From 1185c4b7bd0f95116267a20e4c94370be00f9109 Mon Sep 17 00:00:00 2001
From: Shashwat Jain
Date: Wed, 25 Mar 2026 21:44:15 +0800
Subject: [PATCH] fix(telegram): filter gateway startup logs from Telegram replies The non-root privilege separation log line from nemoclaw-start leaked into every Telegram reply because the response filter did not cover `[gateway]`-prefixed lines. Add a filter for `[gateway]`-prefixed lines to strip these internal startup messages before sending the agent response back to the user.
Made-with: Cursor
---
 scripts/telegram-bridge.js | 1 +
 test/runner.test.js | 13 +++++++++++++
 2 files changed, 14 insertions(+)
diff --git a/scripts/telegram-bridge.js b/scripts/telegram-bridge.js
index c51a5529a..32ec0abde 100755
--- a/scripts/telegram-bridge.js
+++ b/scripts/telegram-bridge.js
@@ -127,6 +127,7 @@ function runAgentInSandbox(message, sessionId) {
 (l) =>
 !l.startsWith("Setting up NemoClaw") &&
 !l.startsWith("[plugins]") &&
+ !l.startsWith("[gateway]") &&
 !l.startsWith("(node:") &&
 !l.includes("NemoClaw ready") &&
 !l.includes("NemoClaw registered") &&
diff --git a/test/runner.test.js b/test/runner.test.js
index 7bc561738..917c4afce 100644
--- a/test/runner.test.js
+++ b/test/runner.test.js
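Review bot: The added `!l.startsWith("[gateway]")` clause in scripts/telegram-bridge.js extends a prefix denylist, which fails open: any startup or diagnostic line whose prefix is not listed still reaches the Telegram user, and per the commit message the leaked line disclosed the gateway's privilege-separation state. The match is also exact at column 0, so a `[gateway]` line preceded by whitespace, a timestamp or an ANSI colour code would pass through, while a legitimate reply line that happens to begin with `[gateway]` would be dropped. If the agent reply and the startup logs share one stream (the capture code is outside this hunk), consider routing logs to stderr or delimiting the reply; at minimum add a comment above the predicate such as `// Denylist of internal log prefixes; fails open: unlisted prefixes reach chat users.` runAgentInSandbox begins and ends outside the hunk.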
@@ -227,6 +227,19 @@ describe("regression guards", () => {
 expect(src.includes("execSync")).toBeFalsy();
 });
+ it("telegram bridge response filter covers gateway startup lines", () => {
+ const src = fs.readFileSync(path.join(import.meta.dirname, "..", "scripts", "telegram-bridge.js"), "utf-8");
+ expect(src.includes('!l.startsWith("[gateway]")')).toBe(true);
+
+ const noiseThatMustBeFiltered = [
+ '[gateway] Running as non-root (uid=998) — privilege separation disabled',
+ '[gateway] openclaw gateway launched (pid 1234)',
+ ];
+ for (const line of noiseThatMustBeFiltered) {
+ expect(line.startsWith("[gateway]")).toBe(true);
+ }
+ });
+
 describe("credential exposure guards (#429)", () => {
 it("onboard createSandbox does not pass NVIDIA_API_KEY to sandbox env", () => {
 const fs = require("fs");
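Review bot: The new test cannot fail when the filter is broken: the loop only asserts that string literals defined in the test itself start with `[gateway]`, and the `src.includes('!l.startsWith("[gateway]")')` check pins source text (variable name and quote style) rather than behaviour. A refactor that renames `l` would fail it, while a predicate that is present in the file but never applied to the reply would still pass. Exporting the line predicate from scripts/telegram-bridge.js and asserting on it for each sample, e.g. `expect(isReplyLine(line)).toBe(false);` (the name is only a suggestion; no such export is visible here), would test what users actually receive. The enclosing `describe("regression guards", ...)` block starts outside the hunk.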