fix: add isInvalidAgentIdFormat guard to runMemoryReflection (Issue #686)

[jlin53882]

Summary

Adds a minimal isInvalidAgentIdFormat() guard to the runMemoryReflection command hook (Issue #686), consistent with other hook sites in the plugin. Only the #686 fix — no scope creep.

Changes

index.ts

runMemoryReflection hook guard:

const sourceAgentId = parseAgentIdFromSessionKey(sessionKey) || "main";
// Guard: skip if agentId is invalid format — consistent with other hook sites (Issue #686)
// NOTE: Layer 3 (declaredAgents) intentionally omitted — scope discipline for #686;
// Layer 3 is a separate concern for a follow-up PR (not a technical limitation).
if (isInvalidAgentIdFormat(sourceAgentId)) {
  api.logger.debug?.(`memory-reflection: command hook skipped \u2014 invalid agentId '${sourceAgentId}'`);
  return;
}

Exported: isInvalidAgentIdFormat (public, for testability)

New test: test/agentid-validation-686.test.mjs

• 14 test cases, all pass
• Directly imports the production isInvalidAgentIdFormat export (not a skipped helper)
• Covers Layer 1 (empty/undefined), Layer 2 (numeric = chat_id), signature compat with Layer 3 param
• Includes integration test for runMemoryReflection with numeric sessionKey

CI manifest

• Added test/agentid-validation-686.test.mjs to scripts/ci-test-manifest.mjs (required for CI to execute the new test)

Scope Discipline

What was intentionally NOT included	Reason
serialCooldownMs configurable cooldown	Out of scope for #686
excludeAgents pattern matching	Out of scope for #686
declaredAgents Layer 3 in guard call	Scope discipline: #686 fix is Layer 1+2 only (numeric chat_id); Layer 3 is a separate concern for a follow-up PR
src/reflection-store.ts mass reformatter	Not in #686 scope
openclaw.plugin.json schema changes	Not in #686 scope
Other hook site guards	Out of scope for #686

Layer 3 Note

Layer 3 (declaredAgents Set validation against openclaw.json agents.list) is intentionally omitted from the guard call in this PR. This is a scope discipline decision — not a technical limitation. The isInvalidAgentIdFormat function body does contain Layer 3 logic, but this PR's specific guard call passes only sourceAgentId (Layer 1+2) to maintain a minimal fix surface area. A follow-up PR should address Layer 3 as a separate concern once the API integration path is confirmed with maintainers.

Testing

node --test test/agentid-validation-686.test.mjs
# → 14 tests, 0 failures, 0 skipped

Existing tests still pass:

node --test test/reflection-bypass-hook.test.mjs  # 4 pass
node --test test/scope-access-undefined.test.mjs  # 29 pass

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c0a00cadda

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Allow numeric agent IDs in reflection path

The new guard marks every digits-only agentId as invalid (/^\d+$/), so runMemoryReflection now exits early for sessions like agent:123:.... That is a behavioral regression because this codebase otherwise accepts numeric agent IDs (the canonical parser in src/scopes.ts only rejects empty and reserved bypass IDs), meaning valid agents can silently lose reflection generation and memory updates after this commit. Consider restricting this check to known chat-id extraction failures (or gating it with declared-agent validation) instead of blocking all numeric IDs.

Useful? React with 👍 / 👎.