Commit graph

9 commits

Author SHA1 Message Date
Tobin South
248331e0fe
Merge pull request #56 from dazzaji/fix/handoff-regex-truncation
Fix handoff_request extractor truncating nested payloads at the first `}`
2026-05-28 17:48:21 -07:00
Tobin South
efc8d4edf9
Merge pull request #41 from akhilesharora/fix/deploy-mktemp-template
Fix mktemp template so deploy-managed-agent.sh runs on Linux
2026-05-28 17:48:17 -07:00
Dazza Greenwood
88c8906831
Fix handoff_request extractor truncating nested payloads at the first }
`HANDOFF_RE` used a non-greedy `.*?\}`, so the match ended at the first
closing brace. Every real `handoff_request` nests objects (`payload`,
and `payload.params`), so the captured substring was truncated
mid-object and `json.loads` raised — `extract_handoff` rejected every
well-formed handoff as `invalid_json` before the target allowlist and
schema validators ever ran. In practice the cross-agent handoff path
did not function for any realistic payload.

Replace the full-match regex with a start anchor (`HANDOFF_START_RE`)
and extract the complete object with `json.JSONDecoder().raw_decode`,
which is string- and brace-nesting aware and returns exactly one
complete JSON value plus its end offset. Multi-line payloads now parse
as well. The audit log's `raw_len` field, previously `len(m.group(0))`,
is now derived from the decoded object's span (`end - m.start()`), and
its three later uses on the target/schema/params rejection paths are
updated to the new variable. Downstream validation — target allowlist,
payload and per-intent schemas, sanitize/frame — is unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-22 14:56:41 -07:00
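The truncation described in the commit message above, reproduced as an added example (not code from the commit or the repository). Both regex patterns, the sample's field layout and the names `extract_old` / `extract_new` are assumptions; the page gives only the `.*?\}` tail, the name `HANDOFF_START_RE` and the use of `raw_decode`.

```python
import json
import re

# Assumed patterns: the page quotes only the non-greedy `.*?\}` tail and the
# name HANDOFF_START_RE, not the project's actual expressions.
OLD_HANDOFF_RE = re.compile(r'\{\s*"handoff_request".*?\}')
HANDOFF_START_RE = re.compile(r'\{\s*"handoff_request"')
_DECODER = json.JSONDecoder()

# Constructed model output; field layout is illustrative, not the real schema.
SAMPLE = (
    'Routing this matter onward. '
    '{"handoff_request": {"target": "playbook_monitor", "payload": '
    '{"intent": "check_clause", "params": {"matter_id": "m-2026-001"}, '
    '"note": "a } inside a string"}}} Trailing prose.'
)


def extract_old(text):
    """Pre-fix behaviour: the match ends at the first `}`."""
    m = OLD_HANDOFF_RE.search(text)
    if m is None:
        return None, "no_handoff", 0
    raw = m.group(0)
    try:
        return json.loads(raw), None, len(raw)
    except json.JSONDecodeError:
        return None, "invalid_json", len(raw)


def extract_new(text):
    """Post-fix behaviour: anchor on the start, let the JSON decoder find the end."""
    m = HANDOFF_START_RE.search(text)
    if m is None:
        return None, "no_handoff", 0
    try:
        # raw_decode returns the value and the absolute index where it ended.
        obj, end = _DECODER.raw_decode(text, m.start())
    except json.JSONDecodeError:
        return None, "invalid_json", 0
    return obj, None, end - m.start()


if __name__ == "__main__":
    for fn in (extract_old, extract_new):
        obj, reason, raw_len = fn(SAMPLE)
        print(fn.__name__, reason or "ok", raw_len)
```

The old path returns `invalid_json` before any allowlist or schema check can run, while the decoder-based path yields the whole object and a `raw_len` that covers exactly its span, including the `}` inside the string value.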
Daniel Law
c705e020f3
Stamp metadata.anthropic_cookbook on managed-agent deploys
2026-05-20 23:34:07 +00:00
Akhilesh Arora
bf6aea18bb
Fix mktemp template so deploy-managed-agent.sh runs on Linux
GNU mktemp wants 3+ X's in a -t template. The bare `mktemp -t skillcache`
and `mktemp -t skill` calls worked on macOS but crash on Linux before
the script does anything. test-cookbooks.sh fails the same way for all
5 cookbooks because it calls deploy --dry-run.

Adding .XXXXXX is portable: GNU expands the X's, BSD treats them as
prefix. Confirmed on Ubuntu 24.04 / coreutils 9.4: test-cookbooks goes
0/5 -> 5/5.
2026-05-16 20:26:41 +02:00
Matt Piccolella
78abd16e99
Add CLA workflow, CONTRIBUTING note, and align copyright header format
2026-05-11 15:55:23 -07:00
Matt Piccolella
22649cf9aa
Add copyright and SPDX license headers to scripts
2026-05-11 14:02:12 -07:00
Matt Piccolella
f7ccda739f
Tighten handoff param patterns to block prompt injection via spaces
Param values for matter_id and clause are interpolated directly into the
steering-prompt templates. Their patterns previously permitted spaces, which
would let a hostile document smuggle a natural-language sentence into the
prompt through a field that looks like an ID. Restrict both to slug shape
(no spaces); descriptive context belongs in the note/event fields, which are
never interpolated and are wrapped in the data frame.

Also render templates via format_map with an empty-string default so an
optional param the template references (e.g. playbook_monitor's clause)
degrades gracefully instead of raising KeyError, and ignore __pycache__.
2026-05-11 13:50:41 -07:00
Matt Piccolella
d541734b08
Initial commit of Claude for Legal
2026-05-11 13:44:26 -07:00