
Add config.toml policy_file directive #62

Draft
merphx wants to merge 8 commits into strongdm:main from merphx:feat/config-policy-file


merphx commented Feb 22, 2026

Warning

DRAFT PR—DO NOT MERGE

Blocked by: #60 (Leash fails to start on Docker Desktop)

Also, I want to complete a little more manual testing on Docker Desktop before removing draft status.

Summary

Add support for configuring Cedar policy file paths in config.toml, allowing users to manage security policies at global and project scopes without relying on CLI flags or environment variables.

Example use case: allowing different network calls to different URLs depending on project-specific tech stack, 3rd-party services, etc.

Changes

  • Add policy_file configuration directive

    • Global scope: [leash] policy_file = "~/leash/policies/default.cedar"
    • Project scope: [projects."/path"] policy_file = "./policies/project.cedar"
    • Supports ~ expansion, environment variables, and relative paths (for project entries)
  • Implement precedence hierarchy

    • CLI --policy flag takes highest priority
    • LEASH_POLICY_FILE environment variable
    • Project-specific config
    • Global config
    • Auto-generated permissive policy (when none specified)
  • Update contributor list

    • Add Phoenix Zerin to CONTRIBUTORS.md 🌟

Screenshots/Videos

N/A

Reviewer Notes

Note

Not being super familiar with the codebase I let the coding agent copy+adapt the code used for target_image configuration and did not prompt it to do any refactoring/deduplication.

merphx commented Feb 22, 2026

CI Test Failure - Thoughts?

I noticed the CI is failing on TestLaunchTargetContainerSkipsDuplicateMount, and I had the coding agent look into it. Here's what it observed:

  1. Different code areas:

    • This PR modifies policy file loading in runner.go and adds tests in runner_config_test.go
    • The failing test is in mount_state_test.go, testing container mount deduplication
  2. Passes locally:

    • All 133 tests in internal/runner pass when I run them locally
    • The failure only appears in CI
  3. Possible race condition:

    • The test modifies the global commandOutput variable (lines 193-195) to mock architecture detection
    • Other tests in the same file use t.Parallel(), which could cause timing issues
    • The agent noticed commit 5066912 fixed similar issues by removing t.Parallel() from environment-sensitive tests

It looks like this might be a pre-existing flaky test, and so I'd be keen for it not to block this PR, but I could be overlooking something. Whatcha think?

merphx force-pushed the feat/config-policy-file branch from b4bc072 to 3aece63 on February 22, 2026 23:54

merphx and others added 8 commits March 9, 2026 11:09

Support global and project-specific Cedar policy file paths in config.toml,
providing consistency with target_image and envvars configuration.

- Add PolicyFile and ProjectPolicyFiles fields to Config struct
- Implement GetPolicyFile, SetGlobalPolicyFile, SetProjectPolicyFile methods
- Parse policy_file from [leash] and [projects] sections in TOML
- Update runner to respect config policy with correct precedence:
  CLI flag > env var > project config > global config
- Document policy_file directive in CONFIG.md with link to CEDAR.md

Co-Authored-By: opencode <noreply@opencode.ai>

The test was attempting to query GetPolicyFile with an empty string to check global policy, but normalizeProjectKey rejects empty paths. Fixed by querying a different project path to verify global policy fallback behaviour works correctly.

Co-Authored-By: opencode <noreply@opencode.ai>
Co-Authored-By: opencode <noreply@opencode.ai>
Implements the documented feature that policy file paths support environment variable expansion. Previously, the documentation promised this functionality but resolvePolicyPath only handled tilde and relative paths.

Changes:
- Add os.ExpandEnv() to resolvePolicyPath before tilde expansion
- Add comprehensive tests covering env var expansion scenarios
- Add example to CONFIG.md showing env var usage
- Document code duplication decision with migration guidance

This matches the pattern used in resolveVolumeHost (mounts.go:325).

Co-Authored-By: opencode <noreply@opencode.ai>

Merged TestPolicyFileConfigPrecedence and TestPolicyFileSaveRoundTrip into a single comprehensive test TestPolicyFilePersistenceAndPrecedence.

Both tests were covering the same functionality:
- Save/Load roundtrip
- TOML persistence verification
- Global vs project scope precedence

The consolidated test maintains all coverage while removing duplication.

Co-Authored-By: opencode <noreply@opencode.ai>

Replace vanilla base images (ubuntu:22.04, node:20) with custom image examples that include leash-entry, reflecting actual usage per CUSTOM-DOCKER-IMAGES.md guidance.

Co-Authored-By: opencode <noreply@opencode.ai>

merphx force-pushed the feat/config-policy-file branch from 3aece63 to b4cb1e0 on March 8, 2026 22:09
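
The precedence order listed in the PR description and the expansion order stated in the commit message (os.ExpandEnv before tilde expansion, relative paths only for project entries), as an added Go example that is not code from this PR. `Sources`, `resolvePath` and `selectPolicy` are hypothetical names, and leaving relative CLI and environment paths unanchored is an assumption.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Sources is a hypothetical struct holding each place a policy path can come from.
type Sources struct {
	CLIFlag, EnvVar, Project, Global string // raw values, "" when unset
	ProjectDir, HomeDir              string // base for relative project paths; value for ~
}

// resolvePath expands environment variables first, then a leading ~, then
// anchors a relative path at baseDir (only project entries pass a baseDir).
func resolvePath(raw, home, baseDir string) string {
	p := os.ExpandEnv(raw) // an unset variable expands to ""
	if p == "~" || strings.HasPrefix(p, "~/") {
		p = filepath.Join(home, strings.TrimPrefix(p, "~"))
	}
	if baseDir != "" && !filepath.IsAbs(p) {
		p = filepath.Join(baseDir, p)
	}
	return filepath.Clean(p)
}

// selectPolicy returns the resolved path and winning source, highest priority
// first; ("", "generated") means the auto-generated permissive policy applies.
func selectPolicy(s Sources) (path, source string) {
	switch {
	case s.CLIFlag != "":
		return resolvePath(s.CLIFlag, s.HomeDir, ""), "cli"
	case s.EnvVar != "":
		return resolvePath(s.EnvVar, s.HomeDir, ""), "env"
	case s.Project != "":
		return resolvePath(s.Project, s.HomeDir, s.ProjectDir), "project"
	case s.Global != "":
		return resolvePath(s.Global, s.HomeDir, ""), "global"
	}
	return "", "generated"
}

func main() {
	// Constructed sample values, using the paths shown in the PR description.
	s := Sources{Global: "~/leash/policies/default.cedar", Project: "./policies/project.cedar", ProjectDir: "/work/app", HomeDir: "/home/dev"}
	fmt.Println(selectPolicy(s))
}
```

Because os.ExpandEnv replaces an unset variable with the empty string, a value such as `$POLICY_DIR/default.cedar` resolves to `/default.cedar` when POLICY_DIR is unset. Logging the winning source alongside the resolved path makes it visible when the permissive fallback or an unexpected file is in effect.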