Add untrusted-context boundaries for retrieved docs, skills, memories, and tool output

[Akane-CN]

Reference scanned

Odysseus pewdiepie-archdaemon/odysseus@f6b0dcb.

Code evidence:

• src/prompt_security.py: global untrusted-context policy and untrusted_context_message() wrapper.
• src/chat_processor.py: wraps pinned/retrieved memory, documents, web search results, page content, and skill indexes as untrusted user-role data.
• src/agent_loop.py: treats user-editable skills as untrusted rather than concatenating them into trusted system prompt.
• Tests include prompt-injection/security regressions around skills and document scope.

Why this matters for Melix

Any content retrieved from local files, web, memory, skills, logs, or tools can contain instructions. Melix should make the trust boundary explicit in prompt construction and receipts, rather than relying on informal prompt wording.

In scope

• Standard wrapper for untrusted source data with source type/id and boundary markers.
• Policy that untrusted content is data only and cannot override system/developer/operator instructions.
• Ensure retrieved docs, memories, skills, tool output, web content, and local source integrations use the wrapper.
• Receipt exposes trusted vs untrusted segments.

Out of scope

• Claiming prompt injection is solved by a wrapper alone.
• Preventing user-authored trusted system/developer instructions when intentionally configured.

Verification

• Regression tests where malicious skill/document/memory asks the model to reveal secrets or call tools.
• Prompt assembly tests confirm untrusted content never enters trusted system role.
• Receipt includes source count and trust labels.

[Akane-CN]

Reference-watch note: fail-closed type boundaries for untrusted inputs

Design principle: untrusted local content and tool outputs should fail closed on unexpected types before URL checks, path checks, document parsing, tool-block parsing, or skill extraction run.

Melix-specific goal: pair the untrusted-context wrapper with low-level type guards so malformed retrieved documents, tool results, log names, URLs, and skill payloads become typed rejections instead of crashes or accidental trust-boundary bypasses.

Measurable target: prompt/context assembly tests cover truthy non-string URLs, non-string paths, non-string document titles/content, non-string tool blocks, and non-dict skill payloads; receipts record invalid_untrusted_input_type with source type/id and no tool execution side effect.

Next executable slice: add a shared UntrustedValue validation helper and retrofit the document, URL, path, tool-parse, and skill-ingest entrypoints with fail-closed tests before expanding the wrapper surface.

[Akane-CN]

Watch-log follow-up: writable tool access should be workspace-scoped by default

• Design principle: read/write/edit tools need a concrete workspace root boundary, not just broad allowlists, so local agents can work productively without turning arbitrary filesystem paths into writable targets.
• Melix-specific goal: make agent/workflow tools resolve relative paths inside the active project workspace, reject escapes after symlink/realpath normalization, and preserve sensitive-path deny rules even inside the workspace.
• Measurable target: add fixtures for relative paths, absolute in-workspace paths, .. traversal, symlink escapes, case-normalized containment on macOS, and sensitive filenames; target write/edit refusal before any file mutation when containment fails.
• Next executable slice: introduce a shared WorkspacePathResolver for local-job and agent tools, then make write/edit/read receipts include workspace_root, resolved_path, and refusal_reason when blocked.

[Akane-CN]

Watch finding: owner-scoped retrieved data and tool surfaces

Design principle: local-first assistants need ownership checks at every wrapper boundary, not only at the top-level route. Retrieved documents, upload endpoints, note/tool actions, scheduled-task chains, media endpoints, and API-token contexts should all fail closed when the effective owner or privilege does not match.

Melix-specific goal: extend the untrusted-context boundary work so each retrieved/tool-provided segment carries an owner/privilege receipt and cross-owner data cannot be linked into prompts, tool actions, or background continuations by ID prefix, shared endpoint URL, or pseudo-user token state.

Measurable target: security fixtures cover document upload privilege, RAG owner propagation, API-token-vs-browser route gates, note/tool ID-prefix updates, scheduled-task chaining, and media endpoint selection. Receipts should show owner_scope_checked = true, privilege = ..., and typed refusal reasons without exposing hidden identifiers.

Next executable slice: add an owner-scope test matrix for Melix retrieval/tool entrypoints, starting with document ingestion and background job chaining, then require prompt-construction receipts to show owner scope for every untrusted segment.

[Zigfreidish]

Completed the first deterministic Python worker slice in PR #1905:

• deterministic agentic tool arguments and fixture payloads now fail closed on non-string untrusted values
• failed observations include typed invalid_untrusted_input_type details with source, field, actual type, and corrective action
• layout_parse.detail_level and image_crop.purpose are covered after review, alongside URL/page/text/image/status/layout/crop/local-compute fixture paths
• docs/unified-agentic-tool-runtime-contract.md and docs/plans/2026-06-07-issue-1761-untrusted-tool-boundaries.md record the boundary and verification evidence

Follow-up #1761 work remains for owner-scoped retrieval, workspace path resolution, prompt assembly wrappers, skill/memory entrypoints, and background-job surfaces.

[Zigfreidish]

Merged #1912 for the selected corpus boundary slice.

Covered:

• selected text/image corpus containers must be JSON lists before fixture filtering/projection
• selected corpus rows must be JSON objects before source metadata projection
• unsupported retrieved corpus keys fail before defaulting to document metadata
• contract docs and slice plan updated

Verification:

• focused agentic tool tests: 3 passed
• full agentic tool test file: 41 passed
• changed-line coverage: 100.00% (29/29)
• make swift-test
• make py-test
• make integration-test
• PR-scoped performance report: Status ok, regressions 0
• Remote PR checks: pr-evidence, pr-scoped-performance, and ci-pr succeeded

[Zigfreidish]

Merged #1921 as the workspace path resolver slice.\n\nCovered:\n- shared Python worker WorkspacePathResolver and receipt fields\n- relative and absolute in-workspace resolution\n- traversal and symlink escape rejection after realpath normalization\n- default credential filename blocking with opt-in extra sensitive filenames\n- contract and plan docs for future read/write/edit tool integration\n\nVerification:\n- focused resolver pytest: 5 passed\n- changed-line coverage: 100.00% (97/97)\n- full local pre-commit gate: make swift-test, make py-test, make integration-test\n- PR scoped performance: Status ok, regressions 0\n- Remote performance report: Status ok, regressions 0\n\nFollow-up remains under #1761: wire the resolver into concrete read/write/edit tools, local-job mutation hooks, prompt assembly receipts, skill/memory entrypoints, and owner-scoped retrieval/tool boundaries.

[Zigfreidish]

This was generated by AI during triage.

Agent Brief

Category: enhancement
Summary: Continue untrusted-context hardening by wiring existing boundary primitives into concrete retrieval, tool, and prompt surfaces.

Current behavior:
Recent #1761 slices added deterministic invalid-type rejection, selected corpus boundary checks, and a shared workspace path resolver primitive. The remaining risk is that concrete read/write/edit tools, prompt assembly, skill/memory entrypoints, background jobs, and owner-scoped retrieval paths may not all consume those primitives consistently.

Desired behavior:
All untrusted local content and tool output entering prompts or tool execution should carry explicit boundary handling. Unexpected types, cross-owner data, path escapes, sensitive filenames, and unsupported wrapper shapes should fail closed before prompt assembly or file mutation. Receipts should make the boundary decision visible without exposing hidden identifiers or private content.

Key interfaces:

• Untrusted value/type boundary: rejects malformed retrieved docs, tool observations, URLs, paths, skill payloads, and selected corpus rows before use.
• Workspace path resolver: shared path containment and sensitive-filename gate for read/write/edit and local-job mutation surfaces.
• Owner-scope checks: confirm effective owner/privilege on retrieved data, tool IDs, uploads, media endpoints, and background continuations.
• Prompt assembly receipts: record boundary status for each untrusted segment included or refused.

Acceptance criteria:

• Concrete read/write/edit tools use the workspace path resolver before opening or mutating files.
• Prompt construction records boundary receipts for retrieved docs, skills, memories, and tool output.
• Owner-scoped retrieval/tool fixtures reject cross-owner IDs, shared endpoint URL collisions, and mismatched token privilege.
• Background-job continuation cannot link cross-owner retrieved data or tool output into a session.
• Invalid wrapper types and unsupported keys fail closed with typed receipt reasons.
• Tests prove no refused segment is included in the final prompt or mutation path.

Out of scope:

• Relaxing workspace containment rules for convenience.
• Copying private prompt bodies into receipts or diagnostics.
• Broad redesign of agent planning unrelated to untrusted-context boundaries.