Block remote branch deletion and improve force push messages

[AnExiledDev]

Summary

• Block remote branch deletion — git push origin --delete and colon-refspec git push origin :branch now blocked; deleting remote branches closes associated PRs with no recovery path
• Block --force-with-lease — was bypassing the bare force push regex due to \b matching at the - in --force-with-lease; all force push variants now blocked uniformly
• Actionable error messages — force push blocks now suggest git merge origin/main as the correct alternative to rebasing, preventing agents from improvising destructive workarounds
• Fix README — error handling was documented as "fails open" but the code fails closed; corrected to match actual behavior

Context

An agent rebased a PR branch, got blocked on force push, then worked around it by deleting the remote branch and re-pushing — which permanently closed the PR. These changes close both the escape hatch (branch deletion) and the root cause (unhelpful error message that didn't suggest an alternative).

Test plan

• 11/11 pattern tests pass (force push variants, branch deletion, normal operations)

Summary by CodeRabbit

• New Features

  • Extended dangerous-command blocker to detect more force-push variants and remote branch deletion.
  • Updated block messages to recommend using git merge as a safe workaround instead of force-pushing.

• Bug Fixes

  • Consistent blocking behavior and exit codes for handled exceptions.

• Documentation

  • README updated with expanded examples and clarified fail-closed behavior.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 17e45f5 and c8f12c1.

📒 Files selected for processing (1)

• .devcontainer/CHANGELOG.md

✅ Files skipped from review due to trivial changes (1)

• .devcontainer/CHANGELOG.md

---

📝 Walkthrough

Walkthrough

Enhances the Dangerous Command Blocker: adds a FORCE_PUSH_SUGGESTION message recommending git merge, blocks --force-with-lease, detects and blocks remote-branch-deletion push variants, and updates changelog and README to reflect fail-closed behavior and changed error handling.

Changes

Cohort / File(s)	Summary
Changelog .devcontainer/CHANGELOG.md	Added Unreleased Fixed entries documenting merge suggestion, --force-with-lease blocking, remote-branch deletion blocking, and README correction to fail-closed behavior.
Documentation .devcontainer/plugins/devs-marketplace/plugins/dangerous-command-blocker/README.md	Added --force-with-lease to examples, added remote branch deletion examples, and clarified that other exceptions now log and block (exit code 2).
Implementation .devcontainer/plugins/devs-marketplace/plugins/dangerous-command-blocker/scripts/block-dangerous.py	Added FORCE_PUSH_SUGGESTION constant advising git merge; consolidated force-push patterns to use it; added pattern for --force-with-lease; added three patterns to detect/block remote branch deletion variants (remote --delete, --delete, colon refspec).

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Dev as Developer (git push)
    participant Hook as Dangerous Command Blocker (pre-push hook)
    participant Remote as Remote/PR System
    Dev->>Hook: git push [possibly force / delete]
    alt Matches FORCE_PUSH_SUGGESTION patterns
        Hook->>Dev: Block with FORCE_PUSH_SUGGESTION message (suggest git merge)
    else Matches remote-deletion patterns
        Hook->>Dev: Block with remote-branch-deletion message (notes PR closure)
    else No match
        Hook->>Remote: Forward push
        Remote->>Dev: Success / PR updated
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐰 Hopping through hooks, I sniff the push breeze,
I stop wild force and lease with gentle pleas.
I spare your PRs from sudden nighttime doom,
Suggest a git merge to keep branches in bloom.
Safe hops, tidy trees — happy repo gleams! 🌱

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and concisely summarizes the two main changes: blocking remote branch deletion and improving force push error messages.
Description check	✅ Passed	The description includes a clear summary of changes, context explaining the motivation, and confirms tests pass; however, the template's Type of Change and Checklist sections are not filled out.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/dangerous-command-blocker-pr-safety

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

.devcontainer/CHANGELOG.md (1)

5-11: Consider reorganizing entries by change type.

Per coding guidelines, changelog entries should be grouped under appropriate headings. Currently all entries are under ### Fixed, but:

• "Block remote branch deletion" (line 10) introduces new blocking behavior — this is an addition, not a fix. Consider moving to ### Added.
• "Force push block now suggests git merge" (line 8) improves an existing message — this could be ### Changed.

The other two entries (blocking --force-with-lease and fixing README documentation) are correctly categorized as fixes.

As per coding guidelines: "Group changelog entries under appropriate headings: ### Added, ### Changed, ### Fixed, or ### Removed"

📝 Suggested reorganization

 ## [Unreleased]
 
+### Added
+
+#### Dangerous Command Blocker
+- **Block remote branch deletion** — `git push origin --delete` and colon-refspec deletion (`git push origin :branch`) now blocked; deleting remote branches closes associated PRs
+
+### Changed
+
+#### Dangerous Command Blocker
+- **Force push block now suggests `git merge` as workaround** — error message explains how to avoid diverged history instead of leaving the agent to improvise destructive workarounds
+
 ### Fixed
 
 #### Dangerous Command Blocker
-- **Force push block now suggests `git merge` as workaround** — error message explains how to avoid diverged history instead of leaving the agent to improvise destructive workarounds
 - **Block `--force-with-lease`** — was slipping through regex; all force push variants now blocked uniformly
-- **Block remote branch deletion** — `git push origin --delete` and colon-refspec deletion (`git push origin :branch`) now blocked; deleting remote branches closes associated PRs
 - **Fixed README** — error handling was documented as "fails open" but code actually fails closed; corrected to match behavior

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.devcontainer/CHANGELOG.md around lines 5 - 11, Move the changelog entries
into proper headings: create a `### Added` section and move the "Block remote
branch deletion — `git push origin --delete` and colon-refspec deletion (`git
push origin :branch`) now blocked" entry into it; create a `### Changed` section
and move the "Force push block now suggests `git merge` — error message explains
how to avoid diverged history" entry into it; leave the "Block
`--force-with-lease`" and "Fixed README" lines under `### Fixed`; ensure
headings `### Added`, `### Changed`, and `### Fixed` appear and that entries are
removed from `### Fixed` once moved.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.devcontainer/CHANGELOG.md:
- Around line 5-11: Move the changelog entries into proper headings: create a
`### Added` section and move the "Block remote branch deletion — `git push
origin --delete` and colon-refspec deletion (`git push origin :branch`) now
blocked" entry into it; create a `### Changed` section and move the "Force push
block now suggests `git merge` — error message explains how to avoid diverged
history" entry into it; leave the "Block `--force-with-lease`" and "Fixed
README" lines under `### Fixed`; ensure headings `### Added`, `### Changed`, and
`### Fixed` appear and that entries are removed from `### Fixed` once moved.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4e320ed and 17e45f5.

📒 Files selected for processing (3)

• .devcontainer/CHANGELOG.md
• .devcontainer/plugins/devs-marketplace/plugins/dangerous-command-blocker/README.md
• .devcontainer/plugins/devs-marketplace/plugins/dangerous-command-blocker/scripts/block-dangerous.py