#[cfg(test)]
mod tests {
use destructive_command_guard::config::Config;
use destructive_command_guard::evaluator::evaluate_command;
use destructive_command_guard::load_default_allowlists;
use destructive_command_guard::packs::REGISTRY;
use std::collections::HashSet;
fn get_evaluator_args() -> (
Config,
Vec<&'static str>,
destructive_command_guard::config::CompiledOverrides,
destructive_command_guard::allowlist::LayeredAllowlist,
) {
let config = Config::default();
let mut enabled = HashSet::new();
enabled.insert("core.git".to_string());
enabled.insert("core.filesystem".to_string());
let keywords = REGISTRY.collect_enabled_keywords(&enabled);
let overrides = config.overrides.compile();
let allowlists = load_default_allowlists();
(config, keywords, overrides, allowlists)
}
#[test]
fn test_substring_false_positive_git() {
let (config, keywords, overrides, allowlists) = get_evaluator_args();
let cmd = "digit reset --hard";
let result = evaluate_command(cmd, &config, &keywords, &overrides, &allowlists);
assert!(
result.is_allowed(),
"digit reset --hard should be allowed, but was blocked: {:?}",
result.pattern_info
);
}
#[test]
fn test_substring_false_positive_rm() {
let (config, keywords, overrides, allowlists) = get_evaluator_args();
let cmd = "farm -rf /";
let result = evaluate_command(cmd, &config, &keywords, &overrides, &allowlists);
assert!(
result.is_allowed(),
"farm -rf / should be allowed, but was blocked: {:?}",
result.pattern_info
);
}
#[test]
fn test_relative_path_bypass_git() {
let (config, keywords, overrides, allowlists) = get_evaluator_args();
let cmd = "./git reset --hard";
let result = evaluate_command(cmd, &config, &keywords, &overrides, &allowlists);
assert!(result.is_denied(), "./git reset --hard should be blocked");
}
#[test]
fn test_relative_path_bypass_rm() {
let (config, keywords, overrides, allowlists) = get_evaluator_args();
let cmd = "./rm -rf /";
let result = evaluate_command(cmd, &config, &keywords, &overrides, &allowlists);
assert!(result.is_denied(), "./rm -rf / should be blocked");
}
#[test]
fn test_custom_bin_path_bypass_git() {
let (config, keywords, overrides, allowlists) = get_evaluator_args();
let cmd = "/opt/custom/git reset --hard";
let result = evaluate_command(cmd, &config, &keywords, &overrides, &allowlists);
assert!(
result.is_denied(),
"/opt/custom/git reset --hard should be blocked"
);
}
#[test]
fn test_hyphenated_false_positive() {
let (config, keywords, overrides, allowlists) = get_evaluator_args();
let cmd = "my-git reset --hard";
let result = evaluate_command(cmd, &config, &keywords, &overrides, &allowlists);
assert!(
result.is_allowed(),
"my-git reset --hard should be allowed (fp), but was blocked: {:?}",
result.pattern_info
);
}
}