chore(memory): add metadata for trust

Author: bgagent

agent/src/models.py

@@ -3,7 +3,7 @@
 from __future__ import annotations
 
 from enum import StrEnum
-from typing import Self
+from typing import Literal, Self
 
 from pydantic import BaseModel, ConfigDict, Field, model_validator
 
@@ -52,6 +52,11 @@ class MemoryContext(BaseModel):
     past_episodes: list[str] = Field(default_factory=list)
 
 
+# Trust classification for content sources — mirrors ContentTrustLevel in context-hydration.ts.
+# 'trusted': user-supplied input, 'untrusted-external': GitHub-sourced content,
+# 'memory': memory records.
+ContentTrustLevel = Literal["trusted", "untrusted-external", "memory"]
+
 # Bump when this agent supports a new orchestrator HydratedContext shape
 # (see cdk/src/handlers/shared/context-hydration.ts).
 SUPPORTED_HYDRATED_CONTEXT_VERSION = 1
@@ -73,6 +78,7 @@ class HydratedContext(BaseModel):
     guardrail_blocked: str | None = None
     resolved_branch_name: str | None = None
     resolved_base_branch: str | None = None
+    content_trust: dict[str, ContentTrustLevel] | None = None
 
     @model_validator(mode="after")
     def version_supported(self) -> Self:

agent/tests/test_models.py

@@ -201,6 +201,47 @@ def test_extra_top_level_forbidden(self):
                 }
             )
 
+    def test_content_trust_none_by_default(self):
+        hc = HydratedContext(user_prompt="Fix bug")
+        assert hc.content_trust is None
+
+    def test_content_trust_accepted(self):
+        hc = HydratedContext(
+            user_prompt="Fix bug",
+            content_trust={"issue": "untrusted-external", "task_description": "trusted"},
+        )
+        assert hc.content_trust == {"issue": "untrusted-external", "task_description": "trusted"}
+
+    def test_content_trust_with_memory(self):
+        hc = HydratedContext(
+            user_prompt="Fix bug",
+            content_trust={"memory": "memory", "task_description": "trusted"},
+        )
+        assert hc.content_trust is not None
+        assert hc.content_trust["memory"] == "memory"
+
+    def test_content_trust_round_trip(self):
+        data = {
+            "version": 1,
+            "user_prompt": "Do the thing",
+            "sources": ["issue", "memory"],
+            "content_trust": {
+                "issue": "untrusted-external",
+                "memory": "memory",
+            },
+        }
+        hc = HydratedContext.model_validate(data)
+        assert hc.content_trust == {"issue": "untrusted-external", "memory": "memory"}
+
+    def test_content_trust_invalid_value_rejected(self):
+        with pytest.raises(ValidationError):
+            HydratedContext.model_validate(
+                {
+                    "user_prompt": "Fix bug",
+                    "content_trust": {"issue": "invalid-trust-level"},
+                }
+            )
+
 
 class TestTaskConfig:
     def test_required_fields(self):

cdk/src/handlers/shared/context-hydration.ts

@@ -89,6 +89,19 @@ export interface GitHubPullRequestContext {
   readonly issue_comments: IssueComment[];
 }
 
+/**
+ * Trust classification for content sources in the hydrated context.
+ * - 'trusted': authenticated user input (task_description — screened by guardrail at
+ *   submission, additionally sanitized during prompt assembly). Lower risk than external
+ *   sources but not exempt from defense-in-depth sanitization.
+ * - 'untrusted-external': GitHub issues, PR bodies/comments (attacker-controllable,
+ *   sanitized + guardrail screened). Some PR sub-fields are not sanitized:
+ *   diff_hunk and diff_summary (code/patch content in markdown code blocks),
+ *   path (file paths), head_ref and base_ref (branch names).
+ * - 'memory': memory records (sanitized, integrity-hashed)
+ */
+export type ContentTrustLevel = 'trusted' | 'untrusted-external' | 'memory';
+
 /**
  * The result of the context hydration pipeline.
  */
@@ -104,6 +117,7 @@ export interface HydratedContext {
   readonly guardrail_blocked?: string;
   readonly resolved_branch_name?: string;
   readonly resolved_base_branch?: string;
+  readonly content_trust?: Readonly<Record<string, ContentTrustLevel>>;
 }
 
 // ---------------------------------------------------------------------------
@@ -860,6 +874,44 @@ export function assemblePrIterationPrompt(
   return parts.join('\n');
 }
 
+// ---------------------------------------------------------------------------
+// Content trust classification
+// ---------------------------------------------------------------------------
+
+/**
+ * Build the content_trust record from the sources list.
+ * Maps each source to its trust classification:
+ * - 'issue', 'pull_request' → 'untrusted-external'
+ * - 'memory' → 'memory'
+ * - 'task_description' → 'trusted'
+ * Unknown sources default to 'untrusted-external' (fail-safe).
+ */
+export function buildContentTrust(sources: string[]): Record<string, ContentTrustLevel> {
+  const trust: Record<string, ContentTrustLevel> = {};
+  for (const source of sources) {
+    switch (source) {
+      case 'issue':
+      case 'pull_request':
+        trust[source] = 'untrusted-external';
+        break;
+      case 'memory':
+        trust[source] = 'memory';
+        break;
+      case 'task_description':
+        trust[source] = 'trusted';
+        break;
+      default:
+        logger.warn('Unknown content source — defaulting to untrusted-external', {
+          source,
+          metric_type: 'unknown_content_source',
+        });
+        trust[source] = 'untrusted-external';
+        break;
+    }
+  }
+  return trust;
+}
+
 // ---------------------------------------------------------------------------
 // Main hydration pipeline
 // ---------------------------------------------------------------------------
@@ -964,13 +1016,15 @@ export async function hydrateContext(task: TaskRecord, options?: HydrateContextO
           task_id: task.task_id, pr_number: task.pr_number, task_type: task.task_type,
         });
         const fallbackPrompt = assembleUserPrompt(task.task_id, task.repo, undefined, task.task_description);
+        const fallbackSources = task.task_description ? ['task_description'] : [];
         return {
           version: 1,
           user_prompt: fallbackPrompt,
-          sources: task.task_description ? ['task_description'] : [],
+          sources: fallbackSources,
           token_estimate: estimateTokens(fallbackPrompt),
           truncated: false,
           fallback_error: `Failed to fetch PR #${task.pr_number} context from GitHub`,
+          content_trust: buildContentTrust(fallbackSources),
         };
       }
 
@@ -1067,6 +1121,7 @@ export async function hydrateContext(task: TaskRecord, options?: HydrateContextO
         sources,
         token_estimate: estimateTokens(userPrompt),
         truncated,
+        content_trust: buildContentTrust(sources),
         ...(guardrailBlocked && { guardrail_blocked: guardrailBlocked }),
       };
 
@@ -1096,6 +1151,7 @@ export async function hydrateContext(task: TaskRecord, options?: HydrateContextO
       sources,
       token_estimate: tokenEstimate,
       truncated: budgetResult.truncated,
+      content_trust: buildContentTrust(sources),
       ...(guardrailBlocked && { guardrail_blocked: guardrailBlocked }),
     };
   } catch (err) {
@@ -1120,13 +1176,15 @@ export async function hydrateContext(task: TaskRecord, options?: HydrateContextO
       metric_type: 'hydration_infra_failure',
     });
     const fallbackPrompt = assembleUserPrompt(task.task_id, task.repo, undefined, task.task_description);
+    const fallbackSources = task.task_description ? ['task_description'] : [];
     return {
       version: 1,
       user_prompt: fallbackPrompt,
-      sources: task.task_description ? ['task_description'] : [],
+      sources: fallbackSources,
       token_estimate: estimateTokens(fallbackPrompt),
       truncated: false,
       fallback_error: err instanceof Error ? err.message : String(err),
+      content_trust: buildContentTrust(fallbackSources),
     };
   }
 }

cdk/src/handlers/shared/orchestrator.ts

@@ -268,6 +268,7 @@ export async function hydrateAndTransition(task: TaskRecord, blueprintConfig?: B
         pr_number: task.pr_number,
         sources: hydratedContext.sources,
         token_estimate: hydratedContext.token_estimate,
+        ...(hydratedContext.content_trust && { content_trust: hydratedContext.content_trust }),
       });
     } catch (eventErr) {
       logger.error('Failed to emit guardrail_blocked event', {
@@ -352,6 +353,7 @@ export async function hydrateAndTransition(task: TaskRecord, blueprintConfig?: B
     truncated: hydratedContext.truncated,
     prompt_version: promptVersion,
     has_memory_context: !!hydratedContext.memory_context,
+    ...(hydratedContext.content_trust && { content_trust: hydratedContext.content_trust }),
     ...(hydratedContext.fallback_error && { fallback_error: hydratedContext.fallback_error }),
   });
   return payload;

cdk/test/handlers/orchestrate-task.test.ts

@@ -139,6 +139,7 @@ describe('hydrateAndTransition', () => {
     sources: ['task_description'],
     token_estimate: 20,
     truncated: false,
+    content_trust: { task_description: 'trusted' },
   };
 
   test('transitions to HYDRATING and returns payload with hydrated_context', async () => {
@@ -198,6 +199,7 @@ describe('hydrateAndTransition', () => {
     expect(guardrailEvent.metadata.pr_number).toBe(10);
     expect(guardrailEvent.metadata.sources).toEqual(['task_description']);
     expect(guardrailEvent.metadata.token_estimate).toBe(20);
+    expect(guardrailEvent.metadata.content_trust).toEqual({ task_description: 'trusted' });
   });
 
   test('still throws guardrail error when emitTaskEvent fails during guardrail_blocked handling', async () => {
@@ -232,6 +234,7 @@ describe('hydrateAndTransition', () => {
     expect(metadata.sources).toEqual(['task_description']);
     expect(metadata.token_estimate).toBe(20);
     expect(metadata.truncated).toBe(false);
+    expect(metadata.content_trust).toEqual({ task_description: 'trusted' });
   });
 });
 
@@ -422,6 +425,7 @@ describe('hydrateAndTransition with blueprint config', () => {
     sources: ['task_description'],
     token_estimate: 20,
     truncated: false,
+    content_trust: { task_description: 'trusted' },
   };
 
   test('includes system_prompt_overrides in payload when blueprint config has them', async () => {
@@ -707,6 +711,7 @@ describe('hydrateAndTransition — memory and prompt version', () => {
     sources: ['task_description'],
     token_estimate: 20,
     truncated: false,
+    content_trust: { task_description: 'trusted' },
   };
 
   test('passes memoryId to hydrateContext', async () => {
@@ -733,6 +738,7 @@ describe('hydrateAndTransition — memory and prompt version', () => {
       ...mockHydratedContextBase,
       memory_context: { repo_knowledge: ['test'], past_episodes: [] },
       sources: ['task_description', 'memory'],
+      content_trust: { task_description: 'trusted', memory: 'memory' },
     });
     await hydrateAndTransition(baseTask as any);
 
@@ -743,6 +749,7 @@ describe('hydrateAndTransition — memory and prompt version', () => {
     const metadata = putCalls[0][0].input.Item.metadata;
     expect(metadata.has_memory_context).toBe(true);
     expect(metadata.prompt_version).toBe('abc123def456');
+    expect(metadata.content_trust).toEqual({ task_description: 'trusted', memory: 'memory' });
   });
 
   test('stores prompt_version on task record via DDB UpdateCommand', async () => {