Critical fixes: proxy, security & tool routing

[Nomadcxx]

Summary

• Fix command injection in grep/glob tools (execFile)
• Wire up prompt builder for tool message handling (fixes body.tools + role:tool)
• Fix SdkExecutor toolId gating, env var consistency, MCP source filter
• Add CI/CD GitHub Actions workflow

Changes

Security (CRITICAL)

• Command injection fix: Replaced exec() with execFile() in grep and glob handlers
• Eliminates shell interpretation by passing arguments as arrays

Proxy fixes (CRITICAL)

• Tool message handling: Integrated buildPromptFromMessages() in both Bun and Node.js handlers
• Fixes: proxy dropping body.tools array
• Fixes: role: "tool" messages not being handled

Tool routing (HIGH)

• SdkExecutor: Added setToolIds() and toolId-aware canExecute() to prevent intercepting MCP tools
• Env var consistency: Removed duplicate forwardToolCalls, uses module-level FORWARD_TOOL_CALLS everywhere
• MCP source filter: Fixed to use "mcp" instead of "sdk"

CI/CD

• Added GitHub Actions workflow with explicit test file list (avoids temp_repo)

Test Coverage

• Added 2 injection-safe tests for grep/glob
• Added 9 SdkExecutor tests (all passing)
• Created 10 prompt builder tests (all passing)
• 67+ tests passing across all modified components

Test Plan

• Command injection eliminated (execFile bypasses shell)
• Prompt builder correctly handles tool messages
• SdkExecutor gates by toolId
• All env var references consistent
• CI workflow validates on push

🤖 Generated with cursor-acp