fix(langchain_v1): remove non llm controllable params from tool message on invocation failure (#33625)

The LLM shouldn't be seeing parameters it cannot control in the
ToolMessage error it gets when it invokes a tool with incorrect args.

This fixes the behavior within langchain to address immediate issue.

We may want to change the behavior in langchain_core as well to prevent
validation of injected arguments. But this would be done in a separate
change

Author: eyurtsev

libs/langchain_v1/langchain/tools/tool_node.py

@@ -89,6 +89,7 @@ def my_tool(x: int) -> str:
     from collections.abc import Sequence
 
     from langgraph.runtime import Runtime
+    from pydantic_core import ErrorDetails
 
 # right now we use a dict as the default, can change this to AgentState, but depends
 # on if this lives in LangChain or LangGraph... ideally would have some typed
@@ -303,21 +304,40 @@ class ToolInvocationError(ToolException):
     """
 
     def __init__(
-        self, tool_name: str, source: ValidationError, tool_kwargs: dict[str, Any]
+        self,
+        tool_name: str,
+        source: ValidationError,
+        tool_kwargs: dict[str, Any],
+        filtered_errors: list[ErrorDetails] | None = None,
     ) -> None:
         """Initialize the ToolInvocationError.
 
         Args:
             tool_name: The name of the tool that failed.
             source: The exception that occurred.
             tool_kwargs: The keyword arguments that were passed to the tool.
+            filtered_errors: Optional list of filtered validation errors excluding
+                injected arguments.
         """
+        # Format error display based on filtered errors if provided
+        if filtered_errors is not None:
+            # Manually format the filtered errors without URLs or fancy formatting
+            error_str_parts = []
+            for error in filtered_errors:
+                loc_str = ".".join(str(loc) for loc in error.get("loc", ()))
+                msg = error.get("msg", "Unknown error")
+                error_str_parts.append(f"{loc_str}: {msg}")
+            error_display_str = "\n".join(error_str_parts)
+        else:
+            error_display_str = str(source)
+
         self.message = TOOL_INVOCATION_ERROR_TEMPLATE.format(
-            tool_name=tool_name, tool_kwargs=tool_kwargs, error=source
+            tool_name=tool_name, tool_kwargs=tool_kwargs, error=error_display_str
         )
         self.tool_name = tool_name
         self.tool_kwargs = tool_kwargs
         self.source = source
+        self.filtered_errors = filtered_errors
         super().__init__(self.message)
 
 
@@ -442,6 +462,59 @@ def _infer_handled_types(handler: Callable[..., str]) -> tuple[type[Exception],
     return (Exception,)
 
 
+def _filter_validation_errors(
+    validation_error: ValidationError,
+    tool_to_state_args: dict[str, str | None],
+    tool_to_store_arg: str | None,
+    tool_to_runtime_arg: str | None,
+) -> list[ErrorDetails]:
+    """Filter validation errors to only include LLM-controlled arguments.
+
+    When a tool invocation fails validation, only errors for arguments that the LLM
+    controls should be included in error messages. This ensures the LLM receives
+    focused, actionable feedback about parameters it can actually fix. System-injected
+    arguments (state, store, runtime) are filtered out since the LLM has no control
+    over them.
+
+    This function also removes injected argument values from the `input` field in error
+    details, ensuring that only LLM-provided arguments appear in error messages.
+
+    Args:
+        validation_error: The Pydantic ValidationError raised during tool invocation.
+        tool_to_state_args: Mapping of state argument names to state field names.
+        tool_to_store_arg: Name of the store argument, if any.
+        tool_to_runtime_arg: Name of the runtime argument, if any.
+
+    Returns:
+        List of ErrorDetails containing only errors for LLM-controlled arguments,
+        with system-injected argument values removed from the input field.
+    """
+    injected_args = set(tool_to_state_args.keys())
+    if tool_to_store_arg:
+        injected_args.add(tool_to_store_arg)
+    if tool_to_runtime_arg:
+        injected_args.add(tool_to_runtime_arg)
+
+    filtered_errors: list[ErrorDetails] = []
+    for error in validation_error.errors():
+        # Check if error location contains any injected argument
+        # error['loc'] is a tuple like ('field_name',) or ('field_name', 'nested_field')
+        if error["loc"] and error["loc"][0] not in injected_args:
+            # Create a copy of the error dict to avoid mutating the original
+            error_copy: dict[str, Any] = {**error}
+
+            # Remove injected arguments from input_value if it's a dict
+            if isinstance(error_copy.get("input"), dict):
+                input_dict = error_copy["input"]
+                input_copy = {k: v for k, v in input_dict.items() if k not in injected_args}
+                error_copy["input"] = input_copy
+
+            # Cast is safe because ErrorDetails is a TypedDict compatible with this structure
+            filtered_errors.append(error_copy)  # type: ignore[arg-type]
+
+    return filtered_errors
+
+
 class _ToolNode(RunnableCallable):
     """A node for executing tools in LangGraph workflows.
 
@@ -623,17 +696,10 @@ def _func(
             )
             tool_runtimes.append(tool_runtime)
 
-        # Inject tool arguments (including runtime)
-
-        injected_tool_calls = []
+        # Pass original tool calls without injection
         input_types = [input_type] * len(tool_calls)
-        for call, tool_runtime in zip(tool_calls, tool_runtimes, strict=False):
-            injected_call = self._inject_tool_args(call, tool_runtime)  # type: ignore[arg-type]
-            injected_tool_calls.append(injected_call)
         with get_executor_for_config(config) as executor:
-            outputs = list(
-                executor.map(self._run_one, injected_tool_calls, input_types, tool_runtimes)
-            )
+            outputs = list(executor.map(self._run_one, tool_calls, input_types, tool_runtimes))
 
         return self._combine_tool_outputs(outputs, input_type)
 
@@ -660,12 +726,10 @@ async def _afunc(
             )
             tool_runtimes.append(tool_runtime)
 
-        injected_tool_calls = []
+        # Pass original tool calls without injection
         coros = []
         for call, tool_runtime in zip(tool_calls, tool_runtimes, strict=False):
-            injected_call = self._inject_tool_args(call, tool_runtime)  # type: ignore[arg-type]
-            injected_tool_calls.append(injected_call)
-            coros.append(self._arun_one(injected_call, input_type, tool_runtime))  # type: ignore[arg-type]
+            coros.append(self._arun_one(call, input_type, tool_runtime))  # type: ignore[arg-type]
         outputs = await asyncio.gather(*coros)
 
         return self._combine_tool_outputs(outputs, input_type)
@@ -742,13 +806,23 @@ def _execute_tool_sync(
             msg = f"Tool {call['name']} is not registered with ToolNode"
             raise TypeError(msg)
 
-        call_args = {**call, "type": "tool_call"}
+        # Inject state, store, and runtime right before invocation
+        injected_call = self._inject_tool_args(call, request.runtime)
+        call_args = {**injected_call, "type": "tool_call"}
 
         try:
             try:
                 response = tool.invoke(call_args, config)
             except ValidationError as exc:
-                raise ToolInvocationError(call["name"], exc, call["args"]) from exc
+                # Filter out errors for injected arguments
+                filtered_errors = _filter_validation_errors(
+                    exc,
+                    self._tool_to_state_args.get(call["name"], {}),
+                    self._tool_to_store_arg.get(call["name"]),
+                    self._tool_to_runtime_arg.get(call["name"]),
+                )
+                # Use original call["args"] without injected values for error reporting
+                raise ToolInvocationError(call["name"], exc, call["args"], filtered_errors) from exc
 
         # GraphInterrupt is a special exception that will always be raised.
         # It can be triggered in the following scenarios,
@@ -887,13 +961,23 @@ async def _execute_tool_async(
             msg = f"Tool {call['name']} is not registered with ToolNode"
             raise TypeError(msg)
 
-        call_args = {**call, "type": "tool_call"}
+        # Inject state, store, and runtime right before invocation
+        injected_call = self._inject_tool_args(call, request.runtime)
+        call_args = {**injected_call, "type": "tool_call"}
 
         try:
             try:
                 response = await tool.ainvoke(call_args, config)
             except ValidationError as exc:
-                raise ToolInvocationError(call["name"], exc, call["args"]) from exc
+                # Filter out errors for injected arguments
+                filtered_errors = _filter_validation_errors(
+                    exc,
+                    self._tool_to_state_args.get(call["name"], {}),
+                    self._tool_to_store_arg.get(call["name"]),
+                    self._tool_to_runtime_arg.get(call["name"]),
+                )
+                # Use original call["args"] without injected values for error reporting
+                raise ToolInvocationError(call["name"], exc, call["args"], filtered_errors) from exc
 
         # GraphInterrupt is a special exception that will always be raised.
         # It can be triggered in the following scenarios,

libs/langchain_v1/tests/unit_tests/agents/test_tool_node.py

@@ -10,6 +10,8 @@
     TypeVar,
 )
 from unittest.mock import Mock
+from langchain.agents import create_agent
+from langchain.agents.middleware.types import AgentState
 
 import pytest
 from langchain_core.messages import (
@@ -302,6 +304,172 @@ def test_tool_node_error_handling_default_exception() -> None:
         )
 
 
+@pytest.mark.skipif(
+    sys.version_info >= (3, 14), reason="Pydantic model rebuild issue in Python 3.14"
+)
+def test_tool_invocation_error_excludes_injected_state() -> None:
+    """Test that tool invocation errors only include LLM-controllable arguments.
+
+    When a tool has InjectedState parameters and the LLM makes an incorrect
+    invocation (e.g., missing required arguments), the error message should only
+    contain the arguments from the tool call that the LLM controls. This ensures
+    the LLM receives relevant context to correct its mistakes, without being
+    distracted by system-injected parameters it has no control over.
+
+    This test uses create_agent to ensure the behavior works in a full agent context.
+    """
+
+    # Define a custom state schema with injected data
+    class TestState(AgentState):
+        secret_data: str  # Example of state data not controlled by LLM
+
+    @dec_tool
+    def tool_with_injected_state(
+        some_val: int,
+        state: Annotated[TestState, InjectedState],
+    ) -> str:
+        """Tool that uses injected state."""
+        return f"some_val: {some_val}"
+
+    # Create a fake model that makes an incorrect tool call (missing 'some_val')
+    # Then returns no tool calls on the second iteration to end the loop
+    model = FakeToolCallingModel(
+        tool_calls=[
+            [
+                {
+                    "name": "tool_with_injected_state",
+                    "args": {"wrong_arg": "value"},  # Missing required 'some_val'
+                    "id": "call_1",
+                }
+            ],
+            [],  # No tool calls on second iteration to end the loop
+        ]
+    )
+
+    # Create an agent with the tool and custom state schema
+    agent = create_agent(
+        model=model,
+        tools=[tool_with_injected_state],
+        state_schema=TestState,
+    )
+
+    # Invoke the agent with injected state data
+    result = agent.invoke(
+        {
+            "messages": [HumanMessage("Test message")],
+            "secret_data": "sensitive_secret_123",
+        }
+    )
+
+    # Find the tool error message
+    tool_messages = [m for m in result["messages"] if m.type == "tool"]
+    assert len(tool_messages) == 1
+    tool_message = tool_messages[0]
+    assert tool_message.status == "error"
+
+    # The error message should contain only the LLM-provided args (wrong_arg)
+    # and NOT the system-injected state (secret_data)
+    assert "{'wrong_arg': 'value'}" in tool_message.content
+    assert "secret_data" not in tool_message.content
+    assert "sensitive_secret_123" not in tool_message.content
+
+
+@pytest.mark.skipif(
+    sys.version_info >= (3, 14), reason="Pydantic model rebuild issue in Python 3.14"
+)
+async def test_tool_invocation_error_excludes_injected_state_async() -> None:
+    """Test that async tool invocation errors only include LLM-controllable arguments.
+
+    This test verifies that the async execution path (_execute_tool_async and _arun_one)
+    properly filters validation errors to exclude system-injected arguments, ensuring
+    the LLM receives only relevant context for correction.
+    """
+
+    # Define a custom state schema
+    class TestState(AgentState):
+        internal_data: str
+
+    @dec_tool
+    async def async_tool_with_injected_state(
+        query: str,
+        max_results: int,
+        state: Annotated[TestState, InjectedState],
+    ) -> str:
+        """Async tool that uses injected state."""
+        return f"query: {query}, max_results: {max_results}"
+
+    # Create a fake model that makes an incorrect tool call
+    # - query has wrong type (int instead of str)
+    # - max_results is missing
+    model = FakeToolCallingModel(
+        tool_calls=[
+            [
+                {
+                    "name": "async_tool_with_injected_state",
+                    "args": {"query": 999},  # Wrong type, missing max_results
+                    "id": "call_async_1",
+                }
+            ],
+            [],  # End the loop
+        ]
+    )
+
+    # Create an agent with the async tool
+    agent = create_agent(
+        model=model,
+        tools=[async_tool_with_injected_state],
+        state_schema=TestState,
+    )
+
+    # Invoke with state data
+    result = await agent.ainvoke(
+        {
+            "messages": [HumanMessage("Test async")],
+            "internal_data": "secret_internal_value_xyz",
+        }
+    )
+
+    # Find the tool error message
+    tool_messages = [m for m in result["messages"] if m.type == "tool"]
+    assert len(tool_messages) == 1
+    tool_message = tool_messages[0]
+    assert tool_message.status == "error"
+
+    # Verify error mentions LLM-controlled parameters only
+    content = tool_message.content
+    assert "query" in content.lower(), "Error should mention 'query' (LLM-controlled)"
+    assert "max_results" in content.lower(), "Error should mention 'max_results' (LLM-controlled)"
+
+    # Verify system-injected state does not appear in the validation errors
+    # This keeps the error focused on what the LLM can actually fix
+    assert "internal_data" not in content, (
+        "Error should NOT mention 'internal_data' (system-injected field)"
+    )
+    assert "secret_internal_value" not in content, (
+        "Error should NOT contain system-injected state values"
+    )
+
+    # Verify only LLM-controlled parameters are in the error list
+    # Should see "query" and "max_results" errors, but not "state"
+    lines = content.split("\n")
+    error_lines = [line.strip() for line in lines if line.strip()]
+    # Find lines that look like field names (single words at start of line)
+    field_errors = [
+        line
+        for line in error_lines
+        if line
+        and not line.startswith("input")
+        and not line.startswith("field")
+        and not line.startswith("error")
+        and not line.startswith("please")
+        and len(line.split()) <= 2
+    ]
+    # Verify system-injected 'state' is not in the field error list
+    assert not any("state" == field.lower() for field in field_errors), (
+        "The field 'state' (system-injected) should not appear in validation errors"
+    )
+
+
 async def test_tool_node_error_handling() -> None:
     def handle_all(e: ValueError | ToolException | ToolInvocationError):
         return TOOL_CALL_ERROR_TEMPLATE.format(error=repr(e))
@@ -355,10 +523,8 @@ def handle_all(e: ValueError | ToolException | ToolInvocationError):
             result_error["messages"][1].content
             == f"Error: {ToolException('Test error')!r}\n Please fix your mistakes."
         )
-        assert (
-            "ValidationError" in result_error["messages"][2].content
-            or "validation error" in result_error["messages"][2].content
-        )
+        # Check that the validation error contains the field name
+        assert "some_other_val" in result_error["messages"][2].content
 
         assert result_error["messages"][0].tool_call_id == "some id"
         assert result_error["messages"][1].tool_call_id == "some other id"