npm - @oh-my-pi/pi-agent-core - Versions diffs - 15.13.1 → 15.13.2 - Mend

@oh-my-pi/pi-agent-core 15.13.1 → 15.13.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/CHANGELOG.md +24 -0
package/dist/types/agent-loop.d.ts +2 -1
package/dist/types/agent.d.ts +11 -1
package/dist/types/append-only-context.d.ts +2 -0
package/dist/types/index.d.ts +0 -1
package/dist/types/types.d.ts +23 -1
package/package.json +6 -6
package/src/agent-loop.ts +90 -11
package/src/agent.ts +17 -1
package/src/append-only-context.ts +4 -1
package/src/index.ts +0 -1
package/src/types.ts +23 -1
package/dist/types/harmony-leak.d.ts +0 -118
package/src/harmony-leak.ts +0 -456

package/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,30 @@
 ## [Unreleased]
+## [15.13.2] - 2026-06-15
+### Breaking Changes
+- Removed `harmony-leak` exports from the `@oh-my-pi/pi-agent-core` package entrypoint
+- Replaced the experimental `promptToolCalls` agent/loop option with `toolCallSyntax`, selecting an explicit in-band tool-call grammar instead of a boolean GLM-only mode.
+### Added
+- Added support for selecting owned in-band tool-call syntax via `PI_OWNED_TOOLS=<syntax>` (for example `hermes` or `qwen3`) while preserving legacy `PI_OWNED_TOOLS=1/true` as GLM mode
+- Added owned in-band tool calling for multiple syntaxes (`glm`, `hermes`, `kimi`, `xml`, `anthropic`, `deepseek`, `harmony`, `pi-native`, `qwen3`). Owned mode sends no native provider tools, appends a syntax-specific prompt/catalog, re-encodes prior tool calls/results as grammar-owned text, and parses streamed model output back into canonical tool calls.
+- Added tool-example folding to `normalizeTools`: when given a model's affinity syntax (resolved via `preferredToolSyntax`), it renders each tool's `examples` into an `<examples>` block in that native syntax and appends it to the wire description. Wired through both context paths (fresh build and append-only `takeSnapshot`/`build` via a new `exampleSyntax` build option), with the `_i` intent-field placeholder added to examples when intent tracing injects it.
+- Added the `abortOnFabricatedToolResult` option to `AgentOptions`/`AgentLoopConfig` (default `true`): when owned tool calling is active and the model fabricates a tool result mid-turn, `true` aborts the provider request immediately while `false` lets it finish and discards the fabricated continuation.
+### Changed
+- Added owned in-band syntax support to `Agent` loop configuration resolution by selecting syntax from `toolCallSyntax` or `PI_OWNED_TOOLS` when present
+### Fixed
+- Fixed append-only context cache fingerprinting to account for `exampleSyntax`, so switching tool-call syntax rebuilds cached prompts with the correct injected tool examples
+- Fixed owned in-band tool-calling requests to omit `toolChoice` after stripping native tools, preventing invalid tool-choice requests
+- Fixed owned tool calling letting the model fabricate tool results by treating grammar-owned tool-result markers in assistant text as a hard turn boundary: calls before the fabrication are kept, fabricated results and dependent calls are dropped, and the real result is fed back on the next turn.
 ## [15.13.1] - 2026-06-15
 ### Added

package/dist/types/agent-loop.d.ts CHANGED Viewed

@@ -3,6 +3,7 @@
  * Transforms to Message[] only at the LLM call boundary.
  */
 import { type Context, EventStream } from "@oh-my-pi/pi-ai";
+import { type ToolCallSyntax } from "@oh-my-pi/pi-ai/grammar";
 import { type AgentRunCoverage, type AgentRunSummary } from "./run-collector";
 import type { AgentContext, AgentEvent, AgentLoopConfig, AgentMessage, StreamFn } from "./types";
 /**
@@ -52,7 +53,7 @@ export declare function agentLoopContinueDetailed(context: AgentContext, config:
     readonly detailed: () => Promise<AgentLoopDetailedResult>;
 };
 export declare const INTENT_FIELD = "_i";
-export declare function normalizeTools(tools: AgentContext["tools"], injectIntent: boolean): Context["tools"];
+export declare function normalizeTools(tools: AgentContext["tools"], injectIntent: boolean, exampleSyntax?: ToolCallSyntax): Context["tools"];
 /** Resolve the human-readable reason an abort carried. A caller that aborts via
  *  `AbortController.abort(reason)` with a string or a non-`AbortError` `Error`
  *  (e.g. the coding agent's user-interrupt label) gets that text surfaced on the

package/dist/types/agent.d.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import { type ApiKeyResolveContext, type AssistantMessage, type AssistantMessageEvent, type Context, type CursorExecHandlers, type CursorToolResultHandler, type Effort, type ImageContent, type Message, type Model, type ProviderSessionState, type ServiceTier, type SimpleStreamOptions, type ThinkingBudgets, type ToolChoice } from "@oh-my-pi/pi-ai";
+import type { ToolCallSyntax } from "@oh-my-pi/pi-ai/grammar";
+import type { HarmonyAuditEvent } from "@oh-my-pi/pi-ai/utils/harmony-leak";
 import type { AppendOnlyContextManager } from "./append-only-context";
-import type { HarmonyAuditEvent } from "./harmony-leak";
 import type { AgentEvent, AgentLoopConfig, AgentMessage, AgentState, AgentTool, AgentToolContext, AsideMessage, StreamFn, ToolCallContext } from "./types";
 export declare class AgentBusyError extends Error {
     constructor(message?: string);
@@ -126,6 +127,15 @@ export interface AgentOptions {
     transformToolCallArguments?: (args: Record<string, unknown>, toolName: string) => Record<string, unknown>;
     /** Enable intent tracing schema injection/stripping in the harness. */
     intentTracing?: boolean;
+    /** Owned tool-calling syntax. Undefined keeps provider-native tool calling. */
+    toolCallSyntax?: ToolCallSyntax;
+    /**
+     * When owned tool calling is active and the model fabricates a tool result
+     * mid-turn: `true` (default) aborts the provider request immediately; `false`
+     * drains the request and discards the fabricated continuation. Forwarded to
+     * the loop's {@link AgentLoopConfig.abortOnFabricatedToolResult}.
+     */
+    abortOnFabricatedToolResult?: boolean;
     /** Dynamic tool choice override, resolved per LLM call. */
     getToolChoice?: () => ToolChoice | undefined;
     /**

package/dist/types/append-only-context.d.ts CHANGED Viewed

@@ -14,6 +14,7 @@
  *    message delta is a cache miss each turn.
  */
 import type { Context, Message, Tool } from "@oh-my-pi/pi-ai";
+import type { ToolCallSyntax } from "@oh-my-pi/pi-ai/grammar";
 import type { AgentContext } from "./types";
 /** Frozen system prompt + tool spec snapshot. */
 export interface StablePrefixSnapshot {
@@ -25,6 +26,7 @@ export interface StablePrefixSnapshot {
 export interface BuildOptions {
     /** Inject the `_i` intent field into tool schemas (must match agent-loop's normalizeTools). */
     intentTracing: boolean;
+    exampleSyntax?: ToolCallSyntax;
 }
 /**
  * A frozen prefix (system prompt + tools) that produces stable byte

package/dist/types/index.d.ts CHANGED Viewed

@@ -2,7 +2,6 @@ export * from "./agent";
 export * from "./agent-loop";
 export * from "./append-only-context";
 export * from "./compaction";
-export * from "./harmony-leak";
 export * from "./proxy";
 export * from "./run-collector";
 export * from "./telemetry";

package/dist/types/types.d.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import type { ApiKeyResolveContext, AssistantMessage, AssistantMessageEvent, AssistantMessageEventStream, Context, Effort, ImageContent, Message, Model, SimpleStreamOptions, Static, streamSimple, TextContent, Tool, ToolChoice, ToolResultMessage, TSchema } from "@oh-my-pi/pi-ai";
+import type { ToolCallSyntax } from "@oh-my-pi/pi-ai/grammar";
+import type { HarmonyAuditEvent } from "@oh-my-pi/pi-ai/utils/harmony-leak";
 import type { AppendOnlyContextManager } from "./append-only-context";
-import type { HarmonyAuditEvent } from "./harmony-leak";
 import type { AgentRunCoverage, AgentRunSummary } from "./run-collector";
 import type { AgentTelemetryConfig } from "./telemetry";
 /** Stream function - can return sync or Promise for async config lookup */
@@ -162,6 +163,27 @@ export interface AgentLoopConfig extends SimpleStreamOptions {
      * then strips from arguments before executing tools.
      */
     intentTracing?: boolean;
+    /**
+     * Owned tool calling syntax.
+     *
+     * Undefined keeps provider-native tool calling. A syntax value sends no
+     * native `tools`, forces `toolChoice` off, appends that syntax's tool catalog
+     * instructions, re-encodes prior tool calls/results as text, and parses the
+     * model's text output back into canonical `toolCall` blocks.
+     */
+    toolCallSyntax?: ToolCallSyntax;
+    /**
+     * When owned (in-band) tool calling is active and the model starts
+     * fabricating a tool result inside its own turn, control how the loop reacts:
+     * - `true` (default): abort the provider request immediately so it stops
+     *   generating the hallucinated continuation (cheaper, lower latency).
+     * - `false`: let the request finish and silently discard everything past the
+     *   fabrication boundary (keeps the connection alive but pays for the tokens
+     *   the model spends on the discarded tail).
+     * Only meaningful when {@link toolCallSyntax} (or `PI_OWNED_TOOLS`) selects an
+     * owned syntax; native tool calling never fabricates results in text.
+     */
+    abortOnFabricatedToolResult?: boolean;
     /**
      * Append-only context mode — stabilizes system prompt + tool spec bytes
      * across turns so provider prefix caches hit at maximum rate.

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
 	"type": "module",
 	"name": "@oh-my-pi/pi-agent-core",
-	"version": "15.13.1",
+	"version": "15.13.2",
 	"description": "General-purpose agent with transport abstraction, state management, and attachment support",
 	"homepage": "https://omp.sh",
 	"author": "Can Boluk",
@@ -35,11 +35,11 @@
 		"fmt": "biome format --write ."
 	},
 	"dependencies": {
-		"@oh-my-pi/pi-ai": "15.13.1",
-		"@oh-my-pi/pi-catalog": "15.13.1",
-		"@oh-my-pi/pi-natives": "15.13.1",
-		"@oh-my-pi/pi-utils": "15.13.1",
-		"@oh-my-pi/snapcompact": "15.13.1",
+		"@oh-my-pi/pi-ai": "15.13.2",
+		"@oh-my-pi/pi-catalog": "15.13.2",
+		"@oh-my-pi/pi-natives": "15.13.2",
+		"@oh-my-pi/pi-utils": "15.13.2",
+		"@oh-my-pi/snapcompact": "15.13.2",
 		"@opentelemetry/api": "^1.9.1"
 	},
 	"devDependencies": {

package/src/agent-loop.ts CHANGED Viewed

@@ -15,7 +15,13 @@ import {
 	validateToolArguments,
 	zodToWireSchema,
 } from "@oh-my-pi/pi-ai";
-import { logger, sanitizeText } from "@oh-my-pi/pi-utils";
+import {
+	encodeInbandToolHistory,
+	renderInbandToolPrompt,
+	renderToolExamples,
+	type ToolCallSyntax,
+	wrapInbandToolStream,
+} from "@oh-my-pi/pi-ai/grammar";
 import {
 	createHarmonyAuditEvent,
 	detectHarmonyLeakInAssistantMessage,
@@ -25,7 +31,9 @@ import {
 	isHarmonyLeakMitigationTarget,
 	recoverHarmonyToolCall,
 	signalListLabel,
-} from "./harmony-leak";
+} from "@oh-my-pi/pi-ai/utils/harmony-leak";
+import { preferredToolSyntax } from "@oh-my-pi/pi-catalog/identity";
+import { logger, sanitizeText } from "@oh-my-pi/pi-utils";
 import { type AgentRunCoverage, type AgentRunSummary, ToolCallBlockedError } from "./run-collector";
 import {
 	type AgentTelemetry,
@@ -76,6 +84,25 @@ class HarmonyLeakInterruption extends Error {
 		this.name = "HarmonyLeakInterruption";
 	}
 }
+function resolveOwnedToolSyntaxFromEnv(value: string | undefined): ToolCallSyntax | undefined {
+	switch (value) {
+		case "1":
+		case "true":
+			return "glm";
+		case "glm":
+		case "hermes":
+		case "kimi":
+		case "xml":
+		case "anthropic":
+		case "deepseek":
+		case "harmony":
+		case "pi":
+		case "qwen3":
+			return value;
+		default:
+			return undefined;
+	}
+}
 type AssistantContentBlock = AssistantMessage["content"][number];
 type AssistantToolCallBlock = Extract<AssistantContentBlock, { type: "toolCall" }>;
@@ -491,7 +518,11 @@ function injectIntentIntoSchema(schema: unknown, mode: "require" | "optional" =
 	};
 }
-export function normalizeTools(tools: AgentContext["tools"], injectIntent: boolean): Context["tools"] {
+export function normalizeTools(
+	tools: AgentContext["tools"],
+	injectIntent: boolean,
+	exampleSyntax?: ToolCallSyntax,
+): Context["tools"] {
 	injectIntent = injectIntent && Bun.env.PI_NO_INTENT !== "1";
 	return tools?.map(t => {
 		const intentMode = resolveIntentMode(t.intent);
@@ -505,7 +536,12 @@ export function normalizeTools(tools: AgentContext["tools"], injectIntent: boole
 			}
 		}
 		const description = t.description ?? "";
-		return { ...t, parameters, description };
+		const injectExampleIntent = injectIntent && intentMode !== "omit";
+		const examplesBlock = exampleSyntax
+			? renderToolExamples({ ...t, parameters }, exampleSyntax, injectExampleIntent ? INTENT_FIELD : undefined)
+			: "";
+		const finalDescription = examplesBlock ? `${description}\n\n${examplesBlock}` : description;
+		return { ...t, parameters, description: finalDescription };
 	});
 }
@@ -884,18 +920,37 @@ async function streamAssistantResponse(
 	let llmContext: Context;
 	if (config.appendOnlyContext) {
 		config.appendOnlyContext.syncMessages(normalizedMessages);
-		llmContext = config.appendOnlyContext.build(context, { intentTracing: !!config.intentTracing });
+		llmContext = config.appendOnlyContext.build(context, {
+			intentTracing: !!config.intentTracing,
+			exampleSyntax: preferredToolSyntax(config.model.id),
+		});
 	} else {
 		llmContext = {
 			systemPrompt: context.systemPrompt,
 			messages: normalizedMessages,
-			tools: normalizeTools(context.tools, !!config.intentTracing),
+			tools: normalizeTools(context.tools, !!config.intentTracing, preferredToolSyntax(config.model.id)),
 		};
 	}
 	if (config.transformProviderContext) {
 		llmContext = config.transformProviderContext(llmContext, config.model);
 	}
+	// Owned tool calling: take tool calls away from the provider and run them
+	// through the selected in-band prompt syntax. `PI_OWNED_TOOLS=1` still
+	// force-enables GLM; `PI_OWNED_TOOLS=<syntax>` force-enables that syntax.
+	const ownedSyntax: ToolCallSyntax | undefined =
+		config.toolCallSyntax ?? resolveOwnedToolSyntaxFromEnv(Bun.env.PI_OWNED_TOOLS);
+	let promptToolWireTools: Context["tools"];
+	if (ownedSyntax && llmContext.tools && llmContext.tools.length > 0) {
+		promptToolWireTools = llmContext.tools;
+		llmContext = {
+			...llmContext,
+			systemPrompt: [...(llmContext.systemPrompt ?? []), renderInbandToolPrompt(promptToolWireTools, ownedSyntax)],
+			messages: encodeInbandToolHistory(llmContext.messages, ownedSyntax, promptToolWireTools),
+			tools: undefined,
+		};
+	}
 	const streamFunction = streamFn || streamSimple;
 	// Resolve API key (important for expiring tokens) — do this before resolving
@@ -920,12 +975,22 @@ async function streamAssistantResponse(
 			: harmonyAbortController.signal
 		: signal;
 	const repetitionAbortController = new AbortController();
-	const finalRequestSignal = requestSignal
-		? AbortSignal.any([requestSignal, repetitionAbortController.signal])
-		: repetitionAbortController.signal;
+	// Owned tool calling: aborted by the stream wrapper when the model starts
+	// fabricating a `<tool_response>`, so the provider stops generating the rest of
+	// the hallucinated turn. Merged into the provider signal ONLY (not
+	// `requestSignal`), so it cancels the request without tripping the loop's
+	// external-abort handling (`abortRacePromise` / `requestSignal.aborted`).
+	const promptToolAbortController = ownedSyntax ? new AbortController() : undefined;
+	const providerAbortSignals: AbortSignal[] = [];
+	if (requestSignal) providerAbortSignals.push(requestSignal);
+	providerAbortSignals.push(repetitionAbortController.signal);
+	if (promptToolAbortController) providerAbortSignals.push(promptToolAbortController.signal);
+	const finalRequestSignal =
+		providerAbortSignals.length === 1 ? providerAbortSignals[0]! : AbortSignal.any(providerAbortSignals);
 	const effectiveTemperature =
 		harmonyRetryAttempt > 0 && config.temperature !== undefined ? config.temperature + 0.05 : config.temperature;
-	const effectiveToolChoice = dynamicToolChoice ?? config.toolChoice;
+	// Owned tool calling sends no native tools, so any tool_choice would error.
+	const effectiveToolChoice = ownedSyntax ? undefined : (dynamicToolChoice ?? config.toolChoice);
 	const effectiveReasoning = dynamicReasoning ?? config.reasoning;
 	const effectiveDisableReasoning = dynamicDisableReasoning ?? config.disableReasoning;
@@ -970,7 +1035,7 @@ async function streamAssistantResponse(
 	try {
 		return await runInActiveSpan(chatSpan, async () => {
-			const response = await streamFunction(config.model, llmContext, {
+			let response = await streamFunction(config.model, llmContext, {
 				...config,
 				// Hand streamSimple a resolver so its central auth-retry policy can
 				// re-resolve on 401 / usage-limit: the initial step reuses the key
@@ -993,6 +1058,20 @@ async function streamAssistantResponse(
 				signal: finalRequestSignal,
 				onResponse: captureOnResponse,
 			});
+			if (promptToolWireTools && ownedSyntax) {
+				// Re-materialize in-band tool-call text as native toolCall content blocks
+				// so the rest of the loop executes them unchanged. When the model starts
+				// fabricating tool results, the abort callback cancels the provider — unless
+				// `abortOnFabricatedToolResult` is false, in which case the stream drains and
+				// the fabricated continuation is discarded without aborting.
+				response = wrapInbandToolStream(
+					response,
+					promptToolWireTools,
+					ownedSyntax,
+					() => promptToolAbortController?.abort(),
+					config.abortOnFabricatedToolResult ?? true,
+				);
+			}
 			let partialMessage: AssistantMessage | null = null;
 			let addedPartial = false;

package/src/agent.ts CHANGED Viewed

@@ -22,11 +22,12 @@ import {
 	type ToolChoice,
 	type ToolResultMessage,
 } from "@oh-my-pi/pi-ai";
+import type { ToolCallSyntax } from "@oh-my-pi/pi-ai/grammar";
+import type { HarmonyAuditEvent } from "@oh-my-pi/pi-ai/utils/harmony-leak";
 import { getBundledModel } from "@oh-my-pi/pi-catalog/models";
 import { logger } from "@oh-my-pi/pi-utils";
 import { abortReasonText, agentLoop, agentLoopContinue } from "./agent-loop";
 import type { AppendOnlyContextManager } from "./append-only-context";
-import type { HarmonyAuditEvent } from "./harmony-leak";
 import type {
 	AgentContext,
 	AgentEvent,
@@ -220,6 +221,15 @@ export interface AgentOptions {
 	/** Enable intent tracing schema injection/stripping in the harness. */
 	intentTracing?: boolean;
+	/** Owned tool-calling syntax. Undefined keeps provider-native tool calling. */
+	toolCallSyntax?: ToolCallSyntax;
+	/**
+	 * When owned tool calling is active and the model fabricates a tool result
+	 * mid-turn: `true` (default) aborts the provider request immediately; `false`
+	 * drains the request and discards the fabricated continuation. Forwarded to
+	 * the loop's {@link AgentLoopConfig.abortOnFabricatedToolResult}.
+	 */
+	abortOnFabricatedToolResult?: boolean;
 	/** Dynamic tool choice override, resolved per LLM call. */
 	getToolChoice?: () => ToolChoice | undefined;
@@ -316,6 +326,8 @@ export class Agent {
 	#preferWebsockets?: boolean;
 	#transformToolCallArguments?: (args: Record<string, unknown>, toolName: string) => Record<string, unknown>;
 	#intentTracing: boolean;
+	#toolCallSyntax?: ToolCallSyntax;
+	#abortOnFabricatedToolResult?: boolean;
 	#getToolChoice?: () => ToolChoice | undefined;
 	#onPayload?: SimpleStreamOptions["onPayload"];
 	#onResponse?: SimpleStreamOptions["onResponse"];
@@ -378,6 +390,8 @@ export class Agent {
 		this.#preferWebsockets = opts.preferWebsockets;
 		this.#transformToolCallArguments = opts.transformToolCallArguments;
 		this.#intentTracing = opts.intentTracing === true;
+		this.#toolCallSyntax = opts.toolCallSyntax;
+		this.#abortOnFabricatedToolResult = opts.abortOnFabricatedToolResult;
 		this.#getToolChoice = opts.getToolChoice;
 		this.#onAssistantMessageEvent = opts.onAssistantMessageEvent;
 		this.#onHarmonyLeak = opts.onHarmonyLeak;
@@ -1023,6 +1037,8 @@ export class Agent {
 			cursorOnToolResult,
 			transformToolCallArguments: this.#transformToolCallArguments,
 			intentTracing: this.#intentTracing,
+			toolCallSyntax: this.#toolCallSyntax,
+			abortOnFabricatedToolResult: this.#abortOnFabricatedToolResult,
 			appendOnlyContext: this.#appendOnlyContext,
 			beforeToolCall: this.beforeToolCall ? (ctx, signal) => this.beforeToolCall?.(ctx, signal) : undefined,
 			afterToolCall: this.afterToolCall ? (ctx, signal) => this.afterToolCall?.(ctx, signal) : undefined,

package/src/append-only-context.ts CHANGED Viewed

@@ -15,6 +15,7 @@
  */
 import type { Context, Message, Tool } from "@oh-my-pi/pi-ai";
+import type { ToolCallSyntax } from "@oh-my-pi/pi-ai/grammar";
 import { normalizeTools } from "./agent-loop";
 import type { AgentContext } from "./types";
@@ -33,6 +34,7 @@ export interface StablePrefixSnapshot {
 export interface BuildOptions {
 	/** Inject the `_i` intent field into tool schemas (must match agent-loop's normalizeTools). */
 	intentTracing: boolean;
+	exampleSyntax?: ToolCallSyntax;
 }
 /**
@@ -268,7 +270,7 @@ export class AppendOnlyContextManager {
 function takeSnapshot(context: AgentContext, options: BuildOptions): StablePrefixSnapshot {
 	const systemPrompt = [...context.systemPrompt];
-	const tools = normalizeTools(context.tools, options.intentTracing) ?? [];
+	const tools = normalizeTools(context.tools, options.intentTracing, options.exampleSyntax) ?? [];
 	return {
 		systemPrompt,
 		tools,
@@ -288,6 +290,7 @@ function computeFingerprint(systemPrompt: string[], tools: Tool[], options: Buil
 			cw: t.customWireName,
 		})),
 		i: options.intentTracing,
+		ex: options.exampleSyntax,
 	});
 	let hash = 0;
 	for (let i = 0; i < payload.length; i++) {

package/src/index.ts CHANGED Viewed

@@ -6,7 +6,6 @@ export * from "./agent-loop";
 export * from "./append-only-context";
 // Compaction
 export * from "./compaction";
-export * from "./harmony-leak";
 // Proxy utilities
 export * from "./proxy";
 // Run-level telemetry collector + aggregators

package/src/types.ts CHANGED Viewed

@@ -17,8 +17,9 @@ import type {
 	ToolResultMessage,
 	TSchema,
 } from "@oh-my-pi/pi-ai";
+import type { ToolCallSyntax } from "@oh-my-pi/pi-ai/grammar";
+import type { HarmonyAuditEvent } from "@oh-my-pi/pi-ai/utils/harmony-leak";
 import type { AppendOnlyContextManager } from "./append-only-context";
-import type { HarmonyAuditEvent } from "./harmony-leak";
 import type { AgentRunCoverage, AgentRunSummary } from "./run-collector";
 import type { AgentTelemetryConfig } from "./telemetry";
@@ -199,6 +200,27 @@ export interface AgentLoopConfig extends SimpleStreamOptions {
 	 * then strips from arguments before executing tools.
 	 */
 	intentTracing?: boolean;
+	/**
+	 * Owned tool calling syntax.
+	 *
+	 * Undefined keeps provider-native tool calling. A syntax value sends no
+	 * native `tools`, forces `toolChoice` off, appends that syntax's tool catalog
+	 * instructions, re-encodes prior tool calls/results as text, and parses the
+	 * model's text output back into canonical `toolCall` blocks.
+	 */
+	toolCallSyntax?: ToolCallSyntax;
+	/**
+	 * When owned (in-band) tool calling is active and the model starts
+	 * fabricating a tool result inside its own turn, control how the loop reacts:
+	 * - `true` (default): abort the provider request immediately so it stops
+	 *   generating the hallucinated continuation (cheaper, lower latency).
+	 * - `false`: let the request finish and silently discard everything past the
+	 *   fabrication boundary (keeps the connection alive but pays for the tokens
+	 *   the model spends on the discarded tail).
+	 * Only meaningful when {@link toolCallSyntax} (or `PI_OWNED_TOOLS`) selects an
+	 * owned syntax; native tool calling never fabricates results in text.
+	 */
+	abortOnFabricatedToolResult?: boolean;
 	/**
 	 * Append-only context mode — stabilizes system prompt + tool spec bytes
 	 * across turns so provider prefix caches hit at maximum rate.

package/dist/types/harmony-leak.d.ts DELETED Viewed

@@ -1,118 +0,0 @@
-/**
- * GPT-5 Harmony-header leakage detection and recovery.
- *
- * Background and policy: see `docs/ERRATA-GPT5-HARMONY.md`. This module
- * implements §3 of that document: detection by signal fusion, plus a
- * truncate-and-resume primitive for the `edit` tool when its input is in
- * hashline DSL form. Other tools and surfaces fall through to
- * abort-and-retry handled by the agent loop.
- */
-import type { AssistantMessage, Model, ToolCall } from "@oh-my-pi/pi-ai";
-declare const SIGNAL_ORDER: readonly ["M", "C", "G", "S", "B", "R", "T"];
-export type HarmonySignalClass = "H" | (typeof SIGNAL_ORDER)[number];
-export type HarmonySurface = "assistant_text" | "assistant_thinking" | "tool_arg";
-export interface HarmonySignal {
-    classes: HarmonySignalClass[];
-    start: number;
-    end: number;
-    text: string;
-}
-export interface HarmonyDetection {
-    surface: HarmonySurface;
-    contentIndex?: number;
-    toolName?: string;
-    toolCallId?: string;
-    signals: HarmonySignal[];
-}
-export interface HarmonyAuditEvent {
-    action: "truncate_resume" | "abort_retry" | "escalated";
-    surface: HarmonySurface;
-    signal: string;
-    retryN: number;
-    model: string;
-    provider: string;
-    toolName?: string;
-    removedLen: number;
-    removedSha8: string;
-    removedPreview: string;
-    removedBlob?: string;
-}
-export interface HarmonyRecoveredToolCall {
-    message: AssistantMessage;
-    removed: string;
-}
-/**
- * Whether to run leak detection on responses from this model. We default-on
- * for every openai-codex model rather than enumerating ids, so a future
- * gpt-5.6 (or whatever) doesn't silently bypass the mitigation. Detection
- * itself is cheap; the cost of missing a leak on a new model is not.
- */
-export declare function isHarmonyLeakMitigationTarget(model: Model): boolean;
-export declare function signalListLabel(signals: readonly HarmonySignal[]): string;
-/**
- * Detect harmony-protocol leakage in `text`. Returns undefined if clean.
- *
- * Trip rule: `H` alone, or `M` paired with at least one co-signal
- * (`C`/`G`/`S`/`B`/`R`/`T`). Bare `M` does not trip — this document, its
- * tests, and bug reports legitimately carry the marker.
- *
- * The `tool_arg` surface is held to a stricter rule. A tool argument is
- * arbitrary file/data content that can legitimately carry the marker, a
- * channel word, harmony control tokens, or a non-Latin script run (editing
- * these very fixtures does exactly that). The only robust leak signal there
- * is content trailing the structurally-valid parse, so a `tool_arg` detection
- * additionally requires the `T` co-signal. Absent a `parsedEnd` boundary `T`
- * is never set, so `tool_arg` scanning stays inert and a legitimate codex tool
- * call is never hard-aborted. `assistant_text`/`assistant_thinking` keep the
- * base rule.
- *
- * `parsedEnd`, when supplied, marks the byte at which a structurally valid
- * tool-argument parse ends; markers at or past it set the `T` co-signal.
- * `contentIndex`/`toolName`/`toolCallId` flow through to the returned
- * detection for downstream auditing.
- */
-export declare function detectHarmonyLeak(text: string, surface: HarmonySurface, options?: {
-    parsedEnd?: number;
-    contentIndex?: number;
-    toolName?: string;
-    toolCallId?: string;
-}): HarmonyDetection | undefined;
-/**
- * Scan an assistant message's content blocks; return the first detection.
- *
- * `toolArgParseEnd`, when supplied, resolves the byte offset at which a tool
- * call's structurally-valid argument parse ends (the `T` co-signal in
- * {@link detectHarmonyLeak}). Callers that can parse a tool's argument DSL pass
- * it to enable `tool_arg` leak detection; omitting it keeps that surface inert
- * — the safe default the agent loop relies on, since it cannot bound a streamed
- * tool DSL and must never hard-abort a legitimate tool call.
- */
-export declare function detectHarmonyLeakInAssistantMessage(message: AssistantMessage, toolArgParseEnd?: (toolCall: ToolCall) => number | undefined): HarmonyDetection | undefined;
-/**
- * Truncate a contaminated tool call at the start of the contaminated line and
- * append the tool's recovery sentinel. Returns a recovered AssistantMessage
- * (containing only the cleaned tool call), a synthetic continuation user
- * message asking the model to re-issue the rest, and the removed substring
- * for auditing. Returns undefined when the tool is not recovery-eligible or
- * the truncation would leave nothing meaningful to dispatch.
- *
- * `providerPayload` is dropped from the recovered message: for Codex the
- * encrypted reasoning blob is opaque/signed and we cannot validate that it is
- * uncontaminated. The model re-reasons on the next turn.
- */
-export declare function recoverHarmonyToolCall(message: AssistantMessage, detection: HarmonyDetection): HarmonyRecoveredToolCall | undefined;
-/**
- * Return the contaminated substring from `message` for audit purposes when
- * recovery is not applicable (abort path). Walks from the first detected
- * signal to end-of-content within the relevant block. Returns "" if the
- * detection cannot be resolved against the message.
- */
-export declare function extractHarmonyRemoved(message: AssistantMessage, detection: HarmonyDetection): string;
-export declare function createHarmonyAuditEvent(params: {
-    action: HarmonyAuditEvent["action"];
-    detection: HarmonyDetection;
-    model: Model;
-    retryN: number;
-    removed: string;
-}): HarmonyAuditEvent;
-export {};

package/src/harmony-leak.ts DELETED Viewed

@@ -1,456 +0,0 @@
-/**
- * GPT-5 Harmony-header leakage detection and recovery.
- *
- * Background and policy: see `docs/ERRATA-GPT5-HARMONY.md`. This module
- * implements §3 of that document: detection by signal fusion, plus a
- * truncate-and-resume primitive for the `edit` tool when its input is in
- * hashline DSL form. Other tools and surfaces fall through to
- * abort-and-retry handled by the agent loop.
- */
-import type { AssistantMessage, Model, ToolCall } from "@oh-my-pi/pi-ai";
-// Single source of truth for the marker pattern. `M` in the errata.
-// Use a fresh non-global instance for `.test()` to avoid lastIndex pitfalls.
-const MARKER_RE = /\bto=functions\.[A-Za-z_]\w*/g;
-const HARMONY_RE = /<\|(start|end|channel|message|call|return)\|>/g;
-// Channel-word adjacency (`C`): channel/role name appearing immediately before the marker.
-const CHANNEL_WORD_RE = /\b(?:analysis|commentary|assistant|user|system|developer|tool)\s+to=functions\./;
-// Glitch-token adjacency (`G`). The Japgolly literal is escaped so this regex
-// source itself does not trip detection if the file is scanned (e.g. when
-// editing this module via the same agent that detects).
-const GLITCH_RE = /\b(?:changedFiles|RTLU|Jsii(?:_commentary)?|\x4aapgolly)\b/;
-// Body-channel cascade (`B`): marker followed by ` code` then another marker
-// within 200 chars. Single regex; no manual slicing needed.
-const BODY_CASCADE_RE = /to=functions\.\w+\s+code\b[\s\S]{0,200}?to=functions\./;
-// Fake-result framing (`R`): marker followed within 80 chars by Cell N: framing.
-const FAKE_RESULT_RE = /to=functions\.\w+[\s\S]{0,80}?code_output\s*\nCell\s+\d+:/;
-const FENCE_RE = /^\s*(?:```+|~~~+)/;
-// Non-Latin scripts seen in the corpus: CJK + ext, Cyrillic, Thai, Georgian,
-// Armenian, Kannada, Telugu, Devanagari, Arabic, Malayalam.
-const SCRIPT_CLASS =
-	"\u3400-\u4DBF\u4E00-\u9FFF\uF900-\uFAFF\u0400-\u04FF\u0E00-\u0E7F\u10A0-\u10FF\u0530-\u058F\u0C80-\u0CFF\u0C00-\u0C7F\u0900-\u097F\u0600-\u06FF\u0D00-\u0D7F";
-const SCRIPT_RUN_RE = new RegExp(`[${SCRIPT_CLASS}]{2,}`, "u");
-// Recovery registry. Each entry's parser must recognize the configured
-// sentinel (per-tool, see eval/parse.ts and hashline/executor.ts) and surface
-// a warning to the model so it knows to re-issue any remaining work.
-// `accepts` gates on input shape: tools whose contaminated input doesn't
-// match the parser's expected DSL fall through to abort-and-retry.
-//
-// • `edit`: hashline DSL input begins with `@<path>`. Apply_patch envelopes
-//   (`*** Begin Patch …`) and JSON-schema variants are not recoverable —
-//   their parsers don't recognize `*** Abort`.
-// • `eval`: any string is a parseable cell sequence (the parser is lenient
-//   and falls back to implicit-cell mode on bare strings).
-interface RecoveryConfig {
-	sentinel: string;
-	accepts: (input: string) => boolean;
-}
-const RECOVERY_REGISTRY: Record<string, RecoveryConfig> = {
-	edit: {
-		sentinel: "\n*** Abort\n",
-		accepts: input => input.replace(/^\s+/, "").startsWith("@"),
-	},
-	eval: {
-		sentinel: "\n*** Abort\n",
-		accepts: () => true,
-	},
-};
-const SIGNAL_ORDER = ["M", "C", "G", "S", "B", "R", "T"] as const;
-export type HarmonySignalClass = "H" | (typeof SIGNAL_ORDER)[number];
-export type HarmonySurface = "assistant_text" | "assistant_thinking" | "tool_arg";
-export interface HarmonySignal {
-	classes: HarmonySignalClass[];
-	start: number;
-	end: number;
-	text: string;
-}
-export interface HarmonyDetection {
-	surface: HarmonySurface;
-	contentIndex?: number;
-	toolName?: string;
-	toolCallId?: string;
-	signals: HarmonySignal[];
-}
-export interface HarmonyAuditEvent {
-	action: "truncate_resume" | "abort_retry" | "escalated";
-	surface: HarmonySurface;
-	signal: string;
-	retryN: number;
-	model: string;
-	provider: string;
-	toolName?: string;
-	removedLen: number;
-	removedSha8: string;
-	removedPreview: string;
-	removedBlob?: string;
-}
-export interface HarmonyRecoveredToolCall {
-	message: AssistantMessage;
-	removed: string;
-}
-/**
- * Whether to run leak detection on responses from this model. We default-on
- * for every openai-codex model rather than enumerating ids, so a future
- * gpt-5.6 (or whatever) doesn't silently bypass the mitigation. Detection
- * itself is cheap; the cost of missing a leak on a new model is not.
- */
-export function isHarmonyLeakMitigationTarget(model: Model): boolean {
-	return model.provider === "openai-codex";
-}
-export function signalListLabel(signals: readonly HarmonySignal[]): string {
-	const seen: string[] = [];
-	for (const signal of signals) {
-		const label = signal.classes.join("+");
-		if (!seen.includes(label)) seen.push(label);
-	}
-	return seen.join(",") || "none";
-}
-/**
- * Detect harmony-protocol leakage in `text`. Returns undefined if clean.
- *
- * Trip rule: `H` alone, or `M` paired with at least one co-signal
- * (`C`/`G`/`S`/`B`/`R`/`T`). Bare `M` does not trip — this document, its
- * tests, and bug reports legitimately carry the marker.
- *
- * The `tool_arg` surface is held to a stricter rule. A tool argument is
- * arbitrary file/data content that can legitimately carry the marker, a
- * channel word, harmony control tokens, or a non-Latin script run (editing
- * these very fixtures does exactly that). The only robust leak signal there
- * is content trailing the structurally-valid parse, so a `tool_arg` detection
- * additionally requires the `T` co-signal. Absent a `parsedEnd` boundary `T`
- * is never set, so `tool_arg` scanning stays inert and a legitimate codex tool
- * call is never hard-aborted. `assistant_text`/`assistant_thinking` keep the
- * base rule.
- *
- * `parsedEnd`, when supplied, marks the byte at which a structurally valid
- * tool-argument parse ends; markers at or past it set the `T` co-signal.
- * `contentIndex`/`toolName`/`toolCallId` flow through to the returned
- * detection for downstream auditing.
- */
-export function detectHarmonyLeak(
-	text: string,
-	surface: HarmonySurface,
-	options: {
-		parsedEnd?: number;
-		contentIndex?: number;
-		toolName?: string;
-		toolCallId?: string;
-	} = {},
-): HarmonyDetection | undefined {
-	const fences = computeFenceRanges(text);
-	const signals: HarmonySignal[] = [];
-	for (const match of text.matchAll(HARMONY_RE)) {
-		const start = match.index ?? 0;
-		if (isInsideFence(fences, start)) continue;
-		signals.push(makeSignal(["H"], start, start + match[0].length, match[0]));
-	}
-	for (const match of text.matchAll(MARKER_RE)) {
-		const start = match.index ?? 0;
-		if (isInsideFence(fences, start)) continue;
-		const end = start + match[0].length;
-		const classes: HarmonySignalClass[] = ["M"];
-		const adjacent = text.slice(Math.max(0, start - 64), Math.min(text.length, end + 16));
-		const near = text.slice(Math.max(0, start - 16), Math.min(text.length, end + 16));
-		const forward = text.slice(start, Math.min(text.length, start + 240));
-		if (CHANNEL_WORD_RE.test(adjacent)) classes.push("C");
-		if (GLITCH_RE.test(near)) classes.push("G");
-		if (hasScriptMismatchNear(text, start, end)) classes.push("S");
-		if (BODY_CASCADE_RE.test(forward)) classes.push("B");
-		if (FAKE_RESULT_RE.test(forward)) classes.push("R");
-		if (options.parsedEnd !== undefined && start >= options.parsedEnd) classes.push("T");
-		// `M` alone never trips: legitimate documentation/tests carry it.
-		if (classes.length > 1) {
-			signals.push(makeSignal(classes, start, end, match[0]));
-		}
-	}
-	if (signals.length === 0) return undefined;
-	// Tool arguments are data: they can legitimately embed the marker, a channel
-	// word, harmony control tokens, or a non-Latin script run. Only a marker
-	// trailing the structurally-valid parse (`T`) is a reliable leak signal, so
-	// refuse to trip a `tool_arg` detection without it. Without a `parsedEnd`
-	// boundary `T` is never set and the surface stays inert.
-	if (surface === "tool_arg" && !signals.some(s => s.classes.includes("T"))) return undefined;
-	signals.sort((a, b) => a.start - b.start || a.end - b.end);
-	return {
-		surface,
-		contentIndex: options.contentIndex,
-		toolName: options.toolName,
-		toolCallId: options.toolCallId,
-		signals,
-	};
-}
-/**
- * Scan an assistant message's content blocks; return the first detection.
- *
- * `toolArgParseEnd`, when supplied, resolves the byte offset at which a tool
- * call's structurally-valid argument parse ends (the `T` co-signal in
- * {@link detectHarmonyLeak}). Callers that can parse a tool's argument DSL pass
- * it to enable `tool_arg` leak detection; omitting it keeps that surface inert
- * — the safe default the agent loop relies on, since it cannot bound a streamed
- * tool DSL and must never hard-abort a legitimate tool call.
- */
-export function detectHarmonyLeakInAssistantMessage(
-	message: AssistantMessage,
-	toolArgParseEnd?: (toolCall: ToolCall) => number | undefined,
-): HarmonyDetection | undefined {
-	for (let i = 0; i < message.content.length; i++) {
-		const block = message.content[i];
-		if (block.type === "text") {
-			const d = detectHarmonyLeak(block.text, "assistant_text", { contentIndex: i });
-			if (d) return d;
-		} else if (block.type === "thinking") {
-			const d = detectHarmonyLeak(block.thinking, "assistant_thinking", { contentIndex: i });
-			if (d) return d;
-		} else if (block.type === "toolCall") {
-			const argText = getToolArgumentText(block);
-			if (argText !== undefined) {
-				const d = detectHarmonyLeak(argText, "tool_arg", {
-					contentIndex: i,
-					toolName: block.name,
-					toolCallId: block.id,
-					parsedEnd: toolArgParseEnd?.(block),
-				});
-				if (d) return d;
-			}
-		}
-	}
-	return undefined;
-}
-/**
- * Truncate a contaminated tool call at the start of the contaminated line and
- * append the tool's recovery sentinel. Returns a recovered AssistantMessage
- * (containing only the cleaned tool call), a synthetic continuation user
- * message asking the model to re-issue the rest, and the removed substring
- * for auditing. Returns undefined when the tool is not recovery-eligible or
- * the truncation would leave nothing meaningful to dispatch.
- *
- * `providerPayload` is dropped from the recovered message: for Codex the
- * encrypted reasoning blob is opaque/signed and we cannot validate that it is
- * uncontaminated. The model re-reasons on the next turn.
- */
-export function recoverHarmonyToolCall(
-	message: AssistantMessage,
-	detection: HarmonyDetection,
-): HarmonyRecoveredToolCall | undefined {
-	if (detection.surface !== "tool_arg" || detection.contentIndex === undefined) return undefined;
-	const block = message.content[detection.contentIndex];
-	if (block?.type !== "toolCall") return undefined;
-	const config = RECOVERY_REGISTRY[block.name];
-	if (!config) return undefined;
-	const input = block.arguments?.input;
-	if (typeof input !== "string") return undefined;
-	if (!config.accepts(input)) return undefined;
-	const offset = detection.signals[0]?.start;
-	if (offset === undefined) return undefined;
-	const truncated = truncateAtLineAndAppendSentinel(input, offset, config.sentinel);
-	if (truncated === undefined) return undefined;
-	const cleanToolCall: ToolCall = {
-		...block,
-		arguments: { ...block.arguments, input: truncated.clean },
-	};
-	const cleanMessage: AssistantMessage = {
-		...message,
-		content: [cleanToolCall],
-		// Drop encrypted reasoning blob: opaque, possibly carries the leak forward.
-		providerPayload: undefined,
-		stopReason: "toolUse",
-		errorMessage: undefined,
-	};
-	return { message: cleanMessage, removed: truncated.removed };
-}
-/**
- * Return the contaminated substring from `message` for audit purposes when
- * recovery is not applicable (abort path). Walks from the first detected
- * signal to end-of-content within the relevant block. Returns "" if the
- * detection cannot be resolved against the message.
- */
-export function extractHarmonyRemoved(message: AssistantMessage, detection: HarmonyDetection): string {
-	if (detection.contentIndex === undefined) return "";
-	const block = message.content[detection.contentIndex];
-	if (!block) return "";
-	const start = detection.signals[0]?.start ?? 0;
-	if (block.type === "text") return block.text.slice(start);
-	if (block.type === "thinking") return block.thinking.slice(start);
-	if (block.type === "toolCall") {
-		const text = getToolArgumentText(block);
-		return text ? text.slice(start) : "";
-	}
-	return "";
-}
-export function createHarmonyAuditEvent(params: {
-	action: HarmonyAuditEvent["action"];
-	detection: HarmonyDetection;
-	model: Model;
-	retryN: number;
-	removed: string;
-}): HarmonyAuditEvent {
-	return {
-		action: params.action,
-		surface: params.detection.surface,
-		signal: signalListLabel(params.detection.signals),
-		retryN: params.retryN,
-		model: params.model.id,
-		provider: params.model.provider,
-		toolName: params.detection.toolName,
-		removedLen: params.removed.length,
-		removedSha8: sha8(params.removed),
-		removedPreview: redactedJunkPreview(params.removed),
-		removedBlob: Bun.env.OMP_HARMONY_DEBUG === "1" ? params.removed : undefined,
-	};
-}
-// ─── internals ──────────────────────────────────────────────────────────────
-function makeSignal(classes: HarmonySignalClass[], start: number, end: number, text: string): HarmonySignal {
-	if (classes[0] === "H") return { classes: ["H"], start, end, text };
-	const sorted: HarmonySignalClass[] = [];
-	for (const cls of SIGNAL_ORDER) {
-		if (classes.includes(cls)) sorted.push(cls);
-	}
-	return { classes: sorted, start, end, text };
-}
-/**
- * Precompute fenced-code-block ranges once per text. Each range is a
- * [start, end) span of bytes inside any ```/~~~ fence. O(n) once instead of
- * O(n) per detected match.
- */
-function computeFenceRanges(text: string): Array<[number, number]> {
-	const ranges: Array<[number, number]> = [];
-	let inFence = false;
-	let fenceStart = 0;
-	let lineStart = 0;
-	while (lineStart <= text.length) {
-		const newline = text.indexOf("\n", lineStart);
-		const lineEnd = newline === -1 ? text.length : newline;
-		const line = text.slice(lineStart, lineEnd);
-		if (FENCE_RE.test(line)) {
-			if (inFence) {
-				ranges.push([fenceStart, lineEnd]);
-				inFence = false;
-			} else {
-				fenceStart = lineStart;
-				inFence = true;
-			}
-		}
-		if (newline === -1) break;
-		lineStart = newline + 1;
-	}
-	if (inFence) ranges.push([fenceStart, text.length]);
-	return ranges;
-}
-function isInsideFence(ranges: Array<[number, number]>, position: number): boolean {
-	for (const [start, end] of ranges) {
-		if (position >= start && position < end) return true;
-		if (start > position) break;
-	}
-	return false;
-}
-function hasScriptMismatchNear(text: string, start: number, end: number): boolean {
-	const near = text.slice(Math.max(0, start - 32), Math.min(text.length, end + 32));
-	if (!SCRIPT_RUN_RE.test(near)) return false;
-	const surrounding = text.slice(Math.max(0, start - 200), Math.min(text.length, end + 200));
-	if (surrounding.length === 0) return false;
-	let ascii = 0;
-	for (let i = 0; i < surrounding.length; i++) {
-		if (surrounding.charCodeAt(i) < 128) ascii++;
-	}
-	return ascii / surrounding.length >= 0.85;
-}
-/**
- * Tool-call argument text used for detection scanning. For tools whose args
- * include a free-form `input` string we scan that directly so reported byte
- * offsets line up with the original. For everything else we fall back to a
- * JSON-stringified blob so detection still fires; that path's offsets are
- * NOT meaningful for slicing the original args, but the recovery path gates
- * on `block.arguments.input` being a string and only ever slices that.
- */
-function getToolArgumentText(toolCall: ToolCall): string | undefined {
-	if (typeof toolCall.arguments?.input === "string") return toolCall.arguments.input;
-	try {
-		return JSON.stringify(toolCall.arguments);
-	} catch {
-		return undefined;
-	}
-}
-function truncateAtLineAndAppendSentinel(
-	input: string,
-	offset: number,
-	sentinel: string,
-): { clean: string; removed: string } | undefined {
-	const lineStart = offset <= 0 ? 0 : input.lastIndexOf("\n", offset - 1) + 1;
-	if (lineStart === 0) return undefined; // would cut everything
-	const head = input.slice(0, lineStart).replace(/\s+$/, "");
-	if (head.length === 0) return undefined;
-	return {
-		clean: head + sentinel,
-		removed: input.slice(lineStart),
-	};
-}
-function sha8(text: string): string {
-	return Bun.sha(text, "hex").slice(0, 8);
-}
-const PREVIEW_KEEP_RE = new RegExp(`[${SCRIPT_CLASS}\\s】【”“…」「、。]`, "u");
-const PREVIEW_TOKEN_RE =
-	/^(?:to=functions\.[A-Za-z_]\w*|analysis|commentary|assistant|user|system|developer|tool|changedFiles|RTLU|Jsii(?:_commentary)?|\x4aapgolly)/;
-/**
- * Privacy-safe preview for the audit log: keeps marker/channel/glitch tokens,
- * non-Latin script chars, and CJK punctuation; replaces everything else
- * (potential source/secrets) with `·`. Sufficient to grow the glitch-token
- * denylist from logs without exposing source content. Capped at 64 chars.
- */
-function redactedJunkPreview(text: string): string {
-	const source = text.slice(0, 64);
-	let out = "";
-	for (let i = 0; i < source.length; ) {
-		const tok = PREVIEW_TOKEN_RE.exec(source.slice(i));
-		if (tok) {
-			out += tok[0];
-			i += tok[0].length;
-			continue;
-		}
-		const ch = source[i] ?? "";
-		out += PREVIEW_KEEP_RE.test(ch) ? ch : "·";
-		i++;
-	}
-	return out;
-}