🤖 We're reviewing this PR with Aisle

We're running a security check on the changes in this PR now. This usually takes a few minutes. ⌛
We'll post the results here as soon as they're ready.

Progress:

• Analysis
• Finalization

Latest run failed. Keeping previous successful results. Trace ID: 019d3ebe00c79641990b003376a0ce38.

_{Last updated on: 2026-03-30T15:55:42Z}

Latest run failed. Keeping previous successful results. Trace ID: 019d3ec796bd5b69ddb3c8e6f91c05ee.

_{Last updated on: 2026-03-30T16:40:47Z}

Greptile Summary

This PR hardens the gateway's trust boundaries across three vectors: node-originated agent runs are restricted to a small allowlist of safe tools (canvas, image, pdf, tts, web_fetch, web_search); all notifications.changed system events are marked trusted: false and notification title/text is sanitized with sanitizeInboundSystemTags before embedding; and drainFormattedSystemEvents is refactored so each event carries its own System: / System (untrusted): prefix rather than having the prefix applied uniformly at return time.

Issues found:

• Regression in channel summary formatting (P1): In the old code the System: prefix was applied at the final return to all systemLines, including lines unshifted from buildChannelSummary. In the new code the prefix is applied per-event during the flatMap, so channel summary lines (e.g. WhatsApp: linked +1234567890) are joined into the output with no prefix. On new main sessions the model loses the System: attribution that marks these lines as trusted, gateway-originated content. The fix is to wrap summary lines with System: before inserting them into systemLines.

• packageName / key not sanitized before embedding in summary (P2): title and text are sanitized via sanitizeInboundSystemTags, but packageName and key from the node payload are embedded verbatim. The trusted: false marking on the whole event mitigates the risk (the model sees System (untrusted): regardless), but consistent sanitization across all node-supplied fields would be more robust.

Confidence Score: 4/5

Mostly safe, but a formatting regression causes channel summary lines to appear without their System: prefix in the model's prompt context on new sessions.

The tool-allowlist and trust-bit changes are correct and well-tested. The P1 regression in session-system-events.ts — where buildChannelSummary lines lose their System: prefix after the refactor — is a real behavioral change that affects what the model sees on new main sessions. It should be fixed before merging.

src/auto-reply/reply/session-system-events.ts — the buildChannelSummary unshift path needs System: prefix applied to each line.

This is a comment left during a code review.
Path: src/auto-reply/reply/session-system-events.ts
Line: 96-108

Comment:
**Channel summary lines lose their `System:` prefix**

In the old code, the `System:` prefix was applied at the final `return` statement, uniformly covering **all** `systemLines` — including those `unshift`ed from `buildChannelSummary`. After this refactor, the prefix is applied per-event during the `flatMap`, but the channel-summary lines are inserted via `systemLines.unshift(...summary)` and then joined with no additional wrapping. They end up in the output without any `System:` prefix.

Old output (on a new main session):
```
System: WhatsApp: linked +1234567890 auth 2h ago
System:   - default (linked)
System: [ts] Node connected
```

New output:
```
WhatsApp: linked +1234567890 auth 2h ago
  - default (linked)
System: [ts] Node connected
```

The model loses the trusted attribution marker for channel-status lines, and they become visually indistinguishable from user content. The fix is to apply the trusted prefix when inserting summary lines:

```ts
if (params.isMainSession && params.isNewSession) {
  const summary = await buildChannelSummary(params.cfg);
  if (summary.length > 0) {
    systemLines.unshift(...summary.map((line) => `System: ${line}`));
  }
}
```

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: src/gateway/server-node-events.ts
Line: 483-491

Comment:
**`packageName` and `key` embedded without sanitization**

`title` and `text` are passed through `sanitizeInboundSystemTags` before being embedded in `summary`, but `packageName` and `key` come from the node payload and are inserted verbatim. A malicious node could craft a `packageName` that closes the parenthetical early and appends a raw `System:` token inside the event body.

In practice the whole event is marked `trusted: false`, so `drainFormattedSystemEvents` wraps everything in `System (untrusted):` regardless. However, applying the same sanitization to these fields would be more consistent and avoid confusing nested untrusted markers inside the body. This is a defense-in-depth suggestion.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "Gateway: harden node event trust boundar..." | Re-trigger Greptile}