Updates edit-issue-labels.sh and comment-on-duplicates.sh to read the
issue number from GITHUB_EVENT_PATH (the workflow event payload) instead
of accepting it as a CLI argument. Simplifies the call signature and
keeps the scripts aligned with the triggering issue.
Also updates the /triage-issue and /dedupe command docs to match.
🏠 Remote-Dev: homespace
Add validation to comment-on-duplicates.sh that verifies the base issue
and all potential duplicate issues actually exist in the repo before
posting a comment.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix(security): Remove overly broad gh api permission from dedupe command
Remove `Bash(gh api:*)` from dedupe.md allowed-tools to prevent potential
secret exfiltration via prompt injection. The dedupe workflow only needs
gh issue view/list/comment and gh search commands - it doesn't require
raw API access.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* feat: Add comment-on-duplicates script for safer duplicate handling
Replace `gh issue comment:*` permission with a constrained script that:
- Only accepts validated issue numbers
- Enforces max 3 duplicates
- Uses a fixed comment format
- Prevents arbitrary comment content injection
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
