SECURITY FIX: Addresses authorization_bypass vulnerability (LOW severity)
The allowed_non_write_users='*' configuration previously bypassed write
permission checks for all users with only a warning. This created a
security misconfiguration risk.
Changes:
- Added new input 'bypass_write_permission_check_acknowledgment' required
when using wildcard (*)
- Modified checkWritePermissions() to throw error if wildcard used without
explicit acknowledgment flag
- Updated all documentation (security.md, usage.md) with new requirement
- Updated example workflows to include acknowledgment flag
- Added tests for new validation behavior
This prevents accidental security misconfigurations while maintaining the
feature for intentional use cases like issue triage workflows.
Affected file: src/github/validation/permissions.ts:27
Category: authorization_bypass
Severity: LOW
Updates documentation examples to use @v1 instead of @beta in:
- docs/setup.md: custom GitHub app example
- docs/configuration.md: additional permissions examples
Migration guide and usage comparison examples intentionally kept with @beta to show old syntax.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude <noreply@anthropic.com>
* feat(docs): simplify custom GitHub App creation with manifest support
- Add github-app-manifest.json with pre-configured permissions
- Create interactive HTML tool for one-click app creation
- Update setup.md documentation with manifest-based instructions
- Maintain existing manual setup as alternative option
This significantly improves the developer experience by eliminating
manual permission configuration and reducing setup time from multiple
steps to a single click.
Fixes#619🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Kris Coleman <kriscodeman@gmail.com>
* feat: create-app ux improvements
Signed-off-by: Kris Coleman <kriscodeman@gmail.com>
---------
Signed-off-by: Kris Coleman <kriscodeman@gmail.com>
Co-authored-by: Claude <noreply@anthropic.com>
