@semalt-ai/code 1.8.4 → 1.8.5

package/.claude/settings.local.json

@@ -15,7 +15,9 @@
       "Bash(python3 *)",
       "Read(//tmp/**)",
       "Bash(sed -i \"s/addMessage\\('>>> AI MSG 2'.*$/addMessage\\('>>> AI MSG 2',   ['response body 2a', 'response body 2b']\\);\\\\nfor \\(let k = 3; k <= 8; k++\\) { addMessage\\('>>> USER MSG ' + k, ['line body ' + k]\\); addMessage\\('>>> AI MSG ' + k, ['response body ' + k + 'a', 'response body ' + k + 'b']\\); }/\" scroll-capture.js)",
-      "Bash(echo \"exit=$?\")"
+      "Bash(echo \"exit=$?\")",
+      "Bash(echo \"---grep done, exit=$?---\")",
+      "Bash(grep *)"
     ]
   }
 }

package/CLAUDE.md

@@ -87,7 +87,10 @@ semalt-code config [set <key> <val>]   # show or update config keys
 --dashboard-url <url>     dashboard base URL (overrides config)
 --default-model <name>    set default model in config
 --show-think              display model reasoning (thinking) content
---debug                   print raw AI response (stderr) each iteration
+--debug                   inline debug: per-iteration debug block in chat history (TUI-safe)
+--debug-file <path>       extended debug: per-iteration block + raw SSE chunks
+                          + request body dumps written to <path>, nothing to stdout.
+                          Mutually exclusive with --debug.
 --allow-fs                auto-approve all filesystem operations
 --allow-exec              auto-approve shell command execution
 --allow-net               auto-approve network operations

package/TECHNICAL_DEBT.md

@@ -0,0 +1,66 @@
+## Activity region in-place update breaks when a modal is open
+
+When a modal occupies screen lines below an active activity bubble, the
+activity region's redraw mechanism appears to fall back to scrollback
+append per tick instead of in-place rewrite. Surfaced via the `ask_user`
+ticking-timer bug; mitigated by making `ask_user` a static bubble.
+
+Latent: any future long-running tool that opens a modal concurrently
+(none today) will reproduce the fragmentation. Fix likely involves
+making the activity region modal-aware in `lib/ui/writer.js` — when a
+modal region is active, route activity updates through a path that
+clears modal, redraws activity, redraws modal — or reserves activity
+above the modal in a way that survives modal lifecycle.
+
+Not blocking. Revisit if a second use-case appears.
+
+## `cmdShell` and `chatStream` write to stdout bypassing the writer
+
+Several call sites currently emit directly to `process.stdout.write`
+without going through `lib/ui/writer.js`:
+
+- `lib/commands.js` (`cmdShell`)
+- `lib/api.js` (streaming output path)
+
+These were flagged during the Phase 2 writer audit and annotated as
+`// audit: allowed` because they need to interleave with synchronous
+writes from `StreamRenderer`. Routing them through the writer today
+would require buffering or sequencing changes that don't compose with
+how `StreamRenderer` flushes content per chunk.
+
+Resolves when: `StreamRenderer` itself is migrated to write through
+the writer. After that, the bypass annotations can be removed and
+these call sites become normal `writer.scrollback(...)` calls.
+
+Not blocking. The audit annotation makes the bypass intentional and
+greppable. Revisit when `StreamRenderer` migration is on the table.
+
+## Tool result storage: single `content` field used for both model and UI
+
+Storage (PHP backend, MySQL `messages` table) holds one `content` field
+per tool result. The full payload is required for the model on
+subsequent turns, but the UI needs a compact summary (e.g. `net · GET
+https://... · 200 · 256 KB`).
+
+Today this is handled UI-side: `summarizeToolResult` in
+`lib/ui/format.js` runs read-side heuristics on the raw `content` every
+time `/history` renders. Heuristics cover HTTP, exec, file ops, with
+a fallback for unknown shapes. They work in practice but are a
+compromise — any tool whose output format drifts will fall through to
+the generic fallback until the heuristic is updated.
+
+Full fix: storage holds both `content` (full, model-bound) and
+`display` (pre-rendered summary, UI-bound). Summary is generated
+write-side at tool execution time, when the live activity bubble
+already produces the right string — that string just needs to be
+captured and persisted alongside the full content.
+
+Resolves when: backend schema migration for native function calling
+lands (Phase 2.2 of the native-tools plan, which already touches the
+`messages` table). Adding a `display` column in the same migration is
+cheap; doing it as a separate migration later is not. When this lands,
+`summarizeToolResult` becomes unnecessary for new tool results; it
+stays only as a fallback for legacy rows lacking `display`.
+
+Not blocking — current heuristics cover all 33 tools' output shapes.
+Track until Phase 2.2 lands.

package/index.js

@@ -49,7 +49,7 @@ if (_argv.includes('--allow-all')) {
 const _readonly = _argv.includes('--readonly');
 
 const permissionManager = createPermissionManager(ui, { allowedTiers: _allowedTiers, readonly: _readonly });
-const { agentExecShell, agentExecFile } = createToolExecutor(permissionManager, ui, getConfig);
+const { agentExecShell, agentExecFile, describePermission } = createToolExecutor(permissionManager, ui, getConfig);
 const apiClient = createApiClient({
   getConfig,
   saveConfig: (nextConfig) => {
@@ -66,6 +66,8 @@ const { runAgentLoop } = createAgentRunner({
   }),
   agentExecShell,
   agentExecFile,
+  describePermission,
+  permissionManager,
   ui,
   getConfig,
 });
@@ -119,7 +121,12 @@ Options:
   --dashboard-url <url>   Dashboard URL           (init)
   --default-model <name>  Default model           (init)
   --show-think            Display model reasoning (thinking) content
-  --debug                 Print messages sent to agent + raw AI response (stderr) each iteration
+  --debug                 Inline debug output: per-iteration debug block in the
+                          chat history. TUI-safe; no per-chunk noise.
+  --debug-file <path>     Extended debug to file: per-iteration block PLUS raw
+                          SSE chunks, request body dumps, accumulator state,
+                          and other high-volume traces. Nothing prints to stdout
+                          — the TUI stays clean. Mutually exclusive with --debug.
   --allow-fs              Auto-approve all filesystem operations
   --allow-exec            Auto-approve shell command execution
   --allow-net             Auto-approve network operations

package/lib/agent.js

@@ -3,13 +3,16 @@
 const { logToolCall } = require('./audit');
 const { Metrics } = require('./metrics');
 const { getSystemPrompt } = require('./prompts');
+const { isNativeToolsActive } = require('./config');
 const { TAG_REGISTRY } = require('./constants');
 const { mapInvokeToCall } = require('./tools');
+const { TOOL_SPECS } = require('./tool_specs');
 const { UI_THEME } = require('./ui/theme');
 const { RST } = require('./ui/ansi');
 const { getCols: _getCols, repeatToWidth } = require('./ui/utils');
 const writer = require('./ui/writer');
 const messages = require('./ui/messages');
+const dbg = require('./debug');
 
 class StreamParser {
   constructor(onToken, onTagOpen, onTagContent, onTagClose) {
@@ -180,7 +183,8 @@ function abortableSleep(ms, signal) {
   });
 }
 
-function detectFormat(reply, toolCalls) {
+function detectFormat(reply, toolCalls, nativeToolCalls) {
+  if (nativeToolCalls && nativeToolCalls.length > 0) return 'native_tool_calls';
   if (!reply || !reply.trim()) return 'empty';
   if (/<(minimax:tool_call|qwen:tool_call|tool_call|function_call)\b/i.test(reply)) return 'tool_call';
   if (toolCalls && toolCalls.length > 0) return 'command';
@@ -222,6 +226,26 @@ function previewCommand(call) {
   return trimmed ? `<${tag}> ${trimmed}` : `<${tag}>`;
 }
 
+// Classify why mapInvokeToCall returned null for a native tool_call so the
+// debug block (and the corrective retry hint) can surface the specific cause
+// instead of a generic "unknown name or invalid args". Source of truth is
+// TOOL_SPECS — its `required` array tells us which positional args the
+// native API advertised, and `wrapper:true` flags parser envelopes that
+// must never appear as a model-emitted tool name.
+function describeNativeRejection(toolName, params) {
+  const lowerName = (toolName || '').toLowerCase();
+  const spec = TOOL_SPECS[lowerName];
+  if (!spec || spec.wrapper) {
+    return 'unknown name (not in TOOL_SPECS / not supported by mapInvokeToCall)';
+  }
+  const required = (spec.parameters && spec.parameters.required) || [];
+  const missing = required.filter((r) => params[r] === undefined || params[r] === null);
+  if (missing.length > 0) {
+    return `missing required arg: ${missing.join(', ')}`;
+  }
+  return 'mapInvokeToCall returned null without specific reason';
+}
+
 function formatDebugBlock(sections) {
   // The debug block is rendered as a tool-output message in the TUI. Chat
   // history indents output by 5 cols; account for that so the frame still
@@ -418,7 +442,7 @@ function _attrsFromCall(call) {
   }
 }
 
-function createAgentRunner({ chatStream, extractToolCalls, agentExecShell, agentExecFile, ui, getConfig }) {
+function createAgentRunner({ chatStream, extractToolCalls, agentExecShell, agentExecFile, describePermission, permissionManager, ui, getConfig }) {
   const { BOLD, FG_DARK, FG_GRAY, FG_TEAL, FG_YELLOW, RST, THEME, getCols } = ui;
 
   function formatFileResult(call, result) {
@@ -542,8 +566,7 @@ function createAgentRunner({ chatStream, extractToolCalls, agentExecShell, agent
       }
       case 'http_get': {
         const url = attrs.url || content;
-        const raw = attrs.raw || '';
-        return formatFileResult(['http_get', url, raw], await agentExecFile('http_get', url, raw));
+        return formatFileResult(['http_get', url], await agentExecFile('http_get', url));
       }
       case 'ask_user': {
         const q = attrs.question || content;
@@ -598,22 +621,23 @@ function createAgentRunner({ chatStream, extractToolCalls, agentExecShell, agent
     const metrics = new Metrics(tokenLimit);
     const mode = overrideMode || 'system_role';
 
-    // Route debug blocks to the UI callback when present (interactive TUI mode
-    // overwrites stderr with redraws, losing the output). Fall back to stderr
-    // for one-shot/non-TTY flows where there's no UI to host the block.
+    // Route debug blocks based on debug mode.
+    //   file mode   — write to the debug file. Never touch the TUI.
+    //   simple mode — UI callback when present (chat-bubble in interactive
+    //                 TUI), fall back to stderr for one-shot/non-TTY flows.
+    //   off mode    — discard. (debug=true can also come from in-chat /debug
+    //                 toggle with no global mode active.)
     const emitDebug = (block) => {
+      if (dbg.isFile()) {
+        dbg.log(block);
+        return;
+      }
       if (typeof cb.onDebug === 'function') cb.onDebug(block);
       // audit: allowed — stderr debug under --debug flag (no UI hosting available).
       else process.stderr.write('\n' + block + '\n');
     };
 
-    // Resolve native_tools from the active profile (matched by api_base+model).
-    // Fallback to true if no matching profile — mirrors config-normalization default.
-    const _cfg = typeof getConfig === 'function' ? getConfig() : {};
-    const _profile = Array.isArray(_cfg.models)
-      ? _cfg.models.find((p) => p && p.api_base === _cfg.api_base && p.model === model)
-      : null;
-    const nativeTools = _profile && _profile.native_tools === false ? false : true;
+    const nativeTools = isNativeToolsActive(model);
 
     const activeSystemPrompt = overrideSystemPrompt !== null ? overrideSystemPrompt : getSystemPrompt(nativeTools);
 
@@ -854,20 +878,35 @@ function createAgentRunner({ chatStream, extractToolCalls, agentExecShell, agent
       const nativeToolCalls = Array.isArray(result?.toolCalls) ? result.toolCalls : [];
       let toolCalls;
       let nativeToolCallIds = [];
+      // Per-call rejection records for native tool_calls that could not be
+      // converted to executable form (parse error or unknown name / missing
+      // required arg). Used downstream to (a) keep the assistant's tool_calls
+      // ↔ tool-result map consistent, and (b) feed a corrective hint back to
+      // the model so it retries instead of stalling.
+      const nativeRejections = [];
       if (nativeToolCalls.length > 0) {
         toolCalls = [];
         for (const tc of nativeToolCalls) {
+          const fnName = tc.function?.name || '(unknown)';
+          const argsRaw = tc.function?.arguments || '';
+          const argsPreview = argsRaw.length > 200 ? argsRaw.slice(0, 200) + '…' : argsRaw;
           let args;
           try {
-            args = tc.function?.arguments ? JSON.parse(tc.function.arguments) : {};
+            args = argsRaw ? JSON.parse(argsRaw) : {};
           } catch (err) {
-            if (cb.onError) cb.onError({ message: `Failed to parse tool_call arguments for ${tc.function?.name || '(unknown)'}: ${err.message}`, isWarning: true });
+            const reason = `JSON parse failed: ${err.message}`;
+            if (cb.onError) cb.onError({ message: `${fnName}: ${reason} Args: ${argsPreview}`, isWarning: true });
+            nativeRejections.push({ id: tc.id, name: fnName, argsPreview, reason });
             continue;
           }
-          const call = mapInvokeToCall(tc.function?.name, args);
+          const call = mapInvokeToCall(fnName, args);
           if (call) {
             toolCalls.push(call);
             nativeToolCallIds.push(tc.id);
+          } else {
+            const reason = describeNativeRejection(fnName, args);
+            if (cb.onError) cb.onError({ message: `${fnName}: ${reason} Args: ${argsPreview}`, isWarning: true });
+            nativeRejections.push({ id: tc.id, name: fnName, argsPreview, reason });
           }
         }
       } else {
@@ -895,17 +934,27 @@ function createAgentRunner({ chatStream, extractToolCalls, agentExecShell, agent
         const visibleTokens = Math.max(completionTokens - thinkingTokens, 0);
         const contextLimit = tokenLimit || null;
         const ctxPct = contextLimit ? Math.round((promptTokens / contextLimit) * 100) : null;
-        const detected = detectFormat(reply, toolCalls);
+        const detected = detectFormat(reply, toolCalls, nativeToolCalls);
         const firstCmd = toolCalls.length > 0 ? previewCommand(toolCalls[0]) : previewCommand(null);
         const toolTags = Object.entries(TAG_REGISTRY)
           .filter(([, e]) => e.type === 'tool')
           .map(([t]) => t);
+        const callableSpecCount = Object.values(TOOL_SPECS).filter((s) => !s.wrapper).length;
 
         const warnings = [];
         if (result.finish_reason === 'length') warnings.push('finish_reason=length  → response truncated, increase max_tokens');
         if (detected === 'tool_call' && toolCalls.length === 0) {
           warnings.push('commands_found=0      → agent emitted no command, client will stall');
         }
+        if (detected === 'native_tool_calls' && toolCalls.length === 0) {
+          const lines = [`commands_found=0      → all ${nativeToolCalls.length} native tool_call(s) rejected:`];
+          for (const r of nativeRejections) {
+            lines.push(`    • name="${r.name}"`);
+            lines.push(`      args=${r.argsPreview || '(empty)'}`);
+            lines.push(`      reason=${r.reason}`);
+          }
+          warnings.push(lines.join('\n'));
+        }
         if (ctxPct !== null && ctxPct > 80) warnings.push(`context_used=${ctxPct}%    → approaching context limit`);
 
         const block = formatDebugBlock({
@@ -931,7 +980,9 @@ function createAgentRunner({ chatStream, extractToolCalls, agentExecShell, agent
               ['temperature:', result.request?.temperature ?? '(default)'],
               ['stop_sequences:', JSON.stringify(result.request?.stop || [])],
               ['reasoning_effort:', '(n/a)'],
-              ['tools_enabled:', `${toolTags.length} XML tags (via system prompt)`],
+              ['tools_enabled:', nativeTools
+                ? `${callableSpecCount} functions (via tools API)`
+                : `${toolTags.length} XML tags (via system prompt)`],
             ]],
             ['RESPONSE', [
               ['finish_reason:', result.finish_reason || '(unknown)'],
@@ -981,7 +1032,13 @@ function createAgentRunner({ chatStream, extractToolCalls, agentExecShell, agent
       }
 
       const assistantMsg = { role: 'assistant', content: cleanedReply };
-      if (isNativeCall) assistantMsg.tool_calls = nativeToolCalls;
+      // Only attach tool_calls for the calls we actually accepted. Attaching
+      // rejected calls here would leave them without matching `tool` results
+      // on the next turn — strict providers reject the resulting history.
+      if (isNativeCall && nativeToolCallIds.length > 0) {
+        const acceptedSet = new Set(nativeToolCallIds);
+        assistantMsg.tool_calls = nativeToolCalls.filter((tc) => acceptedSet.has(tc.id));
+      }
       messages.push(assistantMsg);
       // When showThink is off and the turn has tool calls, suppress the text bubble —
       // pre-tool reasoning is noise, tool result bubbles already convey what happened.
@@ -989,6 +1046,29 @@ function createAgentRunner({ chatStream, extractToolCalls, agentExecShell, agent
       if (cb.onAssistantMessage) cb.onAssistantMessage(displayReply);
 
       if (toolCalls.length === 0) {
+        // Native mode: tool_calls came in but none could be converted (parse
+        // error or unknown name / missing required arg). Push a corrective
+        // user hint so the model retries instead of stalling. Without this
+        // the loop would break silently — that's the bug the migration set
+        // out to fix.
+        if (isNativeCall && nativeRejections.length > 0) {
+          const summary = nativeRejections
+            .map((r) => `- ${r.name}: ${r.reason}`)
+            .join('\n');
+          if (cb.onError) {
+            const names = nativeRejections.map((r) => r.name).join(', ');
+            cb.onError({
+              message: `Native tool_call(s) rejected: ${names}. Asking the model to retry with a valid call.`,
+              isWarning: true,
+            });
+          }
+          messages.push({
+            role: 'user',
+            content: `Your last response contained tool_calls that could not be executed:\n\n${summary}\n\nRetry with a valid tool name and complete required arguments per the tools schema.`,
+          });
+          continue;
+        }
+
         // Detect malformed known-tag syntax (e.g. <create_file> with no path
         // attribute, usually paired with nonsense like <attrs: path=...> inside
         // the body). Push a corrective feedback message and keep looping so
@@ -1027,36 +1107,125 @@ function createAgentRunner({ chatStream, extractToolCalls, agentExecShell, agent
       // never reused even if the agent runs the same tag twice.
       let invocationCounter = 0;
 
-      for (const call of toolCalls) {
-        if (isAborted()) { aborted = true; break; }
+      // Re-arm the abort watcher for the tool-execution phase. The API-call
+      // finally cleared the previous one, so without this a Ctrl+C while a
+      // long shell command is running would never reach the AbortSignal we
+      // now thread into agentExecShell — the child would keep running and
+      // the UI would show "Interrupted" without actually killing anything.
+      const toolAbortWatcher = setInterval(() => {
+        if (isAborted() && !controller.signal.aborted) controller.abort();
+      }, 50);
 
-        const tag = call[0] || 'unknown';
-        const arg = call[1] || '';
-        const toolStart = Date.now();
-        const invocationId = `tool-${iteration}-${invocationCounter++}-${tag}`;
-        const attrs = _attrsFromCall(call);
-        const startCtx = { id: invocationId, call, attrs, startedAt: toolStart };
+      try {
+        for (const call of toolCalls) {
+          if (isAborted()) { aborted = true; break; }
+
+          const tag = call[0] || 'unknown';
+          const arg = call[1] || '';
+          const attrs = _attrsFromCall(call);
+
+          // Permission gate, lifted out of the executors. Asking before
+          // onToolStart fires means the activity bubble (and its 1Hz
+          // ticker) doesn't pre-date grant — and on denial no bubble
+          // appears at all. The picker's own onCloseModal scrollback
+          // line ("✗ <description>") is the visual record of the denial.
+          let permDesc = null;
+          try {
+            permDesc = describePermission ? await describePermission(call) : null;
+          } catch (err) {
+            if (cb.onError) cb.onError({ message: `describePermission(${tag}): ${err.message}`, isWarning: true });
+          }
+          if (permDesc) {
+            if (cb.onPermissionAsk) cb.onPermissionAsk(tag, arg);
+            let approved = true;
+            try {
+              approved = await permissionManager.askPermission(permDesc.actionType, permDesc.description, permDesc.tag);
+            } catch (err) {
+              if (cb.onError) cb.onError({ message: `askPermission(${tag}): ${err.message}`, isWarning: true });
+              approved = false;
+            }
+            if (!approved) {
+              const resultStr = (tag === 'shell' || tag === 'exec')
+                ? `Command \`${arg}\`: Permission denied by user.`
+                : `${tag} ${arg}: Permission denied by user.`;
+              logToolCall(permDesc.tag, { args: call.slice(1) }, false, 'denied');
+              results.push(resultStr);
+              if (debugEntries) debugEntries.push({ tag, call, ms: 0, status: 'denied', exitCode: null, result: resultStr });
+              aborted = true;
+              break;
+            }
+          }
 
-        if (cb.onToolStart) cb.onToolStart(tag, arg, startCtx);
+          const toolStart = Date.now();
+          const invocationId = `tool-${iteration}-${invocationCounter++}-${tag}`;
+          const startCtx = { id: invocationId, call, attrs, startedAt: toolStart };
 
-        try {
-          if (tag === 'shell') {
-            const shellResult = await agentExecShell(arg);
+          if (cb.onToolStart) cb.onToolStart(tag, arg, startCtx);
+
+          try {
+            if (tag === 'shell') {
+              const shellResult = await agentExecShell(arg, { signal: controller.signal });
+              const ms = Date.now() - toolStart;
+              if (shellResult.aborted) {
+                // User pressed Ctrl+C mid-command. The child process tree
+                // has already been terminated by killTreeEscalating in
+                // tools.js. Surface a clear message to the model so it can
+                // plan around the interruption instead of blindly retrying
+                // the same long-running command on the next turn.
+                const elapsedS = shellResult.elapsed_s || 0;
+                const oneLine = String(arg).replace(/\s+/g, ' ').trim();
+                const truncatedCmd = oneLine.length > 80 ? oneLine.slice(0, 77) + '...' : oneLine;
+                const resultStr = `User interrupted execution after ${elapsedS}s. Tool was running: ${truncatedCmd}. Plan around this — do not retry the same long-running command.`;
+                if (cb.onToolEnd) cb.onToolEnd(tag, resultStr, ms, { id: invocationId, call, attrs, meta: null, error: { message: 'aborted' } });
+                results.push(resultStr);
+                if (debugEntries) debugEntries.push({ tag, call, ms, status: 'aborted', exitCode: null, result: resultStr });
+                aborted = true;
+                break;
+              } else {
+                let out = shellResult.stdout;
+                if (shellResult.stderr) out += `\nSTDERR: ${shellResult.stderr}`;
+                const resultStr = `Command \`${arg}\`:\nExit code: ${shellResult.exit_code}\n${out}`;
+                const meta = _metaForTool(tag, shellResult);
+                const error = shellResult.exit_code !== 0
+                  ? { message: `exit ${shellResult.exit_code}`, code: shellResult.exit_code }
+                  : null;
+                if (cb.onToolEnd) cb.onToolEnd(tag, resultStr, ms, { id: invocationId, call, attrs, meta, error });
+                results.push(resultStr);
+                if (debugEntries) debugEntries.push({
+                  tag,
+                  call,
+                  ms,
+                  status: shellResult.exit_code === 0 ? 'ok' : 'nonzero_exit',
+                  exitCode: shellResult.exit_code,
+                  result: resultStr,
+                });
+              }
+              continue;
+            }
+
+            const fileResult = await agentExecFile(...call, { signal: controller.signal });
             const ms = Date.now() - toolStart;
-            if (shellResult.stderr === 'Permission denied by user') {
-              const resultStr = `Command \`${arg}\`: Permission denied by user.`;
-              if (cb.onToolEnd) cb.onToolEnd(tag, resultStr, ms, { id: invocationId, call, attrs, meta: null, error: { message: 'denied' }, denied: true });
+
+            if (fileResult.aborted) {
+              // User pressed Ctrl+C while a file/network tool was running.
+              // The per-tool abort listener has already torn down the in-flight
+              // op (closed the FS read, destroyed the HTTP request, stopped the
+              // recursive walk). Surface a clear note to the model so the next
+              // turn doesn't replay the same long-running operation.
+              const elapsedS = fileResult.elapsed_s || 0;
+              const oneLine = String(arg).replace(/\s+/g, ' ').trim();
+              const truncatedArg = oneLine.length > 80 ? oneLine.slice(0, 77) + '...' : oneLine;
+              const resultStr = `User interrupted execution after ${elapsedS}s. Tool was running: ${tag} ${truncatedArg}. Plan around this — do not retry the same long-running operation.`;
+              if (cb.onToolEnd) cb.onToolEnd(tag, resultStr, ms, { id: invocationId, call, attrs, meta: null, error: { message: 'aborted' } });
               results.push(resultStr);
-              if (debugEntries) debugEntries.push({ tag, call, ms, status: 'denied', exitCode: null, result: resultStr });
+              if (debugEntries) debugEntries.push({ tag, call, ms, status: 'aborted', exitCode: null, result: resultStr });
               aborted = true;
               break;
             } else {
-              let out = shellResult.stdout;
-              if (shellResult.stderr) out += `\nSTDERR: ${shellResult.stderr}`;
-              const resultStr = `Command \`${arg}\`:\nExit code: ${shellResult.exit_code}\n${out}`;
-              const meta = _metaForTool(tag, shellResult);
-              const error = shellResult.exit_code !== 0
-                ? { message: `exit ${shellResult.exit_code}`, code: shellResult.exit_code }
+              const resultStr = formatFileResult(call, fileResult);
+              const meta = _metaForTool(tag, fileResult);
+              const error = fileResult.error
+                ? { message: fileResult.error, code: fileResult.error_code || null }
                 : null;
               if (cb.onToolEnd) cb.onToolEnd(tag, resultStr, ms, { id: invocationId, call, attrs, meta, error });
               results.push(resultStr);
@@ -1064,53 +1233,26 @@ function createAgentRunner({ chatStream, extractToolCalls, agentExecShell, agent
                 tag,
                 call,
                 ms,
-                status: shellResult.exit_code === 0 ? 'ok' : 'nonzero_exit',
-                exitCode: shellResult.exit_code,
+                status: fileResult.error ? 'error' : 'ok',
+                exitCode: null,
                 result: resultStr,
               });
             }
-            continue;
-          }
-
-          const fileResult = await agentExecFile(...call);
-          const ms = Date.now() - toolStart;
-
-          if (fileResult.error === 'Permission denied') {
-            const resultStr = `${tag} ${call[1] || ''}: Permission denied by user.`;
-            if (cb.onToolEnd) cb.onToolEnd(tag, resultStr, ms, { id: invocationId, call, attrs, meta: null, error: { message: 'denied' }, denied: true });
-            results.push(resultStr);
-            if (debugEntries) debugEntries.push({ tag, call, ms, status: 'denied', exitCode: null, result: resultStr });
-            aborted = true;
-            break;
-          } else {
-            const resultStr = formatFileResult(call, fileResult);
-            const meta = _metaForTool(tag, fileResult);
-            const error = fileResult.error
-              ? { message: fileResult.error, code: fileResult.error_code || null }
-              : null;
-            if (cb.onToolEnd) cb.onToolEnd(tag, resultStr, ms, { id: invocationId, call, attrs, meta, error });
-            results.push(resultStr);
-            if (debugEntries) debugEntries.push({
-              tag,
-              call,
-              ms,
-              status: fileResult.error ? 'error' : 'ok',
-              exitCode: null,
-              result: resultStr,
-            });
-          }
-        } catch (err) {
-          const ms = Date.now() - toolStart;
-          if (cb.onToolEnd) cb.onToolEnd(tag, `Error: ${err.message}`, ms, { id: invocationId, call, attrs, meta: null, error: err });
-          if (cb.onError) {
-            cb.onError({ message: `Tool error (${tag}): ${err.message}`, isWarning: true });
-          } else {
-            messages.toolError(tag, err.message);
+          } catch (err) {
+            const ms = Date.now() - toolStart;
+            if (cb.onToolEnd) cb.onToolEnd(tag, `Error: ${err.message}`, ms, { id: invocationId, call, attrs, meta: null, error: err });
+            if (cb.onError) {
+              cb.onError({ message: `Tool error (${tag}): ${err.message}`, isWarning: true });
+            } else {
+              messages.toolError(tag, err.message);
+            }
+            logToolCall(tag, { args: call.slice(1) }, false, 'error');
+            results.push(`${tag}: Error — ${err.message}`);
+            if (debugEntries) debugEntries.push({ tag, call, ms, status: 'exception', exitCode: null, result: `Error — ${err.message}` });
           }
-          logToolCall(tag, { args: call.slice(1) }, false, 'error');
-          results.push(`${tag}: Error — ${err.message}`);
-          if (debugEntries) debugEntries.push({ tag, call, ms, status: 'exception', exitCode: null, result: `Error — ${err.message}` });
         }
+      } finally {
+        clearInterval(toolAbortWatcher);
       }
 
       if (debug && debugEntries && debugEntries.length > 0) {
@@ -1167,9 +1309,14 @@ function createAgentRunner({ chatStream, extractToolCalls, agentExecShell, agent
         } else {
           messages.sysWarn(warnMsg);
         }
-        // Push whatever results accumulated before the denial so the LLM has
-        // context if the user asks to continue.
+        // Push whatever results accumulated before the stop so the LLM has
+        // context if the user asks to continue. The reason matters: an abort
+        // (Ctrl+C) and a denial are both surfaced through the same `aborted`
+        // flag, but the model should know which happened so it doesn't
+        // immediately retry a runaway command after the user explicitly
+        // killed it.
         if (results.length > 0) {
+          const reason = isAborted() ? 'user interrupted' : 'after user denied an action';
           if (isNativeCall) {
             for (let i = 0; i < results.length; i++) {
               messages.push({ role: 'tool', tool_call_id: nativeToolCallIds[i], content: results[i] });
@@ -1177,7 +1324,7 @@ function createAgentRunner({ chatStream, extractToolCalls, agentExecShell, agent
           } else {
             messages.push({
               role: 'user',
-              content: `Tool execution results (partial — stopped after user denied an action):\n\n${results.join('\n\n')}`,
+              content: `Tool execution results (partial — stopped: ${reason}):\n\n${results.join('\n\n')}`,
             });
           }
         }