fix: close git force-push bypass vectors in openclaw.yaml

Two bypass vectors caught in Opus code review:
1. 'git push origin main -f' (trailing -f with no space after) was not caught
   by the command_not_matches pattern 'git push *-f *'
2. Compound commands ('echo x && git push --force') bypass command_not_matches
   exclusions which only check the raw/full command

Fix: add dedicated block-force-push policy using command_matches patterns
prefixed with '*' to catch compound command segments. Add '-f' end-of-string
pattern for trailing flag variant. Update tests: 39/39 pass, 45/45 e2e.

Author: clap [bot]

policies/openclaw.yaml

@@ -265,6 +265,7 @@ policies:
             # Never allow force-push or branch deletion via git push
             - "git push *--force*"
             - "git push *-f *"
+            - "git push *-f"
             - "git push *--delete*"
             - "git push *:*"
         message: "Safe exec command allowed"
@@ -296,6 +297,27 @@ policies:
             - "curl*http://localhost:9090/v1/*"
         message: "External curl/wget blocked — use web_fetch tool for external requests (policy-aware)"
 
+  # ── Block force-push ───────────────────────────────────────────────────
+  # Dedicated deny for force-push variants so compound commands
+  # (e.g. "echo x && git push --force") can't bypass allow-rule exclusions.
+  - name: block-force-push
+    description: "Block git force-push and branch deletion regardless of command context"
+    match:
+      tool: ["exec"]
+    rules:
+      - action: deny
+        when:
+          command_matches:
+            - "git push *--force*"
+            - "git push *-f *"
+            - "git push *-f"
+            - "git push *--delete*"
+            - "*git push *--force*"
+            - "*git push *-f *"
+            - "*git push *-f"
+            - "*git push *--delete*"
+        message: "Git force-push and branch deletion blocked — run manually if intentional"
+
   # ── Block destructive exec ─────────────────────────────────────────────
   - name: block-destructive-exec
     description: "Block destructive filesystem and system commands"

policies/openclaw_test.go

@@ -60,8 +60,10 @@ func TestOpenClawPolicyDecisions(t *testing.T) {
 		// ── exec: dangerous docker/kubectl surface for approval ────────
 		{name: "ask: docker run privileged not in safe list", tool: "exec", command: "docker run --privileged ubuntu", expected: engine.ActionAsk},
 		{name: "ask: kubectl delete namespace", tool: "exec", command: "kubectl delete namespace production", expected: engine.ActionAsk},
-		{name: "ask: git push force", tool: "exec", command: "git push --force origin main", expected: engine.ActionAsk},
-		{name: "ask: git push delete branch", tool: "exec", command: "git push origin --delete main", expected: engine.ActionAsk},
+		{name: "deny: git push force", tool: "exec", command: "git push --force origin main", expected: engine.ActionDeny},
+		{name: "deny: git push -f trailing", tool: "exec", command: "git push origin main -f", expected: engine.ActionDeny},
+		{name: "deny: git push delete branch", tool: "exec", command: "git push origin --delete main", expected: engine.ActionDeny},
+		{name: "deny: compound git force push", tool: "exec", command: "echo x && git push origin --force main", expected: engine.ActionDeny},
 
 		// ── read: credential files require approval ────────────────────
 		{name: "ask: .env file", tool: "read", path: "/home/user/project/.env", expected: engine.ActionAsk},