Anthropic thinking blocks rejected after sanitizeTransportPayloadText() mutates signed content

[bryanbaer]

Bug: Anthropic thinking blocks rejected after sanitizeTransportPayloadText() mutation

Reporter: Bryan Baer (cerebral.baerautotech.com)
Date: 2026-05-27
OpenClaw version: 2026.5.26
Severity: High — blocks all long-running sessions on Anthropic models when thinking is enabled

---

Summary

provider-stream-DRIaVJMo.js applies sanitizeTransportPayloadText() to the content of Anthropic-signed thinking blocks while preserving the original thinkingSignature. The sanitizer strips orphan UTF-16 surrogate halves, mutating the text. Anthropic's API rejects the next turn because the mutated text no longer matches the cryptographic signature it issued in the prior response.

Symptoms

API error from Anthropic:

LLM error invalid_request_error: messages.N.content.M: thinking or
redacted_thinking blocks in the latest assistant message cannot be
modified. These blocks must remain as they were in the original response.

Where N is the offending message index (typically 100+ in long sessions) and M is the offending content block index.

Reproduction

1. Start a session against any Anthropic Claude model with extended thinking enabled (e.g. claude-sonnet-4-6, claude-opus-4-7)
2. Reach a point where the assistant's thinking contains a character represented as a UTF-16 surrogate pair (any emoji like 🤔, mathematical symbols like 𝑎, certain code blocks containing non-BMP characters)
3. Continue the conversation past that turn
4. Next API call fails with the error above

Affects:

• Multi-turn sessions where thinking blocks accumulate in history
• Subagent runs that span more than a few turns
• Any session compaction that replays the assistant message stream
• Mixed-content reasoning that touches non-BMP Unicode

Root Cause

File: src/agents/provider-stream.ts (compiled to dist/provider-stream-DRIaVJMo.js)
Lines: ~301–322 (compiled)

if (block.type === "thinking") {
    if (block.redacted) { /* ... */ }
    if (block.thinking.trim().length === 0) continue;
    if (!block.thinkingSignature || block.thinkingSignature.trim().length === 0) {
        blocks.push({
            type: "text",
            text: sanitizeTransportPayloadText(block.thinking)
        });
    } else {
        const thinking = sanitizeTransportPayloadText(block.thinking);  // ← BUG
        if (block.thinkingSignature === "reasoning_content") {
            // ... allowReasoningContentReplay path ...
        }
        blocks.push({
            type: "thinking",
            thinking,                              // ← mutated text
            signature: block.thinkingSignature     // ← original signature for unmutated text
        });
    }
}

sanitizeTransportPayloadText (in openai-transport-stream-DNhzccm-.js):

function sanitizeTransportPayloadText(text) {
    return text.replace(/[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?<![\uD800-\uDBFF])[\uDC00-\uDFFF]/g, "");
}

This regex strips lone surrogates. It also strips characters during multi-codepoint normalization edge cases if any prior stage has touched the text.

The signature attached by Anthropic is computed against the EXACT byte representation Anthropic returned. ANY mutation to the text breaks the signature, even removing characters that "look" invalid to OpenAI-style transports.

Why this is wrong for Anthropic specifically

The OpenAI/Azure-OpenAI transport requires sanitizeTransportPayloadText because their Responses API rejects messages containing orphan surrogates. Anthropic does not have this constraint — they happily round-trip their own response data byte-for-byte. The sanitizer should only run for transports that need it, and never for content whose integrity is signed by the provider.

The reasoning_content signature variant is a synthetic value OpenClaw assigns to non-Anthropic reasoning (e.g. xAI Grok, DeepSeek). Those signatures are not cryptographic — they're just markers. Sanitizing those is fine.

Fix

                if (block.type === "thinking") {
                    if (block.redacted) { /* ... */ }
                    if (block.thinking.trim().length === 0) continue;
                    if (!block.thinkingSignature || block.thinkingSignature.trim().length === 0) {
                        blocks.push({
                            type: "text",
                            text: sanitizeTransportPayloadText(block.thinking)
                        });
                    } else {
-                       const thinking = sanitizeTransportPayloadText(block.thinking);
+                       // Do NOT sanitize Anthropic-signed thinking blocks. Sanitization mutates
+                       // the text and invalidates the cryptographic signature attached by Anthropic.
+                       // Only sanitize the synthetic "reasoning_content" signature variant.
+                       const thinking = block.thinkingSignature === "reasoning_content"
+                           ? sanitizeTransportPayloadText(block.thinking)
+                           : block.thinking;
                        if (block.thinkingSignature === "reasoning_content") {
                            // ...
                        }
                        blocks.push({
                            type: "thinking",
                            thinking,
                            signature: block.thinkingSignature
                        });
                    }
                }

Impact (in our deployment)

Today's session (4-hour registry migration with parallel Sonnet subagents):

• 4 subagent crashes with this error
• ~2 hours of work lost across crashed sessions
• Required falling back to background shell processes (no thinking) for some workloads
• Conversation history corruption: once a session hits this state, every subsequent turn fails until the corrupted thinking block is removed from history

This is blocking real production work on platforms relying on OpenClaw + Anthropic.

Suggested test case

// tests/provider-stream-thinking-signature.test.ts
import { describe, it, expect } from "vitest";
import { transformTransportMessages } from "../src/agents/provider-stream";

describe("thinking block signature preservation", () => {
    it("does not mutate Anthropic-signed thinking content", () => {
        const input = {
            role: "assistant",
            content: [{
                type: "thinking",
                thinking: "Let me think about 🤔 this problem",  // emoji is a surrogate pair
                thinkingSignature: "ANTHROPIC_REAL_SIGNATURE_BASE64",
            }]
        };
        const output = transformTransportMessages([input], { provider: "anthropic" });
        expect(output[0].content[0].thinking).toBe("Let me think about 🤔 this problem");
    });

    it("does sanitize reasoning_content variant (non-Anthropic)", () => {
        const input = {
            role: "assistant",
            content: [{
                type: "thinking",
                thinking: "broken\uD800surrogate",  // lone surrogate
                thinkingSignature: "reasoning_content",
            }]
        };
        const output = transformTransportMessages([input], { provider: "xai" });
        expect(output[0].content[0].thinking).toBe("brokensurrogate");
    });
});

Workaround (applied locally)

Patched dist/provider-stream-DRIaVJMo.js directly with the fix above. Backup of original at dist/provider-stream-DRIaVJMo.js.bak-pre-thinking-sig-fix.

---

I'm happy to submit this as a PR to the upstream repo. Let me know if you want any additional diagnostic data (sample failing message, stack trace, etc.) attached.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed May 27, 2026, 8:31 PM ET / 00:31 UTC.

Summary
Keep open: current main and v2026.5.26 still sanitize non-synthetic signed Anthropic thinking text before replaying it with the original signature. The broader Claude replay cluster at #85781 is related, but this report identifies a distinct native Anthropic transport mutation that should be fixed directly.

Reproducibility: yes. source-reproducible: construct an Anthropic assistant history with non-synthetic signed thinking content that sanitizeTransportPayloadText would mutate, then inspect the outgoing request payload. I did not run a live Anthropic API call in this read-only review.

Next step
This is a localized provider-transport bug with clear affected files, a dependency contract, and a focused regression-test path.

Review details

Best possible solution:

Preserve provider-owned signed Anthropic thinking and redacted-thinking content byte-for-byte, keep sanitizer behavior for unsigned text and synthetic reasoning_content, and add a focused regression test for the mutation case.

Do we have a high-confidence way to reproduce the issue?

Yes, source-reproducible: construct an Anthropic assistant history with non-synthetic signed thinking content that sanitizeTransportPayloadText would mutate, then inspect the outgoing request payload. I did not run a live Anthropic API call in this read-only review.

Is this the best way to solve the issue?

Yes, the narrow maintainable fix is to gate sanitization by signature ownership: preserve real Anthropic signatures unchanged and keep the existing sanitizer for unsigned or synthetic reasoning content.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• No live Anthropic replay was run during this read-only review; the current proof is source and dependency-contract based.
• The reporter's emoji-only suggested fixture would not catch the sanitizer mutation because the current sanitizer preserves valid surrogate pairs; the regression should include an actually mutated signed string such as an unpaired surrogate.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 748510b7a3e1.

Label changes

Label changes:

• add P1: The current release can make Anthropic thinking-enabled multi-turn sessions fail repeatedly on replay for affected users.
• add impact:session-state: The report concerns replayed session history becoming unusable until the offending thinking block is removed or rotates out.
• add impact:auth-provider: The failure is in Anthropic provider payload transformation and is rejected by the provider's signed-thinking contract.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:queueable-fix: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.

Label justifications:

• P1: The current release can make Anthropic thinking-enabled multi-turn sessions fail repeatedly on replay for affected users.
• impact:session-state: The report concerns replayed session history becoming unusable until the offending thinking block is removed or rotates out.
• impact:auth-provider: The failure is in Anthropic provider payload transformation and is rejected by the provider's signed-thinking contract.

Evidence reviewed

Acceptance criteria:

• node scripts/run-vitest.mjs src/agents/anthropic-transport-stream.test.ts -t "thinking"
• node scripts/run-vitest.mjs src/agents/transport-stream-shared.test.ts src/agents/anthropic-transport-stream.test.ts
• git diff --check

What I checked:

• Repository policy read: Root AGENTS.md was read fully, and src/agents/AGENTS.md was read for the affected agent runtime area. (AGENTS.md:1, 748510b7a3e1)
• Current source mutates signed thinking: Current main computes const thinking = sanitizeTransportPayloadText(block.thinking) for any non-empty thinking signature before pushing a thinking block with the original signature. (src/agents/anthropic-transport-stream.ts:383, 748510b7a3e1)
• Sanitizer changes text: sanitizeTransportPayloadText removes unpaired UTF-16 surrogate code units, so applying it to signed provider-owned thinking can change the signed text. (src/agents/transport-stream-shared.ts:28, 748510b7a3e1)
• Shipped behavior still has the same path: The latest release tag v2026.5.26 contains the same signed-thinking sanitization before replay, matching the reporter's version. (src/agents/anthropic-transport-stream.ts:381, 10ad3aa16068)
• Dependency contract requires unchanged blocks: Anthropic's official extended-thinking docs say thinking blocks passed back in multi-turn conversations must be unchanged and that signatures verify thinking block integrity.
• Adjacent OpenClaw code already recognizes immutability: Session transcript repair has an inline invariant that signed Anthropic thinking blocks must remain byte-for-byte stable on replay, which conflicts with the current transport sanitizer path. (src/agents/session-transcript-repair.ts:317, 748510b7a3e1)

Likely related people:

• Vincent Koc: Current blame and local history tie the Anthropic transport runtime and shared transport sanitizer helper to Vincent Koc's commits. (role: recent area contributor; confidence: high; commits: 21d96098664d, ea4265a82063, d8458a1481e9; files: src/agents/anthropic-transport-stream.ts, src/agents/transport-stream-shared.ts)
• Shakker: A prior local-history commit by Shakker changed signed-thinking transcript repair, the nearest existing code path documenting provider-owned thinking immutability. (role: adjacent signed-thinking repair contributor; confidence: medium; commits: 408e07f96b6f; files: src/agents/session-transcript-repair.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[bryanbaer]

Update — Additional corruption site found

After patching the send path (lines 301-322 of compiled provider-stream-DRIaVJMo.js), the error continued to occur on subsequent sessions. Tracing showed a SECOND sanitizeTransportPayloadText() call that corrupts thinking content at ingestion time from the Anthropic stream:

// /opt/homebrew/lib/node_modules/openclaw/dist/provider-stream-DRIaVJMo.js, line 843
if (contentBlock?.type === "thinking") {
    const thinking = typeof contentBlock.thinking === "string"
        ? sanitizeTransportPayloadText(contentBlock.thinking)  // ← CORRUPTS AT INGEST
        : "";
    const block = {
        type: "thinking",
        thinking,                                              // ← stored mutated
        thinkingSignature: typeof contentBlock.signature === "string" ? contentBlock.signature : "",
        ...
    };
    output.content.push(block);
    ...
}

This is the primary bug — it corrupts the session memory at storage time, before the message is ever sent back. Every signed thinking block written to session history is permanently mismatched against its signature. The send-path sanitization (already fixed in PR #87460) is downstream of this.

Required fix at the receive path:

                if (contentBlock?.type === "thinking") {
-                   const thinking = typeof contentBlock.thinking === "string" ? sanitizeTransportPayloadText(contentBlock.thinking) : "";
+                   // Do NOT sanitize Anthropic-signed thinking content at ingestion.
+                   // The signature is stored alongside this text and validated by Anthropic
+                   // on subsequent turns. Sanitization mutates the text and breaks signature pairing.
+                   const thinking = typeof contentBlock.thinking === "string" ? contentBlock.thinking : "";
                    const block = {
                        type: "thinking",
                        thinking,
                        thinkingSignature: typeof contentBlock.signature === "string" ? contentBlock.signature : "",
                        ...
                    };
                }

Implications for users with corrupted sessions

Any session that processed a thinking block containing a UTF-16 surrogate before this fix lands has its session memory permanently poisoned for that block. Workaround: drop affected thinking blocks from session history before the next turn, or start fresh sessions after the patch is deployed.

Will update PR #87460

Adding the receive-path fix to the same PR. Should I also add a guard at the read/replay site (selection-DZnXuqgh.js stripInvalidThinkingSignatures) for defense in depth, or just fix the corruption sites?