fix(recipes): replace quoted heredocs with direct env-var assignment (skwaq#469)

[rysweet]

Problem

The recipe runner 0.3.4 does inline substitution inside quoted heredocs (<<'EOF'). If a template variable value (e.g. final_requirements from step-02c) contains the heredoc terminator string on its own line, the heredoc terminates early. When the remaining content after the early termination has an odd number of single quotes, bash raises:

/bin/bash: -c: line N: unexpected EOF while looking for matching \'

This is the exact failure in skwaq issue #469, which blocked every benchmark and PR workflow going through default-workflow/smart-orchestrator.

Root Cause Verified

recipe-runner-rs recipe.yaml \
  --set 'final_requirements=normal content
EOFREQS
it\'s content'
# → /bin/bash: -c: line 5: unexpected EOF while looking for matching `'

The bug chain:

1. 0.3.4 binary inlines {{final_requirements}} directly into quoted heredoc body
2. If value contains EOFREQS on its own line, heredoc terminates early
3. Remaining content after fake terminator is parsed as bash commands
4. If that content has an odd number of single quotes → syntax error

Fix

Replace quoted-heredoc captures with direct env-var assignment:

# Before (vulnerable):
ISSUE_REQS=$(cat <<'EOFREQS'
{{final_requirements}}
EOFREQS
)

# After (safe):
ISSUE_REQS={{final_requirements}}
# render_shell expands to: ISSUE_REQS="$RECIPE_VAR_final_requirements"

Security: bash does NOT re-execute $() or backtick substitutions when expanding a variable reference — so values containing $(evil) are safe.

Scope

Fixed in 4 steps:

• step-03-create-issue — {{task_description}}, {{final_requirements}}
• step-03b-extract-issue-number — {{issue_creation}}, {{task_description}}
• step-16-create-draft-pr — {{task_description}}, {{design_spec}}
• step-19d-verification-gate — {{philosophy_check}}, {{patterns_check}}

Validation

Tested with recipe-runner-rs 0.3.4: values containing heredoc terminators + single quotes now succeed with all content preserved.

[github-actions]

Repo Guardian - Passed

All files in this PR have been reviewed and no ephemeral content was found.

File	Status
amplifier-bundle/recipes/default-workflow.yaml	✅ Durable — project recipe/toolchain configuration

No violations detected.

Generated by Repo Guardian for issue #4245 · ◷

[github-actions]

PR Triage Report

Risk: Medium | Priority: High | Type: Bugfix / Shell injection prevention

Summary

Replaces quoted-heredoc captures with direct env-var assignment in 4 recipe steps (step-03, step-03b, step-16, step-19d) to fix heredoc terminator injection that caused unexpected EOF while looking for matching ' failures (skwaq#469).

Assessment

Dimension	Score	Notes
Risk	Medium	Changes 4 core workflow steps in default-workflow.yaml; no Python/test changes
Priority	High	Fixes blocking failure (#469) that affected all benchmark and PR workflows
Scope	Focused	1 file, 30 additions / 46 deletions — simplification
CI	✅ Green	Validate Code, plugin tests, skill/agent drift, Root Hygiene all pass
Tests	⚠️ None added	Validated manually with recipe-runner-rs 0.3.4; no regression tests included
Security	Related PRs: #4228, #4236	All three address the same heredoc quoting issue with different approaches

Key Finding: Overlapping PRs

Three open PRs address the same quoting issue with different strategies:

• fix: repair shell quoting in step-03 issue creation (#4221) #4228 — quoted heredocs (<<'EOFTASKDESC') approach
• fix(recipes): step-03 shell quoting + PR URL resolution (#4221, #4233) #4236 — step-03 quoting + PR URL resolution fix
• fix(recipes): replace quoted heredocs with direct env-var assignment (skwaq#469) #4245 (this PR) — direct env-var assignment (supersedes heredoc approach)

Recommendation: If this approach is preferred, #4228 and #4236 should be closed as superseded before merging. The direct env-var approach is technically superior (immune to terminator injection by design), but the lack of regression tests is a gap given the blocking nature of the original issue.

Action Required

• Confirm merge strategy for fix: repair shell quoting in step-03 issue creation (#4221) #4228 and fix(recipes): step-03 shell quoting + PR URL resolution (#4221, #4233) #4236 (close as superseded?)
• Consider adding regression test to tests/recipes/ to prevent recurrence
• Review and merge when ready

Generated by PR Triage Agent · ◷