@pliuz/sdk 0.1.0 → 0.2.2

package/CHANGELOG.md

@@ -5,6 +5,81 @@ All notable changes to `@pliuz/sdk` (TypeScript SDK) are documented in this file
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.2.2] — 2026-06-13
+
+Ships the F2 long-poll that landed in the repo *after* the 0.2.1 tag, plus Vercel AI
+adapter and redaction hardening from the architecture-closure pass.
+
+### Added
+
+- **Long-poll decision delivery (F2).** `gated()` now waits on
+  `GET /approvals/:id?wait=` (up to 25s server-side), cutting polling volume ~12x. The
+  code existed in the repo but was committed after the 0.2.1 tag, so
+  `npm install @pliuz/sdk` did not include it until now.
+- **Strict redaction mode (D13).** `gated({ ..., redactStrict: true })` and
+  `applyRedaction(payload, paths, true)` throw `PliuzRedactionPathError` when a path
+  matches no field, instead of silently leaving it unredacted. The default stays lenient.
+
+### Fixed / Changed (behavior changes)
+
+- **Vercel AI adapter `toolName` is now required (D14).** `gatedTool` no longer derives
+  the Pliuz tool name from the tool's prose `description` — a copy edit silently
+  re-routed approvals. Pass `toolName` explicitly; a missing/blank value throws.
+- **Vercel AI adapter concurrency fix (D14).** Execution `options` are now captured
+  per-call instead of via a shared mutable holder that cross-talked between concurrent
+  tool invocations.
+
+## [0.2.1] — 2026-06-12
+
+Identical in content to 0.2.0 (below), which never reached npm — its release
+CI run failed on a monorepo PostCSS config leak into the SDK's vitest, fixed
+here. First published version of the 0.2 line.
+
+## [0.2.0] — 2026-06-12 (not published to npm)
+
+Correctness release from an internal security/architecture review. Three of
+these are behavior changes you should read before upgrading.
+
+### Fixed (behavior changes)
+
+- **Human edits are now executed.** When an approver decides with
+  *Edit & Approve*, the wrapper now runs the edited `final_args` — previously
+  it silently ran the ORIGINAL args the agent sent. With the default
+  `toolArgs` mapper this is automatic; custom mappers need the new
+  `applyFinalArgs` option or the call throws the new
+  `PliuzEditNotApplicableError` (the SDK refuses to execute args a human did
+  not approve). Redaction placeholders echoed back by the approver are
+  restored to the original values.
+- **Idempotency keys are now hashed over PRE-redaction args.** Previously two
+  calls differing only in a redacted field (e.g. two transfers to different
+  IBANs) produced the SAME key, so the second silently replayed the first's
+  approval. Keys change across this upgrade: in-flight dedupe windows reset
+  (worst case: one extra approval request, never a skipped approval).
+- **Execution reports are awaited** before the wrapped call returns.
+  Previously they were fire-and-forget, which on serverless (Vercel/Lambda)
+  routinely froze before the report was sent — silently losing the audit
+  loop's execution record.
+- **The execution excerpt is redacted** with the same `redact` paths as
+  `tool_args`. Previously a tool that returned the sensitive field it
+  received re-leaked it through `target_response_excerpt`.
+
+### Changed
+
+- Default `baseUrl` is now `https://pliuz.com` (was a dev deployment URL).
+- README idempotency section rewritten to match real backend semantics
+  (24h dedupe window, per-agent, payload-conflict → 409) and to recommend a
+  per-run `sessionId` for legitimately repeating calls.
+- README no longer claims AbortSignal cancellation or Vercel Edge support
+  (neither shipped yet — both on the roadmap).
+- Contract tests now FAIL (instead of silently skipping) when the OpenAPI
+  spec is missing, and resolve a vendored `api-spec/openapi.yaml` in the
+  public mirror.
+
+### Added
+
+- `applyFinalArgs?: (finalArgs, originalArgs) => TArgs` in `GatedOptions`.
+- `PliuzEditNotApplicableError` (exported).
+
 ## [0.1.0] — 2026-05-21
 
 ### Added

package/README.md

@@ -2,7 +2,7 @@
 
 [![npm](https://img.shields.io/npm/v/@pliuz/sdk)](https://www.npmjs.com/package/@pliuz/sdk)
 [![Node](https://img.shields.io/node/v/@pliuz/sdk)](https://www.npmjs.com/package/@pliuz/sdk)
-[![License](https://img.shields.io/npm/l/@pliuz/sdk)](https://github.com/mwhitex/pliuz/blob/main/sdk-typescript/LICENSE)
+[![License](https://img.shields.io/npm/l/@pliuz/sdk)](https://github.com/pliuz/pliuz-ts/blob/main/sdk-typescript/LICENSE)
 
 > **Human-in-the-loop approval gates for AI agents.** Wrap any function in `gated()` to pause execution, route the call to a human approver via Pliuz, then resume — or abort — based on the decision. Every call is audited.
 
@@ -44,7 +44,7 @@ Requires Node ≥ 18.17 (uses native `fetch` + `AbortController`).
 
 ### 1. Get an API key
 
-Sign up at [pliuz.dev](https://pliuz.dev), create an agent in the dashboard, copy the key.
+Sign up at [pliuz.com](https://pliuz.com/signup), create an agent in the dashboard, copy the key.
 
 ### 2. Set the env var
 
@@ -99,9 +99,10 @@ yourFn(...args)                                  yourFn(...args)
 - **Dual ESM/CJS** — works in any modern Node project
 - **First-class TypeScript** — fully typed, including narrow error subclasses
 - **Idempotency** via deterministic key hashing — safe to retry from anywhere
-- **Client-side redaction** — sensitive fields never leave your process plaintext
-- **Cancellable** via `AbortSignal` (pass `timeoutMs`)
-- **Single-shot execution reporting** — closes the audit loop automatically
+- **Client-side redaction** — sensitive fields never leave your process plaintext (applied to tool args AND the execution excerpt)
+- **Bounded waiting** via `timeoutMs` (first-class `AbortSignal` cancellation is on the roadmap — not shipped yet)
+- **Human edits honored** — if an approver edits the args, the edited args execute (or a typed error is thrown), never the original ones
+- **Single-shot execution reporting** — awaited before your call returns, closing the audit loop reliably on serverless
 - **Typed errors** — `PliuzRejectedError`, `PliuzApprovalExpiredError`, `PliuzPolicyError`, etc.
 - **Vercel AI SDK adapter** — `gatedTool()` wraps `tool({...})` from `ai` so existing AI SDK agents gate transparently
 
@@ -221,7 +222,7 @@ import { z } from 'zod'
 import { gatedTool } from '@pliuz/sdk/adapters/ai'
 
 const issueRefund = gatedTool(
-  { policy: 'refund', redact: ['customer.ssn'] },
+  { toolName: 'issue_refund', policy: 'refund', redact: ['customer.ssn'] },
   tool({
     description: 'Issue a refund to a customer',
     parameters: z.object({
@@ -249,7 +250,7 @@ The wrapped tool preserves `description` and `parameters` — the LLM sees it id
 | Env var | Default | Purpose |
 |---|---|---|
 | `PLIUZ_API_KEY` | _(required)_ | Per-agent API key. `pli_live_...` format. |
-| `PLIUZ_BASE_URL` | `https://pliuz-dev.vercel.app` | Override for self-hosted or staging. |
+| `PLIUZ_BASE_URL` | `https://pliuz.com` | Override for self-hosted or staging. |
 
 All env vars can be passed as `PliuzClient` constructor options:
 
@@ -261,24 +262,52 @@ new PliuzClient({ apiKey: 'pli_live_...', baseUrl: 'https://pliuz.mycompany.com'
 
 ## Production tips
 
-### Idempotency
+### Idempotency — read this before relying on it
 
-`gated()` automatically generates a deterministic `idempotency_key` per call — same args → same key. The backend dedupes within 24 h, so safe to retry from anywhere (queues, retry loops, agent restarts).
+`gated()` automatically generates a deterministic `idempotency_key` per call from `(tool_name, args, sessionId)`. The key is hashed over the **pre-redaction** args (only the truncated SHA-256 leaves your process), so two calls that differ only in a redacted field get **different** keys — each needs its own approval.
 
-```typescript
-const refund = gated({ policy: 'refund' }, async (id: string, cents: number) => {
-  // ...
-})
+**Important:** the backend currently dedupes on this key with **no time window** — a `(tool_name, args, sessionId)` combination that was approved once is replayed as approved on every identical future call (and a rejected one stays rejected). The dedupe exists for HTTP-retry safety, but with the default `sessionId: undefined` it also applies across runs and days. **If your agent legitimately repeats identical calls (crons, recurring jobs), set a per-run `sessionId`** so each run gets its own approval:
 
-// Calling twice in a 24h window → only 1 approval request created.
-// Same human decision applies to both. No duplicate refunds.
-await refund('cus_123', 5000)
-await refund('cus_123', 5000)
+```typescript
+const refund = gated(
+  { policy: 'refund', sessionId: runId },  // scope approvals to this run
+  async (id: string, cents: number) => { /* ... */ },
+)
 ```
 
+Within one run, retries are then safe: same args → one approval request, one human decision.
+
+> A bounded server-side dedupe window is planned; until then treat the replay semantics above as the contract.
+
 ### Cross-language idempotency
 
-The idempotency hash algorithm is identical to the [Python SDK](https://pypi.org/project/pliuz/). A call from Python + a call from TypeScript with the same `tool_name`, `tool_args`, and `sessionId` produces the same key.
+The hash algorithm matches the [Python SDK](https://pypi.org/project/pliuz/) for ASCII string/integer payloads. Known divergence: non-ASCII strings and float-typed numbers serialize differently between `JSON.stringify` and Python's `json.dumps`, producing different keys — don't rely on cross-language dedupe for those payloads yet.
+
+### When the approver edits the args
+
+If a human decides with **Edit & Approve**, `gated()` executes the **edited** `final_args`, never the original call. With the default `toolArgs` mapper this is automatic. With a custom `toolArgs` mapper, provide `applyFinalArgs` to map the edited object back onto your function's arguments — otherwise the SDK throws `PliuzEditNotApplicableError` (it refuses to run args the human did not approve):
+
+```typescript
+const refund = gated(
+  {
+    toolArgs: (id: string, cents: number) => ({ customer_id: id, amount_cents: cents }),
+    applyFinalArgs: (fa, [id]) => [id, fa.amount_cents as number] as const,
+  },
+  async (id: string, cents: number) => { /* ... */ },
+)
+```
+
+### Decision latency (long-poll)
+
+`gated()` waits for the human decision via **server long-poll**: each wait call
+holds the connection open up to ~25s and returns the instant the approval is
+decided. You get near-zero decision-delivery latency and ~12x fewer requests
+than fixed-interval polling — no configuration needed. `pollIntervalMs` now
+just caps the per-call wait window. The low-level client exposes it directly:
+
+```typescript
+const a = await pliuz.getApproval(id, 25) // long-poll up to 25s
+```
 
 ### Custom timeouts per call
 
@@ -292,7 +321,7 @@ If polling exceeds `timeoutMs`, you get `PliuzApprovalTimeoutError`. **Your wrap
 
 ### Edge / Bun / Deno
 
-The SDK uses only `fetch` + `AbortController` + `crypto.createHash`. Should work in any modern runtime that exposes these (Bun, Deno via `npm:` specifier, Vercel Edge, Cloudflare Workers). Not tested in CI — file an issue if you hit anything.
+The HTTP layer uses native `fetch` + `AbortController`, but `gated()` imports `node:crypto` at module load — so today the SDK requires a Node-compatible runtime: **Node ≥ 18.17, Bun, Deno (via `npm:`), and Cloudflare Workers with `nodejs_compat`**. **Vercel Edge runtime is NOT supported yet** (no `node:crypto` there); use the Node.js runtime for routes that import this SDK. A Web-Crypto build is on the roadmap.
 
 ---
 
@@ -320,9 +349,9 @@ See [`examples/`](./examples) for runnable scripts:
 
 ## Links
 
-- **Docs**: https://pliuz.dev/docs
-- **GitHub**: https://github.com/mwhitex/pliuz
-- **Issues**: https://github.com/mwhitex/pliuz/issues
+- **Docs**: https://pliuz.com/docs
+- **GitHub**: https://github.com/pliuz/pliuz-ts
+- **Issues**: https://github.com/pliuz/pliuz-ts/issues
 - **Python SDK**: [`pliuz`](https://pypi.org/project/pliuz/)
 
 ---

package/dist/adapters/ai.cjs

@@ -5,7 +5,7 @@ var crypto = require('crypto');
 // src/gated.ts
 
 // src/version.ts
-var VERSION = "0.1.0";
+var VERSION = "0.2.2";
 
 // src/errors.ts
 var PliuzError = class extends Error {
@@ -24,6 +24,17 @@ var PliuzNetworkError = class extends PliuzError {
   }
   cause;
 };
+var PliuzRedactionPathError = class extends PliuzError {
+  constructor(path) {
+    super(
+      `redaction path '${path}' did not match any field in the payload (strict mode). Fix the path or set redactStrict=false to ignore misses.`
+    );
+    this.path = path;
+    this.name = "PliuzRedactionPathError";
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+  path;
+};
 var PliuzTimeoutError = class extends PliuzError {
   constructor(message) {
     super(message);
@@ -134,6 +145,19 @@ var PliuzApprovalTimeoutError = class extends PliuzError {
   approvalId;
   timeoutMs;
 };
+var PliuzEditNotApplicableError = class extends PliuzError {
+  constructor(approvalId, finalArgs) {
+    super(
+      `approval ${approvalId} was approved with edited args, but they cannot be mapped back to the wrapped function (custom toolArgs mapper without applyFinalArgs, or incompatible shape) \u2014 refusing to execute the original (unapproved) args. Apply e.finalArgs manually.`
+    );
+    this.approvalId = approvalId;
+    this.finalArgs = finalArgs;
+    this.name = "PliuzEditNotApplicableError";
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+  approvalId;
+  finalArgs;
+};
 var STATUS_TO_ERROR = {
   400: PliuzValidationError,
   401: PliuzAuthError,
@@ -240,7 +264,7 @@ async function request(opts) {
 }
 
 // src/client.ts
-var DEFAULT_BASE_URL = "https://pliuz-dev.vercel.app";
+var DEFAULT_BASE_URL = "https://pliuz.com";
 var DEFAULT_TIMEOUT_MS = 3e4;
 var DEFAULT_MAX_RETRIES = 3;
 var ENV_API_KEY = "PLIUZ_API_KEY";
@@ -265,6 +289,7 @@ function approvalUrl(baseUrl, approvalId, suffix) {
   if (suffix) path += `/${suffix}`;
   return baseUrl + path;
 }
+var MAX_WAIT_SECONDS = 25;
 var PliuzClient = class {
   apiKey;
   baseUrl;
@@ -314,13 +339,22 @@ var PliuzClient = class {
   /**
    * Fetch the current state of an approval request.
    * Used by polling in `gated()` to detect status transitions.
+   *
+   * Pass `waitSeconds` (1..25) to long-poll: the server holds the request
+   * open and returns the instant the approval stops being `pending`, or after
+   * `waitSeconds` (still pending). Cuts polling volume and decision latency
+   * ~12x vs fixed-interval polling. The per-request HTTP timeout is bumped to
+   * cover the wait window.
    */
-  async getApproval(approvalId) {
+  async getApproval(approvalId, waitSeconds) {
+    const wait = waitSeconds && waitSeconds > 0 ? Math.min(Math.floor(waitSeconds), MAX_WAIT_SECONDS) : 0;
+    const url = wait > 0 ? `${approvalUrl(this.baseUrl, approvalId)}?wait=${wait}` : approvalUrl(this.baseUrl, approvalId);
     return request({
       method: "GET",
-      url: approvalUrl(this.baseUrl, approvalId),
+      url,
       apiKey: this.apiKey,
-      timeoutMs: this.timeoutMs,
+      // Give the socket head-room over the server-side wait window.
+      timeoutMs: wait > 0 ? Math.max(this.timeoutMs, wait * 1e3 + 5e3) : this.timeoutMs,
       maxRetries: this.maxRetries,
       fetchImpl: this.fetchImpl
     });
@@ -353,13 +387,16 @@ var PliuzClient = class {
 
 // src/redaction.ts
 var REDACTED_PLACEHOLDER = "<redacted>";
-function applyRedaction(payload, paths) {
+function applyRedaction(payload, paths, strict = false) {
   if (!paths || paths.length === 0) {
     return deepClone(payload);
   }
   const result = deepClone(payload);
   for (const path of paths) {
-    redactPath(result, parsePath(path));
+    const matched = redactPath(result, parsePath(path));
+    if (strict && !matched) {
+      throw new PliuzRedactionPathError(path);
+    }
   }
   return result;
 }
@@ -387,28 +424,30 @@ function parsePath(path) {
   return segments;
 }
 function redactPath(node, segments) {
-  if (segments.length === 0) return;
-  if (!isPlainObject(node)) return;
+  if (segments.length === 0) return true;
+  if (!isPlainObject(node)) return false;
   const [head, ...rest] = segments;
-  if (!head) return;
+  if (!head) return false;
   const { key, isArrayWildcard } = head;
-  if (!(key in node)) return;
+  if (!(key in node)) return false;
   if (isArrayWildcard) {
     const target = node[key];
-    if (!Array.isArray(target)) return;
+    if (!Array.isArray(target)) return false;
     if (rest.length === 0) {
       node[key] = target.map(() => REDACTED_PLACEHOLDER);
-      return;
+      return true;
     }
+    let matched = target.length > 0;
     for (const item of target) {
-      redactPath(item, rest);
+      if (!redactPath(item, rest)) matched = false;
     }
+    return matched;
   } else {
     if (rest.length === 0) {
       node[key] = REDACTED_PLACEHOLDER;
-    } else {
-      redactPath(node[key], rest);
+      return true;
     }
+    return redactPath(node[key], rest);
   }
 }
 function isPlainObject(v) {
@@ -436,8 +475,8 @@ function gated(options, fn) {
   return async (...args) => {
     const activeClient = options.client ?? new PliuzClient();
     const rawArgs = toolArgsMapper(...args);
-    const sendArgs = redactPaths && redactPaths.length > 0 ? applyRedaction(rawArgs, redactPaths) : rawArgs;
-    const idempotencyKey = idempotencyKeyFor(toolName, sendArgs, options.sessionId);
+    const sendArgs = redactPaths && redactPaths.length > 0 ? applyRedaction(rawArgs, redactPaths, options.redactStrict ?? false) : rawArgs;
+    const idempotencyKey = idempotencyKeyFor(toolName, rawArgs, options.sessionId);
     const metadata = {};
     if (options.policy) metadata.policy = options.policy;
     const response = await activeClient.createApproval({
@@ -456,27 +495,38 @@ function gated(options, fn) {
     if (TERMINAL_EXPIRED.has(response.status)) {
       throw new PliuzApprovalExpiredError(approvalId);
     }
+    let approval = null;
     if (!TERMINAL_OK.has(response.status)) {
       const deadline = Date.now() + timeoutMs;
       while (true) {
-        if (Date.now() >= deadline) {
+        const remainingMs = deadline - Date.now();
+        if (remainingMs <= 0) {
           throw new PliuzApprovalTimeoutError(approvalId, timeoutMs);
         }
-        await sleep2(pollIntervalMs);
-        const approval = await activeClient.getApproval(approvalId);
+        const waitSeconds = Math.max(1, Math.ceil(Math.min(remainingMs, pollIntervalMs * 1e3) / 1e3));
+        const callStart = Date.now();
+        approval = await activeClient.getApproval(approvalId, waitSeconds);
         if (terminalOrThrow(approval)) break;
+        if (Date.now() - callStart < 250) await sleep2(pollIntervalMs);
       }
+    } else if (response.is_replay) {
+      approval = await activeClient.getApproval(approvalId);
+    }
+    let callArgs = args;
+    const finalArgs = approval?.final_args ?? null;
+    if (finalArgs) {
+      callArgs = resolveEditedArgs(approvalId, rawArgs, finalArgs, args, options);
     }
     const started = Date.now();
     try {
-      const result = await fn(...args);
+      const result = await fn(...callArgs);
       const latencyMs = Date.now() - started;
-      void safeReport(activeClient, approvalId, "success", null, latencyMs, result);
+      await safeReport(activeClient, approvalId, "success", null, latencyMs, result, redactPaths);
       return result;
     } catch (e) {
       const latencyMs = Date.now() - started;
       const errMsg = e instanceof Error ? e.message : String(e);
-      void safeReport(activeClient, approvalId, "error", errMsg.slice(0, 2e3), latencyMs, null);
+      await safeReport(activeClient, approvalId, "error", errMsg.slice(0, 2e3), latencyMs, null, redactPaths);
       throw e;
     }
   };
@@ -500,6 +550,30 @@ function canonicalJSON(value) {
   const keys = Object.keys(obj).sort();
   return "{" + keys.map((k) => JSON.stringify(k) + ":" + canonicalJSON(obj[k])).join(",") + "}";
 }
+function mergeFinalArgs(raw, final) {
+  if (isPlainRecord(raw) && isPlainRecord(final)) {
+    const out = {};
+    for (const [k, v] of Object.entries(final)) {
+      out[k] = k in raw ? mergeFinalArgs(raw[k], v) : v;
+    }
+    return out;
+  }
+  if (final === REDACTED_PLACEHOLDER) return raw;
+  return final;
+}
+function isPlainRecord(v) {
+  return typeof v === "object" && v !== null && !Array.isArray(v);
+}
+function resolveEditedArgs(approvalId, rawArgs, finalArgs, originalArgs, options) {
+  const merged = mergeFinalArgs(rawArgs, finalArgs);
+  if (options.applyFinalArgs) {
+    return options.applyFinalArgs(merged, originalArgs);
+  }
+  if (options.toolArgs === void 0 && Array.isArray(merged.args)) {
+    return merged.args;
+  }
+  throw new PliuzEditNotApplicableError(approvalId, merged);
+}
 function terminalOrThrow(approval) {
   if (TERMINAL_OK.has(approval.status)) return true;
   if (TERMINAL_REJECT.has(approval.status)) {
@@ -510,13 +584,14 @@ function terminalOrThrow(approval) {
   }
   return false;
 }
-async function safeReport(client, approvalId, status, errorMessage, latencyMs, result) {
+async function safeReport(client, approvalId, status, errorMessage, latencyMs, result, redactPaths) {
   let excerpt = null;
   if (result != null) {
+    const toDump = redactPaths && redactPaths.length > 0 && isPlainRecord(result) ? applyRedaction(result, redactPaths) : result;
     try {
-      excerpt = JSON.stringify(result).slice(0, 2e3);
+      excerpt = JSON.stringify(toDump).slice(0, 2e3);
     } catch {
-      excerpt = String(result).slice(0, 2e3);
+      excerpt = String(toDump).slice(0, 2e3);
     }
   }
   try {
@@ -539,28 +614,31 @@ function gatedTool(options, tool) {
   if (typeof tool.execute !== "function") {
     return tool;
   }
-  const toolName = options.toolName ?? (typeof tool.description === "string" ? tool.description.slice(0, 64) : "ai_tool");
+  const toolName = options.toolName;
+  if (typeof toolName !== "string" || toolName.trim() === "") {
+    throw new Error(
+      "gatedTool: `toolName` is required and must be a non-empty string. It drives Pliuz policy matching, so it must be explicit and stable \u2014 never derived from the tool description (a copy edit would silently re-route approvals)."
+    );
+  }
   const originalExecute = tool.execute;
-  let pendingOptions = void 0;
-  const gatedExecute1Arg = gated(
-    {
-      policy: options.policy,
-      redact: options.redact,
-      timeoutMs: options.timeoutMs,
-      pollIntervalMs: options.pollIntervalMs,
-      client: options.client,
-      contextMessages: options.contextMessages,
-      sessionId: options.sessionId,
-      originator: options.originator,
-      toolName,
-      // Surface the Vercel-AI input dict directly as Pliuz tool_args
-      // instead of wrapping in `{ args: [input] }` for cleaner audit logs.
-      toolArgs: (input) => isPlainObject2(input) ? input : { input }
-    },
-    async (input) => originalExecute(input, pendingOptions)
-  );
   const wrappedExecute = async (input, opts) => {
-    pendingOptions = opts;
+    const gatedExecute1Arg = gated(
+      {
+        policy: options.policy,
+        redact: options.redact,
+        timeoutMs: options.timeoutMs,
+        pollIntervalMs: options.pollIntervalMs,
+        client: options.client,
+        contextMessages: options.contextMessages,
+        sessionId: options.sessionId,
+        originator: options.originator,
+        toolName,
+        // Surface the Vercel-AI input dict directly as Pliuz tool_args
+        // instead of wrapping in `{ args: [input] }` for cleaner audit logs.
+        toolArgs: (inp) => isPlainObject2(inp) ? inp : { input: inp }
+      },
+      async (inp) => originalExecute(inp, opts)
+    );
     return gatedExecute1Arg(input);
   };
   return {