docs: clean up three stale comments from the #32848 audit (#45638)

* docs: clean up three stale comments from the #32848 audit

- tools/memory_tool.py:20 — 'read' action was intentionally removed
  but the docstring still listed it. Now matches the schema.
- tools/fuzzy_match.py:9 — unicode_normalized was added but the
  chain-count docstring still said '8-strategy'. Now says '9'.
- run_agent.py:1485 — 'See #<TBD>.' placeholder was never filled in.
  Replaced with a backfill note.

Fixes #32848 (parts 3, 4, and 12)

* docs(memory): also remove stray memory(action=read) references in lines 144 and 201

The original #32848 audit fix (in 6fd661d6) only addressed line 20
(the action list in the module docstring), but the action was
referenced in two other places:

- tools/memory_tool.py:144 — in a class docstring, claimed
  'memory(action=read)' was a way to SEE poisoned entries
- tools/memory_tool.py:201 — in a user-facing warning message,
  told the user to 'use memory(action=read) to inspect'

Since the schema on line 683 only allows add/replace/remove, both
references were misleading: the first claimed a way to inspect
poisoned entries that doesn't exist, the second would error out
when the user followed the warning.

This commit removes both references:
- Line 144: '...keep the original text so the user can still SEE
  poisoned entries by inspecting the source files directly, and
  remove them — silently dropping them would hide the attack
  from the user.'
- Line 201: '...use memory(action=remove) to delete the
  original. (drop the read-action reference)'

Followup to the previous commit on this branch.

---------

Co-authored-by: KeyArgo <keyargo@argobox.com>
KeyArgo 2026-06-19 17:09:30 -06:00 committed by GitHub
parent d799284b15
commit 1e40b21b2e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 5 additions and 6 deletions

@ -1528,7 +1528,7 @@ class AIAgent:
a raw ``tool`` message and the next user turn lands as
``...tool, user, user`` a protocol-invalid sequence that most
providers silently reject (returns empty content), causing the
empty-retry loop to fire forever. See #<TBD>.
empty-retry loop to fire forever. (issue number to be backfilled once filed)
"""
# Pass 1: strip the flagged scaffolding messages themselves.
dropped_scaffolding = False
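
Review bot: On the "empty-retry loop to fire forever." line, the new parenthetical "(issue number to be backfilled once filed)" is still a placeholder, only a wordier one than "See #<TBD>.", so the stale-comment finding this commit closes will come back at the next audit. Either file the issue and cite its number here, or drop the parenthetical and let the docstring's description of the "...tool, user, user" sequence stand on its own.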

@ -6,7 +6,7 @@ Implements a multi-strategy matching chain to robustly find and replace text,
accommodating variations in whitespace, indentation, and escaping common
in LLM-generated code.
The 8-strategy chain (inspired by OpenCode), tried in order:
The 9-strategy chain (inspired by OpenCode), tried in order:
1. Exact match - Direct string comparison
2. Line-trimmed - Strip leading/trailing whitespace per line
3. Whitespace normalized - Collapse multiple spaces/tabs to single space
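
Review bot: The hard-coded count in "The 9-strategy chain" is the thing that went stale last time and will again when a strategy is added or removed. The hunk shows only items 1 to 3, so please confirm the numbered list below really has nine entries, including unicode_normalized. Consider dropping the number ("The strategy chain (inspired by OpenCode), tried in order:") so the list itself is the only thing to keep in sync.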

@ -17,7 +17,7 @@ Entry delimiter: § (section sign). Entries can be multiline.
Character limits (not tokens) because char counts are model-independent.
Design:
- Single `memory` tool with action parameter: add, replace, remove, read
- Single `memory` tool with action parameter: add, replace, remove
- replace/remove use short unique substring matching (not full text or IDs)
- Behavioral guidance lives in the tool schema description
- Frozen snapshot pattern: system prompt is stable, tool responses show live state
@ -141,8 +141,7 @@ class MemoryStore:
The live ``memory_entries`` / ``user_entries`` lists keep the
original text so the user can still SEE poisoned entries via
``memory(action=read)`` and remove them silently dropping them
would hide the attack from the user.
see poisoned entries by inspecting the source files directly, and remove them silently dropping them would hide the attack from the user.
Scanning is deterministic from disk bytes, so the snapshot remains
stable for the entire session (prefix-cache invariant holds).
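
Review bot: In the MemoryStore docstring, the header's 8-to-7 line count only works out if "original text so the user can still SEE poisoned entries via" is unchanged context, and the new line directly below it starts "see poisoned entries by inspecting the source files directly"; if so, the docstring now reads "...SEE poisoned entries via see poisoned entries by inspecting...". Rewrite the preceding line together with the new one, wrap the new text to the docstring's width, and say which source files are meant, since this is now the only inspection path the docstring offers for a poisoned entry.
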
@ -198,7 +197,7 @@ class MemoryStore:
sanitized.append(
f"[BLOCKED: {filename} entry contained threat pattern(s): "
f"{', '.join(findings)}. Removed from system prompt; "
f"use memory(action=read) to inspect and memory(action=remove) "
f"use memory(action=remove) "
f"to delete the original.]"
)
else:
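
Review bot: The BLOCKED message now tells the user to call memory(action=remove) but no longer gives any way to look at the entry first, and the design notes in the first hunk of this file say replace/remove use short unique substring matching, so the user needs the entry text to pick a substring. The class docstring in the previous hunk points to inspecting the source files directly; say the same in this message, for example "inspect {filename} on disk, then use memory(action=remove) to delete the original", and check that {filename} alone is enough for the user to locate the file.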