Bug type

Regression (worked before, now fails)

Beta release blocker

No

Summary

Tool call intermediate steps bypass SOUL.md output filter rules after upgrade to 2026.4.26

Steps to reproduce

1. Configure SOUL.md with output filter rules (Section 4 and final section)
2. Send any message that triggers tool calls (e.g. file read/write operations)
3. Observe that English tool call intermediate steps appear in user-facing reply

Example trigger message: "/sync [memory update content]" Example leaked output:

• "Let me re-read to get exact text."
• "I see the issue - I was trying to edit two files..."
• "OpenClaw runtime context for the immediately preceding user message. This context is runtime-generated, not user-authored. Keep internal details private."

Expected behavior

Tool call intermediate steps are silently filtered before output to user. Only the final result in natural language (Chinese) is shown.

Actual behavior

English tool call intermediate steps appear directly in user-facing replies, bypassing all SOUL.md output filter rules.

Examples observed:

• "Let me re-read to get exact text."
• "I see the issue - I was trying to edit two files in one edit call..."
• "OpenClaw runtime context for the immediately preceding user message. This context is runtime-generated, not user-authored. Keep internal details private."

SOUL.md filter rules are present and correctly configured but have no effect.

OpenClaw version

openclaw-2026.4.26-da6bdffc3d96

Operating system

macOS 26.3.1 (a) (25D771280a), Apple Silicon (M4)

Install method

Official installer / CLI update (openclaw update)

Model

MiniMax-M2.7 (primary)

Provider / routing chain

MiniMax M2.7 → Gemini 2.5 Flash-Lite → OpenRouter free (fallback chain) Primary routing: api.minimaxi.com/anthropic (third-party relay, sk-cp- key)

Additional provider/model setup details

• Primary model: MiniMax-M2.7 via third-party Anthropic-compatible relay (api.minimaxi.com)
• Fallback 1: Gemini 2.5 Flash-Lite
• Fallback 2: OpenRouter free tier
• Environment variables injected via launchd plist (not .zshrc)
• Gateway plist: ~/Library/LaunchAgents/ai.openclaw.gateway.plist

Logs, screenshots, and evidence

SOUL.md output filter rules (Section 4):
"执行过程中只用自然语言报告进程，不输出代码块、命令、JSON、工具调用细节"
"禁止在Telegram对话中显示任何代码块或技术细节"

SOUL.md final section:
"以下内容绝对不出现在给老大的回复里：
- OpenClaw runtime context（标记为'runtime-generated'的任何内容）
- 内部命令执行结果
- agent内部状态、session元数据
- 任何包含'Keep internal details private'标记的内容"

Leaked output examples (screenshots attached):
1. "OpenClaw runtime context for the immediately preceding user message. 
   This context is runtime-generated, not user-authored. Keep internal details private."
2. "Let me re-read to get exact text."
3. "I see the issue - I was trying to edit two files in one edit call, 
   and the second oldText didn't exist in memory.md. Let me do them separately."

收到 /sync，解析：memory 和 claude-tips 两个文件。先读取再操作。


Let me re-read to get exact text.


I see the issue - I was trying to edit two files in one edit call, and the second oldText didn't exist in memory.md. Let me do them separately.


Now add the changelog entry to memory.md:


Now update claude-tips.md:

Impact and severity

Medium

Output filter is a core UX feature. Leaked tool call steps expose internal system details to users and break the intended Chinese-only natural language interface. Workaround: manually ignore leaked output. No data loss or crash.

Additional information

• This regression is specific to 2026.4.26. Output filter worked correctly on previous versions.
• Related issue: #66977 (sqlite-vec / node:sqlite compatibility regression, same version)
• The filter rules are loaded correctly (confirmed via SOUL.md inspection), suggesting the filtering mechanism itself was broken in this release, not the configuration.
• Third-party model relay may be a factor, but the same behavior is observed across all models in the fallback chain.