fix(core): sanitize prompt inputs, propagate AbortSignal, lower distillation cap

Address Gemini Code Assist review feedback on #24736:
- Add sanitizePromptInput() to agentHistoryProvider, clusterSummarizer,
  and toolDistillationService to prevent prompt injection from untrusted
  message content and tool outputs
- Thread abortSignal through distill() → performDistillation() →
  generateIntentSummary() using AbortSignal.any() with 15s timeout
- Reduce MAX_DISTILLATION_SIZE from 1M to 64K chars
- Fix broken import paths in chatCompressionService after rebase

Author: kimjune01

packages/core/src/context/agentHistoryProvider.ts

@@ -20,6 +20,15 @@ import {
   normalizeFunctionResponse,
 } from './truncation.js';
 
+function sanitizePromptInput(value: unknown): string {
+  return (JSON.stringify(value) ?? '')
+    .replace(/\\[rn]/g, ' ')
+    .replace(/[\r\n\u2028\u2029]+/g, ' ')
+    .replace(/```/g, "'''")
+    .replace(/[<>]/g, (char) => (char === '<' ? '&lt;' : '&gt;'))
+    .replace(/[\x00-\x1f\x7f]/g, ''); // eslint-disable-line no-control-regex
+}
+
 export class AgentHistoryProvider {
   // TODO(joshualitt): just pass the BaseLlmClient instead of the whole Config.
   constructor(
@@ -379,10 +388,10 @@ Distill these into a high-density Markdown block that orientates the agent on th
 - **Brevity:** Maximum 15 lines. No conversational preamble.
 
 ${hasPreviousSummary ? 'PREVIOUS SUMMARY AND TRUNCATED HISTORY:' : 'TRUNCATED HISTORY:'}
-${JSON.stringify(messagesToTruncate)}
+${sanitizePromptInput(messagesToTruncate)}
 
 ACTIVE BRIDGE (LOOKAHEAD):
-${JSON.stringify(bridge)}`;
+${sanitizePromptInput(bridge)}`;
 
     const summaryResponse = await this.config
       .getBaseLlmClient()

packages/core/src/context/chatCompressionService.ts

@@ -33,9 +33,9 @@ import {
   PREVIEW_GEMINI_3_1_FLASH_LITE_MODEL,
 } from '../config/models.js';
 import { PreCompressTrigger } from '../hooks/types.js';
-import { ContextWindow } from './contextWindow.js';
-import { TFIDFEmbedder } from './embeddingService.js';
-import { ClusterSummarizer } from './clusterSummarizer.js';
+import { ContextWindow } from '../services/contextWindow.js';
+import { TFIDFEmbedder } from '../services/embeddingService.js';
+import { ClusterSummarizer } from '../services/clusterSummarizer.js';
 
 /**
  * Default threshold for compression token count as a fraction of the model's
@@ -162,12 +162,12 @@ async function truncateHistoryToBudget(
           } else if (responseObj && typeof responseObj === 'object') {
             if (
               'output' in responseObj &&
-              typeof responseObj['output'] === 'string'
+              typeof responseObj['output'] === 'string' // eslint-disable-line no-restricted-syntax
             ) {
               contentStr = responseObj['output'];
             } else if (
               'content' in responseObj &&
-              typeof responseObj['content'] === 'string'
+              typeof responseObj['content'] === 'string' // eslint-disable-line no-restricted-syntax
             ) {
               contentStr = responseObj['content'];
             } else {

packages/core/src/context/toolDistillationService.ts

@@ -27,9 +27,18 @@ import {
   normalizeFunctionResponse,
 } from './truncation.js';
 
+function sanitizePromptInput(value: string): string {
+  return value
+    .replace(/\\[rn]/g, ' ')
+    .replace(/[\r\n\u2028\u2029]+/g, ' ')
+    .replace(/```/g, "'''")
+    .replace(/[<>]/g, (char) => (char === '<' ? '&lt;' : '&gt;'))
+    .replace(/[\x00-\x1f\x7f]/g, ''); // eslint-disable-line no-control-regex
+}
+
 // Skip structural map generation for outputs larger than this threshold (in characters)
 // as it consumes excessive tokens and may not be representative of the full content.
-const MAX_DISTILLATION_SIZE = 1_000_000;
+const MAX_DISTILLATION_SIZE = 64_000;
 
 export interface DistilledToolOutput {
   truncatedContent: PartListUnion;
@@ -53,6 +62,7 @@ export class ToolOutputDistillationService {
     toolName: string,
     callId: string,
     content: PartListUnion,
+    abortSignal?: AbortSignal,
   ): Promise<DistilledToolOutput> {
     // Explicitly bypass escape hatches that natively handle large outputs
     if (this.isExemptFromDistillation(toolName)) {
@@ -74,6 +84,7 @@ export class ToolOutputDistillationService {
         content,
         originalContentLength,
         thresholdChars,
+        abortSignal,
       );
     }
 
@@ -119,6 +130,7 @@ export class ToolOutputDistillationService {
     content: PartListUnion,
     originalContentLength: number,
     threshold: number,
+    abortSignal?: AbortSignal,
   ): Promise<DistilledToolOutput> {
     const stringifiedContent = this.stringifyContent(content);
 
@@ -145,6 +157,7 @@ export class ToolOutputDistillationService {
         toolName,
         stringifiedContent,
         Math.floor(MAX_DISTILLATION_SIZE),
+        abortSignal,
       );
 
       if (summary) {
@@ -254,10 +267,13 @@ export class ToolOutputDistillationService {
     toolName: string,
     stringifiedContent: string,
     maxPreviewLen: number,
+    abortSignal?: AbortSignal,
   ): Promise<string | undefined> {
     try {
-      const controller = new AbortController();
-      const timeoutId = setTimeout(() => controller.abort(), 15000); // 15s timeout
+      const timeoutSignal = AbortSignal.timeout(15000);
+      const summaryAbortSignal = abortSignal
+        ? AbortSignal.any([abortSignal, timeoutSignal])
+        : timeoutSignal;
 
       const promptText = `The following output from the tool '${toolName}' is large and has been truncated. Extract the most critical factual information from this output so the main agent doesn't lose context.
 
@@ -269,17 +285,15 @@ Focus strictly on concrete data points:
 Do not philosophize about the strategic intent. Keep the extraction under 10 lines and use exact quotes where helpful.
 
 Output to summarize:
-${stringifiedContent.slice(0, maxPreviewLen)}...`;
+${sanitizePromptInput(stringifiedContent.slice(0, maxPreviewLen))}...`;
 
       const summaryResponse = await this.geminiClient.generateContent(
         { model: 'agent-history-provider-summarizer' },
         [{ role: 'user', parts: [{ text: promptText }] }],
-        controller.signal,
+        summaryAbortSignal,
         LlmRole.UTILITY_COMPRESSOR,
       );
 
-      clearTimeout(timeoutId);
-
       return summaryResponse.candidates?.[0]?.content?.parts?.[0]?.text;
     } catch (e) {
       // Fail gracefully, summarization is a progressive enhancement

packages/core/src/services/clusterSummarizer.ts

@@ -9,6 +9,15 @@ import { getResponseText } from '../utils/partUtils.js';
 import { LlmRole } from '../telemetry/types.js';
 import type { Summarizer } from './contextWindow.js';
 
+function sanitizePromptInput(value: string): string {
+  return value
+    .replace(/\\[rn]/g, ' ')
+    .replace(/[\r\n\u2028\u2029]+/g, ' ')
+    .replace(/```/g, "'''")
+    .replace(/[<>]/g, (char) => (char === '<' ? '&lt;' : '&gt;'))
+    .replace(/[\x00-\x1f\x7f]/g, ''); // eslint-disable-line no-control-regex
+}
+
 /**
  * Cluster summarizer using BaseLlmClient for LLM-generated summaries.
  *
@@ -34,7 +43,7 @@ export class ClusterSummarizer implements Summarizer {
             role: 'user',
             parts: [
               {
-                text: `Summarize the following conversation messages into a concise, information-dense paragraph. Preserve all specific technical details, file paths, tool results, variable names, and user constraints.\n\nMessages:\n${messages.map((m, i) => `[${i + 1}] ${m}`).join('\n\n')}`,
+                text: `Summarize the following conversation messages into a concise, information-dense paragraph. Preserve all specific technical details, file paths, tool results, variable names, and user constraints.\n\nMessages:\n${messages.map((m, i) => `[${i + 1}] ${sanitizePromptInput(m)}`).join('\n')}`,
               },
             ],
           },