Mirror: Fixes broken /slash-commands after continue or interrupted tool-use (#5752) #28

Merged: jeremylongshore merged 3 commits into main from mirror/PR-5752 on Feb 15, 2026

@jeremylongshore (Owner)

Mirror of upstream PR #5752

Verdict: APPROVE | Tier 5

Review: kilocode-5752-review.md

@coderabbitai
coderabbitai Bot commented Feb 15, 2026

Warning

Rate limit exceeded

@jeremylongshore has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 29 minutes and 25 seconds before requesting another review.

@gemini-code-assist

Summary of Changes

Hello @jeremylongshore, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical bug preventing slash commands from being correctly interpreted within tool interaction results, ensuring that user commands are consistently processed regardless of their context. It also significantly improves the responsiveness of the client-server interaction by implementing automatic capability refreshes based on Model Context Protocol notifications for changes in tools, resources, and prompts. Furthermore, the handling of unacknowledged notifications has been refined to provide a less intrusive experience for the user.

Highlights

  • Fixes Slash Commands in Tool Results: Resolved an issue where /slash-commands were not processed within tool_result blocks, leading to ignored commands when users interacted with tools. A new helper function processTextContent now ensures consistent processing of both mentions and slash commands across text and tool_result blocks.
  • Enhanced MCP Notification Handling: The Model Context Protocol (MCP) NotificationService now actively listens for ResourceListChangedNotificationSchema, ToolListChangedNotificationSchema, and PromptListChangedNotificationSchema. Upon receiving these, it triggers an automatic refresh of server capabilities, ensuring the client's view of available tools and resources is always up-to-date.
  • Improved Fallback Notification Logging: Unhandled MCP notifications are now logged silently to the console instead of being displayed as VS Code information messages, reducing unnecessary user-facing pop-ups and improving the user experience.

Changelog

  • .beads/.local_version
    • Added the local version string 0.49.1.
  • .beads/beads.left.meta.json
    • Added metadata including version, timestamp, and commit hash.
  • .beads/daemon.lock
    • Added a daemon lock file containing process details.
  • .beads/daemon.pid
    • Added the daemon process ID.
  • .beads/last-touched
    • Added a file indicating the last touched identifier.
  • .beads/metadata.json
    • Added database and JSONL export configuration.
  • .beads/sync-state.json
    • Added synchronization state details, including failure information.
  • .changeset/free-toes-hammer.md
    • Added a changeset entry detailing the fix for slash command processing in tool_result blocks.
  • src/core/mentions/__tests__/processKiloUserContentMentions.spec.ts
    • Added regression tests for slash command processing within tool_result blocks.
  • src/core/mentions/processKiloUserContentMentions.ts
    • Refactored content processing logic to ensure slash commands are handled in tool_result blocks.
  • src/services/mcp/McpHub.ts
    • Updated the MCP client connection to include a callback for refreshing server capabilities.
  • src/services/mcp/kilocode/NotificationService.ts
    • Enhanced notification handling to refresh capabilities on list changes and log unhandled notifications silently.
  • src/services/mcp/kilocode/__tests__/NotificationService.spec.ts
    • Added unit tests for the MCP notification service, covering various notification types and callback scenarios.

Ignored Files

  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/auto-triage.yml

@qodo-code-review

Review Summary by Qodo

Fix slash commands in tool_result blocks and add MCP capability refresh handlers

🐞 Bug fix ✨ Enhancement 🧪 Tests

Walkthroughs

Description
• Fix slash commands in tool_result blocks by applying parseKiloSlashCommands processing
• Add MCP capability refresh handlers for resource, tool, and prompt list changes
• Refactor text processing into reusable helper function for consistency
• Add comprehensive test coverage for NotificationService and slash command regression
Diagram
```mermaid
flowchart LR
  A["tool_result blocks"] -->|processTextContent| B["parseMentions"]
  B -->|output| C["parseKiloSlashCommands"]
  C -->|processedText| D["Updated content"]
  E["MCP notifications"] -->|ResourceListChanged| F["Refresh capabilities"]
  E -->|ToolListChanged| F
  E -->|PromptListChanged| F
  F -->|callback| G["fetchAvailableServerCapabilities"]
```

File Changes

1. src/core/mentions/processKiloUserContentMentions.ts 🐞 Bug fix +51/-38
   Extract text processing into reusable helper function

2. src/core/mentions/__tests__/processKiloUserContentMentions.spec.ts 🧪 Tests +191/-0
   Add regression tests for slash commands in tool_result

3. src/services/mcp/kilocode/NotificationService.ts ✨ Enhancement +56/-4
   Add handlers for MCP capability list change notifications

4. src/services/mcp/kilocode/__tests__/NotificationService.spec.ts 🧪 Tests +346/-0
   Add comprehensive test coverage for NotificationService

5. src/services/mcp/McpHub.ts ✨ Enhancement +6/-1
   Pass refresh callback to notification service connect method

6. .changeset/free-toes-hammer.md 📝 Documentation +14/-0
   Document slash command processing fix in changelog

7. .github/workflows/auto-triage.yml ⚙️ Configuration changes +126/-0
   Add GitHub Action for automatic issue and PR triage

8. .beads/beads.db-shm Miscellaneous +0/-0
   Update beads database shared memory file

9. .beads/sync-state.json Miscellaneous +7/-0
   Add beads sync state tracking file

10. .beads/metadata.json Miscellaneous +4/-0
    Add beads metadata configuration

11. .beads/.local_version Miscellaneous +1/-0
    Add beads local version file

12. .beads/last-touched Miscellaneous +1/-0
    Add beads last-touched tracking file

13. .beads/daemon.pid Miscellaneous +1/-0
    Add beads daemon process ID file

14. .beads/beads.db-wal Additional files +0/-0
    ...

15. .beads/beads.left.jsonl Additional files +0/-0
    ...

16. .beads/beads.left.meta.json Additional files +1/-0
    ...

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request successfully fixes a bug where slash commands within tool_result blocks were being ignored. The fix is well-implemented by introducing a processTextContent helper function to consolidate mention and slash command processing, which is then applied to both text and tool_result blocks. The addition of a comprehensive regression test is a great way to ensure this issue doesn't reappear.

Additionally, the pull request enhances the Model Context Protocol (MCP) notification handling by adding support for dynamic capability refreshing when a server's tools, resources, or prompts change. The implementation is solid and includes thorough testing. I've noted a minor opportunity to reduce code duplication in the new notification handlers. The change to silently log unhandled notifications instead of displaying them to the user is also a welcome UX improvement.

Comment on lines +55 to +83
```typescript
// Handle resource list changes - refresh capabilities silently
client.setNotificationHandler(ResourceListChangedNotificationSchema, async () => {
	console.log(`MCP ${name}: resources list changed, refreshing capabilities`)
	try {
		await onRefreshCapabilities?.(name)
	} catch (error) {
		console.error(`MCP ${name}: failed to refresh capabilities after resource list change:`, error)
	}
})

// Handle tool list changes - refresh capabilities silently
client.setNotificationHandler(ToolListChangedNotificationSchema, async () => {
	console.log(`MCP ${name}: tools list changed, refreshing capabilities`)
	try {
		await onRefreshCapabilities?.(name)
	} catch (error) {
		console.error(`MCP ${name}: failed to refresh capabilities after tool list change:`, error)
	}
})

// Handle prompt list changes - refresh capabilities silently
client.setNotificationHandler(PromptListChangedNotificationSchema, async () => {
	console.log(`MCP ${name}: prompts list changed, refreshing capabilities`)
	try {
		await onRefreshCapabilities?.(name)
	} catch (error) {
		console.error(`MCP ${name}: failed to refresh capabilities after prompt list change:`, error)
	}
})
```

medium

The notification handlers for ResourceListChanged, ToolListChanged, and PromptListChanged are nearly identical. To improve maintainability and reduce code duplication, you could extract this logic into a helper function.

Suggested change

```diff
-// Handle resource list changes - refresh capabilities silently
-client.setNotificationHandler(ResourceListChangedNotificationSchema, async () => {
-	console.log(`MCP ${name}: resources list changed, refreshing capabilities`)
-	try {
-		await onRefreshCapabilities?.(name)
-	} catch (error) {
-		console.error(`MCP ${name}: failed to refresh capabilities after resource list change:`, error)
-	}
-})
-// Handle tool list changes - refresh capabilities silently
-client.setNotificationHandler(ToolListChangedNotificationSchema, async () => {
-	console.log(`MCP ${name}: tools list changed, refreshing capabilities`)
-	try {
-		await onRefreshCapabilities?.(name)
-	} catch (error) {
-		console.error(`MCP ${name}: failed to refresh capabilities after tool list change:`, error)
-	}
-})
-// Handle prompt list changes - refresh capabilities silently
-client.setNotificationHandler(PromptListChangedNotificationSchema, async () => {
-	console.log(`MCP ${name}: prompts list changed, refreshing capabilities`)
-	try {
-		await onRefreshCapabilities?.(name)
-	} catch (error) {
-		console.error(`MCP ${name}: failed to refresh capabilities after prompt list change:`, error)
-	}
-})
+const createRefreshHandler = (capabilityType: "resources" | "tools" | "prompts") => {
+	return async () => {
+		console.log(`MCP ${name}: ${capabilityType} list changed, refreshing capabilities`)
+		try {
+			await onRefreshCapabilities?.(name)
+		} catch (error) {
+			console.error(`MCP ${name}: failed to refresh capabilities after ${capabilityType} list change:`, error)
+		}
+	}
+}
+// Handle resource list changes - refresh capabilities silently
+client.setNotificationHandler(ResourceListChangedNotificationSchema, createRefreshHandler("resources"))
+// Handle tool list changes - refresh capabilities silently
+client.setNotificationHandler(ToolListChangedNotificationSchema, createRefreshHandler("tools"))
+// Handle prompt list changes - refresh capabilities silently
+client.setNotificationHandler(PromptListChangedNotificationSchema, createRefreshHandler("prompts"))
```

@github-actions

Failed to generate code suggestions for PR

@jeremylongshore jeremylongshore merged commit 8792d20 into main Feb 15, 2026
11 of 15 checks passed
@qodo-code-review

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (2) 📎 Requirement gaps (0)

Action required

1. Unmarked processTextContent changes 📘 Rule violation ⛯ Reliability
Description
New upstream-shared src/ changes were added without clear kilocode_change markers, increasing
the risk of future upstream sync merge conflicts. This makes it harder to identify and reconcile
Kilo-specific diffs during periodic mirrors.
Code

src/core/mentions/processKiloUserContentMentions.ts[R12-15]

+import { ClineRulesToggles } from "../../shared/cline-rules"

// This function is a duplicate of processUserContentMentions, but it adds a check for the newrules command
// and processes Kilo-specific slash commands. It should be merged with processUserContentMentions in the future.
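
Review bot: The added import on the first line of this hunk carries no `kilocode_change` marker, and the comment two lines below it says this function duplicates processUserContentMentions and should be merged with it later. Put the marker on the import line so the next upstream sync can tell the Kilo-only line apart, and extend that comment to say which behaviour (the newrules check and the Kilo-specific slash commands) has to survive the merge.
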
Evidence
The checklist requires kilocode_change markers for modifications in upstream-shared src/ files.
The PR adds a new import and a new helper (processTextContent) without explicit kilocode_change
begin/end (or per-line) markers on the added code.

AGENTS.md
src/core/mentions/processKiloUserContentMentions.ts[11-12]
src/core/mentions/processKiloUserContentMentions.ts[45-72]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
New changes in an upstream-shared `src/` file were introduced without clear `kilocode_change` markers, which can increase merge conflict risk during upstream sync.

## Issue Context
This repo periodically mirrors/syncs from upstream (Roo Code). The compliance rule requires marking Kilo-specific edits in upstream-shared directories using documented `kilocode_change` marker forms.

## Fix Focus Areas
- src/core/mentions/processKiloUserContentMentions.ts[11-72]


2. NotificationService logs raw notifications 📘 Rule violation ⛨ Security
Description
The new MCP notification handlers log unstructured messages and, in the fallback handler, log the
full notification object which may include sensitive user/tool data. This violates secure logging
requirements and can leak sensitive information into extension logs.
Code

src/services/mcp/kilocode/NotificationService.ts[R55-89]

+		// Handle resource list changes - refresh capabilities silently
+		client.setNotificationHandler(ResourceListChangedNotificationSchema, async () => {
+			console.log(`MCP ${name}: resources list changed, refreshing capabilities`)
+			try {
+				await onRefreshCapabilities?.(name)
+			} catch (error) {
+				console.error(`MCP ${name}: failed to refresh capabilities after resource list change:`, error)
+			}
+		})
+
+		// Handle tool list changes - refresh capabilities silently
+		client.setNotificationHandler(ToolListChangedNotificationSchema, async () => {
+			console.log(`MCP ${name}: tools list changed, refreshing capabilities`)
+			try {
+				await onRefreshCapabilities?.(name)
+			} catch (error) {
+				console.error(`MCP ${name}: failed to refresh capabilities after tool list change:`, error)
+			}
+		})
+
+		// Handle prompt list changes - refresh capabilities silently
+		client.setNotificationHandler(PromptListChangedNotificationSchema, async () => {
+			console.log(`MCP ${name}: prompts list changed, refreshing capabilities`)
+			try {
+				await onRefreshCapabilities?.(name)
+			} catch (error) {
+				console.error(`MCP ${name}: failed to refresh capabilities after prompt list change:`, error)
+			}
+		})
+
+		// Fallback for any other unhandled notifications - log silently, don't notify user
+		// This prevents raw JSON-RPC messages from being displayed as VS Code notifications
		client.fallbackNotificationHandler = async (notification) => {
-			vscode.window.showInformationMessage(`MCP ${name}: ${JSON.stringify(notification)}`)
+			console.log(`MCP ${name}: unhandled notification`, notification)
		}
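
Review bot: In the fallback handler at the end of this hunk, the new `console.log(`MCP ${name}: unhandled notification`, notification)` writes the whole server-supplied object to the extension log, so whatever a connected MCP server puts in a notification payload is recorded verbatim. Log the notification's method plus a key or size summary instead of the object itself. Separately, each of the three list-changed handlers awaits `onRefreshCapabilities?.(name)` once per notification with no coalescing, so a server that sends these notifications in a burst triggers one refresh per message; a short per-server debounce would bound that.
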
Evidence
The compliance checklist forbids sensitive data in logs and requires logs to be structured; logging
whole notification objects (and errors) can include sensitive payloads and is not structured. The
added code uses console.log/console.error and logs the entire unhandled notification payload.

Rule 5: Generic: Secure Logging Practices
src/services/mcp/kilocode/NotificationService.ts[55-62]
src/services/mcp/kilocode/NotificationService.ts[85-89]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`NotificationService` logs unstructured strings and logs raw notification objects (`notification`) and raw `error` objects. This can leak sensitive tool/user payloads into logs and makes auditing harder.

## Issue Context
MCP notifications may contain user/tool data. Compliance requires logs to be structured and contain no sensitive data at any log level.

## Fix Focus Areas
- src/services/mcp/kilocode/NotificationService.ts[55-89]


3. Committed .beads artifacts 🐞 Bug ⛯ Reliability
Description
The PR adds a .beads/ runtime state directory (PID, sync state, sqlite metadata/db files), which
is machine-specific and will cause repo bloat, constant churn, and potential leakage of local
state/errors. These files should not be versioned and should be removed from the PR and ignored.
Code

.beads/sync-state.json[R1-7]

+{
+  "last_failure": "2026-02-14T20:42:41.363720889-06:00",
+  "failure_count": 7,
+  "backoff_until": "2026-02-14T21:12:41.36372132-06:00",
+  "needs_manual_sync": true,
+  "failure_reason": "git pull failed: exit status 1\nfatal: couldn't find remote ref review/PR-5667\n"
+}
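
Review bot: `failure_reason` in this file embeds raw git output, including the ref name `review/PR-5667`, and the remaining fields are timestamps and counters from one machine's sync state, so none of it is source. Drop the file from the commit and add `.beads/` to the ignore rules so local sync state and error text stop reaching the repository.
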
Evidence
.beads contains ephemeral runtime state: a daemon PID, a sqlite-backed database reference, and a
failure/backoff state including a git error string; this is not deterministic source content and
will differ per machine/run. Another part of the repo already ignores .beads/, strongly indicating
it is intended to be local-only.

.beads/sync-state.json[1-7]
.beads/metadata.json[1-4]
.beads/daemon.pid[1-1]
apps/kilocode-docs/.gitignore[1-10]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The PR commits local/runtime `.beads/` artifacts (PID, sync-state, sqlite db-related files). These should not be tracked in git.

### Issue Context
`.beads/` contains non-deterministic state (timestamps/backoff, local PID, git error strings) and references a local sqlite database.

### Fix Focus Areas
- .gitignore[1-90]
- .beads/sync-state.json[1-7]
- .beads/metadata.json[1-4]
- .beads/daemon.pid[1-1]

4. Broad gh edit allowlist 🐞 Bug ⛨ Security
Description
The new auto-triage workflow enables auto-approved command execution and allowlists `gh issue
edit/gh pr edit` as prefixes, which permits arbitrary additional arguments to be auto-approved.
This creates a prompt-injection risk where untrusted issue/PR content could steer the agent into
executing unintended GitHub edits.
Code

.github/workflows/auto-triage.yml[R40-43]

+          KILO_AUTO_APPROVAL_ENABLED: "true"
+          KILO_AUTO_APPROVAL_EXECUTE_ENABLED: "true"
+          KILO_AUTO_APPROVAL_EXECUTE_ALLOWED: "gh issue edit,gh pr edit"
+          KILO_AUTO_APPROVAL_EXECUTE_DENIED: "gh issue close,gh issue delete,gh issue transfer,gh issue lock,gh issue unlock,gh pr close,gh pr merge,gh repo,gh auth,gh secret,gh variable,rm,sudo,curl,wget,bash,sh,python,node,npm,npx"
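
Review bot: `KILO_AUTO_APPROVAL_EXECUTE_ALLOWED: "gh issue edit,gh pr edit"` approves the whole `edit` subcommand, which covers far more than labelling, and the `KILO_AUTO_APPROVAL_EXECUTE_DENIED` line is a list of names that only blocks what someone remembered to write down. With `KILO_AUTO_APPROVAL_EXECUTE_ENABLED` set to "true", narrow the allowed entries to the exact label operations the triage job needs and treat that allowlist, not the deny list, as the boundary.
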
Evidence
The workflow explicitly enables command execution and allowlists broad command prefixes. In the CLI,
allowed commands are matched via prefix (“hierarchical match”) and any match is auto-approved,
meaning gh issue edit ... <anything> will pass the allowlist once gh issue edit is allowed.

.github/workflows/auto-triage.yml[33-53]
cli/src/services/approvalDecision.ts[28-60]
cli/src/services/approvalDecision.ts[171-235]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Auto-triage enables `KILO_AUTO_APPROVAL_EXECUTE_ENABLED` and allowlists broad command prefixes (`gh issue edit`, `gh pr edit`). The CLI’s allowlist uses prefix matching, so any additional arguments are auto-approved, creating a prompt-injection avenue.

### Issue Context
The job runs on `issues.opened` and `pull_request.opened`, meaning untrusted user-controlled content is included in the model prompt.

### Fix Focus Areas
- .github/workflows/auto-triage.yml[30-126]
- cli/src/services/approvalDecision.ts[28-60]
- cli/src/services/approvalDecision.ts[171-235]


Remediation recommended

5. Unpinned CLI install 🐞 Bug ⛯ Reliability
Description
The workflow installs @kilocode/cli without pinning a version, making CI behavior non-reproducible
and increasing exposure to supply-chain/regression risk. Pin the CLI version (or use a
lockfile-based install) for repeatable builds.
Code

.github/workflows/auto-triage.yml[R30-31]

+      - name: Install Kilo Code CLI
+        run: npm install -g @kilocode/cli
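
Review bot: `npm install -g @kilocode/cli` on the second line of this hunk resolves to whatever version is latest when the job runs, so two runs of the same workflow file can execute different code. Pin an exact version, for example `npm install -g @kilocode/cli@<pinned-version>`, and bump it in a reviewed commit.
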
Evidence
The workflow uses a floating npm install -g @kilocode/cli, which will pull whatever the current
latest published version is at runtime.

.github/workflows/auto-triage.yml[30-33]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The workflow installs `@kilocode/cli` from npm without a version pin.

### Issue Context
Unpinned installs can change behavior over time and can break or alter automation unexpectedly.

### Fix Focus Areas
- .github/workflows/auto-triage.yml[30-33]
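
For finding 2 above (raw notification objects in logs), one way to log an unhandled MCP notification as a structured record that carries the method and the parameter key names but never the values. This is an added example, not code from NotificationService.ts; `summarizeNotification`, `safeField`, `toLogLine`, the record shape and both sample notifications are assumptions made for illustration.

```typescript
// Added example: hypothetical helpers, not part of the PR or of NotificationService.ts.

type UnhandledNotificationRecord = {
	event: "mcp.unhandled_notification"
	server: string
	method: string
	paramKeys: string[]
	payloadChars: number // -1 when the payload cannot be serialized
}

const MAX_FIELD_CHARS = 64
const MAX_PARAM_KEYS = 16

// Replace control characters (CR/LF included, so a server cannot forge extra
// log lines) and bound the length of anything that came from the server.
function safeField(value: unknown): string {
	if (typeof value !== "string") return "<non-string>"
	const cleaned = value.replace(/[\u0000-\u001f\u007f]/g, "?")
	return cleaned.length > MAX_FIELD_CHARS ? cleaned.slice(0, MAX_FIELD_CHARS) + "..." : cleaned
}

// Build the record: key names and a size only, never parameter values.
function summarizeNotification(
	server: string,
	notification: { method?: unknown; params?: unknown },
): UnhandledNotificationRecord {
	const params = notification.params
	const keys =
		typeof params === "object" && params !== null && !Array.isArray(params) ? Object.keys(params) : []
	let payloadChars = 0
	try {
		const json: string | undefined = JSON.stringify(params)
		payloadChars = json === undefined ? 0 : json.length
	} catch {
		payloadChars = -1 // e.g. circular structure
	}
	return {
		event: "mcp.unhandled_notification",
		server: safeField(server),
		method: safeField(notification.method),
		paramKeys: keys.slice(0, MAX_PARAM_KEYS).map(safeField).sort(),
		payloadChars,
	}
}

// One JSON object per line, suitable for a structured log sink.
function toLogLine(record: UnhandledNotificationRecord): string {
	return JSON.stringify(record)
}

// Constructed sample notifications (not captured from a real server).
const SAMPLE_WITH_SECRET = {
	method: "notifications/example/custom",
	params: { level: "info", data: "token=EXAMPLE-NOT-A-REAL-SECRET" },
}
const SAMPLE_WITH_NEWLINE = {
	method: "notifications/x\nMCP trusted-server: ok",
	params: undefined,
}

console.log(toLogLine(summarizeNotification("example-server", SAMPLE_WITH_SECRET)))
console.log(toLogLine(summarizeNotification("example-server", SAMPLE_WITH_NEWLINE)))
```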


@jeremylongshore jeremylongshore deleted the mirror/PR-5752 branch February 15, 2026 03:12
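
For finding 4 in the Qodo review above (prefix-matched `gh issue edit` / `gh pr edit` allowlist), a comparison of a prefix match with an argument-level check that only lets label changes through. This is an added example, not the contents of cli/src/services/approvalDecision.ts: `prefixAllows` models the behaviour the review describes, and `strictAllows`, the label set and the sample commands are assumptions made for illustration.

```typescript
// Added example: hypothetical functions, not the project's approval logic.

// Value of KILO_AUTO_APPROVAL_EXECUTE_ALLOWED as quoted in the review.
const WORKFLOW_ALLOWED = "gh issue edit,gh pr edit".split(",")

// Prefix ("hierarchical") match: an entry approves itself and anything that
// follows it, so every flag after "gh issue edit" is approved too.
function prefixAllows(command: string, allowed: string[]): boolean {
	const cmd = command.trim()
	return allowed.some((entry) => cmd === entry || cmd.startsWith(entry + " "))
}

type Verdict = { approved: boolean; reason: string }
const deny = (reason: string): Verdict => ({ approved: false, reason })

// Assumed triage policy: only add or remove labels from a fixed set.
const ALLOWED_LABELS = new Set(["bug", "enhancement", "documentation", "needs-triage"])
const LABEL_FLAGS = new Set(["--add-label", "--remove-label"])
// Tokens may contain only these characters; quoting and shell syntax are rejected.
const PLAIN_TOKEN = /^[A-Za-z0-9_,-]+$/

// Argument-level check: gh (issue|pr) edit <number> followed by label flag/value pairs.
function strictAllows(command: string): Verdict {
	const tokens = command.trim().split(/\s+/)
	if (!tokens.every((t) => PLAIN_TOKEN.test(t))) return deny("token contains characters outside the plain set")
	const [bin, noun, verb, target, ...rest] = tokens
	if (bin !== "gh" || (noun !== "issue" && noun !== "pr") || verb !== "edit") {
		return deny("not gh issue edit / gh pr edit")
	}
	if (target === undefined || !/^[0-9]+$/.test(target)) return deny("target must be a numeric issue or PR id")
	if (rest.length === 0 || rest.length % 2 !== 0) return deny("expected one or more flag/value pairs")
	for (let i = 0; i < rest.length; i += 2) {
		const flag = rest[i] ?? ""
		const value = rest[i + 1] ?? ""
		if (!LABEL_FLAGS.has(flag)) return deny(`flag ${flag} is not a label operation`)
		for (const label of value.split(",")) {
			if (!ALLOWED_LABELS.has(label)) return deny(`label ${label} is not in the triage set`)
		}
	}
	return { approved: true, reason: "label-only edit" }
}

// Run both checks over a list of commands for side-by-side comparison.
function compare(commands: string[]): { command: string; prefix: boolean; strict: boolean }[] {
	return commands.map((command) => ({
		command,
		prefix: prefixAllows(command, WORKFLOW_ALLOWED),
		strict: strictAllows(command).approved,
	}))
}

// Constructed sample commands an agent might propose during triage.
const SAMPLE_COMMANDS = [
	"gh issue edit 42 --add-label bug",
	"gh pr edit 42 --add-label enhancement,documentation",
	"gh issue edit 42 --title Updated --body Rewritten",
	"gh pr edit 42 --base release",
	"gh issue edit 42 --add-label wontfix",
	"gh issue close 42",
]

for (const row of compare(SAMPLE_COMMANDS)) {
	console.log(`${row.prefix ? "prefix:approve" : "prefix:deny   "} ${row.strict ? "strict:approve" : "strict:deny   "} ${row.command}`)
}
```

The third, fourth and fifth samples are the gap: the prefix match approves them, while the argument-level check rejects everything that is not a label change from the fixed set.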