Block +<refspec> force pushes in the pre-bash guard#38
Merged
Conversation
Summary Close a bypass in the `git push --force` guard: a refspec that leads with `+` forces the remote update without `--force`/`-f`. `agent-hook-pre-bash` blocked `git push --force` and `-f`, but its per-argument scan only looked at flags. `git push origin +main`, `+HEAD:main`, or `+refs/heads/x:y` all force-overwrite the remote ref and slipped through unguarded. - add a `+?*)` arm to the post-`push` argument loop: a positional refspec starting with `+` (the force marker) sets the force-push guard. A remote name can't start with `+`, and a leading `+` on a refspec always means force, so there is no legitimate non-force arg this catches. - `--force-with-lease` (and `=ref`) stay allowed as before Known, pre-existing gaps left as-is: `git push origin -- +main` (the scan stops at `--`) and `--mirror`; neither is a common agent form. Testing - new `agent-hook-bash-guards-test` cases: `+main`, `+HEAD:main`, and `+refs/heads/x:y` are blocked; plain `origin main` and a non-force `HEAD:main` refspec stay allowed - verified red-green: removing the `+?*)` arm lets `+main` push through (exit 0 instead of blocked) - full suite green (`./test/agentguard-test`: all suites 0 failed); `checkrun lint` clean
cgraf78
added a commit
that referenced
this pull request
Jul 2, 2026
Summary Extend the force-push guard to catch `git push --mirror`, which force-overwrites and prunes every remote ref — remote-destructive even without `--force`. Follow-up to the `+<refspec>` fix (#38). - add a dedicated `_GUARD_GIT_PUSH_MIRROR` guard and a `--mirror)` arm in the post-`push` argument scan - give it its own message (the force guard's `--force-with-lease` advice does not fit a mirror push): run it manually if a full mirror is truly intended - `--prune`/`--all` are left out of scope; `--mirror` is the clear remote-destructive gap Testing - new `agent-hook-bash-guards-test` cases: `git push --mirror`, `--mirror origin`, and `git -C repo push --mirror` are blocked with the mirror-specific message; normal pushes, `+refspec`, `--force-with-lease`, and `-u` are unaffected - verified red-green: removing the `--mirror)` arm lets `--mirror` through (exit 0) - full suite green (`./test/agentguard-test`: all suites 0 failed); `checkrun lint` clean
cgraf78
added a commit
that referenced
this pull request
Jul 2, 2026
Summary Extend the push guard to catch `git push --prune`, which deletes remote refs that have no local counterpart — remote-destructive. Follow-up to the `+<refspec>` (#38) and `--mirror` (#39) guards. - add a dedicated `_GUARD_GIT_PUSH_PRUNE` guard and a `--prune)` arm, with its own message - bare `--all` is intentionally NOT guarded: it only pushes branches and is destructive only combined with `--force`, which is already caught Testing - new `agent-hook-bash-guards-test` cases: `git push --prune ...` is blocked with the prune-specific message; bare `git push --all origin` stays allowed - verified red-green: removing the `--prune)` arm lets `--prune` through (exit 0) - full suite green (`./test/agentguard-test`: all suites 0 failed); `checkrun lint` clean
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Close a bypass in the
git push --forceguard: a refspec that leadswith
+forces the remote update without--force/-f.agent-hook-pre-bashblockedgit push --forceand-f, but itsper-argument scan only looked at flags.
git push origin +main,+HEAD:main, or+refs/heads/x:yall force-overwrite the remote ref andslipped through unguarded.
+?*)arm to the post-pushargument loop: a positional refspecstarting with
+(the force marker) sets the force-push guard. A remotename can't start with
+, and a leading+on a refspec always meansforce, so there is no legitimate non-force arg this catches.
--force-with-lease(and=ref) stay allowed as beforeKnown, pre-existing gaps left as-is:
git push origin -- +main(the scanstops at
--) and--mirror; neither is a common agent form.Testing
agent-hook-bash-guards-testcases:+main,+HEAD:main, and+refs/heads/x:yare blocked; plainorigin mainand a non-forceHEAD:mainrefspec stay allowed+?*)arm lets+mainpush through(exit 0 instead of blocked)
./test/agentguard-test: all suites 0 failed);checkrun lintclean