Codecov Report

❌ Patch coverage is 42.10526% with 77 lines in your changes missing coverage. Please review.
✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!

Greptile Overview

Greptile Summary

This PR adds agent profiles to configure system prompts, tool access, and behavior rules for specialized use cases like read-only exploration or isolated processing of untrusted content. The implementation includes 5 built-in profiles (default, explorer, researcher, developer, isolated) and supports user-defined profiles via TOML files.

Critical Issues:

• Behavior flags (read_only, no_network, confirm_writes) are defined but never enforced - they only appear in system prompts, relying on LLM compliance rather than programmatic enforcement
• Profile tool restrictions can be bypassed by users specifying --tool flag, defeating security purpose
• Profile.from_dict() mutates input dictionary with pop(), causing unexpected behavior

Design Concerns:

• The PR claims profiles enable "defense-in-depth against prompt injection" (feat: add shielded processing mode for handling untrusted content safely #1158), but since behavior rules aren't enforced and can be bypassed, this provides no actual security guarantee
• Without enforcement, profiles are documentation rather than restrictions

Confidence Score: 2/5

• This PR has critical security issues - behavior restrictions are not enforced and can be easily bypassed
• The score reflects fundamental flaws in the security model: behavior flags like read_only and no_network are only added to system prompts but never enforced programmatically, meaning they provide no actual protection against malicious or untrusted content. Additionally, users can bypass profile tool restrictions by specifying --tool explicitly, defeating the stated security purpose of profiles for "defense-in-depth against prompt injection"
• Pay close attention to gptme/profiles.py (behavior flag enforcement) and gptme/cli.py (profile security bypass)

Important Files Changed

Sequence Diagram

sequenceDiagram
    participant User
    participant CLI as gptme/cli.py
    participant Profiles as gptme/profiles.py
    participant Tools as Tool System
    participant Agent as LLM Agent

    User->>CLI: gptme --agent-profile explorer
    CLI->>Profiles: get_profile("explorer")
    Profiles->>Profiles: Check user profiles dir
    Profiles->>Profiles: Fall back to BUILTIN_PROFILES
    Profiles-->>CLI: Return Profile(tools=[read,shell,chats], behavior={read_only:true, no_network:true})
    
    CLI->>CLI: Apply profile.tools to tool_allowlist
    Note over CLI: Only if --tool not specified
    
    CLI->>Tools: init_tools(tool_allowlist)
    Tools-->>CLI: Initialized tools
    
    CLI->>CLI: Append profile.system_prompt to initial_msgs
    Note over CLI: System message with behavior rules
    
    CLI->>Agent: Start conversation with tools + system prompt
    Note over Agent: Behavior rules only in prompt,<br/>not enforced by system

I don't really like gptme --list-profiles, I think it should probably be gptme profiles (or even gptme-util profiles or gptme-profiles until we complete #1153)

We currently have a --agent-path for agents like Bob (not these lightweight profile-based agents), we should consider how it interacts with this profile system. Maybe the same --agent-path could point to both a path like bob, or a shortcut like "explorer", or path to explorer yaml. Maybe shorten it to simply --agent and let profiles be a natural way to express an agent (in addition to the gptme.toml folder/repo-based agents).

What do you think? Confusing or good design? What if one wants to run e.g. Bob with a profile?

Design Response: Profile CLI and Agent Unification

@ErikBjare Thanks for the thoughtful questions! Here's my analysis:

1. --list-profiles → gptme profiles

Agree completely. Profile management should be a subcommand, not a flag. This follows the pattern we're establishing with gptme-agent:

gptme profiles           # List all profiles
gptme profiles show X    # Show profile details
gptme profiles create X  # Create new profile

For now, until #1153 is complete, we could use gptme-util profiles or even a standalone gptme-profiles command.

2. Unifying --agent-path with --agent

Great insight. I think we can unify this elegantly:

gptme --agent bob           # Path-based agent (~/bob or detects gptme.toml)
gptme --agent explorer      # Built-in profile
gptme --agent ./custom.yaml # File-based profile

Resolution order:

1. If it looks like a path → load as agent workspace (gptme.toml)
2. If it matches a built-in profile name → use that profile
3. If it's a .yaml/.toml file → load as user profile
4. Otherwise → error with suggestions

This keeps backwards compat with --agent-path behavior while making profiles a natural part of the agent concept.

3. Running Bob with a Profile?

Interesting edge case! Two possible approaches:

Option A: Profiles inherit from agents

gptme --agent bob --profile read-only
# Bob's full workspace + read-only behavior overlay

Option B: Profiles ARE lightweight agents
A profile is just an agent without a workspace. No overlap - you're either using a full agent (Bob) or a profile (explorer).

I lean toward Option B for simplicity - profiles are a quick way to configure behavior without a full workspace. If you need both, you'd define the profile characteristics in the agent's gptme.toml.

Other Notes

CI Failure: There's a NameError: free variable 'Message' referenced before assignment - looks like an import issue I introduced. Will fix.

Greptile's Security Points: Valid concerns about behavior enforcement. The current approach relies on LLM compliance - real enforcement would require tool-level changes. This is intentional as a soft first step, but should be documented clearly. True enforcement could be Phase 2 (per #1158).

What's your preference on the unification approach?

It should probably be gptme profile (again, cleaner). I think you're right that Option B is probably better.

However, seems like much of this is premature, as we can't actually provide the requested guarantees.

Or maybe we could kinda enforce the guarantees by prompting the agent with the limitations to follow. That could be safe enough at the limit as models get better and don't accidentally pwn themselves.

Clarification: Current Implementation IS Prompting-Based

@ErikBjare Good points. Let me clarify what this PR actually does:

What the Current PR Does (Soft Enforcement)

The current implementation is already prompting-based only. The profile's system prompt tells the agent:

• "You have access to these tools: [list]"
• "Behavior: Use concise output, don't modify files" (for explorer)

There's no technical enforcement - if the agent calls a "forbidden" tool, gptme will still execute it. The agent just follows the instructions.

Agreements

✅ gptme profile (singular) - cleaner, will update
✅ Option B - profiles ARE lightweight agents, no overlap with workspace agents

On "Premature Guarantees"

Totally agree we shouldn't overclaim. Current scope:

The "Safe Enough at the Limit" Idea

I like this framing. As models improve, prompt-based restrictions become more reliable:

• Current models: "Usually follows instructions, might slip"
• Future models: "Reliably follows instructions, no accidental pwns"

Proposed Path Forward

1. This PR: Keep it simple - profiles with soft prompting enforcement, clearly documented as behavioral hints, not security
2. PR feat: add shielded processing mode for handling untrusted content safely #1158: Adds optional hard enforcement at tool layer for when you actually need guarantees

Should I:

• Update this PR to clarify it's soft enforcement only (documentation fix)?
• Or should we pause this until the enforcement architecture is clearer?

Update this PR

✅ PR Updated as Requested

@ErikBjare Updated per your feedback. Changes made:

1. --list-profiles → gptme-util profile (singular)

New subcommand group in gptme-util:

gptme-util profile list          # List all available profiles
gptme-util profile show explorer # Show details for specific profile

2. Soft Enforcement Clarification

Updated documentation to clearly state profiles provide soft/prompting-based guidance only:

• Profile restrictions are behavioral hints via system prompts
• No hard technical enforcement at tool level
• Agent follows instructions as guidance, not enforced rules

3. Additional Fixes

• Fixed from_dict() dictionary mutation issue (Greptile feedback)
• Added test for non-mutation behavior
• Updated error messages to reference new gptme-util profile list command

The --agent-profile option remains for using profiles, but now clearly documented as soft enforcement. Hard enforcement would come via PR #1158.

Ready for review when you have time.

PR Updated ✅

@ErikBjare - Updated per your request. Changes include:

1. CLI Restructuring (as agreed)

• ❌ Removed --list-profiles flag from main CLI
• ✅ Added gptme-util profile subcommand:
  • gptme-util profile list - List all profiles
  • gptme-util profile show <name> - Show profile details

2. Fixed Greptile Code Review Issues

• Fixed from_dict() mutation bug (now uses .get() instead of .pop())
• Added test to prevent regression (test_profile_from_dict_no_mutation)

3. Clarified Soft Enforcement in Documentation

• Updated module docstring to explicitly state this is prompting-based guidance
• Added note about PR feat: add shielded processing mode for handling untrusted content safely #1158 for future hard enforcement
• CLI profile show displays reminder about soft enforcement

Summary

This PR now provides:

• Profiles as lightweight agents (Option B as agreed)
• gptme profile (singular) naming convention
• Clear documentation that restrictions are prompting-based, not enforced

Ready for review when you have time.

Closing this PR — it has merge conflicts and has been open for 3 weeks without review.

The feature (agent profiles) is still tracked in issue #1157. I'll reopen a fresh PR if/when there's interest in pursuing this.

Closing to reduce PR noise and keep the review queue focused on active, clean PRs.