fix: strengthen immutability for BaseTool schema and ToolInvoker boundaries

[Aureliolo]

Closes #113

Summary

• Deep-copy at construction: BaseTool._parameters_schema now uses copy.deepcopy() before MappingProxyType wrapping, fully isolating nested structures from caller mutation
• Deep-copy on property access: parameters_schema property returns a deep copy to prevent cross-caller nested mutation
• Separated deepcopy error handling: ToolInvoker._execute_tool separates argument deep-copy into its own try-block for accurate error attribution (previously misattributed as tool execution failure)
• Strengthened tests: Added nested mutation isolation tests for both construction and property access; added parameters_schema to _MutatingTool so boundary isolation tests exercise the validation path
• Docs consistency: Removed stale (M3) tags from 5 implemented engine files in DESIGN_SPEC.md; updated immutability convention docs in CLAUDE.md and DESIGN_SPEC.md
• Docstring fixes: Fixed misleading "accepts any arguments" wording; clarified ToolExecutionResult.metadata boundary-copy scope

Test plan

• All 1784 tests pass
• 95.21% coverage (80% minimum)
• mypy strict mode clean
• ruff lint + format clean
• Pre-commit hooks pass
• Verify nested mutation isolation works end-to-end (new tests cover this)
• Verify deepcopy error attribution produces correct log event

Review coverage

Pre-reviewed by 10 agents: code-reviewer, python-reviewer, pr-test-analyzer, silent-failure-hunter, comment-analyzer, type-design-analyzer, logging-audit, resilience-audit, security-reviewer, docs-consistency. 11 findings addressed out of 12 total (1 reverted: async generator incompatible with tuple()).

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Summary by CodeRabbit

Release Notes

• New Features

  • Enhanced argument isolation for tool execution to prevent unintended mutations from affecting external state.
  • Consolidated event constants into a single module with improved organization.

• Bug Fixes

  • Added robust error handling for deep-copy failures during tool invocation with detailed error messaging.
  • Improved parameter schema immutability protection.

• Documentation

  • Updated immutability strategy documentation with clarified boundary-copy approach and frozen-state semantics.

Walkthrough

Deep-copy-at-boundary and MappingProxyType-based immutability fixes: BaseTool now deep-copies and stores a MappingProxyType-wrapped parameters schema; ToolInvoker deep-copies tool call arguments before execution and reports deepcopy failures; docs and tests updated to reflect and verify these behaviors.

Changes

Cohort / File(s)	Summary
Design & Policy CLAUDE.md, DESIGN_SPEC.md	Clarified immutability strategy: non‑Pydantic internal collections get deepcopy at construction + MappingProxyType; Pydantic frozen models rely on frozen=True with deepcopy at system boundaries; consolidated event constants and removed M3 annotations from engine listing.
Tool core src/ai_company/tools/base.py	Store parameters_schema as MappingProxyType around a deepcopy of the input; property returns a copied dict (or None) to avoid exposing internal state; adjusted docstrings/comments.
Invocation boundary src/ai_company/tools/invoker.py	Deep-copies tool_call.arguments before calling tool execution; catches deepcopy failures to emit a dedicated deepcopy error event and return an error ToolResult; handles MemoryError/RecursionError specially.
Observability src/ai_company/observability/events.py	Added TOOL_INVOKE_DEEPCOPY_ERROR event constant for deepcopy failure reporting.
Models / Docs src/ai_company/engine/prompt.py, src/ai_company/providers/models.py	Updated field descriptions and notes to state Pydantic fields are shallow-frozen (nested contents mutable) and document when boundary deep copies occur.
Tests tests/unit/tools/conftest.py, tests/unit/tools/test_base.py, tests/unit/tools/test_invoker.py	Added _MutatingTool; expanded BaseTool tests to assert construction isolation, read-only internal schema, and returned-copy isolation; added invoker tests for boundary deepcopy isolation and deepcopy-failure behavior.
Manifests requirements.txt	(manifest change reported) Updated manifest lines (minor).

Sequence Diagram(s)

sequenceDiagram
    participant Client as Client/Caller
    participant Invoker as ToolInvoker
    participant Tool as BaseTool
    participant Executor as Tool.execute()

    Client->>Invoker: invoke_all(tool_calls)
    Invoker->>Invoker: safe_args = deepcopy(tool_call.arguments)
    rect rgba(76, 175, 80, 0.5)
        Note over Invoker,Executor: Boundary isolation — tool receives safe_args copy
    end
    Invoker->>Tool: execute(safe_args)
    Tool->>Executor: implementation runs with safe_args
    Executor-->>Tool: ToolResult
    Tool-->>Invoker: ToolResult
    Invoker-->>Client: aggregated results

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• feat: implement basic tool system (registry, invocation, results) (#15) #104: Modifies BaseTool parameter schema handling and MappingProxyType usage—closely related to these construction-time immutability changes.
• feat: implement personality injection and system prompt construction #105: Introduced/modified SystemPrompt model referenced by the metadata description change in this PR.
• feat: wire all modules into observability system #97: Adds observability wiring for tool invocation events that this PR extends with a deepcopy error event.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 40.91% which is insufficient. The required threshold is 100.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main focus: strengthening immutability for BaseTool schema and ToolInvoker boundaries, directly matching the primary changes in the changeset.
Description check	✅ Passed	The description provides relevant details about deep-copy mechanisms, error handling, test improvements, and documentation updates, all related to the changeset objectives.
Linked Issues check	✅ Passed	All acceptance criteria from issue #113 are addressed: decision documented (CLAUDE.md/DESIGN_SPEC.md updated), strategy applied consistently (MappingProxyType + boundary deepcopy), advisory comments removed/updated, ToolInvoker aligned with strategy, and tests verify boundary immutability.
Out of Scope Changes check	✅ Passed	All changes directly support the core objectives: immutability enforcement in BaseTool and ToolInvoker, documentation alignment, test coverage for boundary isolation, and error instrumentation. No unrelated changes detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/mutable-containers-strategy

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the immutability guarantees within the system, particularly for BaseTool parameter schemas and ToolInvoker arguments. By implementing deep-copying at critical boundaries and leveraging MappingProxyType, it ensures that internal data structures are protected from unintended external modifications, leading to more robust and predictable tool interactions. The changes also refine error handling for argument copying and update documentation to reflect these strengthened conventions.

Highlights

• Deep-copy at construction: The BaseTool._parameters_schema now uses copy.deepcopy() before MappingProxyType wrapping, fully isolating nested structures from caller mutation.
• Deep-copy on property access: The parameters_schema property returns a deep copy to prevent cross-caller nested mutation.
• Separated deepcopy error handling: The ToolInvoker._execute_tool separates argument deep-copy into its own try-block for accurate error attribution, preventing misattribution as tool execution failure.
• Strengthened tests: Added nested mutation isolation tests for both construction and property access, and included parameters_schema to _MutatingTool to exercise the validation path.
• Docs consistency: Removed stale (M3) tags from 5 implemented engine files in DESIGN_SPEC.md and updated immutability convention docs in CLAUDE.md and DESIGN_SPEC.md.
• Docstring fixes: Fixed misleading "accepts any arguments" wording and clarified ToolExecutionResult.metadata boundary-copy scope.

Changelog

• CLAUDE.md
  • Updated immutability convention documentation to specify copy.deepcopy() at construction for non-Pydantic internal collections and copy.deepcopy() at system boundaries for Pydantic frozen models.
• DESIGN_SPEC.md
  • Updated the description of BaseTool.parameters_schema immutability strategy, detailing deep-copy at construction with MappingProxyType and deep-copy on property access.
  • Revised the "Immutability strategy" convention table entry to reflect the new deep-copy and MappingProxyType approach for BaseTool and boundary-copy for Pydantic models.
  • Removed stale (M3) tags from several engine files in the directory structure section.
• src/ai_company/engine/prompt.py
  • Removed the "treat as read-only" note from the metadata field description in SystemPrompt.
• src/ai_company/providers/models.py
  • Updated docstrings for ToolDefinition.parameters_schema and ToolCall.arguments to clarify that Pydantic's frozen=True provides shallow immutability and deep-copying is required at system boundaries for nested structures.
• src/ai_company/tools/base.py
  • Imported MappingProxyType from types.
  • Modified BaseTool.__init__ to deep-copy the parameters_schema and wrap it in MappingProxyType for internal storage.
  • Updated the parameters_schema property to return a deep copy of the internal schema, ensuring external callers receive an isolated copy.
  • Clarified the docstring for parameters_schema to indicate it's None if no schema is defined, rather than accepting "any arguments".
• src/ai_company/tools/invoker.py
  • Imported the copy module.
  • Refactored _execute_tool to introduce a separate try-except block specifically for deep-copying tool_call.arguments, allowing for distinct error attribution for deep-copy failures versus tool execution failures.
• tests/unit/tools/conftest.py
  • Added a new _MutatingTool class that modifies its arguments during execution, designed to test immutability boundaries.
  • Included _MutatingTool in the extended_invoker fixture.
• tests/unit/tools/test_base.py
  • Replaced test_schema_deep_copied_on_construction with test_schema_isolated_on_construction and test_schema_nested_isolated_on_construction to verify both top-level and nested immutability of the schema during BaseTool construction.
  • Added test_schema_internal_is_read_only to confirm that the internally stored _parameters_schema is protected by MappingProxyType.
  • Added test_schema_property_nested_mutation_isolated to ensure that nested structures returned by the parameters_schema property are also isolated from external mutation.
• tests/unit/tools/test_invoker.py
  • Added TestInvokeBoundaryIsolation class with two new tests: test_tool_receives_deep_copy_of_arguments and test_nested_mutation_does_not_leak, verifying that ToolInvoker provides deep copies of arguments to tools and that tool mutations do not affect the original ToolCall object.

Activity

• The pull request was pre-reviewed by 10 agents (code-reviewer, python-reviewer, pr-test-analyzer, silent-failure-hunter, comment-analyzer, type-design-analyzer, logging-audit, resilience-audit, security-reviewer, docs-consistency).
• 11 findings from the reviews were addressed.
• 1 finding was reverted due to incompatibility with async generators.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This is a high-quality pull request that effectively strengthens the immutability guarantees around tool schemas and execution boundaries. The use of copy.deepcopy and MappingProxyType at construction in BaseTool is a solid improvement. Separating the argument-copying logic in ToolInvoker with its own error handling significantly improves error attribution and robustness. The accompanying test additions are thorough and correctly validate the new behavior. The documentation updates are also clear and consistent with the changes. I have a couple of minor suggestions for improving code conciseness and documentation consistency.

[gemini-code-assist]

This PR does a great job of strengthening immutability and updating docstrings to reflect that. However, simply removing the (treat as read-only) note here reduces clarity about the shallow-freezing nature of Pydantic's frozen=True on collection fields. For consistency with the detailed notes added in other models (like ToolDefinition and ToolCall), consider providing a more explicit description to guide developers.

Suggested change

	description="Agent identity metadata",
	description="Agent identity metadata. This dict is shallowly frozen; do not mutate in place.",

[gemini-code-assist]

This implementation can be simplified. copy.deepcopy() correctly handles both MappingProxyType and None values, so the explicit check for None and the cast to dict() are unnecessary. A single line would be more concise and achieve the same result.

        return copy.deepcopy(self._parameters_schema)

[greptile-apps]

Greptile Summary

This PR strengthens immutability guarantees for BaseTool and ToolInvoker by deep-copying the parameters schema at construction time (wrapping it in MappingProxyType), returning deep copies on property access, and separating the argument deep-copy in ToolInvoker._execute_tool into its own try-block with a dedicated TOOL_INVOKE_DEEPCOPY_ERROR event. Documentation in CLAUDE.md and DESIGN_SPEC.md is updated to reflect the adopted convention, and five stale (M3) tags are removed.

Core implementation: Correct and sound.

• BaseTool._parameters_schema is now a MappingProxyType wrapping a deep-copied schema, and parameters_schema returns a fresh deep copy on each access — correctly preventing both top-level and nested mutation through the public API.
• ToolInvoker._execute_tool correctly isolates the deepcopy failure path from the tool execution failure path using the new TOOL_INVOKE_DEEPCOPY_ERROR event.

Findings:

• A misleading inline comment in base.py (line 115) incorrectly claims MappingProxyType cannot be deep-copied — the real reason dict() is needed is to satisfy the dict[str, Any] return type annotation.
• The deepcopy-failure tests (TestInvokeDeepcopyFailure) use a fragile call_count > 1 counter that implicitly assumes exactly one prior copy.deepcopy call. Because the global module patch intercepts all deepcopy calls, any refactoring that changes the number of calls (even in base.py) would silently shift the counter and exercise the wrong failure mode.
• test_schema_internal_is_read_only documents top-level MappingProxyType protection but does not cover or document the known gap: nested values in the private _parameters_schema remain mutable via direct access. A clarifying comment would prevent confusion about what "read-only" guarantees apply to this private attribute.

Confidence Score: 4/5

• Safe to merge — core immutability logic is correct and well-tested; findings are comment clarity and test robustness style improvements with no runtime impact.
• The production code changes are sound: deep-copy at construction, MappingProxyType wrapping, deep-copy on property access, and separated deepcopy error handling all work correctly. The dedicated TOOL_INVOKE_DEEPCOPY_ERROR event resolves the previous monitoring ambiguity. Deductions are for: (1) a misleading inline comment that could confuse maintainers about why dict() is needed; (2) brittle test counter logic in deepcopy failure tests that could silently fail during future refactors; (3) a missing clarifying comment in a test about a private attribute's immutability guarantees.
• src/ai_company/tools/base.py — the inline comment on line 115 should be corrected; tests/unit/tools/test_invoker.py — the call_count > 1 logic should be made more robust; tests/unit/tools/test_base.py — a clarifying comment should be added to test_schema_internal_is_read_only.

_{Last reviewed commit: db36d19}

[Copilot]

Pull request overview

Strengthens immutability guarantees around tool parameter schemas (BaseTool) and tool execution boundaries (ToolInvoker) to prevent nested structure mutation from leaking across callers, while updating tests and documentation to match the new conventions.

Changes:

• Deep-copies tool call arguments at the ToolInvoker execution boundary and separates deepcopy error handling from tool execution errors.
• Freezes BaseTool parameter schemas using deepcopy + MappingProxyType, and returns deep copies from the schema property.
• Adds/updates unit tests for nested mutation isolation and updates documentation to reflect the immutability strategy.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
tests/unit/tools/test_invoker.py	Adds boundary-isolation tests ensuring tool argument mutation doesn’t leak back into ToolCall.arguments.
tests/unit/tools/test_base.py	Expands schema immutability tests (construction isolation, nested isolation, read-only internal).
tests/unit/tools/conftest.py	Introduces a mutating test tool and wires it into the extended invoker fixture.
src/ai_company/tools/invoker.py	Deep-copies arguments before execute() and improves error attribution for deepcopy failures.
src/ai_company/tools/base.py	Freezes parameters_schema via MappingProxyType and returns deep copies on access; adjusts docstrings.
src/ai_company/providers/models.py	Clarifies shallow immutability notes for ToolDefinition.parameters_schema and ToolCall.arguments.
src/ai_company/engine/prompt.py	Updates field description text for SystemPrompt.metadata.
DESIGN_SPEC.md	Updates immutability convention documentation and removes stale engine milestone tags.
CLAUDE.md	Updates the documented immutability strategy for non-Pydantic vs Pydantic-frozen models.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

TOOL_INVOKE_PARAMETER_ERROR is now used for two distinct failure modes: JSON Schema validation failures (_param_error_result, logged as warning) and argument deepcopy failures here (logged as exception). This will make observability/alerting ambiguous. Consider introducing a dedicated event constant for argument copy failures (or reusing a more appropriate existing event) so dashboards can distinguish validation errors from internal boundary-copy failures.

[Copilot]

The ToolExecutionResult doc note says the model is "not forwarded to tool implementations", but tool implementations explicitly construct and return ToolExecutionResult. Consider rewording to clarify that metadata is not forwarded to LLM providers / external boundaries (and that the invoker converts this to ToolResult), rather than implying tools never see this model.

Suggested change

	``frozen=True``. This model is not forwarded to tool
	implementations or LLM providers, so no additional boundary
	copy is needed at this layer.
	``frozen=True``. Tool implementations construct and return this
	model, but it is not forwarded to LLM providers or other external
	boundaries. Instead, the invoker converts it into a provider-facing
	``ToolResult``, so no additional boundary copy is needed at this
	layer.

[Copilot]

This immutability bullet is a bit self-contradictory: it recommends copy.deepcopy() at construction for non-Pydantic collections, then ends with "Deep-copy only at system boundaries". Consider rephrasing the last sentence to explicitly scope it to Pydantic frozen models (or remove it) so readers don’t infer that construction-time deep-copies are discouraged.

Suggested change

- **Immutability**: create new objects, never mutate existing ones. For non-Pydantic internal collections (registries, `BaseTool`), use `copy.deepcopy()` at construction + `MappingProxyType` wrapping for read-only enforcement. For `dict`/`list` fields in frozen Pydantic models, rely on `frozen=True` for field reassignment prevention and `copy.deepcopy()` at system boundaries (tool execution, LLM provider serialization, inter-agent delegation). Deep-copy only at system boundaries (e.g. passing data to `tool.execute()`, serializing for persistence).

- **Immutability**: create new objects, never mutate existing ones. For non-Pydantic internal collections (registries, `BaseTool`), use `copy.deepcopy()` at construction + `MappingProxyType` wrapping for read-only enforcement. For `dict`/`list` fields in frozen Pydantic models, rely on `frozen=True` for field reassignment prevention and deep-copy those fields only at system boundaries (e.g. passing data to `tool.execute()`, LLM provider serialization, inter-agent delegation, serializing for persistence).

[Copilot]

The rationale references "PEP 814 frozendict (Python 3.15)", but PEP 814 doesn’t appear elsewhere in the repo and is likely an incorrect/placeholder citation. Consider replacing this with a verified reference (or wording it generically as a potential future frozendict in CPython) to avoid publishing misleading spec guidance.

Suggested change

| **Immutability strategy** | Adopted | `copy.deepcopy()` at construction + `MappingProxyType` wrapping for non-Pydantic internal collections (registries, `BaseTool`). For Pydantic frozen models: `frozen=True` prevents field reassignment; `copy.deepcopy()` at system boundaries (tool execution, LLM provider serialization) prevents nested mutation. No MappingProxyType inside Pydantic models (serialization friction). | Deep-copy at construction fully isolates nested structures; `MappingProxyType` enforces read-only access. Boundary-copy for Pydantic models is simple, centralized, and Pydantic-native. PEP 814 `frozendict` (Python 3.15) will provide zero-friction field-level immutability when available. |

| **Immutability strategy** | Adopted | `copy.deepcopy()` at construction + `MappingProxyType` wrapping for non-Pydantic internal collections (registries, `BaseTool`). For Pydantic frozen models: `frozen=True` prevents field reassignment; `copy.deepcopy()` at system boundaries (tool execution, LLM provider serialization) prevents nested mutation. No MappingProxyType inside Pydantic models (serialization friction). | Deep-copy at construction fully isolates nested structures; `MappingProxyType` enforces read-only access. Boundary-copy for Pydantic models is simple, centralized, and Pydantic-native. If CPython eventually exposes a standardized immutable mapping type (for example, a built-in frozendict), it can be adopted to provide zero-friction field-level immutability when available. |

[greptile-apps]

Misleading comment — MappingProxyType can be deep-copied

The inline comment # dict() needed: MappingProxyType cannot be deep-copied directly is inaccurate. In Python 3, copy.deepcopy(MappingProxyType(…)) is well-defined and returns a new MappingProxyType wrapping a deep-copied dict. The real reason dict() is needed here is to satisfy the dict[str, Any] return-type annotation — a deepcopy of a MappingProxyType would return another MappingProxyType, which mismatches the declared return type.

Suggested change

	# dict() needed: MappingProxyType cannot be deep-copied directly
	return copy.deepcopy(dict(self._parameters_schema))
	# Convert to dict first: deepcopy of MappingProxyType returns a
	# MappingProxyType, but the public API declares dict[str, Any].
	return copy.deepcopy(dict(self._parameters_schema))

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/ai_company/tools/base.py
Line: 115-116

Comment:
**Misleading comment — `MappingProxyType` *can* be deep-copied**

The inline comment `# dict() needed: MappingProxyType cannot be deep-copied directly` is inaccurate. In Python 3, `copy.deepcopy(MappingProxyType(…))` is well-defined and returns a new `MappingProxyType` wrapping a deep-copied dict. The real reason `dict()` is needed here is to satisfy the `dict[str, Any]` return-type annotation — a `deepcopy` of a `MappingProxyType` would return another `MappingProxyType`, which mismatches the declared return type.

```suggestion
        # Convert to dict first: deepcopy of MappingProxyType returns a
        # MappingProxyType, but the public API declares dict[str, Any].
        return copy.deepcopy(dict(self._parameters_schema))
```

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

Fragile call_count coupling to implementation internals

Both test_deepcopy_failure_returns_error_result (line 375: if call_count > 1) and test_recursion_error_during_deepcopy_propagates (line 404: if call_count > 1) rely on the assumption that exactly one copy.deepcopy call is made before _execute_tool's deepcopy — specifically the call inside BaseTool.parameters_schema triggered by _validate_params.

Because monkeypatch.setattr("ai_company.tools.invoker.copy.deepcopy", …) patches the copy module globally (it's a singleton), every copy.deepcopy call anywhere — including the one inside base.py — is intercepted. This means the counter is tightly coupled to the current code path: if _validate_params ever calls parameters_schema twice, if a new early-exit is added, or if the _MutatingTool fixture's schema is removed, the counter offset shifts and the test silently exercises the wrong failure mode (or never triggers the failure at all).

A more robust approach is to patch deepcopy only for the arguments object (e.g., by checking isinstance(obj, dict) and …) or to separate the two patched scopes — patch base.copy.deepcopy to a pass-through and patch invoker.copy.deepcopy to unconditionally fail, removing the counter entirely:

monkeypatch.setattr("ai_company.tools.base.copy.deepcopy", real_deepcopy)
monkeypatch.setattr("ai_company.tools.invoker.copy.deepcopy", lambda obj, memo=None: (_ for _ in ()).throw(TypeError("cannot copy")))

Prompt To Fix With AI

This is a comment left during a code review.
Path: tests/unit/tools/test_invoker.py
Line: 358-415

Comment:
**Fragile `call_count` coupling to implementation internals**

Both `test_deepcopy_failure_returns_error_result` (line 375: `if call_count > 1`) and `test_recursion_error_during_deepcopy_propagates` (line 404: `if call_count > 1`) rely on the assumption that exactly **one** `copy.deepcopy` call is made before `_execute_tool`'s deepcopy — specifically the call inside `BaseTool.parameters_schema` triggered by `_validate_params`.

Because `monkeypatch.setattr("ai_company.tools.invoker.copy.deepcopy", …)` patches the `copy` module globally (it's a singleton), every `copy.deepcopy` call anywhere — including the one inside `base.py` — is intercepted. This means the counter is tightly coupled to the current code path: if `_validate_params` ever calls `parameters_schema` twice, if a new early-exit is added, or if the `_MutatingTool` fixture's schema is removed, the counter offset shifts and the test silently exercises the wrong failure mode (or never triggers the failure at all).

A more robust approach is to patch deepcopy *only for the arguments object* (e.g., by checking `isinstance(obj, dict) and …`) or to separate the two patched scopes — patch `base.copy.deepcopy` to a pass-through and patch `invoker.copy.deepcopy` to unconditionally fail, removing the counter entirely:

```python
monkeypatch.setattr("ai_company.tools.base.copy.deepcopy", real_deepcopy)
monkeypatch.setattr("ai_company.tools.invoker.copy.deepcopy", lambda obj, memo=None: (_ for _ in ()).throw(TypeError("cannot copy")))
```

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

test_schema_internal_is_read_only only covers top-level mutation

The test correctly asserts that tool._parameters_schema["injected"] = True raises TypeError (top-level MappingProxyType enforcement). However, it does not cover the nested mutability gap: since _parameters_schema["properties"] is a plain dict, the following silently succeeds and corrupts internal state:

tool._parameters_schema["properties"]["x"]["type"] = "integer"  # No TypeError raised!

Given the PR's stated goal of strengthening immutability and the explicit test_schema_nested_isolated_on_construction / test_schema_property_nested_mutation_isolated additions, adding a clarifying comment would make the documented guarantees clear and prevent future confusion:

def test_schema_internal_is_read_only(self) -> None:
    schema = {"type": "object", "properties": {"x": {"type": "string"}}}
    tool = _ConcreteTool(name="t", parameters_schema=schema)
    with pytest.raises(TypeError):
        tool._parameters_schema["injected"] = True  # type: ignore[index]
    # Note: MappingProxyType provides only top-level protection. Nested dicts
    # in _parameters_schema remain mutable, but direct access is discouraged
    # since it's a private attribute. Public isolation is guaranteed by the
    # parameters_schema property, which returns a deep copy.

Prompt To Fix With AI

This is a comment left during a code review.
Path: tests/unit/tools/test_base.py
Line: 119-123

Comment:
**`test_schema_internal_is_read_only` only covers top-level mutation**

The test correctly asserts that `tool._parameters_schema["injected"] = True` raises `TypeError` (top-level `MappingProxyType` enforcement). However, it does not cover the nested mutability gap: since `_parameters_schema["properties"]` is a plain `dict`, the following silently succeeds and corrupts internal state:

```python
tool._parameters_schema["properties"]["x"]["type"] = "integer"  # No TypeError raised!
```

Given the PR's stated goal of strengthening immutability and the explicit `test_schema_nested_isolated_on_construction` / `test_schema_property_nested_mutation_isolated` additions, adding a clarifying comment would make the documented guarantees clear and prevent future confusion:

```python
def test_schema_internal_is_read_only(self) -> None:
    schema = {"type": "object", "properties": {"x": {"type": "string"}}}
    tool = _ConcreteTool(name="t", parameters_schema=schema)
    with pytest.raises(TypeError):
        tool._parameters_schema["injected"] = True  # type: ignore[index]
    # Note: MappingProxyType provides only top-level protection. Nested dicts
    # in _parameters_schema remain mutable, but direct access is discouraged
    # since it's a private attribute. Public isolation is guaranteed by the
    # parameters_schema property, which returns a deep copy.
```

How can I resolve this? If you propose a fix, please make it concise.

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}