@poolzin/pool-bot 2026.2.11 → 2026.2.17

package/CHANGELOG.md

@@ -1,3 +1,20 @@
+## v2026.2.17 (2026-02-17)
+
+### Features
+- Upstream gap port — comprehensive security, memory, and agent tooling update:
+  - **Security:** path traversal guards, sandbox security validation, prompt literal sanitization, PID-based process liveness checks
+  - **Tool loop detection:** configurable detector with cooldown, warning injection, and diagnostic logging to prevent runaway tool-call loops
+  - **Memory search:** MMR (maximal marginal relevance) re-ranking, temporal decay scoring, query expansion — all configurable via `mmr` and `temporalDecay` search options
+  - **Hybrid search:** async merge with MMR diversity + temporal recency scoring
+  - **Embeddings:** graceful FTS-only fallback when all embedding providers are unavailable
+  - **Model fallback:** probe-during-cooldown logic — automatically tests primary model recovery without waiting for full cooldown expiry
+  - **Session write lock:** rewritten with PID liveness checks, watchdog timer, and stale lock cleanup
+  - **System prompt:** `llms.txt` context section, sanitized workspace variables, valid context file filtering
+  - **Tool policy:** extracted glob patterns to shared module, sandbox tool policy helpers, configurable subagent spawn depth/children limits
+  - **Post-compaction:** audit and context enrichment for compacted conversation summaries
+
+---
+
 ## v2026.2.11 (2026-02-16)
 
 ### Fixes

package/dist/agents/auth-profiles/usage.js

@@ -8,6 +8,28 @@ function resolveProfileUnusableUntil(stats) {
         return null;
     return Math.max(...values);
 }
+/**
+ * Returns the soonest `cooldownUntil` / `disabledUntil` timestamp across the given
+ * profiles, or `null` when no profile has a recorded cooldown. Note: the
+ * returned timestamp may be in the past if the cooldown has already expired.
+ */
+export function getSoonestCooldownExpiry(store, profileIds) {
+    let soonest = null;
+    for (const id of profileIds) {
+        const stats = store.usageStats?.[id];
+        if (!stats) {
+            continue;
+        }
+        const until = resolveProfileUnusableUntil(stats);
+        if (typeof until !== "number" || !Number.isFinite(until) || until <= 0) {
+            continue;
+        }
+        if (soonest === null || until < soonest) {
+            soonest = until;
+        }
+    }
+    return soonest;
+}
 /**
  * Check if a profile is currently in cooldown (due to rate limiting or errors).
  */

package/dist/agents/auth-profiles.js

@@ -7,4 +7,4 @@ export { resolveAuthStorePathForDisplay } from "./auth-profiles/paths.js";
 export { listProfilesForProvider, markAuthProfileGood, setAuthProfileOrder, upsertAuthProfile, upsertAuthProfileWithLock, } from "./auth-profiles/profiles.js";
 export { repairOAuthProfileIdMismatch, suggestOAuthProfileIdForLegacyDefault, } from "./auth-profiles/repair.js";
 export { ensureAuthProfileStore, loadAuthProfileStore, saveAuthProfileStore, } from "./auth-profiles/store.js";
-export { calculateAuthProfileCooldownMs, clearAuthProfileCooldown, isProfileInCooldown, markAuthProfileCooldown, markAuthProfileFailure, markAuthProfileUsed, resolveProfileUnusableUntilForDisplay, } from "./auth-profiles/usage.js";
+export { calculateAuthProfileCooldownMs, clearAuthProfileCooldown, getSoonestCooldownExpiry, isProfileInCooldown, markAuthProfileCooldown, markAuthProfileFailure, markAuthProfileUsed, resolveProfileUnusableUntilForDisplay, } from "./auth-profiles/usage.js";

package/dist/agents/glob-pattern.js

@@ -0,0 +1,42 @@
+function escapeRegex(value) {
+    // Standard "escape string for regex literal" pattern.
+    return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+export function compileGlobPattern(params) {
+    const normalized = params.normalize(params.raw);
+    if (!normalized) {
+        return { kind: "exact", value: "" };
+    }
+    if (normalized === "*") {
+        return { kind: "all" };
+    }
+    if (!normalized.includes("*")) {
+        return { kind: "exact", value: normalized };
+    }
+    return {
+        kind: "regex",
+        value: new RegExp(`^${escapeRegex(normalized).replaceAll("\\*", ".*")}$`),
+    };
+}
+export function compileGlobPatterns(params) {
+    if (!Array.isArray(params.raw)) {
+        return [];
+    }
+    return params.raw
+        .map((raw) => compileGlobPattern({ raw, normalize: params.normalize }))
+        .filter((pattern) => pattern.kind !== "exact" || pattern.value);
+}
+export function matchesAnyGlobPattern(value, patterns) {
+    for (const pattern of patterns) {
+        if (pattern.kind === "all") {
+            return true;
+        }
+        if (pattern.kind === "exact" && value === pattern.value) {
+            return true;
+        }
+        if (pattern.kind === "regex" && pattern.value.test(value)) {
+            return true;
+        }
+    }
+    return false;
+}

package/dist/agents/memory-search.js

@@ -17,6 +17,10 @@ const DEFAULT_HYBRID_ENABLED = true;
 const DEFAULT_HYBRID_VECTOR_WEIGHT = 0.7;
 const DEFAULT_HYBRID_TEXT_WEIGHT = 0.3;
 const DEFAULT_HYBRID_CANDIDATE_MULTIPLIER = 4;
+const DEFAULT_MMR_ENABLED = false;
+const DEFAULT_MMR_LAMBDA = 0.7;
+const DEFAULT_TEMPORAL_DECAY_ENABLED = false;
+const DEFAULT_TEMPORAL_DECAY_HALF_LIFE_DAYS = 30;
 const DEFAULT_CACHE_ENABLED = true;
 const DEFAULT_SOURCES = ["memory"];
 function normalizeSources(sources, sessionMemoryEnabled) {
@@ -141,6 +145,22 @@ function mergeConfig(defaults, overrides, agentId) {
         candidateMultiplier: overrides?.query?.hybrid?.candidateMultiplier ??
             defaults?.query?.hybrid?.candidateMultiplier ??
             DEFAULT_HYBRID_CANDIDATE_MULTIPLIER,
+        mmr: {
+            enabled: overrides?.query?.hybrid?.mmr?.enabled ??
+                defaults?.query?.hybrid?.mmr?.enabled ??
+                DEFAULT_MMR_ENABLED,
+            lambda: overrides?.query?.hybrid?.mmr?.lambda ??
+                defaults?.query?.hybrid?.mmr?.lambda ??
+                DEFAULT_MMR_LAMBDA,
+        },
+        temporalDecay: {
+            enabled: overrides?.query?.hybrid?.temporalDecay?.enabled ??
+                defaults?.query?.hybrid?.temporalDecay?.enabled ??
+                DEFAULT_TEMPORAL_DECAY_ENABLED,
+            halfLifeDays: overrides?.query?.hybrid?.temporalDecay?.halfLifeDays ??
+                defaults?.query?.hybrid?.temporalDecay?.halfLifeDays ??
+                DEFAULT_TEMPORAL_DECAY_HALF_LIFE_DAYS,
+        },
     };
     const cache = {
         enabled: overrides?.cache?.enabled ?? defaults?.cache?.enabled ?? DEFAULT_CACHE_ENABLED,
@@ -154,6 +174,9 @@ function mergeConfig(defaults, overrides, agentId) {
     const normalizedVectorWeight = sum > 0 ? vectorWeight / sum : DEFAULT_HYBRID_VECTOR_WEIGHT;
     const normalizedTextWeight = sum > 0 ? textWeight / sum : DEFAULT_HYBRID_TEXT_WEIGHT;
     const candidateMultiplier = clampInt(hybrid.candidateMultiplier, 1, 20);
+    const temporalDecayHalfLifeDays = Math.max(1, Math.floor(Number.isFinite(hybrid.temporalDecay.halfLifeDays)
+        ? hybrid.temporalDecay.halfLifeDays
+        : DEFAULT_TEMPORAL_DECAY_HALF_LIFE_DAYS));
     const deltaBytes = clampInt(sync.sessions.deltaBytes, 0, Number.MAX_SAFE_INTEGER);
     const deltaMessages = clampInt(sync.sessions.deltaMessages, 0, Number.MAX_SAFE_INTEGER);
     return {
@@ -185,6 +208,16 @@ function mergeConfig(defaults, overrides, agentId) {
                 vectorWeight: normalizedVectorWeight,
                 textWeight: normalizedTextWeight,
                 candidateMultiplier,
+                mmr: {
+                    enabled: Boolean(hybrid.mmr.enabled),
+                    lambda: Number.isFinite(hybrid.mmr.lambda)
+                        ? Math.max(0, Math.min(1, hybrid.mmr.lambda))
+                        : DEFAULT_MMR_LAMBDA,
+                },
+                temporalDecay: {
+                    enabled: Boolean(hybrid.temporalDecay.enabled),
+                    halfLifeDays: temporalDecayHalfLifeDays,
+                },
             },
         },
         cache: {

package/dist/agents/model-fallback.js

@@ -1,7 +1,7 @@
 import { DEFAULT_MODEL, DEFAULT_PROVIDER } from "./defaults.js";
 import { coerceToFailoverError, describeFailoverError, isFailoverError, isTimeoutError, } from "./failover-error.js";
 import { buildModelAliasIndex, modelKey, parseModelRef, resolveConfiguredModelRef, resolveModelRefFromString, } from "./model-selection.js";
-import { ensureAuthProfileStore, isProfileInCooldown, resolveAuthProfileOrder, } from "./auth-profiles.js";
+import { ensureAuthProfileStore, getSoonestCooldownExpiry, isProfileInCooldown, resolveAuthProfileOrder, } from "./auth-profiles.js";
 function isAbortError(err) {
     if (!err || typeof err !== "object")
         return false;
@@ -135,6 +135,36 @@ function resolveFallbackCandidates(params) {
     }
     return candidates;
 }
+const lastProbeAttempt = new Map();
+const MIN_PROBE_INTERVAL_MS = 30_000; // 30 seconds between probes per key
+const PROBE_MARGIN_MS = 2 * 60 * 1000;
+const PROBE_SCOPE_DELIMITER = "::";
+function resolveProbeThrottleKey(provider, agentDir) {
+    const scope = String(agentDir ?? "").trim();
+    return scope ? `${scope}${PROBE_SCOPE_DELIMITER}${provider}` : provider;
+}
+function shouldProbePrimaryDuringCooldown(params) {
+    if (!params.isPrimary || !params.hasFallbackCandidates) {
+        return false;
+    }
+    const lastProbe = lastProbeAttempt.get(params.throttleKey) ?? 0;
+    if (params.now - lastProbe < MIN_PROBE_INTERVAL_MS) {
+        return false;
+    }
+    const soonest = getSoonestCooldownExpiry(params.authStore, params.profileIds);
+    if (soonest === null || !Number.isFinite(soonest)) {
+        return true;
+    }
+    // Probe when cooldown already expired or within the configured margin.
+    return params.now >= soonest - PROBE_MARGIN_MS;
+}
+/** @internal – exposed for unit tests only */
+export const _probeThrottleInternals = {
+    lastProbeAttempt,
+    MIN_PROBE_INTERVAL_MS,
+    PROBE_MARGIN_MS,
+    resolveProbeThrottleKey,
+};
 export async function runWithModelFallback(params) {
     const candidates = resolveFallbackCandidates({
         cfg: params.cfg,
@@ -146,6 +176,7 @@ export async function runWithModelFallback(params) {
         ? ensureAuthProfileStore(params.agentDir, { allowKeychainPrompt: false })
         : null;
     const attempts = [];
+    const hasFallbackCandidates = candidates.length > 1;
     let lastError;
     for (let i = 0; i < candidates.length; i += 1) {
         const candidate = candidates[i];
@@ -157,14 +188,34 @@ export async function runWithModelFallback(params) {
             });
             const isAnyProfileAvailable = profileIds.some((id) => !isProfileInCooldown(authStore, id));
             if (profileIds.length > 0 && !isAnyProfileAvailable) {
-                // All profiles for this provider are in cooldown; skip without attempting
-                attempts.push({
-                    provider: candidate.provider,
-                    model: candidate.model,
-                    error: `Provider ${candidate.provider} is in cooldown (all profiles unavailable)`,
-                    reason: "rate_limit",
+                // All profiles for this provider are in cooldown.
+                // For the primary model (i === 0), probe it if the soonest cooldown
+                // expiry is close or already past. This avoids staying on a fallback
+                // model long after the real rate-limit window clears.
+                const now = Date.now();
+                const probeThrottleKey = resolveProbeThrottleKey(candidate.provider, params.agentDir);
+                const shouldProbe = shouldProbePrimaryDuringCooldown({
+                    isPrimary: i === 0,
+                    hasFallbackCandidates,
+                    now,
+                    throttleKey: probeThrottleKey,
+                    authStore,
+                    profileIds,
                 });
-                continue;
+                if (!shouldProbe) {
+                    // Skip without attempting
+                    attempts.push({
+                        provider: candidate.provider,
+                        model: candidate.model,
+                        error: `Provider ${candidate.provider} is in cooldown (all profiles unavailable)`,
+                        reason: "rate_limit",
+                    });
+                    continue;
+                }
+                // Primary model probe: attempt it despite cooldown to detect recovery.
+                // If it fails, the error is caught below and we fall through to the
+                // next candidate as usual.
+                lastProbeAttempt.set(probeThrottleKey, now);
             }
         }
         try {

package/dist/agents/pi-tools.before-tool-call.js

@@ -3,13 +3,108 @@ import { getGlobalHookRunner } from "../plugins/hook-runner-global.js";
 import { isPlainObject } from "../utils.js";
 import { normalizeToolName } from "./tool-policy.js";
 const log = createSubsystemLogger("agents/tools");
+const BEFORE_TOOL_CALL_WRAPPED = Symbol("beforeToolCallWrapped");
+const adjustedParamsByToolCallId = new Map();
+const MAX_TRACKED_ADJUSTED_PARAMS = 1024;
+const LOOP_WARNING_BUCKET_SIZE = 10;
+const MAX_LOOP_WARNING_KEYS = 256;
+function shouldEmitLoopWarning(state, warningKey, count) {
+    if (!state.toolLoopWarningBuckets) {
+        state.toolLoopWarningBuckets = new Map();
+    }
+    const bucket = Math.floor(count / LOOP_WARNING_BUCKET_SIZE);
+    const lastBucket = state.toolLoopWarningBuckets.get(warningKey) ?? 0;
+    if (bucket <= lastBucket) {
+        return false;
+    }
+    state.toolLoopWarningBuckets.set(warningKey, bucket);
+    if (state.toolLoopWarningBuckets.size > MAX_LOOP_WARNING_KEYS) {
+        const oldest = state.toolLoopWarningBuckets.keys().next().value;
+        if (oldest) {
+            state.toolLoopWarningBuckets.delete(oldest);
+        }
+    }
+    return true;
+}
+async function recordLoopOutcome(args) {
+    if (!args.ctx?.sessionKey) {
+        return;
+    }
+    try {
+        const { getDiagnosticSessionState } = await import("../logging/diagnostic-session-state.js");
+        const { recordToolCallOutcome } = await import("./tool-loop-detection.js");
+        const sessionState = getDiagnosticSessionState({
+            sessionKey: args.ctx.sessionKey,
+            sessionId: args.ctx?.agentId,
+        });
+        recordToolCallOutcome(sessionState, {
+            toolName: args.toolName,
+            toolParams: args.toolParams,
+            toolCallId: args.toolCallId,
+            result: args.result,
+            error: args.error,
+            config: args.ctx.loopDetection,
+        });
+    }
+    catch (err) {
+        log.warn(`tool loop outcome tracking failed: tool=${args.toolName} error=${String(err)}`);
+    }
+}
 export async function runBeforeToolCallHook(args) {
+    const toolName = normalizeToolName(args.toolName || "tool");
+    const params = args.params;
+    if (args.ctx?.sessionKey) {
+        const { getDiagnosticSessionState } = await import("../logging/diagnostic-session-state.js");
+        const { logToolLoopAction } = await import("../logging/diagnostic.js");
+        const { detectToolCallLoop, recordToolCall } = await import("./tool-loop-detection.js");
+        const sessionState = getDiagnosticSessionState({
+            sessionKey: args.ctx.sessionKey,
+            sessionId: args.ctx?.agentId,
+        });
+        const loopResult = detectToolCallLoop(sessionState, toolName, params, args.ctx.loopDetection);
+        if (loopResult.stuck) {
+            if (loopResult.level === "critical") {
+                log.error(`Blocking ${toolName} due to critical loop: ${loopResult.message}`);
+                logToolLoopAction({
+                    sessionKey: args.ctx.sessionKey,
+                    sessionId: args.ctx?.agentId,
+                    toolName,
+                    level: "critical",
+                    action: "block",
+                    detector: loopResult.detector,
+                    count: loopResult.count,
+                    message: loopResult.message,
+                    pairedToolName: loopResult.pairedToolName,
+                });
+                return {
+                    blocked: true,
+                    reason: loopResult.message,
+                };
+            }
+            else {
+                const warningKey = loopResult.warningKey ?? `${loopResult.detector}:${toolName}`;
+                if (shouldEmitLoopWarning(sessionState, warningKey, loopResult.count)) {
+                    log.warn(`Loop warning for ${toolName}: ${loopResult.message}`);
+                    logToolLoopAction({
+                        sessionKey: args.ctx.sessionKey,
+                        sessionId: args.ctx?.agentId,
+                        toolName,
+                        level: "warning",
+                        action: "warn",
+                        detector: loopResult.detector,
+                        count: loopResult.count,
+                        message: loopResult.message,
+                        pairedToolName: loopResult.pairedToolName,
+                    });
+                }
+            }
+        }
+        recordToolCall(sessionState, toolName, params, args.toolCallId, args.ctx.loopDetection);
+    }
     const hookRunner = getGlobalHookRunner();
     if (!hookRunner?.hasHooks("before_tool_call")) {
         return { blocked: false, params: args.params };
     }
-    const toolName = normalizeToolName(args.toolName || "tool");
-    const params = args.params;
     try {
         const normalizedParams = isPlainObject(params) ? params : {};
         const hookResult = await hookRunner.runBeforeToolCall({
@@ -45,7 +140,7 @@ export function wrapToolWithBeforeToolCallHook(tool, ctx) {
         return tool;
     }
     const toolName = tool.name || "tool";
-    return {
+    const wrappedTool = {
         ...tool,
         execute: async (toolCallId, params, signal, onUpdate) => {
             const outcome = await runBeforeToolCallHook({
@@ -57,11 +152,57 @@ export function wrapToolWithBeforeToolCallHook(tool, ctx) {
             if (outcome.blocked) {
                 throw new Error(outcome.reason);
             }
-            return await execute(toolCallId, outcome.params, signal, onUpdate);
+            if (toolCallId) {
+                adjustedParamsByToolCallId.set(toolCallId, outcome.params);
+                if (adjustedParamsByToolCallId.size > MAX_TRACKED_ADJUSTED_PARAMS) {
+                    const oldest = adjustedParamsByToolCallId.keys().next().value;
+                    if (oldest) {
+                        adjustedParamsByToolCallId.delete(oldest);
+                    }
+                }
+            }
+            const normalizedToolName = normalizeToolName(toolName || "tool");
+            try {
+                const result = await execute(toolCallId, outcome.params, signal, onUpdate);
+                await recordLoopOutcome({
+                    ctx,
+                    toolName: normalizedToolName,
+                    toolParams: outcome.params,
+                    toolCallId,
+                    result,
+                });
+                return result;
+            }
+            catch (err) {
+                await recordLoopOutcome({
+                    ctx,
+                    toolName: normalizedToolName,
+                    toolParams: outcome.params,
+                    toolCallId,
+                    error: err,
+                });
+                throw err;
+            }
         },
     };
+    Object.defineProperty(wrappedTool, BEFORE_TOOL_CALL_WRAPPED, {
+        value: true,
+        enumerable: false,
+    });
+    return wrappedTool;
+}
+export function isToolWrappedWithBeforeToolCallHook(tool) {
+    const taggedTool = tool;
+    return taggedTool[BEFORE_TOOL_CALL_WRAPPED] === true;
+}
+export function consumeAdjustedParamsForToolCall(toolCallId) {
+    const params = adjustedParamsByToolCallId.get(toolCallId);
+    adjustedParamsByToolCallId.delete(toolCallId);
+    return params;
 }
 export const __testing = {
+    BEFORE_TOOL_CALL_WRAPPED,
+    adjustedParamsByToolCallId,
     runBeforeToolCallHook,
     isPlainObject,
 };

package/dist/agents/pi-tools.js

@@ -5,12 +5,13 @@ import { createApplyPatchTool } from "./apply-patch.js";
 import { createExecTool, createProcessTool, } from "./bash-tools.js";
 import { listChannelAgentTools } from "./channel-tools.js";
 import { createPoolBotTools } from "./poolbot-tools.js";
+import { resolveAgentConfig } from "./agent-scope.js";
 import { wrapToolWithAbortSignal } from "./pi-tools.abort.js";
 import { wrapToolWithBeforeToolCallHook } from "./pi-tools.before-tool-call.js";
 import { filterToolsByPolicy, isToolAllowedByPolicies, resolveEffectiveToolPolicy, resolveGroupToolPolicy, resolveSubagentToolPolicy, } from "./pi-tools.policy.js";
 import { assertRequiredParams, CLAUDE_PARAM_GROUPS, createPoolbotReadTool, createSandboxedEditTool, createSandboxedReadTool, createSandboxedWriteTool, normalizeToolParams, patchToolSchemaForClaudeCompatibility, wrapToolParamNormalization, } from "./pi-tools.read.js";
 import { cleanToolSchemaForGemini, normalizeToolParameters } from "./pi-tools.schema.js";
-import { buildPluginToolGroups, collectExplicitAllowlist, expandPolicyWithPluginGroups, normalizeToolName, resolveToolProfilePolicy, stripPluginOnlyAllowlist, applyOwnerOnlyToolPolicy, } from "./tool-policy.js";
+import { buildPluginToolGroups, collectExplicitAllowlist, expandPolicyWithPluginGroups, mergeAlsoAllowPolicy, normalizeToolName, resolveToolProfilePolicy, stripPluginOnlyAllowlist, applyOwnerOnlyToolPolicy, } from "./tool-policy.js";
 import { getPluginToolMeta } from "../plugins/tools.js";
 import { logWarn } from "../logger.js";
 function isOpenAIProvider(provider) {
@@ -53,6 +54,26 @@ function resolveExecConfig(cfg) {
         applyPatch: globalExec?.applyPatch,
     };
 }
+export function resolveToolLoopDetectionConfig(params) {
+    const global = params.cfg?.tools?.loopDetection;
+    const agent = params.agentId && params.cfg
+        ? resolveAgentConfig(params.cfg, params.agentId)?.tools?.loopDetection
+        : undefined;
+    if (!agent) {
+        return global;
+    }
+    if (!global) {
+        return agent;
+    }
+    return {
+        ...global,
+        ...agent,
+        detectors: {
+            ...global.detectors,
+            ...agent.detectors,
+        },
+    };
+}
 export const __testing = {
     cleanToolSchemaForGemini,
     normalizeToolParams,
@@ -85,13 +106,8 @@ export function createPoolbotCodingTools(options) {
     });
     const profilePolicy = resolveToolProfilePolicy(profile);
     const providerProfilePolicy = resolveToolProfilePolicy(providerProfile);
-    const mergeAlsoAllow = (policy, alsoAllow) => {
-        if (!policy?.allow || !Array.isArray(alsoAllow) || alsoAllow.length === 0)
-            return policy;
-        return { ...policy, allow: Array.from(new Set([...policy.allow, ...alsoAllow])) };
-    };
-    const profilePolicyWithAlsoAllow = mergeAlsoAllow(profilePolicy, profileAlsoAllow);
-    const providerProfilePolicyWithAlsoAllow = mergeAlsoAllow(providerProfilePolicy, providerProfileAlsoAllow);
+    const profilePolicyWithAlsoAllow = mergeAlsoAllowPolicy(profilePolicy, profileAlsoAllow);
+    const providerProfilePolicyWithAlsoAllow = mergeAlsoAllowPolicy(providerProfilePolicy, providerProfileAlsoAllow);
     const scopeKey = options?.exec?.scopeKey ?? (agentId ? `agent:${agentId}` : undefined);
     const subagentPolicy = isSubagentSessionKey(options?.sessionKey) && options?.sessionKey
         ? resolveSubagentToolPolicy(options.config)
@@ -292,10 +308,12 @@ export function createPoolbotCodingTools(options) {
         : sandboxed;
     // Always normalize tool JSON Schemas before handing them to pi-agent/pi-ai.
     // Without this, some providers (notably OpenAI) will reject root-level union schemas.
-    const normalized = subagentFiltered.map(normalizeToolParameters);
+    // Provider-specific cleaning: Gemini needs constraint keywords stripped, but Anthropic expects them.
+    const normalized = subagentFiltered.map((tool) => normalizeToolParameters(tool, { modelProvider: options?.modelProvider }));
     const withHooks = normalized.map((tool) => wrapToolWithBeforeToolCallHook(tool, {
         agentId,
         sessionKey: options?.sessionKey,
+        loopDetection: resolveToolLoopDetectionConfig({ cfg: options?.config, agentId }),
     }));
     const withAbort = options?.abortSignal
         ? withHooks.map((tool) => wrapToolWithAbortSignal(tool, options.abortSignal))