
refactor(policy): use most-specific-pattern-wins evaluation model #3282

Open
laststylebender14 wants to merge 11 commits into main from fix/policy-most-specific-wins

@laststylebender14 commented May 7, 2026

fixes: #3085

@github-actions (bot) added the label "type: refactor" (Code refactoring and restructuring.) May 7, 2026
@laststylebender14 marked this pull request as ready for review May 7, 2026 08:31
@amitksingh1490 previously approved these changes May 12, 2026
/// Returns the max specificity across child rules.
pub fn specificity(&self) -> usize {
match self {
Policy::Simple { permission: _, rule } => rule.specificity(),
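
Review bot: `specificity(&self)` takes no operation argument, so the composite score that the doc comment describes as "the max specificity across child rules" cannot exclude children that do not match the operation being evaluated. Consider passing the operation in, or having evaluation return the specificity of the child that actually matched, so that only matching rules contribute to the comparison. In the `Policy::Simple` arm, `permission: _` can be written as `..`.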

what is Simple?

@amitksingh1490 dismissed their stale review May 12, 2026 16:15

need some changes

@amitksingh1490

this test will fail

```rust
#[test]
fn test_policy_engine_composite_specificity_ignores_non_matching_child() {
    // Composite allow policy: the first child (`*.rs`) matches `test.rs`;
    // the second child is a longer pattern that does not match it.
    let fixture_workflow = PolicyConfig::new()
        .add_policy(Policy::Any {
            any: vec![
                Policy::Simple {
                    permission: Permission::Allow,
                    rule: Rule::Write(WriteRule { write: "*.rs".to_string(), dir: None }),
                },
                Policy::Simple {
                    permission: Permission::Allow,
                    rule: Rule::Write(WriteRule {
                        write: "very/specific/path/that/does/not/match/*.rs".to_string(),
                        dir: None,
                    }),
                },
            ],
        })
        // Exact-path deny rule for the file being written.
        .add_policy(Policy::Simple {
            permission: Permission::Deny,
            rule: Rule::Write(WriteRule { write: "test.rs".to_string(), dir: None }),
        });
    let fixture = PolicyEngine::new(&fixture_workflow);
    let operation = PermissionOperation::Write {
        path: std::path::PathBuf::from("test.rs"),
        cwd: std::path::PathBuf::from("/test/cwd"),
        message: "Create/overwrite file: test.rs".to_string(),
    };

    let actual = fixture.can_perform(&operation);
    let expected = Permission::Deny;

    assert_eq!(actual, expected);
}
```
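
The case this test describes, as an added Rust sketch that is not the project's code: when an `Any` policy is scored by the maximum specificity over all of its children, a child that does not match the operation can outrank the exact `test.rs` deny, while scoring only the children that match yields `Deny`. The stand-in `Policy`/`Permission` types, the `glob` matcher, the `matching_only` switch and the character-count specificity metric are assumptions made for illustration; tie-breaking between equal scores is not modelled.

```rust
// Added illustration with simplified stand-in types; not the project's engine or matcher.
#[derive(Clone, Copy, Debug, PartialEq)]
enum Permission { Allow, Deny }
enum Policy { Simple { permission: Permission, pattern: &'static str }, Any(Vec<Policy>) }

// Assumed metric: the number of non-wildcard characters in the pattern.
fn specificity(pattern: &str) -> usize { pattern.chars().filter(|c| *c != '*').count() }

// Minimal glob: `*` matches any run of bytes, every other byte is literal.
fn glob(p: &[u8], s: &[u8]) -> bool {
    match p.split_first() {
        None => s.is_empty(),
        Some((&b'*', rest)) => (0..=s.len()).any(|i| glob(rest, &s[i..])),
        Some((c, rest)) => s.first() == Some(c) && glob(rest, &s[1..]),
    }
}

// Operation-independent score: max over every child, whether it matches or not.
fn static_spec(p: &Policy) -> usize {
    match p {
        Policy::Simple { pattern, .. } => specificity(pattern),
        Policy::Any(children) => children.iter().map(static_spec).max().unwrap_or(0),
    }
}
// Returns (score, permission) when `p` matches `path`, otherwise None.
fn eval(p: &Policy, path: &str, matching_only: bool) -> Option<(usize, Permission)> {
    match p {
        Policy::Simple { permission, pattern } => glob(pattern.as_bytes(), path.as_bytes())
            .then(|| (specificity(pattern), *permission)),
        Policy::Any(children) => {
            let hits = children.iter().filter_map(|c| eval(c, path, matching_only));
            let best = hits.max_by_key(|hit| hit.0)?; // None: no child matched
            Some((if matching_only { best.0 } else { static_spec(p) }, best.1))
        }
    }
}
// Most-specific-wins: the matching policy with the highest score decides.
fn can_perform(policies: &[Policy], path: &str, matching_only: bool) -> Option<Permission> {
    let hits = policies.iter().filter_map(|p| eval(p, path, matching_only));
    hits.max_by_key(|hit| hit.0).map(|hit| hit.1)
}
// Constructed fixture mirroring the policies in the test above.
fn fixture() -> Vec<Policy> {
    let allow = |pattern: &'static str| Policy::Simple { permission: Permission::Allow, pattern };
    let any = Policy::Any(vec![allow("*.rs"), allow("very/specific/path/that/does/not/match/*.rs")]);
    vec![any, Policy::Simple { permission: Permission::Deny, pattern: "test.rs" }]
}
fn main() {
    for m in [false, true] { println!("matching_only={}: {:?}", m, can_perform(&fixture(), "test.rs", m)); }
}
```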


Development

Successfully merging this pull request may close these issues.

[Bug]: Tool Permission Allow-Deny Pattern is Contradictory
