Submitted by Will Chen
## Summary

- Expanded the safe pipe destinations whitelist in the GitHub CLI permission hook to include common text-processing commands like `base64`, `cat`, `column`, `fmt`, `fold`, `paste`, `strings`, checksum utilities, and more
- Previously, commands like `gh api ... | base64 -d` were blocked because `base64` wasn't in the narrow allowlist

## Test plan

- [x] Verified `gh api repos/dyad-sh/dyad/contents/.github/workflows/closed-issue-comment.yml --jq '.content' 2>&1 | base64 -d` no longer blocked
- [x] All 784 unit tests pass
- [x] Lint and type checks pass
🤖 Generated with [Claude Code](https://claude.com/claude-code)

---

> [!NOTE]
> **Medium Risk**
> Expands the set of commands permitted in piped shell invocations, which could widen the attack surface if the whitelist includes tools with unexpected side effects; changes are contained to the permission hook and docs.
>
> **Overview**
> Broadens the `gh` permission hook's allowed pipe destinations from a small set of utilities to a larger whitelist of common text-processing commands (e.g., `base64`, `cat`, `column`, `strings`, and checksum tools), so more `gh ... | <tool>` pipelines are auto-approved.
>
> Updates `rules/git-workflow.md` to document using `gh api .../issues/{PR_NUMBER}/labels` as a workaround for `gh pr edit --add-label` failing due to the GraphQL Projects (classic) deprecation error.
>
> Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 775a7623ae7bd4b484cf09626f425aaa2912b8f1. This will update automatically on new commits.

---

## Summary by cubic

Broadened the GitHub CLI permission hook's safe pipe whitelist to include more text-processing commands (e.g., base64, column, strings, checksum tools), allowing `gh ... | base64 -d`. Clarified allowed-pipe wording in the hook and updated git-workflow docs to use the REST API for adding labels due to GraphQL "Projects (classic)" errors.

Written for commit 08eb796e50730e1e0ed78f2a55b2c9addb8c38cd. Summary will update on new commits.

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
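A checker of the kind such a permission hook performs, as an added example that is not dyad's own hook code: it splits the command on unquoted pipes, requires the first stage to be `gh`, requires every later stage to start with an allowlisted filter, and refuses any other shell operator (chaining, command substitution, redirection to a file) because those would let a non-allowlisted command run. The contents of the narrow list are an assumption; the expanded names are the ones the PR description gives, and the sample command is the one from the test plan.

```typescript
// Added example, not code from the dyad repository. The narrow allowlist is
// an assumption; the expanded entries are the names the PR description gives.
const NARROW_ALLOWLIST: string[] = ["head", "tail", "grep", "jq", "wc"];
const EXPANDED_ALLOWLIST: string[] = NARROW_ALLOWLIST.concat([
  "base64", "cat", "column", "fmt", "fold", "paste", "strings",
  "md5sum", "sha1sum", "sha256sum",
]);

// The command from the PR's test plan.
const SAMPLE_COMMAND =
  "gh api repos/dyad-sh/dyad/contents/.github/workflows/closed-issue-comment.yml" +
  " --jq '.content' 2>&1 | base64 -d";

// Split on unquoted `|`. Returns null when an operator appears that could run
// something other than the piped filters: `;`, `&&`, `||`, background `&`,
// command substitution, or a redirection that writes a file (`2>&1` is fine).
function splitPipeline(cmd: string): string[] | null {
  const stages: string[] = [];
  let cur = "", quote: string | null = null;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i], next = cmd[i + 1];
    if (quote) { if (c === quote) quote = null; cur += c; continue; }
    if (c === "'" || c === '"') { quote = c; cur += c; continue; }
    if (c === "\\") { cur += c + (next ?? ""); i++; continue; }
    if (c === ";" || c === "`" || (c === "$" && next === "(")) return null;
    if (c === "&" && cmd[i - 1] !== ">") return null; // `&&` or background job
    if (c === ">" && next !== "&") return null;        // `> file` / `>> file`
    if (c === "|") { if (next === "|") return null; stages.push(cur); cur = ""; continue; }
    cur += c;
  }
  if (quote) return null; // unbalanced quote: refuse rather than guess
  stages.push(cur);
  return stages;
}

// First word of a stage; a path like `/usr/bin/cat` deliberately does not match.
function firstWord(stage: string): string {
  return stage.trim().split(/\s+/)[0] ?? "";
}

function checkGhPipeline(cmd: string, allowlist: string[]): { allow: boolean; reason: string } {
  const stages = splitPipeline(cmd);
  if (stages === null) return { allow: false, reason: "unsupported shell operator" };
  if (firstWord(stages[0]) !== "gh") return { allow: false, reason: "first command is not gh" };
  for (const stage of stages.slice(1)) {
    const tool = firstWord(stage);
    if (!allowlist.includes(tool)) return { allow: false, reason: `pipe destination not allowed: ${tool}` };
  }
  return { allow: true, reason: "ok" };
}
```

With the narrow list the sample command is denied on `base64`; with the expanded list it is approved, while anything that writes a file or chains a second command is still refused regardless of the list.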