fix(hooks): tokenize git push flags in block-force-push#527
Conversation
Replace substring regex matching with argv-token inspection so that: - bundled short flags like -fu/-uf/-fq are caught (f anywhere in the cluster means force) - --force-with-lease and --force-if-includes are allowed as the safe force-push variants - --follow-tags and other non-force flags are no longer mis-flagged - positional arguments after -- are ignored Co-Authored-By: Kimi K2.7 Code <noreply@kimi.com>
|
Caution Review failedFailed to post review comments. GitHub was unavailable or timed out while CodeRabbit was posting the review. Please request a new review later if the pull request still needs one. This happened while posting 2 inline comments. Use ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
🧰 Additional context used📓 Path-based instructions (4)src/hooks/**/*.{ts,tsx,js,jsx}📄 CodeRabbit inference engine (AGENTS.md)
Files:
src/hooks/**/*.ts📄 CodeRabbit inference engine (AGENTS.md)
Files:
**/src/hooks/**/*.{ts,tsx}📄 CodeRabbit inference engine (CLAUDE.md)
Files:
**/__tests__/**/*.{ts,tsx,js,jsx}📄 CodeRabbit inference engine (AGENTS.md)
Files:
🧠 Learnings (2)📚 Learning: 2026-05-05T23:13:01.551ZApplied to files:
📚 Learning: 2026-06-26T10:17:22.613ZApplied to files:
📝 WalkthroughWalkthroughThe force-push policy now performs token-aware detection, recognizes bundled short force flags, allows safe force variants, honors ChangesForce-push policy
Estimated code review effort: 2 (Simple) | ~10 minutes Suggested reviewers: Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 ESLint
ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Automated code review started - full review. Results will be posted here. |
|
⏳ Review in progress — Phase 1-2: diff analysis complete. Running test suite now... |
|
✅ Build & test complete.
|
| function isForcePushFlag(token: string): boolean { | ||
| if (token === "--force") return true; | ||
| if (SAFE_FORCE_PREFIXES.some((prefix) => token.startsWith(prefix))) return false; | ||
| if (token.startsWith("--force")) return true; |
There was a problem hiding this comment.
💡 Good design: fail-safe catch-all for unknown --force- variants.*
Line 698 if (token.startsWith("--force")) return true; blocks any future git flag that starts with --force but isn't on the explicit allowlist. This is strong defense-in-depth — if git ever adds --force-something-new, failproofai defaults to blocking it until you audit and add it to SAFE_FORCE_PREFIXES.
Automated Code ReviewExecutive SummaryThis PR fixes two defects in the block-force-push policy by replacing regex-based detection with proper argv tokenization. The old regex allowed bundled short flags like -fu and incorrectly blocked the safer --force-with-lease variant. The rewrite uses proper tokenization with a fail-safe catch-all and respects the -- end-of-options marker. The change is surgical, well-tested, and introduces zero regressions. Change ArchitectureBreaking ChangesNo breaking changes detected. Policy behavior is expanded (more cases correctly detected) but backward-compatible. Issues FoundNo issues found. The code is clean and correct. Logical / Bug AnalysisWhat the old code did wrong:
What the new code fixes:
Edge cases verified:
Evidence - Build & Test ResultsType check: bunx tsc --noEmit — clean (no errors) Issue LinkageThis PR closes #526. All cases covered by tests. Human Review FeedbackNo human review comments on this PR. SuggestionsConsider mentioning --force-with-lease as a safe alternative in the deny message. (Low priority, cosmetic.) VerdictVERDICT: APPROVED Automated code review - 2026-07-16 12:05 UTC |
hermes-exosphere
left a comment
There was a problem hiding this comment.
Automated review: Approved. Clean, well-tested fix for the block-force-push tokenization. No issues found. 2064 tests pass, type check clean.
hermes-exosphere
left a comment
There was a problem hiding this comment.
Automated review: Approved. ✅
|
Your PR is awaiting review by a moderator. Till then you can join the Discord for conversation: https://discord.gg/qaFM2uYFb |
|
Your PR is awaiting review by a moderator. Till then you can join the Discord for conversation: https://discord.befailproof.ai |
|
Your PR is awaiting review by a reviewer. Till then you can join the Discord for conversation: https://discord.befailproof.ai |
Hermes Agent Code Review — PR #527PR: fix(hooks): tokenize git push flags in block-force-push ✅ Looks GoodThe approach is sound. The old regex Key design decisions I agree with:
💡 Suggestions (non-blocking)
🔬 Test CoverageAll 12 cases from the PR's case table are covered in tests:
Gates:
Verdict: APPROVED ✅The change is minimal, correct, and well-tested. The token-based approach closes two real defects without introducing new false positives. No blocking issues found. Reviewed by Hermes Agent |
Fixes the
block-force-pushpolicy so it inspects actualgit pushargv tokens instead of substring-matching the raw command string.Defects fixed
git push -fu origin mainwas allowed. Git bundles short flags, so-fuis force + set-upstream. The old regex/-f\b/required a word boundary afterf, which fails when more letters follow.git push --force-with-leasewas denied. The old regex matched the--forceprefix of the safer variant, which refuses to force-push if the remote has moved.Approach
git push …pipeline segment on whitespace.--end-of-options marker.--force--force-*long flag (fail-safe)f(-f,-fu,-uf,-fq, …)--force-with-leaseand--force-with-lease=<refname>--force-if-includes--follow-tags.Case table covered by tests
git push --force origin maingit push -f origin maingit push -fu origin maingit push -uf origin maingit push -fq origin maingit push --force-with-lease origin maingit push --force-with-lease=maingit push --force-if-includes origin maingit push --follow-tags origin maingit push origin -- --forcegit push origin feat/branchgit push origin worktree/hn-fetch-jobgh pr create --body "blocks --force and -f flags"Gates
The single test failure (
Pi integration > writeHookEntries adds a packages-array entry to a fresh settings.json) is pre-existing onmainand unrelated to the force-push policy.Closes #526
Prepared with AI assistance (Kimi K2.7 Code), human-reviewed before submission.
Summary by CodeRabbit
--.