fix: strip quotes from hostnames, add disclosure logging tests

Facundo Fernandez · Facundo Fernandez · commit 43288cda2363 · 2026-03-25T18:13:32.000-06:00
Address CodeRabbit review:
- getPresetEndpoints now strips surrounding quotes from YAML host
  values so disclosure log shows clean hostnames
- Add tests: disclosure logging fires with real presets, is suppressed
  for nonexistent presets, and quoted hostnames are stripped

Made-with: Cursor
diff --git a/bin/lib/policies.js b/bin/lib/policies.js
@@ -52,7 +52,7 @@ function getPresetEndpoints(content) {
   const regex = /host:\s*([^\s,}]+)/g;
   let match;
   while ((match = regex.exec(content)) !== null) {
-    hosts.push(match[1]);
+    hosts.push(match[1].replace(/^["']|["']$/g, ""));
   }
   return hosts;
 }
diff --git a/test/policies.test.js b/test/policies.test.js
@@ -2,7 +2,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 import assert from "node:assert/strict";
-import { describe, it, expect } from "vitest";
+import { describe, it, expect, vi } from "vitest";
 import path from "node:path";
 import policies from "../bin/lib/policies";
 
@@ -67,6 +67,45 @@ describe("policies", () => {
         expect(hosts.length > 0).toBeTruthy();
       }
     });
+
+    it("strips surrounding quotes from hostnames", () => {
+      const yaml = 'host: "example.com"\n  host: \'other.com\'';
+      const hosts = policies.getPresetEndpoints(yaml);
+      expect(hosts).toEqual(["example.com", "other.com"]);
+    });
+  });
+
+  describe("applyPreset disclosure logging", () => {
+    it("logs egress endpoints before applying", () => {
+      const logSpy = vi.spyOn(console, "log").mockImplementation(() => {});
+      const errSpy = vi.spyOn(console, "error").mockImplementation(() => {});
+      const exitSpy = vi.spyOn(process, "exit").mockImplementation(() => { throw new Error("exit"); });
+
+      try {
+        policies.applyPreset("test-sandbox", "npm");
+      } catch {}
+
+      const messages = logSpy.mock.calls.map((c) => c[0]);
+      expect(messages.some((m) => typeof m === "string" && m.includes("Widening sandbox egress"))).toBe(true);
+
+      logSpy.mockRestore();
+      errSpy.mockRestore();
+      exitSpy.mockRestore();
+    });
+
+    it("does not log when preset has no endpoints", () => {
+      const logSpy = vi.spyOn(console, "log").mockImplementation(() => {});
+      const errSpy = vi.spyOn(console, "error").mockImplementation(() => {});
+
+      // loadPreset returns null for nonexistent presets → early return
+      policies.applyPreset("test-sandbox", "nonexistent");
+
+      const messages = logSpy.mock.calls.map((c) => c[0]);
+      expect(messages.some((m) => typeof m === "string" && m.includes("Widening sandbox egress"))).toBe(false);
+
+      logSpy.mockRestore();
+      errSpy.mockRestore();
+    });
   });
 
   describe("buildPolicySetCommand", () => {

Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ function getPresetEndpoints(content) {`
`52`	`52`	`const regex = /host:\s*([^\s,}]+)/g;`
`53`	`53`	`let match;`
`54`	`54`	`while ((match = regex.exec(content)) !== null) {`
`55`		`- hosts.push(match[1]);`
	`55`	`+ hosts.push(match[1].replace(/^["']\|["']$/g, ""));`
`56`	`56`	`}`
`57`	`57`	`return hosts;`
`58`	`58`	`}`