chore: bump Claude Code to 2.1.123 and Agent SDK to 0.2.123

* docs: add pull_request_target/workflow_run guidance and base-action trust model

Adds a security.md section on safe checkout patterns under
pull_request_target/workflow_run, and a trust-model section to the
base-action README clarifying that callers are responsible for the
working directory and prompt being trusted.

🏠 Remote-Dev: homespace

* docs: refine PRT/workflow_run guidance — root checkout + workflow_run ref

Second example now checks out the base ref at the workspace root before
the head-ref subdirectory checkout (this action expects a git repo at
the root). Adds the workflow_run ref form, drops the PRT-specific
gh-pr-diff hint from the first example, and generalises the closing
line to cover both event types.

🏠 Remote-Dev: homespace

* docs: use actions/checkout@v6 in examples (consistency)

🏠 Remote-Dev: homespace

.claude/commands/label-issue.md

@@ -1,5 +1,5 @@
 ---
-allowed-tools: Bash(gh label list:*),Bash(gh issue view:*),Bash(gh issue edit:*),Bash(gh search:*)
+allowed-tools: Bash(./scripts/gh.sh:*),Bash(./scripts/edit-issue-labels.sh:*)
 description: Apply labels to GitHub issues
 ---
 
@@ -14,17 +14,18 @@ Issue Information:
 
 TASK OVERVIEW:
 
-1. First, fetch the list of labels available in this repository by running: `gh label list`. Run exactly this command with nothing else.
+1. First, fetch the list of labels available in this repository by running: `./scripts/gh.sh label list`. Run exactly this command with nothing else.
 
-2. Next, use gh commands to get context about the issue:
+2. Next, use gh wrapper commands to get context about the issue:
 
-   - Use `gh issue view ${{ github.event.issue.number }}` to retrieve the current issue's details
+   - Use `./scripts/gh.sh issue view ${{ github.event.issue.number }}` to retrieve the current issue's details
-   - Use `gh search issues` to find similar issues that might provide context for proper categorization
+   - Use `./scripts/gh.sh search issues` to find similar issues that might provide context for proper categorization
-   - You have access to these Bash commands:
+   - `./scripts/gh.sh` is a wrapper for `gh` CLI. Example commands:
-     - Bash(gh label list:\*) - to get available labels
+     - `./scripts/gh.sh label list` — fetch all available labels
-     - Bash(gh issue view:\*) - to view issue details
+     - `./scripts/gh.sh issue view 123` — view issue details
-     - Bash(gh issue edit:\*) - to apply labels to the issue
+     - `./scripts/gh.sh issue view 123 --comments` — view with comments
-     - Bash(gh search:\*) - to search for similar issues
+     - `./scripts/gh.sh search issues "query" --limit 10` — search for issues
+   - `./scripts/edit-issue-labels.sh` — apply labels to the issue
 
 3. Analyze the issue content, considering:
 
@@ -39,12 +40,12 @@ TASK OVERVIEW:
 
    - Choose labels that accurately reflect the issue's nature
    - Be specific but comprehensive
-   - IMPORTANT: Add a priority label (P1, P2, or P3) based on the label descriptions from gh label list
+   - IMPORTANT: Add a priority label (P1, P2, or P3) based on the label descriptions from ./scripts/gh.sh label list
    - Consider platform labels (android, ios) if applicable
-   - If you find similar issues using gh search, consider using a "duplicate" label if appropriate. Only do so if the issue is a duplicate of another OPEN issue.
+   - If you find similar issues using ./scripts/gh.sh search, consider using a "duplicate" label if appropriate. Only do so if the issue is a duplicate of another OPEN issue.
 
 5. Apply the selected labels:
-   - Use `gh issue edit` to apply your selected labels
+   - Use `./scripts/edit-issue-labels.sh --add-label LABEL1 --add-label LABEL2` to apply your selected labels (issue number is read from the workflow event)
    - DO NOT post any comments explaining your decision
    - DO NOT communicate directly with users
    - If no labels are clearly applicable, do not apply any labels
@@ -54,7 +55,7 @@ IMPORTANT GUIDELINES:
 - Be thorough in your analysis
 - Only select labels from the provided list above
 - DO NOT post any comments to the issue
-- Your ONLY action should be to apply labels using gh issue edit
+- Your ONLY action should be to apply labels using ./scripts/edit-issue-labels.sh
 - It's okay to not add any labels if none are clearly applicable
 
 ---

.github/workflows/claude-review.yml

@@ -25,3 +25,4 @@ jobs:
           prompt: "/review-pr REPO: ${{ github.repository }} PR_NUMBER: ${{ github.event.pull_request.number }}"
           claude_args: |
             --allowedTools "mcp__github_inline_comment__create_inline_comment"
+            --model "claude-opus-4-7"

.github/workflows/claude.yml

@@ -19,9 +19,9 @@ jobs:
       (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      contents: write
-      pull-requests: read
+      pull-requests: write
-      issues: read
+      issues: write
       id-token: write
     steps:
       - name: Checkout repository
@@ -31,9 +31,9 @@ jobs:
 
       - name: Run Claude Code
         id: claude
-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@main
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           claude_args: |
             --allowedTools "Bash(bun install),Bash(bun test:*),Bash(bun run format),Bash(bun typecheck)"
-            --model "claude-opus-4-5"
+            --model "claude-opus-4-7"

.github/workflows/issue-triage.yml

@@ -20,8 +20,10 @@ jobs:
 
       - name: Run Claude Code for Issue Triage
         uses: anthropics/claude-code-action@main
+        env:
+          CLAUDE_CODE_SCRIPT_CAPS: '{"edit-issue-labels.sh":2}'
         with:
-          prompt: "/label-issue REPO: ${{ github.repository }} ISSUE_NUMBER${{ github.event.issue.number }}"
+          prompt: "/label-issue REPO: ${{ github.repository }} ISSUE_NUMBER: ${{ github.event.issue.number }}"
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           allowed_non_write_users: "*" # Required for issue triage workflow, if users without repo write access create issues
           github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/non-write-users-check.yml

@@ -0,0 +1,47 @@
+name: Non-write Users Check
+on:
+  pull_request:
+    paths:
+      - ".github/**"
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  allowed-non-write-check:
+    runs-on: ubuntu-latest
+    env:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - run: |
+          DIFF=$(gh pr diff "$PR_NUMBER" -R "$REPO" || true)
+
+          if ! echo "$DIFF" | grep -qE '^diff --git a/\.github/.*\.ya?ml'; then
+            exit 0
+          fi
+
+          MATCHES=$(echo "$DIFF" | grep "^+.*allowed_non_write_users" || true)
+
+          if [ -z "$MATCHES" ]; then
+            exit 0
+          fi
+
+          EXISTING=$(gh pr view "$PR_NUMBER" -R "$REPO" --json comments --jq '.comments[].body' \
+            | grep -c "<!-- non-write-users-check -->" || true)
+
+          if [ "$EXISTING" -gt 0 ]; then
+            exit 0
+          fi
+
+          gh pr comment "$PR_NUMBER" -R "$REPO" --body '<!-- non-write-users-check -->
+          **`allowed_non_write_users` detected**
+
+          This PR adds or modifies `allowed_non_write_users`, which allows users without write access to trigger Claude Code Action workflows. This can introduce security risks.
+
+          If this is a new flow, please make sure you actually need `allowed_non_write_users`. If you are editing an existing workflow, double check that you are not adding new Claude permissions which might lead to a vulnerability.
+
+          See existing workflows in this repo for safe usage examples, or contact the AppSec team.'
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          REPO: ${{ github.repository }}

CLAUDE.md

@@ -1,136 +1,44 @@
 # CLAUDE.md
 
-This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+## Commands
-
-## Development Tools
-
-- Runtime: Bun 1.2.11
-- TypeScript with strict configuration
-
-## Common Development Tasks
-
-### Available npm/bun scripts from package.json:
 
 ```bash
-# Test
+bun test                # Run tests
-bun test
+bun run typecheck       # TypeScript type checking
-
+bun run format          # Format with prettier
-# Formatting
+bun run format:check    # Check formatting
-bun run format          # Format code with prettier
-bun run format:check    # Check code formatting
-
-# Type checking
-bun run typecheck       # Run TypeScript type checker
 ```
 
-## Architecture Overview
+## What This Is
 
-This is a GitHub Action that enables Claude to interact with GitHub PRs and issues. The action operates in two main phases:
+A GitHub Action that lets Claude respond to `@claude` mentions on issues/PRs (tag mode) or run tasks via `prompt` input (agent mode). Mode is auto-detected: if `prompt` is provided, it's agent mode; if triggered by a comment/issue event with `@claude`, it's tag mode. See `src/modes/detector.ts`.
 
-### Phase 1: Preparation (`src/entrypoints/prepare.ts`)
+## How It Runs
 
-1. **Authentication Setup**: Establishes GitHub token via OIDC or GitHub App
+Single entrypoint: `src/entrypoints/run.ts` orchestrates everything — prepare (auth, permissions, trigger check, branch/comment creation), install Claude Code CLI, execute Claude via `base-action/` functions (imported directly, not subprocess), then cleanup (update tracking comment, write step summary). SSH signing cleanup and token revocation are separate `always()` steps in `action.yml`.
-2. **Permission Validation**: Verifies actor has write permissions
-3. **Trigger Detection**: Uses mode-specific logic to determine if Claude should respond
-4. **Context Creation**: Prepares GitHub context and initial tracking comment
 
-### Phase 2: Execution (`base-action/`)
+`base-action/` is also published standalone as `@anthropic-ai/claude-code-base-action`. Don't break its public API. It reads config from `INPUT_`-prefixed env vars (set by `action.yml`), not from action inputs directly.
 
-The `base-action/` directory contains the core Claude Code execution logic, which serves a dual purpose:
+## Key Concepts
 
-- **Standalone Action**: Published separately as `@anthropic-ai/claude-code-base-action` for direct use
+**Auth priority**: `github_token` input (user-provided) > GitHub App OIDC token (default). The `claude_code_oauth_token` and `anthropic_api_key` are for the Claude API, not GitHub. Token setup lives in `src/github/token.ts`.
-- **Inner Logic**: Used internally by this GitHub Action after preparation phase completes
 
-Execution steps:
+**Mode lifecycle**: `detectMode()` in `src/modes/detector.ts` picks the mode name ("tag" or "agent"). Trigger checking and prepare dispatch are inlined in `run.ts`: tag mode calls `prepareTagMode()` from `src/modes/tag/`, agent mode calls `prepareAgentMode()` from `src/modes/agent/`.
 
-1. **MCP Server Setup**: Installs and configures GitHub MCP server for tool access
+**Prompt construction**: Tag mode's `prepareTagMode()` builds the prompt by fetching GitHub data (`src/github/data/fetcher.ts`), formatting it as markdown (`src/github/data/formatter.ts`), and writing it to a temp file via `createPrompt()`. Agent mode writes the user's prompt directly. The prompt includes issue/PR body, comments, diff, and CI status. This is the most important part of the action — it's what Claude sees.
-2. **Prompt Generation**: Creates context-rich prompts from GitHub data
-3. **Claude Integration**: Executes via multiple providers (Anthropic API, AWS Bedrock, Google Vertex AI)
-4. **Result Processing**: Updates comments and creates branches/PRs as needed
 
-### Key Architectural Components
+## Things That Will Bite You
 
-#### Mode System (`src/modes/`)
+- **Strict TypeScript**: `noUnusedLocals` and `noUnusedParameters` are enabled. Typecheck will fail on unused variables.
-
+- **Discriminated unions for GitHub context**: `GitHubContext` is a union type — call `isEntityContext(context)` before accessing entity-specific fields like `context.issue` or `context.pullRequest`.
-- **Tag Mode** (`tag/`): Responds to `@claude` mentions and issue assignments
+- **Token lifecycle matters**: The GitHub App token is obtained early and revoked in a separate `always()` step in `action.yml`. If you move token revocation into `run.ts`, it won't run if the process crashes. Same for SSH signing cleanup.
-- **Agent Mode** (`agent/`): Direct execution when explicit prompt is provided
+- **Error phase attribution**: The catch block in `run.ts` uses `prepareCompleted` to distinguish prepare failures from execution failures. The tracking comment shows different messages for each.
-- Extensible registry pattern in `modes/registry.ts`
+- **`action.yml` outputs reference step IDs**: Outputs like `execution_file`, `branch_name`, `github_token` reference `steps.run.outputs.*`. If you rename the step ID, update the outputs section too.
-
+- **Integration testing** happens in a separate repo (`install-test`), not here. The tests in this repo are unit tests.
-#### GitHub Integration (`src/github/`)
-
-- **Context Parsing** (`context.ts`): Unified GitHub event handling
-- **Data Fetching** (`data/fetcher.ts`): Retrieves PR/issue data via GraphQL/REST
-- **Data Formatting** (`data/formatter.ts`): Converts GitHub data to Claude-readable format
-- **Branch Operations** (`operations/branch.ts`): Handles branch creation and cleanup
-- **Comment Management** (`operations/comments/`): Creates and updates tracking comments
-
-#### MCP Server Integration (`src/mcp/`)
-
-- **GitHub Actions Server** (`github-actions-server.ts`): Workflow and CI access
-- **GitHub Comment Server** (`github-comment-server.ts`): Comment operations
-- **GitHub File Operations** (`github-file-ops-server.ts`): File system access
-- Auto-installation and configuration in `install-mcp-server.ts`
-
-#### Authentication & Security (`src/github/`)
-
-- **Token Management** (`token.ts`): OIDC token exchange and GitHub App authentication
-- **Permission Validation** (`validation/permissions.ts`): Write access verification
-- **Actor Validation** (`validation/actor.ts`): Human vs bot detection
-
-### Project Structure
-
-```
-src/
-├── entrypoints/           # Action entry points
-│   ├── prepare.ts         # Main preparation logic
-│   ├── update-comment-link.ts  # Post-execution comment updates
-│   └── format-turns.ts    # Claude conversation formatting
-├── github/               # GitHub integration layer
-│   ├── api/              # REST/GraphQL clients
-│   ├── data/             # Data fetching and formatting
-│   ├── operations/       # Branch, comment, git operations
-│   ├── validation/       # Permission and trigger validation
-│   └── utils/            # Image downloading, sanitization
-├── modes/                # Execution modes
-│   ├── tag/              # @claude mention mode
-│   ├── agent/            # Automation mode
-│   └── registry.ts       # Mode selection logic
-├── mcp/                  # MCP server implementations
-├── prepare/              # Preparation orchestration
-└── utils/                # Shared utilities
-```
-
-## Important Implementation Notes
-
-### Authentication Flow
-
-- Uses GitHub OIDC token exchange for secure authentication
-- Supports custom GitHub Apps via `APP_ID` and `APP_PRIVATE_KEY`
-- Falls back to official Claude GitHub App if no custom app provided
-
-### MCP Server Architecture
-
-- Each MCP server has specific GitHub API access patterns
-- Servers are auto-installed in `~/.claude/mcp/github-{type}-server/`
-- Configuration merged with user-provided MCP config via `mcp_config` input
-
-### Mode System Design
-
-- Modes implement `Mode` interface with `shouldTrigger()` and `prepare()` methods
-- Registry validates mode compatibility with GitHub event types
-- Agent mode triggers when explicit prompt is provided
-
-### Comment Threading
-
-- Single tracking comment updated throughout execution
-- Progress indicated via dynamic checkboxes
-- Links to job runs and created branches/PRs
-- Sticky comment option for consolidated PR comments
 
 ## Code Conventions
 
-- Use Bun-specific TypeScript configuration with `moduleResolution: "bundler"`
+- Runtime is Bun, not Node. Use `bun test`, not `jest`.
-- Strict TypeScript with `noUnusedLocals` and `noUnusedParameters` enabled
+- `moduleResolution: "bundler"` — imports don't need `.js` extensions.
-- Prefer explicit error handling with detailed error messages
+- GitHub API calls should use retry logic (`src/utils/retry.ts`).
-- Use discriminated unions for GitHub context types
+- MCP servers are auto-installed at runtime to `~/.claude/mcp/github-{type}-server/`.
-- Implement retry logic for GitHub API operations via `utils/retry.ts`

action.yml

@@ -28,11 +28,20 @@ inputs:
     required: false
     default: ""
   allowed_bots:
-    description: "Comma-separated list of allowed bot usernames, or '*' to allow all bots. Empty string (default) allows no bots."
+    description: "Comma-separated list of allowed bot usernames, or '*' to allow all bots. Empty string (default) allows no bots. WARNING: On public repos with '*', external Apps may be able to invoke this action with prompts they control. See docs/security.md."
     required: false
     default: ""
   allowed_non_write_users:
-    description: "Comma-separated list of usernames to allow without write permissions, or '*' to allow all users. Only works when github_token input is provided. WARNING: Use with extreme caution - this bypasses security checks and should only be used for workflows with very limited permissions (e.g., issue labeling)."
+    description: |
+      Comma-separated list of usernames to allow without write permissions, or '*' to allow all users.
+      Only works when github_token input is provided. WARNING: Use with extreme caution - this
+      bypasses security checks and should only be used for workflows with very limited permissions
+      (e.g., issue labeling).
+
+      SECURITY: Processing untrusted content exposes the workflow to prompt injection. When this
+      input is set, Claude does a best-effort scrub of Anthropic, cloud, and GitHub Actions secrets
+      from subprocess environments. This reduces but does not eliminate prompt injection risk -
+      only use for workflows with very limited permissions and validate all outputs.
     required: false
     default: ""
   include_comments_by_actor:
@@ -89,6 +98,10 @@ inputs:
     description: "Use just one comment to deliver issue/PR comments"
     required: false
     default: "false"
+  classify_inline_comments:
+    description: "Buffer inline comments without confirmed=true and classify them (real review vs test/probe) before posting after the session ends. Set to 'false' to post all inline comments immediately (pre-buffering behavior)."
+    required: false
+    default: "true"
   use_commit_signing:
     description: "Enable commit signing using GitHub's commit signature verification. When false, Claude uses standard git commands"
     required: false
@@ -121,6 +134,10 @@ inputs:
     description: "Optional path to a custom Bun executable. If provided, skips automatic Bun installation and uses this executable instead. WARNING: Using an incompatible version may cause problems if the action requires specific Bun features. This input is typically not needed unless you're debugging something specific or have unique needs in your environment."
     required: false
     default: ""
+  display_report:
+    description: "Whether to display the Claude Code Report in GitHub Step Summary. Set to 'false' to disable when using custom formatting solutions. WARNING: This outputs Claude-authored content in the GitHub Step Summary. This should only be used in cases where the action is used solely with trusted input."
+    required: false
+    default: "false"
   show_full_output:
     description: "Show full JSON output from Claude Code. WARNING: This outputs ALL Claude messages including tool execution results which may contain secrets, API keys, or other sensitive information. These logs are publicly visible in GitHub Actions. Only enable for debugging in non-sensitive environments."
     required: false
@@ -137,28 +154,29 @@ inputs:
 outputs:
   execution_file:
     description: "Path to the Claude Code execution output file"
-    value: ${{ steps.claude-code.outputs.execution_file }}
+    value: ${{ steps.run.outputs.execution_file }}
   branch_name:
     description: "The branch created by Claude Code for this execution"
-    value: ${{ steps.prepare.outputs.CLAUDE_BRANCH }}
+    value: ${{ steps.run.outputs.branch_name }}
   github_token:
     description: "The GitHub token used by the action (Claude App token if available)"
-    value: ${{ steps.prepare.outputs.github_token }}
+    value: ${{ steps.run.outputs.github_token }}
   structured_output:
     description: "JSON string containing all structured output fields when --json-schema is provided in claude_args. Use fromJSON() to parse: fromJSON(steps.id.outputs.structured_output).field_name"
-    value: ${{ steps.claude-code.outputs.structured_output }}
+    value: ${{ steps.run.outputs.structured_output }}
   session_id:
     description: "The Claude Code session ID that can be used with --resume to continue this conversation"
-    value: ${{ steps.claude-code.outputs.session_id }}
+    value: ${{ steps.run.outputs.session_id }}
 
 runs:
   using: "composite"
   steps:
     - name: Install Bun
       if: inputs.path_to_bun_executable == ''
-      uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # https://github.com/oven-sh/setup-bun/releases/tag/v2.1.2
+      uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # https://github.com/oven-sh/setup-bun/releases/tag/v2.2.0
       with:
         bun-version: 1.3.6
+        token: ${{ inputs.github_token || github.token }}
 
     - name: Setup Custom Bun Path
       if: inputs.path_to_bun_executable != ''
@@ -175,14 +193,60 @@ runs:
       shell: bash
       run: |
         cd ${GITHUB_ACTION_PATH}
-        bun install
+        bun install --production
 
-    - name: Prepare action
+    - name: Install subprocess isolation dependencies
-      id: prepare
+      # Install subprocess isolation dependencies when processing content from non-write users.
+      # Best-effort: skips on non-Linux or when sudo/apt unavailable (self-hosted runners).
+      if: ${{ inputs.allowed_non_write_users != '' && runner.os == 'Linux' }}
+      continue-on-error: true
       shell: bash
       run: |
-        bun run ${GITHUB_ACTION_PATH}/src/entrypoints/prepare.ts
+        if [ "${CLAUDE_CODE_SUBPROCESS_ENV_SCRUB:-}" = "0" ]; then
+          echo "Subprocess isolation opted out via CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=0"
+          exit 0
+        fi
+        if command -v apt-get >/dev/null && command -v sudo >/dev/null; then
+          for i in 1 2 3; do
+            sudo apt-get update -qq && sudo apt-get install -y --no-install-recommends bubblewrap socat && break
+            echo "apt-get attempt $i failed, retrying..."
+            sleep 5
+          done
+        fi
+        # Ubuntu 24.04+ restricts unprivileged user namespaces via AppArmor.
+        # The sysctl doesn't exist on older kernels — that's fine.
+        if [ -f /proc/sys/kernel/apparmor_restrict_unprivileged_userns ] && command -v sudo >/dev/null; then
+          sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+        fi
+
+    - name: Pin bun binary for post-steps
+      if: ${{ inputs.allowed_non_write_users != '' }}
+      continue-on-error: true
+      shell: bash
+      run: |
+        # Keep a copy of the bun binary alongside the action's own files so
+        # post-steps use the same version that was on PATH at action start.
+        mkdir -p "$GITHUB_ACTION_PATH/bin"
+        cp "$(command -v bun)" "$GITHUB_ACTION_PATH/bin/bun"
+
+    - name: Prepend system bin dirs to PATH
+      if: ${{ inputs.allowed_non_write_users != '' && runner.os != 'Windows' }}
+      continue-on-error: true
+      shell: /bin/bash --noprofile --norc -e -o pipefail {0}
+      run: |
+        echo "/usr/bin" >> "$GITHUB_PATH"
+        echo "/bin" >> "$GITHUB_PATH"
+
+    - name: Run Claude Code Action
+      id: run
+      shell: bash
+      run: |
+        bun --no-env-file \
+          --config="${GITHUB_ACTION_PATH}/bunfig.toml" \
+          --tsconfig-override="${GITHUB_ACTION_PATH}/tsconfig.json" \
+          run ${GITHUB_ACTION_PATH}/src/entrypoints/run.ts
       env:
+        # Prepare inputs
         MODE: ${{ inputs.mode }}
         PROMPT: ${{ inputs.prompt }}
         TRIGGER_PHRASE: ${{ inputs.trigger_phrase }}
@@ -194,10 +258,13 @@ runs:
         OVERRIDE_GITHUB_TOKEN: ${{ inputs.github_token }}
         ALLOWED_BOTS: ${{ inputs.allowed_bots }}
         ALLOWED_NON_WRITE_USERS: ${{ inputs.allowed_non_write_users }}
+        CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: ${{ env.CLAUDE_CODE_SUBPROCESS_ENV_SCRUB || (inputs.allowed_non_write_users != '' && '1') || '' }}
+        CLAUDE_CODE_SCRIPT_CAPS: ${{ env.CLAUDE_CODE_SCRIPT_CAPS || '' }}
         INCLUDE_COMMENTS_BY_ACTOR: ${{ inputs.include_comments_by_actor }}
         EXCLUDE_COMMENTS_BY_ACTOR: ${{ inputs.exclude_comments_by_actor }}
         GITHUB_RUN_ID: ${{ github.run_id }}
         USE_STICKY_COMMENT: ${{ inputs.use_sticky_comment }}
+        CLASSIFY_INLINE_COMMENTS: ${{ inputs.classify_inline_comments }}
         DEFAULT_WORKFLOW_TOKEN: ${{ github.token }}
         USE_COMMIT_SIGNING: ${{ inputs.use_commit_signing }}
         SSH_SIGNING_KEY: ${{ inputs.ssh_signing_key }}
@@ -209,73 +276,20 @@ runs:
         CLAUDE_ARGS: ${{ inputs.claude_args }}
         ALL_INPUTS: ${{ toJson(inputs) }}
 
-    - name: Install Base Action Dependencies
-      if: steps.prepare.outputs.contains_trigger == 'true'
-      shell: bash
-      env:
-        PATH_TO_CLAUDE_CODE_EXECUTABLE: ${{ inputs.path_to_claude_code_executable }}
-      run: |
-        echo "Installing base-action dependencies..."
-        cd ${GITHUB_ACTION_PATH}/base-action
-        bun install
-        echo "Base-action dependencies installed"
-        cd -
-
-        # Install Claude Code if no custom executable is provided
-        if [ -z "$PATH_TO_CLAUDE_CODE_EXECUTABLE" ]; then
-          CLAUDE_CODE_VERSION="2.1.20"
-          echo "Installing Claude Code v${CLAUDE_CODE_VERSION}..."
-          for attempt in 1 2 3; do
-            echo "Installation attempt $attempt..."
-            if command -v timeout &> /dev/null; then
-              # Use --foreground to kill entire process group on timeout, --kill-after to send SIGKILL if SIGTERM fails
-              timeout --foreground --kill-after=10 120 bash -c "curl -fsSL https://claude.ai/install.sh | bash -s -- $CLAUDE_CODE_VERSION" && break
-            else
-              curl -fsSL https://claude.ai/install.sh | bash -s -- "$CLAUDE_CODE_VERSION" && break
-            fi
-            if [ $attempt -eq 3 ]; then
-              echo "Failed to install Claude Code after 3 attempts"
-              exit 1
-            fi
-            echo "Installation failed, retrying..."
-            sleep 5
-          done
-          echo "Claude Code installed successfully"
-          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
-        else
-          echo "Using custom Claude Code executable: $PATH_TO_CLAUDE_CODE_EXECUTABLE"
-          # Add the directory containing the custom executable to PATH
-          CLAUDE_DIR=$(dirname "$PATH_TO_CLAUDE_CODE_EXECUTABLE")
-          echo "$CLAUDE_DIR" >> "$GITHUB_PATH"
-        fi
-
-    - name: Run Claude Code
-      id: claude-code
-      if: steps.prepare.outputs.contains_trigger == 'true'
-      shell: bash
-      run: |
-
-        # Run the base-action
-        bun run ${GITHUB_ACTION_PATH}/base-action/src/index.ts
-      env:
         # Base-action inputs
-        CLAUDE_CODE_ACTION: "1"
         INPUT_PROMPT_FILE: ${{ runner.temp }}/claude-prompts/claude-prompt.txt
         INPUT_SETTINGS: ${{ inputs.settings }}
-        INPUT_CLAUDE_ARGS: ${{ steps.prepare.outputs.claude_args }}
         INPUT_EXPERIMENTAL_SLASH_COMMANDS_DIR: ${{ github.action_path }}/slash-commands
-        INPUT_ACTION_INPUTS_PRESENT: ${{ steps.prepare.outputs.action_inputs_present }}
         INPUT_PATH_TO_CLAUDE_CODE_EXECUTABLE: ${{ inputs.path_to_claude_code_executable }}
         INPUT_PATH_TO_BUN_EXECUTABLE: ${{ inputs.path_to_bun_executable }}
         INPUT_SHOW_FULL_OUTPUT: ${{ inputs.show_full_output }}
+        DISPLAY_REPORT: ${{ inputs.display_report }}
         INPUT_PLUGINS: ${{ inputs.plugins }}
         INPUT_PLUGIN_MARKETPLACES: ${{ inputs.plugin_marketplaces }}
+        PATH_TO_CLAUDE_CODE_EXECUTABLE: ${{ inputs.path_to_claude_code_executable }}
 
         # Model configuration
-        GITHUB_TOKEN: ${{ steps.prepare.outputs.GITHUB_TOKEN }}
-        GH_TOKEN: ${{ steps.prepare.outputs.GITHUB_TOKEN }}
         NODE_VERSION: ${{ env.NODE_VERSION }}
-        DETAILED_PERMISSION_MESSAGES: "1"
 
         # Provider configuration
         ANTHROPIC_API_KEY: ${{ inputs.anthropic_api_key }}
@@ -312,62 +326,87 @@ runs:
         ANTHROPIC_DEFAULT_HAIKU_MODEL: ${{ env.ANTHROPIC_DEFAULT_HAIKU_MODEL }}
         ANTHROPIC_DEFAULT_OPUS_MODEL: ${{ env.ANTHROPIC_DEFAULT_OPUS_MODEL }}
 
-    - name: Update comment with job link
+        # MCP configuration — these env vars are read directly from process.env by the
-      if: steps.prepare.outputs.contains_trigger == 'true' && steps.prepare.outputs.claude_comment_id && always()
+        # Claude CLI subprocess. They must be listed explicitly here because this step's
-      shell: bash
+        # env: block shadows the calling workflow's job-level env vars (GitHub Actions
-      run: |
+        # composite action behavior). Set these in your workflow's job-level env: or via
-        bun run ${GITHUB_ACTION_PATH}/src/entrypoints/update-comment-link.ts
+        # a prior step that writes to $GITHUB_ENV.
-      env:
+        MCP_TIMEOUT: ${{ env.MCP_TIMEOUT }}
-        REPOSITORY: ${{ github.repository }}
+        MCP_TOOL_TIMEOUT: ${{ env.MCP_TOOL_TIMEOUT }}
-        PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}
+        MAX_MCP_OUTPUT_TOKENS: ${{ env.MAX_MCP_OUTPUT_TOKENS }}
-        CLAUDE_COMMENT_ID: ${{ steps.prepare.outputs.claude_comment_id }}
-        GITHUB_RUN_ID: ${{ github.run_id }}
-        GITHUB_TOKEN: ${{ steps.prepare.outputs.GITHUB_TOKEN }}
-        GH_TOKEN: ${{ steps.prepare.outputs.GITHUB_TOKEN }}
-        GITHUB_EVENT_NAME: ${{ github.event_name }}
-        TRIGGER_COMMENT_ID: ${{ github.event.comment.id }}
-        CLAUDE_BRANCH: ${{ steps.prepare.outputs.CLAUDE_BRANCH }}
-        IS_PR: ${{ github.event.issue.pull_request != null || github.event_name == 'pull_request_target' || github.event_name == 'pull_request_review_comment' }}
-        BASE_BRANCH: ${{ steps.prepare.outputs.BASE_BRANCH }}
-        CLAUDE_SUCCESS: ${{ steps.claude-code.outputs.conclusion == 'success' }}
-        OUTPUT_FILE: ${{ steps.claude-code.outputs.execution_file || '' }}
-        TRIGGER_USERNAME: ${{ github.event.comment.user.login || github.event.issue.user.login || github.event.pull_request.user.login || github.event.sender.login || github.triggering_actor || github.actor || '' }}
-        PREPARE_SUCCESS: ${{ steps.prepare.outcome == 'success' }}
-        PREPARE_ERROR: ${{ steps.prepare.outputs.prepare_error || '' }}
-        USE_STICKY_COMMENT: ${{ inputs.use_sticky_comment }}
-        USE_COMMIT_SIGNING: ${{ inputs.use_commit_signing }}
-        TRACK_PROGRESS: ${{ inputs.track_progress }}
 
-    - name: Display Claude Code Report
+        # Telemetry configuration
-      if: steps.prepare.outputs.contains_trigger == 'true' && steps.claude-code.outputs.execution_file != ''
+        CLAUDE_CODE_ENABLE_TELEMETRY: ${{ env.CLAUDE_CODE_ENABLE_TELEMETRY }}
-      shell: bash
+        OTEL_METRICS_EXPORTER: ${{ env.OTEL_METRICS_EXPORTER }}
+        OTEL_LOGS_EXPORTER: ${{ env.OTEL_LOGS_EXPORTER }}
+        OTEL_EXPORTER_OTLP_PROTOCOL: ${{ env.OTEL_EXPORTER_OTLP_PROTOCOL }}
+        OTEL_EXPORTER_OTLP_ENDPOINT: ${{ env.OTEL_EXPORTER_OTLP_ENDPOINT }}
+        OTEL_EXPORTER_OTLP_HEADERS: ${{ env.OTEL_EXPORTER_OTLP_HEADERS }}
+        OTEL_METRIC_EXPORT_INTERVAL: ${{ env.OTEL_METRIC_EXPORT_INTERVAL }}
+        OTEL_LOGS_EXPORT_INTERVAL: ${{ env.OTEL_LOGS_EXPORT_INTERVAL }}
+        OTEL_RESOURCE_ATTRIBUTES: ${{ env.OTEL_RESOURCE_ATTRIBUTES }}
+
+    - name: Re-prepend system bin dirs to PATH
+      if: ${{ always() && inputs.allowed_non_write_users != '' && runner.os != 'Windows' }}
+      continue-on-error: true
+      shell: /bin/bash --noprofile --norc -e -o pipefail {0}
+      env:
+        BASH_ENV: ""
+        LD_PRELOAD: ""
+        LD_LIBRARY_PATH: ""
+        NODE_OPTIONS: ""
+        DYLD_INSERT_LIBRARIES: ""
+        DYLD_PRELOAD: ""
+        DYLD_LIBRARY_PATH: ""
+        DYLD_FRAMEWORK_PATH: ""
       run: |
-        # Try to format the turns, but if it fails, dump the raw JSON
+        echo "/usr/bin" >> "$GITHUB_PATH"
-        if bun run ${{ github.action_path }}/src/entrypoints/format-turns.ts "${{ steps.claude-code.outputs.execution_file }}" >> $GITHUB_STEP_SUMMARY 2>/dev/null; then
+        echo "/bin" >> "$GITHUB_PATH"
-          echo "Successfully formatted Claude Code report"
+        {
-        else
+          echo "BASH_ENV="
-          echo "## Claude Code Report (Raw Output)" >> $GITHUB_STEP_SUMMARY
+          echo "LD_PRELOAD="
-          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "LD_LIBRARY_PATH="
-          echo "Failed to format output (please report). Here's the raw JSON:" >> $GITHUB_STEP_SUMMARY
+          echo "DYLD_INSERT_LIBRARIES="
-          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "DYLD_PRELOAD="
-          echo '```json' >> $GITHUB_STEP_SUMMARY
+          echo "DYLD_LIBRARY_PATH="
-          cat "${{ steps.claude-code.outputs.execution_file }}" >> $GITHUB_STEP_SUMMARY
+          echo "DYLD_FRAMEWORK_PATH="
-          echo '```' >> $GITHUB_STEP_SUMMARY
+        } >> "$GITHUB_ENV"
-        fi
 
     - name: Cleanup SSH signing key
       if: always() && inputs.ssh_signing_key != ''
       shell: bash
       run: |
-        bun run ${GITHUB_ACTION_PATH}/src/entrypoints/cleanup-ssh-signing.ts
+        BUN_BIN="${GITHUB_ACTION_PATH}/bin/bun"
+        [ -x "$BUN_BIN" ] || BUN_BIN="bun"
+        "$BUN_BIN" --no-env-file \
+          --config="${GITHUB_ACTION_PATH}/bunfig.toml" \
+          --tsconfig-override="${GITHUB_ACTION_PATH}/tsconfig.json" \
+          run ${GITHUB_ACTION_PATH}/src/entrypoints/cleanup-ssh-signing.ts
+
+    - name: Post buffered inline comments
+      if: always() && inputs.classify_inline_comments != 'false'
+      shell: bash
+      env:
+        GITHUB_TOKEN: ${{ steps.run.outputs.github_token || inputs.github_token || github.token }}
+        REPO_OWNER: ${{ github.event.repository.owner.login }}
+        REPO_NAME: ${{ github.event.repository.name }}
+        PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
+        ANTHROPIC_API_KEY: ${{ inputs.anthropic_api_key }}
+      run: |
+        BUN_BIN="${GITHUB_ACTION_PATH}/bin/bun"
+        [ -x "$BUN_BIN" ] || BUN_BIN="bun"
+        "$BUN_BIN" --no-env-file \
+          --config="${GITHUB_ACTION_PATH}/bunfig.toml" \
+          --tsconfig-override="${GITHUB_ACTION_PATH}/tsconfig.json" \
+          run ${GITHUB_ACTION_PATH}/src/entrypoints/post-buffered-inline-comments.ts
 
     - name: Revoke app token
-      if: always() && inputs.github_token == '' && steps.prepare.outputs.skipped_due_to_workflow_validation_mismatch != 'true'
+      if: always() && inputs.github_token == '' && steps.run.outputs.github_token != '' && steps.run.outputs.skipped_due_to_workflow_validation_mismatch != 'true'
       shell: bash
       run: |
         curl -L \
           -X DELETE \
           -H "Accept: application/vnd.github+json" \
-          -H "Authorization: Bearer ${{ steps.prepare.outputs.GITHUB_TOKEN }}" \
+          -H "Authorization: Bearer ${{ steps.run.outputs.github_token }}" \
           -H "X-GitHub-Api-Version: 2022-11-28" \
           ${GITHUB_API_URL:-https://api.github.com}/installation/token

base-action/README.md

@@ -4,6 +4,14 @@ This GitHub Action allows you to run [Claude Code](https://www.anthropic.com/cla
 
 For simply tagging @claude in issues and PRs out of the box, [check out the Claude Code action and GitHub app](https://github.com/anthropics/claude-code-action).
 
+## Trust model
+
+This action is a thin wrapper that installs and runs Claude Code with the inputs you provide. It does **not** enforce any trust boundaries on its own. Running this action in a directory is equivalent to running Claude Code in that directory — Claude reads project-level configuration (`.claude/`, `CLAUDE.md`, `.mcp.json`, etc.) from the working directory, and the action's own setup steps run from there as well.
+
+**The caller is responsible for ensuring the working directory and prompt are trusted.** If your workflow processes untrusted input (issues, fork pull requests, external comments), use [`anthropics/claude-code-action`](https://github.com/anthropics/claude-code-action) instead — it provides actor permission checks, restores project configuration from the base ref in PR contexts, and is the supported path for those scenarios.
+
+See [Claude Code's security documentation](https://docs.anthropic.com/en/docs/claude-code/security) and the [GitHub Actions guidance on `pull_request_target`](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) for background.
+
 ## Usage
 
 Add the following to your workflow file:

base-action/action.yml

@@ -97,7 +97,7 @@ runs:
 
     - name: Install Bun
       if: inputs.path_to_bun_executable == ''
-      uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # https://github.com/oven-sh/setup-bun/releases/tag/v2.1.2
+      uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # https://github.com/oven-sh/setup-bun/releases/tag/v2.2.0
       with:
         bun-version: 1.3.6
 
@@ -116,7 +116,7 @@ runs:
       shell: bash
       run: |
         cd ${GITHUB_ACTION_PATH}
-        bun install
+        bun install --production
 
     - name: Install Claude Code
       shell: bash
@@ -124,7 +124,7 @@ runs:
         PATH_TO_CLAUDE_CODE_EXECUTABLE: ${{ inputs.path_to_claude_code_executable }}
       run: |
         if [ -z "$PATH_TO_CLAUDE_CODE_EXECUTABLE" ]; then
-          CLAUDE_CODE_VERSION="2.1.20"
+          CLAUDE_CODE_VERSION="2.1.123"
           echo "Installing Claude Code v${CLAUDE_CODE_VERSION}..."
           for attempt in 1 2 3; do
             echo "Installation attempt $attempt..."
@@ -202,3 +202,14 @@ runs:
         ANTHROPIC_DEFAULT_SONNET_MODEL: ${{ env.ANTHROPIC_DEFAULT_SONNET_MODEL }}
         ANTHROPIC_DEFAULT_HAIKU_MODEL: ${{ env.ANTHROPIC_DEFAULT_HAIKU_MODEL }}
         ANTHROPIC_DEFAULT_OPUS_MODEL: ${{ env.ANTHROPIC_DEFAULT_OPUS_MODEL }}
+
+        # Telemetry configuration
+        CLAUDE_CODE_ENABLE_TELEMETRY: ${{ env.CLAUDE_CODE_ENABLE_TELEMETRY }}
+        OTEL_METRICS_EXPORTER: ${{ env.OTEL_METRICS_EXPORTER }}
+        OTEL_LOGS_EXPORTER: ${{ env.OTEL_LOGS_EXPORTER }}
+        OTEL_EXPORTER_OTLP_PROTOCOL: ${{ env.OTEL_EXPORTER_OTLP_PROTOCOL }}
+        OTEL_EXPORTER_OTLP_ENDPOINT: ${{ env.OTEL_EXPORTER_OTLP_ENDPOINT }}
+        OTEL_EXPORTER_OTLP_HEADERS: ${{ env.OTEL_EXPORTER_OTLP_HEADERS }}
+        OTEL_METRIC_EXPORT_INTERVAL: ${{ env.OTEL_METRIC_EXPORT_INTERVAL }}
+        OTEL_LOGS_EXPORT_INTERVAL: ${{ env.OTEL_LOGS_EXPORT_INTERVAL }}
+        OTEL_RESOURCE_ATTRIBUTES: ${{ env.OTEL_RESOURCE_ATTRIBUTES }}

base-action/bun.lock

@@ -6,7 +6,7 @@
       "name": "@anthropic-ai/claude-code-base-action",
       "dependencies": {
         "@actions/core": "^1.10.1",
-        "@anthropic-ai/claude-agent-sdk": "^0.2.20",
+        "@anthropic-ai/claude-agent-sdk": "^0.2.123",
         "shell-quote": "^1.8.3",
       },
       "devDependencies": {
@@ -27,39 +27,33 @@
 
     "@actions/io": ["@actions/io@1.1.3", "", {}, "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q=="],
 
-    "@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.2.20", "", { "optionalDependencies": { "@img/sharp-darwin-arm64": "^0.33.5", "@img/sharp-darwin-x64": "^0.33.5", "@img/sharp-linux-arm": "^0.33.5", "@img/sharp-linux-arm64": "^0.33.5", "@img/sharp-linux-x64": "^0.33.5", "@img/sharp-linuxmusl-arm64": "^0.33.5", "@img/sharp-linuxmusl-x64": "^0.33.5", "@img/sharp-win32-x64": "^0.33.5" }, "peerDependencies": { "zod": "^4.0.0" } }, "sha512-Q2rJlYC2hEhJRKcOswJrcvm0O6H/uhXkRPAAqbAlFR/jbCWeg6jpyr9iUmVBFUFOBzAWqT2C6KLHiTJ8NySvQg=="],
+    "@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.2.123", "", { "dependencies": { "@anthropic-ai/sdk": "^0.81.0", "@modelcontextprotocol/sdk": "^1.29.0" }, "optionalDependencies": { "@anthropic-ai/claude-agent-sdk-darwin-arm64": "0.2.123", "@anthropic-ai/claude-agent-sdk-darwin-x64": "0.2.123", "@anthropic-ai/claude-agent-sdk-linux-arm64": "0.2.123", "@anthropic-ai/claude-agent-sdk-linux-arm64-musl": "0.2.123", "@anthropic-ai/claude-agent-sdk-linux-x64": "0.2.123", "@anthropic-ai/claude-agent-sdk-linux-x64-musl": "0.2.123", "@anthropic-ai/claude-agent-sdk-win32-arm64": "0.2.123", "@anthropic-ai/claude-agent-sdk-win32-x64": "0.2.123" }, "peerDependencies": { "zod": "^4.0.0" } }, "sha512-a4TysYoR9DBdkM9Uwh4J5ub7TwKmRPe5hFiWh4En+IKC+qkk5UFkxFM22c//cZjYZKynHX0ah2t6LUqb+najYA=="],
+
+    "@anthropic-ai/claude-agent-sdk-darwin-arm64": ["@anthropic-ai/claude-agent-sdk-darwin-arm64@0.2.123", "", { "os": "darwin", "cpu": "arm64" }, "sha512-tYAXCjlXZQklsUs0J//gip3fZQRzhlH5OCgvNXV70qe7A1iiwHqO2KPGvEHV1L+deEKQoMZmTaCOrQpN6zju3w=="],
+
+    "@anthropic-ai/claude-agent-sdk-darwin-x64": ["@anthropic-ai/claude-agent-sdk-darwin-x64@0.2.123", "", { "os": "darwin", "cpu": "x64" }, "sha512-AcUC6sTon6z6HculP87KsAOeTMRLBwpovdhcXUTjXUpo/8nplJ7lBEzWjZCHt8FF1KuN/WBy1Z4bDg/59TQDmA=="],
+
+    "@anthropic-ai/claude-agent-sdk-linux-arm64": ["@anthropic-ai/claude-agent-sdk-linux-arm64@0.2.123", "", { "os": "linux", "cpu": "arm64" }, "sha512-7+GnbcF3/aZ8RJ1WmU/ogtPsOpknBAoUPer90MvZuFYBLPT9iI/U7f24gjrOHuYdcbDA5n7jFlhcfIO26F5DJQ=="],
+
+    "@anthropic-ai/claude-agent-sdk-linux-arm64-musl": ["@anthropic-ai/claude-agent-sdk-linux-arm64-musl@0.2.123", "", { "os": "linux", "cpu": "arm64" }, "sha512-bYgRiaf2q+yVbGAoUluuhqrEW1zexL34+3HDmK9DneKXa2K2EJpw4M6Sq4XoBD/JezGaemoAP78Xv/M/QUS1OQ=="],
+
+    "@anthropic-ai/claude-agent-sdk-linux-x64": ["@anthropic-ai/claude-agent-sdk-linux-x64@0.2.123", "", { "os": "linux", "cpu": "x64" }, "sha512-Xi+Rwk8uP5vWEnawJOlsk179fr0ATLl5J90MlbLj+puKaX5svEq8ljS+P3zq6zHTJeKh9GKLzPf7bc5YJKwcew=="],
+
+    "@anthropic-ai/claude-agent-sdk-linux-x64-musl": ["@anthropic-ai/claude-agent-sdk-linux-x64-musl@0.2.123", "", { "os": "linux", "cpu": "x64" }, "sha512-IX95lFKhmmndY/YPfWPsVV+C3rLYJmuuq5wCS53p6jYIkCMxH1iGfhBGF1EUWcXO4Uc8yqXFmQ3aaxMzOOPrwA=="],
+
+    "@anthropic-ai/claude-agent-sdk-win32-arm64": ["@anthropic-ai/claude-agent-sdk-win32-arm64@0.2.123", "", { "os": "win32", "cpu": "arm64" }, "sha512-WDZmAQG1rOiqNLZlSXaCjSWmqJvLk2io+vFQWWqSy2b5HCk9pa3PadLiaLztiihyk81wPhH9Q/44kOxdyfEGMw=="],
+
+    "@anthropic-ai/claude-agent-sdk-win32-x64": ["@anthropic-ai/claude-agent-sdk-win32-x64@0.2.123", "", { "os": "win32", "cpu": "x64" }, "sha512-588xrd1i6d4kXQ6FqwL+cgBiN4evRQSi5DCtPa02CZ3VEbuVQBeFlyPlD8tfWtNNeGZ4NM8kjPNNzZz5omezPA=="],
+
+    "@anthropic-ai/sdk": ["@anthropic-ai/sdk@0.81.0", "", { "dependencies": { "json-schema-to-ts": "^3.1.1" }, "peerDependencies": { "zod": "^3.25.0 || ^4.0.0" }, "optionalPeers": ["zod"], "bin": { "anthropic-ai-sdk": "bin/cli" } }, "sha512-D4K5PvEV6wPiRtVlVsJHIUhHAmOZ6IT/I9rKlTf84gR7GyyAurPJK7z9BOf/AZqC5d1DhYQGJNKRmV+q8dGhgw=="],
+
+    "@babel/runtime": ["@babel/runtime@7.29.2", "", {}, "sha512-JiDShH45zKHWyGe4ZNVRrCjBz8Nh9TMmZG1kh4QTK8hCBTWBi8Da+i7s1fJw7/lYpM4ccepSNfqzZ/QvABBi5g=="],
 
     "@fastify/busboy": ["@fastify/busboy@2.1.1", "", {}, "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA=="],
 
-    "@img/sharp-darwin-arm64": ["@img/sharp-darwin-arm64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-darwin-arm64": "1.0.4" }, "os": "darwin", "cpu": "arm64" }, "sha512-UT4p+iz/2H4twwAoLCqfA9UH5pI6DggwKEGuaPy7nCVQ8ZsiY5PIcrRvD1DzuY3qYL07NtIQcWnBSY/heikIFQ=="],
+    "@hono/node-server": ["@hono/node-server@1.19.11", "", { "peerDependencies": { "hono": "^4" } }, "sha512-dr8/3zEaB+p0D2n/IUrlPF1HZm586qgJNXK1a9fhg/PzdtkK7Ksd5l312tJX2yBuALqDYBlG20QEbayqPyxn+g=="],
 
-    "@img/sharp-darwin-x64": ["@img/sharp-darwin-x64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-darwin-x64": "1.0.4" }, "os": "darwin", "cpu": "x64" }, "sha512-fyHac4jIc1ANYGRDxtiqelIbdWkIuQaI84Mv45KvGRRxSAa7o7d1ZKAOBaYbnepLC1WqxfpimdeWfvqqSGwR2Q=="],
+    "@modelcontextprotocol/sdk": ["@modelcontextprotocol/sdk@1.29.0", "", { "dependencies": { "@hono/node-server": "^1.19.9", "ajv": "^8.17.1", "ajv-formats": "^3.0.1", "content-type": "^1.0.5", "cors": "^2.8.5", "cross-spawn": "^7.0.5", "eventsource": "^3.0.2", "eventsource-parser": "^3.0.0", "express": "^5.2.1", "express-rate-limit": "^8.2.1", "hono": "^4.11.4", "jose": "^6.1.3", "json-schema-typed": "^8.0.2", "pkce-challenge": "^5.0.0", "raw-body": "^3.0.0", "zod": "^3.25 || ^4.0", "zod-to-json-schema": "^3.25.1" }, "peerDependencies": { "@cfworker/json-schema": "^4.1.1" }, "optionalPeers": ["@cfworker/json-schema"] }, "sha512-zo37mZA9hJWpULgkRpowewez1y6ML5GsXJPY8FI0tBBCd77HEvza4jDqRKOXgHNn867PVGCyTdzqpz0izu5ZjQ=="],
-
-    "@img/sharp-libvips-darwin-arm64": ["@img/sharp-libvips-darwin-arm64@1.0.4", "", { "os": "darwin", "cpu": "arm64" }, "sha512-XblONe153h0O2zuFfTAbQYAX2JhYmDHeWikp1LM9Hul9gVPjFY427k6dFEcOL72O01QxQsWi761svJ/ev9xEDg=="],
-
-    "@img/sharp-libvips-darwin-x64": ["@img/sharp-libvips-darwin-x64@1.0.4", "", { "os": "darwin", "cpu": "x64" }, "sha512-xnGR8YuZYfJGmWPvmlunFaWJsb9T/AO2ykoP3Fz/0X5XV2aoYBPkX6xqCQvUTKKiLddarLaxpzNe+b1hjeWHAQ=="],
-
-    "@img/sharp-libvips-linux-arm": ["@img/sharp-libvips-linux-arm@1.0.5", "", { "os": "linux", "cpu": "arm" }, "sha512-gvcC4ACAOPRNATg/ov8/MnbxFDJqf/pDePbBnuBDcjsI8PssmjoKMAz4LtLaVi+OnSb5FK/yIOamqDwGmXW32g=="],
-
-    "@img/sharp-libvips-linux-arm64": ["@img/sharp-libvips-linux-arm64@1.0.4", "", { "os": "linux", "cpu": "arm64" }, "sha512-9B+taZ8DlyyqzZQnoeIvDVR/2F4EbMepXMc/NdVbkzsJbzkUjhXv/70GQJ7tdLA4YJgNP25zukcxpX2/SueNrA=="],
-
-    "@img/sharp-libvips-linux-x64": ["@img/sharp-libvips-linux-x64@1.0.4", "", { "os": "linux", "cpu": "x64" }, "sha512-MmWmQ3iPFZr0Iev+BAgVMb3ZyC4KeFc3jFxnNbEPas60e1cIfevbtuyf9nDGIzOaW9PdnDciJm+wFFaTlj5xYw=="],
-
-    "@img/sharp-libvips-linuxmusl-arm64": ["@img/sharp-libvips-linuxmusl-arm64@1.0.4", "", { "os": "linux", "cpu": "arm64" }, "sha512-9Ti+BbTYDcsbp4wfYib8Ctm1ilkugkA/uscUn6UXK1ldpC1JjiXbLfFZtRlBhjPZ5o1NCLiDbg8fhUPKStHoTA=="],
-
-    "@img/sharp-libvips-linuxmusl-x64": ["@img/sharp-libvips-linuxmusl-x64@1.0.4", "", { "os": "linux", "cpu": "x64" }, "sha512-viYN1KX9m+/hGkJtvYYp+CCLgnJXwiQB39damAO7WMdKWlIhmYTfHjwSbQeUK/20vY154mwezd9HflVFM1wVSw=="],
-
-    "@img/sharp-linux-arm": ["@img/sharp-linux-arm@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-linux-arm": "1.0.5" }, "os": "linux", "cpu": "arm" }, "sha512-JTS1eldqZbJxjvKaAkxhZmBqPRGmxgu+qFKSInv8moZ2AmT5Yib3EQ1c6gp493HvrvV8QgdOXdyaIBrhvFhBMQ=="],
-
-    "@img/sharp-linux-arm64": ["@img/sharp-linux-arm64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-linux-arm64": "1.0.4" }, "os": "linux", "cpu": "arm64" }, "sha512-JMVv+AMRyGOHtO1RFBiJy/MBsgz0x4AWrT6QoEVVTyh1E39TrCUpTRI7mx9VksGX4awWASxqCYLCV4wBZHAYxA=="],
-
-    "@img/sharp-linux-x64": ["@img/sharp-linux-x64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-linux-x64": "1.0.4" }, "os": "linux", "cpu": "x64" }, "sha512-opC+Ok5pRNAzuvq1AG0ar+1owsu842/Ab+4qvU879ippJBHvyY5n2mxF1izXqkPYlGuP/M556uh53jRLJmzTWA=="],
-
-    "@img/sharp-linuxmusl-arm64": ["@img/sharp-linuxmusl-arm64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-linuxmusl-arm64": "1.0.4" }, "os": "linux", "cpu": "arm64" }, "sha512-XrHMZwGQGvJg2V/oRSUfSAfjfPxO+4DkiRh6p2AFjLQztWUuY/o8Mq0eMQVIY7HJ1CDQUJlxGGZRw1a5bqmd1g=="],
-
-    "@img/sharp-linuxmusl-x64": ["@img/sharp-linuxmusl-x64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-linuxmusl-x64": "1.0.4" }, "os": "linux", "cpu": "x64" }, "sha512-WT+d/cgqKkkKySYmqoZ8y3pxx7lx9vVejxW/W4DOFMYVSkErR+w7mf2u8m/y4+xHe7yY9DAXQMWQhpnMuFfScw=="],
-
-    "@img/sharp-win32-x64": ["@img/sharp-win32-x64@0.33.5", "", { "os": "win32", "cpu": "x64" }, "sha512-MpY/o8/8kj+EcnxwvrP4aTJSWw/aZ7JIGR4aBeZkZw5B7/Jn+tY9/VNwtcoGmdT7GfggGIU4kygOMSbYnOrAbg=="],
 
     "@types/bun": ["@types/bun@1.2.19", "", { "dependencies": { "bun-types": "1.2.19" } }, "sha512-d9ZCmrH3CJ2uYKXQIUuZ/pUnTqIvLDS0SK7pFmbx8ma+ziH/FRMoAq5bYpRG7y+w1gl+HgyNZbtqgMq4W4e2Lg=="],
 
@@ -69,22 +63,202 @@
 
     "@types/shell-quote": ["@types/shell-quote@1.7.5", "", {}, "sha512-+UE8GAGRPbJVQDdxi16dgadcBfQ+KG2vgZhV1+3A1XmHbmwcdwhCUwIdy+d3pAGrbvgRoVSjeI9vOWyq376Yzw=="],
 
+    "accepts": ["accepts@2.0.0", "", { "dependencies": { "mime-types": "^3.0.0", "negotiator": "^1.0.0" } }, "sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng=="],
+
+    "ajv": ["ajv@8.18.0", "", { "dependencies": { "fast-deep-equal": "^3.1.3", "fast-uri": "^3.0.1", "json-schema-traverse": "^1.0.0", "require-from-string": "^2.0.2" } }, "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A=="],
+
+    "ajv-formats": ["ajv-formats@3.0.1", "", { "dependencies": { "ajv": "^8.0.0" } }, "sha512-8iUql50EUR+uUcdRQ3HDqa6EVyo3docL8g5WJ3FNcWmu62IbkGUue/pEyLBW8VGKKucTPgqeks4fIU1DA4yowQ=="],
+
+    "body-parser": ["body-parser@2.2.2", "", { "dependencies": { "bytes": "^3.1.2", "content-type": "^1.0.5", "debug": "^4.4.3", "http-errors": "^2.0.0", "iconv-lite": "^0.7.0", "on-finished": "^2.4.1", "qs": "^6.14.1", "raw-body": "^3.0.1", "type-is": "^2.0.1" } }, "sha512-oP5VkATKlNwcgvxi0vM0p/D3n2C3EReYVX+DNYs5TjZFn/oQt2j+4sVJtSMr18pdRr8wjTcBl6LoV+FUwzPmNA=="],
+
     "bun-types": ["bun-types@1.2.19", "", { "dependencies": { "@types/node": "*" }, "peerDependencies": { "@types/react": "^19" } }, "sha512-uAOTaZSPuYsWIXRpj7o56Let0g/wjihKCkeRqUBhlLVM/Bt+Fj9xTo+LhC1OV1XDaGkz4hNC80et5xgy+9KTHQ=="],
 
+    "bytes": ["bytes@3.1.2", "", {}, "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg=="],
+
+    "call-bind-apply-helpers": ["call-bind-apply-helpers@1.0.2", "", { "dependencies": { "es-errors": "^1.3.0", "function-bind": "^1.1.2" } }, "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ=="],
+
+    "call-bound": ["call-bound@1.0.4", "", { "dependencies": { "call-bind-apply-helpers": "^1.0.2", "get-intrinsic": "^1.3.0" } }, "sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg=="],
+
+    "content-disposition": ["content-disposition@1.0.1", "", {}, "sha512-oIXISMynqSqm241k6kcQ5UwttDILMK4BiurCfGEREw6+X9jkkpEe5T9FZaApyLGGOnFuyMWZpdolTXMtvEJ08Q=="],
+
+    "content-type": ["content-type@1.0.5", "", {}, "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA=="],
+
+    "cookie": ["cookie@0.7.2", "", {}, "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w=="],
+
+    "cookie-signature": ["cookie-signature@1.2.2", "", {}, "sha512-D76uU73ulSXrD1UXF4KE2TMxVVwhsnCgfAyTg9k8P6KGZjlXKrOLe4dJQKI3Bxi5wjesZoFXJWElNWBjPZMbhg=="],
+
+    "cors": ["cors@2.8.6", "", { "dependencies": { "object-assign": "^4", "vary": "^1" } }, "sha512-tJtZBBHA6vjIAaF6EnIaq6laBBP9aq/Y3ouVJjEfoHbRBcHBAHYcMh/w8LDrk2PvIMMq8gmopa5D4V8RmbrxGw=="],
+
+    "cross-spawn": ["cross-spawn@7.0.6", "", { "dependencies": { "path-key": "^3.1.0", "shebang-command": "^2.0.0", "which": "^2.0.1" } }, "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA=="],
+
     "csstype": ["csstype@3.1.3", "", {}, "sha512-M1uQkMl8rQK/szD0LNhtqxIPLpimGm8sOBwU7lLnCpSbTyY3yeU1Vc7l4KT5zT4s/yOxHH5O7tIuuLOCnLADRw=="],
 
+    "debug": ["debug@4.4.3", "", { "dependencies": { "ms": "^2.1.3" } }, "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA=="],
+
+    "depd": ["depd@2.0.0", "", {}, "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw=="],
+
+    "dunder-proto": ["dunder-proto@1.0.1", "", { "dependencies": { "call-bind-apply-helpers": "^1.0.1", "es-errors": "^1.3.0", "gopd": "^1.2.0" } }, "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A=="],
+
+    "ee-first": ["ee-first@1.1.1", "", {}, "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow=="],
+
+    "encodeurl": ["encodeurl@2.0.0", "", {}, "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg=="],
+
+    "es-define-property": ["es-define-property@1.0.1", "", {}, "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g=="],
+
+    "es-errors": ["es-errors@1.3.0", "", {}, "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw=="],
+
+    "es-object-atoms": ["es-object-atoms@1.1.1", "", { "dependencies": { "es-errors": "^1.3.0" } }, "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA=="],
+
+    "escape-html": ["escape-html@1.0.3", "", {}, "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow=="],
+
+    "etag": ["etag@1.8.1", "", {}, "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg=="],
+
+    "eventsource": ["eventsource@3.0.7", "", { "dependencies": { "eventsource-parser": "^3.0.1" } }, "sha512-CRT1WTyuQoD771GW56XEZFQ/ZoSfWid1alKGDYMmkt2yl8UXrVR4pspqWNEcqKvVIzg6PAltWjxcSSPrboA4iA=="],
+
+    "eventsource-parser": ["eventsource-parser@3.0.6", "", {}, "sha512-Vo1ab+QXPzZ4tCa8SwIHJFaSzy4R6SHf7BY79rFBDf0idraZWAkYrDjDj8uWaSm3S2TK+hJ7/t1CEmZ7jXw+pg=="],
+
+    "express": ["express@5.2.1", "", { "dependencies": { "accepts": "^2.0.0", "body-parser": "^2.2.1", "content-disposition": "^1.0.0", "content-type": "^1.0.5", "cookie": "^0.7.1", "cookie-signature": "^1.2.1", "debug": "^4.4.0", "depd": "^2.0.0", "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "etag": "^1.8.1", "finalhandler": "^2.1.0", "fresh": "^2.0.0", "http-errors": "^2.0.0", "merge-descriptors": "^2.0.0", "mime-types": "^3.0.0", "on-finished": "^2.4.1", "once": "^1.4.0", "parseurl": "^1.3.3", "proxy-addr": "^2.0.7", "qs": "^6.14.0", "range-parser": "^1.2.1", "router": "^2.2.0", "send": "^1.1.0", "serve-static": "^2.2.0", "statuses": "^2.0.1", "type-is": "^2.0.1", "vary": "^1.1.2" } }, "sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw=="],
+
+    "express-rate-limit": ["express-rate-limit@8.3.1", "", { "dependencies": { "ip-address": "10.1.0" }, "peerDependencies": { "express": ">= 4.11" } }, "sha512-D1dKN+cmyPWuvB+G2SREQDzPY1agpBIcTa9sJxOPMCNeH3gwzhqJRDWCXW3gg0y//+LQ/8j52JbMROWyrKdMdw=="],
+
+    "fast-deep-equal": ["fast-deep-equal@3.1.3", "", {}, "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q=="],
+
+    "fast-uri": ["fast-uri@3.1.0", "", {}, "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA=="],
+
+    "finalhandler": ["finalhandler@2.1.1", "", { "dependencies": { "debug": "^4.4.0", "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "on-finished": "^2.4.1", "parseurl": "^1.3.3", "statuses": "^2.0.1" } }, "sha512-S8KoZgRZN+a5rNwqTxlZZePjT/4cnm0ROV70LedRHZ0p8u9fRID0hJUZQpkKLzro8LfmC8sx23bY6tVNxv8pQA=="],
+
+    "forwarded": ["forwarded@0.2.0", "", {}, "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow=="],
+
+    "fresh": ["fresh@2.0.0", "", {}, "sha512-Rx/WycZ60HOaqLKAi6cHRKKI7zxWbJ31MhntmtwMoaTeF7XFH9hhBp8vITaMidfljRQ6eYWCKkaTK+ykVJHP2A=="],
+
+    "function-bind": ["function-bind@1.1.2", "", {}, "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA=="],
+
+    "get-intrinsic": ["get-intrinsic@1.3.0", "", { "dependencies": { "call-bind-apply-helpers": "^1.0.2", "es-define-property": "^1.0.1", "es-errors": "^1.3.0", "es-object-atoms": "^1.1.1", "function-bind": "^1.1.2", "get-proto": "^1.0.1", "gopd": "^1.2.0", "has-symbols": "^1.1.0", "hasown": "^2.0.2", "math-intrinsics": "^1.1.0" } }, "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ=="],
+
+    "get-proto": ["get-proto@1.0.1", "", { "dependencies": { "dunder-proto": "^1.0.1", "es-object-atoms": "^1.0.0" } }, "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g=="],
+
+    "gopd": ["gopd@1.2.0", "", {}, "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg=="],
+
+    "has-symbols": ["has-symbols@1.1.0", "", {}, "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ=="],
+
+    "hasown": ["hasown@2.0.2", "", { "dependencies": { "function-bind": "^1.1.2" } }, "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ=="],
+
+    "hono": ["hono@4.12.9", "", {}, "sha512-wy3T8Zm2bsEvxKZM5w21VdHDDcwVS1yUFFY6i8UobSsKfFceT7TOwhbhfKsDyx7tYQlmRM5FLpIuYvNFyjctiA=="],
+
+    "http-errors": ["http-errors@2.0.1", "", { "dependencies": { "depd": "~2.0.0", "inherits": "~2.0.4", "setprototypeof": "~1.2.0", "statuses": "~2.0.2", "toidentifier": "~1.0.1" } }, "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ=="],
+
+    "iconv-lite": ["iconv-lite@0.7.2", "", { "dependencies": { "safer-buffer": ">= 2.1.2 < 3.0.0" } }, "sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw=="],
+
+    "inherits": ["inherits@2.0.4", "", {}, "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ=="],
+
+    "ip-address": ["ip-address@10.1.0", "", {}, "sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q=="],
+
+    "ipaddr.js": ["ipaddr.js@1.9.1", "", {}, "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g=="],
+
+    "is-promise": ["is-promise@4.0.0", "", {}, "sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ=="],
+
+    "isexe": ["isexe@2.0.0", "", {}, "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw=="],
+
+    "jose": ["jose@6.2.2", "", {}, "sha512-d7kPDd34KO/YnzaDOlikGpOurfF0ByC2sEV4cANCtdqLlTfBlw2p14O/5d/zv40gJPbIQxfES3nSx1/oYNyuZQ=="],
+
+    "json-schema-to-ts": ["json-schema-to-ts@3.1.1", "", { "dependencies": { "@babel/runtime": "^7.18.3", "ts-algebra": "^2.0.0" } }, "sha512-+DWg8jCJG2TEnpy7kOm/7/AxaYoaRbjVB4LFZLySZlWn8exGs3A4OLJR966cVvU26N7X9TWxl+Jsw7dzAqKT6g=="],
+
+    "json-schema-traverse": ["json-schema-traverse@1.0.0", "", {}, "sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug=="],
+
+    "json-schema-typed": ["json-schema-typed@8.0.2", "", {}, "sha512-fQhoXdcvc3V28x7C7BMs4P5+kNlgUURe2jmUT1T//oBRMDrqy1QPelJimwZGo7Hg9VPV3EQV5Bnq4hbFy2vetA=="],
+
+    "math-intrinsics": ["math-intrinsics@1.1.0", "", {}, "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g=="],
+
+    "media-typer": ["media-typer@1.1.0", "", {}, "sha512-aisnrDP4GNe06UcKFnV5bfMNPBUw4jsLGaWwWfnH3v02GnBuXX2MCVn5RbrWo0j3pczUilYblq7fQ7Nw2t5XKw=="],
+
+    "merge-descriptors": ["merge-descriptors@2.0.0", "", {}, "sha512-Snk314V5ayFLhp3fkUREub6WtjBfPdCPY1Ln8/8munuLuiYhsABgBVWsozAG+MWMbVEvcdcpbi9R7ww22l9Q3g=="],
+
+    "mime-db": ["mime-db@1.54.0", "", {}, "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ=="],
+
+    "mime-types": ["mime-types@3.0.2", "", { "dependencies": { "mime-db": "^1.54.0" } }, "sha512-Lbgzdk0h4juoQ9fCKXW4by0UJqj+nOOrI9MJ1sSj4nI8aI2eo1qmvQEie4VD1glsS250n15LsWsYtCugiStS5A=="],
+
+    "ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="],
+
+    "negotiator": ["negotiator@1.0.0", "", {}, "sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg=="],
+
+    "object-assign": ["object-assign@4.1.1", "", {}, "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg=="],
+
+    "object-inspect": ["object-inspect@1.13.4", "", {}, "sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew=="],
+
+    "on-finished": ["on-finished@2.4.1", "", { "dependencies": { "ee-first": "1.1.1" } }, "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg=="],
+
+    "once": ["once@1.4.0", "", { "dependencies": { "wrappy": "1" } }, "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w=="],
+
+    "parseurl": ["parseurl@1.3.3", "", {}, "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ=="],
+
+    "path-key": ["path-key@3.1.1", "", {}, "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q=="],
+
+    "path-to-regexp": ["path-to-regexp@8.4.0", "", {}, "sha512-PuseHIvAnz3bjrM2rGJtSgo1zjgxapTLZ7x2pjhzWwlp4SJQgK3f3iZIQwkpEnBaKz6seKBADpM4B4ySkuYypg=="],
+
+    "pkce-challenge": ["pkce-challenge@5.0.1", "", {}, "sha512-wQ0b/W4Fr01qtpHlqSqspcj3EhBvimsdh0KlHhH8HRZnMsEa0ea2fTULOXOS9ccQr3om+GcGRk4e+isrZWV8qQ=="],
+
     "prettier": ["prettier@3.5.3", "", { "bin": { "prettier": "bin/prettier.cjs" } }, "sha512-QQtaxnoDJeAkDvDKWCLiwIXkTgRhwYDEQCghU9Z6q03iyek/rxRh/2lC3HB7P8sWT2xC/y5JDctPLBIGzHKbhw=="],
 
+    "proxy-addr": ["proxy-addr@2.0.7", "", { "dependencies": { "forwarded": "0.2.0", "ipaddr.js": "1.9.1" } }, "sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg=="],
+
+    "qs": ["qs@6.15.0", "", { "dependencies": { "side-channel": "^1.1.0" } }, "sha512-mAZTtNCeetKMH+pSjrb76NAM8V9a05I9aBZOHztWy/UqcJdQYNsf59vrRKWnojAT9Y+GbIvoTBC++CPHqpDBhQ=="],
+
+    "range-parser": ["range-parser@1.2.1", "", {}, "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg=="],
+
+    "raw-body": ["raw-body@3.0.2", "", { "dependencies": { "bytes": "~3.1.2", "http-errors": "~2.0.1", "iconv-lite": "~0.7.0", "unpipe": "~1.0.0" } }, "sha512-K5zQjDllxWkf7Z5xJdV0/B0WTNqx6vxG70zJE4N0kBs4LovmEYWJzQGxC9bS9RAKu3bgM40lrd5zoLJ12MQ5BA=="],
+
+    "require-from-string": ["require-from-string@2.0.2", "", {}, "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw=="],
+
+    "router": ["router@2.2.0", "", { "dependencies": { "debug": "^4.4.0", "depd": "^2.0.0", "is-promise": "^4.0.0", "parseurl": "^1.3.3", "path-to-regexp": "^8.0.0" } }, "sha512-nLTrUKm2UyiL7rlhapu/Zl45FwNgkZGaCpZbIHajDYgwlJCOzLSk+cIPAnsEqV955GjILJnKbdQC1nVPz+gAYQ=="],
+
+    "safer-buffer": ["safer-buffer@2.1.2", "", {}, "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="],
+
+    "send": ["send@1.2.1", "", { "dependencies": { "debug": "^4.4.3", "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "etag": "^1.8.1", "fresh": "^2.0.0", "http-errors": "^2.0.1", "mime-types": "^3.0.2", "ms": "^2.1.3", "on-finished": "^2.4.1", "range-parser": "^1.2.1", "statuses": "^2.0.2" } }, "sha512-1gnZf7DFcoIcajTjTwjwuDjzuz4PPcY2StKPlsGAQ1+YH20IRVrBaXSWmdjowTJ6u8Rc01PoYOGHXfP1mYcZNQ=="],
+
+    "serve-static": ["serve-static@2.2.1", "", { "dependencies": { "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "parseurl": "^1.3.3", "send": "^1.2.0" } }, "sha512-xRXBn0pPqQTVQiC8wyQrKs2MOlX24zQ0POGaj0kultvoOCstBQM5yvOhAVSUwOMjQtTvsPWoNCHfPGwaaQJhTw=="],
+
+    "setprototypeof": ["setprototypeof@1.2.0", "", {}, "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw=="],
+
+    "shebang-command": ["shebang-command@2.0.0", "", { "dependencies": { "shebang-regex": "^3.0.0" } }, "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA=="],
+
+    "shebang-regex": ["shebang-regex@3.0.0", "", {}, "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A=="],
+
     "shell-quote": ["shell-quote@1.8.3", "", {}, "sha512-ObmnIF4hXNg1BqhnHmgbDETF8dLPCggZWBjkQfhZpbszZnYur5DUljTcCHii5LC3J5E0yeO/1LIMyH+UvHQgyw=="],
 
+    "side-channel": ["side-channel@1.1.0", "", { "dependencies": { "es-errors": "^1.3.0", "object-inspect": "^1.13.3", "side-channel-list": "^1.0.0", "side-channel-map": "^1.0.1", "side-channel-weakmap": "^1.0.2" } }, "sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw=="],
+
+    "side-channel-list": ["side-channel-list@1.0.0", "", { "dependencies": { "es-errors": "^1.3.0", "object-inspect": "^1.13.3" } }, "sha512-FCLHtRD/gnpCiCHEiJLOwdmFP+wzCmDEkc9y7NsYxeF4u7Btsn1ZuwgwJGxImImHicJArLP4R0yX4c2KCrMrTA=="],
+
+    "side-channel-map": ["side-channel-map@1.0.1", "", { "dependencies": { "call-bound": "^1.0.2", "es-errors": "^1.3.0", "get-intrinsic": "^1.2.5", "object-inspect": "^1.13.3" } }, "sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA=="],
+
+    "side-channel-weakmap": ["side-channel-weakmap@1.0.2", "", { "dependencies": { "call-bound": "^1.0.2", "es-errors": "^1.3.0", "get-intrinsic": "^1.2.5", "object-inspect": "^1.13.3", "side-channel-map": "^1.0.1" } }, "sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A=="],
+
+    "statuses": ["statuses@2.0.2", "", {}, "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw=="],
+
+    "toidentifier": ["toidentifier@1.0.1", "", {}, "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA=="],
+
+    "ts-algebra": ["ts-algebra@2.0.0", "", {}, "sha512-FPAhNPFMrkwz76P7cdjdmiShwMynZYN6SgOujD1urY4oNm80Ou9oMdmbR45LotcKOXoy7wSmHkRFE6Mxbrhefw=="],
+
     "tunnel": ["tunnel@0.0.6", "", {}, "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg=="],
 
+    "type-is": ["type-is@2.0.1", "", { "dependencies": { "content-type": "^1.0.5", "media-typer": "^1.1.0", "mime-types": "^3.0.0" } }, "sha512-OZs6gsjF4vMp32qrCbiVSkrFmXtG/AZhY3t0iAMrMBiAZyV9oALtXO8hsrHbMXF9x6L3grlFuwW2oAz7cav+Gw=="],
+
     "typescript": ["typescript@5.8.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ=="],
 
     "undici": ["undici@5.29.0", "", { "dependencies": { "@fastify/busboy": "^2.0.0" } }, "sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg=="],
 
     "undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="],
 
+    "unpipe": ["unpipe@1.0.0", "", {}, "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ=="],
+
+    "vary": ["vary@1.1.2", "", {}, "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg=="],
+
+    "which": ["which@2.0.2", "", { "dependencies": { "isexe": "^2.0.0" }, "bin": { "node-which": "./bin/node-which" } }, "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA=="],
+
+    "wrappy": ["wrappy@1.0.2", "", {}, "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="],
+
     "zod": ["zod@3.25.76", "", {}, "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ=="],
+
+    "zod-to-json-schema": ["zod-to-json-schema@3.25.2", "", { "peerDependencies": { "zod": "^3.25.28 || ^4" } }, "sha512-O/PgfnpT1xKSDeQYSCfRI5Gy3hPf91mKVDuYLUHZJMiDFptvP41MSnWofm8dnCm0256ZNfZIM7DSzuSMAFnjHA=="],
   }
 }

base-action/package.json

@@ -11,7 +11,7 @@
   },
   "dependencies": {
     "@actions/core": "^1.10.1",
-    "@anthropic-ai/claude-agent-sdk": "^0.2.20",
+    "@anthropic-ai/claude-agent-sdk": "^0.2.123",
     "shell-quote": "^1.8.3"
   },
   "devDependencies": {

base-action/src/index.ts

@@ -11,6 +11,14 @@ async function run() {
   try {
     validateEnvironmentVariables();
 
+    // The composite action's "Install Claude Code" step writes the binary to
+    // ~/.local/bin/claude. Pass that path explicitly so the Agent SDK doesn't
+    // fall back to its bundled platform package, which bun may resolve to the
+    // wrong libc variant on Linux.
+    const claudeExecutable =
+      process.env.INPUT_PATH_TO_CLAUDE_CODE_EXECUTABLE ||
+      `${process.env.HOME}/.local/bin/claude`;
+
     await setupClaudeCodeSettings(
       process.env.INPUT_SETTINGS,
       undefined, // homeDir
@@ -20,7 +28,7 @@ async function run() {
     await installPlugins(
       process.env.INPUT_PLUGIN_MARKETPLACES,
       process.env.INPUT_PLUGINS,
-      process.env.INPUT_PATH_TO_CLAUDE_CODE_EXECUTABLE,
+      claudeExecutable,
     );
 
     const promptConfig = await preparePrompt({
@@ -28,7 +36,7 @@ async function run() {
       promptFile: process.env.INPUT_PROMPT_FILE || "",
     });
 
-    await runClaude(promptConfig.path, {
+    const result = await runClaude(promptConfig.path, {
       claudeArgs: process.env.INPUT_CLAUDE_ARGS,
       allowedTools: process.env.INPUT_ALLOWED_TOOLS,
       disallowedTools: process.env.INPUT_DISALLOWED_TOOLS,
@@ -38,10 +46,21 @@ async function run() {
       appendSystemPrompt: process.env.INPUT_APPEND_SYSTEM_PROMPT,
       fallbackModel: process.env.INPUT_FALLBACK_MODEL,
       model: process.env.ANTHROPIC_MODEL,
-      pathToClaudeCodeExecutable:
+      pathToClaudeCodeExecutable: claudeExecutable,
-        process.env.INPUT_PATH_TO_CLAUDE_CODE_EXECUTABLE,
       showFullOutput: process.env.INPUT_SHOW_FULL_OUTPUT,
     });
+
+    // Set outputs for the standalone base-action
+    core.setOutput("conclusion", result.conclusion);
+    if (result.executionFile) {
+      core.setOutput("execution_file", result.executionFile);
+    }
+    if (result.sessionId) {
+      core.setOutput("session_id", result.sessionId);
+    }
+    if (result.structuredOutput) {
+      core.setOutput("structured_output", result.structuredOutput);
+    }
   } catch (error) {
     core.setFailed(`Action failed with error: ${error}`);
     core.setOutput("conclusion", "failure");

base-action/src/parse-sdk-options.ts

@@ -79,6 +79,20 @@ function mergeMcpConfigs(configValues: string[]): string {
   return JSON.stringify(merged);
 }
 
+/**
+ * Strip comment lines from a shell argument string.
+ * Lines whose first non-whitespace character is `#` are removed entirely.
+ * Inline `#` within a line (e.g. inside a quoted value) is left untouched
+ * because shell-quote handles quoting — we only need to remove full comment lines
+ * before shell-quote sees them.
+ */
+function stripShellComments(input: string): string {
+  return input
+    .split("\n")
+    .filter((line) => !line.trim().startsWith("#"))
+    .join("\n");
+}
+
 /**
  * Parse claudeArgs string into extraArgs record for SDK pass-through
  * The SDK/CLI will handle --mcp-config, --json-schema, etc.
@@ -92,7 +106,7 @@ function parseClaudeArgsToExtraArgs(
   if (!claudeArgs?.trim()) return {};
 
   const result: Record<string, string | null> = {};
-  const args = parseShellArgs(claudeArgs).filter(
+  const args = parseShellArgs(stripShellComments(claudeArgs)).filter(
     (arg): arg is string => typeof arg === "string",
   );
 
@@ -215,6 +229,12 @@ export function parseSdkOptions(options: ClaudeOptions): ParsedSdkOptions {
   // Set the entrypoint for Claude Code to identify this as the GitHub Action
   env.CLAUDE_CODE_ENTRYPOINT = "claude-code-github-action";
 
+  // Remove OIDC token request variables so Claude cannot mint new tokens.
+  // These are only needed by the action itself (via @actions/core.getIDToken()),
+  // not by the Claude session.
+  delete env.ACTIONS_ID_TOKEN_REQUEST_URL;
+  delete env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
+
   // Build system prompt option - default to claude_code preset
   let systemPrompt: SdkOptions["systemPrompt"];
   if (options.systemPrompt) {

base-action/src/run-claude-sdk.ts

@@ -9,6 +9,13 @@ import type {
 } from "@anthropic-ai/claude-agent-sdk";
 import type { ParsedSdkOptions } from "./parse-sdk-options";
 
+export type ClaudeRunResult = {
+  executionFile?: string;
+  sessionId?: string;
+  conclusion: "success" | "failure";
+  structuredOutput?: string;
+};
+
 const EXECUTION_FILE = `${process.env.RUNNER_TEMP}/claude-execution-output.json`;
 
 /** Filename for the user request file, written by prompt generation */
@@ -112,7 +119,7 @@ function sanitizeSdkOutput(
         duration_ms: resultMsg.duration_ms,
         num_turns: resultMsg.num_turns,
         total_cost_usd: resultMsg.total_cost_usd,
-        permission_denials: resultMsg.permission_denials,
+        permission_denials_count: resultMsg.permission_denials?.length ?? 0,
       },
       null,
       2,
@@ -129,7 +136,7 @@ function sanitizeSdkOutput(
 export async function runClaudeWithSdk(
   promptPath: string,
   { sdkOptions, showFullOutput, hasJsonSchema }: ParsedSdkOptions,
-): Promise<void> {
+): Promise<ClaudeRunResult> {
   // Create prompt configuration - may be a string or multi-block message
   const prompt = await createPromptConfig(promptPath, showFullOutput);
 
@@ -144,7 +151,7 @@ export async function runClaudeWithSdk(
 
   console.log(`Running Claude with prompt from file: ${promptPath}`);
   // Log SDK options without env (which could contain sensitive data)
-  const { env, ...optionsToLog } = sdkOptions;
+  const { env, extraArgs, ...optionsToLog } = sdkOptions;
   console.log("SDK options:", JSON.stringify(optionsToLog, null, 2));
 
   const messages: SDKMessage[] = [];
@@ -165,36 +172,38 @@ export async function runClaudeWithSdk(
     }
   } catch (error) {
     console.error("SDK execution error:", error);
-    core.setOutput("conclusion", "failure");
+    throw new Error(`SDK execution error: ${error}`);
-    process.exit(1);
   }
 
+  const result: ClaudeRunResult = {
+    conclusion: "failure",
+  };
+
   // Write execution file
   try {
     await writeFile(EXECUTION_FILE, JSON.stringify(messages, null, 2));
     console.log(`Log saved to ${EXECUTION_FILE}`);
-    core.setOutput("execution_file", EXECUTION_FILE);
+    result.executionFile = EXECUTION_FILE;
   } catch (error) {
     core.warning(`Failed to write execution file: ${error}`);
   }
 
-  // Extract and set session_id from system.init message
+  // Extract session_id from system.init message
   const initMessage = messages.find(
     (m) => m.type === "system" && "subtype" in m && m.subtype === "init",
   );
   if (initMessage && "session_id" in initMessage && initMessage.session_id) {
-    core.setOutput("session_id", initMessage.session_id);
+    result.sessionId = initMessage.session_id as string;
-    core.info(`Set session_id: ${initMessage.session_id}`);
+    core.info(`Set session_id: ${result.sessionId}`);
   }
 
   if (!resultMessage) {
-    core.setOutput("conclusion", "failure");
     core.error("No result message received from Claude");
-    process.exit(1);
+    throw new Error("No result message received from Claude");
   }
 
   const isSuccess = resultMessage.subtype === "success";
-  core.setOutput("conclusion", isSuccess ? "success" : "failure");
+  result.conclusion = isSuccess ? "success" : "failure";
 
   // Handle structured output
   if (hasJsonSchema) {
@@ -203,10 +212,7 @@ export async function runClaudeWithSdk(
       "structured_output" in resultMessage &&
       resultMessage.structured_output
     ) {
-      const structuredOutputJson = JSON.stringify(
+      result.structuredOutput = JSON.stringify(resultMessage.structured_output);
-        resultMessage.structured_output,
-      );
-      core.setOutput("structured_output", structuredOutputJson);
       core.info(
         `Set structured_output with ${Object.keys(resultMessage.structured_output as object).length} field(s)`,
       );
@@ -214,8 +220,10 @@ export async function runClaudeWithSdk(
       core.setFailed(
         `--json-schema was provided but Claude did not return structured_output. Result subtype: ${resultMessage.subtype}`,
       );
-      core.setOutput("conclusion", "failure");
+      result.conclusion = "failure";
-      process.exit(1);
+      throw new Error(
+        `--json-schema was provided but Claude did not return structured_output. Result subtype: ${resultMessage.subtype}`,
+      );
     }
   }
 
@@ -223,6 +231,14 @@ export async function runClaudeWithSdk(
     if ("errors" in resultMessage && resultMessage.errors) {
       core.error(`Execution failed: ${resultMessage.errors.join(", ")}`);
     }
-    process.exit(1);
+    throw new Error(
+      `Claude execution failed: ${
+        "errors" in resultMessage && resultMessage.errors
+          ? resultMessage.errors.join(", ")
+          : "unknown error"
+      }`,
+    );
   }
+
+  return result;
 }

base-action/src/run-claude.ts

@@ -1,4 +1,5 @@
 import { runClaudeWithSdk } from "./run-claude-sdk";
+import type { ClaudeRunResult } from "./run-claude-sdk";
 import { parseSdkOptions } from "./parse-sdk-options";
 
 export type ClaudeOptions = {
@@ -15,7 +16,10 @@ export type ClaudeOptions = {
   showFullOutput?: string;
 };
 
-export async function runClaude(promptPath: string, options: ClaudeOptions) {
+export async function runClaude(
+  promptPath: string,
+  options: ClaudeOptions,
+): Promise<ClaudeRunResult> {
   const parsedOptions = parseSdkOptions(options);
   return runClaudeWithSdk(promptPath, parsedOptions);
 }

base-action/test/parse-sdk-options.test.ts

@@ -312,4 +312,114 @@ describe("parseSdkOptions", () => {
       expect(result.hasJsonSchema).toBe(true);
     });
   });
+
+  describe("shell comment stripping", () => {
+    test("should parse flags before and after a comment line", () => {
+      const options: ClaudeOptions = {
+        claudeArgs: "--model 'claude-haiku'\n# comment\n--allowed-tools 'Edit'",
+      };
+
+      const result = parseSdkOptions(options);
+
+      expect(result.sdkOptions.extraArgs?.["model"]).toBe("claude-haiku");
+      expect(result.sdkOptions.allowedTools).toEqual(["Edit"]);
+    });
+
+    test("should parse flags correctly when no comments are present", () => {
+      const options: ClaudeOptions = {
+        claudeArgs: "--model 'claude-haiku'",
+      };
+
+      const result = parseSdkOptions(options);
+
+      expect(result.sdkOptions.extraArgs?.["model"]).toBe("claude-haiku");
+    });
+
+    test("should not strip inline # that appears inside a quoted value", () => {
+      const options: ClaudeOptions = {
+        claudeArgs: "--model 'claude-haiku' --prompt 'use color #ff0000'",
+      };
+
+      const result = parseSdkOptions(options);
+
+      expect(result.sdkOptions.extraArgs?.["model"]).toBe("claude-haiku");
+      expect(result.sdkOptions.extraArgs?.["prompt"]).toBe("use color #ff0000");
+    });
+  });
+
+  describe("environment variables passthrough", () => {
+    test("should include OTEL environment variables in sdkOptions.env", () => {
+      // Set up test environment variables
+      const originalEnv = { ...process.env };
+      process.env.CLAUDE_CODE_ENABLE_TELEMETRY = "1";
+      process.env.OTEL_METRICS_EXPORTER = "otlp";
+      process.env.OTEL_LOGS_EXPORTER = "otlp";
+      process.env.OTEL_EXPORTER_OTLP_PROTOCOL = "http/json";
+      process.env.OTEL_EXPORTER_OTLP_ENDPOINT = "https://example.com";
+      process.env.OTEL_EXPORTER_OTLP_HEADERS =
+        "Authorization=Bearer test-token";
+      process.env.OTEL_METRIC_EXPORT_INTERVAL = "10000";
+      process.env.OTEL_LOGS_EXPORT_INTERVAL = "5000";
+      process.env.OTEL_RESOURCE_ATTRIBUTES = "department=test";
+
+      try {
+        const options: ClaudeOptions = {};
+        const result = parseSdkOptions(options);
+
+        // Verify OTEL env vars are passed through to sdkOptions.env
+        expect(result.sdkOptions.env?.CLAUDE_CODE_ENABLE_TELEMETRY).toBe("1");
+        expect(result.sdkOptions.env?.OTEL_METRICS_EXPORTER).toBe("otlp");
+        expect(result.sdkOptions.env?.OTEL_LOGS_EXPORTER).toBe("otlp");
+        expect(result.sdkOptions.env?.OTEL_EXPORTER_OTLP_PROTOCOL).toBe(
+          "http/json",
+        );
+        expect(result.sdkOptions.env?.OTEL_EXPORTER_OTLP_ENDPOINT).toBe(
+          "https://example.com",
+        );
+        expect(result.sdkOptions.env?.OTEL_EXPORTER_OTLP_HEADERS).toBe(
+          "Authorization=Bearer test-token",
+        );
+        expect(result.sdkOptions.env?.OTEL_METRIC_EXPORT_INTERVAL).toBe(
+          "10000",
+        );
+        expect(result.sdkOptions.env?.OTEL_LOGS_EXPORT_INTERVAL).toBe("5000");
+        expect(result.sdkOptions.env?.OTEL_RESOURCE_ATTRIBUTES).toBe(
+          "department=test",
+        );
+      } finally {
+        // Restore original environment
+        process.env = originalEnv;
+      }
+    });
+
+    test("should set CLAUDE_CODE_ENTRYPOINT in sdkOptions.env", () => {
+      const options: ClaudeOptions = {};
+      const result = parseSdkOptions(options);
+
+      expect(result.sdkOptions.env?.CLAUDE_CODE_ENTRYPOINT).toBe(
+        "claude-code-github-action",
+      );
+    });
+
+    test("should strip ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN from env", () => {
+      const originalEnv = { ...process.env };
+      process.env.ACTIONS_ID_TOKEN_REQUEST_URL =
+        "https://token.actions.githubusercontent.com";
+      process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = "secret-token-value";
+
+      try {
+        const options: ClaudeOptions = {};
+        const result = parseSdkOptions(options);
+
+        expect(
+          result.sdkOptions.env?.ACTIONS_ID_TOKEN_REQUEST_URL,
+        ).toBeUndefined();
+        expect(
+          result.sdkOptions.env?.ACTIONS_ID_TOKEN_REQUEST_TOKEN,
+        ).toBeUndefined();
+      } finally {
+        process.env = originalEnv;
+      }
+    });
+  });
 });

bun.lock

@@ -7,7 +7,7 @@
       "dependencies": {
         "@actions/core": "^1.10.1",
         "@actions/github": "^6.0.1",
-        "@anthropic-ai/claude-agent-sdk": "^0.2.20",
+        "@anthropic-ai/claude-agent-sdk": "^0.2.123",
         "@modelcontextprotocol/sdk": "^1.11.0",
         "@octokit/graphql": "^8.2.2",
         "@octokit/rest": "^21.1.1",
@@ -37,39 +37,31 @@
 
     "@actions/io": ["@actions/io@1.1.3", "", {}, "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q=="],
 
-    "@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.2.20", "", { "optionalDependencies": { "@img/sharp-darwin-arm64": "^0.33.5", "@img/sharp-darwin-x64": "^0.33.5", "@img/sharp-linux-arm": "^0.33.5", "@img/sharp-linux-arm64": "^0.33.5", "@img/sharp-linux-x64": "^0.33.5", "@img/sharp-linuxmusl-arm64": "^0.33.5", "@img/sharp-linuxmusl-x64": "^0.33.5", "@img/sharp-win32-x64": "^0.33.5" }, "peerDependencies": { "zod": "^4.0.0" } }, "sha512-Q2rJlYC2hEhJRKcOswJrcvm0O6H/uhXkRPAAqbAlFR/jbCWeg6jpyr9iUmVBFUFOBzAWqT2C6KLHiTJ8NySvQg=="],
+    "@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.2.123", "", { "dependencies": { "@anthropic-ai/sdk": "^0.81.0", "@modelcontextprotocol/sdk": "^1.29.0" }, "optionalDependencies": { "@anthropic-ai/claude-agent-sdk-darwin-arm64": "0.2.123", "@anthropic-ai/claude-agent-sdk-darwin-x64": "0.2.123", "@anthropic-ai/claude-agent-sdk-linux-arm64": "0.2.123", "@anthropic-ai/claude-agent-sdk-linux-arm64-musl": "0.2.123", "@anthropic-ai/claude-agent-sdk-linux-x64": "0.2.123", "@anthropic-ai/claude-agent-sdk-linux-x64-musl": "0.2.123", "@anthropic-ai/claude-agent-sdk-win32-arm64": "0.2.123", "@anthropic-ai/claude-agent-sdk-win32-x64": "0.2.123" }, "peerDependencies": { "zod": "^4.0.0" } }, "sha512-a4TysYoR9DBdkM9Uwh4J5ub7TwKmRPe5hFiWh4En+IKC+qkk5UFkxFM22c//cZjYZKynHX0ah2t6LUqb+najYA=="],
+
+    "@anthropic-ai/claude-agent-sdk-darwin-arm64": ["@anthropic-ai/claude-agent-sdk-darwin-arm64@0.2.123", "", { "os": "darwin", "cpu": "arm64" }, "sha512-tYAXCjlXZQklsUs0J//gip3fZQRzhlH5OCgvNXV70qe7A1iiwHqO2KPGvEHV1L+deEKQoMZmTaCOrQpN6zju3w=="],
+
+    "@anthropic-ai/claude-agent-sdk-darwin-x64": ["@anthropic-ai/claude-agent-sdk-darwin-x64@0.2.123", "", { "os": "darwin", "cpu": "x64" }, "sha512-AcUC6sTon6z6HculP87KsAOeTMRLBwpovdhcXUTjXUpo/8nplJ7lBEzWjZCHt8FF1KuN/WBy1Z4bDg/59TQDmA=="],
+
+    "@anthropic-ai/claude-agent-sdk-linux-arm64": ["@anthropic-ai/claude-agent-sdk-linux-arm64@0.2.123", "", { "os": "linux", "cpu": "arm64" }, "sha512-7+GnbcF3/aZ8RJ1WmU/ogtPsOpknBAoUPer90MvZuFYBLPT9iI/U7f24gjrOHuYdcbDA5n7jFlhcfIO26F5DJQ=="],
+
+    "@anthropic-ai/claude-agent-sdk-linux-arm64-musl": ["@anthropic-ai/claude-agent-sdk-linux-arm64-musl@0.2.123", "", { "os": "linux", "cpu": "arm64" }, "sha512-bYgRiaf2q+yVbGAoUluuhqrEW1zexL34+3HDmK9DneKXa2K2EJpw4M6Sq4XoBD/JezGaemoAP78Xv/M/QUS1OQ=="],
+
+    "@anthropic-ai/claude-agent-sdk-linux-x64": ["@anthropic-ai/claude-agent-sdk-linux-x64@0.2.123", "", { "os": "linux", "cpu": "x64" }, "sha512-Xi+Rwk8uP5vWEnawJOlsk179fr0ATLl5J90MlbLj+puKaX5svEq8ljS+P3zq6zHTJeKh9GKLzPf7bc5YJKwcew=="],
+
+    "@anthropic-ai/claude-agent-sdk-linux-x64-musl": ["@anthropic-ai/claude-agent-sdk-linux-x64-musl@0.2.123", "", { "os": "linux", "cpu": "x64" }, "sha512-IX95lFKhmmndY/YPfWPsVV+C3rLYJmuuq5wCS53p6jYIkCMxH1iGfhBGF1EUWcXO4Uc8yqXFmQ3aaxMzOOPrwA=="],
+
+    "@anthropic-ai/claude-agent-sdk-win32-arm64": ["@anthropic-ai/claude-agent-sdk-win32-arm64@0.2.123", "", { "os": "win32", "cpu": "arm64" }, "sha512-WDZmAQG1rOiqNLZlSXaCjSWmqJvLk2io+vFQWWqSy2b5HCk9pa3PadLiaLztiihyk81wPhH9Q/44kOxdyfEGMw=="],
+
+    "@anthropic-ai/claude-agent-sdk-win32-x64": ["@anthropic-ai/claude-agent-sdk-win32-x64@0.2.123", "", { "os": "win32", "cpu": "x64" }, "sha512-588xrd1i6d4kXQ6FqwL+cgBiN4evRQSi5DCtPa02CZ3VEbuVQBeFlyPlD8tfWtNNeGZ4NM8kjPNNzZz5omezPA=="],
+
+    "@anthropic-ai/sdk": ["@anthropic-ai/sdk@0.81.0", "", { "dependencies": { "json-schema-to-ts": "^3.1.1" }, "peerDependencies": { "zod": "^3.25.0 || ^4.0.0" }, "optionalPeers": ["zod"], "bin": { "anthropic-ai-sdk": "bin/cli" } }, "sha512-D4K5PvEV6wPiRtVlVsJHIUhHAmOZ6IT/I9rKlTf84gR7GyyAurPJK7z9BOf/AZqC5d1DhYQGJNKRmV+q8dGhgw=="],
+
+    "@babel/runtime": ["@babel/runtime@7.29.2", "", {}, "sha512-JiDShH45zKHWyGe4ZNVRrCjBz8Nh9TMmZG1kh4QTK8hCBTWBi8Da+i7s1fJw7/lYpM4ccepSNfqzZ/QvABBi5g=="],
 
     "@fastify/busboy": ["@fastify/busboy@2.1.1", "", {}, "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA=="],
 
-    "@img/sharp-darwin-arm64": ["@img/sharp-darwin-arm64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-darwin-arm64": "1.0.4" }, "os": "darwin", "cpu": "arm64" }, "sha512-UT4p+iz/2H4twwAoLCqfA9UH5pI6DggwKEGuaPy7nCVQ8ZsiY5PIcrRvD1DzuY3qYL07NtIQcWnBSY/heikIFQ=="],
+    "@hono/node-server": ["@hono/node-server@1.19.11", "", { "peerDependencies": { "hono": "^4" } }, "sha512-dr8/3zEaB+p0D2n/IUrlPF1HZm586qgJNXK1a9fhg/PzdtkK7Ksd5l312tJX2yBuALqDYBlG20QEbayqPyxn+g=="],
-
-    "@img/sharp-darwin-x64": ["@img/sharp-darwin-x64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-darwin-x64": "1.0.4" }, "os": "darwin", "cpu": "x64" }, "sha512-fyHac4jIc1ANYGRDxtiqelIbdWkIuQaI84Mv45KvGRRxSAa7o7d1ZKAOBaYbnepLC1WqxfpimdeWfvqqSGwR2Q=="],
-
-    "@img/sharp-libvips-darwin-arm64": ["@img/sharp-libvips-darwin-arm64@1.0.4", "", { "os": "darwin", "cpu": "arm64" }, "sha512-XblONe153h0O2zuFfTAbQYAX2JhYmDHeWikp1LM9Hul9gVPjFY427k6dFEcOL72O01QxQsWi761svJ/ev9xEDg=="],
-
-    "@img/sharp-libvips-darwin-x64": ["@img/sharp-libvips-darwin-x64@1.0.4", "", { "os": "darwin", "cpu": "x64" }, "sha512-xnGR8YuZYfJGmWPvmlunFaWJsb9T/AO2ykoP3Fz/0X5XV2aoYBPkX6xqCQvUTKKiLddarLaxpzNe+b1hjeWHAQ=="],
-
-    "@img/sharp-libvips-linux-arm": ["@img/sharp-libvips-linux-arm@1.0.5", "", { "os": "linux", "cpu": "arm" }, "sha512-gvcC4ACAOPRNATg/ov8/MnbxFDJqf/pDePbBnuBDcjsI8PssmjoKMAz4LtLaVi+OnSb5FK/yIOamqDwGmXW32g=="],
-
-    "@img/sharp-libvips-linux-arm64": ["@img/sharp-libvips-linux-arm64@1.0.4", "", { "os": "linux", "cpu": "arm64" }, "sha512-9B+taZ8DlyyqzZQnoeIvDVR/2F4EbMepXMc/NdVbkzsJbzkUjhXv/70GQJ7tdLA4YJgNP25zukcxpX2/SueNrA=="],
-
-    "@img/sharp-libvips-linux-x64": ["@img/sharp-libvips-linux-x64@1.0.4", "", { "os": "linux", "cpu": "x64" }, "sha512-MmWmQ3iPFZr0Iev+BAgVMb3ZyC4KeFc3jFxnNbEPas60e1cIfevbtuyf9nDGIzOaW9PdnDciJm+wFFaTlj5xYw=="],
-
-    "@img/sharp-libvips-linuxmusl-arm64": ["@img/sharp-libvips-linuxmusl-arm64@1.0.4", "", { "os": "linux", "cpu": "arm64" }, "sha512-9Ti+BbTYDcsbp4wfYib8Ctm1ilkugkA/uscUn6UXK1ldpC1JjiXbLfFZtRlBhjPZ5o1NCLiDbg8fhUPKStHoTA=="],
-
-    "@img/sharp-libvips-linuxmusl-x64": ["@img/sharp-libvips-linuxmusl-x64@1.0.4", "", { "os": "linux", "cpu": "x64" }, "sha512-viYN1KX9m+/hGkJtvYYp+CCLgnJXwiQB39damAO7WMdKWlIhmYTfHjwSbQeUK/20vY154mwezd9HflVFM1wVSw=="],
-
-    "@img/sharp-linux-arm": ["@img/sharp-linux-arm@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-linux-arm": "1.0.5" }, "os": "linux", "cpu": "arm" }, "sha512-JTS1eldqZbJxjvKaAkxhZmBqPRGmxgu+qFKSInv8moZ2AmT5Yib3EQ1c6gp493HvrvV8QgdOXdyaIBrhvFhBMQ=="],
-
-    "@img/sharp-linux-arm64": ["@img/sharp-linux-arm64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-linux-arm64": "1.0.4" }, "os": "linux", "cpu": "arm64" }, "sha512-JMVv+AMRyGOHtO1RFBiJy/MBsgz0x4AWrT6QoEVVTyh1E39TrCUpTRI7mx9VksGX4awWASxqCYLCV4wBZHAYxA=="],
-
-    "@img/sharp-linux-x64": ["@img/sharp-linux-x64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-linux-x64": "1.0.4" }, "os": "linux", "cpu": "x64" }, "sha512-opC+Ok5pRNAzuvq1AG0ar+1owsu842/Ab+4qvU879ippJBHvyY5n2mxF1izXqkPYlGuP/M556uh53jRLJmzTWA=="],
-
-    "@img/sharp-linuxmusl-arm64": ["@img/sharp-linuxmusl-arm64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-linuxmusl-arm64": "1.0.4" }, "os": "linux", "cpu": "arm64" }, "sha512-XrHMZwGQGvJg2V/oRSUfSAfjfPxO+4DkiRh6p2AFjLQztWUuY/o8Mq0eMQVIY7HJ1CDQUJlxGGZRw1a5bqmd1g=="],
-
-    "@img/sharp-linuxmusl-x64": ["@img/sharp-linuxmusl-x64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-linuxmusl-x64": "1.0.4" }, "os": "linux", "cpu": "x64" }, "sha512-WT+d/cgqKkkKySYmqoZ8y3pxx7lx9vVejxW/W4DOFMYVSkErR+w7mf2u8m/y4+xHe7yY9DAXQMWQhpnMuFfScw=="],
-
-    "@img/sharp-win32-x64": ["@img/sharp-win32-x64@0.33.5", "", { "os": "win32", "cpu": "x64" }, "sha512-MpY/o8/8kj+EcnxwvrP4aTJSWw/aZ7JIGR4aBeZkZw5B7/Jn+tY9/VNwtcoGmdT7GfggGIU4kygOMSbYnOrAbg=="],
 
     "@modelcontextprotocol/sdk": ["@modelcontextprotocol/sdk@1.16.0", "", { "dependencies": { "ajv": "^6.12.6", "content-type": "^1.0.5", "cors": "^2.8.5", "cross-spawn": "^7.0.5", "eventsource": "^3.0.2", "eventsource-parser": "^3.0.0", "express": "^5.0.1", "express-rate-limit": "^7.5.0", "pkce-challenge": "^5.0.0", "raw-body": "^3.0.0", "zod": "^3.23.8", "zod-to-json-schema": "^3.24.1" } }, "sha512-8ofX7gkZcLj9H9rSd50mCgm3SSF8C7XoclxJuLoV0Cz3rEQ1tv9MZRYYvJtm9n1BiEQQMzSmE/w2AEkNacLYfg=="],
 
@@ -111,6 +103,8 @@
 
     "ajv": ["ajv@6.12.6", "", { "dependencies": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", "uri-js": "^4.2.2" } }, "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g=="],
 
+    "ajv-formats": ["ajv-formats@3.0.1", "", { "dependencies": { "ajv": "^8.0.0" } }, "sha512-8iUql50EUR+uUcdRQ3HDqa6EVyo3docL8g5WJ3FNcWmu62IbkGUue/pEyLBW8VGKKucTPgqeks4fIU1DA4yowQ=="],
+
     "asynckit": ["asynckit@0.4.0", "", {}, "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q=="],
 
     "before-after-hook": ["before-after-hook@2.2.3", "", {}, "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ=="],
@@ -181,6 +175,8 @@
 
     "fast-json-stable-stringify": ["fast-json-stable-stringify@2.1.0", "", {}, "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw=="],
 
+    "fast-uri": ["fast-uri@3.1.0", "", {}, "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA=="],
+
     "fetch-blob": ["fetch-blob@3.2.0", "", { "dependencies": { "node-domexception": "^1.0.0", "web-streams-polyfill": "^3.0.3" } }, "sha512-7yAQpD2UMJzLi1Dqv7qFYnPbaPx7ZfFK6PiIxQ4PfkGPyNyl2Ugx+a/umUonmKqjhM4DnfbMvdX6otXq83soQQ=="],
 
     "finalhandler": ["finalhandler@2.1.0", "", { "dependencies": { "debug": "^4.4.0", "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "on-finished": "^2.4.1", "parseurl": "^1.3.3", "statuses": "^2.0.1" } }, "sha512-/t88Ty3d5JWQbWYgaOGCCYfXRwV1+be02WqYYlL6h0lEiUAMPM8o8qKGO01YIkOHzka2up08wvgYD0mDiI+q3Q=="],
@@ -207,20 +203,30 @@
 
     "hasown": ["hasown@2.0.2", "", { "dependencies": { "function-bind": "^1.1.2" } }, "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ=="],
 
+    "hono": ["hono@4.12.9", "", {}, "sha512-wy3T8Zm2bsEvxKZM5w21VdHDDcwVS1yUFFY6i8UobSsKfFceT7TOwhbhfKsDyx7tYQlmRM5FLpIuYvNFyjctiA=="],
+
     "http-errors": ["http-errors@2.0.0", "", { "dependencies": { "depd": "2.0.0", "inherits": "2.0.4", "setprototypeof": "1.2.0", "statuses": "2.0.1", "toidentifier": "1.0.1" } }, "sha512-FtwrG/euBzaEjYeRqOgly7G0qviiXoJWnvEH2Z1plBdXgbyjv34pHTSb9zoeHMyDy33+DWy5Wt9Wo+TURtOYSQ=="],
 
     "iconv-lite": ["iconv-lite@0.6.3", "", { "dependencies": { "safer-buffer": ">= 2.1.2 < 3.0.0" } }, "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw=="],
 
     "inherits": ["inherits@2.0.4", "", {}, "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ=="],
 
+    "ip-address": ["ip-address@10.1.0", "", {}, "sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q=="],
+
     "ipaddr.js": ["ipaddr.js@1.9.1", "", {}, "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g=="],
 
     "is-promise": ["is-promise@4.0.0", "", {}, "sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ=="],
 
     "isexe": ["isexe@2.0.0", "", {}, "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw=="],
 
+    "jose": ["jose@6.2.2", "", {}, "sha512-d7kPDd34KO/YnzaDOlikGpOurfF0ByC2sEV4cANCtdqLlTfBlw2p14O/5d/zv40gJPbIQxfES3nSx1/oYNyuZQ=="],
+
+    "json-schema-to-ts": ["json-schema-to-ts@3.1.1", "", { "dependencies": { "@babel/runtime": "^7.18.3", "ts-algebra": "^2.0.0" } }, "sha512-+DWg8jCJG2TEnpy7kOm/7/AxaYoaRbjVB4LFZLySZlWn8exGs3A4OLJR966cVvU26N7X9TWxl+Jsw7dzAqKT6g=="],
+
     "json-schema-traverse": ["json-schema-traverse@0.4.1", "", {}, "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg=="],
 
+    "json-schema-typed": ["json-schema-typed@8.0.2", "", {}, "sha512-fQhoXdcvc3V28x7C7BMs4P5+kNlgUURe2jmUT1T//oBRMDrqy1QPelJimwZGo7Hg9VPV3EQV5Bnq4hbFy2vetA=="],
+
     "math-intrinsics": ["math-intrinsics@1.1.0", "", {}, "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g=="],
 
     "media-typer": ["media-typer@1.1.0", "", {}, "sha512-aisnrDP4GNe06UcKFnV5bfMNPBUw4jsLGaWwWfnH3v02GnBuXX2MCVn5RbrWo0j3pczUilYblq7fQ7Nw2t5XKw=="],
@@ -267,6 +273,8 @@
 
     "raw-body": ["raw-body@3.0.0", "", { "dependencies": { "bytes": "3.1.2", "http-errors": "2.0.0", "iconv-lite": "0.6.3", "unpipe": "1.0.0" } }, "sha512-RmkhL8CAyCRPXCE28MMH0z2PNWQBNk2Q09ZdxM9IOOXwxwZbN+qbWaatPkdkWIKL2ZVDImrN/pK5HTRz2PcS4g=="],
 
+    "require-from-string": ["require-from-string@2.0.2", "", {}, "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw=="],
+
     "router": ["router@2.2.0", "", { "dependencies": { "debug": "^4.4.0", "depd": "^2.0.0", "is-promise": "^4.0.0", "parseurl": "^1.3.3", "path-to-regexp": "^8.0.0" } }, "sha512-nLTrUKm2UyiL7rlhapu/Zl45FwNgkZGaCpZbIHajDYgwlJCOzLSk+cIPAnsEqV955GjILJnKbdQC1nVPz+gAYQ=="],
 
     "safe-buffer": ["safe-buffer@5.2.1", "", {}, "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ=="],
@@ -297,6 +305,8 @@
 
     "toidentifier": ["toidentifier@1.0.1", "", {}, "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA=="],
 
+    "ts-algebra": ["ts-algebra@2.0.0", "", {}, "sha512-FPAhNPFMrkwz76P7cdjdmiShwMynZYN6SgOujD1urY4oNm80Ou9oMdmbR45LotcKOXoy7wSmHkRFE6Mxbrhefw=="],
+
     "tunnel": ["tunnel@0.0.6", "", {}, "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg=="],
 
     "type-is": ["type-is@2.0.1", "", { "dependencies": { "content-type": "^1.0.5", "media-typer": "^1.1.0", "mime-types": "^3.0.0" } }, "sha512-OZs6gsjF4vMp32qrCbiVSkrFmXtG/AZhY3t0iAMrMBiAZyV9oALtXO8hsrHbMXF9x6L3grlFuwW2oAz7cav+Gw=="],
@@ -325,6 +335,8 @@
 
     "zod-to-json-schema": ["zod-to-json-schema@3.24.6", "", { "peerDependencies": { "zod": "^3.24.1" } }, "sha512-h/z3PKvcTcTetyjl1fkj79MHNEjm+HpD6NXheWjzOekY7kV+lwDYnHw+ivHkijnCSMz1yJaWBD9vu/Fcmk+vEg=="],
 
+    "@anthropic-ai/claude-agent-sdk/@modelcontextprotocol/sdk": ["@modelcontextprotocol/sdk@1.29.0", "", { "dependencies": { "@hono/node-server": "^1.19.9", "ajv": "^8.17.1", "ajv-formats": "^3.0.1", "content-type": "^1.0.5", "cors": "^2.8.5", "cross-spawn": "^7.0.5", "eventsource": "^3.0.2", "eventsource-parser": "^3.0.0", "express": "^5.2.1", "express-rate-limit": "^8.2.1", "hono": "^4.11.4", "jose": "^6.1.3", "json-schema-typed": "^8.0.2", "pkce-challenge": "^5.0.0", "raw-body": "^3.0.0", "zod": "^3.25 || ^4.0", "zod-to-json-schema": "^3.25.1" }, "peerDependencies": { "@cfworker/json-schema": "^4.1.1" }, "optionalPeers": ["@cfworker/json-schema"] }, "sha512-zo37mZA9hJWpULgkRpowewez1y6ML5GsXJPY8FI0tBBCd77HEvza4jDqRKOXgHNn867PVGCyTdzqpz0izu5ZjQ=="],
+
     "@octokit/core/@octokit/graphql": ["@octokit/graphql@7.1.1", "", { "dependencies": { "@octokit/request": "^8.4.1", "@octokit/types": "^13.0.0", "universal-user-agent": "^6.0.0" } }, "sha512-3mkDltSfcDUoa176nlGoA32RGjeWjl3K7F/BwHwRMJUW/IteSa4bnSV8p2ThNkcIcZU2umkZWxwETSSCJf2Q7g=="],
 
     "@octokit/core/@octokit/types": ["@octokit/types@13.10.0", "", { "dependencies": { "@octokit/openapi-types": "^24.2.0" } }, "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA=="],
@@ -357,12 +369,24 @@
 
     "accepts/mime-types": ["mime-types@3.0.1", "", { "dependencies": { "mime-db": "^1.54.0" } }, "sha512-xRc4oEhT6eaBpU1XF7AjpOFD+xQmXNB5OVKwp4tqCuBpHLS/ZbBDrc07mYTDqVMg6PfxUjjNp85O6Cd2Z/5HWA=="],
 
+    "ajv-formats/ajv": ["ajv@8.18.0", "", { "dependencies": { "fast-deep-equal": "^3.1.3", "fast-uri": "^3.0.1", "json-schema-traverse": "^1.0.0", "require-from-string": "^2.0.2" } }, "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A=="],
+
     "express/mime-types": ["mime-types@3.0.1", "", { "dependencies": { "mime-db": "^1.54.0" } }, "sha512-xRc4oEhT6eaBpU1XF7AjpOFD+xQmXNB5OVKwp4tqCuBpHLS/ZbBDrc07mYTDqVMg6PfxUjjNp85O6Cd2Z/5HWA=="],
 
     "send/mime-types": ["mime-types@3.0.1", "", { "dependencies": { "mime-db": "^1.54.0" } }, "sha512-xRc4oEhT6eaBpU1XF7AjpOFD+xQmXNB5OVKwp4tqCuBpHLS/ZbBDrc07mYTDqVMg6PfxUjjNp85O6Cd2Z/5HWA=="],
 
     "type-is/mime-types": ["mime-types@3.0.1", "", { "dependencies": { "mime-db": "^1.54.0" } }, "sha512-xRc4oEhT6eaBpU1XF7AjpOFD+xQmXNB5OVKwp4tqCuBpHLS/ZbBDrc07mYTDqVMg6PfxUjjNp85O6Cd2Z/5HWA=="],
 
+    "@anthropic-ai/claude-agent-sdk/@modelcontextprotocol/sdk/ajv": ["ajv@8.18.0", "", { "dependencies": { "fast-deep-equal": "^3.1.3", "fast-uri": "^3.0.1", "json-schema-traverse": "^1.0.0", "require-from-string": "^2.0.2" } }, "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A=="],
+
+    "@anthropic-ai/claude-agent-sdk/@modelcontextprotocol/sdk/express": ["express@5.2.1", "", { "dependencies": { "accepts": "^2.0.0", "body-parser": "^2.2.1", "content-disposition": "^1.0.0", "content-type": "^1.0.5", "cookie": "^0.7.1", "cookie-signature": "^1.2.1", "debug": "^4.4.0", "depd": "^2.0.0", "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "etag": "^1.8.1", "finalhandler": "^2.1.0", "fresh": "^2.0.0", "http-errors": "^2.0.0", "merge-descriptors": "^2.0.0", "mime-types": "^3.0.0", "on-finished": "^2.4.1", "once": "^1.4.0", "parseurl": "^1.3.3", "proxy-addr": "^2.0.7", "qs": "^6.14.0", "range-parser": "^1.2.1", "router": "^2.2.0", "send": "^1.1.0", "serve-static": "^2.2.0", "statuses": "^2.0.1", "type-is": "^2.0.1", "vary": "^1.1.2" } }, "sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw=="],
+
+    "@anthropic-ai/claude-agent-sdk/@modelcontextprotocol/sdk/express-rate-limit": ["express-rate-limit@8.3.1", "", { "dependencies": { "ip-address": "10.1.0" }, "peerDependencies": { "express": ">= 4.11" } }, "sha512-D1dKN+cmyPWuvB+G2SREQDzPY1agpBIcTa9sJxOPMCNeH3gwzhqJRDWCXW3gg0y//+LQ/8j52JbMROWyrKdMdw=="],
+
+    "@anthropic-ai/claude-agent-sdk/@modelcontextprotocol/sdk/raw-body": ["raw-body@3.0.2", "", { "dependencies": { "bytes": "~3.1.2", "http-errors": "~2.0.1", "iconv-lite": "~0.7.0", "unpipe": "~1.0.0" } }, "sha512-K5zQjDllxWkf7Z5xJdV0/B0WTNqx6vxG70zJE4N0kBs4LovmEYWJzQGxC9bS9RAKu3bgM40lrd5zoLJ12MQ5BA=="],
+
+    "@anthropic-ai/claude-agent-sdk/@modelcontextprotocol/sdk/zod-to-json-schema": ["zod-to-json-schema@3.25.2", "", { "peerDependencies": { "zod": "^3.25.28 || ^4" } }, "sha512-O/PgfnpT1xKSDeQYSCfRI5Gy3hPf91mKVDuYLUHZJMiDFptvP41MSnWofm8dnCm0256ZNfZIM7DSzuSMAFnjHA=="],
+
     "@octokit/core/@octokit/types/@octokit/openapi-types": ["@octokit/openapi-types@24.2.0", "", {}, "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg=="],
 
     "@octokit/endpoint/@octokit/types/@octokit/openapi-types": ["@octokit/openapi-types@24.2.0", "", {}, "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg=="],
@@ -401,12 +425,24 @@
 
     "accepts/mime-types/mime-db": ["mime-db@1.54.0", "", {}, "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ=="],
 
+    "ajv-formats/ajv/json-schema-traverse": ["json-schema-traverse@1.0.0", "", {}, "sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug=="],
+
     "express/mime-types/mime-db": ["mime-db@1.54.0", "", {}, "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ=="],
 
     "send/mime-types/mime-db": ["mime-db@1.54.0", "", {}, "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ=="],
 
     "type-is/mime-types/mime-db": ["mime-db@1.54.0", "", {}, "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ=="],
 
+    "@anthropic-ai/claude-agent-sdk/@modelcontextprotocol/sdk/ajv/json-schema-traverse": ["json-schema-traverse@1.0.0", "", {}, "sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug=="],
+
+    "@anthropic-ai/claude-agent-sdk/@modelcontextprotocol/sdk/express/body-parser": ["body-parser@2.2.2", "", { "dependencies": { "bytes": "^3.1.2", "content-type": "^1.0.5", "debug": "^4.4.3", "http-errors": "^2.0.0", "iconv-lite": "^0.7.0", "on-finished": "^2.4.1", "qs": "^6.14.1", "raw-body": "^3.0.1", "type-is": "^2.0.1" } }, "sha512-oP5VkATKlNwcgvxi0vM0p/D3n2C3EReYVX+DNYs5TjZFn/oQt2j+4sVJtSMr18pdRr8wjTcBl6LoV+FUwzPmNA=="],
+
+    "@anthropic-ai/claude-agent-sdk/@modelcontextprotocol/sdk/express/mime-types": ["mime-types@3.0.1", "", { "dependencies": { "mime-db": "^1.54.0" } }, "sha512-xRc4oEhT6eaBpU1XF7AjpOFD+xQmXNB5OVKwp4tqCuBpHLS/ZbBDrc07mYTDqVMg6PfxUjjNp85O6Cd2Z/5HWA=="],
+
+    "@anthropic-ai/claude-agent-sdk/@modelcontextprotocol/sdk/raw-body/http-errors": ["http-errors@2.0.1", "", { "dependencies": { "depd": "~2.0.0", "inherits": "~2.0.4", "setprototypeof": "~1.2.0", "statuses": "~2.0.2", "toidentifier": "~1.0.1" } }, "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ=="],
+
+    "@anthropic-ai/claude-agent-sdk/@modelcontextprotocol/sdk/raw-body/iconv-lite": ["iconv-lite@0.7.2", "", { "dependencies": { "safer-buffer": ">= 2.1.2 < 3.0.0" } }, "sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw=="],
+
     "@octokit/plugin-request-log/@octokit/core/@octokit/request/@octokit/endpoint": ["@octokit/endpoint@10.1.4", "", { "dependencies": { "@octokit/types": "^14.0.0", "universal-user-agent": "^7.0.2" } }, "sha512-OlYOlZIsfEVZm5HCSR8aSg02T2lbUWOsCQoPKfTXJwDzcHQBrVBGdGXb89dv2Kw2ToZaRtudp8O3ZIYoaOjKlA=="],
 
     "@octokit/rest/@octokit/core/@octokit/request/@octokit/endpoint": ["@octokit/endpoint@10.1.4", "", { "dependencies": { "@octokit/types": "^14.0.0", "universal-user-agent": "^7.0.2" } }, "sha512-OlYOlZIsfEVZm5HCSR8aSg02T2lbUWOsCQoPKfTXJwDzcHQBrVBGdGXb89dv2Kw2ToZaRtudp8O3ZIYoaOjKlA=="],
@@ -414,5 +450,15 @@
     "@octokit/rest/@octokit/plugin-paginate-rest/@octokit/types/@octokit/openapi-types": ["@octokit/openapi-types@24.2.0", "", {}, "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg=="],
 
     "@octokit/rest/@octokit/plugin-rest-endpoint-methods/@octokit/types/@octokit/openapi-types": ["@octokit/openapi-types@24.2.0", "", {}, "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg=="],
+
+    "@anthropic-ai/claude-agent-sdk/@modelcontextprotocol/sdk/express/body-parser/debug": ["debug@4.4.3", "", { "dependencies": { "ms": "^2.1.3" } }, "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA=="],
+
+    "@anthropic-ai/claude-agent-sdk/@modelcontextprotocol/sdk/express/body-parser/iconv-lite": ["iconv-lite@0.7.2", "", { "dependencies": { "safer-buffer": ">= 2.1.2 < 3.0.0" } }, "sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw=="],
+
+    "@anthropic-ai/claude-agent-sdk/@modelcontextprotocol/sdk/express/body-parser/qs": ["qs@6.15.0", "", { "dependencies": { "side-channel": "^1.1.0" } }, "sha512-mAZTtNCeetKMH+pSjrb76NAM8V9a05I9aBZOHztWy/UqcJdQYNsf59vrRKWnojAT9Y+GbIvoTBC++CPHqpDBhQ=="],
+
+    "@anthropic-ai/claude-agent-sdk/@modelcontextprotocol/sdk/express/mime-types/mime-db": ["mime-db@1.54.0", "", {}, "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ=="],
+
+    "@anthropic-ai/claude-agent-sdk/@modelcontextprotocol/sdk/raw-body/http-errors/statuses": ["statuses@2.0.2", "", {}, "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw=="],
   }
 }

bunfig.toml

@@ -0,0 +1,2 @@
+# Intentionally minimal. action.yml pins --config to this file so bun resolves
+# its runtime config from the action directory rather than the workspace.

docs/configuration.md

@@ -172,9 +172,14 @@ jobs:
 
 **Important Notes**:
 
-- The GitHub token must have the `actions: read` permission in your workflow
+- The GitHub token must have the corresponding permission in your workflow
 - If the permission is missing, Claude will warn you and suggest adding it
-- Currently, only `actions: read` is supported, but the format allows for future extensions
+- The following additional permissions can be requested beyond the defaults:
+  - `actions: read`
+  - `checks: read`
+  - `discussions: read` or `discussions: write`
+  - `workflows: read` or `workflows: write`
+- Standard permissions (`contents: write`, `pull_requests: write`, `issues: write`) are always included and do not need to be specified
 
 ## Custom Environment Variables
 

docs/security.md

@@ -4,15 +4,55 @@
 
 - **Repository Access**: The action can only be triggered by users with write access to the repository
 - **Bot User Control**: By default, GitHub Apps and bots cannot trigger this action for security reasons. Use the `allowed_bots` parameter to enable specific bots or all bots
+  - **⚠️ Allowed bots are not checked for repository permissions.** A bot that matches an entry does **not** need to be installed on your repository or have write access. On a **public repository**, external parties — including GitHub Apps created by anyone — may be able to trigger workflow events such as opening issues, commenting, or reviewing pull requests. If your workflow listens on those events and `allowed_bots` is set to `'*'`, any such App can invoke this action with a prompt it controls.
+  - Prefer an explicit list over `'*'`
+  - Only list App names you trust
+  - If you need `'*'`, scope workflow `permissions:` to the minimum required
 - **⚠️ Non-Write User Access (RISKY)**: The `allowed_non_write_users` parameter allows bypassing the write permission requirement. **This is a significant security risk and should only be used for workflows with extremely limited permissions** (e.g., issue labeling workflows that only have `issues: write` permission). This feature:
   - Only works when `github_token` is provided as input (not with GitHub App authentication)
   - Accepts either a comma-separated list of specific usernames or `*` to allow all users
   - **Should be used with extreme caution** as it bypasses the primary security mechanism of this action
   - Is designed for automation workflows where user permissions are already restricted by the workflow's permission scope
+  - When set, Claude does a best-effort scrub of Anthropic, cloud, and GitHub Actions secrets from subprocess environments. On Linux runners with bubblewrap available, subprocesses additionally run with PID-namespace isolation. This reduces but does not eliminate prompt injection risk — keep workflow permissions minimal and validate all outputs. Set `CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: 0` in your workflow or job `env:` block to opt out.
+  - Optionally set `CLAUDE_CODE_SCRIPT_CAPS` in your workflow `env:` block to limit how many times Claude can call specific scripts per run. Value is JSON: `{"script-name.sh": maxCalls}`. Example: `CLAUDE_CODE_SCRIPT_CAPS: '{"edit-issue-labels.sh":2}'` allows at most 2 calls to `edit-issue-labels.sh`. Useful for write-capable helper scripts.
+  - When using `allowed_non_write_users`, always pass `github_token: ${{ secrets.GITHUB_TOKEN }}`. The auto-generated workflow token is scoped to the job's declared permissions and expires when the job completes. **Do not use a personal access token** — a static token does not rotate between runs and could be partially or fully recovered over time via prompt injection. Restricting allowed tools via `claude_args` reduces the rate of recovery but may not eliminate the risk. We recommend restricting allowed tools (e.g. `claude_args: '--allowedTools "Bash(gh issue view:*)"'`) to the minimum required when using `allowed_non_write_users`.
 - **Token Permissions**: The GitHub app receives only a short-lived token scoped specifically to the repository it's operating in
 - **No Cross-Repository Access**: Each action invocation is limited to the repository where it was triggered
 - **Limited Scope**: The token cannot access other repositories or perform actions beyond the configured permissions
 
+## Using this action with `pull_request_target` or `workflow_run`
+
+`pull_request_target` and `workflow_run` execute with the **base repository's secrets**. If your workflow checks out the PR head (`ref: ${{ github.event.pull_request.head.sha }}` for `pull_request_target`, `ref: ${{ github.event.workflow_run.head_sha }}` for `workflow_run`) into `$GITHUB_WORKSPACE` before this action, the action and Claude run with that checkout as the working directory.
+
+**Do not check out an untrusted ref into the workspace root before this action.** Use one of these patterns instead:
+
+```yaml
+# Preferred — check out the base ref (default).
+- uses: actions/checkout@v6 # no `ref:` → base branch
+- uses: anthropics/claude-code-action@v1
+```
+
+```yaml
+# If you need the PR's files locally — check out the base ref at the workspace
+# root (this action expects a git repo there), then check out the head ref into
+# a subdirectory and pass it via --add-dir.
+- uses: actions/checkout@v6 # no `ref:` → base branch at workspace root
+- uses: actions/checkout@v6
+  with:
+    # For workflow_run use: ${{ github.event.workflow_run.head_sha }}
+    ref: ${{ github.event.pull_request.head.sha }}
+    path: pr-head
+- uses: anthropics/claude-code-action@v1
+  with:
+    claude_args: "--add-dir pr-head"
+```
+
+This is general guidance for these event types — see [GitHub's documentation](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
+
+### `claude-code-action` vs `claude-code-base-action`
+
+`claude-code-base-action` is a lower-level building block that installs and runs Claude Code with the inputs you provide. It does not perform actor permission checks or restore project configuration from the base ref. If you need those behaviors, use this action (`claude-code-action`). See the [base-action README](../base-action/README.md#trust-model) for details.
+
 ## Pull Request Creation
 
 In its default configuration, **Claude does not create pull requests automatically** when responding to `@claude` mentions. Instead:
@@ -27,6 +67,8 @@ This design ensures that users retain full control over what pull requests are c
 
 **Beware of potential hidden markdown when tagging Claude on untrusted content.** External contributors may include hidden instructions through HTML comments, invisible characters, hidden attributes, or other techniques. The action sanitizes content by stripping HTML comments, invisible characters, markdown image alt text, hidden HTML attributes, and HTML entities, but new bypass techniques may emerge. We recommend reviewing the raw content of all input coming from external contributors before allowing Claude to process it.
 
+On public repos, you can also use `include_comments_by_actor` to allowlist which users' comments are passed to Claude, reducing exposure to untrusted input. Use `exclude_comments_by_actor` to filter out noisy bot comments (e.g., `dependabot[bot]`, `renovate[bot]`). If an actor matches both lists, exclusion takes priority. See [Usage](./usage.md) for details.
+
 ## GitHub App Permissions
 
 The [Claude Code GitHub app](https://github.com/apps/claude) requests the following permissions:

docs/solutions.md

@@ -55,7 +55,7 @@ jobs:
             Note: The PR branch is already checked out in the current working directory.
 
             Use `gh pr comment` for top-level feedback.
-            Use `mcp__github_inline_comment__create_inline_comment` to highlight specific code issues.
+            Use `mcp__github_inline_comment__create_inline_comment` (with `confirmed: true`) to highlight specific code issues.
             Only post GitHub comments - don't submit review text as messages.
 
           claude_args: |
@@ -398,6 +398,7 @@ jobs:
       issues: write
       id-token: write
     steps:
+      - uses: actions/checkout@v4
       - uses: anthropics/claude-code-action@v1
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
@@ -414,13 +415,19 @@ jobs:
             3. Suggest appropriate labels
             4. Check if it duplicates existing issues
 
+            Use ./scripts/gh.sh to interact with GitHub:
+            - `./scripts/gh.sh issue view [number]` to view the issue
+            - `./scripts/gh.sh search issues "query"` to find similar issues
+            - `./scripts/gh.sh label list` to see available labels
+
             Based on your analysis, add the appropriate labels using:
-            `gh issue edit [number] --add-label "label1,label2"`
+            `./scripts/edit-issue-labels.sh --add-label "label1" --add-label "label2"`
+            (the issue number is read automatically from the workflow event)
 
             If it appears to be a duplicate, post a comment mentioning the original issue.
 
           claude_args: |
-            --allowedTools "Bash(gh issue:*),Bash(gh search:*)"
+            --allowedTools "Bash(./scripts/gh.sh:*),Bash(./scripts/edit-issue-labels.sh:*)"
 ```
 
 **Key Configuration:**
@@ -428,6 +435,7 @@ jobs:
 - Triggered on new issues
 - Issue context in prompt
 - Label management capabilities
+- Requires `scripts/gh.sh` and `scripts/edit-issue-labels.sh` in your repo (see this repo's `scripts/` directory for examples)
 
 **Expected Output:** Automatically labeled and categorized issues.
 
@@ -578,7 +586,7 @@ prompt: |
 ### Common Tool Permissions
 
 - **PR Comments**: `Bash(gh pr comment:*)`
-- **Inline Comments**: `mcp__github_inline_comment__create_inline_comment`
+- **Inline Comments**: `mcp__github_inline_comment__create_inline_comment` — pass `confirmed: true` to post immediately. When omitted, the comment is buffered and classified after the session ends (real review comments post, test/probe comments are filtered). This prevents subagent test comments from reaching PRs. To disable classification entirely, set `classify_inline_comments: 'false'` on the action.
 - **File Operations**: `Read,Write,Edit`
 - **Git Operations**: `Bash(git:*)`
 

docs/usage.md

@@ -52,35 +52,38 @@ jobs:
 
 ## Inputs
 
-| Input                            | Description                                                                                                                                                                            | Required | Default       |
+| Input                            | Description                                                                                                                                                                                                                            | Required | Default       |
-| -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ------------- |
+| -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ------------- |
-| `anthropic_api_key`              | Anthropic API key (required for direct API, not needed for Bedrock/Vertex)                                                                                                             | No\*     | -             |
+| `anthropic_api_key`              | Anthropic API key (required for direct API, not needed for Bedrock/Vertex)                                                                                                                                                             | No\*     | -             |
-| `claude_code_oauth_token`        | Claude Code OAuth token (alternative to anthropic_api_key)                                                                                                                             | No\*     | -             |
+| `claude_code_oauth_token`        | Claude Code OAuth token (alternative to anthropic_api_key)                                                                                                                                                                             | No\*     | -             |
-| `prompt`                         | Instructions for Claude. Can be a direct prompt or custom template for automation workflows                                                                                            | No       | -             |
+| `prompt`                         | Instructions for Claude. Can be a direct prompt or custom template for automation workflows                                                                                                                                            | No       | -             |
-| `track_progress`                 | Force tag mode with tracking comments. Only works with specific PR/issue events. Preserves GitHub context                                                                              | No       | `false`       |
+| `track_progress`                 | Force tag mode with tracking comments. Only works with specific PR/issue events. Preserves GitHub context                                                                                                                              | No       | `false`       |
-| `include_fix_links`              | Include 'Fix this' links in PR code review feedback that open Claude Code with context to fix the identified issue                                                                     | No       | `true`        |
+| `include_fix_links`              | Include 'Fix this' links in PR code review feedback that open Claude Code with context to fix the identified issue                                                                                                                     | No       | `true`        |
-| `claude_args`                    | Additional [arguments to pass directly to Claude CLI](https://docs.claude.com/en/docs/claude-code/cli-reference#cli-flags) (e.g., `--max-turns 10 --model claude-4-0-sonnet-20250805`) | No       | ""            |
+| `claude_args`                    | Additional [arguments to pass directly to Claude CLI](https://docs.claude.com/en/docs/claude-code/cli-reference#cli-flags) (e.g., `--max-turns 10 --model claude-4-0-sonnet-20250805`)                                                 | No       | ""            |
-| `base_branch`                    | The base branch to use for creating new branches (e.g., 'main', 'develop')                                                                                                             | No       | -             |
+| `base_branch`                    | The base branch to use for creating new branches (e.g., 'main', 'develop')                                                                                                                                                             | No       | -             |
-| `use_sticky_comment`             | Use just one comment to deliver PR comments (only applies for pull_request event workflows)                                                                                            | No       | `false`       |
+| `use_sticky_comment`             | Use just one comment to deliver PR comments (only applies for pull_request event workflows)                                                                                                                                            | No       | `false`       |
-| `github_token`                   | GitHub token for Claude to operate with. **Only include this if you're connecting a custom GitHub app of your own!**                                                                   | No       | -             |
+| `classify_inline_comments`       | Buffer inline comments without `confirmed: true` and classify them (real review vs test/probe) via Haiku before posting after the session ends. Prevents subagent test comments. Set `'false'` to post all inline comments immediately | No       | `true`        |
-| `use_bedrock`                    | Use Amazon Bedrock with OIDC authentication instead of direct Anthropic API                                                                                                            | No       | `false`       |
+| `github_token`                   | GitHub token for Claude to operate with. **Only include this if you're connecting a custom GitHub app of your own!**                                                                                                                   | No       | -             |
-| `use_vertex`                     | Use Google Vertex AI with OIDC authentication instead of direct Anthropic API                                                                                                          | No       | `false`       |
+| `use_bedrock`                    | Use Amazon Bedrock with OIDC authentication instead of direct Anthropic API                                                                                                                                                            | No       | `false`       |
-| `assignee_trigger`               | The assignee username that triggers the action (e.g. @claude). Only used for issue assignment                                                                                          | No       | -             |
+| `use_vertex`                     | Use Google Vertex AI with OIDC authentication instead of direct Anthropic API                                                                                                                                                          | No       | `false`       |
-| `label_trigger`                  | The label name that triggers the action when applied to an issue (e.g. "claude")                                                                                                       | No       | -             |
+| `assignee_trigger`               | The assignee username that triggers the action (e.g. @claude). Only used for issue assignment                                                                                                                                          | No       | -             |
-| `trigger_phrase`                 | The trigger phrase to look for in comments, issue/PR bodies, and issue titles                                                                                                          | No       | `@claude`     |
+| `label_trigger`                  | The label name that triggers the action when applied to an issue (e.g. "claude")                                                                                                                                                       | No       | -             |
-| `branch_prefix`                  | The prefix to use for Claude branches (defaults to 'claude/', use 'claude-' for dash format)                                                                                           | No       | `claude/`     |
+| `trigger_phrase`                 | The trigger phrase to look for in comments, issue/PR bodies, and issue titles                                                                                                                                                          | No       | `@claude`     |
-| `settings`                       | Claude Code settings as JSON string or path to settings JSON file                                                                                                                      | No       | ""            |
+| `branch_prefix`                  | The prefix to use for Claude branches (defaults to 'claude/', use 'claude-' for dash format)                                                                                                                                           | No       | `claude/`     |
-| `additional_permissions`         | Additional permissions to enable. Currently supports 'actions: read' for viewing workflow results                                                                                      | No       | ""            |
+| `settings`                       | Claude Code settings as JSON string or path to settings JSON file                                                                                                                                                                      | No       | ""            |
-| `use_commit_signing`             | Enable commit signing using GitHub's API. Simple but cannot perform complex git operations like rebasing. See [Security](./security.md#commit-signing)                                 | No       | `false`       |
+| `additional_permissions`         | Additional permissions to enable. Currently supports 'actions: read' for viewing workflow results                                                                                                                                      | No       | ""            |
-| `ssh_signing_key`                | SSH private key for signing commits. Enables signed commits with full git CLI support (rebasing, etc.). See [Security](./security.md#commit-signing)                                   | No       | ""            |
+| `use_commit_signing`             | Enable commit signing using GitHub's API. Simple but cannot perform complex git operations like rebasing. See [Security](./security.md#commit-signing)                                                                                 | No       | `false`       |
-| `bot_id`                         | GitHub user ID to use for git operations (defaults to Claude's bot ID). Required with `ssh_signing_key` for verified commits                                                           | No       | `41898282`    |
+| `ssh_signing_key`                | SSH private key for signing commits. Enables signed commits with full git CLI support (rebasing, etc.). See [Security](./security.md#commit-signing)                                                                                   | No       | ""            |
-| `bot_name`                       | GitHub username to use for git operations (defaults to Claude's bot name). Required with `ssh_signing_key` for verified commits                                                        | No       | `claude[bot]` |
+| `bot_id`                         | GitHub user ID to use for git operations (defaults to Claude's bot ID). Required with `ssh_signing_key` for verified commits                                                                                                           | No       | `41898282`    |
-| `allowed_bots`                   | Comma-separated list of allowed bot usernames, or '\*' to allow all bots. Empty string (default) allows no bots                                                                        | No       | ""            |
+| `bot_name`                       | GitHub username to use for git operations (defaults to Claude's bot name). Required with `ssh_signing_key` for verified commits                                                                                                        | No       | `claude[bot]` |
-| `allowed_non_write_users`        | **⚠️ RISKY**: Comma-separated list of usernames to allow without write permissions, or '\*' for all users. Only works with `github_token` input. See [Security](./security.md)         | No       | ""            |
+| `include_comments_by_actor`      | Comma-separated list of actor usernames to INCLUDE in comments. Supports the `*[bot]` wildcard to match all bot accounts. Empty (default) includes all actors                                                                          | No       | ""            |
-| `path_to_claude_code_executable` | Optional path to a custom Claude Code executable. Skips automatic installation. Useful for Nix, custom containers, or specialized environments                                         | No       | ""            |
+| `exclude_comments_by_actor`      | Comma-separated list of actor usernames to EXCLUDE from comments. Supports the `*[bot]` wildcard to match all bot accounts. If an actor matches both lists, exclusion takes priority                                                   | No       | ""            |
-| `path_to_bun_executable`         | Optional path to a custom Bun executable. Skips automatic Bun installation. Useful for Nix, custom containers, or specialized environments                                             | No       | ""            |
+| `allowed_bots`                   | Comma-separated list of allowed bot usernames, or '\*' to allow all bots. Empty string (default) allows no bots. **⚠️ On public repos with `'*'`, external Apps may be able to invoke this action.** See [Security](./security.md)     | No       | ""            |
-| `plugin_marketplaces`            | Newline-separated list of Claude Code plugin marketplace Git URLs to install from (e.g., see example in workflow above). Marketplaces are added before plugin installation             | No       | ""            |
+| `allowed_non_write_users`        | **⚠️ RISKY**: Comma-separated list of usernames to allow without write permissions, or '\*' for all users. Only works with `github_token` input. See [Security](./security.md)                                                         | No       | ""            |
-| `plugins`                        | Newline-separated list of Claude Code plugin names to install (e.g., see example in workflow above). Plugins are installed before Claude Code execution                                | No       | ""            |
+| `path_to_claude_code_executable` | Optional path to a custom Claude Code executable. Skips automatic installation. Useful for Nix, custom containers, or specialized environments                                                                                         | No       | ""            |
+| `path_to_bun_executable`         | Optional path to a custom Bun executable. Skips automatic Bun installation. Useful for Nix, custom containers, or specialized environments                                                                                             | No       | ""            |
+| `plugin_marketplaces`            | Newline-separated list of Claude Code plugin marketplace Git URLs to install from (e.g., see example in workflow above). Marketplaces are added before plugin installation                                                             | No       | ""            |
+| `plugins`                        | Newline-separated list of Claude Code plugin names to install (e.g., see example in workflow above). Plugins are installed before Claude Code execution                                                                                | No       | ""            |
 
 ### Deprecated Inputs
 

examples/ci-failure-auto-fix.yml

@@ -1,5 +1,21 @@
 name: Auto Fix CI Failures
 
+# ⚠️ SECURITY NOTE
+#
+# This workflow checks out the PR branch and runs build/test commands
+# (npm, bun, etc.) against it with elevated permissions (contents:write,
+# id-token:write). This means code from the PR branch executes in a
+# trusted context with access to secrets and the ability to push to the
+# repository.
+#
+# Only use this workflow in repositories where everyone with write access
+# is fully trusted with these permissions. Do not use this in repositories
+# that accept contributions from untrusted or semi-trusted collaborators.
+#
+# The pull_requests[0] check below limits this to same-repo PRs (fork PRs
+# are excluded), but anyone who can push a branch to this repository can
+# control what code runs here.
+
 on:
   workflow_run:
     workflows: ["CI"]
@@ -35,10 +51,14 @@ jobs:
 
       - name: Create fix branch
         id: branch
+        env:
+          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
+          RUN_ID: ${{ github.run_id }}
         run: |
-          BRANCH_NAME="claude-auto-fix-ci-${{ github.event.workflow_run.head_branch }}-${{ github.run_id }}"
+          SAFE_BRANCH=$(printf '%s' "$HEAD_BRANCH" | tr -cd 'a-zA-Z0-9/_.-')
+          BRANCH_NAME="claude-auto-fix-ci-${SAFE_BRANCH}-${RUN_ID}"
           git checkout -b "$BRANCH_NAME"
-          echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT
+          echo "branch_name=$BRANCH_NAME" >> "$GITHUB_OUTPUT"
 
       - name: Get CI failure details
         id: failure_details

examples/issue-triage.yml

@@ -21,8 +21,8 @@ jobs:
       - name: Run Claude Code for Issue Triage
         uses: anthropics/claude-code-action@v1
         with:
-          # NOTE: /label-issue here requires a .claude/commands/label-issue.md file in your repo (see this repo's .claude directory for an example)
+          # NOTE: /label-issue requires .claude/commands/label-issue.md and scripts/edit-issue-labels.sh in your repo (see this repo for examples)
-          prompt: "/label-issue REPO: ${{ github.repository }} ISSUE_NUMBER${{ github.event.issue.number }}"
+          prompt: "/label-issue REPO: ${{ github.repository }} ISSUE_NUMBER: ${{ github.event.issue.number }}"
 
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           allowed_non_write_users: "*" # Required for issue triage workflow, if users without repo write access create issues

examples/test-failure-analysis.yml

@@ -53,6 +53,8 @@ jobs:
           fromJSON(steps.detect.outputs.structured_output).confidence >= 0.7
         env:
           GH_TOKEN: ${{ github.token }}
+          WORKFLOW_NAME: ${{ github.event.workflow_run.name }}
+          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
         run: |
           OUTPUT='${{ steps.detect.outputs.structured_output }}'
           CONFIDENCE=$(echo "$OUTPUT" | jq -r '.confidence')
@@ -63,8 +65,7 @@ jobs:
           echo ""
           echo "Triggering automatic retry..."
 
-          gh workflow run "${{ github.event.workflow_run.name }}" \
+          gh workflow run "$WORKFLOW_NAME" --ref "$HEAD_BRANCH"
-            --ref "${{ github.event.workflow_run.head_branch }}"
 
       # Low confidence flaky detection - skip retry
       - name: Low confidence detection
@@ -83,13 +84,14 @@ jobs:
         if: github.event.workflow_run.event == 'pull_request'
         env:
           GH_TOKEN: ${{ github.token }}
+          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
         run: |
           OUTPUT='${{ steps.detect.outputs.structured_output }}'
           IS_FLAKY=$(echo "$OUTPUT" | jq -r '.is_flaky')
           CONFIDENCE=$(echo "$OUTPUT" | jq -r '.confidence')
           SUMMARY=$(echo "$OUTPUT" | jq -r '.summary')
 
-          pr_number=$(gh pr list --head "${{ github.event.workflow_run.head_branch }}" --json number --jq '.[0].number')
+          pr_number=$(gh pr list --head "$HEAD_BRANCH" --json number --jq '.[0].number')
 
           if [ -n "$pr_number" ]; then
             if [ "$IS_FLAKY" = "true" ]; then

package.json

@@ -12,7 +12,7 @@
   "dependencies": {
     "@actions/core": "^1.10.1",
     "@actions/github": "^6.0.1",
-    "@anthropic-ai/claude-agent-sdk": "^0.2.20",
+    "@anthropic-ai/claude-agent-sdk": "^0.2.123",
     "@modelcontextprotocol/sdk": "^1.11.0",
     "@octokit/graphql": "^8.2.2",
     "@octokit/rest": "^21.1.1",

scripts/edit-issue-labels.sh

@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+#
+# Edits labels on a GitHub issue.
+# Usage: ./scripts/edit-issue-labels.sh --add-label bug --add-label needs-triage --remove-label untriaged
+#
+# The issue number is read from the workflow event payload.
+#
+
+set -euo pipefail
+
+# Read from event payload so the issue number is bound to the triggering event
+ISSUE=$(jq -r '.issue.number // empty' "${GITHUB_EVENT_PATH:?GITHUB_EVENT_PATH not set}")
+if ! [[ "$ISSUE" =~ ^[0-9]+$ ]]; then
+  echo "Error: no issue number in event payload" >&2
+  exit 1
+fi
+
+ADD_LABELS=()
+REMOVE_LABELS=()
+
+# Parse arguments
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    --add-label)
+      ADD_LABELS+=("$2")
+      shift 2
+      ;;
+    --remove-label)
+      REMOVE_LABELS+=("$2")
+      shift 2
+      ;;
+    *)
+      echo "Error: unknown argument (only --add-label and --remove-label are accepted)" >&2
+      exit 1
+      ;;
+  esac
+done
+
+if [[ ${#ADD_LABELS[@]} -eq 0 && ${#REMOVE_LABELS[@]} -eq 0 ]]; then
+  exit 1
+fi
+
+# Fetch valid labels from the repo
+VALID_LABELS=$(gh label list --limit 500 --json name --jq '.[].name')
+
+# Filter to only labels that exist in the repo
+FILTERED_ADD=()
+for label in "${ADD_LABELS[@]}"; do
+  if echo "$VALID_LABELS" | grep -qxF "$label"; then
+    FILTERED_ADD+=("$label")
+  fi
+done
+
+FILTERED_REMOVE=()
+for label in "${REMOVE_LABELS[@]}"; do
+  if echo "$VALID_LABELS" | grep -qxF "$label"; then
+    FILTERED_REMOVE+=("$label")
+  fi
+done
+
+if [[ ${#FILTERED_ADD[@]} -eq 0 && ${#FILTERED_REMOVE[@]} -eq 0 ]]; then
+  exit 0
+fi
+
+# Build gh command arguments
+GH_ARGS=("issue" "edit" "$ISSUE")
+
+for label in "${FILTERED_ADD[@]}"; do
+  GH_ARGS+=("--add-label" "$label")
+done
+
+for label in "${FILTERED_REMOVE[@]}"; do
+  GH_ARGS+=("--remove-label" "$label")
+done
+
+gh "${GH_ARGS[@]}"
+
+if [[ ${#FILTERED_ADD[@]} -gt 0 ]]; then
+  echo "Added: ${FILTERED_ADD[*]}"
+fi
+if [[ ${#FILTERED_REMOVE[@]} -gt 0 ]]; then
+  echo "Removed: ${FILTERED_REMOVE[*]}"
+fi

scripts/gh.sh

@@ -0,0 +1,96 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Wrapper around gh CLI that only allows specific subcommands and flags.
+# All commands are scoped to the current repository via GH_REPO or GITHUB_REPOSITORY.
+#
+# Usage:
+#   ./scripts/gh.sh issue view 123
+#   ./scripts/gh.sh issue view 123 --comments
+#   ./scripts/gh.sh issue list --state open --limit 20
+#   ./scripts/gh.sh search issues "search query" --limit 10
+#   ./scripts/gh.sh label list --limit 100
+
+export GH_HOST=github.com
+
+REPO="${GH_REPO:-${GITHUB_REPOSITORY:-}}"
+if [[ -z "$REPO" || "$REPO" == */*/* || "$REPO" != */* ]]; then
+  echo "Error: GH_REPO or GITHUB_REPOSITORY must be set to owner/repo format (e.g., GITHUB_REPOSITORY=anthropics/claude-code)" >&2
+  exit 1
+fi
+export GH_REPO="$REPO"
+
+ALLOWED_FLAGS=(--comments --state --limit --label)
+FLAGS_WITH_VALUES=(--state --limit --label)
+
+SUB1="${1:-}"
+SUB2="${2:-}"
+CMD="$SUB1 $SUB2"
+case "$CMD" in
+  "issue view"|"issue list"|"search issues"|"label list")
+    ;;
+  *)
+    echo "Error: only 'issue view', 'issue list', 'search issues', 'label list' are allowed (e.g., ./scripts/gh.sh issue view 123)" >&2
+    exit 1
+    ;;
+esac
+
+shift 2
+
+# Separate flags from positional arguments
+POSITIONAL=()
+FLAGS=()
+skip_next=false
+for arg in "$@"; do
+  if [[ "$skip_next" == true ]]; then
+    FLAGS+=("$arg")
+    skip_next=false
+  elif [[ "$arg" == -* ]]; then
+    flag="${arg%%=*}"
+    matched=false
+    for allowed in "${ALLOWED_FLAGS[@]}"; do
+      if [[ "$flag" == "$allowed" ]]; then
+        matched=true
+        break
+      fi
+    done
+    if [[ "$matched" == false ]]; then
+      echo "Error: only --comments, --state, --limit, --label flags are allowed (e.g., ./scripts/gh.sh issue list --state open --limit 20)" >&2
+      exit 1
+    fi
+    FLAGS+=("$arg")
+    # If flag expects a value and isn't using = syntax, skip next arg
+    if [[ "$arg" != *=* ]]; then
+      for vflag in "${FLAGS_WITH_VALUES[@]}"; do
+        if [[ "$flag" == "$vflag" ]]; then
+          skip_next=true
+          break
+        fi
+      done
+    fi
+  else
+    POSITIONAL+=("$arg")
+  fi
+done
+
+if [[ "$CMD" == "search issues" ]]; then
+  QUERY="${POSITIONAL[0]:-}"
+  QUERY_LOWER=$(echo "$QUERY" | tr '[:upper:]' '[:lower:]')
+  if [[ "$QUERY_LOWER" == *"repo:"* || "$QUERY_LOWER" == *"org:"* || "$QUERY_LOWER" == *"user:"* ]]; then
+    echo "Error: search query must not contain repo:, org:, or user: qualifiers (e.g., ./scripts/gh.sh search issues \"bug report\" --limit 10)" >&2
+    exit 1
+  fi
+  gh "$SUB1" "$SUB2" "$QUERY" --repo "$REPO" "${FLAGS[@]}"
+elif [[ "$CMD" == "issue view" ]]; then
+  if [[ ${#POSITIONAL[@]} -ne 1 ]] || ! [[ "${POSITIONAL[0]}" =~ ^[0-9]+$ ]]; then
+    echo "Error: issue view requires exactly one numeric issue number (e.g., ./scripts/gh.sh issue view 123)" >&2
+    exit 1
+  fi
+  gh "$SUB1" "$SUB2" "${POSITIONAL[0]}" "${FLAGS[@]}"
+else
+  if [[ ${#POSITIONAL[@]} -ne 0 ]]; then
+    echo "Error: issue list and label list do not accept positional arguments (e.g., ./scripts/gh.sh issue list --state open, ./scripts/gh.sh label list --limit 100)" >&2
+    exit 1
+  fi
+  gh "$SUB1" "$SUB2" "${FLAGS[@]}"
+fi

scripts/git-push.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Wrapper around `git push` that only allows `origin <ref>` with no flags.
+# Defends against --receive-pack / --exec RCE and arbitrary-remote exfiltration
+# (H1 #3556799). `git push:*` in allowedTools permits `git push --receive-pack='sh -c ...' ext::sh`
+# which runs arbitrary shell on the Actions runner. This wrapper closes that.
+#
+# Usage:
+#   git-push.sh origin HEAD
+#   git-push.sh origin claude/issue-123-20260304
+
+if [[ $# -ne 2 ]]; then
+  echo "Error: exactly two arguments required: origin <ref>" >&2
+  exit 1
+fi
+
+for arg in "$@"; do
+  if [[ "$arg" == -* ]]; then
+    echo "Error: flags are not allowed (got: $arg)" >&2
+    exit 1
+  fi
+done
+
+if [[ "$1" != "origin" ]]; then
+  echo "Error: remote must be 'origin' (got: $1)" >&2
+  exit 1
+fi
+
+REF="$2"
+if [[ "$REF" != "HEAD" ]] && ! git check-ref-format --branch "$REF" >/dev/null 2>&1; then
+  echo "Error: invalid ref: $REF" >&2
+  exit 1
+fi
+
+exec git push origin "$REF"

src/create-prompt/index.ts

@@ -20,23 +20,18 @@ import {
 import type { ParsedGitHubContext } from "../github/context";
 import type { CommonFields, PreparedContext, EventData } from "./types";
 import { GITHUB_SERVER_URL } from "../github/api/config";
-import type { Mode, ModeContext } from "../modes/types";
 import { extractUserRequest } from "../utils/extract-user-request";
 export type { CommonFields, PreparedContext } from "./types";
 
+const GIT_PUSH_WRAPPER = `${process.env.GITHUB_ACTION_PATH}/scripts/git-push.sh`;
+
 /** Filename for the user request file, read by the SDK runner */
 const USER_REQUEST_FILENAME = "claude-user-request.txt";
 
-// Tag mode defaults - these tools are needed for tag mode to function
+// Tag mode defaults - these tools are needed for tag mode to function.
-const BASE_ALLOWED_TOOLS = [
+// Edit/MultiEdit/Write are intentionally omitted: acceptEdits permission mode
-  "Edit",
+// auto-allows file edits inside $GITHUB_WORKSPACE and denies writes outside it.
-  "MultiEdit",
+const BASE_ALLOWED_TOOLS = ["Glob", "Grep", "LS", "Read"];
-  "Glob",
-  "Grep",
-  "LS",
-  "Read",
-  "Write",
-];
 
 export function buildAllowedToolsString(
   customAllowedTools?: string[],
@@ -60,10 +55,7 @@ export function buildAllowedToolsString(
     baseTools.push(
       "Bash(git add:*)",
       "Bash(git commit:*)",
-      "Bash(git push:*)",
+      `Bash(${GIT_PUSH_WRAPPER}:*)`,
-      "Bash(git status:*)",
-      "Bash(git diff:*)",
-      "Bash(git log:*)",
       "Bash(git rm:*)",
     );
   }
@@ -435,7 +427,7 @@ function getCommitInstructions(
           Bash(git commit -m "<message>\\n\\n${coAuthorLine}")`
             : ""
         }
-        - Push to the remote: Bash(git push origin HEAD)`;
+        - Push to the remote: Bash(${GIT_PUSH_WRAPPER} origin HEAD)`;
     } else {
       const branchName = eventData.claudeBranch || eventData.baseBranch;
       return `
@@ -449,7 +441,7 @@ function getCommitInstructions(
           Bash(git commit -m "<message>\\n\\n${coAuthorLine}")`
             : ""
         }
-        - Push to the remote: Bash(git push origin ${branchName})`;
+        - Push to the remote: Bash(${GIT_PUSH_WRAPPER} origin ${branchName})`;
     }
   }
 }
@@ -458,9 +450,31 @@ export function generatePrompt(
   context: PreparedContext,
   githubData: FetchDataResult,
   useCommitSigning: boolean,
-  mode: Mode,
+  modeName: "tag" | "agent",
 ): string {
-  return mode.generatePrompt(context, githubData, useCommitSigning);
+  if (modeName === "agent") {
+    return context.prompt || `Repository: ${context.repository}`;
+  }
+
+  // Tag mode
+  const defaultPrompt = generateDefaultPrompt(
+    context,
+    githubData,
+    useCommitSigning,
+  );
+
+  if (context.githubContext?.inputs?.prompt) {
+    return (
+      defaultPrompt +
+      `
+
+<custom_instructions>
+${context.githubContext.inputs.prompt}
+</custom_instructions>`
+    );
+  }
+
+  return defaultPrompt;
 }
 
 /**
@@ -802,7 +816,7 @@ ${
     : `- Use git commands via the Bash tool for version control (remember that you have access to these git commands):
   - Stage files: Bash(git add <files>)
   - Commit changes: Bash(git commit -m "<message>")
-  - Push to remote: Bash(git push origin <branch>) (NEVER force push)
+  - Push to remote: Bash(${GIT_PUSH_WRAPPER} origin <branch>)
   - Delete files: Bash(git rm <files>) followed by commit and push
   - Check status: Bash(git status)
   - View diff: Bash(git diff)${eventData.isPR && eventData.baseBranch ? `\n  - IMPORTANT: For PR diffs, use: Bash(git diff origin/${eventData.baseBranch}...HEAD)` : ""}`
@@ -901,28 +915,20 @@ function extractUserRequestFromContext(
 }
 
 export async function createPrompt(
-  mode: Mode,
+  commentId: number,
-  modeContext: ModeContext,
+  baseBranch: string | undefined,
+  claudeBranch: string | undefined,
   githubData: FetchDataResult,
   context: ParsedGitHubContext,
 ) {
   try {
-    // Prepare the context for prompt generation
+    const claudeCommentId = commentId.toString();
-    let claudeCommentId: string = "";
-    if (mode.name === "tag") {
-      if (!modeContext.commentId) {
-        throw new Error(
-          `${mode.name} mode requires a comment ID for prompt generation`,
-        );
-      }
-      claudeCommentId = modeContext.commentId.toString();
-    }
 
     const preparedContext = prepareContext(
       context,
       claudeCommentId,
-      modeContext.baseBranch,
+      baseBranch,
-      modeContext.claudeBranch,
+      claudeBranch,
     );
 
     await mkdir(`${process.env.RUNNER_TEMP || "/tmp"}/claude-prompts`, {
@@ -934,7 +940,7 @@ export async function createPrompt(
       preparedContext,
       githubData,
       context.inputs.useCommitSigning,
-      mode,
+      "tag",
     );
 
     // Log the final prompt to console
@@ -964,22 +970,17 @@ export async function createPrompt(
       console.log("========================");
     }
 
-    // Set allowed tools
+    // NOTE: these env var exports are dead — nothing reads ALLOWED_TOOLS / DISALLOWED_TOOLS.
+    // The live path is modes/tag/index.ts which builds --allowedTools into claudeArgs directly.
+    // Kept only so the H1 report's pointed-to file stays in sync with the live fix.
     const hasActionsReadPermission = false;
 
-    // Get mode-specific tools
-    const modeAllowedTools = mode.getAllowedTools();
-    const modeDisallowedTools = mode.getDisallowedTools();
-
     const allAllowedTools = buildAllowedToolsString(
-      modeAllowedTools,
+      [],
       hasActionsReadPermission,
       context.inputs.useCommitSigning,
     );
-    const allDisallowedTools = buildDisallowedToolsString(
+    const allDisallowedTools = buildDisallowedToolsString([], []);
-      modeDisallowedTools,
-      modeAllowedTools,
-    );
 
     core.exportVariable("ALLOWED_TOOLS", allAllowedTools);
     core.exportVariable("DISALLOWED_TOOLS", allDisallowedTools);

src/entrypoints/collect-inputs.ts

@@ -1,6 +1,4 @@
-import * as core from "@actions/core";
+export function collectActionInputsPresence(): string {
-
-export function collectActionInputsPresence(): void {
   const inputDefaults: Record<string, string> = {
     trigger_phrase: "@claude",
     assignee_trigger: "",
@@ -25,6 +23,7 @@ export function collectActionInputsPresence(): void {
     github_token: "",
     max_turns: "",
     use_sticky_comment: "false",
+    classify_inline_comments: "true",
     use_commit_signing: "false",
     ssh_signing_key: "",
   };
@@ -32,8 +31,7 @@ export function collectActionInputsPresence(): void {
   const allInputsJson = process.env.ALL_INPUTS;
   if (!allInputsJson) {
     console.log("ALL_INPUTS environment variable not found");
-    core.setOutput("action_inputs_present", JSON.stringify({}));
+    return JSON.stringify({});
-    return;
   }
 
   let allInputs: Record<string, string>;
@@ -41,8 +39,7 @@ export function collectActionInputsPresence(): void {
     allInputs = JSON.parse(allInputsJson);
   } catch (e) {
     console.error("Failed to parse ALL_INPUTS JSON:", e);
-    core.setOutput("action_inputs_present", JSON.stringify({}));
+    return JSON.stringify({});
-    return;
   }
 
   const presentInputs: Record<string, boolean> = {};
@@ -54,5 +51,5 @@ export function collectActionInputsPresence(): void {
     presentInputs[name] = isSet;
   }
 
-  core.setOutput("action_inputs_present", JSON.stringify(presentInputs));
+  return JSON.stringify(presentInputs);
 }

src/entrypoints/post-buffered-inline-comments.ts

@@ -0,0 +1,233 @@
+#!/usr/bin/env bun
+/**
+ * Reads buffered inline-comment calls from /tmp/inline-comments-buffer.jsonl,
+ * classifies each as "real review" vs "test/probe" using Haiku, and posts
+ * only the real ones. Calls with confirmed=false are never posted.
+ *
+ * If the Anthropic API is unavailable (Bedrock/Vertex users without a direct
+ * key), falls back to posting everything with confirmed !== false. This
+ * preserves backward compatibility — before this change, all unconfirmed
+ * calls posted immediately.
+ */
+import { readFileSync } from "fs";
+import { createOctokit } from "../github/api/client";
+
+const BUFFER_PATH = "/tmp/inline-comments-buffer.jsonl";
+
+type BufferedComment = {
+  ts: string;
+  path: string;
+  line?: number;
+  startLine?: number;
+  side?: "LEFT" | "RIGHT";
+  commit_id?: string;
+  body: string;
+  confirmed?: boolean;
+};
+
+const CLASSIFICATION_PROMPT = `You are classifying PR inline comments as either REAL code review feedback or TEST/PROBE calls.
+
+A TEST/PROBE call is when an automated agent is checking whether a commenting tool works. These typically:
+- Start with phrases like "Test comment", "Testing if", "Can I", "Does this work", "Checking if"
+- Have generic/placeholder content not specific to any code
+- Exist to verify tool functionality, not to provide review feedback
+
+A REAL review comment:
+- Discusses specific code, logic, bugs, or style
+- Provides actionable feedback for the PR author
+- References concrete aspects of the change
+
+For each numbered comment body below, respond with ONLY a JSON array of booleans where true = REAL review comment, false = test/probe. No other text.
+
+Comments:
+`;
+
+async function classifyComments(bodies: string[]): Promise<boolean[] | null> {
+  const apiKey = process.env.ANTHROPIC_API_KEY;
+  if (!apiKey) {
+    console.log(
+      "ANTHROPIC_API_KEY not set — skipping classification, posting all unconfirmed comments",
+    );
+    return null;
+  }
+
+  const prompt =
+    CLASSIFICATION_PROMPT +
+    bodies.map((b, i) => `${i + 1}. ${JSON.stringify(b)}`).join("\n");
+
+  try {
+    const res = await fetch("https://api.anthropic.com/v1/messages", {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        "x-api-key": apiKey,
+        "anthropic-version": "2023-06-01",
+      },
+      body: JSON.stringify({
+        model: "claude-haiku-4-5",
+        max_tokens: 1024,
+        messages: [{ role: "user", content: prompt }],
+      }),
+    });
+
+    if (!res.ok) {
+      console.log(
+        `Classification API returned ${res.status} — posting all unconfirmed comments`,
+      );
+      return null;
+    }
+
+    const data = (await res.json()) as {
+      content: { type: string; text: string }[];
+    };
+    const text = data.content.find((c) => c.type === "text")?.text ?? "";
+    const match = text.match(/\[[\s\S]*\]/);
+    if (!match) {
+      console.log(
+        "Could not parse classification response — posting all unconfirmed comments",
+      );
+      return null;
+    }
+    const parsed = JSON.parse(match[0]);
+    if (
+      !Array.isArray(parsed) ||
+      parsed.length !== bodies.length ||
+      !parsed.every((v) => typeof v === "boolean")
+    ) {
+      console.log(
+        "Classification response shape mismatch — posting all unconfirmed comments",
+      );
+      return null;
+    }
+    return parsed;
+  } catch (e) {
+    console.log(
+      `Classification failed (${e instanceof Error ? e.message : String(e)}) — posting all unconfirmed comments`,
+    );
+    return null;
+  }
+}
+
+async function postComment(
+  octokit: ReturnType<typeof createOctokit>["rest"],
+  owner: string,
+  repo: string,
+  pull_number: number,
+  headSha: string,
+  c: BufferedComment,
+): Promise<boolean> {
+  const params: Parameters<typeof octokit.rest.pulls.createReviewComment>[0] = {
+    owner,
+    repo,
+    pull_number,
+    body: c.body,
+    path: c.path,
+    side: c.side || "RIGHT",
+    commit_id: c.commit_id || headSha,
+  };
+  if (c.startLine) {
+    params.start_line = c.startLine;
+    params.start_side = c.side || "RIGHT";
+    params.line = c.line;
+  } else {
+    params.line = c.line;
+  }
+  try {
+    await octokit.rest.pulls.createReviewComment(params);
+    return true;
+  } catch (e) {
+    console.log(
+      `  failed ${c.path}:${c.line}: ${e instanceof Error ? e.message : String(e)}`,
+    );
+    return false;
+  }
+}
+
+async function main() {
+  let raw: string;
+  try {
+    raw = readFileSync(BUFFER_PATH, "utf8");
+  } catch {
+    console.log("No buffered inline comments");
+    return;
+  }
+
+  const comments: BufferedComment[] = raw
+    .split("\n")
+    .filter(Boolean)
+    .map((line) => JSON.parse(line));
+
+  if (comments.length === 0) {
+    console.log("No buffered inline comments");
+    return;
+  }
+
+  console.log(`Found ${comments.length} buffered inline comment(s)`);
+
+  const githubToken = process.env.GITHUB_TOKEN;
+  const owner = process.env.REPO_OWNER;
+  const repo = process.env.REPO_NAME;
+  const prNumber = process.env.PR_NUMBER;
+
+  if (!githubToken || !owner || !repo || !prNumber) {
+    console.log(
+      "::warning::Missing GITHUB_TOKEN/REPO_OWNER/REPO_NAME/PR_NUMBER — cannot post buffered comments",
+    );
+    return;
+  }
+
+  // Partition: confirmed=false are never posted; the rest are candidates
+  const neverPost = comments.filter((c) => c.confirmed === false);
+  const candidates = comments.filter((c) => c.confirmed !== false);
+
+  if (neverPost.length > 0) {
+    console.log(`  ${neverPost.length} with confirmed=false — not posting`);
+  }
+
+  if (candidates.length === 0) {
+    return;
+  }
+
+  // Classify candidates
+  const verdicts = await classifyComments(candidates.map((c) => c.body));
+  const toPost =
+    verdicts === null
+      ? candidates
+      : candidates.filter((_, i) => verdicts[i] === true);
+  const filtered =
+    verdicts === null ? [] : candidates.filter((_, i) => verdicts[i] === false);
+
+  if (filtered.length > 0) {
+    console.log(
+      `::warning::${filtered.length} buffered comment(s) classified as test/probe — NOT posted:`,
+    );
+    for (const c of filtered) {
+      console.log(`  [${c.path}:${c.line}] ${c.body.slice(0, 120)}`);
+    }
+  }
+
+  if (toPost.length === 0) {
+    console.log("No real comments to post");
+    return;
+  }
+
+  const octokit = createOctokit(githubToken).rest;
+  const pull_number = parseInt(prNumber, 10);
+  const pr = await octokit.pulls.get({ owner, repo, pull_number });
+  const headSha = pr.data.head.sha;
+
+  console.log(`Posting ${toPost.length} classified-as-real comment(s)`);
+  let posted = 0;
+  for (const c of toPost) {
+    if (await postComment(octokit, owner, repo, pull_number, headSha, c)) {
+      console.log(`  posted ${c.path}:${c.line}`);
+      posted++;
+    }
+  }
+  console.log(`Posted ${posted}/${toPost.length}`);
+}
+
+main().catch((e) => {
+  console.error("post-buffered-inline-comments failed:", e);
+  process.exit(1);
+});

src/entrypoints/prepare.ts

@@ -10,8 +10,10 @@ import { setupGitHubToken } from "../github/token";
 import { checkWritePermissions } from "../github/validation/permissions";
 import { createOctokit } from "../github/api/client";
 import { parseGitHubContext, isEntityContext } from "../github/context";
-import { getMode } from "../modes/registry";
+import { detectMode } from "../modes/detector";
-import { prepare } from "../prepare";
+import { prepareTagMode } from "../modes/tag";
+import { prepareAgentMode } from "../modes/agent";
+import { checkContainsTrigger } from "../github/validation/trigger";
 import { collectActionInputsPresence } from "./collect-inputs";
 
 async function run() {
@@ -22,7 +24,10 @@ async function run() {
     const context = parseGitHubContext();
 
     // Auto-detect mode based on context
-    const mode = getMode(context);
+    const modeName = detectMode(context);
+    console.log(
+      `Auto-detected mode: ${modeName} for event: ${context.eventName}`,
+    );
 
     // Setup GitHub token
     const githubToken = await setupGitHubToken();
@@ -46,10 +51,13 @@ async function run() {
     }
 
     // Check trigger conditions
-    const containsTrigger = mode.shouldTrigger(context);
+    const containsTrigger =
+      modeName === "tag"
+        ? isEntityContext(context) && checkContainsTrigger(context)
+        : !!context.inputs?.prompt;
 
     // Debug logging
-    console.log(`Mode: ${mode.name}`);
+    console.log(`Mode: ${modeName}`);
     console.log(`Context prompt: ${context.inputs?.prompt || "NO PROMPT"}`);
     console.log(`Trigger result: ${containsTrigger}`);
 
@@ -63,31 +71,20 @@ async function run() {
       return;
     }
 
-    // Step 5: Use the new modular prepare function
+    // Run prepare
-    const result = await prepare({
+    console.log(
-      context,
+      `Preparing with mode: ${modeName} for event: ${context.eventName}`,
-      octokit,
+    );
-      mode,
+    if (modeName === "tag") {
-      githubToken,
+      await prepareTagMode({ context, octokit, githubToken });
-    });
+    } else {
+      await prepareAgentMode({ context, octokit, githubToken });
+    }
 
     // MCP config is handled by individual modes (tag/agent) and included in their claude_args output
 
     // Expose the GitHub token (Claude App token) as an output
     core.setOutput("github_token", githubToken);
-
-    // Step 6: Get system prompt from mode if available
-    if (mode.getSystemPrompt) {
-      const modeContext = mode.prepareContext(context, {
-        commentId: result.commentId,
-        baseBranch: result.branchInfo.baseBranch,
-        claudeBranch: result.branchInfo.claudeBranch,
-      });
-      const systemPrompt = mode.getSystemPrompt(modeContext);
-      if (systemPrompt) {
-        core.exportVariable("APPEND_SYSTEM_PROMPT", systemPrompt);
-      }
-    }
   } catch (error) {
     const errorMessage = error instanceof Error ? error.message : String(error);
     core.setFailed(`Prepare step failed with error: ${errorMessage}`);

src/entrypoints/run.ts

@@ -0,0 +1,353 @@
+#!/usr/bin/env bun
+
+/**
+ * Unified entrypoint for the Claude Code Action.
+ * Merges all previously separate action.yml steps (prepare, install, run, cleanup)
+ * into a single TypeScript orchestrator.
+ */
+
+import * as core from "@actions/core";
+import { dirname } from "path";
+import { spawn } from "child_process";
+import { appendFile } from "fs/promises";
+import { existsSync, readFileSync } from "fs";
+import { setupGitHubToken, WorkflowValidationSkipError } from "../github/token";
+import { checkWritePermissions } from "../github/validation/permissions";
+import { createOctokit } from "../github/api/client";
+import type { Octokits } from "../github/api/client";
+import {
+  parseGitHubContext,
+  isEntityContext,
+  isPullRequestEvent,
+  isPullRequestReviewEvent,
+  isPullRequestReviewCommentEvent,
+} from "../github/context";
+import type { GitHubContext } from "../github/context";
+import { detectMode } from "../modes/detector";
+import { prepareTagMode } from "../modes/tag";
+import { prepareAgentMode } from "../modes/agent";
+import { checkContainsTrigger } from "../github/validation/trigger";
+import { restoreConfigFromBase } from "../github/operations/restore-config";
+import { validateBranchName } from "../github/operations/branch";
+import { collectActionInputsPresence } from "./collect-inputs";
+import { updateCommentLink } from "./update-comment-link";
+import { formatTurnsFromData } from "./format-turns";
+import type { Turn } from "./format-turns";
+// Base-action imports (used directly instead of subprocess)
+import { validateEnvironmentVariables } from "../../base-action/src/validate-env";
+import { setupClaudeCodeSettings } from "../../base-action/src/setup-claude-code-settings";
+import { installPlugins } from "../../base-action/src/install-plugins";
+import { preparePrompt } from "../../base-action/src/prepare-prompt";
+import { runClaude } from "../../base-action/src/run-claude";
+import type { ClaudeRunResult } from "../../base-action/src/run-claude-sdk";
+
+/**
+ * Install Claude Code CLI, handling retry logic and custom executable paths.
+ * Returns the absolute path to the claude executable.
+ */
+async function installClaudeCode(): Promise<string> {
+  const customExecutable = process.env.PATH_TO_CLAUDE_CODE_EXECUTABLE;
+  if (customExecutable) {
+    if (/[\x00-\x1f\x7f]/.test(customExecutable)) {
+      throw new Error(
+        "PATH_TO_CLAUDE_CODE_EXECUTABLE contains control characters (e.g. newlines), which is not allowed",
+      );
+    }
+    console.log(`Using custom Claude Code executable: ${customExecutable}`);
+    const claudeDir = dirname(customExecutable);
+    // Add to PATH by appending to GITHUB_PATH
+    const githubPath = process.env.GITHUB_PATH;
+    if (githubPath) {
+      await appendFile(githubPath, `${claudeDir}\n`);
+    }
+    // Also add to current process PATH
+    process.env.PATH = `${claudeDir}:${process.env.PATH}`;
+    return customExecutable;
+  }
+
+  const claudeCodeVersion = "2.1.123";
+  console.log(`Installing Claude Code v${claudeCodeVersion}...`);
+
+  for (let attempt = 1; attempt <= 3; attempt++) {
+    console.log(`Installation attempt ${attempt}...`);
+    try {
+      await new Promise<void>((resolve, reject) => {
+        const child = spawn(
+          "bash",
+          [
+            "-c",
+            `curl -fsSL https://claude.ai/install.sh | bash -s -- ${claudeCodeVersion}`,
+          ],
+          { stdio: "inherit" },
+        );
+        child.on("close", (code) => {
+          if (code === 0) resolve();
+          else reject(new Error(`Install failed with exit code ${code}`));
+        });
+        child.on("error", reject);
+      });
+      console.log("Claude Code installed successfully");
+      // Add to PATH
+      const homeBin = `${process.env.HOME}/.local/bin`;
+      const githubPath = process.env.GITHUB_PATH;
+      if (githubPath) {
+        await appendFile(githubPath, `${homeBin}\n`);
+      }
+      process.env.PATH = `${homeBin}:${process.env.PATH}`;
+      return `${homeBin}/claude`;
+    } catch (error) {
+      if (attempt === 3) {
+        throw new Error(
+          `Failed to install Claude Code after 3 attempts: ${error}`,
+        );
+      }
+      console.log("Installation failed, retrying...");
+      await new Promise((resolve) => setTimeout(resolve, 5000));
+    }
+  }
+  throw new Error("unreachable");
+}
+
+/**
+ * Write the step summary from Claude's execution output file.
+ */
+async function writeStepSummary(executionFile: string): Promise<void> {
+  const summaryFile = process.env.GITHUB_STEP_SUMMARY;
+  if (!summaryFile) return;
+
+  try {
+    const fileContent = readFileSync(executionFile, "utf-8");
+    const data: Turn[] = JSON.parse(fileContent);
+    const markdown = formatTurnsFromData(data);
+    await appendFile(summaryFile, markdown);
+    console.log("Successfully formatted Claude Code report");
+  } catch (error) {
+    console.error(`Failed to format output: ${error}`);
+    // Fall back to raw JSON
+    try {
+      let fallback = "## Claude Code Report (Raw Output)\n\n";
+      fallback +=
+        "Failed to format output (please report). Here's the raw JSON:\n\n";
+      fallback += "```json\n";
+      fallback += readFileSync(executionFile, "utf-8");
+      fallback += "\n```\n";
+      await appendFile(summaryFile, fallback);
+    } catch {
+      console.error("Failed to write raw output to step summary");
+    }
+  }
+}
+
+async function run() {
+  let githubToken: string | undefined;
+  let commentId: number | undefined;
+  let claudeBranch: string | undefined;
+  let baseBranch: string | undefined;
+  let executionFile: string | undefined;
+  let claudeSuccess = false;
+  let prepareSuccess = true;
+  let prepareError: string | undefined;
+  let context: GitHubContext | undefined;
+  let octokit: Octokits | undefined;
+  // Track whether we've completed prepare phase, so we can attribute errors correctly
+  let prepareCompleted = false;
+  try {
+    // Phase 1: Prepare
+    const actionInputsPresent = collectActionInputsPresence();
+    context = parseGitHubContext();
+    const modeName = detectMode(context);
+    console.log(
+      `Auto-detected mode: ${modeName} for event: ${context.eventName}`,
+    );
+
+    try {
+      githubToken = await setupGitHubToken();
+    } catch (error) {
+      if (error instanceof WorkflowValidationSkipError) {
+        core.setOutput("skipped_due_to_workflow_validation_mismatch", "true");
+        console.log("Exiting due to workflow validation skip");
+        return;
+      }
+      throw error;
+    }
+
+    octokit = createOctokit(githubToken);
+
+    // Set GITHUB_TOKEN and GH_TOKEN in process env for downstream usage
+    process.env.GITHUB_TOKEN = githubToken;
+    process.env.GH_TOKEN = githubToken;
+
+    // Check write permissions (only for entity contexts)
+    if (isEntityContext(context)) {
+      const hasWritePermissions = await checkWritePermissions(
+        octokit.rest,
+        context,
+        context.inputs.allowedNonWriteUsers,
+        !!process.env.OVERRIDE_GITHUB_TOKEN,
+      );
+      if (!hasWritePermissions) {
+        throw new Error(
+          "Actor does not have write permissions to the repository",
+        );
+      }
+    }
+
+    // Check trigger conditions
+    const containsTrigger =
+      modeName === "tag"
+        ? isEntityContext(context) && checkContainsTrigger(context)
+        : !!context.inputs?.prompt;
+    console.log(`Mode: ${modeName}`);
+    console.log(`Context prompt: ${context.inputs?.prompt || "NO PROMPT"}`);
+    console.log(`Trigger result: ${containsTrigger}`);
+
+    if (!containsTrigger) {
+      console.log("No trigger found, skipping remaining steps");
+      core.setOutput("github_token", githubToken);
+      return;
+    }
+
+    // Run prepare
+    console.log(
+      `Preparing with mode: ${modeName} for event: ${context.eventName}`,
+    );
+    const prepareResult =
+      modeName === "tag"
+        ? await prepareTagMode({ context, octokit, githubToken })
+        : await prepareAgentMode({ context, octokit, githubToken });
+
+    commentId = prepareResult.commentId;
+    claudeBranch = prepareResult.branchInfo.claudeBranch;
+    baseBranch = prepareResult.branchInfo.baseBranch;
+    prepareCompleted = true;
+
+    // Phase 2: Install Claude Code CLI
+    const claudeExecutable = await installClaudeCode();
+
+    // Phase 3: Run Claude (import base-action directly)
+    // Set env vars needed by the base-action code
+    process.env.INPUT_ACTION_INPUTS_PRESENT = actionInputsPresent;
+    process.env.CLAUDE_CODE_ACTION = "1";
+    process.env.DETAILED_PERMISSION_MESSAGES = "1";
+
+    validateEnvironmentVariables();
+
+    // On PRs, .claude/ and .mcp.json in the checkout are attacker-controlled.
+    // Restore them from the base branch before the CLI reads them.
+    //
+    // We read pull_request.base.ref from the payload directly because agent
+    // mode's branchInfo.baseBranch defaults to the repo's default branch rather
+    // than the PR's actual target (agent/index.ts). For issue_comment on a PR the payload
+    // lacks base.ref, so we fall back to the mode-provided value — tag mode
+    // fetches it from GraphQL; agent mode on issue_comment is an edge case
+    // that at worst restores from the wrong trusted branch (still secure).
+    if (isEntityContext(context) && context.isPR) {
+      let restoreBase = baseBranch;
+      if (
+        isPullRequestEvent(context) ||
+        isPullRequestReviewEvent(context) ||
+        isPullRequestReviewCommentEvent(context)
+      ) {
+        restoreBase = context.payload.pull_request.base.ref;
+        validateBranchName(restoreBase);
+      }
+      if (restoreBase) {
+        restoreConfigFromBase(restoreBase);
+      }
+    }
+
+    await setupClaudeCodeSettings(process.env.INPUT_SETTINGS);
+
+    await installPlugins(
+      process.env.INPUT_PLUGIN_MARKETPLACES,
+      process.env.INPUT_PLUGINS,
+      claudeExecutable,
+    );
+
+    const promptFile =
+      process.env.INPUT_PROMPT_FILE ||
+      `${process.env.RUNNER_TEMP}/claude-prompts/claude-prompt.txt`;
+    const promptConfig = await preparePrompt({
+      prompt: "",
+      promptFile,
+    });
+
+    const claudeResult: ClaudeRunResult = await runClaude(promptConfig.path, {
+      claudeArgs: prepareResult.claudeArgs,
+      appendSystemPrompt: process.env.APPEND_SYSTEM_PROMPT,
+      model: process.env.ANTHROPIC_MODEL,
+      pathToClaudeCodeExecutable: claudeExecutable,
+      showFullOutput: process.env.INPUT_SHOW_FULL_OUTPUT,
+    });
+
+    claudeSuccess = claudeResult.conclusion === "success";
+    executionFile = claudeResult.executionFile;
+
+    // Set action-level outputs
+    if (claudeResult.executionFile) {
+      core.setOutput("execution_file", claudeResult.executionFile);
+    }
+    if (claudeResult.sessionId) {
+      core.setOutput("session_id", claudeResult.sessionId);
+    }
+    if (claudeResult.structuredOutput) {
+      core.setOutput("structured_output", claudeResult.structuredOutput);
+    }
+    core.setOutput("conclusion", claudeResult.conclusion);
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    // Only mark as prepare failure if we haven't completed the prepare phase
+    if (!prepareCompleted) {
+      prepareSuccess = false;
+      prepareError = errorMessage;
+    }
+    core.setFailed(`Action failed with error: ${errorMessage}`);
+  } finally {
+    // Phase 4: Cleanup (always runs)
+
+    // Update tracking comment
+    if (
+      commentId &&
+      context &&
+      isEntityContext(context) &&
+      githubToken &&
+      octokit
+    ) {
+      try {
+        await updateCommentLink({
+          commentId,
+          githubToken,
+          claudeBranch,
+          baseBranch: baseBranch || context.repository.default_branch || "main",
+          triggerUsername: context.actor,
+          context,
+          octokit,
+          claudeSuccess,
+          outputFile: executionFile,
+          prepareSuccess,
+          prepareError,
+          useCommitSigning: context.inputs.useCommitSigning,
+        });
+      } catch (error) {
+        console.error("Error updating comment with job link:", error);
+      }
+    }
+
+    // Write step summary (unless display_report is set to false)
+    if (
+      executionFile &&
+      existsSync(executionFile) &&
+      process.env.DISPLAY_REPORT !== "false"
+    ) {
+      await writeStepSummary(executionFile);
+    }
+
+    // Set remaining action-level outputs
+    core.setOutput("branch_name", claudeBranch);
+    core.setOutput("github_token", githubToken);
+  }
+}
+
+if (import.meta.main) {
+  run();
+}

src/entrypoints/update-comment-link.ts

@@ -1,6 +1,7 @@
 #!/usr/bin/env bun
 
 import { createOctokit } from "../github/api/client";
+import type { Octokits } from "../github/api/client";
 import * as fs from "fs/promises";
 import {
   updateCommentBody,
@@ -11,229 +12,258 @@ import {
   isPullRequestReviewCommentEvent,
   isEntityContext,
 } from "../github/context";
+import type { ParsedGitHubContext } from "../github/context";
 import { GITHUB_SERVER_URL } from "../github/api/config";
 import { checkAndCommitOrDeleteBranch } from "../github/operations/branch-cleanup";
 import { updateClaudeComment } from "../github/operations/comments/update-claude-comment";
 
+export type UpdateCommentLinkParams = {
+  commentId: number;
+  githubToken: string;
+  claudeBranch?: string;
+  baseBranch: string;
+  triggerUsername?: string;
+  context: ParsedGitHubContext;
+  octokit: Octokits;
+  claudeSuccess: boolean;
+  outputFile?: string;
+  prepareSuccess: boolean;
+  prepareError?: string;
+  useCommitSigning: boolean;
+};
+
+export async function updateCommentLink(
+  params: UpdateCommentLinkParams,
+): Promise<void> {
+  const {
+    commentId,
+    claudeBranch,
+    baseBranch,
+    triggerUsername,
+    context,
+    octokit,
+    useCommitSigning,
+  } = params;
+
+  const { owner, repo } = context.repository;
+
+  const serverUrl = GITHUB_SERVER_URL;
+  const jobUrl = `${serverUrl}/${owner}/${repo}/actions/runs/${process.env.GITHUB_RUN_ID}`;
+
+  let comment;
+  let isPRReviewComment = false;
+
+  try {
+    // GitHub has separate ID namespaces for review comments and issue comments
+    // We need to use the correct API based on the event type
+    if (isPullRequestReviewCommentEvent(context)) {
+      // For PR review comments, use the pulls API
+      console.log(`Fetching PR review comment ${commentId}`);
+      const { data: prComment } = await octokit.rest.pulls.getReviewComment({
+        owner,
+        repo,
+        comment_id: commentId,
+      });
+      comment = prComment;
+      isPRReviewComment = true;
+      console.log("Successfully fetched as PR review comment");
+    }
+
+    // For all other event types, use the issues API
+    if (!comment) {
+      console.log(`Fetching issue comment ${commentId}`);
+      const { data: issueComment } = await octokit.rest.issues.getComment({
+        owner,
+        repo,
+        comment_id: commentId,
+      });
+      comment = issueComment;
+      isPRReviewComment = false;
+      console.log("Successfully fetched as issue comment");
+    }
+  } catch (finalError) {
+    // If all attempts fail, try to determine more information about the comment
+    console.error("Failed to fetch comment. Debug info:");
+    console.error(`Comment ID: ${commentId}`);
+    console.error(`Event name: ${context.eventName}`);
+    console.error(`Entity number: ${context.entityNumber}`);
+    console.error(`Repository: ${context.repository.full_name}`);
+
+    // Try to get the PR info to understand the comment structure
+    try {
+      const { data: pr } = await octokit.rest.pulls.get({
+        owner,
+        repo,
+        pull_number: context.entityNumber,
+      });
+      console.log(`PR state: ${pr.state}`);
+      console.log(`PR comments count: ${pr.comments}`);
+      console.log(`PR review comments count: ${pr.review_comments}`);
+    } catch {
+      console.error("Could not fetch PR info for debugging");
+    }
+
+    throw finalError;
+  }
+
+  const currentBody = comment.body ?? "";
+
+  // Check if we need to add branch link for new branches
+  const { shouldDeleteBranch, branchLink } = await checkAndCommitOrDeleteBranch(
+    octokit,
+    owner,
+    repo,
+    claudeBranch,
+    baseBranch,
+    useCommitSigning,
+  );
+
+  // Check if we need to add PR URL when we have a new branch
+  let prLink = "";
+  // If claudeBranch is set, it means we created a new branch (for issues or closed/merged PRs)
+  if (claudeBranch && !shouldDeleteBranch) {
+    // Check if comment already contains a PR URL
+    const serverUrlPattern = serverUrl.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    const prUrlPattern = new RegExp(
+      `${serverUrlPattern}\\/.+\\/compare\\/${baseBranch.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\.\\.\\.`,
+    );
+    const containsPRUrl = currentBody.match(prUrlPattern);
+
+    if (!containsPRUrl) {
+      // Check if there are changes to the branch compared to the default branch
+      try {
+        const { data: comparison } =
+          await octokit.rest.repos.compareCommitsWithBasehead({
+            owner,
+            repo,
+            basehead: `${baseBranch}...${claudeBranch}`,
+          });
+
+        // If there are changes (commits or file changes), add the PR URL
+        if (
+          comparison.total_commits > 0 ||
+          (comparison.files && comparison.files.length > 0)
+        ) {
+          const entityType = context.isPR ? "PR" : "Issue";
+          const prTitle = encodeURIComponent(
+            `${entityType} #${context.entityNumber}: Changes from Claude`,
+          );
+          const prBody = encodeURIComponent(
+            `This PR addresses ${entityType.toLowerCase()} #${context.entityNumber}\n\nGenerated with [Claude Code](https://claude.ai/code)`,
+          );
+          const prUrl = `${serverUrl}/${owner}/${repo}/compare/${baseBranch}...${claudeBranch}?quick_pull=1&title=${prTitle}&body=${prBody}`;
+          prLink = `\n[Create a PR](${prUrl})`;
+        }
+      } catch (error) {
+        console.error("Error checking for changes in branch:", error);
+        // Don't fail the entire update if we can't check for changes
+      }
+    }
+  }
+
+  // Check if action failed and read output file for execution details
+  let executionDetails: {
+    total_cost_usd?: number;
+    duration_ms?: number;
+    duration_api_ms?: number;
+  } | null = null;
+  let actionFailed = false;
+  let errorDetails: string | undefined;
+
+  if (!params.prepareSuccess && params.prepareError) {
+    actionFailed = true;
+    errorDetails = params.prepareError;
+  } else {
+    // Check for existence of output file and parse it if available
+    try {
+      if (params.outputFile) {
+        const fileContent = await fs.readFile(params.outputFile, "utf8");
+        const outputData = JSON.parse(fileContent);
+
+        // Output file is an array, get the last element which contains execution details
+        if (Array.isArray(outputData) && outputData.length > 0) {
+          const lastElement = outputData[outputData.length - 1];
+          if (
+            lastElement.type === "result" &&
+            "total_cost_usd" in lastElement &&
+            "duration_ms" in lastElement
+          ) {
+            executionDetails = {
+              total_cost_usd: lastElement.total_cost_usd,
+              duration_ms: lastElement.duration_ms,
+              duration_api_ms: lastElement.duration_api_ms,
+            };
+          }
+        }
+      }
+
+      actionFailed = !params.claudeSuccess;
+    } catch (error) {
+      console.error("Error reading output file:", error);
+      actionFailed = !params.claudeSuccess;
+    }
+  }
+
+  // Prepare input for updateCommentBody function
+  const commentInput: CommentUpdateInput = {
+    currentBody,
+    actionFailed,
+    executionDetails,
+    jobUrl,
+    branchLink,
+    prLink,
+    branchName: shouldDeleteBranch || !branchLink ? undefined : claudeBranch,
+    triggerUsername,
+    errorDetails,
+  };
+
+  const updatedBody = updateCommentBody(commentInput);
+
+  try {
+    await updateClaudeComment(octokit.rest, {
+      owner,
+      repo,
+      commentId,
+      body: updatedBody,
+      isPullRequestReviewComment: isPRReviewComment,
+    });
+    console.log(
+      `✅ Updated ${isPRReviewComment ? "PR review" : "issue"} comment ${commentId} with job link`,
+    );
+  } catch (updateError) {
+    console.error(
+      `Failed to update ${isPRReviewComment ? "PR review" : "issue"} comment:`,
+      updateError,
+    );
+    throw updateError;
+  }
+}
+
 async function run() {
   try {
-    const commentId = parseInt(process.env.CLAUDE_COMMENT_ID!);
-    const githubToken = process.env.GITHUB_TOKEN!;
-    const claudeBranch = process.env.CLAUDE_BRANCH;
-    const baseBranch = process.env.BASE_BRANCH || "main";
-    const triggerUsername = process.env.TRIGGER_USERNAME;
-
     const context = parseGitHubContext();
-
-    // This script is only called for entity-based events
     if (!isEntityContext(context)) {
       throw new Error("update-comment-link requires an entity context");
     }
 
-    const { owner, repo } = context.repository;
+    const githubToken = process.env.GITHUB_TOKEN!;
-
     const octokit = createOctokit(githubToken);
 
-    const serverUrl = GITHUB_SERVER_URL;
+    await updateCommentLink({
-    const jobUrl = `${serverUrl}/${owner}/${repo}/actions/runs/${process.env.GITHUB_RUN_ID}`;
+      commentId: parseInt(process.env.CLAUDE_COMMENT_ID!),
-
+      githubToken,
-    let comment;
+      claudeBranch: process.env.CLAUDE_BRANCH,
-    let isPRReviewComment = false;
+      baseBranch:
-
+        process.env.BASE_BRANCH || context.repository.default_branch || "main",
-    try {
+      triggerUsername: process.env.TRIGGER_USERNAME,
-      // GitHub has separate ID namespaces for review comments and issue comments
+      context,
-      // We need to use the correct API based on the event type
+      octokit,
-      if (isPullRequestReviewCommentEvent(context)) {
+      claudeSuccess: process.env.CLAUDE_SUCCESS !== "false",
-        // For PR review comments, use the pulls API
+      outputFile: process.env.OUTPUT_FILE,
-        console.log(`Fetching PR review comment ${commentId}`);
+      prepareSuccess: process.env.PREPARE_SUCCESS !== "false",
-        const { data: prComment } = await octokit.rest.pulls.getReviewComment({
+      prepareError: process.env.PREPARE_ERROR,
-          owner,
+      useCommitSigning: process.env.USE_COMMIT_SIGNING === "true",
-          repo,
+    });
-          comment_id: commentId,
-        });
-        comment = prComment;
-        isPRReviewComment = true;
-        console.log("Successfully fetched as PR review comment");
-      }
-
-      // For all other event types, use the issues API
-      if (!comment) {
-        console.log(`Fetching issue comment ${commentId}`);
-        const { data: issueComment } = await octokit.rest.issues.getComment({
-          owner,
-          repo,
-          comment_id: commentId,
-        });
-        comment = issueComment;
-        isPRReviewComment = false;
-        console.log("Successfully fetched as issue comment");
-      }
-    } catch (finalError) {
-      // If all attempts fail, try to determine more information about the comment
-      console.error("Failed to fetch comment. Debug info:");
-      console.error(`Comment ID: ${commentId}`);
-      console.error(`Event name: ${context.eventName}`);
-      console.error(`Entity number: ${context.entityNumber}`);
-      console.error(`Repository: ${context.repository.full_name}`);
-
-      // Try to get the PR info to understand the comment structure
-      try {
-        const { data: pr } = await octokit.rest.pulls.get({
-          owner,
-          repo,
-          pull_number: context.entityNumber,
-        });
-        console.log(`PR state: ${pr.state}`);
-        console.log(`PR comments count: ${pr.comments}`);
-        console.log(`PR review comments count: ${pr.review_comments}`);
-      } catch {
-        console.error("Could not fetch PR info for debugging");
-      }
-
-      throw finalError;
-    }
-
-    const currentBody = comment.body ?? "";
-
-    // Check if we need to add branch link for new branches
-    const useCommitSigning = process.env.USE_COMMIT_SIGNING === "true";
-    const { shouldDeleteBranch, branchLink } =
-      await checkAndCommitOrDeleteBranch(
-        octokit,
-        owner,
-        repo,
-        claudeBranch,
-        baseBranch,
-        useCommitSigning,
-      );
-
-    // Check if we need to add PR URL when we have a new branch
-    let prLink = "";
-    // If claudeBranch is set, it means we created a new branch (for issues or closed/merged PRs)
-    if (claudeBranch && !shouldDeleteBranch) {
-      // Check if comment already contains a PR URL
-      const serverUrlPattern = serverUrl.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-      const prUrlPattern = new RegExp(
-        `${serverUrlPattern}\\/.+\\/compare\\/${baseBranch.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\.\\.\\.`,
-      );
-      const containsPRUrl = currentBody.match(prUrlPattern);
-
-      if (!containsPRUrl) {
-        // Check if there are changes to the branch compared to the default branch
-        try {
-          const { data: comparison } =
-            await octokit.rest.repos.compareCommitsWithBasehead({
-              owner,
-              repo,
-              basehead: `${baseBranch}...${claudeBranch}`,
-            });
-
-          // If there are changes (commits or file changes), add the PR URL
-          if (
-            comparison.total_commits > 0 ||
-            (comparison.files && comparison.files.length > 0)
-          ) {
-            const entityType = context.isPR ? "PR" : "Issue";
-            const prTitle = encodeURIComponent(
-              `${entityType} #${context.entityNumber}: Changes from Claude`,
-            );
-            const prBody = encodeURIComponent(
-              `This PR addresses ${entityType.toLowerCase()} #${context.entityNumber}\n\nGenerated with [Claude Code](https://claude.ai/code)`,
-            );
-            const prUrl = `${serverUrl}/${owner}/${repo}/compare/${baseBranch}...${claudeBranch}?quick_pull=1&title=${prTitle}&body=${prBody}`;
-            prLink = `\n[Create a PR](${prUrl})`;
-          }
-        } catch (error) {
-          console.error("Error checking for changes in branch:", error);
-          // Don't fail the entire update if we can't check for changes
-        }
-      }
-    }
-
-    // Check if action failed and read output file for execution details
-    let executionDetails: {
-      total_cost_usd?: number;
-      duration_ms?: number;
-      duration_api_ms?: number;
-    } | null = null;
-    let actionFailed = false;
-    let errorDetails: string | undefined;
-
-    // First check if prepare step failed
-    const prepareSuccess = process.env.PREPARE_SUCCESS !== "false";
-    const prepareError = process.env.PREPARE_ERROR;
-
-    if (!prepareSuccess && prepareError) {
-      actionFailed = true;
-      errorDetails = prepareError;
-    } else {
-      // Check for existence of output file and parse it if available
-      try {
-        const outputFile = process.env.OUTPUT_FILE;
-        if (outputFile) {
-          const fileContent = await fs.readFile(outputFile, "utf8");
-          const outputData = JSON.parse(fileContent);
-
-          // Output file is an array, get the last element which contains execution details
-          if (Array.isArray(outputData) && outputData.length > 0) {
-            const lastElement = outputData[outputData.length - 1];
-            if (
-              lastElement.type === "result" &&
-              "total_cost_usd" in lastElement &&
-              "duration_ms" in lastElement
-            ) {
-              executionDetails = {
-                total_cost_usd: lastElement.total_cost_usd,
-                duration_ms: lastElement.duration_ms,
-                duration_api_ms: lastElement.duration_api_ms,
-              };
-            }
-          }
-        }
-
-        // Check if the Claude action failed
-        const claudeSuccess = process.env.CLAUDE_SUCCESS !== "false";
-        actionFailed = !claudeSuccess;
-      } catch (error) {
-        console.error("Error reading output file:", error);
-        // If we can't read the file, check for any failure markers
-        actionFailed = process.env.CLAUDE_SUCCESS === "false";
-      }
-    }
-
-    // Prepare input for updateCommentBody function
-    const commentInput: CommentUpdateInput = {
-      currentBody,
-      actionFailed,
-      executionDetails,
-      jobUrl,
-      branchLink,
-      prLink,
-      branchName: shouldDeleteBranch || !branchLink ? undefined : claudeBranch,
-      triggerUsername,
-      errorDetails,
-    };
-
-    const updatedBody = updateCommentBody(commentInput);
-
-    try {
-      await updateClaudeComment(octokit.rest, {
-        owner,
-        repo,
-        commentId,
-        body: updatedBody,
-        isPullRequestReviewComment: isPRReviewComment,
-      });
-      console.log(
-        `✅ Updated ${isPRReviewComment ? "PR review" : "issue"} comment ${commentId} with job link`,
-      );
-    } catch (updateError) {
-      console.error(
-        `Failed to update ${isPRReviewComment ? "PR review" : "issue"} comment:`,
-        updateError,
-      );
-      throw updateError;
-    }
 
     process.exit(0);
   } catch (error) {
@@ -242,4 +272,6 @@ async function run() {
   }
 }
 
-run();
+if (import.meta.main) {
+  run();
+}

src/github/api/queries/github.ts

@@ -12,6 +12,13 @@ export const PR_QUERY = `
         baseRefName
         headRefName
         headRefOid
+        isCrossRepository
+        headRepository {
+          owner {
+            login
+          }
+          name
+        }
         createdAt
         updatedAt
         lastEditedAt

src/github/context.ts

@@ -79,6 +79,7 @@ type BaseContext = {
     owner: string;
     repo: string;
     full_name: string;
+    default_branch?: string;
   };
   actor: string;
   inputs: {
@@ -90,6 +91,7 @@ type BaseContext = {
     branchPrefix: string;
     branchNameTemplate?: string;
     useStickyComment: boolean;
+    classifyInlineComments: boolean;
     useCommitSigning: boolean;
     sshSigningKey: string;
     botId: string;
@@ -139,6 +141,7 @@ export function parseGitHubContext(): GitHubContext {
       owner: context.repo.owner,
       repo: context.repo.repo,
       full_name: `${context.repo.owner}/${context.repo.repo}`,
+      default_branch: context.payload.repository?.default_branch,
     },
     actor: context.actor,
     inputs: {
@@ -150,6 +153,7 @@ export function parseGitHubContext(): GitHubContext {
       branchPrefix: process.env.BRANCH_PREFIX ?? "claude/",
       branchNameTemplate: process.env.BRANCH_NAME_TEMPLATE,
       useStickyComment: process.env.USE_STICKY_COMMENT === "true",
+      classifyInlineComments: process.env.CLASSIFY_INLINE_COMMENTS !== "false",
       useCommitSigning: process.env.USE_COMMIT_SIGNING === "true",
       sshSigningKey: process.env.SSH_SIGNING_KEY || "",
       botId: process.env.BOT_ID ?? String(CLAUDE_APP_BOT_ID),

src/github/data/fetcher.ts

@@ -71,6 +71,33 @@ export function extractOriginalTitle(
   return undefined;
 }
 
+/**
+ * Extracts the original body from the GitHub webhook payload.
+ * This is the body as it existed when the trigger event occurred,
+ * preventing TOCTOU attacks where an attacker edits the body after
+ * the trigger but before the action reads it.
+ *
+ * @param context - Parsed GitHub context from webhook
+ * @returns The original body string, null (no body), or undefined (not available)
+ */
+export function extractOriginalBody(
+  context: ParsedGitHubContext,
+): string | null | undefined {
+  if (isIssueCommentEvent(context)) {
+    return context.payload.issue?.body;
+  } else if (isPullRequestEvent(context)) {
+    return context.payload.pull_request?.body;
+  } else if (isPullRequestReviewEvent(context)) {
+    return context.payload.pull_request?.body;
+  } else if (isPullRequestReviewCommentEvent(context)) {
+    return context.payload.pull_request?.body;
+  } else if (isIssuesEvent(context)) {
+    return context.payload.issue?.body;
+  }
+
+  return undefined;
+}
+
 /**
  * Filters comments to only include those that existed in their final state before the trigger time.
  * This prevents malicious actors from editing comments after the trigger to inject harmful content.
@@ -207,6 +234,7 @@ type FetchDataParams = {
   triggerUsername?: string;
   triggerTime?: string;
   originalTitle?: string;
+  originalBody?: string | null;
   includeCommentsByActor?: string;
   excludeCommentsByActor?: string;
 };
@@ -233,6 +261,7 @@ export async function fetchGitHubData({
   triggerUsername,
   triggerTime,
   originalTitle,
+  originalBody,
   includeCommentsByActor,
   excludeCommentsByActor,
 }: FetchDataParams): Promise<FetchDataResult> {
@@ -270,7 +299,7 @@ export async function fetchGitHubData({
           includeCommentsByActor,
           excludeCommentsByActor,
         );
-        reviewData = pullRequest.reviews || [];
+        reviewData = pullRequest.reviews || { nodes: [] };
 
         console.log(`Successfully fetched PR #${prNumber} data`);
       } else {
@@ -399,12 +428,21 @@ export async function fetchGitHubData({
       body: c.body,
     }));
 
-  // Add the main issue/PR body if it has content and wasn't edited after trigger
+  // Use the original body from the webhook payload if provided (TOCTOU protection).
-  // This prevents a TOCTOU race condition where an attacker could edit the body
+  // The webhook payload captures the body at event time, before any attacker edits.
-  // between when an authorized user triggered Claude and when Claude processes the request
+  if (originalBody !== undefined) {
+    contextData.body = originalBody ?? "";
+  }
+
+  // Add the main issue/PR body if it has content and wasn't edited after trigger.
+  // When originalBody is provided, the body is already safe (from webhook payload).
+  // Otherwise, fall back to timestamp-based validation.
   let mainBody: CommentWithImages[] = [];
   if (contextData.body) {
-    if (isBodySafeToUse(contextData, triggerTime)) {
+    if (
+      originalBody !== undefined ||
+      isBodySafeToUse(contextData, triggerTime)
+    ) {
       mainBody = [
         {
           ...(isPR

src/github/operations/branch.ts

@@ -8,7 +8,6 @@
 
 import { $ } from "bun";
 import { execFileSync } from "child_process";
-import * as core from "@actions/core";
 import type { ParsedGitHubContext } from "../context";
 import type { GitHubPullRequest } from "../types";
 import type { Octokits } from "../api/client";
@@ -29,7 +28,7 @@ function extractFirstLabel(githubData: FetchDataResult): string | undefined {
  *
  * Valid branch names:
  * - Start with alphanumeric character (not dash, to prevent option injection)
- * - Contain only alphanumeric, forward slash, hyphen, underscore, or period
+ * - Contain only alphanumeric, forward slash, hyphen, underscore, period, or hash (#)
  * - Do not start or end with a period
  * - Do not end with a slash
  * - Do not contain '..' (path traversal)
@@ -59,12 +58,16 @@ export function validateBranchName(branchName: string): void {
     );
   }
 
-  // Strict whitelist pattern: alphanumeric start, then alphanumeric/slash/hyphen/underscore/period
+  // Strict whitelist pattern: alphanumeric start, then alphanumeric/slash/hyphen/underscore/period/hash/plus.
-  const validPattern = /^[a-zA-Z0-9][a-zA-Z0-9/_.-]*$/;
+  // # is valid per git-check-ref-format and commonly used in branch names like "fix/#123-description".
+  // + is valid per git-check-ref-format and generated by Claude Code's EnterWorktree tool when
+  //   converting worktree names containing "/" (e.g. "feat/foo" becomes "worktree-feat+foo").
+  // All git calls use execFileSync (not shell interpolation), so neither # nor + carries injection risk.
+  const validPattern = /^[a-zA-Z0-9][a-zA-Z0-9/_.#+-]*$/;
 
   if (!validPattern.test(branchName)) {
     throw new Error(
-      `Invalid branch name: "${branchName}". Branch names must start with an alphanumeric character and contain only alphanumeric characters, forward slashes, hyphens, underscores, or periods.`,
+      `Invalid branch name: "${branchName}". Branch names must start with an alphanumeric character and contain only alphanumeric characters, forward slashes, hyphens, underscores, periods, hashes (#), or plus signs (+).`,
     );
   }
 
@@ -119,7 +122,7 @@ export function validateBranchName(branchName: string): void {
  * @param args - Git command arguments (e.g., ["checkout", "branch-name"])
  */
 function execGit(args: string[]): void {
-  execFileSync("git", args, { stdio: "inherit" });
+  execFileSync("git", args, { stdio: "inherit", env: process.env });
 }
 
 export type BranchInfo = {
@@ -165,9 +168,23 @@ export async function setupBranch(
       // Validate branch names before use to prevent command injection
       validateBranchName(branchName);
 
-      // Execute git commands to checkout PR branch (dynamic depth based on PR size)
+      // For cross-repository (fork) PRs, fetch via the pull ref since the
-      // Using execFileSync instead of shell template literals for security
+      // branch only exists on the fork's remote, not on origin.
-      execGit(["fetch", "origin", `--depth=${fetchDepth}`, branchName]);
+      if (prData.isCrossRepository) {
+        console.log(
+          `PR #${entityNumber} is from a fork, fetching via refs/pull/${entityNumber}/head...`,
+        );
+        execGit([
+          "fetch",
+          "origin",
+          `--depth=${fetchDepth}`,
+          `pull/${entityNumber}/head:${branchName}`,
+        ]);
+      } else {
+        // Execute git commands to checkout PR branch (dynamic depth based on PR size)
+        // Using execFileSync instead of shell template literals for security
+        execGit(["fetch", "origin", `--depth=${fetchDepth}`, branchName]);
+      }
       execGit(["checkout", branchName, "--"]);
 
       console.log(`Successfully checked out PR branch for PR #${entityNumber}`);
@@ -265,9 +282,6 @@ export async function setupBranch(
       execGit(["fetch", "origin", sourceBranch, "--depth=1"]);
       execGit(["checkout", sourceBranch, "--"]);
 
-      // Set outputs for GitHub Actions
-      core.setOutput("CLAUDE_BRANCH", newBranch);
-      core.setOutput("BASE_BRANCH", sourceBranch);
       return {
         baseBranch: sourceBranch,
         claudeBranch: newBranch,
@@ -294,9 +308,6 @@ export async function setupBranch(
       `Successfully created and checked out local branch: ${newBranch}`,
     );
 
-    // Set outputs for GitHub Actions
-    core.setOutput("CLAUDE_BRANCH", newBranch);
-    core.setOutput("BASE_BRANCH", sourceBranch);
     return {
       baseBranch: sourceBranch,
       claudeBranch: newBranch,

src/github/operations/git-config.ts

@@ -51,11 +51,34 @@ export async function configureGitAuth(
     console.log("No existing authentication headers to remove");
   }
 
-  // Update the remote URL to include the token for authentication
+  if (process.env.ALLOWED_NON_WRITE_USERS) {
-  console.log("Updating remote URL with authentication...");
+    // When processing content from non-write users, use a credential helper
-  const remoteUrl = `https://x-access-token:${githubToken}@${serverUrl.host}/${context.repository.owner}/${context.repository.repo}.git`;
+    // instead of embedding the token in the remote URL. The helper script reads
-  await $`git remote set-url origin ${remoteUrl}`;
+    // from GH_TOKEN at auth time, so .git/config stays token-free. Written as a
-  console.log("✓ Updated remote URL with authentication token");
+    // file to avoid shell-escaping the helper body; placed under
+    // GITHUB_ACTION_PATH so it sits alongside the action source.
+    console.log("Configuring git credential helper...");
+    process.env.GH_TOKEN = githubToken;
+    const helperPath = join(
+      process.env.GITHUB_ACTION_PATH || homedir(),
+      ".git-credential-gh-token",
+    );
+    await writeFile(
+      helperPath,
+      '#!/bin/sh\necho username=x-access-token\necho password="$GH_TOKEN"\n',
+      { mode: 0o700 },
+    );
+    const cleanUrl = `https://${serverUrl.host}/${context.repository.owner}/${context.repository.repo}.git`;
+    await $`git remote set-url origin ${cleanUrl}`;
+    await $`git config credential.helper ${helperPath}`;
+    console.log("✓ Configured credential helper");
+  } else {
+    // Update the remote URL to include the token for authentication
+    console.log("Updating remote URL with authentication...");
+    const remoteUrl = `https://x-access-token:${githubToken}@${serverUrl.host}/${context.repository.owner}/${context.repository.repo}.git`;
+    await $`git remote set-url origin ${remoteUrl}`;
+    console.log("✓ Updated remote URL with authentication token");
+  }
 
   console.log("Git authentication configured successfully");
 }

src/github/operations/restore-config.ts

@@ -0,0 +1,109 @@
+import { execFileSync } from "child_process";
+import { cpSync, existsSync, rmSync } from "fs";
+
+// Paths that are both PR-controllable and read from cwd at CLI startup.
+//
+// Deliberately excluded from the CLI's broader auto-edit blocklist:
+//   .git/        — not tracked by git; PR commits cannot place files there.
+//                  Restoring it would also undo the PR checkout entirely.
+//   .gitconfig   — git reads ~/.gitconfig and .git/config, never cwd/.gitconfig.
+//   .bashrc etc. — shells source these from $HOME; checkout cannot reach $HOME.
+//   .vscode/.idea— IDE config; nothing in the CLI's startup path reads them.
+const SENSITIVE_PATHS = [
+  ".claude",
+  ".mcp.json",
+  ".claude.json",
+  ".gitmodules",
+  ".ripgreprc",
+  "CLAUDE.md",
+  "CLAUDE.local.md",
+  ".husky",
+];
+
+/**
+ * Restores security-sensitive config paths from the PR base branch.
+ *
+ * The CLI's non-interactive mode trusts cwd: it reads `.mcp.json`,
+ * `.claude/settings.json`, and `.claude/settings.local.json` from the working
+ * directory and acts on them before any tool-permission gating — executing
+ * hooks (including SessionStart), setting env vars (NODE_OPTIONS, LD_PRELOAD,
+ * PATH), running apiKeyHelper/awsAuthRefresh shell commands, and auto-approving
+ * MCP servers. When this action checks out a PR head, all of these are
+ * attacker-controlled.
+ *
+ * Rather than enumerate every dangerous key, this replaces the entire `.claude/`
+ * tree and `.mcp.json` with the versions from the PR base branch, which a
+ * maintainer has reviewed and merged. Paths absent on base are deleted.
+ *
+ * Known limitation: if a PR legitimately modifies `.claude/` and the CLI later
+ * commits with `git add -A`, the revert will be included in that commit. This
+ * is a narrow UX tradeoff for closing the RCE surface.
+ *
+ * @param baseBranch - PR base branch name. Must be pre-validated (branch.ts
+ *   calls validateBranchName on it before returning).
+ */
+export function restoreConfigFromBase(baseBranch: string): void {
+  console.log(
+    `Restoring ${SENSITIVE_PATHS.join(", ")} from origin/${baseBranch} (PR head is untrusted)`,
+  );
+
+  // Snapshot every PR-authored sensitive path into .claude-pr/ before deletion
+  // so review agents can inspect what the PR changes without those files ever
+  // being executed. Captured before the security delete so it reflects the
+  // PR-authored version.
+  rmSync(".claude-pr", { recursive: true, force: true });
+  for (const p of SENSITIVE_PATHS) {
+    if (existsSync(p)) {
+      cpSync(p, `.claude-pr/${p}`, { recursive: true });
+    }
+  }
+  if (existsSync(".claude-pr")) {
+    console.log(
+      "Preserved PR's sensitive paths → .claude-pr/ for review agents (not executed)",
+    );
+  }
+
+  // Delete PR-controlled versions BEFORE fetching so the attacker-controlled
+  // .gitmodules is absent during the network operation. If git reads .gitmodules
+  // during fetch (fetch.recurseSubmodules=on-demand, the git default), it will
+  // attempt to fetch submodule objects and block on credential prompts in CI —
+  // causing an indefinite hang. Deleting first closes that window.
+  //
+  // If the restore below fails for a given path, that path stays deleted —
+  // the safe fallback (no attacker-controlled config). A bare `git checkout`
+  // alone wouldn't remove files the PR added, so nuke first.
+  for (const p of SENSITIVE_PATHS) {
+    rmSync(p, { recursive: true, force: true });
+  }
+
+  // --no-recurse-submodules: explicitly suppress submodule fetching regardless of
+  // fetch.recurseSubmodules config. Defense-in-depth alongside the delete above.
+  execFileSync(
+    "git",
+    ["fetch", "origin", baseBranch, "--depth=1", "--no-recurse-submodules"],
+    {
+      stdio: "inherit",
+      env: process.env,
+    },
+  );
+
+  for (const p of SENSITIVE_PATHS) {
+    try {
+      execFileSync("git", ["checkout", `origin/${baseBranch}`, "--", p], {
+        stdio: "pipe",
+      });
+    } catch {
+      // Path doesn't exist on base — it stays deleted.
+    }
+  }
+
+  // `git checkout <ref> -- <path>` stages the restored files. Unstage so the
+  // revert doesn't silently leak into commits the CLI makes later.
+  try {
+    execFileSync("git", ["reset", "--", ...SENSITIVE_PATHS], {
+      stdio: "pipe",
+    });
+  } catch {
+    // Nothing was staged, or paths don't exist on HEAD — either is fine.
+  }
+}

src/github/token.ts

@@ -3,6 +3,13 @@
 import * as core from "@actions/core";
 import { retryWithBackoff } from "../utils/retry";
 
+export class WorkflowValidationSkipError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = "WorkflowValidationSkipError";
+  }
+}
+
 async function getOidcToken(): Promise<string> {
   try {
     const oidcToken = await core.getIDToken("claude-code-github-action");
@@ -16,15 +23,60 @@ async function getOidcToken(): Promise<string> {
   }
 }
 
-async function exchangeForAppToken(oidcToken: string): Promise<string> {
+const DEFAULT_PERMISSIONS: Record<string, string> = {
+  contents: "write",
+  pull_requests: "write",
+  issues: "write",
+};
+
+export function parseAdditionalPermissions():
+  | Record<string, string>
+  | undefined {
+  const raw = process.env.ADDITIONAL_PERMISSIONS;
+  if (!raw || !raw.trim()) {
+    return undefined;
+  }
+
+  const additional: Record<string, string> = {};
+  for (const line of raw.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    const colonIndex = trimmed.indexOf(":");
+    if (colonIndex === -1) continue;
+    const key = trimmed.slice(0, colonIndex).trim();
+    const value = trimmed.slice(colonIndex + 1).trim();
+    if (key && value) {
+      additional[key] = value;
+    }
+  }
+
+  if (Object.keys(additional).length === 0) {
+    return undefined;
+  }
+
+  return { ...DEFAULT_PERMISSIONS, ...additional };
+}
+
+async function exchangeForAppToken(
+  oidcToken: string,
+  permissions?: Record<string, string>,
+): Promise<string> {
+  const headers: Record<string, string> = {
+    Authorization: `Bearer ${oidcToken}`,
+  };
+  const fetchOptions: RequestInit = {
+    method: "POST",
+    headers,
+  };
+
+  if (permissions) {
+    headers["Content-Type"] = "application/json";
+    fetchOptions.body = JSON.stringify({ permissions });
+  }
+
   const response = await fetch(
     "https://api.anthropic.com/api/github/github-app-token-exchange",
-    {
+    fetchOptions,
-      method: "POST",
-      headers: {
-        Authorization: `Bearer ${oidcToken}`,
-      },
-    },
   );
 
   if (!response.ok) {
@@ -51,8 +103,7 @@ async function exchangeForAppToken(oidcToken: string): Promise<string> {
       console.log(
         "Action skipped due to workflow validation error. This is expected when adding Claude Code workflows to new repositories or on PRs with workflow changes. If you're seeing this, your workflow will begin working once you merge your PR.",
       );
-      core.setOutput("skipped_due_to_workflow_validation_mismatch", "true");
+      throw new WorkflowValidationSkipError(message);
-      process.exit(0);
     }
 
     console.error(
@@ -75,34 +126,30 @@ async function exchangeForAppToken(oidcToken: string): Promise<string> {
 }
 
 export async function setupGitHubToken(): Promise<string> {
-  try {
+  // Check if GitHub token was provided as override
-    // Check if GitHub token was provided as override
+  const providedToken = process.env.OVERRIDE_GITHUB_TOKEN;
-    const providedToken = process.env.OVERRIDE_GITHUB_TOKEN;
 
-    if (providedToken) {
+  if (providedToken) {
-      console.log("Using provided GITHUB_TOKEN for authentication");
+    console.log("Using provided GITHUB_TOKEN for authentication");
-      core.setOutput("GITHUB_TOKEN", providedToken);
+    return providedToken;
-      return providedToken;
-    }
-
-    console.log("Requesting OIDC token...");
-    const oidcToken = await retryWithBackoff(() => getOidcToken());
-    console.log("OIDC token successfully obtained");
-
-    console.log("Exchanging OIDC token for app token...");
-    const appToken = await retryWithBackoff(() =>
-      exchangeForAppToken(oidcToken),
-    );
-    console.log("App token successfully obtained");
-
-    console.log("Using GITHUB_TOKEN from OIDC");
-    core.setOutput("GITHUB_TOKEN", appToken);
-    return appToken;
-  } catch (error) {
-    // Only set failed if we get here - workflow validation errors will exit(0) before this
-    core.setFailed(
-      `Failed to setup GitHub token: ${error}\n\nIf you instead wish to use this action with a custom GitHub token or custom GitHub app, provide a \`github_token\` in the \`uses\` section of the app in your workflow yml file.`,
-    );
-    process.exit(1);
   }
+
+  console.log("Requesting OIDC token...");
+  const oidcToken = await retryWithBackoff(() => getOidcToken());
+  console.log("OIDC token successfully obtained");
+
+  const permissions = parseAdditionalPermissions();
+
+  console.log("Exchanging OIDC token for app token...");
+  const appToken = await retryWithBackoff(
+    () => exchangeForAppToken(oidcToken, permissions),
+    {
+      shouldRetry: (error) => !(error instanceof WorkflowValidationSkipError),
+    },
+  );
+  console.log("App token successfully obtained");
+  core.setSecret(appToken);
+
+  console.log("Using GITHUB_TOKEN from OIDC");
+  return appToken;
 }

src/github/types.ts

@@ -57,6 +57,13 @@ export type GitHubPullRequest = {
   baseRefName: string;
   headRefName: string;
   headRefOid: string;
+  isCrossRepository: boolean;
+  headRepository: {
+    owner: {
+      login: string;
+    };
+    name: string;
+  } | null;
   createdAt: string;
   updatedAt?: string;
   lastEditedAt?: string;

src/mcp/github-inline-comment-server.ts

@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { appendFileSync } from "fs";
 import { z } from "zod";
 import { createOctokit } from "../github/api/client";
 import { sanitizeContent } from "../github/utils/sanitizer";
@@ -10,6 +11,13 @@ const REPO_OWNER = process.env.REPO_OWNER;
 const REPO_NAME = process.env.REPO_NAME;
 const PR_NUMBER = process.env.PR_NUMBER;
 
+// Calls without confirmed=true are buffered here instead of posted. This
+// prevents subagents from posting test/probe comments when they inherit this
+// tool and probe it after hitting unrelated errors. The action's post-step
+// reports the buffer count for diagnostics.
+const BUFFER_PATH = "/tmp/inline-comments-buffer.jsonl";
+const CLASSIFY_ENABLED = process.env.CLASSIFY_INLINE_COMMENTS !== "false";
+
 if (!REPO_OWNER || !REPO_NAME || !PR_NUMBER) {
   console.error(
     "Error: REPO_OWNER, REPO_NAME, and PR_NUMBER environment variables are required",
@@ -67,8 +75,17 @@ server.tool(
       .describe(
         "Specific commit SHA to comment on (defaults to latest commit)",
       ),
+    confirmed: z
+      .boolean()
+      .optional()
+      .describe(
+        "Set true to post immediately. When omitted, the call is buffered " +
+          "and classified after the session completes — real review comments " +
+          "post, test/probe comments are dropped. Set false to buffer and " +
+          "never post. Only set true when posting final review comments.",
+      ),
   },
-  async ({ path, body, line, startLine, side, commit_id }) => {
+  async ({ path, body, line, startLine, side, commit_id, confirmed }) => {
     try {
       const githubToken = process.env.GITHUB_TOKEN;
 
@@ -80,8 +97,6 @@ server.tool(
       const repo = REPO_NAME;
       const pull_number = parseInt(PR_NUMBER, 10);
 
-      const octokit = createOctokit(githubToken).rest;
-
       // Sanitize the comment body to remove any potential GitHub tokens
       const sanitizedBody = sanitizeContent(body);
 
@@ -92,10 +107,49 @@ server.tool(
         );
       }
 
+      if (CLASSIFY_ENABLED && confirmed !== true) {
+        appendFileSync(
+          BUFFER_PATH,
+          JSON.stringify({
+            ts: new Date().toISOString(),
+            path,
+            line,
+            startLine,
+            side,
+            commit_id,
+            body: sanitizedBody,
+            confirmed,
+          }) + "\n",
+        );
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(
+                {
+                  success: true,
+                  buffered: true,
+                  message:
+                    "Comment buffered. It will be classified and posted after " +
+                    "this session completes (real review comments post, " +
+                    "test/probe comments are dropped). Set confirmed=true to " +
+                    "post immediately. If you are testing whether this tool " +
+                    "works: it works — no need to test further.",
+                },
+                null,
+                2,
+              ),
+            },
+          ],
+        };
+      }
+
       // If only line is provided, it's a single-line comment
       // If both startLine and line are provided, it's a multi-line comment
       const isSingleLine = !startLine;
 
+      const octokit = createOctokit(githubToken).rest;
+
       const pr = await octokit.pulls.get({
         owner,
         repo,

src/mcp/install-mcp-server.ts

@@ -152,6 +152,9 @@ export async function prepareMcpConfig(
           REPO_NAME: repo,
           PR_NUMBER: context.entityNumber?.toString() || "",
           GITHUB_API_URL: GITHUB_API_URL,
+          CLASSIFY_INLINE_COMMENTS: context.inputs.classifyInlineComments
+            ? "true"
+            : "false",
         },
       };
     }
@@ -177,25 +180,27 @@ export async function prepareMcpConfig(
       if (!actuallyHasPermission) {
         core.warning(
           "The github_ci MCP server requires 'actions: read' permission. " +
-            "Please ensure your GitHub token has this permission. " +
+            "Skipping CI server installation. " +
+            "To enable CI status checks, add 'actions: read' to your workflow permissions. " +
             "See: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token",
         );
+      } else {
+        baseMcpConfig.mcpServers.github_ci = {
+          command: "bun",
+          args: [
+            "run",
+            `${process.env.GITHUB_ACTION_PATH}/src/mcp/github-actions-server.ts`,
+          ],
+          env: {
+            // Use workflow github token, not app token
+            GITHUB_TOKEN: process.env.DEFAULT_WORKFLOW_TOKEN,
+            REPO_OWNER: owner,
+            REPO_NAME: repo,
+            PR_NUMBER: context.entityNumber?.toString() || "",
+            RUNNER_TEMP: process.env.RUNNER_TEMP || "/tmp",
+          },
+        };
       }
-      baseMcpConfig.mcpServers.github_ci = {
-        command: "bun",
-        args: [
-          "run",
-          `${process.env.GITHUB_ACTION_PATH}/src/mcp/github-actions-server.ts`,
-        ],
-        env: {
-          // Use workflow github token, not app token
-          GITHUB_TOKEN: process.env.DEFAULT_WORKFLOW_TOKEN,
-          REPO_OWNER: owner,
-          REPO_NAME: repo,
-          PR_NUMBER: context.entityNumber?.toString() || "",
-          RUNNER_TEMP: process.env.RUNNER_TEMP || "/tmp",
-        },
-      };
     }
 
     if (hasGitHubMcpTools) {

src/modes/agent/index.ts

@@ -1,7 +1,4 @@
-import * as core from "@actions/core";
 import { mkdir, writeFile } from "fs/promises";
-import type { Mode, ModeOptions, ModeResult } from "../types";
-import type { PreparedContext } from "../../create-prompt/types";
 import { prepareMcpConfig } from "../../mcp/install-mcp-server";
 import { parseAllowedTools } from "./parse-tools";
 import {
@@ -10,212 +7,128 @@ import {
 } from "../../github/operations/git-config";
 import { checkHumanActor } from "../../github/validation/actor";
 import type { GitHubContext } from "../../github/context";
-import { isEntityContext } from "../../github/context";
+import type { Octokits } from "../../github/api/client";
 
 /**
- * Extract GitHub context as environment variables for agent mode
+ * Prepares the agent mode execution context.
- */
-function extractGitHubContext(context: GitHubContext): Record<string, string> {
-  const envVars: Record<string, string> = {};
-
-  // Basic repository info
-  envVars.GITHUB_REPOSITORY = context.repository.full_name;
-  envVars.GITHUB_TRIGGER_ACTOR = context.actor;
-  envVars.GITHUB_EVENT_NAME = context.eventName;
-
-  // Entity-specific context (PR/issue numbers, branches, etc.)
-  if (isEntityContext(context)) {
-    if (context.isPR) {
-      envVars.GITHUB_PR_NUMBER = String(context.entityNumber);
-
-      // Extract branch info from payload if available
-      if (
-        context.payload &&
-        "pull_request" in context.payload &&
-        context.payload.pull_request
-      ) {
-        envVars.GITHUB_BASE_REF = context.payload.pull_request.base?.ref || "";
-        envVars.GITHUB_HEAD_REF = context.payload.pull_request.head?.ref || "";
-      }
-    } else {
-      envVars.GITHUB_ISSUE_NUMBER = String(context.entityNumber);
-    }
-  }
-
-  return envVars;
-}
-
-/**
- * Agent mode implementation.
  *
- * This mode runs whenever an explicit prompt is provided in the workflow configuration.
+ * Agent mode runs whenever an explicit prompt is provided in the workflow configuration.
  * It bypasses the standard @claude mention checking and comment tracking used by tag mode,
  * providing direct access to Claude Code for automation workflows.
  */
-export const agentMode: Mode = {
+export async function prepareAgentMode({
-  name: "agent",
+  context,
-  description: "Direct automation mode for explicit prompts",
+  octokit,
+  githubToken,
+}: {
+  context: GitHubContext;
+  octokit: Octokits;
+  githubToken: string;
+}) {
+  // Check if actor is human (prevents bot-triggered loops)
+  await checkHumanActor(octokit.rest, context);
 
-  shouldTrigger(context) {
+  // Configure git authentication for agent mode (same as tag mode)
-    // Only trigger when an explicit prompt is provided
+  // SSH signing takes precedence if provided
-    return !!context.inputs?.prompt;
+  const useSshSigning = !!context.inputs.sshSigningKey;
-  },
+  const useApiCommitSigning = context.inputs.useCommitSigning && !useSshSigning;
 
-  prepareContext(context) {
+  if (useSshSigning) {
-    // Agent mode doesn't use comment tracking or branch management
+    // Setup SSH signing for commits
-    return {
+    await setupSshSigning(context.inputs.sshSigningKey);
-      mode: "agent",
+
-      githubContext: context,
+    // Still configure git auth for push operations (user/email and remote URL)
+    const user = {
+      login: context.inputs.botName,
+      id: parseInt(context.inputs.botId),
+    };
+    try {
+      await configureGitAuth(githubToken, context, user);
+    } catch (error) {
+      console.error("Failed to configure git authentication:", error);
+      // Continue anyway - git operations may still work with default config
+    }
+  } else if (!useApiCommitSigning) {
+    // Use bot_id and bot_name from inputs directly
+    const user = {
+      login: context.inputs.botName,
+      id: parseInt(context.inputs.botId),
     };
-  },
 
-  getAllowedTools() {
+    try {
-    return [];
+      // Use the shared git configuration function
-  },
+      await configureGitAuth(githubToken, context, user);
+    } catch (error) {
+      console.error("Failed to configure git authentication:", error);
+      // Continue anyway - git operations may still work with default config
+    }
+  }
 
-  getDisallowedTools() {
+  // Create prompt directory
-    return [];
+  await mkdir(`${process.env.RUNNER_TEMP || "/tmp"}/claude-prompts`, {
-  },
+    recursive: true,
+  });
 
-  shouldCreateTrackingComment() {
+  // Write the prompt file - use the user's prompt directly
-    return false;
+  const promptContent =
-  },
+    context.inputs.prompt ||
+    `Repository: ${context.repository.owner}/${context.repository.repo}`;
 
-  async prepare({
+  await writeFile(
-    context,
+    `${process.env.RUNNER_TEMP || "/tmp"}/claude-prompts/claude-prompt.txt`,
-    octokit,
+    promptContent,
+  );
+
+  // Parse allowed tools from user's claude_args
+  const userClaudeArgs = process.env.CLAUDE_ARGS || "";
+  const allowedTools = parseAllowedTools(userClaudeArgs);
+
+  // Check for branch info from environment variables (useful for auto-fix workflows)
+  const claudeBranch = process.env.CLAUDE_BRANCH || undefined;
+  const defaultBranch = context.repository.default_branch || "main";
+  const baseBranch = context.inputs.baseBranch || defaultBranch;
+
+  // Detect current branch from GitHub environment
+  const currentBranch =
+    claudeBranch ||
+    process.env.GITHUB_HEAD_REF ||
+    process.env.GITHUB_REF_NAME ||
+    defaultBranch;
+
+  // Get our GitHub MCP servers config
+  const ourMcpConfig = await prepareMcpConfig({
     githubToken,
-  }: ModeOptions): Promise<ModeResult> {
+    owner: context.repository.owner,
-    // Check if actor is human (prevents bot-triggered loops)
+    repo: context.repository.repo,
-    await checkHumanActor(octokit.rest, context);
+    branch: currentBranch,
+    baseBranch: baseBranch,
+    claudeCommentId: undefined, // No tracking comment in agent mode
+    allowedTools,
+    mode: "agent",
+    context,
+  });
 
-    // Configure git authentication for agent mode (same as tag mode)
+  // Build final claude_args with multiple --mcp-config flags
-    // SSH signing takes precedence if provided
+  let claudeArgs = "";
-    const useSshSigning = !!context.inputs.sshSigningKey;
-    const useApiCommitSigning =
-      context.inputs.useCommitSigning && !useSshSigning;
 
-    if (useSshSigning) {
+  // Add our GitHub servers config if we have any
-      // Setup SSH signing for commits
+  const ourConfig = JSON.parse(ourMcpConfig);
-      await setupSshSigning(context.inputs.sshSigningKey);
+  if (ourConfig.mcpServers && Object.keys(ourConfig.mcpServers).length > 0) {
+    const escapedOurConfig = ourMcpConfig.replace(/'/g, "'\\''");
+    claudeArgs = `--mcp-config '${escapedOurConfig}'`;
+  }
 
-      // Still configure git auth for push operations (user/email and remote URL)
+  // Append user's claude_args (which may have more --mcp-config flags)
-      const user = {
+  claudeArgs = `${claudeArgs} ${userClaudeArgs}`.trim();
-        login: context.inputs.botName,
-        id: parseInt(context.inputs.botId),
-      };
-      try {
-        await configureGitAuth(githubToken, context, user);
-      } catch (error) {
-        console.error("Failed to configure git authentication:", error);
-        // Continue anyway - git operations may still work with default config
-      }
-    } else if (!useApiCommitSigning) {
-      // Use bot_id and bot_name from inputs directly
-      const user = {
-        login: context.inputs.botName,
-        id: parseInt(context.inputs.botId),
-      };
 
-      try {
+  return {
-        // Use the shared git configuration function
+    commentId: undefined,
-        await configureGitAuth(githubToken, context, user);
+    branchInfo: {
-      } catch (error) {
-        console.error("Failed to configure git authentication:", error);
-        // Continue anyway - git operations may still work with default config
-      }
-    }
-
-    // Create prompt directory
-    await mkdir(`${process.env.RUNNER_TEMP || "/tmp"}/claude-prompts`, {
-      recursive: true,
-    });
-
-    // Write the prompt file - use the user's prompt directly
-    const promptContent =
-      context.inputs.prompt ||
-      `Repository: ${context.repository.owner}/${context.repository.repo}`;
-
-    await writeFile(
-      `${process.env.RUNNER_TEMP || "/tmp"}/claude-prompts/claude-prompt.txt`,
-      promptContent,
-    );
-
-    // Parse allowed tools from user's claude_args
-    const userClaudeArgs = process.env.CLAUDE_ARGS || "";
-    const allowedTools = parseAllowedTools(userClaudeArgs);
-
-    // Check for branch info from environment variables (useful for auto-fix workflows)
-    const claudeBranch = process.env.CLAUDE_BRANCH || undefined;
-    const baseBranch =
-      process.env.BASE_BRANCH || context.inputs.baseBranch || "main";
-
-    // Detect current branch from GitHub environment
-    const currentBranch =
-      claudeBranch ||
-      process.env.GITHUB_HEAD_REF ||
-      process.env.GITHUB_REF_NAME ||
-      "main";
-
-    // Get our GitHub MCP servers config
-    const ourMcpConfig = await prepareMcpConfig({
-      githubToken,
-      owner: context.repository.owner,
-      repo: context.repository.repo,
-      branch: currentBranch,
       baseBranch: baseBranch,
-      claudeCommentId: undefined, // No tracking comment in agent mode
+      currentBranch: baseBranch, // Use base branch as current when creating new branch
-      allowedTools,
+      claudeBranch: claudeBranch,
-      mode: "agent",
+    },
-      context,
+    mcpConfig: ourMcpConfig,
-    });
+    claudeArgs,
-
+  };
-    // Build final claude_args with multiple --mcp-config flags
+}
-    let claudeArgs = "";
-
-    // Add our GitHub servers config if we have any
-    const ourConfig = JSON.parse(ourMcpConfig);
-    if (ourConfig.mcpServers && Object.keys(ourConfig.mcpServers).length > 0) {
-      const escapedOurConfig = ourMcpConfig.replace(/'/g, "'\\''");
-      claudeArgs = `--mcp-config '${escapedOurConfig}'`;
-    }
-
-    // Append user's claude_args (which may have more --mcp-config flags)
-    claudeArgs = `${claudeArgs} ${userClaudeArgs}`.trim();
-
-    core.setOutput("claude_args", claudeArgs);
-
-    return {
-      commentId: undefined,
-      branchInfo: {
-        baseBranch: baseBranch,
-        currentBranch: baseBranch, // Use base branch as current when creating new branch
-        claudeBranch: claudeBranch,
-      },
-      mcpConfig: ourMcpConfig,
-    };
-  },
-
-  generatePrompt(context: PreparedContext): string {
-    // Inject GitHub context as environment variables
-    if (context.githubContext) {
-      const envVars = extractGitHubContext(context.githubContext);
-      for (const [key, value] of Object.entries(envVars)) {
-        core.exportVariable(key, value);
-      }
-    }
-
-    // Agent mode uses prompt field
-    if (context.prompt) {
-      return context.prompt;
-    }
-
-    // Minimal fallback - repository is a string in PreparedContext
-    return `Repository: ${context.repository}`;
-  },
-
-  getSystemPrompt() {
-    // Agent mode doesn't need additional system prompts
-    return undefined;
-  },
-};

src/modes/detector.ts

@@ -80,17 +80,6 @@ export function detectMode(context: GitHubContext): AutoDetectedMode {
   return "agent";
 }
 
-export function getModeDescription(mode: AutoDetectedMode): string {
-  switch (mode) {
-    case "tag":
-      return "Interactive mode triggered by @claude mentions";
-    case "agent":
-      return "Direct automation mode for explicit prompts";
-    default:
-      return "Unknown mode";
-  }
-}
-
 function validateTrackProgressEvent(context: GitHubContext): void {
   // track_progress is only valid for pull_request and issue events
   const validEvents = [
@@ -123,21 +112,3 @@ function validateTrackProgressEvent(context: GitHubContext): void {
     }
   }
 }
-
-export function shouldUseTrackingComment(mode: AutoDetectedMode): boolean {
-  return mode === "tag";
-}
-
-export function getDefaultPromptForMode(
-  mode: AutoDetectedMode,
-  context: GitHubContext,
-): string | undefined {
-  switch (mode) {
-    case "tag":
-      return undefined;
-    case "agent":
-      return context.inputs?.prompt;
-    default:
-      return undefined;
-  }
-}

src/modes/registry.ts

@@ -1,54 +0,0 @@
-/**
- * Mode Registry for claude-code-action v1.0
- *
- * This module provides access to all available execution modes and handles
- * automatic mode detection based on GitHub event types.
- */
-
-import type { Mode, ModeName } from "./types";
-import { tagMode } from "./tag";
-import { agentMode } from "./agent";
-import type { GitHubContext } from "../github/context";
-import { detectMode, type AutoDetectedMode } from "./detector";
-
-export const VALID_MODES = ["tag", "agent"] as const;
-
-/**
- * All available modes in v1.0
- */
-const modes = {
-  tag: tagMode,
-  agent: agentMode,
-} as const satisfies Record<AutoDetectedMode, Mode>;
-
-/**
- * Automatically detects and retrieves the appropriate mode based on the GitHub context.
- * In v1.0, modes are auto-selected based on event type.
- * @param context The GitHub context
- * @returns The appropriate mode for the context
- */
-export function getMode(context: GitHubContext): Mode {
-  const modeName = detectMode(context);
-  console.log(
-    `Auto-detected mode: ${modeName} for event: ${context.eventName}`,
-  );
-
-  const mode = modes[modeName];
-  if (!mode) {
-    throw new Error(
-      `Mode '${modeName}' not found. This should not happen. Please report this issue.`,
-    );
-  }
-
-  return mode;
-}
-
-/**
- * Type guard to check if a string is a valid mode name.
- * @param name The string to check
- * @returns True if the name is a valid mode name
- */
-export function isValidMode(name: string): name is ModeName {
-  const validModes = ["tag", "agent"];
-  return validModes.includes(name);
-}

src/modes/tag/index.ts

@@ -1,6 +1,3 @@
-import * as core from "@actions/core";
-import type { Mode, ModeOptions, ModeResult } from "../types";
-import { checkContainsTrigger } from "../../github/validation/trigger";
 import { checkHumanActor } from "../../github/validation/actor";
 import { createInitialComment } from "../../github/operations/comments/create-initial";
 import { setupBranch } from "../../github/operations/branch";
@@ -13,241 +10,179 @@ import {
   fetchGitHubData,
   extractTriggerTimestamp,
   extractOriginalTitle,
+  extractOriginalBody,
 } from "../../github/data/fetcher";
-import { createPrompt, generateDefaultPrompt } from "../../create-prompt";
+import { createPrompt } from "../../create-prompt";
 import { isEntityContext } from "../../github/context";
-import type { PreparedContext } from "../../create-prompt/types";
+import type { GitHubContext } from "../../github/context";
-import type { FetchDataResult } from "../../github/data/fetcher";
+import type { Octokits } from "../../github/api/client";
 import { parseAllowedTools } from "../agent/parse-tools";
 
 /**
- * Tag mode implementation.
+ * Prepares the tag mode execution context.
  *
- * The traditional implementation mode that responds to @claude mentions,
+ * Tag mode responds to @claude mentions, issue assignments, or labels.
- * issue assignments, or labels. Creates tracking comments showing progress
+ * Creates tracking comments showing progress and has full implementation capabilities.
- * and has full implementation capabilities.
  */
-export const tagMode: Mode = {
+export async function prepareTagMode({
-  name: "tag",
+  context,
-  description: "Traditional implementation mode triggered by @claude mentions",
+  octokit,
+  githubToken,
+}: {
+  context: GitHubContext;
+  octokit: Octokits;
+  githubToken: string;
+}) {
+  // Tag mode only handles entity-based events
+  if (!isEntityContext(context)) {
+    throw new Error("Tag mode requires entity context");
+  }
 
-  shouldTrigger(context) {
+  // Check if actor is human
-    // Tag mode only handles entity events
+  await checkHumanActor(octokit.rest, context);
-    if (!isEntityContext(context)) {
-      return false;
-    }
-    return checkContainsTrigger(context);
-  },
 
-  prepareContext(context, data) {
+  // Create initial tracking comment
-    return {
+  const commentData = await createInitialComment(octokit.rest, context);
-      mode: "tag",
+  const commentId = commentData.id;
-      githubContext: context,
+
-      commentId: data?.commentId,
+  const triggerTime = extractTriggerTimestamp(context);
-      baseBranch: data?.baseBranch,
+  const originalTitle = extractOriginalTitle(context);
-      claudeBranch: data?.claudeBranch,
+  const originalBody = extractOriginalBody(context);
+
+  const githubData = await fetchGitHubData({
+    octokits: octokit,
+    repository: `${context.repository.owner}/${context.repository.repo}`,
+    prNumber: context.entityNumber.toString(),
+    isPR: context.isPR,
+    triggerUsername: context.actor,
+    triggerTime,
+    originalTitle,
+    originalBody,
+    includeCommentsByActor: context.inputs.includeCommentsByActor,
+    excludeCommentsByActor: context.inputs.excludeCommentsByActor,
+  });
+
+  // Setup branch
+  const branchInfo = await setupBranch(octokit, githubData, context);
+
+  // Configure git authentication
+  // SSH signing takes precedence if provided
+  const useSshSigning = !!context.inputs.sshSigningKey;
+  const useApiCommitSigning = context.inputs.useCommitSigning && !useSshSigning;
+
+  if (useSshSigning) {
+    // Setup SSH signing for commits
+    await setupSshSigning(context.inputs.sshSigningKey);
+
+    // Still configure git auth for push operations (user/email and remote URL)
+    const user = {
+      login: context.inputs.botName,
+      id: parseInt(context.inputs.botId),
+    };
+    try {
+      await configureGitAuth(githubToken, context, user);
+    } catch (error) {
+      console.error("Failed to configure git authentication:", error);
+      throw error;
+    }
+  } else if (!useApiCommitSigning) {
+    // Use bot_id and bot_name from inputs directly
+    const user = {
+      login: context.inputs.botName,
+      id: parseInt(context.inputs.botId),
     };
-  },
 
-  getAllowedTools() {
+    try {
-    return [];
+      await configureGitAuth(githubToken, context, user);
-  },
+    } catch (error) {
+      console.error("Failed to configure git authentication:", error);
+      throw error;
+    }
+  }
 
-  getDisallowedTools() {
+  // Create prompt file
-    return [];
+  await createPrompt(
-  },
+    commentId,
-
+    branchInfo.baseBranch,
-  shouldCreateTrackingComment() {
+    branchInfo.claudeBranch,
-    return true;
+    githubData,
-  },
-
-  async prepare({
     context,
-    octokit,
+  );
+
+  const userClaudeArgs = process.env.CLAUDE_ARGS || "";
+  const userAllowedMCPTools = parseAllowedTools(userClaudeArgs).filter((tool) =>
+    tool.startsWith("mcp__github_"),
+  );
+
+  const gitPushWrapper = `${process.env.GITHUB_ACTION_PATH}/scripts/git-push.sh`;
+
+  // Build claude_args for tag mode with required tools.
+  // Edit/MultiEdit/Write are intentionally omitted: acceptEdits permission mode (set below)
+  // auto-allows file edits inside $GITHUB_WORKSPACE and denies writes outside (e.g. ~/.bashrc).
+  // Listing them here would grant blanket write access to the whole runner (Asana 1213310082312048).
+  const tagModeTools = [
+    "Glob",
+    "Grep",
+    "LS",
+    "Read",
+    "mcp__github_comment__update_claude_comment",
+    "mcp__github_ci__get_ci_status",
+    "mcp__github_ci__get_workflow_run_details",
+    "mcp__github_ci__download_job_log",
+    ...userAllowedMCPTools,
+  ];
+
+  // Add git commands when using git CLI (no API commit signing, or SSH signing)
+  // SSH signing still uses git CLI, just with signing enabled
+  if (!useApiCommitSigning) {
+    tagModeTools.push(
+      "Bash(git add:*)",
+      "Bash(git commit:*)",
+      `Bash(${gitPushWrapper}:*)`,
+      "Bash(git rm:*)",
+    );
+  } else {
+    // When using API commit signing, use MCP file ops tools
+    tagModeTools.push(
+      "mcp__github_file_ops__commit_files",
+      "mcp__github_file_ops__delete_files",
+    );
+  }
+
+  // Get our GitHub MCP servers configuration
+  const ourMcpConfig = await prepareMcpConfig({
     githubToken,
-  }: ModeOptions): Promise<ModeResult> {
+    owner: context.repository.owner,
-    // Tag mode only handles entity-based events
+    repo: context.repository.repo,
-    if (!isEntityContext(context)) {
+    branch: branchInfo.claudeBranch || branchInfo.currentBranch,
-      throw new Error("Tag mode requires entity context");
+    baseBranch: branchInfo.baseBranch,
-    }
+    claudeCommentId: commentId.toString(),
+    allowedTools: Array.from(new Set(tagModeTools)),
+    mode: "tag",
+    context,
+  });
 
-    // Check if actor is human
+  // Build complete claude_args with multiple --mcp-config flags
-    await checkHumanActor(octokit.rest, context);
+  let claudeArgs = "";
 
-    // Create initial tracking comment
+  // Add our GitHub servers config
-    const commentData = await createInitialComment(octokit.rest, context);
+  const escapedOurConfig = ourMcpConfig.replace(/'/g, "'\\''");
-    const commentId = commentData.id;
+  claudeArgs = `--mcp-config '${escapedOurConfig}'`;
 
-    const triggerTime = extractTriggerTimestamp(context);
+  // Add required tools for tag mode.
-    const originalTitle = extractOriginalTitle(context);
+  // acceptEdits: file edits auto-allowed inside cwd ($GITHUB_WORKSPACE), denied outside.
+  // Headless SDK has no prompt handler, so anything that falls through to "ask" is denied.
+  claudeArgs += ` --permission-mode acceptEdits --allowedTools "${tagModeTools.join(",")}"`;
 
-    const githubData = await fetchGitHubData({
+  // Append user's claude_args (which may have more --mcp-config flags)
-      octokits: octokit,
+  if (userClaudeArgs) {
-      repository: `${context.repository.owner}/${context.repository.repo}`,
+    claudeArgs += ` ${userClaudeArgs}`;
-      prNumber: context.entityNumber.toString(),
+  }
-      isPR: context.isPR,
-      triggerUsername: context.actor,
-      triggerTime,
-      originalTitle,
-      includeCommentsByActor: context.inputs.includeCommentsByActor,
-      excludeCommentsByActor: context.inputs.excludeCommentsByActor,
-    });
 
-    // Setup branch
+  return {
-    const branchInfo = await setupBranch(octokit, githubData, context);
+    commentId,
-
+    branchInfo,
-    // Configure git authentication
+    mcpConfig: ourMcpConfig,
-    // SSH signing takes precedence if provided
+    claudeArgs: claudeArgs.trim(),
-    const useSshSigning = !!context.inputs.sshSigningKey;
+  };
-    const useApiCommitSigning =
+}
-      context.inputs.useCommitSigning && !useSshSigning;
-
-    if (useSshSigning) {
-      // Setup SSH signing for commits
-      await setupSshSigning(context.inputs.sshSigningKey);
-
-      // Still configure git auth for push operations (user/email and remote URL)
-      const user = {
-        login: context.inputs.botName,
-        id: parseInt(context.inputs.botId),
-      };
-      try {
-        await configureGitAuth(githubToken, context, user);
-      } catch (error) {
-        console.error("Failed to configure git authentication:", error);
-        throw error;
-      }
-    } else if (!useApiCommitSigning) {
-      // Use bot_id and bot_name from inputs directly
-      const user = {
-        login: context.inputs.botName,
-        id: parseInt(context.inputs.botId),
-      };
-
-      try {
-        await configureGitAuth(githubToken, context, user);
-      } catch (error) {
-        console.error("Failed to configure git authentication:", error);
-        throw error;
-      }
-    }
-
-    // Create prompt file
-    const modeContext = this.prepareContext(context, {
-      commentId,
-      baseBranch: branchInfo.baseBranch,
-      claudeBranch: branchInfo.claudeBranch,
-    });
-
-    await createPrompt(tagMode, modeContext, githubData, context);
-
-    const userClaudeArgs = process.env.CLAUDE_ARGS || "";
-    const userAllowedMCPTools = parseAllowedTools(userClaudeArgs).filter(
-      (tool) => tool.startsWith("mcp__github_"),
-    );
-
-    // Build claude_args for tag mode with required tools
-    // Tag mode REQUIRES these tools to function properly
-    const tagModeTools = [
-      "Edit",
-      "MultiEdit",
-      "Glob",
-      "Grep",
-      "LS",
-      "Read",
-      "Write",
-      "mcp__github_comment__update_claude_comment",
-      "mcp__github_ci__get_ci_status",
-      "mcp__github_ci__get_workflow_run_details",
-      "mcp__github_ci__download_job_log",
-      ...userAllowedMCPTools,
-    ];
-
-    // Add git commands when using git CLI (no API commit signing, or SSH signing)
-    // SSH signing still uses git CLI, just with signing enabled
-    if (!useApiCommitSigning) {
-      tagModeTools.push(
-        "Bash(git add:*)",
-        "Bash(git commit:*)",
-        "Bash(git push:*)",
-        "Bash(git status:*)",
-        "Bash(git diff:*)",
-        "Bash(git log:*)",
-        "Bash(git rm:*)",
-      );
-    } else {
-      // When using API commit signing, use MCP file ops tools
-      tagModeTools.push(
-        "mcp__github_file_ops__commit_files",
-        "mcp__github_file_ops__delete_files",
-      );
-    }
-
-    // Get our GitHub MCP servers configuration
-    const ourMcpConfig = await prepareMcpConfig({
-      githubToken,
-      owner: context.repository.owner,
-      repo: context.repository.repo,
-      branch: branchInfo.claudeBranch || branchInfo.currentBranch,
-      baseBranch: branchInfo.baseBranch,
-      claudeCommentId: commentId.toString(),
-      allowedTools: Array.from(new Set(tagModeTools)),
-      mode: "tag",
-      context,
-    });
-
-    // Build complete claude_args with multiple --mcp-config flags
-    let claudeArgs = "";
-
-    // Add our GitHub servers config
-    const escapedOurConfig = ourMcpConfig.replace(/'/g, "'\\''");
-    claudeArgs = `--mcp-config '${escapedOurConfig}'`;
-
-    // Add required tools for tag mode
-    claudeArgs += ` --allowedTools "${tagModeTools.join(",")}"`;
-
-    // Append user's claude_args (which may have more --mcp-config flags)
-    if (userClaudeArgs) {
-      claudeArgs += ` ${userClaudeArgs}`;
-    }
-
-    core.setOutput("claude_args", claudeArgs.trim());
-
-    return {
-      commentId,
-      branchInfo,
-      mcpConfig: ourMcpConfig,
-    };
-  },
-
-  generatePrompt(
-    context: PreparedContext,
-    githubData: FetchDataResult,
-    useCommitSigning: boolean,
-  ): string {
-    const defaultPrompt = generateDefaultPrompt(
-      context,
-      githubData,
-      useCommitSigning,
-    );
-
-    // If a custom prompt is provided, inject it into the tag mode prompt
-    if (context.githubContext?.inputs?.prompt) {
-      return (
-        defaultPrompt +
-        `
-
-<custom_instructions>
-${context.githubContext.inputs.prompt}
-</custom_instructions>`
-      );
-    }
-
-    return defaultPrompt;
-  },
-
-  getSystemPrompt() {
-    // Tag mode doesn't need additional system prompts
-    return undefined;
-  },
-};

src/modes/types.ts

@@ -1,100 +0,0 @@
-import type { GitHubContext } from "../github/context";
-import type { PreparedContext } from "../create-prompt/types";
-import type { FetchDataResult } from "../github/data/fetcher";
-import type { Octokits } from "../github/api/client";
-
-export type ModeName = "tag" | "agent";
-
-export type ModeContext = {
-  mode: ModeName;
-  githubContext: GitHubContext;
-  commentId?: number;
-  baseBranch?: string;
-  claudeBranch?: string;
-};
-
-export type ModeData = {
-  commentId?: number;
-  baseBranch?: string;
-  claudeBranch?: string;
-};
-
-/**
- * Mode interface for claude-code-action execution modes.
- * Each mode defines its own behavior for trigger detection, prompt generation,
- * and tracking comment creation.
- *
- * Current modes include:
- * - 'tag': Interactive mode triggered by @claude mentions
- * - 'agent': Direct automation mode triggered by explicit prompts
- */
-export type Mode = {
-  name: ModeName;
-  description: string;
-
-  /**
-   * Determines if this mode should trigger based on the GitHub context
-   */
-  shouldTrigger(context: GitHubContext): boolean;
-
-  /**
-   * Prepares the mode context with any additional data needed for prompt generation
-   */
-  prepareContext(context: GitHubContext, data?: ModeData): ModeContext;
-
-  /**
-   * Returns the list of tools that should be allowed for this mode
-   */
-  getAllowedTools(): string[];
-
-  /**
-   * Returns the list of tools that should be disallowed for this mode
-   */
-  getDisallowedTools(): string[];
-
-  /**
-   * Determines if this mode should create a tracking comment
-   */
-  shouldCreateTrackingComment(): boolean;
-
-  /**
-   * Generates the prompt for this mode.
-   * @returns The complete prompt string
-   */
-  generatePrompt(
-    context: PreparedContext,
-    githubData: FetchDataResult,
-    useCommitSigning: boolean,
-  ): string;
-
-  /**
-   * Prepares the GitHub environment for this mode.
-   * Each mode decides how to handle different event types.
-   * @returns PrepareResult with commentId, branchInfo, and mcpConfig
-   */
-  prepare(options: ModeOptions): Promise<ModeResult>;
-
-  /**
-   * Returns an optional system prompt to append to Claude's base system prompt.
-   * This allows modes to add mode-specific instructions.
-   * @returns The system prompt string or undefined if no additional prompt is needed
-   */
-  getSystemPrompt?(context: ModeContext): string | undefined;
-};
-
-// Define types for mode prepare method
-export type ModeOptions = {
-  context: GitHubContext;
-  octokit: Octokits;
-  githubToken: string;
-};
-
-export type ModeResult = {
-  commentId?: number;
-  branchInfo: {
-    baseBranch: string;
-    claudeBranch?: string;
-    currentBranch: string;
-  };
-  mcpConfig: string;
-};

src/prepare/index.ts

@@ -1,20 +0,0 @@
-/**
- * Main prepare module that delegates to the mode's prepare method
- */
-
-import type { PrepareOptions, PrepareResult } from "./types";
-
-export async function prepare(options: PrepareOptions): Promise<PrepareResult> {
-  const { mode, context, octokit, githubToken } = options;
-
-  console.log(
-    `Preparing with mode: ${mode.name} for event: ${context.eventName}`,
-  );
-
-  // Delegate to the mode's prepare method
-  return mode.prepare({
-    context,
-    octokit,
-    githubToken,
-  });
-}

src/prepare/types.ts

@@ -1,20 +0,0 @@
-import type { GitHubContext } from "../github/context";
-import type { Octokits } from "../github/api/client";
-import type { Mode } from "../modes/types";
-
-export type PrepareResult = {
-  commentId?: number;
-  branchInfo: {
-    baseBranch: string;
-    claudeBranch?: string;
-    currentBranch: string;
-  };
-  mcpConfig: string;
-};
-
-export type PrepareOptions = {
-  context: GitHubContext;
-  octokit: Octokits;
-  mode: Mode;
-  githubToken: string;
-};

src/utils/retry.ts

@@ -3,6 +3,7 @@ export type RetryOptions = {
   initialDelayMs?: number;
   maxDelayMs?: number;
   backoffFactor?: number;
+  shouldRetry?: (error: Error) => boolean;
 };
 
 export async function retryWithBackoff<T>(
@@ -14,6 +15,7 @@ export async function retryWithBackoff<T>(
     initialDelayMs = 5000,
     maxDelayMs = 20000,
     backoffFactor = 2,
+    shouldRetry,
   } = options;
 
   let delayMs = initialDelayMs;
@@ -27,6 +29,11 @@ export async function retryWithBackoff<T>(
       lastError = error instanceof Error ? error : new Error(String(error));
       console.error(`Attempt ${attempt} failed:`, lastError.message);
 
+      if (shouldRetry && !shouldRetry(lastError)) {
+        console.error("Error is not retryable, giving up immediately");
+        throw lastError;
+      }
+
       if (attempt < maxAttempts) {
         console.log(`Retrying in ${delayMs / 1000} seconds...`);
         await new Promise((resolve) => setTimeout(resolve, delayMs));

test/create-prompt.test.ts

@@ -1,60 +1,19 @@
 #!/usr/bin/env bun
 
-import { describe, test, expect } from "bun:test";
+import { describe, test, expect, beforeAll } from "bun:test";
 import {
   generatePrompt,
-  generateDefaultPrompt,
   getEventTypeAndContext,
   buildAllowedToolsString,
   buildDisallowedToolsString,
 } from "../src/create-prompt";
 import type { PreparedContext } from "../src/create-prompt";
-import type { Mode } from "../src/modes/types";
+
+beforeAll(() => {
+  process.env.GITHUB_ACTION_PATH = "/test/action/path";
+});
 
 describe("generatePrompt", () => {
-  // Create a mock tag mode that uses the default prompt
-  const mockTagMode: Mode = {
-    name: "tag",
-    description: "Tag mode",
-    shouldTrigger: () => true,
-    prepareContext: (context) => ({ mode: "tag", githubContext: context }),
-    getAllowedTools: () => [],
-    getDisallowedTools: () => [],
-    shouldCreateTrackingComment: () => true,
-    generatePrompt: (context, githubData, useCommitSigning) =>
-      generateDefaultPrompt(context, githubData, useCommitSigning),
-    prepare: async () => ({
-      commentId: 123,
-      branchInfo: {
-        baseBranch: "main",
-        currentBranch: "main",
-        claudeBranch: undefined,
-      },
-      mcpConfig: "{}",
-    }),
-  };
-
-  // Create a mock agent mode that passes through prompts
-  const mockAgentMode: Mode = {
-    name: "agent",
-    description: "Agent mode",
-    shouldTrigger: () => true,
-    prepareContext: (context) => ({ mode: "agent", githubContext: context }),
-    getAllowedTools: () => [],
-    getDisallowedTools: () => [],
-    shouldCreateTrackingComment: () => false,
-    generatePrompt: (context) => context.prompt || "",
-    prepare: async () => ({
-      commentId: undefined,
-      branchInfo: {
-        baseBranch: "main",
-        currentBranch: "main",
-        claudeBranch: undefined,
-      },
-      mcpConfig: "{}",
-    }),
-  };
-
   const mockGitHubData = {
     contextData: {
       title: "Test PR",
@@ -68,6 +27,8 @@ describe("generatePrompt", () => {
       baseRefName: "main",
       headRefName: "feature-branch",
       headRefOid: "abc123",
+      isCrossRepository: false,
+      headRepository: { owner: { login: "testowner" }, name: "testrepo" },
       commits: {
         totalCount: 2,
         nodes: [
@@ -179,12 +140,7 @@ describe("generatePrompt", () => {
       },
     };
 
-    const prompt = await generatePrompt(
+    const prompt = await generatePrompt(envVars, mockGitHubData, false, "tag");
-      envVars,
-      mockGitHubData,
-      false,
-      mockTagMode,
-    );
 
     expect(prompt).toContain("You are Claude, an AI assistant");
     expect(prompt).toContain("<event_type>GENERAL_COMMENT</event_type>");
@@ -212,12 +168,7 @@ describe("generatePrompt", () => {
       },
     };
 
-    const prompt = await generatePrompt(
+    const prompt = await generatePrompt(envVars, mockGitHubData, false, "tag");
-      envVars,
-      mockGitHubData,
-      false,
-      mockTagMode,
-    );
 
     expect(prompt).toContain("<event_type>PR_REVIEW</event_type>");
     expect(prompt).toContain("<is_pr>true</is_pr>");
@@ -243,12 +194,7 @@ describe("generatePrompt", () => {
       },
     };
 
-    const prompt = await generatePrompt(
+    const prompt = await generatePrompt(envVars, mockGitHubData, false, "tag");
-      envVars,
-      mockGitHubData,
-      false,
-      mockTagMode,
-    );
 
     expect(prompt).toContain("<event_type>ISSUE_CREATED</event_type>");
     expect(prompt).toContain(
@@ -276,12 +222,7 @@ describe("generatePrompt", () => {
       },
     };
 
-    const prompt = await generatePrompt(
+    const prompt = await generatePrompt(envVars, mockGitHubData, false, "tag");
-      envVars,
-      mockGitHubData,
-      false,
-      mockTagMode,
-    );
 
     expect(prompt).toContain("<event_type>ISSUE_ASSIGNED</event_type>");
     expect(prompt).toContain(
@@ -308,12 +249,7 @@ describe("generatePrompt", () => {
       },
     };
 
-    const prompt = await generatePrompt(
+    const prompt = await generatePrompt(envVars, mockGitHubData, false, "tag");
-      envVars,
-      mockGitHubData,
-      false,
-      mockTagMode,
-    );
 
     expect(prompt).toContain("<event_type>ISSUE_LABELED</event_type>");
     expect(prompt).toContain(
@@ -339,12 +275,7 @@ describe("generatePrompt", () => {
       },
     };
 
-    const prompt = await generatePrompt(
+    const prompt = await generatePrompt(envVars, mockGitHubData, false, "tag");
-      envVars,
-      mockGitHubData,
-      false,
-      mockTagMode,
-    );
 
     expect(prompt).toContain("<event_type>PULL_REQUEST</event_type>");
     expect(prompt).toContain("<is_pr>true</is_pr>");
@@ -368,12 +299,7 @@ describe("generatePrompt", () => {
       },
     };
 
-    const prompt = await generatePrompt(
+    const prompt = await generatePrompt(envVars, mockGitHubData, false, "tag");
-      envVars,
-      mockGitHubData,
-      false,
-      mockTagMode,
-    );
 
     // Verify prompt generates successfully without custom instructions
     expect(prompt).toContain("@claude please fix this");
@@ -398,7 +324,7 @@ describe("generatePrompt", () => {
       envVars,
       mockGitHubData,
       false,
-      mockAgentMode,
+      "agent",
     );
 
     // Agent mode: Prompt is passed through as-is
@@ -439,7 +365,7 @@ describe("generatePrompt", () => {
       envVars,
       mockGitHubData,
       false,
-      mockAgentMode,
+      "agent",
     );
 
     // v1.0: Variables are NOT substituted - prompt is passed as-is to Claude Code
@@ -488,7 +414,7 @@ describe("generatePrompt", () => {
       envVars,
       issueGitHubData,
       false,
-      mockAgentMode,
+      "agent",
     );
 
     // Agent mode: Prompt is passed through as-is
@@ -513,7 +439,7 @@ describe("generatePrompt", () => {
       envVars,
       mockGitHubData,
       false,
-      mockAgentMode,
+      "agent",
     );
 
     // Agent mode: No substitution - passed as-is
@@ -537,12 +463,7 @@ describe("generatePrompt", () => {
       },
     };
 
-    const prompt = await generatePrompt(
+    const prompt = await generatePrompt(envVars, mockGitHubData, false, "tag");
-      envVars,
-      mockGitHubData,
-      false,
-      mockTagMode,
-    );
 
     expect(prompt).toContain("You are Claude, an AI assistant");
     expect(prompt).toContain("<event_type>ISSUE_CREATED</event_type>");
@@ -565,12 +486,7 @@ describe("generatePrompt", () => {
       },
     };
 
-    const prompt = await generatePrompt(
+    const prompt = await generatePrompt(envVars, mockGitHubData, false, "tag");
-      envVars,
-      mockGitHubData,
-      false,
-      mockTagMode,
-    );
 
     expect(prompt).toContain("<trigger_username>johndoe</trigger_username>");
     // With commit signing disabled, co-author info appears in git commit instructions
@@ -592,15 +508,10 @@ describe("generatePrompt", () => {
       },
     };
 
-    const prompt = await generatePrompt(
+    const prompt = await generatePrompt(envVars, mockGitHubData, false, "tag");
-      envVars,
-      mockGitHubData,
-      false,
-      mockTagMode,
-    );
 
     // Should contain PR-specific instructions (git commands when not using signing)
-    expect(prompt).toContain("git push");
+    expect(prompt).toContain("scripts/git-push.sh origin");
     expect(prompt).toContain(
       "Always push to the existing branch when triggered on a PR",
     );
@@ -628,12 +539,7 @@ describe("generatePrompt", () => {
       },
     };
 
-    const prompt = await generatePrompt(
+    const prompt = await generatePrompt(envVars, mockGitHubData, false, "tag");
-      envVars,
-      mockGitHubData,
-      false,
-      mockTagMode,
-    );
 
     // Should contain Issue-specific instructions
     expect(prompt).toContain(
@@ -672,12 +578,7 @@ describe("generatePrompt", () => {
       },
     };
 
-    const prompt = await generatePrompt(
+    const prompt = await generatePrompt(envVars, mockGitHubData, false, "tag");
-      envVars,
-      mockGitHubData,
-      false,
-      mockTagMode,
-    );
 
     // Should contain the actual branch name with timestamp
     expect(prompt).toContain(
@@ -707,12 +608,7 @@ describe("generatePrompt", () => {
       },
     };
 
-    const prompt = await generatePrompt(
+    const prompt = await generatePrompt(envVars, mockGitHubData, false, "tag");
-      envVars,
-      mockGitHubData,
-      false,
-      mockTagMode,
-    );
 
     // Should contain branch-specific instructions like issues
     expect(prompt).toContain(
@@ -750,15 +646,10 @@ describe("generatePrompt", () => {
       },
     };
 
-    const prompt = await generatePrompt(
+    const prompt = await generatePrompt(envVars, mockGitHubData, false, "tag");
-      envVars,
-      mockGitHubData,
-      false,
-      mockTagMode,
-    );
 
     // Should contain open PR instructions (git commands when not using signing)
-    expect(prompt).toContain("git push");
+    expect(prompt).toContain("scripts/git-push.sh origin");
     expect(prompt).toContain(
       "Always push to the existing branch when triggered on a PR",
     );
@@ -786,12 +677,7 @@ describe("generatePrompt", () => {
       },
     };
 
-    const prompt = await generatePrompt(
+    const prompt = await generatePrompt(envVars, mockGitHubData, false, "tag");
-      envVars,
-      mockGitHubData,
-      false,
-      mockTagMode,
-    );
 
     // Should contain new branch instructions
     expect(prompt).toContain(
@@ -819,12 +705,7 @@ describe("generatePrompt", () => {
       },
     };
 
-    const prompt = await generatePrompt(
+    const prompt = await generatePrompt(envVars, mockGitHubData, false, "tag");
-      envVars,
-      mockGitHubData,
-      false,
-      mockTagMode,
-    );
 
     // Should contain new branch instructions
     expect(prompt).toContain(
@@ -852,12 +733,7 @@ describe("generatePrompt", () => {
       },
     };
 
-    const prompt = await generatePrompt(
+    const prompt = await generatePrompt(envVars, mockGitHubData, false, "tag");
-      envVars,
-      mockGitHubData,
-      false,
-      mockTagMode,
-    );
 
     // Should contain new branch instructions
     expect(prompt).toContain(
@@ -881,18 +757,13 @@ describe("generatePrompt", () => {
       },
     };
 
-    const prompt = await generatePrompt(
+    const prompt = await generatePrompt(envVars, mockGitHubData, false, "tag");
-      envVars,
-      mockGitHubData,
-      false,
-      mockTagMode,
-    );
 
     // Should have git command instructions
     expect(prompt).toContain("Use git commands via the Bash tool");
     expect(prompt).toContain("git add");
     expect(prompt).toContain("git commit");
-    expect(prompt).toContain("git push");
+    expect(prompt).toContain("scripts/git-push.sh origin");
 
     // Should use the minimal comment tool
     expect(prompt).toContain("mcp__github_comment__update_claude_comment");
@@ -915,12 +786,7 @@ describe("generatePrompt", () => {
       },
     };
 
-    const prompt = await generatePrompt(
+    const prompt = await generatePrompt(envVars, mockGitHubData, true, "tag");
-      envVars,
-      mockGitHubData,
-      true,
-      mockTagMode,
-    );
 
     // Should have commit signing tool instructions
     expect(prompt).toContain("mcp__github_file_ops__commit_files");
@@ -1026,17 +892,18 @@ describe("buildAllowedToolsString", () => {
     const result = buildAllowedToolsString();
 
     // The base tools should be in the result
-    expect(result).toContain("Edit");
+    // Edit/MultiEdit/Write are NOT in allowedTools — acceptEdits permission mode handles them
+    expect(result).not.toContain("Edit");
+    expect(result).not.toContain("Write");
     expect(result).toContain("Glob");
     expect(result).toContain("Grep");
     expect(result).toContain("LS");
     expect(result).toContain("Read");
-    expect(result).toContain("Write");
 
     // Default is no commit signing, so should have specific Bash git commands
     expect(result).toContain("Bash(git add:*)");
     expect(result).toContain("Bash(git commit:*)");
-    expect(result).toContain("Bash(git push:*)");
+    expect(result).toContain("scripts/git-push.sh:*)");
     expect(result).toContain("mcp__github_comment__update_claude_comment");
 
     // Should not have commit signing tools
@@ -1048,12 +915,12 @@ describe("buildAllowedToolsString", () => {
     const result = buildAllowedToolsString([], false, false);
 
     // The base tools should be in the result
-    expect(result).toContain("Edit");
+    expect(result).not.toContain("Edit");
     expect(result).toContain("Glob");
     expect(result).toContain("Grep");
     expect(result).toContain("LS");
     expect(result).toContain("Read");
-    expect(result).toContain("Write");
+    expect(result).not.toContain("Write");
 
     // Should have specific Bash git commands for non-signing mode
     expect(result).toContain("Bash(git add:*)");
@@ -1070,7 +937,7 @@ describe("buildAllowedToolsString", () => {
     const result = buildAllowedToolsString(customTools);
 
     // Base tools should be present
-    expect(result).toContain("Edit");
+    expect(result).toContain("Read");
     expect(result).toContain("Glob");
 
     // Custom tools should be appended
@@ -1090,7 +957,7 @@ describe("buildAllowedToolsString", () => {
     const result = buildAllowedToolsString([], true);
 
     // Base tools should be present
-    expect(result).toContain("Edit");
+    expect(result).toContain("Read");
     expect(result).toContain("Glob");
 
     // GitHub Actions tools should be included
@@ -1104,7 +971,7 @@ describe("buildAllowedToolsString", () => {
     const result = buildAllowedToolsString(customTools, true);
 
     // Base tools should be present
-    expect(result).toContain("Edit");
+    expect(result).toContain("Read");
 
     // Custom tools should be included
     expect(result).toContain("Tool1");
@@ -1120,12 +987,12 @@ describe("buildAllowedToolsString", () => {
     const result = buildAllowedToolsString([], false, true);
 
     // Base tools should be present
-    expect(result).toContain("Edit");
+    expect(result).not.toContain("Edit");
     expect(result).toContain("Glob");
     expect(result).toContain("Grep");
     expect(result).toContain("LS");
     expect(result).toContain("Read");
-    expect(result).toContain("Write");
+    expect(result).not.toContain("Write");
 
     // Commit signing tools should be included
     expect(result).toContain("mcp__github_file_ops__commit_files");
@@ -1141,20 +1008,17 @@ describe("buildAllowedToolsString", () => {
     const result = buildAllowedToolsString([], false, false);
 
     // Base tools should be present
-    expect(result).toContain("Edit");
+    expect(result).not.toContain("Edit");
     expect(result).toContain("Glob");
     expect(result).toContain("Grep");
     expect(result).toContain("LS");
     expect(result).toContain("Read");
-    expect(result).toContain("Write");
+    expect(result).not.toContain("Write");
 
     // Specific Bash git commands should be included
     expect(result).toContain("Bash(git add:*)");
     expect(result).toContain("Bash(git commit:*)");
-    expect(result).toContain("Bash(git push:*)");
+    expect(result).toContain("scripts/git-push.sh:*)");
-    expect(result).toContain("Bash(git status:*)");
-    expect(result).toContain("Bash(git diff:*)");
-    expect(result).toContain("Bash(git log:*)");
     expect(result).toContain("Bash(git rm:*)");
 
     // Comment tool from minimal server should be included
@@ -1170,7 +1034,7 @@ describe("buildAllowedToolsString", () => {
     const result = buildAllowedToolsString(customTools, true, false);
 
     // Base tools should be present
-    expect(result).toContain("Edit");
+    expect(result).toContain("Read");
     expect(result).toContain("Bash(git add:*)");
 
     // Custom tools should be included

test/data-fetcher.test.ts

@@ -2,6 +2,7 @@ import { describe, expect, it, jest, test } from "bun:test";
 import {
   extractTriggerTimestamp,
   extractOriginalTitle,
+  extractOriginalBody,
   fetchGitHubData,
   filterCommentsToTriggerTime,
   filterReviewsToTriggerTime,
@@ -106,6 +107,55 @@ describe("extractOriginalTitle", () => {
   });
 });
 
+describe("extractOriginalBody", () => {
+  it("should extract body from IssueCommentEvent on PR", () => {
+    const body = extractOriginalBody(mockPullRequestCommentContext);
+    expect(body).toBe("This PR fixes the memory leak issue reported in #788");
+  });
+
+  it("should extract body from PullRequestReviewEvent", () => {
+    const body = extractOriginalBody(mockPullRequestReviewContext);
+    expect(body).toBe(
+      "This PR improves error handling across all API endpoints",
+    );
+  });
+
+  it("should extract body from PullRequestReviewCommentEvent", () => {
+    const body = extractOriginalBody(mockPullRequestReviewCommentContext);
+    expect(body).toBe(
+      "This PR optimizes the search algorithm for better performance",
+    );
+  });
+
+  it("should extract body from pull_request event", () => {
+    const body = extractOriginalBody(mockPullRequestOpenedContext);
+    expect(body).toBe(
+      "## Summary\n\nThis PR adds JWT-based authentication to the API.\n\n## Changes\n\n- Added auth middleware\n- Added login endpoint\n- Added JWT token generation\n\n/claude please review the security aspects",
+    );
+  });
+
+  it("should extract body from issues event", () => {
+    const body = extractOriginalBody(mockIssueOpenedContext);
+    expect(body).toBe(
+      "## Description\n\nThe application crashes immediately after launching.\n\n## Steps to reproduce\n\n1. Install the app\n2. Launch it\n3. See crash\n\n/claude please help me fix this",
+    );
+  });
+
+  it("should return undefined for event without body", () => {
+    const context = createMockContext({
+      eventName: "issue_comment",
+      payload: {
+        comment: {
+          id: 123,
+          body: "test",
+        },
+      } as any,
+    });
+    const body = extractOriginalBody(context);
+    expect(body).toBeUndefined();
+  });
+});
+
 describe("filterCommentsToTriggerTime", () => {
   const createMockComment = (
     createdAt: string,
@@ -956,6 +1006,8 @@ describe("fetchGitHubData integration with time filtering", () => {
             baseRefName: "main",
             headRefName: "feature",
             headRefOid: "abc123",
+            isCrossRepository: false,
+            headRepository: { owner: { login: "testowner" }, name: "testrepo" },
             createdAt: "2024-01-15T10:00:00Z",
             updatedAt: "2024-01-15T12:30:00Z", // Edited after trigger
             lastEditedAt: "2024-01-15T12:30:00Z", // Edited after trigger
@@ -1099,6 +1151,186 @@ describe("fetchGitHubData integration with time filtering", () => {
       "Original Title (from webhook at trigger time)",
     );
   });
+
+  it("should use originalBody when provided instead of fetched body", async () => {
+    const mockOctokits = {
+      graphql: jest.fn().mockResolvedValue({
+        repository: {
+          pullRequest: {
+            number: 123,
+            title: "Test PR",
+            body: "Malicious body injected after trigger",
+            author: { login: "author" },
+            createdAt: "2024-01-15T10:00:00Z",
+            additions: 10,
+            deletions: 5,
+            state: "OPEN",
+            commits: { totalCount: 1, nodes: [] },
+            files: { nodes: [] },
+            comments: { nodes: [] },
+            reviews: { nodes: [] },
+          },
+        },
+        user: { login: "trigger-user" },
+      }),
+      rest: jest.fn() as any,
+    };
+
+    const result = await fetchGitHubData({
+      octokits: mockOctokits as any,
+      repository: "test-owner/test-repo",
+      prNumber: "123",
+      isPR: true,
+      triggerUsername: "trigger-user",
+      originalBody: "Original safe body from webhook",
+    });
+
+    expect(result.contextData.body).toBe("Original safe body from webhook");
+  });
+
+  it("should use fetched body when originalBody is not provided", async () => {
+    const mockOctokits = {
+      graphql: jest.fn().mockResolvedValue({
+        repository: {
+          pullRequest: {
+            number: 123,
+            title: "Test PR",
+            body: "Fetched body from GraphQL",
+            author: { login: "author" },
+            createdAt: "2024-01-15T10:00:00Z",
+            additions: 10,
+            deletions: 5,
+            state: "OPEN",
+            commits: { totalCount: 1, nodes: [] },
+            files: { nodes: [] },
+            comments: { nodes: [] },
+            reviews: { nodes: [] },
+          },
+        },
+        user: { login: "trigger-user" },
+      }),
+      rest: jest.fn() as any,
+    };
+
+    const result = await fetchGitHubData({
+      octokits: mockOctokits as any,
+      repository: "test-owner/test-repo",
+      prNumber: "123",
+      isPR: true,
+      triggerUsername: "trigger-user",
+    });
+
+    expect(result.contextData.body).toBe("Fetched body from GraphQL");
+  });
+
+  it("should use original body from webhook even if body was edited after trigger (TOCTOU prevention)", async () => {
+    const mockOctokits = {
+      graphql: jest.fn().mockResolvedValue({
+        repository: {
+          pullRequest: {
+            number: 123,
+            title: "Test PR",
+            body: "Malicious body (edited after trigger via GraphQL)",
+            author: { login: "author" },
+            createdAt: "2024-01-15T10:00:00Z",
+            lastEditedAt: "2024-01-15T12:30:00Z", // Edited after trigger
+            additions: 10,
+            deletions: 5,
+            state: "OPEN",
+            commits: { totalCount: 1, nodes: [] },
+            files: { nodes: [] },
+            comments: { nodes: [] },
+            reviews: { nodes: [] },
+          },
+        },
+        user: { login: "trigger-user" },
+      }),
+      rest: jest.fn() as any,
+    };
+
+    const result = await fetchGitHubData({
+      octokits: mockOctokits as any,
+      repository: "test-owner/test-repo",
+      prNumber: "123",
+      isPR: true,
+      triggerUsername: "trigger-user",
+      triggerTime: "2024-01-15T12:00:00Z",
+      originalBody: "Original safe body (from webhook at trigger time)",
+    });
+
+    // Body should be from webhook, not the malicious GraphQL-fetched version
+    expect(result.contextData.body).toBe(
+      "Original safe body (from webhook at trigger time)",
+    );
+  });
+
+  it("should handle null originalBody by setting body to empty string", async () => {
+    const mockOctokits = {
+      graphql: jest.fn().mockResolvedValue({
+        repository: {
+          issue: {
+            number: 123,
+            title: "Test Issue",
+            body: "Some body from GraphQL",
+            author: { login: "author" },
+            createdAt: "2024-01-15T10:00:00Z",
+            state: "OPEN",
+            labels: { nodes: [] },
+            comments: { nodes: [] },
+          },
+        },
+        user: { login: "trigger-user" },
+      }),
+      rest: jest.fn() as any,
+    };
+
+    const result = await fetchGitHubData({
+      octokits: mockOctokits as any,
+      repository: "test-owner/test-repo",
+      prNumber: "123",
+      isPR: false,
+      triggerUsername: "trigger-user",
+      originalBody: null,
+    });
+
+    // null originalBody means the issue had no body at trigger time
+    expect(result.contextData.body).toBe("");
+  });
+
+  it("should use null originalBody over malicious GraphQL body edited after trigger", async () => {
+    const mockOctokits = {
+      graphql: jest.fn().mockResolvedValue({
+        repository: {
+          issue: {
+            number: 123,
+            title: "Test Issue",
+            body: "Malicious body added after trigger",
+            author: { login: "author" },
+            createdAt: "2024-01-15T10:00:00Z",
+            lastEditedAt: "2024-01-15T12:30:00Z", // Edited after trigger
+            state: "OPEN",
+            labels: { nodes: [] },
+            comments: { nodes: [] },
+          },
+        },
+        user: { login: "trigger-user" },
+      }),
+      rest: jest.fn() as any,
+    };
+
+    const result = await fetchGitHubData({
+      octokits: mockOctokits as any,
+      repository: "test-owner/test-repo",
+      prNumber: "123",
+      isPR: false,
+      triggerUsername: "trigger-user",
+      triggerTime: "2024-01-15T12:00:00Z",
+      originalBody: null,
+    });
+
+    // Webhook says no body at trigger time — attacker-added GraphQL body must not be used
+    expect(result.contextData.body).toBe("");
+  });
 });
 
 describe("filterCommentsByActor", () => {

test/data-formatter.test.ts

@@ -24,6 +24,8 @@ describe("formatContext", () => {
       baseRefName: "main",
       headRefName: "feature/test",
       headRefOid: "abc123",
+      isCrossRepository: false,
+      headRepository: { owner: { login: "testowner" }, name: "testrepo" },
       createdAt: "2023-01-01T00:00:00Z",
       additions: 50,
       deletions: 30,

test/install-mcp-server.test.ts

@@ -9,6 +9,7 @@ describe("prepareMcpConfig", () => {
   let consoleWarningSpy: any;
   let setFailedSpy: any;
   let processExitSpy: any;
+  let fetchSpy: any;
 
   // Create a mock context for tests
   const mockContext: ParsedGitHubContext = {
@@ -31,6 +32,7 @@ describe("prepareMcpConfig", () => {
       labelTrigger: "",
       branchPrefix: "",
       useStickyComment: false,
+      classifyInlineComments: true,
       useCommitSigning: false,
       sshSigningKey: "",
       botId: String(CLAUDE_APP_BOT_ID),
@@ -66,6 +68,10 @@ describe("prepareMcpConfig", () => {
     processExitSpy = spyOn(process, "exit").mockImplementation(() => {
       throw new Error("Process exit");
     });
+    // Mock fetch so checkActionsReadPermission succeeds (returns 200 for actions API)
+    fetchSpy = spyOn(global, "fetch").mockResolvedValue(
+      new Response(JSON.stringify({ workflow_runs: [] }), { status: 200 }),
+    );
 
     // Set up required environment variables
     if (!process.env.GITHUB_ACTION_PATH) {
@@ -78,6 +84,7 @@ describe("prepareMcpConfig", () => {
     consoleWarningSpy.mockRestore();
     setFailedSpy.mockRestore();
     processExitSpy.mockRestore();
+    fetchSpy.mockRestore();
   });
 
   test("should return comment server when commit signing is disabled", async () => {
@@ -263,6 +270,33 @@ describe("prepareMcpConfig", () => {
     expect(parsed.mcpServers.github_ci).not.toBeDefined();
   });
 
+  test("should not include github_ci server when actions:read permission is missing", async () => {
+    process.env.DEFAULT_WORKFLOW_TOKEN = "workflow-token";
+    // Simulate 403 from actions API
+    fetchSpy.mockResolvedValue(
+      new Response(
+        JSON.stringify({ message: "Resource not accessible by integration" }),
+        { status: 403 },
+      ),
+    );
+
+    const result = await prepareMcpConfig({
+      githubToken: "test-token",
+      owner: "test-owner",
+      repo: "test-repo",
+      branch: "test-branch",
+      baseBranch: "main",
+      allowedTools: [],
+      mode: "tag",
+      context: mockPRContext,
+    });
+
+    const parsed = JSON.parse(result);
+    expect(parsed.mcpServers.github_ci).not.toBeDefined();
+
+    delete process.env.DEFAULT_WORKFLOW_TOKEN;
+  });
+
   test("should not include github_ci server when DEFAULT_WORKFLOW_TOKEN is missing", async () => {
     delete process.env.DEFAULT_WORKFLOW_TOKEN;
 

test/mockContext.ts

@@ -19,6 +19,7 @@ const defaultInputs = {
   labelTrigger: "",
   branchPrefix: "claude/",
   useStickyComment: false,
+  classifyInlineComments: true,
   useCommitSigning: false,
   sshSigningKey: "",
   botId: String(CLAUDE_APP_BOT_ID),
@@ -35,6 +36,7 @@ const defaultRepository = {
   owner: "test-owner",
   repo: "test-repo",
   full_name: "test-owner/test-repo",
+  default_branch: "main",
 };
 
 type MockContextOverrides = Omit<Partial<ParsedGitHubContext>, "inputs"> & {

test/modes/agent.test.ts

@@ -7,22 +7,17 @@ import {
   spyOn,
   mock,
 } from "bun:test";
-import { agentMode } from "../../src/modes/agent";
+import { prepareAgentMode } from "../../src/modes/agent";
-import type { GitHubContext } from "../../src/github/context";
+import { createMockAutomationContext } from "../mockContext";
-import { createMockContext, createMockAutomationContext } from "../mockContext";
 import * as core from "@actions/core";
 import * as gitConfig from "../../src/github/operations/git-config";
 
 describe("Agent Mode", () => {
-  let mockContext: GitHubContext;
   let exportVariableSpy: any;
   let setOutputSpy: any;
   let configureGitAuthSpy: any;
 
   beforeEach(() => {
-    mockContext = createMockAutomationContext({
-      eventName: "workflow_dispatch",
-    });
     exportVariableSpy = spyOn(core, "exportVariable").mockImplementation(
       () => {},
     );
@@ -45,84 +40,11 @@ describe("Agent Mode", () => {
     configureGitAuthSpy?.mockRestore();
   });
 
-  test("agent mode has correct properties", () => {
+  test("prepareAgentMode is exported as a function", () => {
-    expect(agentMode.name).toBe("agent");
+    expect(typeof prepareAgentMode).toBe("function");
-    expect(agentMode.description).toBe(
-      "Direct automation mode for explicit prompts",
-    );
-    expect(agentMode.shouldCreateTrackingComment()).toBe(false);
-    expect(agentMode.getAllowedTools()).toEqual([]);
-    expect(agentMode.getDisallowedTools()).toEqual([]);
   });
 
-  test("prepareContext returns minimal data", () => {
+  test("prepare passes through claude_args", async () => {
-    const context = agentMode.prepareContext(mockContext);
-
-    expect(context.mode).toBe("agent");
-    expect(context.githubContext).toBe(mockContext);
-    // Agent mode doesn't use comment tracking or branch management
-    expect(Object.keys(context)).toEqual(["mode", "githubContext"]);
-  });
-
-  test("agent mode only triggers when prompt is provided", () => {
-    // Should NOT trigger for automation events without prompt
-    const workflowDispatchContext = createMockAutomationContext({
-      eventName: "workflow_dispatch",
-    });
-    expect(agentMode.shouldTrigger(workflowDispatchContext)).toBe(false);
-
-    const scheduleContext = createMockAutomationContext({
-      eventName: "schedule",
-    });
-    expect(agentMode.shouldTrigger(scheduleContext)).toBe(false);
-
-    const repositoryDispatchContext = createMockAutomationContext({
-      eventName: "repository_dispatch",
-    });
-    expect(agentMode.shouldTrigger(repositoryDispatchContext)).toBe(false);
-
-    // Should NOT trigger for entity events without prompt
-    const entityEvents = [
-      "issue_comment",
-      "pull_request",
-      "pull_request_review",
-      "issues",
-    ] as const;
-
-    entityEvents.forEach((eventName) => {
-      const contextNoPrompt = createMockContext({ eventName });
-      expect(agentMode.shouldTrigger(contextNoPrompt)).toBe(false);
-    });
-
-    // Should trigger for ANY event when prompt is provided
-    const allEvents = [
-      "workflow_dispatch",
-      "repository_dispatch",
-      "schedule",
-      "issue_comment",
-      "pull_request",
-      "pull_request_review",
-      "issues",
-    ] as const;
-
-    allEvents.forEach((eventName) => {
-      const contextWithPrompt =
-        eventName === "workflow_dispatch" ||
-        eventName === "repository_dispatch" ||
-        eventName === "schedule"
-          ? createMockAutomationContext({
-              eventName,
-              inputs: { prompt: "Do something" },
-            })
-          : createMockContext({
-              eventName,
-              inputs: { prompt: "Do something" },
-            });
-      expect(agentMode.shouldTrigger(contextWithPrompt)).toBe(true);
-    });
-  });
-
-  test("prepare method passes through claude_args", async () => {
     // Clear any previous calls before this test
     exportVariableSpy.mockClear();
     setOutputSpy.mockClear();
@@ -156,19 +78,17 @@ describe("Agent Mode", () => {
         },
       },
     } as any;
-    const result = await agentMode.prepare({
+    const result = await prepareAgentMode({
       context: contextWithCustomArgs,
       octokit: mockOctokit,
       githubToken: "test-token",
     });
 
     // Verify claude_args includes user args (no MCP config in agent mode without allowed tools)
-    const callArgs = setOutputSpy.mock.calls[0];
+    expect(result.claudeArgs).toBe("--model claude-sonnet-4 --max-turns 10");
-    expect(callArgs[0]).toBe("claude_args");
+    expect(result.claudeArgs).not.toContain("--mcp-config");
-    expect(callArgs[1]).toBe("--model claude-sonnet-4 --max-turns 10");
-    expect(callArgs[1]).not.toContain("--mcp-config");
 
-    // Verify return structure - should use "main" as fallback when no env vars set
+    // Verify return structure - should fall back to repository.default_branch when no env vars set
     expect(result).toEqual({
       commentId: undefined,
       branchInfo: {
@@ -177,6 +97,7 @@ describe("Agent Mode", () => {
         claudeBranch: undefined,
       },
       mcpConfig: expect.any(String),
+      claudeArgs: "--model claude-sonnet-4 --max-turns 10",
     });
 
     // Clean up
@@ -187,7 +108,61 @@ describe("Agent Mode", () => {
       process.env.GITHUB_REF_NAME = originalRefName;
   });
 
-  test("prepare method rejects bot actors without allowed_bots", async () => {
+  test("prepare falls back to repository.default_branch when not 'main'", async () => {
+    const contextWithDevelop = createMockAutomationContext({
+      eventName: "workflow_dispatch",
+      repository: {
+        owner: "test-owner",
+        repo: "test-repo",
+        full_name: "test-owner/test-repo",
+        default_branch: "develop",
+      },
+    });
+
+    // Save and clear env vars that would otherwise override the fallback
+    const originalClaudeBranch = process.env.CLAUDE_BRANCH;
+    const originalHeadRef = process.env.GITHUB_HEAD_REF;
+    const originalRefName = process.env.GITHUB_REF_NAME;
+    delete process.env.CLAUDE_BRANCH;
+    delete process.env.GITHUB_HEAD_REF;
+    delete process.env.GITHUB_REF_NAME;
+
+    const mockOctokit = {
+      rest: {
+        users: {
+          getAuthenticated: mock(() =>
+            Promise.resolve({
+              data: { login: "test-user", id: 12345, type: "User" },
+            }),
+          ),
+          getByUsername: mock(() =>
+            Promise.resolve({
+              data: { login: "test-user", id: 12345, type: "User" },
+            }),
+          ),
+        },
+      },
+    } as any;
+
+    const result = await prepareAgentMode({
+      context: contextWithDevelop,
+      octokit: mockOctokit,
+      githubToken: "test-token",
+    });
+
+    expect(result.branchInfo.baseBranch).toBe("develop");
+    expect(result.branchInfo.currentBranch).toBe("develop");
+
+    // Restore env vars
+    if (originalClaudeBranch !== undefined)
+      process.env.CLAUDE_BRANCH = originalClaudeBranch;
+    if (originalHeadRef !== undefined)
+      process.env.GITHUB_HEAD_REF = originalHeadRef;
+    if (originalRefName !== undefined)
+      process.env.GITHUB_REF_NAME = originalRefName;
+  });
+
+  test("prepare rejects bot actors without allowed_bots", async () => {
     const contextWithPrompts = createMockAutomationContext({
       eventName: "workflow_dispatch",
     });
@@ -207,7 +182,7 @@ describe("Agent Mode", () => {
     } as any;
 
     await expect(
-      agentMode.prepare({
+      prepareAgentMode({
         context: contextWithPrompts,
         octokit: mockOctokit,
         githubToken: "test-token",
@@ -217,7 +192,7 @@ describe("Agent Mode", () => {
     );
   });
 
-  test("prepare method allows bot actors when in allowed_bots list", async () => {
+  test("prepare allows bot actors when in allowed_bots list", async () => {
     const contextWithPrompts = createMockAutomationContext({
       eventName: "workflow_dispatch",
     });
@@ -238,7 +213,7 @@ describe("Agent Mode", () => {
 
     // Should not throw - bot is in allowed list
     await expect(
-      agentMode.prepare({
+      prepareAgentMode({
         context: contextWithPrompts,
         octokit: mockOctokit,
         githubToken: "test-token",
@@ -246,7 +221,7 @@ describe("Agent Mode", () => {
     ).resolves.toBeDefined();
   });
 
-  test("prepare method creates prompt file with correct content", async () => {
+  test("prepare creates prompt file with correct content", async () => {
     const contextWithPrompts = createMockAutomationContext({
       eventName: "workflow_dispatch",
     });
@@ -269,7 +244,7 @@ describe("Agent Mode", () => {
         },
       },
     } as any;
-    await agentMode.prepare({
+    const result = await prepareAgentMode({
       context: contextWithPrompts,
       octokit: mockOctokit,
       githubToken: "test-token",
@@ -279,9 +254,7 @@ describe("Agent Mode", () => {
     // but we can verify the method completes without errors
     // With our conditional MCP logic, agent mode with no allowed tools
     // should not include any MCP config
-    const callArgs = setOutputSpy.mock.calls[0];
-    expect(callArgs[0]).toBe("claude_args");
     // Should be empty or just whitespace when no MCP servers are included
-    expect(callArgs[1]).not.toContain("--mcp-config");
+    expect(result.claudeArgs).not.toContain("--mcp-config");
   });
 });

test/modes/detector.test.ts

@@ -19,6 +19,7 @@ describe("detectMode with enhanced routing", () => {
       labelTrigger: "",
       branchPrefix: "claude/",
       useStickyComment: false,
+      classifyInlineComments: true,
       useCommitSigning: false,
       sshSigningKey: "",
       botId: "123456",

test/modes/registry.test.ts

@@ -1,155 +0,0 @@
-import { describe, test, expect } from "bun:test";
-import { getMode, isValidMode } from "../../src/modes/registry";
-import { agentMode } from "../../src/modes/agent";
-import { tagMode } from "../../src/modes/tag";
-import {
-  createMockContext,
-  createMockAutomationContext,
-  mockRepositoryDispatchContext,
-} from "../mockContext";
-
-describe("Mode Registry", () => {
-  const mockContext = createMockContext({
-    eventName: "issue_comment",
-    payload: {
-      action: "created",
-      comment: {
-        body: "Test comment without trigger",
-      },
-    } as any,
-  });
-
-  const mockWorkflowDispatchContext = createMockAutomationContext({
-    eventName: "workflow_dispatch",
-  });
-
-  const mockScheduleContext = createMockAutomationContext({
-    eventName: "schedule",
-  });
-
-  test("getMode auto-detects agent mode for issue_comment without trigger", () => {
-    const mode = getMode(mockContext);
-    // Agent mode is the default when no trigger is found
-    expect(mode).toBe(agentMode);
-    expect(mode.name).toBe("agent");
-  });
-
-  test("getMode auto-detects agent mode for workflow_dispatch", () => {
-    const mode = getMode(mockWorkflowDispatchContext);
-    expect(mode).toBe(agentMode);
-    expect(mode.name).toBe("agent");
-  });
-
-  // Removed test - explicit mode override no longer supported in v1.0
-
-  test("getMode auto-detects agent for workflow_dispatch", () => {
-    const mode = getMode(mockWorkflowDispatchContext);
-    expect(mode).toBe(agentMode);
-    expect(mode.name).toBe("agent");
-  });
-
-  test("getMode auto-detects agent for schedule event", () => {
-    const mode = getMode(mockScheduleContext);
-    expect(mode).toBe(agentMode);
-    expect(mode.name).toBe("agent");
-  });
-
-  test("getMode auto-detects agent for repository_dispatch event", () => {
-    const mode = getMode(mockRepositoryDispatchContext);
-    expect(mode).toBe(agentMode);
-    expect(mode.name).toBe("agent");
-  });
-
-  test("getMode auto-detects agent for repository_dispatch with client_payload", () => {
-    const contextWithPayload = createMockAutomationContext({
-      eventName: "repository_dispatch",
-      payload: {
-        action: "trigger-analysis",
-        client_payload: {
-          source: "external-system",
-          metadata: { priority: "high" },
-        },
-        repository: {
-          name: "test-repo",
-          owner: { login: "test-owner" },
-        },
-        sender: { login: "automation-user" },
-      },
-    });
-
-    const mode = getMode(contextWithPayload);
-    expect(mode).toBe(agentMode);
-    expect(mode.name).toBe("agent");
-  });
-
-  // Removed test - legacy mode names no longer supported in v1.0
-
-  test("getMode auto-detects agent mode for PR opened", () => {
-    const prContext = createMockContext({
-      eventName: "pull_request",
-      payload: { action: "opened" } as any,
-      isPR: true,
-    });
-    const mode = getMode(prContext);
-    expect(mode).toBe(agentMode);
-    expect(mode.name).toBe("agent");
-  });
-
-  test("getMode uses agent mode when prompt is provided, even with @claude mention", () => {
-    const contextWithPrompt = createMockContext({
-      eventName: "issue_comment",
-      payload: {
-        action: "created",
-        comment: {
-          body: "@claude please help",
-        },
-      } as any,
-      inputs: {
-        prompt: "/review",
-      } as any,
-    });
-    const mode = getMode(contextWithPrompt);
-    expect(mode).toBe(agentMode);
-    expect(mode.name).toBe("agent");
-  });
-
-  test("getMode uses tag mode for @claude mention without prompt", () => {
-    // Ensure PROMPT env var is not set (clean up from previous tests)
-    const originalPrompt = process.env.PROMPT;
-    delete process.env.PROMPT;
-
-    const contextWithMention = createMockContext({
-      eventName: "issue_comment",
-      payload: {
-        action: "created",
-        comment: {
-          body: "@claude please help",
-        },
-      } as any,
-      inputs: {
-        triggerPhrase: "@claude",
-        prompt: "",
-      } as any,
-    });
-    const mode = getMode(contextWithMention);
-    expect(mode).toBe(tagMode);
-    expect(mode.name).toBe("tag");
-
-    // Restore original value if it existed
-    if (originalPrompt !== undefined) {
-      process.env.PROMPT = originalPrompt;
-    }
-  });
-
-  // Removed test - explicit mode override no longer supported in v1.0
-
-  test("isValidMode returns true for all valid modes", () => {
-    expect(isValidMode("tag")).toBe(true);
-    expect(isValidMode("agent")).toBe(true);
-  });
-
-  test("isValidMode returns false for invalid mode", () => {
-    expect(isValidMode("invalid")).toBe(false);
-    expect(isValidMode("review")).toBe(false);
-  });
-});

test/modes/tag.test.ts

@@ -1,92 +1,8 @@
-import { describe, test, expect, beforeEach } from "bun:test";
+import { describe, test, expect } from "bun:test";
-import { tagMode } from "../../src/modes/tag";
+import { prepareTagMode } from "../../src/modes/tag";
-import type { ParsedGitHubContext } from "../../src/github/context";
-import type { IssueCommentEvent } from "@octokit/webhooks-types";
-import { createMockContext } from "../mockContext";
 
 describe("Tag Mode", () => {
-  let mockContext: ParsedGitHubContext;
+  test("prepareTagMode is exported as a function", () => {
-
+    expect(typeof prepareTagMode).toBe("function");
-  beforeEach(() => {
-    mockContext = createMockContext({
-      eventName: "issue_comment",
-      isPR: false,
-    });
-  });
-
-  test("tag mode has correct properties", () => {
-    expect(tagMode.name).toBe("tag");
-    expect(tagMode.description).toBe(
-      "Traditional implementation mode triggered by @claude mentions",
-    );
-    expect(tagMode.shouldCreateTrackingComment()).toBe(true);
-  });
-
-  test("shouldTrigger delegates to checkContainsTrigger", () => {
-    const contextWithTrigger = createMockContext({
-      eventName: "issue_comment",
-      isPR: false,
-      inputs: {
-        ...createMockContext().inputs,
-        triggerPhrase: "@claude",
-      },
-      payload: {
-        comment: {
-          body: "Hey @claude, can you help?",
-        },
-      } as IssueCommentEvent,
-    });
-
-    expect(tagMode.shouldTrigger(contextWithTrigger)).toBe(true);
-
-    const contextWithoutTrigger = createMockContext({
-      eventName: "issue_comment",
-      isPR: false,
-      inputs: {
-        ...createMockContext().inputs,
-        triggerPhrase: "@claude",
-      },
-      payload: {
-        comment: {
-          body: "This is just a regular comment",
-        },
-      } as IssueCommentEvent,
-    });
-
-    expect(tagMode.shouldTrigger(contextWithoutTrigger)).toBe(false);
-  });
-
-  test("prepareContext includes all required data", () => {
-    const data = {
-      commentId: 123,
-      baseBranch: "main",
-      claudeBranch: "claude/fix-bug",
-    };
-
-    const context = tagMode.prepareContext(mockContext, data);
-
-    expect(context.mode).toBe("tag");
-    expect(context.githubContext).toBe(mockContext);
-    expect(context.commentId).toBe(123);
-    expect(context.baseBranch).toBe("main");
-    expect(context.claudeBranch).toBe("claude/fix-bug");
-  });
-
-  test("prepareContext works without data", () => {
-    const context = tagMode.prepareContext(mockContext);
-
-    expect(context.mode).toBe("tag");
-    expect(context.githubContext).toBe(mockContext);
-    expect(context.commentId).toBeUndefined();
-    expect(context.baseBranch).toBeUndefined();
-    expect(context.claudeBranch).toBeUndefined();
-  });
-
-  test("getAllowedTools returns empty array", () => {
-    expect(tagMode.getAllowedTools()).toEqual([]);
-  });
-
-  test("getDisallowedTools returns empty array", () => {
-    expect(tagMode.getDisallowedTools()).toEqual([]);
   });
 });

test/parse-permissions.test.ts

@@ -0,0 +1,97 @@
+import { describe, expect, test, beforeEach, afterEach } from "bun:test";
+import { parseAdditionalPermissions } from "../src/github/token";
+
+describe("parseAdditionalPermissions", () => {
+  let originalEnv: string | undefined;
+
+  beforeEach(() => {
+    originalEnv = process.env.ADDITIONAL_PERMISSIONS;
+  });
+
+  afterEach(() => {
+    if (originalEnv === undefined) {
+      delete process.env.ADDITIONAL_PERMISSIONS;
+    } else {
+      process.env.ADDITIONAL_PERMISSIONS = originalEnv;
+    }
+  });
+
+  test("returns undefined when env var is not set", () => {
+    delete process.env.ADDITIONAL_PERMISSIONS;
+    expect(parseAdditionalPermissions()).toBeUndefined();
+  });
+
+  test("returns undefined when env var is empty string", () => {
+    process.env.ADDITIONAL_PERMISSIONS = "";
+    expect(parseAdditionalPermissions()).toBeUndefined();
+  });
+
+  test("returns undefined when env var is only whitespace", () => {
+    process.env.ADDITIONAL_PERMISSIONS = "   \n  \n  ";
+    expect(parseAdditionalPermissions()).toBeUndefined();
+  });
+
+  test("parses single permission and merges with defaults", () => {
+    process.env.ADDITIONAL_PERMISSIONS = "actions: read";
+    expect(parseAdditionalPermissions()).toEqual({
+      contents: "write",
+      pull_requests: "write",
+      issues: "write",
+      actions: "read",
+    });
+  });
+
+  test("parses multiple permissions", () => {
+    process.env.ADDITIONAL_PERMISSIONS = "actions: read\nworkflows: write";
+    expect(parseAdditionalPermissions()).toEqual({
+      contents: "write",
+      pull_requests: "write",
+      issues: "write",
+      actions: "read",
+      workflows: "write",
+    });
+  });
+
+  test("additional permissions can override defaults", () => {
+    process.env.ADDITIONAL_PERMISSIONS = "contents: read";
+    expect(parseAdditionalPermissions()).toEqual({
+      contents: "read",
+      pull_requests: "write",
+      issues: "write",
+    });
+  });
+
+  test("handles extra whitespace around keys and values", () => {
+    process.env.ADDITIONAL_PERMISSIONS = "  actions :  read  ";
+    expect(parseAdditionalPermissions()).toEqual({
+      contents: "write",
+      pull_requests: "write",
+      issues: "write",
+      actions: "read",
+    });
+  });
+
+  test("skips empty lines", () => {
+    process.env.ADDITIONAL_PERMISSIONS =
+      "actions: read\n\n\nworkflows: write\n\n";
+    expect(parseAdditionalPermissions()).toEqual({
+      contents: "write",
+      pull_requests: "write",
+      issues: "write",
+      actions: "read",
+      workflows: "write",
+    });
+  });
+
+  test("skips lines without colons", () => {
+    process.env.ADDITIONAL_PERMISSIONS =
+      "actions: read\ninvalid line\nworkflows: write";
+    expect(parseAdditionalPermissions()).toEqual({
+      contents: "write",
+      pull_requests: "write",
+      issues: "write",
+      actions: "read",
+      workflows: "write",
+    });
+  });
+});

test/permissions.test.ts

@@ -67,6 +67,7 @@ describe("checkWritePermissions", () => {
       labelTrigger: "",
       branchPrefix: "claude/",
       useStickyComment: false,
+      classifyInlineComments: true,
       useCommitSigning: false,
       sshSigningKey: "",
       botId: String(CLAUDE_APP_BOT_ID),

test/pull-request-target.test.ts

@@ -1,37 +1,10 @@
 #!/usr/bin/env bun
 
 import { describe, test, expect } from "bun:test";
-import {
+import { getEventTypeAndContext, generatePrompt } from "../src/create-prompt";
-  getEventTypeAndContext,
-  generatePrompt,
-  generateDefaultPrompt,
-} from "../src/create-prompt";
 import type { PreparedContext } from "../src/create-prompt";
-import type { Mode } from "../src/modes/types";
 
 describe("pull_request_target event support", () => {
-  // Mock tag mode for testing
-  const mockTagMode: Mode = {
-    name: "tag",
-    description: "Tag mode",
-    shouldTrigger: () => true,
-    prepareContext: (context) => ({ mode: "tag", githubContext: context }),
-    getAllowedTools: () => [],
-    getDisallowedTools: () => [],
-    shouldCreateTrackingComment: () => true,
-    generatePrompt: (context, githubData, useCommitSigning) =>
-      generateDefaultPrompt(context, githubData, useCommitSigning),
-    prepare: async () => ({
-      commentId: 123,
-      branchInfo: {
-        baseBranch: "main",
-        currentBranch: "main",
-        claudeBranch: undefined,
-      },
-      mcpConfig: "{}",
-    }),
-  };
-
   const mockGitHubData = {
     contextData: {
       title: "External PR via pull_request_target",
@@ -44,6 +17,8 @@ describe("pull_request_target event support", () => {
       baseRefName: "main",
       headRefName: "feature-branch",
       headRefOid: "abc123",
+      isCrossRepository: false,
+      headRepository: { owner: { login: "testowner" }, name: "testrepo" },
       commits: {
         totalCount: 2,
         nodes: [
@@ -125,12 +100,7 @@ describe("pull_request_target event support", () => {
         },
       };
 
-      const prompt = generatePrompt(
+      const prompt = generatePrompt(envVars, mockGitHubData, false, "tag");
-        envVars,
-        mockGitHubData,
-        false,
-        mockTagMode,
-      );
 
       // Should contain pull request event type and metadata
       expect(prompt).toContain("<event_type>PULL_REQUEST</event_type>");
@@ -164,15 +134,10 @@ describe("pull_request_target event support", () => {
         },
       };
 
-      const prompt = generatePrompt(
+      const prompt = generatePrompt(envVars, mockGitHubData, false, "tag");
-        envVars,
-        mockGitHubData,
-        false,
-        mockTagMode,
-      );
 
       // Should include git commands for non-commit-signing mode
-      expect(prompt).toContain("git push");
+      expect(prompt).toContain("scripts/git-push.sh origin");
       expect(prompt).toContain(
         "Always push to the existing branch when triggered on a PR",
       );
@@ -195,7 +160,7 @@ describe("pull_request_target event support", () => {
         },
       };
 
-      const prompt = generatePrompt(envVars, mockGitHubData, true, mockTagMode);
+      const prompt = generatePrompt(envVars, mockGitHubData, true, "tag");
 
       // Should include commit signing tools
       expect(prompt).toContain("mcp__github_file_ops__commit_files");
@@ -245,13 +210,13 @@ describe("pull_request_target event support", () => {
         pullRequestContext,
         mockGitHubData,
         false,
-        mockTagMode,
+        "tag",
       );
       const pullRequestTargetPrompt = generatePrompt(
         pullRequestTargetContext,
         mockGitHubData,
         false,
-        mockTagMode,
+        "tag",
       );
 
       // Both should have the same event type and structure
@@ -292,36 +257,7 @@ describe("pull_request_target event support", () => {
         },
       };
 
-      // Use agent mode which passes through the prompt as-is
+      const prompt = generatePrompt(envVars, mockGitHubData, false, "agent");
-      const mockAgentMode: Mode = {
-        name: "agent",
-        description: "Agent mode",
-        shouldTrigger: () => true,
-        prepareContext: (context) => ({
-          mode: "agent",
-          githubContext: context,
-        }),
-        getAllowedTools: () => [],
-        getDisallowedTools: () => [],
-        shouldCreateTrackingComment: () => true,
-        generatePrompt: (context) => context.prompt || "default prompt",
-        prepare: async () => ({
-          commentId: 123,
-          branchInfo: {
-            baseBranch: "main",
-            currentBranch: "main",
-            claudeBranch: undefined,
-          },
-          mcpConfig: "{}",
-        }),
-      };
-
-      const prompt = generatePrompt(
-        envVars,
-        mockGitHubData,
-        false,
-        mockAgentMode,
-      );
 
       expect(prompt).toBe(
         "Review this pull_request_target PR for security issues",
@@ -341,12 +277,7 @@ describe("pull_request_target event support", () => {
         },
       };
 
-      const prompt = generatePrompt(
+      const prompt = generatePrompt(envVars, mockGitHubData, false, "tag");
-        envVars,
-        mockGitHubData,
-        false,
-        mockTagMode,
-      );
 
       // Should generate default prompt structure
       expect(prompt).toContain("<event_type>PULL_REQUEST</event_type>");
@@ -416,7 +347,7 @@ describe("pull_request_target event support", () => {
 
       // Should not throw when generating prompt
       expect(() => {
-        generatePrompt(minimalContext, mockGitHubData, false, mockTagMode);
+        generatePrompt(minimalContext, mockGitHubData, false, "tag");
       }).not.toThrow();
     });
 
@@ -474,13 +405,13 @@ describe("pull_request_target event support", () => {
         internalPR,
         mockGitHubData,
         false,
-        mockTagMode,
+        "tag",
       );
       const externalPrompt = generatePrompt(
         externalPR,
         mockGitHubData,
         false,
-        mockTagMode,
+        "tag",
       );
 
       // Should have same tool access patterns

test/retry.test.ts

@@ -0,0 +1,120 @@
+import { describe, it, expect, beforeEach, afterEach, mock } from "bun:test";
+import { retryWithBackoff } from "../src/utils/retry";
+
+describe("retryWithBackoff", () => {
+  let originalConsoleLog: typeof console.log;
+  let originalConsoleError: typeof console.error;
+
+  beforeEach(() => {
+    originalConsoleLog = console.log;
+    originalConsoleError = console.error;
+    console.log = mock(() => {});
+    console.error = mock(() => {});
+  });
+
+  afterEach(() => {
+    console.log = originalConsoleLog;
+    console.error = originalConsoleError;
+  });
+
+  it("returns the result on first success", async () => {
+    const result = await retryWithBackoff(() => Promise.resolve("ok"), {
+      maxAttempts: 3,
+      initialDelayMs: 1,
+    });
+    expect(result).toBe("ok");
+  });
+
+  it("retries on failure and succeeds", async () => {
+    let attempt = 0;
+    const result = await retryWithBackoff(
+      () => {
+        attempt++;
+        if (attempt < 3) throw new Error("transient");
+        return Promise.resolve("recovered");
+      },
+      { maxAttempts: 3, initialDelayMs: 1 },
+    );
+    expect(result).toBe("recovered");
+    expect(attempt).toBe(3);
+  });
+
+  it("throws after exhausting all attempts", async () => {
+    await expect(
+      retryWithBackoff(() => Promise.reject(new Error("permanent")), {
+        maxAttempts: 2,
+        initialDelayMs: 1,
+      }),
+    ).rejects.toThrow("permanent");
+  });
+
+  it("stops retrying immediately when shouldRetry returns false", async () => {
+    class NonRetryableError extends Error {
+      constructor() {
+        super("non-retryable");
+        this.name = "NonRetryableError";
+      }
+    }
+
+    let attempts = 0;
+    await expect(
+      retryWithBackoff(
+        () => {
+          attempts++;
+          throw new NonRetryableError();
+        },
+        {
+          maxAttempts: 3,
+          initialDelayMs: 1,
+          shouldRetry: (error) => !(error instanceof NonRetryableError),
+        },
+      ),
+    ).rejects.toThrow("non-retryable");
+    expect(attempts).toBe(1);
+  });
+
+  it("continues retrying when shouldRetry returns true", async () => {
+    let attempts = 0;
+    await expect(
+      retryWithBackoff(
+        () => {
+          attempts++;
+          throw new Error("retryable");
+        },
+        {
+          maxAttempts: 3,
+          initialDelayMs: 1,
+          shouldRetry: () => true,
+        },
+      ),
+    ).rejects.toThrow("retryable");
+    expect(attempts).toBe(3);
+  });
+
+  it("preserves the original error when shouldRetry aborts", async () => {
+    class SpecificError extends Error {
+      code = 401;
+      constructor() {
+        super("unauthorized");
+        this.name = "SpecificError";
+      }
+    }
+
+    try {
+      await retryWithBackoff(
+        () => {
+          throw new SpecificError();
+        },
+        {
+          maxAttempts: 3,
+          initialDelayMs: 1,
+          shouldRetry: (error) => !(error instanceof SpecificError),
+        },
+      );
+      expect.unreachable("should have thrown");
+    } catch (error) {
+      expect(error).toBeInstanceOf(SpecificError);
+      expect((error as SpecificError).code).toBe(401);
+    }
+  });
+});

test/trigger-validation.test.ts

@@ -34,6 +34,7 @@ describe("checkContainsTrigger", () => {
           labelTrigger: "",
           branchPrefix: "claude/",
           useStickyComment: false,
+          classifyInlineComments: true,
           useCommitSigning: false,
           allowedBots: "",
         },
@@ -62,6 +63,7 @@ describe("checkContainsTrigger", () => {
           labelTrigger: "",
           branchPrefix: "claude/",
           useStickyComment: false,
+          classifyInlineComments: true,
           useCommitSigning: false,
           allowedBots: "",
         },
@@ -274,6 +276,7 @@ describe("checkContainsTrigger", () => {
           labelTrigger: "",
           branchPrefix: "claude/",
           useStickyComment: false,
+          classifyInlineComments: true,
           useCommitSigning: false,
           allowedBots: "",
         },
@@ -303,6 +306,7 @@ describe("checkContainsTrigger", () => {
           labelTrigger: "",
           branchPrefix: "claude/",
           useStickyComment: false,
+          classifyInlineComments: true,
           useCommitSigning: false,
           allowedBots: "",
         },
@@ -332,6 +336,7 @@ describe("checkContainsTrigger", () => {
           labelTrigger: "",
           branchPrefix: "claude/",
           useStickyComment: false,
+          classifyInlineComments: true,
           useCommitSigning: false,
           allowedBots: "",
         },

test/validate-branch-name.test.ts

@@ -36,6 +36,25 @@ describe("validateBranchName", () => {
       expect(() => validateBranchName("refs/heads/main")).not.toThrow();
       expect(() => validateBranchName("bugfix/JIRA-1234")).not.toThrow();
     });
+
+    it("should accept branch names containing # (git-valid, common in issue-linked branches)", () => {
+      // Reported in #1137: branches like "put-back-arm64-#2" were rejected
+      expect(() => validateBranchName("put-back-arm64-#2")).not.toThrow();
+      expect(() =>
+        validateBranchName("feature/#123-description"),
+      ).not.toThrow();
+      expect(() => validateBranchName("fix/issue-#42")).not.toThrow();
+    });
+
+    it("should accept branch names containing + (generated by Claude Code EnterWorktree)", () => {
+      // EnterWorktree converts "/" in worktree names to "+" when generating branch names.
+      // e.g. EnterWorktree("feat/skill-consolidation") → branch "worktree-feat+skill-consolidation"
+      expect(() =>
+        validateBranchName("worktree-feat+skill-consolidation"),
+      ).not.toThrow();
+      expect(() => validateBranchName("fix+issue-123")).not.toThrow();
+      expect(() => validateBranchName("feature+new-thing")).not.toThrow();
+    });
   });
 
   describe("command injection attempts", () => {