@syengup/friday-channel-next 1.0.3 → 1.0.5

package/README.md

@@ -11,6 +11,8 @@
 - File upload/download (`POST /friday-next/files`, `GET /friday-next/files/:id`)
 - Cancel (`POST /friday-next/cancel`) and status with `activeRuns` (`GET /friday-next/status`)
 - **Agent config editing** (mirrors ControlUI, no core changes): model / core `.md` files / tool permissions / skills, per agent — via `agents.list[]` (`mutateConfigFile`) + workspace fs
+- **Codex backend support**: asserts `model_reasoning_summary` in each agent's `codex-home/config.toml` so ChatGPT/OAuth (Codex app-server) models stream reasoning text
+- **Exec / plugin approvals**: forwards approval requests as `event: approval` and accepts decisions at `POST /friday-next/approvals/{approvalId}`
 - History sync, link-preview cards, and in-app plugin self-upgrade
 
 ## Endpoints
@@ -22,6 +24,7 @@
 - `GET /friday-next/models` · `GET /friday-next/agents` · `GET|PUT /friday-next/sessions/settings`
 - `GET|PUT /friday-next/agents/{id}/config` · `GET|PUT /friday-next/agents/{id}/files[/{name}]` · `GET /friday-next/agents/{id}/tools/catalog`
 - `GET /friday-next/history/sessions` · `GET /friday-next/history/messages` · `GET /friday-next/link-preview`
+- `POST /friday-next/device-approve` · `POST /friday-next/nodes-approve` · `POST /friday-next/approvals/{approvalId}`
 - `GET /friday-next/plugin/info` · `POST /friday-next/plugin/upgrade`
 
 See **`API.md`** (English) and **`API.zh-CN.md`** (Chinese) for payloads, event shapes, offline queue paths, and breaking changes.

package/dist/index.js

@@ -16,8 +16,6 @@ import { ensureCodexReasoningSummary } from "./src/codex-reasoning-config.js";
 const hookLogger = createFridayNextLogger("hook");
 export { fridayNextChannelPlugin } from "./src/channel.js";
 export { setFridayNextRuntime } from "./src/runtime.js";
-/** `api.on` returns void — register tool hooks at most once per process. */
-let fridayNextToolHooksRegistered = false;
 let disposeAgentEventListener = null;
 /**
  * Track the last `api` instance on which HTTP routes were registered.
@@ -142,10 +140,17 @@ export default defineChannelPluginEntry({
                 total: event.usage?.total,
             }, event.model, event.provider);
         });
-        if (fridayNextToolHooksRegistered) {
+        // Tool hooks (subagent_delivery_target / before_tool_call / after_tool_call) must follow the
+        // SAME re-registration discipline as the HTTP routes and onAgentEvent listener above. When the
+        // health-monitor restarts the plugin, `registerFull` receives a fresh `api` and the host
+        // dispatches hooks on THAT api; hooks left bound to the first api go silent for the rest of the
+        // process. The old one-time boolean guard bound them to whichever api arrived first — which is
+        // exactly why Codex `command_output` (the A3 after_tool_call stdout synthesis) fired on some
+        // gateway processes and not others. Re-register on every genuinely-new api; skip only a repeat
+        // call with the same api (matching the `!sameApi` gate the routes use).
+        if (sameApi) {
             return;
         }
-        fridayNextToolHooksRegistered = true;
         // Make Codex (ChatGPT/OAuth) models emit reasoning summary text so the app can stream
         // "thinking". OpenClaw never sets this; we assert it on the plugin side. Best-effort.
         ensureCodexReasoningSummary((msg) => hookLogger.info(msg));

package/dist/src/agent/abort-run.d.ts

@@ -1,12 +1,25 @@
 export type AbortRunResult = {
     aborted: boolean;
-    drained: boolean;
+};
+export type AbortRunDeps = {
+    resolveActiveEmbeddedRunSessionId: (sessionKey: string) => string | undefined;
+    abortAgentHarnessRun: (sessionId: string) => boolean;
 };
 /**
- * Abort the active run for a channel `sessionKey`.
+ * Abort the active run for a channel `sessionKey` — the CANONICAL OpenClaw stop.
+ *
+ * Mirrors how ControlUI (`chat.abort` → `abortChatRunById`) and the voice/`/compact`/
+ * steer paths stop a run: resolve sessionKey → internal sessionId (active runs are keyed
+ * by sessionId, not the channel runId), then fire a PLAIN abort (`abortAgentHarnessRun`
+ * = `abortEmbeddedAgentRun` → `handle.abort()`). That sets the run's `externalAbort` flag
+ * so it unwinds to a clean `"aborted_by_user"` terminal — a SILENT reply plus a
+ * `status:"cancelled"` lifecycle — with NO error event.
  *
- * A session has at most one active run at a time, and the SDK keys active runs by
- * their internal `sessionId` (not the channel runId). So resolve sessionKey → sessionId
- * first, then abort-and-drain so the caller learns whether the run actually settled.
+ * Deliberately NOT abort-and-drain with `forceClear`: `forceClear` force-fails the reply
+ * operation (`operation.fail("run_failed", new Error("Embedded run force-cleared by …"))`)
+ * and never fires the abort signal, so (a) the failed operation surfaces as a spurious
+ * `dispatch_error`, and (b) without `externalAbort` the interrupted LLM call is classified
+ * as a real failure → `"LLM request failed."`. Both show up as an error toast in the app.
+ * `forceClear` is OpenClaw's stuck/cron-timeout recovery hammer, not a user-initiated stop.
  */
-export declare function abortRunForSessionKey(sessionKey: string): Promise<AbortRunResult>;
+export declare function abortRunForSessionKey(sessionKey: string, deps?: AbortRunDeps): Promise<AbortRunResult>;

package/dist/src/agent/abort-run.js

@@ -1,26 +1,49 @@
+const NO_OP = { aborted: false };
+async function loadAbortRunDeps() {
+    // The SDK is optional at runtime and unavailable/unmockable under Vitest; tests
+    // inject `deps` directly to exercise the real abort path.
+    if (process.env.VITEST === "true")
+        return null;
+    try {
+        return await import("openclaw/plugin-sdk/agent-harness");
+    }
+    catch {
+        return null;
+    }
+}
 /**
- * Abort the active run for a channel `sessionKey`.
+ * Abort the active run for a channel `sessionKey` — the CANONICAL OpenClaw stop.
  *
- * A session has at most one active run at a time, and the SDK keys active runs by
- * their internal `sessionId` (not the channel runId). So resolve sessionKey → sessionId
- * first, then abort-and-drain so the caller learns whether the run actually settled.
+ * Mirrors how ControlUI (`chat.abort` → `abortChatRunById`) and the voice/`/compact`/
+ * steer paths stop a run: resolve sessionKey → internal sessionId (active runs are keyed
+ * by sessionId, not the channel runId), then fire a PLAIN abort (`abortAgentHarnessRun`
+ * = `abortEmbeddedAgentRun` → `handle.abort()`). That sets the run's `externalAbort` flag
+ * so it unwinds to a clean `"aborted_by_user"` terminal — a SILENT reply plus a
+ * `status:"cancelled"` lifecycle — with NO error event.
+ *
+ * Deliberately NOT abort-and-drain with `forceClear`: `forceClear` force-fails the reply
+ * operation (`operation.fail("run_failed", new Error("Embedded run force-cleared by …"))`)
+ * and never fires the abort signal, so (a) the failed operation surfaces as a spurious
+ * `dispatch_error`, and (b) without `externalAbort` the interrupted LLM call is classified
+ * as a real failure → `"LLM request failed."`. Both show up as an error toast in the app.
+ * `forceClear` is OpenClaw's stuck/cron-timeout recovery hammer, not a user-initiated stop.
  */
-export async function abortRunForSessionKey(sessionKey) {
-    if (process.env.VITEST === "true")
-        return { aborted: false, drained: false };
+export async function abortRunForSessionKey(sessionKey, deps) {
     const key = sessionKey.trim();
     if (!key)
-        return { aborted: false, drained: false };
+        return NO_OP;
+    const resolved = deps ?? (await loadAbortRunDeps());
+    if (!resolved)
+        return NO_OP;
     try {
-        const { resolveActiveEmbeddedRunSessionId, abortAndDrainAgentHarnessRun } = await import("openclaw/plugin-sdk/agent-harness");
-        const sessionId = resolveActiveEmbeddedRunSessionId(key);
+        const sessionId = resolved.resolveActiveEmbeddedRunSessionId(key);
         if (!sessionId)
-            return { aborted: false, drained: false };
-        const result = await abortAndDrainAgentHarnessRun({ sessionId, sessionKey: key });
-        return { aborted: result.aborted, drained: result.drained };
+            return NO_OP;
+        const aborted = resolved.abortAgentHarnessRun(sessionId);
+        return { aborted };
     }
     catch {
         // optional at runtime
-        return { aborted: false, drained: false };
+        return NO_OP;
     }
 }

package/dist/src/agent/recent-aborts.d.ts

@@ -0,0 +1,6 @@
+/** How long after a user stop to treat surfaced errors as abort-noise. */
+export declare const RECENT_ABORT_SUPPRESSION_MS = 20000;
+export declare function markUserAbort(sessionKey: string, nowMs?: number): void;
+export declare function wasRecentlyUserAborted(sessionKey: string, nowMs?: number): boolean;
+/** Test/maintenance hook. */
+export declare function clearRecentAborts(): void;

package/dist/src/agent/recent-aborts.js

@@ -0,0 +1,35 @@
+/**
+ * Tracks recent user-initiated aborts per channel sessionKey.
+ *
+ * When the user stops a run, OpenClaw's embedded runner / Codex backend can still surface an
+ * error as a consequence of the interruption — the aborted run's own failover ("LLM request
+ * failed.") or a generic failure on the very next turn ("Something went wrong …"). Those are
+ * abort-noise, not real failures the user should see as an error toast. The channel records the
+ * abort here so the deliver/error forwarders can drop `isError` payloads that land within a short
+ * window of a stop the user explicitly requested.
+ */
+const recentAbortAtMs = new Map();
+/** How long after a user stop to treat surfaced errors as abort-noise. */
+export const RECENT_ABORT_SUPPRESSION_MS = 20_000;
+export function markUserAbort(sessionKey, nowMs = Date.now()) {
+    const key = sessionKey.trim();
+    if (key)
+        recentAbortAtMs.set(key, nowMs);
+}
+export function wasRecentlyUserAborted(sessionKey, nowMs = Date.now()) {
+    const key = sessionKey.trim();
+    if (!key)
+        return false;
+    const at = recentAbortAtMs.get(key);
+    if (at === undefined)
+        return false;
+    if (nowMs - at > RECENT_ABORT_SUPPRESSION_MS) {
+        recentAbortAtMs.delete(key);
+        return false;
+    }
+    return true;
+}
+/** Test/maintenance hook. */
+export function clearRecentAborts() {
+    recentAbortAtMs.clear();
+}

package/dist/src/friday-session.js

@@ -346,12 +346,18 @@ export function forwardAgentEventRaw(evt) {
     // Codex app-server projects every tool/command call onto BOTH the standard `tool` stream
     // (carrying args + the real result) AND a redundant `item` event (kind:"tool"/"command"),
     // and core flags that item `suppressChannelProgress: true` ("do not surface in channel
-    // progress"). Forwarding the suppressed item anyway double-renders every non-exec tool in
-    // the app — the `tool`-stream row plus a second `item kind:tool` row, with the result landing
-    // only on the first. Honor the flag and drop suppressed items; the `tool` stream (and, for
-    // exec, the synthesized `command_output`) already carries everything the app renders. Codex
-    // reasoning items (preamble/analysis) are NOT suppressed, so this never touches thinking.
-    if (evt.stream === "item" && evt.data.suppressChannelProgress === true) {
+    // progress"). Forwarding the suppressed *tool* item double-renders every non-exec tool in the
+    // app — the `tool`-stream row plus a second `item kind:tool` row, with the result landing only
+    // on the first. So drop ONLY suppressed `kind:"tool"` items.
+    //
+    // BUT keep suppressed `kind:"command"`/`"process"` items: the `tool` stream's exec result is
+    // just {exitCode,duration} (no stdout), and the app bootstraps its command-terminal row from
+    // the `item kind:command` event — that row is what the synthesized `command_output` end event
+    // then attaches the real stdout to. Dropping it left exec tools with a command line and no
+    // output in the trace. (Reasoning items preamble/analysis are never suppressed.)
+    if (evt.stream === "item" &&
+        evt.data.suppressChannelProgress === true &&
+        evt.data.kind === "tool") {
         return;
     }
     // Register sessionKey → runId so we can resolve parentRunId

package/dist/src/history/normalize-message.js

@@ -91,6 +91,21 @@ function parseContent(content) {
                 }
                 break;
             }
+            case "toolResult":
+            case "tool_result": {
+                // Codex (app-server backend) persists an exec/bash tool's STDOUT in a content
+                // block whose `type` is "toolResult" (not "text") — the output lives in the
+                // block's `text`/`content`. The native/Anthropic path uses plain "text" blocks,
+                // so this case was never hit and the command output was silently dropped from
+                // history (`parsed.text` stayed ""), leaving the app's trace tool row with no
+                // result. ControlUI shows it because its projection reads these blocks.
+                const t = readString(block.text) || readString(block.content);
+                if (t) {
+                    textParts.push(t);
+                    out.images.push(...extractMediaMarkers(t));
+                }
+                break;
+            }
             case "thinking": {
                 const t = readString(block.thinking);
                 if (t)

package/dist/src/http/handlers/cancel.js

@@ -1,4 +1,5 @@
 import { abortRunForSessionKey } from "../../agent/abort-run.js";
+import { markUserAbort } from "../../agent/recent-aborts.js";
 import { getRunRoute } from "../../run-metadata.js";
 import { sseEmitter } from "../../sse/emitter.js";
 import { readJsonBody } from "../middleware/body.js";
@@ -31,7 +32,11 @@ export async function handleCancel(req, res) {
     }
     const result = sessionKey
         ? await abortRunForSessionKey(sessionKey)
-        : { aborted: false, drained: false };
+        : { aborted: false };
+    // Record the user stop so abort-induced error deliveries are suppressed for a short window
+    // (the aborted run's own failover, or a generic failure on the immediate next turn).
+    if (sessionKey)
+        markUserAbort(sessionKey);
     if (runId)
         sseEmitter.untrackRun(runId);
     res.statusCode = 200;

package/dist/src/http/handlers/messages.js

@@ -11,6 +11,7 @@
  */
 import crypto from "node:crypto";
 import { resolveFridayNextConfig } from "../../config.js";
+import { wasRecentlyUserAborted } from "../../agent/recent-aborts.js";
 import { getHostOpenClawConfigSnapshot } from "../../host-config.js";
 import { getFridayNextRuntime } from "../../runtime.js";
 import { resolveAgentDefaults, setSessionSettings, splitModelRef, toSessionStoreKey, } from "../../session/session-manager.js";
@@ -429,6 +430,13 @@ export async function handleMessages(req, res) {
                             }
                         }
                         const payload = translateDeliverPayload(pl, info.kind, meta);
+                        const deliverIsError = payload?.isError || pl?.isError;
+                        // Drop error deliveries that are a direct consequence of a user stop (the aborted
+                        // run's own failover, e.g. "LLM request failed."). The user already chose to stop;
+                        // surfacing it as an error toast is abort-noise, not a real failure.
+                        if (deliverIsError && wasRecentlyUserAborted(baseSessionKey)) {
+                            return;
+                        }
                         log("EVENT_SENT", normalizedDeviceId, runId, `deliver kind=${info.kind}`);
                         sseEmitter.broadcastToRun(runId, {
                             type: "deliver",
@@ -449,6 +457,9 @@ export async function handleMessages(req, res) {
                         }
                     },
                     onError: (err) => {
+                        if (wasRecentlyUserAborted(baseSessionKey)) {
+                            return;
+                        }
                         log("RUN_ERROR", normalizedDeviceId, runId, String(err), "error");
                         sseEmitter.broadcastToRun(runId, {
                             type: "outbound",

package/index.ts

@@ -30,8 +30,6 @@ const hookLogger = createFridayNextLogger("hook");
 export { fridayNextChannelPlugin } from "./src/channel.js";
 export { setFridayNextRuntime } from "./src/runtime.js";
 
-/** `api.on` returns void — register tool hooks at most once per process. */
-let fridayNextToolHooksRegistered = false;
 let disposeAgentEventListener: (() => void) | null = null;
 /**
  * Track the last `api` instance on which HTTP routes were registered.
@@ -163,10 +161,17 @@ export default defineChannelPluginEntry({
       );
     });
 
-    if (fridayNextToolHooksRegistered) {
+    // Tool hooks (subagent_delivery_target / before_tool_call / after_tool_call) must follow the
+    // SAME re-registration discipline as the HTTP routes and onAgentEvent listener above. When the
+    // health-monitor restarts the plugin, `registerFull` receives a fresh `api` and the host
+    // dispatches hooks on THAT api; hooks left bound to the first api go silent for the rest of the
+    // process. The old one-time boolean guard bound them to whichever api arrived first — which is
+    // exactly why Codex `command_output` (the A3 after_tool_call stdout synthesis) fired on some
+    // gateway processes and not others. Re-register on every genuinely-new api; skip only a repeat
+    // call with the same api (matching the `!sameApi` gate the routes use).
+    if (sameApi) {
       return;
     }
-    fridayNextToolHooksRegistered = true;
 
     // Make Codex (ChatGPT/OAuth) models emit reasoning summary text so the app can stream
     // "thinking". OpenClaw never sets this; we assert it on the plugin side. Best-effort.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@syengup/friday-channel-next",
-  "version": "1.0.3",
+  "version": "1.0.5",
   "description": "OpenClaw Friday Next Apple channel plugin",
   "license": "MIT",
   "type": "module",

package/src/agent/abort-run.test.ts

@@ -0,0 +1,39 @@
+import { describe, expect, it, vi } from "vitest";
+import { abortRunForSessionKey } from "./abort-run.js";
+
+describe("abortRunForSessionKey", () => {
+  it("resolves sessionKey → sessionId then fires a PLAIN abort (canonical clean stop)", async () => {
+    const abortAgentHarnessRun = vi.fn().mockReturnValue(true);
+    const resolveActiveEmbeddedRunSessionId = vi.fn().mockReturnValue("sid-9");
+
+    const result = await abortRunForSessionKey("sk-9", {
+      resolveActiveEmbeddedRunSessionId,
+      abortAgentHarnessRun,
+    });
+
+    expect(resolveActiveEmbeddedRunSessionId).toHaveBeenCalledWith("sk-9");
+    // Plain abort by internal sessionId — fires handle.abort(), no drain/forceClear.
+    expect(abortAgentHarnessRun).toHaveBeenCalledWith("sid-9");
+    expect(result).toEqual({ aborted: true });
+  });
+
+  it("returns a no-op without aborting when there is no active run for the sessionKey", async () => {
+    const abortAgentHarnessRun = vi.fn();
+    const result = await abortRunForSessionKey("sk-x", {
+      resolveActiveEmbeddedRunSessionId: () => undefined,
+      abortAgentHarnessRun,
+    });
+    expect(abortAgentHarnessRun).not.toHaveBeenCalled();
+    expect(result).toEqual({ aborted: false });
+  });
+
+  it("returns a no-op for an empty sessionKey", async () => {
+    const abortAgentHarnessRun = vi.fn();
+    const result = await abortRunForSessionKey("   ", {
+      resolveActiveEmbeddedRunSessionId: () => "sid",
+      abortAgentHarnessRun,
+    });
+    expect(abortAgentHarnessRun).not.toHaveBeenCalled();
+    expect(result).toEqual({ aborted: false });
+  });
+});

package/src/agent/abort-run.ts

@@ -1,25 +1,55 @@
-export type AbortRunResult = { aborted: boolean; drained: boolean };
+export type AbortRunResult = { aborted: boolean };
+
+export type AbortRunDeps = {
+  resolveActiveEmbeddedRunSessionId: (sessionKey: string) => string | undefined;
+  abortAgentHarnessRun: (sessionId: string) => boolean;
+};
+
+const NO_OP: AbortRunResult = { aborted: false };
+
+async function loadAbortRunDeps(): Promise<AbortRunDeps | null> {
+  // The SDK is optional at runtime and unavailable/unmockable under Vitest; tests
+  // inject `deps` directly to exercise the real abort path.
+  if (process.env.VITEST === "true") return null;
+  try {
+    return await import("openclaw/plugin-sdk/agent-harness");
+  } catch {
+    return null;
+  }
+}
 
 /**
- * Abort the active run for a channel `sessionKey`.
+ * Abort the active run for a channel `sessionKey` — the CANONICAL OpenClaw stop.
+ *
+ * Mirrors how ControlUI (`chat.abort` → `abortChatRunById`) and the voice/`/compact`/
+ * steer paths stop a run: resolve sessionKey → internal sessionId (active runs are keyed
+ * by sessionId, not the channel runId), then fire a PLAIN abort (`abortAgentHarnessRun`
+ * = `abortEmbeddedAgentRun` → `handle.abort()`). That sets the run's `externalAbort` flag
+ * so it unwinds to a clean `"aborted_by_user"` terminal — a SILENT reply plus a
+ * `status:"cancelled"` lifecycle — with NO error event.
  *
- * A session has at most one active run at a time, and the SDK keys active runs by
- * their internal `sessionId` (not the channel runId). So resolve sessionKey → sessionId
- * first, then abort-and-drain so the caller learns whether the run actually settled.
+ * Deliberately NOT abort-and-drain with `forceClear`: `forceClear` force-fails the reply
+ * operation (`operation.fail("run_failed", new Error("Embedded run force-cleared by …"))`)
+ * and never fires the abort signal, so (a) the failed operation surfaces as a spurious
+ * `dispatch_error`, and (b) without `externalAbort` the interrupted LLM call is classified
+ * as a real failure → `"LLM request failed."`. Both show up as an error toast in the app.
+ * `forceClear` is OpenClaw's stuck/cron-timeout recovery hammer, not a user-initiated stop.
  */
-export async function abortRunForSessionKey(sessionKey: string): Promise<AbortRunResult> {
-  if (process.env.VITEST === "true") return { aborted: false, drained: false };
+export async function abortRunForSessionKey(
+  sessionKey: string,
+  deps?: AbortRunDeps,
+): Promise<AbortRunResult> {
   const key = sessionKey.trim();
-  if (!key) return { aborted: false, drained: false };
+  if (!key) return NO_OP;
+  const resolved = deps ?? (await loadAbortRunDeps());
+  if (!resolved) return NO_OP;
   try {
-    const { resolveActiveEmbeddedRunSessionId, abortAndDrainAgentHarnessRun } =
-      await import("openclaw/plugin-sdk/agent-harness");
-    const sessionId = resolveActiveEmbeddedRunSessionId(key);
-    if (!sessionId) return { aborted: false, drained: false };
-    const result = await abortAndDrainAgentHarnessRun({ sessionId, sessionKey: key });
-    return { aborted: result.aborted, drained: result.drained };
+    const sessionId = resolved.resolveActiveEmbeddedRunSessionId(key);
+    if (!sessionId) return NO_OP;
+    const aborted = resolved.abortAgentHarnessRun(sessionId);
+    return { aborted };
   } catch {
     // optional at runtime
-    return { aborted: false, drained: false };
+    return NO_OP;
   }
 }

package/src/agent/recent-aborts.test.ts

@@ -0,0 +1,29 @@
+import { afterEach, describe, expect, it } from "vitest";
+import {
+  clearRecentAborts,
+  markUserAbort,
+  RECENT_ABORT_SUPPRESSION_MS,
+  wasRecentlyUserAborted,
+} from "./recent-aborts.js";
+
+afterEach(() => clearRecentAborts());
+
+describe("recent-aborts", () => {
+  it("reports a sessionKey as recently aborted within the window", () => {
+    markUserAbort("sk-1", 1_000);
+    expect(wasRecentlyUserAborted("sk-1", 1_000)).toBe(true);
+    expect(wasRecentlyUserAborted("sk-1", 1_000 + RECENT_ABORT_SUPPRESSION_MS)).toBe(true);
+  });
+
+  it("expires after the window", () => {
+    markUserAbort("sk-2", 1_000);
+    expect(wasRecentlyUserAborted("sk-2", 1_000 + RECENT_ABORT_SUPPRESSION_MS + 1)).toBe(false);
+  });
+
+  it("is false for an unknown or empty sessionKey", () => {
+    expect(wasRecentlyUserAborted("never", 1_000)).toBe(false);
+    expect(wasRecentlyUserAborted("   ", 1_000)).toBe(false);
+    markUserAbort("   ", 1_000);
+    expect(wasRecentlyUserAborted("   ", 1_000)).toBe(false);
+  });
+});

package/src/agent/recent-aborts.ts

@@ -0,0 +1,36 @@
+/**
+ * Tracks recent user-initiated aborts per channel sessionKey.
+ *
+ * When the user stops a run, OpenClaw's embedded runner / Codex backend can still surface an
+ * error as a consequence of the interruption — the aborted run's own failover ("LLM request
+ * failed.") or a generic failure on the very next turn ("Something went wrong …"). Those are
+ * abort-noise, not real failures the user should see as an error toast. The channel records the
+ * abort here so the deliver/error forwarders can drop `isError` payloads that land within a short
+ * window of a stop the user explicitly requested.
+ */
+const recentAbortAtMs = new Map<string, number>();
+
+/** How long after a user stop to treat surfaced errors as abort-noise. */
+export const RECENT_ABORT_SUPPRESSION_MS = 20_000;
+
+export function markUserAbort(sessionKey: string, nowMs: number = Date.now()): void {
+  const key = sessionKey.trim();
+  if (key) recentAbortAtMs.set(key, nowMs);
+}
+
+export function wasRecentlyUserAborted(sessionKey: string, nowMs: number = Date.now()): boolean {
+  const key = sessionKey.trim();
+  if (!key) return false;
+  const at = recentAbortAtMs.get(key);
+  if (at === undefined) return false;
+  if (nowMs - at > RECENT_ABORT_SUPPRESSION_MS) {
+    recentAbortAtMs.delete(key);
+    return false;
+  }
+  return true;
+}
+
+/** Test/maintenance hook. */
+export function clearRecentAborts(): void {
+  recentAbortAtMs.clear();
+}

package/src/friday-session.forward-agent.test.ts

@@ -195,6 +195,27 @@ describe("forwardAgentEventRaw (thinking delta rewrite)", () => {
     expect(sseEmitter.broadcastToRun).not.toHaveBeenCalled();
   });
 
+  it("KEEPS suppressed item kind:command (exec row the command_output stdout attaches to)", () => {
+    // The `tool`-stream exec result is just {exitCode,duration}; the real stdout arrives on the
+    // synthesized `command_output` end event, which the app attaches to the command-terminal row
+    // bootstrapped from THIS `item kind:command`. Dropping it (as the old broad filter did) left
+    // exec tools with a command line and no output in the trace.
+    forwardAgentEventRaw({
+      runId,
+      seq: 1,
+      stream: "item",
+      sessionKey,
+      data: {
+        itemId: "call_exec1",
+        kind: "command",
+        phase: "start",
+        name: "bash",
+        suppressChannelProgress: true,
+      },
+    });
+    expect(sseEmitter.broadcastToRun).toHaveBeenCalledTimes(1);
+  });
+
   it("forwards item events that are not suppressed (e.g. reasoning analysis markers)", () => {
     forwardAgentEventRaw({
       runId,

package/src/friday-session.ts

@@ -401,12 +401,20 @@ export function forwardAgentEventRaw(evt: ForwardAgentEventArgs): void {
   // Codex app-server projects every tool/command call onto BOTH the standard `tool` stream
   // (carrying args + the real result) AND a redundant `item` event (kind:"tool"/"command"),
   // and core flags that item `suppressChannelProgress: true` ("do not surface in channel
-  // progress"). Forwarding the suppressed item anyway double-renders every non-exec tool in
-  // the app — the `tool`-stream row plus a second `item kind:tool` row, with the result landing
-  // only on the first. Honor the flag and drop suppressed items; the `tool` stream (and, for
-  // exec, the synthesized `command_output`) already carries everything the app renders. Codex
-  // reasoning items (preamble/analysis) are NOT suppressed, so this never touches thinking.
-  if (evt.stream === "item" && evt.data.suppressChannelProgress === true) {
+  // progress"). Forwarding the suppressed *tool* item double-renders every non-exec tool in the
+  // app — the `tool`-stream row plus a second `item kind:tool` row, with the result landing only
+  // on the first. So drop ONLY suppressed `kind:"tool"` items.
+  //
+  // BUT keep suppressed `kind:"command"`/`"process"` items: the `tool` stream's exec result is
+  // just {exitCode,duration} (no stdout), and the app bootstraps its command-terminal row from
+  // the `item kind:command` event — that row is what the synthesized `command_output` end event
+  // then attaches the real stdout to. Dropping it left exec tools with a command line and no
+  // output in the trace. (Reasoning items preamble/analysis are never suppressed.)
+  if (
+    evt.stream === "item" &&
+    evt.data.suppressChannelProgress === true &&
+    evt.data.kind === "tool"
+  ) {
     return;
   }
 

package/src/history/normalize-message.test.ts

@@ -185,6 +185,33 @@ describe("normalizeHistoryMessage", () => {
     expect(plain?.mediaPaths).toBeUndefined();
   });
 
+  it("extracts Codex exec stdout from a `toolResult`-typed content block", () => {
+    // Codex (app-server) persists bash/exec stdout in a content block whose `type` is
+    // "toolResult" (not "text"); the native path only ever emits "text" blocks. Before the
+    // fix this fell through `default` and the command output was dropped (text="").
+    const out = normalizeHistoryMessage(
+      {
+        role: "toolResult",
+        toolCallId: "call_GSu3",
+        toolName: "bash",
+        content: [
+          {
+            type: "toolResult",
+            toolCallId: "call_GSu3",
+            name: "bash",
+            content: "Applications\nDesktop\nDocuments",
+            text: "Applications\nDesktop\nDocuments",
+          },
+        ],
+        ...meta("tr-1", 3),
+      },
+      0,
+    );
+    expect(out?.role).toBe("toolResult");
+    expect(out?.toolResult?.text).toBe("Applications\nDesktop\nDocuments");
+    expect(out?.toolResult?.toolCallId).toBe("call_GSu3");
+  });
+
   it("flags compaction records via __openclaw.kind", () => {
     const out = normalizeHistoryMessage(
       {

package/src/history/normalize-message.ts

@@ -158,6 +158,21 @@ function parseContent(content: unknown): ParsedContent {
         }
         break;
       }
+      case "toolResult":
+      case "tool_result": {
+        // Codex (app-server backend) persists an exec/bash tool's STDOUT in a content
+        // block whose `type` is "toolResult" (not "text") — the output lives in the
+        // block's `text`/`content`. The native/Anthropic path uses plain "text" blocks,
+        // so this case was never hit and the command output was silently dropped from
+        // history (`parsed.text` stayed ""), leaving the app's trace tool row with no
+        // result. ControlUI shows it because its projection reads these blocks.
+        const t = readString(block.text) || readString(block.content);
+        if (t) {
+          textParts.push(t);
+          out.images.push(...extractMediaMarkers(t));
+        }
+        break;
+      }
       case "thinking": {
         const t = readString(block.thinking);
         if (t) thinkingParts.push(t);

package/src/http/handlers/cancel.ts

@@ -1,5 +1,6 @@
 import type { IncomingMessage, ServerResponse } from "node:http";
 import { abortRunForSessionKey } from "../../agent/abort-run.js";
+import { markUserAbort } from "../../agent/recent-aborts.js";
 import { getRunRoute } from "../../run-metadata.js";
 import { sseEmitter } from "../../sse/emitter.js";
 import { readJsonBody } from "../middleware/body.js";
@@ -34,7 +35,10 @@ export async function handleCancel(req: IncomingMessage, res: ServerResponse): P
   }
   const result = sessionKey
     ? await abortRunForSessionKey(sessionKey)
-    : { aborted: false, drained: false };
+    : { aborted: false };
+  // Record the user stop so abort-induced error deliveries are suppressed for a short window
+  // (the aborted run's own failover, or a generic failure on the immediate next turn).
+  if (sessionKey) markUserAbort(sessionKey);
   if (runId) sseEmitter.untrackRun(runId);
   res.statusCode = 200;
   res.setHeader("Content-Type", "application/json");

package/src/http/handlers/messages.ts

@@ -25,6 +25,7 @@ export type FridayReplyPayload = {
   channelData?: unknown;
 };
 import { resolveFridayNextConfig } from "../../config.js";
+import { wasRecentlyUserAborted } from "../../agent/recent-aborts.js";
 import { getHostOpenClawConfigSnapshot } from "../../host-config.js";
 import { getFridayNextRuntime } from "../../runtime.js";
 import {
@@ -589,6 +590,14 @@ export async function handleMessages(req: IncomingMessage, res: ServerResponse):
               }
             }
             const payload = translateDeliverPayload(pl, info.kind, meta);
+            const deliverIsError =
+              (payload as { isError?: boolean })?.isError || (pl as { isError?: boolean })?.isError;
+            // Drop error deliveries that are a direct consequence of a user stop (the aborted
+            // run's own failover, e.g. "LLM request failed."). The user already chose to stop;
+            // surfacing it as an error toast is abort-noise, not a real failure.
+            if (deliverIsError && wasRecentlyUserAborted(baseSessionKey)) {
+              return;
+            }
             log("EVENT_SENT", normalizedDeviceId, runId, `deliver kind=${info.kind}`);
             sseEmitter.broadcastToRun(
               runId,
@@ -613,6 +622,9 @@ export async function handleMessages(req: IncomingMessage, res: ServerResponse):
             }
           },
           onError: (err: unknown) => {
+            if (wasRecentlyUserAborted(baseSessionKey)) {
+              return;
+            }
             log("RUN_ERROR", normalizedDeviceId, runId, String(err), "error");
             sseEmitter.broadcastToRun(
               runId,