diff --git a/docs/src/content/docs/guides/security.md b/docs/src/content/docs/guides/security.md index 14a6f55c1a..701fdaa482 100644 --- a/docs/src/content/docs/guides/security.md +++ b/docs/src/content/docs/guides/security.md @@ -268,13 +268,13 @@ tools: github: allowed: [get_issue, add_issue_comment] -# Restricted bash (avoid wildcards) +# Specific bash commands (recommended for security) engine: claude tools: edit: bash: ["echo", "git status"] -# Avoid: ["*"] or [":*"] (too broad) +# Consider carefully: ["*"] or [":*"] (unrestricted access) ``` #### Egress Filtering diff --git a/docs/src/content/docs/reference/tools.md b/docs/src/content/docs/reference/tools.md index 26ae5f369f..4498fcd8cb 100644 --- a/docs/src/content/docs/reference/tools.md +++ b/docs/src/content/docs/reference/tools.md @@ -55,7 +55,7 @@ bash: ["git:*"] # All git commands bash: ["npm:*", "echo", "ls"] # Mix of wildcards and specific commands ``` -- `:*` or `*`: All commands (Copilot uses `--allow-all-tools`; refused in strict mode) +- `:*` or `*`: All commands (Copilot uses `--allow-all-tools`) - `command:*`: All invocations of a specific command (e.g., `git:*` allows `git add`, `git commit`, etc.) ## Web Fetch Tool (`web-fetch:`) diff --git a/docs/src/content/docs/tools/cli.md b/docs/src/content/docs/tools/cli.md index 6821adcb23..0cb4aa0ae3 100644 --- a/docs/src/content/docs/tools/cli.md +++ b/docs/src/content/docs/tools/cli.md @@ -72,6 +72,9 @@ gh aw add githubnext/agentics/ci-doctor --number 3 # Create 3 copies gh aw add githubnext/agentics/ci-doctor --append "Extra content" # Append custom content gh aw add githubnext/agentics/ci-doctor --no-gitattributes # Skip .gitattributes update +# Add multiple workflows with wildcards +gh aw add "githubnext/agentics/ci-*" # Add all CI workflows + # Remove workflows gh aw remove WorkflowName gh aw remove WorkflowName --keep-orphans # Keep shared includes 
@@ -79,6 +82,8 @@ gh aw remove WorkflowName --keep-orphans # Keep shared includes **Automatic .gitattributes Configuration:** The `add` command automatically updates `.gitattributes` to mark `.lock.yml` files as generated. Use `--no-gitattributes` to disable. +**Workflow Discovery:** When a workflow is not found, the `add` command displays a formatted table of available workflows with their IDs, names, and descriptions to help you find the correct workflow. When adding workflows with wildcards that match existing workflows, the command emits warnings instead of errors and continues processing. + **Workflow Updates:** ```bash wrap diff --git a/docs/src/content/docs/troubleshooting/errors.md b/docs/src/content/docs/troubleshooting/errors.md index 7584c974f0..3a3c15bff5 100644 --- a/docs/src/content/docs/troubleshooting/errors.md +++ b/docs/src/content/docs/troubleshooting/errors.md @@ -899,52 +899,6 @@ mcp-servers: Authorization: "Bearer ${{ secrets.API_TOKEN }}" ``` -### Strict Mode Bash Wildcard Not Allowed - -**Error Message:** -``` -strict mode: bash wildcard '*' is not allowed - use specific commands instead -``` - -**Cause:** The workflow uses bash wildcard `*` or `:*` when compiled with `--strict` flag. - -**Solution:** Replace wildcards with specific command allowlists: - -```yaml wrap -# Incorrect -tools: - bash: - - "*" - -# Correct - specify exact commands -tools: - bash: - - "git status" - - "git diff" - - "npm test" - - "ls -la" -``` - -**Example:** Complete workflow with specific bash commands: - -```aw wrap ---- -on: push -permissions: - contents: read -network: defaults -tools: - bash: - - "git --no-pager status" - - "git --no-pager diff" - - "npm run lint" ---- - -# Code Check - -Run specific bash commands for validation. -``` - ### Strict Mode Custom MCP Server Requires Network Configuration **Error Message:**
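Review bot: In docs/src/content/docs/guides/security.md, the replacement comment `# Consider carefully: ["*"] or [":*"] (unrestricted access)` tells the reader to think, but not about what. The old line said "Avoid", which was actionable. If the softer wording is intended, state the consequence in the comment itself (either form allows the agent to run any bash command) and say when that is acceptable, so that the guide's example still steers readers to the explicit list `bash: ["echo", "git status"]` by default.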
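Review bot: In docs/src/content/docs/reference/tools.md, removing "refused in strict mode" from the `:*` or `*` bullet leaves the reference silent on how strict mode treats bash wildcards. Readers who relied on that sentence will not learn from this page that the statement no longer holds. Suggest replacing the removed clause with an explicit statement of the current behaviour, or a link to the security guide's bash guidance, rather than dropping it without a trace.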
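Review bot: In docs/src/content/docs/tools/cli.md, the new example `gh aw add "githubnext/agentics/ci-*"` depends on its quotes, and the comment above it does not say so. Unquoted, the shell may attempt to expand `ci-*` itself before `gh` receives the argument. Suggest extending the comment to say that the pattern must be quoted. Since one command now adds every matching workflow from the source repository, the docs should also tell the user how to see which workflows matched before committing them.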
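Review bot: In the second docs/src/content/docs/tools/cli.md hunk, the sentence "the command emits warnings instead of errors and continues processing" does not say what happens to the workflow that already exists. Please document whether an existing workflow is skipped or overwritten when a wildcard matches it. Also document whether the exit status is still zero when warnings were emitted, since scripts calling `gh aw add` with a wildcard will depend on both.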
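Review bot: In docs/src/content/docs/troubleshooting/errors.md, deleting the whole "Strict Mode Bash Wildcard Not Allowed" section also deletes the worked example of replacing `"*"` with an explicit command list (`"git status"`, `"git diff"`, `"npm test"`). That example is useful regardless of whether the error is still raised. Suggest moving it to the security guide next to the "Specific bash commands (recommended for security)" snippet. Anyone who still sees `strict mode: bash wildcard '*' is not allowed` from an older build will find no entry for it, so a one-line note saying the error was removed would help.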