fix: add file reading guardrails to drafter and verifier sub-agents#84
Merged
derekmisler merged 1 commit into docker:main from Mar 12, 2026
Conversation
PR docker#77 added guardrails to the root agent but the drafter and verifier had none, causing them to enter degenerate read_file loops that exhaust the 40-minute timeout. Evidence: docker/sandboxes run 22930756843 showed the verifier making 868 read_file calls (432 not-found) brute-forcing /tmp/*.json path permutations.

Changes:
- Add circuit breaker instructions to drafter (20-file cap) and verifier (10-file cap) with 3-consecutive-not-found stop rule
- Add list_directory to both sub-agent toolsets so they can discover files instead of guessing paths
- Root agent now passes directory listings to sub-agents in delegation messages to eliminate path guessing upfront
Contributor
Review Summary
Assessment: 🟢 APPROVE
Summary
The changes add comprehensive file reading guardrails to both the drafter and verifier sub-agents, effectively addressing the path-guessing vulnerability documented in the PR description. The implementation is clean, consistent, and well-documented.
Key improvements:
- Circuit breaker pattern (3 consecutive not-found → stop)
- File read caps (drafter: 20 files, verifier: 10 files)
- Adds list_directory to both agent toolsets
- Root agent now provides directory listings to sub-agents
No bugs detected in the added code. The guardrails mirror the approach used in PR #77 for the root agent and should prevent the degenerate behavior seen in docker/sandboxes run 22930756843.
Findings
No issues found. The code changes are safe to merge.
trungutt
approved these changes
Mar 12, 2026
derekmisler
added a commit
to derekmisler/cagent-action
that referenced
this pull request
Mar 16, 2026
The drafter sub-agent can enter a degenerate loop where it calls read_file on the same diff chunk path hundreds of times without producing any analysis output. This consumed the entire 40-minute timeout in docker/pinata#40026 (629 identical read_file calls). The existing guardrails from PR docker#84 (circuit breakers, read caps) only catch file-not-found loops. This adds explicit instructions to never re-read the same path and to immediately produce output if about to duplicate a read.
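The guardrails described in the PR (per-sub-agent read caps, the three-consecutive-not-found circuit breaker, and list_directory discovery instead of path guessing) together with the never-re-read rule from this follow-up commit, written up as an added example tool wrapper. This is illustration code, not cagent's or cagent-action's own implementation (the PR changes are prompt instructions, not code); the ReadFileGuard class, the in-memory filesystem, and the list of guessed paths are constructed here to replay the failure mode and show each rule stopping it.

```python
"""Added example: a guard around an agent's read_file tool.

Rules, taken from the PR description and the follow-up commit:
  - hard cap on total read_file calls per sub-agent (PR: drafter 20, verifier 10)
  - stop after 3 consecutive not-found results (the circuit breaker)
  - never re-read a path already read; produce output instead (follow-up commit)
The filesystem and path lists below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class GuardTripped(Exception):
    """The guard decided the sub-agent must stop reading and emit its output now."""

    def __init__(self, reason: str, detail: str) -> None:
        super().__init__(f"{reason}: {detail}")
        self.reason = reason


@dataclass
class ReadFileGuard:
    """Wraps a sub-agent's read_file tool with the guardrails above (hypothetical class)."""
    max_reads: int                    # per-sub-agent cap (drafter 20, verifier 10 in the PR)
    max_consecutive_missing: int = 3  # circuit breaker threshold from the PR
    reads: int = 0
    consecutive_missing: int = 0
    seen: Dict[str, Optional[str]] = field(default_factory=dict)  # path -> content or None

    def read_file(self, path: str, fs: Dict[str, str]) -> Optional[str]:
        # Follow-up commit rule: re-reading a path is the loop signal, so stop before the call.
        if path in self.seen:
            raise GuardTripped("duplicate", f"{path} was already read; produce output instead")
        # Hard cap: the 868-call run could never have happened with this in place.
        if self.reads >= self.max_reads:
            raise GuardTripped("read_cap", f"{self.max_reads} read_file calls already used")
        self.reads += 1
        content = fs.get(path)  # None models a not-found result from the real tool
        self.seen[path] = content
        if content is None:
            self.consecutive_missing += 1
            if self.consecutive_missing >= self.max_consecutive_missing:
                raise GuardTripped("circuit_breaker",
                                   f"{self.consecutive_missing} consecutive not-found results")
        else:
            self.consecutive_missing = 0
        return content


def list_directory(fs: Dict[str, str], directory: str) -> List[str]:
    """Minimal list_directory tool over the constructed in-memory filesystem."""
    prefix = directory.rstrip("/") + "/"
    return sorted(p for p in fs if p.startswith(prefix))


def replay(guard: ReadFileGuard, fs: Dict[str, str], attempts: List[str]) -> Tuple[int, str]:
    """Replay a sequence of read_file attempts; return (reads performed, stop reason)."""
    for path in attempts:
        try:
            guard.read_file(path, fs)
        except GuardTripped as stop:
            return guard.reads, stop.reason
    return guard.reads, "completed"


def discover_then_read(guard: ReadFileGuard, fs: Dict[str, str],
                       directory: str) -> Dict[str, Optional[str]]:
    """What the PR asks for instead of guessing: list the directory, read what exists."""
    return {p: guard.read_file(p, fs) for p in list_directory(fs, directory)}


# Constructed sandbox: one real input file, nothing else under /tmp.
SANDBOX_FS = {"/tmp/input.json": '{"task": "verify"}'}

# Constructed guesses in the style the PR describes (/tmp/verify.json, /tmp/spec.json, ...).
VERIFIER_GUESSES = ["/tmp/verify.json", "/tmp/verifier.json",
                    "/tmp/spec.json", "/tmp/payload.json"]


if __name__ == "__main__":
    # Brute-force guessing trips the breaker after three misses instead of running for 40 minutes.
    print(replay(ReadFileGuard(max_reads=10), SANDBOX_FS, VERIFIER_GUESSES))
    # Re-reading the same path is stopped before the second call.
    print(replay(ReadFileGuard(max_reads=10), SANDBOX_FS, ["/tmp/input.json"] * 2))
    # Listing first finds the file in a single read.
    print(discover_then_read(ReadFileGuard(max_reads=10), SANDBOX_FS, "/tmp"))
```

The replay helper is the useful part for detection: run it over the read_file sequence from a verbose log and the stop reason tells you which rule would have ended the loop and after how many calls, which is a quick way to check that a cap or threshold is set tight enough for a given sub-agent.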
Closes: https://github.com/docker/gordon/issues/199
Summary
- Add list_directory to both sub-agent toolsets so they can discover files instead of guessing paths

Context
PR #77 added guardrails to the root agent, but the drafter and verifier had none. In docker/sandboxes run 22930756843, the verifier made 868 read_file calls (432 not-found) brute-forcing /tmp/*.json path permutations until the 40-minute timeout killed the process. The drafter contributed another 330 reads (146 not-found). This is the same class of bug as the drafter loop in docker/docker-agent#2038 (from #77), but this time the verifier was the primary offender — trying paths like /tmp/verify.json, /tmp/verifier.json, /tmp/spec.json, /tmp/payload.json, etc.

Test plan
read_file calls in the verbose log