Remove unused rejectPreEncoded function

The rejectPreEncoded function is exported but never used in production code.
validateResourceId already rejects any % character via RESOURCE_ID_FORBIDDEN,
making the more specific %XX hex pattern check redundant.

Author: cursoragent

src/lib/input-validation.ts

@@ -28,12 +28,6 @@ import { ValidationError } from "./errors.js";
  */
 const RESOURCE_ID_FORBIDDEN = /[?#%\s]/;
 
-/**
- * Matches `%XX` hex-encoded sequences (e.g., `%2F`, `%20`, `%3A`).
- * Used to detect pre-encoded strings that would get double-encoded.
- */
-const PRE_ENCODED_PATTERN = /%[0-9a-fA-F]{2}/;
-
 /**
  * Matches ASCII control characters (code points 0x00–0x1F).
  * These are invisible and have no valid use in CLI string inputs.
@@ -110,27 +104,6 @@ export function rejectControlChars(input: string, label: string): void {
   }
 }
 
-/**
- * Reject pre-URL-encoded sequences (`%XX`) in resource identifiers.
- *
- * Resource IDs (slugs, issue IDs) should always be plain strings. If they
- * contain `%XX` patterns, they were likely pre-encoded by an agent and
- * would get double-encoded when interpolated into API URLs.
- *
- * @param input - String to validate
- * @param label - Human-readable name for error messages (e.g., "project slug")
- * @throws {ValidationError} When input contains percent-encoded sequences
- */
-export function rejectPreEncoded(input: string, label: string): void {
-  const match = PRE_ENCODED_PATTERN.exec(input);
-  if (match) {
-    throw new ValidationError(
-      `Invalid ${label}: contains URL-encoded sequence "${match[0]}".\n` +
-        `  Use plain text instead of percent-encoding (e.g., "my project" not "my%20project").`
-    );
-  }
-}
-
 /**
  * Validate a resource identifier (org slug, project slug, or issue ID component).
  *

test/lib/input-validation.property.test.ts

@@ -20,7 +20,6 @@ import {
 } from "fast-check";
 import {
   rejectControlChars,
-  rejectPreEncoded,
   validateEndpoint,
   validateResourceId,
 } from "../../src/lib/input-validation.js";
@@ -42,19 +41,6 @@ const validEndpointArb = stringMatching(
 /** Characters that should be rejected in resource IDs */
 const injectionCharArb = constantFrom("?", "#", "%20", " ", "\t", "\n");
 
-/** Pre-encoded sequences that should be rejected */
-const preEncodedArb = constantFrom(
-  "%2F",
-  "%20",
-  "%3A",
-  "%3F",
-  "%23",
-  "%00",
-  "%0A",
-  "%7E",
-  "%41"
-);
-
 /** Control characters (ASCII 0x00-0x1F) as strings */
 const controlCharArb = constantFrom(
   "\x00",
@@ -122,35 +108,6 @@ describe("rejectControlChars properties", () => {
   });
 });
 
-describe("rejectPreEncoded properties", () => {
-  test("valid slugs without percent signs always pass", async () => {
-    await fcAssert(
-      property(validSlugArb, (input) => {
-        rejectPreEncoded(input, "test");
-      }),
-      { numRuns: DEFAULT_NUM_RUNS }
-    );
-  });
-
-  test("any string with %XX hex pattern always throws", async () => {
-    await fcAssert(
-      property(tuple(validSlugArb, preEncodedArb), ([prefix, encoded]) => {
-        const input = `${prefix}${encoded}`;
-        expect(() => rejectPreEncoded(input, "test")).toThrow(
-          /URL-encoded sequence/
-        );
-      }),
-      { numRuns: DEFAULT_NUM_RUNS }
-    );
-  });
-
-  test("percent sign followed by non-hex does not throw", () => {
-    // "%ZZ" is not a valid encoding — we only reject real %XX patterns
-    rejectPreEncoded("my-org%ZZstuff", "test");
-    rejectPreEncoded("my-org%Gxstuff", "test");
-  });
-});
-
 describe("validateResourceId properties", () => {
   test("valid slugs always pass", async () => {
     await fcAssert(