fix(code-review): reduced permission prompts, prevented unnecessary cd calls #33397

Open
sunnypatell wants to merge 1 commit into anthropics:main from sunnypatell:fix/code-review-plugin-permissions

@sunnypatell

the code-review plugin generates hundreds of permission prompts per review because sub-agents prefix every command with cd /path && ..., which triggers the compound command security check. this makes the plugin essentially unusable without constant babysitting.

fixes #33357, related to #28240, #30832, #30213

changes

expanded allowed-tools to match what review agents actually need:

- allowed-tools: Bash(gh issue view:*), Bash(gh search:*), Bash(gh issue list:*), Bash(gh pr comment:*), Bash(gh pr diff:*), Bash(gh pr view:*), Bash(gh pr list:*)
+ allowed-tools: Bash(gh:*), Bash(git diff:*), Bash(git log:*), Bash(git blame:*), Bash(git show:*), Bash(git rev-parse:*), Read, Grep, Glob
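
Review bot: Bash(gh:*) on the + line pre-approves every gh subcommand, where the removed line approved only issue view, issue list, search, pr comment, pr diff, pr view and pr list, so the pattern is wider than the read-only review operations the description gives as the goal. Consider scoping it to the families the review actually uses, for example Bash(gh pr:*), Bash(gh issue:*), Bash(gh search:*), and stating next to the line that anything broader relies on the token's scopes as the only remaining control. The git entries and Read, Grep, Glob are narrowly named and need no change.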

the old list only covered specific gh subcommands. agents that needed git blame, git log, git show, or file reads (Read, Grep, Glob) would trigger permission prompts on every call. the gh patterns were also unnecessarily granular since all subcommands are safe in a review context.

added explicit no-cd instruction to agent assumptions:

NEVER prefix bash commands with cd. The working directory is already correct.
Run commands directly (e.g., gh pr diff 123, NOT cd /path && gh pr diff 123).

this is relayed to every sub-agent and directly prevents the cd && command chaining that triggers the runtime's "compound commands with cd and git require approval" security check. users in #28240 confirmed that explicit instructions in CLAUDE.md reduce the behavior, but putting it in the plugin's command prompt is more reliable than relying on per-repo CLAUDE.md files.

added Read/Grep preference over cat/grep bash commands, which avoids unnecessary Bash tool calls entirely.

why this works

the permission explosion has two causes:

  1. agents generate cd /cwd && gh pr diff ... even though the cwd is already correct. the runtime flags this as a security concern (bare repo attack prevention). the no-cd instruction stops this at the source
  2. agents need git blame, git log, etc. for context analysis but these weren't in allowed-tools, forcing approval on every call. expanding the list pre-approves these safe read-only operations

the runtime's cd detection is being addressed separately (#28240), but this plugin-level fix provides immediate relief.

…y cd calls

- expanded allowed-tools to include git commands (diff, log, blame,
  show, rev-parse), Read, Grep, Glob that review agents actually need
- simplified gh tool patterns from per-subcommand to Bash(gh:*) to
  cover all gh operations without over-specifying
- added explicit "never use cd" instruction in agent assumptions,
  which gets relayed to all subagents, preventing the cd + command
  chaining that triggers the compound command security check
- added instruction to use Read/Grep instead of cat/grep bash commands

fixes anthropics#33357, related to anthropics#28240, anthropics#30832, anthropics#30213
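
Added example, not part of the PR or the plugin: a simplified model of prefix-based pre-approval, illustrating the two causes named in the description and the breadth of Bash(gh:*). The matcher, its function names and the sample commands are assumptions constructed for illustration; the runtime's real matching and its cd check are not shown on this page.

```python
import shlex

# Prefixes taken from the "-" and "+" allowed-tools lines in this PR.
OLD = ["gh issue view", "gh search", "gh issue list", "gh pr comment",
       "gh pr diff", "gh pr view", "gh pr list"]
NEW = ["gh", "git diff", "git log", "git blame", "git show", "git rev-parse"]

SEPARATORS = {"&&", "||", ";", "|", "&"}


def split_compound(command):
    """Split a shell line into argv lists, one per chained sub-command."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    parts, current = [], []
    for token in lexer:
        if token in SEPARATORS:
            if current:
                parts.append(current)
            current = []
        else:
            current.append(token)
    if current:
        parts.append(current)
    return parts


def matches(argv, prefixes):
    """True if argv starts with the words of any allowed prefix."""
    return any(argv[:len(p.split())] == p.split() for p in prefixes)


def decide(command, prefixes):
    """'allow' only when every sub-command is pre-approved, else 'prompt'."""
    parts = split_compound(command)
    if parts and all(matches(argv, prefixes) for argv in parts):
        return "allow"
    return "prompt"


if __name__ == "__main__":
    # Constructed sample commands; OWNER/REPO is a placeholder.
    for cmd in ["gh pr diff 123", "cd /repo && gh pr diff 123",
                "git blame src/app.py", "gh repo delete OWNER/REPO"]:
        print(f"{cmd!r:32} old={decide(cmd, OLD):6} new={decide(cmd, NEW)}")
```

In this model the cd-prefixed command still prompts under the expanded list, which is why the no-cd instruction is needed alongside it. The gh repo delete line moves from prompt to allow, leaving the token's scopes as the remaining control.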

Copilot AI left a comment


Pull request overview

This PR updates the /code-review plugin command prompt to reduce repetitive permission prompts during PR reviews by broadening pre-approved read-only tools and steering agents away from cd && ... compound bash commands.

Changes:

  • Expands allowed-tools to include broader gh access plus common read-only git subcommands, and adds Read/Grep/Glob.
  • Strengthens and clarifies “agent assumptions” to explicitly prohibit cd-prefixed bash commands.
  • Adds guidance to prefer Read/Grep tools over cat/grep via Bash.


@sunnypatell
Author

addressing copilot's 2 inline comments:

  1. "never use cd" too strong (code-review.md:11) - disagree. the entire problem reported in [Bug] Code-review plugin excessive permission prompts and unnecessary cd calls #33357, [BUG] Permission prompt incorrectly triggers on cd instead of the actual command in compound bash statements #28240, [BUG] Claude always using cd command into current working directory in combination with Git commands, requiring approval for whitelisted commands #30832, and Compound cd && git commands in worktrees should not require approval #30213 is that sub-agents prepend cd /cwd && ... to every command, which triggers the runtime's compound command security check. the cd is always to the current working directory, making it completely redundant. this isn't about blocking legitimate directory changes, it's about preventing the specific pattern that causes hundreds of permission prompts. the code-review plugin only operates on the current repo's PR, there is no scenario where an agent needs to cd to a different directory. if a future use case requires it, the instruction can be relaxed then.

  2. Bash(gh:*) too permissive (code-review.md:2) - disagree. the original per-subcommand list (Bash(gh issue view:*), Bash(gh search:*), etc.) was part of the problem. agents generate compound gh commands like gh pr diff 123 --name-only or gh pr view 123 --json that don't exactly match the granular patterns, triggering permission prompts. Bash(gh:*) covers all gh subcommands and is the standard pattern used by pr-review-toolkit (allowed-tools: ["Bash"] which is even more permissive). the code-review plugin runs in a controlled context with a scoped GitHub token. the model can't gh repo delete because the token doesn't have that permission. tool-level restrictions on top of token-scoped auth is defense-in-depth that adds friction without meaningful security gain here.


Successfully merging this pull request may close these issues.

[Bug] Code-review plugin excessive permission prompts and unnecessary cd calls
