Default systemPrompt to claude_code preset

Without an explicit systemPrompt, the SDK would use no system prompt.
Now it defaults to the claude_code preset to match CLI behavior.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

.github/workflows/sync-base-action.yml

@@ -94,5 +94,5 @@ jobs:
           echo "✅ Successfully synced \`base-action\` directory to [anthropics/claude-code-base-action](https://github.com/anthropics/claude-code-base-action)" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "- **Source commit**: [\`${GITHUB_SHA:0:7}\`](https://github.com/anthropics/claude-code-action/commit/${GITHUB_SHA})" >> $GITHUB_STEP_SUMMARY
-          echo "- **Triggered by**: $GITHUB_EVENT_NAME" >> $GITHUB_STEP_SUMMARY
+          echo "- **Triggered by**: ${{ github.event_name }}" >> $GITHUB_STEP_SUMMARY
-          echo "- **Actor**: @$GITHUB_ACTOR" >> $GITHUB_STEP_SUMMARY
+          echo "- **Actor**: @${{ github.actor }}" >> $GITHUB_STEP_SUMMARY

action.yml

@@ -127,9 +127,6 @@ outputs:
   structured_output:
     description: "JSON string containing all structured output fields when --json-schema is provided in claude_args. Use fromJSON() to parse: fromJSON(steps.id.outputs.structured_output).field_name"
     value: ${{ steps.claude-code.outputs.structured_output }}
-  session_id:
-    description: "The Claude Code session ID that can be used with --resume to continue this conversation"
-    value: ${{ steps.claude-code.outputs.session_id }}
 
 runs:
   using: "composite"
@@ -143,12 +140,10 @@ runs:
     - name: Setup Custom Bun Path
       if: inputs.path_to_bun_executable != ''
       shell: bash
-      env:
-        PATH_TO_BUN_EXECUTABLE: ${{ inputs.path_to_bun_executable }}
       run: |
-        echo "Using custom Bun executable: $PATH_TO_BUN_EXECUTABLE"
+        echo "Using custom Bun executable: ${{ inputs.path_to_bun_executable }}"
         # Add the directory containing the custom executable to PATH
-        BUN_DIR=$(dirname "$PATH_TO_BUN_EXECUTABLE")
+        BUN_DIR=$(dirname "${{ inputs.path_to_bun_executable }}")
         echo "$BUN_DIR" >> "$GITHUB_PATH"
 
     - name: Install Dependencies
@@ -187,8 +182,6 @@ runs:
     - name: Install Base Action Dependencies
       if: steps.prepare.outputs.contains_trigger == 'true'
       shell: bash
-      env:
-        PATH_TO_CLAUDE_CODE_EXECUTABLE: ${{ inputs.path_to_claude_code_executable }}
       run: |
         echo "Installing base-action dependencies..."
         cd ${GITHUB_ACTION_PATH}/base-action
@@ -197,8 +190,8 @@ runs:
         cd -
 
         # Install Claude Code if no custom executable is provided
-        if [ -z "$PATH_TO_CLAUDE_CODE_EXECUTABLE" ]; then
+        if [ -z "${{ inputs.path_to_claude_code_executable }}" ]; then
-          CLAUDE_CODE_VERSION="2.0.69"
+          CLAUDE_CODE_VERSION="2.0.60"
           echo "Installing Claude Code v${CLAUDE_CODE_VERSION}..."
           for attempt in 1 2 3; do
             echo "Installation attempt $attempt..."
@@ -217,9 +210,9 @@ runs:
           echo "Claude Code installed successfully"
           echo "$HOME/.local/bin" >> "$GITHUB_PATH"
         else
-          echo "Using custom Claude Code executable: $PATH_TO_CLAUDE_CODE_EXECUTABLE"
+          echo "Using custom Claude Code executable: ${{ inputs.path_to_claude_code_executable }}"
           # Add the directory containing the custom executable to PATH
-          CLAUDE_DIR=$(dirname "$PATH_TO_CLAUDE_CODE_EXECUTABLE")
+          CLAUDE_DIR=$(dirname "${{ inputs.path_to_claude_code_executable }}")
           echo "$CLAUDE_DIR" >> "$GITHUB_PATH"
         fi
 

base-action/action.yml

@@ -82,9 +82,6 @@ outputs:
   structured_output:
     description: "JSON string containing all structured output fields when --json-schema is provided in claude_args (use fromJSON() or jq to parse)"
     value: ${{ steps.run_claude.outputs.structured_output }}
-  session_id:
-    description: "The Claude Code session ID that can be used with --resume to continue this conversation"
-    value: ${{ steps.run_claude.outputs.session_id }}
 
 runs:
   using: "composite"
@@ -104,12 +101,10 @@ runs:
     - name: Setup Custom Bun Path
       if: inputs.path_to_bun_executable != ''
       shell: bash
-      env:
-        PATH_TO_BUN_EXECUTABLE: ${{ inputs.path_to_bun_executable }}
       run: |
-        echo "Using custom Bun executable: $PATH_TO_BUN_EXECUTABLE"
+        echo "Using custom Bun executable: ${{ inputs.path_to_bun_executable }}"
         # Add the directory containing the custom executable to PATH
-        BUN_DIR=$(dirname "$PATH_TO_BUN_EXECUTABLE")
+        BUN_DIR=$(dirname "${{ inputs.path_to_bun_executable }}")
         echo "$BUN_DIR" >> "$GITHUB_PATH"
 
     - name: Install Dependencies
@@ -120,11 +115,9 @@ runs:
 
     - name: Install Claude Code
       shell: bash
-      env:
-        PATH_TO_CLAUDE_CODE_EXECUTABLE: ${{ inputs.path_to_claude_code_executable }}
       run: |
-        if [ -z "$PATH_TO_CLAUDE_CODE_EXECUTABLE" ]; then
+        if [ -z "${{ inputs.path_to_claude_code_executable }}" ]; then
-          CLAUDE_CODE_VERSION="2.0.69"
+          CLAUDE_CODE_VERSION="2.0.60"
           echo "Installing Claude Code v${CLAUDE_CODE_VERSION}..."
           for attempt in 1 2 3; do
             echo "Installation attempt $attempt..."
@@ -142,9 +135,9 @@ runs:
           done
           echo "Claude Code installed successfully"
         else
-          echo "Using custom Claude Code executable: $PATH_TO_CLAUDE_CODE_EXECUTABLE"
+          echo "Using custom Claude Code executable: ${{ inputs.path_to_claude_code_executable }}"
           # Add the directory containing the custom executable to PATH
-          CLAUDE_DIR=$(dirname "$PATH_TO_CLAUDE_CODE_EXECUTABLE")
+          CLAUDE_DIR=$(dirname "${{ inputs.path_to_claude_code_executable }}")
           echo "$CLAUDE_DIR" >> "$GITHUB_PATH"
         fi
 

base-action/src/run-claude-sdk.ts

@@ -75,15 +75,28 @@ export async function runClaudeWithSdk(
   }
 
   console.log(`Running Claude with prompt from file: ${promptPath}`);
-  // Log SDK options without env (which could contain sensitive data)
+  console.log(
-  const { env, ...optionsToLog } = sdkOptions;
+    "[DEBUG] Prompt content (first 2000 chars):",
-  console.log("SDK options:", JSON.stringify(optionsToLog, null, 2));
+    prompt.substring(0, 2000),
+  );
+  console.log("[DEBUG] Prompt length:", prompt.length);
+  console.log(
+    "[DEBUG] sdkOptions passed to query():",
+    JSON.stringify(sdkOptions, null, 2),
+  );
 
   const messages: SDKMessage[] = [];
   let resultMessage: SDKResultMessage | undefined;
 
   try {
+    console.log("[DEBUG] About to call query()...");
     for await (const message of query({ prompt, options: sdkOptions })) {
+      console.log(
+        "[DEBUG] Received message type:",
+        message.type,
+        "subtype:",
+        (message as any).subtype,
+      );
       messages.push(message);
 
       const sanitized = sanitizeSdkOutput(message, showFullOutput);
@@ -93,8 +106,16 @@ export async function runClaudeWithSdk(
 
       if (message.type === "result") {
         resultMessage = message as SDKResultMessage;
+        console.log(
+          "[DEBUG] Got result message:",
+          JSON.stringify(resultMessage, null, 2),
+        );
       }
     }
+    console.log(
+      "[DEBUG] Finished iterating query(), total messages:",
+      messages.length,
+    );
   } catch (error) {
     console.error("SDK execution error:", error);
     core.setOutput("conclusion", "failure");

base-action/src/run-claude.ts

@@ -124,36 +124,6 @@ export function prepareRunConfig(
   };
 }
 
-/**
- * Parses session_id from execution file and sets GitHub Action output
- * Exported for testing
- */
-export async function parseAndSetSessionId(
-  executionFile: string,
-): Promise<void> {
-  try {
-    const content = await readFile(executionFile, "utf-8");
-    const messages = JSON.parse(content) as {
-      type: string;
-      subtype?: string;
-      session_id?: string;
-    }[];
-
-    // Find the system.init message which contains session_id
-    const initMessage = messages.find(
-      (m) => m.type === "system" && m.subtype === "init",
-    );
-
-    if (initMessage?.session_id) {
-      core.setOutput("session_id", initMessage.session_id);
-      core.info(`Set session_id: ${initMessage.session_id}`);
-    }
-  } catch (error) {
-    // Don't fail the action if session_id extraction fails
-    core.warning(`Failed to extract session_id: ${error}`);
-  }
-}
-
 /**
  * Parses structured_output from execution file and sets GitHub Action outputs
  * Only runs if --json-schema was explicitly provided in claude_args
@@ -197,14 +167,22 @@ export async function parseAndSetStructuredOutputs(
 }
 
 export async function runClaude(promptPath: string, options: ClaudeOptions) {
-  // Feature flag: use SDK path by default, set USE_AGENT_SDK=false to use CLI
+  // Feature flag: use SDK path when USE_AGENT_SDK=true
-  const useAgentSdk = process.env.USE_AGENT_SDK !== "false";
+  const useAgentSdk = process.env.USE_AGENT_SDK === "true";
   console.log(
     `Using ${useAgentSdk ? "Agent SDK" : "CLI"} path (USE_AGENT_SDK=${process.env.USE_AGENT_SDK ?? "unset"})`,
   );
 
   if (useAgentSdk) {
+    console.log(
+      "[DEBUG] Raw options passed to SDK path:",
+      JSON.stringify(options, null, 2),
+    );
     const parsedOptions = parseSdkOptions(options);
+    console.log(
+      "[DEBUG] Parsed SDK options:",
+      JSON.stringify(parsedOptions, null, 2),
+    );
     return runClaudeWithSdk(promptPath, parsedOptions);
   }
 
@@ -398,9 +376,6 @@ export async function runClaude(promptPath: string, options: ClaudeOptions) {
 
     core.setOutput("execution_file", EXECUTION_FILE);
 
-    // Extract and set session_id
-    await parseAndSetSessionId(EXECUTION_FILE);
-
     // Parse and set structured outputs only if user provided --json-schema in claude_args
     if (hasJsonSchema) {
       try {

base-action/test/structured-output.test.ts

@@ -4,10 +4,7 @@ import { describe, test, expect, afterEach, beforeEach, spyOn } from "bun:test";
 import { writeFile, unlink } from "fs/promises";
 import { tmpdir } from "os";
 import { join } from "path";
-import {
+import { parseAndSetStructuredOutputs } from "../src/run-claude";
-  parseAndSetStructuredOutputs,
-  parseAndSetSessionId,
-} from "../src/run-claude";
 import * as core from "@actions/core";
 
 // Mock execution file path
@@ -38,19 +35,16 @@ async function createMockExecutionFile(
 // Spy on core functions
 let setOutputSpy: any;
 let infoSpy: any;
-let warningSpy: any;
 
 beforeEach(() => {
   setOutputSpy = spyOn(core, "setOutput").mockImplementation(() => {});
   infoSpy = spyOn(core, "info").mockImplementation(() => {});
-  warningSpy = spyOn(core, "warning").mockImplementation(() => {});
 });
 
 describe("parseAndSetStructuredOutputs", () => {
   afterEach(async () => {
     setOutputSpy?.mockRestore();
     infoSpy?.mockRestore();
-    warningSpy?.mockRestore();
     try {
       await unlink(TEST_EXECUTION_FILE);
     } catch {
@@ -162,66 +156,3 @@ describe("parseAndSetStructuredOutputs", () => {
     );
   });
 });
-
-describe("parseAndSetSessionId", () => {
-  afterEach(async () => {
-    setOutputSpy?.mockRestore();
-    infoSpy?.mockRestore();
-    warningSpy?.mockRestore();
-    try {
-      await unlink(TEST_EXECUTION_FILE);
-    } catch {
-      // Ignore if file doesn't exist
-    }
-  });
-
-  test("should extract session_id from system.init message", async () => {
-    const messages = [
-      { type: "system", subtype: "init", session_id: "test-session-123" },
-      { type: "result", cost_usd: 0.01 },
-    ];
-    await writeFile(TEST_EXECUTION_FILE, JSON.stringify(messages));
-
-    await parseAndSetSessionId(TEST_EXECUTION_FILE);
-
-    expect(setOutputSpy).toHaveBeenCalledWith("session_id", "test-session-123");
-    expect(infoSpy).toHaveBeenCalledWith("Set session_id: test-session-123");
-  });
-
-  test("should handle missing session_id gracefully", async () => {
-    const messages = [
-      { type: "system", subtype: "init" },
-      { type: "result", cost_usd: 0.01 },
-    ];
-    await writeFile(TEST_EXECUTION_FILE, JSON.stringify(messages));
-
-    await parseAndSetSessionId(TEST_EXECUTION_FILE);
-
-    expect(setOutputSpy).not.toHaveBeenCalled();
-  });
-
-  test("should handle missing system.init message gracefully", async () => {
-    const messages = [{ type: "result", cost_usd: 0.01 }];
-    await writeFile(TEST_EXECUTION_FILE, JSON.stringify(messages));
-
-    await parseAndSetSessionId(TEST_EXECUTION_FILE);
-
-    expect(setOutputSpy).not.toHaveBeenCalled();
-  });
-
-  test("should handle malformed JSON gracefully with warning", async () => {
-    await writeFile(TEST_EXECUTION_FILE, "{ invalid json");
-
-    await parseAndSetSessionId(TEST_EXECUTION_FILE);
-
-    expect(setOutputSpy).not.toHaveBeenCalled();
-    expect(warningSpy).toHaveBeenCalled();
-  });
-
-  test("should handle non-existent file gracefully with warning", async () => {
-    await parseAndSetSessionId("/nonexistent/file.json");
-
-    expect(setOutputSpy).not.toHaveBeenCalled();
-    expect(warningSpy).toHaveBeenCalled();
-  });
-});

src/create-prompt/index.ts

@@ -563,22 +563,9 @@ ${getCommitInstructions(eventData, githubData, context, useCommitSigning)}
 ${
   eventData.claudeBranch
     ? `
-When done with changes:
+When done with changes, provide a PR link:
-1. Run git log origin/${eventData.baseBranch}..HEAD and git diff origin/${eventData.baseBranch}...HEAD to understand ALL commits
-2. Draft a PR summary analyzing ALL changes (not just the latest commit)
-3. Provide a PR link:
 [Create a PR](${GITHUB_SERVER_URL}/${context.repository}/compare/${eventData.baseBranch}...${eventData.claudeBranch}?quick_pull=1&title=<url-encoded-title>&body=<url-encoded-body>)
-Use THREE dots (...) between branches. URL-encode all parameters.
+Use THREE dots (...) between branches. URL-encode all parameters.`
-PR body format:
-## Summary
-<1-3 bullet points>
-
-## Test plan
-<Checklist of testing TODOs>
-
-Fixes #<issue-number>
-
-Generated with [Claude Code](https://claude.ai/code)`
     : ""
 }
 
@@ -756,13 +743,8 @@ ${eventData.eventName === "issue_comment" || eventData.eventName === "pull_reque
       - Mark each subtask as completed as you progress.${getCommitInstructions(eventData, githubData, context, useCommitSigning)}
       ${
         eventData.claudeBranch
-          ? `- When creating a pull request, follow these steps:
+          ? `- Provide a URL to create a PR manually in this format:
-        1. Use git log and git diff to understand the full commit history for the current branch (from the time it diverged from the base branch):
+        [Create a PR](${GITHUB_SERVER_URL}/${context.repository}/compare/${eventData.baseBranch}...<branch-name>?quick_pull=1&title=<url-encoded-title>&body=<url-encoded-body>)
-           - Run: git log origin/${eventData.baseBranch}..HEAD
-           - Run: git diff origin/${eventData.baseBranch}...HEAD
-        2. Analyze ALL changes that will be included in the pull request, making sure to look at all relevant commits (NOT just the latest commit, but ALL commits that will be included in the pull request), and draft a pull request summary
-        3. Provide a URL to create a PR manually in this format:
-           [Create a PR](${GITHUB_SERVER_URL}/${context.repository}/compare/${eventData.baseBranch}...<branch-name>?quick_pull=1&title=<url-encoded-title>&body=<url-encoded-body>)
         - IMPORTANT: Use THREE dots (...) between branch names, not two (..)
           Example: ${GITHUB_SERVER_URL}/${context.repository}/compare/main...feature-branch (correct)
           NOT: ${GITHUB_SERVER_URL}/${context.repository}/compare/main..feature-branch (incorrect)
@@ -770,16 +752,10 @@ ${eventData.eventName === "issue_comment" || eventData.eventName === "pull_reque
           Example: Instead of "fix: update welcome message", use "fix%3A%20update%20welcome%20message"
         - The target-branch should be '${eventData.baseBranch}'.
         - The branch-name is the current branch: ${eventData.claudeBranch}
-        - The PR body MUST follow this format:
+        - The body should include:
-          ## Summary
+          - A clear description of the changes
-          <1-3 bullet points summarizing the changes>
+          - Reference to the original ${eventData.isPR ? "PR" : "issue"}
-
+          - The signature: "Generated with [Claude Code](https://claude.ai/code)"
-          ## Test plan
-          <Bulleted markdown checklist of TODOs for testing the pull request>
-
-          Fixes #<issue-number>
-
-          Generated with [Claude Code](https://claude.ai/code)
         - Just include the markdown link with text "Create a PR" - do not add explanatory text before it like "You can create a PR using this link"`
           : ""
       }

src/github/operations/branch.ts

@@ -6,112 +6,13 @@
  * - For Issues: Create a new branch
  */
 
-import { execFileSync } from "child_process";
+import { $ } from "bun";
 import * as core from "@actions/core";
 import type { ParsedGitHubContext } from "../context";
 import type { GitHubPullRequest } from "../types";
 import type { Octokits } from "../api/client";
 import type { FetchDataResult } from "../data/fetcher";
 
-/**
- * Validates a git branch name against a strict whitelist pattern.
- * This prevents command injection by ensuring only safe characters are used.
- *
- * Valid branch names:
- * - Start with alphanumeric character (not dash, to prevent option injection)
- * - Contain only alphanumeric, forward slash, hyphen, underscore, or period
- * - Do not start or end with a period
- * - Do not end with a slash
- * - Do not contain '..' (path traversal)
- * - Do not contain '//' (consecutive slashes)
- * - Do not end with '.lock'
- * - Do not contain '@{'
- * - Do not contain control characters or special git characters (~^:?*[\])
- */
-export function validateBranchName(branchName: string): void {
-  // Check for empty or whitespace-only names
-  if (!branchName || branchName.trim().length === 0) {
-    throw new Error("Branch name cannot be empty");
-  }
-
-  // Check for leading dash (prevents option injection like --help, -x)
-  if (branchName.startsWith("-")) {
-    throw new Error(
-      `Invalid branch name: "${branchName}". Branch names cannot start with a dash.`,
-    );
-  }
-
-  // Check for control characters and special git characters (~^:?*[\])
-  // eslint-disable-next-line no-control-regex
-  if (/[\x00-\x1F\x7F ~^:?*[\]\\]/.test(branchName)) {
-    throw new Error(
-      `Invalid branch name: "${branchName}". Branch names cannot contain control characters, spaces, or special git characters (~^:?*[\\]).`,
-    );
-  }
-
-  // Strict whitelist pattern: alphanumeric start, then alphanumeric/slash/hyphen/underscore/period
-  const validPattern = /^[a-zA-Z0-9][a-zA-Z0-9/_.-]*$/;
-
-  if (!validPattern.test(branchName)) {
-    throw new Error(
-      `Invalid branch name: "${branchName}". Branch names must start with an alphanumeric character and contain only alphanumeric characters, forward slashes, hyphens, underscores, or periods.`,
-    );
-  }
-
-  // Check for leading/trailing periods
-  if (branchName.startsWith(".") || branchName.endsWith(".")) {
-    throw new Error(
-      `Invalid branch name: "${branchName}". Branch names cannot start or end with a period.`,
-    );
-  }
-
-  // Check for trailing slash
-  if (branchName.endsWith("/")) {
-    throw new Error(
-      `Invalid branch name: "${branchName}". Branch names cannot end with a slash.`,
-    );
-  }
-
-  // Check for consecutive slashes
-  if (branchName.includes("//")) {
-    throw new Error(
-      `Invalid branch name: "${branchName}". Branch names cannot contain consecutive slashes.`,
-    );
-  }
-
-  // Additional git-specific validations
-  if (branchName.includes("..")) {
-    throw new Error(
-      `Invalid branch name: "${branchName}". Branch names cannot contain '..'`,
-    );
-  }
-
-  if (branchName.endsWith(".lock")) {
-    throw new Error(
-      `Invalid branch name: "${branchName}". Branch names cannot end with '.lock'`,
-    );
-  }
-
-  if (branchName.includes("@{")) {
-    throw new Error(
-      `Invalid branch name: "${branchName}". Branch names cannot contain '@{'`,
-    );
-  }
-}
-
-/**
- * Executes a git command safely using execFileSync to avoid shell interpolation.
- *
- * Security: execFileSync passes arguments directly to the git binary without
- * invoking a shell, preventing command injection attacks where malicious input
- * could be interpreted as shell commands (e.g., branch names containing `;`, `|`, `&&`).
- *
- * @param args - Git command arguments (e.g., ["checkout", "branch-name"])
- */
-function execGit(args: string[]): void {
-  execFileSync("git", args, { stdio: "inherit" });
-}
-
 export type BranchInfo = {
   baseBranch: string;
   claudeBranch?: string;
@@ -152,19 +53,14 @@ export async function setupBranch(
         `PR #${entityNumber}: ${commitCount} commits, using fetch depth ${fetchDepth}`,
       );
 
-      // Validate branch names before use to prevent command injection
-      validateBranchName(branchName);
-
       // Execute git commands to checkout PR branch (dynamic depth based on PR size)
-      // Using execFileSync instead of shell template literals for security
+      await $`git fetch origin --depth=${fetchDepth} ${branchName}`;
-      execGit(["fetch", "origin", `--depth=${fetchDepth}`, branchName]);
+      await $`git checkout ${branchName} --`;
-      execGit(["checkout", branchName, "--"]);
 
       console.log(`Successfully checked out PR branch for PR #${entityNumber}`);
 
       // For open PRs, we need to get the base branch of the PR
       const baseBranch = prData.baseRefName;
-      validateBranchName(baseBranch);
 
       return {
         baseBranch,
@@ -222,9 +118,8 @@ export async function setupBranch(
 
       // Ensure we're on the source branch
       console.log(`Fetching and checking out source branch: ${sourceBranch}`);
-      validateBranchName(sourceBranch);
+      await $`git fetch origin ${sourceBranch} --depth=1`;
-      execGit(["fetch", "origin", sourceBranch, "--depth=1"]);
+      await $`git checkout ${sourceBranch}`;
-      execGit(["checkout", sourceBranch, "--"]);
 
       // Set outputs for GitHub Actions
       core.setOutput("CLAUDE_BRANCH", newBranch);
@@ -243,13 +138,11 @@ export async function setupBranch(
 
     // Fetch and checkout the source branch first to ensure we branch from the correct base
     console.log(`Fetching and checking out source branch: ${sourceBranch}`);
-    validateBranchName(sourceBranch);
+    await $`git fetch origin ${sourceBranch} --depth=1`;
-    validateBranchName(newBranch);
+    await $`git checkout ${sourceBranch}`;
-    execGit(["fetch", "origin", sourceBranch, "--depth=1"]);
-    execGit(["checkout", sourceBranch, "--"]);
 
     // Create and checkout the new branch from the source branch
-    execGit(["checkout", "-b", newBranch]);
+    await $`git checkout -b ${newBranch}`;
 
     console.log(
       `Successfully created and checked out local branch: ${newBranch}`,

test/validate-branch-name.test.ts

@@ -1,201 +0,0 @@
-import { describe, expect, it } from "bun:test";
-import { validateBranchName } from "../src/github/operations/branch";
-
-describe("validateBranchName", () => {
-  describe("valid branch names", () => {
-    it("should accept simple alphanumeric names", () => {
-      expect(() => validateBranchName("main")).not.toThrow();
-      expect(() => validateBranchName("feature123")).not.toThrow();
-      expect(() => validateBranchName("Branch1")).not.toThrow();
-    });
-
-    it("should accept names with hyphens", () => {
-      expect(() => validateBranchName("feature-branch")).not.toThrow();
-      expect(() => validateBranchName("fix-bug-123")).not.toThrow();
-    });
-
-    it("should accept names with underscores", () => {
-      expect(() => validateBranchName("feature_branch")).not.toThrow();
-      expect(() => validateBranchName("fix_bug_123")).not.toThrow();
-    });
-
-    it("should accept names with forward slashes", () => {
-      expect(() => validateBranchName("feature/new-thing")).not.toThrow();
-      expect(() => validateBranchName("user/feature/branch")).not.toThrow();
-    });
-
-    it("should accept names with periods", () => {
-      expect(() => validateBranchName("v1.0.0")).not.toThrow();
-      expect(() => validateBranchName("release.1.2.3")).not.toThrow();
-    });
-
-    it("should accept typical branch name formats", () => {
-      expect(() =>
-        validateBranchName("claude/issue-123-20250101-1234"),
-      ).not.toThrow();
-      expect(() => validateBranchName("refs/heads/main")).not.toThrow();
-      expect(() => validateBranchName("bugfix/JIRA-1234")).not.toThrow();
-    });
-  });
-
-  describe("command injection attempts", () => {
-    it("should reject shell command substitution with $()", () => {
-      expect(() => validateBranchName("$(whoami)")).toThrow();
-      expect(() => validateBranchName("branch-$(rm -rf /)")).toThrow();
-      expect(() => validateBranchName("test$(cat /etc/passwd)")).toThrow();
-    });
-
-    it("should reject shell command substitution with backticks", () => {
-      expect(() => validateBranchName("`whoami`")).toThrow();
-      expect(() => validateBranchName("branch-`rm -rf /`")).toThrow();
-    });
-
-    it("should reject command chaining with semicolons", () => {
-      expect(() => validateBranchName("branch; rm -rf /")).toThrow();
-      expect(() => validateBranchName("test;whoami")).toThrow();
-    });
-
-    it("should reject command chaining with &&", () => {
-      expect(() => validateBranchName("branch && rm -rf /")).toThrow();
-      expect(() => validateBranchName("test&&whoami")).toThrow();
-    });
-
-    it("should reject command chaining with ||", () => {
-      expect(() => validateBranchName("branch || rm -rf /")).toThrow();
-      expect(() => validateBranchName("test||whoami")).toThrow();
-    });
-
-    it("should reject pipe characters", () => {
-      expect(() => validateBranchName("branch | cat")).toThrow();
-      expect(() => validateBranchName("test|grep password")).toThrow();
-    });
-
-    it("should reject redirection operators", () => {
-      expect(() => validateBranchName("branch > /etc/passwd")).toThrow();
-      expect(() => validateBranchName("branch < input")).toThrow();
-      expect(() => validateBranchName("branch >> file")).toThrow();
-    });
-  });
-
-  describe("option injection attempts", () => {
-    it("should reject branch names starting with dash", () => {
-      expect(() => validateBranchName("-x")).toThrow(
-        /cannot start with a dash/,
-      );
-      expect(() => validateBranchName("--help")).toThrow(
-        /cannot start with a dash/,
-      );
-      expect(() => validateBranchName("-")).toThrow(/cannot start with a dash/);
-      expect(() => validateBranchName("--version")).toThrow(
-        /cannot start with a dash/,
-      );
-      expect(() => validateBranchName("-rf")).toThrow(
-        /cannot start with a dash/,
-      );
-    });
-  });
-
-  describe("path traversal attempts", () => {
-    it("should reject double dot sequences", () => {
-      expect(() => validateBranchName("../../../etc")).toThrow();
-      expect(() => validateBranchName("branch/../secret")).toThrow(/'\.\.'$/);
-      expect(() => validateBranchName("a..b")).toThrow(/'\.\.'$/);
-    });
-  });
-
-  describe("git-specific invalid patterns", () => {
-    it("should reject @{ sequence", () => {
-      expect(() => validateBranchName("branch@{1}")).toThrow(/@{/);
-      expect(() => validateBranchName("HEAD@{yesterday}")).toThrow(/@{/);
-    });
-
-    it("should reject .lock suffix", () => {
-      expect(() => validateBranchName("branch.lock")).toThrow(/\.lock/);
-      expect(() => validateBranchName("feature.lock")).toThrow(/\.lock/);
-    });
-
-    it("should reject consecutive slashes", () => {
-      expect(() => validateBranchName("feature//branch")).toThrow(
-        /consecutive slashes/,
-      );
-      expect(() => validateBranchName("a//b//c")).toThrow(
-        /consecutive slashes/,
-      );
-    });
-
-    it("should reject trailing slashes", () => {
-      expect(() => validateBranchName("feature/")).toThrow(
-        /cannot end with a slash/,
-      );
-      expect(() => validateBranchName("branch/")).toThrow(
-        /cannot end with a slash/,
-      );
-    });
-
-    it("should reject leading periods", () => {
-      expect(() => validateBranchName(".hidden")).toThrow();
-    });
-
-    it("should reject trailing periods", () => {
-      expect(() => validateBranchName("branch.")).toThrow(
-        /cannot start or end with a period/,
-      );
-    });
-
-    it("should reject special git refspec characters", () => {
-      expect(() => validateBranchName("branch~1")).toThrow();
-      expect(() => validateBranchName("branch^2")).toThrow();
-      expect(() => validateBranchName("branch:ref")).toThrow();
-      expect(() => validateBranchName("branch?")).toThrow();
-      expect(() => validateBranchName("branch*")).toThrow();
-      expect(() => validateBranchName("branch[0]")).toThrow();
-      expect(() => validateBranchName("branch\\path")).toThrow();
-    });
-  });
-
-  describe("control characters and special characters", () => {
-    it("should reject null bytes", () => {
-      expect(() => validateBranchName("branch\x00name")).toThrow();
-    });
-
-    it("should reject other control characters", () => {
-      expect(() => validateBranchName("branch\x01name")).toThrow();
-      expect(() => validateBranchName("branch\x1Fname")).toThrow();
-      expect(() => validateBranchName("branch\x7Fname")).toThrow();
-    });
-
-    it("should reject spaces", () => {
-      expect(() => validateBranchName("branch name")).toThrow();
-      expect(() => validateBranchName("feature branch")).toThrow();
-    });
-
-    it("should reject newlines and tabs", () => {
-      expect(() => validateBranchName("branch\nname")).toThrow();
-      expect(() => validateBranchName("branch\tname")).toThrow();
-    });
-  });
-
-  describe("empty and whitespace", () => {
-    it("should reject empty strings", () => {
-      expect(() => validateBranchName("")).toThrow(/cannot be empty/);
-    });
-
-    it("should reject whitespace-only strings", () => {
-      expect(() => validateBranchName("   ")).toThrow();
-      expect(() => validateBranchName("\t\n")).toThrow();
-    });
-  });
-
-  describe("edge cases", () => {
-    it("should accept single alphanumeric character", () => {
-      expect(() => validateBranchName("a")).not.toThrow();
-      expect(() => validateBranchName("1")).not.toThrow();
-    });
-
-    it("should reject single special characters", () => {
-      expect(() => validateBranchName(".")).toThrow();
-      expect(() => validateBranchName("/")).toThrow();
-      expect(() => validateBranchName("-")).toThrow();
-    });
-  });
-});