Agents/Security: block tainted sink calls from untrusted tool outputs

[soumikbhatta]

Summary

Add a lightweight provenance tracker that records snippets from untrusted external tool outputs and blocks sensitive sink tool calls when those snippets are reused in tool parameters.

This packages the taint/provenance mitigation work for openclaw/trust#2.

lobster-biscuit

Repro Steps

1. Fetch untrusted content through an external source tool (for example web_fetch) that includes shell/file payload text.
2. In the same session, invoke a sensitive sink tool (for example exec) with parameters that include that payload.
3. Without this change, the sink call can proceed unless blocked by unrelated policies/hooks.

Root Cause

The runtime did not carry forward any structured trust/provenance signal from tool results into later tool-call decisions. The before_tool_call path had no built-in taint check, and tool-result persistence had no provenance capture.

Behavior Changes

• Added ProvenanceTracker (src/agents/provenance.ts) with per-session taint capture and sink checks.
• before_tool_call path now enforces taint blocking for sensitive sinks (exec, write/edit/message family, plus legacy aliases).
• guardSessionManager now records tainted snippets from external tool result text before persistence-hook transforms.
• Added changelog entry under 2026.2.9 fixes referencing openclaw/trust#2.

Codebase and GitHub Search

• Reviewed existing hook integration and session tool-result guard flows.
• Updated only agent security/provenance paths + tests.
• Scoped source/sink names to current OpenClaw tools and legacy aliases used by older schemas.

Tests

• pnpm lint ✅
• pnpm check ✅
• pnpm build ✅
• pnpm test ✅
• Focused tests added:
  • src/agents/provenance.test.ts
  • src/agents/pi-tools.before-tool-call.test.ts (taint block case)
  • src/agents/session-tool-result-guard.tool-result-persist-hook.test.ts (taint capture case)

Manual Testing (omit if N/A)

Prerequisites

• Clean clone with deps installed.

Steps

1. Run a session where an external tool returns malicious command text.
2. Attempt to call exec with params containing that text.
3. Verify the call is blocked with a security reason.

Evidence (omit if N/A)

• Full baseline validation passed in clean PR branch:
  • pnpm lint
  • pnpm check
  • pnpm build
  • pnpm test

Sign-Off

• Models used: GPT-5 Codex
• Submitter effort (self-reported): focused implementation + tests + full local validation
• Agent notes: This is a lightweight guardrail and not a full provenance DAG/policy engine; it is scoped as an incremental mitigation for trust issue Login fails with 'WebSocket Error (socket hang up)' ECONNRESET #2.

Greptile Overview

Greptile Summary

I wasn’t able to review PR #13293 yet because the actual patch/diff content isn’t available in this environment (the repo working tree is clean at a4c00ab, and I can’t fetch the PR diff from GitHub without a provided diff or a local PR ref). If you paste the git diff 53fd26a...a4c00ab... output for the 7 changed files (or provide a local branch/checkout containing the PR changes), I can do a line-level review and leave concrete merge-blocking comments.

Given the description, the change introduces a ProvenanceTracker and blocks sensitive sink tools when tainted snippets are detected in tool-call parameters, plus captures taint from external tool results before persistence-hook transforms. Once I can see the code, I’ll verify:

• Tool-name allow/deny lists match actual tool schemas and aliases used in code.
• Taint capture boundaries (what counts as “external/untrusted”) are correct.
• Parameter serialization/stringification is safe and deterministic (no missed nested fields).
• False-positive/negative cases (e.g., partial matches, casing, truncation, structured outputs) are handled as tests claim.
• Hook ordering and session persistence don’t drop/duplicate provenance across turns.

No actionable findings can be confirmed without the diff content.

Confidence Score: 1/5

• Cannot assess merge safety because PR diff isn’t available to review in this environment.
• The repository state here appears to already be at the head SHA with no accessible base-to-head diff context, and there’s no local PR ref/diff content provided. Without reading the exact code changes, I can’t verify correctness of the security enforcement logic or tests.
• All changed files (diff unavailable): CHANGELOG.md, src/agents/pi-tools.before-tool-call.ts, src/agents/provenance.ts, src/agents/session-tool-result-guard-wrapper.ts, and the associated tests.

_{(5/5) You can turn off certain types of comments like style here!}

Context used:

• Context from dashboard - CLAUDE.md (source)
• Context from dashboard - AGENTS.md (source)

[soumikbhatta]

Closing — this PR is too large for effective review (638 LOC). Will split into smaller, focused PRs.