
chore: constrain wildcard position in network.allow domain patterns#185

Merged
jamesadevine merged 2 commits into main from copilot/fix-wildcard-position-in-domain-patterns
Apr 14, 2026

Conversation

Contributor

Copilot AI commented Apr 14, 2026

generate_allowed_domains accepted * anywhere in a domain pattern (e.g., ex*ample.com, example.*, *.*.com), diverging from the documented *.mycompany.com convention.

Changes

  • src/compile/standalone.rs: Added a second validation pass after the character check. Any pattern containing * that isn't exactly a single leading *. prefix (with no further * in the remainder) now fails compilation with a descriptive error:

    network.allow domain 'example.*' uses '*' in an unsupported position.
    Wildcards must appear only as a leading prefix (e.g. '*.example.com').
    
  • tests/compiler_tests.rs: Added 5 tests covering valid (*.mycompany.com) and invalid (example.*, ex*ample.com, *.*.com, bare *) patterns.

@jamesadevine jamesadevine marked this pull request as ready for review April 14, 2026 12:38
@jamesadevine
Collaborator

/rust-review

@github-actions
Contributor

github-actions Bot commented Apr 14, 2026

Rust PR Reviewer completed successfully!

Copilot AI changed the title [WIP] Fix wildcard position in network.allow domain patterns chore: constrain wildcard position in network.allow domain patterns Apr 14, 2026
Copilot AI requested a review from jamesadevine April 14, 2026 12:39
@github-actions
Contributor

🔍 Rust PR Review

Summary: Looks good — the wildcard validation logic is correct and the tests are comprehensive. One minor edge case worth noting.

Findings

⚠️ Suggestions

  • src/compile/standalone.rs:356 — The pattern *. (a wildcard followed by a bare dot, no TLD) passes the new validation. Evaluating:

    • host.starts_with("*.") → true
    • host[2..].contains('*') → false (empty string)
    • Result: accepted, inserted into the allowlist

    This is almost certainly harmless (AWF's Squid proxy would not match anything meaningful against *.), but a stricter guard could also require !host[2..].is_empty() to block this degenerate form.

  • src/compile/standalone.rs:367-373: network.blocked entries are inserted into HashSet::remove() with no character validation. Since blocked only performs exact set-membership removal (it can never add domains to the allowlist), there's no security risk: a malformed entry simply won't match. Still worth a follow-up to apply the same valid_chars check for consistency and early feedback to users who typo a blocked entry.

✅ What Looks Good

  • Panic safety: host[2..] is always a valid UTF-8 byte boundary because * and . are both single-byte ASCII, so the slice cannot split a multibyte character.
  • Logic correctness: The condition host.contains('*') && !(host.starts_with("*.") && !host[2..].contains('*')) correctly accepts only the *.label.tld form and rejects bare *, trailing .*, mid-string ex*ample.com, and double-wildcard *.*.com.
  • Test coverage: All five test cases map directly to the documented convention and its edge cases; the stderr assertion on "unsupported position" ties tests to the actual error message.
  • Error messages: Both error paths include the offending pattern and a concrete example of the correct form — good UX for pipeline authors.

Generated by Rust PR Reviewer for issue #185
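The two-pass check described in the PR summary above (character check, then wildcard position), together with the stricter `!host[2..].is_empty()` guard and the blocked-list character check suggested in the review, as a stand-alone added example. This is not the project's own code from src/compile/standalone.rs: the shapes of `valid_chars`, `generate_allowed_domains` and the `PatternError` type are assumptions, and the accepted character set (ASCII alphanumerics, '-', '.', '*') is an assumption as well.

```rust
use std::collections::HashSet;
use std::fmt;

/// Reasons a network.allow / network.blocked pattern is rejected.
/// (Assumed error type; the project's actual error shape may differ.)
#[derive(Debug, PartialEq, Eq)]
pub enum PatternError {
    /// A character outside the accepted set (assumed: ASCII alphanumerics, '-', '.', '*').
    InvalidChar { pattern: String, ch: char },
    /// '*' appears anywhere other than a single leading "*." prefix.
    WildcardPosition { pattern: String },
    /// The degenerate "*." form: a prefix with no domain after it (the review's stricter guard).
    EmptyWildcardSuffix { pattern: String },
}

impl fmt::Display for PatternError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            PatternError::InvalidChar { pattern, ch } => write!(
                f, "network.allow domain '{pattern}' contains unsupported character '{ch}'"
            ),
            PatternError::WildcardPosition { pattern } => write!(
                f, "network.allow domain '{pattern}' uses '*' in an unsupported position. \
                    Wildcards must appear only as a leading prefix (e.g. '*.example.com')."
            ),
            PatternError::EmptyWildcardSuffix { pattern } => write!(
                f, "network.allow domain '{pattern}' has no domain after the '*.' prefix."
            ),
        }
    }
}

/// First pass: character check (assumed shape of the existing valid_chars pass).
fn valid_chars(host: &str) -> Result<(), PatternError> {
    for ch in host.chars() {
        if !(ch.is_ascii_alphanumeric() || ch == '-' || ch == '.' || ch == '*') {
            return Err(PatternError::InvalidChar { pattern: host.to_string(), ch });
        }
    }
    Ok(())
}

/// Second pass: wildcard position. Accepts only the "*.label.tld" form.
pub fn validate_allow_pattern(host: &str) -> Result<(), PatternError> {
    valid_chars(host)?;
    if host.contains('*') {
        // host[2..] is only evaluated after starts_with("*.") succeeded, so the
        // string has at least two bytes and index 2 is a char boundary ('*' and
        // '.' are single-byte ASCII). Rejects bare '*', 'example.*', 'ex*ample.com'
        // and '*.*.com'.
        let leading_only = host.starts_with("*.") && !host[2..].contains('*');
        if !leading_only {
            return Err(PatternError::WildcardPosition { pattern: host.to_string() });
        }
        // Stricter guard from the review: "*." passes the check above but names nothing.
        if host[2..].is_empty() {
            return Err(PatternError::EmptyWildcardSuffix { pattern: host.to_string() });
        }
    }
    Ok(())
}

/// Build the allowlist: validated allow patterns minus exact matches from blocked.
/// blocked can only remove entries, never add them; the character check on it is
/// the consistency/early-feedback change the review asked for as a follow-up.
pub fn generate_allowed_domains(
    allow: &[&str],
    blocked: &[&str],
) -> Result<HashSet<String>, PatternError> {
    let mut domains = HashSet::new();
    for host in allow {
        validate_allow_pattern(host)?;
        domains.insert(host.to_string());
    }
    for host in blocked {
        valid_chars(host)?;
        domains.remove(*host);
    }
    Ok(domains)
}

fn main() {
    // Constructed sample patterns: the documented form plus the PR's rejected cases and "*.".
    for p in ["*.mycompany.com", "example.*", "ex*ample.com", "*.*.com", "*", "*."] {
        match validate_allow_pattern(p) {
            Ok(()) => println!("accepted  {p}"),
            Err(e) => println!("rejected  {p}: {e}"),
        }
    }
}
```

The wildcard check runs only after `valid_chars`, so a pattern with a space or other rejected character reports the character error first; the `starts_with("*.")` test short-circuits before any slicing, which is what keeps `host[2..]` panic-free for a bare `*`.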

@jamesadevine jamesadevine merged commit 5e575b0 into main Apr 14, 2026
@jamesadevine jamesadevine deleted the copilot/fix-wildcard-position-in-domain-patterns branch April 14, 2026 12:50