feat(context): enhance timeout handling, tenant isolation, and budget management

- Added timeout enforcement for token counting, scoring, and compression with detailed error handling. - Introduced tenant isolation in context caching using project and agent identifiers. - Enhanced budget management with stricter checks for critical context overspending and buffer limitations. - Optimized per-context locking with cleanup to prevent memory leaks in concurrent environments. - Updated default assembly timeout settings for improved performance and reliability. - Improved XML escaping in Claude adapter for safety against injection attacks. - Standardized token estimation using model-specific ratios.
2026-01-04 15:52:50 +01:00
parent 2bea057fb1
commit 1628eacf2b
10 changed files with 271 additions and 175 deletions
--- a/backend/app/services/context/adapters/claude.py
+++ b/backend/app/services/context/adapters/claude.py
@@ -94,12 +94,13 @@ class ClaudeAdapter(ModelAdapter):

    def _format_system(self, contexts: list[BaseContext]) -> str:
        """Format system contexts."""
-        content = "\n\n".join(c.content for c in contexts)
+        # System prompts are typically admin-controlled, but escape for safety
+        content = "\n\n".join(self._escape_xml_content(c.content) for c in contexts)
        return f"<system_instructions>\n{content}\n</system_instructions>"

    def _format_task(self, contexts: list[BaseContext]) -> str:
        """Format task contexts."""
-        content = "\n\n".join(c.content for c in contexts)
+        content = "\n\n".join(self._escape_xml_content(c.content) for c in contexts)
        return f"<current_task>\n{content}\n</current_task>"

    def _format_knowledge(self, contexts: list[BaseContext]) -> str:
@@ -107,12 +108,14 @@ class ClaudeAdapter(ModelAdapter):
        Format knowledge contexts as structured documents.

        Each knowledge context becomes a document with source attribution.
+        All content is XML-escaped to prevent injection attacks.
        """
        parts = ["<reference_documents>"]

        for ctx in contexts:
            source = self._escape_xml(ctx.source)
-            content = ctx.content
+            # Escape content to prevent XML injection
+            content = self._escape_xml_content(ctx.content)
            score = ctx.metadata.get("score", ctx.metadata.get("relevance_score", ""))

            if score:
@@ -131,13 +134,16 @@ class ClaudeAdapter(ModelAdapter):
        Format conversation contexts as message history.

        Uses role-based message tags for clear turn delineation.
+        All content is XML-escaped to prevent prompt injection.
        """
        parts = ["<conversation_history>"]

        for ctx in contexts:
-            role = ctx.metadata.get("role", "user")
+            role = self._escape_xml(ctx.metadata.get("role", "user"))
+            # Escape content to prevent prompt injection via fake XML tags
+            content = self._escape_xml_content(ctx.content)
            parts.append(f'<message role="{role}">')
-            parts.append(ctx.content)
+            parts.append(content)
            parts.append("</message>")

        parts.append("</conversation_history>")
@@ -148,19 +154,23 @@ class ClaudeAdapter(ModelAdapter):
        Format tool contexts as tool results.

        Each tool result is wrapped with the tool name.
+        All content is XML-escaped to prevent injection.
        """
        parts = ["<tool_results>"]

        for ctx in contexts:
-            tool_name = ctx.metadata.get("tool_name", "unknown")
+            tool_name = self._escape_xml(ctx.metadata.get("tool_name", "unknown"))
            status = ctx.metadata.get("status", "")

            if status:
-                parts.append(f'<tool_result name="{tool_name}" status="{status}">')
+                parts.append(
+                    f'<tool_result name="{tool_name}" status="{self._escape_xml(status)}">'
+                )
            else:
                parts.append(f'<tool_result name="{tool_name}">')

-            parts.append(ctx.content)
+            # Escape content to prevent injection
+            parts.append(self._escape_xml_content(ctx.content))
            parts.append("</tool_result>")

        parts.append("</tool_results>")
@@ -176,3 +186,21 @@ class ClaudeAdapter(ModelAdapter):
            .replace('"', "&quot;")
            .replace("'", "&apos;")
        )
+
+    @staticmethod
+    def _escape_xml_content(text: str) -> str:
+        """
+        Escape XML special characters in element content.
+
+        This prevents XML injection attacks where malicious content
+        could break out of XML tags or inject fake tags for prompt injection.
+
+        Only escapes &, <, > since quotes don't need escaping in content.
+
+        Args:
+            text: Content text to escape
+
+        Returns:
+            XML-safe content string
+        """
+        return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")