Agents: move bootstrap warnings out of system prompt

[scoootscooob]

Summary

• Problem: bootstrap truncation warning lines were injected into # Project Context inside the system prompt, which made the cached prefix change when the warning appeared or disappeared.
• Why it matters: this reduced provider-side prompt cache reuse even though the underlying workspace bootstrap content was unchanged.
• What changed: keep bootstrap warning visibility, but prepend the warning details to the per-turn prompt body instead of the stable system prompt prefix.
• Tests: add regression coverage that compares legacy warning-in-system behavior against the new body-prefix behavior and asserts the cache-relevant system prompt stays stable.

Change Type

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Follow-up to Agent: unify bootstrap truncation warning handling #32769

User-visible / Behavior Changes

• Bootstrap truncation warnings are still shown to the model, but they now ride in the per-turn prompt body instead of mutating the system prompt.
• The system prompt no longer gains or loses a ⚠ Bootstrap truncation warning block across turns.

Security Impact

• New permissions/capabilities? (Yes/No): No
• Secrets/tokens handling changed? (Yes/No): No
• New/changed network calls? (Yes/No): No
• Command/tool execution surface changed? (Yes/No): No
• Data access scope changed? (Yes/No): No

Repro + Verification

Environment

• OS: macOS
• Runtime/container: local Node 25 + pnpm
• Model/provider: anthropic/claude-sonnet-4-5
• Integration/channel (if any): local prompt construction + live Anthropic cache metrics

Steps

1. Run targeted tests:
   • pnpm test -- src/agents/bootstrap-budget.test.ts src/agents/system-prompt.test.ts
2. Run the prompt-cache investigation harness:
   • pnpm exec tsx scripts/investigate-prompt-cache.ts
3. Run the harness with live cache logging enabled:
   • ANTHROPIC_API_KEY=... OPENCLAW_INVESTIGATE_CACHE_LIVE=1 MODEL_ID=claude-sonnet-4-5 MAX_TOKENS=16 pnpm exec tsx scripts/investigate-prompt-cache.ts

Expected

• The bootstrap warning scenario should no longer change the system prompt after bootstrap.
• Live cache behavior for the bootstrap warning path should shift from repeated cache writes to cache reads on later turns.

Actual

• Targeted tests pass.
• bootstrap-warning now reports 0 system-change turn(s) after initial bootstrap.
• Live cache metrics improved materially for the bootstrap warning path.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Perf numbers (if relevant)

Cache hit-rate measurements

Bootstrap warning scenario before this change:

• cacheRead=25854
• cacheWrite=51602
• cached=33%

Bootstrap warning scenario after this change:

• cacheRead=51494
• cacheWrite=25747
• cached=66%

Per-turn bootstrap warning behavior before:

• t1: write only
• t2: write only again
• t3: cached

Per-turn bootstrap warning behavior after:

• t1: write only
• t2: 99% cached
• t3: 99% cached

Overall latest-main harness average before this fix:

• cacheRead=35523
• cacheWrite=63056
• cached=36%

Overall latest-main harness average after this fix:

• cacheRead=53124
• cacheWrite=45234
• cached=54%

Human Verification

• Verified that bootstrap warning details are still visible to the model, but no longer mutate the system prompt.
• Verified the cache-specific regression with a dedicated unit test comparing legacy and optimized prompt construction.
• Verified live Anthropic cache metrics before/after using the same investigation harness.

Compatibility / Migration

• Backward compatible? (Yes/No): Yes
• Config/env changes? (Yes/No): No
• Migration needed? (Yes/No): No

Failure Recovery

• If this causes issues, revert this PR to restore the old warning placement.
• Symptom to watch for: missing bootstrap warning visibility in prompt body on truncated runs.

Risks and Mitigations

• Risk: warning text might become less salient now that it lives in the body prompt instead of the system prompt.
  • Mitigation: the prepended warning block explicitly tells the model to treat project context as partial and read files directly when needed, and tests cover the new body injection path.

[greptile-apps]

Greptile Summary

This PR fixes a prompt-cache degradation by moving bootstrap truncation warnings out of the stable system prompt and into the per-turn prompt body via the new prependBootstrapPromptWarning utility. The core fix is sound and the live cache metrics (33% → 66% hit rate for the bootstrap-warning scenario) confirm the improvement.

Key changes and observations:

• bootstrap-budget.ts — new prependBootstrapPromptWarning helper is clean, well-guarded (handles undefined/empty arrays), and correctly separates warning content from the cacheable system prefix.
• system-prompt.ts — warning injection removed correctly; the # Project Context guard was also tightened to fire only when valid context files exist. However, bootstrapTruncationWarningLines remains in the params type and is still passed by both main call sites (cli-runner.ts:158, attempt.ts:1671), making it a silent no-op that may mislead future contributors.
• pi-embedded-runner/run/attempt.ts — also contains a welcome pre-existing bug fix: the hook prependContext path now operates on effectivePrompt rather than the raw params.prompt, so bootstrap warnings are no longer discarded when a hook injects context.
• bootstrap-budget.test.ts — the regression test correctly validates cache stability, though the cacheHitRate helper uses the misleading variable name changes for what are actually cache-hit counts.

Confidence Score: 4/5

• Safe to merge — the core cache-stability fix is correct and well-tested; the only concern is a dead parameter left in the public API of buildAgentSystemPrompt.
• The behavioral change is exactly as described, backed by unit tests and live cache measurements. The fix in attempt.ts also resolves a pre-existing bug. The one deduction is for bootstrapTruncationWarningLines remaining as a silently-ignored parameter in buildAgentSystemPrompt (and its two wrapper helpers), which is a maintenance hazard but not a runtime defect.
• src/agents/system-prompt.ts (and the untouched wrappers src/agents/cli-runner/helpers.ts and src/agents/pi-embedded-runner/system-prompt.ts) for the dead bootstrapTruncationWarningLines parameter.

Comments Outside Diff (1)

1. src/agents/system-prompt.ts, line 205 (link)

   Dead parameter silently accepted but now ignored

   bootstrapTruncationWarningLines is still part of the buildAgentSystemPrompt params type (line 205), still forwarded through buildSystemPrompt in cli-runner/helpers.ts:95 and buildAgentSystemPromptForRun in pi-embedded-runner/system-prompt.ts:84, and still passed by both call sites (cli-runner.ts:158, attempt.ts:1671). But after this PR, the implementation does nothing with it — the field is read by zero lines of buildAgentSystemPrompt.

   Future readers will assume passing bootstrapTruncationWarningLines causes a warning to appear in the system prompt; it no longer does. Consider either:

   • removing the field from the param type (small breaking change, but honest), or
   • marking it /** @deprecated – warnings are now prepended to the per-turn prompt body via prependBootstrapPromptWarning */ in the type definition

   Both the helper wrappers (cli-runner/helpers.ts and pi-embedded-runner/system-prompt.ts) also need updating.

   Prompt To Fix With AI

   This is a comment left during a code review.
   Path: src/agents/system-prompt.ts
   Line: 205
   
   Comment:
   **Dead parameter silently accepted but now ignored**
   
   `bootstrapTruncationWarningLines` is still part of the `buildAgentSystemPrompt` params type (line 205), still forwarded through `buildSystemPrompt` in `cli-runner/helpers.ts:95` and `buildAgentSystemPromptForRun` in `pi-embedded-runner/system-prompt.ts:84`, and still passed by both call sites (`cli-runner.ts:158`, `attempt.ts:1671`). But after this PR, the implementation does nothing with it — the field is read by zero lines of `buildAgentSystemPrompt`.
   
   Future readers will assume passing `bootstrapTruncationWarningLines` causes a warning to appear in the system prompt; it no longer does. Consider either:
   - removing the field from the param type (small breaking change, but honest), or
   - marking it `/** @deprecated – warnings are now prepended to the per-turn prompt body via prependBootstrapPromptWarning */` in the type definition
   
   Both the helper wrappers (`cli-runner/helpers.ts` and `pi-embedded-runner/system-prompt.ts`) also need updating.
   
   How can I resolve this? If you propose a fix, please make it concise.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: src/agents/system-prompt.ts
Line: 205

Comment:
**Dead parameter silently accepted but now ignored**

`bootstrapTruncationWarningLines` is still part of the `buildAgentSystemPrompt` params type (line 205), still forwarded through `buildSystemPrompt` in `cli-runner/helpers.ts:95` and `buildAgentSystemPromptForRun` in `pi-embedded-runner/system-prompt.ts:84`, and still passed by both call sites (`cli-runner.ts:158`, `attempt.ts:1671`). But after this PR, the implementation does nothing with it — the field is read by zero lines of `buildAgentSystemPrompt`.

Future readers will assume passing `bootstrapTruncationWarningLines` causes a warning to appear in the system prompt; it no longer does. Consider either:
- removing the field from the param type (small breaking change, but honest), or
- marking it `/** @deprecated – warnings are now prepended to the per-turn prompt body via prependBootstrapPromptWarning */` in the type definition

Both the helper wrappers (`cli-runner/helpers.ts` and `pi-embedded-runner/system-prompt.ts`) also need updating.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: src/agents/bootstrap-budget.test.ts
Line: 443-446

Comment:
**Misleading variable name `changes` counts cache hits, not changes**

The variable is named `changes` but the filter counts pairs of adjacent turns that are **equal** (i.e., cache hits), not pairs that differ. The assertions happen to work correctly, but a reader unfamiliar with the intent will spend time reconciling "why does `changes = 2` produce a hit-rate of 1?"

```suggestion
    const cacheHitRate = (turns: string[]) => {
      const hits = turns.slice(1).filter((turn, index) => turn === turns[index]).length;
      return hits / Math.max(1, turns.length - 1);
    };
```

How can I resolve this? If you propose a fix, please make it concise.

_{Last reviewed commit: dff644a}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: dff644aa02

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 1 potential security issue(s) in this PR:

#	Severity	Title
1	🟡 Medium	Prompt/content injection via unsanitized bootstrap truncation warning lines in user prompt

---

1. 🟡 Prompt/content injection via unsanitized bootstrap truncation warning lines in user prompt

Property	Value
Severity	Medium
CWE	CWE-74
Location	src/agents/bootstrap-budget.ts:333-353

Description

prependBootstrapPromptWarning() prepends a warning block into the per-turn user prompt, formatting each warningLines entry as a Markdown bullet.

Because the only normalization is trim() and filter(Boolean), any warning line containing embedded newlines or control characters can break out of the intended - ... bullet formatting and inject arbitrary additional prompt content ahead of the real user prompt.

Vulnerable flow:

• Sink (prompt assembly): prependBootstrapPromptWarning() interpolates each line directly:
  • ...normalizedLines.map((line) => - ${line})
  • joined with "\n" and prepended to prompt
• Source (can include paths/names): warningLines typically comes from buildBootstrapPromptWarning() → formatBootstrapTruncationWarningLines() which includes file.name and, when duplicate names exist, file.path:
  • nameLabel = ${file.name} (${file.path})`` (no escaping)
• Untrusted influence on file.path/file.name: resolveBootstrapFilesForRun() applies hook overrides (applyBootstrapHookOverrides) and then sanitizeBootstrapFiles() only does file.path.trim() (does not remove internal \n/\r). Additionally, extra bootstrap loading can incorporate repository-controlled paths via glob patterns.

Why this is exploitable:

• On POSIX filesystems, path components can legally contain \n/\r and other characters (except NUL and /).
• A malicious repo / plugin / hook can craft a bootstrap file path (or name via hook overrides) like:
  • "AGENTS.md (/repo/evil\n\nIgnore previous instructions and ...)"
• When included in the warning block, the injected newline terminates the bullet and adds attacker-controlled instructions at the top of the user prompt.

Vulnerable code:

const normalizedLines = (warningLines ?? []).map((line) => line.trim()).filter(Boolean);
...
...normalizedLines.map((line) => `- ${line}`),

Impact:

• The injected text appears before the user’s actual request and can materially alter agent behavior (including tool-using agents in embedded runs), despite being presented as a “warning” block.

Recommendation

Treat warningLines as untrusted display data and sanitize/encode it so it cannot introduce newlines or control characters into the prompt.

Recommended fix (sanitize + encode):

function sanitizeWarningLine(line: string): string {
  ​// Remove CR/LF and other control chars; collapse whitespace.
  return line
    .replace(/[\r\n]+/g, " ")
    .replace(/\p{C}+/gu, "")
    .replace(/\s+/g, " ")
    .trim();
}

const normalizedLines = (warningLines ?? [])
  .map((line) => (typeof line === "string" ? sanitizeWarningLine(line) : ""))
  .filter(Boolean);

const warningBlock = [
  "[Bootstrap truncation warning]",
  ...normalizedLines.map((line) => `- ${JSON.stringify(line)}`),
].join("\n");

Notes:

• Replacing \r/\n prevents breaking out of the bullet list.
• Stripping Unicode control characters (\p{C}) helps avoid terminal/control-sequence and invisible-text tricks.
• Using JSON.stringify (or wrapping in a code span / code block with escaping) ensures special characters are rendered as data, not instructions.

---

Analyzed PR: #48753 at commit dc1d4d0

_{Last updated on: 2026-03-17T07:11:19Z}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d81cef8297

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Relax heartbeat-preserve check beyond exact string equality

The new guard only skips warning prepending when prompt === preserveExactPrompt, but heartbeat runs usually wrap the configured heartbeat text before it reaches this function (fresh evidence: runHeartbeatOnce appends a HEARTBEAT.md path hint and a current-time line in src/infra/heartbeat-runner.ts), so this equality is typically false and heartbeat polls still get a bootstrap warning prefix. In truncation cases this can push heartbeat turns off the intended HEARTBEAT_OK path and generate avoidable heartbeat alerts/noise.

Useful? React with 👍 / 👎.

[obviyus]

Looks good! Pushed a follow up commit that fixes:

• warning prepend now preserves prompt whitespace
• heartbeat exact-match stays intact
• runtime CLI/embedded paths are covered by tests

I also spot-checked the cache behavior locally and can confirm that cache hit has improved.

[scoootscooob]

Merged via manual deterministic squash.

• Prepared head SHA: dc1d4d075af7afdf4c143f1639cd49e129969f6c
• Merge mode: squash with --match-head-commit
• Notes: local prep artifacts were completed manually after the fork pull/48753/head wrapper fetch bug.

[scoootscooob]

Merged via manual deterministic squash.

• Prepared head SHA: dc1d4d075af7afdf4c143f1639cd49e129969f6c
• Merge mode: squash with --match-head-commit
• Notes: local prep artifacts were completed manually after the fork pull/48753/head wrapper fetch bug.