Files
odysseus/tests/test_fenced_inline_args.py
T
botinate db29046e0b fix(email): close remaining email-tool registry drift; classify every email tool for plan mode
Deep self-review follow-up on #3681. Three review rounds each found another
hand-maintained copy of the email tool list that had drifted; this commit
hunts down ALL remaining copies and pins them to BUILTIN_EMAIL_TOOLS.

The same 5 tools (search_emails, draft_email, draft_email_reply,
ai_draft_email_reply, download_attachment) were missing from every
advertising surface, so they were dispatchable but never offered:

- FUNCTION_TOOL_SCHEMAS: native function-calling models never saw them
  (the round-1 fix covered dispatch only); schemas added, mirroring the
  email server's inputSchema definitions.
- TOOL_SECTIONS: fenced-block models were never told about them; prompt
  sections added.
- tool_index: absent from the RAG embedding registry (never retrievable),
  the email keyword hints, and the scheduled assistant's always-available
  set — the latter two now derive from BUILTIN_EMAIL_TOOLS.
- agent_loop._DOMAIN_TOOL_MAP["email"], tool_policy._COMMON_TOOL_NAMES,
  the assistant tool-selector UI groups (assistant.js), and the default
  Assistant crew seed (task_scheduler) now derive from / cover the set.

Plan mode now classifies every email tool explicitly:

- list_email_accounts and search_emails join PLAN_MODE_READONLY_TOOLS.
  Without this, list_email_accounts sat in the plan-mode bare denylist
  (schema-derived) while its qualified form passed the MCP read-only
  filter — and the round-2 bare/qualified alias gate would have blocked
  the qualified call too, regressing read-only email discovery in plan
  mode.
- draft_email, draft_email_reply, ai_draft_email_reply, and
  download_attachment join the fail-closed mutator backstop (drafts
  create documents; download_attachment writes to disk).

Tests: tests/test_email_registry_sync.py pins every registry (including
the email server source and assistant.js) to BUILTIN_EMAIL_TOOLS and
asserts the plan-mode partition, so the next email tool can't drift; a
parse/strip mirror grid covers 192 fence shapes (tag x header x body)
asserting executed <=> stripped.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-11 22:19:51 +02:00

167 lines
7.0 KiB
Python

"""PR #3681 — fenced tool calls with inline args, and the fence-tag boundary.
Local fenced-block models (Ollama etc.) emit calls like ```list_email_accounts {}
with the args on the same line as the tag; the parser must execute those. The
relaxed tag pattern must NOT prefix-match longer fence tags: ```python3 is a
language hint, not a "python" tool call with content "3\n...".
"""
import sys
from unittest.mock import MagicMock
for mod in ['src.agent_tools', 'src.tool_parsing', 'src.tool_schemas', 'src.tool_execution']:
sys.modules.pop(mod, None)
for mod in [
'sqlalchemy', 'sqlalchemy.orm', 'sqlalchemy.ext', 'sqlalchemy.ext.declarative',
'sqlalchemy.ext.hybrid', 'sqlalchemy.sql', 'sqlalchemy.sql.expression',
'src.database', 'core.models', 'core.database', 'core.auth'
]:
if mod not in sys.modules:
sys.modules[mod] = MagicMock()
import src.agent_tools # noqa: E402, F401
from src.tool_parsing import parse_tool_blocks, strip_tool_blocks # noqa: E402
def test_inline_args_on_tag_line_parse():
# The original bug: ```list_email_accounts {} (args on the tag line)
# never matched because the regex required a newline right after the tag.
blocks = parse_tool_blocks('```list_email_accounts {}\n```')
assert [(b.tool_type, b.content) for b in blocks] == [("list_email_accounts", "{}")]
def test_inline_json_args_parse_for_email_tools():
blocks = parse_tool_blocks('```list_emails {"max_results": 5}\n```')
assert [(b.tool_type, b.content) for b in blocks] == [("list_emails", '{"max_results": 5}')]
def test_next_line_content_still_parses():
# No regression for the classic shape: tag, newline, content.
blocks = parse_tool_blocks('```manage_memory\nadd\nsome text\n```')
assert [(b.tool_type, b.content) for b in blocks] == [("manage_memory", "add\nsome text")]
def test_plain_bash_fence_still_parses():
blocks = parse_tool_blocks('```bash\necho hello\n```')
assert [(b.tool_type, b.content) for b in blocks] == [("bash", "echo hello")]
def test_python3_language_hint_is_not_a_python_tool_call():
# ```python3 must not prefix-match the "python" fence tag — without the
# (?![\w-]) boundary it parsed as tool "python" with content "3\nprint(...)"
# and executed as code.
blocks = parse_tool_blocks('```python3\nprint("hi")\n```')
assert blocks == [], blocks
def test_hyphenated_tag_is_not_a_tool_call():
blocks = parse_tool_blocks('```bash-session\n$ ls\n```')
assert blocks == [], blocks
def test_markdown_info_string_is_not_executable_python():
# ```python title="example.py" is Markdown fence metadata, not tool args.
# Same-line content other than JSON args ({...}/[...]) must not execute —
# otherwise a fence the model meant to display runs as code.
blocks = parse_tool_blocks('```python title="example.py"\nprint("hi")\n```')
assert blocks == [], blocks
def test_markdown_info_string_is_not_executable_bash():
blocks = parse_tool_blocks('```bash title="setup"\necho hi\n```')
assert blocks == [], blocks
def test_inline_json_array_args_still_parse():
# The narrowed same-line rule must keep accepting JSON args: { or [.
blocks = parse_tool_blocks('```bulk_email {"action": "archive", "uids": [1, 2]}\n```')
assert [(b.tool_type, b.content) for b in blocks] == [
("bulk_email", '{"action": "archive", "uids": [1, 2]}')
]
def test_brace_metadata_on_bash_is_not_executable():
# ```bash {title="setup"} is a Markdown fence attribute on a real
# language. Code tags (bash/python) never take same-line args — even a
# brace-shaped info string must stay display text.
blocks = parse_tool_blocks('```bash {title="setup"}\necho hi\n```')
assert blocks == [], blocks
def test_valid_json_metadata_on_python_is_not_executable():
# Same rule when the attribute happens to BE valid JSON: the tag decides.
blocks = parse_tool_blocks('```python {"title": "example.py"}\nprint("hi")\n```')
assert blocks == [], blocks
def test_invalid_inline_json_on_email_tool_is_not_executable():
# JSON-args tools only execute same-line content that parses as JSON —
# {title="x"} is metadata/garbage, not arguments.
blocks = parse_tool_blocks('```list_emails {title="x"}\n```')
assert blocks == [], blocks
def test_inline_json_continuing_on_next_lines_still_parses():
# A JSON object opened on the tag line may close on a later line.
blocks = parse_tool_blocks('```list_emails {"folder": "INBOX",\n"max_results": 5}\n```')
assert [(b.tool_type, b.content) for b in blocks] == [
("list_emails", '{"folder": "INBOX",\n"max_results": 5}')
]
def test_brace_metadata_fences_left_intact_in_display():
# strip must mirror parse for every rejected fence shape.
for text in (
'Example:\n```bash {title="setup"}\necho hi\n```',
'Example:\n```python {"title": "example.py"}\nprint("hi")\n```',
'Example:\n```list_emails {title="x"}\n```',
):
assert strip_tool_blocks(text) == text
def test_inline_args_fence_is_stripped_from_display():
# strip must mirror parse: an executed inline-args fence must not leak
# into the displayed text.
text = 'Checking now.\n```list_email_accounts {}\n```\nDone.'
assert strip_tool_blocks(text) == 'Checking now.\n\nDone.'
def test_python3_fence_is_left_intact_in_display():
# ...and a fence that did NOT parse as a tool call must stay visible.
text = 'Example:\n```python3\nprint("hi")\n```'
assert strip_tool_blocks(text) == text
def test_markdown_info_string_fence_is_left_intact_in_display():
# strip must mirror parse for info-string fences too: not executed,
# so not stripped from the displayed text.
text = 'Example:\n```python title="example.py"\nprint("hi")\n```'
assert strip_tool_blocks(text) == text
def test_parse_strip_mirror_across_fence_shape_grid():
# Invariant for ANY single fence: either it executes AND is stripped, or
# it doesn't execute AND stays fully visible. The one allowed exception is
# an empty tool-shaped fence (no header, no body): never executed, but
# stripped as noise — pre-PR behavior, kept deliberately.
from src.agent_tools import TOOL_TAGS
tags = ["bash", "python", "list_emails", "bulk_email", "manage_memory",
"python3", "bash-session", "notatool"]
headers = ["", " ", ' title="x"', ' {title="x"}', ' {"a": 1}', " [1, 2]",
" {bad json", ' {"a": 1} extra']
bodies = ["", "content line\n", '{"k": "v"}\n']
for tag in tags:
for header in headers:
for body in bodies:
text = f"before\n```{tag}{header}\n{body}```\nafter"
blocks = parse_tool_blocks(text)
stripped = strip_tool_blocks(text)
case = (tag, header, body)
if blocks:
assert stripped == "before\n\nafter", case
elif stripped != text:
assert (
tag in TOOL_TAGS and not header.strip() and not body.strip()
), f"non-executed fence was stripped: {case}"