refactor: migrate 6 handler groups onto declared safety policies (step 3a)

[stevehansen]

What & why

Step 3 of the deep Safety Policy RFC (specs/RFC-safety-policy.md), stacked on the foundation in #6. The foundation introduced the Policy vocabulary, the domain ports, and central enforcement at the dispatch site, but migrated only bun as a proof of concept. This PR migrates the inline, hand-rolled safety validation in 6 of the remaining groups — git, db, docker, process, npm, pnpm — onto declarative Policy chains.

Each handler's safety check (OutputFormatter.WriteBlocked blocks, blocklist foreach loops, FilterFlags, the git clean-tree / not-a-repo / amend-already-pushed probes) becomes data attached at registration and evaluated once before the handler runs. Handlers keep only their usage checks and the actual execution.

What landed

• git — RequireGitRepo() on every command (the probe spawns git once per run, not ~25×); push/commit/add/checkout/checkout-file block rules; commit-amend → RequireHeadNotPushed(); pull/checkout/merge → RequireCleanTree(); log/diff flag-allowlists → AllowOnlyFlags rewrite.
• db — the 4 migration commands → BlockFlags(DestructiveFlags); artisan-migrate → BlockSubstrings; django-migrate → BlockFlags(["zero"]).
• docker — compose-down → BlockFlags; build/compose-up FilterFlags → AllowOnlyFlags.
• process — kill-name → AllowOnlyFirstArg.
• npm/pnpm — run → AllowOnlyFirstArg; npm audit-fix --force → BlockFlags.
• dedup — the 3×-duplicated run-script allowlist (npm/pnpm/bun) collapses into one PackageScripts.Allowed.

Defects closed (for these groups)

• Add audit logging for command execution #1 --flag=value bypass — BlockFlags normalizes via Flag.Base, so --force=true, --accept-data-loss=…, etc. are now caught (git push, db migrations, npm audit-fix).
• refactor: ports-and-adapters seam for handlers (PR 1/6 of #2) #3 --json blocked-envelope fork — blocked output now renders through the central dispatcher (ConsoleRenderer.Blocked, which has a JSON branch), so safe git push --force --json emits a structured envelope instead of Spectre markup.

Out of scope (follow-up PRs)

• RFC: Introduce ports-and-adapters seam for handlers (IExecutor, IRenderer, IGitRepo) with a thin Run.* sugar layer #2 dead proxy AllowedFlags — also needs the Program.cs proxy early-return untangled so proxy commands reach the dispatcher.
• file/generate path-containment (STRIDE E1) — needs a richer path rule (two-path / --in-value cases) than the foundation shipped.
• STRIDE.md update — lands with the path-containment / proxy work that closes E1 and the proxy gap.

Behavior deltas (intentional, RFC-sanctioned)

RequireGitRepo "Not a git repository" now renders as a Blocked: envelope rather than a plain Error:; block messages show the whole arg vector; db block reasons are generic; kill-name lists 15 names instead of 10; docker FilterFlags unified onto the explicit value-flag algorithm; artisan/django blocks are now case-insensitive (strictly safer); safety runs before a handler's usage check.

Tests

92 → 157 passing, green across repeated runs. New MigratedCommandPolicyTests.cs asserts each migrated command's wired policy directly (allowed/rewrite cases never dispatch, to avoid spawning real tools); blocked-path + --json envelope are checked through the dispatcher.

Review notes resolved

Reviewer flagged a flaky suite: CommandRegistry.Initialize() was neither idempotent nor thread-safe, and the new parallel test collections raced on the shared list. Fixed at the root (double-checked guard); harmless to production's single startup call.

🤖 Generated with Claude Code

[gemini-code-assist]

Code Review

This pull request refactors the validation logic across several command groups (Git, DB, Docker, Process, NPM, PNPM, Bun) by migrating from manual inline checks to a declarative, policy-based framework. It also consolidates the allowed package scripts into a shared class, makes the command registry initialization thread-safe, and adds a comprehensive test suite. The review feedback is highly constructive, pointing out opportunities to prevent security bypasses by blocking the git push '-d' short flag, ensuring consistency by blocking the '*' wildcard in git add, and improving usability by allowing multiple files to be restored in git checkout-file.

[gemini-code-assist]

The PushBlockedFlags set is missing the short flag -d, which is the standard alias for --delete in git push. Without blocking -d, users could bypass the deletion block by running safe git push origin -d . Please add -d to the blocked flags set to prevent this bypass.

    private static readonly HashSet<string> PushBlockedFlags = ["--force", "-f", "--delete", "-d", "--no-verify"];

[gemini-code-assist]

The AddBlockedArgs set blocks ., but does not block the wildcard *. While shell expansion often resolves * before it reaches the application, blocking * explicitly ensures consistency with checkout-file (which blocks both . and *) and guards against staging all files if the wildcard is passed literally. Consider adding * to AddBlockedArgs.

    private static readonly HashSet<string> AddBlockedArgs = ["-A", "--all", ".", "*"];

[gemini-code-assist]

Currently, RunCheckoutFile only restores the first file (args[0]) and ignores any subsequent files passed to the command. Since the policy BlockFlags([., *]) evaluates all arguments in the vector, it is completely safe to pass all arguments to RunGit using the spread operator (..args). This will allow users to restore multiple files at once (e.g., safe git checkout-file file1.cs file2.cs).

        return RunGit(["checkout", "--", ..args], json);