Full agent prompt placed in _PROMPT env var, visible to all child processes #74

@ooloth

Description

Current state

The full agent prompt — including GitHub issue bodies, PR descriptions, and any other external content embedded at runtime — is assigned to the _PROMPT environment variable before launching the claude subprocess (loops/common/agent.py, ~line 125). Environment variables are inherited by every child process the subprocess spawns. Any tool claude invokes during a run (shell commands, scripts, language runtimes) can read the full unfiltered prompt via its own environment, including content sourced from untrusted external parties such as issue authors.

Ideal state

  • The prompt is delivered to claude through a channel that child processes cannot read (e.g., a pipe to stdin, or a temp file that is unlinked before the subprocess is forked)
  • If an environment variable is used, it holds only a pointer (e.g., a file path) that is invalidated immediately after the first read, not the full prompt text

Out of scope

  • Restricting what child processes claude itself may spawn
  • Sanitizing prompt content before passing it

Starting points

  • loops/common/agent.py — the _PROMPT environment variable assignment and subprocess launch (~line 125)

QA plan

  1. Add a temporary subprocess call inside a test agent run that prints os.environ.get('_PROMPT', 'not found') to stdout
  2. Run the agency fix loop on a test issue and observe the subprocess output — expect the full prompt text appears today
  3. After fix, repeat — expect the subprocess output shows the variable is absent or contains only a file path
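The following is an added example, not code from this repository: it reproduces in miniature both the leak described under "Current state" and the stdin-pipe delivery proposed under "Ideal state", and it runs the probe from the QA plan (a child process printing `os.environ.get('_PROMPT', 'not found')`). The agent is stood in for by a small Python stub that accepts its prompt either from `_PROMPT` or from stdin and then spawns a tool subprocess; the prompt text, the stub and the function names `launch_agent`/`main` are all constructed for the example and are not the project's own `loops/common/agent.py` logic.

```python
import os
import subprocess
import sys

# Constructed sample prompt, standing in for the runtime prompt that embeds
# issue bodies and PR descriptions from external (untrusted) authors.
SAMPLE_PROMPT = "Fix issue #74. Issue body: <text written by the issue author>"

# Hypothetical agent stub (not the real claude binary). It takes its prompt
# from _PROMPT when set, otherwise from stdin, then invokes one "tool": a
# grandchild that reports whether it can see the prompt in its own
# environment. This grandchild is exactly the QA-plan probe.
AGENT_STUB = r"""
import os, subprocess, sys
prompt = os.environ.get("_PROMPT") or sys.stdin.read()
probe = subprocess.run(
    [sys.executable, "-c",
     "import os; print(os.environ.get('_PROMPT', 'not found'))"],
    capture_output=True, text=True, check=True)
print(len(prompt))            # line 1: how much prompt the agent received
print(probe.stdout.strip())   # line 2: what the tool grandchild saw
"""


def launch_agent(prompt: str, via_env: bool) -> dict:
    """Launch the agent stub with the prompt delivered either through the
    _PROMPT environment variable (current behaviour) or through a stdin pipe
    (proposed fix). Returns what the agent received and what its tool saw."""
    env = dict(os.environ)
    env.pop("_PROMPT", None)  # never inherit a stale copy from our own env
    if via_env:
        env["_PROMPT"] = prompt    # inherited by every descendant process
        stdin_data = ""            # nothing on stdin in this mode
    else:
        stdin_data = prompt        # read once by the direct child only
    result = subprocess.run(
        [sys.executable, "-c", AGENT_STUB],
        env=env, input=stdin_data, capture_output=True, text=True, check=True,
    )
    received_len, tool_saw = result.stdout.splitlines()[:2]
    return {"agent_prompt_len": int(received_len), "tool_sees": tool_saw}


def main() -> None:
    for via_env in (True, False):
        outcome = launch_agent(SAMPLE_PROMPT, via_env=via_env)
        channel = "_PROMPT env var" if via_env else "stdin pipe"
        print(f"{channel:15s} -> agent got {outcome['agent_prompt_len']} chars, "
              f"tool grandchild saw: {outcome['tool_sees']!r}")


if __name__ == "__main__":
    main()
```

In both modes the agent itself receives the complete prompt; only the environment-variable mode lets the tool grandchild read it back verbatim, which is the condition the QA plan checks for before and after the fix. Clearing `_PROMPT` from the inherited environment before launch matters as well: otherwise a value left over from the parent's own environment would still be visible to descendants even after the launch path stops setting it.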

Done when

The full agent prompt text is not accessible via environment variable to any child process spawned during an agent run.
