Problem
git push --force origin main bypasses the protected branch push block in guardrail.ts because the regex \bgit\s+push\s+\S+\s+(?:HEAD:)?(\S+)/i matches --force as the remote name.
Root cause
The regex expects exactly: git push <remote> <branch> but doesn't account for flags like --force, -f, --no-verify between push and the remote.
Fix
Add optional flag group before remote: (?:(?:-\w+|--[\w-]+)\s+)*
// Before
cmd.match(/\bgit\s+push\s+\S+\s+(?:HEAD:)?(\S+)/i)
// After
cmd.match(/\bgit\s+push\s+(?:(?:-\w+|--[\w-]+)\s+)*\S+\s+(?:HEAD:)?(\S+)/i)
Ref
PR #102 code-reviewer HIGH-2. guardrail.ts:~514
Problem
git push --force origin mainbypasses the protected branch push block in guardrail.ts because the regex\bgit\s+push\s+\S+\s+(?:HEAD:)?(\S+)/imatches--forceas the remote name.Root cause
The regex expects exactly:
git push <remote> <branch>but doesn't account for flags like--force,-f,--no-verifybetweenpushand the remote.Fix
Add optional flag group before remote:
(?:(?:-\w+|--[\w-]+)\s+)*Ref
PR #102 code-reviewer HIGH-2. guardrail.ts:~514