fix(agents): keep hook context in embedded prompts

[Alix-007]

Summary

• keep before_prompt_build prependContext/appendContext in the embedded runner model prompt when transcriptPrompt is present
• strip marked OpenClaw internal runtime-context blocks into hidden runtime context messages
• fail closed on malformed/unterminated internal runtime-context blocks so hidden text cannot leak into the model prompt
• update context-engine and prompt-splitter regression coverage for prompt-local hooks, multi-block extraction, inline marker mentions, and malformed blocks

Fixes #86849.

Real behavior proof

• Behavior or issue addressed: Embedded-runner before_prompt_build prependContext/appendContext must remain in the model prompt when a separate persisted transcriptPrompt exists, while valid and malformed internal runtime-context blocks stay out of the model prompt.
• Real environment tested: Local OpenClaw checkout at PR head 1d17a3f5596c, Linux, Node v22.22.0, runtime module src/agents/pi-embedded-runner/run/runtime-context-prompt.ts executed through node --import tsx.
• Exact steps or command run after this patch: Ran the real exported resolveRuntimeContextPromptParts() against four cases: valid hook context plus hidden block, unterminated hidden block, multiple hidden blocks, and repeated inline marker mentions.
• Evidence after fix: Terminal output from the runtime command:

{
  "environment": "node v22.22.0 platform=linux",
  "head": "1d17a3f5596c",
  "validPrompt": "dynamic hook context\n\nvisible ask\n\ndynamic hook tail",
  "validRuntimeContext": "<<<BEGIN_OPENCLAW_INTERNAL_CONTEXT>>>\nsecret runtime context\n<<<END_OPENCLAW_INTERNAL_CONTEXT>>>",
  "validPromptLeaksSecret": false,
  "malformedPrompt": "visible ask",
  "malformedLeaksSecret": false,
  "multiRuntimeBlocks": 2,
  "inlinePromptHasMarkerMention": true,
  "inlinePromptLeaksSecret": false
}

• Observed result after fix: Hook prefix/tail remained model-visible, valid hidden context moved to runtimeContext, unterminated hidden context was dropped fail-closed after the visible prompt, two hidden blocks were extracted, and inline marker mentions remained visible without leaking secret block content.
• What was not tested: No browser/channel UI rendering was run manually; the integration regression covers raw transcript/UI text remaining separate from prompt-local hook context.

Verification

• git diff --check origin/main...HEAD
• git diff --check
• node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.core.json src/agents/pi-embedded-runner/run/runtime-context-prompt.ts src/agents/pi-embedded-runner/run/runtime-context-prompt.test.ts
• pnpm check:changed

[Alix-007]

This is a focused fix for #86849. It keeps before_prompt_build prompt context adjacent to the current user prompt in embedded runs, while preserving the existing hidden handling for marked OpenClaw internal runtime-context blocks.

Local verification:

• git diff --check origin/main...HEAD
• OPENCLAW_VITEST_MAX_WORKERS=1 node scripts/run-vitest.mjs src/agents/pi-embedded-runner/run/runtime-context-prompt.test.ts src/agents/pi-embedded-runner/run/attempt.spawn-workspace.context-engine.test.ts --pool forks --maxWorkers=1 --reporter=tap
• pnpm check:changed

@clawsweeper re-review

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

[Alix-007]

Follow-up pushed at 133f57660a with a regression covering the combined path: before_prompt_build prompt context stays visible in the model prompt while inter-session provenance and marked internal runtime context remain hidden in the runtime-context message.

Current local verification:

• git diff --check origin/main...HEAD
• OPENCLAW_VITEST_MAX_WORKERS=1 node scripts/run-vitest.mjs src/agents/pi-embedded-runner/run/runtime-context-prompt.test.ts src/agents/pi-embedded-runner/run/attempt.spawn-workspace.context-engine.test.ts --pool forks --maxWorkers=1 --reporter=tap
• pnpm check:changed

@clawsweeper re-review

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

[Alix-007]

Added structured real behavior proof to the PR body using the real exported runtime prompt splitter at head 133f57660a68.

The runtime output shows hook prepend/append text stays in the model prompt while the marked internal runtime context is excluded from the prompt and retained for hidden handling. No new commit was needed; code and prior targeted verification are unchanged.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Superseded
• Detail: A newer re-review for this item started before this run finished, so GitHub cancelled this older run. Check the latest ClawSweeper run for the current result.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26460916525
• Updated: 2026-05-26T16:27:46.250Z

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 27, 2026, 6:58 PM ET / 22:58 UTC.

Summary
The PR separates embedded runner session/transcript prompts from model prompts so before_prompt_build prepend/append context remains model-visible while internal runtime-context blocks and transcript/UI text stay hidden.

PR surface: Source +360, Tests +500. Total +860 across 9 files.

Reproducibility: yes. source inspection of current main shows the splitter removes transcriptPrompt from effectivePrompt and treats the remainder as runtime context, which reproduces the reported hook-context stripping path when before_prompt_build changes the prompt.

Review metrics: none identified.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• none

Risk before merge

• Merging changes the embedded runner's provider-visible prompt boundary: existing hook/context-engine behavior can differ because the model prompt and persisted transcript prompt are now intentionally separate.
• The patch is security-boundary sensitive because malformed or marked internal runtime-context text must never leak into the model prompt while hook context remains model-visible.

Maintainer options:

1. Accept the prompt-boundary change (recommended)
   Maintainers can merge once they are comfortable that the current tests and proof cover the intended separation between transcript, model prompt, and hidden runtime context.
2. Ask for broader runtime proof
   Maintainers can request an additional real embedded-runner scenario if they want proof beyond the exported helper and CI checks before accepting the boundary change.

Next step before merge
No ClawSweeper repair lane is needed; the remaining action is maintainer merge judgment for a compatibility- and security-sensitive prompt-boundary fix.

Security
Cleared: No concrete supply-chain or credential-handling problem was found; the prompt-hidden-context boundary is tracked as merge risk rather than a patch defect.

Review details

Best possible solution:

Land the current approach after maintainer acceptance of the transcript/model/runtime separation and current-head checks, keeping the focused regression coverage with the prompt-boundary change.

Do we have a high-confidence way to reproduce the issue?

Yes: source inspection of current main shows the splitter removes transcriptPrompt from effectivePrompt and treats the remainder as runtime context, which reproduces the reported hook-context stripping path when before_prompt_build changes the prompt.

Is this the best way to solve the issue?

Yes, with maintainer acceptance: separating session/transcript prompt text from model prompt text is the narrow maintainable fix, and the PR adds focused tests for hidden context extraction and leak prevention.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 550a9b459a35.

Label changes

Label justifications:

• P2: This is a normal-priority agent prompt/session-state bug fix with a bounded runtime surface but meaningful user impact.
• merge-risk: 🚨 compatibility: The PR intentionally separates the model-visible prompt from the persisted transcript prompt, which can affect existing hook and context-engine behavior.
• merge-risk: 🚨 security-boundary: The PR changes how marked internal runtime-context blocks are extracted, dropped, and prevented from reaching model-visible prompt text.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body provides terminal output from the real exported runtime prompt splitter showing hook context retained and valid, malformed, and multi-block internal runtime context kept out of the model prompt.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body provides terminal output from the real exported runtime prompt splitter showing hook context retained and valid, malformed, and multi-block internal runtime context kept out of the model prompt.

Evidence reviewed

PR surface:

Source +360, Tests +500. Total +860 across 9 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	5	424	64	+360
Tests	4	526	26	+500
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	9	950	90	+860

Acceptance criteria:

• node scripts/run-vitest.mjs src/agents/embedded-agent-runner/run/runtime-context-prompt.test.ts src/agents/embedded-agent-runner/run/attempt.spawn-workspace.context-engine.test.ts --pool forks --maxWorkers=1 --reporter=tap
• node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.core.json src/agents/embedded-agent-runner/run/runtime-context-prompt.ts src/agents/embedded-agent-runner/run/runtime-context-prompt.test.ts
• pnpm check:changed

What I checked:

• Root policy read: Root AGENTS.md was read in full; its ClawSweeper policy requires whole prompt/security-boundary review and treats prompt/auth/session/config boundary changes as compatibility-sensitive. (AGENTS.md:18, 550a9b459a35)
• Scoped policy read: The scoped agent runner guide favors focused helper tests plus nearest runner/context-engine proof for embedded runner prompt assembly changes. (src/agents/embedded-agent-runner/run/AGENTS.md:1, 550a9b459a35)
• Current-main bug path: Current main's splitter returns prompt: transcriptPrompt and moves the effective-prompt remainder into runtimeContext, which explains why hook prepend/append context is stripped out when a transcript prompt is present. (src/agents/embedded-agent-runner/run/runtime-context-prompt.ts:63, 550a9b459a35)
• PR implementation path: At PR head, resolveRuntimeContextPromptParts accepts a separate modelPrompt, extracts marked internal runtime context, and returns distinct prompt, modelPrompt, and runtimeContext values. (src/agents/embedded-agent-runner/run/runtime-context-prompt.ts:65, 616440a5ed9b)
• PR call-site path: At PR head, the embedded runner passes the pre-hook prompt into the runtime-context split while separately using promptForModel for model-visible hook context and promptForSession for transcript/session submission. (src/agents/embedded-agent-runner/run/attempt.ts:4163, 616440a5ed9b)
• Regression coverage: The PR adds helper and runner tests for hook context staying model-visible, multiple hidden blocks, inline marker mentions, malformed fail-closed blocks, and transcript marker stripping before provider assembly. (src/agents/embedded-agent-runner/run/runtime-context-prompt.test.ts:41, 616440a5ed9b)

Likely related people:

• steipete: git blame ties the current resolveRuntimeContextPromptParts implementation on main to 15b1e99, and the live PR head commits are signed by the same account. (role: introduced current splitter and recent PR committer; confidence: high; commits: 15b1e99df310, fff4263eb35c, 616440a5ed9b; files: src/agents/embedded-agent-runner/run/runtime-context-prompt.ts, src/agents/embedded-agent-runner/run/attempt.ts, src/agents/embedded-agent-runner/tool-result-context-guard.ts)
• mbelinky: Recent commit 7299c56 touched the embedded runner attempt.ts area for sub-agent cwd/workspace separation, making this a useful routing candidate for adjacent runner behavior. (role: recent adjacent contributor; confidence: medium; commits: 7299c5695317; files: src/agents/embedded-agent-runner/run/attempt.ts)
• martingarramon: PR review comments called out multi-block extraction and delimiter scanning risks, then confirmed the fail-closed delimiter behavior was addressed. (role: reviewer; confidence: medium; files: src/agents/embedded-agent-runner/run/runtime-context-prompt.ts, src/agents/internal-runtime-context.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Moonlit Patch Peep

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: stacks clean commits.
Image traits: location branch lighthouse; accessory lint brush; palette violet, aqua, and starlight; mood focused; pose pointing at a small proof artifact; shell glossy opal shell; lighting cool dashboard glow; background tiny shells and proof notes.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Moonlit Patch Peep in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[martingarramon]

Capturing effectivePrompt before annotateInterSessionPromptText runs ensures hook context reaches the model prompt regardless of annotation order.

extractMarkedRuntimeContext iterates over all BEGIN/END pairs in a for (;;) loop. Existing tests exercise single-block extraction ("keeps hidden runtime context separate from prompt-local additions"), but a prompt assembled with two separate INTERNAL_RUNTIME_CONTEXT_BEGIN/END blocks isn't covered. Add a multi-block test to confirm the remaining splicing is correct across iterations.

Edge case: findDelimitedRuntimeContextTokenIndex recurses each time the delimiter appears in text but not on its own line. An iterative version would remove the stack-growth risk for deeply nested or repeated delimiter occurrences.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26485432101
• Updated: 2026-05-27T01:44:36.594Z

[martingarramon]

P1 fail-closed behavior confirmed: when extractMarkedRuntimeContext finds an unterminated <<<BEGIN_OPENCLAW_INTERNAL_CONTEXT>>> (no matching END), it returns prompt: before — the text before the marker — and the orphaned block content is dropped from the model prompt. The unterminated-block test locks this contract.

The iterative findDelimitedRuntimeContextTokenIndex preserves the line-delimited semantics of the recursive version. Multi-block extraction and inline-marker preservation both have regression coverage. LGTM.

[martingarramon]

P1 is resolved in 1d17a3f5596c. findDelimitedRuntimeContextTokenIndex anchors tokens to line boundaries — a token only matches when it starts after \n (or at position 0) and ends before \n/\r (or at EOF). The 250-inline-marker test confirms that mid-line occurrences don't match.

The fail-closed path (end === -1) returns { prompt: before.trimEnd() } — everything from the BEGIN marker onward is dropped. The "fails closed for unterminated" test locks the contract: an unterminated block returns { prompt: "visible ask" } with no runtimeContext.

modelPrompt carrying the pre-annotation prompt keeps prependContext/appendContext in the model prompt while inter-session provenance lands in runtimeContext. The new integration test pins both sides of the separation.

CI clean (86/86). LGTM.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Superseded
• Detail: A newer re-review for this item started before this run finished, so GitHub cancelled this older run. Check the latest ClawSweeper run for the current result.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26542959926
• Updated: 2026-05-27T22:46:07.698Z

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26543485225
• Updated: 2026-05-27T22:58:29.280Z

[steipete]

Landed via squash as 8b7a482. Thanks @Alix-007.

Proof:

• rebased head 9715d3a
• GitHub CI run 26544578760 passed
• local tsgo/test-types, oxfmt, oxlint, git diff check passed
• autoreview clean, no accepted/actionable findings