* fix(security): Remove overly broad gh api permission from dedupe command
Remove `Bash(gh api:*)` from dedupe.md allowed-tools to prevent potential
secret exfiltration via prompt injection. The dedupe workflow only needs
gh issue view/list/comment and gh search commands - it doesn't require
raw API access.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* feat: Add comment-on-duplicates script for safer duplicate handling
Replace `gh issue comment:*` permission with a constrained script that:
- Only accepts validated issue numbers
- Enforces max 3 duplicates
- Uses a fixed comment format
- Prevents arbitrary comment content injection
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
- Remove dry run mode and implement actual issue closing
- Extract duplicate issue number from bot comments
- Close issues via GitHub API with proper state and comments
- Add error handling for API failures
- Use Claude Code comment format with reopening instructions
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Update dedupe command to include auto-close warning
- Add commit-push-pr command for streamlined workflow
- Add GitHub workflow to automatically close duplicates
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
