Add wildcard in the middle test coverage (#15813)

## Summary Add a focused codex network proxy unit test for the denylist pattern with wildcard in the middle `region*.some.malicious.tunnel.com`. This does not change how existing code works, just ensure that behavior stays the same and we got CI guards to guard existin behavior. ## Why The managed Codex denylist update relies on this mid label glob form, and the existing tests only covered exact hosts, `*.` subdomains, and `**.` apex plus subdomains. ## Validation `cargo test -p codex-network-proxy compile_globset_supports_mid_label_wildcards` `cargo test -p codex-network-proxy` `./tools/argument-comment-lint/run-prebuilt-linter.sh -p codex-network-proxy`
2026-04-29 02:41:12 +03:00 · 2026-03-26 10:53:31 -07:00
parent af04273778
commit 0bd34c28c7
1 changed files with 10 additions and 0 deletions
--- a/codex-rs/network-proxy/src/policy.rs
+++ b/codex-rs/network-proxy/src/policy.rs
@@ -367,6 +367,16 @@ mod tests {
        assert_eq!(false, set.is_match("example.com"));
    }

+    #[test]
+    fn compile_globset_supports_mid_label_wildcards() {
+        let set = compile_denylist_globset(&["region*.v2.argotunnel.com".to_string()]).unwrap();
+
+        assert_eq!(true, set.is_match("region1.v2.argotunnel.com"));
+        assert_eq!(true, set.is_match("region.v2.argotunnel.com"));
+        assert_eq!(false, set.is_match("xregion1.v2.argotunnel.com"));
+        assert_eq!(false, set.is_match("foo.region1.v2.argotunnel.com"));
+    }
+
    #[test]
    fn compile_globset_normalizes_apex_and_subdomains() {
        let set = compile_denylist_globset(&["**.Example.COM.".to_string()]).unwrap();