fix: sync deno permissions across config files

schpet · schpet · commit 88ecf1bd5114 · 2026-01-23T10:54:38.000-08:00
- Add public.linear.app to --allow-net in deno.json and dist-workspace.toml
- Add uploads.linear.app to dist-workspace.toml (was missing)
- Add XDG_CONFIG_HOME, HOME, APPDATA to dist-workspace.toml --allow-env
- Add --allow-sys=hostname to dist-workspace.toml
- Add permissions section to CLAUDE.md
- Add docs/deno-permissions.md documenting all permission locations
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -9,6 +9,12 @@
 - import: use dynamic import only when necessary, the static form is preferable
 - avoid the typescript `any` type - prefer strict typing, if you can't find a good way to fix a type issue (particularly with graphql data or documents) explain the problem instead of working around it
 
+## permissions
+
+- deno permissions (--allow-env, --allow-net, etc.) are configured in multiple files that must stay in sync
+- see [docs/deno-permissions.md](docs/deno-permissions.md) for the full list of files to update when adding new permissions
+- key files: `deno.json` (tasks), `dist-workspace.toml` (release builds), test files
+
 ## tests
 
 - tests on commands should mirror the directory structure of the src, e.g.
diff --git a/deno.json b/deno.json
@@ -5,14 +5,14 @@
   "exports": "./src/main.ts",
   "license": "MIT",
   "tasks": {
-    "dev": "deno task codegen && deno run '--allow-env=GITHUB_*,GH_*,LINEAR_*,NODE_ENV,EDITOR,PAGER,NO_COLOR,TMPDIR,TMP,TEMP,XDG_CONFIG_HOME,HOME,APPDATA' --allow-read --allow-write --allow-run --allow-net=api.linear.app,uploads.linear.app --allow-sys=hostname --quiet src/main.ts ",
-    "install": "deno task codegen && deno install -c ./deno.json '--allow-env=GITHUB_*,GH_*,LINEAR_*,NODE_ENV,EDITOR,PAGER,NO_COLOR,TMPDIR,TMP,TEMP,XDG_CONFIG_HOME,HOME,APPDATA' --allow-read --allow-write --allow-run --allow-net=api.linear.app,uploads.linear.app --allow-sys=hostname --quiet -g -f -n linear ./src/main.ts",
+    "dev": "deno task codegen && deno run '--allow-env=GITHUB_*,GH_*,LINEAR_*,NODE_ENV,EDITOR,PAGER,NO_COLOR,TMPDIR,TMP,TEMP,XDG_CONFIG_HOME,HOME,APPDATA' --allow-read --allow-write --allow-run --allow-net=api.linear.app,uploads.linear.app,public.linear.app --allow-sys=hostname --quiet src/main.ts ",
+    "install": "deno task codegen && deno install -c ./deno.json '--allow-env=GITHUB_*,GH_*,LINEAR_*,NODE_ENV,EDITOR,PAGER,NO_COLOR,TMPDIR,TMP,TEMP,XDG_CONFIG_HOME,HOME,APPDATA' --allow-read --allow-write --allow-run --allow-net=api.linear.app,uploads.linear.app,public.linear.app --allow-sys=hostname --quiet -g -f -n linear ./src/main.ts",
     "uninstall": "deno uninstall -g linear",
     "sync-schema": "deno task dev schema -o graphql/schema.graphql",
     "codegen": "deno run --allow-all npm:@graphql-codegen/cli/graphql-codegen-esm",
     "check": "deno check src/main.ts",
-    "test": "deno test '--allow-env=GITHUB_*,GH_*,LINEAR_*,NODE_ENV,EDITOR,PAGER,SNAPSHOT_TEST_NAME,CLIFFY_SNAPSHOT_FAKE_TIME,NO_COLOR,TMPDIR,TMP,TEMP,XDG_CONFIG_HOME,HOME,APPDATA,PATH,SystemRoot' --allow-read --allow-write --allow-run --allow-net=api.linear.app,uploads.linear.app --allow-sys=hostname --quiet",
-    "snapshot": "deno test '--allow-env=GITHUB_*,GH_*,LINEAR_*,NODE_ENV,EDITOR,PAGER,SNAPSHOT_TEST_NAME,CLIFFY_SNAPSHOT_FAKE_TIME,NO_COLOR,TMPDIR,TMP,TEMP,XDG_CONFIG_HOME,HOME,APPDATA,PATH,SystemRoot' --allow-read --allow-write --allow-run --allow-net=api.linear.app,uploads.linear.app --allow-sys=hostname -- --update",
+    "test": "deno test '--allow-env=GITHUB_*,GH_*,LINEAR_*,NODE_ENV,EDITOR,PAGER,SNAPSHOT_TEST_NAME,CLIFFY_SNAPSHOT_FAKE_TIME,NO_COLOR,TMPDIR,TMP,TEMP,XDG_CONFIG_HOME,HOME,APPDATA,PATH,SystemRoot' --allow-read --allow-write --allow-run --allow-net=api.linear.app,uploads.linear.app,public.linear.app --allow-sys=hostname --quiet",
+    "snapshot": "deno test '--allow-env=GITHUB_*,GH_*,LINEAR_*,NODE_ENV,EDITOR,PAGER,SNAPSHOT_TEST_NAME,CLIFFY_SNAPSHOT_FAKE_TIME,NO_COLOR,TMPDIR,TMP,TEMP,XDG_CONFIG_HOME,HOME,APPDATA,PATH,SystemRoot' --allow-read --allow-write --allow-run --allow-net=api.linear.app,uploads.linear.app,public.linear.app --allow-sys=hostname -- --update",
     "lefthook-install": "deno run --allow-run --allow-read --allow-write --allow-env npm:lefthook install",
     "validate": "deno task check && deno fmt && deno lint",
     "generate-skill-docs": "deno run --allow-run --allow-read --allow-write skills/linear-cli/scripts/generate-docs.ts"
diff --git a/dist-workspace.toml b/dist-workspace.toml
@@ -13,7 +13,7 @@ binaries = ["linear"]
 build-command = [
     "sh",
     "-c",
-    "deno compile --target=$CARGO_DIST_TARGET -o linear '--allow-env=GITHUB_*,GH_*,LINEAR_*,NODE_ENV,EDITOR,PAGER,NO_COLOR,TMPDIR,TMP,TEMP' --allow-read --allow-write --allow-run --allow-net=api.linear.app --quiet src/main.ts",
+    "deno compile --target=$CARGO_DIST_TARGET -o linear '--allow-env=GITHUB_*,GH_*,LINEAR_*,NODE_ENV,EDITOR,PAGER,NO_COLOR,TMPDIR,TMP,TEMP,XDG_CONFIG_HOME,HOME,APPDATA' --allow-read --allow-write --allow-run --allow-net=api.linear.app,uploads.linear.app,public.linear.app --allow-sys=hostname --quiet src/main.ts",
 ]
 
 # Config for 'dist'
diff --git a/docs/deno-permissions.md b/docs/deno-permissions.md
@@ -0,0 +1,90 @@
+# Deno Permissions Configuration
+
+This document tracks all locations where Deno permission flags are configured. When adding new permissions (e.g., new network hosts, environment variables), **all files must be updated** to stay in sync.
+
+## Permission Types
+
+| Permission      | Purpose                                                       |
+| --------------- | ------------------------------------------------------------- |
+| `--allow-env`   | Environment variable access (API keys, config, editor, pager) |
+| `--allow-net`   | Network access to Linear API and file storage                 |
+| `--allow-read`  | File system read access                                       |
+| `--allow-write` | File system write access                                      |
+| `--allow-run`   | Execute subprocesses (git, jj, editor, pager)                 |
+| `--allow-sys`   | System info access (hostname)                                 |
+
+## Network Hosts
+
+The following hosts must be allowed for full functionality:
+
+- `api.linear.app` - GraphQL API
+- `uploads.linear.app` - Private file uploads/downloads
+- `public.linear.app` - Public image downloads
+
+## Files to Update
+
+### Primary Configuration
+
+These files define permissions for production use:
+
+| File                  | Lines      | Purpose                                    |
+| --------------------- | ---------- | ------------------------------------------ |
+| `deno.json`           | 8-9, 14-15 | `dev`, `install`, `test`, `snapshot` tasks |
+| `dist-workspace.toml` | 16         | Binary compilation for releases            |
+
+### Test Configuration
+
+Test files define their own `denoArgs` arrays. Most use a shared helper:
+
+| File                                         | Lines | Notes                                           |
+| -------------------------------------------- | ----- | ----------------------------------------------- |
+| `test/utils/test-helpers.ts`                 | 5-9   | Shared `commonDenoArgs` used by milestone tests |
+| `test/commands/issue/issue-view.test.ts`     | 10-14 | Local `denoArgs`                                |
+| `test/commands/issue/issue-describe.test.ts` | 7-11  | Local `denoArgs`                                |
+| `test/commands/issue/issue-commits.test.ts`  | 6-10  | Local `denoArgs`                                |
+| `test/commands/team/team-list.test.ts`       | 8-12  | Local `denoArgs`                                |
+| `test/commands/project/project-view.test.ts` | 7-11  | Local `denoArgs`                                |
+
+Note: Test files often use broader permissions (e.g., `--allow-net` without host restrictions) since they run against mock servers.
+
+## Environment Variables
+
+### Runtime Variables
+
+Used by the CLI during normal operation:
+
+```
+GITHUB_*, GH_*     - GitHub integration
+LINEAR_*           - Linear API key and config
+NODE_ENV           - Environment detection
+EDITOR             - Text editor for descriptions
+PAGER              - Pager for long output
+NO_COLOR           - Disable color output
+TMPDIR, TMP, TEMP  - Temp directory for downloads
+XDG_CONFIG_HOME    - Config file location (Linux)
+HOME               - Home directory
+APPDATA            - Config file location (Windows)
+```
+
+### Test-Only Variables
+
+Additional variables needed for tests:
+
+```
+SNAPSHOT_TEST_NAME        - Cliffy snapshot testing
+CLIFFY_SNAPSHOT_FAKE_TIME - Time mocking in tests
+PATH                      - Process execution
+SystemRoot                - Windows compatibility
+MOCK_GIT_BRANCH_COMMAND   - Git mocking in tests
+TEST_CURRENT_TIME         - Time mocking
+```
+
+## Checklist for Adding Permissions
+
+When adding a new permission:
+
+1. [ ] Update `deno.json` tasks: `dev`, `install`, `test`, `snapshot`
+2. [ ] Update `dist-workspace.toml` build command
+3. [ ] Update `test/utils/test-helpers.ts` if tests need it
+4. [ ] Update individual test files if they have local `denoArgs`
+5. [ ] Document the new permission in this file

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ binaries = ["linear"]`
`13`	`13`	`build-command = [`
`14`	`14`	`"sh",`
`15`	`15`	`"-c",`
`16`		`- "deno compile --target=$CARGO_DIST_TARGET -o linear '--allow-env=GITHUB_,GH_,LINEAR_*,NODE_ENV,EDITOR,PAGER,NO_COLOR,TMPDIR,TMP,TEMP' --allow-read --allow-write --allow-run --allow-net=api.linear.app --quiet src/main.ts",`
	`16`	`+ "deno compile --target=$CARGO_DIST_TARGET -o linear '--allow-env=GITHUB_,GH_,LINEAR_*,NODE_ENV,EDITOR,PAGER,NO_COLOR,TMPDIR,TMP,TEMP,XDG_CONFIG_HOME,HOME,APPDATA' --allow-read --allow-write --allow-run --allow-net=api.linear.app,uploads.linear.app,public.linear.app --allow-sys=hostname --quiet src/main.ts",`
`17`	`17`	`]`
`18`	`18`
`19`	`19`	`# Config for 'dist'`