fix(auto-reply): strip leading NO_REPLY tokens to prevent silent-reply leak

[frankekn]

Summary

• Problem: When a model generates NO_REPLYThe user is saying... (NO_REPLY immediately followed by text, no separator), the silent reply detection fails and sends the entire output including the NO_REPLY token as visible messages to end users.
• Why it matters: Models using openai-completions API (e.g. fireworks/kimi) can emit NO_REPLY glued to text without whitespace separation. This causes the token to leak into user-visible messages.
• What changed: Added stripLeadingSilentToken and startsWithSilentToken functions to src/auto-reply/tokens.ts. Applied leading-strip in normalize-reply.ts alongside existing trailing-strip. Added leading-token detection and stripping in the streaming accumulator in attempt-execution.ts.
• What did NOT change (scope boundary): No changes to trailing strip logic, exact-match detection, prefix detection, or any other existing silent-reply behavior.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related NO_REPLY leaked in messages when appended to real content #30916, Strip NO_REPLY token from mixed-content messages #30955
• This PR fixes a bug or regression

Root Cause (if applicable)

• Root cause: isSilentReplyText uses exact-match regex (^\s*NO_REPLY\s*$) and isSilentReplyPrefixText requires all-uppercase text. When a model emits NO_REPLYThe user is saying... as a single token/chunk, neither check matches, so the token passes through as visible text.
• Missing detection / guardrail: No leading-token strip existed (only trailing via stripSilentToken). The streaming accumulator had no path for stripping a leading token glued to visible content.
• Contributing context (if known): Models using openai-completions API (fireworks, kimi) can concatenate thinking output with text output without whitespace separation.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/auto-reply/tokens.test.ts, src/auto-reply/reply/reply-utils.test.ts
• Scenario the test should lock in: stripLeadingSilentToken("NO_REPLYThe user is saying") returns "The user is saying"; startsWithSilentToken("NO_REPLYfoo") returns true.
• Why this is the smallest reliable guardrail: the token stripping functions are pure and testable in isolation.
• Existing test that already covers this (if any): None for the leading-token case.
• If no new test is added, why not: This PR focuses on the minimal runtime fix. Unit tests for the new functions can be added as follow-up.

User-visible / Behavior Changes

Messages containing a leading NO_REPLY token glued to text (e.g. NO_REPLYThe user is saying...) now correctly strip the token and either suppress the message (if nothing remains) or deliver only the visible portion.

Diagram (if applicable)

Before:
[model emits "NO_REPLYThe user is saying..."] -> [no match on exact/prefix check] -> [entire string sent as visible message]

After:
[model emits "NO_REPLYThe user is saying..."] -> [startsWithSilentToken matches] -> [stripLeadingSilentToken] -> ["The user is saying..." delivered]

Security Impact (required)

• New permissions/capabilities? No
• Secrets/tokens handling changed? No
• New/changed network calls? No
• Command/tool execution surface changed? No
• Data access scope changed? No

Repro + Verification

Environment

• OS: Linux
• Runtime/container: Node 22+ / pnpm
• Model/provider: Any model using openai-completions API (fireworks, kimi)
• Integration/channel (if any): Any messaging channel
• Relevant config (redacted): N/A

Steps

1. Configure a model that uses openai-completions API
2. Trigger a scenario where the model decides not to reply
3. Observe the model emitting NO_REPLY concatenated with reasoning text

Expected

• The NO_REPLY token is stripped and the message is either suppressed or only the visible portion is delivered

Actual

• Before this fix: the entire string including NO_REPLY is sent as a visible message

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

• Verified scenarios: pnpm build passes; pnpm check passes (via pre-commit hook)
• Edge cases checked: multiple leading NO_REPLY tokens, NO_REPLY with whitespace before text, NO_REPLY as exact match (existing behavior preserved)
• What you did not verify: full test suite; live model testing with fireworks/kimi

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? Yes
• Config/env changes? No
• Migration needed? No

Risks and Mitigations

• Risk: the leading-strip regex could match a legitimate message that starts with the exact token text followed by content.
  • Mitigation: the regex is case-insensitive but requires the exact token string. NO_REPLY is not a natural language prefix, so false positives are extremely unlikely. The existing trailing-strip uses the same approach.

[greptile-apps]

Greptile Summary

Fixes a silent-reply token leak where models (fireworks, kimi via openai-completions API) emit NO_REPLYVisible text as a single chunk with no separator, bypassing the existing exact-match and prefix-match guards. The fix adds stripLeadingSilentToken/startsWithSilentToken helpers and applies leading-strip in both the streaming accumulator (attempt-execution.ts) and the final normalization pass (normalize-reply.ts). The scope is intentionally narrow and does not touch existing trailing-strip or exact-match logic.

Confidence Score: 5/5

Safe to merge — the fix is narrowly scoped, the core logic is correct, and all remaining findings are non-blocking P2 style suggestions.

No P0 or P1 issues found. The new leading-strip functions are logically correct, the streaming accumulator branch is correctly ordered after existing guards, and the normalize-reply ordering (leading then trailing) handles all documented edge cases. Two P2 observations: a case-sensitivity inconsistency between startsWithSilentToken and getSilentLeadingRegex, and a minor efficiency opportunity in normalize-reply.ts. Neither blocks merge.

No files require special attention.

Vulnerabilities

No security concerns identified. The change strips a known control token (NO_REPLY) from model output before it reaches users; this reduces information leakage rather than introducing any new attack surface.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: src/auto-reply/tokens.ts
Line: 116-124

Comment:
**Case-sensitivity inconsistency with sibling functions**

`startsWithSilentToken` uses a case-sensitive `String.prototype.startsWith`, while `getSilentLeadingRegex` (called by `stripLeadingSilentToken`) uses the `"i"` flag. The existing detection helpers (`isSilentReplyText`, `isSilentReplyPrefixText`) are also case-insensitive. This means `startsWithSilentToken("no_replyFoo")` returns `false`, but `stripLeadingSilentToken("no_replyFoo")` would return `"Foo"` — the two sibling functions disagree on what counts as a leading token. Since the streaming call site and `normalize-reply.ts` both gate on case-sensitive checks (`includes`, `startsWith`) before reaching these helpers, this is benign in practice today, but it is a latent trap for future callers who expect the same case rules across all token helpers.

Consider using the cached regex instead:

```suggestion
export function startsWithSilentToken(
  text: string | undefined,
  token: string = SILENT_REPLY_TOKEN,
): boolean {
  if (!text) {
    return false;
  }
  return getSilentLeadingRegex(token).test(text);
}
```

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: src/auto-reply/reply/normalize-reply.ts
Line: 66-68

Comment:
**Both strip passes run even when no leading token is present**

`stripLeadingSilentToken` is now always called whenever `text.includes(silentToken)` is true, even for the common case of trailing-only tokens (e.g. `"Great! NO_REPLY"`). The extra call is a no-op when there is no leading token, but running two regex replacements unconditionally is slightly wasteful. Guarding with `startsWithSilentToken` before the leading strip keeps the hot path efficient and makes intent explicit.

```suggestion
  if (text && text.includes(silentToken) && !isSilentReplyText(text, silentToken)) {
    if (startsWithSilentToken(text, silentToken)) {
      text = stripLeadingSilentToken(text, silentToken);
    }
    text = stripSilentToken(text, silentToken);
```

(Note: `startsWithSilentToken` will need to be added to the import from `../tokens.js`.)

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "fix(auto-reply): strip leading NO_REPLY ..." | Re-trigger Greptile}

[greptile-apps]

Case-sensitivity inconsistency with sibling functions

startsWithSilentToken uses a case-sensitive String.prototype.startsWith, while getSilentLeadingRegex (called by stripLeadingSilentToken) uses the "i" flag. The existing detection helpers (isSilentReplyText, isSilentReplyPrefixText) are also case-insensitive. This means startsWithSilentToken("no_replyFoo") returns false, but stripLeadingSilentToken("no_replyFoo") would return "Foo" — the two sibling functions disagree on what counts as a leading token. Since the streaming call site and normalize-reply.ts both gate on case-sensitive checks (includes, startsWith) before reaching these helpers, this is benign in practice today, but it is a latent trap for future callers who expect the same case rules across all token helpers.

Consider using the cached regex instead:

Suggested change

	export function startsWithSilentToken(
	text: string | undefined,
	token: string = SILENT_REPLY_TOKEN,
	): boolean {
	if (!text) {
	return false;
	}
	return text.trimStart().startsWith(token);
	}
	export function startsWithSilentToken(
	text: string | undefined,
	token: string = SILENT_REPLY_TOKEN,
	): boolean {
	if (!text) {
	return false;
	}
	return getSilentLeadingRegex(token).test(text);
	}

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/auto-reply/tokens.ts
Line: 116-124

Comment:
**Case-sensitivity inconsistency with sibling functions**

`startsWithSilentToken` uses a case-sensitive `String.prototype.startsWith`, while `getSilentLeadingRegex` (called by `stripLeadingSilentToken`) uses the `"i"` flag. The existing detection helpers (`isSilentReplyText`, `isSilentReplyPrefixText`) are also case-insensitive. This means `startsWithSilentToken("no_replyFoo")` returns `false`, but `stripLeadingSilentToken("no_replyFoo")` would return `"Foo"` — the two sibling functions disagree on what counts as a leading token. Since the streaming call site and `normalize-reply.ts` both gate on case-sensitive checks (`includes`, `startsWith`) before reaching these helpers, this is benign in practice today, but it is a latent trap for future callers who expect the same case rules across all token helpers.

Consider using the cached regex instead:

```suggestion
export function startsWithSilentToken(
  text: string | undefined,
  token: string = SILENT_REPLY_TOKEN,
): boolean {
  if (!text) {
    return false;
  }
  return getSilentLeadingRegex(token).test(text);
}
```

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

Both strip passes run even when no leading token is present

stripLeadingSilentToken is now always called whenever text.includes(silentToken) is true, even for the common case of trailing-only tokens (e.g. "Great! NO_REPLY"). The extra call is a no-op when there is no leading token, but running two regex replacements unconditionally is slightly wasteful. Guarding with startsWithSilentToken before the leading strip keeps the hot path efficient and makes intent explicit.

Suggested change

	if (text && text.includes(silentToken) && !isSilentReplyText(text, silentToken)) {
	text = stripLeadingSilentToken(text, silentToken);
	text = stripSilentToken(text, silentToken);
	if (text && text.includes(silentToken) && !isSilentReplyText(text, silentToken)) {
	if (startsWithSilentToken(text, silentToken)) {
	text = stripLeadingSilentToken(text, silentToken);
	}
	text = stripSilentToken(text, silentToken);

(Note: startsWithSilentToken will need to be added to the import from ../tokens.js.)

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/auto-reply/reply/normalize-reply.ts
Line: 66-68

Comment:
**Both strip passes run even when no leading token is present**

`stripLeadingSilentToken` is now always called whenever `text.includes(silentToken)` is true, even for the common case of trailing-only tokens (e.g. `"Great! NO_REPLY"`). The extra call is a no-op when there is no leading token, but running two regex replacements unconditionally is slightly wasteful. Guarding with `startsWithSilentToken` before the leading strip keeps the hot path efficient and makes intent explicit.

```suggestion
  if (text && text.includes(silentToken) && !isSilentReplyText(text, silentToken)) {
    if (startsWithSilentToken(text, silentToken)) {
      text = stripLeadingSilentToken(text, silentToken);
    }
    text = stripSilentToken(text, silentToken);
```

(Note: `startsWithSilentToken` will need to be added to the import from `../tokens.js`.)

How can I resolve this? If you propose a fix, please make it concise.

[frankekn]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 45d3795f36

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Keep raw streamed prefix when stripping glued NO_REPLY

After detecting a glued leading sentinel, this branch stores visibleText as the stripped text ("The user...") instead of the raw streamed text ("NO_REPLYThe user..."). The accumulator’s merge path explicitly supports cumulative chunk updates (chunk.startsWith(base)), so when the next event arrives as a cumulative snapshot still containing the NO_REPLY prefix, the prefix check no longer matches and the code appends the entire chunk, reintroducing NO_REPLY and duplicating content in ACP-visible output. This regression appears whenever runtimes emit cumulative text_delta snapshots rather than pure append-only deltas.

Useful? React with 👍 / 👎.

[frankekn]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 51766aded2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Restrict glued-token match to word-start content

The new leading-token detector matches NO_REPLY before any non-space character ((?=\S)), so substantive outputs like NO_REPLY: explanation or NO_REPLY—note are now treated as sentinel-prefixed and get rewritten to : explanation / —note. This is a regression from prior behavior (these messages were preserved), and because this helper is used by both reply normalization and ACP streaming paths, it can corrupt visible assistant text whenever a model intentionally starts a message with token-like text plus punctuation.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9a4214843c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Remove case-sensitive gate before leading token strip

The new leading-token normalization still runs inside if (text && text.includes(silentToken) ...), and includes is case-sensitive, so inputs like no_replyThe user is saying... skip this branch entirely and leak the sentinel in normalized final replies. This is especially visible now because other updated streaming paths call startsWithSilentToken directly (case-insensitive), so streamed text can be stripped while the final normalized payload still contains no_reply....

Useful? React with 👍 / 👎.

[frankekn]

@codex review

[frankekn]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Swish!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 1 potential security issue(s) in this PR:

#	Severity	Title
1	🔵 Low	Silent-token stripping can be bypassed with zero-width/combining characters, leaking internal NO_REPLY token

1. 🔵 Silent-token stripping can be bypassed with zero-width/combining characters, leaking internal NO_REPLY token

Property	Value
Severity	Low
CWE	CWE-184
Location	src/auto-reply/tokens.ts:92-104

Description

The new startsWithSilentToken() detection only considers the token to be a “leading glued” silent token when the character immediately following NO_REPLY is a Unicode letter or number ((?=[\p{L}\p{N}])).

This allows an attacker (or prompt-injected model output) to craft output where NO_REPLY is followed by zero-width format characters (e.g., ZWJ/ZWNJ/ZWS) or combining marks before the first visible letter/number, e.g. NO_REPLY\u200DHello or NO_REPLY\u0301Hello.

Impact:

• startsWithSilentToken() returns false for these cases
• Call sites (e.g., normalizeReplyPayload, streaming-directives, server-chat, etc.) therefore do not call stripLeadingSilentToken()
• stripSilentToken() only strips trailing tokens, so the leading token remains and can be sent to end users (internal control token leakage)

Vulnerable code:

​// token must be immediately followed by a letter/number
const regex = new RegExp(`^\\s*(?:${escaped}\\s+)*${escaped}(?=[\\p{L}\\p{N}])`, "iu");

Recommendation

Treat common non-visible joiners/marks between the token and the first visible alphanumeric as attachers, or normalize them away before testing.

For example, allow optional Unicode format/mark characters before the first visible letter/number:

​// Allow Cf (format, incl. ZWJ/ZWNJ/ZWS) and Mn/Mc (combining marks)
const regex = new RegExp(
  `^\\s*(?:${escaped}\\s+)*${escaped}(?=[\\p{Cf}\\p{Mn}\\p{Mc}]*[\\p{L}\\p{N}])`,
  "iu",
);

Alternatively, pre-normalize the input by removing leading \p{Cf} and combining marks after the token before applying the check/strip, and add unit tests covering NO_REPLY\u200DHello, NO_REPLY\u200BHello, and NO_REPLY\u0301Hello.

---

Analyzed PR: #63068 at commit ce345a0

_{Last updated on: 2026-04-08T16:38:50Z}