
Rule Reference

SEC393 · lintai-ai-security · governance · hardening · preview · markdown · warn

AI markdown: shared git stash tool grant

AI-native markdown frontmatter grants `Bash(git stash:*)` tool access

  • Public lane: governance
  • Category: hardening
  • Provider: lintai-ai-security
  • Scope: per-file
  • Surface: markdown
  • Tier: preview
  • Severity: warn
  • Confidence: high
  • Detection: structural
  • Remediation: message only
How to read this lane

Shared authority and workflow policy review.

How to read this category

Least-privilege, provenance, or operational hygiene signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

Lifecycle

Preview Lifecycle Contract

State

preview

Promotion blocker

Shared git stash grants in AI-native frontmatter can be legitimate workflow policy, so the first release stays in the opt-in governance lane while usefulness and default posture are measured.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC393 / MD-GIT-STASH-PERMISSION

SEC393 flags AI-native markdown frontmatter when allowed-tools or allowed_tools grants the exact token Bash(git stash:*).

Why It Matters

Broad stash authority can hide in-progress work and rewrite local state in ways that are hard to review. That is safer as a narrower reviewed workflow than as a shared default permission.

This rule intentionally lives in the opt-in governance preset rather than the main preview lane. Shared stash permissions can be legitimate workflow design, but they still deserve explicit review as a policy choice instead of a headline security claim.

Trigger Shape

The rule triggers only when all of these are true:

  • the file is a detected AI-native markdown instruction surface
  • the path is not fixture-like
  • allowed-tools or allowed_tools contains the exact token Bash(git stash:*)

Clean Cases

These stay clean:

  • more specific command examples such as Bash(git stash push -u)
  • unrelated Git permissions like Bash(git status)
  • fixture-like examples under test or fixture paths

Example Trigger

```yaml
---
allowed-tools:
  - Bash(git stash:*)
  - Read
---
```

Safer Example

```yaml
---
allowed-tools:
  - Bash(git stash push -u)
  - Read
---
```
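The trigger shape and clean cases above can be demonstrated with a small standalone checker. The following is an added illustration, not the lintai-ai-security implementation: it reads the YAML frontmatter of a markdown file with a deliberately small stdlib-only parser, applies the three trigger conditions, and reports a finding only on the exact token `Bash(git stash:*)`. The lists of filenames that count as an AI-native instruction surface (`CLAUDE.md`, `AGENTS.md`, anything under `.claude/`) and the path segments that count as fixture-like (`test`, `tests`, `fixture`, `fixtures`, `__fixtures__`, `testdata`) are assumptions of this example; the page does not document the real detector's heuristics. The two sample documents are constructed to mirror the Example Trigger and Safer Example blocks.

```python
"""Added illustration of the SEC393 trigger shape (not the project's own code).

Assumptions not taken from the rule page: which filenames/directories mark an
AI-native instruction surface and which path segments count as fixture-like.
"""
from __future__ import annotations

from pathlib import PurePosixPath

RULE_ID = "SEC393"
TARGET_TOKEN = "Bash(git stash:*)"          # the exact token the rule looks for
PERMISSION_KEYS = ("allowed-tools", "allowed_tools")

# Assumed heuristics for this example only.
AI_NATIVE_NAMES = {"CLAUDE.md", "AGENTS.md"}
AI_NATIVE_DIRS = {".claude"}
FIXTURE_SEGMENTS = {"test", "tests", "fixture", "fixtures", "__fixtures__", "testdata"}


def is_ai_native_surface(path: str) -> bool:
    """Assumed detection of an AI-native markdown instruction surface."""
    p = PurePosixPath(path)
    return p.name in AI_NATIVE_NAMES or any(part in AI_NATIVE_DIRS for part in p.parts[:-1])


def is_fixture_like(path: str) -> bool:
    """Assumed fixture-path heuristic: any directory segment named like a test/fixture dir."""
    return any(part.lower() in FIXTURE_SEGMENTS for part in PurePosixPath(path).parts[:-1])


def parse_frontmatter(text: str) -> dict[str, list[str]]:
    """Parse the leading '---' frontmatter block into {key: [values]}.

    Handles only the YAML subset these permission blocks use: top-level keys,
    '- item' block lists (indented or not) and inline '[a, b]' lists. Scalars
    become one-element lists so every key is checked the same way.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return {}
    block: list[str] = []
    for line in lines[1:]:
        if line.strip() == "---":
            break
        block.append(line)
    else:
        return {}  # unterminated frontmatter: treat as absent

    result: dict[str, list[str]] = {}
    current: str | None = None
    for line in block:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("- ") and current is not None:
            result[current].append(stripped[2:].strip().strip("'\""))
        elif not line[0].isspace() and ":" in stripped:
            key, _, rest = stripped.partition(":")   # first ':' only; values may contain ':'
            key, rest = key.strip(), rest.strip()
            if rest.startswith("[") and rest.endswith("]"):
                values = [v.strip().strip("'\"") for v in rest[1:-1].split(",") if v.strip()]
            elif rest:
                values = [rest.strip("'\"")]
            else:
                values = []
            result[key] = values
            current = key
    return result


def check_file(path: str, text: str) -> list[str]:
    """Return SEC393 finding messages for one markdown file (empty list if clean)."""
    if not is_ai_native_surface(path) or is_fixture_like(path):
        return []
    frontmatter = parse_frontmatter(text)
    findings = []
    for key in PERMISSION_KEYS:
        # Exact token match via list membership; 'Bash(git stash push -u)' stays clean.
        if TARGET_TOKEN in frontmatter.get(key, []):
            findings.append(
                f"{RULE_ID} {path}: '{key}' grants shared stash authority via "
                f"{TARGET_TOKEN}; review whether it is needed or narrow the permission"
            )
    return findings


# Constructed sample documents mirroring the page's Example Trigger and Safer Example.
TRIGGER_DOC = "---\nallowed-tools:\n  - Bash(git stash:*)\n  - Read\n---\n\n# Review workflow\n"
SAFER_DOC = "---\nallowed-tools:\n  - Bash(git stash push -u)\n  - Read\n---\n\n# Review workflow\n"

if __name__ == "__main__":
    for sample_path, doc in [
        (".claude/commands/review.md", TRIGGER_DOC),
        (".claude/commands/review.md", SAFER_DOC),
        ("tests/fixtures/.claude/commands/review.md", TRIGGER_DOC),
    ]:
        print(sample_path, "->", check_file(sample_path, doc) or "clean")
```

Running the module prints one finding for the trigger document under `.claude/commands/`, and `clean` for both the narrower `Bash(git stash push -u)` grant and the same trigger document placed under a fixture-like path.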

How To Fix

Review whether shared Bash(git stash:*) access is really needed, or replace it with a narrower workflow-specific permission that does not grant broad stash authority by default.