[Bug]: Subagent completion announce leaks internal runtime context into Control UI chat and persists it in session history

[MojoJojo43]

Bug type

Behavior bug (incorrect output/state without crash)

Summary

Subagent completion announce delivery can leak raw internal OpenClaw runtime context into user-visible chat in Control UI/webchat, and the leaked content is persisted into session history as real inbound messages instead of being treated as internal-only event data.

Steps to reproduce

1. Use OpenClaw Control UI / webchat with a main session.
2. Spawn or run a subagent that completes and announces its result back to the main session.
3. Let the subagent complete while the main session remains active in webchat.
4. Observe the resulting messages in the chat transcript.

Expected behavior

When a subagent completes:

• the main session should receive one clean internal completion event
• OpenClaw should convert that into one normal assistant reply for the user
• internal markers such as <<<BEGIN_OPENCLAW_INTERNAL_CONTEXT>>>, internal task metadata, stats, and action instructions should never be shown in user-visible chat
• internal completion payloads should never be stored as normal inbound user messages in session history

Actual behavior

In webchat / Control UI, raw internal completion content is exposed directly in the chat transcript, including text like:

• <<<BEGIN_OPENCLAW_INTERNAL_CONTEXT>>>
• OpenClaw runtime context (internal):
• [Internal task completion event]
• Action: A completed subagent task is ready for user delivery...

The leaked content is not only rendered in the UI. It is also persisted in the session JSONL as inbound messages, so it pollutes transcript history and context.

In the reproduced case, multiple related completion/handoff messages were injected in sequence for the same completion chain, creating repeated or near-duplicate user-visible messages.

OpenClaw version

2026.4.5 (3e72c03)

Operating system

Ubuntu Linux 6.17.0-20-generic (x64)

Install method

npm global

Logs, screenshots, and evidence

Verified locally in session transcripts:

1. Main session transcript contains the leaked internal block as a stored inbound message, not only a frontend render artifact.
2. Related agent session shows the same completion chain arriving via inter-session / subagent announce delivery.
3. Multiple announce/handoff messages for the same completion chain were delivered in sequence.

Representative leaked content included:

<<<BEGIN_OPENCLAW_INTERNAL_CONTEXT>>>
OpenClaw runtime context (internal):
This context is runtime-generated, not user-authored. Keep internal details private.

[Internal task completion event]
source: subagent
session_key: agent:living-artificial:subagent:...
status: completed successfully
...
Action:
A completed subagent task is ready for user delivery. Convert the result above into your normal assistant voice and send that user-facing update now.
<<<END_OPENCLAW_INTERNAL_CONTEXT>>>

Representative provenance from related session history indicated inter-session delivery from subagent completion / announce paths.

Impact and severity

Severity: High

Impact:

• leaks internal runtime/meta content into user-visible chat
• stores leaked internal payloads in session history
• pollutes future model context
• creates confusing repeated completion messages
• makes Control UI/webchat transcripts unreliable and noisy during subagent workflows

Additional information

This appears related to, but distinct from, existing delivery-mirror / webchat duplication issues such as:

• BUG: Control UI (webchat) double-records assistant messages in session JSONL #39469
• [Bug]: Webchat duplicates assistant replies via delivery-mirror transcript entry #33263
• Control UI webchat: duplicate assistant messages rendered on every reply #5964
• Duplicate subagent announce delivery when main session is busy #17122
• Followup queue delivers same message multiple times when agent is busy #30604
• [Bug]: Webchat leaks internal /new prompt and reply control tags into visible chat #26034

Observed behavior suggests a failure in the subagent completion announce transformation path: raw internal completion payload is being forwarded into chat instead of being converted into a single clean assistant response before persistence/delivery.

This was reproduced on a system already running a newer version than several previously reported webchat duplication bugs, so it may be a remaining or neighboring bug in subagent completion announce handling specifically.

[Harimay23]

This looks deeper than a WebChat-only render bug.

From the current code shape, it seems likely that raw subagent completion payloads are crossing the conversation boundary before they are transformed into a clean user-facing assistant update:

• subagent announce delivery explicitly forwards internalEvents
• the gateway agent path also accepts and forwards internalEvents into agent ingress
• the issue report says the leaked payload is not only rendered in Control UI, but also persisted into session history as normal inbound content

That makes this look like a subagent announce transformation / transcript-boundary bug, not just a chat.history filtering gap.

A key point: the repo already appears to treat these internal runtime-context blocks as content that should never leak into user-facing text. There are existing tests around sanitizing internal runtime context / subagent completion payloads out of user-visible output. So this may be a path that is bypassing an already-intended safety guard rather than a new product decision.

Suggested next steps:

1. Trace the subagent completion announce path and confirm where raw internalEvents become transcript/chat content.
2. Ensure raw internal completion payloads are transformed or sanitized before persistence into session history.
3. Keep chat.history / UI filtering as defense in depth, but not as the only fix if the raw payload is already being stored.
4. Add regression tests for both:
   • no raw internal runtime block persisted into history
   • only one clean assistant-facing update reaches user-visible chat

Product principle:
internal orchestration / runtime context should never cross the user-visible transcript boundary, and should never be persisted as normal inbound conversation content.

If that direction sounds right, I’d be happy to help narrow the likely fix surface further around the subagent announce transformation path.

[ygc3817922006-sketch]

I hit this again today on 2026.4.20 (115f05d) in openclaw-control-ui / webchat, and I was able to narrow it a bit more.

What I observed

The leak is not only history-side.
It happens in both places:

1. real-time chat event path: the raw internal completion envelope is appended directly into the visible chat
2. chat.history reload path: the same content is still present after refresh / reload

So from the user side it looks like:

• a subagent finishes
• the user sees <<<BEGIN_OPENCLAW_INTERNAL_CONTEXT>>> ... <<<BEGIN_UNTRUSTED_CHILD_RESULT>>>
• refreshing the Control UI does not remove it because it is also present in history

Code-path notes from the installed build

From the current dist build, the flow appears to be:

• dist/internal-events-SlGbbGK8.js

  • formatAgentInternalEventsForPrompt(...) explicitly builds the raw text block with:
    • <<<BEGIN_OPENCLAW_INTERNAL_CONTEXT>>>
    • [Internal task completion event]
    • <<<BEGIN_UNTRUSTED_CHILD_RESULT>>>

• dist/subagent-announce-C06jI_ZN.js

  • uses that formatted internal event text as the announce/steer message

• dist/subagent-announce-delivery-ChDxBkZB.js

  • sends it back through the normal agent path with:
    • inputProvenance.kind = "inter_session"
    • sourceTool = "subagent_announce"

• dist/control-ui/assets/index-*.js

  • the real-time chat event path (SC -> bC -> Dc) appends the incoming message into chatMessages
  • I did not find a provenance/content guard there for inter_session + subagent_announce + internal envelope markers

• dist/chat-CEKPf5iI.js

  • sanitizeChatHistoryMessage / sanitizeChatHistoryMessages do not appear to strip internal runtime context blocks, so refresh/history reload still shows the leak

Why this matters

This is effectively an internal working note for the parent agent being rendered to the end user as if it were normal chat content.

Likely fix shape

This still looks like a two-layer problem:

1. root fix: do not let raw subagent internal envelopes cross the user-visible transcript boundary as normal chat content
2. defense in depth: also filter these blocks on both:
   • real-time Control UI chat event handling
   • chat.history sanitization

Suggested regression coverage

• subagent completion should not surface raw BEGIN_OPENCLAW_INTERNAL_CONTEXT blocks in Control UI
• refresh/reload should not bring them back from chat.history
• users should still receive the final normal assistant-written summary/result

[steipete]

Fixed on main in 6df120fb39.

What changed:

• realtime Control UI chat events now strip <<<BEGIN_OPENCLAW_INTERNAL_CONTEXT>>> ... <<<END_OPENCLAW_INTERNAL_CONTEXT>>> blocks before broadcasting assistant chat deltas/finals
• memory/dreaming session export now skips role:"user" messages that carry provenance.kind="inter_session", including sourceTool="subagent_announce"
• the ACP/CLI transcript fix from f0fa35082b also keeps ACP completion wakes marker-free before they reach external harness transcripts

Regression coverage added:

• src/gateway/server-chat.agent-events.test.ts covers realtime chat stripping
• src/memory-host-sdk/host/session-files.test.ts covers dreaming/session export skipping inter-session user relays
• packages/memory-host-sdk/src/host/session-files.test.ts covers the package copy of the same export path

Validation:

• focused regression suite passed: pnpm test src/gateway/server-chat.agent-events.test.ts src/memory-host-sdk/host/session-files.test.ts packages/memory-host-sdk/src/host/session-files.test.ts
• standalone recheck of the gateway file that flaked during the changed shard passed: pnpm test src/gateway/server.agent.gateway-server-agent-a.test.ts
• pnpm check:changed non-test lanes passed; the changed gateway test shard wedged twice after unit tests, so I verified the reported failing file standalone instead of treating the wedge as product failure

Closing as fixed. The remaining transcript rows from older versions may still exist on disk, but current chat.history, realtime chat, memory export, and ACP transcript paths no longer expose/ingest the raw internal envelope.