Rule Reference

SEC440lintai-ai-securitystablemarkdownwarn

AI markdown: `Bash(git restore:*)` tool grant

AI-native markdown frontmatter grants `Bash(git restore:*)` authority

Provider: lintai-ai-security
Surface: markdown
Scope: per_file
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

previewmembership

skillsmembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks AI-native frontmatter for wildcard git restore grants in shared allowed-tools policy.

Deterministic signal basis

MarkdownSignals exact frontmatter token detection for `Bash(git restore:*)` inside allowed-tools or allowed_tools.

Malicious corpus

skill-git-restore-allowed-tools

Benign corpus

skill-git-restore-allowed-tools-specific-safe

structured evidence required remediation reviewed

Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC352AI markdown: unscoped Bash tool grantAI-native markdown frontmatter grants unscoped Bash tool accessmarkdownstable

SEC417AI markdown: unpinned pip git installAI-native markdown installs Python packages from an unpinned `git+https://` sourcemarkdownstable

SEC428AI markdown: unsafe Read path grantAI-native markdown frontmatter grants `Read(...)` over an unsafe repo-external pathmarkdownstable

SEC429AI markdown: unsafe Write path grantAI-native markdown frontmatter grants `Write(...)` over an unsafe repo-external pathmarkdownstable

SEC430AI markdown: unsafe Edit path grantAI-native markdown frontmatter grants `Edit(...)` over an unsafe repo-external pathmarkdownstable

SEC431AI markdown: unsafe Glob path grantAI-native markdown frontmatter grants `Glob(...)` over an unsafe repo-external pathmarkdownstable

SEC440 / MD-GIT-RESTORE-ALLOWED-TOOLS

SEC440 flags AI-native markdown frontmatter when allowed-tools grants the exact token Bash(git restore:*).

Why It Matters

Blanket git restore authority lets an agent discard or rewrite file state by default. In shared AI instruction frontmatter, that is broader than most reviewed workflows need.

Trigger Shape

The rule triggers only when all of these are true:

the file is an AI-native markdown instruction surface with parsed frontmatter
the path is not fixture-like
allowed-tools or allowed_tools contains the exact token Bash(git restore:*)

Clean Cases

These stay clean:

more specific reviewed commands such as Bash(git restore src/lib.rs)
frontmatter that does not grant git restore
fixture-like examples under test or fixture paths

Example Trigger

---
allowed-tools:
  - Bash(git restore:*)
  - Read
---

Safer Example

---
allowed-tools:
  - Bash(git restore src/lib.rs)
  - Read
---

How To Fix

Replace Bash(git restore:*) with a narrower reviewed command pattern, or remove broad restore authority from shared frontmatter entirely.

AI markdown: `Bash(git restore:*)` tool grant

Preset Membership

Stable Lifecycle Contract

Related Rules

SEC440 / MD-GIT-RESTORE-ALLOWED-TOOLS ​

Why It Matters ​

Trigger Shape ​

Clean Cases ​

Example Trigger ​

Safer Example ​

How To Fix ​