Secret/credential masking corrupts image base64 with ellipsis marker (U+2026), permanently poisoning the session

[devinkuhn]

Summary

The secret/credential-masking layer runs its redaction pass over image base64 payloads and replaces matched substrings with the masking marker … (U+2026). This corrupts the base64 irrecoverably and injects a non-ASCII character into image.source.base64. On the next turn (and every turn after), the provider mapper replays the poisoned image block from history and the Anthropic API rejects the entire request:

LLM request rejected: messages.N.content.0.image.source.base64: string argument should contain only ASCII characters

The session is then permanently stuck — every subsequent user message fails with the same error because the corrupted frame keeps replaying from history. Plain-text turns only recover once the replay window scrolls past the bad frame.

This is distinct from #86984

#86984 / PR #88112 describe a different corruption path with the same symptom/error string:

	#86984	This issue
Cause	Replayed image data forwarded as raw latin1/binary bytes, never base64-encoded	Base64 was valid ASCII, then the secret-masker overwrote a chunk with … (U+2026)
Evidence	Many non-ASCII bytes throughout (unencoded binary)	Exactly 1 non-ASCII char in the whole payload — the masking ellipsis
Recoverable?	Yes — re-encode latin1 → base64 (ensureAsciiBase64)	No — original bytes are destroyed by the redaction; re-canonicalizing yields a still-broken image

ensureAsciiBase64 (PR #88112) would not fix this variant: once the masker replaces base64 bytes with …, the data is gone. Re-encoding the corrupted string produces an invalid image.

Root cause

The credential/secret-redaction layer scans message content for secret-like patterns and replaces matches with …. It does not exclude image.source.base64 / image data fields. A long base64 blob can contain a substring that matches a secret heuristic, so the masker rewrites part of the base64 with the ellipsis marker, corrupting it.

Evidence (production, 2026.5.20)

Real session on our deployment:

• One image block (IMG_6842.png, ~80,609-char base64) ended up with exactly one non-ASCII character: \u2026 (U+2026, the masking marker).
• Located at messages.428.content.0.image.source.base64.
• Every turn after the image was sent failed with messages.428.content.0.image.source.base64: string argument should contain only ASCII characters until we manually stripped the image block from the session JSONL.
• The single-char-in-80K signature is the giveaway: this is not unencoded binary (which would be non-ASCII throughout) — it's valid base64 with one masking marker spliced in.

Expected behavior

The secret/credential-masking pass should skip image base64 payloads entirely (image.source.base64, image block data fields, and any data-URL base64). Redacting inside an opaque base64 blob can never reveal a real secret to a human reader anyway, and it corrupts the payload.

Suggested fix

• Exclude image/base64/data-URL fields from the secret-redaction scan, OR
• If a field is detected as base64/data-URL, never substitute the masking marker mid-string (skip the field).

Workaround

Strip the poisoned image block from the session JSONL (the base64 data is unrecoverable). Replacing it with a text placeholder restores the session.

Environment

• OpenClaw 2026.5.20 (e510042)
• Provider: Anthropic (claude family) via a custom anthropic-messages provider (Bifrost)
• Channel: Slack
• Also expected to reproduce on the OpenAI/Responses path (same data-URL base64 validation)

Cross-ref: #86984 (same error, different corruption path), PR #88112.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 5, 2026, 5:35 PM ET / 21:35 UTC.

Summary
Keep open: current main still applies transcript redaction recursively to all string fields, including image payload fields, and the Anthropic/OpenAI mappers replay ImageContent.data directly as base64. The related open pull request #88112 addresses the raw latin1/history-image path for #86984, but it does not fix redaction replacing valid image bytes with the U+2026 mask marker.

Reproducibility: yes. from source inspection: a user/tool message with content: [{ type: "image", data, mimeType }] is recursively redacted before transcript persistence, and any token-like match inside data can receive U+2026 before provider replay. I did not run a live provider repro in this read-only pass.

Next step
This is a safe focused repair candidate: the implicated source files and regression-test surface are clear, and no config or product decision is needed.

Security
Needs attention: The issue is security-boundary sensitive because the repair must preserve credential redaction while exempting only opaque image/base64 payload bytes.

Review details

Best possible solution:

Add a narrow transcript-redaction guard that preserves opaque image/base64 payload bytes while continuing to redact normal text and structured secret fields, with regression coverage for persisted replay.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection: a user/tool message with content: [{ type: "image", data, mimeType }] is recursively redacted before transcript persistence, and any token-like match inside data can receive U+2026 before provider replay. I did not run a live provider repro in this read-only pass.

Is this the best way to solve the issue?

Yes, the narrow maintainable fix is to preserve opaque image/base64 fields in transcript redaction rather than trying to re-canonicalize after the masker destroys bytes. The related open pull request #88112 is useful adjacent work, but it addresses a different raw-data path.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• No live provider reproduction was run in this read-only review; the source path is clear, but a fix PR should add a focused regression test that fails before the fix.
• A repair must skip only opaque image/base64 payload bytes while preserving text, tool-call, and structured secret redaction so credentials are not exposed in transcripts.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 6da3b1f6a351.

Label changes

Label changes:

• add P1: The report describes a real channel/provider workflow where one persisted image block makes every subsequent agent turn fail until the transcript is manually repaired.
• add impact:security: The affected code is the credential/secret redaction boundary, so the fix must preserve secret masking while avoiding opaque payload corruption.
• add impact:message-loss: Provider rejection prevents the agent from responding to follow-up messages while the poisoned frame remains in replay history.
• add impact:session-state: The corrupted image payload is persisted in session JSONL and replays across later turns.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:no-new-fix-pr: Current issue advisory state selects this label.
• add clawsweeper:queueable-fix: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.
• add clawsweeper:needs-security-review: Current issue advisory state selects this label.

Label justifications:

• P1: The report describes a real channel/provider workflow where one persisted image block makes every subsequent agent turn fail until the transcript is manually repaired.
• impact:session-state: The corrupted image payload is persisted in session JSONL and replays across later turns.
• impact:message-loss: Provider rejection prevents the agent from responding to follow-up messages while the poisoned frame remains in replay history.
• impact:security: The affected code is the credential/secret redaction boundary, so the fix must preserve secret masking while avoiding opaque payload corruption.

Evidence reviewed

Security concerns:

• [medium] Keep image exemption narrow — src/agents/transcript-redact.ts:57
redactTranscriptStructuredValue is the transcript secret-scrubbing path; a broad opt-out could leak credentials from text, tool arguments, or custom payloads, so the fix should key off image/base64 payload structure rather than disabling recursive redaction generally.
  Confidence: 0.86

Acceptance criteria:

• node scripts/run-vitest.mjs src/agents/transcript-redact.test.ts
• node scripts/run-vitest.mjs src/config/sessions/transcript-append-redact.test.ts

What I checked:

• Repository policy read: Root policy requires source, tests, current behavior, and relevant scoped guidance for fix/triage answers; src/agents/AGENTS.md was also read because the affected code is under src/agents. (AGENTS.md:11, 6da3b1f6a351)
• Transcript redaction currently walks every string: redactTranscriptStructuredValue redacts any string and recurses into every plain object field; there is no special case for image blocks or base64-bearing fields before the string redaction call. (src/agents/transcript-redact.ts:63, 6da3b1f6a351)
• Transcript persistence stores the redacted message: appendSessionTranscriptMessageLocked calls redactTranscriptMessage before writing the message to JSONL, so a redacted image block becomes persisted session state rather than a display-only redaction. (src/config/sessions/transcript-append.ts:352, 6da3b1f6a351)
• Mask marker corrupts opaque payloads: The generic token masker inserts the U+2026 marker for long matches, which is useful for text but invalid inside an ASCII-only base64 payload. (src/logging/redact.ts:153, 6da3b1f6a351)
• Provider mappers replay image data directly: Anthropic maps image blocks to source: { type: "base64", data: block.data }, and the OpenAI Responses path builds data:${item.mimeType};base64,${item.data}, so poisoned transcript image data reaches provider request payloads unchanged. (src/agents/anthropic-transport-stream.ts:288, 6da3b1f6a351)
• Related open PR is adjacent but not this fix: Current main still passes inline image data through unchanged in resolveInlineAgentImageAttachments; the open related pull request targets raw latin1 re-encoding, not transcript redaction preserving already-valid image base64. (src/auto-reply/reply/agent-turn-attachments.ts:170, 6da3b1f6a351)

Likely related people:

• Ayaan Zaidi: Local blame and git log -S show the current transcript redaction, session persistence, provider mapping, and related image attachment code in the visible checkout history at commit cec5e36a3959a967e64e36493f65da521b1b64c3. (role: introduced current visible behavior; confidence: medium; commits: cec5e36a3959; files: src/agents/transcript-redact.ts, src/config/sessions/transcript-append.ts, src/logging/redact.ts)
• alkor2000: Authored the open related pull request fix(agents): ensure inline image attachments use ASCII base64 (Fixes #86984) #88112 for the sibling image-base64 replay failure, so they have recent context on the nearby attachment path even though that PR does not solve this redaction variant. (role: adjacent fix proposer; confidence: medium; commits: 04f38d39e68b; files: src/auto-reply/reply/agent-turn-attachments.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.