Feature: Include trusted sender_name in inbound metadata envelope

[scekker]

Summary

The current inbound metadata envelope provides sender_id (a trusted, platform-injected identifier) but not a resolved sender_name. Agents are forced to do their own name resolution — either via a local registry lookup or, incorrectly, by reading conversational context (untrusted).

This leads to a real failure mode: agents read names from prior messages or channel context and misroute DMs to the wrong person. We saw this today when Mendel sent messages intended for Steve to a different user because a name mentioned in conversation context bled into the wrong session.

Proposed Solution

Add a trusted sender_name field to the inbound metadata envelope, resolved by OpenClaw from the server's user directory at message ingestion time — the same way sender_id is already injected.

Current envelope (example):

{
  "sender_id": "927709652014215199",
  "sender": "scekker"
}

Proposed envelope:

{
  "sender_id": "927709652014215199",
  "sender": "scekker",
  "sender_display_name": "Stephen Ekker"  // resolved from server directory, trusted
}

Why This Matters

• Security: Names in conversational context can be impersonated or drift across sessions. Only the platform-resolved identity is trustworthy.
• Correctness: Agents shouldn't need local workaround registries to do basic identity resolution — this is a platform responsibility.
• Failure mode is real: Agent DM misrouting to wrong users has already occurred in production (Mar 13, 2026). The current workaround (per-agent registry SOPs) is fragile and can be forgotten.

Current Workaround

Agents maintain local people/registry.json files and are instructed via SOP to always look up sender_id before composing any message. This works but is an agent-level patch for a platform-level gap.

Context

Reported by the Ekker Lab / UViiVe AI fleet. Fleet runs multiple agents (Atlas, Zevo, Uvy, S.A.R.A.H., Buster, Pip, Mendel) across Discord channels and DMs. Identity misrouting in this context has real consequences — wrong person receives sensitive research coordination or private messages.

/cc @scekker

[Ryce]

The real damage from identity misrouting isn't just the wrong message landing in the wrong DM — it's the cascading session state corruption that follows. When Mendel sent messages to the wrong person based on conversational-name drift, every subsequent agent action was working from polluted context. The local people/registry.json workaround helps prevent future misroutes, but it doesn't fix the state that's already been corrupted.

This is where independent workspace persistence matters. If you have snapshots of your agent's full workspace (memory files, people registry, session transcripts) taken independently of the gateway's in-memory state, you can:

1. Detect the corruption window — diff the current people/registry.json and memory files against a pre-incident snapshot to see exactly what got polluted and when
2. Restore to known-good state — roll back the agent's local context to before the misrouting incident, rather than trying to manually untangle which conversations are trustworthy
3. Audit the blast radius — review session transcripts from backup to identify every message that went to the wrong recipient, so you can follow up with the actual intended recipients

The platform-level fix (trusted sender_name in the envelope) is the right long-term solution. But in the gap between now and when that lands, having independent persistence of agent state means a misrouting incident is recoverable rather than catastrophic — especially in a multi-agent fleet where one corrupted session can cascade across shared infrastructure.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 10, 2026, 9:10 PM ET / 01:10 UTC.

Summary
The issue remains necessary because current main intentionally keeps sender names and IDs in untrusted prompt context, while the reported need is for a trustworthy identity usable across agent reasoning and delivery. The open Discord implementation is the closest canonical path, but it is unmerged, conflicting, and requires maintainer approval of the security boundary; the raw trusted-display-name proposal should not proceed as written.

Reproducibility: no. Source inspection confirms the current trust-boundary gap, but the reported end-to-end wrong-recipient DM incident depends on fleet prompts, session state, and delivery behavior that has not been replayed on current main.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.
• Include redacted logs or terminal output.

Next step
Keep this issue paired with #70944; maintainer security/product review must first approve the canonical-principal contract and decide whether to refresh that conflicting branch or replace it.

Review details

Best possible solution:

Use stable channel user IDs plus operator-configured identity links to produce a canonical sender principal across all Discord ingress paths, and ensure outbound DM targeting uses stable IDs or that principal while display names remain explicitly untrusted.

Do we have a high-confidence way to reproduce the issue?

No. Source inspection confirms the current trust-boundary gap, but the reported end-to-end wrong-recipient DM incident depends on fleet prompts, session state, and delivery behavior that has not been replayed on current main.

Is this the best way to solve the issue?

No, not as proposed. Promoting a platform display name into trusted metadata violates the current attacker-controlled-string rule; the narrower solution is an operator-controlled canonical principal backed by stable channel IDs and used consistently for routing.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• Treating a transport display name as trusted would contradict the current prompt-injection boundary and could let mutable or spoofable identity data influence privileged agent reasoning.
• Human-readable names in system metadata increase privacy exposure in model prompt context.
• The related Discord PR is conflicting and its supplied proof does not replay the reported end-to-end DM misrouting or prove stable recipient selection after identity resolution.

Codex review notes: reasoning high; reviewed against 88038db3e574.

Label changes

Label changes:

• remove clawsweeper:needs-maintainer-review: Current issue advisory state no longer selects this label.
• remove clawsweeper:needs-security-review: Current issue advisory state no longer selects this label.

Label justifications:

• P1: The report describes an observed private-message misroute with ongoing channel-workflow and context consequences.
• impact:security: The issue concerns whether identity used by the agent comes from a trusted mapping or spoofable conversational and display-name data.
• impact:message-loss: The reported failure sends a private message to the wrong recipient.
• impact:session-state: The report and discussion describe later agent actions operating on polluted conversation state after the misroute.

Evidence reviewed

What I checked:

• Trusted metadata contract: The system-envelope builder explicitly excludes attacker-controlled sender names and places them in user-role untrusted context instead. (src/auto-reply/reply/inbound-meta.ts:442, 88038db3e574)
• Current sender envelope: Current main includes SenderId and SenderName in the Sender (untrusted metadata) block, so the fields exist but are deliberately outside the trusted boundary. (src/auto-reply/reply/inbound-meta.ts:568, 88038db3e574)
• Existing canonical identity mechanism: Current routing supports operator-configured session.identityLinks, mapping stable channel peer identifiers into canonical identities for direct-message session routing. (src/routing/session-key.ts:267, 88038db3e574)
• Open implementation candidate: The open related PR resolves stable Discord user IDs through operator-configured identity links and emits sender_principal, while deliberately excluding raw IDs and spoofable display names; it is currently conflicting and unmerged. (b69f66be9fac)
• Privacy trade-off: The closed unmerged privacy PR documented human-readable participant names in system-injected metadata as identifying prompt exposure, reinforcing that a trusted display-name field needs an explicit security/product decision. (4f0dc3df4ea8)
• Feature provenance: Blame attributes the current sender-context structure and explicit untrusted placement to the release stabilization commit on current main. (src/auto-reply/reply/inbound-meta.ts:568, 5d2eb3c3e1ac)

Likely related people:

• vincentkoc: Current blame ties the sender untrusted-context structure and adjacent metadata hardening to this contributor. (role: recent inbound metadata contributor; confidence: high; commits: 5d2eb3c3e1ac; files: src/auto-reply/reply/inbound-meta.ts)
• obviyus: Recent merged history cited in the related privacy review connects this contributor to inbound metadata, reply context, and prompt-local context behavior. (role: recent prompt metadata contributor; confidence: medium; commits: 503c3d139c9a, ff002ec149e7, ac75d6f76e2f; files: src/auto-reply/reply/inbound-meta.ts, src/auto-reply/reply/inbound-meta.test.ts, src/auto-reply/reply/get-reply-run.ts)
• MonkeyLeeT: The current exclusion of turn-varying inbound identifiers from the trusted system prefix is related to this contributor's prompt-cache stability work. (role: prompt-cache contract contributor; confidence: medium; commits: eb1080369165; files: src/auto-reply/reply/inbound-meta.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.