Updates GitHub workflow files to use the new claude-code-action@v1 and replaces prompt_file with inline prompt parameter.
Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Generated-By: Claude Code (cli/claude-opus-4-5=100%)
Claude-Steers: 3
Claude-Permission-Prompts: 4
Claude-Escapes: 0
- Add note that npm installation is deprecated
- Add link to setup documentation
- Add WinGet installation option for Windows
- Update Homebrew to indicate MacOS/Linux support
- Mark recommended installation methods
- Improve formatting with proper indentation
1. Remove redundant tool parameter descriptions - MCP tool is source of truth
2. Clarify what issues to flag:
- Compile/parse errors (syntax, types, imports, references)
- Clear logic errors that produce wrong results regardless of inputs
- CLAUDE.md violations
3. Clarify what NOT to flag:
- Code style or quality concerns
- Issues that depend on specific inputs or state
- Subjective suggestions
Add validation to comment-on-duplicates.sh that verifies the base issue
and all potential duplicate issues actually exist in the repo before
posting a comment.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix(security): Remove overly broad gh api permission from dedupe command
Remove `Bash(gh api:*)` from dedupe.md allowed-tools to prevent potential
secret exfiltration via prompt injection. The dedupe workflow only needs
gh issue view/list/comment and gh search commands - it doesn't require
raw API access.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* feat: Add comment-on-duplicates script for safer duplicate handling
Replace `gh issue comment:*` permission with a constrained script that:
- Only accepts validated issue numbers
- Enforces max 3 duplicates
- Uses a fixed comment format
- Prevents arbitrary comment content injection
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
The allowed-tools pattern was missing :* suffix, causing permission check
failures when arguments were passed to the setup script via ```! block.
Fixes#16398
Fixes#12170
The ralph-wiggum slash commands had multi-line bash scripts in their
```! blocks. Claude Code's security check blocks commands with
newlines to prevent command injection, causing the error:
"Command contains newlines that could separate multiple commands"
Changes:
ralph-loop.md:
- Remove multi-line bash from code block
- Keep single-line call to setup script
- Keep scoped allowed-tools for security
cancel-ralph.md:
- Replace multi-line bash with step-by-step instructions
- Tighten allowed-tools to specific file paths
setup-ralph-loop.sh:
- Add completion promise display logic (moved from ralph-loop.md)
- Uses COMPLETION_PROMISE variable directly instead of reading from file
Suggestions must include all necessary changes. If a fix requires
additional work elsewhere (e.g., renaming a variable requires updating
usages), use the Claude Code prompt format instead of a partial suggestion.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Only post a summary comment when no issues are found. When issues
exist, post inline comments directly without a redundant summary block.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Change the default behavior of /code-review to output to the terminal
instead of posting a PR comment. Users can use the --comment flag to
explicitly post the review as a PR comment when desired.
This is more suitable for local development workflows where posting
comments to the PR is not always needed.
