literal params are disjoint (no conflict)', () => { assert.equal(rulesIntersect('Agent(model:opus)', 'Agent(model:sonnet)'), false); }); it('different tools never intersect', () => { assert.equal(rulesIntersect('Read', 'Write'), false); }); });