Agent Diagnostic
- Loaded
openshell-cli skill, traced the exec validation pipeline
- Found
reject_control_chars() in crates/openshell-server/src/grpc/validation.rs:72-84 blanket-rejects \n and \r in ALL command arguments
- Found
shell_escape() in crates/openshell-server/src/grpc/sandbox.rs:1456-1474 independently rejects newlines during command construction
- No special handling exists for
bash -c, sh -c, or python3 -c patterns where the argument IS a script
- Confirmed the rejection is at the gRPC validation layer, so it affects all callers (CLI, Python SDK, direct gRPC)
Description
sandbox exec rejects any command argument containing a newline (\n) or carriage return (\r). This blocks multi-line scripts passed to bash -c or python3 -c, which is the natural way agents produce executable code.
What happens:
Error: × code: 'Client specified an invalid argument', message: "command argument 2
│ contains newline or carriage return characters"
What I expected: The script body passed to bash -c "..." should be accepted, since the user explicitly opted into shell interpretation.
Reproduction Steps
# 1. Create a sandbox
openshell sandbox create --name exec-newline-test
# 2. Try a multi-line python script (fails)
openshell sandbox exec -n exec-newline-test -- python3 -c "
def hello():
print('hi')
hello()
"
# 3. Single-line equivalent works fine
openshell sandbox exec -n exec-newline-test -- python3 -c "print('hi')"The same rejection happens via the Python SDK:
sandbox.exec(command=["bash", "-c", "echo 'line1\nline2'"])
Use case
We use sandbox exec to dispatch tasks from a lead AI agent via MCP. The agent sends multi-line scripts (Python, shell) as its natural output. Having to convert everything to single-line with semicolons is fragile and limits what agents can do.
Environment
- OpenShell: v0.0.66
- OS: macOS (Darwin 25.0.0, Apple Silicon)
- Compute driver: Podman (rootless, podman-machine)
Logs
Error: × code: 'Client specified an invalid argument', message: "command argument 2
│ contains newline or carriage return characters"
Agent Diagnostic
openshell-cliskill, traced the exec validation pipelinereject_control_chars()incrates/openshell-server/src/grpc/validation.rs:72-84blanket-rejects\nand\rin ALL command argumentsshell_escape()incrates/openshell-server/src/grpc/sandbox.rs:1456-1474independently rejects newlines during command constructionbash -c,sh -c, orpython3 -cpatterns where the argument IS a scriptDescription
sandbox execrejects any command argument containing a newline (\n) or carriage return (\r). This blocks multi-line scripts passed tobash -corpython3 -c, which is the natural way agents produce executable code.What happens:
What I expected: The script body passed to
bash -c "..."should be accepted, since the user explicitly opted into shell interpretation.Reproduction Steps
The same rejection happens via the Python SDK:
Use case
We use
sandbox execto dispatch tasks from a lead AI agent via MCP. The agent sends multi-line scripts (Python, shell) as its natural output. Having to convert everything to single-line with semicolons is fragile and limits what agents can do.Environment
Logs