fix(agents): repair malformed tool-call args on Codex/Responses transports

[Nimraakram22]

Summary
This PR broadens the malformed tool-call argument repair gate in shouldRepairMalformedToolCallArguments to include the openai-codex-responses and azure-openai-responses transports. It also addresses automated review feedback by ensuring code style compliance and narrowing the transport scope to HTTP/SSE-based Response APIs.

Context
GPT-5.5 (via Codex) and Azure-hosted models using the Responses API emit toolcall_delta events with the same partial-JSON shape as the openai-completions API. Previously, these were excluded from the repair gate, which could lead to tools receiving empty {} objects or fragmented JSON, triggering validation failures like "Missing required property".

Changes
Narrowed Transport Scope: Following review feedback, I have explicitly excluded the generic openai-responses transport. This is a safety measure because direct OpenAI sessions can route through WebSockets, which do not emit the toolcall_delta events this specific repair logic relies on ``.

Logic Implementation: Updated the gate in src/agents/pi-embedded-runner/run/attempt.tool-call-argument-repair.ts to return true for verified SSE Response transports.

Test Suite Alignment:

Added positive test cases for the enabled SSE/HTTP transports.

Added a negative test case to ensure openai-responses (WebSocket-capable) remains disabled.

Code Quality: Applied oxfmt to all touched files to satisfy the repository's formatting requirements.

Changelog Documentation: Added a fix entry at the bottom of the UNRELEASED > Fixed section of CHANGELOG.md with proper contributor attribution (thanks @Nimraakram22) and a reference to this PR (#75281) ``.

Testing Verification
Ran the targeted test suite: pnpm vitest src/agents/pi-embedded-runner/run/attempt.tool-call-argument-repair.test.ts.

Result: 8 tests passed.

Verified that azure-openai-responses and openai-codex-responses correctly return true, while openai-responses and unrelated transports (e.g., google-generative-ai) return false.

Issues
Closes #75154

[clawsweeper]

Codex review: needs maintainer review before merge.

Summary
The PR enables malformed tool-call argument repair for Codex and Azure OpenAI Responses transports, adds focused regression coverage and a changelog entry, and narrows transcript-policy cache access to a proven config object.

Reproducibility: yes. for the gate behavior: current main visibly excludes the requested Responses transport IDs, and the PR tests exercise the newly enabled Codex/Azure cases plus the preserved direct OpenAI Responses negative case. A captured malformed Azure live stream is not included.

Next step before merge
No repair lane: I found no discrete actionable patch defect, and the remaining work is CI completion plus the normal maintainer merge decision.

Security
Cleared: The diff adds no dependency, workflow, package-script, secret-handling, artifact download, or supply-chain surface.

Review details

Best possible solution:

Land the narrow allowlist and regression coverage after exact-head CI finishes green, preserving generic openai-responses exclusion unless a separate evidence-backed change expands it.

Do we have a high-confidence way to reproduce the issue?

Yes for the gate behavior: current main visibly excludes the requested Responses transport IDs, and the PR tests exercise the newly enabled Codex/Azure cases plus the preserved direct OpenAI Responses negative case. A captured malformed Azure live stream is not included.

Is this the best way to solve the issue?

Yes. A transport-ID allowlist matches the current SSE event boundary and avoids applying the repair to the WebSocket-capable generic OpenAI Responses path.

What I checked:

• Current main excludes requested transports: On current main, shouldRepairMalformedToolCallArguments only enables Kimi anthropic-messages and openai-completions, so openai-codex-responses and azure-openai-responses do not get this repair wrapper today. (src/agents/pi-embedded-runner/run/attempt.tool-call-argument-repair.ts:297, 56c4f9761c75)
• Runtime path is gated: The embedded runner installs wrapStreamFnRepairMalformedToolCallArguments only after shouldRepairMalformedToolCallArguments returns true, so the allowlist directly controls live stream repair behavior. (src/agents/pi-embedded-runner/run/attempt.ts:2043, 56c4f9761c75)
• SSE Responses stream emits compatible deltas: The HTTP/SSE Responses parser maps response.function_call_arguments.delta into internal toolcall_delta events with accumulated partial JSON, which is the event shape this wrapper repairs. (src/agents/openai-transport-stream.ts:477, 56c4f9761c75)
• Generic OpenAI WebSocket path stays distinct: openai-ws-stream.ts observes response.function_call_arguments.delta only as WebSocket output activity; rg found no toolcall_delta emission there, supporting the PR's decision to keep generic openai-responses disabled. (src/agents/openai-ws-stream.ts:1123, 56c4f9761c75)
• Diff uses a narrow allowlist and tests both sides: The PR adds only azure-openai-responses and openai-codex-responses to the repair allowlist, adds positive tests for those transports, and keeps a direct openai-responses negative test. (src/agents/pi-embedded-runner/run/attempt.tool-call-argument-repair.ts:21, 7a55a76dee85)
• Second commit addresses stale CodeQL cache warning without behavior expansion: The head diff changes transcript-policy caching to keep the narrowed config in cacheConfig before calling the WeakMap, matching the maintainer's force-push after the prior CodeQL review comment. (src/agents/transcript-policy.ts:224, 7a55a76dee85)

Likely related people:

• MonkeyLeeT: Merged PR fix(agents): repair malformed tool-call args on openai-completions #70294 introduced the conservative shouldRepairMalformedToolCallArguments transport gate and the existing openai-responses exclusion that this PR extends. (role: introduced current scoped gate behavior; confidence: high; commits: 49c7319ea5a2, 2ba43f5d270c; files: src/agents/pi-embedded-runner/run/attempt.tool-call-argument-repair.ts, src/agents/pi-embedded-runner/run/attempt.tool-call-argument-repair.test.ts)
• keshavbotagent: Merged PR [codex] fix OpenAI Codex OAuth transport #75111 recently changed OpenAI Codex Responses transport behavior in the adjacent files that determine how Codex Responses streams reach the embedded runner. (role: recent Codex Responses transport contributor; confidence: medium; commits: 388019f5b693; files: src/agents/openai-transport-stream.ts, src/agents/pi-embedded-runner/openai-stream-wrappers.ts, extensions/openai/openai-codex-provider.ts)
• steipete: Recent history shows repeated maintenance of OpenAI Responses, Codex transport, WebSocket routing, transcript-policy caching, and the current PR branch rewrite. (role: recent maintainer and adjacent owner; confidence: high; commits: f8cbd356e1ce, cf511288b84b, b68f3de91b30; files: src/agents/transcript-policy.ts, src/agents/openai-ws-stream.ts, src/agents/openai-transport-stream.ts)

Remaining risk / open question:

• Four exact-head CI checks were still in progress at review time, although no failures were observed.
• Azure live behavior was not exercised in the maintainer comment; coverage relies on the shared SSE event path and unit tests.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 56c4f9761c75.

[steipete]

Rewrote this PR into a narrow maintainer commit on top of current origin/main.

What changed:

• kept the repair gate scoped to openai-completions, Kimi Anthropic Messages, plus the exact Responses transports that need this workaround: openai-codex-responses and azure-openai-responses
• intentionally left generic openai-responses out of the repair gate
• added regression coverage for the gate and the wrapper repair behavior for Codex/Azure Responses
• added the changelog entry with contributor credit

Verification:

• pnpm exec oxfmt --check --threads=1 CHANGELOG.md src/agents/pi-embedded-runner/run/attempt.tool-call-argument-repair.ts src/agents/pi-embedded-runner/run/attempt.tool-call-argument-repair.test.ts
• git diff --check
• pnpm test src/agents/pi-embedded-runner/run/attempt.tool-call-argument-repair.test.ts (9 tests)
• live OpenAI Responses SSE probe with gpt-5.4-mini saw response.function_call_arguments.delta and streamed {"order_id":"oc-live-75154"} as tool-call arguments

Azure live was not run from my machine because there is no configured Azure Responses deployment/provider in the local OpenClaw config; the added unit coverage exercises the same repaired stream event path after provider transport mapping.

[steipete]

Landed via rebase onto current main.

• PR fix commit: 68bfdb4d29
• Main-red unblocker: d7ab2c4c41
• Gate: exact-head CI green before merge; local pnpm tsgo:core, pnpm test src/agents/pi-embedded-runner/run/attempt.tool-call-argument-repair.test.ts, and git diff --check
• Live proof from rewrite: OpenAI Responses SSE with gpt-5.4-mini emitted response.function_call_arguments.delta for streamed tool-call arguments

Issue #75154 auto-closed on merge. Thanks @Nimraakram22!