fix(gateway): scope /yolo to the active session

2026-04-28 01:21:43 +00:00 · 2026-04-10 16:55:51 +09:00 · 2026-04-10 16:55:51 +09:00 · 9a0dfb5a6d
commit 9a0dfb5a6d
parent 68528068ec
4 changed files with 185 additions and 10 deletions
--- a/tests/tools/test_yolo_mode.py
+++ b/tests/tools/test_yolo_mode.py
@ -10,6 +10,11 @@ from tools.approval import (
    check_all_command_guards,
    check_dangerous_command,
    detect_dangerous_command,
+    disable_session_yolo,
+    enable_session_yolo,
+    is_session_yolo_enabled,
+    reset_current_session_key,
+    set_current_session_key,
 )


@ -18,10 +23,14 @@ def _clear_approval_state():
    approval_module._permanent_approved.clear()
    approval_module.clear_session("default")
    approval_module.clear_session("test-session")
+    approval_module.clear_session("session-a")
+    approval_module.clear_session("session-b")
    yield
    approval_module._permanent_approved.clear()
    approval_module.clear_session("default")
    approval_module.clear_session("test-session")
+    approval_module.clear_session("session-a")
+    approval_module.clear_session("session-b")


 class TestYoloMode:
@ -108,3 +117,67 @@ class TestYoloMode:
        result = check_dangerous_command("rm -rf /", "local",
                                         approval_callback=lambda *a: "deny")
        assert not result["approved"]
+
+    def test_session_scoped_yolo_only_bypasses_current_session(self, monkeypatch):
+        """Gateway /yolo should only bypass approvals for the active session."""
+        monkeypatch.delenv("HERMES_YOLO_MODE", raising=False)
+        monkeypatch.setenv("HERMES_INTERACTIVE", "1")
+
+        enable_session_yolo("session-a")
+        assert is_session_yolo_enabled("session-a") is True
+        assert is_session_yolo_enabled("session-b") is False
+
+        token_a = set_current_session_key("session-a")
+        try:
+            approved = check_dangerous_command("rm -rf /", "local")
+            assert approved["approved"] is True
+        finally:
+            reset_current_session_key(token_a)
+
+        token_b = set_current_session_key("session-b")
+        try:
+            blocked = check_dangerous_command(
+                "rm -rf /",
+                "local",
+                approval_callback=lambda *a: "deny",
+            )
+            assert blocked["approved"] is False
+        finally:
+            reset_current_session_key(token_b)
+
+        disable_session_yolo("session-a")
+        assert is_session_yolo_enabled("session-a") is False
+
+    def test_session_scoped_yolo_bypasses_combined_guard_only_for_current_session(self, monkeypatch):
+        """Combined guard should honor session-scoped YOLO without affecting others."""
+        monkeypatch.delenv("HERMES_YOLO_MODE", raising=False)
+        monkeypatch.setenv("HERMES_INTERACTIVE", "1")
+
+        enable_session_yolo("session-a")
+
+        token_a = set_current_session_key("session-a")
+        try:
+            approved = check_all_command_guards("rm -rf /", "local")
+            assert approved["approved"] is True
+        finally:
+            reset_current_session_key(token_a)
+
+        token_b = set_current_session_key("session-b")
+        try:
+            blocked = check_all_command_guards(
+                "rm -rf /",
+                "local",
+                approval_callback=lambda *a: "deny",
+            )
+            assert blocked["approved"] is False
+        finally:
+            reset_current_session_key(token_b)
+
+    def test_clear_session_removes_session_yolo_state(self):
+        """Session cleanup must remove YOLO bypass state."""
+        enable_session_yolo("session-a")
+        assert is_session_yolo_enabled("session-a") is True
+
+        approval_module.clear_session("session-a")
+
+        assert is_session_yolo_enabled("session-a") is False