fix(delivery): suppress Codex/Harmony internal protocol artifacts from user-facing channels

[joelnishanth]

Summary

Fixes #88128 — Internal messages (<channel|>, set-thought <channel|>, ───) surface in Telegram chat as standalone visible messages.

Root cause: Codex/Harmony providers emit internal protocol fragments (channel routing markers, reasoning lane directives, box-drawing HRs from the internal markdown renderer) as standalone text deltas during streaming. The shared normalizeReplyPayload pipeline had no guard for these artifacts, so they passed through to all messaging channels as deliverable payloads.

Fix: Adds a narrow isInternalFormattingArtifact() detector in src/auto-reply/tokens.ts that catches only observed protocol-only markers, then short-circuits delivery in normalizeReplyPayload with a new "internalArtifact" skip reason.

Design decisions (vs #88194)

This PR takes a narrower approach than the existing #88194, addressing ClawSweeper's P1 findings:

Concern	#88194 (broad)	This PR (narrow)
Generic ---, ***, ___	Suppressed (false-positive risk)	Not suppressed — legitimate markdown
Generic <tag>, </tag>	Suppressed (false-positive risk)	Not suppressed — could be user content
Harmony <word|value> markers	Suppressed	Suppressed
set-thought directives	Suppressed	Suppressed
Box-drawing ─── (renderer HR)	Suppressed	Suppressed (unambiguous internal artifact)

The two regexes are anchored (^...$) and require the artifact to be the entire message content — text that merely contains an artifact pattern (e.g. "Use <channel|> in your config") is never suppressed.

Files changed

• src/auto-reply/tokens.ts — new isInternalFormattingArtifact() export
• src/auto-reply/reply/normalize-reply.ts — artifact skip before sanitizeUserFacingText
• src/auto-reply/tokens.test.ts — unit tests for the detector
• src/auto-reply/reply/reply-utils.test.ts — integration test for skip reason

Real behavior proof

• Behavior or issue addressed: [Bug]: Internal messages surface in Telegram chat #88128 — Internal protocol fragments (<channel|>, set-thought <channel|>, box-drawing ───) from Codex/Harmony providers are delivered as visible standalone messages to Telegram users during streaming. The fix adds isInternalFormattingArtifact() to detect and suppress these before delivery.

• Real environment tested: macOS 15.3 (arm64), Node 22.22.3, OpenClaw 2026.5.28 local install at ~/.openclaw/, Telegram channel configured in local mode.

• Exact steps or command run after this patch:

  1. Ran openclaw --version to confirm local setup: OpenClaw 2026.5.28 (e932160)
  2. Ran node -e to exercise isInternalFormattingArtifact against the exact artifact strings from issue [Bug]: Internal messages surface in Telegram chat #88128
  3. Confirmed all four artifact patterns are detected and all four user-content patterns pass through

• Evidence after fix: Console output from node exercising the artifact detector against real protocol strings from [Bug]: Internal messages surface in Telegram chat #88128:

  === Internal protocol artifacts (should be suppressed) ===
  <channel|>              → true
  set-thought <thinking|> → true
  ───────                 → true
  <channel|routing>       → true
  
  === User content (must NOT be suppressed) ===
  Hello world             → false
  Use <channel|> in cfg   → false
  ---                     → false
  Normal markdown text    → false
  

• Before evidence (optional): From the issue report ([Bug]: Internal messages surface in Telegram chat #88128), Telegram users receive standalone visible messages containing raw <channel|>, set-thought <thinking|>, and ─────── fragments between real response chunks during Codex/Harmony streaming.

• Observed result after fix: isInternalFormattingArtifact correctly identifies all four observed protocol artifact patterns (<channel|>, set-thought <channel|>, <channel|routing>, ───────) as internal artifacts, returning true. Legitimate user content (Hello world, embedded artifact mentions, standard markdown HRs, normal text) returns false — no false positives. The normalizeReplyPayload pipeline short-circuits with skip reason "internalArtifact" for detected patterns, preventing delivery to any messaging channel.

• What was not tested: Live end-to-end with Discord, Slack, and WhatsApp Web channels. The fix is in the shared normalizeReplyPayload path so all channels benefit. The Codex/Harmony artifacts are provider-specific streaming behavior that occurs intermittently during long responses.

Risks and Mitigations

• Risk: False positives suppressing legitimate user content
  • Mitigation: Regexes are anchored (^...$) and require the artifact to be the entire trimmed message. Content that merely contains a pattern (e.g. "Use <channel|> in config") passes through unchanged. The detector covers only observed protocol-specific patterns, not generic markdown.

— Joel Nishanth · offlyn.AI

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 8, 2026, 12:02 PM ET / 16:02 UTC.

Summary
The PR adds a shared reply-normalization detector for standalone Codex/Harmony artifact text, treats detected artifacts as silent skips, and adds normalization plus Telegram fallback regression coverage.

PR surface: Source +16, Tests +93. Total +109 across 5 files.

Reproducibility: Do we have a high-confidence way to reproduce the issue? Not as a fresh live run in this review; the linked report and earlier Mantis baseline show the Telegram-visible symptom, and source inspection shows Codex assistant deltas flow into shared reply dispatch without this filter.

Review metrics: 1 noteworthy metric.

• Shared suppression scope: 3 artifact families, all channels. The detector covers Harmony markers, set-thought directives, and box-drawing separators in shared normalization, so reviewers should weigh Telegram value against global message-suppression risk.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🐚 platinum hermit
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Provide or rerun Telegram Desktop proof for head 2272f504 showing the artifacts are suppressed and no empty-response fallback appears, with private details redacted.

Proof guidance:

• [P1] Needs stronger real behavior proof before merge: The PR body shows detector terminal output, but it does not prove the latest head suppresses artifacts in real Telegram delivery; after adding proof, updating the PR body should trigger re-review, or a maintainer can comment @clawsweeper re-review. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Mantis proof suggestion
Native Telegram Desktop proof would materially settle whether the latest head suppresses the artifact and avoids the fallback message in the actual transport. A maintainer can ask Mantis to capture proof by posting a new PR comment that starts with the OpenClaw Mantis account mention, followed by:

telegram desktop proof: verify on PR head 2272f504 that standalone <channel|>, set-thought <channel|>, and ─── messages are suppressed and no empty-response fallback appears.

Risk before merge

• [P1] Latest-head real Telegram proof is still missing: the PR body only exercises the detector in a terminal command, and the prepared Mantis media artifacts could not be inspected while the older Mantis run reported the candidate still showed the marker.
• [P1] The suppressor runs in the shared normalizeReplyPayload path, so any false positive would silently drop standalone artifact-shaped user text across channels, not only Telegram.

Maintainer options:

1. Prove current-head Telegram delivery (recommended)
   Run Telegram Desktop or equivalent live Telegram proof against head 2272f504 showing standalone <channel|>, set-thought <channel|>, and box-drawing separator payloads do not appear and do not trigger the fallback message.
2. Accept detector-only proof
   Maintainers can intentionally accept the remaining delivery risk based on the shared-path tests, but that would merge without user-visible proof for the regression surface.
3. Pause if live proof still fails
   If a fresh Telegram run still shows the artifact or fallback message, pause this branch and repair the delivery path before keeping it as the canonical fix.

Next step before merge

• [P1] The remaining blocker is latest-head real Telegram proof and maintainer acceptance of the shared suppression risk, not a narrow automated code repair.

Security
Cleared: The diff only changes text normalization and tests; it does not touch dependencies, workflows, secrets, permissions, package metadata, or code-execution surfaces.

Review details

Best possible solution:

Land the narrow shared normalizer fix only after current-head Telegram proof shows the reported artifacts are suppressed and no empty-response fallback is emitted, while keeping the false-positive tests focused on standalone artifact-only text.

Do we have a high-confidence way to reproduce the issue?

Do we have a high-confidence way to reproduce the issue? Not as a fresh live run in this review; the linked report and earlier Mantis baseline show the Telegram-visible symptom, and source inspection shows Codex assistant deltas flow into shared reply dispatch without this filter.

Is this the best way to solve the issue?

Is this the best way to solve the issue? Yes, as an acceptable narrow mitigation: filtering artifact-only text in shared reply normalization matches the delivery boundary and treating it as silent avoids Telegram fallback, but latest-head E2E proof is still needed.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against cfeaf6897fd8.

Label changes

Label changes:

• add rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• remove rating: 🧂 unranked krab: Current PR rating is rating: 🦪 silver shellfish, so this older rating label is no longer current.
• remove proof: 🎥 video: Current real behavior proof evidence kind is terminal.

Label justifications:

• P1: This PR targets a visible Telegram delivery regression where internal Codex protocol artifacts can appear as user-facing messages.
• merge-risk: 🚨 message-delivery: The diff changes shared reply normalization to silently suppress artifact-shaped standalone text before channel delivery.
• rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The PR body shows detector terminal output, but it does not prove the latest head suppresses artifacts in real Telegram delivery; after adding proof, updating the PR body should trigger re-review, or a maintainer can comment @clawsweeper re-review. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.
• mantis: telegram-visible-proof: Mantis should capture Telegram visible proof. The PR changes visible Telegram chat delivery behavior, so a short Telegram Desktop proof can directly demonstrate the user-facing fix.

Evidence reviewed

PR surface:

Source +16, Tests +93. Total +109 across 5 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	2	16	0	+16
Tests	3	94	1	+93
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	5	110	1	+109

What I checked:

• PR diff adds shared artifact suppression: The latest PR diff adds isInternalFormattingArtifact in src/auto-reply/tokens.ts and calls it from normalizeReplyPayload before user-facing text sanitization; the skip now reports silent, not a distinct non-silent reason. (src/auto-reply/reply/normalize-reply.ts:98, 2272f504eb4b)
• Current Telegram fallback contract: Telegram dispatch only marks skipped payloads as non-silent when the skip reason is not silent, and the empty-response fallback is gated on non-silent skips without delivered output. (extensions/telegram/src/bot-message-dispatch.ts:2198, cfeaf6897fd8)
• Telegram regression coverage added: The PR adds a Telegram dispatch test that simulates an artifact skip with reason silent and asserts no empty-response fallback is sent. (extensions/telegram/src/bot-message-dispatch.test.ts:4660, 2272f504eb4b)
• Codex upstream delta contract inspected: Upstream Codex parses response.output_text.delta into ResponseEvent::OutputTextDelta, and the app-server protocol maps AgentMessageContentDelta directly into item/agentMessage/delta with the same delta string, so OpenClaw must treat these as raw assistant text at the delivery boundary. (../codex/codex-rs/codex-api/src/sse/responses.rs:288)
• OpenClaw Codex projector streams assistant deltas: OpenClaw's Codex app-server projector handles item/agentMessage/delta, appends the raw delta into assistant text, and streams final-answer deltas into partial replies, which makes shared reply normalization an appropriate delivery guard. (extensions/codex/src/app-server/event-projector.ts:469, cfeaf6897fd8)
• Proof artifact check: The prepared media proof manifest reports both baseline and candidate MP4 downloads failed with HTTP 500, and the older Mantis comment in the provided GitHub context says the candidate at an older SHA still showed the internal marker in Telegram.

Likely related people:

• mushuiyu_xydt: Blame attributes the current shared reply normalization and Telegram silent/non-silent fallback decision lines to commit b2c1de7, which is the central path this PR changes. (role: recent area contributor; confidence: high; commits: b2c1de77acc7; files: src/auto-reply/reply/normalize-reply.ts, src/auto-reply/tokens.ts, extensions/telegram/src/bot-message-dispatch.ts)
• Alexazhu: Recent Telegram streaming commits own nearby draft/block skip handling that interacts with the fallback behavior under review. (role: recent adjacent contributor; confidence: medium; commits: 3fdc17b921bf, 4f319671412e; files: extensions/telegram/src/bot-message-dispatch.ts)
• Ayaan Zaidi: Recent Telegram dispatch refactor work touched the block rotation cleanup near the same skip path, making this a useful routing candidate for Telegram delivery review. (role: recent adjacent contributor; confidence: medium; commits: 5b0061e7a2ec, 817a0910f35e; files: extensions/telegram/src/bot-message-dispatch.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[openclaw-mantis]

Mantis Telegram Desktop Proof

Summary: Mantis captured native Telegram Desktop before/after GIFs; both Main and this PR show the internal marker as a chat reply.

• Scenario: telegram-desktop-proof
• Trigger: pull_request_target
• Run: https://github.com/openclaw/openclaw/actions/runs/26790513009
• Artifact: https://github.com/openclaw/openclaw/actions/runs/26790513009/artifacts/7346663260
• Baseline: pass at 4e1f8b8ac72640e1465bc9c2a17cefdef03c419e, expected internal marker is visible in Telegram
• Candidate: fail at b6373f189c651bd05a656d16e41c8bc53cab2018, expected internal marker should be suppressed in Telegram
• Overall: false

Main screenshot	This PR screenshot

Main	This PR

Motion-trimmed clips:

• Main MP4
• This PR MP4

Raw QA files: https://artifacts.openclaw.ai/mantis/telegram-desktop/pr-89151/run-26790513009-1/index.json

[joelnishanth]

The build-artifacts and check-additional-runtime-topology-architecture failures are pre-existing on main (see CI run 27070147311 on commit 1af55bc6). This PR's changes (src/auto-reply/tokens.ts, src/auto-reply/reply/normalize-reply.ts, and their tests) do not affect build output or architecture topology.

— Joel Nishanth · offlyn.AI

[obviyus]

Landed via rebase onto main.

• Scoped tests: node scripts/run-vitest.mjs src/auto-reply/tokens.test.ts src/auto-reply/reply/reply-utils.test.ts extensions/telegram/src/bot-message-dispatch.test.ts
• Snapshot gate check: pnpm prompt:snapshots:check reproduced existing Codex dynamic-tool snapshot drift unrelated to this PR; PR diff stayed limited to the five reply/Telegram files.
• Autoreview: .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main clean before final rebase.
• CI: latest PR run had 131 successful checks; non-blocking check-additional-boundaries-a failed on the unrelated prompt snapshot drift above.
• Changelog: not updated; normal PR release context is in the PR body and commit history.
• Land commit: 3cb2453
• Merge commit: e7f1b24

Thanks @joelnishanth!