refactor: hide context parameters from AI model tool schema

Prevent AI hallucination of runtime parameters by hiding them from the tool schema. Architecture: - Public tool functions (buy/sell) only expose symbol and amount to AI - Use **kwargs to accept hidden parameters (signature, job_id, today_date, session_id) - Internal _impl functions contain the actual business logic - ContextInjector injects parameters into kwargs (invisible to AI) Benefits: - AI cannot see or hallucinate signature/job_id/session_id parameters - Cleaner tool schema focuses on trading-relevant parameters only - Defense-in-depth: ContextInjector still overrides any provided values - More maintainable: clear separation of public API vs internal implementation Example AI sees: buy(symbol: str, amount: int) -> dict Actual execution: buy(symbol="AAPL", amount=10, signature="gpt-5", job_id="...", ...) Fixes #TBD
fix: always override context parameters in ContextInjector
2026-04-02 09:37:23 -04:00 · 2025-11-02 23:34:07 -05:00 · 2025-11-02 23:30:49 -05:00 · 2025-11-02 23:17:52 -05:00 · 2025-11-02 23:05:40 -05:00
4 changed files with 73 additions and 25 deletions
--- a/agent/base_agent/base_agent.py
+++ b/agent/base_agent/base_agent.py
@@ -232,17 +232,24 @@ class BaseAgent:
            context_injector: Configured ContextInjector instance with
                            correct signature, today_date, job_id, session_id
        """
+        print(f"[DEBUG] set_context() ENTRY: Received context_injector with signature={context_injector.signature}, date={context_injector.today_date}, job_id={context_injector.job_id}, session_id={context_injector.session_id}")
+
        self.context_injector = context_injector
+        print(f"[DEBUG] set_context(): Set self.context_injector, id={id(self.context_injector)}")

        # Recreate MCP client with the interceptor
        # Note: We need to recreate because MultiServerMCPClient doesn't have add_interceptor()
+        print(f"[DEBUG] set_context(): Creating new MCP client with interceptor, id={id(context_injector)}")
        self.client = MultiServerMCPClient(
            self.mcp_config,
            tool_interceptors=[context_injector]
        )
+        print(f"[DEBUG] set_context(): MCP client created")

        # CRITICAL: Reload tools from new client so they use the interceptor
+        print(f"[DEBUG] set_context(): Reloading tools...")
        self.tools = await self.client.get_tools()
+        print(f"[DEBUG] set_context(): Tools reloaded, count={len(self.tools)}")

        print(f"✅ Context injected: signature={context_injector.signature}, "
              f"date={context_injector.today_date}, job_id={context_injector.job_id}, "
--- a/agent/context_injector.py
+++ b/agent/context_injector.py
@@ -49,14 +49,16 @@ class ContextInjector:
        """
        # Inject context parameters for trade tools
        if request.name in ["buy", "sell"]:
-            # Add signature and today_date to args if not present
-            if "signature" not in request.args:
-                request.args["signature"] = self.signature
-            if "today_date" not in request.args:
-                request.args["today_date"] = self.today_date
-            if "job_id" not in request.args and self.job_id:
+            # Debug: Log self attributes BEFORE injection
+            print(f"[ContextInjector.__call__] ENTRY: id={id(self)}, self.signature={self.signature}, self.today_date={self.today_date}, self.job_id={self.job_id}, self.session_id={self.session_id}")
+            print(f"[ContextInjector.__call__] Args BEFORE injection: {request.args}")
+
+            # ALWAYS inject/override context parameters (don't trust AI-provided values)
+            request.args["signature"] = self.signature
+            request.args["today_date"] = self.today_date
+            if self.job_id:
                request.args["job_id"] = self.job_id
-            if "session_id" not in request.args and self.session_id:
+            if self.session_id:
                request.args["session_id"] = self.session_id

            # Debug logging
--- a/agent_tools/tool_trade.py
+++ b/agent_tools/tool_trade.py
@@ -82,24 +82,13 @@ def get_current_position_from_db(job_id: str, model: str, date: str) -> Tuple[Di
        conn.close()


-@mcp.tool()
-def buy(symbol: str, amount: int, signature: str = None, today_date: str = None,
-        job_id: str = None, session_id: int = None) -> Dict[str, Any]:
+def _buy_impl(symbol: str, amount: int, signature: str = None, today_date: str = None,
+              job_id: str = None, session_id: int = None) -> Dict[str, Any]:
    """
-    Buy stock function - writes to SQLite database.
+    Internal buy implementation - accepts injected context parameters.

-    Args:
-        symbol: Stock symbol (e.g., "AAPL", "MSFT")
-        amount: Number of shares to buy (positive integer)
-        signature: Model signature (injected by ContextInjector)
-        today_date: Trading date YYYY-MM-DD (injected by ContextInjector)
-        job_id: Job UUID (injected by ContextInjector)
-        session_id: Trading session ID (injected by ContextInjector)
-
-    Returns:
-        Dict[str, Any]:
-          - Success: {"CASH": amount, symbol: quantity, ...}
-          - Failure: {"error": message, ...}
+    This function is not exposed to the AI model. It receives runtime context
+    (signature, today_date, job_id, session_id) from the ContextInjector.
    """
    # Validate required parameters
    if not job_id:
@@ -206,8 +195,31 @@ def buy(symbol: str, amount: int, signature: str = None, today_date: str = None,


@mcp.tool()
-def sell(symbol: str, amount: int, signature: str = None, today_date: str = None,
-         job_id: str = None, session_id: int = None) -> Dict[str, Any]:
+def buy(symbol: str, amount: int, **kwargs) -> Dict[str, Any]:
+    """
+    Buy stock shares.
+
+    Args:
+        symbol: Stock symbol (e.g., "AAPL", "MSFT", "GOOGL")
+        amount: Number of shares to buy (positive integer)
+
+    Returns:
+        Dict[str, Any]:
+          - Success: {"CASH": remaining_cash, "SYMBOL": shares, ...}
+          - Failure: {"error": error_message, ...}
+    """
+    # Extract injected parameters (added by ContextInjector, hidden from AI)
+    signature = kwargs.get("signature")
+    today_date = kwargs.get("today_date")
+    job_id = kwargs.get("job_id")
+    session_id = kwargs.get("session_id")
+
+    # Delegate to internal implementation
+    return _buy_impl(symbol, amount, signature, today_date, job_id, session_id)
+
+
+def _sell_impl(symbol: str, amount: int, signature: str = None, today_date: str = None,
+               job_id: str = None, session_id: int = None) -> Dict[str, Any]:
    """
    Sell stock function - writes to SQLite database.

@@ -327,6 +339,30 @@ def sell(symbol: str, amount: int, signature: str = None, today_date: str = None
        conn.close()


+@mcp.tool()
+def sell(symbol: str, amount: int, **kwargs) -> Dict[str, Any]:
+    """
+    Sell stock shares.
+
+    Args:
+        symbol: Stock symbol (e.g., "AAPL", "MSFT", "GOOGL")
+        amount: Number of shares to sell (positive integer)
+
+    Returns:
+        Dict[str, Any]:
+          - Success: {"CASH": remaining_cash, "SYMBOL": shares, ...}
+          - Failure: {"error": error_message, ...}
+    """
+    # Extract injected parameters (added by ContextInjector, hidden from AI)
+    signature = kwargs.get("signature")
+    today_date = kwargs.get("today_date")
+    job_id = kwargs.get("job_id")
+    session_id = kwargs.get("session_id")
+
+    # Delegate to internal implementation
+    return _sell_impl(symbol, amount, signature, today_date, job_id, session_id)
+
+
 if __name__ == "__main__":
    port = int(os.getenv("TRADE_HTTP_PORT", "8002"))
    mcp.run(transport="streamable-http", port=port)
--- a/api/model_day_executor.py
+++ b/api/model_day_executor.py
@@ -140,7 +140,10 @@ class ModelDayExecutor:
                job_id=self.job_id,
                session_id=session_id
            )
+            logger.info(f"[DEBUG] ModelDayExecutor: Created ContextInjector with signature={self.model_sig}, date={self.date}, job_id={self.job_id}, session_id={session_id}")
+            logger.info(f"[DEBUG] ModelDayExecutor: Calling await agent.set_context()")
            await agent.set_context(context_injector)
+            logger.info(f"[DEBUG] ModelDayExecutor: set_context() completed")

            # Run trading session
            logger.info(f"Running trading session for {self.model_sig} on {self.date}")
Author	SHA1	Message	Date
Bill	96f6b78a93	refactor: hide context parameters from AI model tool schema Prevent AI hallucination of runtime parameters by hiding them from the tool schema. Architecture: - Public tool functions (buy/sell) only expose symbol and amount to AI - Use **kwargs to accept hidden parameters (signature, job_id, today_date, session_id) - Internal _impl functions contain the actual business logic - ContextInjector injects parameters into kwargs (invisible to AI) Benefits: - AI cannot see or hallucinate signature/job_id/session_id parameters - Cleaner tool schema focuses on trading-relevant parameters only - Defense-in-depth: ContextInjector still overrides any provided values - More maintainable: clear separation of public API vs internal implementation Example AI sees: buy(symbol: str, amount: int) -> dict Actual execution: buy(symbol="AAPL", amount=10, signature="gpt-5", job_id="...", ...) Fixes #TBD	2025-11-02 23:34:07 -05:00
Bill	6c395f740d	fix: always override context parameters in ContextInjector Root cause: AI models were hallucinating signature/job_id/today_date values and passing them in tool calls. The ContextInjector was checking "if param not in request.args" before injecting, which failed when AI provided (incorrect) values. Fix: Always override context parameters, never trust AI-provided values. Evidence from logs: - ContextInjector had correct values (self.signature=gpt-5, job_id=6dabd9e6...) - But AI was passing signature=None or hallucinated values like "fundamental-bot-v1" - After injection, args showed the AI's (wrong) values, not the interceptor's This ensures runtime context is ALWAYS injected regardless of what the AI sends. Fixes #TBD	2025-11-02 23:30:49 -05:00
Bill	618943b278	debug: add self attribute logging to ContextInjector.__call__ Log ContextInjector instance ID and attribute values at entry to __call__() to diagnose why attributes appear as None during tool invocation despite being set correctly during set_context(). This will reveal whether: - Multiple ContextInjector instances exist - Attributes are being overwritten/cleared - Wrong instance is being invoked	2025-11-02 23:17:52 -05:00
Bill	1c19eea29a	debug: add comprehensive diagnostic logging for ContextInjector flow Add instrumentation at component boundaries to trace where ContextInjector values become None: - ModelDayExecutor: Log ContextInjector creation and set_context() invocation - BaseAgent.set_context(): Log entry, client creation, tool reload, completion - Includes object IDs to verify instance identity across boundaries Part of systematic debugging investigation for issue #TBD.	2025-11-02 23:05:40 -05:00