fix(memory-lancedb): guard memory recall output [AI]

[pgondhi987]

Summary

• Guards memory_recall output with the same untrusted-memory instruction used by auto-recall.
• Escapes recalled memory text before it is returned in model-visible tool content, while keeping structured details aligned to sanitized entries.
• Reuses the recall sanitizer for both recall paths so stale media/envelope contamination filtering does not drift.
• Overfetches manual recall candidates before filtering, then slices back to the requested limit, so dirty top hits do not hide clean matches.
• Tightens the capture filter for common instruction-override phrasing, including the canonical multi-word form.

Linked context

Maintainer-requested remediation for a security-sensitive memory plugin behavior. No public issue is linked from this PR body.

Real behavior proof (required for external PRs)

• Behavior or issue addressed: memory_recall no longer returns recalled memory text as unguarded model-visible tool content.
• Real environment tested: Local source checkout with the memory-lancedb plugin test harness and mocked LanceDB/OpenAI boundaries.
• Exact steps or command run after this patch: node scripts/run-vitest.mjs extensions/memory-lancedb/index.test.ts
• Evidence after fix (screenshot, recording, terminal capture, console output, redacted runtime log, linked artifact, or copied live output): Test Files 1 passed (1); Tests 125 passed (125).
• Observed result after fix: The regression test verifies memory_recall includes the untrusted-memory guard, escapes tool-like markup, strips stale media annotations, overfetches before filtering, and keeps sanitized details consistent.
• What was not tested: Live OpenAI/LanceDB credentials were not available in this environment, so OPENCLAW_LIVE_TEST=1 coverage was not run.
• Proof limitations or environment constraints: The focused test mocks external embedding/vector-store boundaries to keep validation deterministic; a credentialed live run remains a proof gap before merge if maintainers require it.
• Before evidence (optional but encouraged): Existing implementation formatted r.entry.text directly into memory_recall content.

Tests and validation

• node scripts/run-vitest.mjs extensions/memory-lancedb/index.test.ts
• scripts/pr review-tests 91425 extensions/memory-lancedb/index.test.ts
• Added regression coverage for guarded and escaped memory_recall output.
• Added regression coverage that stale media-only top hits are filtered while clean overfetched matches are still returned.
• Added capture-filter coverage for Ignore all previous instructions and related override phrasing.

Risk checklist

Did user-visible behavior change? (Yes)

Did config, environment, or migration behavior change? (No)

Did security, auth, secrets, network, or tool execution behavior change? (Yes)

What is the highest-risk area?

The model-visible text returned by the memory_recall tool changes formatting by adding an explicit untrusted-memory guard, escaping markup-like characters, and filtering stale media/envelope contamination before slicing to the requested result count.

How is that risk mitigated?

The change is local to the memory-lancedb plugin recall presentation path, preserves recall parameters and result details shape for sanitized entries, overfetches before filtering to avoid hiding clean matches, and is covered by the focused plugin test suite plus review-pr/autoreview gates.

Current review state

What is the next action?

GitHub CI monitoring and final GHSA gate are pending.

What is still waiting on author, maintainer, CI, or external proof?

GitHub CI is pending. Live OpenAI/LanceDB proof is not available from this environment; maintainers may need to run that credentialed lane if required before merge.

Which bot or reviewer comments were addressed?

Autoreview requested overfetch before filtering manual recall results; this was addressed in de0f989abf. ClawSweeper requested real behavior proof; this body records the available focused proof and the remaining live-proof limitation.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 8, 2026, 11:48 AM ET / 15:48 UTC.

Summary
The PR hardens memory-lancedb manual recall output by sanitizing and escaping recalled text, adding the untrusted-memory guard, overfetching before filtering, and expanding focused regression tests.

PR surface: Source +13, Tests +114. Total +127 across 2 files.

Reproducibility: yes. from source: current main formats raw remembered text directly into manual memory_recall tool content, while the sibling auto-recall path already filters, escapes, and marks memories untrusted. I did not run a live reproduction because this is a read-only review and the PR reports credentialed live proof was unavailable.

Review metrics: 1 noteworthy metric.

• Memory recall output surface: 1 tool output changed. memory_recall model-visible text now gains warning text, escaping, filtering, and overfetch-before-slice behavior.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🐚 platinum hermit
Result: blocked until real behavior proof from a real setup is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P1] Add redacted real memory_recall output from an actual setup, or get an explicit maintainer proof override for the credentialed live gap.

Proof guidance:

• [P1] Needs real behavior proof before merge: The PR body and follow-up comment provide focused mocked Vitest/CI proof, but no redacted live memory_recall output from an actual memory-lancedb/LanceDB/OpenAI-compatible setup; redact private details before posting proof, then update the PR body to trigger re-review.

Risk before merge

• [P1] External contributor proof remains mocked-only; no redacted live memory_recall output from an actual memory-lancedb/LanceDB/OpenAI-compatible setup has been posted.
• [P1] The PR intentionally changes existing memory_recall output wording, escaping, result filtering, and vector query limit, so exact-output consumers may see different behavior after upgrade.
• [P1] This narrow manual-tool hardening does not resolve the broader relevant-memory agent/session scoping issue tracked at [Bug] Relevant memory treated as instructions — agent scope leakage #83437.

Maintainer options:

1. Require proof, then accept the hardening (recommended)
   Ask for redacted real memory_recall output from an actual setup, or an explicit maintainer proof override, before merging the acknowledged output-format change.
2. Pause for a staged compatibility path
   Pause the PR if maintainers want an opt-in or staged migration for exact memory_recall text consumers before changing the default output.

Next step before merge

• [P1] The next action is contributor real behavior proof plus maintainer/security acceptance of a compatibility-sensitive output change, not an automated code repair.

Security
Cleared: The diff is limited to memory-lancedb runtime/test hardening and does not add dependency, CI, permission, secret, install, or supply-chain changes beyond the intended recall-output hardening.

Review details

Best possible solution:

Land the plugin-local recall presentation hardening only after redacted real behavior proof or an explicit maintainer proof override, with maintainers accepting the output-format compatibility change.

Do we have a high-confidence way to reproduce the issue?

Yes from source: current main formats raw remembered text directly into manual memory_recall tool content, while the sibling auto-recall path already filters, escapes, and marks memories untrusted. I did not run a live reproduction because this is a read-only review and the PR reports credentialed live proof was unavailable.

Is this the best way to solve the issue?

Yes, with a maintainer caveat: recall presentation is the narrow plugin-owned boundary before recalled memories reach model-visible tool content. The best merge state still needs real behavior proof or a maintainer override because the default output format changes.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 53357e8e7fa1.

Label changes

Label changes:

• add rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• remove rating: 🧂 unranked krab: Current PR rating is rating: 🦪 silver shellfish, so this older rating label is no longer current.

Label justifications:

• P2: The PR is a bounded memory plugin hardening change with limited blast radius but non-trivial output compatibility impact.
• merge-risk: 🚨 compatibility: Existing consumers of exact memory_recall text or result ordering may see different wording, escaped markup, filtered entries, and a larger vector-store query.
• rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body and follow-up comment provide focused mocked Vitest/CI proof, but no redacted live memory_recall output from an actual memory-lancedb/LanceDB/OpenAI-compatible setup; redact private details before posting proof, then update the PR body to trigger re-review.

Evidence reviewed

PR surface:

Source +13, Tests +114. Total +127 across 2 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	32	19	+13
Tests	1	115	1	+114
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	2	147	20	+127

Acceptance criteria:

• [P1] node scripts/run-vitest.mjs extensions/memory-lancedb/index.test.ts.
• [P1] OPENCLAW_LIVE_TEST=1 pnpm test:live extensions/memory-lancedb/memory-lancedb.live.test.ts when credentials are available.

What I checked:

• Current main behavior: Current main formats r.entry.text directly into manual memory_recall model-visible content and returns raw recalled text in details. (extensions/memory-lancedb/index.ts:1569, 53357e8e7fa1)
• Sibling auto-recall hardening: The existing auto-recall path already filters recalled memory text, escapes prompt-like markup, and wraps memories with the untrusted historical-data warning. (extensions/memory-lancedb/index.ts:1316, 53357e8e7fa1)
• PR implementation: The PR head overfetches manual recall candidates, filters/slices clean results, escapes returned text, and adds the untrusted-memory guard to memory_recall content. (extensions/memory-lancedb/index.ts:1549, 6bab895497dd)
• Regression coverage: The PR adds focused tests for untrusted warning text, escaped tool-like markup, stale media filtering, overfetch-before-slice behavior, and sanitized details. (extensions/memory-lancedb/index.test.ts:719, 6bab895497dd)
• Tool-result contract: Agent tool result content is model-returned content, while structured details are for logs/UI rendering; provider serializers inspected use content blocks for tool output. (packages/agent-core/src/types.ts:419, 53357e8e7fa1)
• Provider serialization check: OpenAI chat serialization extracts text/image content from tool results and does not serialize structured details into the model tool message. (src/llm/providers/openai-completions.ts:1088, 53357e8e7fa1)

Likely related people:

• vignesh07: Vignesh Natarajan authored the earlier memory-lancedb hardening commit that added the existing recall sanitization and untrusted-memory treatment this PR extends to manual recall. (role: feature hardening contributor; confidence: high; commits: 61725fb37e33; files: extensions/memory-lancedb/index.ts, extensions/memory-lancedb/index.test.ts)
• steipete: Peter Steinberger appears most frequently in shortlog for the memory-lancedb implementation and tests, including recent cleanup/refactor commits around the same files. (role: heavy area contributor; confidence: medium; commits: 0ebeee8b0de4, e0ad3e79e6bf, 1226361c6da1; files: extensions/memory-lancedb/index.ts, extensions/memory-lancedb/index.test.ts, extensions/memory-lancedb/memory-lancedb.live.test.ts)
• vincentkoc: Vincent Koc recently touched the same memory-lancedb test/packaging surface and release baseline history, making him a plausible routing candidate for plugin compatibility review. (role: recent adjacent contributor; confidence: medium; commits: 2e08f0f4221f, 97c542a67b68, 0f56b16d47f1; files: extensions/memory-lancedb/index.ts, extensions/memory-lancedb/index.test.ts)
• Xin Sun: Xin Sun authored the recent memory-lancedb cloud storage feature touching the same runtime and test files, so they may know the plugin's LanceDB/runtime behavior. (role: recent feature contributor; confidence: medium; commits: df918c4de530; files: extensions/memory-lancedb/index.ts, extensions/memory-lancedb/index.test.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[pgondhi987]

@clawsweeper review

Updated the PR body with the current proof and limitation details after the overfetch fix. Current head is de0f989abf7bb8f999eb35518feffaad31c4512c.

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Superseded
• Detail: A newer re-review for this item started before this run finished, so GitHub cancelled this older run. Check the latest ClawSweeper run for the current result.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27140688012
• Updated: 2026-06-08T13:28:13.465Z

[pgondhi987]

Verification before merge:

Behavior addressed: memory_recall now treats recalled memory as untrusted historical data instead of returning raw remembered text as unguarded model-visible tool content.
Real environment tested: local source checkout, review-pr artifact worktree, GitHub Actions PR CI; no live OpenAI/LanceDB credentialed environment was available.
Exact steps or command run after this patch:

• node scripts/run-vitest.mjs extensions/memory-lancedb/index.test.ts
• node scripts/run-bundled-extension-oxlint.mjs
• scripts/pr review-tests 91425 extensions/memory-lancedb/index.test.ts
• timeout 1800 .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
• ghsa_dry_run gate
• ghsa_real_gate gate
  Evidence after fix:
• Head SHA 6bab895497dda66a4275e20a638c4a167d461291; GitHub CI has no failed or pending checks and merge state is CLEAN.
• Focused Vitest passed: 1 file, 125 tests; bundled extension oxlint passed.
• review-pr: passed, READY FOR /prepare-pr with 0 findings; autoreview: passed, no accepted/actionable findings.
• ghsa_dry_run: passed; ghsa_real_gate: passed.
  Observed result after fix: The regression coverage verifies guarded/escaped recall output, stale media-only filtering with overfetch before final limit slicing, sanitized details, and tightened instruction-override filtering.
  What was not tested: Credentialed live OpenAI/LanceDB memory_recall run was not available in this environment.

Regression Risk:
Low. The change is limited to the memory-lancedb plugin recall presentation path and tests; auth, policy, approvals, sandboxing, config, migrations, storage schema, provider routing, channel behavior, persisted credentials, and plugin contracts are unchanged. The main risk is exact text consumers seeing the added untrusted-context wording and escaped markup, bounded by focused tests and green CI.

Best fix verdict: best/appropriate. Recall presentation is the right layer because storage-time prompt-injection matching remains heuristic, while the tool result content is the final plugin-owned model-visible boundary before recalled memory reaches the model.

User behavior change:
Before, memory_recall could return remembered text directly in tool content. After, the same tool returns recalled memories with an untrusted-history warning, escaped memory text, stale media/envelope filtering, and overfetch-before-filtering so clean matches are not hidden by dirty top hits. Tool parameters, result details shape, config, storage, provider, channel, auth, approval, and sandbox behavior do not change.

[pgondhi987]

@clawsweeper review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27149049632
• Updated: 2026-06-08T15:48:49.716Z