Files
wehub-resource-sync bf9395e022
CI / license-header (push) Has been skipped
CI / e2e-dry-run (push) Has been skipped
CI / fast-gate (push) Failing after 0s
Test PR Label Logic / test-pr-labels (push) Failing after 1s
Skill Format Check / check-format (push) Failing after 2s
CI / security (push) Failing after 5s
CI / unit-test (push) Has been skipped
CI / lint (push) Has been skipped
CI / script-test (push) Has been skipped
CI / deterministic-gate (push) Has been skipped
CI / coverage (push) Has been skipped
CI / results (push) Has been cancelled
CI / deadcode (push) Has been cancelled
CI / e2e-live (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:22:54 +08:00

30 lines
1.1 KiB
Go

// Copyright (c) 2026 Lark Technologies Pte. Ltd.
// SPDX-License-Identifier: MIT
package cmdpolicy
// diagnosticPaths lists command paths that are unconditionally allowed,
// regardless of any user-layer Rule. Entries must satisfy two properties:
//
// 1. Read-only. The command performs no I/O outside the local process
// and never mutates remote state.
// 2. Self-reflective. Denying the command would produce a UX dead-end
// where the operator can no longer inspect / validate the policy
// that is locking them out.
//
// Today this is `config policy show` and `config plugins show` --
// both purely local introspection over the resolved policy. Keep the
// list small and audited: every entry is a permanent hole in the
// fail-closed boundary.
var diagnosticPaths = map[string]bool{
"config/policy/show": true,
"config/plugins/show": true,
}
// IsDiagnosticPath reports whether the given canonical command path is
// exempt from user-layer pruning. Exported for test packages; callers
// inside this package use the unexported helper.
func IsDiagnosticPath(path string) bool {
return diagnosticPaths[path]
}