fix(agents): coerce non-text/image MCP tool-result blocks to text (fixes #90710)

[849261680]

Summary

MCP CallToolResult.content[] can include resource_link, resource, and audio blocks (MCP SDK ContentBlock union), but toAgentToolResult in agent-bundle-mcp-materialize.ts cast that array straight into AgentToolResult.content, whose contract is only (TextContent | ImageContent)[]. That cast lied to the type system, so the bad blocks flowed downstream where the Anthropic provider/transport "non-text ⇒ image" branch built an image block with undefined data/media_type. Anthropic rejects that with HTTP 400, and because the malformed block stays in conversation history, every subsequent turn replays it and 400s too — the session is permanently poisoned until history is reset.

• Fix at the materialize boundary so the text/image contract stays honest, instead of patching each downstream provider converter. This fixes all providers, not just Anthropic.
• Pass through valid images unchanged; coerce resource_link → [title|name] uri, resource → resource.text ?? uri, audio → [audio <mime>], and malformed/unknown blocks → stringified text.
• Discriminated-union handling means a future MCP SDK block type surfaces here rather than silently mis-coercing.
• Out of scope: the provider-side convertContentBlocks keep their honest text|image signatures; they no longer receive wider MCP blocks, so they are intentionally untouched.

Linked context

Closes #90710

Reporter: @RanSHammer (clear repro + root-cause diagnosis).

Real behavior proof (required for external PRs)

• Behavior addressed: a real MCP server returning non-text/image blocks (resource_link for a .docx, plus resource/audio) no longer leaks those blocks into the agent tool result. They are coerced to text at the materialize boundary, so the Anthropic image branch never builds an empty image block (no 400, no poisoned history).
• Real environment tested: ran the actual OpenClaw bundle-MCP runtime (createBundleMcpToolRuntime → createSessionMcpRuntime) against a real spawned stdio MCP server subprocess (MCP SDK 1.29.0 McpServer) over real JSON-RPC. No vitest, no mocks — production code paths, executed on both origin/main (before) and this branch (after). Node 22.22.2, macOS.
• Exact steps or command run after this patch: spawned a real stdio MCP server whose get_attachment tool returns [text, resource_link(.docx), resource(memo), audio], then drove the real runtime and printed the materialized AgentToolResult.content:
  node --import tsx drive.mts <repoRoot> (driver dynamically imports src/agents/agent-bundle-mcp-materialize.ts from the given checkout and calls the materialized tool).
• Evidence after fix: copied live console output from the real runtime run on this branch (f70dccf33e):

=== materialized AgentToolResult.content ===
[
  { "type": "text", "text": "Here is the attachment:" },
  { "type": "text", "text": "[Quarterly report] https://mail.example.com/att/quarterly.docx" },
  { "type": "text", "text": "inline memo body" },
  { "type": "text", "text": "[audio audio/mpeg]" }
]

Before (same driver + same real MCP server against unfixed origin/main materialize), the array carried raw non-text/image blocks — exactly what the Anthropic image branch then turns into an empty image source and 400s on:

=== materialized AgentToolResult.content ===
[
  { "type": "text", "text": "Here is the attachment:" },
  { "name": "quarterly.docx", "title": "Quarterly report",
    "uri": "https://mail.example.com/att/quarterly.docx",
    "mimeType": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "type": "resource_link" },
  { "type": "resource", "resource": { "uri": "memo://note", "text": "inline memo body" } },
  { "type": "audio", "data": "QUFBQQ==", "mimeType": "audio/mpeg" }
]

• Observed result after fix: every non-text/image block is now a text block; the valid image case (not shown above) still passes through as an image. The resource_link/resource/audio blocks that previously sat illegally inside the (text|image)[] array are gone, so the provider can no longer build a data:undefined / media_type:undefined image block.
• What was not tested: a live round-trip against the hosted Anthropic API to observe the literal HTTP 400 (no Anthropic credentials wired in this checkout). The 400 trigger is shown structurally — the before output contains the exact malformed blocks the provider's image branch consumes (src/llm/providers/anthropic.ts:140, src/agents/anthropic-transport-stream.ts:287).
• Proof limitations or environment constraints: ran on a local source checkout via tsx; the spawned MCP server is a minimal real SDK server rather than the reporter's Superhuman Mail remote MCP, but it emits the same ContentBlock shapes.

Tests and validation

Which commands did you run?

• Real-runtime repro above (before/after) — production paths, real MCP subprocess.
• node scripts/run-vitest.mjs src/agents/agent-bundle-mcp-tools.materialize.test.ts → 13 passed (supplemental)
• tsgo core + test:src lanes → exit 0; oxfmt --check + oxlint on changed files → clean (supplemental)

What regression coverage was added or updated?

Two new cases in agent-bundle-mcp-tools.materialize.test.ts:

• resource_link / resource (text + blob) / audio blocks coerce to text while a valid image passes through.
• A malformed image block (missing base64 source) coerces to text instead of an empty image block.

[clawsweeper]

Codex review: passed. Reviewed June 5, 2026, 10:15 PM ET / 02:15 UTC.

Summary
The PR converts wider MCP CallToolResult content blocks into text/image AgentToolResult blocks at the bundle-MCP materialization boundary and adds regression tests.

PR surface: Source +36, Tests +66. Total +102 across 2 files.

Reproducibility: yes. Source inspection shows current main lets MCP resource/audio blocks cross into a text/image-only result contract, and the PR body includes before/after real-runtime output from a spawned stdio MCP server; I did not run a live hosted Anthropic API round trip in this read-only review.

Review metrics: none identified.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Next step before merge

• No ClawSweeper repair job is needed; the clean automerge path can rely on exact-head review, required checks, and GitHub mergeability gates.

Security
Cleared: The diff changes local TypeScript content normalization and tests only; it does not add dependencies, scripts, permissions, secret handling, or supply-chain surface.

Review details

Best possible solution:

Land the materialization-boundary normalization after exact-head checks pass, keep provider converters typed to text/image, and let the linked issue close on merge.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows current main lets MCP resource/audio blocks cross into a text/image-only result contract, and the PR body includes before/after real-runtime output from a spawned stdio MCP server; I did not run a live hosted Anthropic API round trip in this read-only review.

Is this the best way to solve the issue?

Yes. Normalizing at the bundle-MCP materialization boundary is the narrowest maintainable fix because it restores the core tool-result contract for all downstream providers, while patching only Anthropic would leave invalid content in agent history.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 3a2f54e6a866.

Label changes

Label changes:

• add status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Sufficient (live_output): The PR body includes after-fix copied live output from a real spawned stdio MCP server through the real bundle-MCP runtime, plus before output from current main showing the leaked block shapes.
• remove status: 👀 ready for maintainer look: Current PR status label is status: 🚀 automerge armed.

Label justifications:

• P1: The linked bug can break Anthropic agent turns after MCP tool output and poison subsequent session history for affected users.
• rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Sufficient (live_output): The PR body includes after-fix copied live output from a real spawned stdio MCP server through the real bundle-MCP runtime, plus before output from current main showing the leaked block shapes.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix copied live output from a real spawned stdio MCP server through the real bundle-MCP runtime, plus before output from current main showing the leaked block shapes.

Evidence reviewed

PR surface:

Source +36, Tests +66. Total +102 across 2 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	39	3	+36
Tests	1	66	0	+66
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	2	105	3	+102

What I checked:

• Current main contract leak: Current main casts MCP result.content directly into AgentToolResult.content, so wider MCP blocks can pass a text/image-only contract boundary unchanged. (src/agents/agent-bundle-mcp-materialize.ts:28, 3a2f54e6a866)
• AgentToolResult contract: AgentToolResult.content is typed and documented as only TextContent or ImageContent, which supports fixing the leak before provider conversion. (packages/agent-core/src/types.ts:419, 3a2f54e6a866)
• MCP dependency contract: MCP SDK 1.29.0 defines ContentBlock as text, image, audio, resource_link, or resource, and CallToolResult.content as an array of ContentBlock.
• Downstream Anthropic failure path: The Anthropic provider converter accepts text/image content but maps any non-text block in the image path into an image source using mimeType and data. (src/llm/providers/anthropic.ts:121, 3a2f54e6a866)
• Transport sibling has same invariant: The Anthropic transport converter also treats non-text content as image content, so boundary normalization protects both provider paths. (src/agents/anthropic-transport-stream.ts:261, 3a2f54e6a866)
• PR implementation: The PR maps MCP text, valid image, audio, resource_link, resource, malformed image, and unknown blocks into valid AgentToolResult text/image blocks before returning tool output. (src/agents/agent-bundle-mcp-materialize.ts:30, f70dccf33ed1)

Likely related people:

• steipete: GitHub path history for bundle-MCP materialization/runtime points to recent MCP operator/runtime and documentation commits by steipete, including the central materialization path this PR changes. (role: feature owner and recent area contributor; confidence: high; commits: 38d3d11cbc0c, ec8cb8bcbfae, f2d8facb4876; files: src/agents/agent-bundle-mcp-materialize.ts, src/agents/agent-bundle-mcp-runtime.ts, src/agents/agent-bundle-mcp-tools.materialize.test.ts)
• obviyus: Recent Anthropic provider history includes multiple agent/provider cache-boundary fixes by obviyus on the downstream provider path implicated by the bug. (role: recent adjacent contributor; confidence: medium; commits: 9ed9af4f3939, 01cc68ee0d22, 2454952544b1; files: src/llm/providers/anthropic.ts)
• Jerry-Xin: Recent Anthropic transport and MCP runtime cleanup history includes fixes by Jerry-Xin on paths adjacent to replay poisoning and runtime lifecycle behavior. (role: recent adjacent contributor; confidence: medium; commits: 8dc9cfe7349e, dc344a33fbfc; files: src/agents/anthropic-transport-stream.ts, src/agents/agent-bundle-mcp-runtime.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[849261680]

@clawsweeper re-review — real behavior proof added to the PR body (real spawned stdio MCP server → real bundle-MCP runtime, before/after on origin/main vs this branch). The Real behavior proof check is now green.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27034787737
• Updated: 2026-06-05T19:18:04.835Z

[849261680]

@clawsweeper re-review — the PR head was briefly overwritten by an unintended commit and has now been restored to the boundary-normalization fix (f70dccf). The previous verdict reviewed the wrong (now-reverted) code against a stale base. Current head: materialize-boundary normalization only, CI fully green (131 pass / 0 fail), real-behavior proof in the body. Please re-review f70dccf.

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27032802915
• Updated: 2026-06-05T18:36:19.696Z

[849261680]

@clawsweeper re-review

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27033542992
• Updated: 2026-06-05T18:50:58.790Z

[Takhoffman]

@clawsweeper automerge

[clawsweeper]

🦞✅
ClawSweeper merged this PR after the passing review.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=f70dccf33ed1cd3e4daacdfb3c352b39e23283b1)
Merge status: merged by ClawSweeper automerge
Merged at: 2026-06-06T02:16:11Z
Merge commit: b1e4b6b65e2c

What merged:

• The PR converts wider MCP CallToolResult content blocks into text/image AgentToolResult blocks at the bundle-MCP materialization boundary and adds regression tests.
• PR surface: Source +36, Tests +66. Total +102 across 2 files.
• Reproducibility: yes. Source inspection shows current main lets MCP resource/audio blocks cross into a text/ ... a spawned stdio MCP server; I did not run a live hosted Anthropic API round trip in this read-only review.

Automerge notes:

• No ClawSweeper repair was needed after automerge opt-in.

The automerge loop is complete.

Automerge progress:

• 2026-06-06 02:08:55 UTC review queued f70dccf33ed1 (queued)

• 2026-06-06 02:15:53 UTC review passed f70dccf33ed1 (structured ClawSweeper verdict: pass (sha=f70dccf33ed1cd3e4daacdfb3c352b39e2328...)

• 2026-06-06 02:16:15 UTC merged f70dccf33ed1 (merged by ClawSweeper automerge)