@f5xc-salesdemos/xcsh 18.59.1 → 18.61.0

package/package.json

@@ -1,7 +1,7 @@
 {
 	"type": "module",
 	"name": "@f5xc-salesdemos/xcsh",
-	"version": "18.59.1",
+	"version": "18.61.0",
 	"description": "Coding agent CLI with read, bash, edit, write tools and session management",
 	"homepage": "https://github.com/f5xc-salesdemos/xcsh",
 	"author": "Can Boluk",
@@ -48,12 +48,12 @@
 	"dependencies": {
 		"@agentclientprotocol/sdk": "0.16.1",
 		"@mozilla/readability": "^0.6",
-		"@f5xc-salesdemos/xcsh-stats": "18.59.1",
-		"@f5xc-salesdemos/pi-agent-core": "18.59.1",
-		"@f5xc-salesdemos/pi-ai": "18.59.1",
-		"@f5xc-salesdemos/pi-natives": "18.59.1",
-		"@f5xc-salesdemos/pi-tui": "18.59.1",
-		"@f5xc-salesdemos/pi-utils": "18.59.1",
+		"@f5xc-salesdemos/xcsh-stats": "18.61.0",
+		"@f5xc-salesdemos/pi-agent-core": "18.61.0",
+		"@f5xc-salesdemos/pi-ai": "18.61.0",
+		"@f5xc-salesdemos/pi-natives": "18.61.0",
+		"@f5xc-salesdemos/pi-tui": "18.61.0",
+		"@f5xc-salesdemos/pi-utils": "18.61.0",
 		"@sinclair/typebox": "^0.34",
 		"@xterm/headless": "^6.0",
 		"ajv": "^8.18",

package/src/internal-urls/build-info.generated.ts

@@ -17,17 +17,17 @@ export interface BuildInfo {
 }
 
 export const BUILD_INFO: BuildInfo = {
-	"version": "18.59.1",
-	"commit": "fa007898365b1a63e38748e06d2c86c13779ff53",
-	"shortCommit": "fa00789",
+	"version": "18.61.0",
+	"commit": "3fb67bac59bac8144b1a3cda6a4db0567e20beb8",
+	"shortCommit": "3fb67ba",
 	"branch": "main",
-	"tag": "v18.59.1",
-	"commitDate": "2026-05-10T17:48:40Z",
-	"buildDate": "2026-05-10T18:15:56.886Z",
+	"tag": "v18.61.0",
+	"commitDate": "2026-05-10T20:38:37Z",
+	"buildDate": "2026-05-10T20:59:01.622Z",
 	"dirty": true,
 	"prNumber": "",
 	"repoUrl": "https://github.com/f5xc-salesdemos/xcsh",
 	"repoSlug": "f5xc-salesdemos/xcsh",
-	"commitUrl": "https://github.com/f5xc-salesdemos/xcsh/commit/fa007898365b1a63e38748e06d2c86c13779ff53",
-	"releaseUrl": "https://github.com/f5xc-salesdemos/xcsh/releases/tag/v18.59.1"
+	"commitUrl": "https://github.com/f5xc-salesdemos/xcsh/commit/3fb67bac59bac8144b1a3cda6a4db0567e20beb8",
+	"releaseUrl": "https://github.com/f5xc-salesdemos/xcsh/releases/tag/v18.61.0"
 };

package/src/prompts/tools/xcsh-api.md

@@ -3,23 +3,18 @@ Execute an F5 Distributed Cloud API call directly.
 Handles authentication, URL construction, and HTTP execution.
 Credentials are resolved from the active context profile (`/context`). Environment variables
 `F5XC_API_URL` and `F5XC_API_TOKEN` override context values when set.
-
 Path parameters like `{namespace}` are auto-resolved from the active context when not
 explicitly provided in `params`. For example, `{namespace}` resolves to the context's
 default namespace (`F5XC_NAMESPACE`).
-
 Pass all path `{placeholder}` values via `params`, e.g. `{ namespace: "default", name: "example-lb", vh_name: "example-vh" }`.
 Body is sent for all methods except GET when `payload` is provided — including DELETE operations that require a body.
 Payload values like `$F5XC_NAMESPACE` are auto-expanded from the active context.
-
 Use this tool after reading the API catalog to get the endpoint path and payload structure.
-
 Response format:
 - **List**: `{"items": […], "errors": []}` — each item has `name`, `namespace`, `uid`.
 - **Single resource**: `{"metadata": {"name", "namespace"}, "system_metadata": {"uid", "creation_timestamp"}, "spec": {…}}` — noise-reduced in TUI (nulls/empties stripped).
 - **Create/Update**: Returns the full resource object. TUI shows a Created/Updated summary with name, uid, timestamp.
 - **Delete**: Returns `{}`. TUI shows contextual confirmation.
 - **Error**: `{"code": <int>, "message": "…"}` — codes: 3=INVALID_ARGUMENT, 5=NOT_FOUND, 6=ALREADY_EXISTS, 7=PERMISSION_DENIED, 13=INTERNAL.
-
 GET requests auto-retry once on transient errors (429/503) after 1s backoff. POST/PUT/DELETE are never retried.
 API calls to the same F5 XC tenant reuse a single TLS connection — sequential calls are faster than parallel calls. Do not issue multiple xcsh_api calls in the same turn; issue them one at a time.

package/src/services/context-env.ts

@@ -9,88 +9,45 @@ const PROMPT_HIDDEN: ReadonlySet<string> = new Set([
 	F5XC_NAMESPACE,
 	F5XC_CONTEXT_NAME,
 ]);
-
 /** Keys never expanded in payloads — credentials that must not leak into request bodies. */
 const PAYLOAD_HIDDEN: ReadonlySet<string> = new Set([F5XC_API_TOKEN, F5XC_API_URL]);
 
-/**
- * Bridge between F5 XC context profiles and the xcsh_api tool.
- *
- * Reads from `Settings.bash.environment` (populated by ContextService on profile
- * activation) and provides credential resolution, path parameter auto-filling,
- * and payload variable expansion. Consumed by:
- * - `XcshApiTool` for credential and namespace resolution during API calls
- * - `sdk.ts` for surfacing non-sensitive context vars in the system prompt
- */
 export interface ContextEnv {
-	/** Get a single env var value from bash.environment, or undefined. */
 	get(key: string): string | undefined;
-
-	/**
-	 * Resolve `{placeholder}` values in a URL path.
-	 * Explicit params are applied first. Remaining `{key}` placeholders are
-	 * resolved from bash.environment: `{namespace}` → F5XC_NAMESPACE,
-	 * `{key}` → F5XC_{KEY.toUpperCase()}.
-	 * Unresolvable placeholders are left intact.
-	 */
+	/** Resolve {placeholder} values in a URL path. Explicit params first, then auto-resolve from bash.environment. */
 	resolvePath(path: string, explicitParams?: Record<string, string>): string;
-
-	/**
-	 * Expand `$F5XC_*` variable references in a serialized JSON payload string.
-	 * Unresolvable references are left intact.
-	 */
+	/** Expand $F5XC_* variable references in a serialized JSON payload string. */
 	resolvePayloadVars(payloadJson: string): string;
-
-	/**
-	 * Return non-sensitive F5XC_* env vars from bash.environment, suitable for
-	 * display in the LLM system prompt. Excludes ALWAYS_HIDDEN keys, keys
-	 * matching SECRET_ENV_PATTERNS, and explicitly provided sensitiveKeys.
-	 */
+	/** Return non-sensitive F5XC_* env vars from bash.environment for system prompt display. */
 	getNonSensitiveVars(): Record<string, string>;
-
-	/** Return the active context profile name, or undefined if not set. */
 	getContextName(): string | undefined;
 }
 
-export interface ContextEnvOptions {
-	/** Additional keys to treat as sensitive (e.g. from context.sensitiveKeys). */
-	sensitiveKeys?: ReadonlySet<string>;
-}
+export type ContextEnvOptions = { sensitiveKeys?: ReadonlySet<string> };
 
-/**
- * Create a ContextEnv instance bound to the current bash.environment settings.
- *
- * @param settings - Any object with a `get(key)` method returning the value of
- *   "bash.environment" as `Record<string, string>`. Pass `Settings.instance` or
- *   `session.settings` in production; pass a stub in tests.
- * @param options - Optional configuration (sensitiveKeys to exclude).
- */
+function isSensitiveKey(key: string, hidden: ReadonlySet<string>, sensitive: ReadonlySet<string>): boolean {
+	return hidden.has(key) || SECRET_ENV_PATTERNS.test(key) || sensitive.has(key);
+}
 export function createContextEnv(settings: { get(key: string): unknown }, options?: ContextEnvOptions): ContextEnv {
 	function bashEnv(): Record<string, string> {
 		return (settings.get("bash.environment") ?? {}) as Record<string, string>;
 	}
-
 	function allSensitiveKeys(): ReadonlySet<string> {
 		if (options?.sensitiveKeys) return options.sensitiveKeys;
 		const fromSettings = settings.get("f5xc.sensitiveKeys");
 		return new Set(Array.isArray(fromSettings) ? (fromSettings as string[]) : []);
 	}
-
 	return {
 		get(key: string): string | undefined {
 			return bashEnv()[key];
 		},
-
 		getContextName(): string | undefined {
 			return bashEnv()[F5XC_CONTEXT_NAME] || undefined;
 		},
 
 		resolvePath(path: string, explicitParams?: Record<string, string>): string {
 			let resolved = path;
-
-			// Apply explicit params first — collect substituted ranges to prevent
-			// double-substitution (values containing {placeholder} syntax must not
-			// be re-resolved by the auto-resolve pass below).
+			// Apply explicit params first — collect substituted ranges to prevent double-substitution
 			const substituted = new Set<number>();
 			if (explicitParams) {
 				for (const [key, value] of Object.entries(explicitParams)) {
@@ -98,13 +55,11 @@ export function createContextEnv(settings: { get(key: string): unknown }, option
 					let idx = resolved.indexOf(placeholder);
 					while (idx !== -1) {
 						resolved = resolved.slice(0, idx) + value + resolved.slice(idx + placeholder.length);
-						// Mark all character positions within the substituted value
 						for (let i = idx; i < idx + value.length; i++) substituted.add(i);
 						idx = resolved.indexOf(placeholder, idx + value.length);
 					}
 				}
 			}
-
 			// Auto-resolve remaining {placeholder} values from bash.environment
 			const env = bashEnv();
 			const sensitive = allSensitiveKeys();
@@ -114,27 +69,20 @@ export function createContextEnv(settings: { get(key: string): unknown }, option
 				// {namespace} maps directly to F5XC_NAMESPACE
 				const envKey = key === "namespace" ? F5XC_NAMESPACE : `F5XC_${key.toUpperCase()}`;
 				// Never auto-inject credential or sensitive values into URL paths
-				if (PAYLOAD_HIDDEN.has(envKey)) return match;
-				if (SECRET_ENV_PATTERNS.test(envKey)) return match;
-				if (sensitive.has(envKey)) return match;
+				if (isSensitiveKey(envKey, PAYLOAD_HIDDEN, sensitive)) return match;
 				return env[envKey] ?? process.env[envKey] ?? match;
 			});
-
 			return resolved;
 		},
 
 		resolvePayloadVars(payloadJson: string): string {
 			const env = bashEnv();
 			const sensitive = allSensitiveKeys();
-			// Pattern matches $F5XC_* anywhere in the string (no word boundary).
-			// This is intentional: payload values like "$F5XC_NAMESPACE" are the
-			// primary use case and don't appear with preceding word chars in practice.
+			// $F5XC_* matches without word boundary — intentional for payload values
 			return payloadJson.replace(/\$F5XC_([A-Z0-9_]+)/g, (match, suffix) => {
 				const key = `F5XC_${suffix}`;
 				// Never expand credential keys into payloads
-				if (PAYLOAD_HIDDEN.has(key)) return match;
-				if (SECRET_ENV_PATTERNS.test(key)) return match;
-				if (sensitive.has(key)) return match;
+				if (isSensitiveKey(key, PAYLOAD_HIDDEN, sensitive)) return match;
 				const value = env[key] ?? process.env[key];
 				if (value === undefined) return match;
 				// JSON-escape the substituted value to prevent injection
@@ -143,17 +91,12 @@ export function createContextEnv(settings: { get(key: string): unknown }, option
 		},
 
 		getNonSensitiveVars(): Record<string, string> {
-			const env = bashEnv();
 			const sensitive = allSensitiveKeys();
-			const result: Record<string, string> = {};
-			for (const [key, value] of Object.entries(env)) {
-				if (!key.startsWith("F5XC_")) continue;
-				if (PROMPT_HIDDEN.has(key)) continue;
-				if (SECRET_ENV_PATTERNS.test(key)) continue;
-				if (sensitive.has(key)) continue;
-				result[key] = value;
-			}
-			return result;
+			return Object.fromEntries(
+				Object.entries(bashEnv()).filter(
+					([key]) => key.startsWith("F5XC_") && !isSensitiveKey(key, PROMPT_HIDDEN, sensitive),
+				),
+			);
 		},
 	};
 }

package/src/tools/xcsh-api-renderer.ts

@@ -1,21 +1,4 @@
-/**
- * TUI renderer for the xcsh_api tool.
- *
- * Provides rich, context-aware visualization for F5 XC API calls:
- * - renderCall: method badge + compact path while request is pending
- * - renderResult: bordered output with intelligent response rendering:
- *   - List responses: compact resource name summary (capped at 20 items)
- *   - Single resources: Summary section (name, uid, created, status) + noise-reduced JSON
- *   - Create/Update: Created/Updated confirmation with key identity fields
- *   - Delete: contextual success message with resource name
- *   - Errors: API error message promoted to Guidance, JSON body suppressed
- *   - Request payload section for mutating methods (POST/PUT/PATCH)
- *
- * Header meta: context name, colored duration, item count, body size, error code label.
- * Borders: success=dim, error=red, pending=accent.
- * JSON noise reduction via stripEmpty (nulls, empty strings, empty arrays stripped;
- * empty objects preserved for F5 XC protobuf oneof markers).
- */
+/** TUI renderer for the xcsh_api tool — rich, context-aware visualization for F5 XC API calls. */
 import type { Component } from "@f5xc-salesdemos/pi-tui";
 import { Text } from "@f5xc-salesdemos/pi-tui";
 import type { RenderResultOptions } from "../extensibility/custom-tools/types";
@@ -26,49 +9,19 @@ import { formatErrorMessage, replaceTabs } from "./render-utils";
 import type { XcshApiToolDetails } from "./xcsh-api";
 
 const TOOL_TITLE = "XC-API";
-
-/** Maximum response body lines before truncation. */
 const MAX_RESPONSE_LINES = 80;
-
-/** Maximum request payload lines before truncation. */
 const MAX_PAYLOAD_LINES = 30;
 
-interface XcshApiRenderArgs {
-	method?: string;
-	path?: string;
-	params?: Record<string, string>;
-	payload?: unknown;
-}
+type XcshApiRenderArgs = { method?: string; path?: string; params?: Record<string, string>; payload?: unknown };
 
-/** Map HTTP method to a theme color for the badge. */
-function methodColor(method: string): ThemeColor {
-	switch (method) {
-		case "GET":
-			return "accent";
-		case "DELETE":
-			return "error";
-		default:
-			return "warning";
-	}
-}
+const METHOD_COLORS: Record<string, ThemeColor> = { GET: "accent", DELETE: "error" };
 
-/** Map HTTP status code to a theme color. */
 function statusColor(status: number): ThemeColor {
-	if (status < 300) return "success";
-	if (status < 400) return "warning";
-	return "error";
-}
-
-/** Format byte size to human-readable string (e.g. "1.2 KB", "3.4 MB"). */
-function formatBytes(bytes: number): string {
-	if (bytes < 1024) return `${bytes} B`;
-	if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
-	return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+	return status < 300 ? "success" : status < 400 ? "warning" : "error";
 }
 
 /**
  * Strip null, empty string, and empty array fields recursively.
- * Reduces JSON noise from F5 XC API responses which contain many null/empty defaults.
  * Preserves empty objects `{}` — these are F5 XC protobuf oneof presence markers
  * (e.g. `use_origin_server_name: {}` means that option is selected).
  */
@@ -80,8 +33,7 @@ function stripEmpty(obj: unknown): unknown {
 		if (entries.length === 0) return obj;
 		const out: Record<string, unknown> = {};
 		for (const [k, v] of entries) {
-			if (v == null || v === "") continue;
-			if (Array.isArray(v) && v.length === 0) continue;
+			if (v == null || v === "" || (Array.isArray(v) && v.length === 0)) continue;
 			const cleaned = stripEmpty(v);
 			if (cleaned != null) out[k] = cleaned;
 		}
@@ -89,36 +41,22 @@ function stripEmpty(obj: unknown): unknown {
 	}
 	return obj;
 }
-
-/** Format ISO timestamp to human-readable: `2026-05-10T00:02:42.577Z` → `2026-05-10 00:02 UTC`. */
 function formatTimestamp(iso: string): string {
-	return iso
-		.replace("T", " ")
-		.replace(/:\d{2}\.\d+Z$/, " UTC")
-		.replace(/:\d{2}Z$/, " UTC");
+	return iso.replace("T", " ").replace(/:\d{2}(\.\d+)?Z$/, " UTC");
 }
-
-/** Push a labeled section with optional line truncation. */
-function pushSection(
-	sections: Array<{ label?: string; lines: string[] }>,
-	label: string,
-	lines: string[],
-	maxLines: number,
-	uiTheme: Theme,
-): void {
-	if (lines.length > maxLines) {
-		const truncated = lines.slice(0, maxLines);
-		truncated.push(uiTheme.fg("dim", `… ${lines.length - maxLines} more lines`));
-		sections.push({ label, lines: truncated });
-	} else {
-		sections.push({ label, lines });
+function stripProtobufPrefix(message: string): string {
+	return message.replace(/^ves\.io\.schema\.\S+:\s*/i, "");
+}
+function tryPrettyJson(text: string): string | null {
+	try {
+		return JSON.stringify(JSON.parse(text.trim()), null, 2);
+	} catch {
+		return null;
 	}
 }
-
-/** Build a compact summary section for a single F5 XC resource (identity + spec). */
 function buildResourceSummary(
 	parsed: Record<string, unknown>,
-	pathParts: string[],
+	_pathParts: string[],
 	method: string,
 	uiTheme: Theme,
 ): { label: string; lines: string[] } | null {
@@ -132,30 +70,10 @@ function buildResourceSummary(
 	if (typeof sysMeta?.uid === "string") lines.push(uiTheme.fg("dim", `  uid:       ${sysMeta.uid}`));
 	const createdAt = sysMeta?.creation_timestamp;
 	if (typeof createdAt === "string") lines.push(uiTheme.fg("dim", `  created:   ${formatTimestamp(createdAt)}`));
+	const creatorId = sysMeta?.creator_id;
+	if (typeof creatorId === "string") lines.push(uiTheme.fg("dim", `  creator:   ${creatorId}`));
 	if (metadata.disable === true) lines.push(uiTheme.fg("warning", `  status:    DISABLED`));
 
-	// Compact spec line: resource type from path + key config values
-	const spec = parsed.spec;
-	if (spec && typeof spec === "object") {
-		const specEntries = Object.entries(spec as Record<string, unknown>);
-		// Only show spec line when there are actual entries (skip empty spec: {})
-		if (specEntries.length > 0) {
-			const specScalars = specEntries
-				.filter(
-					([, v]) =>
-						typeof v === "number" ||
-						typeof v === "boolean" ||
-						(typeof v === "string" && v.length > 0 && v.length <= 30),
-				)
-				.slice(0, 4)
-				.map(([k, v]) => `${k}=${v}`)
-				.join(", ");
-			const resourceType = (pathParts.at(-2) ?? "config").replace(/_/g, " ").replace(/s$/, "");
-			const specLine = specScalars ? `${resourceType} (${specScalars})` : resourceType;
-			lines.push(uiTheme.fg("dim", `  spec:      ${specLine}`));
-		}
-	}
-
 	const isMutating = method === "POST" || method === "PUT" || method === "PATCH";
 	const label = isMutating ? (method === "POST" ? "Created" : "Updated") : "Summary";
 	return { label: uiTheme.fg("toolTitle", label), lines };
@@ -177,12 +95,8 @@ function splitResultContent(textContent: string, isError: boolean): { json?: str
 	const body = bodyStart >= 0 ? textContent.slice(bodyStart + 2) : textContent;
 
 	if (!isError) {
-		// Success: entire body is JSON
-		try {
-			return { json: JSON.stringify(JSON.parse(body.trim()), null, 2), raw: body };
-		} catch {
-			return { raw: body };
-		}
+		const pretty = tryPrettyJson(body);
+		return pretty ? { json: pretty, raw: body } : { raw: body };
 	}
 
 	// Error: body is "compactJSON\n\nguidanceText"
@@ -190,39 +104,30 @@ function splitResultContent(textContent: string, isError: boolean): { json?: str
 	if (guidanceSplit >= 0) {
 		const jsonPart = body.slice(0, guidanceSplit);
 		const guidancePart = body.slice(guidanceSplit + 2);
-		try {
-			return {
-				json: JSON.stringify(JSON.parse(jsonPart.trim()), null, 2),
-				guidance: guidancePart.trim(),
-				raw: body,
-			};
-		} catch {
-			// First part isn't JSON — treat whole body as guidance
-			return { guidance: body.trim(), raw: body };
-		}
+		const pretty = tryPrettyJson(jsonPart);
+		if (pretty) return { json: pretty, guidance: guidancePart.trim(), raw: body };
+		// First part isn't JSON — treat whole body as guidance
+		return { guidance: body.trim(), raw: body };
 	}
 
 	// No double newline — might be just JSON or just text
-	try {
-		return { json: JSON.stringify(JSON.parse(body.trim()), null, 2), raw: body };
-	} catch {
-		return { guidance: body.trim(), raw: body };
-	}
+	const pretty = tryPrettyJson(body);
+	return pretty ? { json: pretty, raw: body } : { guidance: body.trim(), raw: body };
 }
 
 export const xcshApiToolRenderer = {
 	renderCall(args: XcshApiRenderArgs, _options: RenderResultOptions, uiTheme: Theme): Component {
 		const method = args.method ?? "???";
 		const apiPath = args.path ?? "…";
-		// Compact long paths for pending state consistency with result header
-		const parts = apiPath.split("/").filter(Boolean);
-		const pendingPath = parts.length > 3 ? `…/${parts.slice(-3).join("/")}` : apiPath;
+		const methodBadge = uiTheme.fg(
+			METHOD_COLORS[method] ?? "warning",
+			`${uiTheme.format.bracketLeft}${method}${uiTheme.format.bracketRight}`,
+		);
 		const text = renderStatusLine(
 			{
 				icon: "pending",
 				title: TOOL_TITLE,
-				description: pendingPath,
-				badge: { label: method, color: methodColor(method) },
+				description: `${methodBadge} ${uiTheme.fg("muted", apiPath)}`,
 			},
 			uiTheme,
 		);
@@ -262,60 +167,54 @@ export const xcshApiToolRenderer = {
 			return new Text(formatErrorMessage(errorText, uiTheme), 0, 0);
 		}
 
-		// --- Header with separate method and status badges ---
-		const methodBadge = { label: method, color: methodColor(method) };
-		const errorLabel = details?.errorCodeLabel;
-		const statusDisplay = errorLabel ? `${statusText} ${errorLabel}` : statusText;
+		// --- Header: METHOD [STATUS] full-path ---
+		const methodBadge = uiTheme.fg(
+			METHOD_COLORS[method] ?? "warning",
+			`${uiTheme.format.bracketLeft}${method}${uiTheme.format.bracketRight}`,
+		);
+		const statusDisplay = details?.errorCodeLabel ? `${statusText} ${details.errorCodeLabel}` : statusText;
 		const statusBadge = uiTheme.fg(status > 0 ? statusColor(status) : "error", `[${statusDisplay}]`);
 
 		const meta: string[] = [];
-		meta.push(statusBadge);
-		if (details?.contextName) meta.push(uiTheme.fg("statusLineContextF5xcFg", details.contextName));
-		if (details?.durationMs !== undefined) {
-			const durationColor: ThemeColor =
-				details.durationMs < 200 ? "success" : details.durationMs > 1000 ? "warning" : "dim";
-			meta.push(uiTheme.fg(durationColor, `${details.durationMs}ms`));
-		}
-		if (details?.itemCount !== undefined) meta.push(uiTheme.fg("dim", `${details.itemCount} items`));
-		if (details?.bodySize !== undefined) meta.push(uiTheme.fg("dim", formatBytes(details.bodySize)));
-		if (details?.contentType && !details.contentType.includes("json"))
-			meta.push(uiTheme.fg("dim", details.contentType));
-		// Show requestId for errors (useful for support/debugging)
 		if (isError && details?.requestId) meta.push(uiTheme.fg("dim", `req:${details.requestId.slice(0, 8)}`));
 		if (details?.retried) meta.push(uiTheme.fg("warning", "retried"));
 
-		const compactPath = pathParts.length > 3 ? `…/${pathParts.slice(-3).join("/")}` : displayPath;
-
 		const header = renderStatusLine(
 			{
 				title: TOOL_TITLE,
 				titleColor: "contentAccent",
-				description: compactPath,
-				badge: methodBadge,
+				description: `${methodBadge} ${statusBadge} ${uiTheme.fg("muted", displayPath)}`,
 				meta: meta.length > 0 ? meta : undefined,
 			},
 			uiTheme,
 		);
 
 		// --- Body sections ---
-		const textContent = result.content?.find(c => c.type === "text")?.text ?? "";
-		const { json, guidance, raw } = splitResultContent(textContent, isError);
+		const { json, guidance, raw } = splitResultContent(
+			result.content?.find(c => c.type === "text")?.text ?? "",
+			isError,
+		);
 		const sections: Array<{ label?: string; lines: string[] }> = [];
 
-		// Section 2: Request payload (for mutating methods with a body)
-		if (args?.payload && method !== "GET") {
+		const addSection = (label: string, lines: string[], maxLines?: number): void => {
+			const titled = uiTheme.fg("toolTitle", label);
+			if (maxLines && lines.length > maxLines) {
+				const truncated = lines.slice(0, maxLines);
+				truncated.push(uiTheme.fg("dim", `… ${lines.length - maxLines} more lines`));
+				sections.push({ label: titled, lines: truncated });
+			} else {
+				sections.push({ label: titled, lines });
+			}
+		};
+
+		// Section: Request payload — show resolved body (actual JSON sent to API)
+		if (method !== "GET" && (details?.resolvedPayload || args?.payload)) {
 			try {
-				const prettyPayload = JSON.stringify(args.payload, null, 2);
+				const payloadSource = details?.resolvedPayload ? JSON.parse(details.resolvedPayload) : args?.payload;
+				const prettyPayload = JSON.stringify(payloadSource, null, 2);
 				const payloadLines = highlightCode(prettyPayload, "json");
 				const sanitized = payloadLines.map(line => replaceTabs(line));
-				// Show expanded variable substitutions
-				if (details?.expandedVars && details.expandedVars.length > 0) {
-					const varLines = details.expandedVars.map(({ variable, value }) =>
-						uiTheme.fg("dim", `  ${variable} → ${value}`),
-					);
-					sanitized.push(...varLines);
-				}
-				pushSection(sections, uiTheme.fg("toolTitle", "Request"), sanitized, MAX_PAYLOAD_LINES, uiTheme);
+				addSection("Request", sanitized, MAX_PAYLOAD_LINES);
 			} catch {
 				// Payload not serializable — skip section
 			}
@@ -324,14 +223,16 @@ export const xcshApiToolRenderer = {
 		// Section: Response body — syntax-highlighted JSON or plain text
 		// Parse JSON once for all intelligence branches
 		const emptyBody = json === "{}" || (!json && (!raw.trim() || raw.trim() === "{}"));
-		let parsed: Record<string, unknown> | null = null;
-		if (json && !emptyBody) {
-			try {
-				parsed = JSON.parse(json) as Record<string, unknown>;
-			} catch {
-				// Not parseable — render raw
-			}
-		}
+		const parsed =
+			json && !emptyBody
+				? (() => {
+						try {
+							return JSON.parse(json) as Record<string, unknown>;
+						} catch {
+							return null;
+						}
+					})()
+				: null;
 		const emptyList = Array.isArray(parsed?.items) && (parsed!.items as unknown[]).length === 0;
 
 		if ((emptyBody || emptyList) && !guidance) {
@@ -343,10 +244,7 @@ export const xcshApiToolRenderer = {
 				else if (method === "POST") successMessage = `Resource${rn} created successfully.`;
 				else if (method === "PUT" || method === "PATCH") successMessage = `Resource${rn} updated successfully.`;
 			}
-			sections.push({
-				label: uiTheme.fg("toolTitle", "Response"),
-				lines: [uiTheme.fg("dim", successMessage)],
-			});
+			addSection("Response", [uiTheme.fg("dim", successMessage)]);
 		} else if (json && parsed) {
 			// Branch 1: List response with named items — compact summary
 			const items = parsed.items;
@@ -367,13 +265,7 @@ export const xcshApiToolRenderer = {
 					);
 					if (itemEntries.length > maxListItems)
 						summaryLines.push(uiTheme.fg("dim", `  … and ${itemEntries.length - maxListItems} more`));
-					pushSection(
-						sections,
-						uiTheme.fg("toolTitle", `Response (${itemEntries.length} items)`),
-						summaryLines,
-						maxListItems + 1,
-						uiTheme,
-					);
+					addSection(`Response (${itemEntries.length} items)`, summaryLines, maxListItems + 1);
 				}
 			} else {
 				// Branch 2: Single resource with metadata — summary + noise-reduced JSON
@@ -383,15 +275,14 @@ export const xcshApiToolRenderer = {
 
 				// Determine if JSON body should be suppressed
 				let apiErrorMessage: string | undefined;
-				if (isError && typeof parsed.message === "string" && parsed.message) apiErrorMessage = parsed.message;
-				const skipJsonBody = (summary && isMutating) || (isError && (guidance || apiErrorMessage));
+				if (isError && typeof parsed.message === "string" && parsed.message) {
+					apiErrorMessage = stripProtobufPrefix(parsed.message);
+				}
+				const skipJsonBody = (summary && isMutating) || (isError && (apiErrorMessage || guidance));
 
 				// Show extracted API error for errors without statusGuidance (400, 422, etc.)
 				if (apiErrorMessage && !guidance) {
-					sections.push({
-						label: uiTheme.fg("toolTitle", "Error"),
-						lines: [uiTheme.fg("error", apiErrorMessage)],
-					});
+					addSection("Error", [uiTheme.fg("error", apiErrorMessage)]);
 				}
 
 				if (!skipJsonBody) {
@@ -405,8 +296,7 @@ export const xcshApiToolRenderer = {
 					if (typeof parsed === "object" && !Array.isArray(parsed)) keyCount = Object.keys(parsed).length;
 					const responseLabel =
 						keyCount !== undefined && keyCount > 0 ? `Response (${keyCount} keys)` : "Response";
-
-					pushSection(sections, uiTheme.fg("toolTitle", responseLabel), highlighted, MAX_RESPONSE_LINES, uiTheme);
+					addSection(responseLabel, highlighted, MAX_RESPONSE_LINES);
 				}
 			}
 		} else if (json) {
@@ -414,26 +304,27 @@ export const xcshApiToolRenderer = {
 			const highlighted = isError
 				? json.split("\n").map(line => uiTheme.fg("dim", replaceTabs(line)))
 				: highlightCode(json, "json").map(line => replaceTabs(line));
-			sections.push({ label: uiTheme.fg("toolTitle", "Response"), lines: highlighted });
+			addSection("Response", highlighted);
 		} else if (raw.trim() && !guidance) {
 			// Non-JSON, non-guidance body
-			sections.push({
-				label: uiTheme.fg("toolTitle", "Response"),
-				lines: raw
+			addSection(
+				"Response",
+				raw
 					.trim()
 					.split("\n")
 					.map(line => uiTheme.fg("toolOutput", replaceTabs(line))),
-			});
+			);
 		}
 
 		// Section 4: Error guidance (for HTTP error responses)
 		if (guidance) {
 			// Extract the API's specific error message from JSON body for prominent display
 			const guidanceLines: string[] = [];
-			const apiMessage = parsed && typeof parsed.message === "string" ? parsed.message : undefined;
+			const apiMessage =
+				parsed && typeof parsed.message === "string" ? stripProtobufPrefix(parsed.message) : undefined;
 			if (apiMessage) guidanceLines.push(uiTheme.fg("error", apiMessage));
 			guidanceLines.push(uiTheme.fg("warning", guidance));
-			sections.push({ label: uiTheme.fg("toolTitle", "Guidance"), lines: guidanceLines });
+			addSection("Guidance", guidanceLines);
 		}
 
 		// --- Render with CachedOutputBlock ---

package/src/tools/xcsh-api.ts

@@ -42,8 +42,8 @@ export interface XcshApiToolDetails {
 	errorCodeLabel?: string;
 	/** Whether the request was automatically retried after a transient error (429/503). */
 	retried?: boolean;
-	/** Payload variables that were expanded (e.g. $F5XC_NAMESPACE → r-mordasiewicz). */
-	expandedVars?: Array<{ variable: string; value: string }>;
+	/** The resolved JSON body string sent to the API (after $F5XC_* expansion). */
+	resolvedPayload?: string;
 }
 
 type XcshApiResult = AgentToolResult<XcshApiToolDetails> & { isError?: boolean };
@@ -66,22 +66,24 @@ export class XcshApiTool implements AgentTool<typeof xcshApiSchema, XcshApiToolD
 	readonly label = "API";
 	readonly description: string;
 	readonly parameters = xcshApiSchema;
-
 	#contextEnv: ContextEnv;
-	/** Tracks the last API base for context-switch detection and TLS re-warm. */
 	#lastApiBase = "";
 
 	constructor(session: ToolSession) {
 		this.description = prompt.render(xcshApiDescription);
 		this.#contextEnv = createContextEnv(session.settings);
-
 		this.#warmTls();
 	}
 
-	/** Pre-warm TLS connection to the current context's API endpoint. */
+	#resolveCredentials(): [string, string] {
+		return [
+			(process.env.F5XC_API_URL ?? this.#contextEnv.get("F5XC_API_URL") ?? "").replace(/\/+$/, ""),
+			process.env.F5XC_API_TOKEN ?? this.#contextEnv.get("F5XC_API_TOKEN") ?? "",
+		];
+	}
+
 	#warmTls(): void {
-		const apiBase = this.#resolveApiBase();
-		const apiToken = this.#resolveApiToken();
+		const [apiBase, apiToken] = this.#resolveCredentials();
 		if (apiBase && apiToken) {
 			this.#lastApiBase = apiBase;
 			fetch(`${apiBase}/api/web/namespaces`, {
@@ -91,23 +93,10 @@ export class XcshApiTool implements AgentTool<typeof xcshApiSchema, XcshApiToolD
 		}
 	}
 
-	#resolveApiBase(): string {
-		return (process.env.F5XC_API_URL ?? this.#contextEnv.get("F5XC_API_URL") ?? "").replace(/\/+$/, "");
-	}
-
-	#resolveApiToken(): string {
-		return process.env.F5XC_API_TOKEN ?? this.#contextEnv.get("F5XC_API_TOKEN") ?? "";
-	}
-
 	#errorResult(text: string, details?: XcshApiToolDetails): XcshApiResult {
-		return {
-			content: [{ type: "text", text }],
-			...(details ? { details } : {}),
-			isError: true,
-		};
+		return { content: [{ type: "text", text }], details, isError: true };
 	}
 
-	/** Context-aware guidance appended to HTTP error responses for common CRUD failures. */
 	#statusGuidance(status: number): string | null {
 		const ctx = this.#contextEnv.getContextName();
 		const ctxHint = ctx ? ` (context: \`${ctx}\`)` : "";
@@ -131,11 +120,8 @@ export class XcshApiTool implements AgentTool<typeof xcshApiSchema, XcshApiToolD
 	}
 
 	async execute(_toolCallId: string, params: XcshApiParams, signal?: AbortSignal): Promise<XcshApiResult> {
-		const apiBase = this.#resolveApiBase();
-		// Detect context switch: API base changed since last call → re-warm TLS
-		if (apiBase && apiBase !== this.#lastApiBase) {
-			this.#warmTls();
-		}
+		const [apiBase, apiToken] = this.#resolveCredentials();
+		if (apiBase && apiBase !== this.#lastApiBase) this.#warmTls();
 		if (!apiBase) {
 			const ctx = this.#contextEnv.getContextName();
 			const ctxNote = ctx ? ` Active context \`${ctx}\` has no API URL.` : "";
@@ -143,7 +129,6 @@ export class XcshApiTool implements AgentTool<typeof xcshApiSchema, XcshApiToolD
 				`Error: No API URL configured.${ctxNote} Activate a context with \`/context activate <name>\` or \`/context create\`, or set the F5XC_API_URL environment variable.`,
 			);
 		}
-		const apiToken = this.#resolveApiToken();
 		if (!apiToken) {
 			const ctx = this.#contextEnv.getContextName();
 			const ctxNote = ctx ? ` Active context \`${ctx}\` has no API token.` : "";
@@ -152,9 +137,6 @@ export class XcshApiTool implements AgentTool<typeof xcshApiSchema, XcshApiToolD
 			);
 		}
 		const resolvedPath = this.#contextEnv.resolvePath(params.path, params.params);
-
-		// Guard: detect unresolved {placeholder} params still remaining in the path.
-		// Regex matches \w+ (same as ContextEnv.resolvePath) to avoid misaligned detection.
 		const unresolvedPlaceholders = resolvedPath.match(/\{\w+\}/g);
 		if (unresolvedPlaceholders) {
 			return this.#errorResult(
@@ -168,49 +150,29 @@ export class XcshApiTool implements AgentTool<typeof xcshApiSchema, XcshApiToolD
 			Accept: "application/json",
 			"X-Request-ID": requestId,
 		};
-
-		// Combine user abort signal with 30s timeout. User Ctrl+C is respected.
 		const timeoutSignal = AbortSignal.timeout(30_000);
 		const fetchSignal = signal ? AbortSignal.any([signal, timeoutSignal]) : timeoutSignal;
+		const init: RequestInit = { method: params.method, headers, signal: fetchSignal };
 
-		const init: RequestInit = {
-			method: params.method,
-			headers,
-			signal: fetchSignal,
-		};
-
-		let expandedVars: Array<{ variable: string; value: string }> | undefined;
+		let resolvedPayload: string | undefined;
 		if (params.payload && params.method !== "GET") {
 			headers["Content-Type"] = "application/json";
 			const payloadJson = JSON.stringify(params.payload);
 			const resolved = this.#contextEnv.resolvePayloadVars(payloadJson);
 			init.body = resolved;
-			// Track which $F5XC_* variables were expanded
-			if (resolved !== payloadJson) {
-				expandedVars = [];
-				const env = this.#contextEnv;
-				for (const match of payloadJson.matchAll(/\$F5XC_([A-Z0-9_]+)/g)) {
-					const key = `F5XC_${match[1]}`;
-					const value = env.get(key) ?? process.env[key];
-					if (value) expandedVars.push({ variable: `$${key}`, value });
-				}
-			}
+			resolvedPayload = resolved;
 		}
 
 		const startMs = performance.now();
 		try {
 			let response = await fetch(url, init);
 
-			// Auto-retry idempotent GET requests on transient errors (429/503)
+			// Auto-retry idempotent GET on transient 429/503
 			let retried = false;
 			if (params.method === "GET" && (response.status === 429 || response.status === 503) && !fetchSignal.aborted) {
-				// Parse Retry-After header: seconds (integer) or HTTP-date
 				const retryAfter = response.headers.get("retry-after");
-				let delayMs = 1000;
-				if (retryAfter) {
-					const seconds = Number.parseInt(retryAfter, 10);
-					if (Number.isFinite(seconds) && seconds > 0) delayMs = Math.min(seconds * 1000, 10_000);
-				}
+				const seconds = retryAfter ? Number.parseInt(retryAfter, 10) : Number.NaN;
+				const delayMs = Number.isFinite(seconds) && seconds > 0 ? Math.min(seconds * 1000, 10_000) : 1000;
 				await Bun.sleep(delayMs);
 				if (!fetchSignal.aborted) {
 					response = await fetch(url, init);
@@ -226,21 +188,19 @@ export class XcshApiTool implements AgentTool<typeof xcshApiSchema, XcshApiToolD
 				try {
 					bodyText = JSON.stringify(JSON.parse(raw));
 				} catch {
-					// Server declared JSON but returned unparseable body — fall back to raw text
+					// Unparseable JSON body — fall back to raw text
 				}
 			}
 			const statusLine = `${response.status} ${response.statusText}`;
-
 			const contextName = this.#contextEnv.getContextName();
 			const bodySize = raw.length;
-			// Parse response JSON once for item count, error code label, etc.
 			let parsedBody: Record<string, unknown> | null = null;
 			let itemCount: number | undefined;
 			try {
 				parsedBody = JSON.parse(raw) as Record<string, unknown>;
 				if (Array.isArray(parsedBody?.items)) itemCount = (parsedBody.items as unknown[]).length;
 			} catch {
-				// Not JSON — skip structured extraction
+				// Not JSON
 			}
 			const detail: XcshApiToolDetails = {
 				status: response.status,
@@ -253,13 +213,11 @@ export class XcshApiTool implements AgentTool<typeof xcshApiSchema, XcshApiToolD
 				itemCount,
 				contentType: contentType || undefined,
 				retried: retried || undefined,
-				expandedVars,
+				resolvedPayload,
 			};
 
-			// Context-aware CRUD error guidance for common HTTP status codes
 			const guidance = this.#statusGuidance(response.status);
 			if (guidance) {
-				// Enrich with F5 XC error code label when present in response body
 				let errorCodePrefix = "";
 				const codeLabel = parsedBody ? F5XC_ERROR_CODES[parsedBody.code as number] : undefined;
 				if (codeLabel) {
@@ -272,13 +230,12 @@ export class XcshApiTool implements AgentTool<typeof xcshApiSchema, XcshApiToolD
 			return {
 				content: [{ type: "text", text: `${statusLine}\n\n${bodyText}` }],
 				details: detail,
-				...(response.status >= 400 ? { isError: true } : {}),
+				isError: response.status >= 400 || undefined,
 			};
 		} catch (err) {
 			const durationMs = Math.round(performance.now() - startMs);
 			const contextName = this.#contextEnv.getContextName();
 			const detail = { status: 0, url, method: params.method, requestId, durationMs, contextName };
-			// Classify error: timeout vs DNS/network vs generic
 			const ctxLabel = contextName ? ` (context: \`${contextName}\`)` : "";
 			if (err instanceof Error && err.name === "AbortError") {
 				// User abort vs 30s timeout produce different AbortErrors
@@ -288,12 +245,11 @@ export class XcshApiTool implements AgentTool<typeof xcshApiSchema, XcshApiToolD
 				return this.#errorResult(message, detail);
 			}
 			const message = err instanceof Error ? err.message : String(err);
-			if (/ENOTFOUND|ECONNREFUSED|EAI_AGAIN|dns/i.test(message)) {
+			if (/ENOTFOUND|ECONNREFUSED|EAI_AGAIN|dns/i.test(message))
 				return this.#errorResult(
 					`Network error${ctxLabel}: ${message}. The API URL may be incorrect. Check with \`/context show\`.`,
 					detail,
 				);
-			}
 			return this.#errorResult(`Request failed${ctxLabel}: ${message}`, detail);
 		}
 	}