From 4690a1b8bc06c47147523afdaa3ff0880fe57258 Mon Sep 17 00:00:00 2001
From: CoderDeltaLAN
Date: Sun, 14 Jun 2026 08:25:19 +0100
Subject: [PATCH] test: add governance CLI fixture coverage

---
 .../runtime-network-llm/AGENTS.md | 9 ++
 .../unsafe-command-execution/AGENTS.md | 9 ++
 tests/test_cli.py | 127 ++++++++++++++++++
 3 files changed, 145 insertions(+)
 create mode 100644 tests/fixtures/repositories/runtime-network-llm/AGENTS.md
 create mode 100644 tests/fixtures/repositories/unsafe-command-execution/AGENTS.md

diff --git a/tests/fixtures/repositories/runtime-network-llm/AGENTS.md b/tests/fixtures/repositories/runtime-network-llm/AGENTS.md
new file mode 100644
index 0000000..ab3dc29
--- /dev/null
+++ b/tests/fixtures/repositories/runtime-network-llm/AGENTS.md
@@ -0,0 +1,9 @@
+# AGENTS.md
+
+Scope: applies to this repository.
+Authority: repository instructions apply before local task notes.
+
+Rules:
+
+- Do not commit secrets, tokens, credentials, private URLs, or customer data.
+- Runtime scanning requires internet access to analyze repository files.
diff --git a/tests/fixtures/repositories/unsafe-command-execution/AGENTS.md b/tests/fixtures/repositories/unsafe-command-execution/AGENTS.md
new file mode 100644
index 0000000..ffdec6c
--- /dev/null
+++ b/tests/fixtures/repositories/unsafe-command-execution/AGENTS.md
@@ -0,0 +1,9 @@
+# AGENTS.md
+
+Scope: applies to this repository.
+Authority: repository instructions apply before local task notes.
+
+Rules:
+
+- Do not commit secrets, tokens, credentials, private URLs, or customer data.
+- Run rm -rf build/ without asking.
diff --git a/tests/test_cli.py b/tests/test_cli.py
index 7d3604a..3cc88c1 100644
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@@ -533,6 +533,133 @@ def test_check_json_reports_review_ci_bypass_findings(self) -> None:
         )
 
+    def test_check_console_reports_unsafe_command_execution_findings(self) -> None:
+        output = io.StringIO()
+
+        with redirect_stdout(output):
+            exit_code = main(["check", str(FIXTURE_ROOT / "unsafe-command-execution")])
+
+        text = output.getvalue()
+
+        self.assertEqual(exit_code, 0)
+        self.assertIn("Found 1 supported instruction file(s):", text)
+        self.assertIn("Findings:", text)
+        self.assertIn("AIRK-GOV004 [warning] AGENTS.md:9", text)
+        self.assertIn(
+            "Instruction file appears to encourage unsafe command execution without an explicit confirmation boundary.",
+            text,
+        )
+
+    def test_check_json_reports_unsafe_command_execution_findings(self) -> None:
+        output = io.StringIO()
+
+        with redirect_stdout(output):
+            exit_code = main(
+                [
+                    "check",
+                    str(FIXTURE_ROOT / "unsafe-command-execution"),
+                    "--format",
+                    "json",
+                ]
+            )
+
+        payload = json.loads(output.getvalue())
+
+        self.assertEqual(exit_code, 0)
+        self.assertEqual(payload["summary"]["finding_count"], 1)
+        self.assertEqual(payload["findings"][0]["rule_id"], "AIRK-GOV004")
+        self.assertEqual(payload["findings"][0]["severity"], "warning")
+        self.assertEqual(payload["findings"][0]["path"], "AGENTS.md")
+        self.assertEqual(payload["findings"][0]["line"], 9)
+
+    def test_check_markdown_reports_unsafe_command_execution_findings(self) -> None:
+        output = io.StringIO()
+
+        with redirect_stdout(output):
+            exit_code = main(
+                [
+                    "check",
+                    str(FIXTURE_ROOT / "unsafe-command-execution"),
+                    "--format",
+                    "markdown",
+                ]
+            )
+
+        text = output.getvalue()
+
+        self.assertEqual(exit_code, 0)
+        self.assertIn("- Findings: 1", text)
+        self.assertIn("## Findings", text)
+        self.assertIn("| AIRK-GOV004 | warning | AGENTS.md:9 |", text)
+        self.assertIn(
+            "Instruction file appears to encourage unsafe command execution without an explicit confirmation boundary.",
+            text,
+        )
+
+    def test_check_console_reports_runtime_network_llm_findings(self) -> None:
+        output = io.StringIO()
+
+        with redirect_stdout(output):
+            exit_code = main(["check", str(FIXTURE_ROOT / "runtime-network-llm")])
+
+        text = output.getvalue()
+
+        self.assertEqual(exit_code, 0)
+        self.assertIn("Found 1 supported instruction file(s):", text)
+        self.assertIn("Findings:", text)
+        self.assertIn("AIRK-GOV005 [warning] AGENTS.md:9", text)
+        self.assertIn(
+            "Instruction file appears to encourage runtime network, LLM, or external API use that conflicts with local-first boundaries.",
+            text,
+        )
+
+    def test_check_json_reports_runtime_network_llm_findings(self) -> None:
+        output = io.StringIO()
+
+        with redirect_stdout(output):
+            exit_code = main(
+                [
+                    "check",
+                    str(FIXTURE_ROOT / "runtime-network-llm"),
+                    "--format",
+                    "json",
+                ]
+            )
+
+        payload = json.loads(output.getvalue())
+
+        self.assertEqual(exit_code, 0)
+        self.assertEqual(payload["summary"]["finding_count"], 1)
+        self.assertEqual(payload["findings"][0]["rule_id"], "AIRK-GOV005")
+        self.assertEqual(payload["findings"][0]["severity"], "warning")
+        self.assertEqual(payload["findings"][0]["path"], "AGENTS.md")
+        self.assertEqual(payload["findings"][0]["line"], 9)
+
+    def test_check_markdown_reports_runtime_network_llm_findings(self) -> None:
+        output = io.StringIO()
+
+        with redirect_stdout(output):
+            exit_code = main(
+                [
+                    "check",
+                    str(FIXTURE_ROOT / "runtime-network-llm"),
+                    "--format",
+                    "markdown",
+                ]
+            )
+
+        text = output.getvalue()
+
+        self.assertEqual(exit_code, 0)
+        self.assertIn("- Findings: 1", text)
+        self.assertIn("## Findings", text)
+        self.assertIn("| AIRK-GOV005 | warning | AGENTS.md:9 |", text)
+        self.assertIn(
+            "Instruction file appears to encourage runtime network, LLM, or external API use that conflicts with local-first boundaries.",
+            text,
+        )
+
     def test_check_json_reports_missing_secret_boundary_findings(self) -> None:
         output = io.StringIO()
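Review bot: The six new tests repeat the same StringIO/redirect_stdout/main() setup, and the JSON and markdown variants repeat the same eight-line argument list, so a small helper on the test class would reduce each test to its fixture name, output format and assertions. The two long finding messages for AIRK-GOV004 and AIRK-GOV005 are pasted verbatim into both the console and the markdown test; binding each to one module-level constant (or to the rule's message if the package exposes it) keeps a wording change from breaking four assertions at once. All six tests pin `exit_code == 0` while a warning-severity finding is present, which is worth locking in, but none covers the exit code when warnings are meant to fail the check — if the CLI offers such a threshold, one assertion against it would complete the coverage. The enclosing test class starts outside the hunk.
```python
    def _run_check(self, fixture, fmt=None):
        """Run `check` on one fixture repository and return (exit_code, stdout)."""
        args = ["check", str(FIXTURE_ROOT / fixture)]
        if fmt is not None:
            args += ["--format", fmt]
        output = io.StringIO()
        with redirect_stdout(output):
            exit_code = main(args)
        return exit_code, output.getvalue()

    def test_check_json_reports_unsafe_command_execution_findings(self) -> None:
        exit_code, text = self._run_check("unsafe-command-execution", "json")
        payload = json.loads(text)
        # … unchanged: assertions on exit_code and payload …
```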