From e74ccfc6fa2715aebc5aa9e99d4dd1afcf6c91e3 Mon Sep 17 00:00:00 2001
From: "serhii.sakal" <serhii.sakal@gmail.com>
Date: Thu, 23 Apr 2026 10:30:16 -0400
Subject: [PATCH] fix: prevent heredoc injection and shell expansion in ralph
 loop setup

The prompt text was inserted into an unquoted heredoc (<<EOF), which
caused two issues:
1. If the prompt contained 'EOF' on its own line, the heredoc would
   terminate early, producing a truncated state file.
2. Shell variables ($VAR) and command substitutions ($(cmd)) in the
   prompt would be expanded rather than written literally.

Write the file in two steps: a heredoc for the frontmatter (where
variable expansion is intentional) and printf for the prompt (where
the text should be written verbatim).

Fixes #52408

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 plugins/ralph-wiggum/scripts/setup-ralph-loop.sh | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/plugins/ralph-wiggum/scripts/setup-ralph-loop.sh b/plugins/ralph-wiggum/scripts/setup-ralph-loop.sh
index ac5491f4b8..e3f6d469e0 100755
--- a/plugins/ralph-wiggum/scripts/setup-ralph-loop.sh
+++ b/plugins/ralph-wiggum/scripts/setup-ralph-loop.sh
@@ -137,17 +137,22 @@ else
   COMPLETION_PROMISE_YAML="null"
 fi
 
-cat > .claude/ralph-loop.local.md <<EOF
+# Write state file in two steps to avoid shell expansion of prompt text
+# and heredoc termination if prompt contains 'EOF' on its own line
+STARTED_AT=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+{
+  cat <<FRONTMATTER_EOF
 ---
 active: true
 iteration: 1
 max_iterations: $MAX_ITERATIONS
 completion_promise: $COMPLETION_PROMISE_YAML
-started_at: "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+started_at: "$STARTED_AT"
 ---
 
-$PROMPT
-EOF
+FRONTMATTER_EOF
+  printf '%s\n' "$PROMPT"
+} > .claude/ralph-loop.local.md
 
 # Output setup message
 cat <<EOF