file_read default path materializes the whole file (OOM risk) and never redacts secrets

[Aaronontheweb]

What happens

file_read's default path (no offset/limit) reads the entire file into memory and only then truncates it:

• netclaw/src/Netclaw.Actors/Tools/FileReadTool.cs

  Lines 99 to 101 in 60601c6

  	var content = await File.ReadAllTextAsync(authorizedPath, encoding, ct);
  	RecordSkillReadIfApplicable(authorizedPath);
  	return TruncateFileOutput(content, _config.MaxOutputChars);

That's the same allocate-then-cap pattern #1293 removed from the shell path — File.ReadAllTextAsync materializes the whole thing, then TruncateFileOutput throws most of it away. The bounded, line-by-line path right above it (ReadLinesAsync, used when offset/limit are supplied) does the right thing; the default path does not.

Why it matters

Reading a large authorized file (a multi-hundred-MB log or data dump) spikes the heap by O(file size) before truncation runs, which can OOM the same memory-limited daemon. Since file_read recently gained the ability to pull arbitrary on-disk files into context, the surface for this is wider than it used to be.

Second, related problem: no redaction on read

FileReadTool runs no SecretOutputRedactor at all — reading a file that contains an API key, connection string, or private key hands those bytes straight to the model in cleartext. Every other "return external content to the LLM" path (shell output, background-job output) redacts; this one doesn't.

Suggested direction

• Bound the read. For the default path, either read a bounded head+tail window instead of the whole file, or — since we know the file size up front — refuse an unbounded read of a large file and steer the model to offset/limit or grep rather than silently materializing it. (Industry harnesses do the latter: cap inline, point at the file, tell the model to read ranges / grep.)
• Redact on read. Run the secret redactor over whatever file_read returns. The content is already bounded, so this is a cheap pass over a small string. This complements redact-on-write for files we emit ourselves (shell/job spill): we can scrub files we write, but only redact-on-read covers files someone else put on disk.

Related

#1293 (same allocate-then-cap pattern, shell path).

[Aaronontheweb]

Slated to be solved alongside #1300 by a planned bound-tool-output-with-file-spill design (an OpenSpec change following the #1293 review). That change covers both halves of this issue: the shared bounded-output reader bounds the default file_read path (the OOM), and a redact-on-read requirement runs the secret redactor over whatever file_read returns (the cleartext-secrets gap). It also adds the reject-and-steer behavior (point the model at offset/limit or grep instead of materializing a huge file).

Parked until #1298 (the #1293 BoundedDrainAsync work it builds on) merges.

[Aaronontheweb]

Resolved by #1305 (bound-tool-output-with-file-spill), merged to dev on 2026-06-03 in commit 1d80a45. This is the design called out in the earlier comment, landed once #1298 (the #1293 BoundedDrainAsync work) merged.

Both halves of this issue are addressed:

• OOM / allocate-then-cap: the default file_read path no longer calls File.ReadAllTextAsync. It now streams a bounded head via ReadBoundedHeadAsync (FileReadTool.cs), reading up to MaxOutputChars and stopping, so a multi-hundred-MB file is never materialized just to be truncated.
• Reject-and-steer: when the cap is hit, the output appends a hint steering the model to StartLine/Limit or grep for the rest instead of silently truncating.
• Redact on read: redaction was made a central pass rather than per-tool — DispatchingToolExecutor runs SecretOutputRedactor.Redact over every tool's output (including file_read), followed by ToolOutputSpill.BoundAndSpillAsync for the inline budget + spill.

The "closes #1301" keyword didn't auto-close because #1305 merged into dev rather than the GitHub default branch. Closing manually.