claude-flow-novice 2.15.2 → 2.15.4

package/claude-assets/skills/cfn-loop-orchestration/helpers/parse-test-results.sh

@@ -0,0 +1,277 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+parse_jest_output() {
+    local output="$1"
+    local total=0 passed=0 failed=0 skipped=0 duration=0
+    local failed_names=()
+
+    local tests_line=$(echo "$output" | grep "^Tests:" || echo "")
+    
+    if [ -n "$tests_line" ]; then
+        [[ "$tests_line" =~ ([0-9]+)[[:space:]]*passed ]] && passed="${BASH_REMATCH[1]}"
+        [[ "$tests_line" =~ ([0-9]+)[[:space:]]*failed ]] && failed="${BASH_REMATCH[1]}"
+        [[ "$tests_line" =~ ([0-9]+)[[:space:]]*skipped ]] && skipped="${BASH_REMATCH[1]}"
+        [[ "$tests_line" =~ ([0-9]+)[[:space:]]*total ]] && total="${BASH_REMATCH[1]}"
+    fi
+
+    # OPTIMIZATION: Replace bc with BASH arithmetic (75-150ms savings)
+    if [[ "$output" =~ Time:[[:space:]]*([0-9.]+)[[:space:]]*s ]]; then
+        duration=$(awk "BEGIN {printf \"%.0f\", ${BASH_REMATCH[1]} * 1000}")
+    fi
+
+    while IFS= read -r line; do
+        [[ "$line" =~ ●[[:space:]]*(.*) ]] && failed_names+=("${BASH_REMATCH[1]}")
+    done <<< "$output"
+
+    # OPTIMIZATION: Replace bc with awk
+    local pass_rate="0.0000"
+    if [ "$total" -gt 0 ]; then
+        pass_rate=$(awk "BEGIN {printf \"%.4f\", $passed / $total}")
+    fi
+
+    # OPTIMIZATION: Single jq call
+    local failed_names_json="[]"
+    [ ${#failed_names[@]} -gt 0 ] && failed_names_json=$(printf '%s\n' "${failed_names[@]}" | jq -Rs 'split("\n") | map(select(length > 0))')
+
+    cat <<EOF
+{"framework":"jest","total_tests":$total,"passed_tests":$passed,"failed_tests":$failed,"skipped_tests":$skipped,"pass_rate":$pass_rate,"duration_ms":$duration,"failed_test_names":$failed_names_json}
+EOF
+}
+
+parse_mocha_output() {
+    local output="$1"
+    local total=0 passed=0 failed=0 skipped=0 duration=0
+    local failed_names=()
+
+    [[ "$output" =~ ([0-9]+)[[:space:]]*passing ]] && passed="${BASH_REMATCH[1]}"
+    [[ "$output" =~ ([0-9]+)[[:space:]]*failing ]] && failed="${BASH_REMATCH[1]}"
+    [[ "$output" =~ ([0-9]+)[[:space:]]*pending ]] && skipped="${BASH_REMATCH[1]}"
+    total=$((passed + failed + skipped))
+
+    # OPTIMIZATION: Replace bc with awk
+    if [[ "$output" =~ passing[[:space:]]*\(([0-9]+)ms\) ]]; then
+        duration="${BASH_REMATCH[1]}"
+    elif [[ "$output" =~ passing[[:space:]]*\(([0-9.]+)s\) ]]; then
+        duration=$(awk "BEGIN {printf \"%.0f\", ${BASH_REMATCH[1]} * 1000}")
+    fi
+
+    while IFS= read -r line; do
+        [[ "$line" =~ ^[[:space:]]*[0-9]+\)[[:space:]]*(.*): ]] && failed_names+=("${BASH_REMATCH[1]}")
+    done <<< "$output"
+
+    # OPTIMIZATION: Replace bc with awk
+    local pass_rate="0.0000"
+    if [ "$total" -gt 0 ]; then
+        pass_rate=$(awk "BEGIN {printf \"%.4f\", $passed / $total}")
+    fi
+
+    # OPTIMIZATION: Single jq call
+    local failed_names_json="[]"
+    [ ${#failed_names[@]} -gt 0 ] && failed_names_json=$(printf '%s\n' "${failed_names[@]}" | jq -Rs 'split("\n") | map(select(length > 0))')
+
+    cat <<EOF
+{"framework":"mocha","total_tests":$total,"passed_tests":$passed,"failed_tests":$failed,"skipped_tests":$skipped,"pass_rate":$pass_rate,"duration_ms":$duration,"failed_test_names":$failed_names_json}
+EOF
+}
+
+parse_pytest_output() {
+    local output="$1"
+    local total=0 passed=0 failed=0 skipped=0 duration=0
+    local failed_names=()
+
+    [[ "$output" =~ ([0-9]+)[[:space:]]*passed ]] && passed="${BASH_REMATCH[1]}"
+    [[ "$output" =~ ([0-9]+)[[:space:]]*failed ]] && failed="${BASH_REMATCH[1]}"
+    [[ "$output" =~ ([0-9]+)[[:space:]]*skipped ]] && skipped="${BASH_REMATCH[1]}"
+    total=$((passed + failed + skipped))
+
+    # OPTIMIZATION: Replace bc with awk
+    [[ "$output" =~ in[[:space:]]+([0-9.]+)s ]] && duration=$(awk "BEGIN {printf \"%.0f\", ${BASH_REMATCH[1]} * 1000}")
+
+    while IFS= read -r line; do
+        [[ "$line" =~ FAILED[[:space:]]+([^[:space:]]+) ]] && failed_names+=("${BASH_REMATCH[1]}")
+    done <<< "$output"
+
+    # OPTIMIZATION: Replace bc with awk
+    local pass_rate="0.0000"
+    if [ "$total" -gt 0 ]; then
+        pass_rate=$(awk "BEGIN {printf \"%.4f\", $passed / $total}")
+    fi
+
+    # OPTIMIZATION: Single jq call
+    local failed_names_json="[]"
+    [ ${#failed_names[@]} -gt 0 ] && failed_names_json=$(printf '%s\n' "${failed_names[@]}" | jq -Rs 'split("\n") | map(select(length > 0))')
+
+    cat <<EOF
+{"framework":"pytest","total_tests":$total,"passed_tests":$passed,"failed_tests":$failed,"skipped_tests":$skipped,"pass_rate":$pass_rate,"duration_ms":$duration,"failed_test_names":$failed_names_json}
+EOF
+}
+
+parse_tap_output() {
+    local output="$1"
+    local total=0 passed=0 failed=0 skipped=0
+    local failed_names=()
+
+    [[ "$output" =~ 1\.\.([0-9]+) ]] && total="${BASH_REMATCH[1]}"
+    passed=$(echo "$output" | grep -c "^ok " || true)
+    failed=$(echo "$output" | grep -c "^not ok " || true)
+    skipped=$(echo "$output" | grep -c "^ok .* # SKIP" || true)
+    passed=$((passed - skipped))
+
+    while IFS= read -r line; do
+        [[ "$line" =~ ^not\ ok\ [0-9]+\ (.*) ]] && failed_names+=("${BASH_REMATCH[1]}")
+    done <<< "$output"
+
+    # OPTIMIZATION: Replace bc with awk
+    local pass_rate="0.0000"
+    if [ "$total" -gt 0 ]; then
+        pass_rate=$(awk "BEGIN {printf \"%.4f\", $passed / $total}")
+    fi
+
+    # OPTIMIZATION: Single jq call
+    local failed_names_json="[]"
+    [ ${#failed_names[@]} -gt 0 ] && failed_names_json=$(printf '%s\n' "${failed_names[@]}" | jq -Rs 'split("\n") | map(select(length > 0))')
+
+    cat <<EOF
+{"framework":"tap","total_tests":$total,"passed_tests":$passed,"failed_tests":$failed,"skipped_tests":$skipped,"pass_rate":$pass_rate,"duration_ms":0,"failed_test_names":$failed_names_json}
+EOF
+}
+
+parse_junit_xml() {
+    local xml_file="$1"
+    [ ! -f "$xml_file" ] && echo '{"error":"File not found"}' && return 1
+
+    local total=0 failures=0 errors=0 skipped=0 duration=0
+
+    if command -v xmllint &>/dev/null; then
+        total=$(xmllint --xpath "sum(//testsuite/@tests)" "$xml_file" 2>/dev/null || echo "0")
+        failures=$(xmllint --xpath "sum(//testsuite/@failures)" "$xml_file" 2>/dev/null || echo "0")
+        errors=$(xmllint --xpath "sum(//testsuite/@errors)" "$xml_file" 2>/dev/null || echo "0")
+        skipped=$(xmllint --xpath "sum(//testsuite/@skipped)" "$xml_file" 2>/dev/null || echo "0")
+        duration=$(xmllint --xpath "sum(//testsuite/@time)" "$xml_file" 2>/dev/null || echo "0")
+    else
+        total=$(grep -oP 'tests="\K[0-9]+' "$xml_file" | awk '{s+=$1} END {print s}')
+        failures=$(grep -oP 'failures="\K[0-9]+' "$xml_file" | awk '{s+=$1} END {print s}')
+        errors=$(grep -oP 'errors="\K[0-9]+' "$xml_file" | awk '{s+=$1} END {print s}')
+        skipped=$(grep -oP 'skipped="\K[0-9]+' "$xml_file" | awk '{s+=$1} END {print s}')
+        duration=$(grep -oP 'time="\K[0-9.]+' "$xml_file" | awk '{s+=$1} END {print s}')
+    fi
+
+    total=${total:-0} failures=${failures:-0} errors=${errors:-0} skipped=${skipped:-0} duration=${duration:-0}
+    local failed=$((failures + errors))
+    local passed=$((total - failed - skipped))
+
+    # OPTIMIZATION: Replace bc with awk
+    local duration_ms=$(awk "BEGIN {printf \"%.0f\", $duration * 1000}")
+
+    local pass_rate="0.0000"
+    if [ "$total" -gt 0 ]; then
+        pass_rate=$(awk "BEGIN {printf \"%.4f\", $passed / $total}")
+    fi
+
+    cat <<EOF
+{"framework":"junit","total_tests":$total,"passed_tests":$passed,"failed_tests":$failed,"skipped_tests":$skipped,"pass_rate":$pass_rate,"duration_ms":$duration_ms,"failed_test_names":[]}
+EOF
+}
+
+parse_go_test_output() {
+    local output="$1"
+    local total=0 passed=0 failed=0 skipped=0 duration=0
+    local failed_names=()
+
+    passed=$(echo "$output" | grep -c "^--- PASS:" || true)
+    failed=$(echo "$output" | grep -c "^--- FAIL:" || true)
+    skipped=$(echo "$output" | grep -c "^--- SKIP:" || true)
+    total=$((passed + failed + skipped))
+
+    while IFS= read -r line; do
+        [[ "$line" =~ ^---\ FAIL:\ (.*) ]] && failed_names+=("${BASH_REMATCH[1]}")
+    done <<< "$output"
+
+    # OPTIMIZATION: Replace bc with awk
+    [[ "$output" =~ ok[[:space:]]+[^[:space:]]+[[:space:]]+([0-9.]+)s ]] && duration=$(awk "BEGIN {printf \"%.0f\", ${BASH_REMATCH[1]} * 1000}")
+
+    local pass_rate="0.0000"
+    if [ "$total" -gt 0 ]; then
+        pass_rate=$(awk "BEGIN {printf \"%.4f\", $passed / $total}")
+    fi
+
+    # OPTIMIZATION: Single jq call
+    local failed_names_json="[]"
+    [ ${#failed_names[@]} -gt 0 ] && failed_names_json=$(printf '%s\n' "${failed_names[@]}" | jq -Rs 'split("\n") | map(select(length > 0))')
+
+    cat <<EOF
+{"framework":"go","total_tests":$total,"passed_tests":$passed,"failed_tests":$failed,"skipped_tests":$skipped,"pass_rate":$pass_rate,"duration_ms":$duration,"failed_test_names":$failed_names_json}
+EOF
+}
+
+auto_detect_framework() {
+    local input="$1"
+
+    if [ -f "$input" ]; then
+        if grep -q "<testsuite" "$input" 2>/dev/null; then
+            echo "junit"
+            return 0
+        fi
+        input=$(cat "$input")
+    fi
+
+    if [[ "$input" =~ Test\ Suites: ]] || [[ "$input" =~ PASS[[:space:]]+.*\.test\.(js|ts) ]]; then
+        echo "jest"
+        return 0
+    fi
+
+    if [[ "$input" =~ [0-9]+\ passing ]] && [[ "$input" =~ [0-9]+\ failing ]]; then
+        echo "mocha"
+        return 0
+    fi
+
+    if [[ "$input" =~ ====.*passed.*==== ]] || [[ "$input" =~ FAILED.*\.py:: ]]; then
+        echo "pytest"
+        return 0
+    fi
+
+    if [[ "$input" =~ 1\.\.[0-9]+ ]] || [[ "$input" =~ ok\ [0-9]+ ]] || [[ "$input" =~ not\ ok\ [0-9]+ ]]; then
+        echo "tap"
+        return 0
+    fi
+
+    if [[ "$input" =~ ---\ PASS: ]] || [[ "$input" =~ ---\ FAIL: ]]; then
+        echo "go"
+        return 0
+    fi
+
+    echo "unknown"
+    return 1
+}
+
+parse_test_results() {
+    local framework="$1"
+    local input="$2"
+
+    if [ "$framework" = "auto" ]; then
+        framework=$(auto_detect_framework "$input")
+        if [ "$framework" = "unknown" ]; then
+            echo '{"error":"Unable to auto-detect testing framework"}'
+            return 1
+        fi
+    fi
+
+    local output="$input"
+    [ -f "$input" ] && output=$(cat "$input")
+
+    case "$framework" in
+        jest) parse_jest_output "$output" ;;
+        mocha) parse_mocha_output "$output" ;;
+        pytest) parse_pytest_output "$output" ;;
+        tap) parse_tap_output "$output" ;;
+        junit) parse_junit_xml "$input" ;;
+        go) parse_go_test_output "$output" ;;
+        *) echo '{"error":"Unknown framework"}' && return 1 ;;
+    esac
+}
+
+if [ "${BASH_SOURCE[0]}" = "${0}" ]; then
+    [ $# -lt 2 ] && echo "Usage: $0 <framework|auto> <output_file_or_string>" && exit 1
+    parse_test_results "$1" "$2"
+fi

package/claude-assets/skills/cfn-loop-orchestration/orchestrate.sh

@@ -64,6 +64,16 @@ source "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/security_utils.sh"
 HELPERS_DIR="$SCRIPT_DIR/helpers"
 REDIS_COORD_SKILL="$PROJECT_ROOT/.claude/skills/cfn-redis-coordination"
 
+# Validate Redis connectivity
+REDIS_PORT="${CFN_REDIS_PORT:-6379}"
+REDIS_HOST="${CFN_REDIS_HOST:-localhost}"
+if command -v redis-cli &>/dev/null; then
+  if ! redis-cli -h "${REDIS_HOST}" -p "${REDIS_PORT}" ping &>/dev/null; then
+    echo "⚠️  Warning: Redis not reachable at ${REDIS_HOST}:${REDIS_PORT}" >&2
+    echo "   Redis coordination features may not function correctly" >&2
+  fi
+fi
+
 # Configuration
 TASK_ID=""
 MODE="standard"
@@ -71,6 +81,7 @@ LOOP3_AGENTS=""
 LOOP2_AGENTS=""
 PRODUCT_OWNER=""
 MAX_ITERATIONS=10
+MAX_ALLOWED_ITERATIONS=100  # Security: Prevent resource exhaustion via unbounded iterations
 MIN_QUORUM_LOOP3="0.66"
 MIN_QUORUM_LOOP2="0.66"
 EPIC_CONTEXT=""
@@ -82,8 +93,8 @@ PHASE_ID=""
 # Mode-specific thresholds
 declare -A GATE_THRESHOLD=(
   [mvp]=0.70
-  [standard]=0.75
-  [enterprise]=0.75
+  [standard]=0.95
+  [enterprise]=0.98
 )
 
 declare -A CONSENSUS_THRESHOLD=(
@@ -162,9 +173,20 @@ while [[ $# -gt 0 ]]; do
         echo "Max iterations must be a positive integer"
         exit 1
       fi
+      # SECURITY FIX: Enforce upper bound to prevent resource exhaustion
+      if [[ "$2" -gt "$MAX_ALLOWED_ITERATIONS" ]]; then
+        echo "❌ MAX_ITERATIONS=$2 exceeds limit of $MAX_ALLOWED_ITERATIONS" >&2
+        echo "   (Use --max-iterations <N> where N <= $MAX_ALLOWED_ITERATIONS)" >&2
+        exit 1
+      fi
+      if [[ "$2" -lt 1 ]]; then
+        echo "❌ MAX_ITERATIONS must be at least 1" >&2
+        exit 1
+      fi
       MAX_ITERATIONS="$2"
       shift 2
       ;;
+
     --min-quorum-loop3)
       if [[ $# -lt 2 ]]; then
         echo "Error: --min-quorum-loop3 requires a value"
@@ -292,11 +314,11 @@ case "$MODE" in
     CONSENSUS=${CONSENSUS_THRESHOLD[mvp]:-0.80}
     ;;
   standard)
-    GATE=${GATE_THRESHOLD[standard]:-0.75}
+    GATE=${GATE_THRESHOLD[standard]:-0.95}
     CONSENSUS=${CONSENSUS_THRESHOLD[standard]:-0.90}
     ;;
   enterprise)
-    GATE=${GATE_THRESHOLD[enterprise]:-0.85}
+    GATE=${GATE_THRESHOLD[enterprise]:-0.98}
     CONSENSUS=${CONSENSUS_THRESHOLD[enterprise]:-0.95}
     ;;
   *)
@@ -420,6 +442,41 @@ build_agent_context() {
 
     context="$context | Iteration: $iteration"
 
+    # Check if jq is available before attempting JSON parsing
+    if ! command -v jq &>/dev/null; then
+        echo "⚠️  Warning: jq not installed. Test context injection will be skipped" >&2
+        echo "$context"
+        return
+    fi
+
+    # Inject test failure diagnostics from previous iteration
+    if [ "$iteration" -gt 1 ]; then
+        local iteration_context_file="/tmp/cfn-iteration-context-${task_id}.json"
+
+        if [ -f "$iteration_context_file" ]; then
+            # Extract failed test summary from iteration context
+            local failed_summary=""
+            failed_summary=$(jq -r '
+                if (.pass_rate? != null)
+                   and .failed_tests
+                   and (.failed_tests | length > 0)
+                then
+                    "Previous Test Results: Pass Rate " +
+                     ((.pass_rate * 100) | floor | tostring) +
+                     "% | Failed Tests: " +
+                     ([.failed_tests[].failed_test_names[]? // empty] | join(", "))
+                else
+                    empty
+                end
+            ' "$iteration_context_file" 2>/dev/null || echo "")
+
+            if [ -n "$failed_summary" ]; then
+                context="$context | $failed_summary"
+                echo "📊 Injected test diagnostics from previous iteration" >&2
+            fi
+        fi
+    fi
+
     if [[ -n "$feedback" ]]; then
         context="$context | Feedback: $feedback"
     fi
@@ -448,6 +505,32 @@ function spawn_loop3_agents() {
 
   echo "[Loop 3] Spawning implementer agents (iteration $iteration)..."
 
+  # Load success criteria from Redis (if available)
+  export AGENT_SUCCESS_CRITERIA=""
+  if [[ -n "$task_id" ]] && [[ -x "$SCRIPT_DIR/../cfn-redis-coordination/get-success-criteria.sh" ]]; then
+    SUCCESS_CRITERIA=$("$SCRIPT_DIR/../cfn-redis-coordination/get-success-criteria.sh" --task-id "$task_id" 2>/dev/null || echo "")
+
+    if [[ -n "$SUCCESS_CRITERIA" ]]; then
+      # SECURITY FIX: Validate JSON size before parsing (prevent DoS)
+      CRITERIA_SIZE=$(echo -n "$SUCCESS_CRITERIA" | wc -c)
+      MAX_SIZE=10485760  # 10MB
+
+      if [[ "$CRITERIA_SIZE" -gt "$MAX_SIZE" ]]; then
+        echo "  ❌ Success criteria exceeds maximum size (10MB): ${CRITERIA_SIZE} bytes" >&2
+        exit 1
+      fi
+
+      # Validate JSON before exporting
+      if echo "$SUCCESS_CRITERIA" | jq empty 2>/dev/null; then
+        export AGENT_SUCCESS_CRITERIA="$SUCCESS_CRITERIA"
+        TEST_SUITE_COUNT=$(echo "$SUCCESS_CRITERIA" | jq -r '.test_suites | length' 2>/dev/null || echo "0")
+        echo "  ✅ Success criteria loaded ($TEST_SUITE_COUNT test suites)" >&2
+      else
+        echo "  ⚠️  Invalid success criteria JSON - skipping" >&2
+      fi
+    fi
+  fi
+
   # Convert comma-separated agents to array
   IFS=',' read -ra AGENT_ARRAY <<< "$agents"
 
@@ -476,21 +559,62 @@ function spawn_loop3_agents() {
         # Docker-based spawning (prevents WebAssembly OOM)
         echo "  → Docker mode: spawning via container" >&2
 
-        docker run --detach \
-          --name "agent-${safe_agent_id}" \
-          --memory "${CFN_MEMORY_LIMIT:-2g}" \
-          --cpus 1.5 \
-          --network "${CFN_DOCKER_NETWORK:-mcp-network}" \
-          --env REDIS_URL=redis://redis:6379 \
-          --env AGENT_ID="${safe_agent_id}" \
-          --env AGENT_TYPE="${safe_agent_type}" \
-          --env TASK_ID="${safe_task_id}" \
-          --env ITERATION="${iteration}" \
-          --volume "${PROJECT_ROOT}/.claude:/app/.claude:ro" \
-          --volume "${PROJECT_ROOT}/packages:/app/packages" \
-          --volume "/tmp/agent-workspace-${safe_agent_id}:/app/workspace" \
-          "${CFN_DOCKER_IMAGE:-claude-flow-novice:agent}" \
-          sh -c "npx claude-flow-novice agent \"${safe_agent_type}\" --task-id \"${safe_task_id}\" --agent-id \"${safe_agent_id}\" --iteration \"${iteration}\"" >/dev/null 2>&1 &
+        # SECURITY FIX: Sanitize Docker environment variables to prevent command injection
+        CFN_DOCKER_IMAGE_SAFE=$(sanitize_docker_var "${CFN_DOCKER_IMAGE:-claude-flow-novice:agent}") || {
+          echo "❌ Invalid CFN_DOCKER_IMAGE" >&2
+          exit 1
+        }
+        CFN_DOCKER_NETWORK_SAFE=$(sanitize_docker_var "${CFN_DOCKER_NETWORK:-mcp-network}") || {
+          echo "❌ Invalid CFN_DOCKER_NETWORK" >&2
+          exit 1
+        }
+        CFN_MEMORY_LIMIT_SAFE=$(sanitize_docker_var "${CFN_MEMORY_LIMIT:-2g}") || {
+          echo "❌ Invalid CFN_MEMORY_LIMIT" >&2
+          exit 1
+        }
+
+        # Build Docker command as array (prevents injection, no eval needed)
+        DOCKER_CMD=(
+          docker run --detach
+          --name "agent-${safe_agent_id}"
+          --memory "$CFN_MEMORY_LIMIT_SAFE"
+          --cpus 1.5
+          --network "$CFN_DOCKER_NETWORK_SAFE"
+          --env REDIS_URL=redis://redis:6379
+          --env "AGENT_ID=${safe_agent_id}"
+          --env "AGENT_TYPE=${safe_agent_type}"
+          --env "TASK_ID=${safe_task_id}"
+          --env "ITERATION=${iteration}"
+        )
+
+        # SECURITY FIX: Base64-encode success criteria to prevent shell injection
+        if [[ -n "${AGENT_SUCCESS_CRITERIA:-}" ]]; then
+          ENCODED_CRITERIA=$(echo -n "$AGENT_SUCCESS_CRITERIA" | base64 -w 0)
+
+          # SECURITY FIX: Validate size AFTER encoding to prevent expansion bypass (10MB → 13.9MB)
+          ENCODED_SIZE=$(echo -n "$ENCODED_CRITERIA" | wc -c)
+          MAX_ENCODED_SIZE=10485760  # 10MB
+
+          if [[ "$ENCODED_SIZE" -gt "$MAX_ENCODED_SIZE" ]]; then
+            echo "❌ Encoded success criteria exceeds 10MB limit: ${ENCODED_SIZE} bytes" >&2
+            echo "   (Original: $(echo -n "$AGENT_SUCCESS_CRITERIA" | wc -c) bytes, Expanded: +33% via base64)" >&2
+            exit 1
+          fi
+
+          DOCKER_CMD+=(--env "AGENT_SUCCESS_CRITERIA_B64=${ENCODED_CRITERIA}")
+        fi
+
+        # Add volumes and image
+        DOCKER_CMD+=(
+          --volume "${PROJECT_ROOT}/.claude:/app/.claude:ro"
+          --volume "${PROJECT_ROOT}/packages:/app/packages"
+          --volume "/tmp/agent-workspace-${safe_agent_id}:/app/workspace"
+          "$CFN_DOCKER_IMAGE_SAFE"
+          sh -c "npx claude-flow-novice agent \"${safe_agent_type}\" --task-id \"${safe_task_id}\" --agent-id \"${safe_agent_id}\" --iteration \"${iteration}\""
+        )
+
+        # Execute safely without eval (prevents command injection)
+        "${DOCKER_CMD[@]}" >/dev/null 2>&1 &
 
         AGENT_PID=$!
     else
@@ -534,8 +658,13 @@ function spawn_loop3_agents() {
         echo "🔍 Started monitoring for $UNIQUE_AGENT_ID (Agent PID: $AGENT_PID, Monitor PID: $MONITOR_PID)" >&2
     fi
 
-    # Store agent ID mapping for later retrieval using Redis SADD for set storage
-    redis-cli -h "${REDIS_HOST:-localhost}" -p "${REDIS_PORT:-6379}" SADD "swarm:${task_id}:loop3:agent_ids:iteration${iteration}" "$UNIQUE_AGENT_ID" >/dev/null
+    # SECURITY FIX: Atomic SADD + EXPIRE using Lua script (prevent race condition)
+    redis-cli -h "${REDIS_HOST:-localhost}" -p "${REDIS_PORT:-6379}" --eval - \
+      "swarm:${task_id}:loop3:agent_ids:iteration${iteration}" "$UNIQUE_AGENT_ID" <<'LUA' >/dev/null
+redis.call('SADD', KEYS[1], ARGV[1])
+redis.call('EXPIRE', KEYS[1], 86400)
+return redis.call('SCARD', KEYS[1])
+LUA
   done
 
   echo "[Loop 3] All agents spawned"
@@ -747,6 +876,32 @@ function spawn_loop2_agents() {
 
   echo "[Loop 2] Spawning validator agents (iteration $iteration)..."
 
+  # Load success criteria from Redis (if available)
+  export AGENT_SUCCESS_CRITERIA=""
+  if [[ -n "$task_id" ]] && [[ -x "$SCRIPT_DIR/../cfn-redis-coordination/get-success-criteria.sh" ]]; then
+    SUCCESS_CRITERIA=$("$SCRIPT_DIR/../cfn-redis-coordination/get-success-criteria.sh" --task-id "$task_id" 2>/dev/null || echo "")
+
+    if [[ -n "$SUCCESS_CRITERIA" ]]; then
+      # SECURITY FIX: Validate JSON size before parsing (prevent DoS)
+      CRITERIA_SIZE=$(echo -n "$SUCCESS_CRITERIA" | wc -c)
+      MAX_SIZE=10485760  # 10MB
+
+      if [[ "$CRITERIA_SIZE" -gt "$MAX_SIZE" ]]; then
+        echo "  ❌ Success criteria exceeds maximum size (10MB): ${CRITERIA_SIZE} bytes" >&2
+        exit 1
+      fi
+
+      # Validate JSON before exporting
+      if echo "$SUCCESS_CRITERIA" | jq empty 2>/dev/null; then
+        export AGENT_SUCCESS_CRITERIA="$SUCCESS_CRITERIA"
+        TEST_SUITE_COUNT=$(echo "$SUCCESS_CRITERIA" | jq -r '.test_suites | length' 2>/dev/null || echo "0")
+        echo "  ✅ Success criteria loaded ($TEST_SUITE_COUNT test suites)" >&2
+      else
+        echo "  ⚠️  Invalid success criteria JSON - skipping" >&2
+      fi
+    fi
+  fi
+
   # Convert comma-separated agents to array
   IFS=',' read -ra AGENT_ARRAY <<< "$agents"
 
@@ -788,7 +943,13 @@ function spawn_loop2_agents() {
       --namespace "swarm" >/dev/null
 
     # Store agent ID mapping for later retrieval using Redis SADD for set storage
-    redis-cli -h "${REDIS_HOST:-localhost}" -p "${REDIS_PORT:-6379}" SADD "swarm:${task_id}:loop2:agent_ids:iteration${iteration}" "$UNIQUE_VALIDATOR_ID" >/dev/null
+    # SECURITY FIX: Atomic SADD + EXPIRE using Lua script (prevent race condition)
+    redis-cli -h "${REDIS_HOST:-localhost}" -p "${REDIS_PORT:-6379}" --eval - \
+      "swarm:${task_id}:loop2:agent_ids:iteration${iteration}" "$UNIQUE_VALIDATOR_ID" <<'LUA' >/dev/null
+redis.call('SADD', KEYS[1], ARGV[1])
+redis.call('EXPIRE', KEYS[1], 86400)
+return redis.call('SCARD', KEYS[1])
+LUA
   done
 
   echo "[Loop 2] All agents spawned"
@@ -804,7 +965,7 @@ function spawn_product_owner() {
   # BLOCKER #2 FIX: Match execute-decision.sh actual parameters
   # Required: --task-id, --agent-id, --consensus, --threshold, --iteration, --max-iterations
   local decision_output
-  decision_output=$("$SCRIPT_DIR/.claude/skills/cfn-product-owner-decision/execute-decision.sh" \
+  decision_output=$("$PROJECT_ROOT/.claude/skills/cfn-product-owner-decision/execute-decision.sh" \
     --task-id "$task_id" \
     --agent-id "$PRODUCT_OWNER" \
     --consensus "$LOOP2_FINAL_CONSENSUS" \

package/claude-assets/skills/cfn-loop-orchestration/security_utils.sh

@@ -96,4 +96,28 @@ function validate_agent_list() {
     done
 
     return 0
+}
+
+# SECURITY FIX: Sanitize Docker environment variables to prevent command injection
+# Allowed characters: alphanumeric, dash, colon, slash, dot, underscore
+# This prevents injection attacks via malicious CFN_DOCKER_IMAGE, CFN_DOCKER_NETWORK, etc.
+function sanitize_docker_var() {
+    local var="$1"
+    local pattern="^[a-zA-Z0-9._:/-]+$"
+
+    # Check if input is empty
+    if [ -z "$var" ]; then
+        echo "Error: Docker variable cannot be empty" >&2
+        return 1
+    fi
+
+    # Validate against allowed pattern (no semicolons, backticks, pipes, etc.)
+    if [[ ! "$var" =~ $pattern ]]; then
+        echo "❌ Invalid characters in Docker variable: $var" >&2
+        echo "   Only alphanumeric, dash, colon, slash, dot, and underscore allowed" >&2
+        return 1
+    fi
+
+    # If all checks pass, echo the sanitized input
+    echo "$var"
 }