Skip to content

[STG-2463] fix: silence AI SDK "system message in messages" warning on agent.execute()#2305

Open
shrey150 wants to merge 1 commit into
mainfrom
shrey/stg-fix-aisdk-system-in-messages
Open

[STG-2463] fix: silence AI SDK "system message in messages" warning on agent.execute()#2305
shrey150 wants to merge 1 commit into
mainfrom
shrey/stg-fix-aisdk-system-in-messages

Conversation

@shrey150

@shrey150 shrey150 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

What & why

Every hybrid/DOM agent.execute() call prints this AI SDK v5 warning to the console:

AI SDK Warning: System messages in the prompt or messages fields can be a security risk because they may enable prompt injection attacks. Use the system option instead when possible. Set allowSystemInMessages to true to suppress this warning, or false to throw an error.

It's cosmetic (a warning, not an error), but it fires on essentially every agent run, and the "prompt injection" wording reads alarmingly enough to generate support tickets — it did (customer Christian / kento9288).

Root cause

The agent loop builds its system prompt as a system-role message inside the messages array (prependSystemMessage() in v3AgentHandler.ts) rather than the top-level system param. This is deliberate: it lets the system prompt carry Anthropic ephemeral cache-control via providerOptions (see the function's own comment). AI SDK v5 warns whenever it sees a system message in messages, since it can't distinguish a trusted, library-authored system prompt from untrusted input.

The committed lockfile pinned ai@5.0.133, which predates this warning — so the repo build never saw it, but the ^5.0.133 range means real installs resolve to newer 5.0.x (e.g. 5.0.209) that do warn. That's why users hit it and CI didn't.

Fix

  • Pass allowSystemInMessages: true to the generateText / streamText calls in the agent loop. This is the AI-SDK-sanctioned opt-out for an intentional system-in-messages structure, and it keeps prompt caching intact (vs. moving to top-level system:, which cannot carry per-message providerOptions and would regress Anthropic cache-control).
  • Bump the ai floor ^5.0.133 → ^5.0.185, where allowSystemInMessages is a typed option.
  • Add an explicit return type (LanguageModelV2) to getAISDKLanguageModel. The ai bump pulls a newer @ai-sdk/provider, and without the annotation tsc emits TS2742 ("inferred type … not portable").

E2E Test Matrix

Command / flow Observed output Confidence / sufficiency
BEFORE — published @browserbasehq/stagehand@3.6.0 (resolves ai@5.0.209), hybrid agent.execute() on a real Browserbase session, console captured AI SDK system-in-messages warning emitted: YES (1) — full "…security risk…prompt injection…" text Reproduces the customer's exact symptom on the version they run.
AFTER — local patched build (this branch, same ai@5.0.209), identical hybrid agent.execute() flow, same model, real Browserbase session AI SDK system-in-messages warning emitted: NO (0); run exits cleanly Proves the fix removes the warning without breaking the agent run. Same harness as BEFORE → clean A/B.
pnpm turbo run build --filter @browserbasehq/stagehand Tasks: 3 successful, 3 total (fails with TS2742 before the LLMProvider annotation) Typecheck + emit green; confirms the ai bump + annotation compile.
prettier --check + eslint on changed files All matched files use Prettier code style!, eslint clean Style/lint gates pass.

A/B model: anthropic/claude-haiku-4-5-20251001. Both runs used identical mode: "hybrid" + systemPrompt config (the customer's shape).

Closes STG-2463.

🤖 Generated with Claude Code


Summary by cubic

Silences the AI SDK v5 “system message in messages” warning during hybrid/DOM agent.execute() runs while preserving Anthropic cache-control. Addresses STG-2463.

  • Bug Fixes

    • Pass allowSystemInMessages: true to generateText/streamText so the agent’s system prompt in messages does not warn and caching stays intact.
  • Dependencies

    • Bump ai to ^5.0.185 (lock resolves to 5.0.209).
    • Add explicit LanguageModelV2 return type in getAISDKLanguageModel to avoid TS2742 with newer @ai-sdk/provider.

Written for commit 257ea32. Summary will update on new commits.

Review in cubic

@changeset-bot

changeset-bot Bot commented Jul 2, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 257ea32

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
@browserbasehq/stagehand Patch
@browserbasehq/stagehand-evals Patch
@browserbasehq/stagehand-server-v3 Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 5 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.
Architecture diagram
sequenceDiagram
    participant Client as Agent Caller
    participant Handler as V3AgentHandler
    participant LLMClient as LLM Client
    participant AI_SDK as AI SDK
    participant Cache as Anthropic Cache

    Note over Handler: System prompt built as system-role message<br/>(carries providerOptions for<br/>ephemeral cache‑control)

    Client->>Handler: agent.execute(systemPrompt, messages)

    Handler->>Handler: prependSystemMessage(systemPrompt, messages)<br/>→ messages array with system role + providerOptions

    Handler->>LLMClient: generateText({<br/>    messages,<br/>    allowSystemInMessages: true,<br/>    tools,<br/>    ...<br/>})
    Note right of Handler: NEW: allowSystemInMessages suppresses<br/>the “system message in messages” warning

    LLMClient->>AI_SDK: generateText({<br/>    messages,<br/>    allowSystemInMessages: true,<br/>    ...<br/>})

    alt allowSystemInMessages === true
        AI_SDK->>AI_SDK: No warning emitted<br/>(trusted system prompt)
    end

    AI_SDK->>Cache: System message with providerOptions<br/>(Anthropic cache‑control)
    Cache-->>AI_SDK: Cached response (if applicable)

    AI_SDK-->>LLMClient: Generated result
    LLMClient-->>Handler: Result

    Note over Handler: Streamed path also uses<br/>allowSystemInMessages: true

    opt Streaming path
        Handler->>LLMClient: streamText({<br/>            messages,<br/>            allowSystemInMessages: true,<br/>            ...<br/>        })
        Note right of LLMClient: Same flag applied to streamText
        LLMClient->>AI_SDK: streamText(...)
        AI_SDK-->>LLMClient: Streamed chunks
        LLMClient-->>Handler: Streamed result
    end

    Handler-->>Client: Final response

    Note over Handler,AI_SDK: Dependency bump ai ^5.0.133 → ^5.0.185<br/>enables allowSystemInMessages as a typed option.
    Note over LLMClient: Explicit return type LanguageModelV2<br/>on getAISDKLanguageModel avoids TS2742.
Loading

Re-trigger cubic

@shrey150 shrey150 force-pushed the shrey/stg-fix-aisdk-system-in-messages branch from 7454233 to cef8a05 Compare July 2, 2026 18:39
The hybrid/DOM agent loop supplies its system prompt as a system-role
message (so it can carry Anthropic ephemeral cache-control via
providerOptions), which trips AI SDK v5's "System messages in the prompt
or messages fields can be a security risk" warning on every
agent.execute() call. Pass allowSystemInMessages: true to
generateText/streamText so the intentional, Stagehand-authored system
prompt no longer warns, while keeping prompt caching intact.

Bump the ai floor to ^5.0.185 (where allowSystemInMessages exists) and
add an explicit return type to getAISDKLanguageModel so tsc stays
portable under the newer @ai-sdk/provider it pulls in.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@shrey150 shrey150 force-pushed the shrey/stg-fix-aisdk-system-in-messages branch from cef8a05 to 257ea32 Compare July 2, 2026 19:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant