* fix(security): Remove overly broad gh api permission from dedupe command

  Remove `Bash(gh api:*)` from dedupe.md allowed-tools to prevent potential secret exfiltration via prompt injection. The dedupe workflow only needs gh issue view/list/comment and gh search commands - it doesn't require raw API access.

  🤖 Generated with [Claude Code](https://claude.com/claude-code)

  Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* feat: Add comment-on-duplicates script for safer duplicate handling

  Replace `gh issue comment:*` permission with a constrained script that:
  - Only accepts validated issue numbers
  - Enforces max 3 duplicates
  - Uses a fixed comment format
  - Prevents arbitrary comment content injection

  🤖 Generated with [Claude Code](https://claude.com/claude-code)

  Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

| Name |
|---|
| commit-push-pr.md |
| dedupe.md |
| oncall-triage.md |