fix(security): update tests for verdict and --force changes

2026-05-30 06:41:51 +00:00 · 2026-03-27 00:27:30 +03:00 · 2026-03-27 00:27:30 +03:00 · 789043b691
commit 789043b691
parent 0f8215f633
2 changed files with 11 additions and 11 deletions
--- a/tests/tools/test_skills_guard.py
+++ b/tests/tools/test_skills_guard.py
@ -84,13 +84,13 @@ class TestDetermineVerdict:
        f = Finding("x", "high", "network", "f.py", 1, "m", "d")
        assert _determine_verdict([f]) == "caution"

-    def test_medium_finding_caution(self):
+    def test_medium_finding_safe(self):
        f = Finding("x", "medium", "structural", "f.py", 1, "m", "d")
-        assert _determine_verdict([f]) == "caution"
+        assert _determine_verdict([f]) == "safe"

-    def test_low_finding_caution(self):
+    def test_low_finding_safe(self):
        f = Finding("x", "low", "obfuscation", "f.py", 1, "m", "d")
-        assert _determine_verdict([f]) == "caution"
+        assert _determine_verdict([f]) == "safe"


 # ---------------------------------------------------------------------------
@ -145,21 +145,21 @@ class TestShouldAllowInstall:
        allowed, _ = should_allow_install(self._result("community", "dangerous", f), force=False)
        assert allowed is False

-    def test_force_overrides_dangerous_for_community(self):
+    def test_force_does_not_override_dangerous_for_community(self):
        f = [Finding("x", "critical", "c", "f", 1, "m", "d")]
        allowed, reason = should_allow_install(
            self._result("community", "dangerous", f), force=True
        )
-        assert allowed is True
-        assert "Force-installed" in reason
+        assert allowed is False
+        assert "Blocked" in reason

-    def test_force_overrides_dangerous_for_trusted(self):
+    def test_force_does_not_override_dangerous_for_trusted(self):
        f = [Finding("x", "critical", "c", "f", 1, "m", "d")]
        allowed, reason = should_allow_install(
            self._result("trusted", "dangerous", f), force=True
        )
-        assert allowed is True
-        assert "Force-installed" in reason
+        assert allowed is False
+        assert "Blocked" in reason

    # -- agent-created policy --

--- a/tools/skills_guard.py
+++ b/tools/skills_guard.py
@ -661,7 +661,7 @@ def should_allow_install(result: ScanResult, force: bool = False) -> Tuple[bool,
    if decision == "allow":
        return True, f"Allowed ({result.trust_level} source, {result.verdict} verdict)"

-    if force and result.verdict != "dangerous":
+    if force and not (result.verdict == "dangerous" and result.trust_level in ("community", "trusted")):
        return True, (
            f"Force-installed despite {result.verdict} verdict "
            f"({len(result.findings)} findings)"