fix(security): inline redact into appendSessionTranscriptMessage

[clawsweeper]

Summary:

• Repair the opted-in contributor branch for fix(security): inline redact into appendSessionTranscriptMessage #73563 instead of opening a replacement.
• Add the missing Unreleased changelog entry with @Ziy1-Tan credit.
• Rebase/refresh against current main and preserve the centralized appendSessionTranscriptMessage redaction behavior.
• Re-run review after repair so the automerge router evaluates the exact repaired head.

Verification:

• pnpm check:changed
• pnpm test src/config/sessions/transcript-append-redact.test.ts src/agents/transcript-redact.test.ts src/config/sessions/transcript.test.ts
• pnpm plugin-sdk:api:check

Credit:

• Carries forward source PR fix(security): inline redact into appendSessionTranscriptMessage #73563 by @Ziy1-Tan.

ClawSweeper 🐠 replacement reef notes:

• Cluster: automerge-openclaw-openclaw-73563
• Source PRs: fix(security): inline redact into appendSessionTranscriptMessage #73563
• Credit: Preserve @Ziy1-Tan as the source contributor for fix(security): inline redact into appendSessionTranscriptMessage #73563.; The CHANGELOG.md entry may use allowed human attribution: Thanks @Ziy1-Tan.; Keep the existing contributor branch when possible because branch_writable=true; do not replace unless the branch becomes unrepairable during executor checkout.
• Validation: pnpm check:changed; pnpm test src/config/sessions/transcript-append-redact.test.ts src/agents/transcript-redact.test.ts src/config/sessions/transcript.test.ts; pnpm plugin-sdk:api:check
• Repair fallback: GitHub rejected the repair branch push because it updates workflow files and the ClawSweeper app token does not have workflows permission

fish notes: model gpt-5.5, reasoning high; reviewed against c9600f1.

[clawsweeper]

Codex review: needs maintainer review before merge.

Summary
The PR adds shared transcript-message redaction, returns the redacted appended message from the transcript append helper, emits that redacted message through session/gateway/Telegram transcript updates, and updates tests, changelog, and the Plugin SDK API baseline.

Reproducibility: yes. by source inspection: current main redacts the persisted JSONL entry but inline session, gateway, and Telegram transcript update paths still emit the original payload. I did not execute a live repro in this read-only review.

Real behavior proof
Not applicable: This is a ClawSweeper bot repair PR, so the external-contributor real-behavior proof gate does not apply; the carried source PR included live JSONL proof, but this head still needs maintainer validation.

Next step before merge
Human review was explicitly requested and automation was paused; the remaining work is maintainer review of a security-sensitive transcript fix with an intentional SDK API baseline change.

Security
Cleared: The diff is security-sensitive, but I found no concrete new leak or supply-chain concern after the latest head restored broad non-role fallback redaction and default-pattern coverage.

Review details

Best possible solution:

Land this PR or an equivalent maintainer-approved central append-layer redaction fix after resolving mergeability and accepting the additive SDK contract change, while preserving the source contributor credit from #73563.

Do we have a high-confidence way to reproduce the issue?

Yes, by source inspection: current main redacts the persisted JSONL entry but inline session, gateway, and Telegram transcript update paths still emit the original payload. I did not execute a live repro in this read-only review.

Is this the best way to solve the issue?

Yes, with maintainer acceptance: centralizing redaction at the append sink and returning the appended redacted message is the narrow maintainable fix. The remaining judgment is the public SDK return/config type change and branch mergeability, not a clear code defect in the latest head.

Acceptance criteria:

• pnpm check:changed
• pnpm test src/config/sessions/transcript-append-redact.test.ts src/agents/transcript-redact.test.ts src/config/sessions/transcript.test.ts extensions/telegram/src/bot-message-dispatch.test.ts src/gateway/server-methods/chat.inject.parentid.test.ts
• pnpm plugin-sdk:api:check

What I checked:

• Current main append sink persists a redacted message but returns no sanitized payload: On current main, appendSessionTranscriptMessage writes message: redactSecrets(params.message) to the JSONL entry and returns only { messageId }, so downstream inline emitters cannot reuse the sanitized value from this sink. (src/config/sessions/transcript-append.ts:294, aa9799320d65)
• Current main inline session update uses the original message: appendExactAssistantMessageToSessionTranscript appends through the redacting sink, then emits the original message object in inline transcript updates. (src/config/sessions/transcript.ts:316, aa9799320d65)
• Current main Telegram and gateway mirrors also emit original payloads: The Telegram mirror and gateway transcript injection helper call appendSessionTranscriptMessage, then emit or return the original message/messageBody instead of the persisted redacted value. (extensions/telegram/src/bot-message-dispatch.ts:340, aa9799320d65)
• PR head returns the redacted appended message and preserves broad fallback redaction: At PR head a6d8a21, appendSessionTranscriptMessage computes finalMessage with redactTranscriptMessage for AgentMessage-like payloads and redactSecrets for non-role payloads, writes finalMessage, and returns it with messageId. (src/config/sessions/transcript-append.ts:298, a6d8a214745e)
• PR head routes inline emitters through the appended redacted message: At PR head, session transcript, Telegram, and gateway injection paths destructure message: appendedMessage and emit or return that value instead of the original payload. (src/gateway/server-methods/chat-transcript-inject.ts:106, a6d8a214745e)
• Prior review finding is addressed in latest head: The latest head includes tests for raw string payloads, structured no-role payloads, custom patterns without dropping defaults, redacted inline events, and delivery-mirror dedupe against redacted/legacy transcript text. (src/config/sessions/transcript-append-redact.test.ts:101, a6d8a214745e)

Likely related people:

• steipete: Recent current-main commits changed transcript append, session write-lock, and gateway transcript IO behavior on the central files this PR modifies. (role: recent area contributor; confidence: high; commits: 3f6b481464bf, f7ed29e11812, 6147e1b91d3e; files: src/config/sessions/transcript-append.ts, src/config/sessions/transcript.ts, src/gateway/server-methods/chat-transcript-inject.ts)
• vincentkoc: Current-main history shows work on persisted transcript redaction and gateway transcript hot paths that overlap the redaction and transcript-event surfaces reviewed here. (role: redaction and gateway adjacent contributor; confidence: medium; commits: 406ae72fd278, ec59af33863a; files: src/agents/session-tool-result-guard-wrapper.ts, src/gateway/server-methods/chat-transcript-inject.ts)
• pgondhi987: Recent current-main commit changed persisted secret-shaped payload redaction in the transcript append/logging area, directly adjacent to this PR's sink-level redaction work. (role: recent transcript redaction contributor; confidence: medium; commits: 17ceca86d698; files: src/config/sessions/transcript-append.ts, src/logging/redact.ts)
• jalehman: Recent current-main Telegram dispatcher work touches the same Telegram file that this PR updates for transcript mirror emission. (role: recent Telegram adjacent contributor; confidence: medium; commits: 24ffd4d2f851; files: extensions/telegram/src/bot-message-dispatch.ts)
• hxy91819: The PR discussion shows this person closed the noisy replacement attempt, reopened this PR, assigned it, and documented the SDK compatibility judgment needed before landing. (role: current PR reviewer and assignee; confidence: high; commits: 09830824b742, e4dfa98c1f22, a6d8a214745e; files: src/config/sessions/transcript-append.ts, src/agents/transcript-redact.ts, docs/.generated/plugin-sdk-api-baseline.sha256)

Remaining risk / open question:

• The provided PR state reports mergeable=false, so landing may still require rebase or conflict resolution before checks can gate the exact head.
• The Plugin SDK API baseline change is intentional and likely additive, but it still needs maintainer acceptance because appendSessionTranscriptMessage is exported through the SDK runtime surface.
• This read-only review did not run the PR's validation commands; it is based on source, tests, PR context, and current-main inspection.

Codex review notes: model gpt-5.5, reasoning high; reviewed against aa9799320d65.

[clawsweeper]

ClawSweeper 🐠 automerge status

ClawSweeper finished this automerge repair pass without changing the branch.

Executor outcome: source PR #79645 is paused by clawsweeper:human-review; refusing to mutate the PR branch.
Worker summary: Canonical path is the open ClawSweeper repair this PR. It is same-repo and writable, but not merge-ready: the artifact shows dirty mergeability, no clean exact-head Codex review after the latest rebase command, and prior ClawSweeper review required structured tool-call payload redaction coverage. Plan branch repair/rebase and exact-head re-review; do not close or merge from this worker.

Worker actions:

• fix_needed on this PR: planned - Repair the writable canonical PR branch, rebase/resolve dirty state, address any remaining structured payload redaction gap, then rerun exact-head review and changed-surface validation.
• build_fix_artifact on cluster:automerge-openclaw-openclaw-73563: planned - A bounded repair artifact is required because the canonical PR is useful but not merge-ready.
• keep_closed on #73563: skipped - Closed source PR is historical evidence and credit source only.
• keep_related on #73565: planned - Keep open until the canonical repair PR lands and a later close-capable run reclassifies against the merged fix.
• keep_related on #64046: planned - Related umbrella should remain open and independent of this narrow automerge repair.

No push, rebase, replacement PR, merge, or ClawSweeper re-review happened on this pass.

fish notes: model gpt-5.5, reasoning high.

Automerge progress:

• 2026-05-09 13:01:45 UTC automerge wait 2aca24047672 (blocked) in 11m 16s Run: https://github.com/openclaw/clawsweeper/actions/runs/25601494588 GitHub checks failed: checks-node-core-fast:FAILURE

• 2026-05-09 13:01:46 UTC repair finished 2aca24047672 (pushed) in 11m 17s Run: https://github.com/openclaw/clawsweeper/actions/runs/25601494588 repair_contributor_branch

• 2026-05-09 13:09:08 UTC review requested repair 2aca24047672 (structured ClawSweeper marker: fix-required (finding=review-feedback sha=2aca24...)

• 2026-05-09 13:09:29 UTC repair queued 2aca24047672 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/25601928937

• 2026-05-09 13:12:38 UTC repair started (running) in 0s Run: https://github.com/openclaw/clawsweeper/actions/runs/25601928937 automerge-openclaw-openclaw-73563

• 2026-05-09 13:12:50 UTC validation plan (passed) in 13s Run: https://github.com/openclaw/clawsweeper/actions/runs/25601928937 pnpm check:changed

• 2026-05-09 13:12:58 UTC Codex write preflight (passed) in 21s Run: https://github.com/openclaw/clawsweeper/actions/runs/25601928937 danger-full-access

• 2026-05-09 13:20:32 UTC Codex edit 1 2fe423e57842 (complete) in 7m 55s Run: https://github.com/openclaw/clawsweeper/actions/runs/25601928937 exit 0

• 2026-05-09 13:29:59 UTC validation and review 1 fe5cdeaa001e (base moved) in 17m 22s Run: https://github.com/openclaw/clawsweeper/actions/runs/25601928937 rebased

• 2026-05-09 13:22:26 UTC review queued e77b30ed8756 (queued)

• 2026-05-09 13:30:16 UTC repair finished fe5cdeaa001e (opened) in 17m 39s Run: https://github.com/openclaw/clawsweeper/actions/runs/25601928937 open_fix_pr

• 2026-05-11 15:53:48 UTC repair started (running) in 1s Run: https://github.com/openclaw/clawsweeper/actions/runs/25673903603 automerge-openclaw-openclaw-73563

• 2026-05-11 15:54:03 UTC validation plan (passed) in 15s Run: https://github.com/openclaw/clawsweeper/actions/runs/25673903603 pnpm check:changed; pnpm plugin-sdk:api:check; pnpm lint; pnpm check:test-types

• 2026-05-11 15:54:11 UTC Codex write preflight (passed) in 24s Run: https://github.com/openclaw/clawsweeper/actions/runs/25673903603 danger-full-access

• 2026-05-11 15:54:14 UTC repair completed (no branch change) in 26s Run: https://github.com/openclaw/clawsweeper/actions/runs/25673903603 source PR fix(security): inline redact into appendSessionTranscriptMessage #79645 is paused by clawsweeper:human-review; refusing to mutate the PR branch

• 2026-05-11 15:54:15 UTC repair finished (blocked) in 28s Run: https://github.com/openclaw/clawsweeper/actions/runs/25673903603 source PR fix(security): inline redact into appendSessionTranscriptMessage #79645 is paused by clawsweeper:human-review; refusing to mutate the PR branch

[hxy91819]

Merged via squash.

• Prepared head SHA: da91ab6cf111db8ee9417f6717689604095f378e
• Merge commit: faaa7efef050dc19e42fa3273521bac352e036ea