@pugi/cli 0.1.0-beta.5 → 0.1.0-beta.50

package/dist/tools/file-tools.js

@@ -1,9 +1,37 @@
+/**
+ * file-tools - Pugi CLI file/bash/glob/grep tool surface.
+ *
+ * Workspace-binding contract (CEO red-alert 2026-05-27 follow-up):
+ *
+ *   Every tool dispatch path threads `ctx.root` from the operator's
+ *   `process.cwd()` through `EngineTask.workspaceRoot` ->
+ *   `native-pugi.run()` -> `toolCtx.root` -> here. Tools call
+ *   `resolveWorkspacePath(ctx.root, path)` for every on-disk operation
+ *   so a dispatched specialist (e.g. Hiroshi writing tic-tac-toe HTML)
+ *   produces files in the OPERATOR'S cwd, never in a server-side temp
+ *   space. The path-security gate refuses traversal (`../etc/passwd`,
+ *   URL-encoded variants, symlink escapes at the target).
+ *
+ *   Wiring chain:
+ *     1. runtime/cli.ts:    workspaceRoot = process.cwd()
+ *     2. EngineTask.workspaceRoot threads through to native-pugi.run().
+ *     3. native-pugi:       const root = task.workspaceRoot
+ *     4. tool-bridge:       passes ctx.root to file-tools / bash.
+ *     5. file-tools:        resolveWorkspacePath(ctx.root, path).
+ *
+ *   The contract is locked by `test/tools-write-to-workspace.spec.ts`
+ *   (6 cases covering relative + nested + absolute paths + traversal
+ *   refusal). If any layer of the chain regressed silently, dispatched
+ *   files would land in `/tmp` instead of the operator's repo, which
+ *   is the same failure surface as the menu-mode anti-pattern the
+ *   sibling commits close.
+ */
 import { spawnSync } from 'node:child_process';
-import { existsSync, readFileSync, realpathSync, renameSync, writeFileSync } from 'node:fs';
+import { existsSync, readFileSync, realpathSync, renameSync, statSync, writeFileSync } from 'node:fs';
 import { dirname, isAbsolute, relative } from 'node:path';
 import { globSync } from 'node:fs';
 import { decidePermission } from '../core/permission.js';
-import { createReadRecord, hashContent } from '../core/file-cache.js';
+import { StaleReadError, createReadRecord, hashContent, } from '../core/file-cache.js';
 import { resolveWorkspacePath } from '../core/path-security.js';
 import { recordFileMutation, recordToolCall, recordToolResult } from '../core/session.js';
 /**
@@ -19,6 +47,11 @@ export class OperatorAbortedError extends Error {
         this.name = 'OperatorAbortedError';
     }
 }
+// Re-export StaleReadError so tool-bridge / test consumers can import
+// the typed error from a single file-tools surface alongside
+// OperatorAbortedError. Same shape as the existing OperatorAbortedError
+// re-surface pattern.
+export { StaleReadError } from '../core/file-cache.js';
 /**
  * α6.9 WriteGate: refuse the tool dispatch when the active
  * cancellation token has aborted. Idempotent (the token's `isAborted`
@@ -124,10 +157,37 @@ export function writeTool(ctx, path, content) {
         throw error;
     }
     const existed = existsSync(resolved);
-    const before = existed ? readFileSync(resolved, 'utf8') : undefined;
+    // Leak L1 stale-read gate for writeTool's update-existing path. The
+    // model uses writeTool for two distinct intents:
+    //
+    //   - create-new: path does not exist on disk. There is no prior
+    //     read to validate against; skip the gate. This is the
+    //     intentional escape hatch the leak spec also calls out.
+    //   - overwrite-existing: path exists. Without the gate the model
+    //     could blind-clobber an externally-modified file, losing the
+    //     concurrent change silently. Force the model to re-read first.
+    //
+    // We deliberately apply the SAME stale-validation primitive editTool
+    // uses so the two write surfaces stay symmetric and a future fix to
+    // either one cannot accidentally weaken the other.
+    let before;
+    if (existed) {
+        before = readFileSync(resolved, 'utf8');
+        const currentStat = statSync(resolved);
+        const validation = ctx.readCache.validate(ctx.root, path, currentStat.mtimeMs, before);
+        if (validation.stale) {
+            const reason = `stale_read: write ${path} refused — ${validation.detail}`;
+            recordToolResult(ctx.session, toolCallId, 'error', reason);
+            throw new StaleReadError(path, validation.reason, validation.detail);
+        }
+    }
     const tmp = `${resolved}.pugi-tmp-${Date.now()}`;
     writeFileSync(tmp, content, { encoding: 'utf8', mode: 0o600 });
     renameSync(tmp, resolved);
+    // Refresh the cache with the post-write content so the model can
+    // chain a follow-up read+edit on the same file without an extra
+    // round-trip. Same pattern editTool uses below.
+    ctx.readCache.set(createReadRecord(ctx.root, path, content, 'read_tool'));
     recordFileMutation(ctx.session, {
         toolCallId,
         path,
@@ -154,10 +214,6 @@ export function editTool(ctx, path, oldString, newString) {
         recordToolResult(ctx.session, toolCallId, 'error', reason);
         throw new Error(reason);
     }
-    const readRecord = ctx.readCache.get(ctx.root, path);
-    if (!readRecord) {
-        throw new Error(`Cannot edit ${path}: file must be read first`);
-    }
     let resolved;
     try {
         resolved = permissionGatedResolve(ctx, path, 'edit', 'edit');
@@ -167,16 +223,31 @@ export function editTool(ctx, path, oldString, newString) {
         recordToolResult(ctx.session, toolCallId, 'error', reason);
         throw error;
     }
+    // Leak L1 stale-read gate. Validate the model's read-time view of
+    // the file against the on-disk state BEFORE applying the mutation.
+    // We read disk content once and feed it to the validator so a single
+    // syscall covers both the gate decision AND the oldString/newString
+    // replacement below.
     const before = readFileSync(resolved, 'utf8');
-    const currentHash = hashContent(before);
-    if (currentHash !== readRecord.sha256) {
-        throw new Error(`Cannot edit ${path}: file changed since last read`);
+    const currentStat = statSync(resolved);
+    const validation = ctx.readCache.validate(ctx.root, path, currentStat.mtimeMs, before);
+    if (validation.stale) {
+        const reason = `stale_read: edit ${path} refused — ${validation.detail}`;
+        recordToolResult(ctx.session, toolCallId, 'error', reason);
+        throw new StaleReadError(path, validation.reason, validation.detail);
     }
+    const currentHash = hashContent(before);
     const matches = before.split(oldString).length - 1;
-    if (matches === 0)
-        throw new Error(`Cannot edit ${path}: oldString not found`);
-    if (matches > 1)
-        throw new Error(`Cannot edit ${path}: oldString is not unique`);
+    if (matches === 0) {
+        const reason = `Cannot edit ${path}: oldString not found`;
+        recordToolResult(ctx.session, toolCallId, 'error', reason);
+        throw new Error(reason);
+    }
+    if (matches > 1) {
+        const reason = `Cannot edit ${path}: oldString is not unique`;
+        recordToolResult(ctx.session, toolCallId, 'error', reason);
+        throw new Error(reason);
+    }
     const after = before.replace(oldString, newString);
     const tmp = `${resolved}.pugi-tmp-${Date.now()}`;
     writeFileSync(tmp, after, { encoding: 'utf8', mode: 0o600 });

package/dist/tools/lsp-tools.js

@@ -0,0 +1,189 @@
+import { gateOnCancellation, OperatorAbortedError } from './file-tools.js';
+import { recordToolCall, recordToolResult } from '../core/session.js';
+/** Cap for any single LSP tool's payload size. Keeps model context lean. */
+const LSP_PAYLOAD_CAP_BYTES = 8 * 1024;
+export async function lspHover(ctx, lang, file, line, col) {
+    const toolCallId = recordToolCall(ctx.session, 'lsp_hover', `${lang}:${file}:${line}:${col}`);
+    return guard(ctx, 'lsp_hover', toolCallId, async () => {
+        const client = ctx.lspClients?.get(lang);
+        if (!client)
+            return unavailable(lang);
+        const result = await client.hover(file, { line, character: col }, ctx.cancellation);
+        if (!result.ok)
+            return failure(result);
+        if (!result.value) {
+            return { ok: true, value: { content: '' } };
+        }
+        const content = truncate(result.value.content);
+        return {
+            ok: true,
+            value: {
+                content: content.text,
+                ...(result.value.range ? { range: result.value.range } : {}),
+            },
+            ...(content.truncated ? { truncated: true } : {}),
+        };
+    });
+}
+export async function lspDefinition(ctx, lang, file, line, col) {
+    const toolCallId = recordToolCall(ctx.session, 'lsp_definition', `${lang}:${file}:${line}:${col}`);
+    return guard(ctx, 'lsp_definition', toolCallId, async () => {
+        const client = ctx.lspClients?.get(lang);
+        if (!client)
+            return unavailable(lang);
+        const result = await client.definition(file, { line, character: col }, ctx.cancellation);
+        if (!result.ok)
+            return failure(result);
+        const capped = capLocations(result.value);
+        return {
+            ok: true,
+            value: capped.value,
+            ...(capped.truncated ? { truncated: true } : {}),
+        };
+    });
+}
+export async function lspReferences(ctx, lang, file, line, col) {
+    const toolCallId = recordToolCall(ctx.session, 'lsp_references', `${lang}:${file}:${line}:${col}`);
+    return guard(ctx, 'lsp_references', toolCallId, async () => {
+        const client = ctx.lspClients?.get(lang);
+        if (!client)
+            return unavailable(lang);
+        const result = await client.references(file, { line, character: col }, ctx.cancellation);
+        if (!result.ok)
+            return failure(result);
+        const capped = capLocations(result.value);
+        return {
+            ok: true,
+            value: capped.value,
+            ...(capped.truncated ? { truncated: true } : {}),
+        };
+    });
+}
+export async function lspDiagnostics(ctx, lang, file) {
+    const toolCallId = recordToolCall(ctx.session, 'lsp_diagnostics', `${lang}:${file}`);
+    return guard(ctx, 'lsp_diagnostics', toolCallId, async () => {
+        const client = ctx.lspClients?.get(lang);
+        if (!client)
+            return unavailable(lang);
+        const result = await client.diagnostics(file, ctx.cancellation);
+        if (!result.ok)
+            return failure(result);
+        const capped = capDiagnostics(result.value);
+        return {
+            ok: true,
+            value: capped.value,
+            ...(capped.truncated ? { truncated: true } : {}),
+        };
+    });
+}
+async function guard(ctx, toolName, toolCallId, op) {
+    try {
+        gateOnCancellation(ctx, toolName);
+    }
+    catch (error) {
+        if (error instanceof OperatorAbortedError) {
+            recordToolResult(ctx.session, toolCallId, 'cancelled', error.message);
+            return { ok: false, reason: 'operator_aborted', detail: error.message };
+        }
+        throw error;
+    }
+    try {
+        const result = await op();
+        if (result.ok) {
+            recordToolResult(ctx.session, toolCallId, 'success', summarize(result.value));
+        }
+        else {
+            recordToolResult(ctx.session, toolCallId, 'error', `${result.reason ?? 'error'}: ${result.detail ?? ''}`);
+        }
+        return result;
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        recordToolResult(ctx.session, toolCallId, 'error', message);
+        return { ok: false, reason: 'lsp_error', detail: message };
+    }
+}
+function unavailable(lang) {
+    return {
+        ok: false,
+        reason: 'lsp_unavailable',
+        detail: `no LSP server started for ${lang}. Install the server and re-run ` +
+            `with --lsp ${lang}, or fall back to grep.`,
+    };
+}
+function failure(result) {
+    if (result.ok) {
+        // Shouldn't be hit — caller checks first.
+        return { ok: true, value: result.value };
+    }
+    return { ok: false, reason: result.reason, detail: result.detail };
+}
+function summarize(value) {
+    if (value === null || value === undefined)
+        return 'no result';
+    if (Array.isArray(value))
+        return `${value.length} items`;
+    if (typeof value === 'object')
+        return Object.keys(value).join(',');
+    return String(value);
+}
+function truncate(text) {
+    const bytes = Buffer.byteLength(text, 'utf8');
+    if (bytes <= LSP_PAYLOAD_CAP_BYTES)
+        return { text, truncated: false };
+    // Truncate to the cap byte boundary. We don't try to honor codepoint
+    // alignment — UTF-8 surrogate splits show up as a single ? at the
+    // boundary, which is acceptable for a debug surface; the dispatcher
+    // is the trust boundary for "this is what the model will see".
+    const buf = Buffer.from(text, 'utf8').subarray(0, LSP_PAYLOAD_CAP_BYTES);
+    return { text: `${buf.toString('utf8')}\n... [truncated]`, truncated: true };
+}
+function capLocations(locations) {
+    // Cap at 200 locations OR the byte cap, whichever hits first. The
+    // 200 number is the operator-facing "this is a hot symbol" threshold —
+    // a richer surface (paginated `pugi lsp references --offset N`) is
+    // open backlog.
+    const COUNT_CAP = 200;
+    if (locations.length === 0)
+        return { value: locations, truncated: false };
+    const trimmed = locations.slice(0, COUNT_CAP);
+    const serialized = JSON.stringify(trimmed);
+    if (Buffer.byteLength(serialized, 'utf8') <= LSP_PAYLOAD_CAP_BYTES && trimmed.length === locations.length) {
+        return { value: trimmed, truncated: false };
+    }
+    // Trim by halves until we fit the byte cap. Worst case ~10 iterations
+    // for the 200 max, fine for an interactive tool.
+    let upper = trimmed.length;
+    while (upper > 1) {
+        const half = Math.floor(upper / 2);
+        const sub = trimmed.slice(0, half);
+        if (Buffer.byteLength(JSON.stringify(sub), 'utf8') <= LSP_PAYLOAD_CAP_BYTES) {
+            return { value: sub, truncated: true };
+        }
+        upper = half;
+    }
+    return { value: trimmed.slice(0, 1), truncated: true };
+}
+function capDiagnostics(items) {
+    if (items.length === 0)
+        return { value: items, truncated: false };
+    const serialized = JSON.stringify(items);
+    if (Buffer.byteLength(serialized, 'utf8') <= LSP_PAYLOAD_CAP_BYTES) {
+        return { value: items, truncated: false };
+    }
+    // Diagnostics are sorted error-first in LSP convention; trim from the
+    // tail so we keep the highest-severity items.
+    let upper = items.length;
+    while (upper > 1) {
+        const half = Math.floor(upper / 2);
+        const sub = items.slice(0, half);
+        if (Buffer.byteLength(JSON.stringify(sub), 'utf8') <= LSP_PAYLOAD_CAP_BYTES) {
+            return { value: sub, truncated: true };
+        }
+        upper = half;
+    }
+    return { value: items.slice(0, 1), truncated: true };
+}
+/** Test-only surface so specs can poke truncation directly. */
+export const __test__ = { truncate, capLocations, capDiagnostics, LSP_PAYLOAD_CAP_BYTES };
+//# sourceMappingURL=lsp-tools.js.map

package/dist/tools/mcp-tool.js

@@ -0,0 +1,260 @@
+import { callTool } from '../core/mcp/client.js';
+import { getMcpPermission, setMcpPermission, } from '../core/mcp/permission.js';
+/**
+ * Tool dispatcher for MCP-invoked tools (β4 M1 + M3 + M5).
+ *
+ * Tool names use the `mcp__<server>__<tool>` namespace (double-underscore
+ * separator, mirroring Claude Code's MCP envelope). The triple-underscore
+ * forms (`mcp__server__tool__sub`) collapse into the third segment when
+ * the upstream server itself uses underscores in its tool names — `split`
+ * on the first two `__` only, so any further `__` in the tool name part
+ * survive intact (e.g. `mcp__github__create_issue` -> server=`github`,
+ * tool=`create_issue`).
+ *
+ * Why double-underscore: native Pugi tools use single-token names
+ * (`read`, `grep`, `edit`, `bash`). The double-underscore prefix
+ * unambiguously segregates the MCP namespace from native names without
+ * needing per-name regex matching at every dispatch site.
+ *
+ * Permission flow:
+ *   1. Server trust gate (handled at registry-load time). If a server is
+ *      not `trusted`, its tools never reach the engine loop.
+ *   2. Per-(server, tool) permission cache (`./mcp/permission.ts`).
+ *      Unset on first dispatch -> caller must prompt. Cached `allow_always`
+ *      auto-passes; cached `deny` auto-refuses.
+ *
+ * This module is the bridge — it parses the namespaced name, finds the
+ * live connection in the registry, consults the cache, and (when
+ * approved) routes through `client.callTool`. Prompting is the executor's
+ * responsibility; this module exposes the cache lookup + dispatch
+ * primitives so the executor stays small.
+ */
+/**
+ * Prefix every MCP tool name carries on the engine-loop wire.
+ */
+export const MCP_TOOL_PREFIX = 'mcp__';
+/**
+ * Parse `mcp__<server>__<tool>` into `{ serverName, toolName }`. Returns
+ * null when the input does not match the namespace — callers use this as
+ * the "is this an MCP tool?" predicate.
+ *
+ * Server names cannot contain `__` by registry validation (they are JSON
+ * object keys); tool names CAN (e.g. `create_issue` has a single `_` but
+ * `read_directory` has none, so the only ambiguity is when an upstream
+ * tool uses double-underscore in its slug — extremely rare, but if it
+ * happens the second `__` boundary still parses correctly because we
+ * split on the FIRST occurrence after the prefix).
+ */
+export function parseMcpToolName(name) {
+    if (!name.startsWith(MCP_TOOL_PREFIX))
+        return null;
+    const tail = name.slice(MCP_TOOL_PREFIX.length);
+    const sep = tail.indexOf('__');
+    if (sep === -1)
+        return null;
+    const serverName = tail.slice(0, sep);
+    const toolName = tail.slice(sep + 2);
+    if (serverName.length === 0 || toolName.length === 0)
+        return null;
+    return { serverName, toolName };
+}
+/**
+ * Build the namespaced tool name from a server + tool pair. Inverse of
+ * `parseMcpToolName`. Used by `buildMcpToolDefs` to emit the schema.
+ */
+export function buildMcpToolName(serverName, toolName) {
+    return `${MCP_TOOL_PREFIX}${serverName}__${toolName}`;
+}
+/**
+ * Build engine-loop tool definitions from every trusted server's
+ * surfaced tools. Empty array when no MCP servers are trusted — the
+ * schema builder can call this unconditionally without checking first.
+ */
+export function buildMcpToolDefs(registry) {
+    if (!registry)
+        return [];
+    const defs = [];
+    for (const state of registry.servers.values()) {
+        if (state.trust !== 'trusted')
+            continue;
+        for (const tool of state.surfacedTools) {
+            defs.push({
+                name: buildMcpToolName(state.name, tool.name),
+                description: descriptionFor(state.name, tool),
+                // The upstream server returns its own JSON Schema in `inputSchema`.
+                // We surface it verbatim — the loop client passes it through to
+                // the model, and the model emits arguments matching the upstream
+                // shape. Default to `{ type: 'object' }` when missing so the
+                // OpenAI-shaped tool envelope still validates.
+                parameters: tool.inputSchema ?? { type: 'object' },
+            });
+        }
+    }
+    // Sort stable so the schema bundle hash (used for caching/audit) is
+    // deterministic regardless of Map iteration order.
+    return defs.sort((a, b) => a.name.localeCompare(b.name));
+}
+function descriptionFor(serverName, tool) {
+    const base = tool.description?.trim() ?? `MCP tool ${tool.name} on server ${serverName}.`;
+    return `[MCP:${serverName}] ${base}`;
+}
+/**
+ * Look up the live connection + tool metadata for a parsed MCP tool name.
+ * Returns null when the server is not trusted, not connected, or does
+ * not expose the named tool. Callers MUST handle null — never throw,
+ * because the model may emit stale tool names after a server restart.
+ */
+export function resolveMcpTool(registry, parsed) {
+    if (!registry)
+        return null;
+    const state = registry.servers.get(parsed.serverName);
+    if (!state || state.trust !== 'trusted' || !state.connection)
+        return null;
+    const tool = state.surfacedTools.find((t) => t.name === parsed.toolName);
+    if (!tool)
+        return null;
+    return { state, connection: state.connection, tool };
+}
+/**
+ * The default prompt — used when no interactive bridge is wired (CI,
+ * non-TTY pipes). Returns `deny` so an unattended run never silently
+ * fires an MCP call the operator never approved. The deny is NOT
+ * persisted, so the next run with a wired prompt still has a chance to
+ * approve.
+ */
+export const defaultNonInteractiveMcpPrompt = async () => 'unset';
+/**
+ * Dispatch one MCP tool call. The flow:
+ *
+ *   1. Parse the namespaced tool name. Return error string when
+ *      malformed — the model sees the error and can self-correct.
+ *   2. Resolve the live connection. Return error when the server is not
+ *      trusted/connected or the tool is unknown.
+ *   3. Consult the permission cache. `deny` short-circuits. `allow_always`
+ *      proceeds. `unset` invokes the prompt; the operator's verdict is
+ *      persisted (allow_always/deny) or used one-shot (allow_once).
+ *   4. Parse the arguments string. Bad JSON -> error string.
+ *   5. Call `client.callTool` and stringify the content for the model.
+ *
+ * Throws ONLY on unrecoverable transport failures (e.g. the connection
+ * died mid-call). Tool-level errors from the upstream server are
+ * surfaced as `[MCP error] <message>` strings so the model can recover.
+ */
+export async function dispatchMcpTool(input) {
+    const parsed = parseMcpToolName(input.name);
+    if (!parsed) {
+        return `[MCP dispatch error] tool name "${input.name}" does not match the ${MCP_TOOL_PREFIX}<server>__<tool> namespace`;
+    }
+    const resolved = resolveMcpTool(input.registry, parsed);
+    if (!resolved) {
+        return `[MCP dispatch error] no trusted+connected server "${parsed.serverName}" exposes a tool named "${parsed.toolName}"`;
+    }
+    let args;
+    try {
+        args = parseArgumentsRaw(input.argumentsRaw);
+    }
+    catch (error) {
+        return `[MCP dispatch error] invalid JSON in arguments for ${input.name}: ${error instanceof Error ? error.message : String(error)}`;
+    }
+    // Permission gate.
+    const cached = getMcpPermission(parsed.serverName, parsed.toolName);
+    let effective = cached;
+    if (cached === 'unset') {
+        const verdict = await input.prompt({
+            serverName: parsed.serverName,
+            toolName: parsed.toolName,
+            toolDescription: resolved.tool.description ?? '',
+            callArguments: args,
+        });
+        effective = verdict;
+        if (verdict === 'allow_always' || verdict === 'deny') {
+            setMcpPermission(parsed.serverName, parsed.toolName, verdict, resolveDecidedBy(input.decidedBy));
+        }
+    }
+    if (effective === 'deny') {
+        return `[MCP refused] operator denied ${parsed.serverName}:${parsed.toolName}`;
+    }
+    if (effective !== 'allow_once' && effective !== 'allow_always') {
+        // Includes `unset` returned by the non-interactive default prompt.
+        return `[MCP refused] no operator approval for ${parsed.serverName}:${parsed.toolName} (run from a TTY to approve)`;
+    }
+    // Dispatch.
+    let result;
+    try {
+        result = await callTool(resolved.connection, parsed.toolName, args, {
+            ...(input.timeoutMs !== undefined ? { timeoutMs: input.timeoutMs } : {}),
+        });
+    }
+    catch (error) {
+        // Transport-level failure (timeout, child died mid-call). Surface
+        // as a recoverable string so the model can degrade gracefully.
+        return `[MCP transport error] ${parsed.serverName}:${parsed.toolName}: ${error instanceof Error ? error.message : String(error)}`;
+    }
+    return renderMcpToolResult(result.content, result.isError, parsed);
+}
+function parseArgumentsRaw(raw) {
+    if (!raw || raw.trim() === '')
+        return {};
+    const parsed = JSON.parse(raw);
+    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
+        throw new Error('arguments must be a JSON object');
+    }
+    return parsed;
+}
+function resolveDecidedBy(override) {
+    return (override?.trim() ||
+        process.env.PUGI_TRUSTED_BY?.trim() ||
+        process.env.USER?.trim() ||
+        process.env.USERNAME?.trim() ||
+        'cli');
+}
+/**
+ * Project the MCP `content` payload into a single text string the model
+ * can ingest. MCP servers reply with `content: [{ type: 'text', text }]`
+ * by convention; we concatenate every `type: text` chunk and surface a
+ * `[MCP non-text content]` marker for other content kinds (images,
+ * resource references) which are not yet wired into Pugi's loop.
+ *
+ * `isError: true` from the upstream maps to a `[MCP error] ...` prefix
+ * so the model knows the call failed at the server, not at the
+ * transport.
+ */
+export function renderMcpToolResult(content, isError, parsed) {
+    const text = projectTextContent(content);
+    const prefix = isError ? `[MCP error ${parsed.serverName}:${parsed.toolName}] ` : '';
+    if (text === null) {
+        // Fallback to a JSON dump so the model sees SOMETHING — better than
+        // an opaque empty string when the upstream uses image / resource
+        // content kinds.
+        try {
+            return `${prefix}${JSON.stringify(content)}`;
+        }
+        catch {
+            return `${prefix}[MCP non-serialisable content]`;
+        }
+    }
+    return `${prefix}${text}`;
+}
+function projectTextContent(content) {
+    if (content === null || content === undefined)
+        return '';
+    if (typeof content === 'string')
+        return content;
+    if (!Array.isArray(content))
+        return null;
+    const parts = [];
+    for (const entry of content) {
+        if (entry && typeof entry === 'object' && !Array.isArray(entry)) {
+            const obj = entry;
+            if (obj.type === 'text' && typeof obj.text === 'string') {
+                parts.push(obj.text);
+                continue;
+            }
+        }
+        // Non-text chunk — record a marker so the model knows something was
+        // dropped from the response.
+        parts.push('[MCP non-text content chunk]');
+    }
+    return parts.join('\n');
+}
+//# sourceMappingURL=mcp-tool.js.map