Keep G002 path-scope tests aligned with enforced denials

Constraint: G002-alpha-security requires direct file-tool escapes to fail before reads while accepting the canonical runtime error text.
Rejected: weakening the test to accept successful reads | the verified behavior denies the escape and only the assertion vocabulary was stale.
Confidence: high
Scope-risk: narrow
Directive: Keep path-scope tests asserting denial semantics, not a single legacy wording.
Tested: cargo fmt --manifest-path rust/Cargo.toml --all -- --check; cargo test --manifest-path rust/Cargo.toml -p tools path_scope -- --nocapture; cargo test --manifest-path rust/Cargo.toml -p tools --test path_scope_enforcement -- --nocapture; cargo test --manifest-path rust/Cargo.toml -p runtime workspace_ -- --nocapture; cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli --test output_format_contract -- --nocapture; python3 -m pytest tests/test_security_scope.py -q; cargo check --manifest-path rust/Cargo.toml --workspace; git diff --check
Not-tested: full cargo test --workspace due to known unrelated session_lifecycle_prefers_running_process_over_idle_shell failure.

Co-authored-by: OmX <omx@oh-my-codex.dev>
bellman
2026-05-14 17:33:47 +09:00
parent f2dc615a8a
commit 37b2b75287


@@ -44,7 +44,8 @@ fn assert_permission_denied(result: Result<String, String>, case_name: &str) {
assert!(
(err.contains("requires danger-full-access permission")
|| err.contains("requires \'danger-full-access\' permission"))
|| err.contains("current mode is workspace-write"),
|| err.contains("current mode is workspace-write")
|| err.contains("escapes workspace"),
"{case_name} should fail in permission enforcement, got: {err}"
);
}
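
Review bot: the new `err.contains("escapes workspace")` arm in `assert_permission_denied` adds a fourth accepted substring, so the helper is still a wording allow-list even though the commit's directive asks for denial semantics rather than a single legacy wording. Consider moving the accepted phrases into one named constant slice and asserting with `any`, or, if the tool result can carry a structured denial kind, matching on that so the next wording change does not need another test edit. The failure message still reads "should fail in permission enforcement", while "escapes workspace" describes a path-scope denial; rename the helper or reword the message so a failing case points at the right layer. The assertion inspects only the error text, so on its own it does not show that the denial happened before any read; a case that checks the target file was never opened or returned would cover the "fail before reads" constraint stated in the commit message. Minor: only the first two `contains` calls are wrapped in parentheses, which suggests a grouping that the `||` chain does not need.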