fix: Encode branch names in URLs to prevent truncation in markdown links

Branch names containing special characters (particularly parentheses)
were breaking markdown links in GitHub comments. This caused URLs to be
truncated when clicked.

Changes:
- Add encodeBranchName() helper function that:
  - Uses encodeURIComponent for basic encoding
  - Preserves forward slashes (GitHub expects literal / in branch URLs)
  - Manually encodes parentheses (not encoded by encodeURIComponent per RFC 3986)
- Apply encoding to branch URLs in:
  - update-comment-link.ts (PR compare URLs)
  - branch-cleanup.ts (branch tree URLs)
  - comment-logic.ts (branch tree URLs)
  - comments/common.ts (branch tree URLs)
- Improve PR link regex to use greedy match with end anchor
- Add test for branch names with special characters

.github/workflows/sync-base-action.yml

@@ -94,5 +94,5 @@ jobs:
           echo "✅ Successfully synced \`base-action\` directory to [anthropics/claude-code-base-action](https://github.com/anthropics/claude-code-base-action)" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "- **Source commit**: [\`${GITHUB_SHA:0:7}\`](https://github.com/anthropics/claude-code-action/commit/${GITHUB_SHA})" >> $GITHUB_STEP_SUMMARY
-          echo "- **Triggered by**: ${{ github.event_name }}" >> $GITHUB_STEP_SUMMARY
-          echo "- **Actor**: @${{ github.actor }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Triggered by**: $GITHUB_EVENT_NAME" >> $GITHUB_STEP_SUMMARY
+          echo "- **Actor**: @$GITHUB_ACTOR" >> $GITHUB_STEP_SUMMARY

.github/workflows/test-base-action.yml

@@ -118,3 +118,61 @@ jobs:
             echo "❌ Execution log file not found"
             exit 1
           fi
+
+  test-agent-sdk:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Test with Agent SDK
+        id: sdk-test
+        uses: ./base-action
+        env:
+          USE_AGENT_SDK: "true"
+        with:
+          prompt: ${{ github.event.inputs.test_prompt || 'List the files in the current directory starting with "package"' }}
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          allowed_tools: "LS,Read"
+
+      - name: Verify SDK output
+        run: |
+          OUTPUT_FILE="${{ steps.sdk-test.outputs.execution_file }}"
+          CONCLUSION="${{ steps.sdk-test.outputs.conclusion }}"
+
+          echo "Conclusion: $CONCLUSION"
+          echo "Output file: $OUTPUT_FILE"
+
+          if [ "$CONCLUSION" = "success" ]; then
+            echo "✅ Action completed successfully with Agent SDK"
+          else
+            echo "❌ Action failed with Agent SDK"
+            exit 1
+          fi
+
+          if [ -f "$OUTPUT_FILE" ]; then
+            if [ -s "$OUTPUT_FILE" ]; then
+              echo "✅ Execution log file created successfully with content"
+              echo "Validating JSON format:"
+              if jq . "$OUTPUT_FILE" > /dev/null 2>&1; then
+                echo "✅ Output is valid JSON"
+                # Verify SDK output contains total_cost_usd (SDK field name)
+                if jq -e '.[] | select(.type == "result") | .total_cost_usd' "$OUTPUT_FILE" > /dev/null 2>&1; then
+                  echo "✅ SDK output contains total_cost_usd field"
+                else
+                  echo "❌ SDK output missing total_cost_usd field"
+                  exit 1
+                fi
+                echo "Content preview:"
+                head -c 500 "$OUTPUT_FILE"
+              else
+                echo "❌ Output is not valid JSON"
+                exit 1
+              fi
+            else
+              echo "❌ Execution log file is empty"
+              exit 1
+            fi
+          else
+            echo "❌ Execution log file not found"
+            exit 1
+          fi

action.yml

@@ -93,10 +93,6 @@ inputs:
     description: "Force tag mode with tracking comments for pull_request and issue events. Only applicable to pull_request (opened, synchronize, ready_for_review, reopened) and issue (opened, edited, labeled, assigned) events."
     required: false
     default: "false"
-  experimental_allowed_domains:
-    description: "Restrict network access to these domains only (newline-separated). If not set, no restrictions are applied. Provider domains are auto-detected."
-    required: false
-    default: ""
   path_to_claude_code_executable:
     description: "Optional path to a custom Claude Code executable. If provided, skips automatic installation and uses this executable instead. WARNING: Using an older version may cause problems if the action begins taking advantage of new Claude Code features. This input is typically not needed unless you're debugging something specific or have unique needs in your environment."
     required: false
@@ -144,10 +140,12 @@ runs:
     - name: Setup Custom Bun Path
       if: inputs.path_to_bun_executable != ''
       shell: bash
+      env:
+        PATH_TO_BUN_EXECUTABLE: ${{ inputs.path_to_bun_executable }}
       run: |
-        echo "Using custom Bun executable: ${{ inputs.path_to_bun_executable }}"
+        echo "Using custom Bun executable: $PATH_TO_BUN_EXECUTABLE"
         # Add the directory containing the custom executable to PATH
-        BUN_DIR=$(dirname "${{ inputs.path_to_bun_executable }}")
+        BUN_DIR=$(dirname "$PATH_TO_BUN_EXECUTABLE")
         echo "$BUN_DIR" >> "$GITHUB_PATH"
 
     - name: Install Dependencies
@@ -186,6 +184,8 @@ runs:
     - name: Install Base Action Dependencies
       if: steps.prepare.outputs.contains_trigger == 'true'
       shell: bash
+      env:
+        PATH_TO_CLAUDE_CODE_EXECUTABLE: ${{ inputs.path_to_claude_code_executable }}
       run: |
         echo "Installing base-action dependencies..."
         cd ${GITHUB_ACTION_PATH}/base-action
@@ -194,48 +194,32 @@ runs:
         cd -
 
         # Install Claude Code if no custom executable is provided
-        if [ -z "${{ inputs.path_to_claude_code_executable }}" ]; then
-          CLAUDE_CODE_VERSION="2.0.50"
+        if [ -z "$PATH_TO_CLAUDE_CODE_EXECUTABLE" ]; then
+          CLAUDE_CODE_VERSION="2.0.62"
           echo "Installing Claude Code v${CLAUDE_CODE_VERSION}..."
           for attempt in 1 2 3; do
             echo "Installation attempt $attempt..."
-            # Cross-platform timeout (GNU timeout not available on macOS)
-            (curl -fsSL https://claude.ai/install.sh | bash -s -- "$CLAUDE_CODE_VERSION") &
-            install_pid=$!
-            ( sleep 120; kill $install_pid 2>/dev/null ) &
-            timeout_pid=$!
-            if wait $install_pid 2>/dev/null; then
-              kill $timeout_pid 2>/dev/null || true
-              wait $timeout_pid 2>/dev/null || true
-              echo "Claude Code installed successfully"
-              break
+            if command -v timeout &> /dev/null; then
+              timeout 120 bash -c "curl -fsSL https://claude.ai/install.sh | bash -s -- $CLAUDE_CODE_VERSION" && break
+            else
+              curl -fsSL https://claude.ai/install.sh | bash -s -- "$CLAUDE_CODE_VERSION" && break
             fi
-            kill $timeout_pid 2>/dev/null || true
-            wait $timeout_pid 2>/dev/null || true
             if [ $attempt -eq 3 ]; then
               echo "Failed to install Claude Code after 3 attempts"
               exit 1
             fi
-            echo "Installation timed out or failed, retrying..."
+            echo "Installation failed, retrying..."
             sleep 5
           done
+          echo "Claude Code installed successfully"
           echo "$HOME/.local/bin" >> "$GITHUB_PATH"
         else
-          echo "Using custom Claude Code executable: ${{ inputs.path_to_claude_code_executable }}"
+          echo "Using custom Claude Code executable: $PATH_TO_CLAUDE_CODE_EXECUTABLE"
           # Add the directory containing the custom executable to PATH
-          CLAUDE_DIR=$(dirname "${{ inputs.path_to_claude_code_executable }}")
+          CLAUDE_DIR=$(dirname "$PATH_TO_CLAUDE_CODE_EXECUTABLE")
           echo "$CLAUDE_DIR" >> "$GITHUB_PATH"
         fi
 
-    - name: Setup Network Restrictions
-      if: steps.prepare.outputs.contains_trigger == 'true' && inputs.experimental_allowed_domains != ''
-      shell: bash
-      run: |
-        chmod +x ${GITHUB_ACTION_PATH}/scripts/setup-network-restrictions.sh
-        ${GITHUB_ACTION_PATH}/scripts/setup-network-restrictions.sh
-      env:
-        EXPERIMENTAL_ALLOWED_DOMAINS: ${{ inputs.experimental_allowed_domains }}
-
     - name: Run Claude Code
       id: claude-code
       if: steps.prepare.outputs.contains_trigger == 'true'

base-action/action.yml

@@ -101,10 +101,12 @@ runs:
     - name: Setup Custom Bun Path
       if: inputs.path_to_bun_executable != ''
       shell: bash
+      env:
+        PATH_TO_BUN_EXECUTABLE: ${{ inputs.path_to_bun_executable }}
       run: |
-        echo "Using custom Bun executable: ${{ inputs.path_to_bun_executable }}"
+        echo "Using custom Bun executable: $PATH_TO_BUN_EXECUTABLE"
         # Add the directory containing the custom executable to PATH
-        BUN_DIR=$(dirname "${{ inputs.path_to_bun_executable }}")
+        BUN_DIR=$(dirname "$PATH_TO_BUN_EXECUTABLE")
         echo "$BUN_DIR" >> "$GITHUB_PATH"
 
     - name: Install Dependencies
@@ -115,36 +117,31 @@ runs:
 
     - name: Install Claude Code
       shell: bash
+      env:
+        PATH_TO_CLAUDE_CODE_EXECUTABLE: ${{ inputs.path_to_claude_code_executable }}
       run: |
-        if [ -z "${{ inputs.path_to_claude_code_executable }}" ]; then
-          CLAUDE_CODE_VERSION="2.0.50"
+        if [ -z "$PATH_TO_CLAUDE_CODE_EXECUTABLE" ]; then
+          CLAUDE_CODE_VERSION="2.0.62"
           echo "Installing Claude Code v${CLAUDE_CODE_VERSION}..."
           for attempt in 1 2 3; do
             echo "Installation attempt $attempt..."
-            # Cross-platform timeout (GNU timeout not available on macOS)
-            (curl -fsSL https://claude.ai/install.sh | bash -s -- "$CLAUDE_CODE_VERSION") &
-            install_pid=$!
-            ( sleep 120; kill $install_pid 2>/dev/null ) &
-            timeout_pid=$!
-            if wait $install_pid 2>/dev/null; then
-              kill $timeout_pid 2>/dev/null || true
-              wait $timeout_pid 2>/dev/null || true
-              echo "Claude Code installed successfully"
-              break
+            if command -v timeout &> /dev/null; then
+              timeout 120 bash -c "curl -fsSL https://claude.ai/install.sh | bash -s -- $CLAUDE_CODE_VERSION" && break
+            else
+              curl -fsSL https://claude.ai/install.sh | bash -s -- "$CLAUDE_CODE_VERSION" && break
             fi
-            kill $timeout_pid 2>/dev/null || true
-            wait $timeout_pid 2>/dev/null || true
             if [ $attempt -eq 3 ]; then
               echo "Failed to install Claude Code after 3 attempts"
               exit 1
             fi
-            echo "Installation timed out or failed, retrying..."
+            echo "Installation failed, retrying..."
             sleep 5
           done
+          echo "Claude Code installed successfully"
         else
-          echo "Using custom Claude Code executable: ${{ inputs.path_to_claude_code_executable }}"
+          echo "Using custom Claude Code executable: $PATH_TO_CLAUDE_CODE_EXECUTABLE"
           # Add the directory containing the custom executable to PATH
-          CLAUDE_DIR=$(dirname "${{ inputs.path_to_claude_code_executable }}")
+          CLAUDE_DIR=$(dirname "$PATH_TO_CLAUDE_CODE_EXECUTABLE")
           echo "$CLAUDE_DIR" >> "$GITHUB_PATH"
         fi
 

base-action/bun.lock

@@ -5,6 +5,7 @@
       "name": "@anthropic-ai/claude-code-base-action",
       "dependencies": {
         "@actions/core": "^1.10.1",
+        "@anthropic-ai/claude-agent-sdk": "^0.1.52",
         "shell-quote": "^1.8.3",
       },
       "devDependencies": {
@@ -25,8 +26,40 @@
 
     "@actions/io": ["@actions/io@1.1.3", "", {}, "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q=="],
 
+    "@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.1.52", "", { "optionalDependencies": { "@img/sharp-darwin-arm64": "^0.33.5", "@img/sharp-darwin-x64": "^0.33.5", "@img/sharp-linux-arm": "^0.33.5", "@img/sharp-linux-arm64": "^0.33.5", "@img/sharp-linux-x64": "^0.33.5", "@img/sharp-linuxmusl-arm64": "^0.33.5", "@img/sharp-linuxmusl-x64": "^0.33.5", "@img/sharp-win32-x64": "^0.33.5" }, "peerDependencies": { "zod": "^3.24.1" } }, "sha512-yF8N05+9NRbqYA/h39jQ726HTQFrdXXp7pEfDNKIJ2c4FdWvEjxBA/8ciZIebN6/PyvGDcbEp3yq2Co4rNpg6A=="],
+
     "@fastify/busboy": ["@fastify/busboy@2.1.1", "", {}, "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA=="],
 
+    "@img/sharp-darwin-arm64": ["@img/sharp-darwin-arm64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-darwin-arm64": "1.0.4" }, "os": "darwin", "cpu": "arm64" }, "sha512-UT4p+iz/2H4twwAoLCqfA9UH5pI6DggwKEGuaPy7nCVQ8ZsiY5PIcrRvD1DzuY3qYL07NtIQcWnBSY/heikIFQ=="],
+
+    "@img/sharp-darwin-x64": ["@img/sharp-darwin-x64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-darwin-x64": "1.0.4" }, "os": "darwin", "cpu": "x64" }, "sha512-fyHac4jIc1ANYGRDxtiqelIbdWkIuQaI84Mv45KvGRRxSAa7o7d1ZKAOBaYbnepLC1WqxfpimdeWfvqqSGwR2Q=="],
+
+    "@img/sharp-libvips-darwin-arm64": ["@img/sharp-libvips-darwin-arm64@1.0.4", "", { "os": "darwin", "cpu": "arm64" }, "sha512-XblONe153h0O2zuFfTAbQYAX2JhYmDHeWikp1LM9Hul9gVPjFY427k6dFEcOL72O01QxQsWi761svJ/ev9xEDg=="],
+
+    "@img/sharp-libvips-darwin-x64": ["@img/sharp-libvips-darwin-x64@1.0.4", "", { "os": "darwin", "cpu": "x64" }, "sha512-xnGR8YuZYfJGmWPvmlunFaWJsb9T/AO2ykoP3Fz/0X5XV2aoYBPkX6xqCQvUTKKiLddarLaxpzNe+b1hjeWHAQ=="],
+
+    "@img/sharp-libvips-linux-arm": ["@img/sharp-libvips-linux-arm@1.0.5", "", { "os": "linux", "cpu": "arm" }, "sha512-gvcC4ACAOPRNATg/ov8/MnbxFDJqf/pDePbBnuBDcjsI8PssmjoKMAz4LtLaVi+OnSb5FK/yIOamqDwGmXW32g=="],
+
+    "@img/sharp-libvips-linux-arm64": ["@img/sharp-libvips-linux-arm64@1.0.4", "", { "os": "linux", "cpu": "arm64" }, "sha512-9B+taZ8DlyyqzZQnoeIvDVR/2F4EbMepXMc/NdVbkzsJbzkUjhXv/70GQJ7tdLA4YJgNP25zukcxpX2/SueNrA=="],
+
+    "@img/sharp-libvips-linux-x64": ["@img/sharp-libvips-linux-x64@1.0.4", "", { "os": "linux", "cpu": "x64" }, "sha512-MmWmQ3iPFZr0Iev+BAgVMb3ZyC4KeFc3jFxnNbEPas60e1cIfevbtuyf9nDGIzOaW9PdnDciJm+wFFaTlj5xYw=="],
+
+    "@img/sharp-libvips-linuxmusl-arm64": ["@img/sharp-libvips-linuxmusl-arm64@1.0.4", "", { "os": "linux", "cpu": "arm64" }, "sha512-9Ti+BbTYDcsbp4wfYib8Ctm1ilkugkA/uscUn6UXK1ldpC1JjiXbLfFZtRlBhjPZ5o1NCLiDbg8fhUPKStHoTA=="],
+
+    "@img/sharp-libvips-linuxmusl-x64": ["@img/sharp-libvips-linuxmusl-x64@1.0.4", "", { "os": "linux", "cpu": "x64" }, "sha512-viYN1KX9m+/hGkJtvYYp+CCLgnJXwiQB39damAO7WMdKWlIhmYTfHjwSbQeUK/20vY154mwezd9HflVFM1wVSw=="],
+
+    "@img/sharp-linux-arm": ["@img/sharp-linux-arm@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-linux-arm": "1.0.5" }, "os": "linux", "cpu": "arm" }, "sha512-JTS1eldqZbJxjvKaAkxhZmBqPRGmxgu+qFKSInv8moZ2AmT5Yib3EQ1c6gp493HvrvV8QgdOXdyaIBrhvFhBMQ=="],
+
+    "@img/sharp-linux-arm64": ["@img/sharp-linux-arm64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-linux-arm64": "1.0.4" }, "os": "linux", "cpu": "arm64" }, "sha512-JMVv+AMRyGOHtO1RFBiJy/MBsgz0x4AWrT6QoEVVTyh1E39TrCUpTRI7mx9VksGX4awWASxqCYLCV4wBZHAYxA=="],
+
+    "@img/sharp-linux-x64": ["@img/sharp-linux-x64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-linux-x64": "1.0.4" }, "os": "linux", "cpu": "x64" }, "sha512-opC+Ok5pRNAzuvq1AG0ar+1owsu842/Ab+4qvU879ippJBHvyY5n2mxF1izXqkPYlGuP/M556uh53jRLJmzTWA=="],
+
+    "@img/sharp-linuxmusl-arm64": ["@img/sharp-linuxmusl-arm64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-linuxmusl-arm64": "1.0.4" }, "os": "linux", "cpu": "arm64" }, "sha512-XrHMZwGQGvJg2V/oRSUfSAfjfPxO+4DkiRh6p2AFjLQztWUuY/o8Mq0eMQVIY7HJ1CDQUJlxGGZRw1a5bqmd1g=="],
+
+    "@img/sharp-linuxmusl-x64": ["@img/sharp-linuxmusl-x64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-linuxmusl-x64": "1.0.4" }, "os": "linux", "cpu": "x64" }, "sha512-WT+d/cgqKkkKySYmqoZ8y3pxx7lx9vVejxW/W4DOFMYVSkErR+w7mf2u8m/y4+xHe7yY9DAXQMWQhpnMuFfScw=="],
+
+    "@img/sharp-win32-x64": ["@img/sharp-win32-x64@0.33.5", "", { "os": "win32", "cpu": "x64" }, "sha512-MpY/o8/8kj+EcnxwvrP4aTJSWw/aZ7JIGR4aBeZkZw5B7/Jn+tY9/VNwtcoGmdT7GfggGIU4kygOMSbYnOrAbg=="],
+
     "@types/bun": ["@types/bun@1.2.19", "", { "dependencies": { "bun-types": "1.2.19" } }, "sha512-d9ZCmrH3CJ2uYKXQIUuZ/pUnTqIvLDS0SK7pFmbx8ma+ziH/FRMoAq5bYpRG7y+w1gl+HgyNZbtqgMq4W4e2Lg=="],
 
     "@types/node": ["@types/node@20.19.9", "", { "dependencies": { "undici-types": "~6.21.0" } }, "sha512-cuVNgarYWZqxRJDQHEB58GEONhOK79QVR/qYx4S7kcUObQvUwvFnYxJuuHUKm2aieN9X3yZB4LZsuYNU1Qphsw=="],
@@ -50,5 +83,7 @@
     "undici": ["undici@5.29.0", "", { "dependencies": { "@fastify/busboy": "^2.0.0" } }, "sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg=="],
 
     "undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="],
+
+    "zod": ["zod@3.25.76", "", {}, "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ=="],
   }
 }

base-action/package.json

@@ -11,6 +11,7 @@
   },
   "dependencies": {
     "@actions/core": "^1.10.1",
+    "@anthropic-ai/claude-agent-sdk": "^0.1.52",
     "shell-quote": "^1.8.3"
   },
   "devDependencies": {

base-action/src/parse-sdk-options.ts

@@ -0,0 +1,149 @@
+import { parse as parseShellArgs } from "shell-quote";
+import type { ClaudeOptions } from "./run-claude";
+import type { Options as SdkOptions } from "@anthropic-ai/claude-agent-sdk";
+
+/**
+ * Result of parsing ClaudeOptions for SDK usage
+ */
+export type ParsedSdkOptions = {
+  sdkOptions: SdkOptions;
+  showFullOutput: boolean;
+  hasJsonSchema: boolean;
+};
+
+// Flags that should accumulate multiple values instead of overwriting
+const ACCUMULATING_FLAGS = new Set(["allowedTools", "disallowedTools"]);
+
+/**
+ * Parse claudeArgs string into extraArgs record for SDK pass-through
+ * The SDK/CLI will handle --mcp-config, --json-schema, etc.
+ * For allowedTools and disallowedTools, multiple occurrences are accumulated (comma-joined).
+ */
+function parseClaudeArgsToExtraArgs(
+  claudeArgs?: string,
+): Record<string, string | null> {
+  if (!claudeArgs?.trim()) return {};
+
+  const result: Record<string, string | null> = {};
+  const args = parseShellArgs(claudeArgs).filter(
+    (arg): arg is string => typeof arg === "string",
+  );
+
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg?.startsWith("--")) {
+      const flag = arg.slice(2);
+      const nextArg = args[i + 1];
+
+      // Check if next arg is a value (not another flag)
+      if (nextArg && !nextArg.startsWith("--")) {
+        // For accumulating flags, join multiple values with commas
+        if (ACCUMULATING_FLAGS.has(flag) && result[flag]) {
+          result[flag] = `${result[flag]},${nextArg}`;
+        } else {
+          result[flag] = nextArg;
+        }
+        i++; // Skip the value
+      } else {
+        result[flag] = null; // Boolean flag
+      }
+    }
+  }
+
+  return result;
+}
+
+/**
+ * Parse ClaudeOptions into SDK-compatible options
+ * Uses extraArgs for CLI pass-through instead of duplicating option parsing
+ */
+export function parseSdkOptions(options: ClaudeOptions): ParsedSdkOptions {
+  // Determine output verbosity
+  const isDebugMode = process.env.ACTIONS_STEP_DEBUG === "true";
+  const showFullOutput = options.showFullOutput === "true" || isDebugMode;
+
+  // Parse claudeArgs into extraArgs for CLI pass-through
+  const extraArgs = parseClaudeArgsToExtraArgs(options.claudeArgs);
+
+  // Detect if --json-schema is present (for hasJsonSchema flag)
+  const hasJsonSchema = "json-schema" in extraArgs;
+
+  // Extract and merge allowedTools from both sources:
+  // 1. From extraArgs (parsed from claudeArgs - contains tag mode's tools)
+  // 2. From options.allowedTools (direct input - may be undefined)
+  // This prevents duplicate flags being overwritten when claudeArgs contains --allowedTools
+  const extraArgsAllowedTools = extraArgs["allowedTools"]
+    ? extraArgs["allowedTools"].split(",").map((t) => t.trim())
+    : [];
+  const directAllowedTools = options.allowedTools
+    ? options.allowedTools.split(",").map((t) => t.trim())
+    : [];
+  const mergedAllowedTools = [
+    ...new Set([...extraArgsAllowedTools, ...directAllowedTools]),
+  ];
+  delete extraArgs["allowedTools"];
+
+  // Same for disallowedTools
+  const extraArgsDisallowedTools = extraArgs["disallowedTools"]
+    ? extraArgs["disallowedTools"].split(",").map((t) => t.trim())
+    : [];
+  const directDisallowedTools = options.disallowedTools
+    ? options.disallowedTools.split(",").map((t) => t.trim())
+    : [];
+  const mergedDisallowedTools = [
+    ...new Set([...extraArgsDisallowedTools, ...directDisallowedTools]),
+  ];
+  delete extraArgs["disallowedTools"];
+
+  // Build custom environment
+  const env: Record<string, string | undefined> = { ...process.env };
+  if (process.env.INPUT_ACTION_INPUTS_PRESENT) {
+    env.GITHUB_ACTION_INPUTS = process.env.INPUT_ACTION_INPUTS_PRESENT;
+  }
+
+  // Build system prompt option - default to claude_code preset
+  let systemPrompt: SdkOptions["systemPrompt"];
+  if (options.systemPrompt) {
+    systemPrompt = options.systemPrompt;
+  } else if (options.appendSystemPrompt) {
+    systemPrompt = {
+      type: "preset",
+      preset: "claude_code",
+      append: options.appendSystemPrompt,
+    };
+  } else {
+    // Default to claude_code preset when no custom prompt is specified
+    systemPrompt = {
+      type: "preset",
+      preset: "claude_code",
+    };
+  }
+
+  // Build SDK options - use merged tools from both direct options and claudeArgs
+  const sdkOptions: SdkOptions = {
+    // Direct options from ClaudeOptions inputs
+    model: options.model,
+    maxTurns: options.maxTurns ? parseInt(options.maxTurns, 10) : undefined,
+    allowedTools:
+      mergedAllowedTools.length > 0 ? mergedAllowedTools : undefined,
+    disallowedTools:
+      mergedDisallowedTools.length > 0 ? mergedDisallowedTools : undefined,
+    systemPrompt,
+    fallbackModel: options.fallbackModel,
+    pathToClaudeCodeExecutable: options.pathToClaudeCodeExecutable,
+
+    // Pass through claudeArgs as extraArgs - CLI handles --mcp-config, --json-schema, etc.
+    // Note: allowedTools and disallowedTools have been removed from extraArgs to prevent duplicates
+    extraArgs,
+    env,
+
+    // Load settings from all sources to pick up CLI-installed plugins, CLAUDE.md, etc.
+    settingSources: ["user", "project", "local"],
+  };
+
+  return {
+    sdkOptions,
+    showFullOutput,
+    hasJsonSchema,
+  };
+}

base-action/src/run-claude-sdk.ts

@@ -0,0 +1,151 @@
+import * as core from "@actions/core";
+import { readFile, writeFile } from "fs/promises";
+import { query } from "@anthropic-ai/claude-agent-sdk";
+import type {
+  SDKMessage,
+  SDKResultMessage,
+} from "@anthropic-ai/claude-agent-sdk";
+import type { ParsedSdkOptions } from "./parse-sdk-options";
+
+const EXECUTION_FILE = `${process.env.RUNNER_TEMP}/claude-execution-output.json`;
+
+/**
+ * Sanitizes SDK output to match CLI sanitization behavior
+ */
+function sanitizeSdkOutput(
+  message: SDKMessage,
+  showFullOutput: boolean,
+): string | null {
+  if (showFullOutput) {
+    return JSON.stringify(message, null, 2);
+  }
+
+  // System initialization - safe to show
+  if (message.type === "system" && message.subtype === "init") {
+    return JSON.stringify(
+      {
+        type: "system",
+        subtype: "init",
+        message: "Claude Code initialized",
+        model: "model" in message ? message.model : "unknown",
+      },
+      null,
+      2,
+    );
+  }
+
+  // Result messages - show sanitized summary
+  if (message.type === "result") {
+    const resultMsg = message as SDKResultMessage;
+    return JSON.stringify(
+      {
+        type: "result",
+        subtype: resultMsg.subtype,
+        is_error: resultMsg.is_error,
+        duration_ms: resultMsg.duration_ms,
+        num_turns: resultMsg.num_turns,
+        total_cost_usd: resultMsg.total_cost_usd,
+        permission_denials: resultMsg.permission_denials,
+      },
+      null,
+      2,
+    );
+  }
+
+  // Suppress other message types in non-full-output mode
+  return null;
+}
+
+/**
+ * Run Claude using the Agent SDK
+ */
+export async function runClaudeWithSdk(
+  promptPath: string,
+  { sdkOptions, showFullOutput, hasJsonSchema }: ParsedSdkOptions,
+): Promise<void> {
+  const prompt = await readFile(promptPath, "utf-8");
+
+  if (!showFullOutput) {
+    console.log(
+      "Running Claude Code via SDK (full output hidden for security)...",
+    );
+    console.log(
+      "Rerun in debug mode or enable `show_full_output: true` in your workflow file for full output.",
+    );
+  }
+
+  console.log(`Running Claude with prompt from file: ${promptPath}`);
+  // Log SDK options without env (which could contain sensitive data)
+  const { env, ...optionsToLog } = sdkOptions;
+  console.log("SDK options:", JSON.stringify(optionsToLog, null, 2));
+
+  const messages: SDKMessage[] = [];
+  let resultMessage: SDKResultMessage | undefined;
+
+  try {
+    for await (const message of query({ prompt, options: sdkOptions })) {
+      messages.push(message);
+
+      const sanitized = sanitizeSdkOutput(message, showFullOutput);
+      if (sanitized) {
+        console.log(sanitized);
+      }
+
+      if (message.type === "result") {
+        resultMessage = message as SDKResultMessage;
+      }
+    }
+  } catch (error) {
+    console.error("SDK execution error:", error);
+    core.setOutput("conclusion", "failure");
+    process.exit(1);
+  }
+
+  // Write execution file
+  try {
+    await writeFile(EXECUTION_FILE, JSON.stringify(messages, null, 2));
+    console.log(`Log saved to ${EXECUTION_FILE}`);
+    core.setOutput("execution_file", EXECUTION_FILE);
+  } catch (error) {
+    core.warning(`Failed to write execution file: ${error}`);
+  }
+
+  if (!resultMessage) {
+    core.setOutput("conclusion", "failure");
+    core.error("No result message received from Claude");
+    process.exit(1);
+  }
+
+  const isSuccess = resultMessage.subtype === "success";
+  core.setOutput("conclusion", isSuccess ? "success" : "failure");
+
+  // Handle structured output
+  if (hasJsonSchema) {
+    if (
+      isSuccess &&
+      "structured_output" in resultMessage &&
+      resultMessage.structured_output
+    ) {
+      const structuredOutputJson = JSON.stringify(
+        resultMessage.structured_output,
+      );
+      core.setOutput("structured_output", structuredOutputJson);
+      core.info(
+        `Set structured_output with ${Object.keys(resultMessage.structured_output as object).length} field(s)`,
+      );
+    } else {
+      core.setFailed(
+        `--json-schema was provided but Claude did not return structured_output. Result subtype: ${resultMessage.subtype}`,
+      );
+      core.setOutput("conclusion", "failure");
+      process.exit(1);
+    }
+  }
+
+  if (!isSuccess) {
+    if ("errors" in resultMessage && resultMessage.errors) {
+      core.error(`Execution failed: ${resultMessage.errors.join(", ")}`);
+    }
+    process.exit(1);
+  }
+}

base-action/src/run-claude.ts

@@ -5,6 +5,8 @@ import { unlink, writeFile, stat, readFile } from "fs/promises";
 import { createWriteStream } from "fs";
 import { spawn } from "child_process";
 import { parse as parseShellArgs } from "shell-quote";
+import { runClaudeWithSdk } from "./run-claude-sdk";
+import { parseSdkOptions } from "./parse-sdk-options";
 
 const execAsync = promisify(exec);
 
@@ -165,6 +167,17 @@ export async function parseAndSetStructuredOutputs(
 }
 
 export async function runClaude(promptPath: string, options: ClaudeOptions) {
+  // Feature flag: use SDK path when USE_AGENT_SDK=true
+  const useAgentSdk = process.env.USE_AGENT_SDK === "true";
+  console.log(
+    `Using ${useAgentSdk ? "Agent SDK" : "CLI"} path (USE_AGENT_SDK=${process.env.USE_AGENT_SDK ?? "unset"})`,
+  );
+
+  if (useAgentSdk) {
+    const parsedOptions = parseSdkOptions(options);
+    return runClaudeWithSdk(promptPath, parsedOptions);
+  }
+
   const config = prepareRunConfig(promptPath, options);
 
   // Detect if --json-schema is present in claude args

base-action/test/parse-sdk-options.test.ts

@@ -0,0 +1,163 @@
+#!/usr/bin/env bun
+
+import { describe, test, expect } from "bun:test";
+import { parseSdkOptions } from "../src/parse-sdk-options";
+import type { ClaudeOptions } from "../src/run-claude";
+
+describe("parseSdkOptions", () => {
+  describe("allowedTools merging", () => {
+    test("should extract allowedTools from claudeArgs", () => {
+      const options: ClaudeOptions = {
+        claudeArgs: '--allowedTools "Edit,Read,Write"',
+      };
+
+      const result = parseSdkOptions(options);
+
+      expect(result.sdkOptions.allowedTools).toEqual(["Edit", "Read", "Write"]);
+      expect(result.sdkOptions.extraArgs?.["allowedTools"]).toBeUndefined();
+    });
+
+    test("should extract allowedTools from claudeArgs with MCP tools", () => {
+      const options: ClaudeOptions = {
+        claudeArgs:
+          '--allowedTools "Edit,Read,mcp__github_comment__update_claude_comment"',
+      };
+
+      const result = parseSdkOptions(options);
+
+      expect(result.sdkOptions.allowedTools).toEqual([
+        "Edit",
+        "Read",
+        "mcp__github_comment__update_claude_comment",
+      ]);
+    });
+
+    test("should accumulate multiple --allowedTools flags from claudeArgs", () => {
+      // This simulates tag mode adding its tools, then user adding their own
+      const options: ClaudeOptions = {
+        claudeArgs:
+          '--allowedTools "Edit,Read,mcp__github_comment__update_claude_comment" --model "claude-3" --allowedTools "Bash(npm install),mcp__github__get_issue"',
+      };
+
+      const result = parseSdkOptions(options);
+
+      expect(result.sdkOptions.allowedTools).toEqual([
+        "Edit",
+        "Read",
+        "mcp__github_comment__update_claude_comment",
+        "Bash(npm install)",
+        "mcp__github__get_issue",
+      ]);
+    });
+
+    test("should merge allowedTools from both claudeArgs and direct options", () => {
+      const options: ClaudeOptions = {
+        claudeArgs: '--allowedTools "Edit,Read"',
+        allowedTools: "Write,Glob",
+      };
+
+      const result = parseSdkOptions(options);
+
+      expect(result.sdkOptions.allowedTools).toEqual([
+        "Edit",
+        "Read",
+        "Write",
+        "Glob",
+      ]);
+    });
+
+    test("should deduplicate allowedTools when merging", () => {
+      const options: ClaudeOptions = {
+        claudeArgs: '--allowedTools "Edit,Read"',
+        allowedTools: "Edit,Write",
+      };
+
+      const result = parseSdkOptions(options);
+
+      expect(result.sdkOptions.allowedTools).toEqual(["Edit", "Read", "Write"]);
+    });
+
+    test("should use only direct options when claudeArgs has no allowedTools", () => {
+      const options: ClaudeOptions = {
+        claudeArgs: '--model "claude-3-5-sonnet"',
+        allowedTools: "Edit,Read",
+      };
+
+      const result = parseSdkOptions(options);
+
+      expect(result.sdkOptions.allowedTools).toEqual(["Edit", "Read"]);
+    });
+
+    test("should return undefined allowedTools when neither source has it", () => {
+      const options: ClaudeOptions = {
+        claudeArgs: '--model "claude-3-5-sonnet"',
+      };
+
+      const result = parseSdkOptions(options);
+
+      expect(result.sdkOptions.allowedTools).toBeUndefined();
+    });
+
+    test("should remove allowedTools from extraArgs after extraction", () => {
+      const options: ClaudeOptions = {
+        claudeArgs: '--allowedTools "Edit,Read" --model "claude-3-5-sonnet"',
+      };
+
+      const result = parseSdkOptions(options);
+
+      expect(result.sdkOptions.extraArgs?.["allowedTools"]).toBeUndefined();
+      expect(result.sdkOptions.extraArgs?.["model"]).toBe("claude-3-5-sonnet");
+    });
+  });
+
+  describe("disallowedTools merging", () => {
+    test("should extract disallowedTools from claudeArgs", () => {
+      const options: ClaudeOptions = {
+        claudeArgs: '--disallowedTools "Bash,Write"',
+      };
+
+      const result = parseSdkOptions(options);
+
+      expect(result.sdkOptions.disallowedTools).toEqual(["Bash", "Write"]);
+      expect(result.sdkOptions.extraArgs?.["disallowedTools"]).toBeUndefined();
+    });
+
+    test("should merge disallowedTools from both sources", () => {
+      const options: ClaudeOptions = {
+        claudeArgs: '--disallowedTools "Bash"',
+        disallowedTools: "Write",
+      };
+
+      const result = parseSdkOptions(options);
+
+      expect(result.sdkOptions.disallowedTools).toEqual(["Bash", "Write"]);
+    });
+  });
+
+  describe("other extraArgs passthrough", () => {
+    test("should pass through mcp-config in extraArgs", () => {
+      const options: ClaudeOptions = {
+        claudeArgs: `--mcp-config '{"mcpServers":{}}' --allowedTools "Edit"`,
+      };
+
+      const result = parseSdkOptions(options);
+
+      expect(result.sdkOptions.extraArgs?.["mcp-config"]).toBe(
+        '{"mcpServers":{}}',
+      );
+    });
+
+    test("should pass through json-schema in extraArgs", () => {
+      const options: ClaudeOptions = {
+        claudeArgs: `--json-schema '{"type":"object"}'`,
+      };
+
+      const result = parseSdkOptions(options);
+
+      expect(result.sdkOptions.extraArgs?.["json-schema"]).toBe(
+        '{"type":"object"}',
+      );
+      expect(result.hasJsonSchema).toBe(true);
+    });
+  });
+});

bun.lock

@@ -6,6 +6,7 @@
       "dependencies": {
         "@actions/core": "^1.10.1",
         "@actions/github": "^6.0.1",
+        "@anthropic-ai/claude-agent-sdk": "^0.1.52",
         "@modelcontextprotocol/sdk": "^1.11.0",
         "@octokit/graphql": "^8.2.2",
         "@octokit/rest": "^21.1.1",
@@ -35,8 +36,40 @@
 
     "@actions/io": ["@actions/io@1.1.3", "", {}, "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q=="],
 
+    "@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.1.52", "", { "optionalDependencies": { "@img/sharp-darwin-arm64": "^0.33.5", "@img/sharp-darwin-x64": "^0.33.5", "@img/sharp-linux-arm": "^0.33.5", "@img/sharp-linux-arm64": "^0.33.5", "@img/sharp-linux-x64": "^0.33.5", "@img/sharp-linuxmusl-arm64": "^0.33.5", "@img/sharp-linuxmusl-x64": "^0.33.5", "@img/sharp-win32-x64": "^0.33.5" }, "peerDependencies": { "zod": "^3.24.1" } }, "sha512-yF8N05+9NRbqYA/h39jQ726HTQFrdXXp7pEfDNKIJ2c4FdWvEjxBA/8ciZIebN6/PyvGDcbEp3yq2Co4rNpg6A=="],
+
     "@fastify/busboy": ["@fastify/busboy@2.1.1", "", {}, "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA=="],
 
+    "@img/sharp-darwin-arm64": ["@img/sharp-darwin-arm64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-darwin-arm64": "1.0.4" }, "os": "darwin", "cpu": "arm64" }, "sha512-UT4p+iz/2H4twwAoLCqfA9UH5pI6DggwKEGuaPy7nCVQ8ZsiY5PIcrRvD1DzuY3qYL07NtIQcWnBSY/heikIFQ=="],
+
+    "@img/sharp-darwin-x64": ["@img/sharp-darwin-x64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-darwin-x64": "1.0.4" }, "os": "darwin", "cpu": "x64" }, "sha512-fyHac4jIc1ANYGRDxtiqelIbdWkIuQaI84Mv45KvGRRxSAa7o7d1ZKAOBaYbnepLC1WqxfpimdeWfvqqSGwR2Q=="],
+
+    "@img/sharp-libvips-darwin-arm64": ["@img/sharp-libvips-darwin-arm64@1.0.4", "", { "os": "darwin", "cpu": "arm64" }, "sha512-XblONe153h0O2zuFfTAbQYAX2JhYmDHeWikp1LM9Hul9gVPjFY427k6dFEcOL72O01QxQsWi761svJ/ev9xEDg=="],
+
+    "@img/sharp-libvips-darwin-x64": ["@img/sharp-libvips-darwin-x64@1.0.4", "", { "os": "darwin", "cpu": "x64" }, "sha512-xnGR8YuZYfJGmWPvmlunFaWJsb9T/AO2ykoP3Fz/0X5XV2aoYBPkX6xqCQvUTKKiLddarLaxpzNe+b1hjeWHAQ=="],
+
+    "@img/sharp-libvips-linux-arm": ["@img/sharp-libvips-linux-arm@1.0.5", "", { "os": "linux", "cpu": "arm" }, "sha512-gvcC4ACAOPRNATg/ov8/MnbxFDJqf/pDePbBnuBDcjsI8PssmjoKMAz4LtLaVi+OnSb5FK/yIOamqDwGmXW32g=="],
+
+    "@img/sharp-libvips-linux-arm64": ["@img/sharp-libvips-linux-arm64@1.0.4", "", { "os": "linux", "cpu": "arm64" }, "sha512-9B+taZ8DlyyqzZQnoeIvDVR/2F4EbMepXMc/NdVbkzsJbzkUjhXv/70GQJ7tdLA4YJgNP25zukcxpX2/SueNrA=="],
+
+    "@img/sharp-libvips-linux-x64": ["@img/sharp-libvips-linux-x64@1.0.4", "", { "os": "linux", "cpu": "x64" }, "sha512-MmWmQ3iPFZr0Iev+BAgVMb3ZyC4KeFc3jFxnNbEPas60e1cIfevbtuyf9nDGIzOaW9PdnDciJm+wFFaTlj5xYw=="],
+
+    "@img/sharp-libvips-linuxmusl-arm64": ["@img/sharp-libvips-linuxmusl-arm64@1.0.4", "", { "os": "linux", "cpu": "arm64" }, "sha512-9Ti+BbTYDcsbp4wfYib8Ctm1ilkugkA/uscUn6UXK1ldpC1JjiXbLfFZtRlBhjPZ5o1NCLiDbg8fhUPKStHoTA=="],
+
+    "@img/sharp-libvips-linuxmusl-x64": ["@img/sharp-libvips-linuxmusl-x64@1.0.4", "", { "os": "linux", "cpu": "x64" }, "sha512-viYN1KX9m+/hGkJtvYYp+CCLgnJXwiQB39damAO7WMdKWlIhmYTfHjwSbQeUK/20vY154mwezd9HflVFM1wVSw=="],
+
+    "@img/sharp-linux-arm": ["@img/sharp-linux-arm@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-linux-arm": "1.0.5" }, "os": "linux", "cpu": "arm" }, "sha512-JTS1eldqZbJxjvKaAkxhZmBqPRGmxgu+qFKSInv8moZ2AmT5Yib3EQ1c6gp493HvrvV8QgdOXdyaIBrhvFhBMQ=="],
+
+    "@img/sharp-linux-arm64": ["@img/sharp-linux-arm64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-linux-arm64": "1.0.4" }, "os": "linux", "cpu": "arm64" }, "sha512-JMVv+AMRyGOHtO1RFBiJy/MBsgz0x4AWrT6QoEVVTyh1E39TrCUpTRI7mx9VksGX4awWASxqCYLCV4wBZHAYxA=="],
+
+    "@img/sharp-linux-x64": ["@img/sharp-linux-x64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-linux-x64": "1.0.4" }, "os": "linux", "cpu": "x64" }, "sha512-opC+Ok5pRNAzuvq1AG0ar+1owsu842/Ab+4qvU879ippJBHvyY5n2mxF1izXqkPYlGuP/M556uh53jRLJmzTWA=="],
+
+    "@img/sharp-linuxmusl-arm64": ["@img/sharp-linuxmusl-arm64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-linuxmusl-arm64": "1.0.4" }, "os": "linux", "cpu": "arm64" }, "sha512-XrHMZwGQGvJg2V/oRSUfSAfjfPxO+4DkiRh6p2AFjLQztWUuY/o8Mq0eMQVIY7HJ1CDQUJlxGGZRw1a5bqmd1g=="],
+
+    "@img/sharp-linuxmusl-x64": ["@img/sharp-linuxmusl-x64@0.33.5", "", { "optionalDependencies": { "@img/sharp-libvips-linuxmusl-x64": "1.0.4" }, "os": "linux", "cpu": "x64" }, "sha512-WT+d/cgqKkkKySYmqoZ8y3pxx7lx9vVejxW/W4DOFMYVSkErR+w7mf2u8m/y4+xHe7yY9DAXQMWQhpnMuFfScw=="],
+
+    "@img/sharp-win32-x64": ["@img/sharp-win32-x64@0.33.5", "", { "os": "win32", "cpu": "x64" }, "sha512-MpY/o8/8kj+EcnxwvrP4aTJSWw/aZ7JIGR4aBeZkZw5B7/Jn+tY9/VNwtcoGmdT7GfggGIU4kygOMSbYnOrAbg=="],
+
     "@modelcontextprotocol/sdk": ["@modelcontextprotocol/sdk@1.16.0", "", { "dependencies": { "ajv": "^6.12.6", "content-type": "^1.0.5", "cors": "^2.8.5", "cross-spawn": "^7.0.5", "eventsource": "^3.0.2", "eventsource-parser": "^3.0.0", "express": "^5.0.1", "express-rate-limit": "^7.5.0", "pkce-challenge": "^5.0.0", "raw-body": "^3.0.0", "zod": "^3.23.8", "zod-to-json-schema": "^3.24.1" } }, "sha512-8ofX7gkZcLj9H9rSd50mCgm3SSF8C7XoclxJuLoV0Cz3rEQ1tv9MZRYYvJtm9n1BiEQQMzSmE/w2AEkNacLYfg=="],
 
     "@octokit/auth-token": ["@octokit/auth-token@4.0.0", "", {}, "sha512-tY/msAuJo6ARbK6SPIxZrPBms3xPbfwBrulZe0Wtr/DIY9lje2HeV1uoebShn6mx7SjCHif6EjMvoREj+gZ+SA=="],

docs/experimental.md

@@ -61,68 +61,3 @@ For specialized use cases, you can fine-tune behavior using `claude_args`:
       --system-prompt "You are a code review specialist"
     anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
 ```
-
-## Network Restrictions
-
-For enhanced security, you can restrict Claude's network access to specific domains only. This feature is particularly useful for:
-
-- Enterprise environments with strict security policies
-- Preventing access to external services
-- Limiting Claude to only your internal APIs and services
-
-When `experimental_allowed_domains` is set, Claude can only access the domains you explicitly list. You'll need to include the appropriate provider domains based on your authentication method.
-
-### Provider-Specific Examples
-
-#### If using Anthropic API or subscription
-
-```yaml
-- uses: anthropics/claude-code-action@v1
-  with:
-    anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-    # Or: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-    experimental_allowed_domains: |
-      .anthropic.com
-```
-
-#### If using AWS Bedrock
-
-```yaml
-- uses: anthropics/claude-code-action@v1
-  with:
-    use_bedrock: "true"
-    experimental_allowed_domains: |
-      bedrock.*.amazonaws.com
-      bedrock-runtime.*.amazonaws.com
-```
-
-#### If using Google Vertex AI
-
-```yaml
-- uses: anthropics/claude-code-action@v1
-  with:
-    use_vertex: "true"
-    experimental_allowed_domains: |
-      *.googleapis.com
-      vertexai.googleapis.com
-```
-
-### Common GitHub Domains
-
-In addition to your provider domains, you may need to include GitHub-related domains. For GitHub.com users, common domains include:
-
-```yaml
-- uses: anthropics/claude-code-action@v1
-  with:
-    anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-    experimental_allowed_domains: |
-      .anthropic.com  # For Anthropic API
-      .github.com
-      .githubusercontent.com
-      ghcr.io
-      .blob.core.windows.net
-```
-
-For GitHub Enterprise users, replace the GitHub.com domains above with your enterprise domains (e.g., `.github.company.com`, `packages.company.com`, etc.).
-
-To determine which domains your workflow needs, you can temporarily run without restrictions and monitor the network requests, or check your GitHub Enterprise configuration for the specific services you use.

docs/usage.md

@@ -70,7 +70,6 @@ jobs:
 | `branch_prefix`                  | The prefix to use for Claude branches (defaults to 'claude/', use 'claude-' for dash format)                                                                                           | No       | `claude/`     |
 | `settings`                       | Claude Code settings as JSON string or path to settings JSON file                                                                                                                      | No       | ""            |
 | `additional_permissions`         | Additional permissions to enable. Currently supports 'actions: read' for viewing workflow results                                                                                      | No       | ""            |
-| `experimental_allowed_domains`   | Restrict network access to these domains only (newline-separated).                                                                                                                     | No       | ""            |
 | `use_commit_signing`             | Enable commit signing using GitHub's commit signature verification. When false, Claude uses standard git commands                                                                      | No       | `false`       |
 | `bot_id`                         | GitHub user ID to use for git operations (defaults to Claude's bot ID)                                                                                                                 | No       | `41898282`    |
 | `bot_name`                       | GitHub username to use for git operations (defaults to Claude's bot name)                                                                                                              | No       | `claude[bot]` |

package.json

@@ -12,6 +12,7 @@
   "dependencies": {
     "@actions/core": "^1.10.1",
     "@actions/github": "^6.0.1",
+    "@anthropic-ai/claude-agent-sdk": "^0.1.52",
     "@modelcontextprotocol/sdk": "^1.11.0",
     "@octokit/graphql": "^8.2.2",
     "@octokit/rest": "^21.1.1",

scripts/setup-network-restrictions.sh

@@ -1,123 +0,0 @@
-#!/bin/bash
-
-# Setup Network Restrictions with Squid Proxy
-# This script sets up a Squid proxy to restrict network access to whitelisted domains only.
-
-set -e
-
-# Check if experimental_allowed_domains is provided
-if [ -z "$EXPERIMENTAL_ALLOWED_DOMAINS" ]; then
-  echo "ERROR: EXPERIMENTAL_ALLOWED_DOMAINS environment variable is required"
-  exit 1
-fi
-
-# Check required environment variables
-if [ -z "$RUNNER_TEMP" ]; then
-  echo "ERROR: RUNNER_TEMP environment variable is required"
-  exit 1
-fi
-
-if [ -z "$GITHUB_ENV" ]; then
-  echo "ERROR: GITHUB_ENV environment variable is required"
-  exit 1
-fi
-
-echo "Setting up network restrictions with Squid proxy..."
-
-SQUID_START_TIME=$(date +%s.%N)
-
-# Create whitelist file
-echo "$EXPERIMENTAL_ALLOWED_DOMAINS" > $RUNNER_TEMP/whitelist.txt
-
-# Ensure each domain has proper format
-# If domain doesn't start with a dot and isn't an IP, add the dot for subdomain matching
-mv $RUNNER_TEMP/whitelist.txt $RUNNER_TEMP/whitelist.txt.orig
-while IFS= read -r domain; do
-  if [ -n "$domain" ]; then
-    # Trim whitespace
-    domain=$(echo "$domain" | xargs)
-    # If it's not empty and doesn't start with a dot, add one
-    if [[ "$domain" != .* ]] && [[ ! "$domain" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-      echo ".$domain" >> $RUNNER_TEMP/whitelist.txt
-    else
-      echo "$domain" >> $RUNNER_TEMP/whitelist.txt
-    fi
-  fi
-done < $RUNNER_TEMP/whitelist.txt.orig
-
-# Create Squid config with whitelist
-echo "http_port 3128" > $RUNNER_TEMP/squid.conf
-echo "" >> $RUNNER_TEMP/squid.conf
-echo "# Define ACLs" >> $RUNNER_TEMP/squid.conf
-echo "acl whitelist dstdomain \"/etc/squid/whitelist.txt\"" >> $RUNNER_TEMP/squid.conf
-echo "acl localnet src 127.0.0.1/32" >> $RUNNER_TEMP/squid.conf
-echo "acl localnet src 172.17.0.0/16" >> $RUNNER_TEMP/squid.conf
-echo "acl SSL_ports port 443" >> $RUNNER_TEMP/squid.conf
-echo "acl Safe_ports port 80" >> $RUNNER_TEMP/squid.conf
-echo "acl Safe_ports port 443" >> $RUNNER_TEMP/squid.conf
-echo "acl CONNECT method CONNECT" >> $RUNNER_TEMP/squid.conf
-echo "" >> $RUNNER_TEMP/squid.conf
-echo "# Deny requests to certain unsafe ports" >> $RUNNER_TEMP/squid.conf
-echo "http_access deny !Safe_ports" >> $RUNNER_TEMP/squid.conf
-echo "" >> $RUNNER_TEMP/squid.conf
-echo "# Only allow CONNECT to SSL ports" >> $RUNNER_TEMP/squid.conf
-echo "http_access deny CONNECT !SSL_ports" >> $RUNNER_TEMP/squid.conf
-echo "" >> $RUNNER_TEMP/squid.conf
-echo "# Allow localhost" >> $RUNNER_TEMP/squid.conf
-echo "http_access allow localhost" >> $RUNNER_TEMP/squid.conf
-echo "" >> $RUNNER_TEMP/squid.conf
-echo "# Allow localnet access to whitelisted domains" >> $RUNNER_TEMP/squid.conf
-echo "http_access allow localnet whitelist" >> $RUNNER_TEMP/squid.conf
-echo "" >> $RUNNER_TEMP/squid.conf
-echo "# Deny everything else" >> $RUNNER_TEMP/squid.conf
-echo "http_access deny all" >> $RUNNER_TEMP/squid.conf
-
-echo "Starting Squid proxy..."
-# First, remove any existing container
-sudo docker rm -f squid-proxy 2>/dev/null || true
-
-# Ensure whitelist file is not empty (Squid fails with empty files)
-if [ ! -s "$RUNNER_TEMP/whitelist.txt" ]; then
-  echo "WARNING: Whitelist file is empty, adding a dummy entry"
-  echo ".example.com" >> $RUNNER_TEMP/whitelist.txt
-fi
-
-# Use sudo to prevent Claude from stopping the container
-CONTAINER_ID=$(sudo docker run -d \
-  --name squid-proxy \
-  -p 127.0.0.1:3128:3128 \
-  -v $RUNNER_TEMP/squid.conf:/etc/squid/squid.conf:ro \
-  -v $RUNNER_TEMP/whitelist.txt:/etc/squid/whitelist.txt:ro \
-  ubuntu/squid:latest 2>&1) || {
-  echo "ERROR: Failed to start Squid container"
-  exit 1
-}
-
-# Wait for proxy to be ready (usually < 1 second)
-READY=false
-for i in {1..30}; do
-  if nc -z 127.0.0.1 3128 2>/dev/null; then
-    TOTAL_TIME=$(echo "scale=3; $(date +%s.%N) - $SQUID_START_TIME" | bc)
-    echo "Squid proxy ready in ${TOTAL_TIME}s"
-    READY=true
-    break
-  fi
-  sleep 0.1
-done
-
-if [ "$READY" != "true" ]; then
-  echo "ERROR: Squid proxy failed to start within 3 seconds"
-  echo "Container logs:"
-  sudo docker logs squid-proxy 2>&1 || true
-  echo "Container status:"
-  sudo docker ps -a | grep squid-proxy || true
-  exit 1
-fi
-
-# Set proxy environment variables
-echo "http_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
-echo "https_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
-echo "HTTP_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
-echo "HTTPS_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
-
-echo "Network restrictions setup completed successfully"

src/create-prompt/index.ts

@@ -192,11 +192,6 @@ export function prepareContext(
       if (!isPR) {
         throw new Error("IS_PR must be true for pull_request_review event");
       }
-      if (!commentBody) {
-        throw new Error(
-          "COMMENT_BODY is required for pull_request_review event",
-        );
-      }
       eventData = {
         eventName: "pull_request_review",
         isPR: true,
@@ -464,6 +459,123 @@ export function generatePrompt(
   return mode.generatePrompt(context, githubData, useCommitSigning);
 }
 
+/**
+ * Generates a simplified prompt for tag mode (opt-in via USE_SIMPLE_PROMPT env var)
+ * @internal
+ */
+function generateSimplePrompt(
+  context: PreparedContext,
+  githubData: FetchDataResult,
+  useCommitSigning: boolean = false,
+): string {
+  const {
+    contextData,
+    comments,
+    changedFilesWithSHA,
+    reviewData,
+    imageUrlMap,
+  } = githubData;
+  const { eventData } = context;
+
+  const { triggerContext } = getEventTypeAndContext(context);
+
+  const formattedContext = formatContext(contextData, eventData.isPR);
+  const formattedComments = formatComments(comments, imageUrlMap);
+  const formattedReviewComments = eventData.isPR
+    ? formatReviewComments(reviewData, imageUrlMap)
+    : "";
+  const formattedChangedFiles = eventData.isPR
+    ? formatChangedFilesWithSHA(changedFilesWithSHA)
+    : "";
+
+  const hasImages = imageUrlMap && imageUrlMap.size > 0;
+  const imagesInfo = hasImages
+    ? `\n\n<images_info>
+Images from comments have been saved to disk. Paths are in the formatted content above. Use Read tool to view them.
+</images_info>`
+    : "";
+
+  const formattedBody = contextData?.body
+    ? formatBody(contextData.body, imageUrlMap)
+    : "No description provided";
+
+  const entityType = eventData.isPR ? "pull request" : "issue";
+  const jobUrl = `${GITHUB_SERVER_URL}/${context.repository}/actions/runs/${process.env.GITHUB_RUN_ID}`;
+
+  let promptContent = `You were tagged on a GitHub ${entityType} via "${context.triggerPhrase}". Read the request and decide how to help.
+
+<context>
+${formattedContext}
+</context>
+
+<${eventData.isPR ? "pr" : "issue"}_body>
+${formattedBody}
+</${eventData.isPR ? "pr" : "issue"}_body>
+
+<comments>
+${formattedComments || "No comments"}
+</comments>
+${
+  eventData.isPR
+    ? `
+<review_comments>
+${formattedReviewComments || "No review comments"}
+</review_comments>
+
+<changed_files>
+${formattedChangedFiles || "No files changed"}
+</changed_files>`
+    : ""
+}${imagesInfo}
+
+<metadata>
+repository: ${context.repository}
+${eventData.isPR && eventData.prNumber ? `pr_number: ${eventData.prNumber}` : ""}
+${!eventData.isPR && eventData.issueNumber ? `issue_number: ${eventData.issueNumber}` : ""}
+trigger: ${triggerContext}
+triggered_by: ${context.triggerUsername ?? "Unknown"}
+claude_comment_id: ${context.claudeCommentId}
+</metadata>
+${
+  (eventData.eventName === "issue_comment" ||
+    eventData.eventName === "pull_request_review_comment" ||
+    eventData.eventName === "pull_request_review") &&
+  eventData.commentBody
+    ? `
+<trigger_comment>
+${sanitizeContent(eventData.commentBody)}
+</trigger_comment>`
+    : ""
+}
+
+Your request is in <trigger_comment> above${eventData.eventName === "issues" ? ` (or the ${entityType} body for assigned/labeled events)` : ""}.
+
+Decide what's being asked:
+1. **Question or code review** - Answer directly or provide feedback
+2. **Code change** - Implement the change, commit, and push
+
+Communication:
+- Your ONLY visible output is your GitHub comment - update it with progress and results
+- Use mcp__github_comment__update_claude_comment to update (only "body" param needed)
+- Use checklist format for tasks: - [ ] incomplete, - [x] complete
+- Use ### headers (not #)
+${getCommitInstructions(eventData, githubData, context, useCommitSigning)}
+${
+  eventData.claudeBranch
+    ? `
+When done with changes, provide a PR link:
+[Create a PR](${GITHUB_SERVER_URL}/${context.repository}/compare/${eventData.baseBranch}...${eventData.claudeBranch}?quick_pull=1&title=<url-encoded-title>&body=<url-encoded-body>)
+Use THREE dots (...) between branches. URL-encode all parameters.`
+    : ""
+}
+
+Always include at the bottom:
+- Job link: [View job run](${jobUrl})
+- Follow the repo's CLAUDE.md file for project-specific guidelines`;
+
+  return promptContent;
+}
+
 /**
  * Generates the default prompt for tag mode
  * @internal
@@ -473,6 +585,10 @@ export function generateDefaultPrompt(
   githubData: FetchDataResult,
   useCommitSigning: boolean = false,
 ): string {
+  // Use simplified prompt if opted in
+  if (process.env.USE_SIMPLE_PROMPT === "true") {
+    return generateSimplePrompt(context, githubData, useCommitSigning);
+  }
   const {
     contextData,
     comments,

src/create-prompt/types.ts

@@ -23,7 +23,7 @@ type PullRequestReviewEvent = {
   eventName: "pull_request_review";
   isPR: true;
   prNumber: string;
-  commentBody: string;
+  commentBody?: string; // May be absent for approvals without comments
   claudeBranch?: string;
   baseBranch?: string;
 };

src/entrypoints/collect-inputs.ts

@@ -26,7 +26,6 @@ export function collectActionInputsPresence(): void {
     max_turns: "",
     use_sticky_comment: "false",
     use_commit_signing: "false",
-    experimental_allowed_domains: "",
   };
 
   const allInputsJson = process.env.ALL_INPUTS;

src/entrypoints/update-comment-link.ts

@@ -15,6 +15,20 @@ import { GITHUB_SERVER_URL } from "../github/api/config";
 import { checkAndCommitOrDeleteBranch } from "../github/operations/branch-cleanup";
 import { updateClaudeComment } from "../github/operations/comments/update-claude-comment";
 
+/**
+ * Encodes a branch name for use in a URL, preserving forward slashes.
+ * GitHub expects literal slashes in branch names (e.g., /tree/feature/branch)
+ * but other special characters like parentheses need to be encoded.
+ * Note: encodeURIComponent doesn't encode ( ) ! ' * ~ per RFC 3986,
+ * but parentheses break markdown links so we encode them manually.
+ */
+function encodeBranchName(branchName: string): string {
+  return encodeURIComponent(branchName)
+    .replace(/%2F/gi, "/")
+    .replace(/\(/g, "%28")
+    .replace(/\)/g, "%29");
+}
+
 async function run() {
   try {
     const commentId = parseInt(process.env.CLAUDE_COMMENT_ID!);
@@ -140,7 +154,7 @@ async function run() {
             const prBody = encodeURIComponent(
               `This PR addresses ${entityType.toLowerCase()} #${context.entityNumber}\n\nGenerated with [Claude Code](https://claude.ai/code)`,
             );
-            const prUrl = `${serverUrl}/${owner}/${repo}/compare/${baseBranch}...${claudeBranch}?quick_pull=1&title=${prTitle}&body=${prBody}`;
+            const prUrl = `${serverUrl}/${owner}/${repo}/compare/${encodeBranchName(baseBranch)}...${encodeBranchName(claudeBranch)}?quick_pull=1&title=${prTitle}&body=${prBody}`;
             prLink = `\n[Create a PR](${prUrl})`;
           }
         } catch (error) {
@@ -152,7 +166,7 @@ async function run() {
 
     // Check if action failed and read output file for execution details
     let executionDetails: {
-      cost_usd?: number;
+      total_cost_usd?: number;
       duration_ms?: number;
       duration_api_ms?: number;
     } | null = null;
@@ -179,11 +193,11 @@ async function run() {
             const lastElement = outputData[outputData.length - 1];
             if (
               lastElement.type === "result" &&
-              "cost_usd" in lastElement &&
+              "total_cost_usd" in lastElement &&
               "duration_ms" in lastElement
             ) {
               executionDetails = {
-                cost_usd: lastElement.cost_usd,
+                total_cost_usd: lastElement.total_cost_usd,
                 duration_ms: lastElement.duration_ms,
                 duration_api_ms: lastElement.duration_api_ms,
               };

src/github/api/queries/github.ts

@@ -13,6 +13,8 @@ export const PR_QUERY = `
         headRefName
         headRefOid
         createdAt
+        updatedAt
+        lastEditedAt
         additions
         deletions
         state
@@ -96,6 +98,8 @@ export const ISSUE_QUERY = `
           login
         }
         createdAt
+        updatedAt
+        lastEditedAt
         state
         comments(first: 100) {
           nodes {

src/github/data/fetcher.ts

@@ -107,6 +107,38 @@ export function filterReviewsToTriggerTime<
   });
 }
 
+/**
+ * Checks if the issue/PR body was edited after the trigger time.
+ * This prevents a race condition where an attacker could edit the issue/PR body
+ * between when an authorized user triggered Claude and when Claude processes the request.
+ *
+ * @param contextData - The PR or issue data containing body and edit timestamps
+ * @param triggerTime - ISO timestamp of when the trigger event occurred
+ * @returns true if the body is safe to use, false if it was edited after trigger
+ */
+export function isBodySafeToUse(
+  contextData: { createdAt: string; updatedAt?: string; lastEditedAt?: string },
+  triggerTime: string | undefined,
+): boolean {
+  // If no trigger time is available, we can't validate - allow the body
+  // This maintains backwards compatibility for triggers that don't have timestamps
+  if (!triggerTime) return true;
+
+  const triggerTimestamp = new Date(triggerTime).getTime();
+
+  // Check if the body was edited after the trigger
+  // Use lastEditedAt if available (more accurate for body edits), otherwise fall back to updatedAt
+  const lastEditTime = contextData.lastEditedAt || contextData.updatedAt;
+  if (lastEditTime) {
+    const lastEditTimestamp = new Date(lastEditTime).getTime();
+    if (lastEditTimestamp >= triggerTimestamp) {
+      return false;
+    }
+  }
+
+  return true;
+}
+
 type FetchDataParams = {
   octokits: Octokits;
   repository: string;
@@ -273,9 +305,13 @@ export async function fetchGitHubData({
       body: c.body,
     }));
 
-  // Add the main issue/PR body if it has content
-  const mainBody: CommentWithImages[] = contextData.body
-    ? [
+  // Add the main issue/PR body if it has content and wasn't edited after trigger
+  // This prevents a TOCTOU race condition where an attacker could edit the body
+  // between when an authorized user triggered Claude and when Claude processes the request
+  let mainBody: CommentWithImages[] = [];
+  if (contextData.body) {
+    if (isBodySafeToUse(contextData, triggerTime)) {
+      mainBody = [
         {
           ...(isPR
             ? {
@@ -289,8 +325,14 @@ export async function fetchGitHubData({
                 body: contextData.body,
               }),
         },
-      ]
-    : [];
+      ];
+    } else {
+      console.warn(
+        `Security: ${isPR ? "PR" : "Issue"} #${prNumber} body was edited after the trigger event. ` +
+          `Excluding body content to prevent potential injection attacks.`,
+      );
+    }
+  }
 
   const allComments = [
     ...mainBody,

src/github/operations/branch-cleanup.ts

@@ -2,6 +2,20 @@ import type { Octokits } from "../api/client";
 import { GITHUB_SERVER_URL } from "../api/config";
 import { $ } from "bun";
 
+/**
+ * Encodes a branch name for use in a URL, preserving forward slashes.
+ * GitHub expects literal slashes in branch names (e.g., /tree/feature/branch)
+ * but other special characters like parentheses need to be encoded.
+ * Note: encodeURIComponent doesn't encode ( ) ! ' * ~ per RFC 3986,
+ * but parentheses break markdown links so we encode them manually.
+ */
+function encodeBranchName(branchName: string): string {
+  return encodeURIComponent(branchName)
+    .replace(/%2F/gi, "/")
+    .replace(/\(/g, "%28")
+    .replace(/\)/g, "%29");
+}
+
 export async function checkAndCommitOrDeleteBranch(
   octokit: Octokits,
   owner: string,
@@ -80,7 +94,7 @@ export async function checkAndCommitOrDeleteBranch(
               );
 
               // Set branch link since we now have commits
-              const branchUrl = `${GITHUB_SERVER_URL}/${owner}/${repo}/tree/${claudeBranch}`;
+              const branchUrl = `${GITHUB_SERVER_URL}/${owner}/${repo}/tree/${encodeBranchName(claudeBranch)}`;
               branchLink = `\n[View branch](${branchUrl})`;
             } else {
               console.log(
@@ -91,7 +105,7 @@ export async function checkAndCommitOrDeleteBranch(
           } catch (gitError) {
             console.error("Error checking/committing changes:", gitError);
             // If we can't check git status, assume the branch might have changes
-            const branchUrl = `${GITHUB_SERVER_URL}/${owner}/${repo}/tree/${claudeBranch}`;
+            const branchUrl = `${GITHUB_SERVER_URL}/${owner}/${repo}/tree/${encodeBranchName(claudeBranch)}`;
             branchLink = `\n[View branch](${branchUrl})`;
           }
         } else {
@@ -102,13 +116,13 @@ export async function checkAndCommitOrDeleteBranch(
         }
       } else {
         // Only add branch link if there are commits
-        const branchUrl = `${GITHUB_SERVER_URL}/${owner}/${repo}/tree/${claudeBranch}`;
+        const branchUrl = `${GITHUB_SERVER_URL}/${owner}/${repo}/tree/${encodeBranchName(claudeBranch)}`;
         branchLink = `\n[View branch](${branchUrl})`;
       }
     } catch (error) {
       console.error("Error comparing commits on Claude branch:", error);
       // If we can't compare but the branch exists remotely, include the branch link
-      const branchUrl = `${GITHUB_SERVER_URL}/${owner}/${repo}/tree/${claudeBranch}`;
+      const branchUrl = `${GITHUB_SERVER_URL}/${owner}/${repo}/tree/${encodeBranchName(claudeBranch)}`;
       branchLink = `\n[View branch](${branchUrl})`;
     }
   }

src/github/operations/comment-logic.ts

@@ -1,7 +1,21 @@
 import { GITHUB_SERVER_URL } from "../api/config";
 
+/**
+ * Encodes a branch name for use in a URL, preserving forward slashes.
+ * GitHub expects literal slashes in branch names (e.g., /tree/feature/branch)
+ * but other special characters like parentheses need to be encoded.
+ * Note: encodeURIComponent doesn't encode ( ) ! ' * ~ per RFC 3986,
+ * but parentheses break markdown links so we encode them manually.
+ */
+function encodeBranchName(branchName: string): string {
+  return encodeURIComponent(branchName)
+    .replace(/%2F/gi, "/")
+    .replace(/\(/g, "%28")
+    .replace(/\)/g, "%29");
+}
+
 export type ExecutionDetails = {
-  cost_usd?: number;
+  total_cost_usd?: number;
   duration_ms?: number;
   duration_api_ms?: number;
 };
@@ -160,7 +174,7 @@ export function updateCommentBody(input: CommentUpdateInput): string {
       // Extract owner/repo from jobUrl
       const repoMatch = jobUrl.match(/github\.com\/([^\/]+)\/([^\/]+)\//);
       if (repoMatch) {
-        branchUrl = `${GITHUB_SERVER_URL}/${repoMatch[1]}/${repoMatch[2]}/tree/${finalBranchName}`;
+        branchUrl = `${GITHUB_SERVER_URL}/${repoMatch[1]}/${repoMatch[2]}/tree/${encodeBranchName(finalBranchName)}`;
       }
     }
 
@@ -172,8 +186,9 @@ export function updateCommentBody(input: CommentUpdateInput): string {
   }
 
   // Add PR link (either from content or provided)
+  // Use greedy match with end anchor to capture full URL even if it contains parentheses
   const prUrl =
-    prLinkFromContent || (prLink ? prLink.match(/\(([^)]+)\)/)?.[1] : "");
+    prLinkFromContent || (prLink ? prLink.match(/\((.+)\)$/)?.[1] : "");
   if (prUrl) {
     links += ` • [Create PR ➔](${prUrl})`;
   }

src/github/operations/comments/common.ts

@@ -12,12 +12,26 @@ export function createJobRunLink(
   return `[View job run](${jobRunUrl})`;
 }
 
+/**
+ * Encodes a branch name for use in a URL, preserving forward slashes.
+ * GitHub expects literal slashes in branch names (e.g., /tree/feature/branch)
+ * but other special characters like parentheses need to be encoded.
+ * Note: encodeURIComponent doesn't encode ( ) ! ' * ~ per RFC 3986,
+ * but parentheses break markdown links so we encode them manually.
+ */
+function encodeBranchName(branchName: string): string {
+  return encodeURIComponent(branchName)
+    .replace(/%2F/gi, "/")
+    .replace(/\(/g, "%28")
+    .replace(/\)/g, "%29");
+}
+
 export function createBranchLink(
   owner: string,
   repo: string,
   branchName: string,
 ): string {
-  const branchUrl = `${GITHUB_SERVER_URL}/${owner}/${repo}/tree/${branchName}`;
+  const branchUrl = `${GITHUB_SERVER_URL}/${owner}/${repo}/tree/${encodeBranchName(branchName)}`;
   return `\n[View branch](${branchUrl})`;
 }
 

src/github/types.ts

@@ -58,6 +58,8 @@ export type GitHubPullRequest = {
   headRefName: string;
   headRefOid: string;
   createdAt: string;
+  updatedAt?: string;
+  lastEditedAt?: string;
   additions: number;
   deletions: number;
   state: string;
@@ -83,6 +85,8 @@ export type GitHubIssue = {
   body: string;
   author: GitHubAuthor;
   createdAt: string;
+  updatedAt?: string;
+  lastEditedAt?: string;
   state: string;
   comments: {
     nodes: GitHubComment[];

test/comment-logic.test.ts

@@ -139,6 +139,21 @@ describe("updateCommentBody", () => {
       );
       expect(result).not.toContain("View branch");
     });
+
+    it("encodes special characters in branch names while preserving slashes", () => {
+      const input = {
+        ...baseInput,
+        branchName: "feature/fix(issue)-test",
+      };
+
+      const result = updateCommentBody(input);
+      // Branch name display should show the original name
+      expect(result).toContain("`feature/fix(issue)-test`");
+      // URL should have encoded parentheses but preserved slashes
+      expect(result).toContain(
+        "https://github.com/owner/repo/tree/feature/fix%28issue%29-test",
+      );
+    });
   });
 
   describe("PR link", () => {
@@ -258,7 +273,7 @@ describe("updateCommentBody", () => {
       const input = {
         ...baseInput,
         executionDetails: {
-          cost_usd: 0.13382595,
+          total_cost_usd: 0.13382595,
           duration_ms: 31033,
           duration_api_ms: 31034,
         },
@@ -301,7 +316,7 @@ describe("updateCommentBody", () => {
       const input = {
         ...baseInput,
         executionDetails: {
-          cost_usd: 0.25,
+          total_cost_usd: 0.25,
         },
         triggerUsername: "testuser",
       };
@@ -322,7 +337,7 @@ describe("updateCommentBody", () => {
         branchName: "claude-branch-123",
         prLink: "\n[Create a PR](https://github.com/owner/repo/pr-url)",
         executionDetails: {
-          cost_usd: 0.01,
+          total_cost_usd: 0.01,
           duration_ms: 65000, // 1 minute 5 seconds
         },
         triggerUsername: "trigger-user",

test/data-fetcher.test.ts

@@ -4,6 +4,7 @@ import {
   fetchGitHubData,
   filterCommentsToTriggerTime,
   filterReviewsToTriggerTime,
+  isBodySafeToUse,
 } from "../src/github/data/fetcher";
 import {
   createMockContext,
@@ -371,6 +372,139 @@ describe("filterReviewsToTriggerTime", () => {
   });
 });
 
+describe("isBodySafeToUse", () => {
+  const triggerTime = "2024-01-15T12:00:00Z";
+
+  const createMockContextData = (
+    createdAt: string,
+    updatedAt?: string,
+    lastEditedAt?: string,
+  ) => ({
+    createdAt,
+    updatedAt,
+    lastEditedAt,
+  });
+
+  describe("body edit time validation", () => {
+    it("should return true when body was never edited", () => {
+      const contextData = createMockContextData("2024-01-15T10:00:00Z");
+      expect(isBodySafeToUse(contextData, triggerTime)).toBe(true);
+    });
+
+    it("should return true when body was edited before trigger time", () => {
+      const contextData = createMockContextData(
+        "2024-01-15T10:00:00Z",
+        "2024-01-15T11:00:00Z",
+        "2024-01-15T11:30:00Z",
+      );
+      expect(isBodySafeToUse(contextData, triggerTime)).toBe(true);
+    });
+
+    it("should return false when body was edited after trigger time (using updatedAt)", () => {
+      const contextData = createMockContextData(
+        "2024-01-15T10:00:00Z",
+        "2024-01-15T13:00:00Z",
+      );
+      expect(isBodySafeToUse(contextData, triggerTime)).toBe(false);
+    });
+
+    it("should return false when body was edited after trigger time (using lastEditedAt)", () => {
+      const contextData = createMockContextData(
+        "2024-01-15T10:00:00Z",
+        undefined,
+        "2024-01-15T13:00:00Z",
+      );
+      expect(isBodySafeToUse(contextData, triggerTime)).toBe(false);
+    });
+
+    it("should return false when body was edited exactly at trigger time", () => {
+      const contextData = createMockContextData(
+        "2024-01-15T10:00:00Z",
+        "2024-01-15T12:00:00Z",
+      );
+      expect(isBodySafeToUse(contextData, triggerTime)).toBe(false);
+    });
+
+    it("should prioritize lastEditedAt over updatedAt", () => {
+      // updatedAt is after trigger, but lastEditedAt is before - should be safe
+      const contextData = createMockContextData(
+        "2024-01-15T10:00:00Z",
+        "2024-01-15T13:00:00Z", // updatedAt after trigger
+        "2024-01-15T11:00:00Z", // lastEditedAt before trigger
+      );
+      expect(isBodySafeToUse(contextData, triggerTime)).toBe(true);
+    });
+  });
+
+  describe("edge cases", () => {
+    it("should return true when no trigger time is provided (backward compatibility)", () => {
+      const contextData = createMockContextData(
+        "2024-01-15T10:00:00Z",
+        "2024-01-15T13:00:00Z", // Would normally fail
+        "2024-01-15T14:00:00Z", // Would normally fail
+      );
+      expect(isBodySafeToUse(contextData, undefined)).toBe(true);
+    });
+
+    it("should handle millisecond precision correctly", () => {
+      // Edit 1ms after trigger - should be unsafe
+      const contextData = createMockContextData(
+        "2024-01-15T10:00:00Z",
+        "2024-01-15T12:00:00.001Z",
+      );
+      expect(isBodySafeToUse(contextData, triggerTime)).toBe(false);
+    });
+
+    it("should handle edit 1ms before trigger - should be safe", () => {
+      const contextData = createMockContextData(
+        "2024-01-15T10:00:00Z",
+        "2024-01-15T11:59:59.999Z",
+      );
+      expect(isBodySafeToUse(contextData, triggerTime)).toBe(true);
+    });
+
+    it("should handle various ISO timestamp formats", () => {
+      const contextData1 = createMockContextData(
+        "2024-01-15T10:00:00Z",
+        "2024-01-15T11:00:00Z",
+      );
+      const contextData2 = createMockContextData(
+        "2024-01-15T10:00:00+00:00",
+        "2024-01-15T11:00:00+00:00",
+      );
+      const contextData3 = createMockContextData(
+        "2024-01-15T10:00:00.000Z",
+        "2024-01-15T11:00:00.000Z",
+      );
+
+      expect(isBodySafeToUse(contextData1, triggerTime)).toBe(true);
+      expect(isBodySafeToUse(contextData2, triggerTime)).toBe(true);
+      expect(isBodySafeToUse(contextData3, triggerTime)).toBe(true);
+    });
+  });
+
+  describe("security scenarios", () => {
+    it("should detect race condition attack - body edited between trigger and processing", () => {
+      // Simulates: Owner triggers @claude at 12:00, attacker edits body at 12:00:30
+      const contextData = createMockContextData(
+        "2024-01-15T10:00:00Z", // Issue created
+        "2024-01-15T12:00:30Z", // Body edited after trigger
+      );
+      expect(isBodySafeToUse(contextData, "2024-01-15T12:00:00Z")).toBe(false);
+    });
+
+    it("should allow body that was stable at trigger time", () => {
+      // Body was last edited well before the trigger
+      const contextData = createMockContextData(
+        "2024-01-15T10:00:00Z",
+        "2024-01-15T10:30:00Z",
+        "2024-01-15T10:30:00Z",
+      );
+      expect(isBodySafeToUse(contextData, "2024-01-15T12:00:00Z")).toBe(true);
+    });
+  });
+});
+
 describe("fetchGitHubData integration with time filtering", () => {
   it("should filter comments based on trigger time when provided", async () => {
     const mockOctokits = {
@@ -696,4 +830,119 @@ describe("fetchGitHubData integration with time filtering", () => {
     // All three comments should be included as they're all before trigger time
     expect(result.comments.length).toBe(3);
   });
+
+  it("should exclude issue body when edited after trigger time (TOCTOU protection)", async () => {
+    const mockOctokits = {
+      graphql: jest.fn().mockResolvedValue({
+        repository: {
+          issue: {
+            number: 555,
+            title: "Test Issue",
+            body: "Malicious body edited after trigger",
+            author: { login: "attacker" },
+            createdAt: "2024-01-15T10:00:00Z",
+            updatedAt: "2024-01-15T12:30:00Z", // Edited after trigger
+            lastEditedAt: "2024-01-15T12:30:00Z", // Edited after trigger
+            comments: { nodes: [] },
+          },
+        },
+        user: { login: "trigger-user" },
+      }),
+      rest: jest.fn() as any,
+    };
+
+    const result = await fetchGitHubData({
+      octokits: mockOctokits as any,
+      repository: "test-owner/test-repo",
+      prNumber: "555",
+      isPR: false,
+      triggerUsername: "trigger-user",
+      triggerTime: "2024-01-15T12:00:00Z",
+    });
+
+    // The body should be excluded from image processing due to TOCTOU protection
+    // We can verify this by checking that issue_body is NOT in the imageUrlMap keys
+    const hasIssueBodyInMap = Array.from(result.imageUrlMap.keys()).some(
+      (key) => key.includes("issue_body"),
+    );
+    expect(hasIssueBodyInMap).toBe(false);
+  });
+
+  it("should include issue body when not edited after trigger time", async () => {
+    const mockOctokits = {
+      graphql: jest.fn().mockResolvedValue({
+        repository: {
+          issue: {
+            number: 666,
+            title: "Test Issue",
+            body: "Safe body not edited after trigger",
+            author: { login: "author" },
+            createdAt: "2024-01-15T10:00:00Z",
+            updatedAt: "2024-01-15T11:00:00Z", // Edited before trigger
+            lastEditedAt: "2024-01-15T11:00:00Z", // Edited before trigger
+            comments: { nodes: [] },
+          },
+        },
+        user: { login: "trigger-user" },
+      }),
+      rest: jest.fn() as any,
+    };
+
+    const result = await fetchGitHubData({
+      octokits: mockOctokits as any,
+      repository: "test-owner/test-repo",
+      prNumber: "666",
+      isPR: false,
+      triggerUsername: "trigger-user",
+      triggerTime: "2024-01-15T12:00:00Z",
+    });
+
+    // The contextData should still contain the body
+    expect(result.contextData.body).toBe("Safe body not edited after trigger");
+  });
+
+  it("should exclude PR body when edited after trigger time (TOCTOU protection)", async () => {
+    const mockOctokits = {
+      graphql: jest.fn().mockResolvedValue({
+        repository: {
+          pullRequest: {
+            number: 777,
+            title: "Test PR",
+            body: "Malicious PR body edited after trigger",
+            author: { login: "attacker" },
+            baseRefName: "main",
+            headRefName: "feature",
+            headRefOid: "abc123",
+            createdAt: "2024-01-15T10:00:00Z",
+            updatedAt: "2024-01-15T12:30:00Z", // Edited after trigger
+            lastEditedAt: "2024-01-15T12:30:00Z", // Edited after trigger
+            additions: 10,
+            deletions: 5,
+            state: "OPEN",
+            commits: { totalCount: 1, nodes: [] },
+            files: { nodes: [] },
+            comments: { nodes: [] },
+            reviews: { nodes: [] },
+          },
+        },
+        user: { login: "trigger-user" },
+      }),
+      rest: jest.fn() as any,
+    };
+
+    const result = await fetchGitHubData({
+      octokits: mockOctokits as any,
+      repository: "test-owner/test-repo",
+      prNumber: "777",
+      isPR: true,
+      triggerUsername: "trigger-user",
+      triggerTime: "2024-01-15T12:00:00Z",
+    });
+
+    // The body should be excluded from image processing due to TOCTOU protection
+    const hasPrBodyInMap = Array.from(result.imageUrlMap.keys()).some((key) =>
+      key.includes("pr_body"),
+    );
+    expect(hasPrBodyInMap).toBe(false);
+  });
 });

test/fixtures/sample-turns.json

@@ -189,7 +189,7 @@
   },
   {
     "type": "result",
-    "cost_usd": 0.0347,
+    "total_cost_usd": 0.0347,
     "duration_ms": 18750,
     "result": "Successfully removed debug print statement from file and added review comment to document the change."
   }

test/mockContext.ts

@@ -401,6 +401,53 @@ export const mockPullRequestReviewContext: ParsedGitHubContext = {
   inputs: { ...defaultInputs, triggerPhrase: "@claude" },
 };
 
+export const mockPullRequestReviewWithoutCommentContext: ParsedGitHubContext = {
+  runId: "1234567890",
+  eventName: "pull_request_review",
+  eventAction: "dismissed",
+  repository: defaultRepository,
+  actor: "senior-developer",
+  payload: {
+    action: "submitted",
+    review: {
+      id: 11122233,
+      body: null, // Simulating approval without comment
+      user: {
+        login: "senior-developer",
+        id: 44444,
+        avatar_url: "https://avatars.githubusercontent.com/u/44444",
+        html_url: "https://github.com/senior-developer",
+      },
+      state: "approved",
+      html_url:
+        "https://github.com/test-owner/test-repo/pull/321#pullrequestreview-11122233",
+      submitted_at: "2024-01-15T15:30:00Z",
+    },
+    pull_request: {
+      number: 321,
+      title: "Refactor: Improve error handling in API layer",
+      body: "This PR improves error handling across all API endpoints",
+      user: {
+        login: "backend-developer",
+        id: 33333,
+        avatar_url: "https://avatars.githubusercontent.com/u/33333",
+        html_url: "https://github.com/backend-developer",
+      },
+    },
+    repository: {
+      name: "test-repo",
+      full_name: "test-owner/test-repo",
+      private: false,
+      owner: {
+        login: "test-owner",
+      },
+    },
+  } as PullRequestReviewEvent,
+  entityNumber: 321,
+  isPR: true,
+  inputs: { ...defaultInputs, triggerPhrase: "@claude" },
+};
+
 export const mockPullRequestReviewCommentContext: ParsedGitHubContext = {
   runId: "1234567890",
   eventName: "pull_request_review_comment",

test/prepare-context.test.ts

@@ -10,6 +10,7 @@ import {
   mockPullRequestCommentContext,
   mockPullRequestReviewContext,
   mockPullRequestReviewCommentContext,
+  mockPullRequestReviewWithoutCommentContext,
 } from "./mockContext";
 
 const BASE_ENV = {
@@ -126,6 +127,24 @@ describe("parseEnvVarsWithContext", () => {
     });
   });
 
+  describe("pull_request_review event without comment", () => {
+    test("should parse pull_request_review event correctly", () => {
+      process.env = BASE_ENV;
+      const result = prepareContext(
+        mockPullRequestReviewWithoutCommentContext,
+        "12345",
+      );
+
+      expect(result.eventData.eventName).toBe("pull_request_review");
+      expect(result.eventData.isPR).toBe(true);
+      expect(result.triggerUsername).toBe("senior-developer");
+      if (result.eventData.eventName === "pull_request_review") {
+        expect(result.eventData.prNumber).toBe("321");
+        expect(result.eventData.commentBody).toBe("");
+      }
+    });
+  });
+
   describe("pull_request_review_comment event", () => {
     test("should parse pull_request_review_comment event correctly", () => {
       process.env = BASE_ENV;