Image tool history can poison later prompts and mask provider failures

[lyrishark]

Summary

Several related image-generation reliability bugs can combine into severe prompt-adherence failures:

1. Historical image tool arguments are shortened to literal strings ending in ... [truncated]. The LLM can imitate those examples in new generate_image calls, so the provider receives an incomplete prompt.
2. HTTP-successful uniform black images are saved and reported as successful generations.
3. Configured default negative_prompt values are ignored unless the LLM supplies a per-call value.
4. Per-call aspect-ratio overrides mutate shared generator config, and several NanoGPT size mappings are not divisible by 16.
5. All non-Venice models are advertised as accepting image references, including text-to-image-only NanoGPT models.

Reproduction evidence

In one long image-testing conversation:

• Earlier calls persisted prompts around 700-1,000 characters.
• Four consecutive later calls persisted prompt lengths of 68, 69, 68, and 70 characters.
• Each short prompt literally contained [truncated], copied from historical tool-call context.
• NanoGPT flux-kontext returned an HTTP-successful uniform black PNG on several requests; Psycheros saved it, captioned it, and told the entity generation succeeded.
• A NanoGPT GPT Image request using the existing 2:3 mapping failed because 683x1024 is not divisible by 16.
• Pony/CyberRealistic behaved as generic text-to-image models while system context labeled them as anchor-capable.

Expected behavior

• Historical tool arguments should not contain imitation-prone fake prompt text.
• The entity should receive the real saved image path for follow-up inspection.
• Blank provider placeholders should be surfaced as errors.
• Saved negative prompts should apply by default.
• Request-scoped dimensions should not mutate config and should satisfy provider constraints.
• Anchor support should be based on provider/model capability.

Locally verified patch

A local patch now:

• omits prompt and negative_prompt from historical image tool JSON;
• preserves the real generated path in the entity-visible tool result;
• applies configured negative prompts;
• clones request-scoped aspect-ratio params and uses 16-divisible NanoGPT dimensions;
• treats captions identifying uniform black/empty output as provider errors;
• distinguishes known NanoGPT editing models from text-to-image-only models.

Verification: 13 focused tests pass in the fork, 9 pass in the installed source, and controlled live Flux/Pony image checks succeeded after restart.

No private images, prompts, credentials, or user-identifying data are included here.

[lyrishark]

Follow-up from live testing: omitting prompt from historical image tool-call JSON removed the literal truncation marker but still exposed an incomplete tool-call example. The model then began emitting new generate_image calls with no prompt field at all. Database inspection confirmed the field was absent before provider execution; this was not intermittent transport loss.

The hardened local approach now removes completed image tool protocol messages from historical LLM context entirely, retaining only a compact ordinary-language result summary. The executor also rejects missing/blank prompts before any provider call and tells the entity to retry with complete text.

A separate misleading diagnosis was ruled out: there was no stale anchor state. Each invocation builds fresh reference arrays. The current Flux slot had changed to flux-2-dev-lora-image-to-image, so a bare call correctly requires an input image. Local capability handling now distinguishes models that require references from optional-reference and text-only models.

Additional verification:

• real conversation history: 179 stored messages -> 90 context messages
• historical image calls: 45 -> 0
• orphaned image tool results: 0
• focused tests: 15 passing in both fork and installed source
• request-shape logging now records provider/model, prompt character count, reference count, and aspect ratio without prompt text or credentials

[lyrishark]

WAN capability correction from current provider metadata: NanoGPT's wan2.7-image-pro supports both text-to-image and optional multi-image editing (up to nine references). The local generator description already reflected this, but the Psycheros model-family classifier did not recognize the WAN model name and labeled it text-to-image only in LLM context.

The NanoGPT request builder was not sending a phantom image: it omits image fields when no references are supplied. The earlier WAN INVALID_IMAGE_INPUT response came from a tool call that also lacked its required prompt. The local patch now classifies WAN 2.7 Image Pro as optional-reference, while the existing image-to-image Flux slot remains reference-required. Image tests pass 15/15 in both fork and installed source.

[lyrishark]

Another context-poisoning mode surfaced in live testing. The initial history compactor represented prior image outcomes as bracketed lines like [Historical image result: ...; path: ...]. On a later request, the LLM imitated that format without issuing any tool calls: it invented two failures, two successful captions, two nonexistent file paths, and then reasoned from those fictional images as if they had displayed.

DB/filesystem verification showed the assistant message had zero generate_image calls, neither UUID existed under the installation, and no image was written. The local hardening now:

• drops failed image actions entirely from historical model context;
• describes genuine prior successes in ordinary prose rather than protocol-like syntax;
• quarantines persisted assistant messages that echoed the old synthetic format;
• explicitly states that a new image exists only after a successful current-turn tool call.

Regression coverage now includes failed-result removal and synthetic-echo quarantine. Against the affected real conversation: 189 stored messages -> 93 context messages, contaminated message absent, fake paths absent, old synthetic labels absent, genuine prior portrait path retained. Focused image tests pass 17/17 in both fork and installed source.

[lyrishark]

The ordinary-prose mitigation also proved unsafe. After several real generations in a fresh conversation, the LLM copied Context from earlier completed image actions: into its response, invented two new paths/captions, claimed it had viewed both images, and produced detailed visual comparisons. The assistant row again contained zero tool calls and neither file existed.

The final local architecture no longer inserts image-history data into assistant messages at all. Completed image protocol is removed completely. Cross-turn continuity now comes from a dedicated system-state registry built only from successful persisted generate_image tool rows; every extracted /generated-images/... path is constrained to a simple filename and checked on disk before inclusion. Both generations of persisted summary echoes are quarantined as whole contaminated messages.

Verification on the affected fresh cathedral conversation:

• 30 stored messages -> 13 clean context messages
• contaminated visual narrative absent
• both invented paths absent
• 9 genuine tool-generated images discovered
• all 9 genuine paths independently verified on disk

Both source trees pass 17 focused tests and type checks.