test: accept PTY deny phrasing in Dockerfile.test shim assertion #232
Merged
The shim routes through the PTY code path (internal/cli/exec_pty.go), which emits `agentsh: command denied by policy (rule=...)`, while the non-PTY path in internal/cli/exec.go emits `blocked by policy`. The Dockerfile.test* variants only matched the non-PTY phrasing, so the shim+policy integration check has been failing in every release since the PTY path became the default for shim invocations (observed on v0.19.0-rc4 release run 24468579949, 45/46 passed, alpine variant). Widen the case pattern to accept either phrasing, update the accompanying comment to document both paths, and keep the rc != 0 guard that requires the denial to actually take effect. Applied identically to all six Dockerfile.test* variants.
Summary
- `shim + policy integration` case pattern in all six `Dockerfile.test*` variants to accept both `denied by policy` (PTY path, `internal/cli/exec_pty.go`) and `blocked by policy` (non-PTY path, `internal/cli/exec.go`).
- `rc != 0` guard so a regression that prints the denial but returns success still fails the test.

This unblocks the rc4 release test — the alpine job failed with the shim printing `command denied by policy` while the test looked for `blocked by policy`.

Test plan
- `grep` confirms the new case pattern)

🤖 Generated with Claude Code
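
The check described in this PR, sketched as an added example (not the project's `Dockerfile.test*` code): the denial must match either phrasing and the command must also exit non-zero. The `check_denied` function, the `fake_*` stubs, their exit codes and the `rule=example` value are constructed for illustration.

```shell
#!/bin/sh
# Added example; check_denied and the fake_* stubs are hypothetical names,
# not taken from the project's Dockerfile.test* files.

# check_denied CMD [ARGS...]
# Returns 0 only when the denial was reported AND actually enforced.
#   1 = neither denial phrasing appeared in the output
#   2 = denial phrasing appeared but the command exited 0 (policy not enforced)
check_denied() {
    rc=0
    # Capture stdout+stderr; the "|| rc=$?" form stays safe under `set -e`.
    out=$("$@" 2>&1) || rc=$?
    case "$out" in
        # PTY path phrasing | non-PTY path phrasing
        *"denied by policy"*|*"blocked by policy"*) ;;
        *) return 1 ;;
    esac
    # A message alone is not proof: the command must also have failed.
    [ "$rc" -ne 0 ] || return 2
    return 0
}

# Constructed stand-ins for the shim's possible behaviours.
fake_pty_deny() {      # PTY path: message on stderr, non-zero exit
    echo "agentsh: command denied by policy (rule=example)" >&2
    return 126
}
fake_nonpty_deny() {   # non-PTY path: other phrasing, non-zero exit
    echo "blocked by policy"
    return 1
}
fake_regression() {    # prints the denial but reports success
    echo "agentsh: command denied by policy (rule=example)"
    return 0
}
fake_unrelated() {     # fails for a reason unrelated to policy
    echo "sh: not found" >&2
    return 127
}

for stub in fake_pty_deny fake_nonpty_deny fake_regression fake_unrelated; do
    result=0
    check_denied "$stub" || result=$?
    echo "$stub -> $result"
done
```

The `fake_unrelated` case shows why the phrase match is kept alongside the exit-status guard: a non-zero exit alone would also pass when the shim is simply missing.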