thx! yeah git push is intentionally allowed, it's normal dev workflow operation. but git push --force on the other hand gets flagged as 'git_history_rewrite = ask'.

if you want regular push to also require approval you can set that in your config with nah deny git_write and you get other 'git_writes = ask' for free.