feat: centralized outbound message sanitization gate

[dahifi]

Problem

The current error sanitization is scattered across multiple per-tool and per-error-type handlers (sanitizeUserFacingText, formatAssistantErrorText, individual tool error formatting). Each new tool or API integration can introduce new leak vectors that require patching individually. This doesn't scale.

PR #16653 patches three specific variants (Brave Search 429, Edit tool path leaks, generic API error JSON), but the underlying architecture remains fragile.

Proposed Solution

Add a single sanitization gate in src/infra/outbound/deliver.ts at the deliverOutboundPayloads() boundary — every payload.text gets sanitized before hitting any channel send function, regardless of source (tool error, LLM error, assistant reply, system event).

Architecture

Current:  Tool errors → payloads.ts (per-tool sanitization) → deliver.ts → channels
Proposed: Tool errors → payloads.ts (raw) → deliver.ts (central sanitizer) → channels
                                                    ↓
                                              audit log (raw error for debugging)

Scope estimate (~70 net lines)

• Add sanitizeOutboundText() in deliver.ts before channel sends (~20 lines)
• Move/refactor sanitizeUserFacingText() to be outbound-aware (~30 lines)
• Remove redundant per-tool sanitization (~-50 lines)
• Emit raw errors to logging/audit before sanitizing (~40 lines)
• Tests for the boundary sanitizer (~30 lines)

Benefits

• Single point of control — new tools/APIs are safe by default
• Audit trail — raw errors preserved for debugging, never shown to users
• Simpler tool code — tools don't need to worry about error formatting

Related: #7867, PR #16653

[jheeanny]

Centralized outbound message sanitization gate is essential for PII protection. We use a pipeline: (1) detect secrets with regex + entropy, (2) redact based on policy, (3) log full message to audit store. Do you also support per‑channel sanitization rules (e.g., Slack vs Discord differences)?

[aldoeliacim]

Related: PR #20251 takes a step in this direction by sanitizing two major leak vectors (LLM API errors in errors.ts and media fetch errors in deliver-reply.ts). It doesn't implement a centralized gate yet, but it covers the patterns described here — transient API errors, auth errors, failover strings, and media fetch metadata all get stripped before reaching users. Fixes #20250 and #20279.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[openclaw-barnacle]

Closing due to inactivity.
If this is still an issue, please retry on the latest OpenClaw release and share updated details.
If you are absolutely sure it still happens on the latest release, open a new issue with fresh repro steps.