fix(llm): prevent UUID leak in knowledge titles and observation update targeting

Stranmor · sisyphus-dev-ai · Stranmor · commit c2f864a237d0 · 2026-03-15T09:51:33.000+03:00
Replace UUID-based target_id with 1-based target_number in compression prompts so LLMs reference candidates by index instead of echoing raw UUIDs. Add strip_uuid_from_title() helper in core with tests. Apply UUID stripping to knowledge extraction titles. Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode) Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
diff --git a/crates/core/src/lib.rs b/crates/core/src/lib.rs
@@ -31,6 +31,27 @@ pub use observation::*;
 pub use project_filter::*;
 pub use session::*;
 
+/// Strips UUID patterns from text (e.g., `"sshd needs absolute path b3b61de2-..."` → `"sshd needs absolute path"`).
+///
+/// Handles both full UUIDs (`8-4-4-4-12` hex) and truncated ones (e.g., `b3b61de2-...`).
+#[must_use]
+pub fn strip_uuid_from_title(title: &str) -> String {
+    use std::sync::LazyLock;
+
+    #[expect(
+        clippy::unwrap_used,
+        reason = "static regex pattern is compile-time validated"
+    )]
+    static UUID_RE: LazyLock<regex::Regex> = LazyLock::new(|| {
+        regex::Regex::new(
+            r"\s*[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4,}(?:-[0-9a-fA-F]*)*\.{0,3}\s*",
+        )
+        .unwrap()
+    });
+
+    UUID_RE.replace_all(title, " ").trim().to_string()
+}
+
 /// Truncates a string to the given maximum length at a char boundary.
 #[must_use]
 pub fn truncate(s: &str, max_len: usize) -> &str {
@@ -44,3 +65,55 @@ pub fn truncate(s: &str, max_len: usize) -> &str {
         s.get(..end).unwrap_or("")
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn strip_uuid_full() {
+        assert_eq!(
+            strip_uuid_from_title("sshd needs absolute path b3b61de2-1234-5678-9abc-def012345678"),
+            "sshd needs absolute path"
+        );
+    }
+
+    #[test]
+    fn strip_uuid_truncated() {
+        assert_eq!(
+            strip_uuid_from_title("sshd needs absolute path b3b61de2-1234-5678..."),
+            "sshd needs absolute path"
+        );
+    }
+
+    #[test]
+    fn strip_uuid_mid_title() {
+        assert_eq!(
+            strip_uuid_from_title("Observation b3b61de2-1234-5678-9abc-def012345678 is important"),
+            "Observation is important"
+        );
+    }
+
+    #[test]
+    fn strip_uuid_no_uuid() {
+        assert_eq!(
+            strip_uuid_from_title("normal title without uuid"),
+            "normal title without uuid"
+        );
+    }
+
+    #[test]
+    fn strip_uuid_empty() {
+        assert_eq!(strip_uuid_from_title(""), "");
+    }
+
+    #[test]
+    fn strip_uuid_multiple() {
+        assert_eq!(
+            strip_uuid_from_title(
+                "a b3b61de2-1234-5678-9abc-def012345678 and c4c72ef3-5678-9abc-def0-123456789012"
+            ),
+            "a and"
+        );
+    }
+}
diff --git a/crates/llm/src/ai_types.rs b/crates/llm/src/ai_types.rs
@@ -112,9 +112,12 @@ pub struct ObservationJson {
     /// Context-aware compression action: "create", "update", or "skip"
     #[serde(default = "default_action")]
     pub action: String,
-    /// UUID of existing observation to update (only for action="update")
+    /// UUID of existing observation to update (only for action="update") — legacy field
     #[serde(default)]
     pub target_id: Option<String>,
+    /// 1-based index of existing observation to update (only for action="update")
+    #[serde(default)]
+    pub target_number: Option<u32>,
     /// Reason for skipping (only for action="skip")
     #[serde(default)]
     pub skip_reason: Option<String>,
diff --git a/crates/llm/src/compression_prompt.rs b/crates/llm/src/compression_prompt.rs
@@ -41,9 +41,8 @@ pub(crate) fn build_compression_prompt(
                 format!(" facts=[{}]", obs.facts.join(", "))
             };
             entries.push_str(&format!(
-                "[{}] id=\"{}\" type={} title=\"{}\" | {}{}\n",
+                "[{}] type={} title=\"{}\" | {}{}\n",
                 i.saturating_add(1),
-                obs.id,
                 obs.observation_type.as_str(),
                 obs.title,
                 narrative_preview,
@@ -57,7 +56,7 @@ EXISTING OBSERVATIONS (potentially related):
 {entries}
 DECISION (MANDATORY — choose exactly one):
 - If this is genuinely NEW knowledge not covered by any existing observation → action: "create"
-- If this REFINES or ADDS TO an existing observation above → action: "update", target_id: "<id of the observation to update>"
+- If this REFINES or ADDS TO an existing observation above → action: "update", target_number: <number in brackets of the observation to update>
 - If this adds ZERO new information beyond what already exists → action: "skip""#
         )
     };
@@ -86,7 +85,7 @@ DECISION (MANDATORY — choose exactly one):
         format!(
             r#"Return JSON:
 - action: one of "create", "update", "skip"
-- target_id: id of existing observation to update (required if action is "update")
+- target_number: number in brackets of existing observation to update (required if action is "update")
 - skip_reason: why this should be skipped (required if action is "skip")
 - noise_level: one of [{noise_levels}]
 - noise_reason: why this is/isn't worth remembering (max 100 chars)
diff --git a/crates/llm/src/knowledge.rs b/crates/llm/src/knowledge.rs
@@ -91,11 +91,15 @@ Return JSON: {{"extract": false, "reason": "..."}}"#,
             LlmError::MissingField(format!("unknown knowledge_type: {}", knowledge_type_str))
         })?;
 
-        Ok(Some(KnowledgeInput::new(
-            knowledge_type,
-            extraction
+        let title = opencode_mem_core::strip_uuid_from_title(
+            &extraction
                 .title
                 .unwrap_or_else(|| observation.title.clone()),
+        );
+
+        Ok(Some(KnowledgeInput::new(
+            knowledge_type,
+            title,
             extraction
                 .description
                 .unwrap_or_else(|| observation.narrative.clone().unwrap_or_default()),
diff --git a/crates/llm/src/observation.rs b/crates/llm/src/observation.rs
@@ -30,7 +30,7 @@ fn parse_observation_response(
     id: &str,
     session_id: &str,
     project: Option<&str>,
-    candidate_ids: &std::collections::HashSet<&str>,
+    candidates: &[opencode_mem_core::Observation],
 ) -> Result<CompressionResult, LlmError> {
     let stripped = opencode_mem_core::strip_markdown_json(response);
     let obs_json: ObservationJson =
@@ -109,22 +109,37 @@ fn parse_observation_response(
     .created_at(Utc::now())
     .build();
 
-    // Determine action: update requires valid target_id in candidate set
+    // Determine action: update requires valid target resolved from candidates
     if action == "update" {
-        if let Some(ref target_id) = obs_json.target_id {
-            if candidate_ids.contains(&target_id.as_str()) {
-                return Ok(CompressionResult::Update {
-                    target_id: target_id.clone(),
-                    observation,
-                });
-            }
-            tracing::warn!(
-                target_id = %target_id,
-                "LLM returned update with target_id not in candidate set — treating as create"
-            );
-        } else {
-            tracing::warn!("LLM returned action=update without target_id — treating as create");
+        // Resolve target: prefer target_number (index into candidates), fall back to target_id (legacy)
+        let resolved_target_id = obs_json
+            .target_number
+            .and_then(|n| {
+                let idx = n.checked_sub(1)? as usize;
+                candidates.get(idx).map(|o| o.id.to_string())
+            })
+            .or_else(|| {
+                obs_json.target_id.as_ref().and_then(|tid| {
+                    if candidates.iter().any(|o| o.id.as_ref() == tid.as_str()) {
+                        Some(tid.clone())
+                    } else {
+                        None
+                    }
+                })
+            });
+
+        if let Some(target_id) = resolved_target_id {
+            return Ok(CompressionResult::Update {
+                target_id,
+                observation,
+            });
         }
+        tracing::warn!(
+            target_number = ?obs_json.target_number,
+            target_id = ?obs_json.target_id,
+            candidates_len = candidates.len(),
+            "LLM returned update with unresolvable target — treating as create"
+        );
     }
 
     if action != "create" {
@@ -167,16 +182,13 @@ impl LlmClient {
             max_tokens: None,
         };
 
-        let candidate_ids: std::collections::HashSet<&str> =
-            candidates.iter().map(|o| o.id.as_ref()).collect();
-
         let response = self.chat_completion(&request).await?;
         parse_observation_response(
             &response,
             id,
             input.session_id.as_ref(),
             project,
-            &candidate_ids,
+            candidates,
         )
     }
 
