Fix: <|think_on|>/<|think_off|> honored from tool responses (prompt-injection surface)

#49

Problem

The <|think_on|> / <|think_off|> scan runs on every message, including tool role responses. In agentic use, tool responses carry untrusted external content (fetched web pages, file contents, API payloads). Any such content containing the literal string <|think_off|>:

  1. silently disables the model's reasoning for subsequent generation, and
  2. is stripped from the rendered context, leaving no trace of what happened.

That is a prompt-injection primitive: a web page can turn off the model's thinking.

Fix

Toggles are now honored only in user and system/developer messages (the trusted channel, matching the README's description of the feature: "insert ... in your system or user prompt"). Tool-response content is rendered verbatim and inert.


Each fix in this series is an independent PR based on current main (v20); they touch overlapping regions of the same file, so merging one may require the others to be rebased — happy to update them.

Hey @Moore2877 ! Nevermind about rebasing—I went ahead and manually resolved the merge conflicts and integrated your excellent fixes directly into the new v21 release on main. Thank you so much for this incredible series of PRs! Closing this as the code is now officially merged.

froggeric changed pull request status to closed

Sign up or log in to comment