fix: treat null exec policy as unset

2026-04-23 14:45:46 +00:00 · 2026-04-02 00:55:20 -04:00
parent 74d0274459
commit 974945a9f0
2 changed files with 46 additions and 4 deletions
--- a/src/infra/exec-approvals-config.test.ts
+++ b/src/infra/exec-approvals-config.test.ts
@@ -207,6 +207,48 @@ describe("exec approvals invalid explicit policy fallback", () => {
      askFallback: "defaults.askFallback",
    });
  });
+
+  it("treats null explicit agent fields as unset and still considers wildcard", () => {
+    const resolved = resolveExecApprovalsFromFile({
+      file: {
+        version: 1,
+        defaults: {
+          security: "full",
+          ask: "off",
+          askFallback: "full",
+        },
+        agents: {
+          "*": {
+            security: "deny",
+            ask: "always",
+            askFallback: "deny",
+          },
+          runner: {
+            security: null as unknown as ExecApprovalsAgent["security"],
+            ask: null as unknown as ExecApprovalsAgent["ask"],
+            askFallback: null as unknown as ExecApprovalsAgent["askFallback"],
+          },
+        },
+      },
+      agentId: "runner",
+      overrides: {
+        security: "full",
+        ask: "off",
+        askFallback: "full",
+      },
+    });
+
+    expect(resolved.agent).toMatchObject({
+      security: "deny",
+      ask: "always",
+      askFallback: "deny",
+    });
+    expect(resolved.agentSources).toEqual({
+      security: "agents.*.security",
+      ask: "agents.*.ask",
+      askFallback: "agents.*.askFallback",
+    });
+  });
 });

 describe("normalizeExecApprovals handles string allowlist entries (#9790)", () => {
--- a/src/infra/exec-approvals.ts
+++ b/src/infra/exec-approvals.ts
@@ -493,7 +493,7 @@ function resolveAgentSecurityField(params: {
    fallback: params.fallback,
  });
  const agentValue = params.agent[params.field];
-  if (agentValue !== undefined) {
+  if (agentValue != null) {
    if (isExecSecurity(agentValue)) {
      return {
        value: agentValue,
@@ -503,7 +503,7 @@ function resolveAgentSecurityField(params: {
    return fallbackField;
  }
  const wildcardValue = params.wildcard[params.field];
-  if (wildcardValue !== undefined) {
+  if (wildcardValue != null) {
    if (isExecSecurity(wildcardValue)) {
      return {
        value: wildcardValue,
@@ -526,7 +526,7 @@ function resolveAgentAskField(params: {
    defaults: params.defaults,
    fallback: params.fallback,
  });
-  if (params.agent.ask !== undefined) {
+  if (params.agent.ask != null) {
    if (isExecAsk(params.agent.ask)) {
      return {
        value: params.agent.ask,
@@ -535,7 +535,7 @@ function resolveAgentAskField(params: {
    }
    return fallbackField;
  }
-  if (params.wildcard.ask !== undefined) {
+  if (params.wildcard.ask != null) {
    if (isExecAsk(params.wildcard.ask)) {
      return {
        value: params.wildcard.ask,