Skip to content

fix: tighten recursive delete policy matching#3251

Open
Peldan wants to merge 6 commits into
microsoft:mainfrom
Peldan:fix/recursive-delete-policy
Open

fix: tighten recursive delete policy matching#3251
Peldan wants to merge 6 commits into
microsoft:mainfrom
Peldan:fix/recursive-delete-policy

Conversation

@Peldan

@Peldan Peldan commented Jul 3, 2026

Copy link
Copy Markdown

Description

The recursive-delete deny rule depended too much on narrow command regexes such as rm -rf. Before this change, equivalent recursive-force deletes like rm -fr important-data, rm -r -f important-data, rm --recursive --force important- data, Remove-Item -Recurse -Force important-data, and rd /s /q important-data could miss the deny rule and fall through to the normal shell-tool review path instead.

One root cause was that several old rules matched text shape rather than command semantics. In the Claude Code, OpenCode, and Copilot CLI policy bundles, the Bash rule used patterns like \brm\b[\s\S]*\b-rf\b. In JavaScript regex semantics,
the \b-rf\b part does not match normal rm -rf target text: \b only matches a boundary between a word character and a non-word character, and both the space before -rf and the - are non-word characters. So the intended Bash deny
rule did not fire for the canonical rm -rf target form in those bundles.

Other package rules failed differently. Antigravity’s old pattern did match compact forms like rm -rf and rm -fr, but missed equivalent split or reordered forms like rm -r -f target, rm --force --recursive target, and rm target -rf.
Some PowerShell-oriented patterns also looked for literal compact spellings such as -recurse or -rf with the same text-shape assumptions rather than parsing recursive and force flags.

This PR changes the regex to act only as a broad delete-command trigger. The parser now decides whether the command is actually recursive and forceful, so equivalent destructive forms are denied consistently while safe cleanup targets and
non-force/non-recursive deletes are not hard-denied by this rule.

Notable cases covered:

  • rm -rf, rm -fr, rm -rfv
  • rm -r -f, rm --recursive --force, rm --force --recursive
  • reordered forms such as rm important-data -rf
  • Remove-Item -Recurse -Force
  • PowerShell abbreviations like Remove-Item -r -fo and ri -r -fo
  • Windows-style rd /s /q
  • safe cleanup targets such as node_modules, build, and dist
  • non-recursive or confirmation/filter parameters such as -Confirm and -Filter

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • Security fix

Package(s) Affected

  • agent-governance

Checklist

  • I have added tests that prove my fix/feature works

Attribution & Prior Art

  • This contribution does not contain code copied or derived from other projects without attribution
  • Any external projects that inspired this design are credited in code comments or documentation
  • If this PR implements functionality similar to an existing open-source project, I have listed it below

AI Assistance

  • I can explain every meaningful change in this PR: what it does, why, and what tradeoffs were considered
  • I have run tests and verification appropriate for this change
  • No part of this PR was autonomously submitted by an AI agent without my review
  • I have not used AI to generate review comments on others' PRs

If AI tools materially shaped this change, briefly note what was used:
Codex helped add regression tests, find the same parser issue in sibling packages, and carry the reviewed fix across those packages. I reviewed the implementation and test coverage.

IP, Patents, and Licensing

  • This contribution does not implement patent-pending or patent-encumbered techniques
  • This contribution does not require an NDA or licensing agreement to understand or use
  • Any AI tools used have terms compatible with the MIT License

Peldan added 6 commits July 3, 2026 15:00
Signed-off-by: arvidpeldan <peldans@gmail.com>
Signed-off-by: arvidpeldan <peldans@gmail.com>
Signed-off-by: arvidpeldan <peldans@gmail.com>
Signed-off-by: arvidpeldan <peldans@gmail.com>
Signed-off-by: arvidpeldan <peldans@gmail.com>
Signed-off-by: arvidpeldan <peldans@gmail.com>
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

PR Review Summary

Check Status Details
🔍 Code Review ⚠️ Missing No current-run comment
🛡️ Security Scan ⚠️ Missing No current-run comment
🔄 Breaking Changes ⚠️ Missing No current-run comment
📝 Docs Sync ⚠️ Missing No current-run comment
🧪 Test Coverage ⚠️ Missing No current-run comment

Verdict: ⚠️ AI review incomplete; ready for human review

AI review comments are untrusted advisory output. The summary reports workflow-generated completion status only, not model-authored pass/fail claims.

@github-actions github-actions Bot added the size/XL Extra large PR (500+ lines) label Jul 3, 2026
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
🤖 AI Agent: contributor-guide — View details

AI-generated review output. Treat it as untrusted analysis and verify before acting.

Welcome, and thank you for your contribution! 🎉

Your detailed explanation of the problem and solution is excellent, and the added test coverage is thorough.

Before merging, please ensure:

  1. The updated regex patterns are tested against edge cases to avoid unintended matches or false positives.
  2. Verify that the new helper functions (e.g., getRmCommandDetails) are covered by unit tests for all expected scenarios.

For guidance, please refer to CONTRIBUTING.md.

@Peldan

Peldan commented Jul 3, 2026

Copy link
Copy Markdown
Author

The branch is split by surface so each package change is easy to review on its own. The first commits apply the recursive-delete fix and matching tests to OpenCode, Claude Code, Copilot CLI, and Antigravity CLI separately. There’s also a small examples commit to keep the Copilot CLI example policies in sync with the package configs.

The final commit is a review follow-up across the affected parsers. It tightens the flag handling for longer Unix clusters like rm -rfv, preserves PowerShell abbreviations like -r -fo, and avoids false positives for ordinary parameters such as -Confirm and -Filter.

@Peldan

Peldan commented Jul 4, 2026

Copy link
Copy Markdown
Author

@microsoft-github-policy-service agree company="Regent"

@Peldan Peldan marked this pull request as ready for review July 4, 2026 08:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size/XL Extra large PR (500+ lines)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant