Codex replay can silently fail Telegram turns with invalid_encrypted_content from mirrored thinking blocks

[chac4l]

Summary

A channel-bound conversation stopped receiving replies even though the gateway and channel provider were healthy. Inbound messages were accepted, but the embedded Codex run failed before producing a deliverable reply because stale mirrored thinking blocks with thinkingSignature / encrypted_content were replayed back to the Responses API.

This made the user-facing symptom look like OpenClaw simply ignored the message.

Environment

• OpenClaw: 2026.5.18 (50a2481)
• @openclaw/codex: 2026.5.12
• Provider/model: openai-codex/gpt-5.5
• Surface: channel/forum-thread style ingress -> embedded/pi Codex harness
• Runtime: Linux, Node 22.x

Evidence Pattern

Operational identifiers, channel ids, session ids, host names, and deployment paths are intentionally redacted.

Two messages entered the gateway for the same bound conversation. Both embedded runs failed before a reply:

[telegram] Inbound message <redacted bound conversation>
[openai-transport] [responses] error ... status=400 code=invalid_encrypted_content ...
The encrypted content <redacted> could not be verified. Reason: Encrypted content could not be decrypted or parsed.
Embedded agent failed before reply: LLM request failed: provider rejected the request schema or tool payload.

The corresponding trajectory recorded:

terminalError: non_deliverable_terminal_turn
assistantTexts: []
finalStatus: error

The session transcript contained historical assistant content blocks like:

{ "type": "thinking", "thinkingSignature": "{...\"encrypted_content\":\"<redacted>\"...}" }

Those blocks were being included in mirrored replay context for later turns. After removing these thinking blocks from the local transcript and clearing the associated Codex app-server binding, the same conversation was able to run again and return a normal response.

Expected Behavior

OpenClaw/Codex replay should not send stale provider-encrypted reasoning payloads back to the model when they cannot be verified for the current request/thread/auth context.

At minimum:

• Strip thinking / redacted_thinking / thinkingSignature blocks from mirrored session history before sending replay messages to Responses.
• Treat invalid_encrypted_content as a recoverable replay-sanitization failure: retry once with reasoning blocks removed.
• Surface a clear channel-visible error if no reply can be delivered, instead of silent non-response.

Actual Behavior

• Channel ingress accepted the messages.
• Gateway/channel health stayed OK.
• The Codex request failed with 400 invalid_encrypted_content.
• The turn ended as non_deliverable_terminal_turn with no assistant text.
• The user received no response or actionable error.

Local Operational Workaround Applied

On the affected deployment, the conversation was restored by:

1. Backing up the affected transcript and trajectory.
2. Removing historical thinking blocks carrying encrypted reasoning signatures from the transcript.
3. Clearing the associated Codex app-server binding for that conversation.
4. Restarting the gateway.
5. Verifying the same conversation could produce a normal response again.

A local installed-runtime mitigation was also applied to strip replayed thinking blocks from mirrored history before building Codex request messages. This is only an operational patch and should be replaced by an upstream fix.

Notes

This may also interact badly with channel UX because failure is invisible to the user. A non-sensitive channel-visible fallback/error would have made the incident much easier to diagnose.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: current main still has the Codex Responses replay path that can re-send thinkingSignature.encrypted_content, and the linked closing PR is open rather than merged.

Reproducibility: yes. source-level reproduction is high confidence: current main builds native Codex Responses params with reasoning replay enabled and the current test asserts encrypted_content is preserved. I did not run the live Telegram/OpenAI path in this read-only review.

Next step
No separate ClawSweeper repair job should be queued because an open closing PR already targets this issue.

Review details

Best possible solution:

Review and land #84367 if its provenance-bound replay fix is acceptable, then close this issue after merge with proof and split any remaining Telegram fallback or compaction-auth work into narrower follow-ups.

Do we have a high-confidence way to reproduce the issue?

Yes, source-level reproduction is high confidence: current main builds native Codex Responses params with reasoning replay enabled and the current test asserts encrypted_content is preserved. I did not run the live Telegram/OpenAI path in this read-only review.

Is this the best way to solve the issue?

Yes, the linked provenance-bound replay fix targets shared OpenAI/Codex request assembly instead of a Telegram-only transcript cleanup. The issue should stay open until that fix merges, with any remaining channel-visible fallback or compaction-auth concern tracked separately if needed.

Label changes:

• remove clawsweeper:fix-shape-clear: Current issue advisory state no longer selects this label.
• remove clawsweeper:queueable-fix: Current issue advisory state no longer selects this label.

What I checked:

• Reporter and follow-up evidence: The issue and three follow-up comments describe multiple live Telegram/Codex deployments where inbound messages were accepted, openai-codex/gpt-5.5 failed with 400 invalid_encrypted_content, and removing or stripping replayed encrypted reasoning restored delivery.
• Current source replays JSON thinking signatures: convertResponsesMessages parses assistant thinkingSignature JSON and pushes it as a Responses reasoning input item; there is no encrypted_content stripping in that branch. (src/agents/openai-transport-stream.ts:851, eb814b021648)
• Native Codex request assembly keeps reasoning replay enabled: buildOpenAIResponsesParams calls convertResponsesMessages with replayReasoningItems: true; native Codex only disables replayed item IDs, not replayed encrypted reasoning content. (src/agents/openai-transport-stream.ts:1703, eb814b021648)
• Current test expectation preserves encrypted content: The native Codex Responses test constructs a prior thinkingSignature with encrypted_content: "ciphertext" and asserts the outgoing reasoning item still contains that encrypted content. (src/agents/openai-transport-stream.test.ts:2185, eb814b021648)
• Replay sanitizer only drops replayable reasoning on model change: The shared history sanitizer passes dropReplayableReasoning: modelChanged, so same-model stale encrypted Codex reasoning can survive into request assembly. (src/agents/pi-embedded-runner/replay-history.ts:751, eb814b021648)
• Live GitHub state has an open closing PR: GitHub reports this issue is open, assigned to joshavant, and has closing PR fix(agents): provenance-bound Codex reasoning replay #84367.

Likely related people:

• joshavant: Assigned to this issue and authored the open closing PR that implements provenance-bound Codex reasoning replay in the affected transport file. (role: current fix owner; confidence: high; commits: fd6a2f61f6ee, 9894a526baca, 1f6aaeaaf05c; files: src/agents/openai-transport-stream.ts, src/agents/openai-transport-stream.test.ts)
• steipete: Git history shows repeated OpenAI Responses reasoning replay and WebSocket reasoning replay fixes, including merges of related prior work in this area. (role: recent area contributor and merger; confidence: medium; commits: cb10682d3ee8, d7b61228e2cb, 6fd1725a0636; files: src/agents/openai-transport-stream.ts, src/agents/openai-transport-stream.test.ts, src/agents/openai-ws-stream.ts)
• joshp123: Authored the merged prior fix preserving OpenAI reasoning replay IDs, which is directly adjacent to the current encrypted reasoning replay failure mode. (role: prior reasoning replay contributor; confidence: medium; commits: 68ea063958ee; files: src/agents/openai-transport-stream.test.ts, src/agents/pi-embedded-runner.sanitize-session-history.test.ts, src/agents/transcript-policy.ts)

Remaining risk / open question:

• The open linked PR deliberately does not cover Telegram-visible fallback messaging or the separate compaction/auth-profile concern, so maintainers may need follow-up issues if those remain after the replay fix lands.
• Current main and the latest release still preserve the problematic encrypted replay shape, so closing before the linked PR merges would hide a real P1 channel/session failure.

Codex review notes: model gpt-5.5, reasoning high; reviewed against eb814b021648.

[chac4l]

Additional field evidence from the same incident, with deployment-specific identifiers redacted:

The first local workaround only stripped thinking blocks in one mirrored-history loader. The issue reproduced after later successful turns wrote fresh thinkingSignature / encrypted_content blocks to the same transcript. A later message on the same bound conversation hit the same failure again:

[telegram] Inbound message <redacted bound conversation>
[agent/embedded] [compaction-diag] ... outcome=failed ... detail=No_API_key_found_for_provider_openai...
[openai-transport] [responses] error ... status=400 code=invalid_encrypted_content ... could not be decrypted or parsed
Embedded agent failed before reply

This suggests the durable fix should be below any single mirrored-history callsite, ideally in the session-context construction / replay sanitization layer itself, so every replay path strips provider-specific encrypted reasoning blocks before request assembly. It may also be worth ensuring compaction uses the active openai-codex auth/profile or skips cleanly when only Codex OAuth is available, because a failed pre-turn compaction preceded the replay failure here.

[zqchris]

Additional live Telegram evidence from a separate local deployment, identifiers redacted.

A real Telegram DM session hit the same user-visible failure on 2026-05-19 21:27 +08:

Telegram DM -> agent:main:telegram:<redacted>
openai-codex/gpt-5.5 -> 400 invalid_encrypted_content
fallback litellm/claude-opus-4-7 -> ECONNRESET
fallback litellm/claude-sonnet-4-6 -> ECONNRESET
channel reply -> ⚠️ Something went wrong while processing your request. Please try again, or use /new to start a fresh session.

The affected session transcript contained 87 historical thinkingSignature JSON blobs with encrypted_content. I applied a transcript-preserving local repair by backing up the session and deleting only the nested encrypted_content fields from replayed reasoning signatures, leaving visible user/assistant text and tool-call structure intact. The same Telegram session then completed a non-delivered health probe through openai-codex/gpt-5.5 with no fallback.

I also tested the durable fix shape locally below the channel layer:

• src/agents/openai-transport-stream.ts: before replaying a Responses reasoning item for openai-codex, strip only encrypted_content from the parsed thinkingSignature item.
• Keep reasoning item IDs/tool-call pairing intact so Responses replay still preserves the needed structure.
• Do not change generic OpenAI Responses replay behavior in this local patch.

Local proof on the affected checkout:

node scripts/run-vitest.mjs src/agents/openai-transport-stream.test.ts src/agents/openai-responses.reasoning-replay.test.ts --testNamePattern 'Codex|reasoning replay'
# 70 passed, 270 skipped

pnpm build
# passed

same Telegram session, after gateway restart:
# openai-codex/gpt-5.5 returned OK, fallbackUsed=false

One nuance: after a successful Codex turn, the provider may persist a fresh encrypted_content blob again. The durable fix therefore needs to sanitize outgoing replay at request assembly time; one-time transcript cleanup alone is not sufficient.