test(replay): expand egress policy coverage for path+method

Author: rexleimo

crates/rexos/tests/fixtures/replay/session_egress_policy_method_block.json

@@ -0,0 +1,25 @@
+[
+  {
+    "choices": [
+      {
+        "index": 0,
+        "message": {
+          "role": "assistant",
+          "content": null,
+          "tool_calls": [
+            {
+              "id": "call_1",
+              "type": "function",
+              "function": {
+                "name": "a2a_send",
+                "arguments": "{\"agent_url\":\"http://127.0.0.1/\",\"message\":\"hi\",\"allow_private\":true}"
+              }
+            }
+          ]
+        },
+        "finish_reason": "tool_calls"
+      }
+    ]
+  }
+]
+

crates/rexos/tests/fixtures/replay/session_egress_policy_path_block.json

@@ -0,0 +1,25 @@
+[
+  {
+    "choices": [
+      {
+        "index": 0,
+        "message": {
+          "role": "assistant",
+          "content": null,
+          "tool_calls": [
+            {
+              "id": "call_1",
+              "type": "function",
+              "function": {
+                "name": "web_fetch",
+                "arguments": "{\"url\":\"http://127.0.0.1/nope\",\"allow_private\":true,\"max_bytes\":100}"
+              }
+            }
+          ]
+        },
+        "finish_reason": "tool_calls"
+      }
+    ]
+  }
+]
+

crates/rexos/tests/session_replay.rs

@@ -702,3 +702,147 @@ async fn replay_fixture_blocks_egress_policy_rule_mismatches() {
 
     server.abort();
 }
+
+#[tokio::test]
+#[serial]
+async fn replay_fixture_blocks_egress_policy_path_prefix_mismatches() {
+    let fixture = support::openai_compat_fixture::load_json_array(include_str!(
+        "fixtures/replay/session_egress_policy_path_block.json"
+    ));
+    let server = support::openai_compat_fixture::FixtureServer::spawn(fixture).await;
+
+    let tmp = tempfile::tempdir().unwrap();
+    let security = rexos::security::SecurityConfig {
+        egress: EgressConfig {
+            rules: vec![EgressRule {
+                tool: "web_fetch".to_string(),
+                host: "127.0.0.1".to_string(),
+                path_prefix: "/ok".to_string(),
+                methods: vec!["GET".to_string()],
+            }],
+        },
+        ..Default::default()
+    };
+
+    let (agent, _paths, workspace_root) = fixture_agent(&tmp, server.base_url.clone(), security);
+
+    let session_id = "s-replay-egress-path";
+    agent
+        .set_session_allowed_tools(session_id, vec!["web_fetch".to_string()])
+        .unwrap();
+
+    let err = agent
+        .run_session(
+            workspace_root,
+            session_id,
+            None,
+            "fetch disallowed path",
+            TaskKind::Coding,
+        )
+        .await
+        .unwrap_err();
+    let err_text = err.to_string();
+    assert!(
+        err_text.contains("egress path not allowed"),
+        "expected egress path block, got: {err_text}"
+    );
+    assert!(
+        err_text.contains("web_fetch"),
+        "expected tool name in error, got: {err_text}"
+    );
+
+    let requests = server.requests.lock().unwrap().clone();
+    assert_eq!(requests.len(), 1, "expected one chat completions call");
+    assert_eq!(
+        compact_request(&requests[0]),
+        json!({
+            "model": "fixture-model",
+            "temperature": 0.0,
+            "tools": [{
+                "name": "web_fetch",
+                "type": "function",
+                "param_type": "object",
+                "required": ["url"],
+                "properties": ["allow_private", "max_bytes", "timeout_ms", "url"],
+                "additional_properties": false,
+            }],
+            "message_roles": ["user"],
+            "assistant_tool_calls": [],
+            "tool_messages": [],
+        })
+    );
+
+    server.abort();
+}
+
+#[tokio::test]
+#[serial]
+async fn replay_fixture_blocks_egress_policy_method_mismatches() {
+    let fixture = support::openai_compat_fixture::load_json_array(include_str!(
+        "fixtures/replay/session_egress_policy_method_block.json"
+    ));
+    let server = support::openai_compat_fixture::FixtureServer::spawn(fixture).await;
+
+    let tmp = tempfile::tempdir().unwrap();
+    let security = rexos::security::SecurityConfig {
+        egress: EgressConfig {
+            rules: vec![EgressRule {
+                tool: "a2a_send".to_string(),
+                host: "127.0.0.1".to_string(),
+                path_prefix: "/".to_string(),
+                methods: vec!["GET".to_string()],
+            }],
+        },
+        ..Default::default()
+    };
+
+    let (agent, _paths, workspace_root) = fixture_agent(&tmp, server.base_url.clone(), security);
+
+    let session_id = "s-replay-egress-method";
+    agent
+        .set_session_allowed_tools(session_id, vec!["a2a_send".to_string()])
+        .unwrap();
+
+    let err = agent
+        .run_session(
+            workspace_root,
+            session_id,
+            None,
+            "send a2a disallowed method",
+            TaskKind::Coding,
+        )
+        .await
+        .unwrap_err();
+    let err_text = err.to_string();
+    assert!(
+        err_text.contains("egress method not allowed"),
+        "expected egress method block, got: {err_text}"
+    );
+    assert!(
+        err_text.contains("a2a_send"),
+        "expected tool name in error, got: {err_text}"
+    );
+
+    let requests = server.requests.lock().unwrap().clone();
+    assert_eq!(requests.len(), 1, "expected one chat completions call");
+    assert_eq!(
+        compact_request(&requests[0]),
+        json!({
+            "model": "fixture-model",
+            "temperature": 0.0,
+            "tools": [{
+                "name": "a2a_send",
+                "type": "function",
+                "param_type": "object",
+                "required": ["message"],
+                "properties": ["agent_url", "allow_private", "message", "session_id", "url"],
+                "additional_properties": false,
+            }],
+            "message_roles": ["user"],
+            "assistant_tool_calls": [],
+            "tool_messages": [],
+        })
+    );
+
+    server.abort();
+}