From de4ccfa0bd257b4751e7fa76ebca8942cc92e1d8 Mon Sep 17 00:00:00 2001 From: fullsend-code <278716306+fullsend-ai-coder[bot]@users.noreply.github.com> Date: Fri, 10 Jul 2026 13:12:24 +0000 Subject: [PATCH] docs(#253): add shell-safety heuristics to review correctness Add echo-flag-injection and unquoted-heredoc-expansion heuristics to the correctness sub-agent and the code-review skill. Both rules are scoped to harness scripts (post-code.sh, post-fix.sh, post-review.sh) where user- or agent-controlled content flows through shell commands. Echo flag injection: echo "${VAR}" interprets leading dashes as flags, silently corrupting output. Recommends printf. Unquoted heredoc: <