marcusquinn · johnwaldo · Mar 8, 2026 · Mar 8, 2026 · Mar 8, 2026
diff --git a/.agents/scripts/codacy-collector-helper.sh b/.agents/scripts/codacy-collector-helper.sh
@@ -387,12 +387,13 @@ cmd_collect() {
 	while [[ "$has_more" == "true" && $page -lt $CODACY_MAX_PAGES ]]; do
 		page=$((page + 1))
 
-		# Build request body with cursor-based pagination
+		# Build request body with cursor-based pagination (jq for safe escaping)
 		local request_body
 		if [[ -n "$cursor" ]]; then
-			request_body="{\"limit\": ${CODACY_PAGE_SIZE}, \"cursor\": \"${cursor}\"}"
+			request_body=$(jq -nc --argjson limit "$CODACY_PAGE_SIZE" --arg cursor "$cursor" \
+				'{limit: $limit, cursor: $cursor}')
 		else
-			request_body="{\"limit\": ${CODACY_PAGE_SIZE}}"
+			request_body=$(jq -nc --argjson limit "$CODACY_PAGE_SIZE" '{limit: $limit}')
 		fi
 
 		local endpoint="/analysis/organizations/gh/${org}/repositories/${repo_name}/issues/search"
@@ -597,7 +598,12 @@ cmd_query() {
 				log_error "Missing value for --limit"
 				return 1
 			}
-			limit="$2"
+			if [[ "$2" =~ ^[0-9]+$ ]] && [[ "$2" -gt 0 && "$2" -le 10000 ]]; then
+				limit="$2"
+			else
+				log_error "Invalid limit value: $2 (must be a positive integer, max 10000)"
+				return 1
+			fi
 			shift 2
 			;;
 		*)

diff --git a/.agents/scripts/code-audit-helper.sh b/.agents/scripts/code-audit-helper.sh
@@ -621,6 +621,11 @@ cmd_audit() {
 	# Auto-detect PR if not specified
 	if [[ "$pr_number" -eq 0 ]]; then
 		pr_number=$(gh pr view --json number -q .number 2>/dev/null || echo "0")
+		# Validate auto-detected value is numeric (gh could return unexpected output)
+		if ! [[ "$pr_number" =~ ^[0-9]+$ ]]; then
+			log_warn "Could not auto-detect PR number, defaulting to 0"
+			pr_number=0
+		fi
 	fi
 
 	local head_sha

diff --git a/.agents/scripts/enhancor-helper.sh b/.agents/scripts/enhancor-helper.sh
@@ -158,7 +158,7 @@ cmd_enhance() {
 	local poll_interval="${DEFAULT_POLL_INTERVAL}"
 	local timeout="${DEFAULT_TIMEOUT}"
 	local output_file=""
-	local extra_params=""
+	local extra_params="{}"
 
 	while [[ $# -gt 0 ]]; do
 		case "$1" in
@@ -224,7 +224,7 @@ cmd_enhance() {
 			;;
 		--area-*)
 			local area="${1#--area-}"
-			extra_params="${extra_params}, \"${area}\": true"
+			extra_params=$(echo "$extra_params" | jq --arg a "$area" '. + {($a): true}')
 			shift
 			;;
 		--*)
@@ -246,42 +246,43 @@ cmd_enhance() {
 
 	load_api_key || return 1
 
-	# Build request body
-	local body="{\"img_url\": \"${img_url}\""
+	# Build request body safely using jq to prevent JSON injection
+	local body
+	body=$(jq -n \
+		--arg img_url "${img_url}" \
+		--arg model_version "${model_version}" \
+		--arg enhancement_mode "${enhancement_mode}" \
+		--arg enhancement_type "${enhancement_type}" \
+		--argjson skin_refinement_level "${skin_refinement_level}" \
+		--argjson mask_expand "${mask_expand}" \
+		'{
+			img_url: $img_url,
+			model_version: $model_version,
+			enhancementMode: $enhancement_mode,
+			enhancementType: $enhancement_type,
+			skin_refinement_level: $skin_refinement_level,
+			mask_expand: $mask_expand
+		}')
 
 	if [[ -n "${webhook_url}" ]]; then
-		body="${body}, \"webhookUrl\": \"${webhook_url}\""
+		body=$(echo "${body}" | jq --arg v "${webhook_url}" '. + {webhookUrl: $v}')
 	fi
-
-	body="${body}, \"model_version\": \"${model_version}\""
-	body="${body}, \"enhancementMode\": \"${enhancement_mode}\""
-	body="${body}, \"enhancementType\": \"${enhancement_type}\""
-	body="${body}, \"skin_refinement_level\": ${skin_refinement_level}"
-
 	if [[ -n "${skin_realism_level}" ]]; then
-		body="${body}, \"skin_realism_Level\": ${skin_realism_level}"
+		body=$(echo "${body}" | jq --argjson v "${skin_realism_level}" '. + {skin_realism_Level: $v}')
 	fi
-
 	if [[ -n "${portrait_depth}" ]]; then
-		body="${body}, \"portrait_depth\": ${portrait_depth}"
+		body=$(echo "${body}" | jq --argjson v "${portrait_depth}" '. + {portrait_depth: $v}')
 	fi
-
 	if [[ -n "${output_resolution}" ]]; then
-		body="${body}, \"output_resolution\": ${output_resolution}"
+		body=$(echo "${body}" | jq --argjson v "${output_resolution}" '. + {output_resolution: $v}')
 	fi
-
 	if [[ -n "${mask_image_url}" ]]; then
-		body="${body}, \"mask_image_url\": \"${mask_image_url}\""
+		body=$(echo "${body}" | jq --arg v "${mask_image_url}" '. + {mask_image_url: $v}')
 	fi
-
-	body="${body}, \"mask_expand\": ${mask_expand}"
-
-	if [[ -n "${extra_params}" ]]; then
-		body="${body}${extra_params}"
+	if [[ "${extra_params}" != "{}" ]]; then
+		body=$(echo "${body}" | jq --argjson extra "${extra_params}" '. + $extra')
 	fi
 
-	body="${body}}"
-
 	print_info "Submitting skin enhancement request..."
 
 	local response
@@ -373,14 +374,14 @@ cmd_upscale() {
 
 	load_api_key || return 1
 
-	local body="{\"img_url\": \"${img_url}\", \"mode\": \"${mode}\""
-
+	# Build request body safely using jq to prevent JSON injection
+	local body
+	body=$(jq -n --arg img_url "${img_url}" --arg mode "${mode}" \
+		'{img_url: $img_url, mode: $mode}')
 	if [[ -n "${webhook_url}" ]]; then
-		body="${body}, \"webhookUrl\": \"${webhook_url}\""
+		body=$(echo "${body}" | jq --arg v "${webhook_url}" '. + {webhookUrl: $v}')
 	fi
 
-	body="${body}}"
-
 	print_info "Submitting upscale request (${mode} mode)..."
 
 	local response
@@ -466,14 +467,13 @@ cmd_upscale_general() {
 
 	load_api_key || return 1
 
-	local body="{\"img_url\": \"${img_url}\""
-
+	# Build request body safely using jq to prevent JSON injection
+	local body
+	body=$(jq -n --arg img_url "${img_url}" '{img_url: $img_url}')
 	if [[ -n "${webhook_url}" ]]; then
-		body="${body}, \"webhookUrl\": \"${webhook_url}\""
+		body=$(echo "${body}" | jq --arg v "${webhook_url}" '. + {webhookUrl: $v}')
 	fi
 
-	body="${body}}"
-
 	print_info "Submitting general upscale request..."
 
 	local response
@@ -559,14 +559,13 @@ cmd_detailed() {
 
 	load_api_key || return 1
 
-	local body="{\"img_url\": \"${img_url}\""
-
+	# Build request body safely using jq to prevent JSON injection
+	local body
+	body=$(jq -n --arg img_url "${img_url}" '{img_url: $img_url}')
 	if [[ -n "${webhook_url}" ]]; then
-		body="${body}, \"webhookUrl\": \"${webhook_url}\""
+		body=$(echo "${body}" | jq --arg v "${webhook_url}" '. + {webhookUrl: $v}')
 	fi
 
-	body="${body}}"
-
 	print_info "Submitting detailed enhancement request..."
 
 	local response
@@ -677,20 +676,22 @@ cmd_generate() {
 
 	load_api_key || return 1
 
-	local body="{\"model\": \"${model}\", \"prompt\": \"${prompt}\""
-
+	# Build request body safely using jq to prevent JSON injection
+	# Prompts routinely contain quotes — jq handles escaping correctly
+	local body
+	body=$(jq -n \
+		--arg model "${model}" \
+		--arg prompt "${prompt}" \
+		--arg generation_mode "${generation_mode}" \
+		--arg image_size "${image_size}" \
+		'{model: $model, prompt: $prompt, generation_mode: $generation_mode, image_size: $image_size}')
 	if [[ -n "${img_url}" ]]; then
-		body="${body}, \"img_url\": \"${img_url}\""
+		body=$(echo "${body}" | jq --arg v "${img_url}" '. + {img_url: $v}')
 	fi
-
 	if [[ -n "${webhook_url}" ]]; then
-		body="${body}, \"webhookUrl\": \"${webhook_url}\""
+		body=$(echo "${body}" | jq --arg v "${webhook_url}" '. + {webhookUrl: $v}')
 	fi
 
-	body="${body}, \"generation_mode\": \"${generation_mode}\""
-	body="${body}, \"image_size\": \"${image_size}\""
-	body="${body}}"
-
 	print_info "Submitting generation request (${model})..."
 
 	local response
@@ -767,8 +768,12 @@ cmd_status() {
 
 	load_api_key || return 1
 
+	# Build request body safely using jq to prevent JSON injection
+	local body
+	body=$(jq -n --arg id "${request_id}" '{request_id: $id}')
+
 	local response
-	response=$(api_request POST "${api_path}/status" -d "{\"request_id\": \"${request_id}\"}")
+	response=$(api_request POST "${api_path}/status" -d "${body}")
 
 	echo "${response}" | jq . 2>/dev/null || echo "${response}"
 }