[Bug] claude-opus-4-8 corrupts tool-call boundary token, emitting raw XML instead of tool_use blocks

Open 💬 1 comment Opened Jun 10, 2026 by Saruwatari-Youhei

Bug Description
Title: claude-opus-4-8 corrupts the tool-call boundary token, making tool calls unparseable

Summary

claude-opus-4-8 frequently emits tool calls as raw text instead of structured tool_use blocks. The control token that should open a tool call is corrupted into a short English word such as "court", "count", or "call", followed by literal <invoke name="..."> / <parameter name="..."> XML markup leaking as plain text. The harness cannot parse it and returns "The model's tool call could not be parsed (retry also failed)."

Symptom

  • Error shown: The model's tool call could not be parsed (retry also failed).
  • The assistant text block in the transcript retains raw markup, e.g.:

count
<invoke name="mcp__office-powerpoint__manage_text">
</invoke>

  • Once the malformed text lands in the transcript, the model imitates its own prior corrupted output and reproduces it. The failure self-amplifies; the session does not recover.

Reproducibility — measured across multiple sessions

| session | date | parse failures | corrupted token | context |
| - | - | - | - | - |
| 20445d31 | 2026-06-06 | 18 | court | no MCP, built-in tools only (TaskUpdate, Edit, Read) |
| 5a162ff8 (Desktop) | 2026-06-06 | 8 | count | office-powerpoint MCP (manage_text, etc.) |
| 27abde7f | 2026-06-07 | 90 | court / count | 142 MB oversized session |
| 019b9947 | 2026-06-09 | 15 | call | opus-4-8 main loop, sonnet subagent mix |
| 81474f37 | 2026-06-09 | 4 | same class | brand-new session, hit within first 100 lines |

Also reproduced live in an unrelated reporter session on claude-opus-4-8: the assistant emitted "court" + <invoke> markup as text; a single retry recovered.

Isolation

  • Model is claude-opus-4-8 in every affected session. That is the only common factor.
  • Recurs in fresh sessions, not just context-poisoned ones. 81474f37 was a clean launch (claude --name ... --dangerously-skip-permissions, no --resume, no project .mcp.json) and corrupted by line 100.
  • The corrupted token varies (court, count, call) but is always a short English word appearing at the tool-call boundary.
  • More likely with many-parameter MCP tools (e.g. manage_text) and with batches of parallel tool calls.
  • Sonnet 4.6 does not exhibit it (0 failures).
  • claude-fable-5 does not exhibit it, but tasks classified as cybersecurity are automatically routed back to Opus, so the failure loops back on Opus(I don't do cybersecurity hacking!).

Impact

  • Tool-call-heavy work (spec authoring, PPTX generation, document editing) becomes unable to continue.
  • Large sessions accumulate many failures (e.g. 90), forcing a workflow of writing a handoff doc and restarting.
  • Users who want Opus must offload execution work to Sonnet to avoid the bug.

Environment

  • Claude Code 2.1.170, macOS (Darwin)
  • model id: claude-opus-4-8
  • Observed across 2.1.167 through 2.1.170

Requests

  • Fix the tool-call serialization boundary-token corruption.
  • Until fixed, provide a way for users to pin a model so that the internal routing of cybersecurity-classified tasks does not force them back to Opus.

Environment Info

  • Platform: darwin
  • Terminal: tmux
  • Version: 2.1.169
  • Feedback ID: 9804383f-036d-49b4-9f61-037bc01a3869

Errors

[]

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗