
fix(fraud): prevent None agent_notes writing literal "None" string to DB#265

Open

sshekhar-04 wants to merge 1 commit into GenAI-Security-Project:main from sshekhar-04:fix/bug-044-agent-notes-none-fraud

Conversation

@sshekhar-04

Problem

Fixes #146

When update_vendor_risk and update_fraud_agent_notes are called
with agent_notes=None, f-string interpolation writes the literal
string "[Fraud Agent] None" into the vendor audit trail.

This pollutes forensic records and causes CTF detectors to produce
spurious matches on fraud agent notes.

Fix

Added an or '' guard with .strip() on agent_notes before
f-string interpolation in both affected functions.

Before:

new_notes = f"{existing_notes}\n\n[Fraud Agent] {agent_notes}"

After:

new_notes = f"{existing_notes}\n\n[Fraud Agent] {agent_notes or ''}".strip()

Files Changed

  • finbot/tools/data/fraud.py — fixed 2 occurrences
  • tests/unit/tools/test_fraud.py — added 5 tests

Tests

  • test_none_agent_notes_no_literal_none
  • test_normal_notes_appended
  • test_empty_existing_notes_stripped
  • test_none_agent_notes_no_literal_none (fraud agent notes) ✅
  • test_normal_notes_appended (fraud agent notes) ✅
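The before/after forms from the PR description, side by side with a forensic check for rows that were already polluted, as an added example that is not the project's own code (the in-memory vendor table and the function names append_agent_notes_before/after, update_fraud_agent_notes and polluted_vendors are assumptions standing in for finbot's DB layer):

```python
import re
from typing import Optional

# Constructed in-memory vendor table standing in for the project's DB layer
# (assumption: the real update_* functions persist to a database).
VENDORS = {
    "V-001": {"notes": "Onboarded 2024-01"},
    "V-002": {"notes": ""},
}

def append_agent_notes_before(existing_notes: str, agent_notes: Optional[str]) -> str:
    """'Before' form from the PR: None is rendered as the literal text 'None'."""
    return f"{existing_notes}\n\n[Fraud Agent] {agent_notes}"

def append_agent_notes_after(existing_notes: str, agent_notes: Optional[str]) -> str:
    """'After' form from the PR: `or ''` turns None into an empty string and
    .strip() drops the trailing space (and the leading blank lines when
    existing_notes is empty). The '[Fraud Agent]' marker itself is still appended."""
    return f"{existing_notes}\n\n[Fraud Agent] {agent_notes or ''}".strip()

def update_fraud_agent_notes(vendor_id: str, agent_notes: Optional[str],
                             store: dict, fixed: bool = True) -> str:
    """Apply either form to one vendor record and return the stored audit trail."""
    append = append_agent_notes_after if fixed else append_agent_notes_before
    store[vendor_id]["notes"] = append(store[vendor_id]["notes"], agent_notes)
    return store[vendor_id]["notes"]

# Forensic check: an agent-notes line whose entire body is the literal 'None'.
# Anchoring on end-of-line avoids flagging genuine notes that merely start
# with the word 'None' (the spurious-match problem the PR mentions).
LITERAL_NONE = re.compile(r"^\[Fraud Agent\] None\s*$", re.MULTILINE)

def polluted_vendors(store: dict) -> list[str]:
    """Return ids of vendors whose audit trail was polluted by the bug, so
    rows written before the fix can be triaged."""
    return sorted(vid for vid, rec in store.items() if LITERAL_NONE.search(rec["notes"]))

if __name__ == "__main__":
    buggy = {vid: dict(rec) for vid, rec in VENDORS.items()}
    update_fraud_agent_notes("V-001", None, store=buggy, fixed=False)
    print(polluted_vendors(buggy))  # ['V-001']
```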


Development

Successfully merging this pull request may close these issues.

Bug_044_MUST_FIX: Test Case FRAUD-UPD-006 — update_vendor_risk with agent_notes=None writes literal "None" into vendor notes
