feat(auto-reply): expose safe requester identity metadata#82353

Open
kiranmagic7 wants to merge 12 commits into
openclaw:mainfrom
kiranmagic7:kiran/requester-identity-safe-metadata

@kiranmagic7

@kiranmagic7 kiranmagic7 commented May 15, 2026

Contributor

Summary

  • Add requester_identity to trusted inbound metadata when a stable provider id matches session.identityLinks
  • Only match stable ids (NativeDirectUserId, SenderId, SenderE164, direct OriginatingTo); do not trust display names, usernames, group titles, quotes, or history
  • Avoid exposing raw sender ids in the trusted block; expose only the configured canonical id and match source metadata

Real behavior proof

Behavior or issue addressed: Trusted inbound metadata can now include a canonical requester identity only when a stable provider id matches configured session.identityLinks; spoofable display metadata is not trusted and raw sender ids are not emitted.

Real environment tested: Local OpenClaw source checkout on macOS/Darwin, branch kiran/requester-identity-safe-metadata, running the changed buildInboundMetaSystemPrompt implementation through Node + tsx from the working tree.

Exact steps or command run after this patch:

$ node --import tsx --input-type=module <<'EOF'
import { buildInboundMetaSystemPrompt } from './src/auto-reply/reply/inbound-meta.ts';
const prompt = buildInboundMetaSystemPrompt({
  SenderId: '123456789',
  SenderName: 'Spoofable Display Name',
  OriginatingChannel: 'telegram',
  Provider: 'telegram',
  Surface: 'telegram',
  ChatType: 'direct',
}, { identityLinks: { alice: ['telegram:123456789'] }, includeFormattingHints: false });
const jsonText = prompt.match(/```json\n([\s\S]*?)\n```/)?.[1];
const payload = JSON.parse(jsonText);
console.log(JSON.stringify({ requester_identity: payload.requester_identity, sender_id_exposed: Object.hasOwn(payload, 'sender_id'), spoofable_name_exposed: JSON.stringify(payload).includes('Spoofable Display Name') }, null, 2));
EOF

Evidence after fix: Terminal output from the command above:

{
  "requester_identity": {
    "canonical_id": "alice",
    "source": "session.identityLinks",
    "confidence": "trusted_config_match",
    "matched_by": "sender_id"
  },
  "sender_id_exposed": false,
  "spoofable_name_exposed": false
}

Observed result after fix: The trusted metadata payload emitted requester_identity.canonical_id = "alice" from the configured stable telegram:123456789 link, while sender_id_exposed and spoofable_name_exposed were both false.

What was not tested: End-to-end delivery through a live Telegram bot/account was not tested; this proof exercises the changed OpenClaw metadata builder directly. Full CI and local checks are supplemental below.

Verification

  • pnpm exec vitest run src/auto-reply/reply/inbound-meta.test.ts — 48 passed on current upstream/main
  • pnpm exec oxfmt --check src/auto-reply/reply/inbound-meta.ts src/auto-reply/reply/get-reply-run.ts src/auto-reply/reply/inbound-meta.test.ts
  • git diff --check
  • pnpm tsgo:core
  • pnpm lint:core

Safety notes

  • The identity is only added when a configured identity link matches a stable provider id.
  • Spoofable display metadata remains excluded from trusted identity resolution.
  • Raw provider ids are used only for matching and are not emitted in the trusted inbound metadata payload.

Disclosure

AI-assisted, per the repository contribution policy.

@openclaw-barnacle openclaw-barnacle Bot added size: S triage: needs-real-behavior-proof Candidate: external PR needs after-fix proof from a real setup. proof: supplied External PR includes structured after-fix real behavior proof. and removed triage: needs-real-behavior-proof Candidate: external PR needs after-fix proof from a real setup. labels May 15, 2026
@clawsweeper

clawsweeper Bot commented May 15, 2026

Contributor

Codex review: found issues before merge. Reviewed June 8, 2026, 8:41 PM ET / 00:41 UTC.

Summary
The PR threads session.identityLinks into inbound metadata prompt building and emits requester_identity for stable sender identifiers, with focused tests.

PR surface: Source +106, Tests +97. Total +203 across 3 files.

Reproducibility: not applicable as a bug reproduction; this is a feature PR. The supplied terminal proof directly exercises the changed prompt builder and shows the intended after-fix payload.

Review metrics: 2 noteworthy metrics.

  • Trusted prompt metadata fields: 1 added. requester_identity becomes model-facing trusted metadata, so field naming and compatibility matter before merge.
  • Identity-link matchers: 1 new local matcher. A separate resolver increases drift risk from existing session routing and dock identity-link matching.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🦞 diamond lobster
Patch quality: 🦐 gold shrimp
Result: needs maintainer review before merge.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Choose and document the trusted identity field name and owner boundary.
  • [P2] Reuse or expose a canonical identity-link resolver and add tests for existing raw and channel-scoped matching semantics.

Risk before merge

  • [P1] Merging now can establish requester_identity as a trusted model-facing contract before maintainers choose whether the canonical field should be requester_identity, sender_principal, or another shared shape.
  • [P1] The new local matcher can drift from existing session.identityLinks behavior because current routing and dock code share broader raw-plus-channel-scoped matching semantics.

Maintainer options:

  1. Align the identity contract before merge (recommended)
    Choose the field name and resolver owner, then update this PR to use that single contract with focused tests for the chosen semantics.
  2. Accept requester_identity deliberately
    Maintainers can accept this field as the new trusted prompt contract, but should update or close the competing sender_principal proposal and document the decision.
  3. Pause behind the canonical identity PR
    If Discord/plugin identity work is the intended owner boundary, pause this PR until that path is merged or redesigned.

Next step before merge

  • [P2] Maintainers need to choose the trusted identity schema and resolver boundary; automation should not decide that contract.

Security
Needs attention: The diff avoids exposing raw ids, but the new trusted identity field is security-sensitive and needs a settled contract before merge.

Review findings

  • [P1] Align the trusted identity prompt contract — src/auto-reply/reply/inbound-meta.ts:513
  • [P2] Reuse the canonical identity-link matcher — src/auto-reply/reply/inbound-meta.ts:396
Review details

Best possible solution:

Settle one trusted identity contract and canonical resolver boundary, then route core and plugin callers through that shared path before merging.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a bug reproduction; this is a feature PR. The supplied terminal proof directly exercises the changed prompt builder and shows the intended after-fix payload.

Is this the best way to solve the issue?

No. The implementation is plausible, but the best fix is to align the trusted identity field and resolver with existing identity-link semantics and the related sender-principal proposal first.

Full review comments:

  • [P1] Align the trusted identity prompt contract — src/auto-reply/reply/inbound-meta.ts:513
    This adds requester_identity as authoritative model-facing metadata, while feat(discord): resolve trusted principals via identity links #70944 proposes sender_principal for the same configured session.identityLinks concept. Once shipped, this prompt field is a compatibility and security contract, so please align on one field name and owner boundary before merge.
    Confidence: 0.84
  • [P2] Reuse the canonical identity-link matcher — src/auto-reply/reply/inbound-meta.ts:396
    The new resolver only creates channel-scoped candidates like ${channel}:${value}, but current session routing and dock commands match both raw and channel-scoped peer ids against session.identityLinks. That makes trusted prompt metadata disagree with existing identity-link behavior for configs accepted elsewhere; please factor or reuse the shared matcher and cover both forms.
    Confidence: 0.82

Overall correctness: patch is incorrect
Overall confidence: 0.86

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5b76436c452a.

Label changes

Label justifications:

  • P2: This is a normal-priority feature with security-sensitive contract questions but no immediate runtime outage.
  • merge-risk: 🚨 compatibility: The PR adds a new trusted prompt metadata contract that agents and future plugins may rely on after release.
  • merge-risk: 🚨 security-boundary: The new field is trusted identity metadata that agents may use for authority, routing, or recipient decisions.
  • rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🦞 diamond lobster and patch quality is 🦐 gold shrimp.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (terminal): The PR body includes terminal proof from a local checkout showing the changed builder emits the canonical identity and omits raw sender/display metadata.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes terminal proof from a local checkout showing the changed builder emits the canonical identity and omits raw sender/display metadata.
Evidence reviewed

PR surface:

Source +106, Tests +97. Total +203 across 3 files.

Area       Files  Added  Removed  Net
Source     2      108    2        +106
Tests      1      97     0        +97
Docs       0      0      0        0
Config     0      0      0        0
Generated  0      0      0        0
Other      0      0      0        0
Total      3      205    2        +203

Security concerns:

  • [medium] Unsettled trusted identity contract — src/auto-reply/reply/inbound-meta.ts:513
    requester_identity is emitted in trusted system metadata, so agents may treat it as authority for routing or recipient decisions before maintainers have aligned the schema with the related sender_principal path.
    Confidence: 0.84

What I checked:

  • PR head adds trusted requester identity metadata: PR head 500fcc850302f72327338fdebf3b6f0645040db3 adds a local resolveTrustedRequesterIdentity helper and emits requester_identity into the trusted inbound metadata payload. (src/auto-reply/reply/inbound-meta.ts:502, 500fcc850302)
  • Current main identity-link matcher accepts raw and channel-scoped candidates: Current main builds both the raw peer id and channel:peerId as identity-link candidates before matching configured links, so a separate scoped-only prompt resolver can diverge from existing routing semantics. (src/routing/session-key.ts:279, 5b76436c452a)
  • Dock command uses broad source identity candidates: Docking also builds raw and channel-scoped source candidates from several stable sender fields before matching session.identityLinks, reinforcing that this identity behavior is shared outside the prompt builder. (src/auto-reply/reply/commands-dock.ts:47, 5b76436c452a)
  • Related open PR proposes a different trusted prompt field: The related Discord PR proposes TrustedSenderPrincipal in context and sender_principal in trusted inbound metadata for the same identity-link concept, so this PR would create a competing model-facing contract. (src/auto-reply/reply/inbound-meta.ts:411, 43e811fb9de1)
  • Contributor proof exercises the changed builder: The PR body includes a Node/tsx terminal probe showing buildInboundMetaSystemPrompt emits requester_identity.canonical_id = "alice" and does not expose raw sender id or spoofable sender name. (src/auto-reply/reply/inbound-meta.ts:484, 500fcc850302)
  • History and ownership sampling: Recent public commit history for inbound-meta.ts, session-key.ts, and get-reply-run.ts shows recent work by zenglingbiao, steipete, and adjacent identity-link work in the related Discord PR by ericberic; local blame on the shallow checkout was also sampled.

Likely related people:

  • steipete: Recent public commit history shows multiple touches to auto-reply/routing documentation and the session-key path, including session-key.ts and auto-reply helper documentation. (role: recent area contributor; confidence: medium; commits: 9b30ff181c14, 6b940ed3ca8f, 00d8d7ead059; files: src/routing/session-key.ts, src/auto-reply/reply/inbound-meta.ts, src/auto-reply/reply/get-reply-run.ts)
  • zenglingbiao: Recent inbound-meta.ts work modified the same prompt metadata module and tests around trusted/untrusted prompt context behavior. (role: recent adjacent contributor; confidence: medium; commits: 3753c5e2c8f2; files: src/auto-reply/reply/inbound-meta.ts, src/auto-reply/reply/inbound-meta.test.ts)
  • ericberic: The related open Discord PR proposes the competing TrustedSenderPrincipal/sender_principal identity-link path that maintainers need to reconcile with this PR. (role: adjacent proposal owner; confidence: medium; commits: 43e811fb9de1, f562d564f0e3; files: extensions/discord/src/monitor/sender-identity.ts, src/auto-reply/reply/inbound-meta.ts, src/plugin-sdk/routing.ts)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 15, 2026
@kiranmagic7 kiranmagic7 force-pushed the kiran/requester-identity-safe-metadata branch from d37b595 to 83caed7 Compare May 15, 2026 23:35
@openclaw-barnacle openclaw-barnacle Bot removed the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 15, 2026
@clawsweeper clawsweeper Bot added the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 15, 2026
@kiranmagic7 kiranmagic7 force-pushed the kiran/requester-identity-safe-metadata branch from 83caed7 to 47a12c8 Compare May 15, 2026 23:46
@openclaw-barnacle openclaw-barnacle Bot removed the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 15, 2026
@kiranmagic7 kiranmagic7 force-pushed the kiran/requester-identity-safe-metadata branch from 47a12c8 to d82ef2d Compare May 15, 2026 23:49
@clawsweeper clawsweeper Bot added the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 15, 2026
@openclaw-barnacle openclaw-barnacle Bot removed the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 16, 2026
@clawsweeper clawsweeper Bot added the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 16, 2026
@RomneyDa

Member

Heads up: this PR needs to be updated against current main before the new required Dependency Guard check can pass.

@openclaw-barnacle openclaw-barnacle Bot removed the proof: sufficient ClawSweeper judged the real behavior proof convincing. label May 29, 2026
@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. labels May 29, 2026
@openclaw-barnacle openclaw-barnacle Bot added app: web-ui App: web-ui size: M and removed size: S labels Jun 1, 2026
@kiranmagic7

Contributor Author

@clawsweeper re-review

One shared current-main UI test expectation failed in GitHub CI across the updated branches:
ui/src/ui/app-gateway.node.test.ts expected loadChatHistoryMock(host), while current code calls loadChatHistoryMock(host, { startup: false }).

I added the one-line expectation update and verified it locally:

node scripts/run-vitest.mjs run --config test/vitest/vitest.ui.config.ts ui/src/ui/app-gateway.node.test.ts --reporter=verbose
PASS: 1 file, 61 tests

git diff --check
PASS

@clawsweeper

clawsweeper Bot commented Jun 1, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. and removed rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. labels Jun 1, 2026
@kiranmagic7

Contributor Author

@clawsweeper re-review

Addressed the trusted-identity review finding by removing OriginatingTo as a requester identity source. requester_identity now resolves only from current sender facts (NativeDirectUserId, SenderId, or SenderE164) matched through session.identityLinks; reply-route destination metadata is not trusted as a requester.

Verification on head 162d830d3c:

node scripts/run-vitest.mjs run --config test/vitest/vitest.auto-reply.config.ts src/auto-reply/reply/inbound-meta.test.ts
PASS: 1 file, 49 tests

git diff --check
PASS

@clawsweeper

clawsweeper Bot commented Jun 1, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@openclaw-barnacle openclaw-barnacle Bot removed the proof: sufficient ClawSweeper judged the real behavior proof convincing. label Jun 1, 2026
@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. labels Jun 1, 2026
@openclaw-barnacle openclaw-barnacle Bot removed the app: web-ui App: web-ui label Jun 1, 2026
@kiranmagic7

Contributor Author

@clawsweeper re-review

Refreshed this branch onto current main; current head is e5334caa2c50c9fe37c487471f28da27ee155b77.

The previous deterministic check-test-types failure is now green on GitHub after the base refresh. I also reran the touched local proof on this head:

node scripts/run-vitest.mjs run --config test/vitest/vitest.auto-reply.config.ts src/auto-reply/reply/inbound-meta.test.ts
PASS: 1 file, 49 tests

pnpm check:test-types
PASS

The only remaining GitHub failure I see is checks-node-agentic-control-plane-startup-health-runtime, which stalled with no output for 900s after unrelated gateway-server tests had already passed several files. I do not have permission to rerun that maintainer-side job directly.

@clawsweeper

clawsweeper Bot commented Jun 1, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@kiranmagic7

Contributor Author

Follow-up on the only red GitHub check for current head e5334caa2c50c9fe37c487471f28da27ee155b77.

The failed job is checks-node-agentic-control-plane-startup-health-runtime here:
https://github.com/openclaw/openclaw/actions/runs/26767114849/job/78896496564

It timed out with no output after these unrelated gateway-server files had already started passing, not on this PR's touched auto-reply identity path.

I ran the same shard include set locally on the PR head:

OPENCLAW_VITEST_MAX_WORKERS=2 OPENCLAW_VITEST_SHARD_NAME=agentic-control-plane-startup-health-runtime node scripts/run-vitest.mjs run --config test/vitest/vitest.gateway-server.config.ts src/gateway/server-runtime-config.test.ts src/gateway/server-runtime-services.test.ts src/gateway/server-runtime-state.test.ts src/gateway/server.health.test.ts src/gateway/server.lazy.test.ts src/gateway/server/health-state.test.ts src/gateway/server/readiness.test.ts --reporter=verbose
PASS: 7 files, 67 tests
Duration: 11.35s

The PR-specific checks remain green: inbound-meta.test.ts 49 tests passed and pnpm check:test-types passed on this head. I cannot rerun the failed maintainer-side GitHub job directly from this fork account.

@kiranmagic7

Contributor Author

@clawsweeper re-review

I pushed an empty CI-retrigger commit because the only remaining GitHub failure on the previous head was a no-output timeout in an unrelated gateway-server shard, and this fork account cannot rerun maintainer-side jobs directly.

Current head: 500fcc8503.

Code and proof are unchanged from the real fix. I also ran the exact previously failing shard locally on the PR head:

OPENCLAW_VITEST_MAX_WORKERS=2 OPENCLAW_VITEST_SHARD_NAME=agentic-control-plane-startup-health-runtime node scripts/run-vitest.mjs run --config test/vitest/vitest.gateway-server.config.ts src/gateway/server-runtime-config.test.ts src/gateway/server-runtime-services.test.ts src/gateway/server-runtime-state.test.ts src/gateway/server.health.test.ts src/gateway/server.lazy.test.ts src/gateway/server/health-state.test.ts src/gateway/server/readiness.test.ts --reporter=verbose
PASS: 7 files, 67 tests
Duration: 11.35s

PR-specific local verification remains:

node scripts/run-vitest.mjs run --config test/vitest/vitest.auto-reply.config.ts src/auto-reply/reply/inbound-meta.test.ts
PASS: 1 file, 49 tests

pnpm check:test-types
PASS

@clawsweeper

clawsweeper Bot commented Jun 1, 2026

Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@openclaw-barnacle openclaw-barnacle Bot removed the proof: sufficient ClawSweeper judged the real behavior proof convincing. label Jun 1, 2026
@clawsweeper clawsweeper Bot added the proof: sufficient ClawSweeper judged the real behavior proof convincing. label Jun 1, 2026
@kiranmagic7

Contributor Author

Friendly follow-up: this still looks ready for maintainer review. Latest head 500fcc850302f72327338fdebf3b6f0645040db3 has GitHub checks green aside from expected skipped/neutral lanes, Real behavior proof is passing, and the branch is scoped to exposing safe requester identity metadata without private message content. Happy to adjust anything maintainers want changed.

@kiranmagic7

Contributor Author

@clawsweeper re-review

Re-requesting because the PR still carries the status: waiting on author label even though current head 500fcc850302f72327338fdebf3b6f0645040db3 is clean and mergeable from GitHub, with no failing checks aside from expected skipped or neutral lanes. No code change from my side at the moment; this is to refresh the reviewer/status state after the latest green run.

@clawsweeper

clawsweeper Bot commented Jun 9, 2026

Contributor

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

@kiranmagic7

Contributor Author

Acknowledged the updated review. I agree the remaining blocker is the trusted identity contract, not CI: current head 500fcc850302f72327338fdebf3b6f0645040db3 is clean, but requester_identity vs sender_principal and the resolver owner need an explicit maintainer decision before this becomes model-facing API.

From my side, I can update the branch in either direction once that decision is made:

  • keep requester_identity and factor the identity-link matcher so it shares the existing raw plus channel-scoped semantics; or
  • align this PR to the sender_principal shape / canonical identity boundary from the adjacent work; or
  • pause this PR behind the canonical identity PR if that should own the contract.

I will not push a schema rename or authority-boundary change without that maintainer direction.
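
The matcher disagreement at the centre of this thread (channel-scoped candidates only, versus raw plus channel-scoped), shown as an added example that is not OpenClaw's code and not part of any comment above. The context field names and the identityLinks shape follow the PR body; the function names, normalisation, the matched_by labels other than sender_id, and the fail-closed ambiguity rule are assumptions.

```typescript
// Added illustration, not OpenClaw source. Context field names and the
// identityLinks shape follow the PR thread; function names, normalisation,
// the extra matched_by labels and the ambiguity rule are assumptions.
type IdentityLinks = Record<string, string[]>;
type MatchMode = "scoped-only" | "raw-and-scoped";

interface InboundCtx {
  Provider?: string;
  NativeDirectUserId?: string;
  SenderId?: string;
  SenderE164?: string;
  SenderName?: string; // spoofable display metadata: never read by the resolver
}

interface RequesterIdentity {
  canonical_id: string;
  source: "session.identityLinks";
  confidence: "trusted_config_match";
  matched_by: "native_direct_user_id" | "sender_id" | "sender_e164";
}

// Stable sender facts only, in priority order.
const STABLE_FIELDS = [
  ["NativeDirectUserId", "native_direct_user_id"],
  ["SenderId", "sender_id"],
  ["SenderE164", "sender_e164"],
] as const;

const norm = (s: string): string => s.trim().toLowerCase();

// Candidate keys for one stable value. "scoped-only" mirrors the matcher the
// review describes in the PR; "raw-and-scoped" mirrors the routing behaviour.
function buildCandidates(channel: string | undefined, value: string, mode: MatchMode): Set<string> {
  const out = new Set<string>();
  if (mode === "raw-and-scoped") out.add(norm(value));
  if (channel) out.add(norm(`${channel}:${value}`));
  return out;
}

function resolveRequesterIdentity(
  ctx: InboundCtx,
  links: IdentityLinks,
  mode: MatchMode,
): RequesterIdentity | undefined {
  for (const [field, matchedBy] of STABLE_FIELDS) {
    const value = ctx[field]?.trim();
    if (!value) continue;
    const wanted = buildCandidates(ctx.Provider, value, mode);
    const [hit, ...others] = Object.entries(links)
      .filter(([, ids]) => ids.some((id) => wanted.has(norm(id))))
      .map(([canonical]) => canonical);
    // Fail closed: one provider id linked to two canonical ids is ambiguous.
    if (others.length > 0) return undefined;
    if (hit !== undefined) {
      // Only the configured canonical id and match source leave this function.
      return {
        canonical_id: hit,
        source: "session.identityLinks",
        confidence: "trusted_config_match",
        matched_by: matchedBy,
      };
    }
  }
  return undefined;
}

// Constructed sample config: one channel-scoped link, one raw link.
const SAMPLE_LINKS: IdentityLinks = {
  alice: ["telegram:123456789"],
  bob: ["987654321"],
};
const BOB_CTX: InboundCtx = { Provider: "telegram", SenderId: "987654321" };

console.log({
  scopedOnly: resolveRequesterIdentity(BOB_CTX, SAMPLE_LINKS, "scoped-only"),
  rawAndScoped: resolveRequesterIdentity(BOB_CTX, SAMPLE_LINKS, "raw-and-scoped"),
});
```

In this sketch a raw link such as bob's carries no channel prefix, so in raw-and-scoped mode it matches the same id arriving from any provider; a shared resolver needs tests that pin down whether that is intended.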

Labels

merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. merge-risk: 🚨 security-boundary 🚨 May affect sandboxing, authorization, credentials, or sensitive data. P2 Normal backlog priority with limited blast radius. proof: sufficient ClawSweeper judged the real behavior proof convincing. proof: supplied External PR includes structured after-fix real behavior proof. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. size: M status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action.
