Skip to content

test(policy): additional coverage for policy_file loading, MAX_RULES boundary, and confirmed allow path#1896

Merged
bug-ops merged 3 commits intomainfrom
test-policy-additional-coverag
Mar 15, 2026
Merged

test(policy): additional coverage for policy_file loading, MAX_RULES boundary, and confirmed allow path#1896
bug-ops merged 3 commits intomainfrom
test-policy-additional-coverag

Conversation

@bug-ops
Copy link
Copy Markdown
Owner

@bug-ops bug-ops commented Mar 15, 2026

Closes #1874

Summary

Adds tests for three coverage gaps identified in the post-review of PR #1870:

  • GAP-03 (policy.rs): four tests for load_policy_file():
    • policy_file_happy_path — file-loaded deny rule evaluates correctly
    • policy_file_too_large — file > 256 KiB returns FileTooLarge
    • policy_file_load_error — nonexistent path returns FileLoad
    • policy_file_parse_error — malformed TOML returns FileParse
  • GAP-04 (policy.rs): max_rules_exactly_256_compiles — exactly 256 rules compile without error, closing the off-by-one gap where only 257 was tested
  • GAP-05 (policy_gate.rs): confirmed_allow_delegates_to_innerexecute_tool_call_confirmed() returns the inner executor's output when policy allows

Notes

Tests in policy.rs and policy_gate.rs are behind #[cfg(feature = "policy-enforcer")]. File-based tests use tempdir_in(cwd) to satisfy the symlink boundary check added in load_policy_file (merged from main during development).

Test plan

  • cargo nextest run -p zeph-tools --features policy-enforcer --lib — 753 passed
  • cargo nextest run --workspace --features full --lib --bins — 6000 passed
  • cargo +nightly fmt --check — clean
  • cargo clippy --workspace --features full -- -D warnings — clean

bug-ops added 3 commits March 16, 2026 00:31
@bug-ops
test(policy): cover policy_file loading, MAX_RULES boundary, and conf…
e29cf68 
…irmed allow path (#1874)

GAP-03: add four tests for load_policy_file() — happy-path (file-loaded deny rule
evaluates correctly), FileTooLarge (>256 KiB rejected), FileLoad (nonexistent path),
and FileParse (malformed TOML).

GAP-04: add test verifying exactly MAX_RULES (256) rules compile without error,
closing the off-by-one gap where only 257 was tested.

GAP-05: add test confirming execute_tool_call_confirmed() delegates to the inner
executor and returns its output when policy allows the call.
@bug-ops
Merge remote-tracking branch 'origin/main' into test-policy-additiona…
2cfa6aa 
…l-coverag
@bug-ops
test(policy): fix policy_file tests to work with symlink boundary check
f175edf 
After merging main (which added load_policy_file security hardening), the
boundary check rejects files outside the process cwd. Switch from
NamedTempFile (creates in /tmp) to tempdir_in(cwd) so the canonical path
stays within the cwd and all three error-case tests pass correctly.
@github-actions github-actions bot added documentation Improvements or additions to documentation rust Rust code changes tests Test-related changes size/M Medium PR (51-200 lines) labels Mar 15, 2026
@bug-ops bug-ops enabled auto-merge (squash) March 15, 2026 23:35
@bug-ops bug-ops merged commit 2511932 into main Mar 15, 2026
20 checks passed
@bug-ops bug-ops deleted the test-policy-additional-coverag branch March 15, 2026 23:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

documentation Improvements or additions to documentation rust Rust code changes size/M Medium PR (51-200 lines) tests Test-related changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

test(policy): additional coverage gaps for policy_file loading and boundary conditions

1 participant

@bug-ops