prettier

feat: allow user override of hardcoded disallowed tools
Allow users to override hardcoded disallowed tools (WebSearch, WebFetch) by including them in their allowed_tools configuration. This provides users with the ability to control tool access based on their security requirements. Changes: - Modified buildDisallowedToolsString() to accept allowedTools parameter - Added logic to filter out hardcoded disallowed tools if present in allowed tools - Updated function call site to pass allowedTools - Added comprehensive test coverage for override behavior - Maintains backward compatibility Resolves #49 Co-authored-by: ashwin-ant <ashwin-ant@users.noreply.github.com>
2026-01-23 15:04:13 +08:00 · 2025-05-27 17:06:57 -07:00 · 2025-05-28 00:01:59 +00:00
8 changed files with 98 additions and 77 deletions
--- a/README.md
+++ b/README.md
@@ -446,7 +446,7 @@ anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
 ```

 This applies to all sensitive values including API keys, access tokens, and credentials.
-We also recommend that you always use short-lived tokens when possible
+We also reccomend that you always use short-lived tokens when possible

 ## License

--- a/action.yml
+++ b/action.yml
@@ -94,7 +94,7 @@ runs:
    - name: Run Claude Code
      id: claude-code
      if: steps.prepare.outputs.contains_trigger == 'true'
-      uses: anthropics/claude-code-base-action@266585c92dd90d61d3806a3367582c4f6224e892 # https://github.com/anthropics/claude-code-base-action/releases/tag/v0.0.6
+      uses: anthropics/claude-code-base-action@5097b6cdfe5fc5a3ac0166cc344c34ed23c93982 # https://github.com/anthropics/claude-code-base-action/releases/tag/v0.0.5
      with:
        prompt_file: /tmp/claude-prompts/claude-prompt.txt
        allowed_tools: ${{ env.ALLOWED_TOOLS }}
@@ -147,8 +147,6 @@ runs:
        CLAUDE_SUCCESS: ${{ steps.claude-code.outputs.conclusion == 'success' }}
        OUTPUT_FILE: ${{ steps.claude-code.outputs.execution_file || '' }}
        TRIGGER_USERNAME: ${{ github.event.comment.user.login || github.event.issue.user.login || github.event.pull_request.user.login || github.event.sender.login || github.triggering_actor || github.actor || '' }}
-        PREPARE_SUCCESS: ${{ steps.prepare.outcome == 'success' }}
-        PREPARE_ERROR: ${{ steps.prepare.outputs.prepare_error || '' }}

    - name: Display Claude Code Report
      if: steps.prepare.outputs.contains_trigger == 'true' && steps.claude-code.outputs.execution_file != ''
--- a/src/create-prompt/index.ts
+++ b/src/create-prompt/index.ts
@@ -58,10 +58,27 @@ export function buildAllowedToolsString(

 export function buildDisallowedToolsString(
  customDisallowedTools?: string,
+  allowedTools?: string,
 ): string {
-  let allDisallowedTools = DISALLOWED_TOOLS.join(",");
+  let disallowedTools = [...DISALLOWED_TOOLS];
+
+  // If user has explicitly allowed some hardcoded disallowed tools, remove them from disallowed list
+  if (allowedTools) {
+    const allowedToolsArray = allowedTools
+      .split(",")
+      .map((tool) => tool.trim());
+    disallowedTools = disallowedTools.filter(
+      (tool) => !allowedToolsArray.includes(tool),
+    );
+  }
+
+  let allDisallowedTools = disallowedTools.join(",");
  if (customDisallowedTools) {
-    allDisallowedTools = `${allDisallowedTools},${customDisallowedTools}`;
+    if (allDisallowedTools) {
+      allDisallowedTools = `${allDisallowedTools},${customDisallowedTools}`;
+    } else {
+      allDisallowedTools = customDisallowedTools;
+    }
  }
  return allDisallowedTools;
 }
@@ -648,6 +665,7 @@ export async function createPrompt(
    );
    const allDisallowedTools = buildDisallowedToolsString(
      preparedContext.disallowedTools,
+      preparedContext.allowedTools,
    );

    core.exportVariable("ALLOWED_TOOLS", allAllowedTools);
--- a/src/entrypoints/prepare.ts
+++ b/src/entrypoints/prepare.ts
@@ -92,10 +92,7 @@ async function run() {
    );
    core.setOutput("mcp_config", mcpConfig);
  } catch (error) {
-    const errorMessage = error instanceof Error ? error.message : String(error);
-    core.setFailed(`Prepare step failed with error: ${errorMessage}`);
-    // Also output the clean error message for the action to capture
-    core.setOutput("prepare_error", errorMessage);
+    core.setFailed(`Prepare step failed with error: ${error}`);
    process.exit(1);
  }
 }
--- a/src/entrypoints/update-comment-link.ts
+++ b/src/entrypoints/update-comment-link.ts
@@ -145,48 +145,38 @@ async function run() {
      duration_api_ms?: number;
    } | null = null;
    let actionFailed = false;
-    let errorDetails: string | undefined;

-    // First check if prepare step failed
-    const prepareSuccess = process.env.PREPARE_SUCCESS !== "false";
-    const prepareError = process.env.PREPARE_ERROR;
+    // Check for existence of output file and parse it if available
+    try {
+      const outputFile = process.env.OUTPUT_FILE;
+      if (outputFile) {
+        const fileContent = await fs.readFile(outputFile, "utf8");
+        const outputData = JSON.parse(fileContent);

-    if (!prepareSuccess && prepareError) {
-      actionFailed = true;
-      errorDetails = prepareError;
-    } else {
-      // Check for existence of output file and parse it if available
-      try {
-        const outputFile = process.env.OUTPUT_FILE;
-        if (outputFile) {
-          const fileContent = await fs.readFile(outputFile, "utf8");
-          const outputData = JSON.parse(fileContent);
-
-          // Output file is an array, get the last element which contains execution details
-          if (Array.isArray(outputData) && outputData.length > 0) {
-            const lastElement = outputData[outputData.length - 1];
-            if (
-              lastElement.role === "system" &&
-              "cost_usd" in lastElement &&
-              "duration_ms" in lastElement
-            ) {
-              executionDetails = {
-                cost_usd: lastElement.cost_usd,
-                duration_ms: lastElement.duration_ms,
-                duration_api_ms: lastElement.duration_api_ms,
-              };
-            }
+        // Output file is an array, get the last element which contains execution details
+        if (Array.isArray(outputData) && outputData.length > 0) {
+          const lastElement = outputData[outputData.length - 1];
+          if (
+            lastElement.role === "system" &&
+            "cost_usd" in lastElement &&
+            "duration_ms" in lastElement
+          ) {
+            executionDetails = {
+              cost_usd: lastElement.cost_usd,
+              duration_ms: lastElement.duration_ms,
+              duration_api_ms: lastElement.duration_api_ms,
+            };
          }
        }
-
-        // Check if the Claude action failed
-        const claudeSuccess = process.env.CLAUDE_SUCCESS !== "false";
-        actionFailed = !claudeSuccess;
-      } catch (error) {
-        console.error("Error reading output file:", error);
-        // If we can't read the file, check for any failure markers
-        actionFailed = process.env.CLAUDE_SUCCESS === "false";
      }
+
+      // Check if the action failed by looking at the exit code or error marker
+      const claudeSuccess = process.env.CLAUDE_SUCCESS !== "false";
+      actionFailed = !claudeSuccess;
+    } catch (error) {
+      console.error("Error reading output file:", error);
+      // If we can't read the file, check for any failure markers
+      actionFailed = process.env.CLAUDE_SUCCESS === "false";
    }

    // Prepare input for updateCommentBody function
@@ -199,7 +189,6 @@ async function run() {
      prLink,
      branchName: shouldDeleteBranch ? undefined : claudeBranch,
      triggerUsername,
-      errorDetails,
    };

    const updatedBody = updateCommentBody(commentInput);
--- a/src/github/operations/comment-logic.ts
+++ b/src/github/operations/comment-logic.ts
@@ -15,7 +15,6 @@ export type CommentUpdateInput = {
  prLink?: string;
  branchName?: string;
  triggerUsername?: string;
-  errorDetails?: string;
 };

 export function ensureProperlyEncodedUrl(url: string): string | null {
@@ -76,7 +75,6 @@ export function updateCommentBody(input: CommentUpdateInput): string {
    actionFailed,
    branchName,
    triggerUsername,
-    errorDetails,
  } = input;

  // Extract content from the original comment body
@@ -179,14 +177,7 @@ export function updateCommentBody(input: CommentUpdateInput): string {
  }

  // Build the new body with blank line between header and separator
-  let newBody = `${header}${links}`;
-
-  // Add error details if available
-  if (actionFailed && errorDetails) {
-    newBody += `\n\n\`\`\`\n${errorDetails}\n\`\`\``;
-  }
-
-  newBody += `\n\n---\n`;
+  let newBody = `${header}${links}\n\n---\n`;

  // Clean up the body content
  // Remove any existing View job run, branch links from the bottom
--- a/test/comment-logic.test.ts
+++ b/test/comment-logic.test.ts
@@ -39,25 +39,6 @@ describe("updateCommentBody", () => {
      expect(result).toContain("**Claude encountered an error after 45s**");
    });

-    it("includes error details when provided", () => {
-      const input = {
-        ...baseInput,
-        currentBody: "Claude Code is working...",
-        actionFailed: true,
-        executionDetails: { duration_ms: 45000 },
-        errorDetails: "Failed to fetch issue data",
-      };
-
-      const result = updateCommentBody(input);
-      expect(result).toContain("**Claude encountered an error after 45s**");
-      expect(result).toContain("[View job]");
-      expect(result).toContain("```\nFailed to fetch issue data\n```");
-      // Ensure error details come after the header/links
-      const errorIndex = result.indexOf("```");
-      const headerIndex = result.indexOf("**Claude encountered an error");
-      expect(errorIndex).toBeGreaterThan(headerIndex);
-    });
-
    it("handles username extraction from content when not provided", () => {
      const input = {
        ...baseInput,
--- a/test/create-prompt.test.ts
+++ b/test/create-prompt.test.ts
@@ -722,4 +722,51 @@ describe("buildDisallowedToolsString", () => {
    expect(parts).toContain("BadTool1");
    expect(parts).toContain("BadTool2");
  });
+
+  test("should remove hardcoded disallowed tools if they are in allowed tools", () => {
+    const customDisallowedTools = "BadTool1,BadTool2";
+    const allowedTools = "WebSearch,SomeOtherTool";
+    const result = buildDisallowedToolsString(
+      customDisallowedTools,
+      allowedTools,
+    );
+
+    // WebSearch should be removed from disallowed since it's in allowed
+    expect(result).not.toContain("WebSearch");
+
+    // WebFetch should still be disallowed since it's not in allowed
+    expect(result).toContain("WebFetch");
+
+    // Custom disallowed tools should still be present
+    expect(result).toContain("BadTool1");
+    expect(result).toContain("BadTool2");
+  });
+
+  test("should remove all hardcoded disallowed tools if they are all in allowed tools", () => {
+    const allowedTools = "WebSearch,WebFetch,SomeOtherTool";
+    const result = buildDisallowedToolsString(undefined, allowedTools);
+
+    // Both hardcoded disallowed tools should be removed
+    expect(result).not.toContain("WebSearch");
+    expect(result).not.toContain("WebFetch");
+
+    // Result should be empty since no custom disallowed tools provided
+    expect(result).toBe("");
+  });
+
+  test("should handle custom disallowed tools when all hardcoded tools are overridden", () => {
+    const customDisallowedTools = "BadTool1,BadTool2";
+    const allowedTools = "WebSearch,WebFetch";
+    const result = buildDisallowedToolsString(
+      customDisallowedTools,
+      allowedTools,
+    );
+
+    // Hardcoded tools should be removed
+    expect(result).not.toContain("WebSearch");
+    expect(result).not.toContain("WebFetch");
+
+    // Only custom disallowed tools should remain
+    expect(result).toBe("BadTool1,BadTool2");
+  });
 });