[Feature]: Reduce human-identifying system-injected inbound metadata in LLM context

[kraocode]

Summary

Add and tighten privacy.redactPII so OpenClaw reduces human-identifying system-injected inbound metadata before that metadata is injected into the LLM.

This PR is intentionally limited to metadata added by OpenClaw itself. It does not rewrite user-authored message body content.

Scope

In scope:

• trusted inbound metadata: chat_id
• user-role inbound metadata blocks:
  • current sender identity fields
  • InboundHistory.sender
  • ReplyToSender
  • ForwardedFrom
  • human-readable group/thread labels
  • forwarded profile-like labels

Out of scope:

• user-authored message bodies
• quoted / forwarded body text
• auth/routing internals that still use raw values before the LLM call
• logs / exports / backups
• unrelated prompt privacy surfaces such as Authorized Senders

Why

OpenClaw previously exposed raw or human-identifying inbound metadata to the LLM prompt context.

Even with initial identifier redaction, the prompt could still contain human-readable participant names, group/thread labels, and forwarded profile labels. That still exposed who a person is or what a conversation is called.

This PR narrows that gap while preserving the minimal speaker continuity and structural context the model still needs.

Behavior

Field / path	Behavior when privacy.redactPII=true
chat_id	hash ID portion, preserve channel prefix
SenderE164	strip
SenderId	pseudonymize as user_<hash>
conversationInfo.sender	pseudonymize
sender metadata label	pseudonymize
InboundHistory[*].sender	pseudonymize
ReplyToSender	pseudonymize
ForwardedFrom	pseudonymize
ConversationLabel	strip
GroupSubject / GroupChannel / GroupSpace	strip
ThreadLabel	strip
ForwardedFromUsername / ForwardedFromTitle / ForwardedFromSignature	strip

Stable pseudonymous labels are used where speaker continuity still matters:

• identifier-backed participants → user_<hash>
• name-only participants → participant_<hash>

Non-goals

This PR does not:

• rewrite user-authored body text
• sanitize arbitrary identifiers inside message body content
• change auth/routing behavior that still relies on raw identifiers internally
• implement full anonymization
• normalize every upstream identity source into a single cross-source pseudonym

Design choices

• Pseudonymization, not deletion, for participant identity where speaker continuity still matters
• Strip human-readable labels where they are not needed for model behavior
• Keep structural/behavioral context like message_id, reply_to_id, topic_id, was_mentioned, and history_count
• Preserve field semantics: e164 is removed rather than replaced with a pseudonym

Known trade-offs

• This is pseudonymization, not strong anonymization
• Deterministic hashes intentionally preserve speaker continuity
• Different upstream raw identifiers can still map to different pseudonyms
• User-authored body text may still mention identifying information; that is outside this PR boundary

Changes

• src/config/zod-schema.ts
  • add privacy.redactPII
• src/auto-reply/reply/get-reply-run.ts
  • thread redactPII into inbound metadata builders
• src/auto-reply/reply/inbound-meta.ts
  • hash chat_id
  • strip SenderE164
  • pseudonymize sender labels across current/history/reply/forward metadata
  • strip human-readable group/thread labels under redactPII
  • strip forwarded profile-like fields under redactPII
• src/auto-reply/reply/inbound-meta.test.ts
  • add focused coverage for all in-scope metadata path classes

Validation

• npx vitest run src/auto-reply/reply/inbound-meta.test.ts
• 40/40 tests passing

Closes #47958

[Ryce]

Good proposal. The deterministic hashing approach (no salt, same user always maps to same pseudonym) is the right call — preserves conversation threading and speaker differentiation without exposing real identifiers.

Two additional angles worth considering:

1. Backup/restore safety: When users export gateway state or create config snapshots for debugging, PII from SenderE164 and chat_id ends up in shareable artifacts. If you post a diagnostic dump to a GitHub issue or share it with a provider, you are exposing real phone numbers and user IDs. A redactPII flag that also applies to diagnostic/export paths would prevent accidental PII leaks from the debug workflow.

2. Multi-environment restore: When restoring a backup to a different gateway instance (e.g. staging → production, or recovery after hardware failure), you may want to preserve conversation history and user mapping without carrying real phone numbers across environments. Hashed IDs make this safe — the pseudonym preserves relationships without exposing sensitive data.

Implementation note: The existing ownerDisplay: "hash" mechanism already proves this pattern works in OpenClaw. Extending it to the message/prompt layer is consistent with what the system already does for Authorized Senders.