Merge branch 'fizzy-forging-stardust': safe-agent-action git-gate rewrite + upstream-pr-prep helper

Author: igor

agent-helpers/safe-agent-action.sh

@@ -182,38 +182,108 @@ case "$ACTION" in
     # ====================================================================
 
     git)
-        cd "$REPO_ROOT"
+        # Worktree-aware cwd: resolve the repo toplevel from the caller's
+        # cwd instead of the fixed REPO_ROOT. This lets wrapper git calls
+        # issued from inside a git worktree (e.g. /tmp/linuxcnc-pr-...)
+        # operate on that worktree's HEAD rather than the main fork
+        # working tree. Other wrapper cases still cd to REPO_ROOT; only
+        # the git case is worktree-aware.
+        local_TOPLEVEL=$(git rev-parse --show-toplevel 2>/dev/null || true)
+        [ -z "$local_TOPLEVEL" ] && die "git: not in a git repo"
+        cd "$local_TOPLEVEL"
         local_SUB="${1:-}"
         case "$local_SUB" in
-            # Read-only
-            status|log|diff|branch|show|rev-parse|describe|tag|ls-files|blame|shortlog|reflog|config|stash|grep|ls-tree|cat-file)
+            # Read-only (always safe)
+            status|log|diff|show|rev-parse|describe|tag|ls-files|blame|shortlog|reflog|config|grep|ls-tree|cat-file)
+                exec git "$@"
+                ;;
+            # Branch: allow listing/creation, block -D/-M/-d/-m/--delete/--move
+            # when the target is master or main (closes the pre-existing gap).
+            branch)
+                local_HAS_DEL=0
+                local_HAS_MAIN=0
+                for arg in "$@"; do
+                    case "$arg" in
+                        -D|-M|-d|-m|--delete|--move|--delete-force|--move-force)
+                            local_HAS_DEL=1
+                            ;;
+                        master|main)
+                            local_HAS_MAIN=1
+                            ;;
+                    esac
+                done
+                if [ "$local_HAS_DEL" = 1 ] && [ "$local_HAS_MAIN" = 1 ]; then
+                    die "git branch: refusing to delete/move master/main. Protected branches."
+                fi
                 exec git "$@"
                 ;;
-            # Index / commit (non-destructive)
-            add|rm|mv|restore)
+            # Workspace / remote-tracking ops (non-destructive to remotes)
+            add|rm|mv|restore|switch|stash|fetch)
                 exec git "$@"
                 ;;
-            switch)
+            # Local state mutations (recoverable from reflog/origin; permitted
+            # under "allow all feature-branch work")
+            checkout|reset|clean|gc|rebase|cherry-pick|worktree)
                 exec git "$@"
                 ;;
+            # Commit: always allow. --amend is normal pre-push; post-push
+            # amend is gated by the push rule below. --no-edit is allowed
+            # (useful for amend flows the operator explicitly chose).
             commit)
+                exec git "$@"
+                ;;
+            # Merge: refuse when current branch is master/main. Operator
+            # uses session-merge flow or bare git with explicit approval.
+            merge)
+                local_CUR=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "")
+                if [ "$local_CUR" = "master" ] || [ "$local_CUR" = "main" ]; then
+                    die "git merge: refusing to merge into '$local_CUR'. Use 'session-merge <branch>' for the merge-to-main approval flow, or switch off master/main first."
+                fi
+                exec git "$@"
+                ;;
+            # Push: refuse if (a) current branch is master/main, (b) any
+            # argv token targets master/main via any refspec form, or
+            # (c) the remote argument is 'upstream'. Force-push flags are
+            # allowed on feature branches by design.
+            push)
+                local_CUR=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "")
+                if [ "$local_CUR" = "master" ] || [ "$local_CUR" = "main" ]; then
+                    die "git push: refusing to push while on '$local_CUR' (implicit target). Switch to a feature branch first, or use session-merge for the merge-to-main approval flow."
+                fi
+                local_SAW_REMOTE=0
+                local_REMOTE=""
+                for arg in "$@"; do
+                    case "$arg" in
+                        push|-*) ;;  # subcommand or flag
+                        *)
+                            if [ "$local_SAW_REMOTE" = 0 ]; then
+                                local_REMOTE="$arg"
+                                local_SAW_REMOTE=1
+                            fi
+                            ;;
+                    esac
+                done
+                if [ "$local_REMOTE" = "upstream" ]; then
+                    die "git push upstream ...: refusing to push to the upstream remote. This script never pushes upstream. Use origin for your own fork."
+                fi
                 for arg in "$@"; do
                     case "$arg" in
-                        --amend|--no-edit)
-                            die "git commit $arg: not allowed (would rewrite a published commit). Create a new commit instead."
+                        master|main|*:master|*:main|+master|+main|HEAD:master|HEAD:main|refs/heads/master|refs/heads/main|:master|:main)
+                            die "git push: refusing refspec '$arg' (targets master/main). Feature branches only. Use session-merge to merge a feature branch to main."
                             ;;
                     esac
                 done
                 exec git "$@"
                 ;;
-            push|"push-force"|reset|rebase|clean|gc|filter-branch|update-ref|checkout|merge)
-                die "git $local_SUB: blocked in wrapper (destructive or rewriting history). Get explicit operator approval via bare git permission."
+            # Still blocked: niche history/ref manipulation
+            filter-branch|update-ref)
+                die "git $local_SUB: blocked in wrapper (niche history/ref manipulation, rarely correct). Get explicit operator approval if truly needed."
                 ;;
             "")
                 die "Usage: $0 git <subcommand> [args]"
                 ;;
             *)
-                die "git $local_SUB: not in wrapper allowlist. Read-only: status, log, diff, branch, show, etc. Write: add, rm, mv, commit, restore, stash. Anything else needs explicit operator approval."
+                die "git $local_SUB: not in wrapper allowlist. Add it to safe-agent-action.sh if it's safe for feature-branch work."
                 ;;
         esac
         ;;
@@ -471,10 +541,16 @@ Search / inspect (read-only):
   tail <file> [n]       Show last N lines of a file (default 50)
   du [path]             Disk usage (defaults to repo root)
 
-Git (restricted):
-  git <subcmd> [args]   Read-only: status, log, diff, branch, show, etc.
-                        Index/commit: add, rm, mv, commit (no --amend),
-                        restore, stash. Destructive ops blocked.
+Git (feature-branch work allowed; master/main protection):
+  git <subcmd> [args]   Feature-branch work allowed freely. Push/merge to
+                        master/main is blocked by gates on the subcommand
+                        (refuses refspecs targeting master/main and refuses
+                        the upstream remote). Force-push to feature branches
+                        is allowed. commit --amend is allowed pre-push.
+                        branch -D/-M on master/main is blocked.
+                        filter-branch and update-ref are still blocked.
+                        The git case is worktree-aware: calls from inside a
+                        git worktree operate on that worktree's HEAD.
 
 Branch-per-session workflow:
   session-start <name>  Create feature branch from main + push to origin
@@ -501,7 +577,9 @@ LinuxCNC tools (each documents its PURPOSE in the source):
 
 Disallowed:
   exec, sh, bash, eval, sudo, su
-  git push / reset / rebase / merge (use session-push for feature branches)
+  git filter-branch / update-ref (niche history rewriting)
+  git push/merge targeting master/main or the upstream remote
+  (use session-merge flow for merging a feature branch to master/main)
 
 Permission setup:
   Add to .claude/settings.json: