Current state
loops/fix.py lines 222–223 call issue_context(ctx.issue_number), which returns raw gh issue view JSON (title, body, labels authored by anyone who can open a GitHub issue), and passes the result directly to the implement agent as context with no schema check, content bounds, or sanitization. A malicious or oversized issue body can embed prompt injection instructions that redirect the agent's behavior, exfiltrate project secrets passed in other context fields, or cause the agent to take unintended actions.
Ideal state
- issue_context() output is validated against a declared schema (required keys: title, body, number; type checks; max-length bounds on body and title) before being embedded in agent context.
- A validation failure raises a structured error that is logged and reported as a run failure, rather than letting untrusted content reach the agent prompt.
- The schema is defined once and reused wherever issue context is embedded.
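One way the declared schema and structured error described above could look, written as an added example rather than the project's own code. The field names follow the issue; the length bounds, the function names and the error class are assumptions for illustration.

```python
"""Validate the dict returned by issue_context() before it reaches the agent prompt."""

# Bounds are assumed values for illustration; choose limits that fit the prompt budget.
MAX_TITLE_LEN = 256
MAX_BODY_LEN = 20_000

# Schema declared once and reused: key -> (expected type, max length or None).
ISSUE_CONTEXT_SCHEMA = {
    "title": (str, MAX_TITLE_LEN),
    "body": (str, MAX_BODY_LEN),
    "number": (int, None),
}


class IssueContextValidationError(ValueError):
    """Structured error: names the failing field and reason without echoing the body."""

    def __init__(self, field, reason):
        self.field = field
        self.reason = reason
        super().__init__(f"issue context rejected: field {field!r} {reason}")


def validate_issue_context(raw):
    """Return a dict holding only schema keys, or raise IssueContextValidationError.

    Keys outside the schema (labels, assignees, ...) are dropped so that only
    checked, bounded fields are ever embedded in agent context.
    """
    if not isinstance(raw, dict):
        raise IssueContextValidationError("<root>", "is not a JSON object")
    checked = {}
    for key, (expected_type, max_len) in ISSUE_CONTEXT_SCHEMA.items():
        if key not in raw:
            raise IssueContextValidationError(key, "is missing")
        value = raw[key]
        # bool is a subclass of int; reject it explicitly so True is not a valid number.
        if isinstance(value, bool) or not isinstance(value, expected_type):
            raise IssueContextValidationError(key, f"is not of type {expected_type.__name__}")
        if max_len is not None and len(value) > max_len:
            raise IssueContextValidationError(key, f"exceeds {max_len} characters")
        checked[key] = value
    if checked["number"] <= 0:
        raise IssueContextValidationError("number", "must be a positive issue number")
    return checked
```

Calling validate_issue_context() on the gh issue view result and letting the error propagate as a run failure keeps unchecked content out of the prompt; the error message can be logged safely because it never includes the rejected body.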
Starting points
- loops/fix.py lines 222–223 — the issue_context(ctx.issue_number) call and the dict that embeds it
- loops/common/github.py — issue_context definition, to understand the current return shape
QA plan
- Craft a GitHub issue with a body exceeding the proposed max-length bound and trigger the fix loop against it.
- Expect the run to fail with a clear validation error before the agent is started, not a prompt injection that causes unexpected agent behavior.
- Trigger the fix loop against a normal issue — expect the agent receives context and runs to completion as before.
Done when
The fix loop raises a validation error for any issue body that exceeds defined bounds or fails the schema check, before any agent subprocess is started.