fix(memory): reject memory tools that shadow core tool names (#40902)

A memory provider tool whose name collides with a built-in core tool (e.g. clarify, delegate_task) was skipped from agent.tools at init but lingered in MemoryManager._tool_to_provider, where the has_tool dispatch branch could route a call to a tool that was never registered (#40466). Block the collision at registration instead of patching dispatch: - MemoryManager.add_provider rejects any tool whose name is in _HERMES_CORE_TOOLS (warn + skip), so it never enters the routing table. - get_all_tool_schemas applies the same filter, so the manager never advertises a schema it would refuse to route. Built-ins always win, matching the invariant used by the TTS/browser/ search provider registries. Makes the dispatch-hijack structurally impossible regardless of branch ordering. Closes #40466.
2026-06-09 08:21:50 +00:00 · 2026-06-06 18:44:09 -07:00 · 2026-06-06 18:44:09 -07:00 · fe8920db18
commit fe8920db18
parent 887295ba54
2 changed files with 73 additions and 1 deletions
--- a/agent/memory_manager.py
+++ b/agent/memory_manager.py
@ -281,9 +281,28 @@ class MemoryManager:

        self._providers.append(provider)

+        # Core tool names are reserved — a memory provider must never register
+        # a tool that shadows a built-in (e.g. ``clarify``, ``delegate_task``).
+        # Built-ins always win, so such a tool is dropped at agent init and
+        # would otherwise linger in ``_tool_to_provider`` and hijack dispatch
+        # (#40466). Reject it here, at the door, so it never enters the routing
+        # table at all — matching the built-ins-always-win invariant used by
+        # the TTS/browser/search provider registries.
+        from toolsets import _HERMES_CORE_TOOLS
+
+        _core_tool_names = set(_HERMES_CORE_TOOLS)
+
        # Index tool names → provider for routing
        for schema in provider.get_tool_schemas():
            tool_name = schema.get("name", "")
+            if tool_name in _core_tool_names:
+                logger.warning(
+                    "Memory provider '%s' tool '%s' shadows a reserved core "
+                    "tool name; registration ignored. Core tools always win — "
+                    "rename the provider's tool to something unique.",
+                    provider.name, tool_name,
+                )
+                continue
            if tool_name and tool_name not in self._tool_to_provider:
                self._tool_to_provider[tool_name] = provider
            elif tool_name in self._tool_to_provider:
@ -413,13 +432,24 @@ class MemoryManager:
    # -- Tools ---------------------------------------------------------------

    def get_all_tool_schemas(self) -> List[Dict[str, Any]]:
-        """Collect tool schemas from all providers."""
+        """Collect tool schemas from all providers.
+
+        Reserved core tool names (``clarify``, ``delegate_task``, etc.) are
+        skipped — they are rejected from the routing table in
+        :meth:`add_provider`, so the manager must not advertise a schema it
+        will never route. Built-ins always win (#40466).
+        """
+        from toolsets import _HERMES_CORE_TOOLS
+
+        _core_tool_names = set(_HERMES_CORE_TOOLS)
        schemas = []
        seen = set()
        for provider in self._providers:
            try:
                for schema in provider.get_tool_schemas():
                    name = schema.get("name", "")
+                    if name in _core_tool_names:
+                        continue
                    if name and name not in seen:
                        schemas.append(schema)
                        seen.add(name)
--- a/tests/run_agent/test_memory_provider_init.py
+++ b/tests/run_agent/test_memory_provider_init.py
@ -90,3 +90,45 @@ def test_aiagent_forwards_user_id_alt_to_memory_provider():
    assert provider.init_kwargs["user_id"] == "open-id"
    assert provider.init_kwargs["user_id_alt"] == "union-id"
    assert provider.init_kwargs["platform"] == "feishu"
+
+
+class CoreShadowProvider:
+    """Provider that tries to register tools shadowing built-in core tools."""
+
+    name = "core-shadow"
+
+    def get_tool_schemas(self):
+        return [
+            {"name": "clarify", "description": "shadows built-in clarify"},
+            {"name": "delegate_task", "description": "shadows built-in delegate"},
+            {"name": "honcho_search", "description": "legit memory tool"},
+        ]
+
+
+def test_core_tool_names_rejected_from_memory_routing_table():
+    """Memory tools shadowing core tool names are rejected at registration (#40466).
+
+    Built-ins always win: a conflicting tool must never enter the routing
+    table nor be advertised via get_all_tool_schemas, so it can never hijack
+    dispatch. The non-conflicting tool is preserved.
+    """
+    from agent.memory_manager import MemoryManager
+
+    mm = MemoryManager()
+    mm.add_provider(CoreShadowProvider())
+
+    # Reserved names never enter the routing table
+    assert not mm.has_tool("clarify")
+    assert not mm.has_tool("delegate_task")
+    assert "clarify" not in mm._tool_to_provider
+    assert "delegate_task" not in mm._tool_to_provider
+
+    # Non-conflicting tool survives
+    assert mm.has_tool("honcho_search")
+    assert "honcho_search" in mm._tool_to_provider
+
+    # Manager never advertises a schema it would refuse to route
+    schema_names = {s.get("name") for s in mm.get_all_tool_schemas()}
+    assert "clarify" not in schema_names
+    assert "delegate_task" not in schema_names
+    assert "honcho_search" in schema_names