test: cover PolicyFabric local hook

mdheller · mdheller · commit dfcd78eb79ac · 2026-05-05T13:47:25.000-04:00
diff --git a/tests/test_policy_hook.py b/tests/test_policy_hook.py
@@ -0,0 +1,41 @@
+from __future__ import annotations
+
+from sourceos_syncd.policy import PolicyRequest, decision_counts, evaluate_policy, evaluate_report_policy
+from sourceos_syncd.store_reports import init_store, snapshot_from_store
+
+
+def test_secure_lane_agent_access_is_denied():
+    decision = evaluate_policy(PolicyRequest(action="agent_access", lane="secure"))
+    assert decision.status == "denied"
+    assert decision.reason == "secure_lane_requires_explicit_grant"
+
+
+def test_secure_lane_indexing_is_redacted():
+    decision = evaluate_policy(PolicyRequest(action="index", lane="secure"))
+    assert decision.status == "redacted"
+    assert decision.reason == "secure_lane_indexing_requires_redaction"
+
+
+def test_unknown_action_is_deferred():
+    decision = evaluate_policy(PolicyRequest(action="unknown", lane="normal"))
+    assert decision.status == "deferred"
+    assert decision.reason == "unknown_action"
+
+
+def test_report_policy_counts_include_all_statuses():
+    lanes = [{"name": "normal"}, {"name": "secure"}, {"name": "repair"}, {"name": "ephemeral"}]
+    decisions = evaluate_report_policy(lanes)
+    counts = decision_counts(decisions)
+    assert counts["allowed"] > 0
+    assert counts["denied"] > 0
+    assert counts["redacted"] > 0
+    assert counts["deferred"] > 0
+
+
+def test_store_backed_snapshot_includes_policy_summary(tmp_path):
+    init_store(tmp_path)
+    report = snapshot_from_store(tmp_path)
+    assert report["policy"]["policy_engine"] == "policy-fabric-local-stub"
+    assert report["policy"]["policy_version"] == "v0.1.0-local-stub"
+    assert report["diagnosis"]["policy"]["engine"] == "policy-fabric-local-stub"
+    assert report["diagnosis"]["policy"]["counts"]["allowed"] > 0
