Potential Data Race in shallowCopyMap

The shallowCopyMap function only copies the top-level map, leaving nested maps, slices, or pointers shared between the original and the copy. If any code (including Genkit or future changes) mutates nested structures within Metadata or Custom, this could result in subtle data races.

Recommended Solution:
If there is any possibility that nested structures are mutated, implement a recursive deep copy for maps and slices, or ensure that all code treats these fields as immutable after copying. Otherwise, document this requirement clearly and audit all usages.

Reference Copy of ToolRequest.Input and ToolResponse.Output

In deepCopyPart, the Input and Output fields of ToolRequest and ToolResponse are copied by reference. The comment notes that this is acceptable because Genkit only mutates msg.Content, and these fields are typically JSON-serializable primitives. However, if these fields ever contain mutable objects (e.g., maps, slices, structs), a data race could occur if they are mutated elsewhere.

Recommended Solution:
Consider using a deep copy (e.g., via encoding/json round-trip) for these fields if there is any risk of mutation. Alternatively, document and enforce that these fields must be immutable or only contain primitives.

The substring matching for verifying multiple aspects in the response is brittle and may result in false negatives if the LLM uses synonyms or paraphrases (e.g., 'parallelism' instead of 'concurrent', or 'efficiency' instead of 'fast'). Consider expanding the set of keywords or employing a more flexible matching strategy, such as regular expressions or semantic similarity checks, to make the test more robust.

Potential Issue: Message Order Not Verified in General Test Logic

The assertions in lines 248-269 verify the count, system message presence, last message text, and retained message texts, but do not check that the retained messages maintain their original chronological order (except in the dedicated order test). This could allow a bug where messages are retained but reordered during truncation.

Recommended Solution:
Add an assertion to verify that the order of retained messages matches the order in the original input slice (for the retained subset). For example:

for i, msg := range got {
    if msg != tt.msgs[len(tt.msgs)-len(got)+i] {
        t.Errorf("message %d is not in original order", i)
    }
}

This will ensure that truncation does not reorder messages.

Potential Issue: Duplicate Messages Not Checked

The test logic does not verify that the output of truncateHistory does not contain duplicate messages. If the truncation logic is incorrect, it could potentially retain the same message multiple times, which would not be detected by the current assertions.

Recommended Solution:
Add an assertion to check for duplicate messages in the output. For example:

seen := make(map[*ai.Message]bool)
for i, msg := range got {
    if seen[msg] {
        t.Errorf("duplicate message found at index %d", i)
    }
    seen[msg] = true
}

This will ensure that each retained message is unique.

The adversarial prompt corpus is statically defined and may not cover emerging or less common prompt injection patterns, especially those using novel Unicode or language-based evasion techniques. To improve coverage and maintainability, consider externalizing the corpus to a configuration file or database, or providing a mechanism to dynamically update the seed set. This will facilitate easier updates and broader coverage as new attack vectors are discovered.

Potential Test Fragility and Ambiguity

Assigning a hardcoded session ID of "default" when session_id is missing (line 326) may cause ambiguous or conflicting test results if multiple tests are run in parallel or if test logic depends on unique session IDs. Consider generating a unique session ID for each test invocation to avoid accidental state sharing or collisions:

if sessionIDStr == "" {
    sessionIDStr = uuid.New().String()
}

This ensures test isolation and reduces the risk of subtle test failures.