@semalt-ai/code 1.8.1 → 1.8.4

package/lib/config.js

@@ -2,9 +2,31 @@
 
 const fs = require('fs');
 const path = require('path');
+const { URL } = require('url');
 
 const { CONFIG_PATH, DEFAULT_CONFIG } = require('./constants');
 
+let _apiKeyAnyWarned = false;
+const _LOCAL_HOSTS = new Set(['127.0.0.1', 'localhost', '[::1]', '::1']);
+
+function _maybeWarnApiKeyAny(cfg) {
+  if (_apiKeyAnyWarned) return;
+  if (cfg.api_key !== 'any') return;
+  let host = '';
+  try {
+    host = new URL(cfg.api_base).hostname;
+  } catch {
+    return;
+  }
+  if (_LOCAL_HOSTS.has(host)) return;
+  _apiKeyAnyWarned = true;
+  // audit: allowed — pre-UI startup warning, fires once before TUI initialises.
+  process.stderr.write(
+    "⚠ api_key='any' against non-local endpoint — requests will likely fail " +
+    "with 401. Run 'semalt-code config set api_key <key>' to set a real key.\n"
+  );
+}
+
 function normalizeConfig(cfg = {}) {
   const merged = { ...DEFAULT_CONFIG, ...cfg };
   // Ensure every DEFAULT_CONFIG key is present without overwriting existing values
@@ -33,6 +55,7 @@ function normalizeConfig(cfg = {}) {
   merged.dashboard_model_id = Number.isInteger(cfg.dashboard_model_id) && cfg.dashboard_model_id > 0
     ? cfg.dashboard_model_id
     : null;
+  merged.repair_malformed_tool_xml = cfg.repair_malformed_tool_xml === true;
   merged.models = Array.isArray(cfg.models)
     ? cfg.models
         .filter((entry) => entry &&
@@ -53,6 +76,9 @@ function normalizeConfig(cfg = {}) {
           if (Number.isInteger(entry.context_length) && entry.context_length > 0) {
             normalized.context_length = entry.context_length;
           }
+          // native_tools defaults to true; only explicit false/0/"false"/"0" opts out.
+          const nt = entry.native_tools;
+          normalized.native_tools = !(nt === false || nt === 0 || nt === '0' || nt === 'false');
           return normalized;
         })
     : [];
@@ -61,13 +87,16 @@ function normalizeConfig(cfg = {}) {
 
 function loadConfig() {
   fs.mkdirSync(path.dirname(CONFIG_PATH), { recursive: true });
+  let cfg;
   if (fs.existsSync(CONFIG_PATH)) {
     try {
       const data = JSON.parse(fs.readFileSync(CONFIG_PATH, 'utf8'));
-      return normalizeConfig(data);
+      cfg = normalizeConfig(data);
     } catch {}
   }
-  return normalizeConfig();
+  if (!cfg) cfg = normalizeConfig();
+  _maybeWarnApiKeyAny(cfg);
+  return cfg;
 }
 
 function saveConfig(cfg) {
@@ -94,8 +123,8 @@ function configShow(systemPromptOverride = null) {
   if (systemPromptOverride) {
     lines.push(`  system_prompt: [override from ${systemPromptOverride}]`);
   } else {
-    const { SYSTEM_PROMPT } = require('./prompts');
-    lines.push(`  system_prompt: ${SYSTEM_PROMPT.slice(0, 80)}...`);
+    const { getSystemPrompt } = require('./prompts');
+    lines.push(`  system_prompt: ${getSystemPrompt().slice(0, 80)}...`);
   }
   return lines.join('\n');
 }

package/lib/constants.js

@@ -12,23 +12,39 @@ const DEFAULT_CONFIG = {
   api_key: 'any',
   dashboard_url: 'https://cli.semalt.ai',
   auth_token: '',
-  default_model: 'default',
+  default_model: '',
   dashboard_model_id: null,
   temperature: 0.7,
   request_timeout_ms: DEFAULT_API_TIMEOUT_MS,
   stream: true,
+  // native_tools (boolean, default true): when true, the
+  // client sends an OpenAI-format `tools` parameter and
+  // expects structured tool_calls in responses. Set to
+  // false only for models/endpoints that do not support
+  // native function calling (legacy finetunes, XML-only
+  // adapters). Per-profile flag on models[] entries.
   models: [],
   theme: 'dark',
   max_file_size_kb: 512,
   command_timeout_ms: 30000,
   max_output_lines: 50,
+  http_fetch_max_bytes: 262144,
   show_token_count: true,
   show_cost: false,
   system_prompt_mode: 'system_role',
+  repair_malformed_tool_xml: false,
 };
 
 const CONFIG_PATH = path.join(os.homedir(), '.semalt-ai', 'config.json');
 
+// TAG_REGISTRY classifies every XML tag the stream parser may encounter.
+// For 'tool'-type tags, the *parameter schema* lives in lib/tool_specs.js
+// (TOOL_SPECS) — that file is the single source of truth for argument
+// names, types, required flags, and descriptions used to build the
+// native function-calling `tools` array and the system-prompt tag
+// inventory. Adding or renaming a 'tool' entry here requires a matching
+// change in TOOL_SPECS; the assertion at the bottom of this module
+// enforces that parity at load time.
 const TAG_REGISTRY = {
   // Rendered visually in chat, never shown as raw text
   think:      { type: 'visual', streaming: true,  display: 'think_bubble' },
@@ -59,7 +75,6 @@ const TAG_REGISTRY = {
   download:         { type: 'tool', streaming: false, label: 'Downloading' },
   upload:           { type: 'tool', streaming: false, label: 'Uploading' },
   http_get:         { type: 'tool', streaming: false, label: 'Fetching URL' },
-  http_get_next:    { type: 'tool', streaming: false, label: 'Fetching next content chunk' },
   ask_user:         { type: 'tool', streaming: false, label: 'Asking user' },
   store_memory:     { type: 'tool', streaming: false, label: 'Storing memory' },
   recall_memory:    { type: 'tool', streaming: false, label: 'Recalling memory' },
@@ -81,6 +96,14 @@ const TAG_REGISTRY = {
   tool_call:       { type: 'tool', streaming: false, label: 'Using tool' },
   function_call:   { type: 'tool', streaming: false, label: 'Using tool' },
 
+  // Qwen3-Coder / Qwen3.5 XML tool-call format: `<function=tool_name>…</function>`.
+  // The tool name is carried as an `=name` suffix on the opening tag rather
+  // than an attribute; `parameter` (already registered as `strip` above) covers
+  // the matching `<parameter=key>…</parameter>` child tags. StreamParser splits
+  // the tag name on `[\s=]`, so the registry lookup for `<function=read_file>`
+  // resolves here.
+  function: { type: 'tool', streaming: false, label: 'Using tool' },
+
   // Silently stripped — model wrapper artifacts
   answer:    { type: 'strip' },
   response:  { type: 'strip' },
@@ -90,8 +113,35 @@ const TAG_REGISTRY = {
   text:      { type: 'strip' },
   result:    { type: 'strip' },
   code:      { type: 'strip' },
+
+  // Protocol wrapper: the model's declared final reply to the user. Tags are
+  // stripped from rendered output but the inner content IS the user-facing
+  // answer and must stream through onToken, not be buffered like tool blocks.
+  final_answer: { type: 'final', streaming: true, label: 'Final answer' },
 };
 
+// Load-time parity check: every 'tool'-type tag in TAG_REGISTRY must have a
+// matching entry in TOOL_SPECS, and TOOL_SPECS must not declare phantom
+// tools that aren't registered. Requiring tool_specs.js here (rather than
+// at the top of the file) keeps the module boundary one-directional —
+// tool_specs.js does not depend on this file.
+const { TOOL_SPECS } = require('./tool_specs');
+(function assertToolSpecParity() {
+  const registryTools = Object.entries(TAG_REGISTRY)
+    .filter(([, v]) => v.type === 'tool')
+    .map(([k]) => k)
+    .sort();
+  const specTools = Object.keys(TOOL_SPECS).sort();
+  const missing = registryTools.filter((k) => !Object.prototype.hasOwnProperty.call(TOOL_SPECS, k));
+  const extra = specTools.filter((k) => !(k in TAG_REGISTRY) || TAG_REGISTRY[k].type !== 'tool');
+  if (missing.length || extra.length) {
+    const parts = [];
+    if (missing.length) parts.push(`missing in TOOL_SPECS: ${missing.join(', ')}`);
+    if (extra.length) parts.push(`extra in TOOL_SPECS: ${extra.join(', ')}`);
+    throw new Error(`TAG_REGISTRY ↔ TOOL_SPECS mismatch — ${parts.join('; ')}`);
+  }
+})();
+
 module.exports = {
   CONFIG_PATH,
   DEFAULT_API_TIMEOUT_MS,

package/lib/metrics.js

@@ -32,13 +32,22 @@ class Metrics {
   }
 
   tokenLimitStatus() {
-    if (this.modelTokenLimit === null) return null;
     const used = this.contextTokens();
+    if (this.modelTokenLimit == null) {
+      // No known limit — still expose `used` once we have a turn's prompt_tokens
+      // so the UI can render "N tok · limit unknown" instead of hiding the line.
+      if (!this.turns.length || !used) return null;
+      return { used, limit: null, pct: null, bar: null };
+    }
     const pct = Math.round((used / this.modelTokenLimit) * 100);
     const bar = this._buildBar(pct, 10);
     return { used, limit: this.modelTokenLimit, pct, bar };
   }
 
+  setModelTokenLimit(limit) {
+    this.modelTokenLimit = Number.isInteger(limit) && limit > 0 ? limit : null;
+  }
+
   _buildBar(pct, width) {
     const filled = Math.min(Math.round((pct / 100) * width), width);
     const empty = Math.max(0, width - filled);
@@ -79,8 +88,12 @@ class Metrics {
 
     const status = this.tokenLimitStatus();
     if (status !== null) {
-      lines.push(row(`  Context used:  ${this.contextTokens()}`));
-      lines.push(row(`  Token limit:   ${status.used}/${status.limit} (${status.pct}%)`));
+      if (status.limit === null) {
+        lines.push(row(`  Context used:  ${status.used} (limit unknown)`));
+      } else {
+        lines.push(row(`  Context used:  ${this.contextTokens()}`));
+        lines.push(row(`  Token limit:   ${status.used}/${status.limit} (${status.pct}%)`));
+      }
     }
 
     lines.push(row(`  Duration:      ${durationStr}`));

package/lib/permissions.js

@@ -1,5 +1,8 @@
 'use strict';
 
+const writer = require('./ui/writer');
+const messages = require('./ui/messages');
+
 const TIER_FS = ['read_file', 'write_file', 'append_file', 'delete_file', 'list_dir', 'make_dir', 'move_file', 'copy_file', 'file_stat', 'search_files', 'store_memory', 'recall_memory'];
 const TIER_EXEC = ['exec'];
 const TIER_NET = ['http_get', 'download'];
@@ -8,7 +11,6 @@ const TIER_SYS = ['system_info', 'get_env', 'set_env'];
 const TIER_MAP = { fs: TIER_FS, exec: TIER_EXEC, net: TIER_NET, sys: TIER_SYS };
 const READONLY_BLOCKED = new Set(['write_file', 'append_file', 'delete_file', 'move_file', 'copy_file']);
 
-let _permissionCounter = 0;
 let _permissionQueueTail = Promise.resolve();
 
 function createPermissionManager(ui, { allowedTiers = [], readonly = false } = {}) {
@@ -21,8 +23,8 @@ function createPermissionManager(ui, { allowedTiers = [], readonly = false } = {
   }
 
   const state = {
-    autoApproveShell: false,
-    autoApproveFile: false,
+    autoApproveAll: false,
+    sessionApprovedTags: new Set(),
   };
 
   let uiCallbacks = null;
@@ -40,127 +42,127 @@ function createPermissionManager(ui, { allowedTiers = [], readonly = false } = {
 
   const MAX_DESC_LINES = 12;
 
-  function requestPermission(description, onAddMessage, onRerenderMessage, onCollapseMessage, onCaptureNavigation) {
+  // The picker renders into the writer's modal region — a live band above
+  // the status bar that redraws in place on every keystroke. Arrow-key
+  // navigation rebuilds the lines array and calls onShowModal again; nothing
+  // lands in scrollback until the user confirms. On resolve/cancel the
+  // modal is cleared and a single summary line is emitted to scrollback
+  // (for multi-line descriptions — e.g. a file-write diff — the full body
+  // is retained so the user can still see what was approved).
+  function requestPermission(description, onShowModal, onCloseModal, onCaptureNavigation) {
     // Serialize dialogs: each permission waits for the previous one to be answered
     const myTurn = _permissionQueueTail;
     let releaseQueue;
     _permissionQueueTail = new Promise((r) => { releaseQueue = r; });
 
     return myTurn.then(() => new Promise((resolve) => {
-      const uniqueId = `perm_${++_permissionCounter}`;
       const options = ['Yes', 'Always', 'No'];
       let selectedIdx = 0;
       const descLines = description.split('\n');
       const truncatable = descLines.length > MAX_DESC_LINES;
 
-      function buildContent() {
-        let visibleDesc;
-        if (truncatable) {
-          visibleDesc = descLines.slice(0, MAX_DESC_LINES).join('\n') +
-            `\n  \x1b[2m… ${descLines.length - MAX_DESC_LINES} more lines\x1b[0m`;
-        } else {
-          visibleDesc = description;
+      function buildModalLines() {
+        const lines = [];
+        const visible = truncatable
+          ? descLines.slice(0, MAX_DESC_LINES).concat([`  \x1b[2m… ${descLines.length - MAX_DESC_LINES} more lines\x1b[0m`])
+          : descLines;
+        // First description line gets the bullet glyph; continuation lines
+        // are indented to align under it. Matches the pre-modal rendering
+        // that went through chatHistory's system-message renderer.
+        const first = visible[0] || '';
+        lines.push(`  \x1b[38;5;244m●\x1b[0m \x1b[38;5;244m${first}\x1b[0m`);
+        for (let i = 1; i < visible.length; i++) {
+          lines.push(`     \x1b[38;5;244m${visible[i]}\x1b[0m`);
         }
-        const parts = [visibleDesc, ''];
+        lines.push('');
         for (let i = 0; i < options.length; i++) {
-          parts.push(i === selectedIdx
+          lines.push(i === selectedIdx
             ? `\x1b[1m\x1b[36m  ►  ${options[i]}\x1b[0m`
             : `     ${options[i]}`
           );
         }
-        return parts.join('\n');
+        return lines;
       }
 
-      const permMsg = { role: 'system', id: uniqueId, content: buildContent() };
-      onAddMessage(permMsg);
+      onShowModal(buildModalLines());
+
+      function finish(result) {
+        const chosen = result === 'cancel' ? 'no' : options[selectedIdx].toLowerCase();
+        const glyph = (chosen === 'no') ? '✗' : '✓';
+        // The full `description` is preserved in the summary so multi-line
+        // bodies (e.g. file-write diffs) remain visible in scrollback after
+        // the modal closes. chatHistory's system-message renderer styles the
+        // first line by the leading glyph and indents continuations.
+        onCloseModal(`${glyph} ${description}`);
+        releaseQueue();
+        resolve(chosen);
+      }
 
       const releaseNav = onCaptureNavigation((action) => {
         if (action === 'next') {
           selectedIdx = (selectedIdx + 1) % options.length;
-          permMsg.content = buildContent();
-          onRerenderMessage(uniqueId);
+          onShowModal(buildModalLines());
         } else if (action === 'prev') {
           selectedIdx = (selectedIdx - 1 + options.length) % options.length;
-          permMsg.content = buildContent();
-          onRerenderMessage(uniqueId);
+          onShowModal(buildModalLines());
         } else if (action === 'select') {
-          const chosen = options[selectedIdx];
           releaseNav();
-          permMsg.content = chosen === 'No' ? `✗ ${description}` : `✓ ${description}`;
-          onCollapseMessage(uniqueId);
-          releaseQueue();
-          resolve(chosen.toLowerCase());
+          finish('select');
         } else if (action === 'cancel') {
           releaseNav();
-          permMsg.content = `✗ ${description}`;
-          onCollapseMessage(uniqueId);
-          releaseQueue();
-          resolve('no');
+          finish('cancel');
         }
       });
     }));
   }
 
-  async function askPermission(actionType, description, tag) {
-    if (tag && autoApprovedTags.has(tag)) {
-      if (uiCallbacks) {
-        uiCallbacks.onAddMessage({ role: 'system', content: `✓ Auto-approved: ${description}` });
-      } else {
-        console.log(`  ${FG_GREEN}✓${RST} ${FG_DARK}Auto-approved: ${description}${RST}`);
-      }
-      return true;
+  function _emitAutoApproved(description) {
+    if (uiCallbacks) {
+      uiCallbacks.onAddMessage({ role: 'system', content: `✓ Auto-approved: ${description}` });
+    } else {
+      messages.sysSuccess(`Auto-approved: ${description}`);
     }
+  }
 
-    if (actionType === 'shell' && state.autoApproveShell) {
-      if (uiCallbacks) {
-        uiCallbacks.onAddMessage({ role: 'system', content: `✓ Auto-approved: ${description}` });
-      } else {
-        console.log(`  ${FG_GREEN}✓${RST} ${FG_DARK}Auto-approved: ${description}${RST}`);
-      }
+  async function askPermission(actionType, description, tag) {
+    if (state.autoApproveAll) {
+      _emitAutoApproved(description);
       return true;
     }
 
-    if (actionType === 'file' && state.autoApproveFile) {
-      if (uiCallbacks) {
-        uiCallbacks.onAddMessage({ role: 'system', content: `✓ Auto-approved: ${description}` });
-      } else {
-        console.log(`  ${FG_GREEN}✓${RST} ${FG_DARK}Auto-approved: ${description}${RST}`);
-      }
+    if (tag && (autoApprovedTags.has(tag) || state.sessionApprovedTags.has(tag))) {
+      _emitAutoApproved(description);
       return true;
     }
 
     if (!process.stdout.isTTY || !process.stdin.isTTY) {
-      process.stdout.write(`  [non-TTY] Auto-approving: ${description}\n`);
+      writer.scrollback(`  [non-TTY] Auto-approving: ${description}`);
       return true;
     }
 
     if (uiCallbacks) {
       const result = await requestPermission(
         `${actionType}: ${description}`,
-        uiCallbacks.onAddMessage,
-        uiCallbacks.onRerenderMessage,
-        uiCallbacks.onCollapseMessage,
+        uiCallbacks.onShowModal,
+        uiCallbacks.onCloseModal,
         uiCallbacks.onCaptureNavigation,
       );
 
       if (result === 'no') return false;
 
-      if (result === 'always') {
-        if (actionType === 'shell') state.autoApproveShell = true;
-        else state.autoApproveFile = true;
-        uiCallbacks.onAddMessage({ role: 'system', content: `✓ Auto-approve enabled for ${actionType} operations` });
+      if (result === 'always' && tag) {
+        state.sessionApprovedTags.add(tag);
+        uiCallbacks.onAddMessage({ role: 'system', content: `✓ Auto-approve enabled for \`${tag}\` this session` });
       }
 
       return true;
     }
 
-    // Fallback: legacy TTY interactive select (used outside of chat UI)
-    const alwaysLabel = actionType === 'shell' ? 'Yes, always for shell' : 'Yes, always for files';
+    // Fallback: TTY interactive select (used outside of chat UI)
+    const alwaysLabel = tag ? `Yes, always for <${tag}>` : 'Yes, always';
     const choices = ['Yes', alwaysLabel, 'No'];
 
-    console.log();
-    console.log(`  ${FG_YELLOW}${BOLD}⚠ Permission required${RST}`);
-    console.log(`  ${FG_GRAY}${actionType}: ${description}${RST}`);
+    writer.scrollback(`\n  ${FG_YELLOW}${BOLD}⚠ Permission required${RST}\n  ${FG_GRAY}${actionType}: ${description}${RST}`);
 
     const selectedIndex = await interactiveSelect(
       choices,
@@ -173,14 +175,13 @@ function createPermissionManager(ui, { allowedTiers = [], readonly = false } = {
     );
 
     if (selectedIndex === null || selectedIndex === 2) {
-      console.log(`  ${FG_RED}✗${RST} ${FG_DARK}Denied${RST}`);
+      writer.scrollback(`  ${FG_RED}✗${RST} ${FG_DARK}Denied${RST}`);
       return false;
     }
 
-    if (selectedIndex === 1) {
-      if (actionType === 'shell') state.autoApproveShell = true;
-      else state.autoApproveFile = true;
-      console.log(`  ${FG_GREEN}✓${RST} ${FG_DARK}Auto-approve enabled for ${actionType} operations${RST}`);
+    if (selectedIndex === 1 && tag) {
+      state.sessionApprovedTags.add(tag);
+      writer.scrollback(`  ${FG_GREEN}✓${RST} ${FG_DARK}Auto-approve enabled for <${tag}> this session${RST}`);
     }
 
     return true;
@@ -194,14 +195,13 @@ function createPermissionManager(ui, { allowedTiers = [], readonly = false } = {
   }
 
   function clear() {
-    state.autoApproveShell = false;
-    state.autoApproveFile = false;
+    state.autoApproveAll = false;
+    state.sessionApprovedTags.clear();
   }
 
   function toggleAll() {
-    state.autoApproveShell = !state.autoApproveShell;
-    state.autoApproveFile = !state.autoApproveFile;
-    return state.autoApproveShell;
+    state.autoApproveAll = !state.autoApproveAll;
+    return state.autoApproveAll;
   }
 
   return {