fix(agent-runtime): remediate onboarding boundary-audit findings#97
Merged
Conversation
KAS's NULLA boundary audit (Parad0x-Labs/nulla-video#2, 34 findings) reproduced onboarding-chat failures on a build that already carried the prior live-memory fixes, so the residual causes were elsewhere. This addresses the in-repo-fixable subset: - routing: the web0 builder fast-path no longer fires on prose ("make a web0 guide"); the live-price fast-path drops the x402 stage word "quote", matches markers on word boundaries, and skips a Web0/x402 topical turn, so x402/.null prompts stop returning crypto quotes; the hive create intent no longer fires on "summarize without adding new topics". - input: stop appending a stale "Context subject:" reference onto a turn that declares its own subject ("keep this label: X"), which had corrupted the turn and the session summary. - memory: a content-avoidance directive ("do not mention X") is no longer stored as a durable global constraint that contaminates unrelated fresh sessions, on both the rule-based and LLM-extraction paths. - response guards: strip a leaked OpenClaw NO_REPLY control token (reveal the real answer behind a prefix; drop it from persisted history so it cannot re-feed); add a wallet-safety guard that replaces a response soliciting a private key / seed phrase, or claiming a payment completed, with a documented-safe correction (a best-effort defense-in-depth backstop, not a complete filter). - grounding: add docs/NULLA_SELF_KNOWLEDGE.md (injected as must-keep context) with the tight safety/capability facts; add deterministic answers for /stopx402, the default cloud-off policy, and "settlement cannot be self-claimed"; the x402 definition now names the request -> quote -> verify -> settle -> receipt flow. - config: write an OpenClaw compaction reserve floor so a long session compacts instead of hard-erroring at the context precheck. Two adversarial review passes over the diff found and fixed regressions in the new guards and regexes before this commit; the wallet guard was validated against 50 solicitation / false-payment / honest-content cases. The num_ctx / tools-profile context-window tuning and the OpenClaw session-projection items are left for live validation on the runtime.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context
KAS's NULLA boundary audit (Parad0x-Labs/nulla-video#2, 34 findings) reproduced onboarding-chat failures on a build that already carried the prior live-memory remediation, so the residual causes were elsewhere — the OpenClaw persona/session layer, the local-model context window, and a set of in-repo routing/grounding/guard bugs. This PR addresses the in-repo-fixable subset.
What changed
quote, matches markers on word boundaries, and skips a Web0/x402 topical turn, so x402/.nullprompts stop returning crypto quotes; the hive create intent no longer fires on "summarize without adding new topics".Context subject:reference onto a turn that declares its own subject ("keep this label: X") — that had corrupted the turn and the session summary into an invented lease record.NO_REPLYcontrol token (reveal the real answer behind a prefix; drop it from persisted history so it can't re-feed). Add a wallet-safety guard that replaces a response soliciting a private key / seed phrase, or claiming a payment completed, with a documented-safe correction.docs/NULLA_SELF_KNOWLEDGE.md(injected as must-keep context) with the tight safety/capability facts; add deterministic answers for/stopx402, the default cloud-off policy, and "settlement cannot be self-claimed"; the x402 definition now names the request → quote → verify → settle → receipt flow.Validation
tests/test_onboarding_boundary_remediation.pypins each finding, including the legit-preserved cases. Targeted suites and ruff are green locally; the full matrix runs sharded in CI.Deferred to live validation (KAS)
tools.profile: fullschema size and the local Ollamanum_ctx(4096 default / adaptive-context flag) — are VRAM/runtime-sensitive and need a hardware run, not a blind config flip.mainbefore merge (same loop as fix(installer): validate port health on restart and reset OpenClaw session state (KAS-049) #92).