claude-code

ros/claude-code

Fork 0

mirror of https://github.com/anthropics/claude-code.git synced 2026-01-30 04:02:03 +00:00

Commit Graph

Author	SHA1	Message	Date
David Dworken	a3df424857	fix: validate that issues exist before commenting on duplicates Add validation to comment-on-duplicates.sh that verifies the base issue and all potential duplicate issues actually exist in the repo before posting a comment. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2026-01-07 07:57:56 -08:00
Boris Cherny	0b86fdb0e0	fix(security): Remove overly broad gh api permission from dedupe command (#16549 ) * fix(security): Remove overly broad gh api permission from dedupe command Remove `Bash(gh api:)` from dedupe.md allowed-tools to prevent potential secret exfiltration via prompt injection. The dedupe workflow only needs gh issue view/list/comment and gh search commands - it doesn't require raw API access. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> feat: Add comment-on-duplicates script for safer duplicate handling Replace `gh issue comment:*` permission with a constrained script that: - Only accepts validated issue numbers - Enforces max 3 duplicates - Uses a fixed comment format - Prevents arbitrary comment content injection 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-01-07 08:46:31 +05:30

Author

SHA1

Message

Date

David Dworken

a3df424857

fix: validate that issues exist before commenting on duplicates

Add validation to comment-on-duplicates.sh that verifies the base issue
and all potential duplicate issues actually exist in the repo before
posting a comment.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2026-01-07 07:57:56 -08:00

Boris Cherny

0b86fdb0e0

fix(security): Remove overly broad gh api permission from dedupe command (#16549 )

* fix(security): Remove overly broad gh api permission from dedupe command

Remove `Bash(gh api:*)` from dedupe.md allowed-tools to prevent potential
secret exfiltration via prompt injection. The dedupe workflow only needs
gh issue view/list/comment and gh search commands - it doesn't require
raw API access.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* feat: Add comment-on-duplicates script for safer duplicate handling

Replace `gh issue comment:*` permission with a constrained script that:
- Only accepts validated issue numbers
- Enforces max 3 duplicates
- Uses a fixed comment format
- Prevents arbitrary comment content injection

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-01-07 08:46:31 +05:30

2 Commits