This repository was archived by the owner on May 26, 2026. It is now read-only.

Security: System-reminder metadata uses display name only, no stable user identifier #690

@ezra-letta

Description


Problem

LettaBot's system-reminder metadata block identifies message senders by display name only:

```markdown
## Message Metadata
- **Sender**: Alice
```

Display names (Discord nicknames, Telegram display names) are:

- Trivially changed by any user
- Server-specific (Discord) or globally mutable
- Not unique -- multiple users can have the same display name simultaneously

The agent has no way to reliably identify who sent a message.

Security Impact

Identity spoofing

User B changes their Discord nickname to match User A. Agent treats them as User A. If the agent has instructions like "only share personal details with Alice," any user can become "Alice."

PII leakage in group chats

In group channels, any participant can ask the agent to summarize memory files, diary entries, or personal context. The agent complies because it cannot distinguish authorized from unauthorized users. This is especially problematic with memfs files containing personal information.

Tool execution via impersonation

If the agent has Bash, file operations, or other privileged tools, an impersonator can trigger actions the real user's prompt authorized ("run my backup script," "check my server status").

DM vs group asymmetry

In DMs, identity is implicitly the paired user (via pairing flow). In group chats, there is no identity verification at all -- this is where the issue is most acute.

Proposed Fix

Include the platform's stable user identifier in the system-reminder metadata:

```markdown
## Message Metadata
- **Channel**: Discord
- **Chat ID**: 1234567890
- **Sender**: Alice
- **Sender ID**: 123456789012345678
- **Timestamp**: Sunday, Apr 12, 5:49 AM PDT
```

Every supported channel has a stable identifier available in the message event payload:

- Discord: `message.author.id` (snowflake, immutable)
- Telegram: `message.from.id` (numeric, immutable)
- Slack: `event.user` (workspace-scoped user ID)
- WhatsApp: phone number or JID
- Signal: sender UUID

The agent can then use Sender ID for identity-sensitive decisions instead of the mutable display name.
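To make the gap concrete, here is an added example (not LettaBot's own code) that contrasts a trust rule keyed on the display name with one keyed on the stable sender ID, and emits the metadata block in the shape proposed above; the message fields, helper names and the impostor's ID are assumptions.

```typescript
// Added example, not LettaBot's own code. Field and function names are
// assumptions; the metadata layout follows the block proposed in this issue.
interface InboundMessage {
  channel: string;     // "Discord", "Telegram", ...
  chatId: string;
  senderName: string;  // mutable display name or nickname
  senderId: string;    // stable platform identifier (e.g. Discord snowflake)
}

// Scope the stable ID by channel so IDs from different platforms never collide.
function principal(msg: InboundMessage): string {
  return `${msg.channel}:${msg.senderId}`;
}

// Vulnerable rule (the behaviour this issue describes): whoever sets their
// nickname to the trusted name is treated as that user.
function isTrustedByName(msg: InboundMessage, trustedName: string): boolean {
  return msg.senderName === trustedName;
}

// Hardened rule: trust is bound to the stable identifier recorded at pairing time.
function isTrustedById(msg: InboundMessage, trustedPrincipals: Set<string>): boolean {
  return trustedPrincipals.has(principal(msg));
}

// System-reminder metadata in the proposed shape, now carrying Sender ID.
function metadataBlock(msg: InboundMessage, timestamp: string): string {
  return [
    "## Message Metadata",
    `- **Channel**: ${msg.channel}`,
    `- **Chat ID**: ${msg.chatId}`,
    `- **Sender**: ${msg.senderName}`,
    `- **Sender ID**: ${msg.senderId}`,
    `- **Timestamp**: ${timestamp}`,
  ].join("\n");
}

// Constructed sample: Alice was paired earlier; a second user with a
// different (constructed) ID renames themselves "Alice" in the same group.
const alice: InboundMessage = {
  channel: "Discord", chatId: "1234567890",
  senderName: "Alice", senderId: "123456789012345678",
};
const impostor: InboundMessage = { ...alice, senderId: "987654321098765432" };
const trustedPrincipals = new Set([principal(alice)]);

console.log(isTrustedByName(impostor, "Alice"));          // true: spoofed
console.log(isTrustedById(impostor, trustedPrincipals));  // false: rejected
```

The same `principal()` key can be stored at pairing time and reused for the "only share personal details with Alice" style of instruction, so the rule never depends on the nickname.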

Relationship to #666 / #667

PR #667 addressed slash command access control (restricting /help, /model etc. to authorized users). This issue is about the agent's own ability to identify users within normal conversation flow -- a complementary gap. #667 gates LettaBot commands; this gates agent-level trust decisions.

Affected Channels

All channels in group chat mode. DMs are less affected due to implicit pairing identity.
