fix(ui): filter system event messages from chat transcript (#68508)

[kagura-agent]

Summary

Fixes #68508 — System event messages (async exec completion notifications with System: and System (untrusted): prefixes) were leaking into the visible WebChat/Control UI chat transcript. These are internal agent-only signals and should not be shown to users.

Changes

• ui/src/ui/controllers/chat.ts: Updated shouldHideHistoryMessage to filter out system event messages (matching System: and System (untrusted): prefixes) from the rendered chat history
• ui/src/ui/controllers/chat.test.ts: Added tests verifying system event messages are hidden while normal messages remain visible

How it works

Messages are filtered at the UI rendering layer only — they remain in the underlying message history so the agent can still access them, but they are excluded from what users see in WebChat/Control UI.

[greptile-apps]

Greptile Summary

This PR filters system event messages (lines starting with System: or System (untrusted):) from the visible chat transcript by extending shouldHideHistoryMessage in the UI controller. The fix is correctly applied at the history-load layer only, so agent-accessible message history is unaffected. A minor point: the current regex matches any message beginning with System: — including potential real user messages — where a tighter timestamp-anchored pattern could eliminate false positives.

Confidence Score: 5/5

Safe to merge; the one finding is a P2 style suggestion about regex specificity.

The logic is correct, tests cover both the filtering and the mixed-content preservation cases, and the change is scoped to the UI rendering layer with no data loss. The only open concern is a broad prefix match that could theoretically hide unusual user messages — a P2 improvement, not a blocker.

ui/src/ui/controllers/chat.ts — regex specificity on line 19

Prompt To Fix All With AI

This is a comment left during a code review.
Path: ui/src/ui/controllers/chat.ts
Line: 19

Comment:
**Broad prefix risks filtering real user messages**

`SYSTEM_EVENT_LINE_RE` matches any line that starts with `System: ` or `System (untrusted): `, regardless of what follows. A user who types something like `System: can you reboot the server?` would have their message silently hidden from the chat transcript (it still reaches the agent, but they wouldn't see it on reload). The actual runtime-injected events appear to include a bracketed timestamp (e.g. `System: [2026-04-18 10:00:00] Exec completed`). Tightening the pattern to require that structure would eliminate false positives without breaking the intended filtering:

```suggestion
const SYSTEM_EVENT_LINE_RE = /^System(?:\s*\(untrusted\))?:\s*\[\d{4}-\d{2}-\d{2}/;
```

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "fix(ui): filter system event messages fr..." | Re-trigger Greptile}

[greptile-apps]

Broad prefix risks filtering real user messages

SYSTEM_EVENT_LINE_RE matches any line that starts with System: or System (untrusted): , regardless of what follows. A user who types something like System: can you reboot the server? would have their message silently hidden from the chat transcript (it still reaches the agent, but they wouldn't see it on reload). The actual runtime-injected events appear to include a bracketed timestamp (e.g. System: [2026-04-18 10:00:00] Exec completed). Tightening the pattern to require that structure would eliminate false positives without breaking the intended filtering:

Suggested change

	const SYSTEM_EVENT_LINE_RE = /^System(?:\s*\(untrusted\))?:\s/;
	const SYSTEM_EVENT_LINE_RE = /^System(?:\s*\(untrusted\))?:\s*\[\d{4}-\d{2}-\d{2}/;

Prompt To Fix With AI

This is a comment left during a code review.
Path: ui/src/ui/controllers/chat.ts
Line: 19

Comment:
**Broad prefix risks filtering real user messages**

`SYSTEM_EVENT_LINE_RE` matches any line that starts with `System: ` or `System (untrusted): `, regardless of what follows. A user who types something like `System: can you reboot the server?` would have their message silently hidden from the chat transcript (it still reaches the agent, but they wouldn't see it on reload). The actual runtime-injected events appear to include a bracketed timestamp (e.g. `System: [2026-04-18 10:00:00] Exec completed`). Tightening the pattern to require that structure would eliminate false positives without breaking the intended filtering:

```suggestion
const SYSTEM_EVENT_LINE_RE = /^System(?:\s*\(untrusted\))?:\s*\[\d{4}-\d{2}-\d{2}/;
```

How can I resolve this? If you propose a fix, please make it concise.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cec811c843

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Narrow system-event matcher before dropping user history messages

The new SYSTEM_EVENT_LINE_RE/isSystemEventOnlyMessage logic hides any user message whose lines all start with System: or System (untrusted):, which can suppress legitimate user text, not just injected runtime events. This is especially likely because inbound normalization rewrites user-authored System: line prefixes to System (untrusted): (src/auto-reply/reply/inbound-text.ts:9-17), so a normal message like System: reboot failed after update would disappear from chat history. Please constrain the filter to the actual internal event shape (for example, the timestamped event format) or a dedicated marker so real user content remains visible.

Useful? React with 👍 / 👎.

[prtags]

Related work from PRtags group shining-insect-tzpr

Title: Open PR duplicate: Control UI async exec/system transcript leak

Number	Title
#67036	fix(ui): filter leaked control ui transcript rows
#68518*	fix(ui): filter system event messages from chat transcript (#68508)
#69366	fix(ui): hide async exec system events and heartbeat acks from chat transcript

* This PR

[clawsweeper]

Closing this as duplicate or superseded after Codex automated review.

PR #68518 should close as superseded. Current main already prevents new async exec/system-event prompts from being persisted as visible chat-history user rows, and the broader UI-side legacy leaked-row guard is already tracked by related open PR #67036. This PR's narrower UI-only prefix filter also had review feedback that it could hide legitimate user-authored System: messages.

Best possible solution:

Close #68518 as superseded. Keep the current main source-level runtime/transcript separation for new async exec leaks, and use #67036 as the canonical place for any remaining legacy transcript/render hardening with a narrow matcher that avoids hiding legitimate user messages.

What I checked:

• Exec/heartbeat runs use hidden transcript path: Heartbeat-runner builds exec-event runs as Provider: "exec-event" and passes isHeartbeat: true into the reply path, so async exec completions use the heartbeat/runtime-event handling rather than an ordinary visible user turn. (src/infra/heartbeat-runner.ts:981, c7a0d9b1889c)
• System events stay out of transcript prompt: runPreparedReply adds drained system-event blocks to the agent prompt but builds transcriptCommandBody from transcriptBodyBase; for heartbeat-triggered runs that transcript body is empty, so runtime/system prompts are not persisted as visible user transcript text. (src/auto-reply/reply/get-reply-run.ts:501, c7a0d9b1889c)
• Runtime-only prompt handling: When transcriptPrompt is empty, the embedded runner treats the effective prompt as runtime-only context and submits an empty visible prompt, with the runtime event carried through system/runtime context instead of a user message. (src/agents/pi-embedded-runner/run/runtime-context-prompt.ts:35, c7a0d9b1889c)
• Regression coverage for system-event transcript separation: Existing tests assert queued System: events are present in the agent prompt but not in transcriptCommandBody/followupRun.transcriptPrompt, and that heartbeat prompts produce an empty transcript prompt. (src/auto-reply/reply/get-reply-run.media-only.test.ts:982, c7a0d9b1889c)
• Regression coverage for runtime-only visible prompt: The embedded-runner context-engine test asserts runtime-only context submits an empty visible prompt and does not leave the internal event as a user message in the message snapshot. (src/agents/pi-embedded-runner/run/attempt.spawn-workspace.context-engine.test.ts:197, c7a0d9b1889c)
• Related PR supersedes remaining UI-layer work: The provided PRtags context groups fix(ui): filter system event messages from chat transcript (#68508) #68518 with fix(ui): filter leaked control ui transcript rows #67036 and fix(ui): hide async exec system events and heartbeat acks from chat transcript #69366 as duplicate Control UI async exec/system transcript-leak work. fix(ui): filter leaked control ui transcript rows #67036 remains open and is broader than fix(ui): filter system event messages from chat transcript (#68508) #68518, covering history-side filtering plus a render-time guard for known leaked row shapes.

So I’m closing this here and keeping the remaining discussion on the canonical linked item.

Codex Review notes: model gpt-5.5, reasoning high; reviewed against c7a0d9b1889c.