openai-responses adapter is unusable against Azure OpenAI: every turn returns a synthetic 0-token refusal (openai-completions works)

[achandmsft]

openai-responses adapter is unusable against Azure OpenAI: every turn returns a synthetic refusal (openai-completions works)

Severity: Blocks all Azure OpenAI users on the Responses adapter.

Summary

Pointing OpenClaw at Azure OpenAI's OpenAI-v1 surface with models[].api: "openai-responses" causes every user message to come back as "I'm sorry, but I cannot assist with that request." with usage.totalTokens == 0 (the model never runs — Azure short-circuits the request). Switching the same model to "openai-completions" makes it work immediately. The trigger is OpenClaw's Sender (untrusted metadata): envelope: Azure's prompt-stage shield on the Responses surface classifies it as Indirect Prompt Injection and refuses, even with a custom RAI policy that disables Jailbreak + Indirect Attack.

Why it matters

• Azure OpenAI is a first-class deployment target. Today the Responses adapter is silently broken there — the gateway boots, the model is configured, but every reply is a synthetic refusal. There is no error in logs and no clear failure signal; users assume the model or their prompt is the problem.
• The two adapters (openai-responses vs openai-completions) are presented as interchangeable in config. They aren't on Azure. This is a footgun.

Repro (5 minutes)

// openclaw.json
{
  "models": {
    "providers": {
      "openai": {
        "baseUrl": "https://<aoai>.openai.azure.com/openai/v1/",
        "models": [{ "id": "gpt-5-mini", "api": "openai-responses" }]
      }
    }
  }
}

Send hello. The session jsonl shows:

{
  "role": "assistant",
  "content": [{"type": "text", "text": "I'm sorry, but I cannot assist with that request."}],
  "usage": {"input": 0, "output": 0, "totalTokens": 0},
  "stopReason": "stop"
}

Flip to "api": "openai-completions". Send hello → normal greeting.

Confirmed not a model / policy issue

A direct call to the same Azure deployment at /openai/v1/responses with the bare envelope returns HTTP 200 + usage.input_tokens=65 + "Hello! How can I help you today?". The shield only fires on the payload OpenClaw assembles for the Responses adapter (system prompt + ## Inbound Context (trusted metadata) + fenced Sender (untrusted metadata): user block + tool catalog + injected workspace files).

Source pointer

Likely culprit: src/auto-reply/reply/inbound-meta.ts — buildInboundUserContextPrefix emits a fenced Sender (untrusted metadata): JSON block on every user turn, paired with a ## Inbound Context (trusted metadata) system block from buildInboundMetaSystemPrompt. On Azure OpenAI's Responses surface, this two-block fingerprint trips an undocumented prompt-stage shield that fires even when the visible Indirect Attack RAI filter is set non-blocking. The same envelope works on openai-completions and on direct AOAI Responses calls without the system-block pairing.

Suggested fixes (any one unblocks Azure users)

1. Add agents.defaults.senderEnvelope: "off" config to opt out of the Sender (untrusted metadata) wrapper for single-tenant trusted-channel deployments (e.g. WebChat-only behind Easy Auth) where there is no untrusted sender.
2. On the Responses adapter, move sender metadata out of user-content (e.g. into the Responses API metadata field or a non-text item) so it doesn't read as injection-shaped.
3. Document Azure OpenAI compatibility and recommend openai-completions until 1 or 2 lands.

Environment

• OpenClaw: latest (npm install -g openclaw@latest, image built 2026-04-24)
• Azure OpenAI: gpt-5-mini 2025-08-07 GlobalStandard, OpenAI-v1 surface, managed-identity auth
• Runtime: Node 24 / Linux / Azure Container Apps

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open: current main still builds the reported trusted-system plus untrusted-user metadata envelope and sends it through the Responses payload path, and I did not find a merged fix or a current doc-only resolution that makes the Azure refusal obsolete.

Reproducibility: no. high-confidence live reproduction is available from this review. Source inspection does confirm that current main emits the reported system/user envelope into the Responses payload path, but Azure's refusal behavior still needs a redacted live Azure run to prove end to end.

Next step
Maintainer review is needed because the fix affects prompt-injection metadata handling and should be backed by live Azure proof before code changes.

Review details

Best possible solution:

Add a live-proven Azure Responses compatibility path that preserves sender/context safety, and document openai-completions as the fallback if no secure Responses payload shape is available yet.

Do we have a high-confidence way to reproduce the issue?

No high-confidence live reproduction is available from this review. Source inspection does confirm that current main emits the reported system/user envelope into the Responses payload path, but Azure's refusal behavior still needs a redacted live Azure run to prove end to end.

Is this the best way to solve the issue?

Unclear: the suggested sender-envelope opt-out may unblock Azure, but it touches an intentional untrusted-metadata safety boundary. A safer solution should be Azure-specific payload shaping or an explicit documented fallback, backed by live Azure proof.

Acceptance criteria:

• Redacted live Azure OpenAI Responses run showing the refusal on current main and a control openai-completions run that succeeds.
• If patched, run pnpm test src/auto-reply/reply/inbound-meta.test.ts src/agents/openai-transport-stream.test.ts plus the narrow changed gate if it stays scoped.

What I checked:

• Reporter context: The issue includes a concrete Azure OpenAI /openai/v1 config, a 0-token synthetic refusal example, a working openai-completions comparison, and a source pointer to inbound metadata construction.
• Trusted inbound metadata is still emitted: Current main builds a ## Inbound Context (trusted metadata) system prompt for inbound channel/provider metadata. (src/auto-reply/reply/inbound-meta.ts:171, ed11b64cbfb3)
• Sender envelope is still user-role text: Current main still formats sender details as Sender (untrusted metadata): in a fenced JSON block that is prepended to the user prompt. (src/auto-reply/reply/inbound-meta.ts:214, ed11b64cbfb3)
• Reply path composes both blocks: get-reply-run injects inbound metadata into extraSystemPrompt and prepends buildInboundUserContextPrefix to the effective user body before the agent run. (src/auto-reply/reply/get-reply-run.ts:542, ed11b64cbfb3)
• Responses transport preserves that prompt shape: The Responses adapter converts context.systemPrompt into a system/developer item and user messages into Responses input; the Azure-specific Responses transport reuses buildOpenAIResponsesParams. (src/agents/openai-transport-stream.ts:981, ed11b64cbfb3)
• Azure provider exists but does not settle this report: Docs say Azure chat/Responses should use onboarding or the dedicated azure-openai-responses/* provider rather than openai.baseUrl alone, but the dedicated transport still shares the same prompt builder path. Public docs: docs/providers/openai.md. (docs/providers/openai.md:793, ed11b64cbfb3)

Likely related people:

• Peter Steinberger: Current blame and recent file history point to Peter across inbound-meta.ts, OpenAI/Azure Responses transport, onboarding, and provider docs. (role: recent maintainer and adjacent owner; confidence: high; commits: 47099da93784, eeef4864494f; files: src/auto-reply/reply/inbound-meta.ts, src/agents/openai-transport-stream.ts, src/commands/onboard-custom-config.ts)
• Ted Li: The relevant inbound metadata history includes fix(prompt): keep inbound chat ids out of system prefix, which is directly adjacent to the trusted-system versus untrusted-user split raised here. (role: prior prompt metadata maintainer; confidence: medium; commits: eb1080369165; files: src/auto-reply/reply/inbound-meta.ts, src/auto-reply/reply/get-reply-run.ts)

Remaining risk / open question:

• I did not live-reproduce the Azure prompt-stage shield behavior, so the refusal trigger remains based on the reporter's Azure evidence plus source-path confirmation.
• Any fix that disables or relocates the sender envelope could weaken OpenClaw's prompt-injection and sender-context boundary if it is not designed carefully.
• The dedicated azure-openai-responses path shares the same Responses payload builder, but this review did not prove whether Azure refuses that exact provider setup too.

Codex review notes: model gpt-5.5, reasoning high; reviewed against ed11b64cbfb3.