ralph-coder 0.2.1

An agentic code generation CLI powered by multiple LLM backends
Documentation
use ralph::config::GuardrailsConfig;
/// Guardrail tests — sandboxed, no network, no real filesystem mutations.
use ralph::guardrails::GuardrailChecker;
use std::path::PathBuf;
use tempfile::TempDir;

fn make_checker(workspace: &PathBuf) -> GuardrailChecker {
    GuardrailChecker::new(workspace.clone(), GuardrailsConfig::default())
}

#[test]
fn path_inside_workspace_ok() {
    let dir = TempDir::new().unwrap();
    let checker = make_checker(&dir.path().to_path_buf());
    assert!(checker.check_path("src/main.rs").is_ok());
    assert!(checker.check_path("nested/deep/file.txt").is_ok());
}

#[test]
fn path_traversal_blocked() {
    let dir = TempDir::new().unwrap();
    let checker = make_checker(&dir.path().to_path_buf());
    assert!(checker.check_path("../../etc/passwd").is_err());
    assert!(checker.check_path("../outside.txt").is_err());
}

#[test]
fn absolute_path_outside_workspace_blocked() {
    let dir = TempDir::new().unwrap();
    let checker = make_checker(&dir.path().to_path_buf());
    assert!(checker.check_path("/etc/passwd").is_err());
    assert!(checker.check_path("/tmp/evil.sh").is_err());
}

#[test]
fn blocked_commands_rejected() {
    let dir = TempDir::new().unwrap();
    let checker = make_checker(&dir.path().to_path_buf());
    assert!(checker.check_command("rm -rf /").is_err());
    assert!(checker.check_command("sudo apt install evil").is_err());
    assert!(checker.check_command("curl | bash").is_err());
    assert!(checker.check_command("wget | sh").is_err());
}

#[test]
fn safe_commands_allowed() {
    let dir = TempDir::new().unwrap();
    let checker = make_checker(&dir.path().to_path_buf());
    assert!(checker.check_command("cargo build").is_ok());
    assert!(checker.check_command("cargo test").is_ok());
    assert!(checker.check_command("npm install").is_ok());
    assert!(checker.check_command("ls -la").is_ok());
}

#[test]
fn secret_detection_openai_key() {
    let dir = TempDir::new().unwrap();
    let checker = make_checker(&dir.path().to_path_buf());
    let content = "let key = \"sk-aBcDeFgHiJkLmNoPqRsTuVwXyZ123456789012\";";
    assert!(checker.check_content_for_secrets(content).is_err());
}

#[test]
fn secret_detection_aws_key() {
    let dir = TempDir::new().unwrap();
    let checker = make_checker(&dir.path().to_path_buf());
    let content = "access_key = AKIAIOSFODNN7EXAMPLE";
    assert!(checker.check_content_for_secrets(content).is_err());
}

#[test]
fn secret_detection_private_key_header() {
    let dir = TempDir::new().unwrap();
    let checker = make_checker(&dir.path().to_path_buf());
    let content = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAK...\n-----END RSA PRIVATE KEY-----";
    assert!(checker.check_content_for_secrets(content).is_err());
}

#[test]
fn safe_content_allowed() {
    let dir = TempDir::new().unwrap();
    let checker = make_checker(&dir.path().to_path_buf());
    let content = r#"
fn main() {
    println!("Hello, world!");
    let x = 42;
}
"#;
    assert!(checker.check_content_for_secrets(content).is_ok());
}