Fix hidden-message leakage into plugin prompts

2026-05-15 22:30:38 +08:00 · 2026-04-10 14:06:17 +08:00
parent ed0df6eb7e
commit ef154b5950
7 changed files with 121 additions and 4 deletions
--- a/tests/chat-history.mjs
+++ b/tests/chat-history.mjs
@@ -5,6 +5,7 @@ import {
  resetHideState,
 } from "../ui/hide-engine.js";
 import {
+  buildPluginVisibleChatMessages,
  buildExtractionMessages,
  getAssistantTurns,
  isAssistantChatMessage,
@@ -36,6 +37,25 @@ const realSystemMessage = {
 };
 assert.equal(isSystemMessageForExtraction(realSystemMessage), true);
 assert.equal(isAssistantChatMessage(realSystemMessage), false);
+const pluginVisibleChat = buildPluginVisibleChatMessages([
+  realSystemMessage,
+  managedHiddenAssistant,
+]);
+assert.equal(
+  pluginVisibleChat[0].is_system,
+  true,
+  "real system message should remain system in plugin-visible chat",
+);
+assert.equal(
+  pluginVisibleChat[1].is_system,
+  false,
+  "BME-managed hidden message should be restored for plugin-internal chat views",
+);
+assert.equal(
+  managedHiddenAssistant.is_system,
+  true,
+  "plugin-visible chat clone must not mutate original managed hidden message",
+);

 function createRuntime(chat, chatId = "chat-a") {
  return {
--- a/tests/recall-hide-bypass.mjs
+++ b/tests/recall-hide-bypass.mjs
@@ -0,0 +1,33 @@
+import assert from "node:assert/strict";
+
+import { buildRecallRecentMessagesController } from "../retrieval/recall-controller.js";
+
+const chat = [
+  { is_user: false, is_system: true, mes: "greeting/system" },
+  {
+    is_user: false,
+    is_system: true,
+    mes: "managed hidden assistant",
+    extra: { __st_bme_hide_managed: true },
+  },
+  { is_user: true, is_system: false, mes: "user message" },
+  { is_user: false, is_system: true, mes: "real system" },
+  { is_user: false, is_system: false, mes: "visible assistant" },
+];
+
+const recentMessages = buildRecallRecentMessagesController(chat, 6, "", {
+  formatRecallContextLine(message) {
+    return `[${message.is_user ? "user" : "assistant"}]: ${message.mes}`;
+  },
+  normalizeRecallInputText(value = "") {
+    return String(value || "").trim();
+  },
+});
+
+assert.deepEqual(recentMessages, [
+  "[assistant]: managed hidden assistant",
+  "[user]: user message",
+  "[assistant]: visible assistant",
+]);
+
+console.log("recall-hide-bypass tests passed");
--- a/tests/st-context-task-ejs.mjs
+++ b/tests/st-context-task-ejs.mjs
@@ -69,6 +69,14 @@ try {
        },
        chat: [
          { is_user: true, mes: "第一句" },
+          {
+            is_user: false,
+            is_system: true,
+            mes: "被 BME 隐藏的助手楼层",
+            extra: {
+              __st_bme_hide_managed: true,
+            },
+          },
          {
            is_user: false,
            mes: "回应",
@@ -115,6 +123,14 @@ try {
  assert.equal(hostSnapshot.snapshot.variables.local.location, "library");
  assert.equal(hostSnapshot.snapshot.chat.lastUserMessage, "最后一句");
  assert.equal(hostSnapshot.snapshot.chat.id, "chat-from-global");
+  assert.equal(
+    hostSnapshot.snapshot.chat.messages[1]?.is_system,
+    false,
+  );
+  assert.equal(
+    hostSnapshot.snapshot.chat.messages[1]?.mes,
+    "被 BME 隐藏的助手楼层",
+  );
  assert.equal(hostSnapshot.prompt.charName, "Alice");
  assert.equal(hostSnapshot.prompt.userPersona, "桥接 persona");