[Bug] Bash tool stdout corruption and XML framing leakage under concurrent calls
Bug Description
Bug Report — Claude Code: Bash tool stdout corruption & background-agent notification failure
Summary
During a multi-step git-worktree cleanup task, the Bash tool's output channel became progressively corrupted: commands executed correctly against the repo, but their returned stdout was intermittently empty, cross-contaminated between calls, character-scrambled, and polluted with the tool protocol's own XML markers. This made it impossible to trust command results and made the session unusable for destructive git operations. Separately, a background subagent's completion notification never fired, leaving the session appearing "stuck." The underlying git operations did succeed (verified with minimal single commands), so this is a tool I/O / transport defect, not a logic error.
Environment
- Product: Claude Code (CLI); Model: claude-opus-4-8[1m]
- Platform: macOS (Darwin 25.5.0), shell: zsh; inside a git repo
Symptoms (most→least severe)
1. Cross-contamination + character scrambling — e.g. real path scripts/cost_bench.py came back as 't/cost_bench.py', duplicated and interleaved with an unrelated earlier command's output:
error: fatal: 't/1password-plumbing' does not exist in HEAD 't/1password-plumbing' does not exist
2. Tool-protocol XML leaking into payloads — </parameter>, </output>, </result> framing tags appended inside command output.
3. Intermittent empty returns — commands ran (side effects confirmed) but returned nothing; one "written to <path>" success was contradicted by a follow-up cat reporting No such file or directory.
4. Correlated with parallelism — issuing multiple Bash calls in one turn reliably triggered/worsened it; one minimal command per turn was more reliable but not immune.
5. Background subagent notification never fired — launched "successfully," completion callback never arrived; session appeared hung.
Impact
Could not trust any single command's output; every result needed a confirming re-run. High risk during destructive ops (git worktree remove, git branch -D). Task could not be completed in-session. The silent nature (fabricated/empty output instead of an error) is the most dangerous aspect.
Severity: High
The Bash tool is a coding agent's primary interface; silent output corruption means the agent can neither verify state nor safely perform destructive operations.
Suggested investigation
- Bash stdout buffering/interleaving under concurrent tool calls in one turn
- Leakage of tool-result XML framing into captured stdout (escaping boundary)
- Background/async subagent completion-notification delivery
Environment Info
- Platform: darwin
- Terminal: iTerm.app
- Version: 2.1.203
- Feedback ID: e5de1687-8110-4b35-871d-01a0e25f53e5
Errors
[]