fix: strip untrusted metadata blocks and system event lines from webchat UI

[takeiteasydragon]

Summary

Fixes #20297

The webchat UI was rendering raw internal metadata in chat bubbles. This PR adds stripping for two categories of leaked metadata:

• Untrusted metadata blocks — Conversation info (untrusted metadata):, Sender (untrusted metadata):, Thread starter (untrusted, for context):, Replied message (untrusted, for context):, Forwarded message context (untrusted metadata):, and Chat history since last reply (untrusted, for context): followed by ```json code fences
• System event lines — System: [timestamp] event description lines prepended by prependSystemEvents()

Changes

File	What
src/shared/chat-envelope.ts	Added stripUntrustedMetadataBlocks() and stripSystemEventLines()
src/gateway/chat-sanitize.ts	Wired new functions into the gateway sanitization pipeline
ui/src/ui/chat/message-extract.ts	Wired new functions into UI extraction as defense-in-depth
src/gateway/chat-sanitize.test.ts	Added 6 test cases covering all metadata block types

Sanitization pipeline (after this fix)

raw message text
  → stripSystemEventLines()        — remove "System: [...]..." lines
  → stripEnvelope()                — remove [WhatsApp 2026-01-24 13:36] headers
  → stripUntrustedMetadataBlocks() — remove (untrusted ...) JSON blocks
  → stripMessageIdHints()          — remove [message_id: xxx] lines
clean user message text

Test plan

• npx vitest run src/gateway/chat-sanitize.test.ts — 10/10 pass
• npx vitest run src/auto-reply/reply/inbound-meta.test.ts — 13/13 pass
• pnpm build — pass
• pnpm lint — 0 errors, 0 warnings
• CI full test suite

🤖 Generated with Claude Code

Greptile Summary

Adds stripping for untrusted metadata blocks and system event lines that were leaking into webchat UI. The implementation correctly removes internal metadata like "Conversation info (untrusted metadata):" JSON blocks, "Sender (untrusted metadata):" blocks, and "System: [timestamp]" event lines. The fix is applied at both the gateway sanitization pipeline and the UI extraction layer for defense-in-depth.

• Adds stripUntrustedMetadataBlocks() with regex pattern to match all untrusted metadata block variants
• Adds stripSystemEventLines() to remove leading system event lines and trailing blank lines
• Wires both functions into the sanitization pipeline in the correct order: system events → envelope → untrusted blocks → message ID hints
• Includes comprehensive test coverage for all metadata block types and combined scenarios
• Defense-in-depth approach ensures metadata is stripped at multiple layers

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• The implementation is well-designed with proper defense-in-depth, comprehensive test coverage covering all metadata block types and combined scenarios, correct regex patterns without ReDoS vulnerabilities, and appropriate sanitization order. The fix addresses a real metadata leakage issue without introducing new risks.
• No files require special attention

_{Last reviewed commit: efd894b}

_{(2/5) Greptile learns from your feedback when you react with thumbs up/down!}

[takeiteasydragon]

Disclosure: AI-assisted contribution

This PR was developed in a pair-programming session with Claude Code (claude-opus-4-6). Full transparency on the division of work:

Claude Code handled:

• Tracing the bug through the codebase (from buildInboundUserContextPrefix() to the UI rendering layer)
• Identifying that all 6 untrusted metadata block types and System: event lines needed stripping (not just Conversation info)
• Writing the regex patterns, the two new stripping functions, and the test cases
• Drafting the PR description

I (human) handled:

• Reproducing the bug against a live WhatsApp-connected instance
• Spotting the System: [timestamp] line leak that Claude's initial fix missed
• Reviewing all code changes before commit
• Running local validation (build, lint, targeted tests)

The entire session — from reading the issue to submitting this PR — took about one hour. I'm relatively new to open-source contribution, and Claude Code served as both a coding partner and a patient teacher, walking me through the fork → branch → fix → test → PR workflow step by step.

For reference, PR #20231 (generated by an automated AI agent) attempted a narrower fix targeting only the Conversation info block. This PR takes a more comprehensive approach by matching all (untrusted block variants with a single regex and adding defense-in-depth stripping at the UI layer.

[vincentkoc]

Status: post-merge follow-up from PR #22142. Kept open and monitored for any additional webchat/system-event leakage not fixed by the merged #22142 scope. Close only after end-to-end validation confirms this path is covered.

[vincentkoc]

Duplicate/covered by merged PR #22142 (canonical issue #21109): this PR focuses on webchat metadata visibility already handled by the merged fix. Keeping visibility for any distinct follow-up on #21643 only if needed.

[vincentkoc]

Duplicate/covered by #22142. Closed to avoid redundant overlap.