@stigmer/runner 3.0.2-dev.20260609093630 → 3.0.3

package/src/activities/execute-cursor/message-translator.ts

@@ -38,8 +38,8 @@ import type { SubAgentExecution } from "@stigmer/protos/ai/stigmer/agentic/agent
 import { MessageType, ToolCallStatus, SubAgentStatus } from "@stigmer/protos/ai/stigmer/agentic/agentexecution/v1/enum_pb";
 import type { SDKMessage } from "@cursor/sdk";
 import type { MergedToolPolicy } from "./approval-policy.js";
-import { lookupMcpToolPolicy, resolveApprovalMessage, builtInRequiresApproval, getBuiltInApprovalMessage, extractArgKey } from "./approval-policy.js";
-import { grantToken, type DeniedLedgerEntry } from "./approval-state.js";
+import { lookupMcpToolPolicy, resolveApprovalMessage, builtInRequiresApproval, getBuiltInApprovalMessage } from "./approval-policy.js";
+import { grantToken, toolIdentity, type DeniedLedgerEntry } from "./approval-state.js";
 import { utcTimestamp } from "../../shared/status.js";
 import { classifyTool } from "../../shared/tool-kind.js";
 
@@ -313,6 +313,16 @@ function safeString(obj: unknown, key: string): string {
   return "";
 }
 
+/**
+ * Normalize a tool_call event result into a string for the ToolCall proto.
+ * Returns "" for an absent result so callers can treat "no result yet" and
+ * "empty result" uniformly (e.g. to avoid clobbering a captured result).
+ */
+function toResultString(result: unknown): string {
+  if (result == null) return "";
+  return typeof result === "string" ? result : JSON.stringify(result);
+}
+
 /**
  * Parse the task tool's completed result into AgentMessages.
  *
@@ -552,49 +562,84 @@ export class MessageAccumulator {
     this.activeThinkingByRunId.clear();
   }
 
+  /**
+   * Attach a tool call to the current AI message, upserting by `call_id` so a
+   * single call maps to at most ONE ToolCall across all messages.
+   *
+   * The Cursor SDK can emit the lifecycle for one `call_id` more than once —
+   * observed in production as two "running" events ~0.5s apart for task/edit
+   * tools, which previously appended a duplicate ToolCall (the same call
+   * rendered two or three times in the UI). We therefore index by `call_id`
+   * and merge subsequent events into the existing proto, mirroring how
+   * trackSubAgentExecution() upserts via subAgentMap. The first event for a
+   * `call_id` (running or terminal) creates the proto on the last AI message;
+   * the index keeps pointing at it even after later assistant text starts a
+   * new AI message, so cross-message completions still land on the original.
+   */
   private attachToolCallToLastAi(
     event: Extract<SDKMessage, { type: "tool_call" }>,
   ): void {
     if (SUPPRESSED_TOOL_NAMES.has(event.name)) return;
 
-    const status = mapToolCallStatus(event.status);
-
-    if (event.status === "running") {
-      const aiMsg = this.findOrCreateLastAiMessage();
+    const existing = this.toolCallIndex.get(event.call_id);
+    if (!existing) {
       const tc = buildToolCallProto(event, this.mergedPolicies);
-      aiMsg.toolCalls.push(tc);
+      this.findOrCreateLastAiMessage().toolCalls.push(tc);
       this.toolCallIndex.set(event.call_id, tc);
-    } else {
-      const existing = this.toolCallIndex.get(event.call_id);
-      if (existing) {
-        existing.status = status;
-        if (isTerminalToolStatus(status)) {
-          existing.completedAt = utcTimestamp();
-        }
-        if (event.result != null) {
-          existing.result = typeof event.result === "string"
-            ? event.result
-            : JSON.stringify(event.result);
-        }
-        if (status === ToolCallStatus.TOOL_CALL_FAILED) {
-          existing.error = typeof event.result === "string"
-            ? event.result
-            : "Tool call failed";
-          if (existing.requiresApproval) {
-            existing.approvalRequestedAt = utcTimestamp();
-          }
-        }
-        if (event.args != null && !existing.argsPreview) {
-          existing.argsPreview = typeof event.args === "string"
-            ? event.args
-            : JSON.stringify(event.args);
-        }
-      } else {
-        const aiMsg = this.findOrCreateLastAiMessage();
-        const tc = buildToolCallProto(event, this.mergedPolicies);
-        aiMsg.toolCalls.push(tc);
-        this.toolCallIndex.set(event.call_id, tc);
+      return;
+    }
+
+    this.mergeToolCallEvent(existing, event);
+  }
+
+  /**
+   * Merge a repeated tool_call event into the ToolCall already tracked for this
+   * `call_id`. The merge is defensive because a re-emitted event may carry less
+   * information than an earlier one (a late "running" after "completed", or a
+   * completion with an empty result): status only advances toward terminal,
+   * timestamps are stamped once, and a populated result/args is never clobbered
+   * by an empty one.
+   */
+  private mergeToolCallEvent(
+    existing: ToolCall,
+    event: Extract<SDKMessage, { type: "tool_call" }>,
+  ): void {
+    const status = mapToolCallStatus(event.status);
+
+    // Status advances monotonically: once terminal (completed/failed/skipped)
+    // a later "running" re-emit must not regress it back to RUNNING.
+    if (!isTerminalToolStatus(existing.status)) {
+      existing.status = status;
+    }
+    if (isTerminalToolStatus(status) && !existing.completedAt) {
+      existing.completedAt = utcTimestamp();
+    }
+    if (!existing.startedAt && status === ToolCallStatus.TOOL_CALL_RUNNING) {
+      existing.startedAt = utcTimestamp();
+    }
+
+    // Only a non-empty incoming result overwrites; a result-less "running"
+    // re-emit must not wipe a result captured on completion (or vice versa).
+    const incomingResult = toResultString(event.result);
+    if (incomingResult) {
+      existing.result = incomingResult;
+    }
+
+    if (status === ToolCallStatus.TOOL_CALL_FAILED) {
+      if (!existing.error) {
+        existing.error = typeof event.result === "string"
+          ? event.result
+          : "Tool call failed";
       }
+      if (existing.requiresApproval && !existing.approvalRequestedAt) {
+        existing.approvalRequestedAt = utcTimestamp();
+      }
+    }
+
+    if (event.args != null && !existing.argsPreview) {
+      existing.argsPreview = typeof event.args === "string"
+        ? event.args
+        : JSON.stringify(event.args);
     }
   }
 
@@ -763,12 +808,17 @@ export function reconcileDeniedToolCalls(
   }
 
   // 2. Synthesize a tool call for any denial that never produced a stream event.
+  // Rare with correct correlation (Cursor emits a tool_call for every attempt),
+  // so this is a defensive net that still surfaces the gate rather than letting
+  // a denied tool render as a silent success.
   for (const entry of ledger) {
     if (matched.has(entry.token)) continue;
     const decoded = decodeIdentityToken(entry.token);
-    const name = decoded?.name || entry.toolName || "tool";
-    const argKey = decoded?.argKey ?? "";
-    const tc = synthesizeWaitingApprovalToolCall(name, argKey, mergedPolicies);
+    // Display the hook's raw tool name; carry the decoded salient so the grant
+    // rebuilt from this tool call on reinvocation keys on the same resource.
+    const displayName = entry.toolName || decoded?.key || "tool";
+    const salient = decoded?.salient ?? "";
+    const tc = synthesizeWaitingApprovalToolCall(displayName, salient, entry.token, mergedPolicies);
     appendToolCallToLastAiMessage(messages, tc);
     matched.add(entry.token);
     result.push(tc);
@@ -778,23 +828,24 @@ export function reconcileDeniedToolCalls(
 }
 
 /**
- * Compute a tool call's identity token in the same space the preToolUse hook
- * uses (grantToken: base64 of `toolName \n salientArg`). Mirrors the hook's
- * choice: MCP tools are name-only (no top-level salient arg in the hook input,
- * matching the grant convention); built-in tools key on their salient arg.
+ * Compute a streamed tool call's identity token in the same canonical space the
+ * preToolUse hook records denials in (see {@link toolIdentity} and grantToken).
+ * The token keys on the cross-taxonomy category + salient resource, so a stream
+ * `edit` (token `base64("write\n/path")`) correlates to the hook's `Write` deny
+ * for the same path, even though the two layers name the tool differently.
  */
 function toolCallIdentityToken(tc: ToolCall): string {
-  const argKey = tc.mcpServerSlug ? "" : extractArgKey(toolCallArgs(tc));
-  return grantToken(tc.name, argKey);
+  const id = toolIdentity(tc.name, tc.mcpServerSlug, toolCallArgs(tc));
+  return grantToken(id.key, id.salient);
 }
 
-/** Decode a `grantToken` back into its (name, argKey) for synthesis fallback. */
-function decodeIdentityToken(token: string): { name: string; argKey: string } | undefined {
+/** Decode a grantToken back into its (key, salient) for the synthesis fallback. */
+function decodeIdentityToken(token: string): { key: string; salient: string } | undefined {
   try {
     const decoded = Buffer.from(token, "base64").toString("utf-8");
     const nl = decoded.indexOf("\n");
     if (nl < 0) return undefined;
-    return { name: decoded.slice(0, nl), argKey: decoded.slice(nl + 1) };
+    return { key: decoded.slice(0, nl), salient: decoded.slice(nl + 1) };
   } catch {
     return undefined;
   }
@@ -838,22 +889,28 @@ function markWaitingApproval(
 }
 
 function synthesizeWaitingApprovalToolCall(
-  name: string,
-  argKey: string,
+  displayName: string,
+  salient: string,
+  token: string,
   mergedPolicies?: Map<string, MergedToolPolicy>,
 ): ToolCall {
   const tc = create(ToolCallSchema, {
-    id: `approval:${grantToken(name, argKey)}`,
-    name,
+    id: `approval:${token}`,
+    name: displayName,
     status: ToolCallStatus.TOOL_CALL_WAITING_APPROVAL,
     requiresApproval: true,
     startedAt: utcTimestamp(),
     approvalRequestedAt: utcTimestamp(),
-    toolKind: classifyTool(name),
+    toolKind: classifyTool(displayName),
   });
-  tc.approvalMessage = argKey
-    ? `Tool requires approval: ${name} (${argKey})`
-    : resolveDeniedApprovalMessage(name, "", {}, mergedPolicies);
+  // Carry the salient resource so reconstructAdjudicatedApprovals -> the grant
+  // builder keys on the same resource the hook will see on the re-attempt.
+  if (salient) {
+    tc.argsPreview = JSON.stringify({ path: salient });
+  }
+  tc.approvalMessage = salient
+    ? `Tool requires approval: ${displayName} (${salient})`
+    : resolveDeniedApprovalMessage(displayName, "", {}, mergedPolicies);
   return tc;
 }