fix: prevent path traversal in delete_files MCP tool

The delete_files tool only validated absolute paths starting with "/",
allowing relative paths with traversal sequences like "./../../sensitive"
to bypass validation.

Now all paths are normalized using path.resolve() before validation,
ensuring both absolute and relative paths with ".." sequences are
properly blocked from accessing files outside the repository root.

.github/workflows/claude.yml

@@ -36,4 +36,4 @@ jobs:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           claude_args: |
             --allowedTools "Bash(bun install),Bash(bun test:*),Bash(bun run format),Bash(bun typecheck)"
-            --model "claude-opus-4-5"
+            --model "claude-opus-4-1-20250805"

action.yml

@@ -127,9 +127,6 @@ outputs:
   structured_output:
     description: "JSON string containing all structured output fields when --json-schema is provided in claude_args. Use fromJSON() to parse: fromJSON(steps.id.outputs.structured_output).field_name"
     value: ${{ steps.claude-code.outputs.structured_output }}
-  session_id:
-    description: "The Claude Code session ID that can be used with --resume to continue this conversation"
-    value: ${{ steps.claude-code.outputs.session_id }}
 
 runs:
   using: "composite"
@@ -198,7 +195,7 @@ runs:
 
         # Install Claude Code if no custom executable is provided
         if [ -z "$PATH_TO_CLAUDE_CODE_EXECUTABLE" ]; then
-          CLAUDE_CODE_VERSION="2.0.70"
+          CLAUDE_CODE_VERSION="2.0.62"
           echo "Installing Claude Code v${CLAUDE_CODE_VERSION}..."
           for attempt in 1 2 3; do
             echo "Installation attempt $attempt..."

base-action/action.yml

@@ -82,9 +82,6 @@ outputs:
   structured_output:
     description: "JSON string containing all structured output fields when --json-schema is provided in claude_args (use fromJSON() or jq to parse)"
     value: ${{ steps.run_claude.outputs.structured_output }}
-  session_id:
-    description: "The Claude Code session ID that can be used with --resume to continue this conversation"
-    value: ${{ steps.run_claude.outputs.session_id }}
 
 runs:
   using: "composite"
@@ -124,7 +121,7 @@ runs:
         PATH_TO_CLAUDE_CODE_EXECUTABLE: ${{ inputs.path_to_claude_code_executable }}
       run: |
         if [ -z "$PATH_TO_CLAUDE_CODE_EXECUTABLE" ]; then
-          CLAUDE_CODE_VERSION="2.0.70"
+          CLAUDE_CODE_VERSION="2.0.62"
           echo "Installing Claude Code v${CLAUDE_CODE_VERSION}..."
           for attempt in 1 2 3; do
             echo "Installation attempt $attempt..."

base-action/bun.lock

@@ -1,12 +1,11 @@
 {
   "lockfileVersion": 1,
-  "configVersion": 0,
   "workspaces": {
     "": {
       "name": "@anthropic-ai/claude-code-base-action",
       "dependencies": {
         "@actions/core": "^1.10.1",
-        "@anthropic-ai/claude-agent-sdk": "^0.1.70",
+        "@anthropic-ai/claude-agent-sdk": "^0.1.52",
         "shell-quote": "^1.8.3",
       },
       "devDependencies": {
@@ -27,7 +26,7 @@
 
     "@actions/io": ["@actions/io@1.1.3", "", {}, "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q=="],
 
-    "@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.1.70", "", { "optionalDependencies": { "@img/sharp-darwin-arm64": "^0.33.5", "@img/sharp-darwin-x64": "^0.33.5", "@img/sharp-linux-arm": "^0.33.5", "@img/sharp-linux-arm64": "^0.33.5", "@img/sharp-linux-x64": "^0.33.5", "@img/sharp-linuxmusl-arm64": "^0.33.5", "@img/sharp-linuxmusl-x64": "^0.33.5", "@img/sharp-win32-x64": "^0.33.5" }, "peerDependencies": { "zod": "^3.24.1" } }, "sha512-4jpFPDX8asys6skO1r3Pzh0Fe9nbND2ASYTWuyFB5iN9bWEL6WScTFyGokjql3M2TkEp9ZGuB2YYpTCdaqT9Sw=="],
+    "@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.1.52", "", { "optionalDependencies": { "@img/sharp-darwin-arm64": "^0.33.5", "@img/sharp-darwin-x64": "^0.33.5", "@img/sharp-linux-arm": "^0.33.5", "@img/sharp-linux-arm64": "^0.33.5", "@img/sharp-linux-x64": "^0.33.5", "@img/sharp-linuxmusl-arm64": "^0.33.5", "@img/sharp-linuxmusl-x64": "^0.33.5", "@img/sharp-win32-x64": "^0.33.5" }, "peerDependencies": { "zod": "^3.24.1" } }, "sha512-yF8N05+9NRbqYA/h39jQ726HTQFrdXXp7pEfDNKIJ2c4FdWvEjxBA/8ciZIebN6/PyvGDcbEp3yq2Co4rNpg6A=="],
 
     "@fastify/busboy": ["@fastify/busboy@2.1.1", "", {}, "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA=="],
 

base-action/package.json

@@ -11,7 +11,7 @@
   },
   "dependencies": {
     "@actions/core": "^1.10.1",
-    "@anthropic-ai/claude-agent-sdk": "^0.1.70",
+    "@anthropic-ai/claude-agent-sdk": "^0.1.52",
     "shell-quote": "^1.8.3"
   },
   "devDependencies": {

base-action/src/run-claude.ts

@@ -124,36 +124,6 @@ export function prepareRunConfig(
   };
 }
 
-/**
- * Parses session_id from execution file and sets GitHub Action output
- * Exported for testing
- */
-export async function parseAndSetSessionId(
-  executionFile: string,
-): Promise<void> {
-  try {
-    const content = await readFile(executionFile, "utf-8");
-    const messages = JSON.parse(content) as {
-      type: string;
-      subtype?: string;
-      session_id?: string;
-    }[];
-
-    // Find the system.init message which contains session_id
-    const initMessage = messages.find(
-      (m) => m.type === "system" && m.subtype === "init",
-    );
-
-    if (initMessage?.session_id) {
-      core.setOutput("session_id", initMessage.session_id);
-      core.info(`Set session_id: ${initMessage.session_id}`);
-    }
-  } catch (error) {
-    // Don't fail the action if session_id extraction fails
-    core.warning(`Failed to extract session_id: ${error}`);
-  }
-}
-
 /**
  * Parses structured_output from execution file and sets GitHub Action outputs
  * Only runs if --json-schema was explicitly provided in claude_args
@@ -197,8 +167,8 @@ export async function parseAndSetStructuredOutputs(
 }
 
 export async function runClaude(promptPath: string, options: ClaudeOptions) {
-  // Feature flag: use SDK path by default, set USE_AGENT_SDK=false to use CLI
-  const useAgentSdk = process.env.USE_AGENT_SDK !== "false";
+  // Feature flag: use SDK path when USE_AGENT_SDK=true
+  const useAgentSdk = process.env.USE_AGENT_SDK === "true";
   console.log(
     `Using ${useAgentSdk ? "Agent SDK" : "CLI"} path (USE_AGENT_SDK=${process.env.USE_AGENT_SDK ?? "unset"})`,
   );
@@ -398,9 +368,6 @@ export async function runClaude(promptPath: string, options: ClaudeOptions) {
 
     core.setOutput("execution_file", EXECUTION_FILE);
 
-    // Extract and set session_id
-    await parseAndSetSessionId(EXECUTION_FILE);
-
     // Parse and set structured outputs only if user provided --json-schema in claude_args
     if (hasJsonSchema) {
       try {

base-action/test/structured-output.test.ts

@@ -4,10 +4,7 @@ import { describe, test, expect, afterEach, beforeEach, spyOn } from "bun:test";
 import { writeFile, unlink } from "fs/promises";
 import { tmpdir } from "os";
 import { join } from "path";
-import {
-  parseAndSetStructuredOutputs,
-  parseAndSetSessionId,
-} from "../src/run-claude";
+import { parseAndSetStructuredOutputs } from "../src/run-claude";
 import * as core from "@actions/core";
 
 // Mock execution file path
@@ -38,19 +35,16 @@ async function createMockExecutionFile(
 // Spy on core functions
 let setOutputSpy: any;
 let infoSpy: any;
-let warningSpy: any;
 
 beforeEach(() => {
   setOutputSpy = spyOn(core, "setOutput").mockImplementation(() => {});
   infoSpy = spyOn(core, "info").mockImplementation(() => {});
-  warningSpy = spyOn(core, "warning").mockImplementation(() => {});
 });
 
 describe("parseAndSetStructuredOutputs", () => {
   afterEach(async () => {
     setOutputSpy?.mockRestore();
     infoSpy?.mockRestore();
-    warningSpy?.mockRestore();
     try {
       await unlink(TEST_EXECUTION_FILE);
     } catch {
@@ -162,66 +156,3 @@ describe("parseAndSetStructuredOutputs", () => {
     );
   });
 });
-
-describe("parseAndSetSessionId", () => {
-  afterEach(async () => {
-    setOutputSpy?.mockRestore();
-    infoSpy?.mockRestore();
-    warningSpy?.mockRestore();
-    try {
-      await unlink(TEST_EXECUTION_FILE);
-    } catch {
-      // Ignore if file doesn't exist
-    }
-  });
-
-  test("should extract session_id from system.init message", async () => {
-    const messages = [
-      { type: "system", subtype: "init", session_id: "test-session-123" },
-      { type: "result", cost_usd: 0.01 },
-    ];
-    await writeFile(TEST_EXECUTION_FILE, JSON.stringify(messages));
-
-    await parseAndSetSessionId(TEST_EXECUTION_FILE);
-
-    expect(setOutputSpy).toHaveBeenCalledWith("session_id", "test-session-123");
-    expect(infoSpy).toHaveBeenCalledWith("Set session_id: test-session-123");
-  });
-
-  test("should handle missing session_id gracefully", async () => {
-    const messages = [
-      { type: "system", subtype: "init" },
-      { type: "result", cost_usd: 0.01 },
-    ];
-    await writeFile(TEST_EXECUTION_FILE, JSON.stringify(messages));
-
-    await parseAndSetSessionId(TEST_EXECUTION_FILE);
-
-    expect(setOutputSpy).not.toHaveBeenCalled();
-  });
-
-  test("should handle missing system.init message gracefully", async () => {
-    const messages = [{ type: "result", cost_usd: 0.01 }];
-    await writeFile(TEST_EXECUTION_FILE, JSON.stringify(messages));
-
-    await parseAndSetSessionId(TEST_EXECUTION_FILE);
-
-    expect(setOutputSpy).not.toHaveBeenCalled();
-  });
-
-  test("should handle malformed JSON gracefully with warning", async () => {
-    await writeFile(TEST_EXECUTION_FILE, "{ invalid json");
-
-    await parseAndSetSessionId(TEST_EXECUTION_FILE);
-
-    expect(setOutputSpy).not.toHaveBeenCalled();
-    expect(warningSpy).toHaveBeenCalled();
-  });
-
-  test("should handle non-existent file gracefully with warning", async () => {
-    await parseAndSetSessionId("/nonexistent/file.json");
-
-    expect(setOutputSpy).not.toHaveBeenCalled();
-    expect(warningSpy).toHaveBeenCalled();
-  });
-});

bun.lock

@@ -1,13 +1,12 @@
 {
   "lockfileVersion": 1,
-  "configVersion": 0,
   "workspaces": {
     "": {
       "name": "@anthropic-ai/claude-code-action",
       "dependencies": {
         "@actions/core": "^1.10.1",
         "@actions/github": "^6.0.1",
-        "@anthropic-ai/claude-agent-sdk": "^0.1.70",
+        "@anthropic-ai/claude-agent-sdk": "^0.1.52",
         "@modelcontextprotocol/sdk": "^1.11.0",
         "@octokit/graphql": "^8.2.2",
         "@octokit/rest": "^21.1.1",
@@ -37,7 +36,7 @@
 
     "@actions/io": ["@actions/io@1.1.3", "", {}, "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q=="],
 
-    "@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.1.70", "", { "optionalDependencies": { "@img/sharp-darwin-arm64": "^0.33.5", "@img/sharp-darwin-x64": "^0.33.5", "@img/sharp-linux-arm": "^0.33.5", "@img/sharp-linux-arm64": "^0.33.5", "@img/sharp-linux-x64": "^0.33.5", "@img/sharp-linuxmusl-arm64": "^0.33.5", "@img/sharp-linuxmusl-x64": "^0.33.5", "@img/sharp-win32-x64": "^0.33.5" }, "peerDependencies": { "zod": "^3.24.1" } }, "sha512-4jpFPDX8asys6skO1r3Pzh0Fe9nbND2ASYTWuyFB5iN9bWEL6WScTFyGokjql3M2TkEp9ZGuB2YYpTCdaqT9Sw=="],
+    "@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.1.52", "", { "optionalDependencies": { "@img/sharp-darwin-arm64": "^0.33.5", "@img/sharp-darwin-x64": "^0.33.5", "@img/sharp-linux-arm": "^0.33.5", "@img/sharp-linux-arm64": "^0.33.5", "@img/sharp-linux-x64": "^0.33.5", "@img/sharp-linuxmusl-arm64": "^0.33.5", "@img/sharp-linuxmusl-x64": "^0.33.5", "@img/sharp-win32-x64": "^0.33.5" }, "peerDependencies": { "zod": "^3.24.1" } }, "sha512-yF8N05+9NRbqYA/h39jQ726HTQFrdXXp7pEfDNKIJ2c4FdWvEjxBA/8ciZIebN6/PyvGDcbEp3yq2Co4rNpg6A=="],
 
     "@fastify/busboy": ["@fastify/busboy@2.1.1", "", {}, "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA=="],
 

package.json

@@ -12,7 +12,7 @@
   "dependencies": {
     "@actions/core": "^1.10.1",
     "@actions/github": "^6.0.1",
-    "@anthropic-ai/claude-agent-sdk": "^0.1.70",
+    "@anthropic-ai/claude-agent-sdk": "^0.1.52",
     "@modelcontextprotocol/sdk": "^1.11.0",
     "@octokit/graphql": "^8.2.2",
     "@octokit/rest": "^21.1.1",

src/github/operations/branch.ts

@@ -6,112 +6,13 @@
  * - For Issues: Create a new branch
  */
 
-import { execFileSync } from "child_process";
+import { $ } from "bun";
 import * as core from "@actions/core";
 import type { ParsedGitHubContext } from "../context";
 import type { GitHubPullRequest } from "../types";
 import type { Octokits } from "../api/client";
 import type { FetchDataResult } from "../data/fetcher";
 
-/**
- * Validates a git branch name against a strict whitelist pattern.
- * This prevents command injection by ensuring only safe characters are used.
- *
- * Valid branch names:
- * - Start with alphanumeric character (not dash, to prevent option injection)
- * - Contain only alphanumeric, forward slash, hyphen, underscore, or period
- * - Do not start or end with a period
- * - Do not end with a slash
- * - Do not contain '..' (path traversal)
- * - Do not contain '//' (consecutive slashes)
- * - Do not end with '.lock'
- * - Do not contain '@{'
- * - Do not contain control characters or special git characters (~^:?*[\])
- */
-export function validateBranchName(branchName: string): void {
-  // Check for empty or whitespace-only names
-  if (!branchName || branchName.trim().length === 0) {
-    throw new Error("Branch name cannot be empty");
-  }
-
-  // Check for leading dash (prevents option injection like --help, -x)
-  if (branchName.startsWith("-")) {
-    throw new Error(
-      `Invalid branch name: "${branchName}". Branch names cannot start with a dash.`,
-    );
-  }
-
-  // Check for control characters and special git characters (~^:?*[\])
-  // eslint-disable-next-line no-control-regex
-  if (/[\x00-\x1F\x7F ~^:?*[\]\\]/.test(branchName)) {
-    throw new Error(
-      `Invalid branch name: "${branchName}". Branch names cannot contain control characters, spaces, or special git characters (~^:?*[\\]).`,
-    );
-  }
-
-  // Strict whitelist pattern: alphanumeric start, then alphanumeric/slash/hyphen/underscore/period
-  const validPattern = /^[a-zA-Z0-9][a-zA-Z0-9/_.-]*$/;
-
-  if (!validPattern.test(branchName)) {
-    throw new Error(
-      `Invalid branch name: "${branchName}". Branch names must start with an alphanumeric character and contain only alphanumeric characters, forward slashes, hyphens, underscores, or periods.`,
-    );
-  }
-
-  // Check for leading/trailing periods
-  if (branchName.startsWith(".") || branchName.endsWith(".")) {
-    throw new Error(
-      `Invalid branch name: "${branchName}". Branch names cannot start or end with a period.`,
-    );
-  }
-
-  // Check for trailing slash
-  if (branchName.endsWith("/")) {
-    throw new Error(
-      `Invalid branch name: "${branchName}". Branch names cannot end with a slash.`,
-    );
-  }
-
-  // Check for consecutive slashes
-  if (branchName.includes("//")) {
-    throw new Error(
-      `Invalid branch name: "${branchName}". Branch names cannot contain consecutive slashes.`,
-    );
-  }
-
-  // Additional git-specific validations
-  if (branchName.includes("..")) {
-    throw new Error(
-      `Invalid branch name: "${branchName}". Branch names cannot contain '..'`,
-    );
-  }
-
-  if (branchName.endsWith(".lock")) {
-    throw new Error(
-      `Invalid branch name: "${branchName}". Branch names cannot end with '.lock'`,
-    );
-  }
-
-  if (branchName.includes("@{")) {
-    throw new Error(
-      `Invalid branch name: "${branchName}". Branch names cannot contain '@{'`,
-    );
-  }
-}
-
-/**
- * Executes a git command safely using execFileSync to avoid shell interpolation.
- *
- * Security: execFileSync passes arguments directly to the git binary without
- * invoking a shell, preventing command injection attacks where malicious input
- * could be interpreted as shell commands (e.g., branch names containing `;`, `|`, `&&`).
- *
- * @param args - Git command arguments (e.g., ["checkout", "branch-name"])
- */
-function execGit(args: string[]): void {
-  execFileSync("git", args, { stdio: "inherit" });
-}
-
 export type BranchInfo = {
   baseBranch: string;
   claudeBranch?: string;
@@ -152,19 +53,14 @@ export async function setupBranch(
         `PR #${entityNumber}: ${commitCount} commits, using fetch depth ${fetchDepth}`,
       );
 
-      // Validate branch names before use to prevent command injection
-      validateBranchName(branchName);
-
       // Execute git commands to checkout PR branch (dynamic depth based on PR size)
-      // Using execFileSync instead of shell template literals for security
-      execGit(["fetch", "origin", `--depth=${fetchDepth}`, branchName]);
-      execGit(["checkout", branchName, "--"]);
+      await $`git fetch origin --depth=${fetchDepth} ${branchName}`;
+      await $`git checkout ${branchName} --`;
 
       console.log(`Successfully checked out PR branch for PR #${entityNumber}`);
 
       // For open PRs, we need to get the base branch of the PR
       const baseBranch = prData.baseRefName;
-      validateBranchName(baseBranch);
 
       return {
         baseBranch,
@@ -222,9 +118,8 @@ export async function setupBranch(
 
       // Ensure we're on the source branch
       console.log(`Fetching and checking out source branch: ${sourceBranch}`);
-      validateBranchName(sourceBranch);
-      execGit(["fetch", "origin", sourceBranch, "--depth=1"]);
-      execGit(["checkout", sourceBranch, "--"]);
+      await $`git fetch origin ${sourceBranch} --depth=1`;
+      await $`git checkout ${sourceBranch}`;
 
       // Set outputs for GitHub Actions
       core.setOutput("CLAUDE_BRANCH", newBranch);
@@ -243,13 +138,11 @@ export async function setupBranch(
 
     // Fetch and checkout the source branch first to ensure we branch from the correct base
     console.log(`Fetching and checking out source branch: ${sourceBranch}`);
-    validateBranchName(sourceBranch);
-    validateBranchName(newBranch);
-    execGit(["fetch", "origin", sourceBranch, "--depth=1"]);
-    execGit(["checkout", sourceBranch, "--"]);
+    await $`git fetch origin ${sourceBranch} --depth=1`;
+    await $`git checkout ${sourceBranch}`;
 
     // Create and checkout the new branch from the source branch
-    execGit(["checkout", "-b", newBranch]);
+    await $`git checkout -b ${newBranch}`;
 
     console.log(
       `Successfully created and checked out local branch: ${newBranch}`,

src/mcp/github-file-ops-server.ts

@@ -4,7 +4,7 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { z } from "zod";
 import { readFile, stat } from "fs/promises";
-import { join } from "path";
+import { join, resolve, sep } from "path";
 import { constants } from "fs";
 import fetch from "node-fetch";
 import { GITHUB_API_URL } from "../github/api/config";
@@ -474,20 +474,21 @@ server.tool(
         throw new Error("GITHUB_TOKEN environment variable is required");
       }
 
-      // Convert absolute paths to relative if they match CWD
+      // Normalize all paths and validate they're within the repository root
       const cwd = process.cwd();
       const processedPaths = paths.map((filePath) => {
-        if (filePath.startsWith("/")) {
-          if (filePath.startsWith(cwd)) {
-            // Strip CWD from absolute path
-            return filePath.slice(cwd.length + 1);
-          } else {
-            throw new Error(
-              `Path '${filePath}' must be relative to repository root or within current working directory`,
-            );
-          }
+        // Normalize the path to resolve any .. or . sequences
+        const normalizedPath = resolve(cwd, filePath);
+
+        // Validate the normalized path is within the current working directory
+        if (!normalizedPath.startsWith(cwd + sep)) {
+          throw new Error(
+            `Path '${filePath}' resolves outside the repository root`,
+          );
         }
-        return filePath;
+
+        // Convert to relative path by stripping the cwd prefix
+        return normalizedPath.slice(cwd.length + 1);
       });
 
       // 1. Get the branch reference (create if doesn't exist)

src/modes/agent/parse-tools.ts

@@ -1,55 +1,22 @@
-import { parse as parseShellArgs, type ParseEntry } from "shell-quote";
-
-/**
- * Extract the string value from a shell-quote ParseEntry.
- * Handles both plain strings and glob patterns (which are returned as objects).
- */
-function entryToString(entry: ParseEntry): string | null {
-  if (typeof entry === "string") {
-    return entry;
-  }
-  // Handle glob patterns - shell-quote returns { op: "glob", pattern: "..." }
-  if (typeof entry === "object" && "op" in entry && entry.op === "glob") {
-    return (entry as { op: "glob"; pattern: string }).pattern;
-  }
-  return null;
-}
-
 export function parseAllowedTools(claudeArgs: string): string[] {
-  if (!claudeArgs?.trim()) return [];
+  // Match --allowedTools or --allowed-tools followed by the value
+  // Handle both quoted and unquoted values
+  const patterns = [
+    /--(?:allowedTools|allowed-tools)\s+"([^"]+)"/, // Double quoted
+    /--(?:allowedTools|allowed-tools)\s+'([^']+)'/, // Single quoted
+    /--(?:allowedTools|allowed-tools)\s+([^\s]+)/, // Unquoted
+  ];
 
-  const result: string[] = [];
-
-  // Use shell-quote to properly tokenize the arguments
-  // This handles quoted strings, escaped characters, etc.
-  const rawArgs = parseShellArgs(claudeArgs);
-
-  for (let i = 0; i < rawArgs.length; i++) {
-    const entry = rawArgs[i];
-    if (!entry) continue;
-    const arg = entryToString(entry);
-    if (!arg) continue;
-
-    // Match both --allowedTools and --allowed-tools
-    if (arg === "--allowedTools" || arg === "--allowed-tools") {
-      // Collect all subsequent non-flag values as tools
-      while (i + 1 < rawArgs.length) {
-        const nextEntry = rawArgs[i + 1];
-        if (!nextEntry) break;
-        const toolArg = entryToString(nextEntry);
-
-        // Stop if we hit another flag or a non-parseable entry
-        if (!toolArg || toolArg.startsWith("--")) {
-          break;
-        }
-
-        // Split by comma in case tools are comma-separated within a single value
-        const tools = toolArg.split(",").map((t) => t.trim());
-        result.push(...tools.filter((t) => t.length > 0));
-        i++;
+  for (const pattern of patterns) {
+    const match = claudeArgs.match(pattern);
+    if (match && match[1]) {
+      // Don't return if the value starts with -- (another flag)
+      if (match[1].startsWith("--")) {
+        return [];
       }
+      return match[1].split(",").map((t) => t.trim());
     }
   }
 
-  return result;
+  return [];
 }

test/modes/parse-tools.test.ts

@@ -37,9 +37,8 @@ describe("parseAllowedTools", () => {
 
   test("handles duplicate --allowedTools flags", () => {
     const args = "--allowedTools --allowedTools mcp__github__*";
-    // Should skip the first one since the value is another flag
-    // and parse the second one correctly
-    expect(parseAllowedTools(args)).toEqual(["mcp__github__*"]);
+    // Should not match the first one since the value is another flag
+    expect(parseAllowedTools(args)).toEqual([]);
   });
 
   test("handles typo --alloedTools", () => {
@@ -85,50 +84,4 @@ describe("parseAllowedTools", () => {
       "mcp__github_comment__*",
     ]);
   });
-
-  test("parses multiple space-separated quoted tools (issue #746)", () => {
-    // This is the exact format from the bug report
-    const args =
-      '--allowed-tools "Bash(git log:*)" "Bash(git diff:*)" "Bash(git fetch:*)" "Bash(gh pr:*)"';
-    expect(parseAllowedTools(args)).toEqual([
-      "Bash(git log:*)",
-      "Bash(git diff:*)",
-      "Bash(git fetch:*)",
-      "Bash(gh pr:*)",
-    ]);
-  });
-
-  test("parses multiple --allowedTools flags with different tools", () => {
-    const args =
-      '--allowedTools "Edit,Read" --model "claude-3" --allowedTools "Bash(npm install)"';
-    expect(parseAllowedTools(args)).toEqual([
-      "Edit",
-      "Read",
-      "Bash(npm install)",
-    ]);
-  });
-
-  test("parses mix of comma-separated and space-separated tools", () => {
-    const args =
-      '--allowed-tools "Bash(git log:*),Bash(git diff:*)" "Bash(git fetch:*)"';
-    expect(parseAllowedTools(args)).toEqual([
-      "Bash(git log:*)",
-      "Bash(git diff:*)",
-      "Bash(git fetch:*)",
-    ]);
-  });
-
-  test("handles complex workflow example from issue #746", () => {
-    const args =
-      '--allowed-tools "Bash(git log:*)" "Bash(git diff:*)" "Bash(git fetch:*)" "Bash(git reflog:*)" "Bash(git merge-tree:*)" "Bash(gh pr:*)" "Bash(gh api:*)"';
-    expect(parseAllowedTools(args)).toEqual([
-      "Bash(git log:*)",
-      "Bash(git diff:*)",
-      "Bash(git fetch:*)",
-      "Bash(git reflog:*)",
-      "Bash(git merge-tree:*)",
-      "Bash(gh pr:*)",
-      "Bash(gh api:*)",
-    ]);
-  });
 });

test/validate-branch-name.test.ts

@@ -1,201 +0,0 @@
-import { describe, expect, it } from "bun:test";
-import { validateBranchName } from "../src/github/operations/branch";
-
-describe("validateBranchName", () => {
-  describe("valid branch names", () => {
-    it("should accept simple alphanumeric names", () => {
-      expect(() => validateBranchName("main")).not.toThrow();
-      expect(() => validateBranchName("feature123")).not.toThrow();
-      expect(() => validateBranchName("Branch1")).not.toThrow();
-    });
-
-    it("should accept names with hyphens", () => {
-      expect(() => validateBranchName("feature-branch")).not.toThrow();
-      expect(() => validateBranchName("fix-bug-123")).not.toThrow();
-    });
-
-    it("should accept names with underscores", () => {
-      expect(() => validateBranchName("feature_branch")).not.toThrow();
-      expect(() => validateBranchName("fix_bug_123")).not.toThrow();
-    });
-
-    it("should accept names with forward slashes", () => {
-      expect(() => validateBranchName("feature/new-thing")).not.toThrow();
-      expect(() => validateBranchName("user/feature/branch")).not.toThrow();
-    });
-
-    it("should accept names with periods", () => {
-      expect(() => validateBranchName("v1.0.0")).not.toThrow();
-      expect(() => validateBranchName("release.1.2.3")).not.toThrow();
-    });
-
-    it("should accept typical branch name formats", () => {
-      expect(() =>
-        validateBranchName("claude/issue-123-20250101-1234"),
-      ).not.toThrow();
-      expect(() => validateBranchName("refs/heads/main")).not.toThrow();
-      expect(() => validateBranchName("bugfix/JIRA-1234")).not.toThrow();
-    });
-  });
-
-  describe("command injection attempts", () => {
-    it("should reject shell command substitution with $()", () => {
-      expect(() => validateBranchName("$(whoami)")).toThrow();
-      expect(() => validateBranchName("branch-$(rm -rf /)")).toThrow();
-      expect(() => validateBranchName("test$(cat /etc/passwd)")).toThrow();
-    });
-
-    it("should reject shell command substitution with backticks", () => {
-      expect(() => validateBranchName("`whoami`")).toThrow();
-      expect(() => validateBranchName("branch-`rm -rf /`")).toThrow();
-    });
-
-    it("should reject command chaining with semicolons", () => {
-      expect(() => validateBranchName("branch; rm -rf /")).toThrow();
-      expect(() => validateBranchName("test;whoami")).toThrow();
-    });
-
-    it("should reject command chaining with &&", () => {
-      expect(() => validateBranchName("branch && rm -rf /")).toThrow();
-      expect(() => validateBranchName("test&&whoami")).toThrow();
-    });
-
-    it("should reject command chaining with ||", () => {
-      expect(() => validateBranchName("branch || rm -rf /")).toThrow();
-      expect(() => validateBranchName("test||whoami")).toThrow();
-    });
-
-    it("should reject pipe characters", () => {
-      expect(() => validateBranchName("branch | cat")).toThrow();
-      expect(() => validateBranchName("test|grep password")).toThrow();
-    });
-
-    it("should reject redirection operators", () => {
-      expect(() => validateBranchName("branch > /etc/passwd")).toThrow();
-      expect(() => validateBranchName("branch < input")).toThrow();
-      expect(() => validateBranchName("branch >> file")).toThrow();
-    });
-  });
-
-  describe("option injection attempts", () => {
-    it("should reject branch names starting with dash", () => {
-      expect(() => validateBranchName("-x")).toThrow(
-        /cannot start with a dash/,
-      );
-      expect(() => validateBranchName("--help")).toThrow(
-        /cannot start with a dash/,
-      );
-      expect(() => validateBranchName("-")).toThrow(/cannot start with a dash/);
-      expect(() => validateBranchName("--version")).toThrow(
-        /cannot start with a dash/,
-      );
-      expect(() => validateBranchName("-rf")).toThrow(
-        /cannot start with a dash/,
-      );
-    });
-  });
-
-  describe("path traversal attempts", () => {
-    it("should reject double dot sequences", () => {
-      expect(() => validateBranchName("../../../etc")).toThrow();
-      expect(() => validateBranchName("branch/../secret")).toThrow(/'\.\.'$/);
-      expect(() => validateBranchName("a..b")).toThrow(/'\.\.'$/);
-    });
-  });
-
-  describe("git-specific invalid patterns", () => {
-    it("should reject @{ sequence", () => {
-      expect(() => validateBranchName("branch@{1}")).toThrow(/@{/);
-      expect(() => validateBranchName("HEAD@{yesterday}")).toThrow(/@{/);
-    });
-
-    it("should reject .lock suffix", () => {
-      expect(() => validateBranchName("branch.lock")).toThrow(/\.lock/);
-      expect(() => validateBranchName("feature.lock")).toThrow(/\.lock/);
-    });
-
-    it("should reject consecutive slashes", () => {
-      expect(() => validateBranchName("feature//branch")).toThrow(
-        /consecutive slashes/,
-      );
-      expect(() => validateBranchName("a//b//c")).toThrow(
-        /consecutive slashes/,
-      );
-    });
-
-    it("should reject trailing slashes", () => {
-      expect(() => validateBranchName("feature/")).toThrow(
-        /cannot end with a slash/,
-      );
-      expect(() => validateBranchName("branch/")).toThrow(
-        /cannot end with a slash/,
-      );
-    });
-
-    it("should reject leading periods", () => {
-      expect(() => validateBranchName(".hidden")).toThrow();
-    });
-
-    it("should reject trailing periods", () => {
-      expect(() => validateBranchName("branch.")).toThrow(
-        /cannot start or end with a period/,
-      );
-    });
-
-    it("should reject special git refspec characters", () => {
-      expect(() => validateBranchName("branch~1")).toThrow();
-      expect(() => validateBranchName("branch^2")).toThrow();
-      expect(() => validateBranchName("branch:ref")).toThrow();
-      expect(() => validateBranchName("branch?")).toThrow();
-      expect(() => validateBranchName("branch*")).toThrow();
-      expect(() => validateBranchName("branch[0]")).toThrow();
-      expect(() => validateBranchName("branch\\path")).toThrow();
-    });
-  });
-
-  describe("control characters and special characters", () => {
-    it("should reject null bytes", () => {
-      expect(() => validateBranchName("branch\x00name")).toThrow();
-    });
-
-    it("should reject other control characters", () => {
-      expect(() => validateBranchName("branch\x01name")).toThrow();
-      expect(() => validateBranchName("branch\x1Fname")).toThrow();
-      expect(() => validateBranchName("branch\x7Fname")).toThrow();
-    });
-
-    it("should reject spaces", () => {
-      expect(() => validateBranchName("branch name")).toThrow();
-      expect(() => validateBranchName("feature branch")).toThrow();
-    });
-
-    it("should reject newlines and tabs", () => {
-      expect(() => validateBranchName("branch\nname")).toThrow();
-      expect(() => validateBranchName("branch\tname")).toThrow();
-    });
-  });
-
-  describe("empty and whitespace", () => {
-    it("should reject empty strings", () => {
-      expect(() => validateBranchName("")).toThrow(/cannot be empty/);
-    });
-
-    it("should reject whitespace-only strings", () => {
-      expect(() => validateBranchName("   ")).toThrow();
-      expect(() => validateBranchName("\t\n")).toThrow();
-    });
-  });
-
-  describe("edge cases", () => {
-    it("should accept single alphanumeric character", () => {
-      expect(() => validateBranchName("a")).not.toThrow();
-      expect(() => validateBranchName("1")).not.toThrow();
-    });
-
-    it("should reject single special characters", () => {
-      expect(() => validateBranchName(".")).toThrow();
-      expect(() => validateBranchName("/")).toThrow();
-      expect(() => validateBranchName("-")).toThrow();
-    });
-  });
-});