feat(command-blocker): ✨ Enhance git command handling

knoopx · knoopx · commit fa2cc8bb148b · 2025-08-30T19:14:41.000+02:00
Updated the command blocker to allow additional read-only git commands. The changes include allowing `git log` and `git rev-parse` as valid commands while maintaining restrictions on write operations.

- Added `git log` and `git rev-parse` to the list of allowed commands.
- Updated error messages to reflect the new allowed commands.

This enhancement improves the usability of the command blocker for users needing to access git history without compromising version control integrity.
diff --git a/command-blocker.test.ts b/command-blocker.test.ts
@@ -575,6 +575,18 @@ describe("Command Blocker", () => {
       await expect(async () => {
         await plugin["tool.execute.before"](input3, output3);
       }).not.toThrow();
+
+      const input4 = { tool: "bash" };
+      const output4 = { args: { command: "git rev-parse HEAD" } };
+      await expect(async () => {
+        await plugin["tool.execute.before"](input4, output4);
+      }).not.toThrow();
+
+      const input5 = { tool: "bash" };
+      const output5 = { args: { command: "git log --oneline -1" } };
+      await expect(async () => {
+        await plugin["tool.execute.before"](input5, output5);
+      }).not.toThrow();
     });
 
     it("should block write git commands", async () => {
@@ -583,7 +595,7 @@ describe("Command Blocker", () => {
       await expect(
         plugin["tool.execute.before"](input1, output1)
       ).rejects.toThrow(
-        "`git` write operations are blocked to prevent agents from managing version control. Only read-only commands are allowed: `git status`, `git diff`, `git show`."
+        "`git` write operations are blocked to prevent agents from managing version control. Only read-only commands are allowed: `git status`, `git diff`, `git show`, `git log`, `git rev-parse`."
       );
 
       const input2 = { tool: "bash" };
@@ -1449,7 +1461,7 @@ describe("Command Blocker", () => {
 
       const hook = (plugin as PluginHook)["tool.execute.before"];
       await expect(hook(input, output)).rejects.toThrow(
-        "`git` write operations are blocked to prevent agents from managing version control. Only read-only commands are allowed: `git status`, `git diff`, `git show`."
+        "`git` write operations are blocked to prevent agents from managing version control. Only read-only commands are allowed: `git status`, `git diff`, `git show`, `git log`, `git rev-parse`."
       );
     });
 
diff --git a/command-blocker.ts b/command-blocker.ts
@@ -18,7 +18,7 @@ const BLOCKED_COMMAND_MESSAGES: BlockedCommandMessages = {
     "`python2` is blocked (Python 2 is deprecated). Use `uv` with Python 3 for modern dependency management. Virtual environment python2 commands are allowed if needed. Example: `uv run --python 3.8 python script.py`",
   python3:
     "`python3` is blocked to ensure environment isolation. Use `uv` for dependency management or `uvx` for running tools. Virtual environment python3 (e.g., `.venv/bin/python3`) is allowed. Example: `uv run python3 script.py`",
-  git: "`git` write operations are blocked to prevent agents from managing version control. Only read-only commands are allowed: `git status`, `git diff`, `git show`.",
+  git: "`git` write operations are blocked to prevent agents from managing version control. Only read-only commands are allowed: `git status`, `git diff`, `git show`, `git log`, `git rev-parse`.",
   nix: "Local flake paths without `path:` prefix are blocked to ensure reproducible builds. Use `path:` for local flakes (includes uncommitted changes), `github:` for remote repos, or `git+https:` for git URLs. Examples: `nix run path:./my-flake#output`, `nix run github:user/repo#output`",
 };
 
@@ -56,6 +56,8 @@ const BLOCKED_COMMANDS: readonly string[] = Object.keys(
 );
 const ALLOWED_GIT_COMMANDS: readonly string[] = [
   "git diff",
+  "git log",
+  "git rev-parse",
   "git show",
   "git status",
 ];
