fix: treat null exec policy as unset

This commit is contained in:
Gustavo Madeira Santana
2026-04-02 00:55:20 -04:00
parent 74d0274459
commit 974945a9f0
2 changed files with 46 additions and 4 deletions

View File

@@ -207,6 +207,48 @@ describe("exec approvals invalid explicit policy fallback", () => {
askFallback: "defaults.askFallback",
});
});
it("treats null explicit agent fields as unset and still considers wildcard", () => {
const resolved = resolveExecApprovalsFromFile({
file: {
version: 1,
defaults: {
security: "full",
ask: "off",
askFallback: "full",
},
agents: {
"*": {
security: "deny",
ask: "always",
askFallback: "deny",
},
runner: {
security: null as unknown as ExecApprovalsAgent["security"],
ask: null as unknown as ExecApprovalsAgent["ask"],
askFallback: null as unknown as ExecApprovalsAgent["askFallback"],
},
},
},
agentId: "runner",
overrides: {
security: "full",
ask: "off",
askFallback: "full",
},
});
expect(resolved.agent).toMatchObject({
security: "deny",
ask: "always",
askFallback: "deny",
});
expect(resolved.agentSources).toEqual({
security: "agents.*.security",
ask: "agents.*.ask",
askFallback: "agents.*.askFallback",
});
});
});
describe("normalizeExecApprovals handles string allowlist entries (#9790)", () => {

View File

@@ -493,7 +493,7 @@ function resolveAgentSecurityField(params: {
fallback: params.fallback,
});
const agentValue = params.agent[params.field];
if (agentValue !== undefined) {
if (agentValue != null) {
if (isExecSecurity(agentValue)) {
return {
value: agentValue,
@@ -503,7 +503,7 @@ function resolveAgentSecurityField(params: {
return fallbackField;
}
const wildcardValue = params.wildcard[params.field];
if (wildcardValue !== undefined) {
if (wildcardValue != null) {
if (isExecSecurity(wildcardValue)) {
return {
value: wildcardValue,
@@ -526,7 +526,7 @@ function resolveAgentAskField(params: {
defaults: params.defaults,
fallback: params.fallback,
});
if (params.agent.ask !== undefined) {
if (params.agent.ask != null) {
if (isExecAsk(params.agent.ask)) {
return {
value: params.agent.ask,
@@ -535,7 +535,7 @@ function resolveAgentAskField(params: {
}
return fallbackField;
}
if (params.wildcard.ask !== undefined) {
if (params.wildcard.ask != null) {
if (isExecAsk(params.wildcard.ask)) {
return {
value: params.wildcard.ask,