GPT-5.3 Codex: DCP context_info appears as callable function and causes garbled tool-call output

[maximharizanov]

Problem

When using GPT-5.3 Codex, DCP-injected context_info metadata can appear in tool-call context as if it were callable. The model then emits malformed/garbled tool-call envelopes in user-visible text (for example functions.context_info and raw tool payload fragments).

Why this leaks in OpenCode

context_info is not a registered callable tool in OpenCode's tool registry, but it can still become model-visible when it is injected as a tool-shaped message part.

In packages/opencode/src/session/message-v2.ts, OpenCode collects tool names from assistant history tool parts:

• const toolNames = new Set<string>()
• toolNames.add(part.tool)

Then it builds a tools map from those names and passes it into model message conversion:

• const tools = Object.fromEntries(Array.from(toolNames).map((toolName) => [toolName, { toModelOutput }]))
• convertToModelMessages(..., { tools })

So if DCP injects an internal marker as type: "tool" with tool: "context_info", that name can flow into model-facing tool context and be interpreted as callable/tool-like by the model.

I believe this regression was introduced in #342 when tool-like part injection was enabled for all models.

Observed behavior

• Runtime output includes raw tool-call envelope text instead of clean assistant output.
• The model attempts/mentions functions.context_info even though context_info is an internal marker, not a real callable tool.
• Follow-on tool validation errors can appear after this malformed path.

Suggested solution

• Ensure DCP context metadata is injected as text-only context, not tool-shaped parts.
• Add a guard so synthetic/internal context labels (like context_info) are never exposed as callable tool names in model-facing tool context.
• Add a regression test for GPT-5.3 Codex to verify injected context metadata never surfaces as functions.* calls.

[Tarquinen]

hey, yea i'm aware of this, it's a hard one to fix but I hope it's also a really rare / not impactful issue, the model just outputs some garbage that doesn't do anything then carries on. Your suggestions don't work for other reasons, and I haven't been able to come up with a good fix / workaround yet, but I haven't given up.

[maximharizanov]

I can't definitively prove it as a cause, but 5.3 Codex seems to often end its turn prematurely after these garbled tool calls.

[kui123456789]

I am also experiencing this exact issue when using the latest Google models (Gemini 3.1 Pro / Antigravity). The model gets confused by the injected context metadata and ends up outputting the internal system guardrails directly into the chat response, like this:

<context-info>
Context management was just performed. Do NOT use the distill or prune tools again. A fresh list will be available after your next tool use.
</context-info>

It seems the model interprets these internal system messages or context_info blocks as visible context it needs to address or output, confirming that the current injection method leaks internal tool/state shapes to the LLM.