[Bug]: Control UI renders async exec system events in the visible chat transcript

[WhiteCrispStudios]

Bug type

Behavior bug (incorrect output/state without crash)

Beta release blocker

No

Summary

The Control UI displays async exec completion system events in the visible chat transcript instead of keeping them internal or clearly separated from normal chat messages.

Steps to reproduce

Open a direct session in the OpenClaw Control UI.
Trigger an async exec command that completes after the initial response.
Observe that completion events such as System (untrusted): Exec completed (...) and An async command you ran earlier has completed... appear in the visible chat transcript.

Expected behavior

Async exec completion events should remain internal to the agent/runtime or be shown only in a clearly separated system/debug area, not in the normal user-facing chat transcript.

Actual behavior

The visible chat transcript shows runtime/system messages including System (untrusted): Exec completed (...) and An async command you ran earlier has completed. The result is shown in the system messages above. Handle the result internally. Do not relay it to the user unless explicitly requested.

OpenClaw version

2026.4.15 (041266a)

Operating system

Linux 6.12.75+rpt-rpi-v8 (arm64)

Install method

pnpm

Model

openai-codex/gpt-5.4

Provider / routing chain

openclaw - oauth openai

Additional provider/model setup details

Auth profile shown in session status: openai-codex:default

Logs, screenshots, and evidence

Observed directly in the Control UI chat transcript.
Relevant runtime strings also appear in the installed OpenClaw build:

dist/session-system-events-*.js contains System (untrusted)
dist/heartbeat-runner-*.js contains An async command you ran earlier has completed... Handle the result internally...
Visible examples observed in chat:

System (untrusted): [timestamp] Exec completed (...)
An async command you ran earlier has completed. The result is shown in the system messages above. Handle the result internally. Do not relay it to the user unless explicitly requested.

Impact and severity

Affected users/systems/channels: Control UI users in visible chat sessions
Severity: Annoying and confusing; exposes internal runtime/system text in the normal conversation view
Frequency: Observed repeatedly during the session after async exec completions
Consequence: Internal system event text appears in the user-facing transcript and can be mistaken for normal assistant or user messages

Additional information

Observed on 2026-04-19 in a direct Control UI session while background exec commands completed asynchronously.. Before update from 01.April2026 it worked

[WhiteCrispStudios]

Problem: AI model is answering to those messages.

[srinivaspavan9]

Hey, I was able to replicate this on latest main. When you ask the agent to run an async shell command, after it completes you can see the full internal heartbeat injection appearing in the transcript as if you sent it , System (untrusted): Exec completed (...) followed by the entire heartbeat prompt including Read HEARTBEAT.md if it exists.... That's definitely not something the user should ever see.
Expected behavior is simple the assistant should just reply with the command output when it's done. None of the internal runtime machinery should leak into the visible transcript.
I'm interested in taking a look at fixing this!

[WhiteCrispStudios]

Great, thank you! id say it will help the whole community ;-)

[steipete]

Closing this as implemented after Codex review.

Current main already separates async exec / heartbeat system-event text from the persisted chat transcript and suppresses heartbeat ack-like chat output in the Control UI path. The fix is present after v2026.4.23, so this is implemented on main but not tied to a released tag from the evidence available in this checkout.

What I checked:

• Transcript path now split from runtime prompt: buildReplyPromptBodies() now builds a separate transcriptCommandBody from transcriptBody, while system-event blocks are only prepended to the runtime prompt bodies. That is the core guard preventing injected async-exec system text from being persisted into visible transcript history. (src/auto-reply/reply/prompt-prelude.ts:43, 0ec3b79c0797)
• Embedded runner rewrites the submitted prompt in transcript: After prompting the embedded runner, rewriteSubmittedPromptTranscript() is invoked with submittedPrompt and transcriptPrompt, so the persisted user-side transcript entry is rewritten to the sanitized transcript-safe text instead of the full runtime-injected prompt. (src/agents/pi-embedded-runner/run/attempt.ts:2561, 0ec3b79c0797)
• Transcript rewrite implementation: rewriteSubmittedPromptTranscript() finds the just-appended user message matching the submitted prompt and replaces it with transcriptPrompt, then emits a transcript update. This directly addresses leaked internal system-event / heartbeat prompt text in chat history. (src/agents/pi-embedded-runner/run/transcript-prompt-rewrite.ts:56, 0ec3b79c0797)
• Regression coverage for system events staying out of transcript: Current tests explicitly assert that drained system events appear in the runtime command body but do not appear in transcriptCommandBody or followupRun.transcriptPrompt. (src/auto-reply/reply/get-reply-run.media-only.test.ts:838, 0ec3b79c0797)
• Regression coverage for heartbeat ack suppression in chat: Current gateway chat tests explicitly assert that heartbeat ack-like output such as HEARTBEAT_OK Read HEARTBEAT.md... is not broadcast as a visible chat message. (src/gateway/server-chat.agent-events.test.ts:1439, 0ec3b79c0797)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Codex Review notes: reviewed against 938b53698ec1; fix evidence: commit 0ec3b79c0797.