Block push --delete and refspec delete syntax in agent mode

[crcatala]

Problem

Agents can accidentally delete remote branches using git push --delete or the equivalent refspec syntax git push origin :<branch>. Unlike other destructive commands, there's no "safe mode" or dry-run flag for remote branch deletion - the only safe alternative is to ask the user to do it manually.

Solution

Block both deletion patterns when ZAGI_AGENT is set:

git push origin --delete feature  # blocked
git push origin :feature          # blocked (refspec syntax)

This aligns with existing guardrails for push --force, stash drop, and stash clear.

Changes

• AGENTS.md: Added both patterns to blocked commands table
• src/guardrails.zig:
  • New cmd_with_arg_prefix pattern type for refspec detection
  • Blocking rules for --delete, -d, and :<branch> syntax
  • 4 unit tests

Testing

zig build test  # all pass

# Manual verification:
$ ZAGI_AGENT=1 zagi push origin --delete branch
error: destructive command blocked (ZAGI_AGENT is set)
reason: deletes remote branch

$ ZAGI_AGENT=1 zagi push origin :branch  
error: destructive command blocked (ZAGI_AGENT is set)
reason: deletes remote branch (refspec syntax)

# Normal refspec still works:
$ ZAGI_AGENT=1 zagi push origin feature:feature  # allowed

[mattzcarey]

closed in favour of #15

Thanks for this!!!