Config restore from base branch prevents review of .claude/ changes #1134
Description
Problem
When a PR modifies files under .claude/, the action's security restore overwrites them with the base branch version before the CLI runs.
This creates two problems:
- Changes to .claude/ are never reviewed
A PR can add arbitrary content to .claude/ (hooks, MCP configs, agent specs) and it will never be reviewed by any agent running through the action. Once the PR merges, the content becomes "trusted" without ever having been inspected.
- Documentation review produces false findings
When a review agent checks .claude/CLAUDE.md for accuracy, it reads the base branch version but compares against the PR's actual code.
If the PR fixes documentation issues, the review keeps flagging the old content — an unresolvable loop.
Root cause
restore-config.ts conflates two concerns:
- Execution safety: Don't execute hooks/MCP/tool permissions from untrusted PR code (correct)
- File visibility: Review agents should be able to read the PR's .claude/ files (currently blocked)
Suggested approach
Preserve the PR's .claude/ files in a read-only location (e.g., .claude-pr/) so review agents can inspect what the PR changes, while continuing to use the base branch .claude/ for execution.