Workflow responses leak internal <function_calls> scaffolding into user-visible chat

[5toCode]

Summary

In workflow-style sessions, user-visible replies sometimes include internal tool-call scaffolding instead of only the clean final result.

Example

User sees leaked content like:

<function_calls>
<invoke name="exec">
<parameter name="command">cd /Users/mikeroberts/.openclaw/workspace && node scripts/knowledge-store.mjs search --query "what skills matter most in the age of AI" --limit 4</parameter>
<parameter name="yieldMs">10000</parameter>
</invoke>
</function_calls>
<function_response>
Searching for: "what skills matter most in the age of AI"
...
</function_response>

Important note

The underlying workflow is often working correctly. In this case, the semantic search result quality was good. The problem is that the user-facing reply is polluted with raw internal tool envelopes and command text.

Expected

Only the final human-readable answer should be shown to the user.

Actual

Internal tool-call scaffolding is included in the user-visible response:

• <function_calls>
• <invoke ...>
• <function_response>
• raw command text
• intermediate internal execution output

Impact

• confusing and noisy UX
• exposes internal implementation details
• makes workflows feel broken even when results are correct
• damages trust in agent responses

Context

Observed in Telegram workflow/agent sessions such as Second Brain, but likely not limited to that workflow.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep this open. Current main covers adjacent <function_calls> and tool-call XML leaks, but it still has no <function_response> sanitizer coverage, so response/output envelope content can remain user-visible on workflow reply paths; the related merged pull request #60619 is useful context but does not close this exact gap.

Reproducibility: yes. at source level. Current main strips the call-side XML wrappers but the shared sanitizer and tests still omit <function_response>, leaving a clear path for result text to survive user-facing cleanup.

Next step
This is a narrow source-provable sanitizer bug with clear files, adjacent tests, and no product or config decision needed.

Review details

Best possible solution:

Extend the shared assistant-visible/user-facing sanitizer to remove machine-generated <function_response> result envelopes, with focused regression tests that preserve literal inline and fenced XML examples.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level. Current main strips the call-side XML wrappers but the shared sanitizer and tests still omit <function_response>, leaving a clear path for result text to survive user-facing cleanup.

Is this the best way to solve the issue?

Yes. The narrow maintainable fix is shared sanitizer coverage plus regression tests, not a Telegram-only workaround or workflow execution change.

Acceptance criteria:

• node scripts/run-vitest.mjs src/shared/text/assistant-visible-text.test.ts src/agents/pi-embedded-helpers.sanitizeuserfacingtext.test.ts src/infra/outbound/sanitize-text.test.ts
• node scripts/crabbox-wrapper.mjs run --shell -- "pnpm check:changed"

What I checked:

• Issue report and prior review identify the exact response-envelope gap: The issue body reports visible <function_calls>, <function_response>, raw command text, and execution output; the existing ClawSweeper comment also kept it open because <function_response> was still not recognized. (916fc3d09ae1)
• Shared XML sanitizer omits function_response: The current tool-call XML quick regex and tag-name set include tool_call, tool_result, function_call, function_calls, function, and tool_calls, but not function_response. (src/shared/text/assistant-visible-text.ts:20, 916fc3d09ae1)
• User-facing sanitizer delegates to the incomplete shared stripper: sanitizeUserFacingText calls stripToolCallXmlTags(..., { stripFunctionCallsXmlPayloads: true }), which strips the reported call-side wrapper but inherits the missing response-envelope tag coverage. (src/agents/pi-embedded-helpers/sanitize-user-facing-text.ts:402, 916fc3d09ae1)
• Plain-text sanitizer does not remove function_response blocks as internal scaffolding: The plain-text runtime scaffold allow-list is only system-reminder and previous_response; unknown HTML/XML tags are stripped later, which would leave the response body text rather than removing the internal result envelope. (src/infra/outbound/sanitize-text.ts:14, 916fc3d09ae1)
• Telegram workflow surface prefers final assistant visible text: The Telegram channel config sets preferFinalAssistantVisibleText: true, so the reported Telegram workflow surface depends on the shared final visible-text sanitization path rather than a Telegram-only fix. (extensions/telegram/src/channel.ts:165, 916fc3d09ae1)
• Regression tests cover function_calls but not function_response: Targeted sanitizer test searches found existing <function_calls> coverage in shared and user-facing tests, with no <function_response> test coverage in the checked sanitizer surfaces. (src/shared/text/assistant-visible-text.test.ts:118, 916fc3d09ae1)

Likely related people:

• steipete: Current blame for the sanitizer tag set and pipeline resolves to Peter Steinberger, and nearby history includes the shared visible-text sanitizer refactors and exec-routing sanitization work. (role: recent area contributor; confidence: high; commits: 0844e771a8df, 712479eea1a1, c63a4f0f13fc; files: src/shared/text/assistant-visible-text.ts, src/agents/pi-embedded-helpers/sanitize-user-facing-text.ts, src/infra/outbound/sanitize-text.ts)
• oliviareid-svg: Authored the merged adjacent fix that introduced shared stripping for leaked <tool_call> and <function_calls> XML scaffolding. (role: related sanitizer contributor; confidence: medium; commits: 7ff90c516a63; files: src/shared/text/assistant-visible-text.ts, src/shared/text/assistant-visible-text.test.ts)
• OfflynAI: Authored the follow-up current-main commit for standalone <function> XML tool-call stripping in the same shared sanitizer surface. (role: adjacent sanitizer contributor; confidence: medium; commits: 78df859e15ac; files: src/shared/text/assistant-visible-text.ts, src/shared/text/assistant-visible-text.test.ts)
• Vincent Koc: Authored the extraction of the user-facing text sanitizer path that currently delegates to the shared XML stripping logic. (role: sanitizer extraction contributor; confidence: medium; commits: 35664d5447a4; files: src/agents/pi-embedded-helpers/sanitize-user-facing-text.ts)

Remaining risk / open question:

• No live Telegram workflow was run in this read-only review; the remaining bug is established from current source and targeted test coverage gaps.
• The fix needs code-region and literal-example guards so documentation or user prose containing XML examples is not stripped.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 916fc3d09ae1.

[steipete]

Fixed on main in b180b8ae48.

Behavior addressed: user-visible sanitizer paths now strip raw workflow <function_response> blocks, including final reply payload delivery and source-reply transcript mirrors, while preserving literal prose examples such as <function_response> is the response wrapper.

Proof run:

• OPENCLAW_VITEST_MAX_WORKERS=1 node scripts/run-vitest.mjs src/auto-reply/reply/agent-runner-payloads.test.ts src/shared/text/assistant-visible-text.test.ts src/agents/pi-embedded-helpers.sanitizeuserfacingtext.test.ts src/agents/pi-embedded-utils.test.ts — 4 files / 262 tests passed.
• pnpm test src/auto-reply/reply/agent-runner.runreplyagent.e2e.test.ts -- --reporter=verbose — 1 file / 47 tests passed.
• git diff --check HEAD^ HEAD — passed.
• Codex review on the sanitizer/reply patch reported no correctness issues.

Remote Testbox proof was attempted as tbx_01krnab7admtkpzgtzyr8x1sz8, but Blacksmith stayed queued for about six minutes and was stopped before execution. Local E2E covered the final delivery leak path that reproduced the issue.

[steipete]

Landed the remaining adjacent <function_response> sanitizer fix in PR #82155.

Commit: 29b5563

Proof:

• Local sanitizer tests: node scripts/run-vitest.mjs src/shared/text/assistant-visible-text.test.ts src/agents/pi-embedded-helpers.sanitizeuserfacingtext.test.ts -- --reporter=verbose — 205 passed.
• Codex review: clean, no accepted/actionable findings after the follow-up fix.
• GitHub Real behavior proof: https://github.com/openclaw/openclaw/actions/runs/25926897171

[steipete]

Fixed on main.

Proof:

• Initial sanitizer fix merged in fix: strip adjacent function_response sanitizer leak #82155: fix: strip adjacent function_response sanitizer leak #82155 (29b5563ccda2496404b07f8341853ecd552b53ad).
• Delivery-path follow-up merged in fix: strip delivery function response leaks #82214: fix: strip delivery function response leaks #82214 (8ac30279b30235e06f39e9eaf9595e67b0b811d7).
• Focused local verification: pnpm test src/shared/text/assistant-visible-text.test.ts src/agents/pi-embedded-helpers.sanitizeuserfacingtext.test.ts -- --reporter=dot passed, and Codex review returned no accepted/actionable findings.