a4e667de10
Single-commit clean baseline after security scrub of niche-tells, project codenames, internal jargon, and contributor-email leaks. Contents: - 100 Rust crates (_primitives/_rust/) - 37 agent manifests (_manifests/) + generated specs (_generated/) - 67 user-invocable skills (skills/) - 33 hooks (hooks/) - Composition blocks (_blocks/) - Documentation (docs/, README.md) - TS adapter packages (_ts_packages/) - Assembler (_assembler/) - Roles (_roles/) - Templates (_templates/) - Forgejo CI (.forgejo/) Author: Denis Parfionovich <info@greendragon.info> License: see LICENSE.
66 lines
2.6 KiB
Bash
Executable file
66 lines
2.6 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
# hook_wiring_integration.sh — phase-4 smoke test for Agent Substrate v1.
|
|
#
|
|
# Asserts the three contract behaviours of hooks/agent-capability-check.sh:
|
|
# 1. KEI_CAPABILITY_NAME unset → exit 0 (pass-through)
|
|
# 2. Bash "git push" + policy::no-git-ops → exit 2 (deny)
|
|
# 3. Bash "cargo check" + policy::no-git-ops → exit 0 (allow)
|
|
#
|
|
# Build step: `cargo build --release -p kei-capability` from _primitives/_rust.
|
|
# PATH is shimmed to include the freshly-built binary; no sudo, no install.
|
|
#
|
|
# Exit 0 = all 3 assertions pass
|
|
# Exit 1 = any assertion failed — stderr names the offending case
|
|
|
|
set -euo pipefail
|
|
|
|
ROOT="$(cd "$(dirname "$0")/.." && pwd)"
|
|
HOOK="$ROOT/hooks/agent-capability-check.sh"
|
|
|
|
fail() { echo "HOOK-WIRING FAIL: $*" >&2; exit 1; }
|
|
|
|
[ -x "$HOOK" ] || chmod +x "$HOOK" 2>/dev/null || fail "hook script not executable: $HOOK"
|
|
|
|
echo "==> Building kei-capability release binary…"
|
|
cd "$ROOT/_primitives/_rust"
|
|
cargo build --release -p kei-capability >/dev/null 2>&1 \
|
|
|| fail "cargo build -p kei-capability failed"
|
|
BIN_DIR="$(pwd)/target/release"
|
|
cd "$ROOT"
|
|
|
|
[ -x "$BIN_DIR/kei-capability" ] || fail "kei-capability binary missing at $BIN_DIR"
|
|
|
|
export PATH="$BIN_DIR:$PATH"
|
|
|
|
# ---- Assertion 1: pass-through when KEI_CAPABILITY_NAME unset -----------
|
|
echo "==> Assertion 1: env unset → pass-through (exit 0)…"
|
|
set +e
|
|
( unset KEI_CAPABILITY_NAME
|
|
echo '{"tool_name":"Bash","tool_input":{"command":"git push"}}' | "$HOOK" >/dev/null 2>&1
|
|
) ; RC=$?
|
|
set -e
|
|
[ "$RC" -eq 0 ] || fail "unset env must pass-through, got exit $RC"
|
|
|
|
# ---- Assertion 2: deny git push under policy::no-git-ops ----------------
|
|
echo "==> Assertion 2: Bash 'git push' under policy::no-git-ops → deny (exit 2)…"
|
|
set +e
|
|
OUT=$(KEI_CAPABILITY_NAME=policy::no-git-ops \
|
|
echo '{"tool_name":"Bash","tool_input":{"command":"git push"}}' \
|
|
| KEI_CAPABILITY_NAME=policy::no-git-ops "$HOOK" 2>&1)
|
|
RC=$?
|
|
set -e
|
|
[ "$RC" -eq 2 ] || fail "expected exit 2 on git-op deny, got $RC (output: $OUT)"
|
|
echo "$OUT" | grep -q "policy::no-git-ops\|RULE 0.13\|git operation blocked" \
|
|
|| fail "deny output missing expected marker (output: $OUT)"
|
|
|
|
# ---- Assertion 3: allow cargo check under policy::no-git-ops -----------
|
|
echo "==> Assertion 3: Bash 'cargo check' under policy::no-git-ops → allow (exit 0)…"
|
|
set +e
|
|
OUT=$(echo '{"tool_name":"Bash","tool_input":{"command":"cargo check"}}' \
|
|
| KEI_CAPABILITY_NAME=policy::no-git-ops "$HOOK" 2>&1)
|
|
RC=$?
|
|
set -e
|
|
[ "$RC" -eq 0 ] || fail "cargo check must be allowed by policy::no-git-ops, got exit $RC (output: $OUT)"
|
|
|
|
echo ""
|
|
echo "✓ HOOK-WIRING PASS — 3/3 assertions (pass-through / deny / allow)"
|