Merge pull request #2085 from Molecule-AI/test/compliance-default-2059

test(config): lock ComplianceConfig default to owasp_agentic (#2059)
2026-04-26 09:21:41 +00:00 · 2026-04-26 09:21:41 +00:00 · b232015eee
commit b232015eee
parent 966821b7d8 4a4a740804
1 changed files with 45 additions and 0 deletions
--- a/workspace/tests/test_config.py
+++ b/workspace/tests/test_config.py
@ -2,10 +2,12 @@

 import os

+import pytest
 import yaml

 from config import (
    A2AConfig,
+    ComplianceConfig,
    DelegationConfig,
    SandboxConfig,
    WorkspaceConfig,
@ -244,3 +246,46 @@ def test_shared_context_from_yaml(tmp_path):

    cfg = load_config(str(tmp_path))
    assert cfg.shared_context == ["guidelines.md", "architecture.md"]
+
+
+# ===== Compliance default lock (#2059) =====
+#
+# PR #2056 flipped ComplianceConfig.mode default from "" to "owasp_agentic"
+# so every shipped template gets prompt-injection detection + PII redaction
+# by default. These tests pin the new default at all four entry points so
+# a silent revert (or a refactor that reintroduces the old no-op default)
+# fails fast instead of shipping a workspace with compliance silently off.
+
+
+def test_compliance_dataclass_default():
+    """ComplianceConfig() — no args — must default to owasp_agentic + detect."""
+    cfg = ComplianceConfig()
+    assert cfg.mode == "owasp_agentic"
+    assert cfg.prompt_injection == "detect"
+
+
+@pytest.mark.parametrize(
+    "yaml_payload, expected_mode",
+    [
+        # No `compliance:` key at all — full default path.
+        ({}, "owasp_agentic"),
+        # Explicit empty block — exercises load_config's
+        # `.get("mode", "owasp_agentic")` default-fill at config.py:377.
+        # Common shape during template editing.
+        ({"compliance": {}}, "owasp_agentic"),
+        # Documented opt-out: explicit `mode: ""` disables compliance.
+        ({"compliance": {"mode": ""}}, ""),
+    ],
+    ids=["yaml_omits_block", "yaml_block_empty", "yaml_explicit_optout"],
+)
+def test_compliance_default_via_load_config(tmp_path, yaml_payload, expected_mode):
+    """load_config honors the owasp_agentic default at every yaml shape and
+    still respects explicit opt-out."""
+    config_yaml = tmp_path / "config.yaml"
+    config_yaml.write_text(yaml.dump(yaml_payload))
+
+    cfg = load_config(str(tmp_path))
+    assert cfg.compliance.mode == expected_mode
+    # prompt_injection was never overridden in any payload — must stay at
+    # the dataclass default regardless of the mode value.
+    assert cfg.compliance.prompt_injection == "detect"