PR #72761: Fix: Issue 72703 system events user role

• Repository: openclaw/openclaw
• Author: sahilsatralkar
• State: open | merged: False
• Link: https://github.com/openclaw/openclaw/pull/72761

Description (problem / solution / changelog)

Summary

Describe the problem and fix in 2–5 bullets:

If this PR fixes a plugin beta-release blocker, title it fix(<plugin-id>): beta blocker - <summary> and link the matching Beta blocker: <plugin-name> - <summary> issue labeled beta-blocker. Contributors cannot label PRs, so the title is the PR-side signal for maintainers and automation.

• Problem: queued runtime system events, including background task and deferred maintenance notices, were prepended to user prompt text.
• Why it matters: models could treat OpenClaw-generated maintenance/task notices as user-authored requests, causing confused replies or unnecessary follow-up turns.
• What changed: drained system events now route through runtime system context, while tests assert they stay out of commandBody, followupRun.prompt, and transcript prompt text.
• What did NOT change (scope boundary): heartbeat prompts remain documented user messages; task registry delivery policy, notification formatting, and direct channel delivery behavior are unchanged.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #72703
• Related #
• This PR fixes a bug or regression

Root Cause (if applicable)

For bug fixes or regressions, explain why this happened, not just what changed. Otherwise write N/A. If the cause is unclear, write Unknown.

• Root cause: queued system events were formatted as System: lines and passed into buildReplyPromptBodies, which prepended them to the user prompt path.
• Missing detection / guardrail: tests asserted the old behavior instead of requiring runtime-generated events to stay out of user-authored prompt text.
• Contributing context (if known): heartbeat prompts are intentionally user messages, which made the nearby system-event wake path easy to conflate with normal user prompt delivery.

Regression Test Plan (if applicable)

For bug fixes or regressions, name the smallest reliable test coverage that should catch this. Otherwise write N/A.

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
  • Target test or file: src/auto-reply/reply/get-reply-run.media-only.test.ts
  • Scenario the test should lock in: drained system events are routed to extraSystemPrompt and are absent from commandBody, followupRun.prompt, transcriptCommandBody, and followupRun.transcriptPrompt.
  • Why this is the smallest reliable guardrail: it covers the prompt assembly seam where queued system events are converted into model input without requiring live channel or model execution.
  • Existing test that already covers this (if any): updated existing prompt-placement tests in get-reply-run.media-only.test.ts.
  • If no new test is added, why not: N/A

User-visible / Behavior Changes

Runtime-generated queued system events are no longer presented to the model as user-authored prompt text. Heartbeat prompt behavior is unchanged.

Diagram (if applicable)

For UI changes or non-trivial logic flows, include a small ASCII diagram reviewers can scan quickly. Otherwise write N/A.

 Before:
  [background task update] -> [queued system event] -> [user prompt text] -> [model treats as user input]

  After:
  [background task update] -> [queued system event] -> [runtime system context] -> [model sees non-user runtime context]

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (No)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

• OS: macOS
• Runtime/container: local Node/pnpm workspace
• Model/provider: N/A
• Integration/channel (if any): N/A
• Relevant config (redacted): N/A

Steps

1. Queue or mock a formatted runtime system event.
2. Build a prepared reply.
3. Inspect prompt fields passed to runReplyAgent.

Expected

• Runtime system-event text is present in followupRun.run.extraSystemPrompt.
• Runtime system-event text is absent from user prompt and transcript prompt fields.

Actual

• Before this PR, runtime system-event text was included in commandBody and followupRun.prompt.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios:
  • pnpm test src/auto-reply/reply/get-reply-run.media-only.test.ts src/agents/pi-embedded-runner/run/runtime-context-prompt.test.ts src/agents/pi-embedded- runner/context-engine-maintenance.test.ts
  • pnpm check:changed
  • pnpm build
  • pnpm dlx codex review --base origin/main
• Edge cases checked: untrusted event sender downgrade remains covered; trusted events preserve owner status; deferred follow-up prompts no longer replay system events as user text.
• What you did not verify: live channel delivery with a real messaging integration.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)
• If yes, exact upgrade steps: N/A

Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write None.

• Risk: moving system events out of user prompt text could hide context from deferred turns if not forwarded elsewhere.
  • Mitigation: tests assert the event text is still present in extraSystemPrompt.
• Risk: untrusted system events could regain owner authority.
  • Mitigation: existing ownership downgrade tests remain and continue to pass.

Built with Codex

Changed files

• src/auto-reply/reply/get-reply-run.media-only.test.ts (modified, +24/-15)
• src/auto-reply/reply/get-reply-run.ts (modified, +19/-7)
• src/auto-reply/reply/prompt-prelude.ts (modified, +2/-6)
• src/plugins/cli-registry-loader.ts (modified, +27/-1)
• src/plugins/cli.test.ts (modified, +87/-0)