feat: implemented memory_isolation assertion#76
Conversation
mertsatilmaz
left a comment
mertsatilmaz
left a comment
There was a problem hiding this comment.
Thanks for the implementation. This is the right overall shape for #27: scenario validation, dispatcher wiring, evaluator logic, fixtures, and tests are all included.
Before merge, I want three cleanup items:
- Please document the new
memory_isolationassertion in the assertion/scenario docs.
Include the expected YAML shape:
expected:
memory_isolation:
forbidden_markers:
- "alice@example.com"
- "Project Falcon API key"
scope:
user_id: "bob"
session_id: "session_b"
tenant_id: "tenant_2"
and explain that the assertion fails if any forbidden marker appears in the returned trace.
- Please change the trace serialization in
evaluate_memory_isolationto preserve Unicode:
trace_text = json.dumps(trace.to_dict(), ensure_ascii=False)
Without this, non-ASCII forbidden markers may be escaped in the JSON string and missed by substring matching.
- Please document that this MVP scans the entire serialized trace, including messages, tool calls, events, and nested data. That behavior is acceptable for now, but it needs to be explicit because any occurrence of a forbidden marker anywhere in the trace will fail the assertion.
After those changes and CI passing, this looks mergeable.
- Added evaluate_memory_isolation() to assertions.py: scans the full serialised trace for forbidden_markers from expected.memory_isolation; returns fail with evidence if any marker is found, pass otherwise; includes scope metadata in pass evidence for auditability. - Added scenario validation in scenario.py: memory_isolation assertions require expected.memory_isolation.forbidden_markers to be a non-empty list of non-empty strings. - Added example scenario: scenarios/memory_isolation/cross_session_leak_001.yaml - Added example traces: memory_isolation_leak.json (fail) and memory_isolation_clean.json (pass) - Added 10 unit tests covering all pass/fail/not_run paths and dispatcher routing"
…tching - Added docs/assertions/memory-isolation.md with YAML shape, detection mechanism, and note that scope is audit-only metadata - Added ensure_ascii=False to json.dumps so non-ASCII markers are not escaped and missed by substring matching - Added comment clarifying full-trace scan covers messages, tool calls, events, and all nested data Requested in review on OWASP#27
Hi @mertsatilmaz, I've addressed all three review points:
The PR now has 2 clean commits and all 136 tests pass. Could you take another look when you get a chance? Happy to make any further changes. |
mertsatilmaz
left a comment
mertsatilmaz
left a comment
There was a problem hiding this comment.
LGTM, welcome to the team.
2 participants
Summary
Implemented the
memory_isolationassertion feature from #27.Now, the harness fails if there is data from another user, session, tenant or memory scope found in a trace, by scanning the full serialised trace for
forbidden_markersas defined in the scenario.Changes
src/agent_harness/assertions.pyevaluate_memory_isolation(scenario, trace)— serialises the entire trace to JSON and scans for each forbidden marker as a substring; reports all leaked markers in evidencememory_isolationin theevaluate_assertions()dispatchersrc/agent_harness/scenario.pymemory_isolationassertions: requiresexpected.memory_isolation.forbidden_markersto be a non-empty list of non-empty stringsscenarios/memory_isolation/cross_session_leak_001.yamlexamples/traces/memory_isolation_leak.json— failing trace (foreign markers present in messages and events)memory_isolation_clean.json— passing trace (no foreign markers)tests/test_assertions.pynot_runon missing/empty config, scope in pass evidence, graceful skip of non-string markers, dispatcher routingCloses #27
Test results
New tests (memory_isolation):
Full suite: 136 passed in 3.48s — no regressions.