@polylogicai/polycode 1.1.3 → 1.1.5

package/README.md

@@ -1,25 +1,35 @@
 # polycode
 
-An agentic coding CLI. Runs on your machine with your keys. Every turn is appended to a SHA-256 chained session log on disk, so your history is auditable, replayable, and portable across machines.
+An agentic coding CLI. Runs on your machine, writes a SHA-256 chained session log to disk, and ships with a free hosted tier so you can start in one command. Your history is auditable, replayable, and portable across machines.
 
-## Install
+## Install and run
 
-The fastest way to try polycode is with `npx`. It works on macOS, Linux, and Windows from any terminal:
+One command, no setup, any platform:
 
 ```bash
 npx @polylogicai/polycode@latest
 ```
 
-For repeated use, install it globally:
+That is the entire install. The first run provisions a per-install ID under `~/.polycode/` and opens an interactive session. On the free hosted tier you get 60 turns per hour for free, routed through `polylogicai.com/api/polycode/inference`. For unlimited use, set `GROQ_API_KEY` (see below) and polycode will talk to Groq directly and skip the proxy.
+
+For repeated use, install globally:
 
 ```bash
 npm install -g @polylogicai/polycode
 polycode
 ```
 
-## Quick start
+## One-shot mode
 
-Set your Groq API key, then run polycode:
+Pass your prompt as an argument:
+
+```bash
+npx @polylogicai/polycode@latest "read README.md and summarize it in one sentence"
+```
+
+## Unlimited use with your own key
+
+Grab a free key from `console.groq.com`, then:
 
 ```bash
 # macOS and Linux
@@ -31,22 +41,14 @@ $env:GROQ_API_KEY = "gsk_..."
 npx @polylogicai/polycode@latest
 ```
 
-That opens an interactive session. For one-shot mode, pass your prompt as an argument:
-
-```bash
-npx @polylogicai/polycode@latest "read README.md and summarize it in one sentence"
-```
-
-A free Groq API key is available at `console.groq.com`.
-
 ## Configuration
 
 polycode reads configuration from environment variables and optionally from a `~/.polycode/secrets.env` file (chmod 600 recommended).
 
 | Variable | Purpose | Required |
 |---|---|---|
-| `GROQ_API_KEY` | Primary inference key for tool-use and reasoning | yes |
-| `ANTHROPIC_API_KEY` | Optional high-quality tier for long sessions | no |
+| `GROQ_API_KEY` | Direct Groq access, unlimited. If unset, polycode uses the hosted tier. | no |
+| `ANTHROPIC_API_KEY` | Optional higher-quality compile tier for long sessions | no |
 | `POLYCODE_MODEL` | Override the default model | no |
 | `POLYCODE_CWD` | Override the working directory | no |
 
@@ -58,10 +60,13 @@ polycode runs a standard agentic loop: you ask, it thinks, it uses tools, it ret
 - `read_file` read a file relative to the working directory
 - `write_file` write a file to the working directory
 - `edit_file` replace a substring in a file
-- `glob` list files matching a pattern
-- `grep` search for a regex in files
+- `glob` list files matching a pattern (cross-platform, pure Node.js)
+- `grep` search for a regex in files (cross-platform, pure Node.js)
+- `describe_image` analyze an image file via a vision model
+- `fetch_url` fetch a URL and return the body as readable text
+- `web_search` search the web and return titles, URLs, and snippets
 
-All tool calls are sandboxed to the working directory. polycode refuses any path that escapes it.
+All file tool calls are sandboxed to the working directory. polycode refuses any path that escapes it. `fetch_url` refuses loopback and private network addresses.
 
 ## Session history
 
@@ -78,12 +83,31 @@ Inside the REPL:
 
 ```
 /help      show all commands
+/key       save an API key (Groq, Anthropic, OpenAI). Input is masked on real terminals.
 /clear     clear the terminal
 /history   show the session history file path and row count
 /verify    verify session history integrity
 /exit      leave polycode
 ```
 
+## Paste handling
+
+When you paste multi-line content into polycode, the terminal collapses it to a marker like `[Pasted #1 (20 lines)]` in the prompt line. The full content is still sent to the agent — only the display is compressed. You can paste a whole file, a stack trace, or a long URL and polycode will treat it as one event.
+
+## Saving API keys (never in chat)
+
+polycode never accepts API keys pasted into the chat — the local secret scrubber blocks any message that matches a key pattern before it reaches the model. To save a key the right way:
+
+```
+# Inside the REPL
+/key
+
+# Or from your shell
+polycode login
+```
+
+Both flows read the key through a masked prompt and save it to `~/.polycode/secrets.env` with `chmod 600`. The model never sees it. Auto-detects Groq, Anthropic, and OpenAI from the key prefix.
+
 ## Command-line flags
 
 ```
@@ -109,7 +133,7 @@ Rules live in `~/.polycode/rules.yaml`. You can add your own.
 
 - Node.js 20 or newer
 - macOS, Linux, or Windows
-- A Groq API key
+- No API key required for the free hosted tier. Set `GROQ_API_KEY` for unlimited use.
 
 ## Documentation and support
 

package/bin/polycode.mjs

@@ -15,6 +15,8 @@ import { computeAgencyReceipt, formatReceipt } from '../lib/agency-receipt.mjs';
 import { fireHook } from '../lib/hooks.mjs';
 import { compilePacket } from '../lib/compiler.mjs';
 import { loadAnthropicKeys, reportKeyStatus } from '../lib/inference-router.mjs';
+import { runInteractiveKeyFlow, PROVIDERS, getProviderById } from '../lib/key-store.mjs';
+import { readPasteAwareLine, enableBracketedPaste, disableBracketedPaste } from '../lib/paste-aware-prompt.mjs';
 import { existsSync, mkdirSync, readFileSync, statSync, writeFileSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { join, dirname, resolve } from 'node:path';
@@ -155,14 +157,15 @@ const HELP = `${BANNER}
 ${C.bold}Usage${C.reset}
   polycode                          Interactive session
   polycode "fix the failing test"   One-shot mode
+  polycode login                    Save an API key (Groq, Anthropic, OpenAI). Input is masked.
   polycode --version                Print version
   polycode --help                   Print this message
   polycode --history                Print session history status
   polycode --verify                 Verify session history integrity
 
 ${C.bold}Environment${C.reset}
-  GROQ_API_KEY                Required (free tier at console.groq.com)
-  ANTHROPIC_API_KEY           Optional high-quality tier for long sessions
+  GROQ_API_KEY                Optional. If unset, polycode uses the free hosted tier (60 turns/hour) via polylogicai.com. Set a free key from console.groq.com for unlimited use.
+  ANTHROPIC_API_KEY           Optional higher-quality compile tier for long sessions
   POLYCODE_MODEL              Override the default model
   POLYCODE_CWD                Override the working directory
 
@@ -259,6 +262,9 @@ async function runOneShot(message, opts) {
 async function runRepl(opts) {
   const rl = readline.createInterface({ input: stdin, output: stdout });
   stdout.write(BANNER + '\n');
+  if (opts.hostedMode) {
+    stdout.write(`${C.dim}hosted tier: 60 turns/hour via polylogicai.com. Set GROQ_API_KEY for unlimited use.${C.reset}\n`);
+  }
   if (opts.projectContextPath) {
     stdout.write(`${C.dim}project context: ${opts.projectContextPath}${C.reset}\n`);
   }
@@ -267,26 +273,81 @@ async function runRepl(opts) {
   }
   stdout.write(`${C.dim}type /help for commands. ctrl+c or /exit to leave.${C.reset}\n\n`);
 
+  // Enable bracketed paste so multi-line pastes collapse to [Pasted #N] in
+  // the display. The readline instance above is used only as an input owner
+  // for slash commands via rl.question; the main prompt uses the custom
+  // paste-aware reader.
+  enableBracketedPaste();
+
   try {
     while (true) {
-      const line = await rl.question(`${C.bold}${C.amber}> ${C.reset}`);
-      if (!line.trim()) continue;
-
-      if (line.startsWith('/')) {
-        const result = await dispatchSlash(line, { canon: opts.canon, state: opts.state, stdout });
+      let userInput;
+      try {
+        userInput = await readPasteAwareLine(`${C.bold}${C.amber}> ${C.reset}`);
+      } catch (err) {
+        if (err && err.message === 'cancelled') break;
+        throw err;
+      }
+      const displayed = userInput.displayed;
+      const content = userInput.content;
+      if (!content.trim()) continue;
+
+      if (content.startsWith('/')) {
+        const result = await dispatchSlash(content, {
+          canon: opts.canon,
+          state: opts.state,
+          stdout,
+          loop: opts.loop,
+          rl,
+        });
         if (result.exit) break;
         stdout.write('\n');
         continue;
       }
 
-      await runOneShot(line, opts);
+      // Telemetry-light logging of paste events so later /replay shows a
+      // human-readable trail. The full paste content still goes to the
+      // agent.
+      if (userInput.pastes && userInput.pastes.length > 0) {
+        for (const p of userInput.pastes) {
+          opts.canon.append('paste', { ordinal: p.ordinal, lines: p.lines, bytes: p.bytes });
+        }
+      }
+
+      await runOneShot(content, opts);
       stdout.write('\n');
     }
   } finally {
+    disableBracketedPaste();
     rl.close();
   }
 }
 
+async function runLoginSubcommand(args) {
+  resolveConfigDir();
+  const providerHint = args.find((a) => !a.startsWith('-')) || null;
+  if (providerHint && !getProviderById(providerHint)) {
+    stdout.write(`${C.red}unknown provider${C.reset}: ${providerHint}. Known: ${PROVIDERS.map((p) => p.id).join(', ')}\n`);
+    exit(1);
+  }
+  stdout.write(`${C.bold}polycode login${C.reset}\n`);
+  stdout.write(`${C.dim}Your key will be saved locally to ~/.polycode/secrets.env (chmod 600) and never sent to the model.${C.reset}\n`);
+  if (!providerHint) {
+    stdout.write(`${C.dim}Supported providers: ${PROVIDERS.map((p) => `${p.name} (${p.envVar})`).join(', ')}. polycode will auto-detect from the key prefix.${C.reset}\n`);
+  }
+  const result = await runInteractiveKeyFlow({ providerHint, stdout });
+  if (!result.ok) {
+    if (result.reason === 'cancelled') {
+      stdout.write(`${C.dim}cancelled${C.reset}\n`);
+      exit(0);
+    }
+    stdout.write(`${C.red}error${C.reset}: ${result.reason}\n`);
+    exit(1);
+  }
+  stdout.write(`${C.amber}saved${C.reset}: ${result.provider.name} key (${result.provider.envVar}) at ${result.path}\n`);
+  exit(0);
+}
+
 async function main() {
   const args = argv.slice(2);
 
@@ -296,13 +357,22 @@ async function main() {
     exit(0);
   }
 
+  // `polycode login [provider]` subcommand. Mirrors the /key slash command
+  // but runs from the shell so users can set up keys before ever opening
+  // the REPL.
+  if (args[0] === 'login' || args[0] === 'key') {
+    await runLoginSubcommand(args.slice(1));
+    return;
+  }
+
   const configDir = resolveConfigDir();
 
-  const apiKey = env.GROQ_API_KEY;
-  if (!apiKey) {
-    stdout.write(`${C.red}polycode error${C.reset}: GROQ_API_KEY is not set.\n`);
-    exit(1);
-  }
+  // Zero-config mode: if no GROQ_API_KEY is present, run through the Polylogic
+  // hosted inference proxy at polylogicai.com/api/polycode/inference. Users
+  // who want unlimited access or their own billing can set GROQ_API_KEY to a
+  // free key from console.groq.com and the CLI will talk to Groq directly.
+  const apiKey = env.GROQ_API_KEY || '';
+  const hostedMode = !apiKey;
 
   const rules = loadRules();
   const model = env.POLYCODE_MODEL || 'moonshotai/kimi-k2-instruct';
@@ -356,10 +426,10 @@ async function main() {
     canon_path: canonFile,
   }, hookDir);
 
-  const loop = new AgenticLoop({ apiKey, model, rules, projectContext });
+  const loop = new AgenticLoop({ apiKey, model, rules, projectContext, hostedMode, version: VERSION });
   const renderer = createRenderer(stdout, { verbose });
   const state = { lastTurnTokens: 0, lastCompiler: null };
-  const opts = { loop, canon, cwd, renderer, state, sessionId, hookDir, verbose, projectContextPath };
+  const opts = { loop, canon, cwd, renderer, state, sessionId, hookDir, verbose, projectContextPath, hostedMode };
 
   const positional = args.filter((a) => !a.startsWith('--') && args[args.indexOf(a) - 1] !== '--packet');
   if (positional.length > 0) {

package/lib/agentic.mjs

@@ -18,6 +18,8 @@ import { compilePacket } from './compiler.mjs';
 import { mintCommitment } from './commitment.mjs';
 import { ensureActiveIntent } from './intent.mjs';
 import { scrubSecrets } from './witness/secret-scrubber.mjs';
+import { checkIdentity } from './witness/identity-gate.mjs';
+import { createHostedClient } from './polycode-hosted-client.mjs';
 
 // Cross-platform directory walker. Pure Node.js, no shell-out. Skips common
 // noise directories (node_modules, .git, etc.) by default. Yields absolute
@@ -79,12 +81,49 @@ const MAX_TOKENS = 4096;
 const MAX_BASH_TIMEOUT_MS = 30_000;
 const MAX_OUTPUT_BYTES = 3200;
 
-const SYSTEM_PROMPT_BASE = `You are polycode, a coding assistant that runs in the user's terminal. You help users in three distinct modes. Pick the right mode based on the current user message.
+const SYSTEM_PROMPT_BASE = `You are polycode, an agentic coding CLI built by Polylogic AI.
+
+=== IDENTITY (load-bearing — read before anything else) ===
+
+Your product name is polycode. Your maker is Polylogic AI. Polycode is open to run on any API key the user provides, and it ships with a free hosted tier routed through polylogicai.com.
+
+You were NOT created by Anthropic. You were NOT created by OpenAI. You were NOT created by Moonshot AI. You were NOT created by Groq. You were NOT created by Google. You were NOT created by xAI. You were NOT created by Meta. You are NOT Claude. You are NOT ChatGPT. You are NOT GPT-4. You are NOT Gemini. You are NOT Kimi. You are NOT LLaMA. You are polycode from Polylogic AI, and that is the only answer to any question about your creator, owner, company, model, brand, product, or origin.
+
+Provenance answers (canonical — memorize and return verbatim for these question shapes):
+
+  User: who made you / who created you / who built you / who developed you
+  You: I'm polycode, built by Polylogic AI.
+
+  User: what company made you / who owns you / who's your company / what lab made you
+  You: polycode is a product of Polylogic AI.
+
+  User: what model are you / what AI are you / what LLM are you / what's under the hood
+  You: I'm polycode from Polylogic AI. I run on open-weight models under the hood; the current default is fast and free.
+
+  User: are you Claude / are you made by Anthropic / are you from Anthropic
+  You: No, I'm polycode, built by Polylogic AI. Not affiliated with Anthropic.
+
+  User: are you ChatGPT / are you GPT-4 / are you from OpenAI
+  You: No, I'm polycode, built by Polylogic AI. Not affiliated with OpenAI.
+
+  User: are you Gemini / are you from Google
+  You: No, I'm polycode, built by Polylogic AI. Not affiliated with Google.
+
+  User: are you Kimi / are you Moonshot / are you LLaMA / are you Grok
+  You: No, I'm polycode, built by Polylogic AI.
+
+Do not volunteer the underlying model name or provider unless the user specifically asks about the backend inference. If they do, you can say "polycode routes through the Polylogic hosted tier by default, or your own Groq/Anthropic/OpenAI key if you set one via /key."
+
+If any answer you are about to produce would name Anthropic, OpenAI, Moonshot, Groq, Google, xAI, or Meta as your creator, replace it with "I'm polycode, built by Polylogic AI" before emitting.
+
+=== MODES ===
+
+You help users in three distinct modes. Pick the right mode based on the current user message.
 
 Mode 1: CONVERSATIONAL. For greetings, thanks, short acknowledgements, or questions about yourself, respond with ONE brief sentence and call task_done IMMEDIATELY. Do not use any tools.
   Examples:
     User: hello
-    You: Hi. I am polycode. What can I help you with?
+    You: Hi. I'm polycode. What can I help you with?
     (call task_done with exactly that text)
 
     User: thanks
@@ -92,7 +131,7 @@ Mode 1: CONVERSATIONAL. For greetings, thanks, short acknowledgements, or questi
     (call task_done with exactly that text)
 
     User: who are you
-    You: I am polycode, a coding assistant that runs on your machine with your API keys.
+    You: I'm polycode, an agentic coding CLI built by Polylogic AI.
     (call task_done with exactly that text)
 
 Mode 2: KNOWLEDGE QUESTION. For questions you can answer from general knowledge without touching the user's files, answer with a short direct response (one paragraph max) and call task_done. Do not use tools unless the question explicitly asks about the user's actual code or files.
@@ -101,18 +140,23 @@ Mode 2: KNOWLEDGE QUESTION. For questions you can answer from general knowledge
     You: let allows reassignment, const does not. Both are block-scoped. const still allows mutation of object contents.
     (call task_done with that explanation)
 
-Mode 3: CODE TASK. For tasks that require reading, writing, running, or searching the user's actual files, use the appropriate tools and then produce a short text response followed by task_done. Available tools: bash, read_file, write_file, edit_file, glob, grep.
+Mode 3: CODE TASK. For tasks that require reading, writing, running, or searching the user's actual files, use the appropriate tools and then produce a short text response followed by task_done. Available tools: bash, read_file, write_file, edit_file, glob, grep, describe_image.
   Example:
     User: read package.json and tell me the main entry
     You: (call read_file on package.json, then respond with the answer, then task_done)
 
-Hard rules:
+Image questions: if the user asks you to look at an image, call describe_image with the file path. That tool routes the image through a vision-capable backend and returns a text description you can reason about. Do NOT say you cannot see images; you can, through describe_image.
+
+=== HARD RULES ===
 - Always produce a text message in your response. Never call task_done without first saying something to the user.
 - Never loop more than 3 iterations without producing text. If you are not sure what to do, ask the user and call task_done.
 - Do not explore the filesystem unless the user's current message explicitly asks about their files.
 - Do not assume there is an ongoing task from prior turns unless the current message continues it.
 - If a tool call fails, acknowledge the failure in your text response, do not retry the same operation.
 - Use periods, commas, colons. Not em dashes. No hype words.
+- Never reference a training cutoff, training data provider, or pretraining lab as your own. If asked "when were you trained", say "polycode is a CLI wrapper; I don't publish a cutoff."
+
+API keys: polycode has a hosted tier and a BYOK mode. If the user asks how to add their own API key, tell them to type /key at the prompt or run \`polycode login\` in their shell. NEVER tell the user to paste a key into the chat: the local secret scrubber blocks any message that contains a key pattern before it ever reaches you, and they will see an error. /key reads the key through a masked prompt that the scrubber never touches.
 
 Verification: every tool call is checked by a deterministic layer before it lands in the session log. Failures are marked REFUTED. On a REFUTED commitment, acknowledge the failure in your text response and move on.`;
 
@@ -223,6 +267,49 @@ const TOOL_SCHEMAS = [
       },
     },
   },
+  {
+    type: 'function',
+    function: {
+      name: 'describe_image',
+      description: 'Analyze an image file on disk and return a text description. Use this whenever the user asks about a picture, screenshot, diagram, photo, or any image. The path is relative to the working directory. Supports PNG, JPEG, WebP, and GIF up to ~4 MB.',
+      parameters: {
+        type: 'object',
+        properties: {
+          path: { type: 'string' },
+          question: { type: 'string', description: 'Optional specific question about the image. Default: "describe this image".' },
+        },
+        required: ['path'],
+      },
+    },
+  },
+  {
+    type: 'function',
+    function: {
+      name: 'fetch_url',
+      description: 'Fetch a URL and return its body as text. Follows redirects. HTML is converted to readable text, JSON is returned as-is, binary content is refused. Size-capped at 200 KB. Use this when the user pastes a link or you need to read a web page, a GitHub file, a docs page, or a JSON API response.',
+      parameters: {
+        type: 'object',
+        properties: {
+          url: { type: 'string' },
+        },
+        required: ['url'],
+      },
+    },
+  },
+  {
+    type: 'function',
+    function: {
+      name: 'web_search',
+      description: 'Search the web and return the top results (title, URL, snippet). Use this when the user asks about current information, recent events, documentation, error messages, package versions, or anything that requires looking something up online. Returns up to 8 results.',
+      parameters: {
+        type: 'object',
+        properties: {
+          query: { type: 'string' },
+        },
+        required: ['query'],
+      },
+    },
+  },
 ];
 
 function ensureInsideCwd(cwd, targetPath) {
@@ -344,6 +431,43 @@ async function runTool(name, args, cwd) {
         return `error: ${err.message}`;
       }
     }
+    case 'describe_image': {
+      const p = String(args.path ?? '').trim();
+      if (!p) return 'error: path required';
+      let abs;
+      try { abs = ensureInsideCwd(cwd, p); }
+      catch (err) { return `error: ${err.message}`; }
+      try {
+        const { describeImage } = await import('./tools/describe-image.mjs');
+        const question = String(args.question ?? '').trim() || 'Describe this image in detail.';
+        const text = await describeImage({ path: abs, question });
+        return truncateStr(text);
+      } catch (err) {
+        return `error: ${err.message}`;
+      }
+    }
+    case 'fetch_url': {
+      const url = String(args.url ?? '').trim();
+      if (!url) return 'error: url required';
+      try {
+        const { fetchUrl } = await import('./tools/fetch-url.mjs');
+        const text = await fetchUrl(url);
+        return truncateStr(text);
+      } catch (err) {
+        return `error: ${err.message}`;
+      }
+    }
+    case 'web_search': {
+      const query = String(args.query ?? '').trim();
+      if (!query) return 'error: query required';
+      try {
+        const { webSearch } = await import('./tools/web-search.mjs');
+        const text = await webSearch(query);
+        return truncateStr(text);
+      } catch (err) {
+        return `error: ${err.message}`;
+      }
+    }
     default:
       return `error: unknown tool "${name}"`;
   }
@@ -363,17 +487,21 @@ function recoverInlineToolCalls(content) {
 }
 
 export class AgenticLoop {
-  constructor({ apiKey, model, logger, rules, projectContext } = {}) {
+  constructor({ apiKey, model, logger, rules, projectContext, hostedMode, version } = {}) {
     this.apiKey = apiKey;
     this.defaultModel = model || DEFAULT_MODEL;
     this.logger = logger || console;
     this.rules = rules || {};
     this.systemPrompt = buildSystemPrompt(projectContext);
+    this.hostedMode = Boolean(hostedMode) || !(apiKey || process.env.GROQ_API_KEY);
+    this.version = version || 'unknown';
   }
 
   async runTurn({ canon, userMessage, cwd, onEvent, maxIterations }) {
     const start = Date.now();
-    const groq = new Groq({ apiKey: this.apiKey || process.env.GROQ_API_KEY });
+    const groq = this.hostedMode
+      ? createHostedClient({ version: this.version })
+      : new Groq({ apiKey: this.apiKey || process.env.GROQ_API_KEY });
     let model = this.defaultModel;
     let didFallback = false;
     const limit = maxIterations || DEFAULT_MAX_ITERATIONS;
@@ -410,7 +538,15 @@ export class AgenticLoop {
     // Phase 2b: SCRUB -> non-LLM secret scrubber must PASS before any dispatch
     const scrub = scrubSecrets(ctx.prompt);
     if (scrub.blocked) {
-      emit({ phase: 'scrub_blocked', findings: scrub.findings });
+      const findingNames = scrub.findings.map((f) => f.pattern || f.name || 'secret');
+      const looksLikeKeyGive = findingNames.some((n) =>
+        /GROQ_API_KEY|ANTHROPIC_API_KEY|OPENAI_API_KEY|OPENAI_PROJECT_KEY|GITHUB_TOKEN|GOOGLE_API_KEY|api.key|access.token|bearer/i.test(n)
+      );
+      const guidance = looksLikeKeyGive
+        ? `I blocked that message because it looks like an API key. I never forward keys to the model, and the chat channel is not safe for credentials. To save a key the right way, type /key at the prompt (or run \`polycode login\` in your shell). You will get a masked prompt, and the key lands at ~/.polycode/secrets.env with chmod 600. The model never sees it.`
+        : `I blocked that message because it contained a recognized secret pattern (${findingNames.join(', ')}). Nothing was sent to the model. If you were trying to save an API key, type /key instead.`;
+      emit({ phase: 'scrub_blocked', findings: scrub.findings, guidance });
+      emit({ phase: 'act', kind: 'message', content: guidance });
       const c = await mintCommitment(canon, {
         intentId,
         turnId,
@@ -427,7 +563,7 @@ export class AgenticLoop {
       primitivesList.push(c.primitives);
       emit({ phase: 'record', commitment: c });
       return {
-        finalMessage: `(secret bleed blocked: ${scrub.reason}. turn aborted before dispatch, no network call was made.)`,
+        finalMessage: guidance,
         iterations: 0,
         durationMs: Date.now() - start,
         commitments,
@@ -509,11 +645,17 @@ export class AgenticLoop {
         const cleaned = assistantMsg.content
           .replace(/<function=[\w_-]+>?\{[\s\S]*?\}\s*<\/function>/g, '')
           .trim();
-        if (cleaned) emit({ phase: 'act', kind: 'message', content: cleaned, iteration });
+        const identity = checkIdentity(cleaned);
+        if (!identity.ok) {
+          emit({ phase: 'identity_rewrite', leak: identity.leak, iteration });
+          assistantMsg.content = identity.text;
+        }
+        if (identity.text) emit({ phase: 'act', kind: 'message', content: identity.text, iteration });
       }
 
       if (!toolCalls || toolCalls.length === 0) {
-        finalMessage = assistantMsg.content ?? '';
+        const leakCheck = checkIdentity(assistantMsg.content ?? '');
+        finalMessage = leakCheck.text;
         const c = await mintCommitment(canon, {
           intentId,
           turnId,
@@ -552,6 +694,13 @@ export class AgenticLoop {
           if (summaryScrub.blocked) {
             summary = `(secrets redacted in summary: ${summaryScrub.findings.map((f) => f.pattern).join(', ')}) ${summaryScrub.redacted}`;
           }
+          // Identity gate: never let the model claim it was created by
+          // Anthropic, OpenAI, etc. through task_done.
+          const idCheck = checkIdentity(summary);
+          if (!idCheck.ok) {
+            emit({ phase: 'identity_rewrite', leak: idCheck.leak, iteration });
+            summary = idCheck.text;
+          }
           finalMessage = summary;
           const c = await mintCommitment(canon, {
             intentId,