docs: document inter-session prompt guards

CHANGELOG.md

@@ -16,6 +16,8 @@ Docs: https://docs.openclaw.ai
 - Channels/Discord: ignore stale route-shaped conversation bindings after a Discord channel is reconfigured to another agent, while preserving explicit focus and subagent bindings. Fixes #73626. Thanks @ramitrkar-hash.
 - NVIDIA/NIM: persist the `NVIDIA_API_KEY` provider marker and mark bundled NVIDIA Chat Completions models as string-content compatible, so NIM models load from `models.json` and OpenAI-compatible subagent calls send plain text content. Fixes #73013 and #50107; refs #73014. Thanks @bautrey, @iot2edge, @ifearghal, and @futhgar.
 - Channels/Discord: let text-only configs drop the `GuildVoiceStates` gateway intent and expose a bounded `/gateway/bot` metadata timeout with rate-limited fallback logs, reducing idle CPU and warning floods. Fixes #73709 and #73585. Thanks @sanchezm86 and @trac3r00.
+- Agents/sessions: mark same-turn `sessions_send` and A2A reply prompts with an inter-session `isUser=false` envelope before they reach the model, so foreign session output no longer lands as bare active user text. Fixes #73702; refs #73698, #73609, #73595, and #73622. Thanks @alvelda.
+- Outbound/security: strip known internal runtime scaffolding such as `<system-reminder>` and `<previous_response>` at the final channel delivery boundary and keep Discord output on targeted tag stripping, so degraded harness replies cannot leak those tags to users. Fixes #73595. Thanks @gabrielexito-stack and @martingarramon.
 - CLI/plugins: use plugin metadata snapshots for install slot selection and add opt-in plugin lifecycle timing traces, so plugin install avoids runtime-loading the plugin registry for metadata-only decisions. Thanks @shakkernerd.
 - fix(plugins): restrict bundled plugin dir resolution to trusted package roots. (#73275) Thanks @pgondhi987.
 - fix(security): prevent workspace PATH injection via service env and trash helpers. (#73264) Thanks @pgondhi987.

docs/concepts/session-tool.md

@@ -93,6 +93,11 @@ the response:
   immediately.
 - **Wait for reply:** set a timeout and get the response inline.
 
+Messages and A2A follow-up replies are marked as inter-session data in the
+receiving prompt (`[Inter-session message ... isUser=false]`) and in transcript
+provenance. The receiving agent should treat them as tool-routed data, not as a
+direct end-user-authored instruction.
+
 After the target responds, OpenClaw can run a **reply-back loop** where the
 agents alternate messages (up to 5 turns). The target agent can reply
 `REPLY_SKIP` to stop early.

docs/reference/transcript-hygiene.md

@@ -96,13 +96,15 @@ agent-to-agent reply/announce steps), OpenClaw persists the created user turn wi
 
 - `message.provenance.kind = "inter_session"`
 
-This metadata is written at transcript append time and does not change role
-(`role: "user"` remains for provider compatibility). Transcript readers can use
-this to avoid treating routed internal prompts as end-user-authored instructions.
+OpenClaw also prepends a same-turn `[Inter-session message ... isUser=false]`
+marker before the routed prompt text so the active model call can distinguish
+foreign session output from external end-user instructions. This marker includes
+the source session, channel, and tool when available. The transcript still uses
+`role: "user"` for provider compatibility, but the visible text and provenance
+metadata both mark the turn as inter-session data.
 
-During context rebuild, OpenClaw also prepends a short `[Inter-session message]`
-marker to those user turns in-memory so the model can distinguish them from
-external end-user instructions.
+During context rebuild, OpenClaw applies the same marker to older persisted
+inter-session user turns that only have provenance metadata.
 
 ---