From 0052657e84d9a620c044bbf59942224db5f4442d Mon Sep 17 00:00:00 2001
From: mkorwel
Date: Wed, 11 Mar 2026 11:36:01 -0700
Subject: [PATCH] feat(skills): enrich async-pr-review policy with core unix and read-only git/gh commands
---
 .gemini/skills/async-pr-review/policy.toml | 111 ++++++++++++++++-----
 1 file changed, 87 insertions(+), 24 deletions(-)
diff --git a/.gemini/skills/async-pr-review/policy.toml b/.gemini/skills/async-pr-review/policy.toml
index a9671c30b2..fe400116ab 100644
--- a/.gemini/skills/async-pr-review/policy.toml
+++ b/.gemini/skills/async-pr-review/policy.toml
@@ -1,3 +1,4 @@
+# --- CORE TOOLS ---
 [[rule]]
 toolName = "read_file"
 decision = "allow"
@@ -28,60 +29,122 @@ toolName = "codebase_investigator"
 decision = "allow"
 priority = 100
+# --- SHELL COMMANDS ---
+
+# Git (Safe/Read-only)
 [[rule]]
 toolName = "run_shell_command"
 commandPrefix = [
- "ls",
- "find",
- "head",
- "cat",
- "echo",
- "cd",
- "grep",
- "npm run start",
- "npm install",
- "npm run",
- "npm test",
- "npm ci",
+ "git blame",
+ "git show",
+ "git grep",
+ "git show-ref",
+ "git ls-tree",
+ "git ls-remote",
+ "git reflog",
+ "git remote -v",
 "git diff",
+ "git rev-list",
 "git rev-parse",
+ "git merge-base",
+ "git cherry",
+ "git fetch",
 "git status",
 "git st",
 "git branch",
 "git br",
 "git log",
- "git show",
+ "git --version"
+]
+decision = "allow"
+priority = 100
+
+# GitHub CLI (Read-only)
+[[rule]]
+toolName = "run_shell_command"
+commandPrefix = [
+ "gh workflow list",
+ "gh auth status",
+ "gh checkout view",
+ "gh run view",
+ "gh run job view",
+ "gh run list",
+ "gh run --help",
+ "gh issue view",
+ "gh issue list",
+ "gh label list",
 "gh pr diff",
- "gh pr view",
+ "gh pr check",
 "gh pr checks",
+ "gh pr view",
 "gh pr list",
 "gh pr status",
 "gh repo view",
- "gh run",
+ "gh job view",
 "gh api",
 "gh log"
 ]
 decision = "allow"
 priority = 100
+# Node.js/NPM (Generic Tests, Checks, and Build)
 [[rule]]
 toolName = "run_shell_command"
+commandPrefix = [
+ "npm run start",
+ "npm install",
+ "npm run",
+ "npm test",
+ "npm ci",
+ "npm list",
+ "npm --version",
+ "node",
+ "npx"
+]
 decision = "allow"
 priority = 100
+
+# Core Utilities (Safe)
+[[rule]]
+toolName = "run_shell_command"
 commandPrefix = [
- "tail",
- "awk",
+ "sleep",
+ "env",
+ "break",
 "xargs",
- "wc",
+ "base64",
 "uniq",
+ "sort",
+ "echo",
+ "which",
+ "ls",
+ "find",
+ "tail",
+ "head",
+ "cat",
+ "cd",
+ "grep",
+ "ps",
+ "pwd",
+ "wc",
+ "file",
+ "stat",
+ "diff",
+ "lsof",
+ "date",
+ "whoami",
+ "uname",
+ "du",
+ "cut",
+ "true",
+ "false",
+ "readlink",
+ "awk",
 "jq",
 "rg",
 "less",
 "more",
- "tree",
- "file",
- "which",
- "pwd",
- "node",
- "npx"
+ "tree"
 ]
+decision = "allow"
+priority = 100
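Review bot: The new `# Core Utilities (Safe)` rule adds `env` and regroups `xargs`, `find` and `awk` under that label, but each of these can start another program (`env` runs the command it is given, `xargs` and `find -exec` execute their arguments, awk has `system()`), so with prefix matching the rule effectively allows any command and the `(Safe)` and `(Read-only)` headings promise more than the policy enforces; `env` with no arguments also prints the whole process environment, which for a CI reviewer typically includes the GitHub token. The same gap exists in the `# GitHub CLI (Read-only)` rule: `gh api` (carried over from the old list) accepts any HTTP method, and the newly added `gh pr check` prefix would also match `gh pr checkout` if `commandPrefix` is compared as a plain string prefix. I would drop `env`, `xargs`, `find` and `awk` from this allow rule (or, if the policy format supports a deny decision, override them with a higher-priority rule) and qualify the heading, e.g. `# Core Utilities (read-only filters; launchers such as xargs/find/env are intentionally excluded)`. Several new entries also look like typos or no-ops and should be verified before merge: I do not find `gh checkout view`, `gh job view` or `gh run job view` as gh CLI subcommands, `gh pr check` duplicates the existing `gh pr checks`, and `break` is a shell builtin rather than a command.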