Delivery layer: posts raw errorMessage verbatim when assistant message has stopReason=error

[alexisperumal]

Summary

OpenClaw's chat delivery layer (Slack verified; Telegram suspected same code path) posts the raw upstream API errorMessage verbatim to the user-facing channel when an assistant message has stopReason=error and the provider populates errorMessage with raw upstream error text (e.g., an OpenAI 500 with a request ID and a help.openai.com URL).

Update (2026-04-29): This issue has been scoped down to Bug 1 only. The originally bundled multi-text concatenation behavior has been split into #74674 per @martingarramon's recommendation — different file, different blast radius, different reviewer pool. The historical text below is preserved for trace continuity; current scope is Bug 1.

Environment

• OpenClaw: 2026.4.14 (originally observed); upstream/main confirmed by community trace at cfda375bb6 (2026-04-22) and 7ddd815e469e (2026-04-28)
• Provider: openai-codex (using api: openai-codex-responses)
• Model: gpt-5.4
• Delivery channel verified: Slack (same code path likely for Telegram; untested)

Evidence

A scheduled cron fire hit an OpenAI 500. The assistant message written to the session store had:

stopReason: error
content: []
errorMessage: "The server had an error processing your request. Sorry about that!
               You can retry your request, or contact us through our help center at
               help.openai.com if you keep seeing this error. (Please include the
               request ID <uuid> in your email.)"

The delivery layer posted the errorMessage text verbatim to the end user's Slack DM.

Source trace (per community trace, 2026-04-22)

• Delivery-side fallback chain at src/agents/pi-embedded-subscribe.handlers.lifecycle.ts:76 (line :65 per Codex re-check on 7ddd815e469e):

  const errorText = (friendlyError || lastAssistant.errorMessage || "LLM request failed.").trim();

  Three levels: (a) formatAssistantErrorText(lastAssistant, …) — the sanitization hook at src/agents/pi-embedded-helpers/errors.ts:925 (line :1142 per re-check), (b) raw lastAssistant.errorMessage, (c) "LLM request failed.".

• formatAssistantErrorText only sanitizes a specific list of error patterns — unknown tool, disk space, auth_refresh, refresh_contention, refresh_timeout. A generic OpenAI 5xx with a request ID and help.openai.com URL matches none of those, so it falls through to position (b) and the raw upstream text reaches the user-facing channel.

• Payload builder at src/agents/pi-embedded-runner/run/payloads.ts:210 pushes errorText with isError: true for terminal assistant errors, so this is on the user-facing delivery path.

Expected behavior

When stopReason=error and the provider's error doesn't match a known friendly classification:

• Suppress the message entirely (admin-log server-side only), OR
• Substitute a generic user-facing fallback (e.g., "Temporary issue — will retry shortly.")
• Never post the raw errorMessage verbatim to end users

Proposed fix — minimal-blast-radius

Per @martingarramon's recommendation in the trace comment:

Option A (smallest): Remove position (b) from the fallback chain — let unmatched errors land on "LLM request failed.". Preserves the existing structured/HTTP-shaped/billing/timeout/schema/transport friendly cases handled earlier in formatAssistantErrorText.

Option B: Keep position (b) but route it through buildTextObservationFields(...).textPreview (already used for the admin log at lifecycle.ts:80-83) so at least URL/PII scrubbing applies before user delivery.

Test caveat

Per Codex re-check (2026-04-28): src/agents/pi-embedded-subscribe.handlers.lifecycle.test.ts:145 currently asserts the sanitized-raw behavior on a secret-like unclassified error (expects x-api-key: *** in the emitted lifecycle error text). Any fix that replaces raw error text with a generic fallback or suppression needs that test updated alongside.

Acceptance

• When OpenAI returns an unclassified API error (request ID + help.openai.com URL), the user-facing channel never sees the raw errorMessage text.
• Existing friendly-classification cases (structured JSON, HTTP-shaped, billing, timeout, schema, transport) continue to be sanitized as today.
• Lifecycle regression test updated to reflect the new fallback behavior.

Retry-with-backoff

A separate / larger feature — not requested here; this issue focuses on the delivery-layer fallback only.

Offer

Happy to test a PR against our production deployment and provide additional evidence (scrubbed of user data) if useful.

Related

• Bug 2 (multi-text concatenation) split out to #74674.

[martingarramon]

Source trace on current upstream/main (cfda375bb6):

Bug 1 (raw errorMessage surfacing). The delivery-side fallback chain is at src/agents/pi-embedded-subscribe.handlers.lifecycle.ts:76:

const errorText = (friendlyError || lastAssistant.errorMessage || "LLM request failed.").trim();

Three levels: (a) formatAssistantErrorText(lastAssistant, ...) — the sanitization hook at src/agents/pi-embedded-helpers/errors.ts:925, (b) raw lastAssistant.errorMessage, (c) "LLM request failed.".

formatAssistantErrorText only sanitizes a specific list of error patterns — unknown tool, disk space, auth_refresh, refresh_contention, refresh_timeout (errors.ts:925-980 et seq). A generic OpenAI 5xx with a request ID and help.openai.com URL matches none of those, so it falls through to position (b) and the raw upstream text reaches the user-facing channel as reported.

Minimal-blast-radius fix: remove position (b) and let unmatched errors land on "LLM request failed." Alternative: keep (b) but route it through buildTextObservationFields(...).textPreview (already used for the admin log at lifecycle.ts:80-83) so at least URL/PII scrubbing applies.

Bug 2 (multi-text concatenation). Broader surface. Delivery path reaches src/agents/pi-embedded-subscribe.handlers.messages.ts:546:

const rawVisibleText = coerceChatContentText(extractAssistantVisibleText(assistantMessage));

extractAssistantVisibleText at src/agents/pi-embedded-utils.ts:116 → extractAssistantTextForPhase(msg) at pi-embedded-utils.ts:47-115 which concatenates all matching-phase text blocks with joinWith: "\n" (line 106). Parallel fn with the same shape lives at src/shared/chat-message-content.ts:155. No "pick one" logic.

Blast-radius check on the shared extractor — callers beyond the Slack delivery path:

• TUI: src/tui/tui-formatters.ts:300
• Gateway session dump: src/gateway/session-utils.fs.ts:637
• Chat-history tool: src/agents/tools/chat-history-text.ts

Changing the default from joinWith: "\n" to pick-last flips behavior for all four surfaces. That's a policy call for the subsystem owner — the config-flag approach in the issue body scopes cleanly but adds config surface.

On bundling. The rationale ("same code path, same sanitization function covers both") is partially off — Bug 1 is a single-file fallback-chain issue; Bug 2 is a shared text-extractor policy with 4+ callers. Different blast radius, different reviewers likely. Would suggest splitting: keep #69737 scoped to Bug 1, file a separate issue for Bug 2 with the cross-surface policy question.

Can open a PR on Bug 1 if the fallback-chain direction is agreed.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open. Current main still has a source-level path where the reported unclassified provider text can miss the existing classifier, fall through as raw errorMessage, and be pushed as a channel-visible error reply; #41803 targets this area but is still open and not merged.

Reproducibility: yes. source-level. The reported wording misses the current generic-provider classifier, the formatter can still return raw unclassified text, and the payload builder sends that text as an isError reply.

Next step
Do not queue a duplicate repair lane while #41803 already targets the same fallback; the next action is maintainer review, refresh, or replacement of that PR.

Security
Needs attention: The issue is security-sensitive because raw provider diagnostics can still reach end users through channel delivery.

Review details

Best possible solution:

Land a focused current-main formatter and payload regression that maps truly unclassified provider errors to safe user-facing copy while preserving redacted operator diagnostics and existing classified recovery messages.

Do we have a high-confidence way to reproduce the issue?

Yes, source-level. The reported wording misses the current generic-provider classifier, the formatter can still return raw unclassified text, and the payload builder sends that text as an isError reply.

Is this the best way to solve the issue?

Yes for the narrowed direction, but no complete fix is merged. The maintainable path is to review, refresh, or replace #41803 with current-main tests for the reported OpenAI help-center/request-ID wording.

Label changes:

• add P2: This is a concrete user-facing information-disclosure bug with a bounded formatter/payload fix surface and an open implementation candidate.
• add impact:security: The issue concerns raw provider diagnostics, request IDs, and support URLs crossing from internal error handling into user-facing channel messages.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:no-new-fix-pr: Current issue advisory state selects this label.
• add clawsweeper:needs-security-review: Current issue advisory state selects this label.

Label justifications:

• P2: This is a concrete user-facing information-disclosure bug with a bounded formatter/payload fix surface and an open implementation candidate.
• impact:security: The issue concerns raw provider diagnostics, request IDs, and support URLs crossing from internal error handling into user-facing channel messages.

Security concerns:

• [medium] Suppress unclassified provider diagnostics before delivery — src/agents/pi-embedded-helpers/errors.ts:1195
  Current main can still return raw unclassified assistant error text and then add it to channel reply payloads, which can expose request IDs, provider URLs, or other upstream diagnostics to non-operator users.
  Confidence: 0.9

What I checked:

• Issue scope and related discussion: Live issue data confirms this issue is now scoped to the raw errorMessage delivery bug, while the multi-text concatenation behavior was split to Delivery layer concatenates multiple text content items — pick-one policy needed (split from #69737) #74674; the discussion also links the still-open implementation candidate at fix(agents): suppress unrecognized errors from user surface #41803.
• Classifier misses the reported wording: The generic-provider classifier is anchored on an error occurred while processing your request, and a direct probe of the reported The server had an error processing your request wording returned generic:false even though the help-center URL and request-id markers were present. (src/shared/assistant-error-format.ts:17, 29f8715f05c8)
• Raw formatter fallback remains reachable: After the known classifier branches, formatAssistantErrorText still returns the raw error string or a raw 600-character slice despite the adjacent comment saying raw unhandled errors should not be returned. (src/agents/pi-embedded-helpers/errors.ts:1191, 29f8715f05c8)
• Delivery path is user-visible: Terminal assistant errors call formatAssistantErrorText and push the resulting errorText into replyItems with isError: true, so an unsafe formatter fallback can become channel-visible output. (src/agents/pi-embedded-runner/run/payloads.ts:282, 29f8715f05c8)
• Tests cover adjacent wording, not the reported wording: Formatter and payload tests cover the neighboring An error occurred while processing your request request-id shape, while the search found no targeted coverage for the reported server had an error text. (src/agents/pi-embedded-helpers.formatassistanterrortext.test.ts:69, 29f8715f05c8)
• Latest release has the same raw fallback: The latest release tag v2026.5.18 points at 50a2481652b6a62d573ece3cead60400dc77020d, and the released formatter still has the same raw fallback after the classifier branches. (src/agents/pi-embedded-helpers/errors.ts:1191, 50a2481652b6)

Likely related people:

• y471823206: Authored Handle generic provider internal errors, which added the neighboring classifier and tests in the same formatter and payload surface that currently misses the reported wording. (role: recent adjacent fix contributor; confidence: high; commits: 3b9796ce9b19; files: src/agents/pi-embedded-helpers/errors.ts, src/shared/assistant-error-format.ts, src/agents/pi-embedded-helpers.formatassistanterrortext.test.ts)
• altaywtf: The related request-id suppression work is attributed to Altay in local git history and to altaywtf in prior review context for the same formatter/test surface. (role: recent adjacent contributor; confidence: high; commits: 5988f6538e67; files: src/shared/assistant-error-format.ts, src/agents/pi-embedded-helpers.formatassistanterrortext.test.ts, src/agents/pi-embedded-runner/run/payloads.errors.test.ts)
• vincentkoc: Split the assistant error-formatting seam into the shared formatter that current error classification and formatting depend on. (role: formatter seam contributor; confidence: high; commits: 397b0d85f571; files: src/agents/pi-embedded-helpers/errors.ts, src/shared/assistant-error-format.ts)
• singleGanghood: Authored a recent merged raw JSON parse leak fix in the same assistant error formatting and sanitizer area. (role: adjacent error-formatting contributor; confidence: medium; commits: 0544c6d493ff; files: src/agents/pi-embedded-helpers/errors.ts, src/agents/pi-embedded-helpers.formatassistanterrortext.test.ts, src/shared/assistant-error-format.ts)

Remaining risk / open question:

• Unclassified provider diagnostics may still expose request IDs, provider help URLs, or other upstream text to channel users until the formatter fallback is changed.
• No live Slack or Telegram delivery run was performed in this read-only review; the reproduction is source-level from the formatter and payload path.
• The related fallback PR is open and conflicting, so this issue should not be treated as resolved by existing implementation work.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 29f8715f05c8.

[alexisperumal]

Thanks for the trace — this is exactly what was needed to move the issue forward.

Agree with the split. Done:

• Filed #74674 for Bug 2 (visible-text extractor / cross-surface pick-one policy), framed with the 4-caller blast-radius context (tui-formatters.ts:300, session-utils.fs.ts:637, chat-history-text.ts, plus the delivery path) and two viable fix shapes — delivery-only override vs. config flag — so the maintainer policy call has a clean place to land.
• Scoped Delivery layer: posts raw errorMessage verbatim when assistant message has stopReason=error #69737 down to Bug 1 only (title + body updated; preserved the historical text inline as trace continuity).

PR on Bug 1 welcome — happy to test against our production deployment once it's up, and provide scrubbed evidence if useful.

One implementation note flagged by @clawsweeper[bot] in the 2026-04-28 re-check: src/agents/pi-embedded-subscribe.handlers.lifecycle.test.ts:145 currently asserts the sanitized-raw behavior (expects x-api-key: *** redaction in the emitted lifecycle error text), so a fix that drops position (b) of the fallback chain in favor of "LLM request failed." (or suppression) will need that test updated alongside.

— Drafted by Claude Code (my coding agent) and reviewed by me before posting.