feat: broaden safe pipe whitelist in gh permission hook (#2581)

## Summary - Expanded the safe pipe destinations whitelist in the GitHub CLI permission hook to include common text-processing commands like `base64`, `cat`, `column`, `fmt`, `fold`, `paste`, `strings`, checksum utilities, and more - Previously, commands like `gh api ... | base64 -d` were blocked because `base64` wasn't in the narrow allowlist ## Test plan - [x] Verified `gh api repos/dyad-sh/dyad/contents/.github/workflows/closed-issue-comment.yml --jq '.content' 2>&1 | base64 -d` no longer blocked - [x] All 784 unit tests pass - [x] Lint and type checks pass 🤖 Generated with [Claude Code](https://claude.com/claude-code)  --- <a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2581" target="_blank"> <picture> <source media="(prefers-color-scheme: dark)" srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1"> <img src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1" alt="Open with Devin"> </picture> </a>   --- > [!NOTE] > **Medium Risk** > Expands the set of commands permitted in piped shell invocations, which could widen the attack surface if the whitelist includes tools with unexpected side effects; changes are contained to the permission hook and docs. > > **Overview** > Broadens the `gh` permission hook’s allowed pipe destinations from a small set of utilities to a larger whitelist of common text-processing commands (e.g., `base64`, `cat`, `column`, `strings`, and checksum tools), so more `gh ... | <tool>` pipelines are auto-approved. > > Updates `rules/git-workflow.md` to document using `gh api .../issues/{PR_NUMBER}/labels` as a workaround for `gh pr edit --add-label` failing due to the GraphQL Projects (classic) deprecation error. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 775a7623ae7bd4b484cf09626f425aaa2912b8f1. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>   --- ## Summary by cubic Broadened the GitHub CLI permission hook’s safe pipe whitelist to include more text-processing commands (e.g., base64, column, strings, checksum tools), allowing gh ... | base64 -d. Clarified allowed-pipe wording in the hook and updated git-workflow docs to use the REST API for adding labels due to GraphQL “Projects (classic)” errors. <sup>Written for commit 08eb796e50730e1e0ed78f2a55b2c9addb8c38cd. Summary will update on new commits.</sup>  --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

feat: broaden safe pipe whitelist in gh permission hook (#2581)
7fb395bf · Will Chen · GitHub · b2bf3bed · 7fb395bf · 7fb395bf
--- a/.claude/hooks/gh-permission-hook.py
+++ b/.claude/hooks/gh-permission-hook.py
@@ -34,8 +34,7 @@ ALLOWED (auto-approved):
   - Mutations: resolveReviewThread, unresolveReviewThread
   - Mutations: addPullRequestReview, addPullRequestReviewComment

-6. Piping to safe text-processing commands:
-   - jq, head, tail, grep, wc, sort, uniq, cut, tr
+6. Piping gh output to safe text-processing commands.

 BLOCKED (denied):
 -----------------
@@ -128,17 +127,16 @@ MARKDOWN_CODE_SPAN_PATTERN = re.compile(r'`[\w.-]*[._-][\w.-]*`')
 # Pattern to match double-quoted strings (for processing)
 DOUBLE_QUOTED_STRING_PATTERN = re.compile(r'"[^"]*"')

-# Safe pipe destinations - commands that only process text output
-# These are safe because they can't execute arbitrary code from piped input
-# jq: JSON processor, commonly used with gh api output
-# head/tail: display first/last N lines
-# grep: pattern search (cannot execute code from input)
-# wc: word/line/character count
-# sort/uniq: sort and deduplicate lines
-# cut: extract fields from lines
-# tr: character translation
-# Note: less/more are NOT included because they support shell escapes (e.g., !cmd)
-SAFE_PIPE_PATTERN = re.compile(r'\|\s*(jq|head|tail|grep|wc|sort|uniq|cut|tr)\b')
+# Safe pipe destinations - broad whitelist of common text-processing commands
+# Claude Code's own permission system provides the primary security layer
+SAFE_PIPE_PATTERN = re.compile(
+    r'\|\s*('
+    r'jq|head|tail|grep|egrep|fgrep|wc|sort|uniq|cut|tr'
+    r'|base64|cat|column|fmt|fold|paste'
+    r'|expand|unexpand|rev|tac|nl|od|xxd|hexdump|strings'
+    r'|md5sum|sha256sum|sha1sum|shasum|cksum'
+    r')\b'
+)

 # Safe redirect patterns - common shell redirects that don't execute commands
 # 2>&1: redirect stderr to stdout (very common for capturing all output)

--- a/rules/git-workflow.md
+++ b/rules/git-workflow.md
@@ -23,3 +23,11 @@ When running GitHub Actions with `pull_request_target` on cross-repo PRs (from f
 - To rebase onto the base repo's main, you must add an `upstream` remote: `git remote add upstream https://github.com/<base-repo>.git`
 - Remote setup for cross-repo PRs: `origin` → fork (push here), `upstream` → base repo (rebase from here)
 - The `GITHUB_TOKEN` can push to the fork if the PR author enabled "Allow edits from maintainers"
+
+## Adding labels to PRs
+
+`gh pr edit --add-label` fails with a GraphQL "Projects (classic)" deprecation error on repos that had classic projects. Use the REST API instead:
+
+```bash
+gh api repos/dyad-sh/dyad/issues/{PR_NUMBER}/labels -f "labels[]=label-name"
+```