coerce_shell_call splits string commands into character lists #3091

@Aphroq

Please read this first

  • Have you read the docs? Agents SDK docs
  • Have you searched for related issues? Others may have faced similar issues.

Describe the bug

coerce_shell_call() in src/agents/run_internal/tool_execution.py treats a string-valued action.commands payload as a generic Sequence, so a single command like "echo hi" is normalized into a character list instead of being rejected.

Current code:

commands_value = get_mapping_or_attr(action_payload, "commands")
if not isinstance(commands_value, Sequence):
    raise ModelBehaviorError("Shell call action is missing commands.")
commands: list[str] = []
for entry in commands_value:
    if entry is None:
        continue
    commands.append(str(entry))

Because str is a Sequence, this produces:

["e", "c", "h", "o", " ", "h", "i"]

instead of a valid list[str] command payload.

This corrupts shell execution semantics and also pollutes approval / audit behavior, because the runtime ends up reasoning about individual characters as separate commands.

Debug information

  • Agents SDK version: main at f2fb9ffb / latest release boundary v0.15.1
  • Python version: Python 3.12

Repro steps

Minimal reproducer:

from agents.run_internal.tool_execution import coerce_shell_call

payload = {
    "call_id": "shell-1",
    "action": {
        "commands": "echo hi",
    },
}

result = coerce_shell_call(payload)
print(result.action.commands)

Current output:

['e', 'c', 'h', 'o', ' ', 'h', 'i']

Expected behavior

action.commands should be validated as a real command list, not any arbitrary Sequence.

At minimum, string-like values such as str, bytes, and bytearray should be rejected with a clear ModelBehaviorError, so malformed shell payloads fail loudly instead of being normalized into character-by-character commands.
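
Added example, not part of the original issue and not the SDK's code: the normalization quoted above next to a stricter variant that rejects string-like values, as the expected behavior describes. `ModelBehaviorError` is a local stand-in for the SDK exception, and the function names and sample values are assumptions made for illustration.

```python
from collections.abc import Sequence
from typing import Any


class ModelBehaviorError(Exception):
    """Local stand-in for the SDK exception of the same name (assumption)."""


def normalize_commands_current(commands_value: Any) -> list[str]:
    """Mirrors the check quoted in the issue: any Sequence is accepted."""
    if not isinstance(commands_value, Sequence):
        raise ModelBehaviorError("Shell call action is missing commands.")
    return [str(entry) for entry in commands_value if entry is not None]


def normalize_commands_strict(commands_value: Any) -> list[str]:
    """Hypothetical stricter variant: string-like values are not command lists."""
    # str, bytes and bytearray are all Sequences, so they must be excluded
    # explicitly before the generic Sequence check.
    if isinstance(commands_value, (str, bytes, bytearray)):
        raise ModelBehaviorError(
            "Shell call commands must be a list of strings, got "
            f"{type(commands_value).__name__}."
        )
    if not isinstance(commands_value, Sequence):
        raise ModelBehaviorError("Shell call action is missing commands.")
    return [str(entry) for entry in commands_value if entry is not None]


def check(fn, value):
    """Return the normalized list, or the error text if the value is rejected."""
    try:
        return fn(value)
    except ModelBehaviorError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed sample values, not taken from real model output.
    samples = ("echo hi", b"echo hi", bytearray(b"ls"), ["echo hi", None, "ls"], None)
    for sample in samples:
        print(repr(sample))
        print("  current:", check(normalize_commands_current, sample))
        print("  strict: ", check(normalize_commands_strict, sample))
```

With the current check a `bytes` value is split as well, into the decimal string of each byte, so the approval and audit path would see entries such as `'101'` as commands.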
