fix(agents): prevent ReDoS in background-session name derivation

[clawsweeper]

Makes #90976 merge-ready for the ClawSweeper automerge loop.
The edit pass should inspect the live PR diff, review comments, and failing checks; rebase if needed; keep the contributor branch credited; and stop only when validation is green or an external blocker is proven.

ClawSweeper 🐠 replacement reef notes:

• Cluster: automerge-openclaw-openclaw-90976
• Source PRs: fix(agents): prevent ReDoS in background-session name derivation #90976
• Credit: Source PR: fix(agents): prevent ReDoS in background-session name derivation #90976
• Validation: pnpm check:changed
• Replacement reason: ClawSweeper could not update the source PR branch directly, so it opened a writable replacement PR instead.
• Automerge requested by: @Takhoffman

• Repair fallback: GitHub rejected the repair branch push because it updates workflow files and the ClawSweeper app token does not have workflows permission

Co-author credit kept:

• @yetval: Co-authored-by: Yuval Dinodia 102706514+yetval@users.noreply.github.com

fish notes: model gpt-5.5, reasoning high; reviewed against 0a38952.

[clawsweeper]

Codex review: passed. Reviewed June 7, 2026, 4:30 PM ET / 20:30 UTC.

Summary
The PR updates background-session command tokenization to avoid catastrophic regex backtracking and adds deriveSessionName regression tests for quoted and backslash-heavy commands.

PR surface: Source 0, Tests +26. Total +26 across 2 files.

Reproducibility: yes. with high confidence from source inspection and supplied terminal proof: current main and v2026.6.1 route background session commands through the vulnerable regex, and the linked source PR shows before/after timing for the production helper. I did not run tests because this review is read-only.

Review metrics: none identified.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Next step before merge

• [P2] No repair job is needed; this PR has no blocking findings and is already on the automerge path, so exact-head checks or a maintainer merge are the remaining gate.

Security
Cleared: The diff only changes the shared tokenizer and colocated tests, adds no dependency/workflow/secret surface, and reduces the ReDoS exposure it targets.

Review details

Best possible solution:

Land the narrow shared-tokenizer fix after exact-head CI/automerge gates, preserving the source contributor credit from the linked source PR.

Do we have a high-confidence way to reproduce the issue?

Yes, with high confidence from source inspection and supplied terminal proof: current main and v2026.6.1 route background session commands through the vulnerable regex, and the linked source PR shows before/after timing for the production helper. I did not run tests because this review is read-only.

Is this the best way to solve the issue?

Yes: fixing the single shared tokenizer is the narrowest maintainable layer, avoids patching every process caller, and the tests cover both preserved behavior and the malicious backslash-run case.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 0c33f4e0786e.

Label changes

Label changes:

• add rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• remove rating: 🦀 challenger crab: Current PR rating is rating: 🦞 diamond lobster, so this older rating label is no longer current.

Label justifications:

• P1: A crafted background-session command can make agent process/session operations spend unbounded time deriving display names.
• rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Sufficient (terminal): The current PR links the source PR whose body supplies before/after terminal timings against the production deriveSessionName helper, showing the fixed behavior after the patch.
• proof: sufficient: Contributor real behavior proof is sufficient. The current PR links the source PR whose body supplies before/after terminal timings against the production deriveSessionName helper, showing the fixed behavior after the patch.

Evidence reviewed

PR surface:

Source 0, Tests +26. Total +26 across 2 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	1	1	0
Tests	1	27	1	+26
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	2	28	2	+26

What I checked:

• Current main still has the ambiguous tokenizer: deriveSessionName on current main calls tokenizeCommand, whose quoted-span regex lets backslash match both the escape branch and the negated character class. (src/agents/bash-tools.shared.ts:294, 0c33f4e0786e)
• PR head removes the ambiguous match: The PR head excludes backslash from the double-quoted negated class and treats single-quoted spans literally, which removes the overlapping backslash alternatives in the changed tokenizer. (src/agents/bash-tools.shared.ts:294, 0a38952fc866)
• Background process callers derive names from stored commands: The process tool maps both running and finished background sessions through deriveSessionName(s.command) for list/details output, so slow tokenization would affect normal process-session operations. (src/agents/bash-tools.process.ts:282, 0c33f4e0786e)
• Active-session context also uses the tokenizer: Active background process references derive the context-facing name from session.command, so the vulnerable path is not limited to one process action. (src/agents/bash-process-references.ts:65, 0c33f4e0786e)
• Regression tests cover benign and malicious inputs: The PR adds deriveSessionName tests for well-formed quotes, backslash-bearing spans, single-quote semantics, and unterminated quoted backslash runs bounded under 100 ms. (src/agents/bash-tools.shared.test.ts:122, 0a38952fc866)
• Latest release still has the unsafe regex: v2026.6.1 shows the same ambiguous tokenizer, and no release tag contains the PR fix commit checked locally. (src/agents/bash-tools.shared.ts:278, 2e08f0f4221f)

Likely related people:

• vincentkoc: Available blame and history for deriveSessionName, tokenizeCommand, and the central background-session callers point to Vincent Koc on b9d530e29213bc043727e8cb28c243663809ec4d; the release tag blame also attributes the tokenizer line to the same author. (role: introduced behavior / recent area contributor; confidence: medium; commits: b9d530e29213, 2e08f0f4221f; files: src/agents/bash-tools.shared.ts, src/agents/bash-tools.process.ts, src/agents/bash-process-references.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

🦞✅
ClawSweeper merged this PR after the passing review.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=0a38952fc866cf206319ca04add05dd5b91cdb54)
Merge status: merged by ClawSweeper automerge
Merged at: 2026-06-07T20:30:57Z
Merge commit: e498d39bedaa

What merged:

• The PR updates background-session command tokenization to avoid catastrophic regex backtracking and adds deriveSessionName regression tests for quoted and backslash-heavy commands.
• PR surface: Source 0, Tests +26. Total +26 across 2 files.
• Reproducibility: yes. with high confidence from source inspection and supplied terminal proof: current `main ... shows before/after timing for the production helper. I did not run tests because this review is read-only.

Automerge notes:

• PR branch already contained follow-up commit before automerge: fix(agents): treat backslash as literal inside single-quoted session …
• PR branch already contained follow-up commit before automerge: fix(agents): prevent ReDoS in background-session name derivation

The automerge loop is complete.

Automerge progress:

• 2026-06-07 20:22:52 UTC review queued 0a38952fc866 (queued)

• 2026-06-07 20:30:47 UTC review passed 0a38952fc866 (structured ClawSweeper verdict: pass (sha=0a38952fc866cf206319ca04add05dd5b91cd...)

• 2026-06-07 19:54:29 UTC repair queued 0a38952fc866 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/27103091600

• 2026-06-07 19:58:04 UTC repair started (running) in 1s Run: https://github.com/openclaw/clawsweeper/actions/runs/27103091600 automerge-openclaw-openclaw-90976

• 2026-06-07 19:58:09 UTC repair completed 0a38952fc866 (no branch change) in 5s Run: https://github.com/openclaw/clawsweeper/actions/runs/27103091600 no planned fix actions

• 2026-06-07 19:58:08 UTC merge check queued 0a38952fc866 (checks and exact-head review are ready)

• 2026-06-07 20:02:38 UTC repair queued 0a38952fc866 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/27103293464

• 2026-06-07 20:05:47 UTC repair started (running) in 1s Run: https://github.com/openclaw/clawsweeper/actions/runs/27103293464 automerge-openclaw-openclaw-90976

• 2026-06-07 20:05:52 UTC repair completed 0a38952fc866 (no branch change) in 6s Run: https://github.com/openclaw/clawsweeper/actions/runs/27103293464 no planned fix actions

• 2026-06-07 20:05:51 UTC merge check queued 0a38952fc866 (checks and exact-head review are ready)

• 2026-06-07 20:30:59 UTC merged 0a38952fc866 (merged by ClawSweeper automerge)