fix: final batch — MCP names, zombies, vision hardening, test isolation (Buckets S+T)#7654
Merged
Conversation
YAML parses bare numeric keys (e.g. `12306:`) as int, causing TypeError when sorted() is called on mixed int/str collections.

Changes:
- Normalize toolset_names entries to str in _get_platform_tools()
- Cast MCP server name to str(name) when building enabled_mcp_servers
- Add regression test
…kill enumeration
process_registry.py: _reader_loop() has process.wait() after the try-except
block (line 380). If the reader thread crashes with an unexpected exception
(e.g. MemoryError, KeyboardInterrupt), control exits the except handler but
skips wait() — leaving the child as a zombie process. Move wait() and the
cleanup into a finally block so the child is always reaped.
cron/scheduler.py: _run_job_script() only redacts secrets in stdout on the
SUCCESS path (line 417-421). When a cron script fails (non-zero exit), both
stdout and stderr are returned WITHOUT redaction (lines 407-413). A script
that accidentally prints an API key to stderr during a failure would leak it
into the LLM context. Move redaction before the success/failure branch so
both paths benefit.
skill_commands.py: _build_skill_message() enumerates supporting files using
rglob("*") but only checks is_file() (line 171) without filtering symlinks.
PR #6693 added symlink protection to scan_skill_commands() but missed this
function. A malicious skill can create symlinks in references/ pointing to
arbitrary files, exposing their paths (and potentially content via skill_view)
to the LLM. Add is_symlink() check to match the guard in scan_skill_commands.
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
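The process_registry.py part of the commit above describes a reader thread whose `wait()` sits after the try/except, so an exit path that does not fall through leaves the child unreaped. The following is an added example, not the project's `_reader_loop()` (which is not shown on the page): `run_reader`, `ReaderCrash`, `crash_on_first_line` and `was_reaped` are assumed names, and the child process is a constructed two-line printer. It runs the same loop in both shapes and checks whether the child was reaped.

```python
import subprocess
import sys
import threading


class ReaderCrash(BaseException):
    """Constructed stand-in for a failure that is not an Exception subclass
    (MemoryError and KeyboardInterrupt are the real-world cases)."""


def _spawn_child():
    # Constructed child process: prints two lines and exits 0.
    return subprocess.Popen(
        [sys.executable, "-c", "print('line 1'); print('line 2')"],
        stdout=subprocess.PIPE,
        stderr=subprocess.DEVNULL,
        text=True,
    )


def run_reader(on_line, reap_in_finally):
    """Spawn a child, drain its stdout on a thread, and return the Popen.

    reap_in_finally=False has the buggy shape: wait() sits after the
    try/except, so any exit that does not fall through (a BaseException
    escaping the loop, or an error raised inside the except handler) skips
    the reap and leaves a zombie.  reap_in_finally=True has the fixed shape.
    """
    proc = _spawn_child()

    def _reader_loop_buggy():
        try:
            for line in proc.stdout:
                on_line(line)
        except Exception:
            pass  # only Exception subclasses land here
        proc.stdout.close()
        proc.wait()  # never reached when ReaderCrash escapes the loop above

    def _reader_loop_fixed():
        try:
            for line in proc.stdout:
                on_line(line)
        except Exception:
            pass
        finally:
            # Runs on every exit path, including a BaseException escaping
            # the loop or a failure inside the except handler.
            proc.stdout.close()
            proc.wait()

    target = _reader_loop_fixed if reap_in_finally else _reader_loop_buggy
    thread = threading.Thread(target=target, daemon=True)
    thread.start()
    thread.join(timeout=10)
    return proc


def crash_on_first_line(line):
    """on_line callback that fails like an unexpected non-Exception error."""
    raise ReaderCrash(line)


def was_reaped(proc):
    """True once wait() has run: returncode is only set when the child is
    reaped, so None here means the exited child is still a zombie."""
    return proc.returncode is not None


if __name__ == "__main__":
    buggy = run_reader(crash_on_first_line, reap_in_finally=False)
    print("buggy shape reaped child:", was_reaped(buggy))
    buggy.stdout.close()
    buggy.wait()  # clean up the zombie the demo just produced
    fixed = run_reader(crash_on_first_line, reap_in_finally=True)
    print("finally shape reaped child:", was_reaped(fixed))
```

The thread's traceback for `ReaderCrash` is printed by `threading.excepthook` in both runs; the difference is only whether `wait()` still executed. The same `finally` also covers the case the commit mentions where the `except` handler itself raises (for example while logging).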
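The cron/scheduler.py part of the commit above is an ordering bug: redaction applied only on the success branch. The following added example (not the project's `_run_job_script()`; `build_redactor`, `run_job_script_buggy`, `run_job_script_fixed` and `run_demo` are assumed names, and the job script and `FAKE_KEY` are constructed) runs a failing job that prints its key to stderr through both shapes, so the leak in the pre-fix ordering and its absence after moving redaction ahead of the branch can be checked directly.

```python
import os
import re
import subprocess
import sys

# Constructed credential for the demo; not a real key.
FAKE_KEY = "sk-constructed-demo-key-0123456789abcdef"

# Constructed failing job: prints the key to stderr while dying, exits 1.
FAILING_JOB = [
    sys.executable, "-c",
    "import os, sys; "
    "sys.stderr.write('auth failed for key ' + os.environ['DEMO_API_KEY'] + '\\n'); "
    "sys.exit(1)",
]


def build_redactor(secret_values):
    """Return a callable that masks every known secret value in a string.
    Assumed shape: the scheduler's real redaction helper is not on the page."""
    values = sorted({v for v in secret_values if v and len(v) >= 8},
                    key=len, reverse=True)
    if not values:
        return lambda text: text
    pattern = re.compile("|".join(re.escape(v) for v in values))
    return lambda text: pattern.sub("[REDACTED]", text)


def run_job_script_buggy(cmd, env, redact):
    """Pre-fix shape: redaction only on the success path."""
    proc = subprocess.run(cmd, env=env, capture_output=True, text=True)
    if proc.returncode != 0:
        # Raw stdout and stderr go straight into the result (and so into
        # whatever context the result is fed to).
        return {"ok": False,
                "output": f"exit {proc.returncode}\nstdout:\n{proc.stdout}stderr:\n{proc.stderr}"}
    return {"ok": True, "output": redact(proc.stdout)}


def run_job_script_fixed(cmd, env, redact):
    """Fixed shape: redact both streams before the success/failure branch."""
    proc = subprocess.run(cmd, env=env, capture_output=True, text=True)
    stdout, stderr = redact(proc.stdout), redact(proc.stderr)
    if proc.returncode != 0:
        return {"ok": False,
                "output": f"exit {proc.returncode}\nstdout:\n{stdout}stderr:\n{stderr}"}
    return {"ok": True, "output": stdout}


def run_demo(runner):
    """Run the constructed failing job through the given runner shape."""
    env = {**os.environ, "DEMO_API_KEY": FAKE_KEY}
    redact = build_redactor([env["DEMO_API_KEY"]])
    return runner(FAILING_JOB, env, redact)


if __name__ == "__main__":
    print("buggy:", run_demo(run_job_script_buggy)["output"])
    print("fixed:", run_demo(run_job_script_fixed)["output"])
```

Redacting immediately after the process returns, before any branching, is the shape that stays correct when another branch (timeout, signal, partial output) is added later.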
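For the skill_commands.py part of the commit above, the point is that `is_file()` follows symlinks, so an `rglob("*")` filtered only by `is_file()` reports a link to any file on disk as a skill file. The following added example is not the project's `_build_skill_message()`; `enumerate_supporting_files` and `build_demo_skill` are assumed names and the skill directory is a constructed fixture. Besides the `is_symlink()` guard the commit adds, it goes one step further and drops any entry whose resolved path lies outside the skill directory, which also covers a symlinked directory that older `rglob()` implementations may descend into.

```python
import os
import tempfile
from pathlib import Path


def enumerate_supporting_files(skill_dir, guard=True):
    """List supporting files under <skill_dir>/references, relative to skill_dir.

    guard=False reproduces the pre-fix shape: rglob("*") filtered only by
    is_file().  is_file() follows symlinks, so a link to a file anywhere on
    disk is reported as if it were part of the skill.

    guard=True skips symlinks (the commit's fix) and additionally drops any
    entry that resolves outside the skill directory (assumed extra layer).
    """
    skill_dir = Path(skill_dir)
    skill_root = skill_dir.resolve()
    found = []
    for path in (skill_dir / "references").rglob("*"):
        if guard and path.is_symlink():
            continue  # same guard as scan_skill_commands()
        if not path.is_file():
            continue
        if guard and not path.resolve().is_relative_to(skill_root):
            continue  # resolved target escaped the skill tree
        found.append(path.relative_to(skill_dir).as_posix())
    return sorted(found)


def build_demo_skill(root):
    """Constructed fixture: a skill whose references/ holds two real files and
    a symlink pointing at a file outside the skill tree."""
    root = Path(root)
    outside = root / "outside-secret.txt"
    outside.write_text("constructed file outside the skill\n")
    skill = root / "demo-skill"
    (skill / "references" / "nested").mkdir(parents=True)
    (skill / "references" / "guide.md").write_text("# guide\n")
    (skill / "references" / "nested" / "notes.txt").write_text("notes\n")
    os.symlink(outside, skill / "references" / "escape.txt")
    return skill


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        skill = build_demo_skill(tmp)
        print("pre-fix:", enumerate_supporting_files(skill, guard=False))
        print("fixed:  ", enumerate_supporting_files(skill))
```

The `is_symlink()` check has to run before `is_file()`: once a link is followed, the target looks like an ordinary file and the fact that it was a link is gone.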
vision_tools.py: _download_image() loads the full HTTP response body into memory via response.content (line 190) with no Content-Length check and no max file size limit. An attacker-hosted multi-gigabyte file causes OOM. Add a 50 MB hard cap: check Content-Length header before download, and verify actual body size before writing to disk.

hermes_parser.py: tc_data["name"] at line 57 raises KeyError when the LLM outputs a tool call JSON without a "name" field. The outer except catches it silently, causing the entire tool call to be lost with zero diagnostics. Add "name" field validation before constructing the ChatCompletionMessage.

mistral_parser.py: tc["name"] at line 101 has the same KeyError issue in the pre-v11 format path. The fallback decoder (line 112) already checks "name" correctly, but the primary path does not. Add validation to match.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
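The vision_tools.py part of the commit above calls for two checks: the declared Content-Length before the download, and the real body size during it. The following added example is not the project's `_download_image()`; `download_image_bounded`, `ImageTooLarge` and `FakeStreamingResponse` are assumed names, and the response object is a constructed stand-in exposing `headers` and `iter_content()` like a `requests.Response` would. It shows why both checks are needed: the header is supplied by the remote server and can be absent, malformed, or smaller than the body that actually arrives.

```python
MAX_IMAGE_BYTES = 50 * 1024 * 1024  # 50 MB hard cap, as in the commit


class ImageTooLarge(ValueError):
    """Raised when the download would exceed the configured cap."""


class FakeStreamingResponse:
    """Constructed stand-in for an HTTP response: headers plus a streaming
    iter_content(chunk_size).  The body is allowed to disagree with the
    declared Content-Length, to model a lying or missing header."""

    def __init__(self, body, headers=None):
        self._body = body
        self.headers = headers or {}
        self.chunks_read = 0  # lets a caller see whether the body was touched

    def iter_content(self, chunk_size=65536):
        for i in range(0, len(self._body), chunk_size):
            self.chunks_read += 1
            yield self._body[i:i + chunk_size]


def download_image_bounded(response, max_bytes=MAX_IMAGE_BYTES, chunk_size=65536):
    """Return the body bytes, refusing anything over max_bytes.

    1. Pre-flight: reject on the declared Content-Length before reading a
       single byte, so an honest oversized response costs nothing.
    2. Enforce while streaming: the header may be missing, malformed, or
       lower than the real body, so count bytes as they arrive and abort
       the moment the running total passes the cap.  Nothing is written to
       disk or handed onward until the whole body has passed the check.
    """
    declared = response.headers.get("Content-Length")
    if declared is not None:
        try:
            declared_len = int(declared)
        except ValueError:
            declared_len = None  # malformed header: rely on the streaming check
        if declared_len is not None and declared_len > max_bytes:
            raise ImageTooLarge(
                f"Content-Length {declared_len} exceeds cap of {max_bytes} bytes")

    buf = bytearray()
    for chunk in response.iter_content(chunk_size):
        buf.extend(chunk)
        if len(buf) > max_bytes:
            raise ImageTooLarge(
                f"body exceeded cap of {max_bytes} bytes during download")
    return bytes(buf)


if __name__ == "__main__":
    # Constructed responses; a tiny cap keeps the demo fast.
    ok = FakeStreamingResponse(b"\x89PNG" + b"\x00" * 12, {"Content-Length": "16"})
    print(len(download_image_bounded(ok, max_bytes=32)), "bytes accepted")
    liar = FakeStreamingResponse(b"\x00" * 64, {"Content-Length": "8"})
    try:
        download_image_bounded(liar, max_bytes=32)
    except ImageTooLarge as exc:
        print("rejected:", exc)
```

Reading with `iter_content()` rather than `response.content` is what makes the second check meaningful: with `.content` the whole body is already in memory before any size is known.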
…URIs, improve 400 errors

Three fixes for vision_analyze returning cryptic 400 "Invalid request data":

1. Pre-flight base64 size check — base64 inflates data ~33%, so a 3.8 MB file exceeds the 5 MB API limit. Reject early with a clear message instead of letting the provider return a generic 400.
2. Handle file:// URIs — strip the scheme and resolve as a local path. Previously file:///path/to/image.png fell through to the "invalid image source" error since it matched neither is_file() nor http(s).
3. Separate invalid_request errors from "does not support vision" errors so the user gets actionable guidance (resize/compress/retry) instead of a misleading "model does not support vision" message.

Closes #6677
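Points 1 and 2 of the commit above are small enough to show in one place. The following is an added example, not the project's vision_analyze code: `base64_encoded_size`, `check_base64_fits` and `classify_image_source` are assumed names, and the 5 MB limit is assumed to mean 5 MiB (the commit does not say which unit). The base64 size is computed exactly (4 output characters per 3 input bytes, rounded up) rather than with the approximate 33%, and the file:// handling uses the standard library's URL parsing so percent-encoded paths decode correctly.

```python
import math
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import url2pathname

# Provider limit on the encoded payload; assumed to be 5 MiB.
MAX_ENCODED_IMAGE_BYTES = 5 * 1024 * 1024


def base64_encoded_size(raw_bytes):
    """Exact length of standard base64 output: 4 chars per 3 input bytes,
    with the final group padded.  This is the ~33% inflation, made exact."""
    return 4 * math.ceil(raw_bytes / 3)


def check_base64_fits(raw_bytes, limit=MAX_ENCODED_IMAGE_BYTES):
    """Pre-flight check run before any provider call.

    Returns (True, "") when the encoded image fits, otherwise (False, message)
    with guidance the caller can show instead of the provider's generic 400.
    """
    encoded = base64_encoded_size(raw_bytes)
    if encoded > limit:
        return (False,
                f"image is {raw_bytes} bytes raw but {encoded} bytes once "
                f"base64-encoded, over the {limit} byte limit; resize or "
                f"compress it and retry")
    return (True, "")


def classify_image_source(source):
    """Return (kind, value) for an image source string.

    ('file', path)  for an existing local path or a file:// URI (scheme
                    stripped, %XX sequences decoded; existence is left to
                    the caller, as with any other local path)
    ('url', source) for http(s)
    ('invalid', None) otherwise
    """
    parsed = urlparse(source)
    if parsed.scheme == "file":
        return ("file", url2pathname(parsed.path))
    if parsed.scheme in ("http", "https"):
        return ("url", source)
    if Path(source).is_file():
        return ("file", source)
    return ("invalid", None)


if __name__ == "__main__":
    print(check_base64_fits(int(3.8 * 1024 * 1024)))
    print(classify_image_source("file:///path/to/image.png"))
```

The third point in the commit, separating provider error kinds, depends on the provider's exact error payload, which the page does not show, so it is not modelled here.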
…onse

Follow-up fixes for cherry-pick conflicts:
- Removed test_context_keeps_pending_approval test that referenced pop_pending() which doesn't exist on current main
- Added headers attribute to FakeResponse in vision test (needed after #6949 added Content-Length check)
This was referenced Apr 11, 2026
Summary
5 PRs salvaged, all contributor authorship preserved. 367 targeted tests passing.
1. fix: numeric MCP server names (#6962, @kagura-agent)
YAML parses `12306:` as int → sorted() crashes. Two str() casts + test.
2. fix: zombie processes + cron stderr + symlink skip (#6952, @aaronagent)
except → finally for process reaping, redact stderr before error branch, skip symlinks in skill enumeration.
3. fix: 50MB image download cap + parser guards (#6949, @aaronagent)
Content-Length + body size check at 50MB. KeyError guards in hermes/mistral parsers.
4. fix(vision): base64 size check, file:// URIs, error messages (#6964, @Tranquil-Flow)
5MB base64 pre-flight check, file:// URI stripping, actionable 400 error guidance. 6 tests.
5. test: env isolation for approval, pairing, audio (#6956, @aquaright1)
PairingStore parameterized, expired Codex tokens return None, 5 test files cleaned up.
Follow-up
Removed stale test (pop_pending doesn't exist on main), added headers to FakeResponse.