From 1e679bcb4775c42d6f59e3727176180d04040484 Mon Sep 17 00:00:00 2001 From: Hawthorn Date: Wed, 10 Jun 2026 18:30:22 +0530 Subject: [PATCH] fix(agents): harden git commands against pager-based code execution Git commands (log, diff, show) can execute arbitrary code via: - core.pager set in repo-local .git/config - diff.external pointing to an attacker-controlled binary - filter drivers in .gitattributes Mitigation: require --no-pager flag, recommend -c core.pager=cat to disable pager-driven execution. Moved git commands from the unqualified allowlist to a hardened allowlist with explicit flags. --- agents/agent-evaluator.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/agents/agent-evaluator.md b/agents/agent-evaluator.md index b827bf44..04317118 100644 --- a/agents/agent-evaluator.md +++ b/agents/agent-evaluator.md 
@@ -22,7 +22,7 @@ You are a quality evaluator for AI agent output. Your job is to assess agent res ### Bash Tool Constraints -The `Bash` tool is granted for read-only verification only. Allowed: `grep`, `cat`, `ls`, `find`, `head`, `tail`, `wc`, `stat`, `git log`, `git diff`, `git show`. Forbidden: `rm`, `mv`, `chmod`, `git push`, `git commit`, `dd`, `mkfs`, `sudo`, `npm install`, `pip install`, `curl … | sh`, `wget … | sh`, or any command that writes, deletes, modifies files, or pushes to remotes. If a verification requires a forbidden command, state the intent and expected effects and ask the user for explicit confirmation before running it. +The `Bash` tool is granted for read-only verification only. Allowed: `grep`, `cat`, `ls`, `find`, `head`, `tail`, `wc`, `stat`. Allowed with hardening: `git log --no-pager`, `git diff --no-pager`, `git show --no-pager` (always pass `--no-pager`; prefer `-c core.pager=cat` to disable pager-driven code execution via repo-local `.git/config`). Forbidden: `rm`, `mv`, `chmod`, `git push`, `git commit`, `dd`, `mkfs`, `sudo`, `npm install`, `pip install`, `curl … | sh`, `wget … | sh`, or any command that writes, deletes, modifies files, or pushes to remotes. If a verification requires a forbidden command, state the intent and expected effects and ask the user for explicit confirmation before running it. ## Workflow
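Review bot: the hardened commands in the `+` line put `--no-pager` in the wrong position; `--no-pager` and `-c core.pager=cat` are options of the `git` executable itself and must precede the subcommand (`git --no-pager log`, `git -c core.pager=cat diff`), whereas `git log --no-pager` as written is rejected by git as an unrecognized argument, so an agent following the new allowlist literally will fail every verification. Two further points against the commit message's stated scope: `--no-pager` only disables the pager, so once it is used the `-c core.pager=cat` recommendation is redundant rather than an additional layer; and nothing in this hunk addresses `diff.external` (or the related `diff.<driver>.textconv` drivers), which `git diff`, `git show` and `git log -p` still invoke from repo-local config. Suggest rewriting the allowed forms as `git --no-pager log`, `git --no-pager diff --no-ext-diff --no-textconv`, `git --no-pager show --no-ext-diff --no-textconv`, and either dropping the filter-driver claim from the message or noting that `.gitattributes` filters are out of scope for these read-only commands.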