fix(ui): strip inbound metadata blocks and guard reply-tag streaming (clean rewrite) by vincentkoc · Pull Request #22346 · openclaw/openclaw

vincentkoc · 2026-02-21T02:11:49Z

This is a clean reroute of the closed PR for this change.

Reuses the final intended payload from the previously closed work.
Rebased onto origin/main and squashed to a single clean commit.
This branch is clean and ready for normal review.

This supersedes #21643. The original PR became stale due a detached/dirty head after history churn while attempting rebase/cleanup.

Closes #21548.

Greptile Summary

This PR enhances security by preventing inbound metadata blocks from leaking into chat history and fixes streaming artifacts when reply tags are being processed.

Key changes:

Added stripInboundMetadataBlocks() function to remove untrusted metadata prefixes (like "Conversation info (untrusted metadata):", "Sender (untrusted metadata):", etc.) from user messages at display boundaries
Integrated the new stripping function into the sanitization pipeline in chat-sanitize.ts, applying it before envelope and message ID stripping
Added guard in stripTrailingDirective() to handle incomplete reply-tag streaming by removing trailing [ characters that haven't formed complete [[directive]] tags yet
Added comprehensive test coverage for the new metadata stripping behavior, including prefix-only matching (doesn't strip metadata blocks that appear mid-message)

The implementation correctly strips multiple consecutive metadata blocks at the start of messages using a loop with regex matching, then trims the result. The regex pattern properly escapes special characters in the header strings before building the alternation pattern.

Confidence Score: 4/5

This PR is safe to merge with minor risk
The changes are well-tested with comprehensive test coverage for the new stripping behavior. The security fix is straightforward and addresses a real vulnerability (metadata injection/leakage). The regex implementation is sound and the integration into existing sanitization pipeline is minimal and follows existing patterns. One minor logic concern was flagged regarding regex escaping, but this doesn't affect the current headers. The trailing [ guard is a simple defensive check that prevents streaming artifacts.
Review src/shared/chat-envelope.ts line 27 to verify regex escape pattern is complete

_{Last reviewed commit: 900afd4}

greptile-apps

_{5 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

…(clean rewrite) (openclaw#22346) * fix(ui): strip inbound metadata blocks from user messages * chore: clean up metadata-strip format and changelog credit * Update src/shared/chat-envelope.ts Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> --------- Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

The `\-` inside a character class is unnecessary when `-` is at the end. Fixes oxlint no-useless-escape error introduced in openclaw#22346.

…(clean rewrite) (openclaw#22346) * fix(ui): strip inbound metadata blocks from user messages * chore: clean up metadata-strip format and changelog credit * Update src/shared/chat-envelope.ts Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> --------- Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

fix(ui): strip inbound metadata blocks from user messages

cfaa06a

vincentkoc mentioned this pull request Feb 21, 2026

fix: strip metadata blocks and prevent reply tag streaming leaks #21643

Closed

4 tasks

openclaw-barnacle Bot added gateway Gateway runtime agents Agent runtime and tooling size: S maintainer Maintainer-authored PR labels Feb 21, 2026

chore: clean up metadata-strip format and changelog credit

900afd4

vincentkoc self-assigned this Feb 21, 2026

vincentkoc marked this pull request as ready for review February 21, 2026 02:30

greptile-apps Bot reviewed Feb 21, 2026

View reviewed changes

Comment thread src/shared/chat-envelope.ts Outdated

Update src/shared/chat-envelope.ts

597e443

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

vincentkoc merged commit 9a6b26d into main Feb 21, 2026
13 of 14 checks passed

vincentkoc deleted the vincentkoc-code/clean-21643-rebase-origin-main branch February 21, 2026 02:41

github-actions Bot mentioned this pull request Feb 21, 2026

📡 Upstream Digest — 2026-02-21 03:59 UTC curtismercier/openclaw-mods#82

Open

clawsweeper Bot mentioned this pull request May 4, 2026

privacy: reduce human-identifying system-injected inbound metadata in LLM prompt context #48585

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(ui): strip inbound metadata blocks and guard reply-tag streaming (clean rewrite)#22346

fix(ui): strip inbound metadata blocks and guard reply-tag streaming (clean rewrite)#22346
vincentkoc merged 3 commits intomainfrom
vincentkoc-code/clean-21643-rebase-origin-main

vincentkoc commented Feb 21, 2026 •

edited by greptile-apps Bot

Loading

Uh oh!

greptile-apps Bot left a comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

vincentkoc commented Feb 21, 2026 • edited by greptile-apps Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Greptile Summary

Confidence Score: 4/5

Uh oh!

greptile-apps Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

vincentkoc commented Feb 21, 2026 •

edited by greptile-apps Bot

Loading