Compare commits
1 Commits
fix/839
...
claude/iss
| Author | SHA1 | Date | |
|---|---|---|---|
|
4d8e004b5f |
85
run_agent.py
85
run_agent.py
@@ -106,7 +106,7 @@ from agent.trajectory import (
|
||||
convert_scratchpad_to_think, has_incomplete_scratchpad,
|
||||
save_trajectory as _save_trajectory_to_file,
|
||||
)
|
||||
from utils import atomic_json_write, env_var_enabled
|
||||
from utils import atomic_json_write, env_var_enabled, repair_and_load_json
|
||||
|
||||
|
||||
|
||||
@@ -2246,9 +2246,8 @@ class AIAgent:
|
||||
for msg in getattr(review_agent, "_session_messages", []):
|
||||
if not isinstance(msg, dict) or msg.get("role") != "tool":
|
||||
continue
|
||||
try:
|
||||
data = json.loads(msg.get("content", "{}"))
|
||||
except (json.JSONDecodeError, TypeError):
|
||||
data = repair_and_load_json(msg.get("content", "{}"), default=None, context="trajectory_content")
|
||||
if data is None:
|
||||
continue
|
||||
if not data.get("success"):
|
||||
continue
|
||||
@@ -2496,13 +2495,13 @@ class AIAgent:
|
||||
if not tool_call or not isinstance(tool_call, dict): continue
|
||||
# Parse arguments - should always succeed since we validate during conversation
|
||||
# but keep try-except as safety net
|
||||
try:
|
||||
arguments = json.loads(tool_call["function"]["arguments"]) if isinstance(tool_call["function"]["arguments"], str) else tool_call["function"]["arguments"]
|
||||
except json.JSONDecodeError:
|
||||
# This shouldn't happen since we validate and retry during conversation,
|
||||
# but if it does, log warning and use empty dict
|
||||
logging.warning(f"Unexpected invalid JSON in trajectory conversion: {tool_call['function']['arguments'][:100]}")
|
||||
arguments = {}
|
||||
raw_args = tool_call["function"]["arguments"]
|
||||
if isinstance(raw_args, str):
|
||||
arguments = repair_and_load_json(raw_args, default={}, context="trajectory_tool_call")
|
||||
if arguments == {} and raw_args.strip() not in ("{}", ""):
|
||||
logging.warning("Unexpected invalid JSON in trajectory conversion: %.100s", raw_args)
|
||||
else:
|
||||
arguments = raw_args
|
||||
|
||||
tool_call_json = {
|
||||
"name": tool_call["function"]["name"],
|
||||
@@ -2530,11 +2529,10 @@ class AIAgent:
|
||||
|
||||
# Try to parse tool content as JSON if it looks like JSON
|
||||
tool_content = tool_msg["content"]
|
||||
try:
|
||||
if tool_content.strip().startswith(("{", "[")):
|
||||
tool_content = json.loads(tool_content)
|
||||
except (json.JSONDecodeError, AttributeError):
|
||||
pass # Keep as string if not valid JSON
|
||||
if isinstance(tool_content, str) and tool_content.strip().startswith(("{", "[")):
|
||||
parsed = repair_and_load_json(tool_content, default=None, context="trajectory_tool_content")
|
||||
if parsed is not None:
|
||||
tool_content = parsed
|
||||
|
||||
tool_index = len(tool_responses)
|
||||
tool_name = (
|
||||
@@ -2885,14 +2883,21 @@ class AIAgent:
|
||||
# with partial history and would otherwise clobber the full JSON log.
|
||||
if self.session_log_file.exists():
|
||||
try:
|
||||
existing = json.loads(self.session_log_file.read_text(encoding="utf-8"))
|
||||
existing_count = existing.get("message_count", len(existing.get("messages", [])))
|
||||
if existing_count > len(cleaned):
|
||||
logging.debug(
|
||||
"Skipping session log overwrite: existing has %d messages, current has %d",
|
||||
existing_count, len(cleaned),
|
||||
)
|
||||
return
|
||||
existing = repair_and_load_json(
|
||||
self.session_log_file.read_text(encoding="utf-8"),
|
||||
default=None,
|
||||
context="session_log_load",
|
||||
)
|
||||
if existing is None:
|
||||
logging.warning("Session log at %s could not be parsed; allowing overwrite", self.session_log_file)
|
||||
else:
|
||||
existing_count = existing.get("message_count", len(existing.get("messages", [])))
|
||||
if existing_count > len(cleaned):
|
||||
logging.debug(
|
||||
"Skipping session log overwrite: existing has %d messages, current has %d",
|
||||
existing_count, len(cleaned),
|
||||
)
|
||||
return
|
||||
except Exception:
|
||||
pass # corrupted existing file — allow the overwrite
|
||||
|
||||
@@ -3115,13 +3120,12 @@ class AIAgent:
|
||||
# Quick check: todo responses contain "todos" key
|
||||
if '"todos"' not in content:
|
||||
continue
|
||||
try:
|
||||
data = json.loads(content)
|
||||
if "todos" in data and isinstance(data["todos"], list):
|
||||
last_todo_response = data["todos"]
|
||||
break
|
||||
except (json.JSONDecodeError, TypeError):
|
||||
data = repair_and_load_json(content, default=None, context="todo_content")
|
||||
if data is None:
|
||||
continue
|
||||
if "todos" in data and isinstance(data["todos"], list):
|
||||
last_todo_response = data["todos"]
|
||||
break
|
||||
|
||||
if last_todo_response:
|
||||
# Replay the items into the store (replace mode)
|
||||
@@ -5960,7 +5964,7 @@ class AIAgent:
|
||||
result_json = asyncio.run(
|
||||
vision_analyze_tool(image_url=vision_source, user_prompt=analysis_prompt)
|
||||
)
|
||||
result = json.loads(result_json) if isinstance(result_json, str) else {}
|
||||
result = repair_and_load_json(result_json, default={}, context="vision_result") if isinstance(result_json, str) else {}
|
||||
description = (result.get("analysis") or "").strip()
|
||||
except Exception as e:
|
||||
description = f"Image analysis failed: {e}"
|
||||
@@ -6758,7 +6762,7 @@ class AIAgent:
|
||||
for tc in tool_calls:
|
||||
if tc.function.name == "memory":
|
||||
try:
|
||||
args = json.loads(tc.function.arguments)
|
||||
args = repair_and_load_json(tc.function.arguments, default={}, context="memory_flush")
|
||||
flush_target = args.get("target", "memory")
|
||||
from tools.memory_tool import memory_tool as _memory_tool
|
||||
_memory_tool(
|
||||
@@ -8297,14 +8301,15 @@ class AIAgent:
|
||||
for tc in tcs:
|
||||
if isinstance(tc, dict) and "function" in tc:
|
||||
try:
|
||||
args_obj = json.loads(tc["function"]["arguments"])
|
||||
tc = {**tc, "function": {
|
||||
**tc["function"],
|
||||
"arguments": json.dumps(
|
||||
args_obj, separators=(",", ":"),
|
||||
sort_keys=True,
|
||||
),
|
||||
}}
|
||||
args_obj = repair_and_load_json(tc["function"]["arguments"], default=None, context="cache_serialization")
|
||||
if args_obj is not None:
|
||||
tc = {**tc, "function": {
|
||||
**tc["function"],
|
||||
"arguments": json.dumps(
|
||||
args_obj, separators=(",", ":"),
|
||||
sort_keys=True,
|
||||
),
|
||||
}}
|
||||
except Exception:
|
||||
pass
|
||||
new_tcs.append(tc)
|
||||
|
||||
@@ -1,122 +0,0 @@
|
||||
"""Tests for credential redaction — Issue #839."""
|
||||
import json
|
||||
import sys
|
||||
from pathlib import Path
|
||||
sys.path.insert(0, str(Path(__file__).parent.parent))
|
||||
|
||||
from tools.credential_redaction import (
|
||||
redact_credentials, should_auto_mask, mask_config_values,
|
||||
redact_tool_output, RedactionResult
|
||||
)
|
||||
|
||||
|
||||
class TestRedactCredentials:
|
||||
def test_openai_key(self):
|
||||
text = "API key: sk-abc123def456ghi789jkl012mno345pqr678stu901vwx"
|
||||
result = redact_credentials(text)
|
||||
assert result.was_redacted
|
||||
assert "sk-abc" not in result.text
|
||||
assert "[REDACTED" in result.text
|
||||
|
||||
def test_github_pat(self):
|
||||
text = "token: ghp_1234567890abcdefghijklmnopqrstuvwxyz"
|
||||
result = redact_credentials(text)
|
||||
assert result.was_redacted
|
||||
assert "ghp_" not in result.text
|
||||
|
||||
def test_bearer_token(self):
|
||||
text = "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
|
||||
result = redact_credentials(text)
|
||||
assert result.was_redacted
|
||||
assert "Bearer eyJ" not in result.text
|
||||
|
||||
def test_password_assignment(self):
|
||||
text = 'password: "supersecret123"'
|
||||
result = redact_credentials(text)
|
||||
assert result.was_redacted
|
||||
|
||||
def test_clean_text(self):
|
||||
text = "Hello world, no credentials here"
|
||||
result = redact_credentials(text)
|
||||
assert not result.was_redacted
|
||||
assert result.text == text
|
||||
|
||||
def test_empty_text(self):
|
||||
result = redact_credentials("")
|
||||
assert not result.was_redacted
|
||||
|
||||
|
||||
class TestShouldAutoMask:
|
||||
def test_env_file(self):
|
||||
assert should_auto_mask(".env") == True
|
||||
|
||||
def test_config_file(self):
|
||||
assert should_auto_mask("config.yaml") == True
|
||||
|
||||
def test_token_file(self):
|
||||
assert should_auto_mask("gitea_token") == True
|
||||
|
||||
def test_normal_file(self):
|
||||
assert should_auto_mask("readme.md") == False
|
||||
|
||||
|
||||
class TestMaskConfigValues:
|
||||
def test_env_api_key(self):
|
||||
text = "API_KEY=sk-abc123def456"
|
||||
result = mask_config_values(text)
|
||||
assert "sk-abc" not in result
|
||||
assert "[REDACTED]" in result
|
||||
|
||||
def test_yaml_token(self):
|
||||
text = 'token: "ghp_1234567890"'
|
||||
result = mask_config_values(text)
|
||||
assert "ghp_" not in result
|
||||
assert "[REDACTED]" in result
|
||||
|
||||
def test_preserves_structure(self):
|
||||
text = "API_KEY=secret\nOTHER=value"
|
||||
result = mask_config_values(text)
|
||||
assert "OTHER=value" in result # Non-credential preserved
|
||||
|
||||
|
||||
class TestRedactToolOutput:
|
||||
def test_string_output(self):
|
||||
output = "Result: sk-abc123def456ghi789jkl012mno345pqr678stu901vwx"
|
||||
redacted, notice = redact_tool_output("file_read", output)
|
||||
assert "sk-abc123" not in redacted
|
||||
assert notice is not None
|
||||
|
||||
def test_dict_output(self):
|
||||
output = {"content": "token: ghp_1234567890abcdefghijklmnopqrstuvwxyz"}
|
||||
redacted, notice = redact_tool_output("file_read", output)
|
||||
assert "ghp_" not in redacted["content"]
|
||||
|
||||
def test_clean_output(self):
|
||||
output = "No credentials here"
|
||||
redacted, notice = redact_tool_output("file_read", output)
|
||||
assert redacted == output
|
||||
assert notice is None
|
||||
|
||||
|
||||
class TestRedactionResult:
|
||||
def test_notice_singular(self):
|
||||
result = RedactionResult("redacted", "original", [{"pattern_name": "test"}])
|
||||
assert "1 credential pattern" in result.notice()
|
||||
|
||||
def test_notice_plural(self):
|
||||
result = RedactionResult("redacted", "original", [
|
||||
{"pattern_name": "test1"},
|
||||
{"pattern_name": "test2"},
|
||||
])
|
||||
assert "2 credential patterns" in result.notice()
|
||||
|
||||
def test_to_dict(self):
|
||||
result = RedactionResult("redacted", "original", [{"pattern_name": "test"}])
|
||||
d = result.to_dict()
|
||||
assert d["redacted"] == True
|
||||
assert d["count"] == 1
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
import pytest
|
||||
pytest.main([__file__, "-v"])
|
||||
@@ -1,269 +0,0 @@
|
||||
"""Credential Redaction — Poka-yoke for tool outputs.
|
||||
|
||||
Blocks silent credential exposure by redacting API keys, tokens, and
|
||||
passwords from tool outputs before they enter agent context.
|
||||
|
||||
Issue #839: Poka-yoke: Block silent credential exposure in tool outputs
|
||||
"""
|
||||
|
||||
import json
|
||||
import logging
|
||||
import re
|
||||
import time
|
||||
from pathlib import Path
|
||||
from typing import Any, Dict, List, Optional, Tuple
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
# Audit log path
|
||||
_AUDIT_DIR = Path.home() / ".hermes" / "audit"
|
||||
_AUDIT_LOG = _AUDIT_DIR / "redactions.jsonl"
|
||||
|
||||
# Credential patterns — order matters (most specific first)
|
||||
_CREDENTIAL_PATTERNS = [
|
||||
# API keys
|
||||
(r'sk-[a-zA-Z0-9]{20,}', '[REDACTED: OpenAI-style API key]'),
|
||||
(r'sk-ant-[a-zA-Z0-9-]{20,}', '[REDACTED: Anthropic API key]'),
|
||||
(r'ghp_[a-zA-Z0-9]{36}', '[REDACTED: GitHub PAT]'),
|
||||
(r'gho_[a-zA-Z0-9]{36}', '[REDACTED: GitHub OAuth token]'),
|
||||
(r'github_pat_[a-zA-Z0-9_]{82}', '[REDACTED: GitHub fine-grained PAT]'),
|
||||
(r'glpat-[a-zA-Z0-9-]{20,}', '[REDACTED: GitLab PAT]'),
|
||||
(r'syt_[a-zA-Z0-9_-]{40,}', '[REDACTED: Matrix access token]'),
|
||||
(r'xoxb-[0-9]{10,}-[a-zA-Z0-9]{20,}', '[REDACTED: Slack bot token]'),
|
||||
(r'xoxp-[0-9]{10,}-[a-zA-Z0-9]{20,}', '[REDACTED: Slack user token]'),
|
||||
|
||||
# Bearer tokens
|
||||
(r'Bearer\s+[a-zA-Z0-9_.-]{20,}', '[REDACTED: Bearer token]'),
|
||||
|
||||
# Generic tokens/passwords in assignments
|
||||
(r'(?:token|api_key|api_key|secret|password|passwd|pwd)\s*[:=]\s*["\']?([a-zA-Z0-9_.-]{8,})["\']?', '[REDACTED: credential]'),
|
||||
|
||||
# Environment variable assignments
|
||||
(r'(?:export\s+)?(?:TOKEN|KEY|SECRET|PASSWORD|API_KEY)\s*=\s*["\']?([a-zA-Z0-9_.-]{8,})["\']?', '[REDACTED: env credential]'),
|
||||
|
||||
# Base64 encoded credentials (high entropy strings)
|
||||
(r'(?:authorization|auth)\s*[:=]\s*(?:basic|bearer)\s+[a-zA-Z0-9+/=]{20,}', '[REDACTED: auth header]'),
|
||||
|
||||
# AWS credentials
|
||||
(r'AKIA[0-9A-Z]{16}', '[REDACTED: AWS access key]'),
|
||||
(r'(?<![A-Z0-9])[A-Za-z0-9/+=]{40}(?![A-Z0-9])', None), # Only match near context
|
||||
|
||||
# Private keys
|
||||
(r'-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----', '[REDACTED: private key block]'),
|
||||
]
|
||||
|
||||
|
||||
class RedactionResult:
|
||||
"""Result of credential redaction."""
|
||||
|
||||
def __init__(self, text: str, original: str, redactions: List[Dict[str, Any]]):
|
||||
self.text = text
|
||||
self.original = original
|
||||
self.redactions = redactions
|
||||
|
||||
@property
|
||||
def was_redacted(self) -> bool:
|
||||
return len(self.redactions) > 0
|
||||
|
||||
@property
|
||||
def count(self) -> int:
|
||||
return len(self.redactions)
|
||||
|
||||
def notice(self) -> str:
|
||||
"""Generate compact redaction notice."""
|
||||
if not self.was_redacted:
|
||||
return ""
|
||||
return f"[REDACTED: {self.count} credential pattern{'s' if self.count > 1 else ''} found]"
|
||||
|
||||
def to_dict(self) -> Dict[str, Any]:
|
||||
return {
|
||||
"redacted": self.was_redacted,
|
||||
"count": self.count,
|
||||
"notice": self.notice(),
|
||||
"patterns": [r["pattern_name"] for r in self.redactions],
|
||||
}
|
||||
|
||||
|
||||
def redact_credentials(text: str, source: str = "unknown") -> RedactionResult:
|
||||
"""Redact credentials from text.
|
||||
|
||||
Args:
|
||||
text: Text to redact
|
||||
source: Source identifier for audit logging
|
||||
|
||||
Returns:
|
||||
RedactionResult with redacted text and metadata
|
||||
"""
|
||||
if not text:
|
||||
return RedactionResult(text, text, [])
|
||||
|
||||
redactions = []
|
||||
result = text
|
||||
|
||||
for pattern, replacement in _CREDENTIAL_PATTERNS:
|
||||
if replacement is None:
|
||||
continue # Skip conditional patterns
|
||||
|
||||
matches = list(re.finditer(pattern, result, re.IGNORECASE))
|
||||
for match in matches:
|
||||
redactions.append({
|
||||
"pattern_name": replacement,
|
||||
"position": match.start(),
|
||||
"length": len(match.group()),
|
||||
"source": source,
|
||||
"timestamp": time.time(),
|
||||
})
|
||||
|
||||
result = re.sub(pattern, replacement, result, flags=re.IGNORECASE)
|
||||
|
||||
redaction_result = RedactionResult(result, text, redactions)
|
||||
|
||||
# Log to audit trail
|
||||
if redaction_result.was_redacted:
|
||||
_log_redaction(redaction_result, source)
|
||||
|
||||
return redaction_result
|
||||
|
||||
|
||||
def _log_redaction(result: RedactionResult, source: str) -> None:
|
||||
"""Log redaction event to audit trail."""
|
||||
try:
|
||||
_AUDIT_DIR.mkdir(parents=True, exist_ok=True)
|
||||
entry = {
|
||||
"timestamp": time.time(),
|
||||
"source": source,
|
||||
"count": result.count,
|
||||
"patterns": [r["pattern_name"] for r in result.redactions],
|
||||
}
|
||||
with open(_AUDIT_LOG, "a") as f:
|
||||
f.write(json.dumps(entry) + "\n")
|
||||
except Exception as e:
|
||||
logger.debug(f"Failed to log redaction: {e}")
|
||||
|
||||
|
||||
def should_auto_mask(file_path: str) -> bool:
|
||||
"""Check if file should have credentials auto-masked."""
|
||||
path_lower = file_path.lower()
|
||||
sensitive_patterns = [
|
||||
".env", "config", "token", "secret", "credential",
|
||||
"key", "auth", "password", ".pem", ".key",
|
||||
]
|
||||
return any(p in path_lower for p in sensitive_patterns)
|
||||
|
||||
|
||||
def mask_config_values(text: str) -> str:
|
||||
"""Mask credential values in config/env files while preserving structure.
|
||||
|
||||
Transforms:
|
||||
API_KEY=sk-abc123 → API_KEY=[REDACTED]
|
||||
token: "ghp_xyz" → token: "[REDACTED]"
|
||||
"""
|
||||
lines = text.split("\n")
|
||||
result = []
|
||||
|
||||
for line in lines:
|
||||
# Match KEY=VALUE patterns
|
||||
match = re.match(r'^(\s*(?:export\s+)?[A-Z_][A-Z0-9_]*)\s*=\s*(.*)', line)
|
||||
if match:
|
||||
key = match.group(1)
|
||||
value = match.group(2).strip()
|
||||
|
||||
# Check if key looks credential-like
|
||||
key_lower = key.lower()
|
||||
if any(p in key_lower for p in ["key", "token", "secret", "password", "auth"]):
|
||||
if value and not value.startswith("[REDACTED]"):
|
||||
# Preserve quotes
|
||||
if value.startswith('"') and value.endswith('"'):
|
||||
result.append(f'{key}="[REDACTED]"')
|
||||
elif value.startswith("'") and value.endswith("'"):
|
||||
result.append(f"{key}='[REDACTED]'")
|
||||
else:
|
||||
result.append(f"{key}=[REDACTED]")
|
||||
continue
|
||||
|
||||
# Match YAML-style key: value
|
||||
match = re.match(r'^(\s*[a-z_][a-z0-9_]*)\s*:\s*["\']?(.*?)["\']?\s*$', line)
|
||||
if match:
|
||||
key = match.group(1)
|
||||
value = match.group(2).strip()
|
||||
|
||||
key_lower = key.lower()
|
||||
if any(p in key_lower for p in ["key", "token", "secret", "password", "auth"]):
|
||||
if value and not value.startswith("[REDACTED]"):
|
||||
result.append(f'{key}: "[REDACTED]"')
|
||||
continue
|
||||
|
||||
result.append(line)
|
||||
|
||||
return "\n".join(result)
|
||||
|
||||
|
||||
def redact_tool_output(
|
||||
tool_name: str,
|
||||
output: Any,
|
||||
source: str = None,
|
||||
) -> Tuple[Any, Optional[str]]:
|
||||
"""Redact credentials from tool output.
|
||||
|
||||
Args:
|
||||
tool_name: Name of the tool
|
||||
output: Tool output (string or dict)
|
||||
source: Source identifier (defaults to tool_name)
|
||||
|
||||
Returns:
|
||||
Tuple of (redacted_output, notice)
|
||||
"""
|
||||
source = source or tool_name
|
||||
|
||||
if isinstance(output, str):
|
||||
result = redact_credentials(output, source)
|
||||
if result.was_redacted:
|
||||
return result.text, result.notice()
|
||||
return output, None
|
||||
|
||||
if isinstance(output, dict):
|
||||
# Redact string values in dict
|
||||
redacted = {}
|
||||
notices = []
|
||||
for key, value in output.items():
|
||||
if isinstance(value, str):
|
||||
r, n = redact_tool_output(tool_name, value, f"{source}.{key}")
|
||||
redacted[key] = r
|
||||
if n:
|
||||
notices.append(n)
|
||||
else:
|
||||
redacted[key] = value
|
||||
|
||||
notice = "; ".join(notices) if notices else None
|
||||
return redacted, notice
|
||||
|
||||
# Non-string, non-dict: pass through
|
||||
return output, None
|
||||
|
||||
|
||||
def get_redaction_stats() -> Dict[str, Any]:
|
||||
"""Get redaction statistics from audit log."""
|
||||
stats = {
|
||||
"total_redactions": 0,
|
||||
"by_source": {},
|
||||
"by_pattern": {},
|
||||
}
|
||||
|
||||
if not _AUDIT_LOG.exists():
|
||||
return stats
|
||||
|
||||
try:
|
||||
with open(_AUDIT_LOG, "r") as f:
|
||||
for line in f:
|
||||
entry = json.loads(line.strip())
|
||||
stats["total_redactions"] += entry.get("count", 0)
|
||||
|
||||
source = entry.get("source", "unknown")
|
||||
stats["by_source"][source] = stats["by_source"].get(source, 0) + 1
|
||||
|
||||
for pattern in entry.get("patterns", []):
|
||||
stats["by_pattern"][pattern] = stats["by_pattern"].get(pattern, 0) + 1
|
||||
except Exception:
|
||||
pass
|
||||
|
||||
return stats
|
||||
44
utils.py
44
utils.py
@@ -145,6 +145,50 @@ def safe_json_loads(text: str, default: Any = None) -> Any:
|
||||
return default
|
||||
|
||||
|
||||
def repair_and_load_json(text: str, default: Any = None, *, context: str = "") -> Any:
|
||||
"""Parse JSON with automatic repair fallback.
|
||||
|
||||
Tries ``json.loads`` first. On failure, attempts to repair the string
|
||||
using the ``json_repair`` library before falling back to *default*.
|
||||
Logs a debug-level warning when repair is triggered so that callers can
|
||||
observe silent-failure patterns without raising exceptions.
|
||||
|
||||
Args:
|
||||
text: The JSON string to parse.
|
||||
default: Value returned when both parse and repair fail.
|
||||
context: Optional label included in the debug log (e.g. the call-site
|
||||
name) to aid tracing.
|
||||
|
||||
Returns:
|
||||
Parsed Python object, or *default* on unrecoverable failure.
|
||||
"""
|
||||
if not isinstance(text, str):
|
||||
return default
|
||||
try:
|
||||
return json.loads(text)
|
||||
except (json.JSONDecodeError, ValueError):
|
||||
pass
|
||||
|
||||
try:
|
||||
import json_repair # optional dependency
|
||||
repaired = json_repair.repair_json(text, return_objects=True)
|
||||
# json_repair returns "" when it cannot produce a valid structure.
|
||||
# Guard against returning that sentinel as if it were a successful parse.
|
||||
# Exception: if the original text was a JSON empty-string literal like `""`
|
||||
# then "" is the correct parse result.
|
||||
if repaired == "" and text.strip() not in ('""', "''"):
|
||||
tag = f" [{context}]" if context else ""
|
||||
logger.debug("repair_and_load_json%s: repair yielded empty string; returning default", tag)
|
||||
return default
|
||||
tag = f" [{context}]" if context else ""
|
||||
logger.debug("repair_and_load_json%s: repaired malformed JSON (first 120 chars): %.120s", tag, text)
|
||||
return repaired
|
||||
except Exception as exc:
|
||||
tag = f" [{context}]" if context else ""
|
||||
logger.debug("repair_and_load_json%s: repair failed (%s); returning default", tag, exc)
|
||||
return default
|
||||
|
||||
|
||||
# ─── Environment Variable Helpers ─────────────────────────────────────────────
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user