fix(agents): clean subagent fallback scaffolding

[steipete]

Summary

• replace generated <<<BEGIN_UNTRUSTED_CHILD_RESULT>>> prompt sentinels with neutral <prompt-data> child-result blocks for parent-agent announce prompts
• simplify completion delivery so background child results stay on the requester-agent handoff / queue-retry path instead of raw-sending child output directly to the external chat
• strip runtime-context/prompt-data scaffolding before write-ahead outbound queue persistence and rebuild queued batch plans from cleaned payloads
• update subagent docs and regression coverage for the simplified delivery contract

Fixes #78531.

Real behavior proof

• Behavior addressed: background subagent completions no longer bypass the requester-agent handoff by raw-sending child output; active wake failures go to queue fallback, and failed/no-output requester-agent handoffs are reported as failed instead of leaking wrapper/runtime scaffolding to the external chat.
• Real environment tested: Blacksmith Testbox Linux worker tbx_01kr071t6gf9j80yhfpe94ezj2 running the rebased branch against current OpenClaw source.
• Exact steps or command run after this patch: env CI=1 NODE_OPTIONS=--max-old-space-size=4096 OPENCLAW_TEST_PROJECTS_PARALLEL=6 OPENCLAW_VITEST_MAX_WORKERS=1 OPENCLAW_VITEST_NO_OUTPUT_TIMEOUT_MS=900000 pnpm check:changed
• Evidence after fix: terminal output from the Testbox run included check:changed lanes=core, coreTests, docs, Found 0 warnings and 0 errors, Import cycle check: 0 runtime value cycle(s)., and final JSON {"provider":"blacksmith-testbox","leaseId":"tbx_01kr071t6gf9j80yhfpe94ezj2","exitCode":0}.
• Observed result after fix: the rebased branch passed core/core-test/docs changed-gate proof on the remote Linux worker, including core typecheck, core test typecheck, core lint, runtime sidecar loader guard, import-cycle guard, webhook body guard, and auth pairing guards.
• What was not tested: no live Telegram/Slack/Discord bot send was performed for this refactor; the behavior is covered by focused delivery/announce regression tests and the remote changed gate.

Verification

• pnpm test src/agents/subagent-announce-delivery.test.ts src/agents/subagent-announce-dispatch.test.ts src/agents/subagent-announce.format.e2e.test.ts -- --reporter=verbose
• pnpm test src/agents/sanitize-for-prompt.test.ts src/agents/subagent-announce-delivery.test.ts src/infra/outbound/sanitize-text.test.ts src/infra/outbound/deliver.test.ts src/agents/subagent-announce.format.e2e.test.ts src/agents/pi-embedded-helpers.sanitizeuserfacingtext.test.ts -- --reporter=verbose
• pnpm exec oxfmt --check --threads=1 src/agents/subagent-announce-delivery.ts src/agents/subagent-announce-delivery.test.ts src/agents/subagent-announce-dispatch.ts docs/tools/subagents.md CHANGELOG.md
• git diff --check
• pnpm changed:lanes --json
• Crabbox/Testbox pnpm check:changed on rebased head tbx_01kr071t6gf9j80yhfpe94ezj2 (exitCode=0)

[clawsweeper]

Codex review: needs real behavior proof before merge.

Summary
This PR changes subagent completion handoff/fallback delivery, queues sanitized outbound payloads, switches child-result prompt wrappers, and updates docs, tests, and the changelog.

Reproducibility: yes. at source level. Current main returns raw event.result for completion fallback and persists original outbound payloads to the write-ahead queue, matching the linked Telegram queue evidence.

Real behavior proof
Not applicable: The PR has the protected maintainer label, so the external-contributor proof gate is not applied; the body reports Testbox and targeted test proof but no live chat send.

Next step before merge
A narrow automated repair can fix the sanitizer false-positive and add focused coverage without a product decision.

Security
Cleared: No supply-chain, workflow, dependency, secret-handling, or permission regression was found; the remaining concern is the functional sanitizer false-positive tracked in the review finding.

Review findings

• [P2] Gate prompt-tag stripping on generated wrappers — src/infra/outbound/sanitize-text.ts:94-96

Review details

Best possible solution:

Keep the layered fallback and queue hardening, but narrow prompt-data unwrapping so only generated wrapper blocks are removed while literal tag examples are preserved.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level. Current main returns raw event.result for completion fallback and persists original outbound payloads to the write-ahead queue, matching the linked Telegram queue evidence.

Is this the best way to solve the issue?

No, not as currently written. The fallback and queue direction is maintainable, but unwrapPromptDataWrapperLines() should require a generated header plus matching wrapper before removing prompt-data or untrusted-text tag lines.

Full review comments:

• [P2] Gate prompt-tag stripping on generated wrappers — src/infra/outbound/sanitize-text.ts:94-96
unwrapPromptDataWrapperLines() drops standalone <prompt-data>, </prompt-data>, <untrusted-text>, and close-tag lines even when they are literal XML/code content from the user. Since this sanitizer now runs before outbound send and queue persistence, legitimate content can be silently changed; only unwrap these tags when they are part of a generated header plus matching wrapper block.
  Confidence: 0.91

Overall correctness: patch is incorrect
Overall confidence: 0.9

Acceptance criteria:

• pnpm test src/infra/outbound/sanitize-text.test.ts src/infra/outbound/deliver.test.ts src/agents/subagent-announce-delivery.test.ts src/agents/subagent-announce.format.e2e.test.ts src/agents/sanitize-for-prompt.test.ts -- --reporter=verbose
• pnpm exec oxfmt --check --threads=1 src/infra/outbound/sanitize-text.ts src/infra/outbound/sanitize-text.test.ts
• git diff --check
• Use Testbox for pnpm check:changed if the changed gate expands beyond the narrow touched surface.

What I checked:

• Current main raw fallback path: Current main still returns event.result.trim() from extractTaskCompletionFallbackText(), so raw child completion text can be reused when mediated announce delivery fails. (src/agents/subagent-announce-delivery.ts:541, 58fa23b4a2f2)
• Current main queue persistence path: Current main enqueues the original payloads and renderedBatchPlan in the write-ahead queue before delivery normalization/sanitization. (src/infra/outbound/deliver.ts:1095, 58fa23b4a2f2)
• Existing test documents raw queue behavior: The current test named writes raw payloads to the queue before normalization asserts raw payloads are stored before normalization. (src/infra/outbound/deliver.test.ts:2305, 58fa23b4a2f2)
• PR head removes raw-send fallback behavior: The latest PR head adds regression coverage expecting failed/no-output completion handoffs not to call sendMessage, with active wake failure falling through to queued delivery. (src/agents/subagent-announce-delivery.test.ts:841, ceea202337ef)
• Blocking PR head sanitizer bug: unwrapPromptDataWrapperLines() removes any standalone <prompt-data>, </prompt-data>, <untrusted-text>, or close-tag line even when it is not part of a generated wrapper. (src/infra/outbound/sanitize-text.ts:94, ceea202337ef)
• Linked report evidence: The linked report Telegram subagent completion fallback can queue raw child/internal output after mediated announce failure #78531 includes redacted Telegram queue metadata showing internal child-result/runtime-context markers persisted into a failed queued delivery path.

Likely related people:

• steipete: GitHub path history shows repeated recent current-main work on subagent announce delivery and outbound queue lifecycle, including media completion fallback handling and durable outbound routing. (role: recent maintainer and adjacent owner; confidence: high; commits: 7188e4f4ad87, b32d4c5255c5, 6c8974f3f5a9; files: src/agents/subagent-announce-delivery.ts, src/infra/outbound/deliver.ts, src/agents/internal-events.ts)
• vincentkoc: Current-line blame in the checked-out main points to Vincent Koc for the fallback, queue, and sanitizer lines, and GitHub history shows recent subagent completion and security/sanitizer work in the same area. (role: recent fallback and sanitizer maintainer; confidence: high; commits: 6587832f2583, b6f9b5f21e84, e80de466e5e1; files: src/agents/subagent-announce-delivery.ts, src/infra/outbound/deliver.ts, src/infra/outbound/sanitize-text.ts)
• sfuminya: GitHub history shows a recent merged fix preserving requester routes for subagent completion delivery, which is adjacent to this fallback path. (role: adjacent completion-route contributor; confidence: medium; commits: 2c57d70a10db; files: src/agents/subagent-announce-delivery.ts)

Remaining risk / open question:

• I did not run tests or live channel delivery in this read-only review; validation is from source inspection, PR body proof, and GitHub check-run metadata.
• No live Telegram/Slack/Discord send proof is present for the refactor, although the protected maintainer label makes the external-contributor real-behavior proof gate not applicable.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 58fa23b4a2f2.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e73c149919

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Only unwrap prompt-data tags when in generated wrapper

stripInternalRuntimeScaffolding now drops any standalone <prompt-data>/</prompt-data> (and <untrusted-text>) lines unconditionally, even when they are literal user-facing content rather than OpenClaw scaffolding. Because this sanitizer is applied broadly in outbound delivery paths, legitimate XML/code examples that include these tags on their own lines will be silently altered before send and before queued retry persistence. The unwrap should be gated to an actual generated wrapper pattern (header + matching open/close) instead of removing every matching tag line globally.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ceea202337

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Gate prompt-tag stripping on full generated wrapper

unwrapPromptDataWrapperLines removes any standalone <prompt-data> / </prompt-data> (and legacy <untrusted-text>) lines even when there is no generated OpenClaw wrapper header, so user-authored examples/XML snippets that place these tags on their own lines are silently altered before outbound delivery and queue persistence. This should only unwrap when a full generated wrapper pattern is detected (header + matching open/close), otherwise legitimate content is corrupted.

Useful? React with 👍 / 👎.

[steipete]

Landed via squash merge.

• Source head: ceea202
• Landed commit: 92284bc
• Verification: focused agent/outbound tests passed locally; Testbox pnpm check:changed passed on the rebased head (tbx_01kr071t6gf9j80yhfpe94ezj2, exit 0).
• Follow-up: Telegram subagent completion fallback can queue raw child/internal output after mediated announce failure #78531 auto-closed from the Fixes reference.