Skip to content

fix: move common git commands from ask to allow #30

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
stranma merged 2 commits into from
Mar 17, 2026
Merged

fix: move common git commands from ask to allow #30

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ddc5d3e
fix: move common git commands from ask to allow
stranma Mar 16, 2026
0a820e0
fix: update tests for git commands moved to allow
stranma Mar 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions .claude/settings.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@
"Bash(git branch *)", "Bash(git checkout *)", "Bash(git status *)",
"Bash(git diff *)", "Bash(git log *)", "Bash(git show *)",
"Bash(git merge *)", "Bash(git stash *)",
"Bash(git restore *)", "Bash(git reset *)", "Bash(git rm *)",
"Bash(git mv *)", "Bash(git worktree *)",
Comment on lines +14 to +15
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

git reset can cause irreversible data loss when used with --hard.

Moving git reset * to allow means destructive commands like git reset --hard will execute without prompting. This can permanently discard uncommitted work.

Note the inconsistency: git clean is in the deny list (line 35) because it removes untracked files, yet git reset --hard (which discards uncommitted staged/unstaged changes) would now run without confirmation.

Consider one of these alternatives:

  1. Keep git reset in ask to require confirmation for potentially destructive resets
  2. Add Bash(git reset --hard *) to the deny list while allowing safer variants
  3. Accept the risk if the workflow prioritizes speed over safety for uncommitted changes

The other four commands (git restore, git rm, git mv, git worktree) are reasonable additions to allow as they are routine and less destructive.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.claude/settings.json around lines 14 - 15, The entry "Bash(git reset *)" in
the allow list is risky because it permits destructive variants like "git reset
--hard"; update the settings to prevent accidental data loss by either moving
"Bash(git reset *)" back to ask, or keep a safe allow and add a deny entry
specifically for "Bash(git reset --hard *)" (or both), and ensure consistency
with the existing "git clean" deny; edit the settings to replace or augment the
"Bash(git reset *)" token with the chosen safer option so the policy enforces
confirmation or denial for hard resets.

"Bash(git remote *)", "Bash(git submodule *)", "Bash(git tag *)",
"Bash(git switch *)", "Bash(git rev-parse *)", "Bash(git cherry-pick *)",
"Bash(git blame *)", "Bash(git reflog *)", "Bash(git ls-files *)",
Expand Down Expand Up @@ -41,8 +43,7 @@
"Bash(gh workflow enable *)", "Bash(gh workflow disable *)",
"Bash(gh issue create *)", "Bash(gh issue comment *)",
"Bash(gh issue close *)", "Bash(gh issue edit *)",
"Bash(git reset *)", "Bash(git init *)", "Bash(git clone *)",
"Bash(git rm *)", "Bash(git mv *)", "Bash(git restore *)", "Bash(git worktree *)",
"Bash(git init *)", "Bash(git clone *)",
"Bash(uv remove *)", "Bash(uv cache *)", "Bash(uv init *)",
"WebFetch"
]
Expand Down
Loading