Git

Allows everyday read/write porcelain, asks before destructive or history-rewriting operations, and guards force-pushes, hard resets and working-tree wipes.

.claude/fencepost.yaml

import:
  - git

Full preset

presets/git.yaml

# Fencepost preset: git

meta:
  title: Git
  description: >-
    Allows everyday read/write porcelain, asks before destructive or
    history-rewriting operations, and guards force-pushes, hard resets and
    working-tree wipes.

tools:
  bash:
    deny:
      # Wiping the entire working tree, including ignored files.
      - git clean -xfd
      - git clean -xdf

    checks:
      - test: 'git\s+push\b.*\s(--force(?!-with-lease)|-f)\b'
        description: "Force-pushing overwrites remote history and can clobber other people's work."
        alternative: "Use 'git push --force-with-lease', which refuses to overwrite changes you haven't seen."
      - test: 'git\s+reset\s+--hard\b.*\borigin/'
        description: "Hard-resetting onto a remote ref discards all local commits and uncommitted work."
        alternative: "Stash or branch your work first, or use 'git reset --keep' to preserve uncommitted changes."

    ask:
      - git push --mirror
      - git push --delete
      - git push --prune
      - git reset --hard
      - git rebase
      - git filter-branch
      - git branch -D
      - git branch --delete --force
      - git tag -d
      - git stash drop
      - git stash clear
      - git checkout --

    allow:
      - git status
      - git log
      - git diff
      - git show
      - git branch
      - git tag
      - git remote
      - git fetch
      - git pull
      - git add
      - git restore --staged
      - git commit
      - git switch
      - git stash
      - git stash list
      - git stash show
      - git describe
      - git rev-parse
      - git config --get
      - git config --list
      - git blame
      - git shortlog