feat(permissions): implement permission system with plan mode enforcement (M1 complete)

This commit implements the complete M1 milestone (Config & Permissions) including: - New permissions crate with Tool, Action, Mode, and PermissionManager - Three permission modes: Plan (read-only default), AcceptEdits, Code - Pattern matching for permission rules (exact match and prefix with *) - Integration with config-agent for mode-based permission management - CLI integration with --mode flag to override configured mode - Permission checks for Read, Glob, and Grep operations - Comprehensive test suite (10 tests in permissions, 4 in config, 4 in CLI) Also fixes: - Fixed failing test in tools-fs (glob pattern issue) - Improved glob_list() root extraction to handle patterns like "/*.txt" All 21 workspace tests passing. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-01 19:14:54 +01:00
parent baf833427a
commit a6cf8585ef
12 changed files with 493 additions and 24 deletions
--- a/crates/app/cli/tests/permissions.rs
+++ b/crates/app/cli/tests/permissions.rs
@@ -0,0 +1,56 @@
+use assert_cmd::Command;
+use std::fs;
+use tempfile::tempdir;
+
+#[test]
+fn plan_mode_allows_read_operations() {
+    // Create a temp file to read
+    let dir = tempdir().unwrap();
+    let file = dir.path().join("test.txt");
+    fs::write(&file, "hello world").unwrap();
+
+    // Read operation should work in plan mode (default)
+    let mut cmd = Command::new(assert_cmd::cargo::cargo_bin!("owlen"));
+    cmd.arg("read").arg(file.to_str().unwrap());
+    cmd.assert().success().stdout("hello world\n");
+}
+
+#[test]
+fn plan_mode_allows_glob_operations() {
+    let dir = tempdir().unwrap();
+    fs::write(dir.path().join("a.txt"), "test").unwrap();
+    fs::write(dir.path().join("b.txt"), "test").unwrap();
+
+    let pattern = format!("{}/*.txt", dir.path().display());
+
+    // Glob operation should work in plan mode (default)
+    let mut cmd = Command::new(assert_cmd::cargo::cargo_bin!("owlen"));
+    cmd.arg("glob").arg(&pattern);
+    cmd.assert().success();
+}
+
+#[test]
+fn plan_mode_allows_grep_operations() {
+    let dir = tempdir().unwrap();
+    fs::write(dir.path().join("test.txt"), "hello world\nfoo bar").unwrap();
+
+    // Grep operation should work in plan mode (default)
+    let mut cmd = Command::new(assert_cmd::cargo::cargo_bin!("owlen"));
+    cmd.arg("grep").arg(dir.path().to_str().unwrap()).arg("hello");
+    cmd.assert().success();
+}
+
+#[test]
+fn mode_override_via_cli_flag() {
+    let dir = tempdir().unwrap();
+    let file = dir.path().join("test.txt");
+    fs::write(&file, "content").unwrap();
+
+    // Test with --mode code (should also allow read)
+    let mut cmd = Command::new(assert_cmd::cargo::cargo_bin!("owlen"));
+    cmd.arg("--mode")
+        .arg("code")
+        .arg("read")
+        .arg(file.to_str().unwrap());
+    cmd.assert().success().stdout("content\n");
+}