fix

Co-authored-by: Franz the Dog <franz@cutedogs.org>

Author: ajbt200128

src/generator/workflow.ts

@@ -76,11 +76,14 @@ const DEFAULT_ALLOWED_TOOLS = [
   // Plan mode
   "EnterPlanMode",
   "ExitPlanMode",
-  // Scoped Bash for git/gh
+  // Scoped Bash for git (read-only)
   "Bash(git diff*)",
   "Bash(git log*)",
   "Bash(git show*)",
-  "Bash(gh pr *)",
+  // Scoped Bash for gh (read-only + repo-scoped comment)
+  "Bash(gh pr view*)",
+  "Bash(gh pr diff*)",
+  "Bash(gh pr comment *)",
 ];
 
 function buildActionStep(

test/cli.test.ts

@@ -54,7 +54,9 @@ describe("CLI integration", () => {
     const actionStep = parsed.jobs.task.steps.find(
       (s: any) => s.uses === "anthropics/claude-code-action@v1"
     );
-    expect(actionStep.with.prompt).toBe("Review the code changes in this PR. Focus on bugs, security issues, and code quality.");
+    expect(actionStep.with.prompt).toContain("Review the code changes in this PR. Focus on bugs, security issues, and code quality.");
+    // Labeled event workaround suffix should be appended
+    expect(actionStep.with.prompt).toContain("github.event.action == 'labeled'");
     expect(actionStep.with.claude_args).toContain("--append-system-prompt");
     expect(actionStep.with.claude_args).toContain("helpful code review assistant");
   });

test/generator/workflow.test.ts

@@ -69,7 +69,8 @@ describe("generateWorkflow", () => {
       "CronCreate", "CronDelete", "CronList",
       "ToolSearch", "LSP", "ListMcpResourcesTool", "ReadMcpResourceTool",
       "EnterPlanMode", "ExitPlanMode",
-      "Bash(git diff*)", "Bash(git log*)", "Bash(git show*)", "Bash(gh pr *)",
+      "Bash(git diff*)", "Bash(git log*)", "Bash(git show*)",
+      "Bash(gh pr view*)", "Bash(gh pr diff*)", "Bash(gh pr comment *)",
     ]) {
       expect(tools).toContain(tool);
     }