Severity: Major — caused us to block ALL source code modifications
Reproduction: Set safe-outputs: create-pull-request: { allowed-files: [".github/workflows/*"] }. The agent modifies both .github/workflows/deploy.yml and src/app/Component.tsx.
Expected: Both .github/ files AND normal source files are allowed (i.e., allowed-files adds exceptions to the protected_files/protected_path_prefixes lists).
Actual: ONLY .github/workflows/* files are allowed. All other files (including normal source code like src/**) are blocked: Cannot create pull request: patch modifies files outside the allowed-files list (src/app/Component.tsx).
Impact: We set allowed-files to unblock .github/ files, which then blocked all normal source code. Multiple implementation runs failed before we understood the semantics.
Suggestion: Either rename to only-allow-files to make the semantics clear, or change the behavior so allowed-files acts as exceptions to the protected lists rather than a global allowlist. The current behavior is a footgun.
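To make the two readings of `allowed-files` concrete, here is an added model of both policies run over the paths from the reproduction above. This is illustrative code written for this report, not the project's implementation; the `PROTECTED_FILES` and `PROTECTED_PATH_PREFIXES` values are constructed assumptions, and `fnmatch` stands in for whatever glob matcher the project uses.

```python
from fnmatch import fnmatch

# Constructed sample policy (assumption, not the project's real defaults).
PROTECTED_FILES = [".github/CODEOWNERS"]
PROTECTED_PATH_PREFIXES = [".github/"]
ALLOWED_FILES = [".github/workflows/*"]

# The two files the agent touched in the reproduction.
PATCH_PATHS = [".github/workflows/deploy.yml", "src/app/Component.tsx"]


def matches_allowed(path, allowed_globs):
    """True if the path matches any allowed-files glob."""
    return any(fnmatch(path, glob) for glob in allowed_globs)


def is_protected(path, protected_files, protected_prefixes):
    """True if the path is on the protected lists (exact file or path prefix)."""
    return path in protected_files or any(path.startswith(p) for p in protected_prefixes)


def blocked_as_global_allowlist(paths, allowed_globs):
    """Observed behaviour: allowed-files is the only allowlist.
    Anything not matching a glob is rejected, protected or not."""
    return [p for p in paths if not matches_allowed(p, allowed_globs)]


def blocked_as_exceptions(paths, allowed_globs, protected_files, protected_prefixes):
    """Expected behaviour: allowed-files carves exceptions out of the
    protected lists; ordinary source files are never affected."""
    return [
        p for p in paths
        if is_protected(p, protected_files, protected_prefixes)
        and not matches_allowed(p, allowed_globs)
    ]


def pr_check_message(blocked):
    """Reproduce the shape of the error seen in the report, or None if clean."""
    if not blocked:
        return None
    return ("Cannot create pull request: patch modifies files outside the "
            "allowed-files list (%s)." % ", ".join(blocked))


if __name__ == "__main__":
    print("global allowlist:", pr_check_message(blocked_as_global_allowlist(PATCH_PATHS, ALLOWED_FILES)))
    print("exceptions      :", pr_check_message(blocked_as_exceptions(
        PATCH_PATHS, ALLOWED_FILES, PROTECTED_FILES, PROTECTED_PATH_PREFIXES)))
```

Under the "exceptions" reading a still-protected path such as the constructed `.github/CODEOWNERS` is rejected while `src/app/Component.tsx` passes, which is the behaviour the report expected.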