
feat(git-guards): block gh pr comment, enforce GraphQL review threads#56

Merged
JacobPEvans merged 2 commits into main from feat/block-gh-pr-comment on Feb 26, 2026

Conversation

@JacobPEvans (Owner) commented Feb 26, 2026

Summary

  • Adds DENY_GH list to git-permission-guard.py that blocks gh pr comment — which creates top-level issue comments that cannot be resolved or tracked in PR reviews
  • Directs to GitHub GraphQL API for proper review threads with file/line references (addPullRequestReview, addPullRequestReviewThreadReply, resolveReviewThread)
  • Extracts sub_tokens once before both DENY and ASK checks to avoid duplication

Test plan

  • gh pr comment 123 --body "test" → denied
  • gh pr comment (bare) → denied
  • gh api graphql → allowed (not blocked)
  • gh pr close, gh pr merge → ask (existing ASK_GH preserved)
  • gh pr view, gh issue list → allowed
  • git push --force → ask (existing ASK_GIT preserved)
  • ls -la → allowed (non-git/gh early exit)

🤖 Generated with Claude Code


Important

Adds DENY_GH to block gh pr comment and enforces GraphQL review threads in git-permission-guard.py.

  • Behavior:
    • Adds DENY_GH list in git-permission-guard.py to block gh pr comment to enforce using GitHub GraphQL API for review threads.
    • Extracts sub_tokens once before both DENY and ASK checks to avoid duplication in main() function.
  • Test Plan:
    • gh pr comment 123 --body "test" and gh pr comment (bare) are denied.
    • gh api graphql and other non-git/gh commands are allowed.
    • Existing ASK behavior for gh pr close, gh pr merge, and git push --force is preserved.

This description was created by Ellipsis for a0d5240.

gh pr comment creates top-level issue comments that cannot be resolved
or tracked in PR reviews. Add DENY_GH list to git-permission-guard that
blocks this command and directs to GitHub GraphQL API for proper review
threads with file/line references.

(claude)
Copilot AI review requested due to automatic review settings February 26, 2026 14:39
@gemini-code-assist commented

Summary of Changes

Hello @JacobPEvans, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the git-permission-guard.py script to improve the quality and trackability of pull request reviews. It introduces a new denial rule for the gh pr comment command, guiding users towards the structured GitHub GraphQL API for review comments. Additionally, it includes a minor refactoring to optimize command token parsing.

Highlights

  • Blocked gh pr comment command: The git-permission-guard.py script now explicitly denies the gh pr comment command, as it creates untrackable top-level issue comments that cannot be resolved or tracked within PR reviews.
  • Enforced GitHub GraphQL API for PR reviews: Users attempting to use gh pr comment are now directed to use specific GitHub GraphQL API mutations (addPullRequestReview, addPullRequestReviewThreadReply, resolveReviewThread) for creating resolvable, line-specific review threads.
  • Refactored sub_tokens extraction: The sub_tokens variable is now extracted once at the beginning of the main function, before both DENY and ASK checks, to avoid redundant processing.

Changelog

  • git-guards/scripts/git-permission-guard.py
    • Added a new DENY_GH list to block the gh pr comment command.
    • Included detailed instructions and examples for using GitHub GraphQL API mutations for proper PR review threads.
    • Moved the extraction of sub_tokens to an earlier point in the main function to prevent redundant calculations.
    • Integrated the DENY_GH check before the existing ASK checks for gh commands.

Activity

  • The pull request includes a comprehensive test plan demonstrating the blocking and allowing of various gh and git commands, ensuring the new guard rules function as intended.

@ellipsis-dev ellipsis-dev bot left a comment

Important

Looks good to me! 👍

Reviewed everything up to a0d5240 in 1 minute and 16 seconds.
  • Reviewed 53 lines of code in 1 file
  • Skipped 0 files when reviewing.
  • Skipped posting 0 draft comments.

Copilot AI left a comment

Pull request overview

Adds a new gh command deny rule in the git permission guard to prevent creating untracked/unresolvable PR feedback via gh pr comment, and nudges contributors toward using review threads instead.

Changes:

  • Introduces DENY_GH with a rule blocking gh pr comment and explaining preferred review-thread workflows.
  • Refactors main() to compute sub_tokens once and reuse it for both deny and ask checks.
  • Enforces deny checks for gh subcommands prior to existing ASK_GH checks.


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a valuable guard to block gh pr comment and guide users towards creating resolvable review threads using the GraphQL API. The refactoring to calculate sub_tokens only once is also a nice cleanup. I have a couple of suggestions to improve consistency with project conventions and enhance the robustness of the new logic.

…pty pattern guard

- Remove redundant 'BLOCKED:' prefix from DENY_GH reason (deny() already prepends it)
- Replace inline GraphQL examples with references to documented workflows to prevent
  staleness and flag inconsistency with repo conventions
- Add `if tokens` guard in DENY_GH check to prevent empty-pattern match-all

Co-Authored-By: Claude <noreply@anthropic.com>
@JacobPEvans (Owner, Author) commented

Fixed in commit 70dcaee. Removed the leading 'BLOCKED: ' from the DENY_GH reason string — deny() already prepends 'BLOCKED: ' at line 85, so the old message produced 'BLOCKED: BLOCKED: ...' in output.

@JacobPEvans (Owner, Author) left a comment

Fixed in commit 70dcaee. Added if tokens and guard before the slice comparison so an empty pattern string can't match all commands.
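
The guard behaviour this PR describes (the DENY_GH check running before the existing ASK checks on the tokens after `gh`, the single sub_tokens extraction, deny() prepending "BLOCKED: " so the reason string must not repeat it, and the `if tokens` guard from commit 70dcaee that stops an empty pattern from matching every command), written out as an added example that runs the PR's test plan. This is not the project's git-permission-guard.py; the list contents, the function names, the shlex-based tokenizer and the (verdict, message) return shape are assumptions made for the example.

```python
"""Hypothetical token-prefix permission guard in the style described in
PR #56. Added example, not the project's code; the rule lists, function
names and return shape are assumptions."""
import shlex

# Each entry: (pattern, reason). A pattern is matched as a token prefix
# against the tokens that follow the `gh`/`git` executable (sub_tokens).
# Reasons must NOT start with "BLOCKED: "; deny() adds that prefix itself.
DENY_GH = [
    ("pr comment",
     "gh pr comment creates top-level issue comments that cannot be resolved "
     "or tracked in PR reviews; open a GraphQL review thread instead."),
]
ASK_GH = [
    ("pr close", "closing a pull request"),
    ("pr merge", "merging a pull request"),
]
ASK_GIT = [
    ("push --force", "force push rewrites remote history"),
]


def deny(reason):
    # The prefix is added here, once, so a reason that already carried it
    # would surface as "BLOCKED: BLOCKED: ..." (the bug fixed in 70dcaee).
    return ("deny", "BLOCKED: " + reason)


def ask(reason):
    return ("ask", reason)


def allow():
    return ("allow", "")


def matches(sub_tokens, pattern):
    """Token-prefix match with the empty-pattern guard.

    Without `tokens and`, an empty pattern splits to [] and the slice
    comparison sub_tokens[:0] == [] is True for every command, so one bad
    list entry would silently turn the rule into a match-all.
    """
    tokens = pattern.split()
    return bool(tokens) and sub_tokens[:len(tokens)] == tokens


def check(command):
    """Return (verdict, message) with verdict in {"deny", "ask", "allow"}."""
    try:
        argv = shlex.split(command)
    except ValueError:
        # Unbalanced quotes: do not guess what the shell would execute.
        return ask("could not parse command")
    if not argv or argv[0] not in ("git", "gh"):
        return allow()  # early exit for non-git/gh commands
    sub_tokens = argv[1:]  # extracted once, reused by DENY and ASK checks
    if argv[0] == "gh":
        for pattern, reason in DENY_GH:  # DENY is evaluated before ASK
            if matches(sub_tokens, pattern):
                return deny(reason)
        for pattern, reason in ASK_GH:
            if matches(sub_tokens, pattern):
                return ask(reason)
    else:
        for pattern, reason in ASK_GIT:
            if matches(sub_tokens, pattern):
                return ask(reason)
    return allow()


if __name__ == "__main__":
    # The cases from the PR's test plan.
    for cmd in ('gh pr comment 123 --body "test"', "gh pr comment",
                "gh api graphql", "gh pr close 123", "gh pr merge 123",
                "gh pr view 123", "git push --force", "ls -la"):
        print(f"{cmd!r:40} -> {check(cmd)[0]}")
```

Two caveats on this kind of matcher, both about the example rather than the project: a token-prefix rule only catches the spelling it lists, so `git push -f` or `--force-with-lease` would pass unless added to ASK_GIT, and the first-token early exit does not see through `bash -c "gh pr comment ..."` or a `;`-chained second command, so the guard is a guard against habit, not a sandbox boundary.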

@JacobPEvans JacobPEvans merged commit c6b6234 into main Feb 26, 2026
5 checks passed
@JacobPEvans JacobPEvans deleted the feat/block-gh-pr-comment branch February 26, 2026 15:59