fix: keep media provider inventory internal

[MkDev11]

Summary

• Problem: image_generate / video_generate provider inventory could bypass normal tool-output visibility and be emitted to shared chat surfaces.
• Why it matters: provider/model/capability/auth-env-var inventory is operator environment detail and should not be visible by default in group/channel contexts.
• What changed: removed the compact provider-inventory output bypass so inventory text follows shouldEmitToolOutput().
• What did NOT change (scope boundary): provider list generation, structured tool results, generated media delivery, and verbose/full tool output behavior.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Bug]: image/video provider inventory leaks into Discord group channels as visible tool output #75166
• Related #
• This PR fixes a bug or regression

Root Cause (if applicable)

• Root cause: media provider inventory had a special compact-output path that emitted text even when normal tool output was disabled.
• Missing detection / guardrail: tests asserted the bypass behavior instead of protecting hidden-output surfaces.
• Contributing context (if known): the bypass was added for compact media inventory display but crossed the visibility boundary.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/agents/pi-embedded-subscribe.handlers.tools.media.test.ts
• Scenario the test should lock in: image_generate and video_generate provider inventory does not emit when shouldEmitToolOutput() is false.
• Why this is the smallest reliable guardrail: it exercises the exact tool-result emission path without channel/network fixtures.
• Existing test that already covers this (if any): updated the prior compact provider inventory test and added image coverage.
• If no new test is added, why not: N/A

User-visible / Behavior Changes

Provider inventory text from media list results is no longer shown when normal tool output is hidden. Verbose/full tool output can still show it.

Diagram (if applicable)

N/A

Security Impact (required)

• New permissions/capabilities? No
• Secrets/tokens handling changed? No
• New/changed network calls? No
• Command/tool execution surface changed? No
• Data access scope changed? No
• If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

• OS: Linux
• Runtime/container: local repo test environment
• Model/provider: N/A
• Integration/channel (if any): Discord/shared tool-output path
• Relevant config (redacted): shouldEmitToolOutput: false

Steps

1. Produce an image_generate or video_generate list result with details.providers.
2. Process it through handleToolExecutionEnd with shouldEmitToolOutput() false.
3. Observe whether emitToolOutput is called.

Expected

• Provider inventory remains internal and emitToolOutput is not called.

Actual

• Before this fix, emitToolOutput was called through the compact provider inventory bypass.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios:
  • hidden image_generate provider inventory does not emit
  • hidden video_generate provider inventory does not emit
  • verbose image/video provider inventory still emits
  • dispatcher and Discord process tests still pass
• Edge cases checked:
  • generated media queueing remains covered by existing media tests
  • plain/markdown verbose generated media behavior remains covered
• What you did not verify:
  • live Discord runtime delivery

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? Yes
• Config/env changes? No
• Migration needed? No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: maintainers may want an explicit operator-visible provider inventory mode later.
  • Mitigation: this PR preserves verbose/full tool output and only removes the default hidden-output bypass.

AI Assistance

• AI-assisted: yes, implemented with Codex.
• Testing degree: targeted tests and changed-check lane passed locally.
• I understand what the code does: yes.

[clawsweeper]

Codex review: passed.

Summary
The branch removes the compact image/video provider-inventory output bypass, adds media handler regression tests for hidden and verbose modes, and adds an Unreleased changelog fix entry.

Reproducibility: yes. On current main, a synthetic image_generate or video_generate list result with details.providers and shouldEmitToolOutput false reaches emitToolOutput; the existing media handler test locks in that old video_generate behavior.

Next step before merge
No repair job is needed; this is an automerge-opted implementation PR with no discrete findings, so exact-head checks and merge policy should gate it.

Security
Cleared: The diff narrows a provider-inventory exposure path and does not add execution, dependency, network, permission, or secret-handling changes.

Review details

Best possible solution:

Land one canonical fix that keeps provider inventory off hidden/shared chat surfaces, preserves generated media delivery and internal structured results, then close #75166 and reconcile the overlapping #75728 branch.

Do we have a high-confidence way to reproduce the issue?

Yes. On current main, a synthetic image_generate or video_generate list result with details.providers and shouldEmitToolOutput false reaches emitToolOutput; the existing media handler test locks in that old video_generate behavior.

Is this the best way to solve the issue?

Yes for the narrow reported bug. Removing the compact-output exception is the smallest maintainable handler fix; #75728 is the broader alternative only if maintainers want surface-aware direct-chat diagnostics.

What I checked:

• Current-main bypass: Current main still defines image_generate/video_generate as compact provider-inventory tools and treats details.providers as bypass-eligible. (src/agents/pi-embedded-subscribe.handlers.tools.ts:364, ad0e1a0d5d9b)
• Current-main emission gate: Current main emits tool output when ctx.shouldEmitToolOutput() is false if shouldEmitCompactToolOutput returns true. (src/agents/pi-embedded-subscribe.handlers.tools.ts:556, ad0e1a0d5d9b)
• Current-main test proves old behavior: The existing test on current main asserts that a video_generate provider inventory result emits with shouldEmitToolOutput false. (src/agents/pi-embedded-subscribe.handlers.tools.media.test.ts:427, ad0e1a0d5d9b)
• Inventory contents are operator detail: Image list output includes provider ids, model lists, configured state, auth hints, capabilities, and details.providers. (src/agents/tools/image-generate-tool.ts:626, ad0e1a0d5d9b)
• Shared media inventory includes auth hints: The shared media provider list helper includes provider ids, default/models, capabilities, auth env vars, and details.providers. (src/agents/tools/media-generate-tool-actions-shared.ts:33, ad0e1a0d5d9b)
• PR implementation: The PR patch deletes COMPACT_PROVIDER_INVENTORY_TOOLS/shouldEmitCompactToolOutput and gates output only on ctx.shouldEmitToolOutput(). (src/agents/pi-embedded-subscribe.handlers.tools.ts:516, 56069df90306)

Likely related people:

• steipete: Local blame routes the current compact inventory helper, emission gate, provider-inventory test, and media provider list output to Peter Steinberger, and the feature-history trail includes the provider-support commit that introduced this area. (role: introduced behavior and recent maintainer; confidence: high; commits: 932194b7d58c, 82eb90b8a286, 84dc9f12f1b9; files: src/agents/pi-embedded-subscribe.handlers.tools.ts, src/agents/pi-embedded-subscribe.handlers.tools.media.test.ts, src/agents/tools/image-generate-tool.ts)

Remaining risk / open question:

• fix(dispatch): suppress provider inventory on shared surfaces #75728 is an open broader alternative that preserves direct-chat diagnostics, so maintainers should avoid landing both branches without reconciling the overlap.
• The PR preserves provider inventory in verbose/full tool-output mode; if maintainers want stronger suppression even there, the broader policy needs an explicit product choice.

Codex review notes: model gpt-5.5, reasoning high; reviewed against ad0e1a0d5d9b.

[MkDev11]

Thanks for the review. Added the missing CHANGELOG.md entry under Unreleased / Fixes and pushed the updated commit.

Verified locally:

• git diff --check
• pnpm test src/agents/pi-embedded-subscribe.handlers.tools.media.test.ts --run
• pnpm check:changed -- --base upstream/main

[MkDev11]

The remaining failure appears to be unrelated to this PR. The parity gate times out before running scenarios because qa-channel never becomes ready; the artifact shows missing bundled runtime deps for qa-channel (typebox@1.1.34). Recent unrelated PRs are failing the same parity gate with the same timeout.

All standard CI checks for this PR are passing. Happy to rerun once the parity gate/base issue is resolved.

[MkDev11]

@greptileai

[steipete]

@clawsweeper automerge

[clawsweeper]

🦞🦞
ClawSweeper merged this PR after the passing review.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=56069df9030685ad698bd72682d51275c1b31614)
Merge status: merged by ClawSweeper automerge
Merged at: 2026-05-02T23:34:45Z
Merge commit: 9ef7f241f605

What merged:

• The branch removes the compact image/video provider-inventory output bypass, adds media handler regression tests for hidden and verbose modes, and adds an Unreleased changelog fix entry.
• Reproducibility: yes. On current main, a synthetic image_generate or video_generate list result with details ... ut false reaches emitToolOutput; the existing media handler test locks in that old video_generate behavior.

Fixups included:

• Included follow-up commit: chore: rerun ci
• Included follow-up commit: chore: move changelog entry below media fixes

The automerge loop is complete.

Automerge progress:

• 2026-05-02 23:30:58 UTC review queued [`56069df90306`](https://github.com/openclaw/openclaw/commit/56069df9030685ad698bd72682d51275c1b31614) (queued)
• 2026-05-02 23:34:33 UTC review passed [`56069df90306`](https://github.com/openclaw/openclaw/commit/56069df9030685ad698bd72682d51275c1b31614) (structured ClawSweeper verdict: pass (sha=56069df9030685ad698bd72682d51275c1b31...)
• 2026-05-02 23:34:47 UTC merged [`56069df90306`](https://github.com/openclaw/openclaw/commit/56069df9030685ad698bd72682d51275c1b31614) (merged by ClawSweeper automerge)