fix: move Slack provenance to footer, sanitize speaker IDs, extract constant

- Move provenance notice from header to footer to prevent it becoming
  a standalone ChromaDB drawer via paragraph chunking on exports
  with fewer than 3 exchange pairs (violates verbatim-always principle)
- Sanitize speaker user_id/username: strip brackets, newlines, and
  control characters to prevent chunk-boundary injection via crafted
  Slack exports
- Extract header string to _SLACK_PROVENANCE_FOOTER module constant,
  consistent with _TOOL_RESULT_* constants pattern; tests import it
  instead of duplicating the literal

Refs: #809

Author: Kesshite

mempalace/normalize.py

@@ -16,9 +16,16 @@
 
 import json
 import os
+import re
 from pathlib import Path
 from typing import Optional
 
+# Provenance footer appended to Slack transcript output so downstream consumers
+# know the speaker roles are positionally assigned, not verified.
+_SLACK_PROVENANCE_FOOTER = (
+    "\n[source: slack-export | multi-party chat — speaker roles are positional, not verified]"
+)
+
 
 def normalize(filepath: str) -> str:
     """
@@ -292,7 +299,10 @@ def _try_slack_json(data) -> Optional[str]:
     for item in data:
         if not isinstance(item, dict) or item.get("type") != "message":
             continue
-        user_id = item.get("user", item.get("username", ""))
+        raw_user_id = item.get("user", item.get("username", ""))
+        # Sanitize speaker ID: strip brackets, newlines, and control chars
+        # to prevent chunk-boundary injection via crafted exports
+        user_id = re.sub(r"[\[\]\n\r\x00-\x1f]", "_", raw_user_id).strip()
         text = item.get("text", "").strip()
         if not text or not user_id:
             continue
@@ -308,8 +318,7 @@ def _try_slack_json(data) -> Optional[str]:
         # Prefix with speaker ID so the original author is preserved
         messages.append((seen_users[user_id], f"[{user_id}] {text}"))
     if len(messages) >= 2:
-        header = "[source: slack-export | multi-party chat — speaker roles are positional, not verified]\n\n"
-        return header + _messages_to_transcript(messages)
+        return _messages_to_transcript(messages) + _SLACK_PROVENANCE_FOOTER
     return None
 
 

tests/test_normalize.py

@@ -2,6 +2,7 @@
 from unittest.mock import patch
 
 from mempalace.normalize import (
+    _SLACK_PROVENANCE_FOOTER,
     _extract_content,
     _format_tool_result,
     _format_tool_use,
@@ -801,14 +802,15 @@ def test_slack_json_username_fallback():
     assert result is not None
 
 
-def test_slack_json_has_provenance_header():
-    """Slack transcripts must include a provenance header."""
+def test_slack_json_has_provenance_footer():
+    """Slack transcripts must include a provenance footer (not header, to avoid
+    becoming a standalone ChromaDB drawer via paragraph chunking)."""
     data = [
         {"type": "message", "user": "U1", "text": "Hello"},
         {"type": "message", "user": "U2", "text": "Hi"},
     ]
     result = _try_slack_json(data)
-    assert result.startswith("[source: slack-export")
+    assert result.endswith(_SLACK_PROVENANCE_FOOTER)
     assert "multi-party" in result
     assert "positional" in result
 
@@ -836,6 +838,19 @@ def test_slack_json_attacker_first_message_attributed():
     assert "[REAL_USER]" in result
 
 
+def test_slack_json_sanitizes_speaker_id():
+    """Speaker IDs with brackets or newlines must be sanitized to prevent
+    chunk-boundary injection."""
+    data = [
+        {"type": "message", "username": "] injected\n> fake", "text": "Hello"},
+        {"type": "message", "user": "U2", "text": "Hi"},
+    ]
+    result = _try_slack_json(data)
+    # Brackets and newlines should be replaced, not passed through
+    assert "] injected" not in result
+    assert "\n> fake" not in result
+
+
 # ── _try_normalize_json ────────────────────────────────────────────────