githubnext · pelikhan · Nov 7, 2025 · Nov 7, 2025 · Nov 7, 2025 · Nov 7, 2025
diff --git a/pkg/workflow/strict_mode.go b/pkg/workflow/strict_mode.go
@@ -35,7 +35,6 @@ package workflow
 //  1. validateStrictPermissions() - Refuses write permissions on sensitive scopes
 //  2. validateStrictNetwork() - Requires explicit network configuration
 //  3. validateStrictMCPNetwork() - Requires network config on custom MCP servers
-//  4. validateStrictBashTools() - Refuses bash wildcard tools ("*" and ":*")
 //
 // Note: Strict mode also affects zizmor security scanner behavior (see pkg/cli/zizmor.go)
 // When zizmor is enabled with --zizmor flag, strict mode will treat any security
@@ -60,10 +59,5 @@ func (c *Compiler) validateStrictMode(frontmatter map[string]any, networkPermiss
 		return err
 	}
 
-	// 4. Refuse bash wildcard tools ("*" and ":*")
-	if err := c.validateStrictBashTools(frontmatter); err != nil {
-		return err
-	}
-
 	return nil
 }
diff --git a/pkg/workflow/strict_mode_test.go b/pkg/workflow/strict_mode_test.go
@@ -486,7 +486,7 @@ network:
 			expectError: false,
 		},
 		{
-			name: "bash wildcard star refused in strict mode",
+			name: "bash wildcard star allowed in strict mode",
 			content: `---
 on: push
 permissions:
@@ -503,11 +503,10 @@ network:
 ---
 
 # Test Workflow`,
-			expectError: true,
-			errorMsg:    "strict mode: bash wildcard '*' is not allowed - use specific commands instead",
+			expectError: false,
 		},
 		{
-			name: "bash wildcard colon-star refused in strict mode",
+			name: "bash wildcard colon-star allowed in strict mode",
 			content: `---
 on: push
 permissions:
@@ -524,11 +523,10 @@ network:
 ---
 
 # Test Workflow`,
-			expectError: true,
-			errorMsg:    "strict mode: bash wildcard ':*' is not allowed - use specific commands instead",
+			expectError: false,
 		},
 		{
-			name: "bash wildcard star mixed with commands refused in strict mode",
+			name: "bash wildcard star mixed with commands allowed in strict mode",
 			content: `---
 on: push
 permissions:
@@ -545,8 +543,7 @@ network:
 ---
 
 # Test Workflow`,
-			expectError: true,
-			errorMsg:    "strict mode: bash wildcard '*' is not allowed - use specific commands instead",
+			expectError: false,
 		},
 		{
 			name: "bash command wildcards like git:* are allowed in strict mode",

diff --git a/pkg/workflow/validation_strict_mode.go b/pkg/workflow/validation_strict_mode.go
@@ -12,7 +12,6 @@
 //  1. validateStrictPermissions() - Refuses write permissions on sensitive scopes
 //  2. validateStrictNetwork() - Requires explicit network configuration
 //  3. validateStrictMCPNetwork() - Requires network config on custom MCP servers
-//  4. validateStrictBashTools() - Refuses bash wildcard tools ("*" and ":*")
 //
 // # Integration with Security Scanners
 //
@@ -119,45 +118,3 @@ func (c *Compiler) validateStrictMCPNetwork(frontmatter map[string]any) error {
 
 	return nil
 }
-
-// validateStrictBashTools refuses bash wildcard tools ("*" and ":*")
-func (c *Compiler) validateStrictBashTools(frontmatter map[string]any) error {
-	// Check tools section
-	toolsValue, exists := frontmatter["tools"]
-	if !exists {
-		return nil
-	}
-
-	toolsMap, ok := toolsValue.(map[string]any)
-	if !ok {
-		return nil
-	}
-
-	// Check bash tool for wildcards
-	bashValue, hasBash := toolsMap["bash"]
-	if !hasBash {
-		return nil
-	}
-
-	// Check if bash is an array of commands
-	bashCommands, ok := bashValue.([]any)
-	if !ok {
-		// If bash is not an array (e.g., true, null, or object), it's allowed in strict mode
-		return nil
-	}
-
-	// Check for wildcard patterns in bash commands
-	for _, cmd := range bashCommands {
-		cmdStr, ok := cmd.(string)
-		if !ok {
-			continue
-		}
-
-		// Refuse "*" and ":*" wildcards
-		if cmdStr == "*" || cmdStr == ":*" {
-			return fmt.Errorf("strict mode: bash wildcard '%s' is not allowed - use specific commands instead", cmdStr)
-		}
-	}
-
-	return nil
-}