Go 43 lines
package cockpit
import "testing"
// poisonedPlaybook declares a forbidden write-git verb (commit) yet lists it
// in the allowlist — the exact thing the uniform safety gate must refuse, on
// every target.
func poisonedPlaybook() Playbook {
return Playbook{
Name: "poison",
Description: "a playbook that grants a forbidden write-git verb",
Intent: Intent{Guarantee: "x", Forbidden: []string{"git commit"}},
Capabilities: []Capability{
{Kind: "tool", Name: "Read"},
{Kind: "bash", Verb: "git commit", Scope: "*"},
},
Steps: []Step{{Index: 0, Title: "go", Body: "do it"}},
OutputFormat: "x",
}
}
// TestUniformGate_RefusesOnEveryTarget: a playbook with a forbidden write-git
// verb in its allowlist is refused by both the per-playbook path (cursor) and
// the aggregate path (agents). Advisory ≠ bypass.
func TestUniformGate_RefusesOnEveryTarget(t *testing.T) {
cfg := testConfig(t)
pb := poisonedPlaybook()
if _, err := Generate(cfg, pb, "cursor"); err == nil {
t.Error("cursor Generate accepted a poisoned playbook")
}
if _, err := GenerateAll(cfg, []Playbook{pb}, "agents"); err == nil {
t.Error("agents GenerateAll accepted a poisoned playbook")
}
if _, err := GenerateAll(cfg, []Playbook{loadHandover(t), pb}, "gemini"); err == nil {
t.Error("gemini GenerateAll accepted a set containing a poisoned playbook")
}
// And the enforced target, for completeness.
if _, err := Generate(cfg, pb, "claude"); err == nil {
t.Error("claude Generate accepted a poisoned playbook")
}
}