@miller-tech/uap 1.20.7 → 1.20.9

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@miller-tech/uap",
-  "version": "1.20.7",
+  "version": "1.20.9",
   "description": "Autonomous AI agent memory system with CLAUDE.md protocol enforcement",
   "type": "module",
   "main": "dist/index.js",

package/tools/agents/scripts/anthropic_proxy.py

@@ -51,7 +51,7 @@ Configuration (Environment Variables)
 
     PROXY_CONTEXT_PRUNE_THRESHOLD   Fraction of context window at which
                                     conversation pruning activates (0.0-1.0)
-                                    Default: 0.75
+                                    Default: 0.85
 
 Usage
 -----
@@ -113,10 +113,10 @@ PROXY_UPSTREAM_RETRY_DELAY_SECS = float(os.environ.get("PROXY_UPSTREAM_RETRY_DEL
 PROXY_MAX_CONNECTIONS = int(os.environ.get("PROXY_MAX_CONNECTIONS", "20"))
 PROXY_CONTEXT_WINDOW = int(os.environ.get("PROXY_CONTEXT_WINDOW", "0"))
 PROXY_CONTEXT_PRUNE_THRESHOLD = float(
-    os.environ.get("PROXY_CONTEXT_PRUNE_THRESHOLD", "0.75")
+    os.environ.get("PROXY_CONTEXT_PRUNE_THRESHOLD", "0.85")
 )
 PROXY_CONTEXT_PRUNE_TARGET_FRACTION = float(
-    os.environ.get("PROXY_CONTEXT_PRUNE_TARGET_FRACTION", "0.65")
+    os.environ.get("PROXY_CONTEXT_PRUNE_TARGET_FRACTION", "0.50")
 )
 PROXY_LOOP_BREAKER = os.environ.get("PROXY_LOOP_BREAKER", "on").lower() not in {
     "0",
@@ -277,6 +277,12 @@ PROXY_FORCED_TOOL_DAMPENER_AUTO_TURNS = int(
 PROXY_FORCED_TOOL_DAMPENER_REJECTIONS = int(
     os.environ.get("PROXY_FORCED_TOOL_DAMPENER_REJECTIONS", "2")
 )
+PROXY_TOOL_STARVATION_THRESHOLD = int(
+    os.environ.get("PROXY_TOOL_STARVATION_THRESHOLD", "5")
+)
+PROXY_CONTEXT_HIGH_RELAXATION_THRESHOLD = float(
+    os.environ.get("PROXY_CONTEXT_HIGH_RELAXATION_THRESHOLD", "0.70")
+)
 PROXY_SESSION_CONTAMINATION_BREAKER = os.environ.get(
     "PROXY_SESSION_CONTAMINATION_BREAKER", "on"
 ).lower() not in {
@@ -609,6 +615,7 @@ class SessionMonitor:
     loop_warnings_emitted: int = 0  # How many loop warnings sent to the model
     no_progress_streak: int = 0  # Forced tool turns without new tool_result
     unexpected_end_turn_count: int = 0  # end_turn without tool_use in active loop
+    tool_starvation_streak: int = 0  # Consecutive forced turns with no tool_calls produced
     malformed_tool_streak: int = 0  # consecutive malformed pseudo tool payloads
     invalid_tool_call_streak: int = 0  # consecutive invalid tool arg payloads
     required_tool_miss_streak: int = 0  # required tool turns with no tool call
@@ -1626,8 +1633,14 @@ _AGENTIC_SYSTEM_SUPPLEMENT_CLEAN = (
     "</agentic-protocol>"
 )
 
+_AGENTIC_SYSTEM_SUPPLEMENT_MINIMAL = (
+    "\n\nUse tools for all actions. Respond with tool calls, not descriptions of what to do."
+)
+
 if PROXY_AGENTIC_SUPPLEMENT_MODE == "legacy":
     _AGENTIC_SYSTEM_SUPPLEMENT = _AGENTIC_SYSTEM_SUPPLEMENT_LEGACY
+elif PROXY_AGENTIC_SUPPLEMENT_MODE == "minimal":
+    _AGENTIC_SYSTEM_SUPPLEMENT = _AGENTIC_SYSTEM_SUPPLEMENT_MINIMAL
 elif PROXY_AGENTIC_SUPPLEMENT_MODE == "clean":
     _AGENTIC_SYSTEM_SUPPLEMENT = _AGENTIC_SYSTEM_SUPPLEMENT_CLEAN
 else:
@@ -2112,19 +2125,26 @@ def build_openai_request(
     has_tools = _has_tool_definitions(anthropic_body)
 
     # Inject agentic protocol instructions only for tool-enabled turns.
+    # Use minimal supplement for qwen models to reduce prompt leak surface.
     if has_tools:
+        model_name = anthropic_body.get("model", "").lower()
+        supplement = (
+            _AGENTIC_SYSTEM_SUPPLEMENT_MINIMAL
+            if "qwen" in model_name and PROXY_AGENTIC_SUPPLEMENT_MODE != "legacy"
+            else _AGENTIC_SYSTEM_SUPPLEMENT
+        )
         if (
             openai_body["messages"]
             and openai_body["messages"][0].get("role") == "system"
         ):
-            openai_body["messages"][0]["content"] += _AGENTIC_SYSTEM_SUPPLEMENT
+            openai_body["messages"][0]["content"] += supplement
         else:
             # No system message from the client; inject one.
             openai_body["messages"].insert(
                 0,
                 {
                     "role": "system",
-                    "content": _AGENTIC_SYSTEM_SUPPLEMENT.strip(),
+                    "content": supplement.strip(),
                 },
             )
         if profile_prompt_suffix:
@@ -2266,6 +2286,29 @@ def build_openai_request(
             last_user_has_tool_result,
         )
 
+        # TOOL STARVATION BREAKER: if model repeatedly fails to produce tool
+        # calls despite required, strip tools to let it generate text and break
+        # the forcing loop.
+        if (
+            monitor.consecutive_forced_count >= PROXY_TOOL_STARVATION_THRESHOLD
+            and _last_assistant_was_text_only(anthropic_body)
+        ):
+            openai_body.pop("tool_choice", None)
+            openai_body.pop("tools", None)
+            monitor.tool_starvation_streak += 1
+            monitor.consecutive_forced_count = 0
+            monitor.no_progress_streak = 0
+            monitor.reset_tool_turn_state(reason="tool_starvation_breaker")
+            logger.warning(
+                "TOOL STARVATION BREAKER: stripped tools after %d forced turns with no tool output (starvation_streak=%d)",
+                PROXY_TOOL_STARVATION_THRESHOLD,
+                monitor.tool_starvation_streak,
+            )
+            # Skip all further tool_choice logic — no tools this turn
+            if PROXY_DISABLE_THINKING_ON_TOOL_TURNS:
+                openai_body["enable_thinking"] = False
+            return openai_body
+
         # Check if forced-tool dampener or loop breaker should override tool_choice
         if monitor.consume_forced_auto_turn():
             openai_body["tool_choice"] = "auto"
@@ -2345,6 +2388,23 @@ def build_openai_request(
             if not has_tool_results:
                 monitor.reset_tool_turn_state(reason="no_tool_results")
 
+        # CONTEXT-AWARE RELAXATION: when context utilization is high and
+        # tool_choice was forced to required, relax to auto to let the model
+        # emit shorter text responses instead of consuming more tokens.
+        if openai_body.get("tool_choice") == "required":
+            ctx_utilization = (
+                monitor.last_input_tokens / monitor.context_window
+                if monitor.context_window > 0
+                else 0.0
+            )
+            if ctx_utilization >= PROXY_CONTEXT_HIGH_RELAXATION_THRESHOLD:
+                openai_body["tool_choice"] = "auto"
+                logger.warning(
+                    "CONTEXT-AWARE RELAXATION: tool_choice=auto (utilization=%.1f%% >= %.0f%% threshold)",
+                    ctx_utilization * 100,
+                    PROXY_CONTEXT_HIGH_RELAXATION_THRESHOLD * 100,
+                )
+
         if PROXY_DISABLE_THINKING_ON_TOOL_TURNS:
             openai_body["enable_thinking"] = False
             logger.info(
@@ -2754,6 +2814,145 @@ def _sanitize_garbled_tool_calls(openai_resp: dict) -> bool:
     return True
 
 
+# Distinctive phrases from the agentic system supplement that Qwen3.5 leaks
+# into tool call arguments.  Keep lowercase for case-insensitive matching.
+_SYSTEM_PROMPT_LEAK_MARKERS = (
+    "agentic-protocol",
+    "agentic coding loop",
+    "follow these rules",
+    "function signatures within",
+    "provided with function signatures",
+    "you are provided with function",
+    "call one or more functions",
+    "xml tags:",
+    "do not summarize the issue",
+    "you must call a tool",
+    "proceed immediately to make the fix",
+    "do not ask for permission or confirmation",
+    "do not give up after one failure",
+    "emit a valid tool call object",
+    "never output protocol fragments",
+    "never emit literal tag artifacts",
+    "use tools for concrete work",
+    "stopping at analysis",
+    # Client system prompt phrases that also leak into tool args
+    "only produce a final text response without tool calls",
+    "the entire task is fully complete",
+    "always use tools to read, edit, write",
+    "after reading files and identifying an issue",
+    "do not output raw protocol tags",
+    "valid tool call with strict json",
+    "return exactly one valid tool call",
+    "invalid tool call format",
+)
+
+
+def _contains_system_prompt_leak(value) -> bool:
+    """Check if any string leaf in *value* contains system prompt fragments."""
+    for text in _iter_string_leaves(value):
+        lowered = text.lower()
+        if any(marker in lowered for marker in _SYSTEM_PROMPT_LEAK_MARKERS):
+            return True
+    return False
+
+
+def _find_earliest_leak_position(text: str) -> int | None:
+    """Return the character index where the first system prompt leak starts, or None."""
+    lowered = text.lower()
+    earliest = None
+    for marker in _SYSTEM_PROMPT_LEAK_MARKERS:
+        idx = lowered.find(marker)
+        if idx != -1 and (earliest is None or idx < earliest):
+            earliest = idx
+    return earliest
+
+
+def _repair_system_prompt_leak(openai_resp: dict) -> tuple[dict, int]:
+    """Strip system prompt leak fragments from tool call argument values.
+
+    Truncates string values at the first detected leak marker.
+    Returns (possibly-mutated response, repair count).
+    """
+    if not _openai_has_tool_calls(openai_resp):
+        return openai_resp, 0
+
+    choice, message = _extract_openai_choice(openai_resp)
+    tool_calls = message.get("tool_calls") or []
+    if not tool_calls:
+        return openai_resp, 0
+
+    repaired_tool_calls = []
+    repaired_count = 0
+
+    for tool_call in tool_calls:
+        fn = tool_call.get("function") if isinstance(tool_call, dict) else {}
+        if not isinstance(fn, dict):
+            fn = {}
+
+        raw_args = fn.get("arguments", "{}")
+        if isinstance(raw_args, dict):
+            parsed_args = dict(raw_args)
+        else:
+            try:
+                parsed_args = json.loads(str(raw_args))
+            except json.JSONDecodeError:
+                repaired_tool_calls.append(tool_call)
+                continue
+
+        if not isinstance(parsed_args, dict):
+            repaired_tool_calls.append(tool_call)
+            continue
+
+        changed = False
+        cleaned_args = {}
+        for key, val in parsed_args.items():
+            if isinstance(val, str):
+                pos = _find_earliest_leak_position(val)
+                if pos is not None and pos > 0:
+                    cleaned_args[key] = val[:pos].rstrip()
+                    changed = True
+                    logger.warning(
+                        "PROMPT LEAK REPAIR: tool=%s field=%s truncated at pos=%d",
+                        fn.get("name", "?"),
+                        key,
+                        pos,
+                    )
+                elif pos == 0:
+                    # Entire value is leaked content — clear it
+                    cleaned_args[key] = ""
+                    changed = True
+                else:
+                    cleaned_args[key] = val
+            else:
+                cleaned_args[key] = val
+
+        if not changed:
+            repaired_tool_calls.append(tool_call)
+            continue
+
+        new_tool_call = dict(tool_call)
+        new_fn = dict(fn)
+        new_fn["arguments"] = json.dumps(cleaned_args, separators=(",", ":"))
+        new_tool_call["function"] = new_fn
+        repaired_tool_calls.append(new_tool_call)
+        repaired_count += 1
+
+    if repaired_count > 0:
+        repaired_response = dict(openai_resp)
+        repaired_choice = dict(choice)
+        repaired_message = dict(message)
+        repaired_message["tool_calls"] = repaired_tool_calls
+        repaired_choice["message"] = repaired_message
+        repaired_response["choices"] = [repaired_choice]
+        logger.warning(
+            "PROMPT LEAK REPAIR: repaired %d tool call(s)",
+            repaired_count,
+        )
+        return repaired_response, repaired_count
+
+    return openai_resp, 0
+
+
 def _tool_schema_map_from_anthropic_body(anthropic_body: dict) -> dict[str, dict]:
     schema_map: dict[str, dict] = {}
     for tool in anthropic_body.get("tools", []) or []:
@@ -3305,6 +3504,16 @@ def _validate_tool_call_arguments(
             ),
         )
 
+    if _contains_system_prompt_leak(parsed):
+        return ToolResponseIssue(
+            kind="invalid_tool_args",
+            reason=f"arguments for '{tool_name}' contain leaked system prompt fragments",
+            retry_hint=(
+                f"Emit exactly one `{tool_name}` tool call with only the requested arguments. "
+                "Do not include any system instructions or protocol text in argument values."
+            ),
+        )
+
     if _contains_required_placeholder(parsed):
         return ToolResponseIssue(
             kind="invalid_tool_args",
@@ -3860,7 +4069,8 @@ async def _apply_malformed_tool_guardrail(
             working_resp, anthropic_body
         )
         working_resp, bash_repairs = _repair_bash_command_artifacts(working_resp)
-        repair_count = markup_repairs + required_repairs + bash_repairs
+        working_resp, leak_repairs = _repair_system_prompt_leak(working_resp)
+        repair_count = markup_repairs + required_repairs + bash_repairs + leak_repairs
 
     required_tool_choice = openai_body.get("tool_choice") == "required"
     has_tool_calls = _openai_has_tool_calls(working_resp)
@@ -3949,8 +4159,11 @@ async def _apply_malformed_tool_guardrail(
             retry_working, retry_bash_repairs = _repair_bash_command_artifacts(
                 retry_working
             )
+            retry_working, retry_leak_repairs = _repair_system_prompt_leak(
+                retry_working
+            )
             retry_repairs = (
-                retry_markup_repairs + retry_required_repairs + retry_bash_repairs
+                retry_markup_repairs + retry_required_repairs + retry_bash_repairs + retry_leak_repairs
             )
 
         working_resp = retry_working

package/tools/agents/tests/test_anthropic_proxy_streaming.py

@@ -3027,6 +3027,183 @@ class TestToolTurnTemperature(unittest.TestCase):
         self.assertEqual(result["temperature"], 0.8)
 
 
+class TestSystemPromptLeakDetection(unittest.TestCase):
+    """Tests for detecting and repairing system prompt leaks in tool args."""
+
+    def test_detects_agentic_protocol_leak(self):
+        self.assertTrue(proxy._contains_system_prompt_leak(
+            {"command": "echo test call one or more functions to assist"}
+        ))
+
+    def test_detects_follow_rules_leak(self):
+        self.assertTrue(proxy._contains_system_prompt_leak(
+            {"command": "ls Follow these rules: 1. Use tools"}
+        ))
+
+    def test_detects_xml_tags_leak(self):
+        self.assertTrue(proxy._contains_system_prompt_leak(
+            {"command": "echo function signatures within <tools></tools> XML tags:"}
+        ))
+
+    def test_clean_args_not_flagged(self):
+        self.assertFalse(proxy._contains_system_prompt_leak(
+            {"command": "echo hello world"}
+        ))
+        self.assertFalse(proxy._contains_system_prompt_leak(
+            {"file_path": "/home/user/test.py"}
+        ))
+
+    def test_find_earliest_leak_position(self):
+        text = "echo test-1 call one or more functions to assist"
+        pos = proxy._find_earliest_leak_position(text)
+        self.assertIsNotNone(pos)
+        self.assertEqual(text[:pos].strip(), "echo test-1")
+
+    def test_find_no_leak_returns_none(self):
+        self.assertIsNone(proxy._find_earliest_leak_position("echo hello"))
+
+    def test_repair_truncates_at_leak(self):
+        openai_resp = {
+            "choices": [{
+                "finish_reason": "tool_calls",
+                "message": {
+                    "tool_calls": [{
+                        "function": {
+                            "name": "Bash",
+                            "arguments": '{"command":"echo test-1 call one or more functions to assist"}'
+                        }
+                    }],
+                },
+            }]
+        }
+        repaired, count = proxy._repair_system_prompt_leak(openai_resp)
+        self.assertEqual(count, 1)
+        fn = repaired["choices"][0]["message"]["tool_calls"][0]["function"]
+        args = json.loads(fn["arguments"])
+        self.assertEqual(args["command"], "echo test-1")
+
+    def test_repair_noop_on_clean_args(self):
+        openai_resp = {
+            "choices": [{
+                "finish_reason": "tool_calls",
+                "message": {
+                    "tool_calls": [{
+                        "function": {"name": "Bash", "arguments": '{"command":"ls -la"}'}
+                    }],
+                },
+            }]
+        }
+        repaired, count = proxy._repair_system_prompt_leak(openai_resp)
+        self.assertEqual(count, 0)
+
+    def test_validate_rejects_leaked_args(self):
+        result = proxy._validate_tool_call_arguments(
+            "Bash",
+            '{"command":"echo test follow these rules"}',
+            {"type": "object", "properties": {"command": {"type": "string"}}, "required": ["command"]},
+            {"Bash"},
+        )
+        self.assertTrue(result.has_issue())
+        self.assertIn("leaked system prompt", result.reason)
+
+
+class TestMinimalSupplementForQwen(unittest.TestCase):
+    """Tests for model-based supplement selection."""
+
+    def _make_monitor(self):
+        return proxy.SessionMonitor()
+
+    def test_qwen_model_gets_minimal_supplement(self):
+        body = {
+            "model": "qwen3.5",
+            "messages": [{"role": "user", "content": "hello"}],
+            "tools": [{"name": "Bash", "input_schema": {"type": "object", "properties": {"command": {"type": "string"}}}}],
+        }
+        result = proxy.build_openai_request(body, self._make_monitor())
+        system_msg = result["messages"][0]["content"]
+        self.assertNotIn("agentic-protocol", system_msg)
+        self.assertIn("Use tools for all actions", system_msg)
+
+    def test_non_qwen_model_gets_full_supplement(self):
+        body = {
+            "model": "claude-3",
+            "messages": [{"role": "user", "content": "hello"}],
+            "tools": [{"name": "Bash", "input_schema": {"type": "object", "properties": {"command": {"type": "string"}}}}],
+        }
+        result = proxy.build_openai_request(body, self._make_monitor())
+        system_msg = result["messages"][0]["content"]
+        self.assertIn("agentic-protocol", system_msg)
+
+
+class TestToolStarvationBreaker(unittest.TestCase):
+    """Tests for tool-call starvation breaker."""
+
+    def _make_body_with_tools(self):
+        return {
+            "model": "qwen3.5",
+            "messages": [
+                {"role": "user", "content": "hello"},
+                {"role": "assistant", "content": "I will help you."},
+                {"role": "user", "content": [{"type": "tool_result", "tool_use_id": "x", "content": "ok"}]},
+            ],
+            "tools": [{"name": "Bash", "input_schema": {"type": "object", "properties": {"command": {"type": "string"}}}}],
+        }
+
+    def test_starvation_breaker_strips_tools(self):
+        monitor = proxy.SessionMonitor()
+        monitor.consecutive_forced_count = proxy.PROXY_TOOL_STARVATION_THRESHOLD
+        body = self._make_body_with_tools()
+        result = proxy.build_openai_request(body, monitor)
+        self.assertNotIn("tools", result)
+        self.assertNotIn("tool_choice", result)
+        self.assertEqual(monitor.tool_starvation_streak, 1)
+
+    def test_no_starvation_below_threshold(self):
+        monitor = proxy.SessionMonitor()
+        monitor.consecutive_forced_count = proxy.PROXY_TOOL_STARVATION_THRESHOLD - 1
+        body = self._make_body_with_tools()
+        result = proxy.build_openai_request(body, monitor)
+        self.assertIn("tools", result)
+
+
+class TestContextAwareRelaxation(unittest.TestCase):
+    """Tests for context-aware tool_choice relaxation."""
+
+    def test_relaxes_at_high_utilization(self):
+        monitor = proxy.SessionMonitor()
+        monitor.context_window = 100000
+        monitor.last_input_tokens = 75000  # 75% > 70% threshold
+        body = {
+            "model": "qwen3.5",
+            "messages": [
+                {"role": "user", "content": "hello"},
+                {"role": "assistant", "content": "text only"},
+                {"role": "user", "content": [{"type": "tool_result", "tool_use_id": "x", "content": "ok"}]},
+            ],
+            "tools": [{"name": "Bash", "input_schema": {"type": "object", "properties": {"command": {"type": "string"}}}}],
+        }
+        result = proxy.build_openai_request(body, monitor)
+        # Should be auto, not required
+        self.assertEqual(result.get("tool_choice"), "auto")
+
+    def test_no_relaxation_below_threshold(self):
+        monitor = proxy.SessionMonitor()
+        monitor.context_window = 100000
+        monitor.last_input_tokens = 50000  # 50% < 70%
+        body = {
+            "model": "qwen3.5",
+            "messages": [
+                {"role": "user", "content": "hello"},
+                {"role": "assistant", "content": "text only"},
+                {"role": "user", "content": [{"type": "tool_result", "tool_use_id": "x", "content": "ok"}]},
+            ],
+            "tools": [{"name": "Bash", "input_schema": {"type": "object", "properties": {"command": {"type": "string"}}}}],
+        }
+        result = proxy.build_openai_request(body, monitor)
+        # Should still be required (state machine forces it)
+        self.assertEqual(result.get("tool_choice"), "required")
+
+
 if __name__ == "__main__":
     unittest.main()