fix(auto-reply): hide direct-chat metadata without sender-id sentinel

[obviyus]

Supersedes #22054 (author branch was force-reset and maintainers no longer had push rights).

What changed

• Hide message_id, message_id_full, reply_to_id, sender_id, and sender in direct chats in buildInboundUserContextPrefix.
• Keep direct/group classification based on normalized ChatType only (remove sender-id sentinel behavior).
• Add direct-chat regression test for hidden message identifiers.
• Add group-chat guard test to ensure sender-id string cannot force direct behavior.
• Add changelog entry.

Validation

• pnpm vitest run src/auto-reply/reply/inbound-meta.test.ts

Greptile Summary

Removes sender-id sentinel behavior that could allow group chats to be misclassified as direct chats. Now hides message_id, message_id_full, reply_to_id, sender_id, and sender metadata strictly based on the normalized ChatType value, preventing spoofing attacks where a malicious sender could set sender_id to a special value like openclaw-control-ui to trigger direct-chat handling in a group context.

• Fixed security issue where sender-id values could override chat type classification
• Added regression test for direct chat metadata hiding
• Added guard test to ensure group chats with sentinel sender-ids remain classified as group chats
• Updated existing tests to use ChatType: "group" instead of "direct" for tests that verify group metadata visibility

Confidence Score: 5/5

• This PR is safe to merge with minimal risk - it fixes a security vulnerability and has comprehensive test coverage
• The changes are straightforward and well-tested. The fix correctly addresses the security issue by ensuring chat type classification is based solely on the normalized ChatType field rather than allowing sender-id values to override it. All modified tests now correctly use ChatType: "group" for group chat scenarios, and two new tests specifically guard against the vulnerability. The logic changes are confined to conditional checks that hide metadata in direct chats, which is the intended behavior.
• No files require special attention

_{Last reviewed commit: 1212258}

[obviyus]

Merged with admin CI bypass per maintainer instruction. Head pinned: ca54355.

[Lanfei]

@obviyus After this PR, agents in direct chats can no longer access sender_id. This breaks proactive messaging scenarios — e.g. the message tool needs a target to send to the user, but there's no reliable way to obtain one from the current metadata. What's the intended approach for this?

[obviyus]

@Lanfei Good catch! This was intentional: we removed sender_id from the untrusted direct-chat conversation block.

Proactive sends should use the trusted route target (chat_id in inbound metadata) or rely on message-tool current-session target inference (no explicit target needed for same chat).

If you have a concrete flow where those are insufficient, please let me know. I can take a look.

[Lanfei]

@obviyus Thanks! One follow-up: chat_id from trusted metadata doesn't seem to be directly usable as target in the message tool across all channels. For example, "telegram:123456789" fails looksLikeTargetId() in target-resolver.ts and falls through to a directory lookup that fails for DMs. Is there a channel-agnostic way to use chat_id as target for proactive sends to a different user (not a reply to the current session)?

[obviyus]

@Lanfei With channel=telegram, target="telegram:" is treated as a direct id (no directory lookup). The current limitation is channel selection, not Telegram id parsing: for proactive sends to another user, you must pass both channel and target (unless sending in current-session context where channel/target can be inferred).

Maybe we can also add a follow-up enhancement to infer channel from provider-prefixed targets when channel is omitted.

[Lanfei]

@obviyus Thanks for the clarification! Just to confirm: is using chat_id (from trusted inbound metadata) as target — combined with channel — a universal approach that works across all channels?

Also, in a multi-account setup, the message tool requires the correct account_id. What's the recommended way for an agent to obtain it?