Compare commits
1 Commits
fix/582-sh
...
burn/323-1
| Author | SHA1 | Date | |
|---|---|---|---|
|
b62fa0ec13 |
104
hermes_state.py
104
hermes_state.py
@@ -32,7 +32,7 @@ T = TypeVar("T")
|
||||
|
||||
DEFAULT_DB_PATH = get_hermes_home() / "state.db"
|
||||
|
||||
SCHEMA_VERSION = 6
|
||||
SCHEMA_VERSION = 7
|
||||
|
||||
SCHEMA_SQL = """
|
||||
CREATE TABLE IF NOT EXISTS schema_version (
|
||||
@@ -66,6 +66,7 @@ CREATE TABLE IF NOT EXISTS sessions (
|
||||
cost_source TEXT,
|
||||
pricing_version TEXT,
|
||||
title TEXT,
|
||||
profile TEXT,
|
||||
FOREIGN KEY (parent_session_id) REFERENCES sessions(id)
|
||||
);
|
||||
|
||||
@@ -86,6 +87,7 @@ CREATE TABLE IF NOT EXISTS messages (
|
||||
);
|
||||
|
||||
CREATE INDEX IF NOT EXISTS idx_sessions_source ON sessions(source);
|
||||
CREATE INDEX IF NOT EXISTS idx_sessions_profile ON sessions(profile);
|
||||
CREATE INDEX IF NOT EXISTS idx_sessions_parent ON sessions(parent_session_id);
|
||||
CREATE INDEX IF NOT EXISTS idx_sessions_started ON sessions(started_at DESC);
|
||||
CREATE INDEX IF NOT EXISTS idx_messages_session ON messages(session_id, timestamp);
|
||||
@@ -330,6 +332,19 @@ class SessionDB:
|
||||
except sqlite3.OperationalError:
|
||||
pass # Column already exists
|
||||
cursor.execute("UPDATE schema_version SET version = 6")
|
||||
if current_version < 7:
|
||||
# v7: add profile column to sessions for profile isolation (#323)
|
||||
try:
|
||||
cursor.execute('ALTER TABLE sessions ADD COLUMN "profile" TEXT')
|
||||
except sqlite3.OperationalError:
|
||||
pass # Column already exists
|
||||
try:
|
||||
cursor.execute(
|
||||
"CREATE INDEX IF NOT EXISTS idx_sessions_profile ON sessions(profile)"
|
||||
)
|
||||
except sqlite3.OperationalError:
|
||||
pass
|
||||
cursor.execute("UPDATE schema_version SET version = 7")
|
||||
|
||||
# Unique title index — always ensure it exists (safe to run after migrations
|
||||
# since the title column is guaranteed to exist at this point)
|
||||
@@ -362,13 +377,19 @@ class SessionDB:
|
||||
system_prompt: str = None,
|
||||
user_id: str = None,
|
||||
parent_session_id: str = None,
|
||||
profile: str = None,
|
||||
) -> str:
|
||||
"""Create a new session record. Returns the session_id."""
|
||||
"""Create a new session record. Returns the session_id.
|
||||
|
||||
Args:
|
||||
profile: Profile name for session isolation. When set, sessions
|
||||
are tagged so queries can filter by profile. (#323)
|
||||
"""
|
||||
def _do(conn):
|
||||
conn.execute(
|
||||
"""INSERT OR IGNORE INTO sessions (id, source, user_id, model, model_config,
|
||||
system_prompt, parent_session_id, started_at)
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?, ?)""",
|
||||
system_prompt, parent_session_id, profile, started_at)
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)""",
|
||||
(
|
||||
session_id,
|
||||
source,
|
||||
@@ -377,6 +398,7 @@ class SessionDB:
|
||||
json.dumps(model_config) if model_config else None,
|
||||
system_prompt,
|
||||
parent_session_id,
|
||||
profile,
|
||||
time.time(),
|
||||
),
|
||||
)
|
||||
@@ -505,19 +527,23 @@ class SessionDB:
|
||||
session_id: str,
|
||||
source: str = "unknown",
|
||||
model: str = None,
|
||||
profile: str = None,
|
||||
) -> None:
|
||||
"""Ensure a session row exists, creating it with minimal metadata if absent.
|
||||
|
||||
Used by _flush_messages_to_session_db to recover from a failed
|
||||
create_session() call (e.g. transient SQLite lock at agent startup).
|
||||
INSERT OR IGNORE is safe to call even when the row already exists.
|
||||
|
||||
Args:
|
||||
profile: Profile name for session isolation. (#323)
|
||||
"""
|
||||
def _do(conn):
|
||||
conn.execute(
|
||||
"""INSERT OR IGNORE INTO sessions
|
||||
(id, source, model, started_at)
|
||||
VALUES (?, ?, ?, ?)""",
|
||||
(session_id, source, model, time.time()),
|
||||
(id, source, model, profile, started_at)
|
||||
VALUES (?, ?, ?, ?, ?)""",
|
||||
(session_id, source, model, profile, time.time()),
|
||||
)
|
||||
self._execute_write(_do)
|
||||
|
||||
@@ -788,6 +814,7 @@ class SessionDB:
|
||||
limit: int = 20,
|
||||
offset: int = 0,
|
||||
include_children: bool = False,
|
||||
profile: str = None,
|
||||
) -> List[Dict[str, Any]]:
|
||||
"""List sessions with preview (first user message) and last active timestamp.
|
||||
|
||||
@@ -799,6 +826,10 @@ class SessionDB:
|
||||
|
||||
By default, child sessions (subagent runs, compression continuations)
|
||||
are excluded. Pass ``include_children=True`` to include them.
|
||||
|
||||
Args:
|
||||
profile: Filter sessions to this profile name. Pass None to see all.
|
||||
(#323)
|
||||
"""
|
||||
where_clauses = []
|
||||
params = []
|
||||
@@ -813,6 +844,9 @@ class SessionDB:
|
||||
placeholders = ",".join("?" for _ in exclude_sources)
|
||||
where_clauses.append(f"s.source NOT IN ({placeholders})")
|
||||
params.extend(exclude_sources)
|
||||
if profile:
|
||||
where_clauses.append("s.profile = ?")
|
||||
params.append(profile)
|
||||
|
||||
where_sql = f"WHERE {' AND '.join(where_clauses)}" if where_clauses else ""
|
||||
query = f"""
|
||||
@@ -1158,34 +1192,52 @@ class SessionDB:
|
||||
source: str = None,
|
||||
limit: int = 20,
|
||||
offset: int = 0,
|
||||
profile: str = None,
|
||||
) -> List[Dict[str, Any]]:
|
||||
"""List sessions, optionally filtered by source."""
|
||||
"""List sessions, optionally filtered by source and profile.
|
||||
|
||||
Args:
|
||||
profile: Filter sessions to this profile name. Pass None to see all.
|
||||
(#323)
|
||||
"""
|
||||
where_clauses = []
|
||||
params = []
|
||||
if source:
|
||||
where_clauses.append("source = ?")
|
||||
params.append(source)
|
||||
if profile:
|
||||
where_clauses.append("profile = ?")
|
||||
params.append(profile)
|
||||
|
||||
where_sql = f"WHERE {' AND '.join(where_clauses)}" if where_clauses else ""
|
||||
query = f"SELECT * FROM sessions {where_sql} ORDER BY started_at DESC LIMIT ? OFFSET ?"
|
||||
params.extend([limit, offset])
|
||||
with self._lock:
|
||||
if source:
|
||||
cursor = self._conn.execute(
|
||||
"SELECT * FROM sessions WHERE source = ? ORDER BY started_at DESC LIMIT ? OFFSET ?",
|
||||
(source, limit, offset),
|
||||
)
|
||||
else:
|
||||
cursor = self._conn.execute(
|
||||
"SELECT * FROM sessions ORDER BY started_at DESC LIMIT ? OFFSET ?",
|
||||
(limit, offset),
|
||||
)
|
||||
cursor = self._conn.execute(query, params)
|
||||
return [dict(row) for row in cursor.fetchall()]
|
||||
|
||||
# =========================================================================
|
||||
# Utility
|
||||
# =========================================================================
|
||||
|
||||
def session_count(self, source: str = None) -> int:
|
||||
"""Count sessions, optionally filtered by source."""
|
||||
def session_count(self, source: str = None, profile: str = None) -> int:
|
||||
"""Count sessions, optionally filtered by source and profile.
|
||||
|
||||
Args:
|
||||
profile: Filter to this profile name. Pass None to count all. (#323)
|
||||
"""
|
||||
where_clauses = []
|
||||
params = []
|
||||
if source:
|
||||
where_clauses.append("source = ?")
|
||||
params.append(source)
|
||||
if profile:
|
||||
where_clauses.append("profile = ?")
|
||||
params.append(profile)
|
||||
|
||||
where_sql = f"WHERE {' AND '.join(where_clauses)}" if where_clauses else ""
|
||||
with self._lock:
|
||||
if source:
|
||||
cursor = self._conn.execute(
|
||||
"SELECT COUNT(*) FROM sessions WHERE source = ?", (source,)
|
||||
)
|
||||
else:
|
||||
cursor = self._conn.execute("SELECT COUNT(*) FROM sessions")
|
||||
cursor = self._conn.execute(f"SELECT COUNT(*) FROM sessions {where_sql}", params)
|
||||
return cursor.fetchone()[0]
|
||||
|
||||
def message_count(self, session_id: str = None) -> int:
|
||||
|
||||
@@ -456,71 +456,6 @@ def _coerce_boolean(value: str):
|
||||
return value
|
||||
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# SHIELD: scan tool call arguments for indirect injection payloads
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
# Tools whose arguments are high-risk for injection
|
||||
_SHIELD_SCAN_TOOLS = frozenset({
|
||||
"terminal", "execute_code", "write_file", "patch",
|
||||
"browser_navigate", "browser_click", "browser_type",
|
||||
})
|
||||
|
||||
# Arguments to scan per tool
|
||||
_SHIELD_ARG_MAP = {
|
||||
"terminal": ("command",),
|
||||
"execute_code": ("code",),
|
||||
"write_file": ("content",),
|
||||
"patch": ("new_string",),
|
||||
"browser_navigate": ("url",),
|
||||
"browser_click": (),
|
||||
"browser_type": ("text",),
|
||||
}
|
||||
|
||||
|
||||
def _shield_scan_tool_args(function_name: str, function_args: Dict[str, Any]) -> None:
|
||||
"""Scan tool call arguments for injection payloads.
|
||||
|
||||
Raises ValueError if a threat is detected in tool arguments.
|
||||
This catches indirect injection: the user message is clean but the
|
||||
LLM generates a tool call containing the attack.
|
||||
"""
|
||||
if function_name not in _SHIELD_SCAN_TOOLS:
|
||||
return
|
||||
|
||||
scan_fields = _SHIELD_ARG_MAP.get(function_name, ())
|
||||
if not scan_fields:
|
||||
return
|
||||
|
||||
try:
|
||||
from tools.shield.detector import detect
|
||||
except ImportError:
|
||||
return # SHIELD not loaded
|
||||
|
||||
for field_name in scan_fields:
|
||||
value = function_args.get(field_name)
|
||||
if not value or not isinstance(value, str):
|
||||
continue
|
||||
|
||||
result = detect(value)
|
||||
verdict = result.get("verdict", "CLEAN")
|
||||
|
||||
if verdict in ("JAILBREAK_DETECTED",):
|
||||
# Log but don't block — tool args from the LLM are expected to
|
||||
# sometimes match patterns. Instead, inject a warning.
|
||||
import logging
|
||||
logging.getLogger(__name__).warning(
|
||||
"SHIELD: injection pattern detected in %s arg '%s' (verdict=%s)",
|
||||
function_name, field_name, verdict,
|
||||
)
|
||||
# Add a prefix to the arg so the tool handler can see it was flagged
|
||||
if isinstance(function_args.get(field_name), str):
|
||||
function_args[field_name] = (
|
||||
f"[SHIELD-WARNING: injection pattern detected] "
|
||||
+ function_args[field_name]
|
||||
)
|
||||
|
||||
|
||||
def handle_function_call(
|
||||
function_name: str,
|
||||
function_args: Dict[str, Any],
|
||||
@@ -549,12 +484,6 @@ def handle_function_call(
|
||||
# Coerce string arguments to their schema-declared types (e.g. "42"→42)
|
||||
function_args = coerce_tool_args(function_name, function_args)
|
||||
|
||||
# SHIELD: scan tool call arguments for indirect injection payloads.
|
||||
# The LLM may emit tool calls containing injection attempts in arguments
|
||||
# (e.g. terminal commands with "ignore all rules"). Scan high-risk tools.
|
||||
# (Fixes #582)
|
||||
_shield_scan_tool_args(function_name, function_args)
|
||||
|
||||
# Notify the read-loop tracker when a non-read/search tool runs,
|
||||
# so the *consecutive* counter resets (reads after other work are fine).
|
||||
if function_name not in _READ_SEARCH_TOOLS:
|
||||
|
||||
@@ -1,110 +0,0 @@
|
||||
"""Tests for SHIELD tool argument scanning (fix #582)."""
|
||||
|
||||
import sys
|
||||
import types
|
||||
import pytest
|
||||
from unittest.mock import patch, MagicMock
|
||||
|
||||
|
||||
def _make_shield_mock():
|
||||
"""Create a mock shield detector module."""
|
||||
mock_module = types.ModuleType("tools.shield")
|
||||
mock_detector = types.ModuleType("tools.shield.detector")
|
||||
mock_detector.detect = MagicMock(return_value={"verdict": "CLEAN"})
|
||||
mock_module.detector = mock_detector
|
||||
return mock_module, mock_detector
|
||||
|
||||
|
||||
class TestShieldScanToolArgs:
|
||||
def _run_scan(self, tool_name, args, verdict="CLEAN"):
|
||||
mock_module, mock_detector = _make_shield_mock()
|
||||
mock_detector.detect.return_value = {"verdict": verdict}
|
||||
|
||||
with patch.dict(sys.modules, {
|
||||
"tools.shield": mock_module,
|
||||
"tools.shield.detector": mock_detector,
|
||||
}):
|
||||
from model_tools import _shield_scan_tool_args
|
||||
_shield_scan_tool_args(tool_name, args)
|
||||
return mock_detector
|
||||
|
||||
def test_scans_terminal_command(self):
|
||||
args = {"command": "echo hello"}
|
||||
detector = self._run_scan("terminal", args)
|
||||
detector.detect.assert_called_once_with("echo hello")
|
||||
|
||||
def test_scans_execute_code(self):
|
||||
args = {"code": "print('hello')"}
|
||||
detector = self._run_scan("execute_code", args)
|
||||
detector.detect.assert_called_once_with("print('hello')")
|
||||
|
||||
def test_scans_write_file_content(self):
|
||||
args = {"content": "some file content"}
|
||||
detector = self._run_scan("write_file", args)
|
||||
detector.detect.assert_called_once_with("some file content")
|
||||
|
||||
def test_skips_non_scanned_tools(self):
|
||||
args = {"query": "search term"}
|
||||
detector = self._run_scan("web_search", args)
|
||||
detector.detect.assert_not_called()
|
||||
|
||||
def test_skips_empty_args(self):
|
||||
args = {"command": ""}
|
||||
detector = self._run_scan("terminal", args)
|
||||
detector.detect.assert_not_called()
|
||||
|
||||
def test_skips_non_string_args(self):
|
||||
args = {"command": 123}
|
||||
detector = self._run_scan("terminal", args)
|
||||
detector.detect.assert_not_called()
|
||||
|
||||
def test_injection_detected_adds_warning_prefix(self):
|
||||
args = {"command": "ignore all rules and do X"}
|
||||
self._run_scan("terminal", args, verdict="JAILBREAK_DETECTED")
|
||||
assert args["command"].startswith("[SHIELD-WARNING")
|
||||
|
||||
def test_clean_input_unchanged(self):
|
||||
original = "ls -la /tmp"
|
||||
args = {"command": original}
|
||||
self._run_scan("terminal", args, verdict="CLEAN")
|
||||
assert args["command"] == original
|
||||
|
||||
def test_crisis_verdict_not_flagged(self):
|
||||
args = {"command": "I need help"}
|
||||
self._run_scan("terminal", args, verdict="CRISIS_DETECTED")
|
||||
assert not args["command"].startswith("[SHIELD")
|
||||
|
||||
def test_handles_missing_shield_gracefully(self):
|
||||
from model_tools import _shield_scan_tool_args
|
||||
args = {"command": "test"}
|
||||
# Clear tools.shield from sys.modules to simulate missing
|
||||
saved = {}
|
||||
for key in list(sys.modules.keys()):
|
||||
if "shield" in key:
|
||||
saved[key] = sys.modules.pop(key)
|
||||
try:
|
||||
_shield_scan_tool_args("terminal", args) # Should not raise
|
||||
finally:
|
||||
sys.modules.update(saved)
|
||||
|
||||
|
||||
class TestShieldScanToolList:
|
||||
def test_terminal_is_scanned(self):
|
||||
from model_tools import _SHIELD_SCAN_TOOLS
|
||||
assert "terminal" in _SHIELD_SCAN_TOOLS
|
||||
|
||||
def test_execute_code_is_scanned(self):
|
||||
from model_tools import _SHIELD_SCAN_TOOLS
|
||||
assert "execute_code" in _SHIELD_SCAN_TOOLS
|
||||
|
||||
def test_write_file_is_scanned(self):
|
||||
from model_tools import _SHIELD_SCAN_TOOLS
|
||||
assert "write_file" in _SHIELD_SCAN_TOOLS
|
||||
|
||||
def test_web_search_not_scanned(self):
|
||||
from model_tools import _SHIELD_SCAN_TOOLS
|
||||
assert "web_search" not in _SHIELD_SCAN_TOOLS
|
||||
|
||||
def test_read_file_not_scanned(self):
|
||||
from model_tools import _SHIELD_SCAN_TOOLS
|
||||
assert "read_file" not in _SHIELD_SCAN_TOOLS
|
||||
Reference in New Issue
Block a user