[STG-2463] fix: silence AI SDK "system message in messages" warning on agent.execute() #2305
Open
shrey150 wants to merge 1 commit into
🦋 Changeset detected

Latest commit: 257ea32

The changes in this PR will be included in the next version bump. This PR includes changesets to release 3 packages
No issues found across 5 files
Confidence score: 5/5
- Automated review surfaced no issues in the provided summaries.
- No files require special attention.
Architecture diagram
```mermaid
sequenceDiagram
    participant Client as Agent Caller
    participant Handler as V3AgentHandler
    participant LLMClient as LLM Client
    participant AI_SDK as AI SDK
    participant Cache as Anthropic Cache
    Note over Handler: System prompt built as system-role message<br/>(carries providerOptions for<br/>ephemeral cache‑control)
    Client->>Handler: agent.execute(systemPrompt, messages)
    Handler->>Handler: prependSystemMessage(systemPrompt, messages)<br/>→ messages array with system role + providerOptions
    Handler->>LLMClient: generateText({<br/> messages,<br/> allowSystemInMessages: true,<br/> tools,<br/> ...<br/>})
    Note right of Handler: NEW: allowSystemInMessages suppresses<br/>the “system message in messages” warning
    LLMClient->>AI_SDK: generateText({<br/> messages,<br/> allowSystemInMessages: true,<br/> ...<br/>})
    alt allowSystemInMessages === true
        AI_SDK->>AI_SDK: No warning emitted<br/>(trusted system prompt)
    end
    AI_SDK->>Cache: System message with providerOptions<br/>(Anthropic cache‑control)
    Cache-->>AI_SDK: Cached response (if applicable)
    AI_SDK-->>LLMClient: Generated result
    LLMClient-->>Handler: Result
    Note over Handler: Streamed path also uses<br/>allowSystemInMessages: true
    opt Streaming path
        Handler->>LLMClient: streamText({<br/> messages,<br/> allowSystemInMessages: true,<br/> ...<br/> })
        Note right of LLMClient: Same flag applied to streamText
        LLMClient->>AI_SDK: streamText(...)
        AI_SDK-->>LLMClient: Streamed chunks
        LLMClient-->>Handler: Streamed result
    end
    Handler-->>Client: Final response
    Note over Handler,AI_SDK: Dependency bump ai ^5.0.133 → ^5.0.185<br/>enables allowSystemInMessages as a typed option.
    Note over LLMClient: Explicit return type LanguageModelV2<br/>on getAISDKLanguageModel avoids TS2742.
```
The hybrid/DOM agent loop supplies its system prompt as a system-role message (so it can carry Anthropic ephemeral cache-control via providerOptions), which trips AI SDK v5's "System messages in the prompt or messages fields can be a security risk" warning on every agent.execute() call. Pass allowSystemInMessages: true to generateText/streamText so the intentional, Stagehand-authored system prompt no longer warns, while keeping prompt caching intact. Bump the ai floor to ^5.0.185 (where allowSystemInMessages exists) and add an explicit return type to getAISDKLanguageModel so tsc stays portable under the newer @ai-sdk/provider it pulls in.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What & why
Every hybrid/DOM `agent.execute()` call prints this AI SDK v5 warning to the console:

It's cosmetic (a warning, not an error), but it fires on essentially every agent run, and the "prompt injection" wording reads alarmingly enough to generate support tickets — it did (customer Christian / kento9288).

Root cause

The agent loop builds its system prompt as a system-role message inside the `messages` array (`prependSystemMessage()` in `v3AgentHandler.ts`) rather than the top-level `system` param. This is deliberate: it lets the system prompt carry Anthropic ephemeral cache-control via `providerOptions` (see the function's own comment). AI SDK v5 warns whenever it sees a system message in `messages`, since it can't distinguish a trusted, library-authored system prompt from untrusted input.

The committed lockfile pinned `ai@5.0.133`, which predates this warning — so the repo build never saw it, but the `^5.0.133` range means real installs resolve to newer 5.0.x (e.g. `5.0.209`) that do warn. That's why users hit it and CI didn't.

Fix

- `allowSystemInMessages: true` to the `generateText`/`streamText` calls in the agent loop. This is the AI-SDK-sanctioned opt-out for an intentional system-in-messages structure, and it keeps prompt caching intact (vs. moving to top-level `system:`, which cannot carry per-message `providerOptions` and would regress Anthropic cache-control).
- `ai` floor `^5.0.133 → ^5.0.185`, where `allowSystemInMessages` is a typed option.
- `LanguageModelV2`) to `getAISDKLanguageModel`. The `ai` bump pulls a newer `@ai-sdk/provider`, and without the annotation tsc emits `TS2742` ("inferred type … not portable").

E2E Test Matrix

- `@browserbasehq/stagehand@3.6.0` (resolves `ai@5.0.209`), hybrid `agent.execute()` on a real Browserbase session, console captured: `AI SDK system-in-messages warning emitted: YES (1)` — full "…security risk…prompt injection…" text
- `ai@5.0.209`), identical hybrid `agent.execute()` flow, same model, real Browserbase session: `AI SDK system-in-messages warning emitted: NO (0)`; run exits cleanly
- `pnpm turbo run build --filter @browserbasehq/stagehand`: `Tasks: 3 successful, 3 total` (fails with `TS2742` before the `LLMProvider` annotation). `ai` bump + annotation compile.
- `prettier --check` + `eslint` on changed files: `All matched files use Prettier code style!`, eslint clean

A/B model: `anthropic/claude-haiku-4-5-20251001`. Both runs used identical `mode: "hybrid"` + `systemPrompt` config (the customer's shape).

Closes STG-2463.
🤖 Generated with Claude Code
Summary by cubic
Silences the AI SDK v5 “system message in messages” warning during hybrid/DOM `agent.execute()` runs while preserving Anthropic cache-control. Addresses STG-2463.

Bug Fixes

- `allowSystemInMessages: true` to `generateText`/`streamText` so the agent’s system prompt in `messages` does not warn and caching stays intact.

Dependencies

- `ai` to `^5.0.185` (lock resolves to `5.0.209`).
- `LanguageModelV2` return type in `getAISDKLanguageModel` to avoid `TS2742` with newer `@ai-sdk/provider`.

Written for commit 257ea32. Summary will update on new commits.
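
The root-cause note above says the AI SDK cannot tell a trusted, library-authored system prompt from untrusted input. As an added example (not code from this PR or from Stagehand), here is one way a handler could enforce that distinction itself before setting `allowSystemInMessages: true`. The types, `validateHistory` and `buildTrustedCall` are hypothetical stand-ins, and message content is simplified to plain strings.

```typescript
// Added example: local stand-in types, not the AI SDK's or Stagehand's own.
type HistoryRole = "user" | "assistant" | "tool";
interface Message {
  role: "system" | HistoryRole;
  content: string;
  providerOptions?: Record<string, Record<string, unknown>>;
}
interface TrustedCall {
  messages: Message[];
  allowSystemInMessages: true;
}

const HISTORY_ROLES: readonly string[] = ["user", "assistant", "tool"];

// Hypothetical guard: caller-supplied history is untyped at runtime, so check
// each role against an allowlist instead of only looking for "system".
function validateHistory(raw: unknown): Message[] {
  if (!Array.isArray(raw)) throw new Error("history must be an array");
  return raw.map((entry: unknown, i: number): Message => {
    if (typeof entry !== "object" || entry === null) {
      throw new Error(`history[${i}] is not an object`);
    }
    const m = entry as { role?: unknown; content?: unknown };
    if (typeof m.role !== "string" || HISTORY_ROLES.indexOf(m.role) === -1) {
      throw new Error(`history[${i}] has disallowed role ${JSON.stringify(m.role)}`);
    }
    if (typeof m.content !== "string") {
      throw new Error(`history[${i}].content must be a string`);
    }
    // Copy only known fields so caller-set providerOptions are not forwarded.
    return { role: m.role as HistoryRole, content: m.content };
  });
}

// Hypothetical wrapper: the only system-role message is the one built here
// from the library's own prompt, which is what justifies setting the flag.
function buildTrustedCall(systemPrompt: string, rawHistory: unknown): TrustedCall {
  const system: Message = {
    role: "system",
    content: systemPrompt,
    // Anthropic ephemeral cache-control carried per message (assumed shape).
    providerOptions: { anthropic: { cacheControl: { type: "ephemeral" } } },
  };
  return { messages: [system, ...validateHistory(rawHistory)], allowSystemInMessages: true };
}
```

With the warning opted out, a check like this is the only thing left that notices a system-role entry arriving through caller-controlled history.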