Skip to content

fix(agent-runtime): remediate onboarding boundary-audit findings#97

Merged
Parad0x-Labs merged 1 commit into
mainfrom
fix/onboarding-boundary-remediation
Jul 11, 2026
Merged

fix(agent-runtime): remediate onboarding boundary-audit findings#97
Parad0x-Labs merged 1 commit into
mainfrom
fix/onboarding-boundary-remediation

Conversation

@Parad0x-Labs

Copy link
Copy Markdown
Owner

Context

KAS's NULLA boundary audit (Parad0x-Labs/nulla-video#2, 34 findings) reproduced onboarding-chat failures on a build that already carried the prior live-memory remediation, so the residual causes were elsewhere — the OpenClaw persona/session layer, the local-model context window, and a set of in-repo routing/grounding/guard bugs. This PR addresses the in-repo-fixable subset.

What changed

  • Routing. The web0 builder fast-path no longer fires on prose ("make a five-step web0 guide"); the live-price fast-path drops the x402 stage word quote, matches markers on word boundaries, and skips a Web0/x402 topical turn, so x402/.null prompts stop returning crypto quotes; the hive create intent no longer fires on "summarize without adding new topics".
  • Input. Stop appending a stale Context subject: reference onto a turn that declares its own subject ("keep this label: X") — that had corrupted the turn and the session summary into an invented lease record.
  • Memory. A content-avoidance directive ("do not mention X") is no longer stored as a durable global constraint that contaminates unrelated fresh sessions, on both the rule-based and LLM-extraction paths. An explicit "from now on ..." directive still persists (intended).
  • Response guards. Strip a leaked OpenClaw NO_REPLY control token (reveal the real answer behind a prefix; drop it from persisted history so it can't re-feed). Add a wallet-safety guard that replaces a response soliciting a private key / seed phrase, or claiming a payment completed, with a documented-safe correction.
  • Grounding. Add docs/NULLA_SELF_KNOWLEDGE.md (injected as must-keep context) with the tight safety/capability facts; add deterministic answers for /stopx402, the default cloud-off policy, and "settlement cannot be self-claimed"; the x402 definition now names the request → quote → verify → settle → receipt flow.
  • Config. Write an OpenClaw compaction reserve floor so a long session compacts instead of hard-erroring at the 32k context precheck.

Validation

  • Two adversarial review passes over the diff found and fixed regressions in the new guards and regexes before merge. The wallet guard is a best-effort defense-in-depth backstop (not a complete filter) and was validated against 50 solicitation / false-payment / honest-content cases; the primary F6 defense remains the grounded self-knowledge doc.
  • New regression suite tests/test_onboarding_boundary_remediation.py pins each finding, including the legit-preserved cases. Targeted suites and ruff are green locally; the full matrix runs sharded in CI.

Deferred to live validation (KAS)

  • The context-window overflow's deeper levers — the tools.profile: full schema size and the local Ollama num_ctx (4096 default / adaptive-context flag) — are VRAM/runtime-sensitive and need a hardware run, not a blind config flip.
  • The OpenClaw session-projection issue (multiple user text blocks merged into one) is upstream of nulla-local.
  • Please re-run the boundary batch against this branch's main before merge (same loop as fix(installer): validate port health on restart and reset OpenClaw session state (KAS-049) #92).

KAS's NULLA boundary audit (Parad0x-Labs/nulla-video#2, 34 findings) reproduced
onboarding-chat failures on a build that already carried the prior live-memory
fixes, so the residual causes were elsewhere. This addresses the in-repo-fixable
subset:

- routing: the web0 builder fast-path no longer fires on prose ("make a web0
  guide"); the live-price fast-path drops the x402 stage word "quote", matches
  markers on word boundaries, and skips a Web0/x402 topical turn, so x402/.null
  prompts stop returning crypto quotes; the hive create intent no longer fires
  on "summarize without adding new topics".
- input: stop appending a stale "Context subject:" reference onto a turn that
  declares its own subject ("keep this label: X"), which had corrupted the turn
  and the session summary.
- memory: a content-avoidance directive ("do not mention X") is no longer stored
  as a durable global constraint that contaminates unrelated fresh sessions, on
  both the rule-based and LLM-extraction paths.
- response guards: strip a leaked OpenClaw NO_REPLY control token (reveal the real
  answer behind a prefix; drop it from persisted history so it cannot re-feed);
  add a wallet-safety guard that replaces a response soliciting a private key /
  seed phrase, or claiming a payment completed, with a documented-safe correction
  (a best-effort defense-in-depth backstop, not a complete filter).
- grounding: add docs/NULLA_SELF_KNOWLEDGE.md (injected as must-keep context) with
  the tight safety/capability facts; add deterministic answers for /stopx402, the
  default cloud-off policy, and "settlement cannot be self-claimed"; the x402
  definition now names the request -> quote -> verify -> settle -> receipt flow.
- config: write an OpenClaw compaction reserve floor so a long session compacts
  instead of hard-erroring at the context precheck.

Two adversarial review passes over the diff found and fixed regressions in the new
guards and regexes before this commit; the wallet guard was validated against 50
solicitation / false-payment / honest-content cases. The num_ctx / tools-profile
context-window tuning and the OpenClaw session-projection items are left for live
validation on the runtime.
@Parad0x-Labs Parad0x-Labs merged commit 419ab33 into main Jul 11, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant