feat: add exec approvals allowlists

2026-01-18 01:33:52 +00:00
parent 3a0fd6be3c
commit 0674f1fa3c
21 changed files with 1019 additions and 101 deletions
--- a/apps/macos/Tests/ClawdbotIPCTests/CommandResolverTests.swift
+++ b/apps/macos/Tests/ClawdbotIPCTests/CommandResolverTests.swift
@@ -34,7 +34,7 @@ import Testing
        let clawdbotPath = tmp.appendingPathComponent("node_modules/.bin/clawdbot")
        try self.makeExec(at: clawdbotPath)

-        let cmd = CommandResolver.clawdbotCommand(subcommand: "gateway", defaults: defaults)
+        let cmd = CommandResolver.clawdbotCommand(subcommand: "gateway", defaults: defaults, configRoot: [:])
        #expect(cmd.prefix(2).elementsEqual([clawdbotPath.path, "gateway"]))
    }

@@ -55,6 +55,7 @@ import Testing
        let cmd = CommandResolver.clawdbotCommand(
            subcommand: "rpc",
            defaults: defaults,
+            configRoot: [:],
            searchPaths: [tmp.appendingPathComponent("node_modules/.bin").path])

        #expect(cmd.count >= 3)
@@ -75,7 +76,7 @@ import Testing
        let pnpmPath = tmp.appendingPathComponent("node_modules/.bin/pnpm")
        try self.makeExec(at: pnpmPath)

-        let cmd = CommandResolver.clawdbotCommand(subcommand: "rpc", defaults: defaults)
+        let cmd = CommandResolver.clawdbotCommand(subcommand: "rpc", defaults: defaults, configRoot: [:])

        #expect(cmd.prefix(4).elementsEqual([pnpmPath.path, "--silent", "clawdbot", "rpc"]))
    }
@@ -93,7 +94,8 @@ import Testing
        let cmd = CommandResolver.clawdbotCommand(
            subcommand: "health",
            extraArgs: ["--json", "--timeout", "5"],
-            defaults: defaults)
+            defaults: defaults,
+            configRoot: [:])

        #expect(cmd.prefix(5).elementsEqual([pnpmPath.path, "--silent", "clawdbot", "health", "--json"]))
        #expect(cmd.suffix(2).elementsEqual(["--timeout", "5"]))
@@ -114,7 +116,11 @@ import Testing
        defaults.set("/tmp/id_ed25519", forKey: remoteIdentityKey)
        defaults.set("/srv/clawdbot", forKey: remoteProjectRootKey)

-        let cmd = CommandResolver.clawdbotCommand(subcommand: "status", extraArgs: ["--json"], defaults: defaults)
+        let cmd = CommandResolver.clawdbotCommand(
+            subcommand: "status",
+            extraArgs: ["--json"],
+            defaults: defaults,
+            configRoot: [:])

        #expect(cmd.first == "/usr/bin/ssh")
        #expect(cmd.contains("clawd@example.com"))
--- a/apps/macos/Tests/ClawdbotIPCTests/MacNodeRuntimeTests.swift
+++ b/apps/macos/Tests/ClawdbotIPCTests/MacNodeRuntimeTests.swift
@@ -75,7 +75,7 @@ struct MacNodeRuntimeTests {
                CLLocation(latitude: 0, longitude: 0)
            }

-            func confirmSystemRun(command: String, cwd: String?) async -> SystemRunDecision {
+            func confirmSystemRun(context: SystemRunPromptContext) async -> SystemRunDecision {
                .allowOnce
            }
        }
--- a/apps/macos/Tests/ClawdbotIPCTests/SystemRunAllowlistTests.swift
+++ b/apps/macos/Tests/ClawdbotIPCTests/SystemRunAllowlistTests.swift
@@ -0,0 +1,43 @@
+import Foundation
+import Testing
+@testable import Clawdbot
+
+struct SystemRunAllowlistTests {
+    @Test func matchUsesResolvedPath() {
+        let entry = SystemRunAllowlistEntry(pattern: "/opt/homebrew/bin/rg", enabled: true, matchKind: .glob)
+        let resolution = SystemRunCommandResolution(
+            rawExecutable: "rg",
+            resolvedPath: "/opt/homebrew/bin/rg",
+            executableName: "rg",
+            cwd: nil)
+        let match = SystemRunAllowlistStore.match(
+            command: ["rg"],
+            resolution: resolution,
+            entries: [entry])
+        #expect(match?.id == entry.id)
+    }
+
+    @Test func matchUsesBasenameForSimplePattern() {
+        let entry = SystemRunAllowlistEntry(pattern: "rg", enabled: true, matchKind: .glob)
+        let resolution = SystemRunCommandResolution(
+            rawExecutable: "rg",
+            resolvedPath: "/opt/homebrew/bin/rg",
+            executableName: "rg",
+            cwd: nil)
+        let match = SystemRunAllowlistStore.match(
+            command: ["rg"],
+            resolution: resolution,
+            entries: [entry])
+        #expect(match?.id == entry.id)
+    }
+
+    @Test func matchUsesLegacyArgvKey() {
+        let key = SystemRunAllowlist.legacyKey(for: ["echo", "hi"])
+        let entry = SystemRunAllowlistEntry(pattern: key, enabled: true, matchKind: .argv)
+        let match = SystemRunAllowlistStore.match(
+            command: ["echo", "hi"],
+            resolution: nil,
+            entries: [entry])
+        #expect(match?.id == entry.id)
+    }
+}
--- a/apps/macos/Tests/ClawdbotIPCTests/UtilitiesTests.swift
+++ b/apps/macos/Tests/ClawdbotIPCTests/UtilitiesTests.swift
@@ -37,7 +37,7 @@ import Testing
        defaults.set(AppState.ConnectionMode.remote.rawValue, forKey: connectionModeKey)
        defaults.set("ssh  alice@example.com", forKey: remoteTargetKey)

-        let settings = CommandResolver.connectionSettings(defaults: defaults)
+        let settings = CommandResolver.connectionSettings(defaults: defaults, configRoot: [:])
        #expect(settings.mode == .remote)
        #expect(settings.target == "alice@example.com")
    }