fix(ui): strip inbound metadata blocks and guard reply-tag streaming (clean rewrite) (#22346)

* fix(ui): strip inbound metadata blocks from user messages * chore: clean up metadata-strip format and changelog credit * Update src/shared/chat-envelope.ts Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> --------- Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
2026-04-18 04:17:27 +00:00 · 2026-02-20 18:41:32 -08:00
parent 0e068194ad
commit 9a6b26d427
5 changed files with 69 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -25,6 +25,7 @@ Docs: https://docs.openclaw.ai
 - Agents/Subagents: restore announce-chain delivery to agent injection, defer nested announce output until descendant follow-up content is ready, and prevent descendant deferrals from consuming announce retry budget so deep chains do not drop final completions. (#22223) Thanks @tyler6204.
 - Gateway/Auth: require `gateway.trustedProxies` to include a loopback proxy address when `auth.mode="trusted-proxy"` and `bind="loopback"`, preventing same-host proxy misconfiguration from silently blocking auth. (#22082, follow-up to #20097) thanks @mbelinky.
 - Security/OpenClawKit/UI: prevent injected inbound user context metadata blocks from leaking into chat history in TUI, webchat, and macOS surfaces by stripping all untrusted metadata prefixes at display boundaries. (#22142) Thanks @Mellowambience, @vincentkoc.
+- Security/OpenClawKit/UI: prevent inbound metadata leaks and reply-tag streaming artifacts in TUI rendering by stripping untrusted metadata prefixes at display boundaries. (#22346) Thanks @akramcodez, @vincentkoc.
 - Agents/System Prompt: label allowlisted senders as authorized senders to avoid implying ownership. Thanks @thewilloftheshadow.
 - Agents/Tool display: fix exec cwd suffix inference so `pushd ... && popd ... && <command>` does not keep stale `(in <dir>)` context in summaries. (#21925) thanks @Lukavyi.
 - Gateway/Auth: allow trusted-proxy mode with loopback bind for same-host reverse-proxy deployments, while still requiring configured `gateway.trustedProxies`. (#20097) thanks @xinhuagu.
--- a/src/agents/pi-embedded-subscribe.handlers.messages.ts
+++ b/src/agents/pi-embedded-subscribe.handlers.messages.ts
@@ -21,6 +21,9 @@ import {
 const stripTrailingDirective = (text: string): string => {
  const openIndex = text.lastIndexOf("[[");
  if (openIndex < 0) {
+    if (text.endsWith("[")) {
+      return text.slice(0, -1);
+    }
    return text;
  }
  const closeIndex = text.indexOf("]]", openIndex + 2);
--- a/src/gateway/chat-sanitize.test.ts
+++ b/src/gateway/chat-sanitize.test.ts
@@ -39,4 +39,35 @@ describe("stripEnvelopeFromMessage", () => {
    const result = stripEnvelopeFromMessage(input) as { content?: string };
    expect(result.content).toBe("note\n[message_id: 123]");
  });
+  test("removes inbound un-bracketed conversation info blocks from user messages", () => {
+    const input = {
+      role: "user",
+      content:
+        'Conversation info (untrusted metadata):\n```json\n{\n  "message_id": "123"\n}\n```\n\nHello there',
+    };
+    const result = stripEnvelopeFromMessage(input) as { content?: string };
+    expect(result.content).toBe("Hello there");
+  });
+
+  test("removes all inbound metadata blocks before user text", () => {
+    const input = {
+      role: "user",
+      content:
+        'Thread starter (untrusted, for context):\n```json\n{"seed": 1}\n```\n\nSender (untrusted metadata):\n```json\n{"name": "alice"}\n```\n\nActual user message',
+    };
+    const result = stripEnvelopeFromMessage(input) as { content?: string };
+    expect(result.content).toBe("Actual user message");
+  });
+
+  test("does not strip metadata-like blocks that are not a prefix", () => {
+    const input = {
+      role: "user",
+      content:
+        'Actual text\nConversation info (untrusted metadata):\n```json\n{"message_id": "123"}\n```\n\nFollow-up',
+    };
+    const result = stripEnvelopeFromMessage(input) as { content?: string };
+    expect(result.content).toBe(
+      'Actual text\nConversation info (untrusted metadata):\n```json\n{"message_id": "123"}\n```\n\nFollow-up',
+    );
+  });
 });
--- a/src/gateway/chat-sanitize.ts
+++ b/src/gateway/chat-sanitize.ts
@@ -1,4 +1,8 @@
-import { stripEnvelope, stripMessageIdHints } from "../shared/chat-envelope.js";
+import {
+  stripEnvelope,
+  stripInboundMetadataBlocks,
+  stripMessageIdHints,
+} from "../shared/chat-envelope.js";

 export { stripEnvelope };

@@ -12,7 +16,7 @@ function stripEnvelopeFromContent(content: unknown[]): { content: unknown[]; cha
    if (entry.type !== "text" || typeof entry.text !== "string") {
      return item;
    }
-    const stripped = stripMessageIdHints(stripEnvelope(entry.text));
+    const stripped = stripMessageIdHints(stripEnvelope(stripInboundMetadataBlocks(entry.text)));
    if (stripped === entry.text) {
      return item;
    }
@@ -39,7 +43,7 @@ export function stripEnvelopeFromMessage(message: unknown): unknown {
  const next: Record<string, unknown> = { ...entry };

  if (typeof entry.content === "string") {
-    const stripped = stripMessageIdHints(stripEnvelope(entry.content));
+    const stripped = stripMessageIdHints(stripEnvelope(stripInboundMetadataBlocks(entry.content)));
    if (stripped !== entry.content) {
      next.content = stripped;
      changed = true;
@@ -51,7 +55,7 @@ export function stripEnvelopeFromMessage(message: unknown): unknown {
      changed = true;
    }
  } else if (typeof entry.text === "string") {
-    const stripped = stripMessageIdHints(stripEnvelope(entry.text));
+    const stripped = stripMessageIdHints(stripEnvelope(stripInboundMetadataBlocks(entry.text)));
    if (stripped !== entry.text) {
      next.text = stripped;
      changed = true;
--- a/src/shared/chat-envelope.ts
+++ b/src/shared/chat-envelope.ts
@@ -16,6 +16,20 @@ const ENVELOPE_CHANNELS = [
 ];

 const MESSAGE_ID_LINE = /^\s*\[message_id:\s*[^\]]+\]\s*$/i;
+const INBOUND_METADATA_HEADERS = [
+  "Conversation info (untrusted metadata):",
+  "Sender (untrusted metadata):",
+  "Thread starter (untrusted, for context):",
+  "Replied message (untrusted, for context):",
+  "Forwarded message context (untrusted metadata):",
+  "Chat history since last reply (untrusted, for context):",
+];
+const REGEX_ESCAPE_RE = /[.*+?^${}()|[\]\\\-]/g;
+const INBOUND_METADATA_PREFIX_RE = new RegExp(
+  "^\\s*(?:" +
+    INBOUND_METADATA_HEADERS.map((header) => header.replace(REGEX_ESCAPE_RE, "\\$&")).join("|") +
+    ")\\r?\\n```json\\r?\\n[\\s\\S]*?\\r?\\n```(?:\\r?\\n)*",
+);

 function looksLikeEnvelopeHeader(header: string): boolean {
  if (/\d{4}-\d{2}-\d{2}T\d{2}:\d{2}Z\b/.test(header)) {
@@ -47,3 +61,15 @@ export function stripMessageIdHints(text: string): string {
  const filtered = lines.filter((line) => !MESSAGE_ID_LINE.test(line));
  return filtered.length === lines.length ? text : filtered.join("\n");
 }
+
+export function stripInboundMetadataBlocks(text: string): string {
+  let remaining = text;
+  for (;;) {
+    const match = INBOUND_METADATA_PREFIX_RE.exec(remaining);
+    if (!match) {
+      break;
+    }
+    remaining = remaining.slice(match[0].length).replace(/^\r?\n+/, "");
+  }
+  return remaining.trim();
+}