feat: add defaultDenyRead mode for strict filesystem isolation (#24)

2026-02-01 15:11:40 -08:00
parent cef3576076
commit 7679fecf06
9 changed files with 430 additions and 11 deletions
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -111,6 +111,15 @@ func TestConfigValidate(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "empty allowRead path",
+			config: Config{
+				Filesystem: FilesystemConfig{
+					AllowRead: []string{""},
+				},
+			},
+			wantErr: true,
+		},
 		{
 			name: "empty denyRead path",
 			config: Config{
@@ -453,6 +462,50 @@ func TestMerge(t *testing.T) {
 		}
 	})

+	t.Run("merge defaultDenyRead and allowRead", func(t *testing.T) {
+		base := &Config{
+			Filesystem: FilesystemConfig{
+				DefaultDenyRead: true,
+				AllowRead:       []string{"/home/user/project"},
+			},
+		}
+		override := &Config{
+			Filesystem: FilesystemConfig{
+				AllowRead: []string{"/home/user/other"},
+			},
+		}
+		result := Merge(base, override)
+
+		if !result.Filesystem.DefaultDenyRead {
+			t.Error("expected DefaultDenyRead to be true (from base)")
+		}
+		if len(result.Filesystem.AllowRead) != 2 {
+			t.Errorf("expected 2 allowRead paths, got %d: %v", len(result.Filesystem.AllowRead), result.Filesystem.AllowRead)
+		}
+	})
+
+	t.Run("merge defaultDenyRead from override", func(t *testing.T) {
+		base := &Config{
+			Filesystem: FilesystemConfig{
+				DefaultDenyRead: false,
+			},
+		}
+		override := &Config{
+			Filesystem: FilesystemConfig{
+				DefaultDenyRead: true,
+				AllowRead:       []string{"/home/user/project"},
+			},
+		}
+		result := Merge(base, override)
+
+		if !result.Filesystem.DefaultDenyRead {
+			t.Error("expected DefaultDenyRead to be true (from override)")
+		}
+		if len(result.Filesystem.AllowRead) != 1 {
+			t.Errorf("expected 1 allowRead path, got %d", len(result.Filesystem.AllowRead))
+		}
+	})
+
 	t.Run("override ports", func(t *testing.T) {
 		base := &Config{
 			Network: NetworkConfig{