fix: filter transcript-only roles from chat-completions payload (#4715)

Add a provider-agnostic role allowlist guard to _sanitize_api_messages() that drops messages with roles not accepted by the chat-completions API (e.g. session_meta). This prevents CLI resume/session restore from leaking transcript-only metadata into the outgoing messages payload. Two layers of defense: 1. API-boundary guard: _sanitize_api_messages() now filters messages by role allowlist (system/user/assistant/tool/function/developer) before the existing orphaned tool-call repair logic. This protects all current and future call paths. 2. CLI restore defense-in-depth: Both session restore paths in cli.py now strip session_meta entries before loading history into conversation_history, matching the existing gateway behavior. Closes #4715
2026-04-28 06:51:16 +08:00 · 2026-04-03 14:09:17 +08:00
parent bef895b371
commit 6bf5946bbe
3 changed files with 107 additions and 0 deletions
--- a/cli.py
+++ b/cli.py
@@ -2166,6 +2166,7 @@ class HermesCLI:
                return False
            restored = self._session_db.get_messages_as_conversation(self.session_id)
            if restored:
+                restored = [m for m in restored if m.get("role") != "session_meta"]
                self.conversation_history = restored
                msg_count = len([m for m in restored if m.get("role") == "user"])
                title_part = ""
@@ -2361,6 +2362,7 @@ class HermesCLI:

        restored = self._session_db.get_messages_as_conversation(self.session_id)
        if restored:
+            restored = [m for m in restored if m.get("role") != "session_meta"]
            self.conversation_history = restored
            msg_count = len([m for m in restored if m.get("role") == "user"])
            title_part = ""