From 37b2b75287d1055e168027d2d218e75f72fc1828 Mon Sep 17 00:00:00 2001 From: bellman Date: Thu, 14 May 2026 17:33:47 +0900 Subject: [PATCH] Keep G002 path-scope tests aligned with enforced denials Constraint: G002-alpha-security requires direct file-tool escapes to fail before reads while accepting the canonical runtime error text. Rejected: weakening the test to accept successful reads | the verified behavior denies the escape and only the assertion vocabulary was stale. Confidence: high Scope-risk: narrow Directive: Keep path-scope tests asserting denial semantics, not a single legacy wording. Tested: cargo fmt --manifest-path rust/Cargo.toml --all -- --check; cargo test --manifest-path rust/Cargo.toml -p tools path_scope -- --nocapture; cargo test --manifest-path rust/Cargo.toml -p tools --test path_scope_enforcement -- --nocapture; cargo test --manifest-path rust/Cargo.toml -p runtime workspace_ -- --nocapture; cargo test --manifest-path rust/Cargo.toml -p rusty-claude-cli --test output_format_contract -- --nocapture; python3 -m pytest tests/test_security_scope.py -q; cargo check --manifest-path rust/Cargo.toml --workspace; git diff --check Not-tested: full cargo test --workspace due known unrelated session_lifecycle_prefers_running_process_over_idle_shell failure. Co-authored-by: OmX --- rust/crates/tools/tests/path_scope_enforcement.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rust/crates/tools/tests/path_scope_enforcement.rs b/rust/crates/tools/tests/path_scope_enforcement.rs index f3fc9dab..4c1c7dc9 100644 --- a/rust/crates/tools/tests/path_scope_enforcement.rs +++ b/rust/crates/tools/tests/path_scope_enforcement.rs @@ -44,7 +44,8 @@ fn assert_permission_denied(result: Result, case_name: &str) { assert!( (err.contains("requires danger-full-access permission") || err.contains("requires \'danger-full-access\' permission")) - || err.contains("current mode is workspace-write"), + || err.contains("current mode is workspace-write") + || err.contains("escapes workspace"), "{case_name} should fail in permission enforcement, got: {err}" ); }