@miller-tech/uap 1.20.6 → 1.20.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@miller-tech/uap",
-  "version": "1.20.6",
+  "version": "1.20.8",
   "description": "Autonomous AI agent memory system with CLAUDE.md protocol enforcement",
   "type": "module",
   "main": "dist/index.js",

package/tools/agents/scripts/anthropic_proxy.py

@@ -227,6 +227,9 @@ PROXY_MALFORMED_TOOL_RETRY_MAX_TOKENS = int(
 PROXY_MALFORMED_TOOL_RETRY_TEMPERATURE = float(
     os.environ.get("PROXY_MALFORMED_TOOL_RETRY_TEMPERATURE", "0")
 )
+PROXY_TOOL_TURN_TEMPERATURE = float(
+    os.environ.get("PROXY_TOOL_TURN_TEMPERATURE", "0.3")
+)
 PROXY_MALFORMED_TOOL_STREAM_STRICT = os.environ.get(
     "PROXY_MALFORMED_TOOL_STREAM_STRICT", "off"
 ).lower() not in {
@@ -1623,8 +1626,14 @@ _AGENTIC_SYSTEM_SUPPLEMENT_CLEAN = (
     "</agentic-protocol>"
 )
 
+_AGENTIC_SYSTEM_SUPPLEMENT_MINIMAL = (
+    "\n\nUse tools for all actions. Respond with tool calls, not descriptions of what to do."
+)
+
 if PROXY_AGENTIC_SUPPLEMENT_MODE == "legacy":
     _AGENTIC_SYSTEM_SUPPLEMENT = _AGENTIC_SYSTEM_SUPPLEMENT_LEGACY
+elif PROXY_AGENTIC_SUPPLEMENT_MODE == "minimal":
+    _AGENTIC_SYSTEM_SUPPLEMENT = _AGENTIC_SYSTEM_SUPPLEMENT_MINIMAL
 elif PROXY_AGENTIC_SUPPLEMENT_MODE == "clean":
     _AGENTIC_SYSTEM_SUPPLEMENT = _AGENTIC_SYSTEM_SUPPLEMENT_CLEAN
 else:
@@ -2109,19 +2118,26 @@ def build_openai_request(
     has_tools = _has_tool_definitions(anthropic_body)
 
     # Inject agentic protocol instructions only for tool-enabled turns.
+    # Use minimal supplement for qwen models to reduce prompt leak surface.
     if has_tools:
+        model_name = anthropic_body.get("model", "").lower()
+        supplement = (
+            _AGENTIC_SYSTEM_SUPPLEMENT_MINIMAL
+            if "qwen" in model_name and PROXY_AGENTIC_SUPPLEMENT_MODE != "legacy"
+            else _AGENTIC_SYSTEM_SUPPLEMENT
+        )
         if (
             openai_body["messages"]
             and openai_body["messages"][0].get("role") == "system"
         ):
-            openai_body["messages"][0]["content"] += _AGENTIC_SYSTEM_SUPPLEMENT
+            openai_body["messages"][0]["content"] += supplement
         else:
             # No system message from the client; inject one.
             openai_body["messages"].insert(
                 0,
                 {
                     "role": "system",
-                    "content": _AGENTIC_SYSTEM_SUPPLEMENT.strip(),
+                    "content": supplement.strip(),
                 },
             )
         if profile_prompt_suffix:
@@ -2208,6 +2224,17 @@ def build_openai_request(
     if "stop_sequences" in anthropic_body:
         openai_body["stop"] = anthropic_body["stop_sequences"]
 
+    # Force controlled temperature for tool-call turns to reduce garbled output
+    if has_tools:
+        client_temp = openai_body.get("temperature")
+        if client_temp is None or client_temp > PROXY_TOOL_TURN_TEMPERATURE:
+            openai_body["temperature"] = PROXY_TOOL_TURN_TEMPERATURE
+            logger.info(
+                "TOOL TURN TEMP: forcing temperature=%.2f (was %s) for tool-enabled request",
+                PROXY_TOOL_TURN_TEMPERATURE,
+                client_temp,
+            )
+
     # Convert Anthropic tools to OpenAI function-calling tools
     if has_tools:
         openai_body["tools"] = _convert_anthropic_tools_to_openai(
@@ -2655,6 +2682,221 @@ def _extract_tool_calls_from_text(text: str) -> tuple[list[dict], str]:
     return extracted, remaining
 
 
+# Pattern: runaway closing braces like }}}}}
+_GARBLED_RUNAWAY_BRACES_RE = re.compile(r"\}{4,}")
+# Pattern: repetitive digit sequences like 000000 or 398859738398859738
+_GARBLED_REPETITIVE_DIGITS_RE = re.compile(r"(\d{3,})\1{2,}")
+# Pattern: long runs of zeros
+_GARBLED_ZEROS_RE = re.compile(r"0{8,}")
+# Pattern: extremely long unbroken digit strings (>30 digits)
+_GARBLED_LONG_DIGITS_RE = re.compile(r"\d{30,}")
+
+
+def _is_garbled_tool_arguments(arguments_str: str) -> bool:
+    """Detect garbled/degenerate tool call arguments.
+
+    Returns True if the arguments string shows signs of degenerate generation:
+    - Runaway closing braces (}}}}})
+    - Repetitive digit patterns (000000, 398859738398859738)
+    - Extremely long digit strings
+    - Unbalanced braces suggesting truncated/corrupt JSON
+    """
+    if not arguments_str or arguments_str == "{}":
+        return False
+
+    if _GARBLED_RUNAWAY_BRACES_RE.search(arguments_str):
+        return True
+    if _GARBLED_REPETITIVE_DIGITS_RE.search(arguments_str):
+        return True
+    if _GARBLED_ZEROS_RE.search(arguments_str):
+        return True
+    if _GARBLED_LONG_DIGITS_RE.search(arguments_str):
+        return True
+
+    # Check brace balance — more than 2 unmatched braces suggests corruption
+    open_count = arguments_str.count("{")
+    close_count = arguments_str.count("}")
+    if abs(open_count - close_count) > 2:
+        return True
+
+    return False
+
+
+def _sanitize_garbled_tool_calls(openai_resp: dict) -> bool:
+    """Check tool calls in an OpenAI response for garbled arguments.
+
+    If garbled arguments are detected, removes the affected tool calls
+    and logs a warning. Returns True if any tool calls were removed.
+    """
+    choice = (openai_resp.get("choices") or [{}])[0]
+    message = choice.get("message", {})
+    tool_calls = message.get("tool_calls")
+    if not tool_calls:
+        return False
+
+    clean = []
+    garbled_count = 0
+    for tc in tool_calls:
+        fn = tc.get("function", {})
+        args_str = fn.get("arguments", "{}")
+        if _is_garbled_tool_arguments(args_str):
+            garbled_count += 1
+            logger.warning(
+                "GARBLED TOOL ARGS: name=%s args_preview=%.120s",
+                fn.get("name", "?"),
+                args_str,
+            )
+        else:
+            clean.append(tc)
+
+    if garbled_count == 0:
+        return False
+
+    if clean:
+        message["tool_calls"] = clean
+    else:
+        # All tool calls were garbled — remove tool_calls entirely
+        message.pop("tool_calls", None)
+        choice["finish_reason"] = "stop"
+
+    logger.warning(
+        "GARBLED TOOL ARGS: removed %d garbled tool call(s), %d clean remaining",
+        garbled_count,
+        len(clean),
+    )
+    return True
+
+
+# Distinctive phrases from the agentic system supplement that Qwen3.5 leaks
+# into tool call arguments.  Keep lowercase for case-insensitive matching.
+_SYSTEM_PROMPT_LEAK_MARKERS = (
+    "agentic-protocol",
+    "agentic coding loop",
+    "follow these rules",
+    "function signatures within",
+    "provided with function signatures",
+    "you are provided with function",
+    "call one or more functions",
+    "xml tags:",
+    "do not summarize the issue",
+    "you must call a tool",
+    "proceed immediately to make the fix",
+    "do not ask for permission or confirmation",
+    "do not give up after one failure",
+    "emit a valid tool call object",
+    "never output protocol fragments",
+    "never emit literal tag artifacts",
+    "use tools for concrete work",
+    "stopping at analysis",
+)
+
+
+def _contains_system_prompt_leak(value) -> bool:
+    """Check if any string leaf in *value* contains system prompt fragments."""
+    for text in _iter_string_leaves(value):
+        lowered = text.lower()
+        if any(marker in lowered for marker in _SYSTEM_PROMPT_LEAK_MARKERS):
+            return True
+    return False
+
+
+def _find_earliest_leak_position(text: str) -> int | None:
+    """Return the character index where the first system prompt leak starts, or None."""
+    lowered = text.lower()
+    earliest = None
+    for marker in _SYSTEM_PROMPT_LEAK_MARKERS:
+        idx = lowered.find(marker)
+        if idx != -1 and (earliest is None or idx < earliest):
+            earliest = idx
+    return earliest
+
+
+def _repair_system_prompt_leak(openai_resp: dict) -> tuple[dict, int]:
+    """Strip system prompt leak fragments from tool call argument values.
+
+    Truncates string values at the first detected leak marker.
+    Returns (possibly-mutated response, repair count).
+    """
+    if not _openai_has_tool_calls(openai_resp):
+        return openai_resp, 0
+
+    choice, message = _extract_openai_choice(openai_resp)
+    tool_calls = message.get("tool_calls") or []
+    if not tool_calls:
+        return openai_resp, 0
+
+    repaired_tool_calls = []
+    repaired_count = 0
+
+    for tool_call in tool_calls:
+        fn = tool_call.get("function") if isinstance(tool_call, dict) else {}
+        if not isinstance(fn, dict):
+            fn = {}
+
+        raw_args = fn.get("arguments", "{}")
+        if isinstance(raw_args, dict):
+            parsed_args = dict(raw_args)
+        else:
+            try:
+                parsed_args = json.loads(str(raw_args))
+            except json.JSONDecodeError:
+                repaired_tool_calls.append(tool_call)
+                continue
+
+        if not isinstance(parsed_args, dict):
+            repaired_tool_calls.append(tool_call)
+            continue
+
+        changed = False
+        cleaned_args = {}
+        for key, val in parsed_args.items():
+            if isinstance(val, str):
+                pos = _find_earliest_leak_position(val)
+                if pos is not None and pos > 0:
+                    cleaned_args[key] = val[:pos].rstrip()
+                    changed = True
+                    logger.warning(
+                        "PROMPT LEAK REPAIR: tool=%s field=%s truncated at pos=%d",
+                        fn.get("name", "?"),
+                        key,
+                        pos,
+                    )
+                elif pos == 0:
+                    # Entire value is leaked content — clear it
+                    cleaned_args[key] = ""
+                    changed = True
+                else:
+                    cleaned_args[key] = val
+            else:
+                cleaned_args[key] = val
+
+        if not changed:
+            repaired_tool_calls.append(tool_call)
+            continue
+
+        new_tool_call = dict(tool_call)
+        new_fn = dict(fn)
+        new_fn["arguments"] = json.dumps(cleaned_args, separators=(",", ":"))
+        new_tool_call["function"] = new_fn
+        repaired_tool_calls.append(new_tool_call)
+        repaired_count += 1
+
+    if repaired_count > 0:
+        repaired_response = dict(openai_resp)
+        repaired_choice = dict(choice)
+        repaired_message = dict(message)
+        repaired_message["tool_calls"] = repaired_tool_calls
+        repaired_choice["message"] = repaired_message
+        repaired_response["choices"] = [repaired_choice]
+        logger.warning(
+            "PROMPT LEAK REPAIR: repaired %d tool call(s)",
+            repaired_count,
+        )
+        return repaired_response, repaired_count
+
+    return openai_resp, 0
+
+
 def _tool_schema_map_from_anthropic_body(anthropic_body: dict) -> dict[str, dict]:
     schema_map: dict[str, dict] = {}
     for tool in anthropic_body.get("tools", []) or []:
@@ -3206,6 +3448,16 @@ def _validate_tool_call_arguments(
             ),
         )
 
+    if _contains_system_prompt_leak(parsed):
+        return ToolResponseIssue(
+            kind="invalid_tool_args",
+            reason=f"arguments for '{tool_name}' contain leaked system prompt fragments",
+            retry_hint=(
+                f"Emit exactly one `{tool_name}` tool call with only the requested arguments. "
+                "Do not include any system instructions or protocol text in argument values."
+            ),
+        )
+
     if _contains_required_placeholder(parsed):
         return ToolResponseIssue(
             kind="invalid_tool_args",
@@ -3761,7 +4013,8 @@ async def _apply_malformed_tool_guardrail(
             working_resp, anthropic_body
         )
         working_resp, bash_repairs = _repair_bash_command_artifacts(working_resp)
-        repair_count = markup_repairs + required_repairs + bash_repairs
+        working_resp, leak_repairs = _repair_system_prompt_leak(working_resp)
+        repair_count = markup_repairs + required_repairs + bash_repairs + leak_repairs
 
     required_tool_choice = openai_body.get("tool_choice") == "required"
     has_tool_calls = _openai_has_tool_calls(working_resp)
@@ -3850,8 +4103,11 @@ async def _apply_malformed_tool_guardrail(
             retry_working, retry_bash_repairs = _repair_bash_command_artifacts(
                 retry_working
             )
+            retry_working, retry_leak_repairs = _repair_system_prompt_leak(
+                retry_working
+            )
             retry_repairs = (
-                retry_markup_repairs + retry_required_repairs + retry_bash_repairs
+                retry_markup_repairs + retry_required_repairs + retry_bash_repairs + retry_leak_repairs
             )
 
         working_resp = retry_working
@@ -4048,6 +4304,8 @@ def openai_to_anthropic_response(openai_resp: dict, model: str) -> dict:
     """Convert an OpenAI Chat Completions response to Anthropic Messages format."""
     # First: try to recover tool calls trapped in text XML tags
     _maybe_extract_text_tool_calls(openai_resp)
+    # Second: strip garbled/degenerate tool call arguments
+    _sanitize_garbled_tool_calls(openai_resp)
 
     choice = openai_resp.get("choices", [{}])[0]
     message = choice.get("message", {})

package/tools/agents/tests/test_anthropic_proxy_streaming.py

@@ -2925,6 +2925,216 @@ class TestToolCallXMLExtraction(unittest.TestCase):
         self.assertEqual(anthropic["stop_reason"], "tool_use")
 
 
+class TestGarbledToolArgDetection(unittest.TestCase):
+    """Tests for detecting and sanitizing garbled tool call arguments."""
+
+    def test_runaway_braces_detected(self):
+        self.assertTrue(proxy._is_garbled_tool_arguments('{"command":"echo test}}}}}'))
+
+    def test_repetitive_digits_detected(self):
+        self.assertTrue(proxy._is_garbled_tool_arguments('{"command":"echo 398398398398398398"}'))
+
+    def test_long_zeros_detected(self):
+        self.assertTrue(proxy._is_garbled_tool_arguments('{"command":"echo 00000000000"}'))
+
+    def test_extremely_long_digits_detected(self):
+        self.assertTrue(proxy._is_garbled_tool_arguments('{"x":"' + "1" * 35 + '"}'))
+
+    def test_unbalanced_braces_detected(self):
+        self.assertTrue(proxy._is_garbled_tool_arguments('{"a":{"b":{"c":"d"'))
+
+    def test_normal_args_not_flagged(self):
+        self.assertFalse(proxy._is_garbled_tool_arguments('{"command":"ls -la /tmp"}'))
+        self.assertFalse(proxy._is_garbled_tool_arguments('{"file_path":"/home/user/test.py"}'))
+
+    def test_empty_args_not_flagged(self):
+        self.assertFalse(proxy._is_garbled_tool_arguments("{}"))
+        self.assertFalse(proxy._is_garbled_tool_arguments(""))
+
+    def test_sanitize_removes_garbled_calls(self):
+        openai_resp = {
+            "choices": [{
+                "finish_reason": "tool_calls",
+                "message": {
+                    "tool_calls": [
+                        {"function": {"name": "Bash", "arguments": '{"command":"ls"}'}},
+                        {"function": {"name": "Bash", "arguments": '{"command":"echo test}}}}}}'}},
+                    ],
+                },
+            }]
+        }
+        removed = proxy._sanitize_garbled_tool_calls(openai_resp)
+        self.assertTrue(removed)
+        msg = openai_resp["choices"][0]["message"]
+        self.assertEqual(len(msg["tool_calls"]), 1)
+        self.assertEqual(msg["tool_calls"][0]["function"]["name"], "Bash")
+
+    def test_sanitize_all_garbled_removes_tool_calls(self):
+        openai_resp = {
+            "choices": [{
+                "finish_reason": "tool_calls",
+                "message": {
+                    "tool_calls": [
+                        {"function": {"name": "Bash", "arguments": '{"command":"echo }}}}}}'}},
+                    ],
+                },
+            }]
+        }
+        removed = proxy._sanitize_garbled_tool_calls(openai_resp)
+        self.assertTrue(removed)
+        msg = openai_resp["choices"][0]["message"]
+        self.assertNotIn("tool_calls", msg)
+        self.assertEqual(openai_resp["choices"][0]["finish_reason"], "stop")
+
+    def test_sanitize_clean_args_noop(self):
+        openai_resp = {
+            "choices": [{
+                "finish_reason": "tool_calls",
+                "message": {
+                    "tool_calls": [
+                        {"function": {"name": "Read", "arguments": '{"file_path":"/x.py"}'}},
+                    ],
+                },
+            }]
+        }
+        removed = proxy._sanitize_garbled_tool_calls(openai_resp)
+        self.assertFalse(removed)
+
+
+class TestToolTurnTemperature(unittest.TestCase):
+    """Tests for per-request temperature forcing on tool-enabled turns."""
+
+    def _make_monitor(self):
+        return proxy.SessionMonitor()
+
+    def test_tool_turn_forces_temperature(self):
+        body = {
+            "model": "qwen3.5",
+            "messages": [{"role": "user", "content": "hello"}],
+            "tools": [{"name": "Bash", "input_schema": {"type": "object", "properties": {"command": {"type": "string"}}}}],
+            "temperature": 0.8,
+        }
+        result = proxy.build_openai_request(body, self._make_monitor())
+        self.assertLessEqual(result["temperature"], proxy.PROXY_TOOL_TURN_TEMPERATURE)
+
+    def test_no_tools_preserves_temperature(self):
+        body = {
+            "model": "qwen3.5",
+            "messages": [{"role": "user", "content": "hello"}],
+            "temperature": 0.8,
+        }
+        result = proxy.build_openai_request(body, self._make_monitor())
+        self.assertEqual(result["temperature"], 0.8)
+
+
+class TestSystemPromptLeakDetection(unittest.TestCase):
+    """Tests for detecting and repairing system prompt leaks in tool args."""
+
+    def test_detects_agentic_protocol_leak(self):
+        self.assertTrue(proxy._contains_system_prompt_leak(
+            {"command": "echo test call one or more functions to assist"}
+        ))
+
+    def test_detects_follow_rules_leak(self):
+        self.assertTrue(proxy._contains_system_prompt_leak(
+            {"command": "ls Follow these rules: 1. Use tools"}
+        ))
+
+    def test_detects_xml_tags_leak(self):
+        self.assertTrue(proxy._contains_system_prompt_leak(
+            {"command": "echo function signatures within <tools></tools> XML tags:"}
+        ))
+
+    def test_clean_args_not_flagged(self):
+        self.assertFalse(proxy._contains_system_prompt_leak(
+            {"command": "echo hello world"}
+        ))
+        self.assertFalse(proxy._contains_system_prompt_leak(
+            {"file_path": "/home/user/test.py"}
+        ))
+
+    def test_find_earliest_leak_position(self):
+        text = "echo test-1 call one or more functions to assist"
+        pos = proxy._find_earliest_leak_position(text)
+        self.assertIsNotNone(pos)
+        self.assertEqual(text[:pos].strip(), "echo test-1")
+
+    def test_find_no_leak_returns_none(self):
+        self.assertIsNone(proxy._find_earliest_leak_position("echo hello"))
+
+    def test_repair_truncates_at_leak(self):
+        openai_resp = {
+            "choices": [{
+                "finish_reason": "tool_calls",
+                "message": {
+                    "tool_calls": [{
+                        "function": {
+                            "name": "Bash",
+                            "arguments": '{"command":"echo test-1 call one or more functions to assist"}'
+                        }
+                    }],
+                },
+            }]
+        }
+        repaired, count = proxy._repair_system_prompt_leak(openai_resp)
+        self.assertEqual(count, 1)
+        fn = repaired["choices"][0]["message"]["tool_calls"][0]["function"]
+        args = json.loads(fn["arguments"])
+        self.assertEqual(args["command"], "echo test-1")
+
+    def test_repair_noop_on_clean_args(self):
+        openai_resp = {
+            "choices": [{
+                "finish_reason": "tool_calls",
+                "message": {
+                    "tool_calls": [{
+                        "function": {"name": "Bash", "arguments": '{"command":"ls -la"}'}
+                    }],
+                },
+            }]
+        }
+        repaired, count = proxy._repair_system_prompt_leak(openai_resp)
+        self.assertEqual(count, 0)
+
+    def test_validate_rejects_leaked_args(self):
+        result = proxy._validate_tool_call_arguments(
+            "Bash",
+            '{"command":"echo test follow these rules"}',
+            {"type": "object", "properties": {"command": {"type": "string"}}, "required": ["command"]},
+            {"Bash"},
+        )
+        self.assertTrue(result.has_issue())
+        self.assertIn("leaked system prompt", result.reason)
+
+
+class TestMinimalSupplementForQwen(unittest.TestCase):
+    """Tests for model-based supplement selection."""
+
+    def _make_monitor(self):
+        return proxy.SessionMonitor()
+
+    def test_qwen_model_gets_minimal_supplement(self):
+        body = {
+            "model": "qwen3.5",
+            "messages": [{"role": "user", "content": "hello"}],
+            "tools": [{"name": "Bash", "input_schema": {"type": "object", "properties": {"command": {"type": "string"}}}}],
+        }
+        result = proxy.build_openai_request(body, self._make_monitor())
+        system_msg = result["messages"][0]["content"]
+        self.assertNotIn("agentic-protocol", system_msg)
+        self.assertIn("Use tools for all actions", system_msg)
+
+    def test_non_qwen_model_gets_full_supplement(self):
+        body = {
+            "model": "claude-3",
+            "messages": [{"role": "user", "content": "hello"}],
+            "tools": [{"name": "Bash", "input_schema": {"type": "object", "properties": {"command": {"type": "string"}}}}],
+        }
+        result = proxy.build_openai_request(body, self._make_monitor())
+        system_msg = result["messages"][0]["content"]
+        self.assertIn("agentic-protocol", system_msg)
+
+
 if __name__ == "__main__":
     unittest.main()