lintai docs

Appearance

Rule Reference

SEC393lintai-ai-securitypreviewmarkdownwarn

AI markdown: shared git stash tool grant

AI-native markdown frontmatter grants `Bash(git stash:*)` tool access

Provider
lintai-ai-security
Surface
markdown
Scope
per_file
Tier
preview
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

governancemembership

Lifecycle

Preview Lifecycle Contract

State

preview_blocked

Promotion blocker

Shared git stash grants in AI-native frontmatter can be legitimate workflow policy, so the first release stays in the opt-in governance lane while usefulness and default posture are measured.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC390AI markdown: shared git push tool grantAI-native markdown frontmatter grants `Bash(git push)` tool accessmarkdownpreview
SEC391AI markdown: shared git checkout tool grantAI-native markdown frontmatter grants `Bash(git checkout:*)` tool accessmarkdownpreview
SEC392AI markdown: shared git commit tool grantAI-native markdown frontmatter grants `Bash(git commit:*)` tool accessmarkdownpreview
SEC474AI markdown: shared gh pr tool grantAI-native markdown frontmatter grants `Bash(gh pr:*)` tool accessmarkdownpreview
SEC494AI markdown: shared npm exec tool grantAI-native markdown frontmatter grants `Bash(npm exec:*)` tool accessmarkdownpreview
SEC495AI markdown: shared bunx tool grantAI-native markdown frontmatter grants `Bash(bunx:*)` tool accessmarkdownpreview

SEC393 / MD-GIT-STASH-PERMISSION

SEC393 flags AI-native markdown frontmatter when allowed-tools or allowed_tools grants the exact token Bash(git stash:*).

Why It Matters

Broad stash authority can hide in-progress work and rewrite local state in ways that are hard to review. That is safer as a narrower reviewed workflow than as a shared default permission.

This rule intentionally lives in the opt-in governance preset rather than the main preview lane. Shared stash permissions can be legitimate workflow design, but they still deserve explicit review as a policy choice instead of a headline security claim.

Trigger Shape

The rule triggers only when all of these are true:

  • the file is a detected AI-native markdown instruction surface
  • the path is not fixture-like
  • allowed-tools or allowed_tools contains the exact token Bash(git stash:*)

Clean Cases

These stay clean:

  • more specific command examples such as Bash(git stash push -u)
  • unrelated Git permissions like Bash(git status)
  • fixture-like examples under test or fixture paths

Example Trigger

yaml
---
allowed-tools:
  - Bash(git stash:*)
  - Read
---

Safer Example

yaml
---
allowed-tools:
  - Bash(git stash push -u)
  - Read
---

How To Fix

Review whether shared Bash(git stash:*) access is really needed, or replace it with a narrower workflow-specific permission that does not grant broad stash authority by default.