fix(daily-spdd-spec-planner): add sed to bash allowlist to prevent tool denial threshold

[Copilot]

The Daily SPDD Spec Planner was hitting the 5/5 tool denial guardrail, causing early session termination. Two independent denial sources compounded to reach the threshold:

• 3 denials — built-in glob tool calls read(/workspace) (not in --allow-tool); three parallel glob calls at turn 1 consumed 3 of the 5 slots
• 2 denials — when cat specs/*.md output exceeds the Copilot SDK's inline limit, it's saved to /tmp/copilot-tool-output-*.txt; the agent then uses sed -n to paginate it, but sed was absent from the bash allowlist

Change

Added "sed -n" to the bash: allowlist in daily-spdd-spec-planner.md and recompiled:

  bash:
    - "find specs docs scratchpad -type f -name \"*.md\""
    - "cat specs/*.md"
    - "cat docs/src/content/docs/reference/*specification*.md"
    - "cat scratchpad/*specification*.md"
    - "git log --oneline --since=\"14 days ago\" -- specs docs/src/content/docs/reference scratchpad"
+   - "sed -n"

This emits --allow-tool shell(sed -n) in the compiled workflow, allowing the agent to paginate large tool outputs. The glob denials remain (they are pre-existing and test-documented) but total denials drop from 5 → 3, safely under the threshold.

[Copilot]

✅ Ready to approve

The change is a minimal, consistent allowlist update (already used in other workflows) and the compiled lockfile reflects the intended permission.

Note: this review does not count toward required approvals for merging.

Pull request overview

This PR updates the Daily SPDD Spec Planner workflow’s shell allowlist to permit sed -n, preventing Copilot SDK tool-denial accumulation when large cat outputs are redirected to /tmp/copilot-tool-output-*.txt and then paginated via sed.

Changes:

• Added "sed -n" to the workflow’s tools.bash allowlist.
• Recompiled the workflow so the generated .lock.yml includes --allow-tool shell(sed -n).

File summaries

File	Description
.github/workflows/daily-spdd-spec-planner.md	Adds sed -n to the bash allowlist to support pagination of large tool outputs.
.github/workflows/daily-spdd-spec-planner.lock.yml	Regenerates the compiled workflow to include the corresponding --allow-tool shell(sed -n) entries.

Copilot's findings

• Files reviewed: 2/2 changed files
• Comments generated: 0

Note

Your feedback helps us improve the quality of this feature.
Please use 👍 or 👎 to tell us whether this assessment is correct.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.