npm - @semalt-ai/code - Versions diffs - 1.8.1 → 1.8.4 - Mend

@semalt-ai/code 1.8.1 → 1.8.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/.claude/settings.local.json +14 -1
package/CLAUDE.md +2 -1
package/index.js +29 -8
package/lib/agent.js +725 -133
package/lib/api.js +193 -59
package/lib/commands.js +263 -201
package/lib/config.js +33 -4
package/lib/constants.js +52 -2
package/lib/metrics.js +16 -3
package/lib/permissions.js +73 -73
package/lib/prompts.js +90 -86
package/lib/tool_specs.js +499 -0
package/lib/tools.js +418 -198
package/lib/ui/ansi.js +13 -1
package/lib/ui/chat-history.js +212 -61
package/lib/ui/create-ui.js +145 -377
package/lib/ui/diff.js +91 -78
package/lib/ui/format.js +247 -0
package/lib/ui/input-field.js +200 -107
package/lib/ui/layout.js +0 -2
package/lib/ui/messages.js +44 -0
package/lib/ui/select.js +114 -0
package/lib/ui/status-bar.js +179 -42
package/lib/ui/stream.js +8 -12
package/lib/ui/terminal.js +60 -0
package/lib/ui/theme.js +99 -0
package/lib/ui/utils.js +135 -6
package/lib/ui/writer.js +603 -0
package/lib/ui.js +11 -6
package/package.json +1 -1
package/lib/ui/legacy.js +0 -130

package/lib/tools.js CHANGED Viewed

@@ -1,17 +1,20 @@
 'use strict';
 const fs = require('fs');
+const fsp = require('fs/promises');
 const http = require('http');
 const https = require('https');
 const os = require('os');
 const path = require('path');
-const { spawnSync } = require('child_process');
+const { spawn } = require('child_process');
 const { logToolCall } = require('./audit');
+const writer = require('./ui/writer');
 const MEMORY_PATH = path.join(os.homedir(), '.semalt-ai', 'memory.json');
 const _dryRun = process.argv.includes('--dry-run');
+const _allowAnywhere = process.argv.includes('--allow-anywhere');
 const _skippedOps = [];
 function getSkippedOps() { return _skippedOps.slice(); }
@@ -19,15 +22,63 @@ function getSkippedOps() { return _skippedOps.slice(); }
 // handles all tool-status display via onToolEnd callbacks instead.
 let _uiActive = false;
 function setUIActive(v) { _uiActive = v; }
+function isUIActive() { return _uiActive; }
+// audit: allowed — fires only when TUI is inactive (one-shot non-TUI commands), no live region to protect.
 function _log(...args) { if (!_uiActive) console.log(...args); }
-// Chunk store for large http_get responses.
-// Maps URL → { chunks: string[], total: number, delivered: number }
-const _httpChunkStore = new Map();
-const HTTP_CHUNK_CHARS = 10000;
+// Reject writes outside the project CWD and in sensitive system/home dirs
+// (~/.ssh, ~/.aws, ~/.gnupg, /etc, /boot, /sys, /proc). Override with
+// --allow-anywhere when an agent genuinely needs to touch outside paths.
+function isPathSafe(filePath) {
+  if (_allowAnywhere) return true;
+  if (typeof filePath !== 'string' || !filePath) return false;
+  const resolved = path.resolve(filePath);
+  const home = os.homedir();
+  const banned = [
+    path.join(home, '.ssh') + path.sep,
+    path.join(home, '.aws') + path.sep,
+    path.join(home, '.gnupg') + path.sep,
+    '/etc/',
+    '/boot/',
+    '/sys/',
+    '/proc/',
+  ];
+  for (const b of banned) {
+    if (resolved === b.slice(0, -1) || resolved.startsWith(b)) return false;
+  }
+  const cwd = process.cwd();
+  const cwdPrefix = cwd.endsWith(path.sep) ? cwd : cwd + path.sep;
+  return resolved === cwd || resolved.startsWith(cwdPrefix);
+}
+function _sandboxError(filePath) {
+  return { error: `Path outside allowed area: ${filePath}. Use --allow-anywhere to override.` };
+}
+// Cheap ReDoS guard. Rejects pathologically long patterns, common
+// catastrophic-backtracking anti-patterns, and pattern×data sizes large
+// enough to hang the regex engine.
+function _checkRegexSafety(pattern, data) {
+  if (typeof pattern !== 'string') return null;
+  if (pattern.length > 1000) {
+    return { error: 'Pattern rejected: length exceeds 1000 chars' };
+  }
+  if (/(\(.*[+*].*\).*[+*])|(\[.*\].*[+*].*[+*])/.test(pattern)) {
+    return { error: 'Pattern rejected: potentially catastrophic backtracking' };
+  }
+  const dataLen = typeof data === 'string' ? data.length : 0;
+  if (dataLen * pattern.length > 10_000_000) {
+    return { error: 'Pattern too complex for input size' };
+  }
+  return null;
+}
 function createToolExecutor(permissionManager, ui, getConfig) {
   const { BOLD, DIM, FG_DARK, FG_GRAY, FG_GREEN, FG_RED, FG_YELLOW, RST, renderDiff } = ui;
+  // Continuation lines in a system-message bubble (chat-history.js else branch)
+  // are indented by 5 spaces. Let the diff renderer reserve those columns so
+  // its lines don't auto-wrap inside the bubble.
+  const DIFF_BUBBLE_INSET = 5;
   function _parseNumberedOptions(text) {
     const options = [];
@@ -52,20 +103,43 @@ function createToolExecutor(permissionManager, ui, getConfig) {
       return { exit_code: -1, stdout: '', stderr: 'Permission denied by user' };
     }
-    try {
-      const cfg = getConfig ? getConfig() : {};
-      const timeout = cfg.command_timeout_ms || 30000;
-      const result = spawnSync(command, { shell: true, encoding: 'utf8', timeout });
-      const stdout = result.stdout || '';
-      const stderr = result.stderr || '';
-      const exitCode = result.status ?? 0;
-      logToolCall('exec', { command }, true, exitCode === 0 ? 'ok' : 'error');
-      return { exit_code: exitCode, stdout, stderr };
-    } catch (error) {
-      _log(`  ${FG_RED}✗ ${error.message}${RST}`);
-      logToolCall('exec', { command }, true, 'error');
-      return { exit_code: -1, stdout: '', stderr: error.message };
-    }
+    const cfg = getConfig ? getConfig() : {};
+    const timeout = cfg.command_timeout_ms || 30000;
+    return new Promise((resolve) => {
+      let child;
+      try {
+        child = spawn(command, { shell: true });
+      } catch (error) {
+        _log(`  ${FG_RED}✗ ${error.message}${RST}`);
+        logToolCall('exec', { command }, true, 'error');
+        return resolve({ exit_code: -1, stdout: '', stderr: error.message });
+      }
+      let stdout = '';
+      let stderr = '';
+      let killed = false;
+      const timer = setTimeout(() => {
+        killed = true;
+        try { child.kill('SIGTERM'); } catch {}
+      }, timeout);
+      child.stdout.setEncoding('utf8');
+      child.stderr.setEncoding('utf8');
+      child.stdout.on('data', (c) => { stdout += c; });
+      child.stderr.on('data', (c) => { stderr += c; });
+      child.on('error', (error) => {
+        clearTimeout(timer);
+        _log(`  ${FG_RED}✗ ${error.message}${RST}`);
+        logToolCall('exec', { command }, true, 'error');
+        resolve({ exit_code: -1, stdout, stderr: stderr || error.message });
+      });
+      child.on('close', (code, signal) => {
+        clearTimeout(timer);
+        if (killed) stderr += (stderr ? '\n' : '') + `[timed out after ${timeout}ms]`;
+        const exit_code = killed ? -1 : (code != null ? code : (signal ? -1 : 0));
+        logToolCall('exec', { command }, true, exit_code === 0 ? 'ok' : 'error');
+        resolve({ exit_code, stdout, stderr });
+      });
+    });
   }
   async function agentExecFile(action, ...args) {
@@ -73,8 +147,8 @@ function createToolExecutor(permissionManager, ui, getConfig) {
     if (action === 'read') {
       const filePath = arg0;
-      try {
-        const stat = fs.statSync(filePath);
+      const stat = await fsp.stat(filePath).catch(() => null);
+      if (stat) {
         const cfg = getConfig ? getConfig() : {};
         const maxBytes = (cfg.max_file_size_kb || 512) * 1024;
         if (stat.size > maxBytes) {
@@ -82,16 +156,9 @@ function createToolExecutor(permissionManager, ui, getConfig) {
           logToolCall('read_file', { path: filePath }, false, 'error');
           return { error: `File too large: ${kb} KB exceeds max_file_size_kb=${cfg.max_file_size_kb || 512}` };
         }
-      } catch {
-        // file doesn't exist yet — readFileSync will report it
-      }
-      const approved = await permissionManager.askPermission('file', `Read ${filePath}`, 'read_file');
-      if (!approved) {
-        logToolCall('read_file', { path: filePath }, false, 'denied');
-        return { error: 'Permission denied' };
       }
       try {
-        const data = fs.readFileSync(filePath, 'utf8');
+        const data = await fsp.readFile(filePath, 'utf8');
         const lines = data.split('\n').length;
         if (lines > 10) {
           _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}Read ${filePath} (${lines} lines, ${data.length} chars)${RST}`);
@@ -99,7 +166,7 @@ function createToolExecutor(permissionManager, ui, getConfig) {
           _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}Read ${filePath}${RST}`);
         }
         logToolCall('read_file', { path: filePath }, true, 'ok');
-        return { content: data, path: filePath };
+        return { content: data, path: filePath, bytes: Buffer.byteLength(data, 'utf8') };
       } catch (error) {
         _log(`  ${FG_RED}✗ ${error.message}${RST}`);
         logToolCall('read_file', { path: filePath }, true, 'error');
@@ -118,9 +185,14 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         return blocked;
       }
+      if (!isPathSafe(filePath)) {
+        logToolCall(tag, { path: filePath }, false, 'denied');
+        return _sandboxError(filePath);
+      }
       // Read existing content for diff display
       let existing = '';
-      try { existing = fs.readFileSync(filePath, 'utf8'); } catch {}
+      try { existing = await fsp.readFile(filePath, 'utf8'); } catch {}
       // For append the final state is existing + new content
       const finalContent = action === 'write' ? (content || '') : (existing + (content || ''));
@@ -129,8 +201,10 @@ function createToolExecutor(permissionManager, ui, getConfig) {
       // collide with the live chat-history/status-bar redraw, so we route the
       // diff into the permission description instead (where it renders inside
       // the permission bubble and is safely truncated by MAX_DESC_LINES).
-      const diffOutput = renderDiff(existing, finalContent, filePath);
-      if (!_uiActive) process.stdout.write(diffOutput + '\n');
+      const diffOutput = _uiActive
+        ? renderDiff(existing, finalContent, filePath, { inset: DIFF_BUBBLE_INSET })
+        : renderDiff(existing, finalContent, filePath);
+      if (!_uiActive) writer.scrollback(diffOutput);
       // Dry-run: record the skipped op and return without writing
       if (_dryRun) {
@@ -140,7 +214,7 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         return { status: 'dry-run', message: 'dry-run: write skipped', path: filePath };
       }
-      // Permission check — routes through TUI dialog in chat mode, interactiveSelect in legacy CLI mode
+      // Permission check — routes through TUI dialog in chat mode, interactiveSelect in non-TUI flows
       let desc = `${action === 'write' ? 'Write' : 'Append to'} ${filePath}`;
       if (content) desc += ` (${content.length} chars)`;
       if (_uiActive) desc = `${desc}\n${diffOutput}`;
@@ -151,9 +225,9 @@ function createToolExecutor(permissionManager, ui, getConfig) {
       }
       try {
         const dir = path.dirname(filePath);
-        if (dir && dir !== '.') fs.mkdirSync(dir, { recursive: true });
-        if (action === 'write') fs.writeFileSync(filePath, content || '');
-        else fs.appendFileSync(filePath, content || '');
+        if (dir && dir !== '.') await fsp.mkdir(dir, { recursive: true });
+        if (action === 'write') await fsp.writeFile(filePath, content || '');
+        else await fsp.appendFile(filePath, content || '');
         const verb = action === 'write' ? 'Wrote' : 'Appended to';
         _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}${verb} ${filePath}${RST}`);
         logToolCall(tag, { path: filePath, content }, true, 'ok');
@@ -167,13 +241,8 @@ function createToolExecutor(permissionManager, ui, getConfig) {
     if (action === 'list_dir') {
       const dirPath = arg0;
-      const approved = await permissionManager.askPermission('file', `List ${dirPath}`, 'list_dir');
-      if (!approved) {
-        logToolCall('list_dir', { path: dirPath }, false, 'denied');
-        return { error: 'Permission denied' };
-      }
       try {
-        const entries = fs.readdirSync(dirPath, { withFileTypes: true });
+        const entries = await fsp.readdir(dirPath, { withFileTypes: true });
         const items = entries.map((e) => {
           if (e.isSymbolicLink()) return `[L] ${e.name}`;
           if (e.isDirectory()) return `[D] ${e.name}`;
@@ -198,6 +267,11 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         return blocked;
       }
+      if (!isPathSafe(filePath)) {
+        logToolCall('delete_file', { path: filePath }, false, 'denied');
+        return _sandboxError(filePath);
+      }
       _log(`  ${FG_YELLOW}${BOLD}⚠ Deleting: ${filePath}${RST}`);
       const approved = await permissionManager.askPermission('file', `Delete ${filePath}`, 'delete_file');
@@ -206,7 +280,7 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         return { error: 'Permission denied' };
       }
       try {
-        fs.unlinkSync(filePath);
+        await fsp.unlink(filePath);
         _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}Deleted ${filePath}${RST}`);
         logToolCall('delete_file', { path: filePath }, true, 'ok');
         return { status: 'ok', path: filePath };
@@ -219,13 +293,17 @@ function createToolExecutor(permissionManager, ui, getConfig) {
     if (action === 'make_dir') {
       const dirPath = arg0;
+      if (!isPathSafe(dirPath)) {
+        logToolCall('make_dir', { path: dirPath }, false, 'denied');
+        return _sandboxError(dirPath);
+      }
       const approved = await permissionManager.askPermission('file', `Create directory ${dirPath}`, 'make_dir');
       if (!approved) {
         logToolCall('make_dir', { path: dirPath }, false, 'denied');
         return { error: 'Permission denied' };
       }
       try {
-        fs.mkdirSync(dirPath, { recursive: true });
+        await fsp.mkdir(dirPath, { recursive: true });
         _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}Created directory ${dirPath}${RST}`);
         logToolCall('make_dir', { path: dirPath }, true, 'ok');
         return { status: 'ok', path: dirPath };
@@ -238,13 +316,17 @@ function createToolExecutor(permissionManager, ui, getConfig) {
     if (action === 'remove_dir') {
       const dirPath = arg0;
+      if (!isPathSafe(dirPath)) {
+        logToolCall('remove_dir', { path: dirPath }, false, 'denied');
+        return _sandboxError(dirPath);
+      }
       const approved = await permissionManager.askPermission('file', `Remove directory ${dirPath}`, 'remove_dir');
       if (!approved) {
         logToolCall('remove_dir', { path: dirPath }, false, 'denied');
         return { error: 'Permission denied' };
       }
       try {
-        fs.rmSync(dirPath, { recursive: true, force: true });
+        await fsp.rm(dirPath, { recursive: true, force: true });
         _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}Removed directory ${dirPath}${RST}`);
         logToolCall('remove_dir', { path: dirPath }, true, 'ok');
         return { status: 'ok', path: dirPath };
@@ -265,6 +347,11 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         return blocked;
       }
+      if (!isPathSafe(dst)) {
+        logToolCall('move_file', { src, dst }, false, 'denied');
+        return _sandboxError(dst);
+      }
       _log(`  ${FG_YELLOW}${BOLD}⚠ Moving: ${src} → ${dst}${RST}`);
       const approved = await permissionManager.askPermission('file', `Move ${src} to ${dst}`, 'move_file');
@@ -274,14 +361,14 @@ function createToolExecutor(permissionManager, ui, getConfig) {
       }
       try {
         const dstDir = path.dirname(dst);
-        if (dstDir && dstDir !== '.') fs.mkdirSync(dstDir, { recursive: true });
+        if (dstDir && dstDir !== '.') await fsp.mkdir(dstDir, { recursive: true });
         try {
-          fs.renameSync(src, dst);
+          await fsp.rename(src, dst);
         } catch (renameErr) {
           if (renameErr.code !== 'EXDEV') throw renameErr;
           // Cross-device rename not supported — copy then remove
-          fs.cpSync(src, dst, { recursive: true });
-          fs.rmSync(src, { recursive: true, force: true });
+          await fsp.cp(src, dst, { recursive: true });
+          await fsp.rm(src, { recursive: true, force: true });
         }
         _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}Moved ${src} → ${dst}${RST}`);
         logToolCall('move_file', { src, dst }, true, 'ok');
@@ -303,6 +390,11 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         return blocked;
       }
+      if (!isPathSafe(dst)) {
+        logToolCall('copy_file', { src, dst }, false, 'denied');
+        return _sandboxError(dst);
+      }
       const approved = await permissionManager.askPermission('file', `Copy ${src} to ${dst}`, 'copy_file');
       if (!approved) {
         logToolCall('copy_file', { src, dst }, false, 'denied');
@@ -310,8 +402,8 @@ function createToolExecutor(permissionManager, ui, getConfig) {
       }
       try {
         const dstDir = path.dirname(dst);
-        if (dstDir && dstDir !== '.') fs.mkdirSync(dstDir, { recursive: true });
-        fs.cpSync(src, dst, { recursive: true });
+        if (dstDir && dstDir !== '.') await fsp.mkdir(dstDir, { recursive: true });
+        await fsp.cp(src, dst, { recursive: true });
         _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}Copied ${src} → ${dst}${RST}`);
         logToolCall('copy_file', { src, dst }, true, 'ok');
         return { status: 'ok', src, dst };
@@ -332,14 +424,14 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         return { error: 'Permission denied' };
       }
       try {
-        const data = fs.readFileSync(filePath, 'utf8');
+        const data = await fsp.readFile(filePath, 'utf8');
         const lines = data.split('\n');
         if (lineNum < 1 || lineNum > lines.length) {
           logToolCall('edit_file', { path: filePath, line: lineNum }, true, 'error');
           return { error: `Line ${lineNum} out of range (file has ${lines.length} lines)` };
         }
         lines[lineNum - 1] = newContent;
-        fs.writeFileSync(filePath, lines.join('\n'));
+        await fsp.writeFile(filePath, lines.join('\n'));
         _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}Edited line ${lineNum} in ${filePath}${RST}`);
         logToolCall('edit_file', { path: filePath, line: lineNum }, true, 'ok');
         return { status: 'ok', path: filePath, line: lineNum };
@@ -353,13 +445,13 @@ function createToolExecutor(permissionManager, ui, getConfig) {
     if (action === 'search_in_file') {
       const filePath = arg0;
       const pattern = arg1;
-      const approved = await permissionManager.askPermission('file', `Search in ${filePath}`, 'search_in_file');
-      if (!approved) {
-        logToolCall('search_in_file', { path: filePath, pattern }, false, 'denied');
-        return { error: 'Permission denied' };
-      }
       try {
-        const data = fs.readFileSync(filePath, 'utf8');
+        const data = await fsp.readFile(filePath, 'utf8');
+        const guardErr = _checkRegexSafety(pattern, data);
+        if (guardErr) {
+          logToolCall('search_in_file', { path: filePath, pattern }, true, 'error');
+          return guardErr;
+        }
         const regex = new RegExp(pattern);
         const matches = data.split('\n')
           .map((content, idx) => regex.test(content) ? { line: idx + 1, content } : null)
@@ -385,13 +477,18 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         return { error: 'Permission denied' };
       }
       try {
-        const data = fs.readFileSync(filePath, 'utf8');
+        const data = await fsp.readFile(filePath, 'utf8');
+        const guardErr = _checkRegexSafety(searchStr, data);
+        if (guardErr) {
+          logToolCall('replace_in_file', { path: filePath, search: searchStr }, true, 'error');
+          return guardErr;
+        }
         const safeFlags = flags.replace(/[^gimsuy]/g, '');
         const countFlags = safeFlags.includes('g') ? safeFlags : safeFlags + 'g';
         const count = (data.match(new RegExp(searchStr, countFlags)) || []).length;
         const regex = new RegExp(searchStr, safeFlags || undefined);
         const newData = data.replace(regex, replaceStr);
-        fs.writeFileSync(filePath, newData);
+        await fsp.writeFile(filePath, newData);
         _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}Replaced ${count} occurrence(s) in ${filePath}${RST}`);
         logToolCall('replace_in_file', { path: filePath, search: searchStr }, true, 'ok');
         return { status: 'ok', path: filePath, count };
@@ -405,11 +502,6 @@ function createToolExecutor(permissionManager, ui, getConfig) {
     if (action === 'search_files') {
       const pattern = arg0;
       const searchDir = arg1 || '.';
-      const approved = await permissionManager.askPermission('file', `Search files: ${pattern} in ${searchDir}`, 'search_files');
-      if (!approved) {
-        logToolCall('search_files', { pattern, dir: searchDir }, false, 'denied');
-        return { error: 'Permission denied' };
-      }
       try {
         let regStr = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
         regStr = regStr.replace(/\*\*/g, '\x00');
@@ -419,16 +511,16 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         const regex = new RegExp(`^${regStr}$`);
         const matchName = !pattern.includes('/');
         const files = [];
-        function walk(dir, rel) {
+        async function walk(dir, rel) {
           let entries;
-          try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }
+          try { entries = await fsp.readdir(dir, { withFileTypes: true }); } catch { return; }
           for (const entry of entries) {
             const relPath = rel ? `${rel}/${entry.name}` : entry.name;
             if (regex.test(matchName ? entry.name : relPath)) files.push(relPath);
-            if (entry.isDirectory()) walk(path.join(dir, entry.name), relPath);
+            if (entry.isDirectory()) await walk(path.join(dir, entry.name), relPath);
           }
         }
-        walk(searchDir, '');
+        await walk(searchDir, '');
         files.sort();
         _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}Found ${files.length} file(s) matching "${pattern}"${RST}`);
         logToolCall('search_files', { pattern, dir: searchDir }, true, 'ok');
@@ -442,13 +534,8 @@ function createToolExecutor(permissionManager, ui, getConfig) {
     if (action === 'file_stat') {
       const filePath = arg0;
-      const approved = await permissionManager.askPermission('file', `Stat ${filePath}`, 'file_stat');
-      if (!approved) {
-        logToolCall('file_stat', { path: filePath }, false, 'denied');
-        return { error: 'Permission denied' };
-      }
       try {
-        const stat = fs.statSync(filePath);
+        const stat = await fsp.stat(filePath);
         const type = stat.isDirectory() ? 'directory' : stat.isSymbolicLink() ? 'symlink' : 'file';
         const size_kb = (stat.size / 1024).toFixed(2);
         const mode = '0o' + stat.mode.toString(8);
@@ -474,7 +561,7 @@ function createToolExecutor(permissionManager, ui, getConfig) {
     if (action === 'set_env') {
       const varName = arg0;
       const value = arg1 || '';
-      const approved = await permissionManager.askPermission('shell', `Set env ${varName}=${value}`, 'set_env');
+      const approved = await permissionManager.askPermission('env', `Set env ${varName}=${value}`, 'set_env');
       if (!approved) {
         logToolCall('set_env', { name: varName }, false, 'denied');
         return { error: 'Permission denied' };
@@ -499,7 +586,7 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         fileName = 'download';
       }
       const outPath = path.join(process.cwd(), fileName);
-      const approved = await permissionManager.askPermission('shell', `Download ${url}`, 'download');
+      const approved = await permissionManager.askPermission('net', `Download ${url}`, 'download');
       if (!approved) {
         logToolCall('download', { url }, false, 'denied');
         return { error: 'Permission denied' };
@@ -554,6 +641,10 @@ function createToolExecutor(permissionManager, ui, getConfig) {
     if (action === 'upload') {
       const filePath = arg0;
       const encodedContent = arg1 || '';
+      if (!isPathSafe(filePath)) {
+        logToolCall('upload', { path: filePath }, false, 'denied');
+        return _sandboxError(filePath);
+      }
       const approved = await permissionManager.askPermission('file', `Upload to ${filePath}`, 'upload');
       if (!approved) {
         logToolCall('upload', { path: filePath }, false, 'denied');
@@ -561,9 +652,9 @@ function createToolExecutor(permissionManager, ui, getConfig) {
       }
       try {
         const dir = path.dirname(filePath);
-        if (dir && dir !== '.') fs.mkdirSync(dir, { recursive: true });
+        if (dir && dir !== '.') await fsp.mkdir(dir, { recursive: true });
         const buffer = Buffer.from(encodedContent.trim(), 'base64');
-        fs.writeFileSync(filePath, buffer);
+        await fsp.writeFile(filePath, buffer);
         _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}Uploaded ${buffer.length} bytes to ${filePath}${RST}`);
         logToolCall('upload', { path: filePath }, true, 'ok');
         return { status: 'ok', path: filePath, bytes: buffer.length };
@@ -574,69 +665,21 @@ function createToolExecutor(permissionManager, ui, getConfig) {
       }
     }
-    function buildHttpResult(url, statusCode, body, raw) {
-      // Strip HTML markup so the LLM receives readable text instead of raw HTML.
-      // Reduces a typical 150k-char page to ~25-40k chars, cutting chunk count
-      // from ~16 to ~3 and preventing context-overflow re-fetch loops.
-      // Pass raw=true to skip stripping (e.g. when the agent needs to parse markup).
-      const looksLikeHtml = !raw && (/^\s*<!doctype\s+html/i.test(body) || /^\s*<html[\s>]/i.test(body));
-      const processedBody = looksLikeHtml
-        ? body
-            .replace(/<script[\s\S]*?<\/script>/gi, ' ')
-            .replace(/<style[\s\S]*?<\/style>/gi, ' ')
-            .replace(/<[^>]+>/g, ' ')
-            .replace(/&nbsp;/gi, ' ')
-            .replace(/&amp;/gi, '&')
-            .replace(/&lt;/gi, '<')
-            .replace(/&gt;/gi, '>')
-            .replace(/&quot;/gi, '"')
-            .replace(/&#x?[\da-f]+;/gi, ' ')
-            .replace(/\s{2,}/g, ' ')
-            .trim()
-        : body;
-      if (processedBody.length > HTTP_CHUNK_CHARS) {
-        const chunks = [];
-        for (let i = 0; i < processedBody.length; i += HTTP_CHUNK_CHARS) {
-          chunks.push(processedBody.slice(i, i + HTTP_CHUNK_CHARS));
-        }
-        _httpChunkStore.set(url, { chunks: chunks.slice(1), total: chunks.length, delivered: 1 });
-        return { status_code: statusCode, body: chunks[0], chunked: true, part: 1, total_parts: chunks.length, key: url };
-      }
-      _httpChunkStore.delete(url);
-      return { status_code: statusCode, body: processedBody };
-    }
-    if (action === 'http_get_next') {
-      const key = arg0;
-      const store = _httpChunkStore.get(key);
-      if (!store || store.chunks.length === 0) {
-        _httpChunkStore.delete(key);
-        return { key, body: '', part: null, total_parts: null, done: true };
-      }
-      const nextChunk = store.chunks[0];
-      store.chunks = store.chunks.slice(1);
-      store.delivered += 1;
-      const done = store.chunks.length === 0;
-      if (done) _httpChunkStore.delete(key);
-      return { key, body: nextChunk, part: store.delivered, total_parts: store.total, done };
-    }
     if (action === 'http_get') {
       const url = arg0;
-      const rawHtml = arg1 === 'true';
       if (_dryRun) {
         _skippedOps.push({ category: 'net', symbol: '↓', desc: `GET ${url}` });
         logToolCall('http_get', { url }, false, 'dry-run');
         return { status: 'dry-run', message: 'dry-run: network call skipped' };
       }
-      const approved = await permissionManager.askPermission('shell', `HTTP GET ${url}`, 'http_get');
+      const approved = await permissionManager.askPermission('net', `HTTP GET ${url}`, 'http_get');
       if (!approved) {
         logToolCall('http_get', { url }, false, 'denied');
         return { error: 'Permission denied' };
       }
       const httpCfg = getConfig ? getConfig() : {};
       const reqTimeoutMs = Math.max(15000, httpCfg.request_timeout_ms || 15000);
+      const maxBytes = Math.max(1024, httpCfg.http_fetch_max_bytes || 262144);
       return new Promise((resolve) => {
         function doGet(target, redirectsLeft) {
           const proto = target.startsWith('https') ? https : http;
@@ -645,24 +688,50 @@ function createToolExecutor(permissionManager, ui, getConfig) {
               res.resume();
               return doGet(res.headers.location, redirectsLeft - 1);
             }
-            let data = '';
-            res.setEncoding('utf8');
-            res.on('data', (chunk) => { data += chunk; });
+            const bufs = [];
+            let totalBytes = 0;
+            let capped = false;
+            res.on('data', (chunk) => {
+              totalBytes += chunk.length;
+              if (!capped) {
+                if (totalBytes <= maxBytes) {
+                  bufs.push(chunk);
+                } else {
+                  const keep = maxBytes - (totalBytes - chunk.length);
+                  if (keep > 0) bufs.push(chunk.slice(0, keep));
+                  capped = true;
+                  // Keep the connection draining so totalBytes reflects reality,
+                  // but stop buffering further bytes.
+                }
+              }
+            });
             res.on('end', () => {
-              _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}HTTP GET ${target} (${res.statusCode}, ${data.length} chars)${RST}`);
+              const kept = Buffer.concat(bufs);
+              const keptBytes = kept.length;
+              let body = kept.toString('utf8');
+              if (capped) {
+                const origKb = (totalBytes / 1024).toFixed(0);
+                const keptKb = (keptBytes / 1024).toFixed(0);
+                const droppedKb = ((totalBytes - keptBytes) / 1024).toFixed(0);
+                body += `\n\n[... truncated: original was ${origKb}KB, showing first ${keptKb}KB. The remaining ${droppedKb}KB was discarded. If you need the rest, narrow your request (e.g. fetch a specific subpage) rather than retrying this URL.]`;
+              }
+              _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}HTTP GET ${target} (${res.statusCode}, ${totalBytes} bytes${capped ? `, truncated to ${keptBytes}` : ''})${RST}`);
               logToolCall('http_get', { url: target }, true, res.statusCode < 400 ? 'ok' : 'error');
-              resolve(buildHttpResult(url, res.statusCode, data, rawHtml));
+              // `bytes` is the total transferred payload length (pre-cap);
+              // consumers that want to know the wire size without parsing
+              // the appended truncation note rely on this.
+              resolve({ status_code: res.statusCode, body, bytes: totalBytes });
             });
           });
           req.on('error', (err) => {
             _log(`  ${FG_RED}✗ ${err.message}${RST}`);
             logToolCall('http_get', { url: target }, true, 'error');
-            resolve({ error: err.message });
+            resolve({ error: err.message, error_code: err.code });
           });
           req.setTimeout(reqTimeoutMs, () => {
             req.destroy();
             logToolCall('http_get', { url: target }, true, 'error');
-            resolve({ error: 'Request timeout' });
+            resolve({ error: 'Request timeout', error_code: 'ETIMEDOUT' });
           });
         }
         doGet(url, 5);
@@ -671,7 +740,7 @@ function createToolExecutor(permissionManager, ui, getConfig) {
     if (action === 'ask_user') {
       const question = arg0;
-      const approved = await permissionManager.askPermission('shell', `Ask user: ${question}`, 'ask_user');
+      const approved = await permissionManager.askPermission('user', `Ask user: ${question}`, 'ask_user');
       if (!approved) {
         logToolCall('ask_user', { question }, false, 'denied');
         return { error: 'Permission denied' };
@@ -683,10 +752,12 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         return { question, answer: selected || options[0] };
       }
       if (!process.stdout.isTTY || process.stdin.isRaw) {
-        process.stdout.write(`\n  ${FG_YELLOW}?${RST} ${question}\n  ${DIM}[auto-answering 'y']${RST}\n`);
+        writer.scrollback(`\n  ${FG_YELLOW}?${RST} ${question}\n  ${DIM}[auto-answering 'y']${RST}`);
         logToolCall('ask_user', { question }, true, 'ok');
         return { question, answer: 'y' };
       }
+      // audit: allowed — inline prompt without trailing newline; unreachable when TUI writer is active
+      // (process.stdin.isRaw is true while the TUI input field holds raw mode).
       process.stdout.write(`\n  ${FG_YELLOW}?${RST} ${question}\n  ${FG_GRAY}>${RST} `);
       const buf = Buffer.alloc(4096);
       let input = '';
@@ -706,17 +777,17 @@ function createToolExecutor(permissionManager, ui, getConfig) {
     if (action === 'store_memory') {
       const key = arg0;
       const value = arg1 || '';
-      const approved = await permissionManager.askPermission('file', `Store memory: ${key}`, 'store_memory');
+      const approved = await permissionManager.askPermission('memory', `Store memory: ${key}`, 'store_memory');
       if (!approved) {
         logToolCall('store_memory', { key }, false, 'denied');
         return { error: 'Permission denied' };
       }
       try {
         let mem = {};
-        try { mem = JSON.parse(fs.readFileSync(MEMORY_PATH, 'utf8')); } catch {}
+        try { mem = JSON.parse(await fsp.readFile(MEMORY_PATH, 'utf8')); } catch {}
         mem[key] = value;
-        fs.mkdirSync(path.dirname(MEMORY_PATH), { recursive: true });
-        fs.writeFileSync(MEMORY_PATH, JSON.stringify(mem, null, 2));
+        await fsp.mkdir(path.dirname(MEMORY_PATH), { recursive: true });
+        await fsp.writeFile(MEMORY_PATH, JSON.stringify(mem, null, 2));
         _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}Stored memory: ${key}${RST}`);
         logToolCall('store_memory', { key }, true, 'ok');
         return { status: 'ok', key };
@@ -729,14 +800,9 @@ function createToolExecutor(permissionManager, ui, getConfig) {
     if (action === 'recall_memory') {
       const key = arg0;
-      const approved = await permissionManager.askPermission('file', `Recall memory: ${key}`, 'recall_memory');
-      if (!approved) {
-        logToolCall('recall_memory', { key }, false, 'denied');
-        return { error: 'Permission denied' };
-      }
       try {
         let mem = {};
-        try { mem = JSON.parse(fs.readFileSync(MEMORY_PATH, 'utf8')); } catch {}
+        try { mem = JSON.parse(await fsp.readFile(MEMORY_PATH, 'utf8')); } catch {}
         const found = key in mem;
         const value = found ? mem[key] : null;
         _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}Recalled memory: ${key}${RST}`);
@@ -750,14 +816,9 @@ function createToolExecutor(permissionManager, ui, getConfig) {
     }
     if (action === 'list_memories') {
-      const approved = await permissionManager.askPermission('file', 'List memories', 'list_memories');
-      if (!approved) {
-        logToolCall('list_memories', {}, false, 'denied');
-        return { error: 'Permission denied' };
-      }
       try {
         let mem = {};
-        try { mem = JSON.parse(fs.readFileSync(MEMORY_PATH, 'utf8')); } catch {}
+        try { mem = JSON.parse(await fsp.readFile(MEMORY_PATH, 'utf8')); } catch {}
         const keys = Object.keys(mem);
         _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}Listed ${keys.length} memory key(s)${RST}`);
         logToolCall('list_memories', {}, true, 'ok');
@@ -770,11 +831,6 @@ function createToolExecutor(permissionManager, ui, getConfig) {
     }
     if (action === 'system_info') {
-      const approved = await permissionManager.askPermission('shell', 'System info', 'system_info');
-      if (!approved) {
-        logToolCall('system_info', {}, false, 'denied');
-        return { error: 'Permission denied' };
-      }
       const info = {
         platform: os.platform(),
         arch: os.arch(),
@@ -848,9 +904,7 @@ function mapInvokeToCall(toolName, params) {
     case 'upload':
       return p.path ? ['upload', p.path, p.content != null ? p.content : ''] : null;
     case 'http_get':
-      return p.url ? ['http_get', p.url, p.raw || ''] : null;
-    case 'http_get_next':
-      return p.key ? ['http_get_next', p.key] : null;
+      return p.url ? ['http_get', p.url] : null;
     case 'ask_user':
       return p.question ? ['ask_user', p.question] : null;
     case 'store_memory':
@@ -872,7 +926,74 @@ function mapInvokeToCall(toolName, params) {
   }
 }
-function extractToolCalls(text) {
+// Compile a regex twice — once with double quotes, once with single — from a
+// template where `Q` stands for the quote char. Matches from both variants
+// are returned in a single iterable.
+function _matchDual(text, template) {
+  const results = [];
+  for (const q of ['"', "'"]) {
+    const re = new RegExp(template.replace(/Q/g, q), 'g');
+    for (const m of text.matchAll(re)) results.push(m);
+  }
+  return results;
+}
+// Models sometimes wrap the inline body of a single-value tool tag in a nested
+// pseudo-tag, e.g. `<list_dir><path>/tmp/foo</path></list_dir>` instead of the
+// documented `<list_dir>/tmp/foo</list_dir>`. When the body is exactly one
+// wrapper element (no siblings, no surrounding text), unwrap it once so the
+// parser recovers the intended value. Safe to call on any inline-content body
+// — a plain path/command/URL won't match the regex and is returned as-is.
+function _unwrapInnerTag(inner) {
+  if (inner == null) return inner;
+  const trimmed = String(inner).trim();
+  const m = trimmed.match(/^<(\w+)(?:\s[^>]*)?>([\s\S]*)<\/\1>$/);
+  if (!m) return inner;
+  return m[2].trim();
+}
+// MiniMax-M2 tool-call XML repair. Some inference backends — notably mlx-lm
+// on Apple Silicon clusters (see ml-explore/mlx-lm#1145) — strip the leading
+// `<` (or `</`) from `<invoke>` and `<parameter>` tags when sampling this
+// model, producing malformed output like:
+//
+//   <minimax:tool_call>
+//   invoke name="get_weather">      <-- `<` missing
+//   parameter name="x">v</parameter>
+//   invoke>                         <-- `</` missing
+//   </minimax:tool_call>
+//
+// Conservative repair: anchor each rewrite to the start of a line so parameter
+// values that happen to contain the substring `parameter>` or `invoke>` mid-
+// line are not corrupted. Limitation: a parameter value whose content begins a
+// new line with exactly `invoke>` or `parameter>` at column 0 will still be
+// rewritten — accepted as unfixable without full XML parsing. Opt-in via
+// `repair_malformed_tool_xml`; silent text mutation is dangerous when wrong.
+function repairMinimaxMalformedXml(text) {
+  if (typeof text !== 'string' || !text) return text;
+  return text
+    .replace(/^(\s*)invoke(\s+name=)/gm, '$1<invoke$2')
+    .replace(/^(\s*)parameter(\s+name=)/gm, '$1<parameter$2')
+    .replace(/^(\s*)invoke>/gm, '$1</invoke>')
+    .replace(/^(\s*)parameter>/gm, '$1</parameter>');
+}
+/**
+ * Parse tool-call tags out of assistant text.
+ *
+ * @param {string} text  Assistant reply text to scan.
+ * @param {object} [options]
+ * @param {boolean} [options.repairMalformedXml]  Run the MiniMax XML repair
+ *   pass before parsing.
+ * @param {string} [options.model]  Active model name. Accepted but unused
+ *   today — reserved for future per-model preprocess hooks and per-model
+ *   format prioritization (e.g. preferring JSON over XML for models that
+ *   emit both).
+ * @param {object} [options.config]  Resolved config. Same rationale as
+ *   `model`: accepted for forward-compat, not consumed here yet.
+ */
+function extractToolCalls(text, options = {}) {
+  if (options.repairMalformedXml) text = repairMinimaxMalformedXml(text);
   const calls = [];
   // MiniMax-M2 / Qwen3 native tool-call wrappers. Emitted inline when the
@@ -902,6 +1023,48 @@ function extractToolCalls(text) {
     }
   }
+  // Qwen3-Coder / Qwen3.5 XML tool-call format. Distinct from MiniMax and
+  // Hermes: the tool name lives on the opening tag as an `=name` suffix
+  // rather than a `name="..."` attribute, and parameters use the same `=key`
+  // shape:
+  //
+  //   <function=write_file>
+  //   <parameter=path>a.json</parameter>
+  //   <parameter=content>{"k":1}</parameter>
+  //   </function>
+  //
+  // Values are kept as raw strings. The vLLM reference parser consults the
+  // tool's JSON schema to decide per-parameter whether to string/int/
+  // literal_eval a value; `mapInvokeToCall` has no schema, so schema-guided
+  // decoding isn't available here. The existing string-typed tools match the
+  // MiniMax/Hermes convention (content for write_file, command for shell,
+  // etc.) arrive as raw strings, which is also the vLLM default when a param
+  // is declared string-typed — the dominant case.
+  //
+  // TODO: if a tool ever takes an object/array param, revisit and port the
+  // schema-guided typing logic from
+  // https://github.com/vllm-project/vllm/tree/main/vllm/tool_parsers
+  // (qwen3xml_tool_parser.py → find_tool_properties / repair_param_type).
+  //
+  // Limitation: the non-greedy `[\s\S]*?` anchors on the first `</parameter>`
+  // inside the value. A parameter whose value legitimately contains the
+  // literal substring `</parameter>` — possible for a code-writing tool
+  // emitting docs about this very format — will be truncated. We accept
+  // this rather than attempt balanced/escaped matching.
+  const QWEN3_FN_BLOCK_RE = /<function=([^\s>]+)\s*>([\s\S]*?)<\/function>/g;
+  const QWEN3_PARAM_RE = /<parameter=([^\s>]+)\s*>([\s\S]*?)<\/parameter>/g;
+  for (const fnMatch of text.matchAll(QWEN3_FN_BLOCK_RE)) {
+    const params = {};
+    for (const pMatch of fnMatch[2].matchAll(QWEN3_PARAM_RE)) {
+      let val = pMatch[2];
+      if (val.startsWith('\n')) val = val.slice(1);
+      if (val.endsWith('\n')) val = val.slice(0, -1);
+      params[pMatch[1]] = val;
+    }
+    const call = mapInvokeToCall(fnMatch[1], params);
+    if (call) calls.push(call);
+  }
   // Qwen3 / Hermes-style JSON tool-call format. Qwen3-30B-A3B, Qwen3.5-4B,
   // and most Qwen-derived finetunes (Qwen3.6-Opus4.7 etc.) emit:
   //
@@ -935,10 +1098,39 @@ function extractToolCalls(text) {
     let parsed = null;
     try { parsed = JSON.parse(inner); } catch {}
     if (!parsed) {
+      // Walk the string tracking quote/escape state and brace depth. Slice
+      // the first balanced {...} block we find. Falls back to lastIndexOf
+      // if the walker can't lock onto a balanced pair.
       const firstBrace = inner.indexOf('{');
-      const lastBrace = inner.lastIndexOf('}');
-      if (firstBrace !== -1 && lastBrace > firstBrace) {
-        try { parsed = JSON.parse(inner.slice(firstBrace, lastBrace + 1)); } catch {}
+      if (firstBrace !== -1) {
+        let depth = 0;
+        let inString = false;
+        let escaped = false;
+        let endIdx = -1;
+        for (let i = firstBrace; i < inner.length; i++) {
+          const ch = inner[i];
+          if (inString) {
+            if (escaped) { escaped = false; continue; }
+            if (ch === '\\') { escaped = true; continue; }
+            if (ch === '"') { inString = false; }
+            continue;
+          }
+          if (ch === '"') { inString = true; continue; }
+          if (ch === '{') depth++;
+          else if (ch === '}') {
+            depth--;
+            if (depth === 0) { endIdx = i; break; }
+          }
+        }
+        if (endIdx !== -1) {
+          try { parsed = JSON.parse(inner.slice(firstBrace, endIdx + 1)); } catch {}
+        }
+        if (!parsed) {
+          const lastBrace = inner.lastIndexOf('}');
+          if (lastBrace > firstBrace) {
+            try { parsed = JSON.parse(inner.slice(firstBrace, lastBrace + 1)); } catch {}
+          }
+        }
       }
     }
     if (!parsed) continue;
@@ -964,113 +1156,120 @@ function extractToolCalls(text) {
   }
   for (const match of text.matchAll(/<(?:shell|exec|run_command|run)>([\s\S]*?)<\/(?:shell|exec|run_command|run)>/g)) {
-    calls.push(['shell', match[1].trim()]);
+    calls.push(['shell', _unwrapInnerTag(match[1]).trim()]);
   }
   for (const match of text.matchAll(/<read_file>([\s\S]*?)<\/read_file>/g)) {
-    calls.push(['read', match[1].trim()]);
+    calls.push(['read', _unwrapInnerTag(match[1]).trim()]);
   }
-  for (const match of text.matchAll(/<read_file\s+path="([^"]+)"\s*\/?>/g)) {
+  for (const match of _matchDual(text, '<read_file\\s+path=Q([^Q]+)Q\\s*\\/?>')) {
     calls.push(['read', match[1]]);
   }
-  for (const match of text.matchAll(/<write_file\s+path="([^"]+)">([\s\S]*?)<\/write_file>/g)) {
+  for (const match of _matchDual(text, '<write_file\\s+path=Q([^Q]+)Q>([\\s\\S]*?)<\\/write_file>')) {
     calls.push(['write', match[1], match[2]]);
   }
-  for (const match of text.matchAll(/<create_file\s+path="([^"]+)">([\s\S]*?)<\/create_file>/g)) {
+  for (const match of _matchDual(text, '<create_file\\s+path=Q([^Q]+)Q>([\\s\\S]*?)<\\/create_file>')) {
     calls.push(['write', match[1], match[2]]);
   }
-  for (const match of text.matchAll(/<append_file\s+path="([^"]+)">([\s\S]*?)<\/append_file>/g)) {
+  for (const match of _matchDual(text, '<append_file\\s+path=Q([^Q]+)Q>([\\s\\S]*?)<\\/append_file>')) {
     calls.push(['append', match[1], match[2]]);
   }
   for (const match of text.matchAll(/<list_dir>([\s\S]*?)<\/list_dir>/g)) {
-    calls.push(['list_dir', match[1].trim()]);
+    calls.push(['list_dir', _unwrapInnerTag(match[1]).trim()]);
   }
   for (const match of text.matchAll(/<search_files>([\s\S]*?)<\/search_files>/g)) {
-    calls.push(['search_files', match[1].trim(), '.']);
+    calls.push(['search_files', _unwrapInnerTag(match[1]).trim(), '.']);
   }
-  for (const match of text.matchAll(/<search_files\s+pattern="([^"]+)"(?:\s+dir="([^"]*)")?\s*(?:><\/search_files>|\/>)/g)) {
+  for (const match of _matchDual(text, '<search_files\\s+pattern=Q([^Q]+)Q(?:\\s+dir=Q([^Q]*)Q)?\\s*(?:><\\/search_files>|\\/>)')) {
     calls.push(['search_files', match[1], match[2] || '.']);
   }
   for (const match of text.matchAll(/<delete_file>([\s\S]*?)<\/delete_file>/g)) {
-    calls.push(['delete_file', match[1].trim()]);
+    calls.push(['delete_file', _unwrapInnerTag(match[1]).trim()]);
   }
   for (const match of text.matchAll(/<make_dir>([\s\S]*?)<\/make_dir>/g)) {
-    calls.push(['make_dir', match[1].trim()]);
+    calls.push(['make_dir', _unwrapInnerTag(match[1]).trim()]);
   }
   for (const match of text.matchAll(/<remove_dir>([\s\S]*?)<\/remove_dir>/g)) {
-    calls.push(['remove_dir', match[1].trim()]);
+    calls.push(['remove_dir', _unwrapInnerTag(match[1]).trim()]);
   }
   for (const match of text.matchAll(/<get_env>([\s\S]*?)<\/get_env>/g)) {
-    calls.push(['get_env', match[1].trim()]);
+    calls.push(['get_env', _unwrapInnerTag(match[1]).trim()]);
   }
-  for (const match of text.matchAll(/<set_env\s+name="([^"]+)"\s+value="([^"]*)"\s*(?:><\/set_env>|\/>)/g)) {
+  for (const match of _matchDual(text, '<set_env\\s+name=Q([^Q]+)Q\\s+value=Q([^Q]*)Q\\s*(?:><\\/set_env>|\\/>)')) {
     calls.push(['set_env', match[1], match[2]]);
   }
-  for (const match of text.matchAll(/<move_file\s+src="([^"]+)"\s+dst="([^"]+)"\s*(?:><\/move_file>|\/>)/g)) {
+  for (const match of _matchDual(text, '<move_file\\s+src=Q([^Q]+)Q\\s+dst=Q([^Q]+)Q\\s*(?:><\\/move_file>|\\/>)')) {
     calls.push(['move_file', match[1], match[2]]);
   }
-  for (const match of text.matchAll(/<copy_file\s+src="([^"]+)"\s+dst="([^"]+)"\s*(?:><\/copy_file>|\/>)/g)) {
+  for (const match of _matchDual(text, '<copy_file\\s+src=Q([^Q]+)Q\\s+dst=Q([^Q]+)Q\\s*(?:><\\/copy_file>|\\/>)')) {
     calls.push(['copy_file', match[1], match[2]]);
   }
-  for (const match of text.matchAll(/<edit_file\s+path="([^"]+)"\s+line="(\d+)">([\s\S]*?)<\/edit_file>/g)) {
+  for (const match of _matchDual(text, '<edit_file\\s+path=Q([^Q]+)Q\\s+line=Q(\\d+)Q>([\\s\\S]*?)<\\/edit_file>')) {
     calls.push(['edit_file', match[1], parseInt(match[2], 10), match[3]]);
   }
-  for (const match of text.matchAll(/<search_in_file\s+path="([^"]+)">([\s\S]*?)<\/search_in_file>/g)) {
+  for (const match of _matchDual(text, '<search_in_file\\s+path=Q([^Q]+)Q>([\\s\\S]*?)<\\/search_in_file>')) {
     calls.push(['search_in_file', match[1], match[2].trim()]);
   }
-  for (const match of text.matchAll(/<replace_in_file\s+path="([^"]+)"\s+search="([^"]*)"\s+replace="([^"]*)">([\s\S]*?)<\/replace_in_file>/g)) {
+  for (const match of _matchDual(text, '<replace_in_file\\s+path=Q([^Q]+)Q\\s+search=Q([^Q]*)Q\\s+replace=Q([^Q]*)Q>([\\s\\S]*?)<\\/replace_in_file>')) {
     calls.push(['replace_in_file', match[1], match[2], match[3], match[4].trim()]);
   }
   for (const match of text.matchAll(/<download>([\s\S]*?)<\/download>/g)) {
-    calls.push(['download', match[1].trim()]);
+    calls.push(['download', _unwrapInnerTag(match[1]).trim()]);
   }
-  for (const match of text.matchAll(/<upload\s+path="([^"]+)">([\s\S]*?)<\/upload>/g)) {
+  for (const match of _matchDual(text, '<upload\\s+path=Q([^Q]+)Q>([\\s\\S]*?)<\\/upload>')) {
     calls.push(['upload', match[1], match[2]]);
   }
   for (const match of text.matchAll(/<file_stat>([\s\S]*?)<\/file_stat>/g)) {
-    calls.push(['file_stat', match[1].trim()]);
+    calls.push(['file_stat', _unwrapInnerTag(match[1]).trim()]);
   }
   for (const match of text.matchAll(/<http_get\b([^>]*?)(?:><\/http_get>|\/>)/g)) {
     const attrStr = match[1];
-    const urlMatch = attrStr.match(/url="([^"]+)"/);
-    const rawMatch = attrStr.match(/raw="([^"]+)"/);
-    if (urlMatch) calls.push(['http_get', urlMatch[1], rawMatch ? rawMatch[1] : '']);
+    const urlMatch = attrStr.match(/url="([^"]+)"/) || attrStr.match(/url='([^']+)'/);
+    if (urlMatch) calls.push(['http_get', urlMatch[1]]);
   }
-  for (const match of text.matchAll(/<http_get_next\s+key="([^"]+)"\s*(?:><\/http_get_next>|\/>)/g)) {
-    calls.push(['http_get_next', match[1]]);
+  // Inline-content form: <http_get>URL</http_get>. Models mirror the style of
+  // <list_dir>, <download>, etc. even though the system prompt advertises the
+  // attribute form — accept both so the second tag in a multi-call response
+  // isn't silently dropped. Also tolerate `<http_get>url="URL"</http_get>` where
+  // the model put the attribute syntax in the body.
+  for (const match of text.matchAll(/<http_get>([\s\S]*?)<\/http_get>/g)) {
+    const inner = match[1].trim();
+    if (!inner) continue;
+    const urlAttr = inner.match(/url="([^"]+)"/) || inner.match(/url='([^']+)'/);
+    calls.push(['http_get', urlAttr ? urlAttr[1] : _unwrapInnerTag(inner).trim()]);
   }
-  for (const match of text.matchAll(/<ask_user\s+question="([^"]+)"\s*(?:><\/ask_user>|\/>)/g)) {
+  for (const match of _matchDual(text, '<ask_user\\s+question=Q([^Q]+)Q\\s*(?:><\\/ask_user>|\\/>)')) {
     calls.push(['ask_user', match[1]]);
   }
-  for (const match of text.matchAll(/<store_memory\s+key="([^"]+)">([\s\S]*?)<\/store_memory>/g)) {
+  for (const match of _matchDual(text, '<store_memory\\s+key=Q([^Q]+)Q>([\\s\\S]*?)<\\/store_memory>')) {
     calls.push(['store_memory', match[1], match[2]]);
   }
-  for (const match of text.matchAll(/<recall_memory\s+key="([^"]+)"\s*(?:><\/recall_memory>|\/>)/g)) {
+  for (const match of _matchDual(text, '<recall_memory\\s+key=Q([^Q]+)Q\\s*(?:><\\/recall_memory>|\\/>)')) {
     calls.push(['recall_memory', match[1]]);
   }
@@ -1085,10 +1284,31 @@ function extractToolCalls(text) {
   return calls;
 }
+// Transform a TOOL_SPECS-shaped object into an OpenAI-format `tools` array
+// suitable for the `tools` field of a chat/completions request. Pure: no
+// filtering, no caching, no validation. Insertion order is preserved.
+function buildToolsSchema(toolSpecs) {
+  const tools = [];
+  for (const [name, spec] of Object.entries(toolSpecs)) {
+    tools.push({
+      type: 'function',
+      function: {
+        name,
+        description: spec.description,
+        parameters: spec.parameters,
+      },
+    });
+  }
+  return tools;
+}
 module.exports = {
+  buildToolsSchema,
   createToolExecutor,
   extractToolCalls,
   getSkippedOps,
+  isUIActive,
   mapInvokeToCall,
+  repairMinimaxMalformedXml,
   setUIActive,
 };