fix(security): remove post-compaction audit injection message#28507
Merged
vincentkoc merged 4 commits intoopenclaw:mainfrom Feb 28, 2026
Merged
Conversation
Contributor
Greptile SummaryRemoved the Layer 3 post-compaction audit system (
The removal is complete, with no remaining references to the deleted audit functionality anywhere in the codebase. Confidence Score: 5/5
Last reviewed commit: f719326 |
8aa2224 to
db28bd5
Compare
Remove the post-compaction read audit that injects fake system messages
into conversations after context compaction. This audit:
- Hardcodes WORKFLOW_AUTO.md (a file that doesn't exist in standard
workspaces) as a required read after every compaction
- Leaks raw regex syntax (memory\/\d{4}-\d{2}-\d{2}\.md) in
user-facing warning messages
- Injects messages via enqueueSystemEvent that appear as user-role
messages, tricking agents into reading attacker-controlled files
- Creates a persistent prompt injection vector (see openclaw#27697)
Layer 1 (compaction summary) and Layer 2 (workspace context refresh
from AGENTS.md via post-compaction-context.ts) remain intact and are
sufficient for post-compaction context recovery.
Deleted files:
- src/auto-reply/reply/post-compaction-audit.ts
- src/auto-reply/reply/post-compaction-audit.test.ts
Modified files:
- src/auto-reply/reply/agent-runner.ts (removed imports, audit map,
flag setting, and Layer 3 audit block)
Fixes openclaw#27697, fixes openclaw#26851, fixes openclaw#20484, fixes openclaw#22339, fixes openclaw#25600
Relates to openclaw#26461
db28bd5 to
ab515b7
Compare
Member
|
Rebased this branch onto current What changed:
Validation run locally:
|
This was referenced Feb 28, 2026
vincentkoc
added a commit
that referenced
this pull request
Feb 28, 2026
vincentkoc
added a commit
that referenced
this pull request
Feb 28, 2026
* Changelog: add LanceDB custom baseUrl + dimensions entry (#17874) * Changelog: add Ollama autodiscovery hardening entry (#29201) * Changelog: add Ollama context-window unification entry (#29205) * Changelog: add compaction audit injection removal entry (#28507) * Changelog: add browser url alias entry (#29260) * Changelog: add codex weekly usage label entry (#26267)
r4jiv007
pushed a commit
to r4jiv007/openclaw
that referenced
this pull request
Feb 28, 2026
…aw#28507) * fix: remove post-compaction audit injection (Layer 3) Remove the post-compaction read audit that injects fake system messages into conversations after context compaction. This audit: - Hardcodes WORKFLOW_AUTO.md (a file that doesn't exist in standard workspaces) as a required read after every compaction - Leaks raw regex syntax (memory\/\d{4}-\d{2}-\d{2}\.md) in user-facing warning messages - Injects messages via enqueueSystemEvent that appear as user-role messages, tricking agents into reading attacker-controlled files - Creates a persistent prompt injection vector (see openclaw#27697) Layer 1 (compaction summary) and Layer 2 (workspace context refresh from AGENTS.md via post-compaction-context.ts) remain intact and are sufficient for post-compaction context recovery. Deleted files: - src/auto-reply/reply/post-compaction-audit.ts - src/auto-reply/reply/post-compaction-audit.test.ts Modified files: - src/auto-reply/reply/agent-runner.ts (removed imports, audit map, flag setting, and Layer 3 audit block) Fixes openclaw#27697, fixes openclaw#26851, fixes openclaw#20484, fixes openclaw#22339, fixes openclaw#25600 Relates to openclaw#26461 * fix: resolve lint failures from post-compaction audit removal * Tests: add regression for removed post-compaction audit warnings --------- Co-authored-by: Wilfred (OpenClaw Agent) <jay@openclaw.dev> Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
r4jiv007
pushed a commit
to r4jiv007/openclaw
that referenced
this pull request
Feb 28, 2026
* Changelog: add LanceDB custom baseUrl + dimensions entry (openclaw#17874) * Changelog: add Ollama autodiscovery hardening entry (openclaw#29201) * Changelog: add Ollama context-window unification entry (openclaw#29205) * Changelog: add compaction audit injection removal entry (openclaw#28507) * Changelog: add browser url alias entry (openclaw#29260) * Changelog: add codex weekly usage label entry (openclaw#26267)
xiexikang
pushed a commit
to cclawd007/cclawd
that referenced
this pull request
Feb 28, 2026
…aw#28507) * fix: remove post-compaction audit injection (Layer 3) Remove the post-compaction read audit that injects fake system messages into conversations after context compaction. This audit: - Hardcodes WORKFLOW_AUTO.md (a file that doesn't exist in standard workspaces) as a required read after every compaction - Leaks raw regex syntax (memory\/\d{4}-\d{2}-\d{2}\.md) in user-facing warning messages - Injects messages via enqueueSystemEvent that appear as user-role messages, tricking agents into reading attacker-controlled files - Creates a persistent prompt injection vector (see openclaw#27697) Layer 1 (compaction summary) and Layer 2 (workspace context refresh from AGENTS.md via post-compaction-context.ts) remain intact and are sufficient for post-compaction context recovery. Deleted files: - src/auto-reply/reply/post-compaction-audit.ts - src/auto-reply/reply/post-compaction-audit.test.ts Modified files: - src/auto-reply/reply/agent-runner.ts (removed imports, audit map, flag setting, and Layer 3 audit block) Fixes openclaw#27697, fixes openclaw#26851, fixes openclaw#20484, fixes openclaw#22339, fixes openclaw#25600 Relates to openclaw#26461 * fix: resolve lint failures from post-compaction audit removal * Tests: add regression for removed post-compaction audit warnings --------- Co-authored-by: Wilfred (OpenClaw Agent) <jay@openclaw.dev> Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
xiexikang
pushed a commit
to cclawd007/cclawd
that referenced
this pull request
Feb 28, 2026
* Changelog: add LanceDB custom baseUrl + dimensions entry (openclaw#17874) * Changelog: add Ollama autodiscovery hardening entry (openclaw#29201) * Changelog: add Ollama context-window unification entry (openclaw#29205) * Changelog: add compaction audit injection removal entry (openclaw#28507) * Changelog: add browser url alias entry (openclaw#29260) * Changelog: add codex weekly usage label entry (openclaw#26267)
mylukin
pushed a commit
to mylukin/openclaw
that referenced
this pull request
Feb 28, 2026
…aw#28507) * fix: remove post-compaction audit injection (Layer 3) Remove the post-compaction read audit that injects fake system messages into conversations after context compaction. This audit: - Hardcodes WORKFLOW_AUTO.md (a file that doesn't exist in standard workspaces) as a required read after every compaction - Leaks raw regex syntax (memory\/\d{4}-\d{2}-\d{2}\.md) in user-facing warning messages - Injects messages via enqueueSystemEvent that appear as user-role messages, tricking agents into reading attacker-controlled files - Creates a persistent prompt injection vector (see openclaw#27697) Layer 1 (compaction summary) and Layer 2 (workspace context refresh from AGENTS.md via post-compaction-context.ts) remain intact and are sufficient for post-compaction context recovery. Deleted files: - src/auto-reply/reply/post-compaction-audit.ts - src/auto-reply/reply/post-compaction-audit.test.ts Modified files: - src/auto-reply/reply/agent-runner.ts (removed imports, audit map, flag setting, and Layer 3 audit block) Fixes openclaw#27697, fixes openclaw#26851, fixes openclaw#20484, fixes openclaw#22339, fixes openclaw#25600 Relates to openclaw#26461 * fix: resolve lint failures from post-compaction audit removal * Tests: add regression for removed post-compaction audit warnings --------- Co-authored-by: Wilfred (OpenClaw Agent) <jay@openclaw.dev> Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
mylukin
pushed a commit
to mylukin/openclaw
that referenced
this pull request
Feb 28, 2026
* Changelog: add LanceDB custom baseUrl + dimensions entry (openclaw#17874) * Changelog: add Ollama autodiscovery hardening entry (openclaw#29201) * Changelog: add Ollama context-window unification entry (openclaw#29205) * Changelog: add compaction audit injection removal entry (openclaw#28507) * Changelog: add browser url alias entry (openclaw#29260) * Changelog: add codex weekly usage label entry (openclaw#26267)
wanjizheng
pushed a commit
to wanjizheng/openclaw
that referenced
this pull request
Feb 28, 2026
…aw#28507) * fix: remove post-compaction audit injection (Layer 3) Remove the post-compaction read audit that injects fake system messages into conversations after context compaction. This audit: - Hardcodes WORKFLOW_AUTO.md (a file that doesn't exist in standard workspaces) as a required read after every compaction - Leaks raw regex syntax (memory\/\d{4}-\d{2}-\d{2}\.md) in user-facing warning messages - Injects messages via enqueueSystemEvent that appear as user-role messages, tricking agents into reading attacker-controlled files - Creates a persistent prompt injection vector (see openclaw#27697) Layer 1 (compaction summary) and Layer 2 (workspace context refresh from AGENTS.md via post-compaction-context.ts) remain intact and are sufficient for post-compaction context recovery. Deleted files: - src/auto-reply/reply/post-compaction-audit.ts - src/auto-reply/reply/post-compaction-audit.test.ts Modified files: - src/auto-reply/reply/agent-runner.ts (removed imports, audit map, flag setting, and Layer 3 audit block) Fixes openclaw#27697, fixes openclaw#26851, fixes openclaw#20484, fixes openclaw#22339, fixes openclaw#25600 Relates to openclaw#26461 * fix: resolve lint failures from post-compaction audit removal * Tests: add regression for removed post-compaction audit warnings --------- Co-authored-by: Wilfred (OpenClaw Agent) <jay@openclaw.dev> Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
wanjizheng
pushed a commit
to wanjizheng/openclaw
that referenced
this pull request
Feb 28, 2026
* Changelog: add LanceDB custom baseUrl + dimensions entry (openclaw#17874) * Changelog: add Ollama autodiscovery hardening entry (openclaw#29201) * Changelog: add Ollama context-window unification entry (openclaw#29205) * Changelog: add compaction audit injection removal entry (openclaw#28507) * Changelog: add browser url alias entry (openclaw#29260) * Changelog: add codex weekly usage label entry (openclaw#26267)
wanjizheng
pushed a commit
to wanjizheng/openclaw
that referenced
this pull request
Feb 28, 2026
…aw#28507) * fix: remove post-compaction audit injection (Layer 3) Remove the post-compaction read audit that injects fake system messages into conversations after context compaction. This audit: - Hardcodes WORKFLOW_AUTO.md (a file that doesn't exist in standard workspaces) as a required read after every compaction - Leaks raw regex syntax (memory\/\d{4}-\d{2}-\d{2}\.md) in user-facing warning messages - Injects messages via enqueueSystemEvent that appear as user-role messages, tricking agents into reading attacker-controlled files - Creates a persistent prompt injection vector (see openclaw#27697) Layer 1 (compaction summary) and Layer 2 (workspace context refresh from AGENTS.md via post-compaction-context.ts) remain intact and are sufficient for post-compaction context recovery. Deleted files: - src/auto-reply/reply/post-compaction-audit.ts - src/auto-reply/reply/post-compaction-audit.test.ts Modified files: - src/auto-reply/reply/agent-runner.ts (removed imports, audit map, flag setting, and Layer 3 audit block) Fixes openclaw#27697, fixes openclaw#26851, fixes openclaw#20484, fixes openclaw#22339, fixes openclaw#25600 Relates to openclaw#26461 * fix: resolve lint failures from post-compaction audit removal * Tests: add regression for removed post-compaction audit warnings --------- Co-authored-by: Wilfred (OpenClaw Agent) <jay@openclaw.dev> Co-authored-by: Vincent Koc <vincentkoc@ieee.org> (cherry picked from commit a65b0fa)
wanjizheng
pushed a commit
to wanjizheng/openclaw
that referenced
this pull request
Feb 28, 2026
* Changelog: add LanceDB custom baseUrl + dimensions entry (openclaw#17874) * Changelog: add Ollama autodiscovery hardening entry (openclaw#29201) * Changelog: add Ollama context-window unification entry (openclaw#29205) * Changelog: add compaction audit injection removal entry (openclaw#28507) * Changelog: add browser url alias entry (openclaw#29260) * Changelog: add codex weekly usage label entry (openclaw#26267) (cherry picked from commit 20263d0)
wanjizheng
pushed a commit
to wanjizheng/openclaw
that referenced
this pull request
Feb 28, 2026
…aw#28507) * fix: remove post-compaction audit injection (Layer 3) Remove the post-compaction read audit that injects fake system messages into conversations after context compaction. This audit: - Hardcodes WORKFLOW_AUTO.md (a file that doesn't exist in standard workspaces) as a required read after every compaction - Leaks raw regex syntax (memory\/\d{4}-\d{2}-\d{2}\.md) in user-facing warning messages - Injects messages via enqueueSystemEvent that appear as user-role messages, tricking agents into reading attacker-controlled files - Creates a persistent prompt injection vector (see openclaw#27697) Layer 1 (compaction summary) and Layer 2 (workspace context refresh from AGENTS.md via post-compaction-context.ts) remain intact and are sufficient for post-compaction context recovery. Deleted files: - src/auto-reply/reply/post-compaction-audit.ts - src/auto-reply/reply/post-compaction-audit.test.ts Modified files: - src/auto-reply/reply/agent-runner.ts (removed imports, audit map, flag setting, and Layer 3 audit block) Fixes openclaw#27697, fixes openclaw#26851, fixes openclaw#20484, fixes openclaw#22339, fixes openclaw#25600 Relates to openclaw#26461 * fix: resolve lint failures from post-compaction audit removal * Tests: add regression for removed post-compaction audit warnings --------- Co-authored-by: Wilfred (OpenClaw Agent) <jay@openclaw.dev> Co-authored-by: Vincent Koc <vincentkoc@ieee.org> (cherry picked from commit a65b0fa)
ansh
pushed a commit
to vibecode/openclaw
that referenced
this pull request
Mar 2, 2026
* Changelog: add LanceDB custom baseUrl + dimensions entry (openclaw#17874) * Changelog: add Ollama autodiscovery hardening entry (openclaw#29201) * Changelog: add Ollama context-window unification entry (openclaw#29205) * Changelog: add compaction audit injection removal entry (openclaw#28507) * Changelog: add browser url alias entry (openclaw#29260) * Changelog: add codex weekly usage label entry (openclaw#26267)
steipete
pushed a commit
to Sid-Qin/openclaw
that referenced
this pull request
Mar 2, 2026
…aw#28507) * fix: remove post-compaction audit injection (Layer 3) Remove the post-compaction read audit that injects fake system messages into conversations after context compaction. This audit: - Hardcodes WORKFLOW_AUTO.md (a file that doesn't exist in standard workspaces) as a required read after every compaction - Leaks raw regex syntax (memory\/\d{4}-\d{2}-\d{2}\.md) in user-facing warning messages - Injects messages via enqueueSystemEvent that appear as user-role messages, tricking agents into reading attacker-controlled files - Creates a persistent prompt injection vector (see openclaw#27697) Layer 1 (compaction summary) and Layer 2 (workspace context refresh from AGENTS.md via post-compaction-context.ts) remain intact and are sufficient for post-compaction context recovery. Deleted files: - src/auto-reply/reply/post-compaction-audit.ts - src/auto-reply/reply/post-compaction-audit.test.ts Modified files: - src/auto-reply/reply/agent-runner.ts (removed imports, audit map, flag setting, and Layer 3 audit block) Fixes openclaw#27697, fixes openclaw#26851, fixes openclaw#20484, fixes openclaw#22339, fixes openclaw#25600 Relates to openclaw#26461 * fix: resolve lint failures from post-compaction audit removal * Tests: add regression for removed post-compaction audit warnings --------- Co-authored-by: Wilfred (OpenClaw Agent) <jay@openclaw.dev> Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
steipete
pushed a commit
to Sid-Qin/openclaw
that referenced
this pull request
Mar 2, 2026
* Changelog: add LanceDB custom baseUrl + dimensions entry (openclaw#17874) * Changelog: add Ollama autodiscovery hardening entry (openclaw#29201) * Changelog: add Ollama context-window unification entry (openclaw#29205) * Changelog: add compaction audit injection removal entry (openclaw#28507) * Changelog: add browser url alias entry (openclaw#29260) * Changelog: add codex weekly usage label entry (openclaw#26267)
safzanpirani
pushed a commit
to safzanpirani/clawdbot
that referenced
this pull request
Mar 2, 2026
…aw#28507) * fix: remove post-compaction audit injection (Layer 3) Remove the post-compaction read audit that injects fake system messages into conversations after context compaction. This audit: - Hardcodes WORKFLOW_AUTO.md (a file that doesn't exist in standard workspaces) as a required read after every compaction - Leaks raw regex syntax (memory\/\d{4}-\d{2}-\d{2}\.md) in user-facing warning messages - Injects messages via enqueueSystemEvent that appear as user-role messages, tricking agents into reading attacker-controlled files - Creates a persistent prompt injection vector (see openclaw#27697) Layer 1 (compaction summary) and Layer 2 (workspace context refresh from AGENTS.md via post-compaction-context.ts) remain intact and are sufficient for post-compaction context recovery. Deleted files: - src/auto-reply/reply/post-compaction-audit.ts - src/auto-reply/reply/post-compaction-audit.test.ts Modified files: - src/auto-reply/reply/agent-runner.ts (removed imports, audit map, flag setting, and Layer 3 audit block) Fixes openclaw#27697, fixes openclaw#26851, fixes openclaw#20484, fixes openclaw#22339, fixes openclaw#25600 Relates to openclaw#26461 * fix: resolve lint failures from post-compaction audit removal * Tests: add regression for removed post-compaction audit warnings --------- Co-authored-by: Wilfred (OpenClaw Agent) <jay@openclaw.dev> Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
safzanpirani
pushed a commit
to safzanpirani/clawdbot
that referenced
this pull request
Mar 2, 2026
* Changelog: add LanceDB custom baseUrl + dimensions entry (openclaw#17874) * Changelog: add Ollama autodiscovery hardening entry (openclaw#29201) * Changelog: add Ollama context-window unification entry (openclaw#29205) * Changelog: add compaction audit injection removal entry (openclaw#28507) * Changelog: add browser url alias entry (openclaw#29260) * Changelog: add codex weekly usage label entry (openclaw#26267)
steipete
pushed a commit
to Sid-Qin/openclaw
that referenced
this pull request
Mar 2, 2026
…aw#28507) * fix: remove post-compaction audit injection (Layer 3) Remove the post-compaction read audit that injects fake system messages into conversations after context compaction. This audit: - Hardcodes WORKFLOW_AUTO.md (a file that doesn't exist in standard workspaces) as a required read after every compaction - Leaks raw regex syntax (memory\/\d{4}-\d{2}-\d{2}\.md) in user-facing warning messages - Injects messages via enqueueSystemEvent that appear as user-role messages, tricking agents into reading attacker-controlled files - Creates a persistent prompt injection vector (see openclaw#27697) Layer 1 (compaction summary) and Layer 2 (workspace context refresh from AGENTS.md via post-compaction-context.ts) remain intact and are sufficient for post-compaction context recovery. Deleted files: - src/auto-reply/reply/post-compaction-audit.ts - src/auto-reply/reply/post-compaction-audit.test.ts Modified files: - src/auto-reply/reply/agent-runner.ts (removed imports, audit map, flag setting, and Layer 3 audit block) Fixes openclaw#27697, fixes openclaw#26851, fixes openclaw#20484, fixes openclaw#22339, fixes openclaw#25600 Relates to openclaw#26461 * fix: resolve lint failures from post-compaction audit removal * Tests: add regression for removed post-compaction audit warnings --------- Co-authored-by: Wilfred (OpenClaw Agent) <jay@openclaw.dev> Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
steipete
pushed a commit
to Sid-Qin/openclaw
that referenced
this pull request
Mar 2, 2026
* Changelog: add LanceDB custom baseUrl + dimensions entry (openclaw#17874) * Changelog: add Ollama autodiscovery hardening entry (openclaw#29201) * Changelog: add Ollama context-window unification entry (openclaw#29205) * Changelog: add compaction audit injection removal entry (openclaw#28507) * Changelog: add browser url alias entry (openclaw#29260) * Changelog: add codex weekly usage label entry (openclaw#26267)
venjiang
pushed a commit
to venjiang/openclaw
that referenced
this pull request
Mar 2, 2026
…aw#28507) * fix: remove post-compaction audit injection (Layer 3) Remove the post-compaction read audit that injects fake system messages into conversations after context compaction. This audit: - Hardcodes WORKFLOW_AUTO.md (a file that doesn't exist in standard workspaces) as a required read after every compaction - Leaks raw regex syntax (memory\/\d{4}-\d{2}-\d{2}\.md) in user-facing warning messages - Injects messages via enqueueSystemEvent that appear as user-role messages, tricking agents into reading attacker-controlled files - Creates a persistent prompt injection vector (see openclaw#27697) Layer 1 (compaction summary) and Layer 2 (workspace context refresh from AGENTS.md via post-compaction-context.ts) remain intact and are sufficient for post-compaction context recovery. Deleted files: - src/auto-reply/reply/post-compaction-audit.ts - src/auto-reply/reply/post-compaction-audit.test.ts Modified files: - src/auto-reply/reply/agent-runner.ts (removed imports, audit map, flag setting, and Layer 3 audit block) Fixes openclaw#27697, fixes openclaw#26851, fixes openclaw#20484, fixes openclaw#22339, fixes openclaw#25600 Relates to openclaw#26461 * fix: resolve lint failures from post-compaction audit removal * Tests: add regression for removed post-compaction audit warnings --------- Co-authored-by: Wilfred (OpenClaw Agent) <jay@openclaw.dev> Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
venjiang
pushed a commit
to venjiang/openclaw
that referenced
this pull request
Mar 2, 2026
* Changelog: add LanceDB custom baseUrl + dimensions entry (openclaw#17874) * Changelog: add Ollama autodiscovery hardening entry (openclaw#29201) * Changelog: add Ollama context-window unification entry (openclaw#29205) * Changelog: add compaction audit injection removal entry (openclaw#28507) * Changelog: add browser url alias entry (openclaw#29260) * Changelog: add codex weekly usage label entry (openclaw#26267)
robertchang-ga
pushed a commit
to robertchang-ga/openclaw
that referenced
this pull request
Mar 2, 2026
…aw#28507) * fix: remove post-compaction audit injection (Layer 3) Remove the post-compaction read audit that injects fake system messages into conversations after context compaction. This audit: - Hardcodes WORKFLOW_AUTO.md (a file that doesn't exist in standard workspaces) as a required read after every compaction - Leaks raw regex syntax (memory\/\d{4}-\d{2}-\d{2}\.md) in user-facing warning messages - Injects messages via enqueueSystemEvent that appear as user-role messages, tricking agents into reading attacker-controlled files - Creates a persistent prompt injection vector (see openclaw#27697) Layer 1 (compaction summary) and Layer 2 (workspace context refresh from AGENTS.md via post-compaction-context.ts) remain intact and are sufficient for post-compaction context recovery. Deleted files: - src/auto-reply/reply/post-compaction-audit.ts - src/auto-reply/reply/post-compaction-audit.test.ts Modified files: - src/auto-reply/reply/agent-runner.ts (removed imports, audit map, flag setting, and Layer 3 audit block) Fixes openclaw#27697, fixes openclaw#26851, fixes openclaw#20484, fixes openclaw#22339, fixes openclaw#25600 Relates to openclaw#26461 * fix: resolve lint failures from post-compaction audit removal * Tests: add regression for removed post-compaction audit warnings --------- Co-authored-by: Wilfred (OpenClaw Agent) <jay@openclaw.dev> Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
robertchang-ga
pushed a commit
to robertchang-ga/openclaw
that referenced
this pull request
Mar 2, 2026
* Changelog: add LanceDB custom baseUrl + dimensions entry (openclaw#17874) * Changelog: add Ollama autodiscovery hardening entry (openclaw#29201) * Changelog: add Ollama context-window unification entry (openclaw#29205) * Changelog: add compaction audit injection removal entry (openclaw#28507) * Changelog: add browser url alias entry (openclaw#29260) * Changelog: add codex weekly usage label entry (openclaw#26267)
execute008
pushed a commit
to execute008/openclaw
that referenced
this pull request
Mar 2, 2026
…aw#28507) * fix: remove post-compaction audit injection (Layer 3) Remove the post-compaction read audit that injects fake system messages into conversations after context compaction. This audit: - Hardcodes WORKFLOW_AUTO.md (a file that doesn't exist in standard workspaces) as a required read after every compaction - Leaks raw regex syntax (memory\/\d{4}-\d{2}-\d{2}\.md) in user-facing warning messages - Injects messages via enqueueSystemEvent that appear as user-role messages, tricking agents into reading attacker-controlled files - Creates a persistent prompt injection vector (see openclaw#27697) Layer 1 (compaction summary) and Layer 2 (workspace context refresh from AGENTS.md via post-compaction-context.ts) remain intact and are sufficient for post-compaction context recovery. Deleted files: - src/auto-reply/reply/post-compaction-audit.ts - src/auto-reply/reply/post-compaction-audit.test.ts Modified files: - src/auto-reply/reply/agent-runner.ts (removed imports, audit map, flag setting, and Layer 3 audit block) Fixes openclaw#27697, fixes openclaw#26851, fixes openclaw#20484, fixes openclaw#22339, fixes openclaw#25600 Relates to openclaw#26461 * fix: resolve lint failures from post-compaction audit removal * Tests: add regression for removed post-compaction audit warnings --------- Co-authored-by: Wilfred (OpenClaw Agent) <jay@openclaw.dev> Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
execute008
pushed a commit
to execute008/openclaw
that referenced
this pull request
Mar 2, 2026
* Changelog: add LanceDB custom baseUrl + dimensions entry (openclaw#17874) * Changelog: add Ollama autodiscovery hardening entry (openclaw#29201) * Changelog: add Ollama context-window unification entry (openclaw#29205) * Changelog: add compaction audit injection removal entry (openclaw#28507) * Changelog: add browser url alias entry (openclaw#29260) * Changelog: add codex weekly usage label entry (openclaw#26267)
6 tasks
hughdidit
pushed a commit
to hughdidit/DAISy-Agency
that referenced
this pull request
Mar 3, 2026
…aw#28507) * fix: remove post-compaction audit injection (Layer 3) Remove the post-compaction read audit that injects fake system messages into conversations after context compaction. This audit: - Hardcodes WORKFLOW_AUTO.md (a file that doesn't exist in standard workspaces) as a required read after every compaction - Leaks raw regex syntax (memory\/\d{4}-\d{2}-\d{2}\.md) in user-facing warning messages - Injects messages via enqueueSystemEvent that appear as user-role messages, tricking agents into reading attacker-controlled files - Creates a persistent prompt injection vector (see openclaw#27697) Layer 1 (compaction summary) and Layer 2 (workspace context refresh from AGENTS.md via post-compaction-context.ts) remain intact and are sufficient for post-compaction context recovery. Deleted files: - src/auto-reply/reply/post-compaction-audit.ts - src/auto-reply/reply/post-compaction-audit.test.ts Modified files: - src/auto-reply/reply/agent-runner.ts (removed imports, audit map, flag setting, and Layer 3 audit block) Fixes openclaw#27697, fixes openclaw#26851, fixes openclaw#20484, fixes openclaw#22339, fixes openclaw#25600 Relates to openclaw#26461 * fix: resolve lint failures from post-compaction audit removal * Tests: add regression for removed post-compaction audit warnings --------- Co-authored-by: Wilfred (OpenClaw Agent) <jay@openclaw.dev> Co-authored-by: Vincent Koc <vincentkoc@ieee.org> (cherry picked from commit 70a4f25) # Conflicts: # src/auto-reply/reply/agent-runner.misc.runreplyagent.test.ts # src/auto-reply/reply/agent-runner.ts
hughdidit
pushed a commit
to hughdidit/DAISy-Agency
that referenced
this pull request
Mar 3, 2026
* Changelog: add LanceDB custom baseUrl + dimensions entry (openclaw#17874) * Changelog: add Ollama autodiscovery hardening entry (openclaw#29201) * Changelog: add Ollama context-window unification entry (openclaw#29205) * Changelog: add compaction audit injection removal entry (openclaw#28507) * Changelog: add browser url alias entry (openclaw#29260) * Changelog: add codex weekly usage label entry (openclaw#26267) (cherry picked from commit 8090cb4) # Conflicts: # CHANGELOG.md
dorgonman
pushed a commit
to kanohorizonia/openclaw
that referenced
this pull request
Mar 3, 2026
…aw#28507) * fix: remove post-compaction audit injection (Layer 3) Remove the post-compaction read audit that injects fake system messages into conversations after context compaction. This audit: - Hardcodes WORKFLOW_AUTO.md (a file that doesn't exist in standard workspaces) as a required read after every compaction - Leaks raw regex syntax (memory\/\d{4}-\d{2}-\d{2}\.md) in user-facing warning messages - Injects messages via enqueueSystemEvent that appear as user-role messages, tricking agents into reading attacker-controlled files - Creates a persistent prompt injection vector (see openclaw#27697) Layer 1 (compaction summary) and Layer 2 (workspace context refresh from AGENTS.md via post-compaction-context.ts) remain intact and are sufficient for post-compaction context recovery. Deleted files: - src/auto-reply/reply/post-compaction-audit.ts - src/auto-reply/reply/post-compaction-audit.test.ts Modified files: - src/auto-reply/reply/agent-runner.ts (removed imports, audit map, flag setting, and Layer 3 audit block) Fixes openclaw#27697, fixes openclaw#26851, fixes openclaw#20484, fixes openclaw#22339, fixes openclaw#25600 Relates to openclaw#26461 * fix: resolve lint failures from post-compaction audit removal * Tests: add regression for removed post-compaction audit warnings --------- Co-authored-by: Wilfred (OpenClaw Agent) <jay@openclaw.dev> Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
dorgonman
pushed a commit
to kanohorizonia/openclaw
that referenced
this pull request
Mar 3, 2026
* Changelog: add LanceDB custom baseUrl + dimensions entry (openclaw#17874) * Changelog: add Ollama autodiscovery hardening entry (openclaw#29201) * Changelog: add Ollama context-window unification entry (openclaw#29205) * Changelog: add compaction audit injection removal entry (openclaw#28507) * Changelog: add browser url alias entry (openclaw#29260) * Changelog: add codex weekly usage label entry (openclaw#26267)
3 tasks
This was referenced Mar 4, 2026
sachinkundu
pushed a commit
to sachinkundu/openclaw
that referenced
this pull request
Mar 6, 2026
…aw#28507) * fix: remove post-compaction audit injection (Layer 3) Remove the post-compaction read audit that injects fake system messages into conversations after context compaction. This audit: - Hardcodes WORKFLOW_AUTO.md (a file that doesn't exist in standard workspaces) as a required read after every compaction - Leaks raw regex syntax (memory\/\d{4}-\d{2}-\d{2}\.md) in user-facing warning messages - Injects messages via enqueueSystemEvent that appear as user-role messages, tricking agents into reading attacker-controlled files - Creates a persistent prompt injection vector (see openclaw#27697) Layer 1 (compaction summary) and Layer 2 (workspace context refresh from AGENTS.md via post-compaction-context.ts) remain intact and are sufficient for post-compaction context recovery. Deleted files: - src/auto-reply/reply/post-compaction-audit.ts - src/auto-reply/reply/post-compaction-audit.test.ts Modified files: - src/auto-reply/reply/agent-runner.ts (removed imports, audit map, flag setting, and Layer 3 audit block) Fixes openclaw#27697, fixes openclaw#26851, fixes openclaw#20484, fixes openclaw#22339, fixes openclaw#25600 Relates to openclaw#26461 * fix: resolve lint failures from post-compaction audit removal * Tests: add regression for removed post-compaction audit warnings --------- Co-authored-by: Wilfred (OpenClaw Agent) <jay@openclaw.dev> Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
sachinkundu
pushed a commit
to sachinkundu/openclaw
that referenced
this pull request
Mar 6, 2026
* Changelog: add LanceDB custom baseUrl + dimensions entry (openclaw#17874) * Changelog: add Ollama autodiscovery hardening entry (openclaw#29201) * Changelog: add Ollama context-window unification entry (openclaw#29205) * Changelog: add compaction audit injection removal entry (openclaw#28507) * Changelog: add browser url alias entry (openclaw#29260) * Changelog: add codex weekly usage label entry (openclaw#26267)
zooqueen
pushed a commit
to hanzoai/bot
that referenced
this pull request
Mar 6, 2026
…aw#28507) * fix: remove post-compaction audit injection (Layer 3) Remove the post-compaction read audit that injects fake system messages into conversations after context compaction. This audit: - Hardcodes WORKFLOW_AUTO.md (a file that doesn't exist in standard workspaces) as a required read after every compaction - Leaks raw regex syntax (memory\/\d{4}-\d{2}-\d{2}\.md) in user-facing warning messages - Injects messages via enqueueSystemEvent that appear as user-role messages, tricking agents into reading attacker-controlled files - Creates a persistent prompt injection vector (see openclaw#27697) Layer 1 (compaction summary) and Layer 2 (workspace context refresh from AGENTS.md via post-compaction-context.ts) remain intact and are sufficient for post-compaction context recovery. Deleted files: - src/auto-reply/reply/post-compaction-audit.ts - src/auto-reply/reply/post-compaction-audit.test.ts Modified files: - src/auto-reply/reply/agent-runner.ts (removed imports, audit map, flag setting, and Layer 3 audit block) Fixes openclaw#27697, fixes openclaw#26851, fixes openclaw#20484, fixes openclaw#22339, fixes openclaw#25600 Relates to openclaw#26461 * fix: resolve lint failures from post-compaction audit removal * Tests: add regression for removed post-compaction audit warnings --------- Co-authored-by: Wilfred (OpenClaw Agent) <jay@openclaw.dev> Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
zooqueen
pushed a commit
to hanzoai/bot
that referenced
this pull request
Mar 6, 2026
* Changelog: add LanceDB custom baseUrl + dimensions entry (openclaw#17874) * Changelog: add Ollama autodiscovery hardening entry (openclaw#29201) * Changelog: add Ollama context-window unification entry (openclaw#29205) * Changelog: add compaction audit injection removal entry (openclaw#28507) * Changelog: add browser url alias entry (openclaw#29260) * Changelog: add codex weekly usage label entry (openclaw#26267)
thebtf
pushed a commit
to thebtf/openclaw
that referenced
this pull request
Mar 6, 2026
- Remove duplicate imports (pi-tools.ts, pi-tools.before-tool-call.ts, get-reply-run.ts, cron/run.ts, bot-message-dispatch.ts) - Remove duplicate killProcessTree block in commands-session-abort.ts - Add missing type fields to AgentCompactionConfig and AgentDefaultsConfig - Update renamed upstream fields (allowTransientCooldownProbe, timeoutSeconds) - Remove dead post-compaction audit code (upstream removed in openclaw#28507) - Remove duplicate stickerId in auto-reply types - Fix delivery.ts type error and resolveMedia signature - Update test assertions to match upstream pattern label changes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Remove the post-compaction read audit (Layer 3) that injects fake system messages into conversations after context compaction. This is a security fix.
The Problem
After every context compaction,
post-compaction-audit.tschecks whether the agent read specific hardcoded files and, if not, injects a user-role message viaenqueueSystemEvent:This is problematic because:
WORKFLOW_AUTO.mddoesn't exist in standard workspaces — it's a hardcoded reference to a file from a previous version that was never documented or shippedmemory\/\d{4}-\d{2}-\d{2}\.md) in user-facing textWhat's Removed
src/auto-reply/reply/post-compaction-audit.ts— the audit logic, hardcoded file list, and warning formattersrc/auto-reply/reply/post-compaction-audit.test.ts— associated testsagent-runner.ts: imports,pendingPostCompactionAuditsmap, flag setting, and the Layer 3 audit execution blockWhat's Preserved
post-compaction-context.ts) — workspace context refresh from AGENTS.md sections, still injected as a system event after compaction. This is the legitimate mechanism for post-compaction recovery.compaction-safeguard.ts) — importsextractSectionsfrompost-compaction-context.tsonly, unaffectedFixes
Fixes #27697 — [Security] post-compaction-audit.ts hardcodes WORKFLOW_AUTO.md — viable attack vector for persistent prompt injection
mRelates to #26851 — Prompt injection via fake system message during context compaction
mRelates to #20484 — Post-compaction audit warning triggers prompt injection detection by AI agent
mRelates to #22339 — RegExp .source leaks raw regex syntax in audit warning
mRelates to #25600 — Post-compaction audit requires reading WORKFLOW_AUTO.md even when the file does not exist
Relates to #26461 — Gateway Chat UI displays system-injected messages as "You"