fix: strip leaked model control tokens from user-facing text

[odysseus0]

Summary

Rework of #40573 by @imwyvern — same fix, different architecture.

Models like GLM-5 and DeepSeek sometimes emit internal delimiter tokens (e.g. <|assistant|>, <|tool_call_result_begin|>, <｜begin▁of▁sentence｜>) in their responses. This is a provider bug (#40020).

What changed vs #40573:

• Generic pattern (<[|｜]...[|｜]>) instead of a brittle allowlist — all <|...|> tokens are internal control tokens by convention, no legitimate user text uses this format
• Right architectural layer — stripModelSpecialTokens() in pi-embedded-utils.ts next to stripMinimaxToolCallXml(), following the same provider-bug-defense pattern
• Both call sites covered — extractAssistantText (embedded output) and sanitizeTextContent (session replay)
• No changes to errors.ts — original PR's changes there reverted (wrong layer, would affect error messages)

Changes

• src/agents/pi-embedded-utils.ts — new stripModelSpecialTokens(), wired into extractAssistantText sanitization chain
• src/agents/tools/sessions-helpers.ts — same function wired into sanitizeTextContent
• src/agents/pi-embedded-utils.strip-model-special-tokens.test.ts — 4 focused tests (core stripping, full-width variant, HTML false-positive guard, passthrough)

Closes #40020
Supersedes #40573

Co-authored-by: imwyvern 100903837+imwyvern@users.noreply.github.com

Test plan

• vitest run pi-embedded-utils.strip-model-special-tokens — 4/4 pass
• Full suite: 881/882 (pre-existing unrelated failure)
• Build passes, linter passes

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8d5b542ee6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Restrict token matcher to avoid removing legitimate <|...|> text

The new MODEL_SPECIAL_TOKEN_RE is broad enough to treat any <|...|> span as a control token, so normal assistant output that contains language syntax or examples using <| and |> (for example f <| x |> g) will be stripped and corrupted before display/replay via extractAssistantText and sanitizeTextContent. Because this sanitizer now runs on all user-facing assistant/tool text, the current pattern can delete real content that is not a provider control token.

Useful? React with 👍 / 👎.

[greptile-apps]

Greptile Summary

This PR adds stripModelSpecialTokens() to sanitize control tokens (e.g. <|assistant|>, <｜begin▁of▁sentence｜>) leaked by GLM-5 and DeepSeek models before they reach end users. The fix is placed at the correct architectural layer alongside stripMinimaxToolCallXml() and is wired into both extractAssistantText (embedded output) and sanitizeTextContent (session replay).

• The regex /<[|｜][^|｜]*[|｜]>/g correctly handles both ASCII and full-width pipe variants and avoids false-positives on plain HTML tags.
• The g-flagged module-level constant is handled correctly (explicit lastIndex = 0 reset after a successful test()), but the pattern is a JavaScript footgun — splitting into a non-global test regex and a separate global replace regex would make the intent clearer and eliminate the manual reset.
• Tests cover the main cases: ASCII tokens, full-width tokens, HTML passthrough, and clean passthrough. The trim behaviour on token-containing strings is implicitly covered.

Confidence Score: 4/5

• Safe to merge — the logic is correct and the fix is well-scoped; only a minor stylistic concern about the stateful global regex constant.
• The implementation correctly handles the lastIndex state of the global regex (explicit reset after a successful test(), automatic reset after a failed one), the sanitization pipeline ordering is sound, and the HTML false-positive guard in the regex is verified by tests. The one deduction is for the fragile module-level stateful regex pattern that could silently break if a future contributor adds another test()/exec() call without the corresponding reset.
• src/agents/pi-embedded-utils.ts — specifically lines 49–59 where the module-level global regex and its lastIndex reset live.

_{Last reviewed commit: 8d5b542}

[greptile-apps]

Stateful global regex on module-level constant

The g flag makes MODEL_SPECIAL_TOKEN_RE stateful via lastIndex. The current code handles this correctly — when test() returns true, lastIndex is explicitly reset to 0 before calling replace(); when test() returns false, JavaScript automatically resets lastIndex to 0. So there is no bug here.

However, this pattern is a well-known JavaScript footgun. If a future change adds another test() / exec() call against this constant without a corresponding lastIndex reset, it will silently skip matches for every other call on the same string. Consider making the intent explicit with a comment, or avoid the footgun entirely by splitting into a non-global test regex and a local regex literal in replace():

Suggested change

	const MODEL_SPECIAL_TOKEN_RE = /<[|｜][^|｜]*[|｜]>/g;
	export function stripModelSpecialTokens(text: string): string {
	if (!text) {
	return text;
	}
	if (!MODEL_SPECIAL_TOKEN_RE.test(text)) {
	return text;
	}
	MODEL_SPECIAL_TOKEN_RE.lastIndex = 0;
	return text.replace(MODEL_SPECIAL_TOKEN_RE, " ").replace(/ +/g, " ").trim();
	// Match both ASCII pipe <|...|> and full-width pipe <｜...｜> (U+FF5C) variants.
	// Note: no /g flag here — used only for the fast-path existence check (stateless).
	const MODEL_SPECIAL_TOKEN_RE_TEST = /<[|｜][^|｜]*[|｜]>/;
	// Separate global regex for replace(); defined here to avoid recompiling on every call.
	const MODEL_SPECIAL_TOKEN_RE = /<[|｜][^|｜]*[|｜]>/g;
	export function stripModelSpecialTokens(text: string): string {
	if (!text) {
	return text;
	}
	if (!MODEL_SPECIAL_TOKEN_RE_TEST.test(text)) {
	return text;
	}
	return text.replace(MODEL_SPECIAL_TOKEN_RE, " ").replace(/ +/g, " ").trim();
	}

This removes the need for the manual lastIndex = 0 reset and makes the two distinct usages self-documenting.

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/agents/pi-embedded-utils.ts
Line: 49-59

Comment:
**Stateful global regex on module-level constant**

The `g` flag makes `MODEL_SPECIAL_TOKEN_RE` stateful via `lastIndex`. The current code handles this correctly — when `test()` returns `true`, `lastIndex` is explicitly reset to `0` before calling `replace()`; when `test()` returns `false`, JavaScript automatically resets `lastIndex` to `0`. So there is no bug here.

However, this pattern is a well-known JavaScript footgun. If a future change adds another `test()` / `exec()` call against this constant without a corresponding `lastIndex` reset, it will silently skip matches for every other call on the same string. Consider making the intent explicit with a comment, or avoid the footgun entirely by splitting into a non-global test regex and a local regex literal in `replace()`:

```suggestion
// Match both ASCII pipe <|...|> and full-width pipe <｜...｜> (U+FF5C) variants.
// Note: no /g flag here — used only for the fast-path existence check (stateless).
const MODEL_SPECIAL_TOKEN_RE_TEST = /<[|｜][^|｜]*[|｜]>/;
// Separate global regex for replace(); defined here to avoid recompiling on every call.
const MODEL_SPECIAL_TOKEN_RE = /<[|｜][^|｜]*[|｜]>/g;

export function stripModelSpecialTokens(text: string): string {
  if (!text) {
    return text;
  }
  if (!MODEL_SPECIAL_TOKEN_RE_TEST.test(text)) {
    return text;
  }
  return text.replace(MODEL_SPECIAL_TOKEN_RE, " ").replace(/  +/g, " ").trim();
}
```

This removes the need for the manual `lastIndex = 0` reset and makes the two distinct usages self-documenting.

How can I resolve this? If you propose a fix, please make it concise.

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}