Cross-provider fallback should respect provider trust boundaries for images/attachments

[mitchmcalister]

Problem

When a model fallback retry crosses providers (e.g. Anthropic → OpenAI), user-supplied images and attachments are forwarded to the fallback provider. Users who configure cross-provider fallbacks for text resilience may not expect their image data to be sent to a different provider.

The current behavior is binary: configured providers receive everything. There's no mechanism to distinguish "I trust this provider for text fallback" from "I trust this provider with my image data."

Proposed solution

Add provider-level trust configuration so users can control what data crosses provider boundaries on fallback:

• A config field like agents.defaults.model.fallbackTrustPolicy or per-provider trust levels
• resolveRetryImages checks whether the fallback is cross-provider and whether the target provider is trusted for image data
• Default behavior: preserve current behavior (forward everything) to avoid breaking existing setups, but allow users to restrict it

Context

Flagged by security review on #43331. The behavior is pre-existing (prior to #43331, images were stripped unconditionally on fallback — a compatibility hack, not a privacy boundary), but worth addressing properly.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main still lacks provider-level fallback media trust configuration, still does not distinguish same-provider from cross-provider media trust in the retry boundary, and prompt-detected image or media://inbound refs can still be loaded for the selected fallback model; open PR #57959 is already the paired implementation candidate.

Reproducibility: yes. Source inspection gives a high-confidence path: configure a cross-provider fallback to a vision-capable target and send a prompt containing a local image path, [Image: source: ...], or [media attached: media://inbound/...]; current main can still load prompt-detected media for that fallback model without target-provider trust context.

Next step
No repair job: open PR #57959 already specifically closes this issue, and the remaining action is maintainer review of the security/product policy.

Security
Needs attention: Current main still has a cross-provider fallback media trust-boundary gap for prompt-detected images and inbound media refs.

Review details

Best possible solution:

Land PR #57959 or a replacement policy-backed fix that covers explicit images, prompt-detected local refs, media://inbound attachments, same-provider retries, and cross-provider retries, with schema/docs updates if maintainers choose configurable trust.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection gives a high-confidence path: configure a cross-provider fallback to a vision-capable target and send a prompt containing a local image path, [Image: source: ...], or [media attached: media://inbound/...]; current main can still load prompt-detected media for that fallback model without target-provider trust context.

Is this the best way to solve the issue?

Unclear. Fail-closed cross-provider stripping and prompt-detection suppression may be the safest narrow fix, but the issue requested configurable trust, so maintainers still need to decide the product policy.

Security concerns:

• [medium] Resolve fallback media trust boundary — src/agents/pi-embedded-runner/run/attempt.ts:2806
  Prompt-detected local image paths and media://inbound attachment refs can still be loaded before submission to the selected fallback model without target-provider media trust context.
  Confidence: 0.9

What I checked:

• Current main inspected: Reviewed current main at a90be47. (a90be474f441)
• No fallback media trust config in model schema: AgentModelSchema is a strict union accepting a string or object with only primary, fallbacks, and timeoutMs; there is no fallbackTrustPolicy or provider media trust field. (src/config/zod-schema.agent-model.ts:3, a90be474f441)
• Defaults expose fallbacks but no agent media trust policy: Agent defaults document model, imageModel, generation fallbacks, and mediaGenerationAutoProviderFallback, but not a trust policy for agent prompt images or attachments on model fallback. (src/config/types.agent-defaults.ts:194, a90be474f441)
• Fallback retry strips explicit images without provider trust context: runAgentAttempt receives originalProvider/isFallbackRetry but still passes images and imageOrder as undefined on every fallback retry, not based on cross-provider trust policy. (src/agents/command/attempt-execution.ts:589, a90be474f441)
• Prompt-detected media refs still load before prompt submission: The embedded runner calls detectAndLoadPromptImages unconditionally for the selected model; that helper detects [media attached: media://inbound/...], [Image: source: ...], file:// URLs, and local image paths, then loads them into the prompt image payload. (src/agents/pi-embedded-runner/run/attempt.ts:2806, a90be474f441)
• Paired implementation remains open: Provided GitHub context shows PR fix(agents): fallback retry image safety and partial execution detection #57959 is open, unmerged, and explicitly says it closes this issue and Cross-provider fallback retry: prompt-detected images bypass resolveRetryImages guard #43492 by stripping cross-provider images and suppressing prompt image detection on cross-provider retries. (c39c5cc97332)

Likely related people:

• steipete: Local blame on the central fallback/media files in this checkout points to Peter Steinberger for the current attempt-execution, prompt-image loading, and schema lines that shape this behavior. (role: recent maintainer and current-line owner; confidence: medium; commits: b37fba7c07a7; files: src/agents/command/attempt-execution.ts, src/agents/pi-embedded-runner/run/attempt.ts, src/agents/pi-embedded-runner/run/images.ts)
• mitchmcalister: The issue body, timeline, and linked PRs show Mitch carried the security review follow-up and authored the open implementation candidate that closes this issue. (role: issue and paired implementation author; confidence: medium; commits: a6082200e655, db14ae0f3cd6, 55e4aa0e5f70; files: src/agents/command/attempt-execution.ts, src/agents/model-fallback.ts, src/agents/pi-embedded-runner/run/attempt.ts)
• vincentkoc: Current main metadata and prior ClawSweeper context link Vincent Koc to nearby model-fallback/auth-runtime maintenance, which is adjacent to routing provider and retry state through this boundary. (role: adjacent fallback maintainer; confidence: low; commits: a90be474f441, 95517edaeba4, 93ce76afe310; files: src/agents/model-fallback.ts, src/agents/agent-command.ts)

Remaining risk / open question:

• The remaining policy choice is unresolved: maintainers need to choose between the requested configurable provider trust policy and a fail-closed cross-provider media stripping policy like PR fix(agents): fallback retry image safety and partial execution detection #57959.

Codex review notes: model gpt-5.5, reasoning high; reviewed against a90be474f441.