@@ -2119,204 +2119,6 @@ func TestGenerateJobName(t *testing.T) {
21192119 }
21202120}
21212121
2122- func TestNetworkPermissionsDefaultBehavior (t * testing.T ) {
2123- compiler := NewCompiler (false , "" , "test" )
2124-
2125- tmpDir := testutil .TempDir (t , "test-*" )
2126-
2127- t .Run ("no network field defaults to full access" , func (t * testing.T ) {
2128- testContent := `---
2129- on: push
2130- engine: claude
2131- strict: false
2132- ---
2133-
2134- # Test Workflow
2135-
2136- This is a test workflow without network permissions.
2137- `
2138- testFile := filepath .Join (tmpDir , "no-network-workflow.md" )
2139- if err := os .WriteFile (testFile , []byte (testContent ), 0644 ); err != nil {
2140- t .Fatal (err )
2141- }
2142-
2143- // Compile the workflow
2144- err := compiler .CompileWorkflow (testFile )
2145- if err != nil {
2146- t .Fatalf ("Unexpected compilation error: %v" , err )
2147- }
2148-
2149- // Read the compiled output
2150- lockFile := filepath .Join (tmpDir , "no-network-workflow.lock.yml" )
2151- lockContent , err := os .ReadFile (lockFile )
2152- if err != nil {
2153- t .Fatalf ("Failed to read lock file: %v" , err )
2154- }
2155-
2156- // Should contain network hook setup (defaults to allow-list)
2157- if ! strings .Contains (string (lockContent ), "Generate Network Permissions Hook" ) {
2158- t .Error ("Should contain network hook setup when no network field specified (defaults to allow-list)" )
2159- }
2160- })
2161-
2162- t .Run ("network: defaults should enforce allow-list restrictions" , func (t * testing.T ) {
2163- testContent := `---
2164- on: push
2165- engine: claude
2166- strict: false
2167- network: defaults
2168- ---
2169-
2170- # Test Workflow
2171-
2172- This is a test workflow with explicit defaults network permissions.
2173- `
2174- testFile := filepath .Join (tmpDir , "defaults-network-workflow.md" )
2175- if err := os .WriteFile (testFile , []byte (testContent ), 0644 ); err != nil {
2176- t .Fatal (err )
2177- }
2178-
2179- // Compile the workflow
2180- err := compiler .CompileWorkflow (testFile )
2181- if err != nil {
2182- t .Fatalf ("Unexpected compilation error: %v" , err )
2183- }
2184-
2185- // Read the compiled output
2186- lockFile := filepath .Join (tmpDir , "defaults-network-workflow.lock.yml" )
2187- lockContent , err := os .ReadFile (lockFile )
2188- if err != nil {
2189- t .Fatalf ("Failed to read lock file: %v" , err )
2190- }
2191-
2192- // Should contain network hook setup (defaults mode uses allow-list)
2193- if ! strings .Contains (string (lockContent ), "Generate Network Permissions Hook" ) {
2194- t .Error ("Should contain network hook setup for network: defaults (uses allow-list)" )
2195- }
2196- })
2197-
2198- t .Run ("network: {} should enforce deny-all" , func (t * testing.T ) {
2199- testContent := `---
2200- on: push
2201- engine: claude
2202- strict: false
2203- network: {}
2204- ---
2205-
2206- # Test Workflow
2207-
2208- This is a test workflow with empty network permissions (deny all).
2209- `
2210- testFile := filepath .Join (tmpDir , "deny-all-workflow.md" )
2211- if err := os .WriteFile (testFile , []byte (testContent ), 0644 ); err != nil {
2212- t .Fatal (err )
2213- }
2214-
2215- // Compile the workflow
2216- err := compiler .CompileWorkflow (testFile )
2217- if err != nil {
2218- t .Fatalf ("Unexpected compilation error: %v" , err )
2219- }
2220-
2221- // Read the compiled output
2222- lockFile := filepath .Join (tmpDir , "deny-all-workflow.lock.yml" )
2223- lockContent , err := os .ReadFile (lockFile )
2224- if err != nil {
2225- t .Fatalf ("Failed to read lock file: %v" , err )
2226- }
2227-
2228- // Should contain network hook setup (deny-all enforcement)
2229- if ! strings .Contains (string (lockContent ), "Generate Network Permissions Hook" ) {
2230- t .Error ("Should contain network hook setup for network: {}" )
2231- }
2232- // Should have empty ALLOWED_DOMAINS array for deny-all
2233- if ! strings .Contains (string (lockContent ), "json.loads('''[]''')" ) {
2234- t .Error ("Should have empty ALLOWED_DOMAINS array for deny-all policy" )
2235- }
2236- })
2237-
2238- t .Run ("network with allowed domains should enforce restrictions" , func (t * testing.T ) {
2239- testContent := `---
2240- on: push
2241- strict: false
2242- engine:
2243- id: claude
2244- network:
2245- allowed: ["example.com", "api.github.com"]
2246- ---
2247-
2248- # Test Workflow
2249-
2250- This is a test workflow with explicit network permissions.
2251- `
2252- testFile := filepath .Join (tmpDir , "allowed-domains-workflow.md" )
2253- if err := os .WriteFile (testFile , []byte (testContent ), 0644 ); err != nil {
2254- t .Fatal (err )
2255- }
2256-
2257- // Compile the workflow
2258- err := compiler .CompileWorkflow (testFile )
2259- if err != nil {
2260- t .Fatalf ("Unexpected compilation error: %v" , err )
2261- }
2262-
2263- // Read the compiled output
2264- lockFile := filepath .Join (tmpDir , "allowed-domains-workflow.lock.yml" )
2265- lockContent , err := os .ReadFile (lockFile )
2266- if err != nil {
2267- t .Fatalf ("Failed to read lock file: %v" , err )
2268- }
2269-
2270- // Should contain network hook setup with specified domains
2271- if ! strings .Contains (string (lockContent ), "Generate Network Permissions Hook" ) {
2272- t .Error ("Should contain network hook setup with explicit network permissions" )
2273- }
2274- if ! strings .Contains (string (lockContent ), `"example.com"` ) {
2275- t .Error ("Should contain example.com in allowed domains" )
2276- }
2277- if ! strings .Contains (string (lockContent ), `"api.github.com"` ) {
2278- t .Error ("Should contain api.github.com in allowed domains" )
2279- }
2280- })
2281-
2282- t .Run ("network permissions with non-claude engine should be ignored" , func (t * testing.T ) {
2283- testContent := `---
2284- on: push
2285- engine: codex
2286- strict: false
2287- network:
2288- allowed: ["example.com"]
2289- ---
2290-
2291- # Test Workflow
2292-
2293- This is a test workflow with network permissions and codex engine.
2294- `
2295- testFile := filepath .Join (tmpDir , "codex-network-workflow.md" )
2296- if err := os .WriteFile (testFile , []byte (testContent ), 0644 ); err != nil {
2297- t .Fatal (err )
2298- }
2299-
2300- // Compile the workflow
2301- err := compiler .CompileWorkflow (testFile )
2302- if err != nil {
2303- t .Fatalf ("Unexpected compilation error: %v" , err )
2304- }
2305-
2306- // Read the compiled output
2307- lockFile := filepath .Join (tmpDir , "codex-network-workflow.lock.yml" )
2308- lockContent , err := os .ReadFile (lockFile )
2309- if err != nil {
2310- t .Fatalf ("Failed to read lock file: %v" , err )
2311- }
2312-
2313- // Should not contain claude-specific network hook setup
2314- if strings .Contains (string (lockContent ), "Generate Network Permissions Hook" ) {
2315- t .Error ("Should not contain network hook setup for non-claude engines" )
2316- }
2317- })
2318- }
2319-
23202122func TestMCPImageField (t * testing.T ) {
23212123 // Create temporary directory for test files
23222124 tmpDir := testutil .TempDir (t , "mcp-container-test" )