`git branch -d` bypasses review mode

[lamyc]

What happened

When reviewing a plan that includes git branch, the review mode only checks the command name. git branch -D <branch> executes without any confirmation, even though it deletes a branch. The current git branch is within BUILTIN_ALLOWLIST (here) for Repo inspection but didn't consider blocking high‑risk arguments.

Tested with a simple prompt: "delete branch feature/foo"

Expected

git branch -D should trigger review/confirmation because -D (force delete) is destructive. Ideally any command with high‑risk arguments (-d, -D, --force, rm -rf, etc.) should be held for approval.

Reproduction

1. Start Reasonix with review mode enabled (default)
2. Prompt: delete branch feature/foo
3. Agent calls git branch -d feature/foo
4. Command executes immediately without user confirmation

Environment

• Reasonix version: 0.26.0
• Node version: 24.12.0
• OS: Linux (Ubuntu)
• DeepSeek model: deepseek-v4-flash

Logs / transcript

› you · just now
git branch delete features/foo

◆  reasoning  · 1 ¶
The user wants to delete the `features/foo` branch. Let me do that.

✓ run_command git branch -d features/foo
$ git branch -d features/foo
[exit 0]
Deleted branch features/foo (was ab89d48).

No [Review] prompt appears before execution.

Possible direction

The OWASP AI Agent Security Cheat Sheet suggests checking dangerous tool parameters as part of tool‑call validation, not just the command name. There's a section on least privilege for tools that might be relevant here:

OWASP reference: AI Agent Security Cheat Sheet § 1. Tool Security – Least Privilege

One approach could be to extend the existing review logic with simple argument‑level checks (allowlist/blocklist patterns), so that commands like git branch -D get flagged just like their base names would.

[esengine]

Thanks for the careful write-up — confirmed, this is a real bug. The allowlist matches on the leading tokens only, so anything past that flows through unchecked: git branch -D, git remote add, find . -delete, etc. all sneak through the same way.

The OWASP "per-tool scoping" framing is the right mental model — constrain what the call can actually do, not just which tool it is. My current thinking is a small per-prefix demotion table layered on top of the existing allowlist: git branch stays allowed for inspection, but -d / -D / --delete / -m / -M / --force falls back to the confirm gate; same shape for git remote add|rm|set-url|... and find -delete|-exec|-execdir|.... A global -d / -f blocklist would false-positive on grep -d skip / cargo test --release / similar, and the allowlisted entries already pin enough context to know which flags are destructive in that command's grammar.

The chain path doesn't need separate handling — chainAllowed already runs isAllowed per segment, so the demotion catches git status && git branch -D foo as well.

Will tag the fix here when it lands, and probably audit the rest of the allowlist for the same class of bypass while I'm in there. Thanks again.

[esengine]

Shipped in v0.26.1 (#258).

Per-prefix RISKY_ARGS table demotes destructive flags on otherwise-allowlisted commands back to the confirm gate. Coverage from the audit:

• git branch: -d / -D / --delete / -m / -M / --move / -c / -C / --copy / --force
• git remote: add / remove / rm / rename / set-url / set-head / prune
• git diff/log/show: --output / --ext-diff
• find: -delete / -exec / -execdir / -ok / -okdir / -fprint / -fprint0 / -fprintf / -fls
• tree: -o
• npx eslint: --fix / --fix-dry-run
• npx biome check: --write / --apply / --apply-unsafe
• ruff: --fix / --unsafe-fixes / format

Both --flag value and --flag=value forms are caught, and chain commands inherit via the existing per-segment check. Thanks for the report and the OWASP pointer.