[Bug] claude-opus-4-8 corrupts tool-call boundary token, emitting raw XML instead of tool_use blocks
Bug Description
Title: claude-opus-4-8 corrupts the tool-call boundary token, making tool calls unparseable
Summary
claude-opus-4-8 frequently emits tool calls as raw text instead of structured tool_use blocks. The control token that should open a tool call is corrupted into a short English word such as "court", "count", or "call", followed by literal <invoke name="..."> / <parameter name="..."> XML markup leaking as plain text. The harness cannot parse it and returns "The model's tool call could not be parsed (retry also failed)."
Symptom
- Error shown: The model's tool call could not be parsed (retry also failed).
- The assistant text block in the transcript retains raw markup, e.g.:
count
<invoke name="mcp__office-powerpoint__manage_text">
</invoke>
- Once the malformed text lands in the transcript, the model imitates its own prior corrupted output and reproduces it. The failure self-amplifies; the session does not recover.
Reproducibility — measured across multiple sessions
| session | date | parse failures | corrupted token | context |
| - | - | - | - | - |
| 20445d31 | 2026-06-06 | 18 | court | no MCP, built-in tools only (TaskUpdate, Edit, Read) |
| 5a162ff8 (Desktop) | 2026-06-06 | 8 | count | office-powerpoint MCP (manage_text, etc.) |
| 27abde7f | 2026-06-07 | 90 | court / count | 142 MB oversized session |
| 019b9947 | 2026-06-09 | 15 | call | opus-4-8 main loop, sonnet subagent mix |
| 81474f37 | 2026-06-09 | 4 | same class | brand-new session, hit within first 100 lines |
Also reproduced live in an unrelated reporter session on claude-opus-4-8: the assistant emitted "court" + <invoke> markup as text; a single retry recovered.
Isolation
- Model is claude-opus-4-8 in every affected session. That is the only common factor.
- Recurs in fresh sessions, not just context-poisoned ones. 81474f37 was a clean launch (claude --name ... --dangerously-skip-permissions, no --resume, no project .mcp.json) and corrupted by line 100.
- The corrupted token varies (court, count, call) but is always a short English word appearing at the tool-call boundary.
- More likely with many-parameter MCP tools (e.g. manage_text) and with batches of parallel tool calls.
- Sonnet 4.6 does not exhibit it (0 failures).
- claude-fable-5 does not exhibit it, but tasks classified as cybersecurity are automatically routed back to Opus, so the failure loops back on Opus(I don't do cybersecurity hacking!).
Impact
- Tool-call-heavy work (spec authoring, PPTX generation, document editing) becomes unable to continue.
- Large sessions accumulate many failures (e.g. 90), forcing a workflow of writing a handoff doc and restarting.
- Users who want Opus must offload execution work to Sonnet to avoid the bug.
Environment
- Claude Code 2.1.170, macOS (Darwin)
- model id: claude-opus-4-8
- Observed across 2.1.167 through 2.1.170
Requests
- Fix the tool-call serialization boundary-token corruption.
- Until fixed, provide a way for users to pin a model so that the internal routing of cybersecurity-classified tasks does not force them back to Opus.
Environment Info
- Platform: darwin
- Terminal: tmux
- Version: 2.1.169
- Feedback ID: 9804383f-036d-49b4-9f61-037bc01a3869
Errors
[]This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗