From 789043b691ff1283a0d79fd7e1190a082ccfc04e Mon Sep 17 00:00:00 2001
From: sprmn24
Date: Fri, 27 Mar 2026 00:27:30 +0300
Subject: [PATCH] fix(security): update tests for verdict and --force changes
---
 tests/tools/test_skills_guard.py | 20 ++++++++++----------
 tools/skills_guard.py | 2 +-
 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/tests/tools/test_skills_guard.py b/tests/tools/test_skills_guard.py
index ccc55da205a..530d42aeb97 100644
--- a/tests/tools/test_skills_guard.py
+++ b/tests/tools/test_skills_guard.py
@@ -84,13 +84,13 @@ class TestDetermineVerdict:
 f = Finding("x", "high", "network", "f.py", 1, "m", "d")
 assert _determine_verdict([f]) == "caution"
- def test_medium_finding_caution(self):
+ def test_medium_finding_safe(self):
 f = Finding("x", "medium", "structural", "f.py", 1, "m", "d")
- assert _determine_verdict([f]) == "caution"
+ assert _determine_verdict([f]) == "safe"
- def test_low_finding_caution(self):
+ def test_low_finding_safe(self):
 f = Finding("x", "low", "obfuscation", "f.py", 1, "m", "d")
- assert _determine_verdict([f]) == "caution"
+ assert _determine_verdict([f]) == "safe"
 # ---------------------------------------------------------------------------
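Review bot: `test_medium_finding_safe` and `test_low_finding_safe` each pass a single finding, so nothing in this hunk pins what `_determine_verdict` returns when a medium or low finding sits next to a high one, or when several medium findings accumulate. Because "safe" is presumably also the verdict for a clean scan, a regression that lets low-severity entries mask a higher one would still pass. A mixed case such as `assert _determine_verdict([medium, high]) == "caution"` would close that gap, if it is not already covered outside the hunk. A one-line comment on each test saying why medium and low findings (the low one is in the `obfuscation` category) no longer raise the verdict would record the policy decision. The class body starts above the hunk.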
@@ -145,21 +145,21 @@ class TestShouldAllowInstall:
 allowed, _ = should_allow_install(self._result("community", "dangerous", f), force=False)
 assert allowed is False
- def test_force_overrides_dangerous_for_community(self):
+ def test_force_does_not_override_dangerous_for_community(self):
 f = [Finding("x", "critical", "c", "f", 1, "m", "d")]
 allowed, reason = should_allow_install(
 self._result("community", "dangerous", f), force=True
 )
- assert allowed is True
- assert "Force-installed" in reason
+ assert allowed is False
+ assert "Blocked" in reason
- def test_force_overrides_dangerous_for_trusted(self):
+ def test_force_does_not_override_dangerous_for_trusted(self):
 f = [Finding("x", "critical", "c", "f", 1, "m", "d")]
 allowed, reason = should_allow_install(
 self._result("trusted", "dangerous", f), force=True
 )
- assert allowed is True
- assert "Force-installed" in reason
+ assert allowed is False
+ assert "Blocked" in reason
 # -- agent-created policy --
diff --git a/tools/skills_guard.py b/tools/skills_guard.py
index 4eb275c4b3c..2375a8e09a7 100644
--- a/tools/skills_guard.py
+++ b/tools/skills_guard.py
@@ -661,7 +661,7 @@ def should_allow_install(result: ScanResult, force: bool = False) -> Tuple[bool,
 if decision == "allow":
 return True, f"Allowed ({result.trust_level} source, {result.verdict} verdict)"
- if force and result.verdict != "dangerous":
+ if force and not (result.verdict == "dangerous" and result.trust_level in ("community", "trusted")):
 return True, (
 f"Force-installed despite {result.verdict} verdict "
 f"({len(result.findings)} findings)"
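Review bot: The new condition on the `+` line of `should_allow_install` refuses `--force` on a dangerous verdict only when `trust_level` is `"community"` or `"trusted"`, so every other trust level, including an unexpected or misspelled value, now reaches the `Force-installed` branch, whereas the removed line refused dangerous for all levels. If some level is meant to stay forceable, name the levels that may be forced rather than those that may not, so an unknown value fails closed: `if force and (result.verdict != "dangerous" or result.trust_level in FORCEABLE_LEVELS):` (`FORCEABLE_LEVELS` is a placeholder for an explicit set). The renamed tests in tests/tools/test_skills_guard.py cover only community and trusted; a case with `force=True`, a dangerous verdict and another trust level (the agent-created section begins right after them) would pin the intended outcome. A comment above the condition stating which levels may bypass a dangerous verdict, and why, would document the policy. The function body starts above and continues below the hunk.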