fix(policy): reject unsupported tools policy stubs

2026-06-06 05:51:15 +08:00 · 2026-06-02 13:11:06 -07:00
parent 1ca7aa6330
commit 3ab4ff1d8f
2 changed files with 10 additions and 22 deletions
--- a/extensions/policy/src/doctor/register.test.ts
+++ b/extensions/policy/src/doctor/register.test.ts
@@ -1005,6 +1005,16 @@ describe("registerPolicyDoctorChecks", () => {
        policy: { tools: { execPolicy: { allowHosts: ["sandbox"] } } },
        target: "oc://policy.jsonc/tools/execPolicy",
      },
+      {
+        label: "tools settings",
+        policy: { tools: { settings: {} } },
+        target: "oc://policy.jsonc/tools/settings",
+      },
+      {
+        label: "tools entries",
+        policy: { tools: { entries: [] } },
+        target: "oc://policy.jsonc/tools/entries",
+      },
      {
        label: "tools profile",
        policy: { tools: { profiles: { deny: ["full"] } } },
--- a/extensions/policy/src/doctor/register.ts
+++ b/extensions/policy/src/doctor/register.ts
@@ -1667,26 +1667,6 @@ export function policyContainerShapeFindings(
    ];
  }
  if (isRecord(policy.tools)) {
-    if (policy.tools.settings !== undefined && !isRecord(policy.tools.settings)) {
-      return [
-        policyShapeFinding(
-          policyPath,
-          `oc://${policyDocName}/tools/settings`,
-          `${policyPath} tools.settings must be an object.`,
-          `Fix ${policyPath} so tools.settings is an object.`,
-        ),
-      ];
-    }
-    if (policy.tools.entries !== undefined && !Array.isArray(policy.tools.entries)) {
-      return [
-        policyShapeFinding(
-          policyPath,
-          `oc://${policyDocName}/tools/entries`,
-          `${policyPath} tools.entries must be an array.`,
-          `Fix ${policyPath} so tools.entries is an array.`,
-        ),
-      ];
-    }
    const postureFinding = toolPosturePolicyShapeFinding(policy.tools, {
      policyDocName,
      policyPath,
@@ -2568,12 +2548,10 @@ function toolPosturePolicyShapeFinding(
    "alsoAllow",
    "denyTools",
    "elevated",
-    "entries",
    "exec",
    "fs",
    "profiles",
    "requireMetadata",
-    "settings",
  ];
  const unsupportedTopLevel = unsupportedPolicyKey(tools, allowedTopLevel);
  if (unsupportedTopLevel !== undefined) {