fix tests; drop redundant coder --allowedTools/--disallowedTools calls

morganl-ant · morganl-ant · commit 913224b0493f · 2026-04-24T00:11:42.000Z
- The legacy-shim test set disallowed_tools, which triggered a
  pre-existing 'coder --disallowedTools' call in
  setup_claude_configurations. coder is not present in the test
  container so set -e aborted before the policy file was written.
  Those calls are redundant now that the legacy shim writes
  allow/deny via managed-settings.d, so remove them.
- claude-no-policy-keys-in-claudejson: configure_standalone_mode
  guards on CLAUDE_API_KEY in the environment, which coder_env
  provides in production but not in the test container. Pass
  coderEnvVars to execModuleScript so the file is created.
diff --git a/registry/coder/modules/claude-code/main.test.ts b/registry/coder/modules/claude-code/main.test.ts
@@ -252,13 +252,16 @@ describe("claude-code", async () => {
   });
 
   test("claude-no-policy-keys-in-claudejson", async () => {
-    const { id } = await setup({
+    const { id, coderEnvVars } = await setup({
       moduleVariables: {
         report_tasks: "false",
         claude_api_key: "sk-test-standalone",
       },
     });
-    await execModuleScript(id);
+    // configure_standalone_mode reads CLAUDE_API_KEY from the environment;
+    // in production the coder agent exports coder_env values, in tests we
+    // pass them explicitly.
+    await execModuleScript(id, coderEnvVars);
 
     const cfg = await readFileContainer(id, "/home/coder/.claude.json");
     expect(cfg).toContain("hasCompletedOnboarding");
diff --git a/registry/coder/modules/claude-code/scripts/install.sh b/registry/coder/modules/claude-code/scripts/install.sh
@@ -169,14 +169,10 @@ function setup_claude_configurations() {
     )
   fi
 
-  if [ -n "$ARG_ALLOWED_TOOLS" ]; then
-    coder --allowedTools "$ARG_ALLOWED_TOOLS"
-  fi
-
-  if [ -n "$ARG_DISALLOWED_TOOLS" ]; then
-    coder --disallowedTools "$ARG_DISALLOWED_TOOLS"
-  fi
-
+  # ARG_ALLOWED_TOOLS / ARG_DISALLOWED_TOOLS are mapped into the
+  # managed-settings policy file via the legacy_permissions shim in main.tf,
+  # so the `coder --allowedTools` / `coder --disallowedTools` calls that used
+  # to live here are no longer needed.
 }
 
 function write_managed_settings() {
