TOCTOU window on agent output temp file between write and unlink #75

@ooloth

Description

Current state

loops/common/agent.py (line ~117) writes agent output to a named temp file, reads it back, and then unlinks it. The gap between write and unlink creates a TOCTOU (time-of-check/time-of-use) window during which another process with access to the temp directory can read the file's content or replace it with attacker-controlled output. In a CI or shared environment this window is exploitable; an agent run that processes sensitive issue content or produces a commit could be intercepted.

Ideal state

  • The file descriptor is held open across the write→read sequence so no separate process can open the file by name during that window
  • The file is unlinked immediately after the read completes, or replaced with an approach that does not expose content between write and consumption (e.g., tempfile.SpooledTemporaryFile)
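As an added example, not code from the loops repository: the write/read/unlink pattern described above next to a version that uses one descriptor and never exposes a path. `consume_output_unsafe`, `consume_output_safe` and the `_readable_by_name` probe are names made up for this illustration, and the probe call stands in for the QA plan's `time.sleep(5)` plus the second terminal.

```python
import os
import tempfile


def _readable_by_name(name):
    """QA probe standing in for the second terminal: can the output be
    opened by name while the agent still needs it? (hypothetical helper)"""
    if not isinstance(name, str) or not os.path.exists(name):
        return False
    try:
        with open(name) as other:
            return bool(other.read())
    except OSError:  # e.g. Windows refuses a second open of an O_TEMPORARY file
        return False


def consume_output_unsafe(output, probe=_readable_by_name):
    """Pattern the issue describes: write to a named temp file, read it back
    by path, then unlink. The probe runs inside the write->read gap."""
    # mkstemp creates the file 0600, so the window is reachable by processes
    # running as the same user (or root), which is the CI case in the issue.
    fd, path = tempfile.mkstemp(prefix="agent-")
    with os.fdopen(fd, "w") as f:
        f.write(output)
    exposed = probe(path)          # TOCTOU window: the path is live here
    with open(path) as f:          # re-opens by name, not by descriptor
        data = f.read()
    os.unlink(path)
    return data, exposed


def consume_output_safe(output, probe=_readable_by_name):
    """Hardened: one descriptor serves both write and read, and the file has
    no reachable name (TemporaryFile unlinks at creation or uses O_TMPFILE),
    so there is no interval in which another process can open it by path."""
    with tempfile.TemporaryFile(mode="w+", prefix="agent-") as f:
        f.write(output)
        f.flush()
        exposed = probe(f.name)    # on POSIX f.name is an int fd, not a path
        f.seek(0)
        data = f.read()
    return data, exposed
```

Running both with the same output shows `exposed` is `True` for the unsafe pattern and `False` for the descriptor-held version, which is the check step 2 of the QA plan asks for.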

Starting points

  • loops/common/agent.py line ~117 — temp file creation, write, read, and unlink sequence

QA plan

  1. Add a deliberate time.sleep(5) between the write and the unlink; in a second terminal confirm the file is readable at its /tmp/... path during the sleep
  2. After fix, confirm the gap no longer exists (file is unlinked before the sleep would have ended, or the descriptor pattern prevents external access)

Done when

The temp file used for agent output is not readable by other processes between the write and unlink steps.