Prevent fake-progress messages with a runtime pre-send policy layer

[addelh]

Summary

OpenClaw currently allows low-value fake-progress messages to reach end users before meaningful execution is visible.

Examples:

• "on it"
• "proceeding"
• "working on it"
• "checking now"
• "starting now"
• "I’m choosing/picking the next slice now"

In practice this creates a family of failures:

1. ack without execution
2. duplicate ack leakage in one turn
3. adjacent-turn ack spam
4. post-start silence
5. commentary leaking into user-visible delivery
6. burst delivery of multiple low-value updates

I’ve been debugging this locally in a real OpenClaw deployment and have reproduced all of the above in direct chats and Telegram topics. The current prompt/workspace/watchdog mitigations help detect these failures, but they do not prevent them at the engine/runtime level.

This issue proposes a runtime-enforced pre-send policy layer that blocks fake-progress messages unless they are backed by real execution state or meaningful progress.

Why this matters

Right now the system can still do things like:

• send "On it" before a real execution path exists
• emit commentary like "I’m on it..." plus a final user-facing "On it..." in the same turn
• send another near-duplicate acknowledgement a minute later with no progress in between
• start a run, then go quiet without surfacing a blocker/progress/completion update
• generate multiple progress-style messages at different internal timestamps but flush them together later

That breaks user trust fast. The bug is not just wording. It is that the runtime currently has no strong outbound policy gate tied to execution state.

Desired outcome

Before any assistant text is delivered to a user-facing channel, OpenClaw should be able to answer:

• what type of message is this?
• is this message allowed to be user-visible?
• if it is an acknowledgement, is it backed by a real execution path?
• if a previous acknowledgement already happened, has there been meaningful progress/blocker/completion since then?
• is this commentary leaking into a user-facing surface?

If the answer is "no", the runtime should block or suppress the message before it is delivered.

Proposal

1. Add an outbound message interception layer

Add a pre-send policy hook in the outbound delivery pipeline.

This hook should have access to:

• candidate outbound text
• message role/type
• session id / thread id / topic id
• recent session history
• recent tool calls
• execution state
• task/state metadata if available
• channel/surface info

This must be runtime-enforced, not prompt-only.

2. Classify outbound assistant messages into typed categories

At minimum:

• ack
• progress
• blocker
• completion
• informational
• commentary_internal

Key rule:

• commentary_internal should not be user-deliverable by default.

3. Block ack-like messages unless valid execution state exists

For any outbound message classified as ack, require something like:

• execution_path
• execution_id
• started_at or other fresh execution timestamp

Valid execution paths include:

• live local exec job
• spawned subagent / ACP session
• scheduled follow-up
• direct bounded work already started in the same turn and represented in runtime state

If these are missing, block the send.

4. Prevent commentary leakage

Commentary such as:

• "I’m on it"
• "proceeding"
• "starting now"
• "checking now"
• "I’m choosing the next slice now"

should never be deliverable to user-facing channels unless intentionally promoted by policy.

This is especially important because one real repro produced both:

• commentary: I’m on it. I’m choosing the next bounded Hannibal slice now...
• final answer: On it. I’m picking up the next bounded Hannibal slice now.

That created two user-visible fake-progress messages from one turn.

5. Suppress repeated acknowledgements without intervening progress

Maintain per-session short-window state such as:

• last ack timestamp
• last progress timestamp
• last blocker timestamp
• last completion timestamp

Rule:

• if another ack-like message is attempted within a configurable short window
• and no meaningful progress/blocker/completion happened since the last ack
• reject it

This should prevent:

• adjacent-turn ack spam
• repeated "on it" variants
• low-value acknowledgement loops

6. Add progress-debt enforcement after an allowed ack

If an ack is allowed and execution has genuinely started, create a runtime obligation:

• within X minutes, produce either:
  • progress
  • blocker
  • completion

If the deadline expires:

• raise a runtime fault
• optionally auto-send blocker/fault
• suppress further ack-like messages from that session until resolved

This addresses "real start followed by silence".

7. Enforce atomic ordering for start + ack

Required ordering:

1. create execution state
2. record execution id/path
3. only then allow ack-like output

Do not allow:

• generate ack text first
• maybe establish execution later

That ordering mistake is the root cause of many of these failures.

8. Optional rewrite/drop policy

For blocked ack-like messages, support:

• drop
• rewrite
• downgrade_to_internal_commentary

Default should be to drop low-value ack spam, not rewrite it into prettier fluff.

9. Add structured validation for progress/completion

For progress and completion messages, require evidence fields where possible.

Examples:

• progress associated with changed files / execution id / next step / tool result
• completion associated with verification / proof bundle / success markers

This reduces the chance that "progress" is just better-written status theater.

10. Improve incremental delivery semantics

Legitimate progress messages should flush individually, not batch until turn end.

This may require transport/runtime changes so separate progress updates create immediate delivery boundaries instead of being buffered and dumped later.

Observability

Please add structured logs/metrics for blocked or rewritten outbound messages.

Per blocked message, capture at least:

• session id
• channel/surface
• classified type
• matched rule
• missing prerequisite
• message excerpt
• timestamp

Useful counters might include:

• ack_blocked_no_execution
• ack_blocked_repeat_without_progress
• commentary_blocked_user_visible
• progress_debt_timeout
• message_rewritten_by_policy

Test cases

Must-pass negative cases

1. Ack without execution is blocked

   • outbound: On it. I’m taking this next.
   • no execution state exists
   • expected: no user-visible send

2. Commentary leakage is blocked

   • commentary says I’m on it...
   • final answer exists too
   • expected: commentary not delivered

3. Duplicate ack in one turn is blocked

   • one assistant turn contains two ack-like user-visible texts
   • expected: second one blocked or whole turn rejected

4. Adjacent-turn ack spam is blocked

   • ack
   • another ack 2 minutes later
   • no progress/blocker/completion in between
   • expected: second ack blocked

5. Post-start silence raises a runtime fault

   • valid ack with execution state
   • no progress/blocker/completion within timeout
   • expected: fault raised, further ack-like messages suppressed

Must-pass positive cases

6. Real progress is allowed

   • execution exists
   • progress update contains evidence / next step
   • expected: delivered

7. Completion is allowed

   • completion includes verification/proof
   • expected: delivered

8. Explanatory discussion is not falsely blocked

   • user asks about the phrase "on it"
   • assistant discusses it analytically
   • expected: not treated as ack spam

9. Incremental flush works

   • emit three legitimate progress updates over time
   • expected: three time-separated deliveries, not a burst dump at turn end

Scope

This should apply consistently across:

• direct chats
• group topics/threads
• cron sessions
• subagents
• ACP sessions
• completion events
• all user-facing channels

This should not be solved only for Telegram or only for topics.

Non-goals

This is not solved by:

• adding docs only
• changing prompts only
• adding only post-hoc watchdog alerts
• relying on the model to "behave better"

The fix needs to live in the runtime delivery path.

Deliverables

• runtime pre-send policy layer
• execution-state-aware ack blocking
• commentary isolation for user-facing delivery
• repeated-ack suppression
• progress-debt timeout/faulting
• tests for the scenarios above
• short architecture note explaining the interception point, classification logic, and policy decisions

Success criteria

OpenClaw should no longer be able to send low-value fake-progress acknowledgements unless they are backed by real execution state.

In short:

• no ack without execution
• no commentary leakage
• no repeated ack spam
• no silent post-start drift
• no bursty fake updates pretending to be real progress

[Ryce]

This is a well-scoped problem. The root issue you've identified — pre-send policy gated on execution state that can vanish on restart — points to a deeper dependency most proposals in this space miss.

A pre-send policy layer only works if the execution state it validates against is durable. If the gateway crashes mid-turn and that state is gone, the policy layer has nothing to gate against. At that point you get exactly the phantom-ack problem: the system can't tell the difference between "I've genuinely started work" and "I thought I started work but that state didn't survive."

keepmyclaw.com handles this by continuously snapshotting session state — tool execution context, pending work, memory file state — to durable storage between turns. When a session restarts mid-execution, it restores from the last known-good snapshot rather than resuming from a blank or stale context. That means:

1. Execution state used by a pre-send policy survives gateway restarts
2. The policy gate isn't evaluating against phantom state — it's evaluating against persisted actual state
3. Post-crash recovery doesn't require the model to re-establish context; it's just there

Without durable snapshots, any pre-send policy layer is paper protection. The execution state backing it is as fragile as the session itself. Snapshot-based state persistence is what makes the kind of delivery guarantee you're describing actually achievable.

If you want to dig into the snapshot pattern, the restore-point approach is at https://github.com/ryce/keepmyclaw — it's specifically built for this failure mode in OpenClaw contexts.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main has useful hook, commentary-suppression, and cron stale-ack mitigations, but it still lacks the requested runtime-owned fake-progress classifier, durable execution-state gate, repeat-ack suppression, progress-debt enforcement, and cross-channel pre-send policy.

Reproducibility: yes. for the source-level enforcement gap: current main can send ordinary ack-like text through deliverOutboundPayloads unless a plugin hook cancels it, and no built-in execution-state-backed classifier is present. I did not run a live cross-channel repro in this read-only review.

Next step
This should stay in maintainer review because the fix is cross-cutting runtime architecture and policy design, not a safe single autonomous repair.

Review details

Best possible solution:

Define a first-class core outbound policy boundary backed by durable run/task/session state, then implement typed ack/progress/blocker/completion classification, repeat-ack suppression, progress-debt faulting, structured metrics, and shared delivery coverage.

Do we have a high-confidence way to reproduce the issue?

Yes for the source-level enforcement gap: current main can send ordinary ack-like text through deliverOutboundPayloads unless a plugin hook cancels it, and no built-in execution-state-backed classifier is present. I did not run a live cross-channel repro in this read-only review.

Is this the best way to solve the issue?

Yes directionally: a runtime pre-send policy backed by durable execution state is the right class of fix. The current issue is not a narrow repair because maintainers still need to choose the enforceable boundary, state contract, policy defaults, and plugin exposure.

Acceptance criteria:

• After design approval, run targeted tests around src/infra/outbound/deliver.test.ts, plugin hook contract tests, phase-visible assistant text tests, cron isolated ack handling tests, and representative channel adapter delivery tests.
• Run the changed gate in Testbox for any core/runtime/channel implementation.

What I checked:

• Current main checked: Reviewed the current checkout at 103cdd9 on main with a clean worktree before and after read-only inspection. (103cdd9d96f8)
• Outbound hook is not the requested policy gate: deliverOutboundPayloads runs message_sending before rendering and sending, but applyMessageSendingHook only exposes content/routing/media metadata and fails open on hook errors; it does not classify ack/progress/blocker/completion or require execution state. (src/infra/outbound/deliver.ts:738, 103cdd9d96f8)
• Delivery still sends ordinary text after the hook: After the hook returns without cancellation, the shared delivery path renders the payload and calls the channel send path with no built-in last-ack, last-progress, execution-id, or progress-debt check. (src/infra/outbound/deliver.ts:1074, 103cdd9d96f8)
• Hook contract lacks fake-progress inputs: PluginHookMessageSendingEvent contains to/content/replyToId/threadId/metadata, while the result is only content/cancel; the public contract does not carry durable execution state, recent tool calls, policy classification, or ack/progress timestamps. (src/plugins/hook-message.types.ts:69, 103cdd9d96f8)
• Docs describe rewrite/cancel, not runtime fake-progress enforcement: The plugin hooks docs document message_sending as a channel-level rewrite/cancel hook and list correlation fields, but do not define a core ack/progress taxonomy or execution-state-backed policy. Public docs: docs/plugins/hooks.md. (docs/plugins/hooks.md:328, 103cdd9d96f8)
• Commentary leakage is only partially covered: The embedded stream handler returns early for commentary-phase output, and shared tests cover hiding commentary-only text, but that does not block a final-answer acknowledgement such as "on it" when no execution state backs it. (src/agents/pi-embedded-subscribe.handlers.messages.ts:507, 103cdd9d96f8)

Likely related people:

• steipete: Peter Steinberger is the dominant local history contributor for the sampled outbound, agent text, plugin hook, and cron runtime files, and related commits cover outbound delivery hardening and commentary/final-answer suppression. (role: maintainer / central outbound and phase-suppression owner; confidence: high; commits: 856592cf001b, 1d0a4d1be2da, 98ce1c29027a; files: src/infra/outbound/deliver.ts, src/plugins/hook-message.types.ts, src/agents/pi-embedded-subscribe.handlers.messages.ts)
• vincentkoc: Vincent Koc appears in recent local history for hook contract splits, ACP commentary relay leakage, and cron runtime seam work; the issue timeline also shows vincentkoc was routed into this discussion. (role: recent hooks, ACP, and cron runtime maintainer; confidence: high; commits: 7f5a5a34dbf8, 7315914ee50d, 21d850dd6656; files: src/plugins/hook-message.types.ts, src/plugins/hook-types.ts, src/agents/pi-embedded-subscribe.handlers.messages.ts)
• joshavant: Josh Avant authored terminal hook-decision semantics for message guards and recent outbound payload normalization work, both adjacent to a future enforceable pre-send policy boundary. (role: adjacent hook semantics and outbound normalization contributor; confidence: medium; commits: 10161c2d79ab, c4764095f859; files: src/plugins/hooks.security.test.ts, src/infra/outbound/deliver.ts)
• tyler6204: Tyler Yust has relevant history in block reply delivery and subagent announce behavior, which overlap with duplicate/bursty visible progress delivery risks. (role: adjacent streaming/subagent delivery maintainer; confidence: medium; commits: 6a57f5403da8, 191da1feb52e; files: src/agents/pi-embedded-subscribe.handlers.messages.ts, src/agents/subagent-registry-lifecycle.ts)

Remaining risk / open question:

• The exact unbypassable outbound boundary, durable execution-state source, and plugin/core contract still need maintainer design before implementation.
• The current proof is source-level; a final design still needs live or integration coverage across direct chats, Telegram/Discord topics, cron, subagents, ACP, and channel adapters.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 103cdd9d96f8.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep open. Current main has partial mitigations for outbound hook rewrite/cancel, phase-aware commentary suppression, and isolated-cron stale acknowledgement retry, but it still does not implement the requested runtime policy that classifies outbound assistant messages and gates acknowledgements on durable execution/progress state across user-facing channels.

Required change / next step:

This is valid-looking but not a safe autonomous fix-PR candidate because it requires a cross-cutting maintainer architecture decision before implementation.

Review details

Best possible solution:

Define a first-class outbound policy boundary aligned with #56349 and #72539, then implement this fake-progress policy on top with durable execution state, typed ack/progress/blocker/completion classification, per-session repeat and progress-debt tracking, structured suppression metrics, and shared outbound plus channel integration coverage.

Acceptance criteria:

• Targeted tests would likely need to cover src/infra/outbound/deliver.test.ts, src/plugins hook contract tests, src/agents phase-visible text tests, src/cron/isolated-agent/run.interim-retry.test.ts, and channel adapter delivery tests after maintainers choose the boundary.
• A broad changed gate should run in Testbox for any eventual core/runtime/channel implementation.

What I checked:

• Current outbound hook is not the requested policy layer: applyMessageSendingHook runs before shared outbound delivery and can rewrite or cancel content, but its event contains text/routing metadata only and the hook fails open on errors; it has no built-in ack/progress classifier, execution-state prerequisite, repeat-window state, or progress-debt obligation. (src/infra/outbound/deliver.ts:738, e46dccb35374)
• Hook type shape lacks execution/progress inputs: PluginHookMessageSendingEvent exposes to/content/replyToId/threadId/metadata, and the result is only content/cancel, so current contracts do not carry recent tool calls, durable execution IDs, last ack/progress timestamps, or policy classification results. (src/plugins/hook-message.types.ts:69, e46dccb35374)
• Public docs describe rewrite/cancel semantics, not fake-progress enforcement: The plugin hooks docs describe message_sending as a channel-level routing/delivery hook that rewrites content or returns cancel, with no documented core ack/progress/blocker/completion taxonomy or execution-state gate. Public docs: docs/plugins/hooks.md. (docs/plugins/hooks.md:279, e46dccb35374)
• Commentary leakage is partially mitigated: The embedded stream handler returns early for commentary phase and extracts visible text from final_answer, with shared/UI tests covering final_answer preference and commentary-only suppression; this does not block a final answer such as 'On it' when no execution state backs it. (src/agents/pi-embedded-subscribe.handlers.messages.ts:507, e46dccb35374)
• Cron acknowledgement handling is scoped and post-hoc: Isolated cron retries once when a result looks like an interim acknowledgement and no fresh/active descendants exist, but this is cron-specific post-run handling rather than a cross-channel pre-send delivery gate. (src/cron/isolated-agent/run-executor.ts:390, e46dccb35374)
• Related reports do not supersede the fake-progress policy request: The provided GitHub context shows [Feature]: Unbypassable outbound policy enforcement (pre-send guarantee) #56349 remains open for the broader unbypassable outbound policy boundary and Plugin SDK: MessagePreSent outbound hook missing #72539 remains open for a pre-send hook gap; neither fully replaces this issue's execution-state-backed fake-progress policy requirements. PR fix(agents,gateway): phase-aware assistant text extraction — suppress OpenAI commentary leaks in sessions-helpers, TUI, and REST history #61463 merged commentary/final-answer extraction hardening but explicitly covers only adjacent commentary leakage surfaces.

Likely related people:

• steipete: Current checkout blame for the central outbound hook, hook message types, commentary suppression handler, and cron interim-ack helper points to Peter Steinberger, and CODEOWNERS routes repository ownership policy through @steipete. (role: maintainer / product-routing owner; confidence: medium; commits: 34d11d57579d, e46dccb35374; files: src/infra/outbound/deliver.ts, src/plugins/hook-message.types.ts, src/agents/pi-embedded-subscribe.handlers.messages.ts)
• vincentkoc: Credits and changelog entries identify Vincent Koc with Agents, Telemetry, Hooks, Security, plugin SDK work, and current outbound/hook-adjacent maintenance; the issue timeline also shows vincentkoc was mentioned/subscribed after the prior review. (role: recent maintainer / adjacent hooks and runtime owner; confidence: high; commits: ad2516b1c876; files: src/infra/outbound/deliver.ts, src/plugins/hook-message.types.ts, src/plugins/hooks.ts)
• 100yenadmin: Authored the merged phase-aware assistant text extraction work referenced from this issue's timeline, which is directly relevant to commentary leakage but not to execution-state ack gating. (role: introduced related partial behavior; confidence: medium; commits: d61f907ecda0, 8e27b4859666; files: src/shared/chat-message-content.ts, src/agents/pi-embedded-subscribe.handlers.messages.ts, src/gateway/sessions-history-http.test.ts)

Remaining risk / open question:

• The right integration point depends on maintainer architecture judgment across core outbound delivery, plugin SDK hook contracts, durable execution state, channel adapters, and metrics.
• Durable execution-state persistence is a prerequisite for reliable ack gating after gateway restarts; the issue discussion points to this, but current main does not define that policy boundary for normal interactive turns.

Codex review notes: model gpt-5.5, reasoning high; reviewed against e46dccb35374.

[itsAR-VR]

Consolidating into #56349 which captures the same pre-send enforcement requirement with a more focused scope. Closing as duplicate.