Fix agent fails when HUMAN_INSTRUCTION contains shell metacharacters (|| true, $() expansion) #615

@waynesun09

Summary

The fix agent fails when HUMAN_INSTRUCTION contains shell metacharacters such as || true, $(), backticks, or unescaped quotes. The env file sourcing step interprets these fragments as bash commands, corrupting the sandbox environment and causing the agent to exit with code 1 without producing output.

Failed run

https://github.com/fullsend-ai/.fullsend/actions/runs/25254463710/job/74051513585

Triggered via /fix on PR #473 (fullsend-ai/fullsend).

Root cause

The HUMAN_INSTRUCTION value is injected into /tmp/workspace/.env.d/fix-agent.env with expand: true in the harness config. When bash sources this env file inside the sandbox, any shell metacharacters in the instruction text are evaluated as commands rather than treated as literal strings.

The instruction that triggered this failure contained:

...replacing `--search "$ISSUE_NUMBER in:body,title"` with timeline/cross-reference API...
Distinguish gh pr list failure from empty results instead of blanket `|| true`...

This caused three bash errors when the env file was sourced:

/tmp/workspace/.env.d/fix-agent.env: line 4: --search: command not found
/tmp/workspace/.env.d/fix-agent.env: command substitution: line 4: syntax error near unexpected token `||'
/tmp/workspace/.env.d/fix-agent.env: command substitution: line 4: `|| true'

Despite these errors, the agent continued running for ~7 minutes (iteration 1) and ~3 minutes (iteration 2), but failed to produce output/fix-result.json in both iterations. The HUMAN_INSTRUCTION env var was likely empty or corrupted inside the sandbox, so the agent had no instructions to act on.

Impact

  • Any /fix instruction containing $(), backticks, ||, &&, unescaped quotes, or other shell metacharacters will trigger this failure
  • The agent silently runs without its instructions, wasting compute time (this run consumed ~12 minutes of sandbox time across 2 iterations)
  • This is a regression risk as fix instructions naturally reference code patterns that contain shell syntax

Reproduction

Trigger /fix on any PR with an instruction containing || true or $():

/fix Fix the blanket `|| true` pattern and replace `--search "$ISSUE_NUMBER in:body,title"` with a safer approach

Suggested fix

This is the same root cause as #408. The recommended fix from that issue:

  1. Preferred: Pass HUMAN_INSTRUCTION via a mounted file (similar to review-body.txt) using the host_files harness parameter, and set the env var to the file path rather than the content
  2. Alternative: Add a non-expanding env injection path in the fullsend binary for user-authored free text (e.g., expand: false or literal: true in the env config)
  3. Quick workaround: Escape the value before writing it to the env file (e.g., single-quote the assignment: export HUMAN_INSTRUCTION='...' with internal single quotes escaped)
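The quick workaround from item 3, as an added example that is not part of the original issue and is not fullsend code. The function names are hypothetical, the double-quoted form used for comparison is only an assumed shape of the failing env file, and the sample instruction is constructed from the fragments quoted above.

```shell
# Added example, not fullsend code. All function names are hypothetical.

# Emit `export NAME='value'`, rewriting each embedded ' as '\'' so the shell
# that sources the file sees one literal string and evaluates nothing in it.
quote_env_assignment() {
  name=$1 rest=$2 escaped=
  case $name in
    ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;   # refuse invalid variable names
  esac
  while :; do
    case $rest in
      *"'"*) escaped=$escaped${rest%%"'"*}"'\\''"; rest=${rest#*"'"} ;;
      *)     escaped=$escaped$rest; break ;;
    esac
  done
  printf "export %s='%s'\n" "$name" "$escaped"
}

# Assumed shape of the failing file: the value sits inside double quotes, so
# backticks, $() and $VAR are still expanded when the file is sourced.
unsafe_env_assignment() {
  printf 'export %s="%s"\n' "$1" "$2"
}

# Generate an env file with the given writer, source it in a child shell and
# print what HUMAN_INSTRUCTION holds afterwards.
roundtrip() {
  writer=$1 value=$2
  envfile=$(mktemp) || return 1
  "$writer" HUMAN_INSTRUCTION "$value" > "$envfile"
  # Sourcing errors are expected for the unsafe writer; keep going either way.
  out=$(sh -c '. "$1"; printf "%s" "$HUMAN_INSTRUCTION"' sh "$envfile" 2>/dev/null) || :
  rm -f "$envfile"
  printf '%s' "$out"
}

# Constructed sample built from the fragments quoted in the issue.
SAMPLE='Don'\''t keep the blanket `|| true`; replace `--search "$ISSUE_NUMBER in:body,title"`'

if [ "$(roundtrip quote_env_assignment "$SAMPLE")" = "$SAMPLE" ]; then
  echo "single-quoted assignment: instruction preserved"
fi
if [ "$(roundtrip unsafe_env_assignment "$SAMPLE")" != "$SAMPLE" ]; then
  echo "double-quoted assignment: instruction corrupted"
fi
```

A round-trip check like `roundtrip` can also run in the harness before the agent starts, so a corrupted or empty HUMAN_INSTRUCTION fails fast instead of consuming sandbox time.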
