- agent-job.yml: pass untrusted issue body via env (BODY), never interpolated
into a run: shell line (fixes GHA expression-injection). Adds security note.
- lab/.gitignore: keep propose_pr's `git add -A` from sweeping __pycache__ and
copied scaffolding into the review diff.
- agent_runner.py: simulated reject() now removes the agent's untracked files
(git restore can't), and the Module 2 restore line only prints for the real
tracked-edit path.
- README: clarify --simulate uses a deterministic stand-in, not the delete issue.
Closes#24Closes#25Closes#26Closes#27
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TfzV5QvtPDz8LJS3Pu5VLT