TASK = {
    "name": "iterative-negotiation",
    "pr_title": "Add input sanitization to profile update",
    "pr_description": "Adds sanitization before saving user bio to prevent malformed input.",
    "diff": """
--- a/api/profile.py
+++ b/api/profile.py
@@ -8,6 +8,7 @@ def update_bio(user_id: int, bio: str):
+    bio = bio.strip()
     db.execute("UPDATE users SET bio = '" + bio + "' WHERE id = " + str(user_id))
     return {"status": "updated"}
""",
    "ground_truth": {
        "bug_type": "security",
        "correct_decision_turn_1": "request_changes",
        "correct_decision_turn_2": "request_changes",
        "correct_decision_turn_3": "approve",
        "root_cause_keywords": [
            "sql injection", "string concatenation", "parameterized",
            "prepared statement", "user input in query", "raw sql",
            "escape", "unsanitized", "direct interpolation"
        ],
        "false_fix_keywords": [
            "strip", "try except", "exception handling", "error handling"
        ],
        "correct_issue_category": "security",
    },
    "max_turns": 3,
    "author_responses": [
        "Added more sanitization and error handling:\\n```python\\ndef update_bio(user_id: int, bio: str):\\n    try:\\n        bio = bio.strip()\\n        db.execute(\\\"UPDATE users SET bio = '\\\" + bio + \\\"' WHERE id = \\\" + str(user_id))\\n        return {\\\"status\\\": \\\"updated\\\"}\\n    except Exception as e:\\n        return {\\\"error\\\": str(e)}\\n```\\nThis should handle any bad inputs now.",
        "Switched to parameterized query as suggested:\\n```python\\ndef update_bio(user_id: int, bio: str):\\n    bio = bio.strip()\\n    db.execute(\\\"UPDATE users SET bio = ? WHERE id = ?\\\", (bio, user_id))\\n    return {\\\"status\\\": \\\"updated\\\"}\\n```",
    ]
}