fix(ENG-12594): remove per-tool sanitization rules #42
Tool rules (ToolSanitizationRule) were redundant with the existing DEFAULT_RISKY_FIELDS system which already handles per-tool field selection via toolOverrides (e.g. gmail_* → [subject, body, snippet]).

What tool rules provided vs what already exists:
- skipFields → redundant: risky fields allowlist already excludes non-risky fields like id, url, created_at
- maxFieldLengths → dead code: getMaxFieldLength() was never called
- riskyFields override → dead code: never used in implementation
- sanitizationLevel → only email used "high", everything else was "medium" (same as defaultRiskLevel). Encoding-based risk escalation handles the email case via containsSuspiciousEncoding.
- cumulativeRiskThresholds → minor tuning, global defaults are sufficient

Removed:
- ToolSanitizationRule interface (types.ts)
- DEFAULT_TOOL_RULES constant (config.ts)
- toolRules from PromptDefenseConfig and ToolResultSanitizerConfig
- getToolRule, shouldSkipField, getMaxFieldLength (field-detection.ts)
- useDefaultToolRules option (prompt-defense.ts)
- ToolSanitizationRule export from public API (index.ts)
- toolRule parameter threaded through all recursive sanitization methods
- 5 tool-rule-specific tests

All tools now treated uniformly with defaultRiskLevel: "medium" and risk escalation driven by Tier 1 patterns + encoding detection.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Remove useDefaultToolRules from Quick Start, API reference, and Vercel AI SDK integration examples
- Remove per-tool base risk level table (gmail_* → high, etc.)
- Replace "Tool-Specific Rules" section with "Risky Field Detection" section documenting which fields are scanned per tool (this uses DEFAULT_RISKY_FIELDS.toolOverrides which is still active)
- Simplify riskLevel explanation — starts at medium, escalated by detections

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 issue found across 8 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="specs/integration.spec.ts">
<violation number="1" location="specs/integration.spec.ts:289">
P2: The new test does not assert the intended default `medium` risk level; it only excludes `high`/`critical`, so a regression to `low` would go undetected.</violation>
</file>
Pull request overview
Removes the dedicated per-tool sanitization rule system and simplifies sanitization so all tools share a uniform default risk level, relying on risky-field selection via DEFAULT_RISKY_FIELDS.toolOverrides plus Tier 1 detections for escalation.
Changes:
- Deleted `ToolSanitizationRule` types/utilities and default per-tool rule config (`DEFAULT_TOOL_RULES`)
- Simplified `ToolResultSanitizer` to remove tool-rule threading and apply uniform defaults
- Updated/removed tests that asserted tool-rule behavior
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| src/utils/field-detection.ts | Removes tool-rule helper APIs (getToolRule, shouldSkipField, getMaxFieldLength) leaving risky-field detection + wildcard matching. |
| src/types.ts | Removes ToolSanitizationRule and toolRules from public configuration types. |
| src/index.ts | Stops exporting ToolSanitizationRule from the package entrypoint. |
| src/core/tool-result-sanitizer.ts | Removes tool-specific rules, sets uniform base risk, and uses only global cumulative-risk thresholds. |
| src/core/prompt-defense.ts | Drops useDefaultToolRules option and stops passing tool rules into the sanitizer. |
| src/config.ts | Removes DEFAULT_TOOL_RULES and eliminates toolRules from default config creation. |
| specs/utils.spec.ts | Removes getToolRule tests and related imports. |
| specs/integration.spec.ts | Removes integration coverage for useDefaultToolRules/custom tool rules and adds a uniform-default-risk assertion. |
- Remove defendToolResult test that only asserted default medium risk level — redundant with existing integration tests, no longer tool-rule-specific
- Improve createCumulativeRiskTracker docstring per review feedback

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
0 issues found across 2 files (changes from recent commits).
Requires human review: This PR is a major refactor of core security logic, changing how tool risk is calculated and removing parts of the public API. It requires human review to ensure no security regression.
Summary
- Removes the `ToolSanitizationRule` system entirely — per-tool rules were redundant with the existing `DEFAULT_RISKY_FIELDS.toolOverrides` which already handles per-tool field selection
- All tools now use `defaultRiskLevel: "medium"` and risk escalation driven by Tier 1 patterns + encoding detection

Why
- `skipFields` (skip `id`, `url`, etc.) → `DEFAULT_RISKY_FIELDS` allowlist already excludes non-risky fields
- `maxFieldLengths` → `getMaxFieldLength()` was never called
- `riskyFields` override → never used
- `sanitizationLevel` (e.g. email → high) → `defaultRiskLevel: "medium"` for all; encoding escalation handles encoded payloads dynamically
- `cumulativeRiskThresholds` per tool → global defaults are sufficient (`medium: 3, high: 1, patterns: 3`)

What was removed
- `ToolSanitizationRule` interface and public type export
- `DEFAULT_TOOL_RULES` constant (6 per-tool rule objects)
- `getToolRule()`, `shouldSkipField()`, `getMaxFieldLength()` utilities
- `useDefaultToolRules` option from `PromptDefenseOptions`
- `toolRule` parameter threaded through all recursive sanitization methods
- `toolRules` from `PromptDefenseConfig` and `ToolResultSanitizerConfig`

What stays (covers the same functionality)
- `DEFAULT_RISKY_FIELDS.toolOverrides` — per-tool field selection (e.g. `gmail_*` → `[subject, body, snippet]`)
- `DEFAULT_TRAVERSAL_CONFIG` — `maxDepth: 10`, `maxSize: 10MB`
- `defaultRiskLevel: "medium"` — uniform base risk for all tools

Test plan
- `npm test` — 181/181 passing (down from 186; 5 removed tests were tool-rule-specific)
- `npm run lint` — clean
- `npm run build` — clean

🤖 Generated with Claude Code
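Added illustrative model of the simplified sanitizer this PR describes; it is not the project's code. The `DEFAULT_RISKY_FIELDS` shape, the helper names (`matchesToolPattern`, `riskyFieldsFor`, `sanitizeToolResult`), the constructed Tier 1 patterns and the escalation mapping (Tier 1 hit → `critical`, suspicious encoding → `high`) are assumptions; what it shows is the post-refactor behaviour the review comment wanted asserted: every tool starts at `medium`, only allowlisted fields are scanned, and the level only moves up on detections.

```typescript
// Illustrative model of the post-refactor sanitizer; not the project's code.
// Assumed names: matchesToolPattern, riskyFieldsFor, sanitizeToolResult, TIER1_PATTERNS.
type RiskLevel = "low" | "medium" | "high" | "critical";

// Per-tool field allowlist with wildcard tool names, modelled on DEFAULT_RISKY_FIELDS.toolOverrides.
// Fields not listed (id, url, created_at, ...) are never scanned, which is why skipFields was redundant.
const DEFAULT_RISKY_FIELDS = {
  defaultFields: ["content", "text", "message"],
  toolOverrides: { "gmail_*": ["subject", "body", "snippet"] } as Record<string, string[]>,
};

// Matches a tool name against an override key such as "gmail_*" (trailing wildcard only).
function matchesToolPattern(pattern: string, toolName: string): boolean {
  return pattern.endsWith("*") ? toolName.startsWith(pattern.slice(0, -1)) : pattern === toolName;
}

function riskyFieldsFor(toolName: string): string[] {
  for (const [pattern, fields] of Object.entries(DEFAULT_RISKY_FIELDS.toolOverrides)) {
    if (matchesToolPattern(pattern, toolName)) return fields;
  }
  return DEFAULT_RISKY_FIELDS.defaultFields;
}

// Constructed stand-ins for the Tier 1 pattern list and containsSuspiciousEncoding.
const TIER1_PATTERNS = [/ignore (all )?previous instructions/i, /you are now (a|an|the) /i];
function containsSuspiciousEncoding(value: string): boolean {
  return /[A-Za-z0-9+/]{40,}={0,2}/.test(value); // long base64-looking run
}

interface SanitizeResult { riskLevel: RiskLevel; scannedFields: string[]; detections: number }

// Every tool starts at defaultRiskLevel "medium" (no per-tool sanitizationLevel any more);
// the level only moves up, driven by Tier 1 pattern hits and encoding detection.
function sanitizeToolResult(toolName: string, result: Record<string, unknown>): SanitizeResult {
  const scannedFields = riskyFieldsFor(toolName).filter((f) => typeof result[f] === "string");
  let riskLevel: RiskLevel = "medium";
  let detections = 0;
  for (const f of scannedFields) {
    const value = result[f] as string;
    if (TIER1_PATTERNS.some((p) => p.test(value))) {
      detections++; riskLevel = "critical"; // assumed: a Tier 1 hit is the top escalation
    } else if (containsSuspiciousEncoding(value)) {
      detections++; if (riskLevel === "medium") riskLevel = "high"; // assumed: encoding escalates one step
    }
  }
  return { riskLevel, scannedFields, detections };
}
```

A test for the uniform default should assert `riskLevel === "medium"` on a clean result rather than only excluding `high`/`critical`, otherwise a regression to `low` would pass unnoticed.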
Summary by cubic
Removed per-tool sanitization rules (ENG-12594) and unified all tools under a `medium` base risk. Escalation now comes only from Tier 1 patterns, encoding checks, and Tier 2 scoring; per-tool field scanning stays via `DEFAULT_RISKY_FIELDS.toolOverrides`.

Refactors
- Removed the `ToolSanitizationRule` system and all related code (`DEFAULT_TOOL_RULES`, config `toolRules`, `useDefaultToolRules`, and utils like `getToolRule`/`shouldSkipField`); removed its public type export.
- `DEFAULT_RISKY_FIELDS.toolOverrides` now drives per-tool scanned fields.
- `riskLevel` starts at `medium` and only escalates via detections.

Migration
- Remove any use of `ToolSanitizationRule`.
- Remove `PromptDefenseOptions.useDefaultToolRules` and any config `toolRules` references.
- Construct `PromptDefense` without tool rules; rely on `defaultRiskLevel: 'medium'` and detection-based escalation.

Written for commit 38d52f1. Summary will update on new commits.