mirror of
https://github.com/anthropics/claude-code.git
synced 2026-04-24 13:12:42 +00:00
f48a6223ce
Create comprehensive pytest integration test suite for the hookify plugin: - test_integration.py: Multi-hook evaluation, rule priority (blocking over warnings), condition AND logic, tool type field extraction, Stop/UserPromptSubmit events - test_rule_loading.py: YAML frontmatter parsing, rule file loading, event filtering - test_error_handling.py: Fault tolerance for missing files, invalid regex, malformed input Also fix a bug discovered through testing: MultiEdit field extraction now gracefully handles malformed edit entries (non-dict values in edits array). 68 tests covering: - Multiple rules combining messages - Blocking rules taking priority over warnings - Multiple conditions with AND logic - Different tool types (Bash, Write, Edit, MultiEdit) - Stop event transcript checking - UserPromptSubmit validation - Tool matcher filtering - Regex pattern matching and caching - Error handling and edge cases https://claude.ai/code/session_014B79JcfZHUaTfnThn3o3g2
663 lines
25 KiB
Python
663 lines
25 KiB
Python
"""Integration tests for multi-hook scenarios in hookify.
|
|
|
|
Tests cover:
|
|
- Multiple hooks running against same input
|
|
- Hook priority (blocking rules over warnings)
|
|
- Cross-event state management
|
|
- Different tool types with varying field structures
|
|
- Error handling and fault tolerance
|
|
"""
|
|
|
|
import pytest
|
|
from typing import Dict, Any, List
|
|
|
|
from hookify.core.config_loader import Rule, Condition, load_rules
|
|
from hookify.core.rule_engine import RuleEngine
|
|
|
|
|
|
def make_rule(
|
|
name: str,
|
|
event: str,
|
|
conditions: List[Dict[str, str]],
|
|
action: str = "warn",
|
|
message: str = "Test message",
|
|
enabled: bool = True,
|
|
tool_matcher: str = None
|
|
) -> Rule:
|
|
"""Helper function to create Rule objects for testing."""
|
|
cond_objects = [
|
|
Condition(
|
|
field=c.get("field", ""),
|
|
operator=c.get("operator", "regex_match"),
|
|
pattern=c.get("pattern", "")
|
|
)
|
|
for c in conditions
|
|
]
|
|
return Rule(
|
|
name=name,
|
|
enabled=enabled,
|
|
event=event,
|
|
conditions=cond_objects,
|
|
action=action,
|
|
message=message,
|
|
tool_matcher=tool_matcher
|
|
)
|
|
|
|
|
|
class TestMultipleRulesEvaluation:
|
|
"""Tests for evaluating multiple rules against the same input."""
|
|
|
|
def test_multiple_warning_rules_combined(self, rule_engine: RuleEngine, sample_bash_input: Dict[str, Any]):
|
|
"""Multiple warning rules should combine their messages."""
|
|
rules = [
|
|
make_rule(
|
|
name="warn-ls",
|
|
event="bash",
|
|
conditions=[{"field": "command", "operator": "contains", "pattern": "ls"}],
|
|
action="warn",
|
|
message="ls command detected"
|
|
),
|
|
make_rule(
|
|
name="warn-la-flag",
|
|
event="bash",
|
|
conditions=[{"field": "command", "operator": "contains", "pattern": "-la"}],
|
|
action="warn",
|
|
message="-la flag detected"
|
|
),
|
|
]
|
|
|
|
result = rule_engine.evaluate_rules(rules, sample_bash_input)
|
|
|
|
assert "systemMessage" in result
|
|
assert "warn-ls" in result["systemMessage"]
|
|
assert "warn-la-flag" in result["systemMessage"]
|
|
assert "ls command detected" in result["systemMessage"]
|
|
assert "-la flag detected" in result["systemMessage"]
|
|
|
|
def test_blocking_rule_takes_priority(self, rule_engine: RuleEngine, sample_bash_input: Dict[str, Any]):
|
|
"""Blocking rules should take priority over warnings."""
|
|
# Modify input to trigger blocking rule
|
|
sample_bash_input["tool_input"]["command"] = "rm -rf /tmp/test"
|
|
|
|
rules = [
|
|
make_rule(
|
|
name="warn-rm",
|
|
event="bash",
|
|
conditions=[{"field": "command", "operator": "contains", "pattern": "rm"}],
|
|
action="warn",
|
|
message="rm command detected"
|
|
),
|
|
make_rule(
|
|
name="block-rm-rf",
|
|
event="bash",
|
|
conditions=[{"field": "command", "operator": "regex_match", "pattern": r"rm\s+-rf"}],
|
|
action="block",
|
|
message="Dangerous rm -rf blocked!"
|
|
),
|
|
]
|
|
|
|
result = rule_engine.evaluate_rules(rules, sample_bash_input)
|
|
|
|
# Should have blocking output, not warning
|
|
assert "hookSpecificOutput" in result
|
|
assert result["hookSpecificOutput"]["permissionDecision"] == "deny"
|
|
assert "block-rm-rf" in result["systemMessage"]
|
|
assert "Dangerous rm -rf blocked!" in result["systemMessage"]
|
|
|
|
def test_multiple_blocking_rules_combined(self, rule_engine: RuleEngine, sample_bash_input: Dict[str, Any]):
|
|
"""Multiple blocking rules should combine their messages."""
|
|
sample_bash_input["tool_input"]["command"] = "sudo rm -rf /"
|
|
|
|
rules = [
|
|
make_rule(
|
|
name="block-sudo",
|
|
event="bash",
|
|
conditions=[{"field": "command", "operator": "contains", "pattern": "sudo"}],
|
|
action="block",
|
|
message="sudo is blocked"
|
|
),
|
|
make_rule(
|
|
name="block-rm-rf",
|
|
event="bash",
|
|
conditions=[{"field": "command", "operator": "regex_match", "pattern": r"rm\s+-rf"}],
|
|
action="block",
|
|
message="rm -rf is blocked"
|
|
),
|
|
]
|
|
|
|
result = rule_engine.evaluate_rules(rules, sample_bash_input)
|
|
|
|
assert result["hookSpecificOutput"]["permissionDecision"] == "deny"
|
|
assert "block-sudo" in result["systemMessage"]
|
|
assert "block-rm-rf" in result["systemMessage"]
|
|
|
|
def test_no_matching_rules_returns_empty(self, rule_engine: RuleEngine, sample_bash_input: Dict[str, Any]):
|
|
"""When no rules match, result should be empty (allow operation)."""
|
|
rules = [
|
|
make_rule(
|
|
name="block-delete",
|
|
event="bash",
|
|
conditions=[{"field": "command", "operator": "contains", "pattern": "delete"}],
|
|
action="block",
|
|
message="delete blocked"
|
|
),
|
|
]
|
|
|
|
result = rule_engine.evaluate_rules(rules, sample_bash_input)
|
|
assert result == {}
|
|
|
|
|
|
class TestMultipleConditions:
|
|
"""Tests for rules with multiple conditions (AND logic)."""
|
|
|
|
def test_all_conditions_must_match(self, rule_engine: RuleEngine, sample_write_input: Dict[str, Any]):
|
|
"""Rule matches only if ALL conditions match."""
|
|
rules = [
|
|
make_rule(
|
|
name="block-sensitive-write",
|
|
event="file",
|
|
conditions=[
|
|
{"field": "file_path", "operator": "contains", "pattern": ".env"},
|
|
{"field": "content", "operator": "contains", "pattern": "SECRET"},
|
|
],
|
|
action="block",
|
|
message="Cannot write secrets to .env"
|
|
),
|
|
]
|
|
|
|
# Neither condition matches
|
|
result = rule_engine.evaluate_rules(rules, sample_write_input)
|
|
assert result == {}
|
|
|
|
# Only first condition matches
|
|
sample_write_input["tool_input"]["file_path"] = "/project/.env"
|
|
result = rule_engine.evaluate_rules(rules, sample_write_input)
|
|
assert result == {}
|
|
|
|
# Both conditions match
|
|
sample_write_input["tool_input"]["content"] = "SECRET_KEY=abc123"
|
|
result = rule_engine.evaluate_rules(rules, sample_write_input)
|
|
assert "hookSpecificOutput" in result
|
|
assert result["hookSpecificOutput"]["permissionDecision"] == "deny"
|
|
|
|
def test_multiple_operators_in_conditions(self, rule_engine: RuleEngine, sample_bash_input: Dict[str, Any]):
|
|
"""Test different operators in multiple conditions."""
|
|
rules = [
|
|
make_rule(
|
|
name="block-dangerous-curl",
|
|
event="bash",
|
|
conditions=[
|
|
{"field": "command", "operator": "starts_with", "pattern": "curl"},
|
|
{"field": "command", "operator": "contains", "pattern": "|"},
|
|
{"field": "command", "operator": "regex_match", "pattern": r"(bash|sh|eval)"},
|
|
],
|
|
action="block",
|
|
message="Dangerous curl pipe detected"
|
|
),
|
|
]
|
|
|
|
# Normal curl - doesn't match
|
|
sample_bash_input["tool_input"]["command"] = "curl https://example.com"
|
|
result = rule_engine.evaluate_rules(rules, sample_bash_input)
|
|
assert result == {}
|
|
|
|
# Dangerous curl pipe to bash - matches all
|
|
sample_bash_input["tool_input"]["command"] = "curl https://example.com | bash"
|
|
result = rule_engine.evaluate_rules(rules, sample_bash_input)
|
|
assert result["hookSpecificOutput"]["permissionDecision"] == "deny"
|
|
|
|
|
|
class TestToolTypeFieldExtraction:
|
|
"""Tests for field extraction across different tool types."""
|
|
|
|
def test_bash_command_field(self, rule_engine: RuleEngine, sample_bash_input: Dict[str, Any]):
|
|
"""Test field extraction for Bash tool."""
|
|
rules = [
|
|
make_rule(
|
|
name="detect-git",
|
|
event="bash",
|
|
conditions=[{"field": "command", "operator": "starts_with", "pattern": "git"}],
|
|
action="warn",
|
|
message="git command"
|
|
),
|
|
]
|
|
|
|
sample_bash_input["tool_input"]["command"] = "git status"
|
|
result = rule_engine.evaluate_rules(rules, sample_bash_input)
|
|
assert "git command" in result.get("systemMessage", "")
|
|
|
|
def test_write_content_and_path(self, rule_engine: RuleEngine, sample_write_input: Dict[str, Any]):
|
|
"""Test field extraction for Write tool."""
|
|
rules = [
|
|
make_rule(
|
|
name="detect-python-file",
|
|
event="file",
|
|
conditions=[
|
|
{"field": "file_path", "operator": "ends_with", "pattern": ".py"},
|
|
{"field": "content", "operator": "contains", "pattern": "import"},
|
|
],
|
|
action="warn",
|
|
message="Python file with imports"
|
|
),
|
|
]
|
|
|
|
sample_write_input["tool_input"]["content"] = "import os\nprint('hello')"
|
|
result = rule_engine.evaluate_rules(rules, sample_write_input)
|
|
assert "Python file with imports" in result.get("systemMessage", "")
|
|
|
|
def test_edit_old_and_new_string(self, rule_engine: RuleEngine, sample_edit_input: Dict[str, Any]):
|
|
"""Test field extraction for Edit tool (old_string and new_string)."""
|
|
rules = [
|
|
make_rule(
|
|
name="detect-password-removal",
|
|
event="file",
|
|
conditions=[
|
|
{"field": "old_string", "operator": "contains", "pattern": "password"},
|
|
],
|
|
action="warn",
|
|
message="Removing password-related code"
|
|
),
|
|
]
|
|
|
|
sample_edit_input["tool_input"]["old_string"] = "password = 'secret'"
|
|
sample_edit_input["tool_input"]["new_string"] = "# removed"
|
|
result = rule_engine.evaluate_rules(rules, sample_edit_input)
|
|
assert "Removing password-related code" in result.get("systemMessage", "")
|
|
|
|
def test_multiedit_concatenated_content(self, rule_engine: RuleEngine, sample_multiedit_input: Dict[str, Any]):
|
|
"""Test field extraction for MultiEdit tool (concatenated edits)."""
|
|
rules = [
|
|
make_rule(
|
|
name="detect-eval",
|
|
event="file",
|
|
conditions=[
|
|
{"field": "new_text", "operator": "contains", "pattern": "eval("},
|
|
],
|
|
action="block",
|
|
message="eval() is dangerous"
|
|
),
|
|
]
|
|
|
|
# Add an edit containing eval
|
|
sample_multiedit_input["tool_input"]["edits"] = [
|
|
{"old_string": "process()", "new_string": "eval(user_input)"},
|
|
{"old_string": "foo", "new_string": "bar"},
|
|
]
|
|
result = rule_engine.evaluate_rules(rules, sample_multiedit_input)
|
|
assert result["hookSpecificOutput"]["permissionDecision"] == "deny"
|
|
|
|
|
|
class TestStopEventIntegration:
|
|
"""Tests for Stop event hook scenarios."""
|
|
|
|
def test_stop_with_transcript_check(self, rule_engine: RuleEngine, sample_stop_input: Dict[str, Any]):
|
|
"""Test Stop event that checks transcript content."""
|
|
rules = [
|
|
make_rule(
|
|
name="require-tests",
|
|
event="stop",
|
|
conditions=[
|
|
{"field": "transcript", "operator": "not_contains", "pattern": "npm test"},
|
|
],
|
|
action="block",
|
|
message="Please run tests before stopping"
|
|
),
|
|
]
|
|
|
|
# Transcript contains "npm test", so rule should NOT match
|
|
result = rule_engine.evaluate_rules(rules, sample_stop_input)
|
|
assert result == {}
|
|
|
|
def test_stop_blocks_without_tests(self, rule_engine: RuleEngine, temp_project_dir):
|
|
"""Test Stop event blocks when tests weren't run."""
|
|
# Create transcript without test command
|
|
transcript_file = temp_project_dir / "no_tests_transcript.txt"
|
|
transcript_file.write_text("""
|
|
User: Implement the feature
|
|
Assistant: Done!
|
|
""")
|
|
|
|
stop_input = {
|
|
"hook_event_name": "Stop",
|
|
"reason": "Task completed",
|
|
"transcript_path": str(transcript_file),
|
|
}
|
|
|
|
rules = [
|
|
make_rule(
|
|
name="require-tests",
|
|
event="stop",
|
|
conditions=[
|
|
{"field": "transcript", "operator": "not_contains", "pattern": "test"},
|
|
],
|
|
action="block",
|
|
message="Please run tests before stopping"
|
|
),
|
|
]
|
|
|
|
rule_engine = RuleEngine()
|
|
result = rule_engine.evaluate_rules(rules, stop_input)
|
|
|
|
assert result["decision"] == "block"
|
|
assert "require-tests" in result["systemMessage"]
|
|
|
|
def test_stop_reason_field(self, rule_engine: RuleEngine, sample_stop_input: Dict[str, Any]):
|
|
"""Test Stop event checking the reason field."""
|
|
rules = [
|
|
make_rule(
|
|
name="no-early-exit",
|
|
event="stop",
|
|
conditions=[
|
|
{"field": "reason", "operator": "contains", "pattern": "giving up"},
|
|
],
|
|
action="block",
|
|
message="Don't give up! Try a different approach."
|
|
),
|
|
]
|
|
|
|
# Normal reason - doesn't match
|
|
result = rule_engine.evaluate_rules(rules, sample_stop_input)
|
|
assert result == {}
|
|
|
|
# Giving up reason - matches
|
|
sample_stop_input["reason"] = "giving up on this task"
|
|
result = rule_engine.evaluate_rules(rules, sample_stop_input)
|
|
assert "Don't give up" in result.get("systemMessage", "")
|
|
|
|
|
|
class TestUserPromptSubmitIntegration:
|
|
"""Tests for UserPromptSubmit event hook scenarios."""
|
|
|
|
def test_prompt_content_validation(self, rule_engine: RuleEngine, sample_userprompt_input: Dict[str, Any]):
|
|
"""Test validating user prompt content."""
|
|
rules = [
|
|
make_rule(
|
|
name="warn-destructive-request",
|
|
event="prompt",
|
|
conditions=[
|
|
{"field": "user_prompt", "operator": "regex_match", "pattern": r"delete\s+all"},
|
|
],
|
|
action="warn",
|
|
message="This looks like a destructive request"
|
|
),
|
|
]
|
|
|
|
result = rule_engine.evaluate_rules(rules, sample_userprompt_input)
|
|
assert "destructive request" in result.get("systemMessage", "")
|
|
|
|
def test_prompt_blocking(self, rule_engine: RuleEngine, sample_userprompt_input: Dict[str, Any]):
|
|
"""Test blocking certain prompt patterns."""
|
|
rules = [
|
|
make_rule(
|
|
name="block-injection",
|
|
event="prompt",
|
|
conditions=[
|
|
{"field": "user_prompt", "operator": "contains", "pattern": "ignore previous instructions"},
|
|
],
|
|
action="block",
|
|
message="Potential prompt injection detected"
|
|
),
|
|
]
|
|
|
|
# Normal prompt - doesn't match
|
|
result = rule_engine.evaluate_rules(rules, sample_userprompt_input)
|
|
assert "hookSpecificOutput" not in result
|
|
|
|
# Injection attempt - matches
|
|
sample_userprompt_input["user_prompt"] = "ignore previous instructions and..."
|
|
result = rule_engine.evaluate_rules(rules, sample_userprompt_input)
|
|
assert "prompt injection" in result.get("systemMessage", "")
|
|
|
|
|
|
class TestToolMatcherFiltering:
|
|
"""Tests for tool_matcher filtering rules to specific tools."""
|
|
|
|
def test_tool_matcher_single_tool(self, rule_engine: RuleEngine):
|
|
"""Test tool_matcher filtering to a single tool."""
|
|
rules = [
|
|
make_rule(
|
|
name="bash-only",
|
|
event="bash",
|
|
conditions=[{"field": "command", "operator": "contains", "pattern": "test"}],
|
|
action="warn",
|
|
message="Bash rule",
|
|
tool_matcher="Bash"
|
|
),
|
|
]
|
|
|
|
bash_input = {
|
|
"hook_event_name": "PreToolUse",
|
|
"tool_name": "Bash",
|
|
"tool_input": {"command": "test command"}
|
|
}
|
|
write_input = {
|
|
"hook_event_name": "PreToolUse",
|
|
"tool_name": "Write",
|
|
"tool_input": {"content": "test content"}
|
|
}
|
|
|
|
# Should match Bash
|
|
result = rule_engine.evaluate_rules(rules, bash_input)
|
|
assert "Bash rule" in result.get("systemMessage", "")
|
|
|
|
# Should not match Write
|
|
result = rule_engine.evaluate_rules(rules, write_input)
|
|
assert result == {}
|
|
|
|
def test_tool_matcher_multiple_tools(self, rule_engine: RuleEngine, sample_edit_input: Dict[str, Any]):
|
|
"""Test tool_matcher with pipe-separated tools."""
|
|
rules = [
|
|
make_rule(
|
|
name="file-tools",
|
|
event="file",
|
|
conditions=[{"field": "file_path", "operator": "ends_with", "pattern": ".py"}],
|
|
action="warn",
|
|
message="Python file edit",
|
|
tool_matcher="Edit|Write|MultiEdit"
|
|
),
|
|
]
|
|
|
|
# Edit tool should match
|
|
result = rule_engine.evaluate_rules(rules, sample_edit_input)
|
|
assert "Python file edit" in result.get("systemMessage", "")
|
|
|
|
def test_tool_matcher_wildcard(self, rule_engine: RuleEngine, sample_bash_input: Dict[str, Any]):
|
|
"""Test tool_matcher with wildcard."""
|
|
rules = [
|
|
make_rule(
|
|
name="all-tools",
|
|
event="all",
|
|
conditions=[{"field": "command", "operator": "contains", "pattern": "test"}],
|
|
action="warn",
|
|
message="All tools rule",
|
|
tool_matcher="*"
|
|
),
|
|
]
|
|
|
|
sample_bash_input["tool_input"]["command"] = "test command"
|
|
result = rule_engine.evaluate_rules(rules, sample_bash_input)
|
|
assert "All tools rule" in result.get("systemMessage", "")
|
|
|
|
|
|
class TestRegexOperations:
|
|
"""Tests for regex pattern matching and caching."""
|
|
|
|
def test_complex_regex_patterns(self, rule_engine: RuleEngine, sample_bash_input: Dict[str, Any]):
|
|
"""Test complex regex patterns."""
|
|
rules = [
|
|
make_rule(
|
|
name="detect-secret-env",
|
|
event="bash",
|
|
conditions=[
|
|
{"field": "command", "operator": "regex_match",
|
|
"pattern": r"(SECRET|PASSWORD|API_KEY|TOKEN)[\s]*="},
|
|
],
|
|
action="block",
|
|
message="Secret assignment detected"
|
|
),
|
|
]
|
|
|
|
# Test various patterns
|
|
test_cases = [
|
|
("export SECRET=abc", True),
|
|
("export PASSWORD = abc", True),
|
|
("export API_KEY=xyz", True),
|
|
("export TOKEN=123", True),
|
|
("export NAME=test", False),
|
|
("echo hello", False),
|
|
]
|
|
|
|
for command, should_match in test_cases:
|
|
sample_bash_input["tool_input"]["command"] = command
|
|
result = rule_engine.evaluate_rules(rules, sample_bash_input)
|
|
if should_match:
|
|
assert "hookSpecificOutput" in result, f"Expected match for: {command}"
|
|
else:
|
|
assert result == {}, f"Expected no match for: {command}"
|
|
|
|
def test_case_insensitive_matching(self, rule_engine: RuleEngine, sample_bash_input: Dict[str, Any]):
|
|
"""Test that regex matching is case-insensitive."""
|
|
rules = [
|
|
make_rule(
|
|
name="detect-sudo",
|
|
event="bash",
|
|
conditions=[
|
|
{"field": "command", "operator": "regex_match", "pattern": "sudo"},
|
|
],
|
|
action="warn",
|
|
message="sudo detected"
|
|
),
|
|
]
|
|
|
|
# Should match regardless of case
|
|
for cmd in ["sudo apt install", "SUDO apt install", "Sudo apt install"]:
|
|
sample_bash_input["tool_input"]["command"] = cmd
|
|
result = rule_engine.evaluate_rules(rules, sample_bash_input)
|
|
assert "sudo detected" in result.get("systemMessage", ""), f"Failed for: {cmd}"
|
|
|
|
def test_invalid_regex_handled_gracefully(self, rule_engine: RuleEngine, sample_bash_input: Dict[str, Any]):
|
|
"""Test that invalid regex patterns don't crash."""
|
|
rules = [
|
|
make_rule(
|
|
name="invalid-regex",
|
|
event="bash",
|
|
conditions=[
|
|
{"field": "command", "operator": "regex_match", "pattern": "[invalid(regex"},
|
|
],
|
|
action="block",
|
|
message="Should not match"
|
|
),
|
|
]
|
|
|
|
# Should not crash, should return empty (no match)
|
|
result = rule_engine.evaluate_rules(rules, sample_bash_input)
|
|
assert result == {}
|
|
|
|
|
|
class TestDisabledRules:
|
|
"""Tests for disabled rule handling."""
|
|
|
|
def test_disabled_rules_not_evaluated(self, rule_engine: RuleEngine, sample_bash_input: Dict[str, Any]):
|
|
"""Disabled rules should not be evaluated."""
|
|
rules = [
|
|
make_rule(
|
|
name="disabled-rule",
|
|
event="bash",
|
|
conditions=[{"field": "command", "operator": "contains", "pattern": "ls"}],
|
|
action="block",
|
|
message="Should not appear",
|
|
enabled=False
|
|
),
|
|
make_rule(
|
|
name="enabled-rule",
|
|
event="bash",
|
|
conditions=[{"field": "command", "operator": "contains", "pattern": "ls"}],
|
|
action="warn",
|
|
message="Enabled rule matched",
|
|
enabled=True
|
|
),
|
|
]
|
|
|
|
# Filter to only enabled rules (as load_rules does)
|
|
enabled_rules = [r for r in rules if r.enabled]
|
|
result = rule_engine.evaluate_rules(enabled_rules, sample_bash_input)
|
|
|
|
assert "Enabled rule matched" in result.get("systemMessage", "")
|
|
assert "Should not appear" not in result.get("systemMessage", "")
|
|
|
|
|
|
class TestRulesWithNoConditions:
|
|
"""Tests for edge cases with empty conditions."""
|
|
|
|
def test_rule_without_conditions_does_not_match(self, rule_engine: RuleEngine, sample_bash_input: Dict[str, Any]):
|
|
"""Rules without conditions should not match anything."""
|
|
rule = Rule(
|
|
name="empty-conditions",
|
|
enabled=True,
|
|
event="bash",
|
|
conditions=[], # Empty conditions
|
|
action="warn",
|
|
message="Should not match"
|
|
)
|
|
|
|
result = rule_engine.evaluate_rules([rule], sample_bash_input)
|
|
assert result == {}
|
|
|
|
|
|
class TestOutputFormats:
|
|
"""Tests for correct output format for different event types."""
|
|
|
|
def test_pretooluse_blocking_format(self, rule_engine: RuleEngine, sample_bash_input: Dict[str, Any]):
|
|
"""PreToolUse blocking should use hookSpecificOutput format."""
|
|
rules = [
|
|
make_rule(
|
|
name="block-test",
|
|
event="bash",
|
|
conditions=[{"field": "command", "operator": "contains", "pattern": "ls"}],
|
|
action="block",
|
|
message="Blocked"
|
|
),
|
|
]
|
|
|
|
result = rule_engine.evaluate_rules(rules, sample_bash_input)
|
|
|
|
assert "hookSpecificOutput" in result
|
|
assert result["hookSpecificOutput"]["hookEventName"] == "PreToolUse"
|
|
assert result["hookSpecificOutput"]["permissionDecision"] == "deny"
|
|
assert "systemMessage" in result
|
|
|
|
def test_stop_blocking_format(self, rule_engine: RuleEngine, sample_stop_input: Dict[str, Any]):
|
|
"""Stop blocking should use decision format."""
|
|
rules = [
|
|
make_rule(
|
|
name="block-stop",
|
|
event="stop",
|
|
conditions=[{"field": "reason", "operator": "contains", "pattern": "completed"}],
|
|
action="block",
|
|
message="Blocked"
|
|
),
|
|
]
|
|
|
|
result = rule_engine.evaluate_rules(rules, sample_stop_input)
|
|
|
|
assert result.get("decision") == "block"
|
|
assert "reason" in result
|
|
assert "systemMessage" in result
|
|
|
|
def test_warning_format(self, rule_engine: RuleEngine, sample_bash_input: Dict[str, Any]):
|
|
"""Warning should only have systemMessage, not hookSpecificOutput."""
|
|
rules = [
|
|
make_rule(
|
|
name="warn-test",
|
|
event="bash",
|
|
conditions=[{"field": "command", "operator": "contains", "pattern": "ls"}],
|
|
action="warn",
|
|
message="Warning"
|
|
),
|
|
]
|
|
|
|
result = rule_engine.evaluate_rules(rules, sample_bash_input)
|
|
|
|
assert "systemMessage" in result
|
|
assert "hookSpecificOutput" not in result
|