fix(ui): strip injected inbound metadata from user messages in history (#22142)

* fix(ui): strip injected inbound metadata from user messages in history

Fixes #21106
Fixes #21109
Fixes #22116

OpenClaw prepends structured metadata blocks ("Conversation info",
"Sender:", reply-context) to user messages before sending them to the
LLM. These blocks are intentionally AI-context-only and must never reach
the chat history that users see.

Root cause:
`buildInboundUserContextPrefix` in `inbound-meta.ts` prepends the
blocks directly to the stored user message content string, so they are
persisted verbatim and later shown in webchat, TUI, and every other
rendering surface.

Fix:
• `src/auto-reply/reply/strip-inbound-meta.ts` — new utility with a
  6-sentinel fast-path strip (zero-alloc on miss) + 9-test suite.
• `src/tui/tui-session-actions.ts` — wraps `chatLog.addUser(...)` with
  `stripInboundMetadata()` so the TUI never stores the prefix.
• `ui/src/ui/chat/message-normalizer.ts` — strips user-role text content
  items during normalisation so webchat renders clean messages.

* fix(ui): strip inbound metadata for user messages in display path

* test: fix discord component send test spread typing

* fix: strip inbound metadata from mac chat history decode

* fix: align Swift metadata stripping parser with TS implementation

* fix: normalize line endings in inbound metadata stripper

* chore: document Swift/TS metadata-sentinel ownership

* chore: update changelog for inbound metadata strip fix

* changelog: credit Mellowambience for 22142

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

apps/shared/OpenClawKit/Sources/OpenClawChatUI/ChatMarkdownPreprocessor.swift

@@ -1,6 +1,9 @@
 import Foundation
 
 enum ChatMarkdownPreprocessor {
+    // Keep in sync with `src/auto-reply/reply/strip-inbound-meta.ts`
+    // (`INBOUND_META_SENTINELS`), and extend parser expectations in
+    // `ChatMarkdownPreprocessorTests` when sentinels change.
     private static let inboundContextHeaders = [
         "Conversation info (untrusted metadata):",
         "Sender (untrusted metadata):",
@@ -60,16 +63,49 @@ enum ChatMarkdownPreprocessor {
     }
 
     private static func stripInboundContextBlocks(_ raw: String) -> String {
-        var output = raw
-        for header in self.inboundContextHeaders {
-            let escaped = NSRegularExpression.escapedPattern(for: header)
-            let pattern = "(?ms)^" + escaped + "\\n```json\\n.*?\\n```\\n?"
-            output = output.replacingOccurrences(
-                of: pattern,
-                with: "",
-                options: .regularExpression)
+        guard self.inboundContextHeaders.contains(where: raw.contains) else {
+            return raw
         }
-        return output
+
+        let normalized = raw.replacingOccurrences(of: "\r\n", with: "\n")
+        var outputLines: [String] = []
+        var inMetaBlock = false
+        var inFencedJson = false
+
+        for line in normalized.split(separator: "\n", omittingEmptySubsequences: false) {
+            let currentLine = String(line)
+
+            if !inMetaBlock && self.inboundContextHeaders.contains(where: currentLine.hasPrefix) {
+                inMetaBlock = true
+                inFencedJson = false
+                continue
+            }
+
+            if inMetaBlock {
+                if !inFencedJson && currentLine.trimmingCharacters(in: .whitespacesAndNewlines) == "```json" {
+                    inFencedJson = true
+                    continue
+                }
+
+                if inFencedJson {
+                    if currentLine.trimmingCharacters(in: .whitespacesAndNewlines) == "```" {
+                        inMetaBlock = false
+                        inFencedJson = false
+                    }
+                    continue
+                }
+
+                if currentLine.trimmingCharacters(in: .whitespacesAndNewlines).isEmpty {
+                    continue
+                }
+
+                inMetaBlock = false
+            }
+
+            outputLines.append(currentLine)
+        }
+
+        return outputLines.joined(separator: "\n").replacingOccurrences(of: #"^\n+"#, with: "", options: .regularExpression)
     }
 
     private static func stripPrefixedTimestamps(_ raw: String) -> String {

apps/shared/OpenClawKit/Sources/OpenClawChatUI/ChatViewModel.swift

@@ -189,10 +189,43 @@ public final class OpenClawChatViewModel {
     private static func decodeMessages(_ raw: [AnyCodable]) -> [OpenClawChatMessage] {
         let decoded = raw.compactMap { item in
             (try? ChatPayloadDecoding.decode(item, as: OpenClawChatMessage.self))
+                .map { Self.stripInboundMetadata(from: $0) }
         }
         return Self.dedupeMessages(decoded)
     }
 
+    private static func stripInboundMetadata(from message: OpenClawChatMessage) -> OpenClawChatMessage {
+        guard message.role.lowercased() == "user" else {
+            return message
+        }
+
+        let sanitizedContent = message.content.map { content -> OpenClawChatMessageContent in
+            guard let text = content.text else { return content }
+            let cleaned = ChatMarkdownPreprocessor.preprocess(markdown: text).cleaned
+            return OpenClawChatMessageContent(
+                type: content.type,
+                text: cleaned,
+                thinking: content.thinking,
+                thinkingSignature: content.thinkingSignature,
+                mimeType: content.mimeType,
+                fileName: content.fileName,
+                content: content.content,
+                id: content.id,
+                name: content.name,
+                arguments: content.arguments)
+        }
+
+        return OpenClawChatMessage(
+            id: message.id,
+            role: message.role,
+            content: sanitizedContent,
+            timestamp: message.timestamp,
+            toolCallId: message.toolCallId,
+            toolName: message.toolName,
+            usage: message.usage,
+            stopReason: message.stopReason)
+    }
+
     private static func messageIdentityKey(for message: OpenClawChatMessage) -> String? {
         let role = message.role.trimmingCharacters(in: .whitespacesAndNewlines).lowercased()
         guard !role.isEmpty else { return nil }

apps/shared/OpenClawKit/Tests/OpenClawKitTests/ChatMarkdownPreprocessorTests.swift

@@ -43,6 +43,58 @@ struct ChatMarkdownPreprocessorTests {
         #expect(result.cleaned == "Razor?")
     }
 
+    @Test func stripsSingleConversationInfoBlock() {
+        let text = """
+        Conversation info (untrusted metadata):
+        ```json
+        {"x": 1}
+        ```
+
+        User message
+        """
+
+        let result = ChatMarkdownPreprocessor.preprocess(markdown: text)
+
+        #expect(result.cleaned == "User message")
+    }
+
+    @Test func stripsAllKnownInboundMetadataSentinels() {
+        let sentinels = [
+            "Conversation info (untrusted metadata):",
+            "Sender (untrusted metadata):",
+            "Thread starter (untrusted, for context):",
+            "Replied message (untrusted, for context):",
+            "Forwarded message context (untrusted metadata):",
+            "Chat history since last reply (untrusted, for context):",
+        ]
+
+        for sentinel in sentinels {
+            let markdown = """
+            \(sentinel)
+            ```json
+            {"x": 1}
+            ```
+
+            User content
+            """
+            let result = ChatMarkdownPreprocessor.preprocess(markdown: markdown)
+            #expect(result.cleaned == "User content")
+        }
+    }
+
+    @Test func preservesNonMetadataJsonFence() {
+        let markdown = """
+        Here is some json:
+        ```json
+        {"x": 1}
+        ```
+        """
+
+        let result = ChatMarkdownPreprocessor.preprocess(markdown: markdown)
+
+        #expect(result.cleaned == markdown.trimmingCharacters(in: .whitespacesAndNewlines))
+    }
+
     @Test func stripsLeadingTimestampPrefix() {
         let markdown = """
         [Fri 2026-02-20 18:45 GMT+1] How's it going?

apps/shared/OpenClawKit/Tests/OpenClawKitTests/ChatViewModelTests.swift

@@ -647,6 +647,35 @@ extension TestChatTransportState {
         try await waitUntil("streaming cleared") { await MainActor.run { vm.streamingAssistantText == nil } }
     }
 
+    @Test func stripsInboundMetadataFromHistoryMessages() async throws {
+        let history = OpenClawChatHistoryPayload(
+            sessionKey: "main",
+            sessionId: "sess-main",
+            messages: [
+                AnyCodable([
+                    "role": "user",
+                    "content": [["type": "text", "text": """
+Conversation info (untrusted metadata):
+```json
+{ \"sender\": \"openclaw-ios\" }
+```
+
+Hello?
+"""]],
+                    "timestamp": Date().timeIntervalSince1970 * 1000,
+                ]),
+            ],
+            thinkingLevel: "off")
+        let transport = TestChatTransport(historyResponses: [history])
+        let vm = await MainActor.run { OpenClawChatViewModel(sessionKey: "main", transport: transport) }
+
+        await MainActor.run { vm.load() }
+        try await waitUntil("history loaded") { await MainActor.run { !vm.messages.isEmpty } }
+
+        let sanitized = await MainActor.run { vm.messages.first?.content.first?.text }
+        #expect(sanitized == "Hello?")
+    }
+
     @Test func abortRequestsDoNotClearPendingUntilAbortedEvent() async throws {
         let sessionId = "sess-main"
         let history = OpenClawChatHistoryPayload(