fix(imessage): prevent echo loop from leaking internal metadata and amplifying NO_REPLY into queue overflow

[joelnishanth]

Summary

Fixes a severe iMessage delivery bug where assistant internal metadata and control outputs were being echoed back as inbound user messages, creating recursive message amplification and queue overflow (#33281).

• Outbound sanitization at channel boundary: strips thinking/reasoning tags, relevant-memories tags, model-specific separators (+#+#), and assistant role markers before iMessage delivery — internal metadata never reaches the user channel
• Inbound reflection guard: detects and drops inbound messages containing assistant-internal markers, preventing reflected outbound content from re-entering the agent pipeline
• Echo cache hardening: increases text TTL from 5s to 30s so delayed reflections are reliably caught
• Loop rate limiter: per-conversation rapid-fire detection (5 messages/60s threshold) that suppresses amplification cascades as a safety net
• Telemetry: all reflection detections and rate-limit hits produce verbose log entries with specific marker labels

Changes

File	What
src/imessage/monitor/sanitize-outbound.ts	New — strips <thinking>, <thought>, <final>, <relevant_memories> tags, +#+# separators, and assistant to=… role markers from outbound text
src/imessage/monitor/reflection-guard.ts	New — detects assistant-internal markers in inbound text and returns matched labels for telemetry
src/imessage/monitor/loop-rate-limiter.ts	New — per-conversation sliding-window rate limiter
src/imessage/monitor/deliver.ts	Applies sanitizeOutboundText before iMessage transport
src/imessage/monitor/inbound-processing.ts	Adds reflection guard check after echo cache, drops reflected content
src/imessage/monitor/monitor-provider.ts	Wires loop rate limiter into dispatch path
src/imessage/monitor/echo-cache.ts	Increases text TTL from 5s → 30s

Test plan

• 26 new unit tests covering sanitize-outbound, reflection-guard, and loop-rate-limiter
• All 73 existing iMessage tests pass (including updated echo-cache TTL test)
• Lint and format clean (pnpm check)

Risks and Mitigations

• Echo cache TTL increase (5s → 30s): slightly higher memory for the text cache, but entries are scoped per conversation and cleaned up on access — negligible in practice
• Reflection guard false positives: patterns are specific to assistant-internal markers (thinking tags, +#+# separators, role markers) that would not appear in normal user messages. The guard runs after is_from_me and echo cache checks, so it only fires on messages that already passed those filters
• Rate limiter: threshold of 5 messages/60s per conversation is generous for normal use; only triggers during genuine amplification cascades

Closes #33281

— Joel Nishanth · offlyn.AI

Made with Cursor

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1887b199ac

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[greptile-apps]

Greptile Summary

This PR addresses a real and well-understood iMessage echo-loop bug (#33281) by adding four complementary defences: outbound sanitization of internal metadata, an inbound reflection guard, an extended echo-cache TTL, and a per-conversation sliding-window rate limiter. The overall architecture is sound and the layered approach is a good fit for a messaging channel where timing-dependent reflections can slip past any single guard.

Verified concerns:

• Overly broad reflection-guard patterns (reflection-guard.ts, lines 9–11): The FINAL_TAG_RE and THINKING_TAG_RE patterns do not require a closing >, so they will match partial tokens like <final answer> or <thought experiment> in ordinary user messages and silently drop them. The sanitizer in reasoning-tags.ts uses stricter patterns with [^<>]*> suffix for the same tags — the reflection guard should match that specificity to avoid false-positive message drops.

• Rate limiter records all dispatched messages, not just anomalous traffic (monitor-provider.ts, lines 265–275): Users who send multiple legitimate messages in quick succession (common in iMessage) will be silently blocked once they exceed the 5-message / 60-second threshold, with no user feedback. The rate limiter should either be reserved for detecting already-confirmed echo/reflection patterns, or should notify the user rather than silently dropping messages.

Confidence Score: 2/5

• The PR implements a real echo-loop fix with sound architecture, but two verified issues could cause user-impacting silent failures: false-positive reflection detection that drops legitimate messages, and rate limiting that silently drops normal rapid-fire messages with no feedback.
• Functional fix for a real bug, but the reflection guard's broad regex patterns will false-positive on innocent user messages containing phrases like <final answer> or <thought experiment>, silently dropping them. Additionally, the rate limiter applies to all conversation traffic with a 5-message / 60-second window, meaning users sending rapid back-and-forth iMessages will be silently blocked on the 6th message with no acknowledgment. These two issues should be resolved before merge — the reflection guard patterns must be tightened to require closing brackets (matching reasoning-tags.ts), and the rate limiter should either be reserved for confirmed echo/reflection patterns or provide user feedback.
• src/imessage/monitor/reflection-guard.ts (overly broad FINAL_TAG_RE / THINKING_TAG_RE patterns) and src/imessage/monitor/monitor-provider.ts (rate-limiter applies to all dispatched messages, not just anomalous traffic)

_{Last reviewed commit: 1887b19}

[greptile-apps]

_{11 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 74a242d31f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[vincentkoc]

Keeping this as the canonical PR for the metadata-leak and NO_REPLY amplification incident.

This is related to the wider echo family, but it stays separate from the self-chat and camelCase branches because the root cause here is reflected assistant-internal output re-entering inbound processing and snowballing into a flood. The sanitization and reflection-guard work belongs on this track.

From the current cluster pass, this is the cleanest merge candidate in the set.

[vincentkoc]

Rebased this PR onto current main and pushed the updated branch.

What changed in this pass:

• added the missing 2026.3.3 changelog entry for the iMessage echo-loop hardening work, with contributor credit
• reran local verification on top of the rebased branch

Local verification completed:

• pnpm check
• pnpm exec vitest run src/imessage/monitor/sanitize-outbound.test.ts src/imessage/monitor/reflection-guard.test.ts src/imessage/monitor/loop-rate-limiter.test.ts src/imessage/monitor/monitor-provider.echo-cache.test.ts src/imessage/monitor/inbound-processing.test.ts

The earlier automated review concerns are already addressed in the branch, so the remaining step is just letting GitHub CI re-run on the rebased head.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: acb3b21458

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[vincentkoc]

Follow-up pushed for the two remaining review points:

• Restored the short text fallback TTL in src/imessage/monitor/echo-cache.ts and kept the longer message-id TTL as the delayed-reflection backstop.
• Updated src/imessage/monitor/reflection-guard.ts to ignore reflection markers that only appear inside inline or fenced code, with regression coverage for both cases.

Local verification:

• pnpm exec vitest run src/imessage/monitor/monitor-provider.echo-cache.test.ts src/imessage/monitor/reflection-guard.test.ts src/imessage/monitor/sanitize-outbound.test.ts src/imessage/monitor/loop-rate-limiter.test.ts src/imessage/monitor/inbound-processing.test.ts
• pnpm check

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e89e1c34b2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Limit role-turn stripping to trailing scaffold artifacts

The global ROLE_TURN_MARKER_RE cleanup removes any line that ends with user:, system:, or assistant:, which means legitimate outbound content (for example YAML/chat-transcript snippets, including code-fenced examples) is silently deleted before sending. This introduces user-visible content corruption in normal iMessage conversations; the stripping should be constrained to actual leaked trailer scaffolding (or skip code regions) instead of applying to every line.

Useful? React with 👍 / 👎.