SECURITY FIX: Addresses authorization_bypass vulnerability (LOW severity)
The allowed_non_write_users='*' configuration previously bypassed write
permission checks for all users with only a warning. This created a
security misconfiguration risk.
Changes:
- Added new input 'bypass_write_permission_check_acknowledgment' required
when using wildcard (*)
- Modified checkWritePermissions() to throw error if wildcard used without
explicit acknowledgment flag
- Updated all documentation (security.md, usage.md) with new requirement
- Updated example workflows to include acknowledgment flag
- Added tests for new validation behavior
This prevents accidental security misconfigurations while maintaining the
feature for intentional use cases like issue triage workflows.
Affected file: src/github/validation/permissions.ts:27
Category: authorization_bypass
Severity: LOW
* feat: update claude-review workflow to use progress tracking and slash command
- Rename workflow from "Auto review PRs" to "PR Review with Progress Tracking"
- Update trigger types to include synchronize, ready_for_review, reopened
- Add pull-requests: write permission for tracking comments
- Replace direct_prompt with /review-pr slash command using custom command file
- Update to use claude-code-action@v1
- Switch to inline comment tool for more precise PR feedback
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* agents
* refactor: standardize agent output format instructions
Unified the output format instructions across all reviewer agents to follow a consistent structure:
- Converted numbered sections to bold headers for better readability
- Standardized "Review Structure" sections across all agents
- Maintained distinct analysis areas specific to each reviewer type
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
