Context
Surfaced during the #1042 privileged-flag binding work (PR #1048). #1042 bound the MUST-BIND privileged flags (`--admin`, `-R/--repo`, `--delete-branch`, `--no-verify`, `--match-head-commit`) on the operations the guard already governs (merge / close / force-push / branch-delete). During PREPARE (adversarial bypass enumeration) and the security review, three categories of deliberately deferred surface extensions were identified and parked so #1042 could stay a tight, in-scope fix.
This umbrella tracks them so the deferral is in the tracker, not just in pact-memory (records 77fbe565 / 0e31642e).
None of these is a live under-block. #1042 closed the under-blocks on the governed surface. Everything below is a coverage/membership decision, not a bug.
SCOPE UPDATE (post-v4.4.46) — OQ-5 promoted to individual issues; umbrella narrowed to (2)+(3)
Category (1) below (OQ-5 — un-governed destructive ops) has been split out and is now tracked individually, to stop this umbrella from double-tracking the same ops:
- #1062 (HIGH, honest-mistake under-block): remote-ref-deletion push not recognized as dangerous, so ungated: `git push origin :ref` / `--delete` / `-d`, with the extended `--mirror`, `--prune`, and tag-delete colon-refspec forms.
- #1063 (charter/scope decision): `gh` charter ops: `gh repo delete`, `gh release delete`, `gh api -X DELETE` against refs / releases / branch-protection. Resolved as: gate branch-protection API mutations (.../branches/*/protection); repo / release / api-repo-delete documented out-of-charter.
- #1044: extend protected-branch scope to non-default branches (`develop`) for the governed push paths.
The OQ-5 enumeration is retained below for provenance only — do the work in #1062 / #1063 / #1044, not here. This umbrella now scopes to the residual flag-membership decisions (2) and (3).
(1) OQ-5 — destructive ops the guard does NOT currently govern — MOVED → #1062 / #1063 / #1044 (provenance only)
The guard's `DANGEROUS_PATTERNS` cover only merge / close / force-push / branch-delete. The destructive operations below fall outside those patterns and are entirely ungoverned (no approval gate at all); PREPARE flagged them as arguably in-scope:
- `git push --mirror`: can force-overwrite all refs on the remote (→ #1062)
- `git push --delete <branch>` / `remote --delete` of non-default branches (→ #1062 for recognition, #1044 for protected-branch scope)
- `git tag -d` + `git push --delete <tag>` (and the `:<tag>` refspec form) (→ #1062)
- `gh release delete` (→ #1063)
- `gh api -X DELETE` against refs / releases (→ #1063)
(2) Deferred GRAY-zone flag membership
During the #1042 security review these flags were assessed and deliberately NOT bound — binding them is over-block cost only (no under-block: they neither escalate privilege nor drop a safety constraint past an approval):
- merge-method:
  - `-s/--squash`, `-m/--merge`, `-r/--rebase`
  - `--auto` / `--disable-auto`
- push:
  - `--all`, `-o/--push-option`, `--receive-pack`
  - `branch -r`
Decision: confirm these stay unbound (the security-engineer's call: "defer — over-block cost only"), or bind any that turn out to carry a real dropped-constraint/escalation. Each is a one-line PRIVILEGED_FLAGS addition if a concrete case surfaces (the scanner already handles boolean + value-taking forms).
(3) OQ-7 — API-form flag binding
For `gh api` / GraphQL forms the HTTP method is already the detected privilege (these commands yield an empty `bound_flags`). Decision: keep deferred — open a concrete fix only if an API-form privilege escalation actually surfaces.
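Added example, not the merge-guard's own code: a Python sketch of the three mechanisms this issue talks about, the privileged-flag binder (boolean and value-taking spellings), the `gh api` case where the HTTP method is the privilege and `bound_flags` stays empty, and the remote-ref-deletion push forms (colon refspec, `--delete`/`-d`, `--mirror`, `--prune`) that a merge/close/force-push/branch-delete pattern set does not catch. `PRIVILEGED_FLAGS`, `DANGEROUS_PATTERNS` and `bound_flags` reuse the issue's names but the tables here are hypothetical stand-ins; `SHORT_TO_LONG`, `Verdict`, `scan` and the `with_oq5` switch are invented for the example; the `gh api` GET/POST default follows gh's documented behaviour; every sample command is constructed.

```python
"""Guard-scanner sketch for the decisions tracked in this issue. Illustrative
example only (not the project's merge-guard): PRIVILEGED_FLAGS and
DANGEROUS_PATTERNS reuse the issue's names but are hypothetical stand-ins."""
import re
import shlex
from dataclasses import dataclass, field
from typing import Optional

# MUST-BIND flags from #1042. Value True = the flag takes an argument.
PRIVILEGED_FLAGS = {
    "--admin": False,
    "-R": True, "--repo": True,
    "--delete-branch": False,
    "--no-verify": False,
    "--match-head-commit": True,
}
SHORT_TO_LONG = {"-R": "--repo"}   # hypothetical alias table: one canonical key per flag

# Hypothetical stand-in for the guard's current DANGEROUS_PATTERNS: the governed
# ops only (merge / close / force-push / branch-delete). No remote-ref-delete form.
DANGEROUS_PATTERNS = {
    "merge": re.compile(r"^gh pr merge\b"),
    "close": re.compile(r"^gh pr close\b"),
    "force-push": re.compile(r"^git push\b.*(\s-f\b|\s--force(-with-lease)?\b|\s\+\S+)"),
    "branch-delete": re.compile(r"^git branch\s.*(?:-D|-d|--delete)\b"),
}

# OQ-5 remote-ref-deletion forms (now #1062): --delete/-d, --mirror, --prune,
# and the empty-source colon refspec ('origin :develop', 'origin :refs/tags/v1').
REF_DELETE_FLAGS = {"--delete", "-d", "--mirror", "--prune"}
COLON_REFSPEC = re.compile(r"^\+?:\S+$")


@dataclass
class Verdict:
    operation: Optional[str]            # governed op, "ref-delete", "api", or None (ungated)
    bound_flags: dict = field(default_factory=dict)
    api_method: Optional[str] = None    # gh api: the HTTP method is the privilege


def bind_privileged_flags(argv):
    """Return {canonical flag: value or True} for every privileged flag in argv.
    Handles boolean flags and all value-taking spellings: --repo o/r, --repo=o/r,
    -R o/r and the attached short form -Ro/r."""
    bound, i = {}, 0
    while i < len(argv):
        name, eq, inline = argv[i].partition("=")
        if (name not in PRIVILEGED_FLAGS and len(name) > 2
                and PRIVILEGED_FLAGS.get(name[:2])):          # -Ro/r: value attached
            name, eq, inline = name[:2], "=", argv[i][2:]
        if name in PRIVILEGED_FLAGS:
            canon = SHORT_TO_LONG.get(name, name)
            if not PRIVILEGED_FLAGS[name]:
                bound[canon] = True
            elif eq:
                bound[canon] = inline
            else:                                            # value is the next token
                i += 1
                bound[canon] = argv[i] if i < len(argv) else ""
        i += 1
    return bound


def api_method(argv):
    """gh api privilege = HTTP method. gh sends GET by default and POST when body
    fields (-f/-F) are given without --method (gh's documented default)."""
    method = None
    for i, tok in enumerate(argv):
        if tok in ("-X", "--method") and i + 1 < len(argv):
            method = argv[i + 1].upper()
        elif tok.startswith("--method="):
            method = tok.split("=", 1)[1].upper()
    if method is None:
        body = any(t in ("-f", "-F", "--raw-field", "--field")
                   or t.startswith(("--raw-field=", "--field=")) for t in argv)
        method = "POST" if body else "GET"
    return method


def is_ref_delete_push(argv):
    """True for the OQ-5 forms; argv = tokens after 'git push'."""
    return bool(REF_DELETE_FLAGS & set(argv)) or any(COLON_REFSPEC.match(a) for a in argv)


def scan(command, with_oq5=False):
    """Classify one shell command. with_oq5=False reproduces today's coverage
    (remote-ref deletion is ungated); True adds the #1062 recognition."""
    argv = shlex.split(command)
    if argv[:2] == ["gh", "api"]:
        # OQ-7: the method is the privilege; bound_flags stays empty by design.
        return Verdict("api", {}, api_method(argv[2:]))
    for op, pattern in DANGEROUS_PATTERNS.items():
        if pattern.search(command):
            return Verdict(op, bind_privileged_flags(argv))
    if with_oq5 and argv[:2] == ["git", "push"] and is_ref_delete_push(argv[2:]):
        return Verdict("ref-delete", bind_privileged_flags(argv))
    return Verdict(None)       # no approval gate fires


if __name__ == "__main__":
    for cmd in ("gh pr merge --admin -R owner/repo 123",
                "git push origin :develop",
                "gh api -X DELETE repos/owner/repo/git/refs/heads/develop"):
        print(f"{cmd!r:60} -> {scan(cmd)}  [with OQ-5: {scan(cmd, with_oq5=True).operation}]")
```

The interesting pair is `scan("git push origin :develop")`, which returns no operation under the merge/close/force-push/branch-delete patterns and `ref-delete` once the colon-refspec and `--delete`/`-d`/`--mirror`/`--prune` recognition is switched on; that gap is the under-block #1062 tracks. The `gh api` branch shows why (3) carries no flag binding: the privilege is already the method, so there is nothing in `bound_flags` to bind.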
Disposition
This umbrella now scopes to (2) and (3) only — both confirm-the-deferral items, low priority, no live bug. The OQ-5 (1) coverage work lives in #1062 (HIGH) / #1063 / #1044.
(2) and (3) are each a one-line PRIVILEGED_FLAGS / API-form addition if a concrete dropped-constraint or escalation case surfaces; otherwise they stay deferred as the security-engineer assessed.
Relates to: #1042 (PR #1048), the decline-veto follow-up #1049, and the live merge-guard backlog (#1004 / #1043 / #1044 / #1045 / #1059 / #1061 / #1062 / #1063 / #1064).