feat: improve autofix suggestion detection for PR comments

Add detection logic to recognize actionable suggestions in PR comments, even when
they come from bot accounts like claude[bot]. This addresses the issue where the
autofix workflow incorrectly classified clear bug fix suggestions as not actionable.

New features:
- detectActionableSuggestion(): Analyzes comment body for actionable patterns
- Detects GitHub inline committable suggestions (```suggestion blocks)
- Detects clear bug fix language patterns (e.g., "should be", "change to", "replace with")
- Detects code alternatives and fix recommendations
- Returns confidence level (high/medium/low) and reason for the determination
- checkContainsActionableSuggestion(): Context-aware wrapper for GitHub events
- checkContainsTriggerOrActionableSuggestion(): Combined trigger and suggestion check
- checkIsActionableForAutofix(): Convenience function for autofix workflows
- extractSuggestionCode(): Extracts code from GitHub suggestion blocks

This enables workflows to automatically apply suggestions from code review comments,
improving the developer experience for PR reviews.

.claude/commands/label-issue.md

@@ -17,6 +17,7 @@ TASK OVERVIEW:
 1. First, fetch the list of labels available in this repository by running: `gh label list`. Run exactly this command with nothing else.
 
 2. Next, use gh commands to get context about the issue:
+
    - Use `gh issue view ${{ github.event.issue.number }}` to retrieve the current issue's details
    - Use `gh search issues` to find similar issues that might provide context for proper categorization
    - You have access to these Bash commands:
@@ -26,6 +27,7 @@ TASK OVERVIEW:
      - Bash(gh search:\*) - to search for similar issues
 
 3. Analyze the issue content, considering:
+
    - The issue title and description
    - The type of issue (bug report, feature request, question, etc.)
    - Technical areas mentioned
@@ -34,6 +36,7 @@ TASK OVERVIEW:
    - Components affected
 
 4. Select appropriate labels from the available labels list provided above:
+
    - Choose labels that accurately reflect the issue's nature
    - Be specific but comprehensive
    - IMPORTANT: Add a priority label (P1, P2, or P3) based on the label descriptions from gh label list

.github/workflows/issue-triage.yml

@@ -24,5 +24,4 @@ jobs:
           prompt: "/label-issue REPO: ${{ github.repository }} ISSUE_NUMBER${{ github.event.issue.number }}"
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           allowed_non_write_users: "*" # Required for issue triage workflow, if users without repo write access create issues
-          bypass_write_permission_check_acknowledgment: true # Required when using wildcard
           github_token: ${{ secrets.GITHUB_TOKEN }}

action.yml

@@ -35,10 +35,6 @@ inputs:
     description: "Comma-separated list of usernames to allow without write permissions, or '*' to allow all users. Only works when github_token input is provided. WARNING: Use with extreme caution - this bypasses security checks and should only be used for workflows with very limited permissions (e.g., issue labeling)."
     required: false
     default: ""
-  bypass_write_permission_check_acknowledgment:
-    description: "REQUIRED when using allowed_non_write_users='*'. Set to 'true' to explicitly acknowledge the security implications of bypassing write permission checks for all users. This flag serves as a safeguard against accidental security misconfigurations."
-    required: false
-    default: "false"
 
   # Claude Code configuration
   prompt:
@@ -190,7 +186,6 @@ runs:
         OVERRIDE_GITHUB_TOKEN: ${{ inputs.github_token }}
         ALLOWED_BOTS: ${{ inputs.allowed_bots }}
         ALLOWED_NON_WRITE_USERS: ${{ inputs.allowed_non_write_users }}
-        BYPASS_WRITE_PERMISSION_CHECK_ACKNOWLEDGMENT: ${{ inputs.bypass_write_permission_check_acknowledgment }}
         GITHUB_RUN_ID: ${{ github.run_id }}
         USE_STICKY_COMMENT: ${{ inputs.use_sticky_comment }}
         DEFAULT_WORKFLOW_TOKEN: ${{ github.token }}
@@ -218,7 +213,7 @@ runs:
 
         # Install Claude Code if no custom executable is provided
         if [ -z "$PATH_TO_CLAUDE_CODE_EXECUTABLE" ]; then
-          CLAUDE_CODE_VERSION="2.1.6"
+          CLAUDE_CODE_VERSION="2.1.4"
           echo "Installing Claude Code v${CLAUDE_CODE_VERSION}..."
           for attempt in 1 2 3; do
             echo "Installation attempt $attempt..."

base-action/CONTRIBUTING.md

@@ -57,6 +57,7 @@ Thank you for your interest in contributing to Claude Code Base Action! This doc
    ```
 
    This script:
+
    - Installs `act` if not present (requires Homebrew on macOS)
    - Runs the GitHub Action workflow locally using Docker
    - Requires your `ANTHROPIC_API_KEY` to be set

base-action/README.md

@@ -85,26 +85,26 @@ Add the following to your workflow file:
 
 ## Inputs
 
-| Input                     | Description                                                                                                            | Required | Default                      |
+| Input                     | Description                                                                                                             | Required | Default                      |
-| ------------------------- | ---------------------------------------------------------------------------------------------------------------------- | -------- | ---------------------------- |
+| ------------------------- | ----------------------------------------------------------------------------------------------------------------------- | -------- | ---------------------------- |
-| `prompt`                  | The prompt to send to Claude Code                                                                                      | No\*     | ''                           |
+| `prompt`                  | The prompt to send to Claude Code                                                                                       | No\*     | ''                           |
-| `prompt_file`             | Path to a file containing the prompt to send to Claude Code                                                            | No\*     | ''                           |
+| `prompt_file`             | Path to a file containing the prompt to send to Claude Code                                                             | No\*     | ''                           |
-| `allowed_tools`           | Comma-separated list of allowed tools for Claude Code to use                                                           | No       | ''                           |
+| `allowed_tools`           | Comma-separated list of allowed tools for Claude Code to use                                                            | No       | ''                           |
-| `disallowed_tools`        | Comma-separated list of disallowed tools that Claude Code cannot use                                                   | No       | ''                           |
+| `disallowed_tools`        | Comma-separated list of disallowed tools that Claude Code cannot use                                                    | No       | ''                           |
-| `max_turns`               | Maximum number of conversation turns (default: no limit)                                                               | No       | ''                           |
+| `max_turns`               | Maximum number of conversation turns (default: no limit)                                                                | No       | ''                           |
-| `mcp_config`              | Path to the MCP configuration JSON file, or MCP configuration JSON string                                              | No       | ''                           |
+| `mcp_config`              | Path to the MCP configuration JSON file, or MCP configuration JSON string                                               | No       | ''                           |
-| `settings`                | Path to Claude Code settings JSON file, or settings JSON string                                                        | No       | ''                           |
+| `settings`                | Path to Claude Code settings JSON file, or settings JSON string                                                         | No       | ''                           |
-| `system_prompt`           | Override system prompt                                                                                                 | No       | ''                           |
+| `system_prompt`           | Override system prompt                                                                                                  | No       | ''                           |
-| `append_system_prompt`    | Append to system prompt                                                                                                | No       | ''                           |
+| `append_system_prompt`    | Append to system prompt                                                                                                 | No       | ''                           |
-| `claude_env`              | Custom environment variables to pass to Claude Code execution (YAML multiline format)                                  | No       | ''                           |
+| `claude_env`              | Custom environment variables to pass to Claude Code execution (YAML multiline format)                                   | No       | ''                           |
-| `model`                   | Model to use (provider-specific format required for Bedrock/Vertex)                                                    | No       | 'claude-4-0-sonnet-20250219' |
+| `model`                   | Model to use (provider-specific format required for Bedrock/Vertex)                                                     | No       | 'claude-4-0-sonnet-20250219' |
-| `anthropic_model`         | DEPRECATED: Use 'model' instead                                                                                        | No       | 'claude-4-0-sonnet-20250219' |
+| `anthropic_model`         | DEPRECATED: Use 'model' instead                                                                                         | No       | 'claude-4-0-sonnet-20250219' |
-| `fallback_model`          | Enable automatic fallback to specified model when default model is overloaded                                          | No       | ''                           |
+| `fallback_model`          | Enable automatic fallback to specified model when default model is overloaded                                           | No       | ''                           |
-| `anthropic_api_key`       | Anthropic API key (required for direct Anthropic API)                                                                  | No       | ''                           |
+| `anthropic_api_key`       | Anthropic API key (required for direct Anthropic API)                                                                   | No       | ''                           |
-| `claude_code_oauth_token` | Claude Code OAuth token (alternative to anthropic_api_key)                                                             | No       | ''                           |
+| `claude_code_oauth_token` | Claude Code OAuth token (alternative to anthropic_api_key)                                                              | No       | ''                           |
-| `use_bedrock`             | Use Amazon Bedrock with OIDC authentication instead of direct Anthropic API                                            | No       | 'false'                      |
+| `use_bedrock`             | Use Amazon Bedrock with OIDC authentication instead of direct Anthropic API                                             | No       | 'false'                      |
-| `use_vertex`              | Use Google Vertex AI with OIDC authentication instead of direct Anthropic API                                          | No       | 'false'                      |
+| `use_vertex`              | Use Google Vertex AI with OIDC authentication instead of direct Anthropic API                                           | No       | 'false'                      |
-| `use_node_cache`          | Whether to use Node.js dependency caching (set to true only for Node.js projects with lock files)                      | No       | 'false'                      |
+| `use_node_cache`          | Whether to use Node.js dependency caching (set to true only for Node.js projects with lock files)                       | No       | 'false'                      |
 | `show_full_output`        | Show full JSON output (⚠️ May expose secrets - see [security docs](../docs/security.md#️-full-output-security-warning)) | No       | 'false'\*\*                  |
 
 \*Either `prompt` or `prompt_file` must be provided, but not both.
@@ -490,6 +490,7 @@ This example shows how to use OIDC authentication with GCP Vertex AI:
 To securely use your Anthropic API key:
 
 1. Add your API key as a repository secret:
+
    - Go to your repository's Settings
    - Navigate to "Secrets and variables" → "Actions"
    - Click "New repository secret"

base-action/action.yml

@@ -124,7 +124,7 @@ runs:
         PATH_TO_CLAUDE_CODE_EXECUTABLE: ${{ inputs.path_to_claude_code_executable }}
       run: |
         if [ -z "$PATH_TO_CLAUDE_CODE_EXECUTABLE" ]; then
-          CLAUDE_CODE_VERSION="2.1.6"
+          CLAUDE_CODE_VERSION="2.1.4"
           echo "Installing Claude Code v${CLAUDE_CODE_VERSION}..."
           for attempt in 1 2 3; do
             echo "Installation attempt $attempt..."

base-action/bun.lock

@@ -6,7 +6,7 @@
       "name": "@anthropic-ai/claude-code-base-action",
       "dependencies": {
         "@actions/core": "^1.10.1",
-        "@anthropic-ai/claude-agent-sdk": "^0.2.6",
+        "@anthropic-ai/claude-agent-sdk": "^0.2.4",
         "shell-quote": "^1.8.3",
       },
       "devDependencies": {
@@ -27,7 +27,7 @@
 
     "@actions/io": ["@actions/io@1.1.3", "", {}, "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q=="],
 
-    "@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.2.6", "", { "optionalDependencies": { "@img/sharp-darwin-arm64": "^0.33.5", "@img/sharp-darwin-x64": "^0.33.5", "@img/sharp-linux-arm": "^0.33.5", "@img/sharp-linux-arm64": "^0.33.5", "@img/sharp-linux-x64": "^0.33.5", "@img/sharp-linuxmusl-arm64": "^0.33.5", "@img/sharp-linuxmusl-x64": "^0.33.5", "@img/sharp-win32-x64": "^0.33.5" }, "peerDependencies": { "zod": "^4.0.0" } }, "sha512-lwswHo6z/Kh9djafk2ajPju62+VqHwJ23gueG1alfaLNK4GRYHgCROfiX6/wlxAd8sRvgTo6ry1hNzkyz7bOpw=="],
+    "@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.2.4", "", { "optionalDependencies": { "@img/sharp-darwin-arm64": "^0.33.5", "@img/sharp-darwin-x64": "^0.33.5", "@img/sharp-linux-arm": "^0.33.5", "@img/sharp-linux-arm64": "^0.33.5", "@img/sharp-linux-x64": "^0.33.5", "@img/sharp-linuxmusl-arm64": "^0.33.5", "@img/sharp-linuxmusl-x64": "^0.33.5", "@img/sharp-win32-x64": "^0.33.5" }, "peerDependencies": { "zod": "^4.0.0" } }, "sha512-5RpMO8aLEwuAd8h7/QHMCKzdVSihZCtHGnouPp+Isvc7zPzQXKb6GvUitkbs3wIBgIbXA/vXQmIi126uw9qo0A=="],
 
     "@fastify/busboy": ["@fastify/busboy@2.1.1", "", {}, "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA=="],
 

base-action/package.json

@@ -11,7 +11,7 @@
   },
   "dependencies": {
     "@actions/core": "^1.10.1",
-    "@anthropic-ai/claude-agent-sdk": "^0.2.6",
+    "@anthropic-ai/claude-agent-sdk": "^0.2.4",
     "shell-quote": "^1.8.3"
   },
   "devDependencies": {

bun.lock

@@ -7,7 +7,7 @@
       "dependencies": {
         "@actions/core": "^1.10.1",
         "@actions/github": "^6.0.1",
-        "@anthropic-ai/claude-agent-sdk": "^0.2.6",
+        "@anthropic-ai/claude-agent-sdk": "^0.2.4",
         "@modelcontextprotocol/sdk": "^1.11.0",
         "@octokit/graphql": "^8.2.2",
         "@octokit/rest": "^21.1.1",
@@ -37,7 +37,7 @@
 
     "@actions/io": ["@actions/io@1.1.3", "", {}, "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q=="],
 
-    "@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.2.6", "", { "optionalDependencies": { "@img/sharp-darwin-arm64": "^0.33.5", "@img/sharp-darwin-x64": "^0.33.5", "@img/sharp-linux-arm": "^0.33.5", "@img/sharp-linux-arm64": "^0.33.5", "@img/sharp-linux-x64": "^0.33.5", "@img/sharp-linuxmusl-arm64": "^0.33.5", "@img/sharp-linuxmusl-x64": "^0.33.5", "@img/sharp-win32-x64": "^0.33.5" }, "peerDependencies": { "zod": "^4.0.0" } }, "sha512-lwswHo6z/Kh9djafk2ajPju62+VqHwJ23gueG1alfaLNK4GRYHgCROfiX6/wlxAd8sRvgTo6ry1hNzkyz7bOpw=="],
+    "@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.2.4", "", { "optionalDependencies": { "@img/sharp-darwin-arm64": "^0.33.5", "@img/sharp-darwin-x64": "^0.33.5", "@img/sharp-linux-arm": "^0.33.5", "@img/sharp-linux-arm64": "^0.33.5", "@img/sharp-linux-x64": "^0.33.5", "@img/sharp-linuxmusl-arm64": "^0.33.5", "@img/sharp-linuxmusl-x64": "^0.33.5", "@img/sharp-win32-x64": "^0.33.5" }, "peerDependencies": { "zod": "^4.0.0" } }, "sha512-5RpMO8aLEwuAd8h7/QHMCKzdVSihZCtHGnouPp+Isvc7zPzQXKb6GvUitkbs3wIBgIbXA/vXQmIi126uw9qo0A=="],
 
     "@fastify/busboy": ["@fastify/busboy@2.1.1", "", {}, "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA=="],
 

docs/configuration.md

@@ -116,6 +116,7 @@ The `additional_permissions` input allows Claude to access GitHub Actions workfl
 To allow Claude to view workflow run results, job logs, and CI status:
 
 1. **Grant the necessary permission to your GitHub token**:
+
    - When using the default `GITHUB_TOKEN`, add the `actions: read` permission to your workflow:
 
    ```yaml

docs/migration-guide.md

@@ -228,10 +228,12 @@ jobs:
 The action now automatically detects the appropriate mode:
 
 1. **If `prompt` is provided** → Runs in **automation mode**
+
    - Executes immediately without waiting for @claude mentions
    - Perfect for scheduled tasks, PR automation, etc.
 
 2. **If no `prompt` but @claude is mentioned** → Runs in **interactive mode**
+
    - Waits for and responds to @claude mentions
    - Creates tracking comments with progress
 

docs/security.md

@@ -7,7 +7,6 @@
 - **⚠️ Non-Write User Access (RISKY)**: The `allowed_non_write_users` parameter allows bypassing the write permission requirement. **This is a significant security risk and should only be used for workflows with extremely limited permissions** (e.g., issue labeling workflows that only have `issues: write` permission). This feature:
   - Only works when `github_token` is provided as input (not with GitHub App authentication)
   - Accepts either a comma-separated list of specific usernames or `*` to allow all users
-  - **When using the wildcard (`*`)**, you MUST also set `bypass_write_permission_check_acknowledgment: true` to explicitly acknowledge the security implications. Without this flag, the action will fail as a safeguard against accidental security misconfigurations
   - **Should be used with extreme caution** as it bypasses the primary security mechanism of this action
   - Is designed for automation workflows where user permissions are already restricted by the workflow's permission scope
 - **Token Permissions**: The GitHub app receives only a short-lived token scoped specifically to the repository it's operating in
@@ -76,12 +75,14 @@ Commits will show as verified and attributed to the GitHub account that owns the
    ```
 
 2. Add the **public key** to your GitHub account:
+
    - Go to GitHub → Settings → SSH and GPG keys
    - Click "New SSH key"
    - Select **Key type: Signing Key** (important)
    - Paste the contents of `~/.ssh/signing_key.pub`
 
 3. Add the **private key** to your repository secrets:
+
    - Go to your repo → Settings → Secrets and variables → Actions
    - Create a new secret named `SSH_SIGNING_KEY`
    - Paste the contents of `~/.ssh/signing_key`

docs/setup.md

@@ -31,23 +31,27 @@ The fastest way to create a custom GitHub App is using our pre-configured manife
    **🚀 [Download the Quick Setup Tool](./create-app.html)** (Right-click → "Save Link As" or "Download Linked File")
 
    After downloading, open `create-app.html` in your web browser:
+
    - **For Personal Accounts:** Click the "Create App for Personal Account" button
    - **For Organizations:** Enter your organization name and click "Create App for Organization"
 
    The tool will automatically configure all required permissions and submit the manifest.
 
    Alternatively, you can use the manifest file directly:
+
    - Use the [`github-app-manifest.json`](../github-app-manifest.json) file from this repository
    - Visit https://github.com/settings/apps/new (for personal) or your organization's app settings
    - Look for the "Create from manifest" option and paste the JSON content
 
 2. **Complete the creation flow:**
+
    - GitHub will show you a preview of the app configuration
    - Confirm the app name (you can customize it)
    - Click "Create GitHub App"
    - The app will be created with all required permissions automatically configured
 
 3. **Generate and download a private key:**
+
    - After creating the app, you'll be redirected to the app settings
    - Scroll down to "Private keys"
    - Click "Generate a private key"
@@ -60,6 +64,7 @@ The fastest way to create a custom GitHub App is using our pre-configured manife
 If you prefer to configure the app manually or need custom permissions:
 
 1. **Create a new GitHub App:**
+
    - Go to https://github.com/settings/apps (for personal apps) or your organization's settings
    - Click "New GitHub App"
    - Configure the app with these minimum permissions:
@@ -72,16 +77,19 @@ If you prefer to configure the app manually or need custom permissions:
    - Create the app
 
 2. **Generate and download a private key:**
+
    - After creating the app, scroll down to "Private keys"
    - Click "Generate a private key"
    - Download the `.pem` file (keep this secure!)
 
 3. **Install the app on your repository:**
+
    - Go to the app's settings page
    - Click "Install App"
    - Select the repositories where you want to use Claude
 
 4. **Add the app credentials to your repository secrets:**
+
    - Go to your repository's Settings → Secrets and variables → Actions
    - Add these secrets:
      - `APP_ID`: Your GitHub App's ID (found in the app settings)
@@ -130,6 +138,7 @@ For more information on creating GitHub Apps, see the [GitHub documentation](htt
 To securely use your Anthropic API key:
 
 1. Add your API key as a repository secret:
+
    - Go to your repository's Settings
    - Navigate to "Secrets and variables" → "Actions"
    - Click "New repository secret"

docs/usage.md

@@ -52,36 +52,35 @@ jobs:
 
 ## Inputs
 
-| Input                                          | Description                                                                                                                                                                            | Required | Default       |
+| Input                            | Description                                                                                                                                                                            | Required | Default       |
-| ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ------------- |
+| -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ------------- |
-| `anthropic_api_key`                            | Anthropic API key (required for direct API, not needed for Bedrock/Vertex)                                                                                                             | No\*     | -             |
+| `anthropic_api_key`              | Anthropic API key (required for direct API, not needed for Bedrock/Vertex)                                                                                                             | No\*     | -             |
-| `claude_code_oauth_token`                      | Claude Code OAuth token (alternative to anthropic_api_key)                                                                                                                             | No\*     | -             |
+| `claude_code_oauth_token`        | Claude Code OAuth token (alternative to anthropic_api_key)                                                                                                                             | No\*     | -             |
-| `prompt`                                       | Instructions for Claude. Can be a direct prompt or custom template for automation workflows                                                                                            | No       | -             |
+| `prompt`                         | Instructions for Claude. Can be a direct prompt or custom template for automation workflows                                                                                            | No       | -             |
-| `track_progress`                               | Force tag mode with tracking comments. Only works with specific PR/issue events. Preserves GitHub context                                                                              | No       | `false`       |
+| `track_progress`                 | Force tag mode with tracking comments. Only works with specific PR/issue events. Preserves GitHub context                                                                              | No       | `false`       |
-| `include_fix_links`                            | Include 'Fix this' links in PR code review feedback that open Claude Code with context to fix the identified issue                                                                     | No       | `true`        |
+| `include_fix_links`              | Include 'Fix this' links in PR code review feedback that open Claude Code with context to fix the identified issue                                                                     | No       | `true`        |
-| `claude_args`                                  | Additional [arguments to pass directly to Claude CLI](https://docs.claude.com/en/docs/claude-code/cli-reference#cli-flags) (e.g., `--max-turns 10 --model claude-4-0-sonnet-20250805`) | No       | ""            |
+| `claude_args`                    | Additional [arguments to pass directly to Claude CLI](https://docs.claude.com/en/docs/claude-code/cli-reference#cli-flags) (e.g., `--max-turns 10 --model claude-4-0-sonnet-20250805`) | No       | ""            |
-| `base_branch`                                  | The base branch to use for creating new branches (e.g., 'main', 'develop')                                                                                                             | No       | -             |
+| `base_branch`                    | The base branch to use for creating new branches (e.g., 'main', 'develop')                                                                                                             | No       | -             |
-| `use_sticky_comment`                           | Use just one comment to deliver PR comments (only applies for pull_request event workflows)                                                                                            | No       | `false`       |
+| `use_sticky_comment`             | Use just one comment to deliver PR comments (only applies for pull_request event workflows)                                                                                            | No       | `false`       |
-| `github_token`                                 | GitHub token for Claude to operate with. **Only include this if you're connecting a custom GitHub app of your own!**                                                                   | No       | -             |
+| `github_token`                   | GitHub token for Claude to operate with. **Only include this if you're connecting a custom GitHub app of your own!**                                                                   | No       | -             |
-| `use_bedrock`                                  | Use Amazon Bedrock with OIDC authentication instead of direct Anthropic API                                                                                                            | No       | `false`       |
+| `use_bedrock`                    | Use Amazon Bedrock with OIDC authentication instead of direct Anthropic API                                                                                                            | No       | `false`       |
-| `use_vertex`                                   | Use Google Vertex AI with OIDC authentication instead of direct Anthropic API                                                                                                          | No       | `false`       |
+| `use_vertex`                     | Use Google Vertex AI with OIDC authentication instead of direct Anthropic API                                                                                                          | No       | `false`       |
-| `assignee_trigger`                             | The assignee username that triggers the action (e.g. @claude). Only used for issue assignment                                                                                          | No       | -             |
+| `assignee_trigger`               | The assignee username that triggers the action (e.g. @claude). Only used for issue assignment                                                                                          | No       | -             |
-| `label_trigger`                                | The label name that triggers the action when applied to an issue (e.g. "claude")                                                                                                       | No       | -             |
+| `label_trigger`                  | The label name that triggers the action when applied to an issue (e.g. "claude")                                                                                                       | No       | -             |
-| `trigger_phrase`                               | The trigger phrase to look for in comments, issue/PR bodies, and issue titles                                                                                                          | No       | `@claude`     |
+| `trigger_phrase`                 | The trigger phrase to look for in comments, issue/PR bodies, and issue titles                                                                                                          | No       | `@claude`     |
-| `branch_prefix`                                | The prefix to use for Claude branches (defaults to 'claude/', use 'claude-' for dash format)                                                                                           | No       | `claude/`     |
+| `branch_prefix`                  | The prefix to use for Claude branches (defaults to 'claude/', use 'claude-' for dash format)                                                                                           | No       | `claude/`     |
-| `settings`                                     | Claude Code settings as JSON string or path to settings JSON file                                                                                                                      | No       | ""            |
+| `settings`                       | Claude Code settings as JSON string or path to settings JSON file                                                                                                                      | No       | ""            |
-| `additional_permissions`                       | Additional permissions to enable. Currently supports 'actions: read' for viewing workflow results                                                                                      | No       | ""            |
+| `additional_permissions`         | Additional permissions to enable. Currently supports 'actions: read' for viewing workflow results                                                                                      | No       | ""            |
-| `use_commit_signing`                           | Enable commit signing using GitHub's API. Simple but cannot perform complex git operations like rebasing. See [Security](./security.md#commit-signing)                                 | No       | `false`       |
+| `use_commit_signing`             | Enable commit signing using GitHub's API. Simple but cannot perform complex git operations like rebasing. See [Security](./security.md#commit-signing)                                 | No       | `false`       |
-| `ssh_signing_key`                              | SSH private key for signing commits. Enables signed commits with full git CLI support (rebasing, etc.). See [Security](./security.md#commit-signing)                                   | No       | ""            |
+| `ssh_signing_key`                | SSH private key for signing commits. Enables signed commits with full git CLI support (rebasing, etc.). See [Security](./security.md#commit-signing)                                   | No       | ""            |
-| `bot_id`                                       | GitHub user ID to use for git operations (defaults to Claude's bot ID). Required with `ssh_signing_key` for verified commits                                                           | No       | `41898282`    |
+| `bot_id`                         | GitHub user ID to use for git operations (defaults to Claude's bot ID). Required with `ssh_signing_key` for verified commits                                                           | No       | `41898282`    |
-| `bot_name`                                     | GitHub username to use for git operations (defaults to Claude's bot name). Required with `ssh_signing_key` for verified commits                                                        | No       | `claude[bot]` |
+| `bot_name`                       | GitHub username to use for git operations (defaults to Claude's bot name). Required with `ssh_signing_key` for verified commits                                                        | No       | `claude[bot]` |
-| `allowed_bots`                                 | Comma-separated list of allowed bot usernames, or '\*' to allow all bots. Empty string (default) allows no bots                                                                        | No       | ""            |
+| `allowed_bots`                   | Comma-separated list of allowed bot usernames, or '\*' to allow all bots. Empty string (default) allows no bots                                                                        | No       | ""            |
-| `allowed_non_write_users`                      | **⚠️ RISKY**: Comma-separated list of usernames to allow without write permissions, or '\*' for all users. Only works with `github_token` input. See [Security](./security.md)         | No       | ""            |
+| `allowed_non_write_users`        | **⚠️ RISKY**: Comma-separated list of usernames to allow without write permissions, or '\*' for all users. Only works with `github_token` input. See [Security](./security.md)         | No       | ""            |
-| `bypass_write_permission_check_acknowledgment` | **REQUIRED** when using `allowed_non_write_users='*'`. Set to `true` to explicitly acknowledge security implications. Prevents accidental security misconfigurations                   | No       | `false`       |
+| `path_to_claude_code_executable` | Optional path to a custom Claude Code executable. Skips automatic installation. Useful for Nix, custom containers, or specialized environments                                         | No       | ""            |
-| `path_to_claude_code_executable`               | Optional path to a custom Claude Code executable. Skips automatic installation. Useful for Nix, custom containers, or specialized environments                                         | No       | ""            |
+| `path_to_bun_executable`         | Optional path to a custom Bun executable. Skips automatic Bun installation. Useful for Nix, custom containers, or specialized environments                                             | No       | ""            |
-| `path_to_bun_executable`                       | Optional path to a custom Bun executable. Skips automatic Bun installation. Useful for Nix, custom containers, or specialized environments                                             | No       | ""            |
+| `plugin_marketplaces`            | Newline-separated list of Claude Code plugin marketplace Git URLs to install from (e.g., see example in workflow above). Marketplaces are added before plugin installation             | No       | ""            |
-| `plugin_marketplaces`                          | Newline-separated list of Claude Code plugin marketplace Git URLs to install from (e.g., see example in workflow above). Marketplaces are added before plugin installation             | No       | ""            |
+| `plugins`                        | Newline-separated list of Claude Code plugin names to install (e.g., see example in workflow above). Plugins are installed before Claude Code execution                                | No       | ""            |
-| `plugins`                                      | Newline-separated list of Claude Code plugin names to install (e.g., see example in workflow above). Plugins are installed before Claude Code execution                                | No       | ""            |
 
 ### Deprecated Inputs
 

examples/issue-triage.yml

@@ -26,5 +26,4 @@ jobs:
 
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           allowed_non_write_users: "*" # Required for issue triage workflow, if users without repo write access create issues
-          bypass_write_permission_check_acknowledgment: true # Required when using wildcard
           github_token: ${{ secrets.GITHUB_TOKEN }}

package.json

@@ -12,7 +12,7 @@
   "dependencies": {
     "@actions/core": "^1.10.1",
     "@actions/github": "^6.0.1",
-    "@anthropic-ai/claude-agent-sdk": "^0.2.6",
+    "@anthropic-ai/claude-agent-sdk": "^0.2.4",
     "@modelcontextprotocol/sdk": "^1.11.0",
     "@octokit/graphql": "^8.2.2",
     "@octokit/rest": "^21.1.1",

src/entrypoints/prepare.ts

@@ -37,7 +37,6 @@ async function run() {
         context,
         context.inputs.allowedNonWriteUsers,
         githubTokenProvided,
-        context.inputs.bypassWritePermissionCheckAcknowledgment,
       );
       if (!hasWritePermissions) {
         throw new Error(

src/github/context.ts

@@ -96,7 +96,6 @@ type BaseContext = {
     botName: string;
     allowedBots: string;
     allowedNonWriteUsers: string;
-    bypassWritePermissionCheckAcknowledgment: boolean;
     trackProgress: boolean;
     includeFixLinks: boolean;
   };
@@ -155,8 +154,6 @@ export function parseGitHubContext(): GitHubContext {
       botName: process.env.BOT_NAME ?? CLAUDE_BOT_LOGIN,
       allowedBots: process.env.ALLOWED_BOTS ?? "",
       allowedNonWriteUsers: process.env.ALLOWED_NON_WRITE_USERS ?? "",
-      bypassWritePermissionCheckAcknowledgment:
-        process.env.BYPASS_WRITE_PERMISSION_CHECK_ACKNOWLEDGMENT === "true",
       trackProgress: process.env.TRACK_PROGRESS === "true",
       includeFixLinks: process.env.INCLUDE_FIX_LINKS === "true",
     },

src/github/validation/permissions.ts

@@ -8,7 +8,6 @@ import type { Octokit } from "@octokit/rest";
  * @param context - The GitHub context
  * @param allowedNonWriteUsers - Comma-separated list of users allowed without write permissions, or '*' for all
  * @param githubTokenProvided - Whether github_token was provided as input (not from app)
- * @param bypassAcknowledgment - Explicit acknowledgment required when using wildcard (*)
  * @returns true if the actor has write permissions, false otherwise
  */
 export async function checkWritePermissions(
@@ -16,7 +15,6 @@ export async function checkWritePermissions(
   context: ParsedGitHubContext,
   allowedNonWriteUsers?: string,
   githubTokenProvided?: boolean,
-  bypassAcknowledgment?: boolean,
 ): Promise<boolean> {
   const { repository, actor } = context;
 
@@ -27,17 +25,6 @@ export async function checkWritePermissions(
     if (allowedNonWriteUsers && githubTokenProvided) {
       const allowedUsers = allowedNonWriteUsers.trim();
       if (allowedUsers === "*") {
-        if (!bypassAcknowledgment) {
-          core.error(
-            `❌ SECURITY ERROR: Attempting to bypass write permission checks for all users with allowed_non_write_users='*' without explicit acknowledgment. ` +
-              `This is a critical security misconfiguration. To proceed, you must set bypass_write_permission_check_acknowledgment='true' ` +
-              `to explicitly acknowledge the security implications.`,
-          );
-          throw new Error(
-            "Cannot bypass write permission checks with wildcard (*) without explicit acknowledgment. " +
-              "Set bypass_write_permission_check_acknowledgment='true' to acknowledge security implications.",
-          );
-        }
         core.warning(
           `⚠️ SECURITY WARNING: Bypassing write permission check for ${actor} due to allowed_non_write_users='*'. This should only be used for workflows with very limited permissions.`,
         );

src/github/validation/trigger.ts

@@ -10,6 +10,11 @@ import {
   isPullRequestReviewCommentEvent,
 } from "../context";
 import type { ParsedGitHubContext } from "../context";
+import {
+  detectActionableSuggestion,
+  isCommentActionableForAutofix,
+  type ActionableSuggestionResult,
+} from "../../utils/detect-actionable-suggestion";
 
 export function checkContainsTrigger(context: ParsedGitHubContext): boolean {
   const {
@@ -146,3 +151,89 @@ export async function checkTriggerAction(context: ParsedGitHubContext) {
   core.setOutput("contains_trigger", containsTrigger.toString());
   return containsTrigger;
 }
+
+/**
+ * Checks if the context contains an actionable suggestion that can be automatically fixed.
+ * This is useful for autofix workflows that want to respond to code review suggestions,
+ * even when they come from bot accounts like claude[bot].
+ *
+ * @param context - The parsed GitHub context
+ * @returns Detection result with confidence level and reason
+ */
+export function checkContainsActionableSuggestion(
+  context: ParsedGitHubContext,
+): ActionableSuggestionResult {
+  // Extract comment body based on event type
+  let commentBody: string | undefined;
+
+  if (isPullRequestReviewCommentEvent(context)) {
+    commentBody = context.payload.comment.body;
+  } else if (isIssueCommentEvent(context)) {
+    commentBody = context.payload.comment.body;
+  } else if (isPullRequestReviewEvent(context)) {
+    commentBody = context.payload.review.body ?? undefined;
+  }
+
+  return detectActionableSuggestion(commentBody);
+}
+
+/**
+ * Enhanced trigger check that also considers actionable suggestions.
+ * This function first checks for the standard trigger phrase, and if not found,
+ * optionally checks for actionable suggestions when `checkSuggestions` is true.
+ *
+ * @param context - The parsed GitHub context
+ * @param checkSuggestions - Whether to also check for actionable suggestions (default: false)
+ * @returns Whether the action should be triggered
+ */
+export function checkContainsTriggerOrActionableSuggestion(
+  context: ParsedGitHubContext,
+  checkSuggestions: boolean = false,
+): boolean {
+  // First, check for standard trigger
+  if (checkContainsTrigger(context)) {
+    return true;
+  }
+
+  // If checkSuggestions is enabled, also check for actionable suggestions
+  if (checkSuggestions) {
+    const suggestionResult = checkContainsActionableSuggestion(context);
+    if (suggestionResult.isActionable) {
+      console.log(
+        `Comment contains actionable suggestion: ${suggestionResult.reason} (confidence: ${suggestionResult.confidence})`,
+      );
+      return true;
+    }
+  }
+
+  return false;
+}
+
+/**
+ * Checks if a PR comment is actionable for autofix purposes.
+ * This is a convenience function for workflows that want to automatically
+ * apply suggestions from code review comments.
+ *
+ * @param context - The parsed GitHub context
+ * @returns Whether the comment should be treated as actionable for autofix
+ */
+export function checkIsActionableForAutofix(
+  context: ParsedGitHubContext,
+): boolean {
+  // Only applicable to PR review comment events
+  if (!isPullRequestReviewCommentEvent(context)) {
+    return false;
+  }
+
+  const commentBody = context.payload.comment.body;
+  const authorUsername = context.payload.comment.user?.login;
+
+  return isCommentActionableForAutofix(commentBody, authorUsername);
+}
+
+// Re-export the types and functions from the utility module for convenience
+export {
+  detectActionableSuggestion,
+  isCommentActionableForAutofix,
+  type ActionableSuggestionResult,
+} from "../../utils/detect-actionable-suggestion";

src/utils/detect-actionable-suggestion.ts

@@ -0,0 +1,213 @@
+#!/usr/bin/env bun
+
+/**
+ * Detects if a PR comment contains actionable suggestions that can be automatically fixed.
+ *
+ * This module identifies:
+ * 1. GitHub inline committable suggestions (```suggestion blocks)
+ * 2. Clear bug fix suggestions with specific patterns
+ * 3. Code fix recommendations with explicit changes
+ */
+
+/**
+ * Patterns that indicate a comment contains a GitHub inline committable suggestion.
+ * These are code blocks that GitHub renders with a "Commit suggestion" button.
+ */
+const COMMITTABLE_SUGGESTION_PATTERN = /```suggestion\b[\s\S]*?```/i;
+
+/**
+ * Patterns that indicate a clear, actionable bug fix suggestion.
+ * These phrases typically precede concrete fix recommendations.
+ */
+const BUG_FIX_PATTERNS = [
+  // Direct fix suggestions
+  /\bshould\s+(?:be|use|return|change\s+to)\b/i,
+  /\bchange\s+(?:this\s+)?to\b/i,
+  /\breplace\s+(?:this\s+)?with\b/i,
+  /\buse\s+(?:this\s+)?instead\b/i,
+  /\binstead\s+of\s+.*?,?\s*use\b/i,
+
+  // Bug identification with fix
+  /\b(?:bug|issue|error|problem):\s*.*(?:fix|change|update|replace)/i,
+  /\bfix(?:ed)?\s+by\s+(?:chang|replac|updat)/i,
+  /\bto\s+fix\s+(?:this|the)\b/i,
+
+  // Explicit code changes
+  /\bthe\s+(?:correct|proper|right)\s+(?:code|syntax|value|approach)\s+(?:is|would\s+be)\b/i,
+  /\bshould\s+(?:read|look\s+like)\b/i,
+
+  // Missing/wrong patterns
+  /\bmissing\s+(?:a\s+)?(?:semicolon|bracket|parenthesis|quote|import|return|await)\b/i,
+  /\bextra\s+(?:semicolon|bracket|parenthesis|quote)\b/i,
+  /\bwrong\s+(?:type|value|variable|import|parameter)\b/i,
+  /\btypo\s+(?:in|here)\b/i,
+];
+
+/**
+ * Patterns that suggest code alternatives (less strong than direct fixes but still actionable).
+ */
+const CODE_ALTERNATIVE_PATTERNS = [
+  /```[\w]*\n[\s\S]+?\n```/, // Any code block (might contain the fix)
+  /\b(?:try|consider)\s+(?:using|changing|replacing)\b/i,
+  /\bhere'?s?\s+(?:the|a)\s+(?:fix|solution|correction)\b/i,
+  /\b(?:correct|fixed|updated)\s+(?:version|code|implementation)\b/i,
+];
+
+export interface ActionableSuggestionResult {
+  /** Whether the comment contains an actionable suggestion */
+  isActionable: boolean;
+  /** Whether the comment contains a GitHub inline committable suggestion */
+  hasCommittableSuggestion: boolean;
+  /** Whether the comment contains clear bug fix language */
+  hasBugFixSuggestion: boolean;
+  /** Whether the comment contains code alternatives */
+  hasCodeAlternative: boolean;
+  /** Confidence level: 'high', 'medium', or 'low' */
+  confidence: "high" | "medium" | "low";
+  /** Reason for the determination */
+  reason: string;
+}
+
+/**
+ * Detects if a comment contains actionable suggestions that can be automatically fixed.
+ *
+ * @param commentBody - The body of the PR comment to analyze
+ * @returns Object with detection results and confidence level
+ *
+ * @example
+ * ```ts
+ * const result = detectActionableSuggestion("```suggestion\nfixed code\n```");
+ * // { isActionable: true, hasCommittableSuggestion: true, confidence: 'high', ... }
+ *
+ * const result2 = detectActionableSuggestion("You should use `const` instead of `let` here");
+ * // { isActionable: true, hasBugFixSuggestion: true, confidence: 'medium', ... }
+ * ```
+ */
+export function detectActionableSuggestion(
+  commentBody: string | undefined | null,
+): ActionableSuggestionResult {
+  if (!commentBody) {
+    return {
+      isActionable: false,
+      hasCommittableSuggestion: false,
+      hasBugFixSuggestion: false,
+      hasCodeAlternative: false,
+      confidence: "low",
+      reason: "Empty or missing comment body",
+    };
+  }
+
+  // Check for GitHub inline committable suggestion (highest confidence)
+  const hasCommittableSuggestion =
+    COMMITTABLE_SUGGESTION_PATTERN.test(commentBody);
+  if (hasCommittableSuggestion) {
+    return {
+      isActionable: true,
+      hasCommittableSuggestion: true,
+      hasBugFixSuggestion: false,
+      hasCodeAlternative: false,
+      confidence: "high",
+      reason: "Contains GitHub inline committable suggestion (```suggestion)",
+    };
+  }
+
+  // Check for clear bug fix patterns (medium-high confidence)
+  const matchedBugFixPattern = BUG_FIX_PATTERNS.find((pattern) =>
+    pattern.test(commentBody),
+  );
+  if (matchedBugFixPattern) {
+    // Higher confidence if also contains a code block
+    const hasCodeBlock = CODE_ALTERNATIVE_PATTERNS[0].test(commentBody);
+    return {
+      isActionable: true,
+      hasCommittableSuggestion: false,
+      hasBugFixSuggestion: true,
+      hasCodeAlternative: hasCodeBlock,
+      confidence: hasCodeBlock ? "high" : "medium",
+      reason: hasCodeBlock
+        ? "Contains clear bug fix suggestion with code example"
+        : "Contains clear bug fix suggestion",
+    };
+  }
+
+  // Check for code alternatives (medium confidence)
+  const matchedAlternativePattern = CODE_ALTERNATIVE_PATTERNS.find((pattern) =>
+    pattern.test(commentBody),
+  );
+  if (matchedAlternativePattern) {
+    return {
+      isActionable: true,
+      hasCommittableSuggestion: false,
+      hasBugFixSuggestion: false,
+      hasCodeAlternative: true,
+      confidence: "medium",
+      reason: "Contains code alternative or fix suggestion",
+    };
+  }
+
+  return {
+    isActionable: false,
+    hasCommittableSuggestion: false,
+    hasBugFixSuggestion: false,
+    hasCodeAlternative: false,
+    confidence: "low",
+    reason: "No actionable suggestion patterns detected",
+  };
+}
+
+/**
+ * Checks if a comment should be treated as actionable for autofix purposes,
+ * even if it comes from a bot account like claude[bot].
+ *
+ * This is particularly useful for workflows that want to automatically apply
+ * suggestions from code review comments.
+ *
+ * @param commentBody - The body of the PR comment
+ * @param authorUsername - The username of the comment author
+ * @returns Whether the comment should be treated as actionable
+ */
+export function isCommentActionableForAutofix(
+  commentBody: string | undefined | null,
+  authorUsername?: string,
+): boolean {
+  const result = detectActionableSuggestion(commentBody);
+
+  // If it's already clearly actionable (high confidence), return true
+  if (result.confidence === "high") {
+    return true;
+  }
+
+  // For medium confidence, be more lenient
+  if (result.confidence === "medium" && result.isActionable) {
+    return true;
+  }
+
+  return false;
+}
+
+/**
+ * Extracts the suggested code from a GitHub inline committable suggestion block.
+ *
+ * @param commentBody - The body of the PR comment
+ * @returns The suggested code content, or null if no suggestion block found
+ *
+ * @example
+ * ```ts
+ * const code = extractSuggestionCode("```suggestion\nconst x = 1;\n```");
+ * // "const x = 1;"
+ * ```
+ */
+export function extractSuggestionCode(
+  commentBody: string | undefined | null,
+): string | null {
+  if (!commentBody) {
+    return null;
+  }
+
+  const match = commentBody.match(/```suggestion\b\n?([\s\S]*?)```/i);
+  if (match && match[1] !== undefined) {
+    return match[1].trim();
+  }
+
+  return null;
+}

test/detect-actionable-suggestion.test.ts

@@ -0,0 +1,309 @@
+import { describe, expect, it } from "bun:test";
+import {
+  detectActionableSuggestion,
+  isCommentActionableForAutofix,
+  extractSuggestionCode,
+} from "../src/utils/detect-actionable-suggestion";
+
+describe("detectActionableSuggestion", () => {
+  describe("GitHub inline committable suggestions", () => {
+    it("should detect suggestion blocks with high confidence", () => {
+      const comment = `Here's a fix:
+\`\`\`suggestion
+const x = 1;
+\`\`\``;
+      const result = detectActionableSuggestion(comment);
+      expect(result.isActionable).toBe(true);
+      expect(result.hasCommittableSuggestion).toBe(true);
+      expect(result.confidence).toBe("high");
+      expect(result.reason).toContain("committable suggestion");
+    });
+
+    it("should detect suggestion blocks with multiple lines", () => {
+      const comment = `\`\`\`suggestion
+function foo() {
+  return bar();
+}
+\`\`\``;
+      const result = detectActionableSuggestion(comment);
+      expect(result.isActionable).toBe(true);
+      expect(result.hasCommittableSuggestion).toBe(true);
+      expect(result.confidence).toBe("high");
+    });
+
+    it("should detect suggestion blocks case-insensitively", () => {
+      const comment = `\`\`\`SUGGESTION
+const x = 1;
+\`\`\``;
+      const result = detectActionableSuggestion(comment);
+      expect(result.isActionable).toBe(true);
+      expect(result.hasCommittableSuggestion).toBe(true);
+    });
+
+    it("should not confuse regular code blocks with suggestion blocks", () => {
+      const comment = `\`\`\`javascript
+const x = 1;
+\`\`\``;
+      const result = detectActionableSuggestion(comment);
+      expect(result.hasCommittableSuggestion).toBe(false);
+      // But it should still detect the code alternative
+      expect(result.hasCodeAlternative).toBe(true);
+    });
+  });
+
+  describe("bug fix suggestions", () => {
+    it('should detect "should be" patterns', () => {
+      const comment = "This should be `const` instead of `let`";
+      const result = detectActionableSuggestion(comment);
+      expect(result.isActionable).toBe(true);
+      expect(result.hasBugFixSuggestion).toBe(true);
+      expect(result.confidence).toBe("medium");
+    });
+
+    it('should detect "change to" patterns', () => {
+      const comment = "Change this to use async/await";
+      const result = detectActionableSuggestion(comment);
+      expect(result.isActionable).toBe(true);
+      expect(result.hasBugFixSuggestion).toBe(true);
+    });
+
+    it('should detect "replace with" patterns', () => {
+      const comment = "Replace this with Array.from()";
+      const result = detectActionableSuggestion(comment);
+      expect(result.isActionable).toBe(true);
+      expect(result.hasBugFixSuggestion).toBe(true);
+    });
+
+    it('should detect "use instead" patterns', () => {
+      const comment = "Use this instead of the deprecated method";
+      const result = detectActionableSuggestion(comment);
+      expect(result.isActionable).toBe(true);
+      expect(result.hasBugFixSuggestion).toBe(true);
+    });
+
+    it('should detect "instead of X, use Y" patterns', () => {
+      const comment = "Instead of forEach, use map";
+      const result = detectActionableSuggestion(comment);
+      expect(result.isActionable).toBe(true);
+      expect(result.hasBugFixSuggestion).toBe(true);
+    });
+
+    it('should detect "to fix this" patterns', () => {
+      const comment = "To fix this, you need to add the await keyword";
+      const result = detectActionableSuggestion(comment);
+      expect(result.isActionable).toBe(true);
+      expect(result.hasBugFixSuggestion).toBe(true);
+    });
+
+    it('should detect "the correct code is" patterns', () => {
+      const comment = "The correct code would be: return null;";
+      const result = detectActionableSuggestion(comment);
+      expect(result.isActionable).toBe(true);
+      expect(result.hasBugFixSuggestion).toBe(true);
+    });
+
+    it('should detect "missing semicolon" patterns', () => {
+      const comment = "Missing a semicolon at the end";
+      const result = detectActionableSuggestion(comment);
+      expect(result.isActionable).toBe(true);
+      expect(result.hasBugFixSuggestion).toBe(true);
+    });
+
+    it('should detect "typo" patterns', () => {
+      const comment = "Typo here: teh should be the";
+      const result = detectActionableSuggestion(comment);
+      expect(result.isActionable).toBe(true);
+      expect(result.hasBugFixSuggestion).toBe(true);
+    });
+
+    it('should detect "wrong type" patterns', () => {
+      const comment = "Wrong type here, should be string not number";
+      const result = detectActionableSuggestion(comment);
+      expect(result.isActionable).toBe(true);
+      expect(result.hasBugFixSuggestion).toBe(true);
+    });
+
+    it("should have high confidence when bug fix suggestion includes code block", () => {
+      const comment = `You should use const here:
+\`\`\`javascript
+const x = 1;
+\`\`\``;
+      const result = detectActionableSuggestion(comment);
+      expect(result.isActionable).toBe(true);
+      expect(result.hasBugFixSuggestion).toBe(true);
+      expect(result.hasCodeAlternative).toBe(true);
+      expect(result.confidence).toBe("high");
+    });
+  });
+
+  describe("code alternatives", () => {
+    it('should detect "try using" patterns', () => {
+      const comment = "Try using Array.map() instead";
+      const result = detectActionableSuggestion(comment);
+      expect(result.isActionable).toBe(true);
+    });
+
+    it('should detect "here\'s the fix" patterns', () => {
+      const comment = "Here's the fix for this issue";
+      const result = detectActionableSuggestion(comment);
+      expect(result.isActionable).toBe(true);
+    });
+
+    it("should detect code blocks as potential alternatives", () => {
+      const comment = `Try this approach:
+\`\`\`
+const result = [];
+\`\`\``;
+      const result = detectActionableSuggestion(comment);
+      expect(result.isActionable).toBe(true);
+      expect(result.hasCodeAlternative).toBe(true);
+    });
+  });
+
+  describe("non-actionable comments", () => {
+    it("should not flag general questions", () => {
+      const comment = "Why is this returning undefined?";
+      const result = detectActionableSuggestion(comment);
+      expect(result.isActionable).toBe(false);
+      expect(result.confidence).toBe("low");
+    });
+
+    it("should not flag simple observations", () => {
+      const comment = "This looks interesting";
+      const result = detectActionableSuggestion(comment);
+      expect(result.isActionable).toBe(false);
+    });
+
+    it("should not flag approval comments", () => {
+      const comment = "LGTM! :+1:";
+      const result = detectActionableSuggestion(comment);
+      expect(result.isActionable).toBe(false);
+    });
+
+    it("should handle empty comments", () => {
+      const result = detectActionableSuggestion("");
+      expect(result.isActionable).toBe(false);
+      expect(result.reason).toContain("Empty");
+    });
+
+    it("should handle null comments", () => {
+      const result = detectActionableSuggestion(null);
+      expect(result.isActionable).toBe(false);
+    });
+
+    it("should handle undefined comments", () => {
+      const result = detectActionableSuggestion(undefined);
+      expect(result.isActionable).toBe(false);
+    });
+  });
+
+  describe("edge cases", () => {
+    it("should handle comments with both suggestion block and bug fix language", () => {
+      const comment = `This should be fixed. Here's the suggestion:
+\`\`\`suggestion
+const x = 1;
+\`\`\``;
+      const result = detectActionableSuggestion(comment);
+      // Suggestion block takes precedence (high confidence)
+      expect(result.isActionable).toBe(true);
+      expect(result.hasCommittableSuggestion).toBe(true);
+      expect(result.confidence).toBe("high");
+    });
+
+    it("should handle very long comments", () => {
+      const longContent = "a".repeat(10000);
+      const comment = `${longContent}
+\`\`\`suggestion
+const x = 1;
+\`\`\``;
+      const result = detectActionableSuggestion(comment);
+      expect(result.isActionable).toBe(true);
+      expect(result.hasCommittableSuggestion).toBe(true);
+    });
+
+    it("should handle comments with special characters", () => {
+      const comment =
+        "You should be using `const` here! @#$%^&* Change this to `let`";
+      const result = detectActionableSuggestion(comment);
+      expect(result.isActionable).toBe(true);
+    });
+  });
+});
+
+describe("isCommentActionableForAutofix", () => {
+  it("should return true for high confidence suggestions", () => {
+    const comment = `\`\`\`suggestion
+const x = 1;
+\`\`\``;
+    expect(isCommentActionableForAutofix(comment)).toBe(true);
+  });
+
+  it("should return true for medium confidence suggestions", () => {
+    const comment = "You should use const here instead of let";
+    expect(isCommentActionableForAutofix(comment)).toBe(true);
+  });
+
+  it("should return false for non-actionable comments", () => {
+    const comment = "This looks fine to me";
+    expect(isCommentActionableForAutofix(comment)).toBe(false);
+  });
+
+  it("should handle bot authors correctly", () => {
+    const comment = `\`\`\`suggestion
+const x = 1;
+\`\`\``;
+    // Should still return true even for bot authors
+    expect(isCommentActionableForAutofix(comment, "claude[bot]")).toBe(true);
+  });
+
+  it("should handle empty comments", () => {
+    expect(isCommentActionableForAutofix("")).toBe(false);
+    expect(isCommentActionableForAutofix(null)).toBe(false);
+    expect(isCommentActionableForAutofix(undefined)).toBe(false);
+  });
+});
+
+describe("extractSuggestionCode", () => {
+  it("should extract code from suggestion block", () => {
+    const comment = `Here's a fix:
+\`\`\`suggestion
+const x = 1;
+\`\`\``;
+    expect(extractSuggestionCode(comment)).toBe("const x = 1;");
+  });
+
+  it("should extract multi-line code from suggestion block", () => {
+    const comment = `\`\`\`suggestion
+function foo() {
+  return bar();
+}
+\`\`\``;
+    expect(extractSuggestionCode(comment)).toBe(
+      "function foo() {\n  return bar();\n}",
+    );
+  });
+
+  it("should handle empty suggestion blocks", () => {
+    const comment = `\`\`\`suggestion
+\`\`\``;
+    expect(extractSuggestionCode(comment)).toBe("");
+  });
+
+  it("should return null for comments without suggestion blocks", () => {
+    const comment = "Just a regular comment";
+    expect(extractSuggestionCode(comment)).toBe(null);
+  });
+
+  it("should return null for empty comments", () => {
+    expect(extractSuggestionCode("")).toBe(null);
+    expect(extractSuggestionCode(null)).toBe(null);
+    expect(extractSuggestionCode(undefined)).toBe(null);
+  });
+
+  it("should not extract from regular code blocks", () => {
+    const comment = `\`\`\`javascript
+const x = 1;
+\`\`\``;
+    expect(extractSuggestionCode(comment)).toBe(null);
+  });
+});

test/permissions.test.ts

@@ -73,7 +73,6 @@ describe("checkWritePermissions", () => {
       botName: CLAUDE_BOT_LOGIN,
       allowedBots: "",
       allowedNonWriteUsers: "",
-      bypassWritePermissionCheckAcknowledgment: false,
       trackProgress: false,
       includeFixLinks: true,
     },
@@ -198,7 +197,7 @@ describe("checkWritePermissions", () => {
       );
     });
 
-    test("should bypass permission check for all users with wildcard when acknowledgment provided", async () => {
+    test("should bypass permission check for all users with wildcard", async () => {
       const mockOctokit = createMockOctokit("read");
       const context = createContext();
 
@@ -207,7 +206,6 @@ describe("checkWritePermissions", () => {
         context,
         "*",
         true,
-        true, // acknowledgment provided
       );
 
       expect(result).toBe(true);
@@ -216,17 +214,6 @@ describe("checkWritePermissions", () => {
       );
     });
 
-    test("should FAIL to bypass permission check with wildcard when acknowledgment NOT provided", async () => {
-      const mockOctokit = createMockOctokit("read");
-      const context = createContext();
-
-      await expect(
-        checkWritePermissions(mockOctokit, context, "*", true, false),
-      ).rejects.toThrow(
-        "Cannot bypass write permission checks with wildcard (*) without explicit acknowledgment",
-      );
-    });
-
     test("should NOT bypass permission check when user not in allowed list", async () => {
       const mockOctokit = createMockOctokit("read");
       const context = createContext();