Skip to content

chore(policy): hardening follow-ups from custom preset file support (#2039 / #2077) #2521

Closed
Enhancement
#3020
Closed
chore(policy): hardening follow-ups from custom preset file support (#2039 / #2077)#2521
Enhancement
#3020
Assignees
laitingsheng
Labels
area: cliCommand line interface, flags, terminal UX, or output
@jyaunches

Description

@jyaunches
jyaunches
opened on Apr 27, 2026

Context

Follow-up hardening items identified during review of #2077 (feat(policy): support custom preset files via --from-file / --from-dir), which implements the custom preset surface requested in #2039.

These were intentionally deferred from #2077 to keep scope focused on the core feature. None are blockers — all are defense-in-depth or developer-experience improvements.

Items

From PR review (suggestions)

  • File size guard in loadPresetFromFile — add a statSync(abs).size check with a reasonable limit (e.g. 1 MB) before readFileSync to avoid reading unexpectedly large files.
  • Temp file cleanup in tests — the writeTmp helper in test/policies.test.ts creates temp directories but never cleans them up. Add afterEach cleanup or vi.onTestFinished.
  • Dotfile filtering for --from-dirreaddirSync + .ya?ml filter picks up files like .hidden-preset.yaml. Add .filter(f => !f.startsWith('.')) to match typical directory-scan behavior.
  • Symlink check in loadPresetFromFileloadPresetFromFile uses fs.statSync which follows symlinks. Low blast radius since the user already has filesystem access, but worth noting for defense-in-depth (built-in loadPreset has path traversal protection).

From CodeRabbit review (deferred)

  • --dry-run merged-policy diff renderer — currently --dry-run prints endpoints that would be opened/removed. A real policy-diff renderer (structured YAML diff, colorization, tombstone handling on remove) should improve --dry-run for all policy-add and policy-remove paths, not just --from-file/--from-dir.
  • Non-hermetic NEMOCLAW_OPENSHELL_BIN env handling in tests — the delete process.env.NEMOCLAW_OPENSHELL_BIN idiom predates feat(policy): support custom preset files via --from-file / --from-dir (closes #2039) #2077 and affects multiple test call sites. Introduce a shared withEnv helper in a single chore(test) sweep.

References

Metadata

Metadata

Assignees

Labels

area: cliCommand line interface, flags, terminal UX, or output

Type

Enhancement

Fields

No fields configured for Enhancement.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions