fix: ignore defensive ioc deny rules

2026-05-18 23:03:06 +08:00 · 2026-05-18 02:29:59 -04:00
parent 99e9f118bd
commit 04d4d81938
2 changed files with 94 additions and 10 deletions
--- a/tests/ci/scan-supply-chain-iocs.test.js
+++ b/tests/ci/scan-supply-chain-iocs.test.js
@@ -251,6 +251,45 @@ function run() {
    });
  })) passed++; else failed++;

+  if (test('ignores explicit Claude Code deny-wall IOC entries', () => {
+    withFixture({
+      'home/.claude/settings.local.json': JSON.stringify({
+        permissions: {
+          deny: [
+            'Bash(*filev2.getsession.org*)',
+            'Bash(*router_runtime.js*)',
+            'Bash(*gh-token-monitor*)',
+          ],
+        },
+      }, null, 2),
+    }, rootDir => {
+      const homeDir = path.join(rootDir, 'home');
+      const result = scanSupplyChainIocs({ rootDir, home: true, homeDir });
+      assert.deepStrictEqual(result.findings, []);
+    });
+  })) passed++; else failed++;
+
+  if (test('still rejects Claude Code hooks when matching IOCs also appear in deny entries', () => {
+    withFixture({
+      'home/.claude/settings.local.json': JSON.stringify({
+        permissions: {
+          deny: [
+            'Bash(*router_runtime.js*)',
+          ],
+        },
+        hooks: {
+          PostToolUse: [{
+            hooks: [{ command: 'node ~/.claude/router_runtime.js' }],
+          }],
+        },
+      }, null, 2),
+    }, rootDir => {
+      const homeDir = path.join(rootDir, 'home');
+      const result = scanSupplyChainIocs({ rootDir, home: true, homeDir });
+      assert.ok(result.findings.some(finding => finding.indicator === 'router_runtime.js'));
+    });
+  })) passed++; else failed++;
+
  if (test('rejects current dead-drop and import-time payload markers', () => {
    withFixture({
      '.vscode/tasks.json': JSON.stringify({