githubnext · pelikhan · Nov 7, 2025 · Nov 7, 2025
diff --git a/docs/src/content/docs/guides/security.md b/docs/src/content/docs/guides/security.md
@@ -268,13 +268,13 @@ tools:
   github:
     allowed: [get_issue, add_issue_comment]
 
-# Restricted bash (avoid wildcards)
+# Specific bash commands (recommended for security)
 engine: claude
 tools:
   edit:
   bash: ["echo", "git status"]
 
-# Avoid: ["*"] or [":*"] (too broad)
+# Consider carefully: ["*"] or [":*"] (unrestricted access)
 ```
 
 #### Egress Filtering

diff --git a/docs/src/content/docs/reference/tools.md b/docs/src/content/docs/reference/tools.md
@@ -55,7 +55,7 @@ bash: ["git:*"]                   # All git commands
 bash: ["npm:*", "echo", "ls"]     # Mix of wildcards and specific commands
 ```
 
-- `:*` or `*`: All commands (Copilot uses `--allow-all-tools`; refused in strict mode)
+- `:*` or `*`: All commands (Copilot uses `--allow-all-tools`)
 - `command:*`: All invocations of a specific command (e.g., `git:*` allows `git add`, `git commit`, etc.)
 
 ## Web Fetch Tool (`web-fetch:`)

diff --git a/docs/src/content/docs/tools/cli.md b/docs/src/content/docs/tools/cli.md
@@ -72,13 +72,18 @@ gh aw add githubnext/agentics/ci-doctor --number 3  # Create 3 copies
 gh aw add githubnext/agentics/ci-doctor --append "Extra content"  # Append custom content
 gh aw add githubnext/agentics/ci-doctor --no-gitattributes  # Skip .gitattributes update
 
+# Add multiple workflows with wildcards
+gh aw add "githubnext/agentics/ci-*"  # Add all CI workflows
+
 # Remove workflows
 gh aw remove WorkflowName
 gh aw remove WorkflowName --keep-orphans  # Keep shared includes
 ```
 
 **Automatic .gitattributes Configuration:** The `add` command automatically updates `.gitattributes` to mark `.lock.yml` files as generated. Use `--no-gitattributes` to disable.
 
+**Workflow Discovery:** When a workflow is not found, the `add` command displays a formatted table of available workflows with their IDs, names, and descriptions to help you find the correct workflow. When adding workflows with wildcards that match existing workflows, the command emits warnings instead of errors and continues processing.
+
 **Workflow Updates:**
 
 ```bash wrap

diff --git a/docs/src/content/docs/troubleshooting/errors.md b/docs/src/content/docs/troubleshooting/errors.md
@@ -899,52 +899,6 @@ mcp-servers:
       Authorization: "Bearer ${{ secrets.API_TOKEN }}"
 ```
 
-### Strict Mode Bash Wildcard Not Allowed
-
-**Error Message:**
-```
-strict mode: bash wildcard '*' is not allowed - use specific commands instead
-```
-
-**Cause:** The workflow uses bash wildcard `*` or `:*` when compiled with `--strict` flag.
-
-**Solution:** Replace wildcards with specific command allowlists:
-
-```yaml wrap
-# Incorrect
-tools:
-  bash:
-    - "*"
-
-# Correct - specify exact commands
-tools:
-  bash:
-    - "git status"
-    - "git diff"
-    - "npm test"
-    - "ls -la"
-```
-
-**Example:** Complete workflow with specific bash commands:
-
-```aw wrap
----
-on: push
-permissions:
-  contents: read
-network: defaults
-tools:
-  bash:
-    - "git --no-pager status"
-    - "git --no-pager diff"
-    - "npm run lint"
----
-
-# Code Check
-
-Run specific bash commands for validation.
-```
-
 ### Strict Mode Custom MCP Server Requires Network Configuration
 
 **Error Message:**