fix(runtime): use prependSystemContext to prevent runtime instructions leaking into chat UI#4037
✨ Thanks for submitting this detailed PR about preventing system runtime instructions from leaking into the chat UI. This proposes a way to improve the security and usability of NemoClaw by ensuring that system-level runtime context is not displayed to the user. Related open issues:

Hi 👋 Just checking in — this PR has been open for a week. Let me know if there are any concerns with the approach or if you'd like me to adjust anything. Happy to iterate!

Friendly ping — this has been open for 10 days. The fix uses

Friendly ping — this PR has been open for 11 days. Happy to address any feedback. 🙏

Friendly ping — this PR has been open for 12 days. Happy to adjust the approach if needed. 🙏

Disregard my previous closing comment — I see @cv approved this. Thanks for the review! Ready to merge whenever convenient. 🙏

@kagura-agent can you add a DCO to the PR description, please?
Head branch was pushed to by a user without write access (0c1a648 to 4b4d4fb).

Done — rebased on latest main and added DCO signoff. Thanks for the heads-up! 🙏

@kagura-agent I don't see the DCO Signed-off-by in the PR description, mind adding it?
…s leaking into chat UI

The <nemoclaw-runtime> context block was injected via prependContext, which prepends to the user-visible conversation prompt. On certain models (e.g. Nemotron 3 Super 120B via Ollama), this caused the sandbox policy instructions to appear in the chat UI on the third message.

Switch to prependSystemContext, which injects into the system prompt (invisible to users), matching the intent of these instructions as system-level runtime context.

Fixes NVIDIA#4019

Signed-off-by: kagura-agent <kagura.agent.ai@gmail.com>
be124be to de3a7e2

Done — added the DCO Signed-off-by. Thanks for the reminder! 🙏

Hi @cv — thanks for the approval! DCO signoff is now in place. Would you be able to merge this when convenient? 🙏

@kagura-agent you must add a string like "Signed-off-by Your Name your.email@example.com" to the PR description, not to the commits.

Thanks @cv — added the Signed-off-by line to the PR description. Should be good now! 🙏
## Summary

- Adds the `v0.0.60` section to `docs/about/release-notes.mdx` using the dev announcement from discussion #4877.
- Fills the source-doc gaps found during release-prep review across inference, policy tiers, command behavior, security boundaries, Hermes dashboard/tooling, runtime context, and troubleshooting.
- Refreshes generated agent skills under `.agents/skills/` from the current Fern docs output and upgrades Fern from `5.44.3` to `5.45.0`.

## Source summary

- #4037 -> `docs/reference/architecture.mdx`, `docs/about/how-it-works.mdx`, `docs/about/release-notes.mdx`: Documents system-only runtime context that stays out of visible chat.
- #4875 -> `docs/reference/architecture.mdx`, `docs/about/how-it-works.mdx`, `docs/about/release-notes.mdx`: Documents try-first sandbox network/filesystem guidance and clearer failure classification.
- #4788 -> `docs/security/best-practices.mdx`, `docs/about/release-notes.mdx`: Documents shared OpenClaw device-approval policy for startup and connect.
- #4768 -> `docs/reference/network-policies.mdx`, `docs/network-policy/integration-policy-examples.mdx`, `docs/get-started/quickstart.mdx`, `docs/get-started/quickstart-hermes.mdx`, `docs/reference/commands.mdx`: Documents `weather`, `public-reference`, and Hermes managed-tool gateway preset behavior.
- #3788 and #4864 -> `docs/reference/network-policies.mdx`, `docs/reference/commands.mdx`: Documents non-interactive policy-tier fail-fast behavior and interactive prompt fallback.
- #4756 and #4866 -> `docs/reference/commands.mdx`: Documents env-aware default sandbox resolution for `list`, `status`, and `tunnel` commands.
- #4320 -> `docs/reference/commands.mdx`: Documents `$$nemoclaw tunnel status` behavior.
- #4328 -> `docs/reference/commands.mdx`: Documents line-scoped policy preset descriptions in `policy-list`.
- #4580 and #4748 -> `docs/reference/architecture.mdx`: Documents package-managed OpenShell gateway service and Docker-driver gateway-marker behavior.
- #4598 -> `docs/manage-sandboxes/lifecycle.mdx`: Documents concurrent gateway/dashboard cleanup isolation by sandbox name and port.
- #4777 -> `docs/reference/troubleshooting.mdx`: Documents Docker GPU patch rollback behavior.
- #4610 -> `docs/reference/troubleshooting.mdx`, `docs/reference/commands.mdx`: Keeps mutable OpenClaw config permission guidance aligned and removes skipped experimental wording.
- #4868 -> `docs/reference/commands.mdx`: Keeps `.dockerignore` handling for custom `onboard --from <Dockerfile>` contexts in generated skills.
- #4870 -> `docs/reference/commands.mdx`, `docs/manage-sandboxes/runtime-controls.mdx`: Documents `NEMOCLAW_MINIMAL_BOOTSTRAP` and generated skill coverage.
- #4641 -> `docs/inference/inference-options.mdx`, `docs/reference/troubleshooting.mdx`: Documents local NVIDIA NIM platform-digest pulls and served-model id adoption.
- #4810 and #4867 -> `docs/inference/inference-options.mdx`: Documents stable NGC managed-vLLM image lineage and DGX Station DeepSeek V4 Flash coverage.
- #4852 -> `docs/inference/use-local-inference.mdx`, `docs/reference/troubleshooting.mdx`: Documents Ollama model fit filtering, 16K context floor, cold-load retry, and failed-model exclusion.
- #4847 -> `docs/inference/switch-inference-providers.mdx`: Documents API-family sync, Hermes `api_mode`, and Bedrock Runtime exception.
- #4800 -> `docs/inference/tool-calling-reliability.mdx`: Documents Nemotron managed-inference native tool-search fallback.
- #4333 -> `docs/inference/switch-inference-providers.mdx`: Documents interactive multimodal input prompting.
- #4086 -> `docs/reference/troubleshooting.mdx`: Keeps proxy bypass normalization in generated troubleshooting coverage.
- #4811 and #4855 -> `docs/get-started/quickstart-hermes.mdx`: Documents prebuilt Hermes dashboard assets and TUI recovery without runtime rebuilds.
- #4854 -> `docs/inference/switch-inference-providers.mdx`, `docs/reference/commands.mdx`: Documents Hermes proxy API-key placeholder preservation during inference switches.
- #4248 -> `docs/manage-sandboxes/messaging-channels.mdx`, `.agents/skills/`: Keeps messaging enrollment behavior aligned with manifest-hook implementation.
- #4771 -> `docs/security/best-practices.mdx`, `docs/security/credential-storage.mdx`: Documents Hermes placeholder-only secret boundary for sandbox-visible runtime files.
- #4787 -> `docs/security/best-practices.mdx`, `docs/about/release-notes.mdx`: Documents expanded memory scanner examples for OpenAI project keys and Slack app-level tokens.
- #4848 -> `docs/reference/commands.mdx`: Documents OpenClaw skill install mirroring into the agent home directory.
- #4790 -> `docs/about/release-notes.mdx`: Uses the prior release-prep structure and generated `.agents/skills/` refresh as the template for this release.

## Verification

- `python3 scripts/docs-to-skills.py docs/ .agents/skills/ --prefix nemoclaw-user --doc-platform fern-mdx`
- `python3 scripts/docs-to-skills.py docs/ .agents/skills/ skills/ --prefix nemoclaw-user --doc-platform fern-mdx --dry-run`
- `npm run docs`
- `git diff --check`
- skip-term scan across `docs/`, `.agents/skills/`, and `skills/`
- `npm run build:cli`
- `npm run typecheck:cli`
- Commit and pre-push hook suites, including markdownlint, gitleaks, env-var docs gate, docs-to-skills verification, and skills YAML tests

## Summary by CodeRabbit

## Release Notes

* **New Features**
  * DeepSeek-V4-Flash now available as default inference model for DGX Station.
  * Hermes dashboard improved with dedicated port and OAuth-authenticated tool gateway selection.
  * Added weather and public-reference policy presets for expanded agent capabilities.
  * Enhanced Ollama model selection with GPU memory filtering and automatic retry for timeouts.
* **Bug Fixes**
  * Improved policy tier validation to prevent invalid configurations.
  * Better sandbox cleanup scoping by port to prevent conflicts across deployments.
  * Added GPU patch failure recovery with automatic rollback.
* **Documentation**
  * Expanded troubleshooting guides for inference, security, and sandbox lifecycle.
  * Added .dockerignore best practices for custom deployments.

---------

Co-authored-by: Carlos Villela <cvillela@nvidia.com>
## Summary

Fixes #4019 — system runtime instructions (`<nemoclaw-runtime>` block) leaking into the chat UI on the third message.

## Root Cause

`registerRuntimeContext()` was using `prependContext` in the `before_prompt_build` hook return. In the OpenClaw host, `prependContext` prepends content to the user-visible conversation prompt, which means the sandbox policy instructions could appear in the chat UI — especially with models like Nemotron 3 Super 120B via Ollama that may echo prepended context.

## Fix

Switch from `prependContext` to `prependSystemContext`, which injects into the system prompt (invisible to users). This matches the intent of these instructions as system-level runtime context that should never be displayed to the user.

## Changes

- `nemoclaw/src/runtime-context.ts`: `prependContext` → `prependSystemContext` (1 line)
- `nemoclaw/src/runtime-context.test.ts`: Updated test expectations to match (3 test assertions)

## Testing
Summary by CodeRabbit
Refactor
Tests
Signed-off-by: kagura-agent kagura.agent.ai@gmail.com
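The root cause and fix described in the PR, as an added TypeScript example that is not code from the PR, from NemoClaw or from OpenClaw: it models the two hook fields with an assumed prompt assembler (the host's real internals are not on this page) and a regression check in the spirit of the updated tests, so the leaky and fixed variants can be compared side by side.

```typescript
// Added example (not OpenClaw's or NemoClaw's code): a minimal model of a
// before_prompt_build hook result and of where each field lands. The field
// names prependContext / prependSystemContext come from the PR; the prompt
// assembler below is an ASSUMPTION about host behaviour, written to show why
// the first can surface in the chat UI and the second cannot.

// Assumed shape of the hook result, limited to the two fields the PR discusses.
interface HookResult {
  prependContext?: string;        // prepended to the user-visible conversation prompt
  prependSystemContext?: string;  // prepended to the system prompt (not shown in the UI)
}

interface BuiltPrompt {
  system: string;        // never rendered by the chat UI
  conversation: string;  // what the chat UI renders and some models echo
}

// Constructed stand-in for the runtime block; the real one carries the sandbox policy.
const RUNTIME_BLOCK =
  "<nemoclaw-runtime>\nsandbox policy: (constructed example)\n</nemoclaw-runtime>";

// Before the fix: the runtime block rides along with the conversation.
function leakyRuntimeContext(): HookResult {
  return { prependContext: RUNTIME_BLOCK };
}

// After the fix: the runtime block is injected into the system prompt instead.
function fixedRuntimeContext(): HookResult {
  return { prependSystemContext: RUNTIME_BLOCK };
}

// Assumed host behaviour: each prepend field is joined onto its own section.
function buildPrompt(hook: HookResult, systemBase: string, userTurn: string): BuiltPrompt {
  const system = [hook.prependSystemContext, systemBase].filter(Boolean).join("\n\n");
  const conversation = [hook.prependContext, userTurn].filter(Boolean).join("\n\n");
  return { system, conversation };
}

// Regression check in the spirit of the PR's updated tests: the runtime block
// must be present in the system prompt and absent from the visible conversation.
function runtimeContextStaysHidden(hook: HookResult): boolean {
  const built = buildPrompt(hook, "You are a helpful assistant.", "List my workspace files.");
  return built.system.includes("<nemoclaw-runtime>") &&
    !built.conversation.includes("<nemoclaw-runtime>");
}
```

Running `runtimeContextStaysHidden` against both variants returns `false` for the `prependContext` version and `true` for the `prependSystemContext` version, which is the property the updated `runtime-context.test.ts` assertions pin down.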