Summary
Address all findings from the 2026-02-12 comprehensive code review (score: 8.5/10).
Issues Found
HIGH Severity (5)
- H1: Untrusted plan comment fallback -
findPlanComment() falls back to any comment author
- H2: Shell injection via labels/author in execute prompt templates
- H3:
NONE accepted as valid authorized_approvers association
- H4: Unsafe
as LeonidasMode type cast without validation
- H5: Unsafe
as Command type cast without validation
MEDIUM Severity (12)
- M1: API key and GitHub token not registered with
core.setSecret()
- M2:
escapeForShellArg() doesn't handle newlines/carriage returns
- M3:
allowed_tools default includes dangerous Bash(npx:*) and Bash(node:*) (documented)
- M4: Plan comment not wrapped in prompt injection delimiters
- M5: Octokit instances re-created on every call (no caching)
- M6: String interpolation used for file paths instead of
path.join()
- M7: Test suite only covers 5 of 8 supported languages
- M10:
run() function already refactored (no action needed)
- M12: ESLint ignores missing
coverage/** directory
LOW Severity (5)
- L1: Magic number
5 for reserved turns
- L3: Silent catch in
linkSubIssues (already fixed)
- L4:
parseRepo() doesn't validate empty input
- L5: Temp prompt file created with default permissions
Summary
Address all findings from the 2026-02-12 comprehensive code review (score: 8.5/10).
Issues Found
HIGH Severity (5)
findPlanComment()falls back to any comment authorNONEaccepted as validauthorized_approversassociationas LeonidasModetype cast without validationas Commandtype cast without validationMEDIUM Severity (12)
core.setSecret()escapeForShellArg()doesn't handle newlines/carriage returnsallowed_toolsdefault includes dangerousBash(npx:*)andBash(node:*)(documented)path.join()run()function already refactored (no action needed)coverage/**directoryLOW Severity (5)
5for reserved turnslinkSubIssues(already fixed)parseRepo()doesn't validate empty input