`HANDOFF_RE` used a non-greedy `.*?\}`, so the match ended at the first
closing brace. Every real `handoff_request` nests objects (`payload`,
and `payload.params`), so the captured substring was truncated
mid-object and `json.loads` raised — `extract_handoff` rejected every
well-formed handoff as `invalid_json` before the target allowlist and
schema validators ever ran. In practice the cross-agent handoff path
did not function for any realistic payload.
Replace the full-match regex with a start anchor (`HANDOFF_START_RE`)
and extract the complete object with `json.JSONDecoder().raw_decode`,
which is string- and brace-nesting aware and returns exactly one
complete JSON value plus its end offset. Multi-line payloads now parse
as well. The audit log's `raw_len` field, previously `len(m.group(0))`,
is now derived from the decoded object's span (`end - m.start()`), and
its three later uses on the target/schema/params rejection paths are
updated to the new variable. Downstream validation — target allowlist,
payload and per-intent schemas, sanitize/frame — is unchanged.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Param values for matter_id and clause are interpolated directly into the
steering-prompt templates. Their patterns previously permitted spaces, which
would let a hostile document smuggle a natural-language sentence into the
prompt through a field that looks like an ID. Restrict both to slug shape
(no spaces); descriptive context belongs in the note/event fields, which are
never interpolated and are wrapped in the data frame.
Also render templates via format_map with an empty-string default so an
optional param the template references (e.g. playbook_monitor's clause)
degrades gracefully instead of raising KeyError, and ignore __pycache__.
