fix: keep inter-session provenance out of transcripts

[Patrick-Erichsen]

Summary

• keep inter-session provenance annotations in the model-facing prompt path
• stop persisting those annotations as the transcript/user-visible prompt body
• update regression coverage for auto-reply prompt bodies and context-engine runtime context handling

Verification

• OPENCLAW_VITEST_MAX_WORKERS=1 node scripts/run-vitest.mjs src/auto-reply/reply.raw-body.test.ts src/auto-reply/reply/prompt-prelude.test.ts src/auto-reply/reply/get-reply-run.media-only.test.ts src/agents/pi-embedded-runner/run/runtime-context-prompt.test.ts src/agents/pi-embedded-runner/run/attempt.spawn-workspace.context-engine.test.ts
• git diff --check origin/main..HEAD
• AUTOREVIEW_AUTO_TESTS=0 .agents/skills/autoreview/scripts/autoreview --mode local

Real behavior proof

Behavior addressed: Inter-session messages routed into a Control UI/webchat session were persisted with model-facing provenance text such as [Inter-session message] ... isUser=false, so the Control UI rendered internal safety context in the visible chat transcript.

Real environment tested: Local OpenClaw source checkout, disposable OPENCLAW_HOME directories, real Control UI in the in-app browser, gateway instances bound to loopback, and a fake OpenAI-compatible local provider used only to make model turns deterministic.

Exact steps or command run after this patch: Started the patched gateway with a disposable home and local fake provider, opened the actual Control UI, approved browser pairing, sent a baseline UI message, then sent an inter-session/provenance-shaped message through chat.send with systemInputProvenance.kind = "inter_session". Captured the fake provider request body to verify model-facing prompt contents, and queried chat.history to verify the visible transcript contents.

Evidence after fix: The captured model request still contained [Inter-session message] sourceSession=agent:dev:source-control-ui sourceChannel=webchat sourceTool=sessions_send isUser=false and the clean test message. chat.history contained the clean user message and did not contain [Inter-session message].

Observed result after fix: The model still receives the provenance/safety context, while Control UI renders only the clean user-visible message text in the chat transcript.

What was not tested: Live external channels such as WhatsApp/Discord were not rerun for this patch; the repro used the gateway/Control UI path plus a deterministic local provider. Full release/CI suites were not run locally.

[clawsweeper]

Codex review: needs maintainer review before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR stops applying inter-session provenance text to transcript prompt bodies while preserving model-facing provenance through the effective prompt/runtime-context path and updating focused regressions.

Reproducibility: yes. source-reproducible: current main annotates transcript prompt bodies with [Inter-session message], and the PR body provides an after-fix Control UI/gateway proof of the same path.

PR rating
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Summary: The PR is small and well-targeted with strong structured proof, with normal maintainer caution because it touches provenance and transcript state.

Rank-up moves:

• Optional: add a redacted captured provider/chat.history snippet if maintainers want artifact-level proof beyond the structured body text.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

PR egg
✨ Hatched: 🥚 common Pearl Patch Peep

        .--^^^^--.           
     .-'  o    o  '-.        
    /       \__/      \      
   |    /\  ____  /\   |     
   |   /  \/____\/  \  |     
    \  \_.------._/  /       
     '._  `----'  _.'        
        '-.____.-'           
       _/|_|  |_|\_          
      /__|      |__\         
       .-----------.         
      '-------------'        

Rarity: 🥚 common.
Trait: collects tiny proofs.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Pearl Patch Peep in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• How to hatch it: reach status: 👀 ready for maintainer look or status: 🚀 automerge armed; that usually means sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

Real behavior proof
Sufficient (live_output): The PR body gives after-fix real Control UI/gateway proof with captured provider request contents and chat.history results showing provenance retained for the model and absent from the visible transcript.

Risk before merge
Why this matters: - The patch intentionally moves inter-session safety/provenance text out of visible transcript text and relies on hidden runtime-context delivery to preserve the model-facing boundary.

• The PR body did not rerun live external channels such as WhatsApp or Discord, so maintainers should decide whether the Control UI/gateway proof plus focused regressions are enough before merge.

Maintainer options:

1. Merge after maintainer boundary approval (recommended)
   Treat the supplied Control UI/gateway proof and focused regressions as sufficient for this narrow transcript/provenance routing fix.
2. Request broader live-channel proof
   Ask for one additional redacted live external-channel proof if maintainers want confidence beyond the Control UI/webchat path before merging.

Next step before merge
The protected maintainer label and safety/session-state boundary make this a maintainer review and merge decision; no narrow automated repair is needed.

Security
Cleared: No supply-chain, secret-handling, or new code-execution concern found; the security-sensitive provenance-boundary change is covered as merge risk rather than a concrete defect.

Review details

Best possible solution:

Land the narrow transcript cleanup after maintainer approval and CI, keeping model-facing provenance in hidden runtime context while tracking broader external-channel delivery problems separately.

Do we have a high-confidence way to reproduce the issue?

Yes, source-reproducible: current main annotates transcript prompt bodies with [Inter-session message], and the PR body provides an after-fix Control UI/gateway proof of the same path.

Is this the best way to solve the issue?

Yes, the patch targets the two transcript prompt sources while leaving model-facing prompts annotated through the existing runtime-context split. The remaining question is maintainer comfort with the supplied proof scope, not a different implementation shape.

Label justifications:

• P2: This is a limited agent prompt/transcript correctness fix, not an outage or broad channel failure.
• merge-risk: 🚨 session-state: The diff changes what text is persisted as transcript prompt state versus hidden runtime-context state for inter-session turns.
• merge-risk: 🚨 security-boundary: The diff changes the delivery path for inter-session provenance that tells the model the content is not direct end-user instruction.

What I checked:

• Current main annotates embedded transcript prompts: Current main applies annotateInterSessionPromptText to both the model prompt and params.transcriptPrompt before resolveRuntimeContextPromptParts, which matches the reported leak path into finalPromptText/transcript-visible prompt bodies. (src/agents/pi-embedded-runner/run/attempt.ts:3591, b2c5ba6d4c4e)
• Current main annotates auto-reply transcript bodies: buildReplyPromptBodies currently annotates transcriptCommandBody with inter-session provenance even though nearby types describe transcript text as user-visible. (src/auto-reply/reply/prompt-prelude.ts:64, b2c5ba6d4c4e)
• Runtime context splitter supports the proposed separation: resolveRuntimeContextPromptParts already separates a clean transcript prompt from extra effective-prompt context and returns the extra context for hidden runtime delivery. (src/agents/pi-embedded-runner/run/runtime-context-prompt.ts:66, b2c5ba6d4c4e)
• PR diff keeps model provenance while cleaning transcript text: The PR removes provenance annotation from transcript prompt bodies only, while tests assert the visible prompt remains clean and the hidden runtime context still contains [Inter-session message] and isUser=false. (src/agents/pi-embedded-runner/run/attempt.spawn-workspace.context-engine.test.ts:747, fdb8dd2771b5)
• Structured real behavior proof supplied: The PR body reports an after-fix local gateway and Control UI run with a fake OpenAI-compatible provider: captured model request kept provenance text, while chat.history omitted [Inter-session message]. (fdb8dd2771b5)
• History provenance for affected current lines: Current annotated transcript behavior in both central files blames to commit f0b43bf by Peter Steinberger, making that the best current-main routing signal for this path. (src/agents/pi-embedded-runner/run/attempt.ts:3591, f0b43bfd34c4)

Likely related people:

• steipete: Blame and shortlog for the central prompt/transcript files point to Peter Steinberger's f0b43bf current-main commit as the current implementation source for the annotated transcript behavior. (role: recent area contributor; confidence: high; commits: f0b43bfd34c4; files: src/agents/pi-embedded-runner/run/attempt.ts, src/auto-reply/reply/prompt-prelude.ts, src/agents/pi-embedded-runner/run/runtime-context-prompt.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against b2c5ba6d4c4e.

[Patrick-Erichsen]

Screenshots

Before (origin/main): model-facing inter-session provenance leaks into the visible Control UI transcript.

After (this branch): the same inter-session/provenance-shaped message renders as clean transcript text.