chore: update fullsend shim workflow #18

Merged: ralphbean merged 1 commit into main from fullsend/onboard on May 6, 2026

@fullsend-ai-fullsend (Contributor)

This PR updates the fullsend shim workflow to match the current template in the .fullsend config repo.

The shim content has drifted from the template — this brings it back in sync.

fullsend-ai-fullsend Bot requested a review from a team as a code owner May 6, 2026 16:59

fullsend-ai-review Bot commented May 6, 2026

Review: #18

Head SHA: 20c93b3
Timestamp: 2026-05-06T00:00:00Z
Outcome: approve

Summary

Clean operational update to the fullsend shim workflow. Adds newline-delimited command matching for /triage, /code, /review, and /fix using the standard GHA fromJSON('"\n"') workaround — correctly applied to all four commands. Introduces a /stop-fix command with appropriate authorization checks (OWNER/MEMBER/COLLABORATOR/CONTRIBUTOR + PR author) and a fullsend-no-fix label guard on dispatch-fix-bot to prevent unwanted automatic fix runs. All new code follows the existing anti-injection patterns (env-block variable passing, no inline ${{ }} in run: blocks). No checkout of PR code, no user content interpolation, no new security surface. The PR description understates the scope ("sync with template" vs. feature additions), but all changes are within the shim workflow's domain and well-structured.

Findings

No critical, high, or medium findings.

Info

  • [Intent alignment] PR description — The description characterizes this as a template sync, but the changes include new functionality (newline matching, /stop-fix command, label guard). Not a concern since all changes are appropriate, but the description could be more precise.
  • [Platform security] .github/workflows/fullsend.yaml dispatch-stop-fix — The /stop-fix authorization allows CONTRIBUTOR association, which is more permissive than /fix (OWNER/MEMBER/COLLABORATOR only). This is reasonable since stopping is lower-risk than triggering, but worth noting for awareness.

Footer

Outcome: approve
This review applies to SHA 20c93b3c75289543e5893aa4e8c15e0cdc1aa8f7. Any push to the PR head clears this review and requires a new evaluation.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/fullsend.yaml

Previous run

Review: #18

Head SHA: b3a1ea4
Timestamp: 2026-05-06T00:00:00Z
Outcome: approve

Summary

Clean, well-structured workflow update that adds newline-delimited command matching across all slash commands, replaces the dispatch-gh-classify job with a new dispatch-stop-fix mechanism (guarded by a fullsend-no-fix label), and removes the unused issues.opened event trigger. All changes are internally consistent, follow existing security patterns (env-var payload construction, no PR code checkout), and introduce no new attack surface. No critical or high findings.

Findings

Info

  • [correctness] dispatch-stop-fix job — The job lacks a concurrency group unlike peer dispatch jobs (dispatch-triage, dispatch-fix-bot, dispatch-fix-human). Rapid duplicate /stop-fix comments would produce duplicate PR comments, though the label addition itself is idempotent via --force. Low practical risk since /stop-fix is a manual, infrequent action.

  • [style/conventions] dispatch-stop-fix job — Job-level permissions block (issues: write, pull-requests: write) applies to GITHUB_TOKEN, but the job's gh commands use FULLSEND_DISPATCH_TOKEN via the GH_TOKEN env var. The permissions serve as documentation of intent but have no runtime effect on the active token. Consistent with the principle of least privilege for GITHUB_TOKEN even when unused.

Footer

Outcome: approve
This review applies to SHA b3a1ea4bb87d392e678d62977311c5f1a391e018. Any push to the PR head clears this review and requires a new evaluation.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/fullsend.yaml

ralphbean added this pull request to the merge queue May 6, 2026
Merged via the queue into main with commit c470734 May 6, 2026
13 checks passed
ralphbean deleted the fullsend/onboard branch May 6, 2026 17:53
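
The command matching and authorization rules described in the review comments above, as an added example; it is not the fullsend workflow's own code, which this page does not show. The function and variable names are hypothetical, and two points are assumptions: that a command must start the comment, and that "+ PR author" means "or the PR author".

```sh
#!/bin/sh
# Added example: hypothetical helpers, not code from the fullsend workflow.
# Untrusted comment data arrives through the environment, as a workflow env:
# block would pass it (COMMENT_BODY: ${{ github.event.comment.body }}), so the
# shell only ever handles it as data, never as script text.
NL='
'
CR=$(printf '\r')

# match_command BODY: print the command name when the first line of BODY is a
# known slash command followed by end of text, a space or a newline.
match_command() {
  mc_first=${1%%"$NL"*}       # keep the first line only
  mc_first=${mc_first%"$CR"}  # tolerate CRLF line endings
  for mc_cmd in /stop-fix /fix; do
    case $mc_first in
      "$mc_cmd"|"$mc_cmd "*) printf '%s\n' "${mc_cmd#/}"; return 0 ;;
    esac
  done
  return 1
}

# authorized CMD ASSOCIATION COMMENTER PR_AUTHOR: policy as the review states it.
authorized() {
  case $2 in
    OWNER|MEMBER|COLLABORATOR) return 0 ;;
  esac
  # /stop-fix alone also admits CONTRIBUTOR and (assumed reading) the PR author.
  if [ "$1" = stop-fix ]; then
    [ "$2" = CONTRIBUTOR ] && return 0
    [ -n "$3" ] && [ "$3" = "$4" ] && return 0
  fi
  return 1
}

# decide: print "ignore", "deny <cmd>" or "allow <cmd>" for the current event.
decide() {
  d_cmd=$(match_command "${COMMENT_BODY-}") || { echo ignore; return 0; }
  if authorized "$d_cmd" "${AUTHOR_ASSOCIATION-}" "${COMMENT_AUTHOR-}" "${PR_AUTHOR-}"; then
    echo "allow $d_cmd"
  else
    echo "deny $d_cmd"
  fi
}

# check BODY ASSOCIATION COMMENTER PR_AUTHOR: run decide on one constructed event.
check() { COMMENT_BODY=$1 AUTHOR_ASSOCIATION=$2 COMMENT_AUTHOR=$3 PR_AUTHOR=$4; decide; }

check "/fix${CR}${NL}please retry" MEMBER alice bob   # prints: allow fix
check "/fixme later" OWNER alice bob                  # prints: ignore
```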