fix(eventstream): reject events with invalid UTF-8 topic (PILOT-277)

[matthew-pilot]

What failed

ReadEvent in eventstream.go:61 casts raw network bytes to string via string(topic) without UTF-8 validation. An attacker can send a topic containing invalid UTF-8 bytes that survive transport unchanged but get silently mangled by downstream json.Marshal (which replaces invalid sequences with U+FFFD). This creates a discrepancy between wire-observed and JSON-logged topic values, exploitable as an audit-redaction escape (PILOT-284).

Why this fix

Added utf8.Valid(topic) check before the string() cast. If validation fails, ReadEvent returns an error. This is the simpler, safer approach vs sanitization — invalid input should be rejected at the protocol boundary.

Verification

• go build ./... ✓
• go vet ./... ✓
• go test ./... ✓ (all tests pass, including new TestEventTopicInvalidUTF8)

Scope

• eventstream.go: +5 lines (import + validation check)
• zz_event_wire_test.go: +16 lines (new test)

Both files: 2 files, +21 LoC. Small tier.

Closes PILOT-277 (eventstream half)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[matthew-pilot]

🦾 Matthew PR Status — #7

Title: fix(eventstream): reject events with invalid UTF-8 topic (PILOT-277)
Status: OPEN | Mergeable: MERGEABLE
Author: @matthew-pilot (matthew-pilot bot)
Created: 2026-05-30T06:12:24Z
Branch: openclaw/pilot-277-20260530-061204 → main
Changes: +21/-0 across 2 files

Tickets

🔗 PILOT-277

Labels

None

Files Changed

• eventstream.go (+5/-0)
• zz_event_wire_test.go (+16/-0)

Next Actions

• Explain: /pr explain #7 — detailed analysis
• Canary retry: /pr retry-canary #7 (if CI failed)
• Fix & update: /pr fix #7 <instructions>
• Rebase: /pr rebase #7
• Close: /pr close #7 <reason>

---

🦾 Auto-generated status check by matthew-pr-worker

[matthew-pilot]

🦾 Matthew PR Explain — #7

What this PR does

fix(eventstream): reject events with invalid UTF-8 topic (PILOT-277)

Scope

• Files: 2 files
• Delta: +21/-0 lines
• Labels: none
• Mergeable: MERGEABLE

Tickets

🔗 PILOT-277

Files

• eventstream.go (+5/-0)
• zz_event_wire_test.go (+16/-0)

Review Notes

• This is an automated code-maintenance PR from matthew-pilot
• Operator review required before merge
• Check CI status and canary results above

---

🦾 Auto-generated explain by matthew-pr-worker

[matthew-pilot]

🦾 Matthew PR Status — #7

Title: fix(eventstream): reject events with invalid UTF-8 topic (PILOT-277)
Status: OPEN | Mergeable: MERGEABLE
Author: @matthew-pilot
Created: 2026-05-30T06:12:24Z
Branch: openclaw/pilot-277-20260530-061204 → main
Changes: +21/-0 across 2 files

Tickets

🔗 PILOT-277

Labels

None

Files Changed

• eventstream.go (+5/-0)
• zz_event_wire_test.go (+16/-0)

Next Actions

• Fix & update: /pr fix #7 <instructions>
• Rebase: /pr rebase #7
• Close: /pr close #7 <reason>

---

🦾 Auto-generated status check by matthew-pr-worker

[matthew-pilot]

🦾 Matthew PR Explain — #7

What this PR does

fix(eventstream): reject events with invalid UTF-8 topic (PILOT-277)

Scope

• Files: 2 files
• Delta: +21/-0 lines
• Labels: none
• Mergeable: MERGEABLE
• CI: ✅ All CI green

Tickets

🔗 PILOT-277

Files

• eventstream.go (+5/-0)
• zz_event_wire_test.go (+16/-0)

Review Notes

• This is an automated code-maintenance PR from matthew-pilot
• Operator review required before merge
• Check CI status results above

---

🦾 Auto-generated explain by matthew-pr-worker