bug: governance policy gap — plain rm and rm -r not blocked by no-destructive-rm #69
Description
Bug: Governance Policy Gap in no-destructive-rm
File: agentguard.yaml
Description
The no-destructive-rm policy only blocks rm when specific flag combinations are present (-rf, -fr, etc.). A plain rm file or rm -r dir (recursive without force) bypasses the policy entirely, even though both are destructive.
- name: no-destructive-rm
match:
command: "rm"
args_contain: ["-rf", "-fr", "--recursive --force", "--force --recursive", "-r -f", "-f -r"]
action: denyMissing cases
| Command | Currently blocked? |
|---|---|
rm -rf dir/ |
✅ Yes |
rm -fr dir/ |
✅ Yes |
rm -r dir/ |
❌ No |
rm somefile |
❌ No |
Note: the normalizer in internal/normalizer/normalizer.go already classifies any command containing "rm" as RiskDestructive, but the governance YAML policy is what actually enforces the deny — and it misses these cases.
Fix
Add "-r" to cover recursive-without-force, and add a second catch-all policy for plain rm:
- name: no-destructive-rm
description: Block any rm invocation
match:
command: "rm"
action: deny
message: "rm is not allowed by governance policy — agents should not delete files"Since args_contain being absent means "any args", a policy with just command: "rm" and no args_contain would block all rm calls.