fix: don't auto approve git -C ... (#20085)

It's safer to make sure these commands go through approval flows.

codex-rs/shell-command/src/command_safety/is_safe_command.rs

@@ -331,20 +331,19 @@ mod tests {
 
     #[test]
     fn git_branch_global_options_respect_safety_rules() {
-        use pretty_assertions::assert_eq;
-
-        assert_eq!(
-            is_known_safe_command(&vec_str(&["git", "-C", ".", "branch", "--show-current"])),
-            true
-        );
-        assert_eq!(
-            is_known_safe_command(&vec_str(&["git", "-C", ".", "branch", "-d", "feature"])),
-            false
-        );
-        assert_eq!(
-            is_known_safe_command(&vec_str(&["bash", "-lc", "git -C . branch -d feature",])),
-            false
-        );
+        assert!(is_known_safe_command(&vec_str(&[
+            "git",
+            "branch",
+            "--show-current",
+        ])));
+        assert!(!is_known_safe_command(&vec_str(&[
+            "git", "branch", "-d", "feature",
+        ])));
+        assert!(!is_known_safe_command(&vec_str(&[
+            "bash",
+            "-lc",
+            "git branch -d feature",
+        ])));
     }
 
     #[test]
@@ -381,6 +380,10 @@ mod tests {
 
     #[test]
     fn git_global_override_flags_are_not_safe() {
+        assert!(!is_known_safe_command(&vec_str(&[
+            "git", "-C", ".", "status",
+        ])));
+        assert!(!is_known_safe_command(&vec_str(&["git", "-C.", "status",])));
         assert!(!is_known_safe_command(&vec_str(&[
             "git",
             "-c",
@@ -415,6 +418,11 @@ mod tests {
             );
         }
 
+        assert!(!is_known_safe_command(&vec_str(&[
+            "bash",
+            "-lc",
+            "git -C .project-deps/test-fixtures status",
+        ])));
         assert!(!is_known_safe_command(&vec_str(&[
             "bash",
             "-lc",