fix(engine): sanitize assistant content snippets in compaction summaries #614

@Aureliolo

Description

Problem

The compaction summarizer (src/synthorg/engine/compaction/summarizer.py, lines ~226-228) extracts msg.content[:100] from every ASSISTANT role message and joins them into a SYSTEM message that is permanently injected into the agent's context. If the LLM response embedded sensitive tool output (credentials, PII, internal file paths) in its content field, those first 100 characters survive compaction and are sent to the LLM indefinitely.

Impact

Expanded by PR #601 -- compaction_callback is now wired into all auto-selected loops (previously only available to statically configured loops), substantially increasing the surface where compaction triggers.

Suggested Fix

In _build_summary, strip or redact known sensitive patterns (secrets-style regexes, file paths) from snippet text before joining, consistent with the sanitization already done in _handle_fatal_error (agent_engine.py lines ~1242-1253).

Requires product-level decision on what constitutes "sensitive content" in the summarizer context.
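A sketch of the redact-then-truncate step described above, added here as an example and not code from the synthorg project; the Message class, the pattern list and the SNIPPET_LEN constant are assumptions, since the summarizer's internals are not shown in this issue:

```python
import re
from dataclasses import dataclass

SNIPPET_LEN = 100  # assumption: mirrors the msg.content[:100] slice described above


@dataclass
class Message:
    role: str  # hypothetical shape; e.g. "USER", "ASSISTANT", "SYSTEM"
    content: str


# Deliberately broad patterns (favour over-redaction): key=value style secrets,
# bearer tokens, AWS-style access key IDs, PEM private keys, absolute POSIX paths.
_SENSITIVE = [
    (re.compile(r"(?i)(\w*(?:api[_-]?key|secret|token|password|passwd))\b[\"']?\s*[:=]\s*\S+"),
     r"\1=[REDACTED]"),
    (re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]+=*"), "Bearer [REDACTED]"),
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED_AWS_KEY]"),
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?(?:-----END [A-Z ]*PRIVATE KEY-----|\Z)", re.S),
     "[REDACTED_PRIVATE_KEY]"),
    (re.compile(r"(?:/[\w.-]+){2,}"), "[PATH]"),
]


def redact(text: str) -> str:
    """Apply every pattern in order; later patterns see earlier replacements."""
    for pattern, replacement in _SENSITIVE:
        text = pattern.sub(replacement, text)
    return text


def build_summary(messages: list[Message]) -> str:
    """Join redacted, truncated ASSISTANT snippets into one summary string."""
    snippets = []
    for msg in messages:
        if msg.role != "ASSISTANT":
            continue
        # Redact BEFORE slicing: slicing first can leave a secret prefix that is
        # too short for its pattern to match (e.g. 8 chars of an AWS key ID).
        snippets.append(redact(msg.content)[:SNIPPET_LEN])
    return "Summary of prior assistant turns:\n" + "\n".join(f"- {s}" for s in snippets)
```

The pattern list is a starting point only; which patterns count as "sensitive" is exactly the product decision the issue calls out.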

Context

Discovered during PR #601 review (security-reviewer agent, confidence 85).

Metadata

Labels

prio:low (Nice to have, can defer)
scope:small (Less than 1 day of work)
spec:memory (DESIGN_SPEC Section 7 - Memory & Persistence)
type:fix (Bug fixes and corrections)
