chore: comment out release-base-action job in release workflow (#833)

Temporarily disable the release-base-action job that syncs releases
to the claude-code-base-action repository. The job checkout step
and subsequent tag/release creation steps are now commented out.


Claude-Generated-By: Claude Code (cli/claude-opus-4-5=100%)
Claude-Steers: 2
Claude-Permission-Prompts: 2
Claude-Escapes: 0

Co-authored-by: Claude <noreply@anthropic.com>

.github/workflows/release.yml

@@ -109,48 +109,48 @@ jobs:
 
           echo "Updated $major_version tag to point to $next_version"
 
-  release-base-action:
-    needs: create-release
-    if: ${{ !inputs.dry_run }}
-    runs-on: ubuntu-latest
-    environment: production
-    steps:
-      - name: Checkout base-action repo
-        uses: actions/checkout@v5
-        with:
-          repository: anthropics/claude-code-base-action
-          token: ${{ secrets.CLAUDE_CODE_BASE_ACTION_PAT }}
-          fetch-depth: 0
-
-      # - name: Create and push tag
-      #   run: |
-      #     next_version="${{ needs.create-release.outputs.next_version }}"
-
-      #     git config user.name "github-actions[bot]"
-      #     git config user.email "github-actions[bot]@users.noreply.github.com"
-
-      #     # Create the version tag
-      #     git tag -a "$next_version" -m "Release $next_version - synced from claude-code-action"
-      #     git push origin "$next_version"
-
-      #     # Update the beta tag
-      #     git tag -fa beta -m "Update beta tag to ${next_version}"
-      #     git push origin beta --force
-
-      # - name: Create GitHub release
-      #   env:
-      #     GH_TOKEN: ${{ secrets.CLAUDE_CODE_BASE_ACTION_PAT }}
-      #   run: |
-      #     next_version="${{ needs.create-release.outputs.next_version }}"
-
-      #     # Create the release
-      #     gh release create "$next_version" \
-      #       --repo anthropics/claude-code-base-action \
-      #       --title "$next_version" \
-      #       --notes "Release $next_version - synced from anthropics/claude-code-action" \
-      #       --latest=false
-
-      #     # Update beta release to be latest
-      #     gh release edit beta \
-      #       --repo anthropics/claude-code-base-action \
-      #       --latest
+  # release-base-action:
+  #   needs: create-release
+  #   if: ${{ !inputs.dry_run }}
+  #   runs-on: ubuntu-latest
+  #   environment: production
+  #   steps:
+  #     - name: Checkout base-action repo
+  #       uses: actions/checkout@v5
+  #       with:
+  #         repository: anthropics/claude-code-base-action
+  #         token: ${{ secrets.CLAUDE_CODE_BASE_ACTION_PAT }}
+  #         fetch-depth: 0
+  #
+  #     - name: Create and push tag
+  #       run: |
+  #         next_version="${{ needs.create-release.outputs.next_version }}"
+  #
+  #         git config user.name "github-actions[bot]"
+  #         git config user.email "github-actions[bot]@users.noreply.github.com"
+  #
+  #         # Create the version tag
+  #         git tag -a "$next_version" -m "Release $next_version - synced from claude-code-action"
+  #         git push origin "$next_version"
+  #
+  #         # Update the beta tag
+  #         git tag -fa beta -m "Update beta tag to ${next_version}"
+  #         git push origin beta --force
+  #
+  #     - name: Create GitHub release
+  #       env:
+  #         GH_TOKEN: ${{ secrets.CLAUDE_CODE_BASE_ACTION_PAT }}
+  #       run: |
+  #         next_version="${{ needs.create-release.outputs.next_version }}"
+  #
+  #         # Create the release
+  #         gh release create "$next_version" \
+  #           --repo anthropics/claude-code-base-action \
+  #           --title "$next_version" \
+  #           --notes "Release $next_version - synced from anthropics/claude-code-action" \
+  #           --latest=false
+  #
+  #         # Update beta release to be latest
+  #         gh release edit beta \
+  #           --repo anthropics/claude-code-base-action \
+  #           --latest

action.yml

@@ -23,6 +23,10 @@ inputs:
     description: "The prefix to use for Claude branches (defaults to 'claude/', use 'claude-' for dash format)"
     required: false
     default: "claude/"
+  branch_name_template:
+    description: "Template for branch naming. Available variables: {{prefix}}, {{entityType}}, {{entityNumber}}, {{timestamp}}, {{sha}}, {{label}}, {{description}}. {{label}} will be first label from the issue/PR, or {{entityType}} as a fallback. {{description}} will be the first 5 words of the issue/PR title in kebab-case. Default: '{{prefix}}{{entityType}}-{{entityNumber}}-{{timestamp}}'"
+    required: false
+    default: ""
   allowed_bots:
     description: "Comma-separated list of allowed bot usernames, or '*' to allow all bots. Empty string (default) allows no bots."
     required: false
@@ -178,6 +182,7 @@ runs:
         LABEL_TRIGGER: ${{ inputs.label_trigger }}
         BASE_BRANCH: ${{ inputs.base_branch }}
         BRANCH_PREFIX: ${{ inputs.branch_prefix }}
+        BRANCH_NAME_TEMPLATE: ${{ inputs.branch_name_template }}
         OVERRIDE_GITHUB_TOKEN: ${{ inputs.github_token }}
         ALLOWED_BOTS: ${{ inputs.allowed_bots }}
         ALLOWED_NON_WRITE_USERS: ${{ inputs.allowed_non_write_users }}
@@ -208,7 +213,7 @@ runs:
 
         # Install Claude Code if no custom executable is provided
         if [ -z "$PATH_TO_CLAUDE_CODE_EXECUTABLE" ]; then
-          CLAUDE_CODE_VERSION="2.0.76"
+          CLAUDE_CODE_VERSION="2.1.9"
           echo "Installing Claude Code v${CLAUDE_CODE_VERSION}..."
           for attempt in 1 2 3; do
             echo "Installation attempt $attempt..."

base-action/action.yml

@@ -124,7 +124,7 @@ runs:
         PATH_TO_CLAUDE_CODE_EXECUTABLE: ${{ inputs.path_to_claude_code_executable }}
       run: |
         if [ -z "$PATH_TO_CLAUDE_CODE_EXECUTABLE" ]; then
-          CLAUDE_CODE_VERSION="2.0.76"
+          CLAUDE_CODE_VERSION="2.1.9"
           echo "Installing Claude Code v${CLAUDE_CODE_VERSION}..."
           for attempt in 1 2 3; do
             echo "Installation attempt $attempt..."

base-action/bun.lock

@@ -6,7 +6,7 @@
       "name": "@anthropic-ai/claude-code-base-action",
       "dependencies": {
         "@actions/core": "^1.10.1",
-        "@anthropic-ai/claude-agent-sdk": "^0.1.76",
+        "@anthropic-ai/claude-agent-sdk": "^0.2.9",
         "shell-quote": "^1.8.3",
       },
       "devDependencies": {
@@ -27,7 +27,7 @@
 
     "@actions/io": ["@actions/io@1.1.3", "", {}, "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q=="],
 
-    "@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.1.76", "", { "optionalDependencies": { "@img/sharp-darwin-arm64": "^0.33.5", "@img/sharp-darwin-x64": "^0.33.5", "@img/sharp-linux-arm": "^0.33.5", "@img/sharp-linux-arm64": "^0.33.5", "@img/sharp-linux-x64": "^0.33.5", "@img/sharp-linuxmusl-arm64": "^0.33.5", "@img/sharp-linuxmusl-x64": "^0.33.5", "@img/sharp-win32-x64": "^0.33.5" }, "peerDependencies": { "zod": "^3.24.1 || ^4.0.0" } }, "sha512-s7RvpXoFaLXLG7A1cJBAPD8ilwOhhc/12fb5mJXRuD561o4FmPtQ+WRfuy9akMmrFRfLsKv8Ornw3ClGAPL2fw=="],
+    "@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.2.9", "", { "optionalDependencies": { "@img/sharp-darwin-arm64": "^0.33.5", "@img/sharp-darwin-x64": "^0.33.5", "@img/sharp-linux-arm": "^0.33.5", "@img/sharp-linux-arm64": "^0.33.5", "@img/sharp-linux-x64": "^0.33.5", "@img/sharp-linuxmusl-arm64": "^0.33.5", "@img/sharp-linuxmusl-x64": "^0.33.5", "@img/sharp-win32-x64": "^0.33.5" }, "peerDependencies": { "zod": "^4.0.0" } }, "sha512-b4JD6ZKCZeVDqpWBnb+zJISWi3HzlweNlV7Oy/uo5G2XAfUV2M5AJ/tomKZCvZsvmr1fYbmmfyde3GL2h0pksA=="],
 
     "@fastify/busboy": ["@fastify/busboy@2.1.1", "", {}, "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA=="],
 

base-action/package.json

@@ -11,7 +11,7 @@
   },
   "dependencies": {
     "@actions/core": "^1.10.1",
-    "@anthropic-ai/claude-agent-sdk": "^0.1.76",
+    "@anthropic-ai/claude-agent-sdk": "^0.2.9",
     "shell-quote": "^1.8.3"
   },
   "devDependencies": {

base-action/test/mcp-test/package.json

@@ -2,6 +2,6 @@
   "name": "mcp-test",
   "version": "1.0.0",
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.11.0"
+    "@modelcontextprotocol/sdk": "^1.24.0"
   }
 }

bun.lock

@@ -7,7 +7,7 @@
       "dependencies": {
         "@actions/core": "^1.10.1",
         "@actions/github": "^6.0.1",
-        "@anthropic-ai/claude-agent-sdk": "^0.1.76",
+        "@anthropic-ai/claude-agent-sdk": "^0.2.9",
         "@modelcontextprotocol/sdk": "^1.11.0",
         "@octokit/graphql": "^8.2.2",
         "@octokit/rest": "^21.1.1",
@@ -37,7 +37,7 @@
 
     "@actions/io": ["@actions/io@1.1.3", "", {}, "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q=="],
 
-    "@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.1.76", "", { "optionalDependencies": { "@img/sharp-darwin-arm64": "^0.33.5", "@img/sharp-darwin-x64": "^0.33.5", "@img/sharp-linux-arm": "^0.33.5", "@img/sharp-linux-arm64": "^0.33.5", "@img/sharp-linux-x64": "^0.33.5", "@img/sharp-linuxmusl-arm64": "^0.33.5", "@img/sharp-linuxmusl-x64": "^0.33.5", "@img/sharp-win32-x64": "^0.33.5" }, "peerDependencies": { "zod": "^3.24.1 || ^4.0.0" } }, "sha512-s7RvpXoFaLXLG7A1cJBAPD8ilwOhhc/12fb5mJXRuD561o4FmPtQ+WRfuy9akMmrFRfLsKv8Ornw3ClGAPL2fw=="],
+    "@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.2.9", "", { "optionalDependencies": { "@img/sharp-darwin-arm64": "^0.33.5", "@img/sharp-darwin-x64": "^0.33.5", "@img/sharp-linux-arm": "^0.33.5", "@img/sharp-linux-arm64": "^0.33.5", "@img/sharp-linux-x64": "^0.33.5", "@img/sharp-linuxmusl-arm64": "^0.33.5", "@img/sharp-linuxmusl-x64": "^0.33.5", "@img/sharp-win32-x64": "^0.33.5" }, "peerDependencies": { "zod": "^4.0.0" } }, "sha512-b4JD6ZKCZeVDqpWBnb+zJISWi3HzlweNlV7Oy/uo5G2XAfUV2M5AJ/tomKZCvZsvmr1fYbmmfyde3GL2h0pksA=="],
 
     "@fastify/busboy": ["@fastify/busboy@2.1.1", "", {}, "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA=="],
 

docs/security.md

@@ -13,6 +13,16 @@
 - **No Cross-Repository Access**: Each action invocation is limited to the repository where it was triggered
 - **Limited Scope**: The token cannot access other repositories or perform actions beyond the configured permissions
 
+## Pull Request Creation
+
+In its default configuration, **Claude does not create pull requests automatically** when responding to `@claude` mentions. Instead:
+
+- Claude commits code changes to a new branch
+- Claude provides a **link to the GitHub PR creation page** in its response
+- **The user must click the link and create the PR themselves**, ensuring human oversight before any code is proposed for merging
+
+This design ensures that users retain full control over what pull requests are created and can review the changes before initiating the PR workflow.
+
 ## ⚠️ Prompt Injection Risks
 
 **Beware of potential hidden markdown when tagging Claude on untrusted content.** External contributors may include hidden instructions through HTML comments, invisible characters, hidden attributes, or other techniques. The action sanitizes content by stripping HTML comments, invisible characters, markdown image alt text, hidden HTML attributes, and HTML entities, but new bypass techniques may emerge. We recommend reviewing the raw content of all input coming from external contributors before allowing Claude to process it.

package.json

@@ -12,7 +12,7 @@
   "dependencies": {
     "@actions/core": "^1.10.1",
     "@actions/github": "^6.0.1",
-    "@anthropic-ai/claude-agent-sdk": "^0.1.76",
+    "@anthropic-ai/claude-agent-sdk": "^0.2.9",
     "@modelcontextprotocol/sdk": "^1.11.0",
     "@octokit/graphql": "^8.2.2",
     "@octokit/rest": "^21.1.1",

src/github/api/queries/github.ts

@@ -18,6 +18,11 @@ export const PR_QUERY = `
         additions
         deletions
         state
+        labels(first: 1) {
+          nodes {
+            name
+          }
+        }
         commits(first: 100) {
           totalCount
           nodes {
@@ -101,6 +106,11 @@ export const ISSUE_QUERY = `
         updatedAt
         lastEditedAt
         state
+        labels(first: 1) {
+          nodes {
+            name
+          }
+        }
         comments(first: 100) {
           nodes {
             id

src/github/context.ts

@@ -88,6 +88,7 @@ type BaseContext = {
     labelTrigger: string;
     baseBranch?: string;
     branchPrefix: string;
+    branchNameTemplate?: string;
     useStickyComment: boolean;
     useCommitSigning: boolean;
     sshSigningKey: string;
@@ -145,6 +146,7 @@ export function parseGitHubContext(): GitHubContext {
       labelTrigger: process.env.LABEL_TRIGGER ?? "",
       baseBranch: process.env.BASE_BRANCH,
       branchPrefix: process.env.BRANCH_PREFIX ?? "claude/",
+      branchNameTemplate: process.env.BRANCH_NAME_TEMPLATE,
       useStickyComment: process.env.USE_STICKY_COMMENT === "true",
       useCommitSigning: process.env.USE_COMMIT_SIGNING === "true",
       sshSigningKey: process.env.SSH_SIGNING_KEY || "",

src/github/data/fetcher.ts

@@ -3,6 +3,8 @@ import type { Octokits } from "../api/client";
 import { ISSUE_QUERY, PR_QUERY, USER_QUERY } from "../api/queries/github";
 import {
   isIssueCommentEvent,
+  isIssuesEvent,
+  isPullRequestEvent,
   isPullRequestReviewEvent,
   isPullRequestReviewCommentEvent,
   type ParsedGitHubContext,
@@ -40,6 +42,31 @@ export function extractTriggerTimestamp(
   return undefined;
 }
 
+/**
+ * Extracts the original title from the GitHub webhook payload.
+ * This is the title as it existed when the trigger event occurred.
+ *
+ * @param context - Parsed GitHub context from webhook
+ * @returns The original title string or undefined if not available
+ */
+export function extractOriginalTitle(
+  context: ParsedGitHubContext,
+): string | undefined {
+  if (isIssueCommentEvent(context)) {
+    return context.payload.issue?.title;
+  } else if (isPullRequestEvent(context)) {
+    return context.payload.pull_request?.title;
+  } else if (isPullRequestReviewEvent(context)) {
+    return context.payload.pull_request?.title;
+  } else if (isPullRequestReviewCommentEvent(context)) {
+    return context.payload.pull_request?.title;
+  } else if (isIssuesEvent(context)) {
+    return context.payload.issue?.title;
+  }
+
+  return undefined;
+}
+
 /**
  * Filters comments to only include those that existed in their final state before the trigger time.
  * This prevents malicious actors from editing comments after the trigger to inject harmful content.
@@ -146,6 +173,7 @@ type FetchDataParams = {
   isPR: boolean;
   triggerUsername?: string;
   triggerTime?: string;
+  originalTitle?: string;
 };
 
 export type GitHubFileWithSHA = GitHubFile & {
@@ -169,6 +197,7 @@ export async function fetchGitHubData({
   isPR,
   triggerUsername,
   triggerTime,
+  originalTitle,
 }: FetchDataParams): Promise<FetchDataResult> {
   const [owner, repo] = repository.split("/");
   if (!owner || !repo) {
@@ -354,6 +383,11 @@ export async function fetchGitHubData({
     triggerDisplayName = await fetchUserDisplayName(octokits, triggerUsername);
   }
 
+  // Use the original title from the webhook payload if provided
+  if (originalTitle !== undefined) {
+    contextData.title = originalTitle;
+  }
+
   return {
     contextData,
     comments,

src/github/data/formatter.ts

@@ -14,7 +14,8 @@ export function formatContext(
 ): string {
   if (isPR) {
     const prData = contextData as GitHubPullRequest;
-    return `PR Title: ${prData.title}
+    const sanitizedTitle = sanitizeContent(prData.title);
+    return `PR Title: ${sanitizedTitle}
 PR Author: ${prData.author.login}
 PR Branch: ${prData.headRefName} -> ${prData.baseRefName}
 PR State: ${prData.state}
@@ -24,7 +25,8 @@ Total Commits: ${prData.commits.totalCount}
 Changed Files: ${prData.files.nodes.length} files`;
   } else {
     const issueData = contextData as GitHubIssue;
-    return `Issue Title: ${issueData.title}
+    const sanitizedTitle = sanitizeContent(issueData.title);
+    return `Issue Title: ${sanitizedTitle}
 Issue Author: ${issueData.author.login}
 Issue State: ${issueData.state}`;
   }

src/github/operations/branch.ts

@@ -6,12 +6,22 @@
  * - For Issues: Create a new branch
  */
 
+import { $ } from "bun";
 import { execFileSync } from "child_process";
 import * as core from "@actions/core";
 import type { ParsedGitHubContext } from "../context";
 import type { GitHubPullRequest } from "../types";
 import type { Octokits } from "../api/client";
 import type { FetchDataResult } from "../data/fetcher";
+import { generateBranchName } from "../../utils/branch-template";
+
+/**
+ * Extracts the first label from GitHub data, or returns undefined if no labels exist
+ */
+function extractFirstLabel(githubData: FetchDataResult): string | undefined {
+  const labels = githubData.contextData.labels?.nodes;
+  return labels && labels.length > 0 ? labels[0]?.name : undefined;
+}
 
 /**
  * Validates a git branch name against a strict whitelist pattern.
@@ -125,7 +135,7 @@ export async function setupBranch(
 ): Promise<BranchInfo> {
   const { owner, repo } = context.repository;
   const entityNumber = context.entityNumber;
-  const { baseBranch, branchPrefix } = context.inputs;
+  const { baseBranch, branchPrefix, branchNameTemplate } = context.inputs;
   const isPR = context.isPR;
 
   if (isPR) {
@@ -191,17 +201,8 @@ export async function setupBranch(
   // Generate branch name for either an issue or closed/merged PR
   const entityType = isPR ? "pr" : "issue";
 
-  // Create Kubernetes-compatible timestamp: lowercase, hyphens only, shorter format
-  const now = new Date();
-  const timestamp = `${now.getFullYear()}${String(now.getMonth() + 1).padStart(2, "0")}${String(now.getDate()).padStart(2, "0")}-${String(now.getHours()).padStart(2, "0")}${String(now.getMinutes()).padStart(2, "0")}`;
-
-  // Ensure branch name is Kubernetes-compatible:
-  // - Lowercase only
-  // - Alphanumeric with hyphens
-  // - No underscores
-  // - Max 50 chars (to allow for prefixes)
-  const branchName = `${branchPrefix}${entityType}-${entityNumber}-${timestamp}`;
-  const newBranch = branchName.toLowerCase().substring(0, 50);
+  // Get the SHA of the source branch to use in template
+  let sourceSHA: string | undefined;
 
   try {
     // Get the SHA of the source branch to verify it exists
@@ -211,8 +212,46 @@ export async function setupBranch(
       ref: `heads/${sourceBranch}`,
     });
 
-    const currentSHA = sourceBranchRef.data.object.sha;
-    console.log(`Source branch SHA: ${currentSHA}`);
+    sourceSHA = sourceBranchRef.data.object.sha;
+    console.log(`Source branch SHA: ${sourceSHA}`);
+
+    // Extract first label from GitHub data
+    const firstLabel = extractFirstLabel(githubData);
+
+    // Extract title from GitHub data
+    const title = githubData.contextData.title;
+
+    // Generate branch name using template or default format
+    let newBranch = generateBranchName(
+      branchNameTemplate,
+      branchPrefix,
+      entityType,
+      entityNumber,
+      sourceSHA,
+      firstLabel,
+      title,
+    );
+
+    // Check if generated branch already exists on remote
+    try {
+      await $`git ls-remote --exit-code origin refs/heads/${newBranch}`.quiet();
+
+      // If we get here, branch exists (exit code 0)
+      console.log(
+        `Branch '${newBranch}' already exists, falling back to default format`,
+      );
+      newBranch = generateBranchName(
+        undefined, // Force default template
+        branchPrefix,
+        entityType,
+        entityNumber,
+        sourceSHA,
+        firstLabel,
+        title,
+      );
+    } catch {
+      // Branch doesn't exist (non-zero exit code), continue with generated name
+    }
 
     // For commit signing, defer branch creation to the file ops server
     if (context.inputs.useCommitSigning) {

src/github/types.ts

@@ -63,6 +63,11 @@ export type GitHubPullRequest = {
   additions: number;
   deletions: number;
   state: string;
+  labels: {
+    nodes: Array<{
+      name: string;
+    }>;
+  };
   commits: {
     totalCount: number;
     nodes: Array<{
@@ -88,6 +93,11 @@ export type GitHubIssue = {
   updatedAt?: string;
   lastEditedAt?: string;
   state: string;
+  labels: {
+    nodes: Array<{
+      name: string;
+    }>;
+  };
   comments: {
     nodes: GitHubComment[];
   };

src/github/validation/actor.ts

@@ -6,11 +6,11 @@
  */
 
 import type { Octokit } from "@octokit/rest";
-import type { ParsedGitHubContext } from "../context";
+import type { GitHubContext } from "../context";
 
 export async function checkHumanActor(
   octokit: Octokit,
-  githubContext: ParsedGitHubContext,
+  githubContext: GitHubContext,
 ) {
   // Fetch user information from GitHub API
   const { data: userData } = await octokit.users.getByUsername({

src/mcp/github-file-ops-server.ts

@@ -4,11 +4,12 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { z } from "zod";
 import { readFile, stat } from "fs/promises";
-import { join } from "path";
+import { resolve } from "path";
 import { constants } from "fs";
 import fetch from "node-fetch";
 import { GITHUB_API_URL } from "../github/api/config";
 import { retryWithBackoff } from "../utils/retry";
+import { validatePathWithinRepo } from "./path-validation";
 
 type GitHubRef = {
   object: {
@@ -213,12 +214,18 @@ server.tool(
         throw new Error("GITHUB_TOKEN environment variable is required");
       }
 
-      const processedFiles = files.map((filePath) => {
-        if (filePath.startsWith("/")) {
-          return filePath.slice(1);
-        }
-        return filePath;
-      });
+      // Validate all paths are within repository root and get full/relative paths
+      const resolvedRepoDir = resolve(REPO_DIR);
+      const validatedFiles = await Promise.all(
+        files.map(async (filePath) => {
+          const fullPath = await validatePathWithinRepo(filePath, REPO_DIR);
+          // Calculate the relative path for the git tree entry
+          // Use the original filePath (normalized) for the git path, not the symlink-resolved path
+          const normalizedPath = resolve(resolvedRepoDir, filePath);
+          const relativePath = normalizedPath.slice(resolvedRepoDir.length + 1);
+          return { fullPath, relativePath };
+        }),
+      );
 
       // 1. Get the branch reference (create if doesn't exist)
       const baseSha = await getOrCreateBranchRef(
@@ -247,18 +254,14 @@ server.tool(
 
       // 3. Create tree entries for all files
       const treeEntries = await Promise.all(
-        processedFiles.map(async (filePath) => {
-          const fullPath = filePath.startsWith("/")
-            ? filePath
-            : join(REPO_DIR, filePath);
-
+        validatedFiles.map(async ({ fullPath, relativePath }) => {
           // Get the proper file mode based on file permissions
           const fileMode = await getFileMode(fullPath);
 
           // Check if file is binary (images, etc.)
           const isBinaryFile =
             /\.(png|jpg|jpeg|gif|webp|ico|pdf|zip|tar|gz|exe|bin|woff|woff2|ttf|eot)$/i.test(
-              filePath,
+              relativePath,
             );
 
           if (isBinaryFile) {
@@ -284,7 +287,7 @@ server.tool(
             if (!blobResponse.ok) {
               const errorText = await blobResponse.text();
               throw new Error(
-                `Failed to create blob for ${filePath}: ${blobResponse.status} - ${errorText}`,
+                `Failed to create blob for ${relativePath}: ${blobResponse.status} - ${errorText}`,
               );
             }
 
@@ -292,7 +295,7 @@ server.tool(
 
             // Return tree entry with blob SHA
             return {
-              path: filePath,
+              path: relativePath,
               mode: fileMode,
               type: "blob",
               sha: blobData.sha,
@@ -301,7 +304,7 @@ server.tool(
             // For text files, include content directly in tree
             const content = await readFile(fullPath, "utf-8");
             return {
-              path: filePath,
+              path: relativePath,
               mode: fileMode,
               type: "blob",
               content: content,
@@ -421,7 +424,9 @@ server.tool(
           author: newCommitData.author.name,
           date: newCommitData.author.date,
         },
-        files: processedFiles.map((path) => ({ path })),
+        files: validatedFiles.map(({ relativePath }) => ({
+          path: relativePath,
+        })),
         tree: {
           sha: treeData.sha,
         },

src/mcp/path-validation.ts

@@ -0,0 +1,64 @@
+import { realpath } from "fs/promises";
+import { resolve, sep } from "path";
+
+/**
+ * Validates that a file path resolves within the repository root.
+ * Prevents path traversal attacks via "../" sequences and symlinks.
+ * @param filePath - The file path to validate (can be relative or absolute)
+ * @param repoRoot - The repository root directory
+ * @returns The resolved absolute path (with symlinks resolved) if valid
+ * @throws Error if the path resolves outside the repository root
+ */
+export async function validatePathWithinRepo(
+  filePath: string,
+  repoRoot: string,
+): Promise<string> {
+  // First resolve the path string (handles .. and . segments)
+  const initialPath = resolve(repoRoot, filePath);
+
+  // Resolve symlinks to get the real path
+  // This prevents symlink attacks where a link inside the repo points outside
+  let resolvedRoot: string;
+  let resolvedPath: string;
+
+  try {
+    resolvedRoot = await realpath(repoRoot);
+  } catch {
+    throw new Error(`Repository root '${repoRoot}' does not exist`);
+  }
+
+  try {
+    resolvedPath = await realpath(initialPath);
+  } catch {
+    // File doesn't exist yet - fall back to checking the parent directory
+    // This handles the case where we're creating a new file
+    const parentDir = resolve(initialPath, "..");
+    try {
+      const resolvedParent = await realpath(parentDir);
+      if (
+        resolvedParent !== resolvedRoot &&
+        !resolvedParent.startsWith(resolvedRoot + sep)
+      ) {
+        throw new Error(
+          `Path '${filePath}' resolves outside the repository root`,
+        );
+      }
+      // Parent is valid, return the initial path since file doesn't exist yet
+      return initialPath;
+    } catch {
+      throw new Error(
+        `Path '${filePath}' resolves outside the repository root`,
+      );
+    }
+  }
+
+  // Path must be within repo root (or be the root itself)
+  if (
+    resolvedPath !== resolvedRoot &&
+    !resolvedPath.startsWith(resolvedRoot + sep)
+  ) {
+    throw new Error(`Path '${filePath}' resolves outside the repository root`);
+  }
+
+  return resolvedPath;
+}

src/modes/agent/index.ts

@@ -8,6 +8,7 @@ import {
   configureGitAuth,
   setupSshSigning,
 } from "../../github/operations/git-config";
+import { checkHumanActor } from "../../github/validation/actor";
 import type { GitHubContext } from "../../github/context";
 import { isEntityContext } from "../../github/context";
 
@@ -80,7 +81,14 @@ export const agentMode: Mode = {
     return false;
   },
 
-  async prepare({ context, githubToken }: ModeOptions): Promise<ModeResult> {
+  async prepare({
+    context,
+    octokit,
+    githubToken,
+  }: ModeOptions): Promise<ModeResult> {
+    // Check if actor is human (prevents bot-triggered loops)
+    await checkHumanActor(octokit.rest, context);
+
     // Configure git authentication for agent mode (same as tag mode)
     // SSH signing takes precedence if provided
     const useSshSigning = !!context.inputs.sshSigningKey;

src/modes/agent/parse-tools.ts

@@ -1,22 +1,33 @@
 export function parseAllowedTools(claudeArgs: string): string[] {
   // Match --allowedTools or --allowed-tools followed by the value
   // Handle both quoted and unquoted values
+  // Use /g flag to find ALL occurrences, not just the first one
   const patterns = [
-    /--(?:allowedTools|allowed-tools)\s+"([^"]+)"/, // Double quoted
-    /--(?:allowedTools|allowed-tools)\s+'([^']+)'/, // Single quoted
-    /--(?:allowedTools|allowed-tools)\s+([^\s]+)/, // Unquoted
+    /--(?:allowedTools|allowed-tools)\s+"([^"]+)"/g, // Double quoted
+    /--(?:allowedTools|allowed-tools)\s+'([^']+)'/g, // Single quoted
+    /--(?:allowedTools|allowed-tools)\s+([^'"\s][^\s]*)/g, // Unquoted (must not start with quote)
   ];
 
+  const tools: string[] = [];
+  const seen = new Set<string>();
+
   for (const pattern of patterns) {
-    const match = claudeArgs.match(pattern);
-    if (match && match[1]) {
-      // Don't return if the value starts with -- (another flag)
-      if (match[1].startsWith("--")) {
-        return [];
+    for (const match of claudeArgs.matchAll(pattern)) {
+      if (match[1]) {
+        // Don't add if the value starts with -- (another flag)
+        if (match[1].startsWith("--")) {
+          continue;
+        }
+        for (const tool of match[1].split(",")) {
+          const trimmed = tool.trim();
+          if (trimmed && !seen.has(trimmed)) {
+            seen.add(trimmed);
+            tools.push(trimmed);
+          }
+        }
       }
-      return match[1].split(",").map((t) => t.trim());
     }
   }
 
-  return [];
+  return tools;
 }

src/modes/tag/index.ts

@@ -12,6 +12,7 @@ import { prepareMcpConfig } from "../../mcp/install-mcp-server";
 import {
   fetchGitHubData,
   extractTriggerTimestamp,
+  extractOriginalTitle,
 } from "../../github/data/fetcher";
 import { createPrompt, generateDefaultPrompt } from "../../create-prompt";
 import { isEntityContext } from "../../github/context";
@@ -78,6 +79,7 @@ export const tagMode: Mode = {
     const commentId = commentData.id;
 
     const triggerTime = extractTriggerTimestamp(context);
+    const originalTitle = extractOriginalTitle(context);
 
     const githubData = await fetchGitHubData({
       octokits: octokit,
@@ -86,6 +88,7 @@ export const tagMode: Mode = {
       isPR: context.isPR,
       triggerUsername: context.actor,
       triggerTime,
+      originalTitle,
     });
 
     // Setup branch

src/utils/branch-template.ts

@@ -0,0 +1,99 @@
+#!/usr/bin/env bun
+
+/**
+ * Branch name template parsing and variable substitution utilities
+ */
+
+const NUM_DESCRIPTION_WORDS = 5;
+
+/**
+ * Extracts the first 5 words from a title and converts them to kebab-case
+ */
+function extractDescription(
+  title: string,
+  numWords: number = NUM_DESCRIPTION_WORDS,
+): string {
+  if (!title || title.trim() === "") {
+    return "";
+  }
+
+  return title
+    .trim()
+    .split(/\s+/)
+    .slice(0, numWords) // Only first `numWords` words
+    .join("-")
+    .toLowerCase()
+    .replace(/[^a-z0-9-]/g, "") // Remove non-alphanumeric except hyphens
+    .replace(/-+/g, "-") // Replace multiple hyphens with single
+    .replace(/^-|-$/g, ""); // Remove leading/trailing hyphens
+}
+
+export interface BranchTemplateVariables {
+  prefix: string;
+  entityType: string;
+  entityNumber: number;
+  timestamp: string;
+  sha?: string;
+  label?: string;
+  description?: string;
+}
+
+/**
+ * Replaces template variables in a branch name template
+ * Template format: {{variableName}}
+ */
+export function applyBranchTemplate(
+  template: string,
+  variables: BranchTemplateVariables,
+): string {
+  let result = template;
+
+  // Replace each variable
+  Object.entries(variables).forEach(([key, value]) => {
+    const placeholder = `{{${key}}}`;
+    const replacement = value ? String(value) : "";
+    result = result.replaceAll(placeholder, replacement);
+  });
+
+  return result;
+}
+
+/**
+ * Generates a branch name from the provided `template` and set of `variables`. Uses a default format if the template is empty or produces an empty result.
+ */
+export function generateBranchName(
+  template: string | undefined,
+  branchPrefix: string,
+  entityType: string,
+  entityNumber: number,
+  sha?: string,
+  label?: string,
+  title?: string,
+): string {
+  const now = new Date();
+
+  const variables: BranchTemplateVariables = {
+    prefix: branchPrefix,
+    entityType,
+    entityNumber,
+    timestamp: `${now.getFullYear()}${String(now.getMonth() + 1).padStart(2, "0")}${String(now.getDate()).padStart(2, "0")}-${String(now.getHours()).padStart(2, "0")}${String(now.getMinutes()).padStart(2, "0")}`,
+    sha: sha?.substring(0, 8), // First 8 characters of SHA
+    label: label || entityType, // Fall back to entityType if no label
+    description: title ? extractDescription(title) : undefined,
+  };
+
+  if (template?.trim()) {
+    const branchName = applyBranchTemplate(template, variables);
+
+    // Some templates could produce empty results- validate
+    if (branchName.trim().length > 0) return branchName;
+
+    console.log(
+      `Branch template '${template}' generated empty result, falling back to default format`,
+    );
+  }
+
+  const branchName = `${branchPrefix}${entityType}-${entityNumber}-${variables.timestamp}`;
+  // Kubernetes compatible: lowercase, max 50 chars, alphanumeric and hyphens only
+  return branchName.toLowerCase().substring(0, 50);
+}

test/branch-template.test.ts

@@ -0,0 +1,247 @@
+#!/usr/bin/env bun
+
+import { describe, it, expect } from "bun:test";
+import {
+  applyBranchTemplate,
+  generateBranchName,
+} from "../src/utils/branch-template";
+
+describe("branch template utilities", () => {
+  describe("applyBranchTemplate", () => {
+    it("should replace all template variables", () => {
+      const template =
+        "{{prefix}}{{entityType}}-{{entityNumber}}-{{timestamp}}";
+      const variables = {
+        prefix: "feat/",
+        entityType: "issue",
+        entityNumber: 123,
+        timestamp: "20240301-1430",
+        sha: "abcd1234",
+      };
+
+      const result = applyBranchTemplate(template, variables);
+      expect(result).toBe("feat/issue-123-20240301-1430");
+    });
+
+    it("should handle custom templates with multiple variables", () => {
+      const template =
+        "{{prefix}}fix/{{entityType}}_{{entityNumber}}_{{timestamp}}_{{sha}}";
+      const variables = {
+        prefix: "claude-",
+        entityType: "pr",
+        entityNumber: 456,
+        timestamp: "20240301-1430",
+        sha: "abcd1234",
+      };
+
+      const result = applyBranchTemplate(template, variables);
+      expect(result).toBe("claude-fix/pr_456_20240301-1430_abcd1234");
+    });
+
+    it("should handle templates with missing variables gracefully", () => {
+      const template = "{{prefix}}{{entityType}}-{{missing}}-{{entityNumber}}";
+      const variables = {
+        prefix: "feat/",
+        entityType: "issue",
+        entityNumber: 123,
+        timestamp: "20240301-1430",
+      };
+
+      const result = applyBranchTemplate(template, variables);
+      expect(result).toBe("feat/issue-{{missing}}-123");
+    });
+  });
+
+  describe("generateBranchName", () => {
+    it("should use custom template when provided", () => {
+      const template = "{{prefix}}custom-{{entityType}}_{{entityNumber}}";
+      const result = generateBranchName(template, "feature/", "issue", 123);
+
+      expect(result).toBe("feature/custom-issue_123");
+    });
+
+    it("should use default format when template is empty", () => {
+      const result = generateBranchName("", "claude/", "issue", 123);
+
+      expect(result).toMatch(/^claude\/issue-123-\d{8}-\d{4}$/);
+    });
+
+    it("should use default format when template is undefined", () => {
+      const result = generateBranchName(undefined, "claude/", "pr", 456);
+
+      expect(result).toMatch(/^claude\/pr-456-\d{8}-\d{4}$/);
+    });
+
+    it("should preserve custom template formatting (no automatic lowercase/truncation)", () => {
+      const template = "{{prefix}}UPPERCASE_Branch-Name_{{entityNumber}}";
+      const result = generateBranchName(template, "Feature/", "issue", 123);
+
+      expect(result).toBe("Feature/UPPERCASE_Branch-Name_123");
+    });
+
+    it("should not truncate custom template results", () => {
+      const template =
+        "{{prefix}}very-long-branch-name-that-exceeds-the-maximum-allowed-length-{{entityNumber}}";
+      const result = generateBranchName(template, "feature/", "issue", 123);
+
+      expect(result).toBe(
+        "feature/very-long-branch-name-that-exceeds-the-maximum-allowed-length-123",
+      );
+    });
+
+    it("should apply Kubernetes-compatible transformations to default template only", () => {
+      const result = generateBranchName(undefined, "Feature/", "issue", 123);
+
+      expect(result).toMatch(/^feature\/issue-123-\d{8}-\d{4}$/);
+      expect(result.length).toBeLessThanOrEqual(50);
+    });
+
+    it("should handle SHA in template", () => {
+      const template = "{{prefix}}{{entityType}}-{{entityNumber}}-{{sha}}";
+      const result = generateBranchName(
+        template,
+        "fix/",
+        "pr",
+        789,
+        "abcdef123456",
+      );
+
+      expect(result).toBe("fix/pr-789-abcdef12");
+    });
+
+    it("should use label in template when provided", () => {
+      const template = "{{prefix}}{{label}}/{{entityNumber}}";
+      const result = generateBranchName(
+        template,
+        "feature/",
+        "issue",
+        123,
+        undefined,
+        "bug",
+      );
+
+      expect(result).toBe("feature/bug/123");
+    });
+
+    it("should fallback to entityType when label template is used but no label provided", () => {
+      const template = "{{prefix}}{{label}}-{{entityNumber}}";
+      const result = generateBranchName(template, "fix/", "pr", 456);
+
+      expect(result).toBe("fix/pr-456");
+    });
+
+    it("should handle template with both label and entityType", () => {
+      const template = "{{prefix}}{{label}}-{{entityType}}_{{entityNumber}}";
+      const result = generateBranchName(
+        template,
+        "dev/",
+        "issue",
+        789,
+        undefined,
+        "enhancement",
+      );
+
+      expect(result).toBe("dev/enhancement-issue_789");
+    });
+
+    it("should use description in template when provided", () => {
+      const template = "{{prefix}}{{description}}/{{entityNumber}}";
+      const result = generateBranchName(
+        template,
+        "feature/",
+        "issue",
+        123,
+        undefined,
+        undefined,
+        "Fix login bug with OAuth",
+      );
+
+      expect(result).toBe("feature/fix-login-bug-with-oauth/123");
+    });
+
+    it("should handle template with multiple variables including description", () => {
+      const template =
+        "{{prefix}}{{label}}/{{description}}-{{entityType}}_{{entityNumber}}";
+      const result = generateBranchName(
+        template,
+        "dev/",
+        "issue",
+        456,
+        undefined,
+        "bug",
+        "User authentication fails completely",
+      );
+
+      expect(result).toBe(
+        "dev/bug/user-authentication-fails-completely-issue_456",
+      );
+    });
+
+    it("should handle description with special characters in template", () => {
+      const template = "{{prefix}}{{description}}-{{entityNumber}}";
+      const result = generateBranchName(
+        template,
+        "fix/",
+        "pr",
+        789,
+        undefined,
+        undefined,
+        "Add: User Registration & Email Validation",
+      );
+
+      expect(result).toBe("fix/add-user-registration-email-789");
+    });
+
+    it("should truncate descriptions to exactly 5 words", () => {
+      const result = generateBranchName(
+        "{{prefix}}{{description}}/{{entityNumber}}",
+        "feature/",
+        "issue",
+        999,
+        undefined,
+        undefined,
+        "This is a very long title with many more than five words in it",
+      );
+      expect(result).toBe("feature/this-is-a-very-long/999");
+    });
+
+    it("should handle empty description in template", () => {
+      const template = "{{prefix}}{{description}}-{{entityNumber}}";
+      const result = generateBranchName(
+        template,
+        "test/",
+        "issue",
+        101,
+        undefined,
+        undefined,
+        "",
+      );
+
+      expect(result).toBe("test/-101");
+    });
+
+    it("should fallback to default format when template produces empty result", () => {
+      const template = "{{description}}"; // Will be empty if no title provided
+      const result = generateBranchName(template, "claude/", "issue", 123);
+
+      expect(result).toMatch(/^claude\/issue-123-\d{8}-\d{4}$/);
+      expect(result.length).toBeLessThanOrEqual(50);
+    });
+
+    it("should fallback to default format when template produces only whitespace", () => {
+      const template = "  {{description}}  "; // Will be "  " if description is empty
+      const result = generateBranchName(
+        template,
+        "fix/",
+        "pr",
+        456,
+        undefined,
+        undefined,
+        "",
+      );
+
+      expect(result).toMatch(/^fix\/pr-456-\d{8}-\d{4}$/);
+      expect(result.length).toBeLessThanOrEqual(50);
+    });
+  });
+});

test/create-prompt.test.ts

@@ -61,6 +61,7 @@ describe("generatePrompt", () => {
       body: "This is a test PR",
       author: { login: "testuser" },
       state: "OPEN",
+      labels: { nodes: [] },
       createdAt: "2023-01-01T00:00:00Z",
       additions: 15,
       deletions: 5,
@@ -475,6 +476,7 @@ describe("generatePrompt", () => {
         body: "The login form is not working",
         author: { login: "testuser" },
         state: "OPEN",
+        labels: { nodes: [] },
         createdAt: "2023-01-01T00:00:00Z",
         comments: {
           nodes: [],

test/data-fetcher.test.ts

@@ -1,6 +1,7 @@
 import { describe, expect, it, jest } from "bun:test";
 import {
   extractTriggerTimestamp,
+  extractOriginalTitle,
   fetchGitHubData,
   filterCommentsToTriggerTime,
   filterReviewsToTriggerTime,
@@ -9,6 +10,7 @@ import {
 import {
   createMockContext,
   mockIssueCommentContext,
+  mockPullRequestCommentContext,
   mockPullRequestReviewContext,
   mockPullRequestReviewCommentContext,
   mockPullRequestOpenedContext,
@@ -63,6 +65,47 @@ describe("extractTriggerTimestamp", () => {
   });
 });
 
+describe("extractOriginalTitle", () => {
+  it("should extract title from IssueCommentEvent on PR", () => {
+    const title = extractOriginalTitle(mockPullRequestCommentContext);
+    expect(title).toBe("Fix: Memory leak in user service");
+  });
+
+  it("should extract title from PullRequestReviewEvent", () => {
+    const title = extractOriginalTitle(mockPullRequestReviewContext);
+    expect(title).toBe("Refactor: Improve error handling in API layer");
+  });
+
+  it("should extract title from PullRequestReviewCommentEvent", () => {
+    const title = extractOriginalTitle(mockPullRequestReviewCommentContext);
+    expect(title).toBe("Performance: Optimize search algorithm");
+  });
+
+  it("should extract title from pull_request event", () => {
+    const title = extractOriginalTitle(mockPullRequestOpenedContext);
+    expect(title).toBe("Feature: Add user authentication");
+  });
+
+  it("should extract title from issues event", () => {
+    const title = extractOriginalTitle(mockIssueOpenedContext);
+    expect(title).toBe("Bug: Application crashes on startup");
+  });
+
+  it("should return undefined for event without title", () => {
+    const context = createMockContext({
+      eventName: "issue_comment",
+      payload: {
+        comment: {
+          id: 123,
+          body: "test",
+        },
+      } as any,
+    });
+    const title = extractOriginalTitle(context);
+    expect(title).toBeUndefined();
+  });
+});
+
 describe("filterCommentsToTriggerTime", () => {
   const createMockComment = (
     createdAt: string,
@@ -945,4 +988,115 @@ describe("fetchGitHubData integration with time filtering", () => {
     );
     expect(hasPrBodyInMap).toBe(false);
   });
+
+  it("should use originalTitle when provided instead of fetched title", async () => {
+    const mockOctokits = {
+      graphql: jest.fn().mockResolvedValue({
+        repository: {
+          pullRequest: {
+            number: 123,
+            title: "Fetched Title From GraphQL",
+            body: "PR body",
+            author: { login: "author" },
+            createdAt: "2024-01-15T10:00:00Z",
+            additions: 10,
+            deletions: 5,
+            state: "OPEN",
+            commits: { totalCount: 1, nodes: [] },
+            files: { nodes: [] },
+            comments: { nodes: [] },
+            reviews: { nodes: [] },
+          },
+        },
+        user: { login: "trigger-user" },
+      }),
+      rest: jest.fn() as any,
+    };
+
+    const result = await fetchGitHubData({
+      octokits: mockOctokits as any,
+      repository: "test-owner/test-repo",
+      prNumber: "123",
+      isPR: true,
+      triggerUsername: "trigger-user",
+      originalTitle: "Original Title From Webhook",
+    });
+
+    expect(result.contextData.title).toBe("Original Title From Webhook");
+  });
+
+  it("should use fetched title when originalTitle is not provided", async () => {
+    const mockOctokits = {
+      graphql: jest.fn().mockResolvedValue({
+        repository: {
+          pullRequest: {
+            number: 123,
+            title: "Fetched Title From GraphQL",
+            body: "PR body",
+            author: { login: "author" },
+            createdAt: "2024-01-15T10:00:00Z",
+            additions: 10,
+            deletions: 5,
+            state: "OPEN",
+            commits: { totalCount: 1, nodes: [] },
+            files: { nodes: [] },
+            comments: { nodes: [] },
+            reviews: { nodes: [] },
+          },
+        },
+        user: { login: "trigger-user" },
+      }),
+      rest: jest.fn() as any,
+    };
+
+    const result = await fetchGitHubData({
+      octokits: mockOctokits as any,
+      repository: "test-owner/test-repo",
+      prNumber: "123",
+      isPR: true,
+      triggerUsername: "trigger-user",
+    });
+
+    expect(result.contextData.title).toBe("Fetched Title From GraphQL");
+  });
+
+  it("should use original title from webhook even if title was edited after trigger", async () => {
+    const mockOctokits = {
+      graphql: jest.fn().mockResolvedValue({
+        repository: {
+          pullRequest: {
+            number: 123,
+            title: "Edited Title (from GraphQL)",
+            body: "PR body",
+            author: { login: "author" },
+            createdAt: "2024-01-15T10:00:00Z",
+            lastEditedAt: "2024-01-15T12:30:00Z", // Edited after trigger
+            additions: 10,
+            deletions: 5,
+            state: "OPEN",
+            commits: { totalCount: 1, nodes: [] },
+            files: { nodes: [] },
+            comments: { nodes: [] },
+            reviews: { nodes: [] },
+          },
+        },
+        user: { login: "trigger-user" },
+      }),
+      rest: jest.fn() as any,
+    };
+
+    const result = await fetchGitHubData({
+      octokits: mockOctokits as any,
+      repository: "test-owner/test-repo",
+      prNumber: "123",
+      isPR: true,
+      triggerUsername: "trigger-user",
+      triggerTime: "2024-01-15T12:00:00Z",
+      originalTitle: "Original Title (from webhook at trigger time)",
+    });
+
+    expect(result.contextData.title).toBe(
+      "Original Title (from webhook at trigger time)",
+    );
+  });
 });

test/data-formatter.test.ts

@@ -28,6 +28,9 @@ describe("formatContext", () => {
       additions: 50,
       deletions: 30,
       state: "OPEN",
+      labels: {
+        nodes: [],
+      },
       commits: {
         totalCount: 3,
         nodes: [],
@@ -63,6 +66,9 @@ Changed Files: 2 files`,
       author: { login: "test-user" },
       createdAt: "2023-01-01T00:00:00Z",
       state: "OPEN",
+      labels: {
+        nodes: [],
+      },
       comments: {
         nodes: [],
       },

test/github-file-ops-path-validation.test.ts

@@ -0,0 +1,214 @@
+import { describe, expect, it, beforeAll, afterAll } from "bun:test";
+import { validatePathWithinRepo } from "../src/mcp/path-validation";
+import { resolve } from "path";
+import { mkdir, writeFile, symlink, rm, realpath } from "fs/promises";
+import { tmpdir } from "os";
+
+describe("validatePathWithinRepo", () => {
+  // Use a real temp directory for tests that need filesystem access
+  let testDir: string;
+  let repoRoot: string;
+  let outsideDir: string;
+  // Real paths after symlink resolution (e.g., /tmp -> /private/tmp on macOS)
+  let realRepoRoot: string;
+
+  beforeAll(async () => {
+    // Create test directory structure
+    testDir = resolve(tmpdir(), `path-validation-test-${Date.now()}`);
+    repoRoot = resolve(testDir, "repo");
+    outsideDir = resolve(testDir, "outside");
+
+    await mkdir(repoRoot, { recursive: true });
+    await mkdir(resolve(repoRoot, "src"), { recursive: true });
+    await mkdir(outsideDir, { recursive: true });
+
+    // Create test files
+    await writeFile(resolve(repoRoot, "file.txt"), "inside repo");
+    await writeFile(resolve(repoRoot, "src", "main.js"), "console.log('hi')");
+    await writeFile(resolve(outsideDir, "secret.txt"), "sensitive data");
+
+    // Get real paths after symlink resolution
+    realRepoRoot = await realpath(repoRoot);
+  });
+
+  afterAll(async () => {
+    // Cleanup
+    await rm(testDir, { recursive: true, force: true });
+  });
+
+  describe("valid paths", () => {
+    it("should accept simple relative paths", async () => {
+      const result = await validatePathWithinRepo("file.txt", repoRoot);
+      expect(result).toBe(resolve(realRepoRoot, "file.txt"));
+    });
+
+    it("should accept nested relative paths", async () => {
+      const result = await validatePathWithinRepo("src/main.js", repoRoot);
+      expect(result).toBe(resolve(realRepoRoot, "src/main.js"));
+    });
+
+    it("should accept paths with single dot segments", async () => {
+      const result = await validatePathWithinRepo("./src/main.js", repoRoot);
+      expect(result).toBe(resolve(realRepoRoot, "src/main.js"));
+    });
+
+    it("should accept paths that use .. but resolve inside repo", async () => {
+      // src/../file.txt resolves to file.txt which is still inside repo
+      const result = await validatePathWithinRepo("src/../file.txt", repoRoot);
+      expect(result).toBe(resolve(realRepoRoot, "file.txt"));
+    });
+
+    it("should accept absolute paths within the repo root", async () => {
+      const absolutePath = resolve(repoRoot, "file.txt");
+      const result = await validatePathWithinRepo(absolutePath, repoRoot);
+      expect(result).toBe(resolve(realRepoRoot, "file.txt"));
+    });
+
+    it("should accept the repo root itself", async () => {
+      const result = await validatePathWithinRepo(".", repoRoot);
+      expect(result).toBe(realRepoRoot);
+    });
+
+    it("should handle new files (non-existent) in valid directories", async () => {
+      const result = await validatePathWithinRepo("src/newfile.js", repoRoot);
+      // For non-existent files, we validate the parent but return the initial path
+      // (can't realpath a file that doesn't exist yet)
+      expect(result).toBe(resolve(repoRoot, "src/newfile.js"));
+    });
+  });
+
+  describe("path traversal attacks", () => {
+    it("should reject simple parent directory traversal", async () => {
+      await expect(
+        validatePathWithinRepo("../outside/secret.txt", repoRoot),
+      ).rejects.toThrow(/resolves outside the repository root/);
+    });
+
+    it("should reject deeply nested parent directory traversal", async () => {
+      await expect(
+        validatePathWithinRepo("../../../etc/passwd", repoRoot),
+      ).rejects.toThrow(/resolves outside the repository root/);
+    });
+
+    it("should reject traversal hidden within path", async () => {
+      await expect(
+        validatePathWithinRepo("src/../../outside/secret.txt", repoRoot),
+      ).rejects.toThrow(/resolves outside the repository root/);
+    });
+
+    it("should reject traversal at the end of path", async () => {
+      await expect(
+        validatePathWithinRepo("src/../..", repoRoot),
+      ).rejects.toThrow(/resolves outside the repository root/);
+    });
+
+    it("should reject absolute paths outside the repo root", async () => {
+      await expect(
+        validatePathWithinRepo("/etc/passwd", repoRoot),
+      ).rejects.toThrow(/resolves outside the repository root/);
+    });
+
+    it("should reject absolute paths to sibling directories", async () => {
+      await expect(
+        validatePathWithinRepo(resolve(outsideDir, "secret.txt"), repoRoot),
+      ).rejects.toThrow(/resolves outside the repository root/);
+    });
+  });
+
+  describe("symlink attacks", () => {
+    it("should reject symlinks pointing outside the repo", async () => {
+      // Create a symlink inside the repo that points to a file outside
+      const symlinkPath = resolve(repoRoot, "evil-link");
+      await symlink(resolve(outsideDir, "secret.txt"), symlinkPath);
+
+      try {
+        // The symlink path looks like it's inside the repo, but points outside
+        await expect(
+          validatePathWithinRepo("evil-link", repoRoot),
+        ).rejects.toThrow(/resolves outside the repository root/);
+      } finally {
+        await rm(symlinkPath, { force: true });
+      }
+    });
+
+    it("should reject symlinks to parent directories", async () => {
+      // Create a symlink to the parent directory
+      const symlinkPath = resolve(repoRoot, "parent-link");
+      await symlink(testDir, symlinkPath);
+
+      try {
+        await expect(
+          validatePathWithinRepo("parent-link/outside/secret.txt", repoRoot),
+        ).rejects.toThrow(/resolves outside the repository root/);
+      } finally {
+        await rm(symlinkPath, { force: true });
+      }
+    });
+
+    it("should accept symlinks that resolve within the repo", async () => {
+      // Create a symlink inside the repo that points to another file inside
+      const symlinkPath = resolve(repoRoot, "good-link");
+      await symlink(resolve(repoRoot, "file.txt"), symlinkPath);
+
+      try {
+        const result = await validatePathWithinRepo("good-link", repoRoot);
+        // Should resolve to the actual file location
+        expect(result).toBe(resolve(realRepoRoot, "file.txt"));
+      } finally {
+        await rm(symlinkPath, { force: true });
+      }
+    });
+
+    it("should reject directory symlinks that escape the repo", async () => {
+      // Create a symlink to outside directory
+      const symlinkPath = resolve(repoRoot, "escape-dir");
+      await symlink(outsideDir, symlinkPath);
+
+      try {
+        await expect(
+          validatePathWithinRepo("escape-dir/secret.txt", repoRoot),
+        ).rejects.toThrow(/resolves outside the repository root/);
+      } finally {
+        await rm(symlinkPath, { force: true });
+      }
+    });
+  });
+
+  describe("edge cases", () => {
+    it("should handle empty path (current directory)", async () => {
+      const result = await validatePathWithinRepo("", repoRoot);
+      expect(result).toBe(realRepoRoot);
+    });
+
+    it("should handle paths with multiple consecutive slashes", async () => {
+      const result = await validatePathWithinRepo("src//main.js", repoRoot);
+      expect(result).toBe(resolve(realRepoRoot, "src/main.js"));
+    });
+
+    it("should handle paths with trailing slashes", async () => {
+      const result = await validatePathWithinRepo("src/", repoRoot);
+      expect(result).toBe(resolve(realRepoRoot, "src"));
+    });
+
+    it("should reject prefix attack (repo root as prefix but not parent)", async () => {
+      // Create a sibling directory with repo name as prefix
+      const evilDir = repoRoot + "-evil";
+      await mkdir(evilDir, { recursive: true });
+      await writeFile(resolve(evilDir, "file.txt"), "evil");
+
+      try {
+        await expect(
+          validatePathWithinRepo(resolve(evilDir, "file.txt"), repoRoot),
+        ).rejects.toThrow(/resolves outside the repository root/);
+      } finally {
+        await rm(evilDir, { recursive: true, force: true });
+      }
+    });
+
+    it("should throw error for non-existent repo root", async () => {
+      await expect(
+        validatePathWithinRepo("file.txt", "/nonexistent/repo"),
+      ).rejects.toThrow(/does not exist/);
+    });
+  });
+});

test/modes/agent.test.ts

@@ -145,12 +145,12 @@ describe("Agent Mode", () => {
         users: {
           getAuthenticated: mock(() =>
             Promise.resolve({
-              data: { login: "test-user", id: 12345 },
+              data: { login: "test-user", id: 12345, type: "User" },
             }),
           ),
           getByUsername: mock(() =>
             Promise.resolve({
-              data: { login: "test-user", id: 12345 },
+              data: { login: "test-user", id: 12345, type: "User" },
             }),
           ),
         },
@@ -187,6 +187,65 @@ describe("Agent Mode", () => {
       process.env.GITHUB_REF_NAME = originalRefName;
   });
 
+  test("prepare method rejects bot actors without allowed_bots", async () => {
+    const contextWithPrompts = createMockAutomationContext({
+      eventName: "workflow_dispatch",
+    });
+    contextWithPrompts.actor = "claude[bot]";
+    contextWithPrompts.inputs.allowedBots = "";
+
+    const mockOctokit = {
+      rest: {
+        users: {
+          getByUsername: mock(() =>
+            Promise.resolve({
+              data: { login: "claude[bot]", id: 12345, type: "Bot" },
+            }),
+          ),
+        },
+      },
+    } as any;
+
+    await expect(
+      agentMode.prepare({
+        context: contextWithPrompts,
+        octokit: mockOctokit,
+        githubToken: "test-token",
+      }),
+    ).rejects.toThrow(
+      "Workflow initiated by non-human actor: claude (type: Bot)",
+    );
+  });
+
+  test("prepare method allows bot actors when in allowed_bots list", async () => {
+    const contextWithPrompts = createMockAutomationContext({
+      eventName: "workflow_dispatch",
+    });
+    contextWithPrompts.actor = "dependabot[bot]";
+    contextWithPrompts.inputs.allowedBots = "dependabot";
+
+    const mockOctokit = {
+      rest: {
+        users: {
+          getByUsername: mock(() =>
+            Promise.resolve({
+              data: { login: "dependabot[bot]", id: 12345, type: "Bot" },
+            }),
+          ),
+        },
+      },
+    } as any;
+
+    // Should not throw - bot is in allowed list
+    await expect(
+      agentMode.prepare({
+        context: contextWithPrompts,
+        octokit: mockOctokit,
+        githubToken: "test-token",
+      }),
+    ).resolves.toBeDefined();
+  });
+
   test("prepare method creates prompt file with correct content", async () => {
     const contextWithPrompts = createMockAutomationContext({
       eventName: "workflow_dispatch",
@@ -199,12 +258,12 @@ describe("Agent Mode", () => {
         users: {
           getAuthenticated: mock(() =>
             Promise.resolve({
-              data: { login: "test-user", id: 12345 },
+              data: { login: "test-user", id: 12345, type: "User" },
             }),
           ),
           getByUsername: mock(() =>
             Promise.resolve({
-              data: { login: "test-user", id: 12345 },
+              data: { login: "test-user", id: 12345, type: "User" },
             }),
           ),
         },

test/modes/parse-tools.test.ts

@@ -35,12 +35,44 @@ describe("parseAllowedTools", () => {
     expect(parseAllowedTools("")).toEqual([]);
   });
 
-  test("handles duplicate --allowedTools flags", () => {
+  test("handles --allowedTools followed by another --allowedTools flag", () => {
     const args = "--allowedTools --allowedTools mcp__github__*";
-    // Should not match the first one since the value is another flag
+    // The second --allowedTools is consumed as a value of the first, then skipped.
+    // This is an edge case with malformed input - returns empty.
     expect(parseAllowedTools(args)).toEqual([]);
   });
 
+  test("parses multiple separate --allowed-tools flags", () => {
+    const args =
+      "--allowed-tools 'mcp__context7__*' --allowed-tools 'Read,Glob' --allowed-tools 'mcp__github_inline_comment__*'";
+    expect(parseAllowedTools(args)).toEqual([
+      "mcp__context7__*",
+      "Read",
+      "Glob",
+      "mcp__github_inline_comment__*",
+    ]);
+  });
+
+  test("parses multiple --allowed-tools flags on separate lines", () => {
+    const args = `--model 'claude-haiku'
+--allowed-tools 'mcp__context7__*'
+--allowed-tools 'Read,Glob,Grep'
+--allowed-tools 'mcp__github_inline_comment__create_inline_comment'`;
+    expect(parseAllowedTools(args)).toEqual([
+      "mcp__context7__*",
+      "Read",
+      "Glob",
+      "Grep",
+      "mcp__github_inline_comment__create_inline_comment",
+    ]);
+  });
+
+  test("deduplicates tools from multiple flags", () => {
+    const args =
+      "--allowed-tools 'Read,Glob' --allowed-tools 'Glob,Grep' --allowed-tools 'Read'";
+    expect(parseAllowedTools(args)).toEqual(["Read", "Glob", "Grep"]);
+  });
+
   test("handles typo --alloedTools", () => {
     const args = "--alloedTools mcp__github__*";
     expect(parseAllowedTools(args)).toEqual([]);

test/pull-request-target.test.ts

@@ -87,6 +87,7 @@ describe("pull_request_target event support", () => {
       },
       comments: { nodes: [] },
       reviews: { nodes: [] },
+      labels: { nodes: [] },
     },
     comments: [],
     changedFiles: [],