feat(add-github): polling mode, git access question, safe OneCLI secret merge#2301
Open
ira-at-work wants to merge 4 commits into
Open
feat(add-github): polling mode, git access question, safe OneCLI secret merge#2301ira-at-work wants to merge 4 commits into
ira-at-work wants to merge 4 commits into
Conversation
…CLI secret merge - Add Mode B (polling): no inbound port required, polls GitHub REST API every 30s. Includes the full polling adapter source embedded in the skill so operators without an exposed port can still use GitHub integration. - Add webhook security warning before Mode A proceeds, with explicit user confirmation step and recommendation to switch to polling. - Add git/gh access question (AskUserQuestion) before touching OneCLI: operators who only need issue/PR comments skip the section entirely, preventing accidental credential clobber. - Fix OneCLI secret assignment: replace bare `set-secrets` (which overwrites the full list) with a read-then-merge pattern that preserves existing secrets (e.g. the Anthropic API key) when adding GitHub PATs. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…, fix sender field and timestamp Three bugs discovered during live testing and fixed in the inline adapter code: - adapter sent `author:` (plain string) instead of `sender:` in message content, causing the sender resolver to return null, and senderScopeGate to block every inbound comment even when isMention=true - ISO string watermark comparison bug: '...10Z' > '...10.001Z' is true in JS because 'Z' > '.' in ASCII, so poll state never advanced; fixed with numeric Date.getTime() comparison and 1s advance instead of 1ms - isMention was only set for @-mention text; added fetchTriggerIssues() so the bot also auto-engages on issues/PRs it opened, is assigned to, or was requested to review Wiring section: added sender_scope='all' (required — GitHub commenters are not registered users, without this the router drops all inbound comments), changed engage_mode to 'mention-sticky' (follow-up comments in active threads work without re-mention), and added a Multi-channel agent groups section documenting the agent_destinations requirement. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ira-at-work
force-pushed
the
fix/add-github-skill-polling-safe-onecli
branch
from
94175e7 to
cae14a9
Compare
This was referenced May 30, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
git/ghaccess (clone, push,gh pr create) or just comment read/write. Operators who only need comments skip the OneCLI section entirely, preventing the credential clobber described below.onecli agents set-secretsreplaces the entire secret list — the previous skill ran it with only the GitHub PAT IDs, silently removing the Anthropic API key from any agent that already had one. Replaced with a read-then-merge pattern: read current list → combine → deduplicate → set.Test plan
/add-githubon a fresh install — verify polling mode works end-to-end (comment on an issue, agent replies)/add-githubon an agent that already has an Anthropic API key in OneCLI — verify the key is still present after choosing git access/add-githuband choose "comments only" — verify OneCLI is not touched at all/add-githuband choose webhook — verify security warning is shown and confirmation is required🤖 Generated with Claude Code