didericis
249e8cc15e
- Delete tests/unit/test_ssh_gate.py and the fixture_with_ssh helpers. - test_pipelock_yaml: drop the ssh-leak guard (structurally impossible now); the remaining tests switch to fixture_minimal. - test_pipelock_allowlist: rewrite the union/dedup test to exercise an egress.allowlist that duplicates a baked default (the property the ssh-leak assertion was hitching onto). - test_manifest_git: shadow-route assertion becomes a legacy-ssh- dies-with-hint assertion, since bottle.ssh is now parse-fail. - test_orphan_cleanup: drop the SSHGate.stop idempotency check; pipelock equivalent stays. - test_dry_run_plan: drop assertions on the removed ssh_hosts / ssh_gate keys. 52 unit tests pass.
37 lines
1.3 KiB
Python
37 lines
1.3 KiB
Python
"""Unit: pipelock_effective_allowlist — the union of baked-in defaults
|
|
and bottle.egress.allowlist. Git upstreams declared in bottle.git do not
|
|
contribute here; they flow through the per-agent git-gate (PRD 0008)."""
|
|
|
|
import unittest
|
|
|
|
from claude_bottle.manifest import Manifest
|
|
from claude_bottle.pipelock import pipelock_effective_allowlist
|
|
|
|
|
|
class TestEffectiveAllowlist(unittest.TestCase):
|
|
def test_union_and_dedup(self):
|
|
manifest = Manifest.from_json_obj({
|
|
"bottles": {
|
|
"dev": {
|
|
"egress": {
|
|
"allowlist": [
|
|
"registry.npmjs.org",
|
|
# Duplicate of a baked default; the union
|
|
# must dedupe.
|
|
"api.anthropic.com",
|
|
],
|
|
},
|
|
},
|
|
},
|
|
"agents": {"demo": {"skills": [], "prompt": "", "bottle": "dev"}},
|
|
})
|
|
eff = pipelock_effective_allowlist(manifest.bottles["dev"])
|
|
self.assertIn("api.anthropic.com", eff, "baked default present")
|
|
self.assertIn("registry.npmjs.org", eff, "egress.allowlist present")
|
|
self.assertEqual(len(eff), len(set(eff)), "deduplicated")
|
|
self.assertEqual(eff, sorted(eff), "sorted")
|
|
|
|
|
|
if __name__ == "__main__":
|
|
unittest.main()
|