@soulguard/openclaw 0.2.2 → 0.3.0

package/dist/index.js

@@ -73,8 +73,9 @@ var templates = {
 };
 // src/plugin.ts
 import { readFileSync } from "node:fs";
+import { access, chmod, copyFile, mkdir } from "node:fs/promises";
 import os from "node:os";
-import { join as join2 } from "node:path";
+import { dirname, join as join2 } from "node:path";
 
 // ../core/src/util/result.ts
 function ok(value) {
@@ -4064,7 +4065,8 @@ var ownershipSchema = exports_external.object({
   mode: exports_external.string()
 });
 var daemonConfigSchema = exports_external.object({
-  channel: exports_external.string()
+  channel: exports_external.string().optional(),
+  syncIntervalSecs: exports_external.number().int().nonnegative().optional()
 }).passthrough();
 var soulguardConfigSchema = exports_external.object({
   version: exports_external.literal(1),
@@ -4447,7 +4449,7 @@ class StateTree {
     return this.flatFiles().filter((f) => f.status !== "unchanged");
   }
   stagedFiles() {
-    return this.flatFiles().filter((f) => f.stagedHash !== null || f.status === "deleted");
+    return this.flatFiles().filter((f) => f.status !== "unchanged");
   }
   driftedEntities() {
     return collectDrifts(this.entities, this.protectOwnership);
@@ -4732,40 +4734,57 @@ var WRITE_TOOLS = new Set(["write", "edit"]);
 var PATH_KEYS = ["file_path", "path", "file"];
 function guardToolCall(toolName, params, options) {
   if (!WRITE_TOOLS.has(toolName.toLowerCase())) {
-    return { blocked: false };
+    return { action: "allow" };
   }
-  let targetPath;
+  let pathKey;
+  let rawPath;
   for (const key of PATH_KEYS) {
     const v = params[key];
     if (typeof v === "string" && v.length > 0) {
-      targetPath = v;
+      pathKey = key;
+      rawPath = v;
       break;
     }
   }
-  if (targetPath && path.isAbsolute(targetPath)) {
-    targetPath = path.relative(options.stateDir, targetPath);
-  }
-  if (!targetPath)
-    return { blocked: false };
-  if (isStagingPath(targetPath))
-    return { blocked: false };
-  if (!isProtectedFile(options.protectFiles, targetPath))
-    return { blocked: false };
+  if (!pathKey || !rawPath)
+    return { action: "allow" };
+  const isAbsolute = path.isAbsolute(rawPath);
+  const relativePath = isAbsolute ? path.relative(options.stateDir, rawPath) : rawPath;
+  if (isStagingPath(relativePath))
+    return { action: "allow" };
+  if (!isProtectedFile(options.protectFiles, relativePath))
+    return { action: "allow" };
+  const relativeStaging = stagingPath(relativePath);
+  const redirectedPath = isAbsolute ? path.join(options.stateDir, relativeStaging) : relativeStaging;
   return {
-    blocked: true,
-    reason: [
-      `${targetPath} is protected by soulguard.`,
-      `To propose changes, run \`soulguard stage ${targetPath}\` to create a working copy,`,
-      `then edit the staged file at ${stagingPath(targetPath)}.`,
-      `Run \`soulguard diff\` to review your changes.`,
-      `Your owner will review and apply the changes.`
-    ].join(" ")
+    action: "redirect",
+    pathKey,
+    originalPath: relativePath,
+    redirectedPath
   };
 }
 
 // src/plugin.ts
-var PKG_VERSION = "0.2.2";
+var PKG_VERSION = "0.3.0";
 var PLUGIN_DESCRIPTION = "Identity protection for AI agents";
+var MAX_TRACKED_REDIRECTS = 1024;
+var redirectMap = new Map;
+async function ensureStagingCopy(originalAbsPath, stagingAbsPath) {
+  try {
+    await access(stagingAbsPath);
+    return;
+  } catch {}
+  await mkdir(dirname(stagingAbsPath), { recursive: true });
+  try {
+    await copyFile(originalAbsPath, stagingAbsPath);
+    await chmod(stagingAbsPath, 420);
+  } catch {}
+}
+function buildRedirectWarning(info) {
+  return `
+
+[Soulguard] This edit was redirected to the staging copy at ${info.redirectedPath}. ` + `The original file ${info.originalPath} is protected. ` + "Run `soulguard diff` to review your changes. " + "Your owner will review and apply them.";
+}
 function createSoulguardPlugin(options) {
   return {
     id: "soulguard",
@@ -4786,7 +4805,7 @@ function createSoulguardPlugin(options) {
       }
       if (protectFiles.length === 0)
         return;
-      api.on("before_tool_call", (...args) => {
+      api.on("before_tool_call", async (...args) => {
         const event = args[0];
         if (!event || typeof event !== "object" || !("toolName" in event)) {
           return;
@@ -4796,11 +4815,57 @@ function createSoulguardPlugin(options) {
           protectFiles,
           stateDir
         });
-        if (result.blocked) {
+        if (result.action === "block") {
           return { block: true, blockReason: result.reason };
         }
+        if (result.action === "redirect") {
+          const originalAbsPath = join2(stateDir, result.originalPath);
+          const stagingAbsPath = result.redirectedPath.startsWith("/") ? result.redirectedPath : join2(stateDir, result.redirectedPath);
+          await ensureStagingCopy(originalAbsPath, stagingAbsPath);
+          const toolCallId = e.toolCallId;
+          if (toolCallId) {
+            if (redirectMap.size >= MAX_TRACKED_REDIRECTS) {
+              const oldest = redirectMap.keys().next().value;
+              if (oldest)
+                redirectMap.delete(oldest);
+            }
+            redirectMap.set(toolCallId, {
+              originalPath: result.originalPath,
+              redirectedPath: result.redirectedPath
+            });
+          }
+          return {
+            params: { [result.pathKey]: result.redirectedPath }
+          };
+        }
         return;
       });
+      api.on("tool_result_persist", (...args) => {
+        const event = args[0];
+        if (!event?.toolCallId || !event.message)
+          return;
+        const info = redirectMap.get(event.toolCallId);
+        if (!info)
+          return;
+        redirectMap.delete(event.toolCallId);
+        const warning = buildRedirectWarning(info);
+        const msg = event.message;
+        const content = Array.isArray(msg.content) ? [...msg.content] : [];
+        let lastText;
+        for (let i = content.length - 1;i >= 0; i--) {
+          const block = content[i];
+          if (block && block.type === "text") {
+            lastText = block;
+            break;
+          }
+        }
+        if (lastText && lastText.text != null) {
+          lastText.text += warning;
+        } else {
+          content.push({ type: "text", text: warning.trimStart() });
+        }
+        return { message: { ...msg, content } };
+      });
     }
   };
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@soulguard/openclaw",
-  "version": "0.2.2",
+  "version": "0.3.0",
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/guard.test.ts

@@ -7,78 +7,103 @@ const defaultOpts: GuardOptions = {
 };
 
 describe("guardToolCall", () => {
-  it("blocks Write to a protected file", () => {
+  // ── Redirect (protected file writes) ──────────────────────────────
+
+  it("redirects Write to a protected file", () => {
     const result = guardToolCall("Write", { file_path: "SOUL.md" }, defaultOpts);
-    expect(result.blocked).toBe(true);
-    expect(result.reason).toContain("protected by soulguard");
-    expect(result.reason).toContain("soulguard stage SOUL.md");
-    expect(result.reason).toContain(".soulguard-staging/SOUL.md");
-    expect(result.reason).toContain("Your owner will review and apply");
+    expect(result.action).toBe("redirect");
+    if (result.action !== "redirect") return;
+    expect(result.pathKey).toBe("file_path");
+    expect(result.originalPath).toBe("SOUL.md");
+    expect(result.redirectedPath).toBe(".soulguard-staging/SOUL.md");
   });
 
-  it("blocks Edit to a protected file", () => {
+  it("redirects Edit to a protected file", () => {
     const result = guardToolCall("Edit", { path: "IDENTITY.md" }, defaultOpts);
-    expect(result.blocked).toBe(true);
-    expect(result.reason).toContain("protected by soulguard");
-    expect(result.reason).toContain("soulguard stage IDENTITY.md");
-  });
-
-  it("allows Write to a non-protected file", () => {
-    const result = guardToolCall("Write", { file_path: "README.md" }, defaultOpts);
-    expect(result.blocked).toBe(false);
+    expect(result.action).toBe("redirect");
+    if (result.action !== "redirect") return;
+    expect(result.pathKey).toBe("path");
+    expect(result.originalPath).toBe("IDENTITY.md");
+    expect(result.redirectedPath).toBe(".soulguard-staging/IDENTITY.md");
   });
 
-  it("allows Write to staging copy of a protected file", () => {
-    const result = guardToolCall("Write", { file_path: ".soulguard-staging/SOUL.md" }, defaultOpts);
-    expect(result.blocked).toBe(false);
+  it("redirects with the 'file' param key", () => {
+    const result = guardToolCall("Edit", { file: "SOUL.md" }, defaultOpts);
+    expect(result.action).toBe("redirect");
+    if (result.action !== "redirect") return;
+    expect(result.pathKey).toBe("file");
   });
 
-  it("allows non-write tools (e.g. Read)", () => {
-    const result = guardToolCall("Read", { file_path: "SOUL.md" }, defaultOpts);
-    expect(result.blocked).toBe(false);
+  it("redirects writes to files inside a protected directory", () => {
+    const opts: GuardOptions = { protectFiles: ["skills"], stateDir: "/home/test/.openclaw" };
+    const result = guardToolCall("Write", { file_path: "skills/my-skill.md" }, opts);
+    expect(result.action).toBe("redirect");
+    if (result.action !== "redirect") return;
+    expect(result.originalPath).toBe("skills/my-skill.md");
+    expect(result.redirectedPath).toBe(".soulguard-staging/skills/my-skill.md");
   });
 
   it("handles ./prefix in file paths", () => {
     const result = guardToolCall("Write", { path: "./SOUL.md" }, defaultOpts);
-    expect(result.blocked).toBe(true);
+    expect(result.action).toBe("redirect");
+    if (result.action !== "redirect") return;
+    expect(result.pathKey).toBe("path");
   });
 
-  it("allows when no path param is present", () => {
-    const result = guardToolCall("Write", { content: "hello" }, defaultOpts);
-    expect(result.blocked).toBe(false);
+  // ── Absolute path handling ────────────────────────────────────────
+
+  it("redirects absolute path to absolute staging path", () => {
+    const result = guardToolCall(
+      "Write",
+      { file_path: "/home/test/.openclaw/SOUL.md" },
+      defaultOpts,
+    );
+    expect(result.action).toBe("redirect");
+    if (result.action !== "redirect") return;
+    expect(result.originalPath).toBe("SOUL.md");
+    expect(result.redirectedPath).toBe("/home/test/.openclaw/.soulguard-staging/SOUL.md");
   });
 
-  it("checks file param key as well", () => {
-    const result = guardToolCall("Edit", { file: "SOUL.md" }, defaultOpts);
-    expect(result.blocked).toBe(true);
+  it("redirects absolute path inside protected directory", () => {
+    const opts: GuardOptions = { protectFiles: ["skills"], stateDir: "/home/test/.openclaw" };
+    const result = guardToolCall(
+      "Edit",
+      { file_path: "/home/test/.openclaw/skills/my-skill.md" },
+      opts,
+    );
+    expect(result.action).toBe("redirect");
+    if (result.action !== "redirect") return;
+    expect(result.originalPath).toBe("skills/my-skill.md");
+    expect(result.redirectedPath).toBe(
+      "/home/test/.openclaw/.soulguard-staging/skills/my-skill.md",
+    );
   });
 
-  it("includes the original path in the block reason", () => {
-    const result = guardToolCall("Write", { file_path: "./SOUL.md" }, defaultOpts);
-    expect(result.blocked).toBe(true);
-    expect(result.reason).toContain("./SOUL.md");
+  // ── Allow (non-protected / non-write / staging) ───────────────────
+
+  it("allows Write to a non-protected file", () => {
+    const result = guardToolCall("Write", { file_path: "README.md" }, defaultOpts);
+    expect(result.action).toBe("allow");
   });
 
-  it("blocks writes to files inside a protected directory", () => {
-    const opts: GuardOptions = { protectFiles: ["skills"], stateDir: "/home/test/.openclaw" };
-    const result = guardToolCall("Write", { file_path: "skills/my-skill.md" }, opts);
-    expect(result.blocked).toBe(true);
-    expect(result.reason).toContain("skills/my-skill.md");
+  it("allows Write to staging copy of a protected file", () => {
+    const result = guardToolCall("Write", { file_path: ".soulguard-staging/SOUL.md" }, defaultOpts);
+    expect(result.action).toBe("allow");
   });
 
-  it("blocks Write with absolute path resolved against stateDir", () => {
-    const result = guardToolCall(
-      "Write",
-      { file_path: "/home/test/.openclaw/SOUL.md" },
-      defaultOpts,
-    );
-    expect(result.blocked).toBe(true);
-    expect(result.reason).toContain("protected by soulguard");
+  it("allows non-write tools (e.g. Read)", () => {
+    const result = guardToolCall("Read", { file_path: "SOUL.md" }, defaultOpts);
+    expect(result.action).toBe("allow");
+  });
+
+  it("allows when no path param is present", () => {
+    const result = guardToolCall("Write", { content: "hello" }, defaultOpts);
+    expect(result.action).toBe("allow");
   });
 
   it("allows writes to files outside a protected directory", () => {
     const opts: GuardOptions = { protectFiles: ["skills"], stateDir: "/home/test/.openclaw" };
     const result = guardToolCall("Write", { file_path: "memory/notes.md" }, opts);
-    expect(result.blocked).toBe(false);
+    expect(result.action).toBe("allow");
   });
 });

package/src/guard.ts

@@ -1,6 +1,6 @@
 /**
- * before_tool_call guard — blocks writes to protected files and
- * returns a helpful message guiding the agent to the staging workflow.
+ * before_tool_call guard — redirects writes to protected files into the
+ * staging tree so agents can propose changes without direct access.
  */
 
 import path from "node:path";
@@ -15,10 +15,10 @@ export type GuardOptions = {
   stateDir: string;
 };
 
-export type GuardResult = {
-  blocked: boolean;
-  reason?: string;
-};
+export type GuardResult =
+  | { action: "allow" }
+  | { action: "block"; reason: string }
+  | { action: "redirect"; pathKey: string; originalPath: string; redirectedPath: string };
 
 // ── Constants ──────────────────────────────────────────────────────────
 
@@ -31,9 +31,11 @@ const PATH_KEYS = ["file_path", "path", "file"] as const;
 // ── Main guard ─────────────────────────────────────────────────────────
 
 /**
- * Evaluate whether a tool call should be blocked.
+ * Evaluate whether a tool call should be redirected, blocked, or allowed.
  *
- * Returns `{ blocked: false }` to allow, or `{ blocked: true, reason }` to block.
+ * For writes to protected files the guard returns a `redirect` result that
+ * tells the caller which param key to rewrite and the staging-tree path to
+ * redirect to.
  */
 export function guardToolCall(
   toolName: string,
@@ -42,41 +44,45 @@ export function guardToolCall(
 ): GuardResult {
   // Only intercept file-writing tools (compare lowercase for robustness)
   if (!WRITE_TOOLS.has(toolName.toLowerCase())) {
-    return { blocked: false };
+    return { action: "allow" };
   }
 
-  // Extract target path from params
-  let targetPath: string | undefined;
+  // Find which param key carries the path
+  let pathKey: string | undefined;
+  let rawPath: string | undefined;
   for (const key of PATH_KEYS) {
     const v = params[key];
     if (typeof v === "string" && v.length > 0) {
-      targetPath = v;
+      pathKey = key;
+      rawPath = v;
       break;
     }
   }
 
-  // OpenClaw passes absolute paths (e.g. /Users/x/.openclaw/workspace/SOUL.md)
-  // but protectFiles uses relative paths (e.g. workspace/SOUL.md). Make relative.
-  if (targetPath && path.isAbsolute(targetPath)) {
-    targetPath = path.relative(options.stateDir, targetPath);
-  }
+  if (!pathKey || !rawPath) return { action: "allow" };
 
-  if (!targetPath) return { blocked: false };
+  // Resolve to relative for protect-check. OpenClaw passes absolute paths
+  // (e.g. /Users/x/.openclaw/workspace/SOUL.md) but protectFiles uses
+  // relative paths (e.g. workspace/SOUL.md).
+  const isAbsolute = path.isAbsolute(rawPath);
+  const relativePath = isAbsolute ? path.relative(options.stateDir, rawPath) : rawPath;
 
-  // Never block writes to staging files
-  if (isStagingPath(targetPath)) return { blocked: false };
+  // Never intercept writes to staging files
+  if (isStagingPath(relativePath)) return { action: "allow" };
 
   // Check against protect tier using core SDK
-  if (!isProtectedFile(options.protectFiles, targetPath)) return { blocked: false };
+  if (!isProtectedFile(options.protectFiles, relativePath)) return { action: "allow" };
+
+  // Compute the staging redirect path, preserving absolute/relative format
+  const relativeStaging = stagingPath(relativePath);
+  const redirectedPath = isAbsolute
+    ? path.join(options.stateDir, relativeStaging)
+    : relativeStaging;
 
   return {
-    blocked: true,
-    reason: [
-      `${targetPath} is protected by soulguard.`,
-      `To propose changes, run \`soulguard stage ${targetPath}\` to create a working copy,`,
-      `then edit the staged file at ${stagingPath(targetPath)}.`,
-      `Run \`soulguard diff\` to review your changes.`,
-      `Your owner will review and apply the changes.`,
-    ].join(" "),
+    action: "redirect",
+    pathKey,
+    originalPath: relativePath,
+    redirectedPath,
   };
 }

package/src/index.ts

@@ -28,6 +28,9 @@ export type {
   OpenClawPluginApi,
   AgentTool,
   AgentToolResult,
+  AgentMessage,
   BeforeToolCallEvent,
   BeforeToolCallResult,
+  ToolResultPersistEvent,
+  ToolResultPersistResult,
 } from "./openclaw-types.js";

package/src/openclaw-types.ts

@@ -41,12 +41,45 @@ export type AgentToolResult = {
   content: Array<{ type: "text"; text: string }>;
 };
 
+// ── before_tool_call hook ─────────────────────────────────────────────
+
 export type BeforeToolCallEvent = {
   toolName: string;
   params: Record<string, unknown>;
+  runId?: string;
+  toolCallId?: string;
 };
 
 export type BeforeToolCallResult = {
+  params?: Record<string, unknown>;
   block?: boolean;
   blockReason?: string;
 };
+
+// ── tool_result_persist hook ──────────────────────────────────────────
+
+export type AgentMessage = {
+  role: string;
+  toolCallId?: string;
+  isError?: boolean;
+  content: Array<{ type: string; text?: string }>;
+  [key: string]: unknown;
+};
+
+export type ToolResultPersistEvent = {
+  toolName?: string;
+  toolCallId?: string;
+  message: AgentMessage;
+  isSynthetic?: boolean;
+};
+
+export type ToolResultPersistContext = {
+  agentId?: string;
+  sessionKey?: string;
+  toolName?: string;
+  toolCallId?: string;
+};
+
+export type ToolResultPersistResult = {
+  message?: AgentMessage;
+};

package/src/plugin.ts

@@ -1,10 +1,12 @@
 /**
- * Soulguard OpenClaw plugin — protects files from direct writes.
+ * Soulguard OpenClaw plugin — redirects writes to protected files into the
+ * staging tree so agents can propose changes without direct access.
  */
 
 import { readFileSync } from "node:fs";
+import { access, chmod, copyFile, mkdir } from "node:fs/promises";
 import os from "node:os";
-import { join } from "node:path";
+import { dirname, join } from "node:path";
 import { parseConfig, protectPatterns } from "@soulguard/core";
 
 import { guardToolCall } from "./guard.js";
@@ -12,6 +14,8 @@ import type {
   BeforeToolCallEvent,
   BeforeToolCallResult,
   OpenClawPluginDefinition,
+  ToolResultPersistEvent,
+  ToolResultPersistResult,
 } from "./openclaw-types.js";
 
 // Injected at build time via --define (see package.json build script)
@@ -27,6 +31,57 @@ export type SoulguardPluginOptions = {
   configPath?: string;
 };
 
+// ── Redirect correlation state ────────────────────────────────────────
+
+const MAX_TRACKED_REDIRECTS = 1024;
+
+type RedirectInfo = {
+  originalPath: string;
+  redirectedPath: string;
+};
+
+const redirectMap = new Map<string, RedirectInfo>();
+
+// ── Helpers ───────────────────────────────────────────────────────────
+
+/**
+ * Ensure a staging copy exists, creating it from the original if needed.
+ * Uses raw fs operations — no SystemOperations required.
+ */
+async function ensureStagingCopy(originalAbsPath: string, stagingAbsPath: string): Promise<void> {
+  try {
+    await access(stagingAbsPath);
+    return; // already exists
+  } catch {
+    // doesn't exist yet — create it
+  }
+
+  await mkdir(dirname(stagingAbsPath), { recursive: true });
+
+  try {
+    await copyFile(originalAbsPath, stagingAbsPath);
+    // copyFile preserves the source mode (444 for protected files).
+    // The agent owns the new copy but needs write permission.
+    await chmod(stagingAbsPath, 0o644);
+  } catch {
+    // Original doesn't exist (agent creating a new file) — let the Write tool create it
+  }
+}
+
+/**
+ * Build the warning message appended to tool results for redirected writes.
+ */
+function buildRedirectWarning(info: RedirectInfo): string {
+  return (
+    `\n\n[Soulguard] This edit was redirected to the staging copy at ${info.redirectedPath}. ` +
+    `The original file ${info.originalPath} is protected. ` +
+    "Run `soulguard diff` to review your changes. " +
+    "Your owner will review and apply them."
+  );
+}
+
+// ── Plugin factory ────────────────────────────────────────────────────
+
 /**
  * Create the soulguard OpenClaw plugin definition.
  */
@@ -57,9 +112,8 @@ export function createSoulguardPlugin(options?: SoulguardPluginOptions): OpenCla
       if (protectFiles.length === 0) return;
 
       // ── Guard hook ─────────────────────────────────────────────────
-      // Block writes to protected files with a helpful message
-      // guiding the agent to use soulguard CLI commands for staging.
-      api.on("before_tool_call", (...args: unknown[]) => {
+      // Redirect writes to protected files into the staging tree.
+      api.on("before_tool_call", async (...args: unknown[]) => {
         const event = args[0];
         if (!event || typeof event !== "object" || !("toolName" in event)) {
           return undefined;
@@ -69,11 +123,77 @@ export function createSoulguardPlugin(options?: SoulguardPluginOptions): OpenCla
           protectFiles,
           stateDir,
         });
-        if (result.blocked) {
+
+        if (result.action === "block") {
           return { block: true, blockReason: result.reason } satisfies BeforeToolCallResult;
         }
+
+        if (result.action === "redirect") {
+          // Auto-create the staging copy from the original
+          const originalAbsPath = join(stateDir, result.originalPath);
+          const stagingAbsPath = result.redirectedPath.startsWith("/")
+            ? result.redirectedPath
+            : join(stateDir, result.redirectedPath);
+
+          await ensureStagingCopy(originalAbsPath, stagingAbsPath);
+
+          // Store redirect info for the tool_result_persist hook
+          const toolCallId = e.toolCallId;
+          if (toolCallId) {
+            if (redirectMap.size >= MAX_TRACKED_REDIRECTS) {
+              const oldest = redirectMap.keys().next().value;
+              if (oldest) redirectMap.delete(oldest);
+            }
+            redirectMap.set(toolCallId, {
+              originalPath: result.originalPath,
+              redirectedPath: result.redirectedPath,
+            });
+          }
+
+          // Rewrite the path param to point to the staging copy
+          return {
+            params: { [result.pathKey]: result.redirectedPath },
+          } satisfies BeforeToolCallResult;
+        }
+
         return undefined;
       });
+
+      // ── Result annotation hook ─────────────────────────────────────
+      // Append a warning to the tool result when a write was redirected.
+      // This hook is synchronous — no async allowed.
+      api.on("tool_result_persist", (...args: unknown[]) => {
+        const event = args[0] as ToolResultPersistEvent | undefined;
+        if (!event?.toolCallId || !event.message) return undefined;
+
+        const info = redirectMap.get(event.toolCallId);
+        if (!info) return undefined;
+
+        // Consume — one-shot per tool call
+        redirectMap.delete(event.toolCallId);
+
+        const warning = buildRedirectWarning(info);
+        const msg = event.message;
+
+        // Clone content and append the warning
+        type ContentBlock = { type: string; text?: string };
+        const content: ContentBlock[] = Array.isArray(msg.content) ? [...msg.content] : [];
+        let lastText: ContentBlock | undefined;
+        for (let i = content.length - 1; i >= 0; i--) {
+          const block = content[i];
+          if (block && block.type === "text") {
+            lastText = block;
+            break;
+          }
+        }
+        if (lastText && lastText.text != null) {
+          lastText.text += warning;
+        } else {
+          content.push({ type: "text", text: warning.trimStart() });
+        }
+
+        return { message: { ...msg, content } } satisfies ToolResultPersistResult;
+      });
     },
   };
 }