@ashwin-ant
Collaborator

When in tag mode with the SDK path, extracts the user's request from the trigger comment (text after @claude) and sends it as a separate content block. This enables the CLI to process slash commands like "/review-pr".

Changes

  • Add extract-user-request utility to parse trigger comments
  • Write user request to separate file during prompt generation
  • Send multi-block SDKUserMessage when user request file exists
  • Add tests for the extraction utility

…upport

When in tag mode with the SDK path, extracts the user's request from the
trigger comment (text after @claude) and sends it as a separate content
block. This enables the CLI to process slash commands like "/review-pr".

- Add extract-user-request utility to parse trigger comments
- Write user request to separate file during prompt generation
- Send multi-block SDKUserMessage when user request file exists
- Add tests for the extraction utility

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
```typescript
const promptContent = await readFile(promptPath, "utf-8");

// Check for user request file in the same directory
const userRequestPath = join(dirname(promptPath), "claude-user-request.txt");
```
Contributor

Code Quality: Magic string should be a constant

The filename "claude-user-request.txt" is hardcoded here and in src/create-prompt/index.ts:945. Define a shared constant:

```typescript
export const USER_REQUEST_FILENAME = "claude-user-request.txt";
```


```typescript
// User request file exists - create multi-block message
const userRequest = await readFile(userRequestPath, "utf-8");
console.log("Using multi-block message with user request:", userRequest);
```
Contributor

Security: Sensitive data logging

User requests may contain sensitive information. Consider conditional logging based on showFullOutput to match the pattern used elsewhere in the file (lines 125-129).

@claude
claude bot commented Jan 2, 2026

Code Review Summary

I've completed a comprehensive review of PR #785 using specialized analysis agents. Overall, the implementation is well-structured and adds valuable slash command support, but there are several critical issues that need attention.

Critical Issues

  1. 🔒 Security: ReDoS Vulnerability - The regex pattern in extract-user-request.ts:24 uses a greedy quantifier that could cause catastrophic backtracking with large inputs
  2. 🧹 Code Quality: Unused Export - extractUserRequestFromEvent() is exported but never used, creating maintenance overhead
  3. 🧪 Testing: Zero Coverage for Core Integration - createPromptConfig() and extractUserRequestFromContext() have no tests despite being critical to the feature

High Priority Issues

  1. 📝 Documentation: Missing JSDoc - extractUserRequestFromContext() lacks proper documentation
  2. 🏗️ Code Quality: Single Responsibility Violation - createPromptConfig() handles multiple concerns (file I/O, existence checking, message generation)
  3. 🔧 Code Quality: Magic String - Hardcoded filename appears in two files without a constant

Positive Observations

✅ Proper regex escaping prevents injection attacks
✅ Good null/undefined handling throughout
✅ No command injection vulnerabilities
✅ Comprehensive test coverage for the extraction utility
✅ Clear separation of concerns between extraction and usage

Performance Assessment

The changes add minimal overhead (2-5ms) and follow best practices for file I/O. No performance concerns identified.

Recommendations

Must Fix:

  • Add input length validation to prevent ReDoS
  • Remove unused extractUserRequestFromEvent function
  • Add integration tests for createPromptConfig() and extractUserRequestFromContext()

Should Fix:

  • Define shared constant for filename
  • Split createPromptConfig() into focused functions
  • Add comprehensive JSDoc for new functions

See inline comments for detailed recommendations and code examples.

- Fix potential ReDoS vulnerability by using string operations instead of regex
- Remove unused extractUserRequestFromEvent function and tests
- Extract USER_REQUEST_FILENAME to shared constants
- Conditionally log user request based on showFullOutput setting
- Add JSDoc documentation to extractUserRequestFromContext
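The flow the PR description and the follow-up fix commit describe, written out as an added example (this is not claude-code-action's own code): the request text after the trigger phrase is extracted with plain string operations rather than a regex, capped in length, written beside the prompt file under a shared constant, and sent as a second text block only when that file exists; the log line echoes the request body only when `showFullOutput` is set. Function names, `MAX_COMMENT_LENGTH`, `DEFAULT_TRIGGER`, `parseSlashCommand` and the `{ type: "text", text }` block shape are assumptions made here and are not the SDK's or the project's identifiers; the sample comment and temp-directory layout are constructed.

```typescript
import { mkdtempSync, writeFileSync, readFileSync, existsSync } from "node:fs";
import { join, dirname } from "node:path";
import { tmpdir } from "node:os";

// Added example; not claude-code-action's own code. Names and limits below
// are assumptions for this illustration.
export const USER_REQUEST_FILENAME = "claude-user-request.txt";
export const DEFAULT_TRIGGER = "@claude";
// Hypothetical cap: comments above this size are rejected before scanning.
export const MAX_COMMENT_LENGTH = 65_536;

// Assumed block shape for a multi-block user message.
export type TextBlock = { type: "text"; text: string };

function isWhitespace(ch: string): boolean {
  return ch === " " || ch === "\t" || ch === "\n" || ch === "\r";
}

function firstWhitespace(s: string): number {
  for (let i = 0; i < s.length; i++) if (isWhitespace(s.charAt(i))) return i;
  return -1;
}

// Text after the first whole-word occurrence of the trigger, trimmed. Returns
// null when the trigger is missing, glued to other characters ("@claude-bot"),
// or followed by nothing. indexOf/slice instead of a regex built from the
// trigger phrase: nothing to escape, and linear time whatever the input looks like.
export function extractUserRequest(commentBody: string, trigger = DEFAULT_TRIGGER): string | null {
  if (commentBody.length > MAX_COMMENT_LENGTH) return null;
  const idx = commentBody.indexOf(trigger);
  if (idx === -1) return null;
  const after = commentBody.slice(idx + trigger.length);
  if (after.length > 0 && !isWhitespace(after.charAt(0))) return null;
  const request = after.trim();
  return request.length > 0 ? request : null;
}

// Split "/review-pr focus on tests" into command and arguments; null when the
// request is not a slash command (no leading "/" or nothing after it).
export function parseSlashCommand(request: string): { command: string; args: string } | null {
  if (!request.startsWith("/")) return null;
  const ws = firstWhitespace(request);
  const command = ws === -1 ? request : request.slice(0, ws);
  if (command.length < 2) return null;
  const args = ws === -1 ? "" : request.slice(ws).trim();
  return { command, args };
}

// Prompt-generation side: write the request next to the prompt file, only
// when there is one. Returns the path written, or null.
export function writeUserRequest(promptPath: string, request: string | null): string | null {
  if (request === null) return null;
  const requestPath = join(dirname(promptPath), USER_REQUEST_FILENAME);
  writeFileSync(requestPath, request, "utf-8");
  return requestPath;
}

// SDK side: one text block for the generated prompt, a second one for the
// user request when the sibling file exists.
export function buildMessageContent(promptPath: string): TextBlock[] {
  const blocks: TextBlock[] = [{ type: "text", text: readFileSync(promptPath, "utf-8") }];
  const requestPath = join(dirname(promptPath), USER_REQUEST_FILENAME);
  if (existsSync(requestPath)) {
    blocks.push({ type: "text", text: readFileSync(requestPath, "utf-8") });
  }
  return blocks;
}

// Log line that includes the request body only when full output is enabled;
// otherwise only its length is reported.
export function requestLogLine(request: string, showFullOutput: boolean): string {
  return showFullOutput
    ? `Using multi-block message with user request: ${request}`
    : `Using multi-block message with user request (${request.length} chars, hidden)`;
}

// Stand-alone run over a constructed comment in a fresh temp directory.
export function demo(): TextBlock[] {
  const dir = mkdtempSync(join(tmpdir(), "slash-demo-"));
  const promptPath = join(dir, "claude-prompt.txt");
  writeFileSync(promptPath, "<generated prompt>", "utf-8");
  const request = extractUserRequest("Looks good overall. @claude /review-pr focus on tests");
  writeUserRequest(promptPath, request);
  if (request !== null) console.log(requestLogLine(request, false));
  return buildMessageContent(promptPath);
}

demo();
```

Rejecting over-length comments outright (rather than truncating) is a deliberate choice here: a silently truncated request could change which command runs, whereas a rejected one simply does nothing.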
@ashwin-ant ashwin-ant merged commit b17b541 into main Jan 3, 2026
20 checks passed
@ashwin-ant ashwin-ant deleted the feature/sdk-slash-commands branch January 3, 2026 01:57
mergify bot added a commit to robfrank/linklift that referenced this pull request Jan 9, 2026
…updates [skip ci]

Bumps the github-actions group with 4 updates in the / directory: [graalvm/setup-graalvm](https://github.com/graalvm/setup-graalvm), [dorny/test-reporter](https://github.com/dorny/test-reporter), [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) and [ruby/setup-ruby](https://github.com/ruby/setup-ruby).
Updates `graalvm/setup-graalvm` from 1.4.4 to 1.4.5
Commits

* [`54b4f5a`](graalvm/setup-graalvm@54b4f5a) Bump version to `1.4.5`.
* [`3742797`](graalvm/setup-graalvm@3742797) Update dist files.
* [`24f39d0`](graalvm/setup-graalvm@24f39d0) Bump the npm-updates group with 11 updates
* [`f9a4cbb`](graalvm/setup-graalvm@f9a4cbb) Bump the github-actions-updates group with 3 updates
* [`3f22a48`](graalvm/setup-graalvm@3f22a48) Add 25e1 EA builds.
* [`2e57584`](graalvm/setup-graalvm@2e57584) Replace `macos-13` with `macos-15-intel`.
* See full diff in [compare view](graalvm/setup-graalvm@790e289...54b4f5a)
  
Updates `dorny/test-reporter` from 2.3.0 to 2.5.0
Release notes

*Sourced from [dorny/test-reporter's releases](https://github.com/dorny/test-reporter/releases).*

> v2.5.0
> ------
>
> What's Changed
> --------------
>
> ### Features
>
> * Add Nette Tester JUnit Reporter by [`@​jozefizso`](https://github.com/jozefizso) in [dorny/test-reporter#707](https://redirect.github.com/dorny/test-reporter/pull/707)
>
> ### Project maintenance
>
> * Bump actions/upload-artifact from 5 to 6 by [`@​dependabot`](https://github.com/dependabot)[bot] in [dorny/test-reporter#695](https://redirect.github.com/dorny/test-reporter/pull/695)
>
> **Full Changelog**: <dorny/test-reporter@v2.4.0...v2.5.0>
>
> v2.4.0
> ------
>
> What's Changed
> --------------
>
> * Create tests for sample JUnit files by [`@​jozefizso`](https://github.com/jozefizso) in [dorny/test-reporter#701](https://redirect.github.com/dorny/test-reporter/pull/701)
> * Support for the PHPUnit dialect of JUnit by [`@​mbeccati`](https://github.com/mbeccati) in [dorny/test-reporter#422](https://redirect.github.com/dorny/test-reporter/pull/422)
> * Use `String.substring()` function by [`@​jozefizso`](https://github.com/jozefizso) in [dorny/test-reporter#704](https://redirect.github.com/dorny/test-reporter/pull/704)
>
> New Contributors
> ----------------
>
> * [`@​mbeccati`](https://github.com/mbeccati) made their first contribution in [dorny/test-reporter#422](https://redirect.github.com/dorny/test-reporter/pull/422)
>
> **Full Changelog**: <dorny/test-reporter@v2.3.0...v2.4.0>


Changelog

*Sourced from [dorny/test-reporter's changelog](https://github.com/dorny/test-reporter/blob/main/CHANGELOG.md).*

> Changelog
> =========
>
> 2.5.0
> -----
>
> * Feature: Add Nette Tester support with `tester-junit` reporter [dorny/test-reporter#707](https://redirect.github.com/dorny/test-reporter/pull/707)
> * Maintenance: Bump actions/upload-artifact from 5 to 6 [dorny/test-reporter#695](https://redirect.github.com/dorny/test-reporter/pull/695)
>
> 2.4.0
> -----
>
> * Feature: Add PHPUnit support with JUnit XML dialect parser [dorny/test-reporter#422](https://redirect.github.com/dorny/test-reporter/pull/422)
> * Feature: Add JUnit XML sample files and tests for validation [dorny/test-reporter#701](https://redirect.github.com/dorny/test-reporter/pull/701)
> * Fix: Refactor deprecated `String.substr()` function to use `String.substring()` [dorny/test-reporter#704](https://redirect.github.com/dorny/test-reporter/pull/704)
>
> 2.3.0
> -----
>
> * Feature: Add Python support with `python-xunit` reporter (pytest) [dorny/test-reporter#643](https://redirect.github.com/dorny/test-reporter/pull/643)
> * Feature: Add pytest traceback parsing and `directory-mapping` option [dorny/test-reporter#238](https://redirect.github.com/dorny/test-reporter/pull/238)
> * Performance: Update sax.js to fix large XML file parsing [dorny/test-reporter#681](https://redirect.github.com/dorny/test-reporter/pull/681)
> * Documentation: Complete documentation for all supported reporters [dorny/test-reporter#691](https://redirect.github.com/dorny/test-reporter/pull/691)
> * Security: Bump js-yaml and mocha in /reports/mocha (fixes prototype pollution) [dorny/test-reporter#682](https://redirect.github.com/dorny/test-reporter/pull/682)
>
> 2.2.0
> -----
>
> * Feature: Add collapsed option to control report summary visibility [dorny/test-reporter#664](https://redirect.github.com/dorny/test-reporter/pull/664)
> * Fix badge encoding for values including underscore and hyphens [dorny/test-reporter#672](https://redirect.github.com/dorny/test-reporter/pull/672)
> * Fix missing `report-title` attribute in action definition [dorny/test-reporter#637](https://redirect.github.com/dorny/test-reporter/pull/637)
> * Refactor variable names to fix shadowing issues [dorny/test-reporter#630](https://redirect.github.com/dorny/test-reporter/pull/630)
>
> 2.1.1
> -----
>
> * Fix error when a TestMethod element does not have a className attribute in a trx file [dorny/test-reporter#623](https://redirect.github.com/dorny/test-reporter/pull/623)
> * Add stack trace from trx to summary [dorny/test-reporter#615](https://redirect.github.com/dorny/test-reporter/pull/615)
> * List only failed tests [dorny/test-reporter#606](https://redirect.github.com/dorny/test-reporter/pull/606)
> * Add type definitions to `github-utils.ts` [dorny/test-reporter#604](https://redirect.github.com/dorny/test-reporter/pull/604)
> * Avoid split on undefined [dorny/test-reporter#258](https://redirect.github.com/dorny/test-reporter/pull/258)
> * Return links to summary report [dorny/test-reporter#588](https://redirect.github.com/dorny/test-reporter/pull/588)
> * Add step summary short summary [dorny/test-reporter#589](https://redirect.github.com/dorny/test-reporter/pull/589)
> * Fix for empty TRX TestDefinitions [dorny/test-reporter#582](https://redirect.github.com/dorny/test-reporter/pull/582)
> * Increase step summary limit to 1MiB [dorny/test-reporter#581](https://redirect.github.com/dorny/test-reporter/pull/581)
> * Fix input description for list options [dorny/test-reporter#572](https://redirect.github.com/dorny/test-reporter/pull/572)
>
> 2.1.0
> -----
>
> * Feature: Add summary title [dorny/test-reporter#568](https://redirect.github.com/dorny/test-reporter/pull/568)
> * Feature: Add Golang test parser [dorny/test-reporter#571](https://redirect.github.com/dorny/test-reporter/pull/571)
> * Increase step summary limit to 1MiB [dorny/test-reporter#581](https://redirect.github.com/dorny/test-reporter/pull/581)
> * Fix for empty TRX TestDefinitions [dorny/test-reporter#582](https://redirect.github.com/dorny/test-reporter/pull/582)
> * Fix input description for list options [dorny/test-reporter#572](https://redirect.github.com/dorny/test-reporter/pull/572)
> * Update npm packages [dorny/test-reporter#583](https://redirect.github.com/dorny/test-reporter/pull/583)
>
> 2.0.0
> -----
>
> * Parse JUnit report with detailed message in failure [dorny/test-reporter#559](https://redirect.github.com/dorny/test-reporter/pull/559)
> * Support displaying test results in markdown using GitHub Actions Job Summaries [dorny/test-reporter#383](https://redirect.github.com/dorny/test-reporter/pull/383)
>
> 1.9.1
> -----
>
> * Fix problematic retransmission of authentication token [dorny/test-reporter#438](https://redirect.github.com/dorny/test-reporter/pull/438)

... (truncated)


Commits

* [`b082adf`](dorny/test-reporter@b082adf) test-reporter release v2.5.0
* [`bcafc9f`](dorny/test-reporter@bcafc9f) Merge pull request [#707](https://redirect.github.com/dorny/test-reporter/issues/707) from dorny/feature/700-nette-tester-junit-reporter
* [`b0cbac6`](dorny/test-reporter@b0cbac6) Rebuild the `dist/index.js` file
* [`c92a289`](dorny/test-reporter@c92a289) Remove unnecessary output files
* [`6697ec4`](dorny/test-reporter@6697ec4) Merge pull request [#695](https://redirect.github.com/dorny/test-reporter/issues/695) from dorny/dependabot/github\_actions/actions/upload-a...
* [`6387029`](dorny/test-reporter@6387029) Create `tester-junit` reporter for Nette Tester tool
* [`6896772`](dorny/test-reporter@6896772) Merge pull request [#706](https://redirect.github.com/dorny/test-reporter/issues/706) from dorny/release/v2.4.0
* [`e17be7e`](dorny/test-reporter@e17be7e) test-reporter release v2.4.0
* [`6efb86e`](dorny/test-reporter@6efb86e) Merge pull request [#704](https://redirect.github.com/dorny/test-reporter/issues/704) from dorny/bugfix/703-refactor-deprecated-substr-func...
* [`055bc8c`](dorny/test-reporter@055bc8c) Rebuild the `dist/index.js` file
* Additional commits viewable in [compare view](dorny/test-reporter@fe45e95...b082adf)
  
Updates `anthropics/claude-code-action` from 1.0.27 to 1.0.28
Release notes

*Sourced from [anthropics/claude-code-action's releases](https://github.com/anthropics/claude-code-action/releases).*

> v1.0.28
> -------
>
> What's Changed
> --------------
>
> * fix: update broken link in cloud-providers.md by [`@​ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#758](https://redirect.github.com/anthropics/claude-code-action/pull/758)
> * chore: remove unused ci yaml file by [`@​kiwamizamurai`](https://github.com/kiwamizamurai) in [anthropics/claude-code-action#763](https://redirect.github.com/anthropics/claude-code-action/pull/763)
> * feat: add instant "Fix this" links to PR code reviews by [`@​aiddun`](https://github.com/aiddun) in [anthropics/claude-code-action#773](https://redirect.github.com/anthropics/claude-code-action/pull/773)
> * feat: add ssh\_signing\_key input for SSH commit signing by [`@​ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#784](https://redirect.github.com/anthropics/claude-code-action/pull/784)
> * feat: send user request as separate content block for slash command support by [`@​ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#785](https://redirect.github.com/anthropics/claude-code-action/pull/785)
> * feat: support local plugin marketplace paths by [`@​gor-st`](https://github.com/gor-st) in [anthropics/claude-code-action#761](https://redirect.github.com/anthropics/claude-code-action/pull/761)
> * fix: prevent orphaned installer processes from blocking retries by [`@​ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#790](https://redirect.github.com/anthropics/claude-code-action/pull/790)
> * fix: set CLAUDE\_CODE\_ENTRYPOINT for SDK path to match CLI path by [`@​ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#791](https://redirect.github.com/anthropics/claude-code-action/pull/791)
>
> New Contributors
> ----------------
>
> * [`@​kiwamizamurai`](https://github.com/kiwamizamurai) made their first contribution in [anthropics/claude-code-action#763](https://redirect.github.com/anthropics/claude-code-action/pull/763)
> * [`@​aiddun`](https://github.com/aiddun) made their first contribution in [anthropics/claude-code-action#773](https://redirect.github.com/anthropics/claude-code-action/pull/773)
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.28>


Commits

* [`c9ec2b0`](anthropics/claude-code-action@c9ec2b0) fix: set CLAUDE\_CODE\_ENTRYPOINT for SDK path to match CLI path ([#791](https://redirect.github.com/anthropics/claude-code-action/issues/791))
* [`63ea7e3`](anthropics/claude-code-action@63ea7e3) fix: prevent orphaned installer processes from blocking retries ([#790](https://redirect.github.com/anthropics/claude-code-action/issues/790))
* [`653f9cd`](anthropics/claude-code-action@653f9cd) feat: support local plugin marketplace paths ([#761](https://redirect.github.com/anthropics/claude-code-action/issues/761))
* [`b17b541`](anthropics/claude-code-action@b17b541) feat: send user request as separate content block for slash command support (...
* [`7e4bf87`](anthropics/claude-code-action@7e4bf87) feat: add ssh\_signing\_key input for SSH commit signing ([#784](https://redirect.github.com/anthropics/claude-code-action/issues/784))
* [`154d0de`](anthropics/claude-code-action@154d0de) feat: add instant "Fix this" links to PR code reviews ([#773](https://redirect.github.com/anthropics/claude-code-action/issues/773))
* [`3ba9f7c`](anthropics/claude-code-action@3ba9f7c) chore: bump Claude Code to 2.0.76 and Agent SDK to 0.1.76
* [`e5b0741`](anthropics/claude-code-action@e5b0741) chore: remove unused ci yaml file ([#763](https://redirect.github.com/anthropics/claude-code-action/issues/763))
* [`b89827f`](anthropics/claude-code-action@b89827f) fix: update broken link in cloud-providers.md ([#758](https://redirect.github.com/anthropics/claude-code-action/issues/758))
* See full diff in [compare view](anthropics/claude-code-action@7145c3e...c9ec2b0)
  
Updates `ruby/setup-ruby` from 1.275.0 to 1.280.0
Release notes

*Sourced from [ruby/setup-ruby's releases](https://github.com/ruby/setup-ruby/releases).*

> v1.280.0
> --------
>
> What's Changed
> --------------
>
> * Test ruby 4.0 on windows by [`@​ntkme`](https://github.com/ntkme) in [ruby/setup-ruby#853](https://redirect.github.com/ruby/setup-ruby/pull/853)
> * Add token input for downloading release assets by [`@​TingluoHuang`](https://github.com/TingluoHuang) in [ruby/setup-ruby#851](https://redirect.github.com/ruby/setup-ruby/pull/851)
>
> New Contributors
> ----------------
>
> * [`@​TingluoHuang`](https://github.com/TingluoHuang) made their first contribution in [ruby/setup-ruby#851](https://redirect.github.com/ruby/setup-ruby/pull/851)
>
> **Full Changelog**: <ruby/setup-ruby@v1.279.0...v1.280.0>
>
> v1.279.0
> --------
>
> **Full Changelog**: <ruby/setup-ruby@v1.278.0...v1.279.0>
>
> v1.278.0
> --------
>
> What's Changed
> --------------
>
> * Set BUNDLER\_VERSION whenever we know which version to use by [`@​eregon`](https://github.com/eregon) in [ruby/setup-ruby#849](https://redirect.github.com/ruby/setup-ruby/pull/849)
>
> **Full Changelog**: <ruby/setup-ruby@v1.277.0...v1.278.0>
>
> v1.277.0
> --------
>
> What's Changed
> --------------
>
> * Update CRuby releases on Windows by [`@​ruby-builder-bot`](https://github.com/ruby-builder-bot) in [ruby/setup-ruby#847](https://redirect.github.com/ruby/setup-ruby/pull/847)
>
> **Full Changelog**: <ruby/setup-ruby@v1.276.0...v1.277.0>
>
> v1.276.0
> --------
>
> What's Changed
> --------------
>
> * Add ruby-4.0.0 by [`@​ruby-builder-bot`](https://github.com/ruby-builder-bot) in [ruby/setup-ruby#844](https://redirect.github.com/ruby/setup-ruby/pull/844)
>
> **Full Changelog**: <ruby/setup-ruby@v1.275.0...v1.276.0>


Commits

* [`d5f787c`](ruby/setup-ruby@d5f787c) Define a helper to download to avoid duplication
* [`1010da4`](ruby/setup-ruby@1010da4) Tweaks
* [`7f50f6e`](ruby/setup-ruby@7f50f6e) Add token input and pass it to release assets download.
* [`be19563`](ruby/setup-ruby@be19563) Test ruby 4.0 on windows
* [`b90be12`](ruby/setup-ruby@b90be12) Rename 3.4-asan to asan-release
* [`4c24fa5`](ruby/setup-ruby@4c24fa5) Set BUNDLER\_VERSION whenever we know which version to use
* [`8a836ef`](ruby/setup-ruby@8a836ef) Update CRuby releases on Windows
* [`ae195bb`](ruby/setup-ruby@ae195bb) Add ruby-4.0.0
* See full diff in [compare view](ruby/setup-ruby@d354de1...d5f787c)
  
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
  
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show  ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore  major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore  minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore  ` will remove the ignore condition of the specified dependency and ignore conditions