Bug: agents.defaults.heartbeat.to corrupts deliveryContext, causing private messages to leak to group with different content

[smallmj]

Summary

When agents.defaults.heartbeat.to is configured, all outgoing messages (including normal replies to user DMs) get incorrectly routed to the heartbeat target channel. Moreover, the content sent to the wrong channel is different from the content sent to the correct channel — as if two independent LLM generations occurred.

This is a privacy breach: private chat responses are leaked to a group/channel, and the leaked content may not even match what the user receives.

Configuration

{
  "agents": {
    "defaults": {
      "heartbeat": {
        "every": "30m",
        "activeHours": { "start": "08:00", "end": "22:00" },
        "target": "feishu",
        "to": "oc_8d6a0a64d5d4bb05a9f19c707c03ca6a"
      }
    }
  }
}

Observed Behavior

1. User sends a DM to the agent (main)
2. Agent generates a response intended for the DM
3. The response appears in the heartbeat target group (oc_8d6a0a64d5d4bb05a9f19c707c03ca6a) with content A
4. The user receives a DIFFERENT response with content B in the private chat

Or, in some cases:

• The DM reply goes to the group
• The heartbeat reply goes to the DM
• Both contents are different

It appears that the routing context (deliveryContext.to) is being overwritten globally by the heartbeat configuration, and the message generation is triggered twice (once for each destination) with different outputs.

Related Issues

This is similar to but distinct from:

• [Bug]: Heartbeat set to reply to Telegram group gets mixed up with direct chat #28639 - "Heartbeat set to reply to Telegram group gets mixed up with direct chat"

  • That issue reports heartbeat messages and DM replies swapping channels.
  • My report shows ALL messages are affected, not just concurrent heartbeat+DM scenarios.
  • Also reveals content divergence (two different generations), which is not mentioned in [Bug]: Heartbeat set to reply to Telegram group gets mixed up with direct chat #28639.

• [Bug]: Heartbeat prompts incorrectly routed to Discord DMs #25871 - "Heartbeat prompts incorrectly routed to Discord DMs"

  • That issue is about heartbeat prompts spamming DMs.
  • This is about private replies leaking to groups with altered content.

• [Bug]: agents.defaults.heartbeat.model Config Ignored #19445 - "agents.defaults.heartbeat.model Config Ignored"

  • Shows that heartbeat config in defaults is buggy in multiple ways.
  • Supports the hypothesis that agents.defaults.heartbeat.* should not be applied globally.

Root Cause Hypothesis

When agents.defaults.heartbeat.to is set, the heartbeat's routing target is being incorrectly applied to the session's deliveryContext as a side effect. Since OpenClaw uses deliveryContext.to to determine where to send outgoing messages, all messages (not just heartbeat) get routed to the heartbeat target.

Furthermore, the system seems to queue the message for both destinations (original and heartbeat target), generating two independent LLM responses. This explains the content divergence.

Workaround (Validated ✅)

Move the heartbeat configuration from agents.defaults to the specific agent that needs it:

{
  "agents": {
    "defaults": {
      // Remove heartbeat from here
    },
    "list": [
      {
        "id": "main",
        // ...
        "heartbeat": {
          "every": "30m",
          "activeHours": { "start": "08:00", "end": "22:00" },
          "target": "feishu",
          "to": "oc_8d6a0a64d5d4bb05a9f19c707c03ca6a"
        }
      }
    ]
  }
}

Validation results (after Gateway restart):

• ✅ Private chat replies go to the correct private chat (deliveryContext.to remains user:ou_xxx)
• ✅ Heartbeat messages still go to the target group (to be confirmed on next heartbeat tick)
• ✅ No duplicate messages observed in testing
• ✅ Session count remains normal (1 active session, no extra ghost sessions)

Test method:

1. Applied configuration change (removed heartbeat from defaults, added to main)
2. Restarted Gateway (openclaw gateway restart)
3. Sent test DM to agent
4. Verified deliveryContext.to in active session points to DM, not group
5. Checked logs: only one feishu_im_user_message: send entry for the test message
6. No evidence of duplicate routing

Note: This workaround is validated for single-agent setups. Multi-agent with different heartbeat targets needs further testing.

Impact & Severity

• Privacy violation: Private conversations leaked to group channels
• Data integrity: Users receive different content than what was "sent"
• Trust: Undermines confidence in message delivery
• Potential compliance risk: Depending on data sensitivity

OpenClaw Version

2026.4.10 (from openclaw.json meta.lastTouchedVersion)

Request

1. Fix the routing isolation bug in agents.defaults.heartbeat handling.
2. Document that heartbeat should be configured per-agent if routing isolation is required, or deprecate agents.defaults.heartbeat.
3. Consider heartbeat session separation as proposed in [Bug]: Heartbeat set to reply to Telegram group gets mixed up with direct chat #28639 (run heartbeats in isolated sub-sessions that don't share delivery context).
4. Release a patch version, as this is a high-severity bug.

---

Workaround Status: ✅ Validated — Configuration change applied, Gateway restarted, routing verified correct in production. Heartbeat functionality preserved. Multi-agent scenarios untested.

[smallmj]

更新：工作区验证失败 — 问题仍在发生

经过进一步测试，上述工作区并未真正解决问题。私聊消息仍然被错误路由到群聊。

新证据

时间线（消息 om_x100b52f879f2d4b4c445802afb2913f）：

• 18:20:36 — 私聊消息到达，dispatch 到 agent:main:feishu:default:direct:ou_84fcd051b32f39453ebe455d2146abfd ✅
• 18:22:16 — dispatch complete（处理耗时 99.9 秒）
• 18:22:33 — 消息发送到群聊 oc_8d6a0a64d5d4bb05a9f19c707c03ca6a ❌

关键矛盾：

• dispatch 阶段：会话匹配正确（私聊）
• 发送阶段：destination 变为群聊

根本原因重新评估

已排除：

• ❌ agents.defaults.heartbeat 配置残留（已彻底移除）
• ❌ 旧会话残留（已删除 ef9ffd17 并重启）
• ❌ Dreaming 功能干扰（heartbeat 未配置 dreaming）

新假设：会话运行中 deliveryContext 被修改

可能机制：

1. 某个 skill 在工具调用中修改了 context.deliveryContext
2. OpenClaw 核心的会话状态管理存在竞态条件或状态污染
3. 心跳的 dreaming 阶段（如果存在）可能在后台修改全局状态

需要的信息

要定位问题，需要：

• 会话 a49d08a3-cdbd-4a03-b5dc-f223fd3b94cb 的完整消息日志（18:20-18:22）
• 检查该会话期间所有工具调用
• 检查 deliveryContext 的变更历史

临时建议

对于受影响的用户：

• 暂时避免在私聊中使用 agent（或接受消息可能泄露）
• 或禁用 heartbeat 功能

工作区状态：❌ 验证失败 — 需要新的修复方案

---

更新于 2026-04-13 18:38

[martingarramon]

The isSystemEvent guard from #66073 (lines 429-434, 511-530 of session.ts) protects session-store corruption — lastTo/lastChannel/deliveryContext are no longer overwritten by heartbeat turns. Test at session.test.ts:2622 confirms.

The remaining leak is in the outbound dispatch path: resolveHeartbeatDeliveryTarget (targets.ts:84-203) receives explicitTo: heartbeat?.to and resolves the heartbeat group as the delivery target. deliverOutboundPayloads (heartbeat-runner.ts:992) then routes the agent's reply to that target instead of preserving the DM-originating context. This is why the reporter's workaround (moving heartbeat config out of agents.defaults) didn't help — the outbound dispatch reads the heartbeat config regardless of where it's declared.

PR #45039 targets the session-init side but doesn't address outbound dispatch routing. The fix likely needs delivery context isolation in heartbeat-runner.ts to scope the heartbeat target to heartbeat-generated replies only.

[steipete]

Closing this as implemented after Codex review.

Current main already preserves shared-session delivery state during heartbeat/system-event turns and resolves outbound replies from the live turn source instead of a stale persisted route. That matches the issue discussion: the session-store poisoning path is guarded, and the remaining outbound-routing path is also covered by current routing code and regression tests.

What I checked:

• Release note for shared-session route poisoning fix: The 2026.4.14 changelog explicitly says heartbeat, cron-event, and exec-event turns no longer overwrite shared-session routing/origin metadata, preventing synthetic heartbeat targets from poisoning later user delivery. (CHANGELOG.md:882, a9797214338b)
• System-event turns preserve prior delivery route: initSessionState treats heartbeat/cron/exec as system events and reuses the existing route fields instead of rewriting lastChannel, lastTo, or deliveryContext. The nearby test covers a heartbeat targeting a group while preserving the existing Feishu DM route. (src/auto-reply/reply/session.ts:533, c150110e0255)
• Regression test for preserved user route: The test preserves the existing user route when a heartbeat targets a different chat on the shared session asserts that a heartbeat-originating group target does not overwrite the stored DM route or origin metadata. (src/auto-reply/reply/session.test.ts:3121, c150110e0255)
• Outbound target resolution prefers current turn source: resolveSessionDeliveryTarget accepts turnSourceChannel/turnSourceTo/turnSourceAccountId specifically to override shared-session lastChannel/deliveryContext, and drops stale thread state when the live turn route differs from the persisted session route. (src/infra/outbound/targets-session.ts:56, c150110e0255)
• Regression tests for stale-route override: Current tests assert both that shared-session races drop stale thread routing when the live turnSourceTo differs and that agent delivery planning overrides a wrong persisted destination with the live turn's direct-chat target/account. (src/infra/outbound/targets.test.ts:916, c150110e0255)
• Normal replies use live origin metadata: resolveEffectiveReplyRoute uses live OriginatingChannel/OriginatingTo for normal providers and only falls back to persisted route state for system-event replies, preventing ordinary DM replies from inheriting heartbeat routing. (src/auto-reply/reply/effective-reply-route.ts:24, c150110e0255)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against c150110e0255; fix evidence: release v2026.4.23, commit a9797214338b.