71 lines
2.8 KiB
Python
71 lines
2.8 KiB
Python
# #region Test.AgentChat.ConfirmationV2 [C:3] [TYPE Module] [SEMANTICS test,agent-chat,confirmation,guardrails]
|
|
# @BRIEF Contract tests for build_confirmation_contract_v2 and permission_denied payloads.
|
|
# @RELATION BINDS_TO -> [AgentChat.Confirmation.GuardV2]
|
|
# @RELATION BINDS_TO -> [AgentChat.Confirmation.PermissionDenied]
|
|
# @TEST_EDGE: deploy_prod -> guarded write with prod env_context.
|
|
# @TEST_EDGE: delete_any -> dangerous operation.
|
|
# @TEST_EDGE: analyst_deploy -> permission_denied SSE metadata.
|
|
|
|
import json
|
|
|
|
from src.agent._confirmation import build_confirmation_contract_v2, permission_denied_payload
|
|
|
|
|
|
# #region test_deploy_prod_guarded [C:2] [TYPE Function]
|
|
# @BRIEF deploy_dashboard targeting prod resolves guarded write + env_context prod.
|
|
def test_deploy_prod_guarded():
|
|
contract = build_confirmation_contract_v2(
|
|
"deploy_dashboard",
|
|
{"env_id": "prod-eu"},
|
|
user_role="admin",
|
|
target_env="staging",
|
|
)
|
|
|
|
assert contract["risk"] == "write"
|
|
assert contract["risk_level"] == "guarded"
|
|
assert contract["env_context"] == "prod"
|
|
assert contract["permission_granted"] is True
|
|
# #endregion test_deploy_prod_guarded
|
|
|
|
|
|
# #region test_delete_any_is_dangerous [C:2] [TYPE Function]
|
|
# @BRIEF delete-prefixed operations are classified as dangerous.
|
|
def test_delete_any_is_dangerous():
|
|
contract = build_confirmation_contract_v2("delete_dashboard", {}, user_role="admin")
|
|
|
|
assert contract["risk"] == "write"
|
|
assert contract["risk_level"] == "dangerous"
|
|
assert contract["dangerous"] is True
|
|
# #endregion test_delete_any_is_dangerous
|
|
|
|
|
|
# #region test_read_only_safe [C:2] [TYPE Function]
|
|
# @BRIEF search_dashboards remains safe read.
|
|
def test_read_only_safe():
|
|
contract = build_confirmation_contract_v2("search_dashboards", {}, user_role="analyst")
|
|
|
|
assert contract["risk"] == "read"
|
|
assert contract["risk_level"] == "safe"
|
|
assert contract["permission_granted"] is True
|
|
# #endregion test_read_only_safe
|
|
|
|
|
|
# #region test_analyst_deploy_permission_denied_payload [C:2] [TYPE Function]
|
|
# @BRIEF Analyst deploy produces permission_denied metadata, not confirm_required metadata.
|
|
def test_analyst_deploy_permission_denied_payload():
|
|
contract = build_confirmation_contract_v2("deploy_dashboard", {}, user_role="analyst")
|
|
payload = json.loads(permission_denied_payload(
|
|
"deploy_dashboard",
|
|
required_role=contract["required_role"],
|
|
user_role="analyst",
|
|
alternatives=contract["alternatives"],
|
|
))
|
|
|
|
assert contract["permission_granted"] is False
|
|
assert payload["metadata"]["type"] == "permission_denied"
|
|
assert payload["metadata"]["required_role"] == "admin"
|
|
assert payload["metadata"]["user_role"] == "analyst"
|
|
# #endregion test_analyst_deploy_permission_denied_payload
|
|
|
|
# #endregion Test.AgentChat.ConfirmationV2
|