feat(diagnostics-otel): capture tool input/output content via trusted channel

[amknight]

Summary

diagnostics.otel.captureContent.toolInputs / toolOutputs were documented and
config-wired but never produced any span content — the OTel exporter had a
consumer for tool content, but nothing on the runtime side emitted it.

This wires the missing producer, mirroring the model-content path (#86191):

• Producer (agent-tools.before-tool-call.ts): on tool completion/error,
  emit cloned tool args/results over the trusted private-data diagnostic
  channel, gated behind the existing captureContent opt-in. Raw tool content
  never rides the public diagnostic event bus.
• Consumer (diagnostics-otel/service.ts): reads privateData.toolContent
  and bounds/redacts/truncates (128KB) before setting openclaw.content.tool_input
  and openclaw.content.tool_output span attributes.

Scope is the core embedded-runner tool path (the canonical producer). The Codex
harness (async-batched diagnostics) and the Claude CLI session remain follow-ups,
noted in docs/gateway/opentelemetry.md and tracked by #77391.

Verification

• Tests: diagnostic-llm-content (4), attempt.model-diagnostic-events (13),
  agent-tools.before-tool-call.e2e (54, incl. 4 new producer cases),
  diagnostics-otel/service (87) — all pass via node scripts/run-vitest.mjs.
• Types: tsgo:core, tsgo:extensions, tsgo:test:src, tsgo:test:extensions.
• SDK contract: plugin-sdk:api:check passes (baseline regenerated for source
  line shifts; no public declaration shape change).
• oxfmt --check + oxlint clean; Codex autoreview clean (no findings).

Refs #77391

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 9, 2026, 3:25 PM ET / 19:25 UTC.

Summary
The branch wires embedded-runner tool input/output capture into trusted diagnostic private data, updates diagnostics-otel to export bounded/redacted span attributes, adds focused tests, and documents Codex/Claude exclusions.

PR surface: Source +53, Tests +206, Docs +7, Generated 0. Total +266 across 10 files.

Reproducibility: yes. Source inspection shows current main and v2026.6.5 expose the config/docs but emit embedded-runner tool terminal diagnostics without raw tool fields or privateData.toolContent.

Review metrics: 2 noteworthy metrics.

• Config behavior activation: 2 existing subkeys activated, 0 new keys. toolInputs and toolOutputs already exist in config/docs, but this PR changes them from no-op to exporting sensitive content when enabled.
• Trusted private data shape: 1 field added. Adding toolContent broadens the plugin-SDK-exposed internal diagnostics payload that trusted exporters can receive.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P2] Maintainers should explicitly accept the opt-in privacy and trusted diagnostic contract before merge.
• Redacted real collector output would reduce the remaining runtime-proof uncertainty.

Risk before merge

• [P1] Existing installations that already opted into diagnostics.otel.captureContent.toolInputs or toolOutputs will change from a documented no-op to exporting bounded/redacted tool args/results after upgrade.
• [P1] DiagnosticEventPrivateData gains a toolContent field on a trusted internal diagnostics surface exported through the plugin SDK, so maintainers should explicitly accept the additive sensitive-data contract.
• [P1] Codex and Claude harness parity remains out of scope and tracked by diagnostics.otel.captureContent.* is non-functional — runtime broadcast emits sanitized paramsSummary only #77391, so this PR intentionally fixes only the embedded-runner producer path.

Maintainer options:

1. Accept the opt-in content export
   Maintainership can accept that already-enabled toolInputs/toolOutputs configs will begin exporting bounded/redacted tool content because the keys were documented for that purpose.
2. Require collector proof first
   Before merge, ask for redacted OTLP collector output showing openclaw.content.tool_input and openclaw.content.tool_output on real embedded-runner tool spans.
3. Pause for private-data contract review
   If the trusted diagnostic SDK surface is not yet accepted, pause the PR and decide whether toolContent belongs in this private contract or behind a narrower exporter-only seam.

Next step before merge

• [P2] Protected maintainer handling plus privacy/SDK contract acceptance are the remaining actions; there is no narrow ClawSweeper repair to queue.

Security
Needs attention: No supply-chain issue was found, but the diff intentionally activates privacy-sensitive tool content export through trusted diagnostics.

Review details

Best possible solution:

Land only after maintainers explicitly accept the opt-in privacy behavior and trusted diagnostic private-data contract, while keeping Codex/Claude parity tracked in #77391.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows current main and v2026.6.5 expose the config/docs but emit embedded-runner tool terminal diagnostics without raw tool fields or privateData.toolContent.

Is this the best way to solve the issue?

Yes, this appears to be the best core fix for the embedded-runner path because it mirrors the model-content private-data design and keeps raw content off the public diagnostic bus. The open question is maintainer acceptance of the privacy/SDK contract, not a narrower code defect.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5b9cb3bd3a36.

Label changes

Label justifications:

• P2: This is a normal-priority diagnostics bug fix with limited blast radius but privacy-sensitive opt-in behavior.
• merge-risk: 🚨 compatibility: Users with existing captureContent.toolInputs/toolOutputs settings will observe new exported span attributes after upgrade.
• merge-risk: 🚨 security-boundary: The PR intentionally moves raw tool args/results onto a trusted private diagnostic channel before exporter redaction and truncation.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The contributor real-behavior proof gate is not applied because this is a MEMBER-authored protected maintainer PR; the body lists focused tests, type checks, SDK checks, lint, and autoreview.

Evidence reviewed

PR surface:

Source +53, Tests +206, Docs +7, Generated 0. Total +266 across 10 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	5	94	41	+53
Tests	3	224	18	+206
Docs	1	7	0	+7
Config	0	0	0	0
Generated	1	2	2	0
Other	0	0	0	0
Total	10	327	61	+266

Security concerns:

• [medium] Confirm opt-in tool content export is acceptable — src/agents/agent-tools.before-tool-call.ts:1268
  The PR now emits cloned tool args/results over private diagnostics when captureContent.toolInputs/toolOutputs are enabled; even with trusted listeners and exporter redaction, this is a security-boundary decision for operators upgrading from a no-op setting.
  Confidence: 0.86

What I checked:

• Repository policy read and applied: Root AGENTS.md plus scoped docs/extensions/src/agents/embedded-runner guides were read; protected maintainer handling, plugin SDK/privacy risk, docs wording, and sibling Codex review requirements shaped the verdict. (AGENTS.md:1, 5b9cb3bd3a36)
• Current main still lacks the producer: Current main emits embedded-runner tool completed/error diagnostics with emitTrustedDiagnosticEvent and no private content payload, so the PR remains necessary. (src/agents/agent-tools.before-tool-call.ts:1238, 5b9cb3bd3a36)
• Latest release has the same gap: The latest release v2026.6.5 also emits tool terminal events without private tool content, confirming the fix has not shipped. (src/agents/agent-tools.before-tool-call.ts:1238, 5181e4f7c82b)
• PR producer uses trusted private data: The PR emits completed/error tool diagnostics through emitTrustedDiagnosticEventWithPrivateData and builds cloned tool input/output content only when the capture policy opts in. (src/agents/agent-tools.before-tool-call.ts:1268, 1ccd84b86dfc)
• PR consumer reads privateData.toolContent: diagnostics-otel assigns openclaw.content.tool_input/tool_output from privateData.toolContent, then uses the existing content normalization/redaction/truncation path. (extensions/diagnostics-otel/src/service.ts:3426, 1ccd84b86dfc)
• Trusted diagnostics are narrowly granted: The internalDiagnostics capability is granted only to bundled or trusted-official diagnostics exporters, which limits but does not remove the privacy sensitivity of the new private payload shape. (src/plugins/services.ts:31, 5b9cb3bd3a36)

Likely related people:

• amknight: Authored the current PR and the merged OpenTelemetry LLM content span work that established the private diagnostic-content pattern this PR extends. (role: feature owner and recent area contributor; confidence: high; commits: 1ccd84b86dfc, f824e1596ad5; files: src/agents/agent-tools.before-tool-call.ts, extensions/diagnostics-otel/src/service.ts, src/infra/diagnostic-events.ts)
• vincentkoc: Co-authored the merged model-content OTel span PR and is connected to the shipped captureContent configuration/docs surface this branch extends to tool content. (role: adjacent contributor; confidence: medium; commits: f824e1596ad5; files: extensions/diagnostics-otel/src/service.ts, src/infra/diagnostic-events.ts, src/infra/diagnostic-llm-content.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.