npm - agim-cli - Versions diffs - 1.2.144 → 1.2.147 - Mend

agim-cli 1.2.144 → 1.2.147

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (266) hide show

package/dist/plugins/agents/native/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/plugins/agents/native/index.ts"],"names":[],"mappings":"AAyCA,OAAO,KAAK,EACV,YAAY,EAGb,MAAM,wBAAwB,CAAA;AAG/B,OAAO,~~EAOL~~,KAAK,WAAW,~~EAEjB~~,MAAM,4BAA4B,CAAA;~~AAKnC~~,OAAO,EAIL,KAAK,wBAAwB,EAC9B,MAAM,2CAA2C,CAAA;~~AAyClD~~;;;;;;;;;;;;;GAaG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,WAAW,EACrB,IAAI,EAAE,MAAM,EACZ,GAAG,EAAE,MAAM,EACX,SAAS,CAAC,EAAE,MAAM,GACjB,MAAM,~~CAoLR;AAED;;;;;;;+DAO~~+D;~~AAC/D~~,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,~~CAmBpD~~;~~AA+LD~~;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,cAAc,CAClC,IAAI,EAAE;IACJ,MAAM,EAAE,MAAM,CAAA;IACd,MAAM,EAAE;QACN,SAAS,EAAE,aAAa,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,OAAO,CAAC;YAAC,OAAO,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC,CAAA;QAC9E,UAAU,EAAE,MAAM,CAAA;KACnB,CAAA;IACD,QAAQ,EAAE,WAAW,CAAA;IACrB,IAAI,EAAE,OAAO,GAAG,UAAU,GAAG,YAAY,GAAG,WAAW,CAAA;IACvD,iDAAiD;IACjD,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,WAAW,CAAA;IACpB,SAAS,EAAE,MAAM,CAAA;CAClB,GACA,OAAO,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,GAAG,IAAI,CAAC,CAwG1D;AAwED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,aAAa,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,wBAAwB,CAgE1E;AAWD;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAExD;~~AA8ED~~;;;;;;;;;;;;;GAaG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAkCvF;~~AAmlBD~~,eAAO,MAAM,kBAAkB,EAAE,YAAuC,CAAA;AAExE;;cAEc;AACd,wBAAgB,mBAAmB,IAAI,MAAM,CAI5C"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/plugins/agents/native/index.ts"],"names":[],"mappings":"AAyCA,OAAO,KAAK,EACV,YAAY,EAGb,MAAM,wBAAwB,CAAA;AAG/B,OAAO,EAIL,KAAK,WAAW,EACjB,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAIL,KAAK,wBAAwB,EAC9B,MAAM,2CAA2C,CAAA;AAoDlD;;;;;;GAMG;AACH,wBAAgB,kBAAkB,IAAI,OAAO,CAM5C;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,WAAW,EACrB,IAAI,EAAE,MAAM,EACZ,GAAG,EAAE,MAAM,EACX,SAAS,CAAC,EAAE,MAAM,GACjB,MAAM,CA+NR;AAmDD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAiBpD;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,kBAAkB,IAAI,OAAO,CAG5C;AA4OD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,cAAc,CAClC,IAAI,EAAE;IACJ,MAAM,EAAE,MAAM,CAAA;IACd,MAAM,EAAE;QACN,SAAS,EAAE,aAAa,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,OAAO,CAAC;YAAC,OAAO,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC,CAAA;QAC9E,UAAU,EAAE,MAAM,CAAA;KACnB,CAAA;IACD,QAAQ,EAAE,WAAW,CAAA;IACrB,IAAI,EAAE,OAAO,GAAG,UAAU,GAAG,YAAY,GAAG,WAAW,CAAA;IACvD,iDAAiD;IACjD,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,WAAW,CAAA;IACpB,SAAS,EAAE,MAAM,CAAA;CAClB,GACA,OAAO,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,GAAG,IAAI,CAAC,CAwG1D;AAwED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,aAAa,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,wBAAwB,CAgE1E;AAWD;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAExD;AAoDD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAkCvF;AA2kBD,eAAO,MAAM,kBAAkB,EAAE,YAAuC,CAAA;AAExE;;cAEc;AACd,wBAAgB,mBAAmB,IAAI,MAAM,CAI5C"}

package/dist/plugins/agents/native/index.js CHANGED Viewed

@@ -40,16 +40,14 @@
 //     persistence across turns)
 import { logger as rootLogger } from '../../../core/logger.js';
 import { logInvocation } from '../../../core/audit-log.js';
-import { runAgentLoop, buildMcpDispatcher, combineDispatchers, getProvider, getAllMcpTools, } from '../../../core/llm/index.js';
-import { buildBuiltinDispatcher, getBuiltinTools, } from '../../../core/llm/builtin-dispatcher.js';
+import { runAgentLoop, getProvider, } from '../../../core/llm/index.js';
 import { buildPolicyApprovalGate, describePolicy, } from '../../../core/llm/policy-approval-gate.js';
-import { buildImhubDispatcher, getImhubTools, } from '../../../core/llm/imhub-dispatcher.js';
-import { buildFsDispatcher, getFsTools, } from '../../../core/llm/fs-dispatcher.js';
-import { buildWebDispatcher, getWebTools, } from '../../../core/llm/web-dispatcher.js';
-import { buildExecDispatcher, getExecTools, } from '../../../core/llm/exec-dispatcher.js';
-import { buildTodoDispatcher, getTodoTools, } from '../../../core/llm/todo-dispatcher.js';
-import { buildPlanExitDispatcher, getPlanExitTools, } from '../../../core/llm/plan-exit-dispatcher.js';
-import { listSkills } from '../../../core/skills/loader.js';
+// Tool assembly (defs + dispatch + per-call concurrency classifier) moved
+// into tool-registry.ts (#86); the per-dispatcher builder imports live there
+// now. MAX_INJECTED_SKILLS is still needed here for the system-prompt skills
+// cap (#85/T3).
+import { assembleNativeTools } from './tool-registry.js';
+import { listSkills, MAX_INJECTED_SKILLS } from '../../../core/skills/loader.js';
 import { describeRegistry as describeMcpRegistry } from '../../../core/llm/mcp-registry.js';
 import { resolveAgentCwd, defaultAgentCwd } from '../../../core/agent-cwd.js';
 import { handlePushOp } from '../../../core/push-rpc.js';
@@ -61,6 +59,50 @@ import { existsSync as fsExistsSync, statSync as fsStatSync, readFileSync as fsR
 import { resolve as pathResolve, sep as pathSep, join as pathJoin } from 'node:path';
 import { sanitizeForInjection, scanForInjectionAttempts } from '../../../core/prompt-injection-guard.js';
 const log = rootLogger.child({ component: 'native-agent' });
+/**
+ * v1.2.147 — framework-level tool-call discipline injected into EVERY
+ * native turn's system prompt. Sits at the top, before the operator
+ * role definition, so it dominates any persona-level rules the user
+ * authors. Pure prompt — paired with the runtime hallucination
+ * detector (`detectHallucinatedToolCall`) that catches the failure
+ * mode if the model ignores the rule.
+ *
+ * Why this is hard-coded, not optional:
+ *   - The failure (model narrates a tool call without emitting it) is
+ *     LLM-side and silent; we cannot fully prevent it. But almost every
+ *     instance we've seen would have been deterred by an explicit
+ *     "do not narrate, just emit" rule.
+ *   - Leaving this to operator AGENTS.md means every fresh install
+ *     reproduces the same harm before the operator notices.
+ *   - Escape hatch: IMHUB_NATIVE_TOOL_DISCIPLINE=off (or 0/false/no/
+ *     disable) lets advanced operators drop the block, e.g. when
+ *     measuring whether the prompt itself is hurting tool-call recall.
+ */
+const TOOL_CALL_DISCIPLINE_PROMPT = [
+    '## 工具调用纪律（agim 框架级硬约束）',
+    '',
+    '- 禁止用文本"描述/演练"工具调用。例如不可输出 `我现在调用 native_write_file: \\`\\`\\`python ...\\`\\`\\`` —— 想用工具就直接发 `toolCalls`，不要先用纯文本预告。',
+    '- 工具调用必须真的发生：如果当轮没真正发出 `toolCalls`，就不要输出"已经写好 / 已经存好 / 已经调了 X"这类口径，更不要承诺"下一步直接写"。',
+    '- 不确定是否该调用，用 `native_todo_write` 把意图留为 todo 让用户审，不要假装调用了又没调。',
+    '- 用户追问"做了吗 / 写好了吗 / 又没消息了"，先回顾本轮 `toolCalls` 历史；没有就直接坦白"没调成"，禁止编造"这次直接写""不废话了"等空承诺——空承诺没有任何代价但会摧毁信任。',
+    '- write / edit / exec 类副作用工具一次性写完整调用，不要分两步"先承诺再调用"。',
+    '',
+    '（运行时会有 hallucination 检测器在末轮抓"narrate without emit"，触发会用复盘卡替换原回复。）',
+].join('\n');
+/**
+ * Read the IMHUB_NATIVE_TOOL_DISCIPLINE kill-switch. Default ON.
+ * Recognized OFF values: 'off' / '0' / 'false' / 'no' / 'disable'.
+ * Pairs with isHallucinationDetectorOn (hallucination-detector.ts): the
+ * detector still fires when discipline is off, by design — discipline
+ * removed is a prompting test, not a license to ship lies.
+ */
+export function isToolDisciplineOn() {
+    const raw = (process.env.IMHUB_NATIVE_TOOL_DISCIPLINE ?? '').toLowerCase().trim();
+    if (raw === 'off' || raw === '0' || raw === 'false' || raw === 'no' || raw === 'disable') {
+        return false;
+    }
+    return true;
+}
 /**
  * v1.2.47 — system prompt is rebuilt per IM turn so the model sees:
  *   - which LLM backend + role it's actually running on
@@ -76,9 +118,26 @@ const log = rootLogger.child({ component: 'native-agent' });
  * field surfaced here is operator-configured and non-sensitive.
  */
 export function buildSystemPrompt(provider, role, cwd, threadKey) {
-    const skills = listSkills();
-    const skillsBlock = skills.length
-        ? skills.map((s) => `  - ${s.name}: ${s.description}`).join('\n')
+    // T3 (context-as-budget): bound the tier-1 skills listing. listSkills()
+    // already caps each description at MAX_DESCRIPTION_CHARS; here we also cap
+    // the COUNT to MAX_INJECTED_SKILLS (the same ceiling buildSkillsSummary
+    // uses) so a large catalog can't blow the per-turn system-prompt budget.
+    // Sorted for stable ordering; overflow collapses into a "+N more" hint
+    // that points the model at the on-demand read_skill / /skill list path.
+    // (Previously this re-rolled an UNCAPPED `name: desc` line per skill.)
+    const allSkills = listSkills().slice().sort((a, b) => a.name.localeCompare(b.name));
+    const visibleSkills = allSkills.slice(0, MAX_INJECTED_SKILLS);
+    const skillsBlock = visibleSkills.length
+        ? visibleSkills
+            .map((s) => {
+            const desc = (s.description || '').trim() || '(no description; read body via mcp__imhub__read_skill)';
+            const mark = s.available ? '' : ` (unavailable: ${s.unavailableReason ?? 'requires not met'})`;
+            return `  - ${s.name}: ${desc}${mark}`;
+        })
+            .join('\n')
+            + (allSkills.length > visibleSkills.length
+                ? `\n  … and ${allSkills.length - visibleSkills.length} more (use /skill list; read any with mcp__imhub__read_skill)`
+                : '')
         : '  (no skill cards loaded; see docs/skills.md to add one)';
     const mcpReg = describeMcpRegistry();
     const externalMcp = mcpReg.servers.length
@@ -87,6 +146,16 @@ export function buildSystemPrompt(provider, role, cwd, threadKey) {
             .join('\n')
         : '  (none configured)';
     const lines = [];
+    // v1.2.147 — framework-level tool-call discipline. Prepended BEFORE
+    // the operator role so it dominates persona-level rules. Hard-coded
+    // (not derived from a file) so every fresh agim install gets it, no
+    // per-user setup. Pairs with the runtime hallucination detector.
+    if (isToolDisciplineOn()) {
+        lines.push('[agim framework rule — tool-call discipline]');
+        lines.push(TOOL_CALL_DISCIPLINE_PROMPT);
+        lines.push('[/agim framework rule]');
+        lines.push('');
+    }
     // Operator-supplied role definition. Reads <cwd>/AGENTS.md (seeded by
     // bootstrapAgentWorkspaces) and prepends it as a role block. Lets
     // operators customise the agent's identity, tone, and house rules
@@ -108,32 +177,37 @@ export function buildSystemPrompt(provider, role, cwd, threadKey) {
     if (isPlanModeOn(threadKey)) {
         lines.push(`⚠ Plan mode is ACTIVE`, `  - You MUST produce a read-only plan; native_write_file and native_exec are HARD-BLOCKED.`, `  - Use read tools freely: native_read_file / native_list_dir / native_glob / native_grep / native_web_fetch / native_web_search.`, `  - Exit handshake (v1.2.131): when the plan is ready, call`, `      native_exit_plan_mode({ plan: '<markdown of the steps>' })`, `    The user will see an Approve/Reject card. On approve you regain full write access and proceed immediately. On reject you stay in Plan Mode with the user's feedback in the tool result — revise and call again.`, `  - DO NOT just describe the plan in prose and stop — the user expects the exit handshake. Skip it only if the user explicitly asks for "no exit" / "just brainstorm".`, ``);
     }
-    lines.push(`Tools available beyond the four native built-ins (echo / now / sleep / random_uuid):`, `  - agim built-in MCP tools (mcp__imhub__*): read_skill, list_skills, save_memo, search_memos, update_memo, delete_memo, push_message, ask_user, call_agent, long_task, complete_goal`, `  - native filesystem tools: native_read_file, native_write_file, native_list_dir, native_glob, native_grep — constrained to your workspace cwd unless IMHUB_NATIVE_FS_RESTRICT=0`, `  - native web tools: native_web_fetch (r.jina.ai reader by default), native_web_search (duckduckgo → metaso fallback). Private IPs blocked.`, `  - native_exec(command, timeout_ms?, cwd?): run shell commands. Always approval-gated; bwrap sandbox when IMHUB_EXEC_SANDBOX=bwrap.`, `  - External MCP servers configured by the operator:`, externalMcp, ``, `Available skill cards (call mcp__imhub__read_skill('<name>') for the full body):`, skillsBlock, ``, `Guidance:`, `  - Be terse; avoid filler. Prefer tool use over guessing.`, `  - When uncertain, call mcp__imhub__ask_user(question, choices[]) instead of free-form back-and-forth.`, `  - When the user references something they told the bot before, search memos via mcp__imhub__search_memos.`, ``, `Tool selection priority (HARD RULE — v1.2.59):`, `  - For "read this file / list this dir / search this content / fetch this URL", you MUST FIRST try`, `    your own native tools: native_read_file, native_list_dir, native_glob, native_grep,`, `    native_web_fetch (if available). Do NOT delegate these to call_agent.`, `  - call_agent is reserved for tasks that genuinely need a CLI agent's specialised capabilities`, `    (writing/editing source code in a real repo → claude-code; long-running plans → codex; etc).`, `  - You have a per-turn call_agent cap (default 2). Burning it on file reads will leave you`, `    unable to delegate later when you actually need to.`, ``, `When to USE call_agent (v1.2.139 positive framing — pair with the HARD RULE above):`, `  - The task needs sustained source-code editing in a real repo → call_agent('claude-code', …)`, `    or call_agent('codex', …). Don't try to mimic them with native_write_file when the work is`, `    multi-file refactors or feature builds.`, `  - You need a second pair of eyes / cross-checking on your own conclusion → call_agent('codex',`, `    'audit my findings: …'). Useful before committing or reporting.`, `  - The task is large enough that parallel research helps (e.g. survey 3 independent areas of`, `    a codebase) → fan-out via call_agent('native', …) so each sub-agent's context is fresh.`, `  - Tip: write the sub-agent prompt as a self-contained brief — they don't see this conversation.`, ``, `Web tool routing (HARD RULE — v1.2.64):`, `  - If the user provided a SPECIFIC URL (http://… or https://…) → native_web_fetch.`, `  - If the user wants to FIND / DISCOVER something by keywords ("查找最新 X" / "search for Y" /`, `    "find docs on Z" / "今天 / 最近的 W") → native_web_search FIRST. Don't guess a URL.`, `  - Common pattern: native_web_search(query) → pick a result → native_web_fetch(that.url).`, `  - NEVER call native_web_fetch with a URL you fabricated from the user's keywords.`, ``, `Short-input rule:`, `  - If the user's message is ONLY a slash command alias for an agent name (e.g. "/native", "/llm",`, `    "/na", "/cc", "/oc") and you are already that agent, respond with ONE short line confirming`, `    your identity (e.g. "我是 native，正在听。"). Do NOT call any tool. The slash router handles`, `    actual agent switching; if it didn't switch, the user is already on this agent.`, ``, `Plan tracking (v1.2.124 — native_todo_write):`, `  - When the user gives you a task with ≥ 3 distinct steps, FIRST call native_todo_write({items}) to`, `    write out your plan, then update statuses as you complete each step.`, `    Status values: pending | in_progress | completed. Keep exactly one item in_progress at a time.`, `  - The tool result is a rendered markdown checklist; the user sees your progress.`, `  - Don't call native_todo_write for trivial one-step tasks — overhead.`, `  - Example sequence:`, `    1) native_todo_write([{c:"Fetch market data",s:"in_progress"}, {c:"Analyse",s:"pending"}, {c:"Reply",s:"pending"}])`, `    2) … do fetch via native_web_fetch …`, `    3) native_todo_write([{c:"Fetch market data",s:"completed"}, {c:"Analyse",s:"in_progress"}, {c:"Reply",s:"pending"}])`, `    4) … analysis …`, `    5) write final answer to user`, ``, `Closure rule (v1.2.94 — HARD RULE):`, `  - When you finish a tool chain (read_file / web_fetch / native_exec / search_memos / etc.) you`, `    MUST write a short Chinese summary BEFORE stopping. The tool output by itself is not a`, `    user-facing answer — the user can't see the raw JSON / shell stdout. Always close with at`, `    least one sentence stating the finding / conclusion.`, `  - Do NOT end a turn with empty assistant text when you've just called tools. If you genuinely`, `    have nothing to add, say so explicitly ("已查完，未发现 X").`, ``, `Proactive memory rule (v1.2.96 — borrowed from Hermes Agent's "agent-curated memory"):`, `  - Before ending a substantive turn, scan the conversation for facts that should outlive the`, `    current chat. Persist them yourself via mcp__imhub__save_memo — don't wait for the user to`, `    ask you to remember.`, `  - Worth saving (call save_memo for each):`, `      · personal preferences ("我不喝咖啡" / "我用 vim"),`, `      · holdings or portfolio codes ("我持有 600519"),`, `      · recurring people / places ("我家在朝阳" / "爸爸生日 5月8日"),`, `      · stable identifiers (账号 / 邮箱 / API base / 配置路径),`, `      · explicit "记一下" / "remember this" instructions.`, `  - NOT worth saving: one-off questions, transient debugging context, tool outputs that are`, `    already cached elsewhere (memos point AT data, they're not a cache of data).`, `  - Each save_memo call is cheap. Two short memos beat one long one — small atomic facts`, `    search better. Add a 1-line user-facing acknowledgement so the user knows you remembered`, `    (e.g. "已记下 600519 是你的持仓").`, ``, `Long-task SOP (v1.2.93 — for any work you estimate will run > 10 minutes):`, `  - You CANNOT keep a long synchronous turn alive: the IM bridge times out around 30 min, and`, `    most useful work past the 10-min mark loses intermediate state if it crashes mid-flight.`, `  - Instead, use native_exec to invoke the agim bgjob wrapper, which spawns a detached worker`, `    that survives independent of this conversation:`, `      native_exec("/root/.claude/scripts/bgjob start <slug> -- /usr/bin/python3 /path/to/script.py [args]")`, `    Substitute python3 for the runtime you actually need. The wrapper returns a job_id; relay it`, `    to the user verbatim and tell them how to check back: \`bgjob status <id>\` / \`bgjob tail <id> -f\`.`, `  - When the user follows up asking about the job, native_exec calls like \`bgjob status <id>\` or`, `    \`bgjob tail <id> -n 100\` give you the current state + recent log lines.`, `  - The bwrap sandbox (when configured) is bypassed for this specific wrapper path so the`, `    setsid-detached worker actually survives. Any OTHER native_exec command remains sandboxed.`, `  - DO NOT use \`nohup ... &\` or backgrounded shell pipelines for long work — those die with the`, `    parent shell. bgjob is the only correct path on this platform.`, ``, `Python-RPC bridge (v1.2.97 — when a task means MANY similar tool calls):`, `  - When you would otherwise call mcp__imhub__* dozens of times in this chat turn (saving 30`, `    facts, fetching 50 stocks, scoring 100 candidates), DO NOT do it inline — that wastes the`, `    iteration budget and is likely to trip the stuck-loop detector. Write ONE Python script,`, `    run it in bgjob, and let it loop locally while calling back to agim's tool surface via the`, `    local RPC bridge agim sets up automatically for every native_exec child.`, `  - The Python sidecar lives at \`<npm install dir>/bin/agim_rpc.py\` (typically`, `    /usr/local/lib/node_modules/agim-cli/bin/agim_rpc.py — find it with`, `    \`node -e "console.log(require.resolve('agim-cli'))"\`). Import it and instantiate the client:`, `      from agim_rpc import client`, `      rpc = client()                                 # reads env, validates token, no args needed`, `      memos = rpc.search_memos(query="茅台", k=10)`, `      for m in memos.get("rows", []):`, `          ...`, `      rpc.push_message(text="后台跑完了，结果是 X")`, `  - Available tools through the bridge (whitelist): search_memos, save_memo, read_skill,`, `    list_skills, push_message. Everything else (native_exec, fs writes, call_agent, long_task,`, `    ask_user) is NOT exposed — the worker already has a shell + filesystem.`, `  - The token is automatically injected via env (IMHUB_RPC_SOCKET + IMHUB_RPC_TOKEN), bound`, `    to THIS IM thread, valid for 24 h. The worker can only drive this thread; it cannot`, `    push_message into someone else's chat.`, `  - End the worker with rpc.push_message(text="…done…") so the user sees the result come back`, `    asynchronously. Don't expect the user to poll \`bgjob tail\` themselves.`);
+    lines.push(`Tools available beyond the four native built-ins (echo / now / sleep / random_uuid):`, `  - agim built-in MCP tools (mcp__imhub__*): read_skill, list_skills, save_memo, search_memos, update_memo, delete_memo, push_message, ask_user, call_agent, long_task, complete_goal`, `  - native filesystem tools: native_read_file, native_write_file, native_list_dir, native_glob, native_grep — constrained to your workspace cwd unless IMHUB_NATIVE_FS_RESTRICT=0`, `  - native web tools: native_web_fetch (r.jina.ai reader by default), native_web_search (duckduckgo → metaso fallback). Private IPs blocked.`, `  - native_exec(command, timeout_ms?, cwd?): run shell commands. Always approval-gated; bwrap sandbox when IMHUB_EXEC_SANDBOX=bwrap.`, `  - External MCP servers configured by the operator:`, externalMcp, ``, `Available skill cards (call mcp__imhub__read_skill('<name>') for the full body):`, skillsBlock, ``, `Guidance:`, `  - Be terse; avoid filler. Prefer tool use over guessing.`, `  - When uncertain, call mcp__imhub__ask_user(question, choices[]) instead of free-form back-and-forth.`, `  - When the user references something they told the bot before, search memos via mcp__imhub__search_memos.`, ``, `Tool selection priority (HARD RULE — v1.2.59):`, `  - For "read this file / list this dir / search this content / fetch this URL", you MUST FIRST try`, `    your own native tools: native_read_file, native_list_dir, native_glob, native_grep,`, `    native_web_fetch (if available). Do NOT delegate these to call_agent.`, `  - call_agent is reserved for tasks that genuinely need a CLI agent's specialised capabilities`, `    (writing/editing source code in a real repo → claude-code; long-running plans → codex; etc).`, `  - You have a per-turn call_agent cap (default 2). Burning it on file reads will leave you`, `    unable to delegate later when you actually need to.`, ``, `When to USE call_agent (v1.2.139 positive framing — pair with the HARD RULE above):`, `  - The task needs sustained source-code editing in a real repo → call_agent('claude-code', …)`, `    or call_agent('codex', …). Don't try to mimic them with native_write_file when the work is`, `    multi-file refactors or feature builds.`, `  - You need a second pair of eyes / cross-checking on your own conclusion → call_agent('codex',`, `    'audit my findings: …'). Useful before committing or reporting.`, `  - The task is large enough that parallel research helps (e.g. survey 3 independent areas of`, `    a codebase) → fan-out via call_agent('native', …) so each sub-agent's context is fresh.`, `  - Tip: write the sub-agent prompt as a self-contained brief — they don't see this conversation.`, ``, `Verification subagent (T5 — harness pattern, the most reliably useful multi-agent move):`, `  - After you produce a SUBSTANTIVE result (a multi-step conclusion, a refactor, a data`, `    analysis, anything you're about to report or commit), spin up a FRESH subagent whose sole`, `    job is to verify it independently:`, `      call_agent('codex', 'Verify the result below against <source / acceptance criteria>.`, `                 Report ONLY discrepancies or risks; if it checks out, say so. <paste result>')`, `    Use 'codex' for code/logic review, 'native' for a fresh-eyes fact/consistency check.`, `  - Give the verifier a SELF-CONTAINED brief: restate the claim AND how to check it, and paste`, `    the artifact. It does NOT see this conversation — "verify my findings" with nothing attached`, `    is useless.`, `  - Synthesize, don't delegate understanding: digest what you learned into a PRECISE spec before`, `    delegating implementation or verification. "Based on your findings, fix it" is an anti-pattern`, `    — you (the coordinator) must state exactly what to do, not hand off the thinking.`, `  - Don't over-verify: skip the verifier for trivial / low-stakes turns (it costs a call_agent hop).`, ``, `Web tool routing (HARD RULE — v1.2.64):`, `  - If the user provided a SPECIFIC URL (http://… or https://…) → native_web_fetch.`, `  - If the user wants to FIND / DISCOVER something by keywords ("查找最新 X" / "search for Y" /`, `    "find docs on Z" / "今天 / 最近的 W") → native_web_search FIRST. Don't guess a URL.`, `  - Common pattern: native_web_search(query) → pick a result → native_web_fetch(that.url).`, `  - NEVER call native_web_fetch with a URL you fabricated from the user's keywords.`, ``, `Short-input rule:`, `  - If the user's message is ONLY a slash command alias for an agent name (e.g. "/native", "/llm",`, `    "/na", "/cc", "/oc") and you are already that agent, respond with ONE short line confirming`, `    your identity (e.g. "我是 native，正在听。"). Do NOT call any tool. The slash router handles`, `    actual agent switching; if it didn't switch, the user is already on this agent.`, ``, `Plan tracking (v1.2.124 — native_todo_write):`, `  - When the user gives you a task with ≥ 3 distinct steps, FIRST call native_todo_write({items}) to`, `    write out your plan, then update statuses as you complete each step.`, `    Status values: pending | in_progress | completed. Keep exactly one item in_progress at a time.`, `  - The tool result is a rendered markdown checklist; the user sees your progress.`, `  - Don't call native_todo_write for trivial one-step tasks — overhead.`, `  - Example sequence:`, `    1) native_todo_write([{c:"Fetch market data",s:"in_progress"}, {c:"Analyse",s:"pending"}, {c:"Reply",s:"pending"}])`, `    2) … do fetch via native_web_fetch …`, `    3) native_todo_write([{c:"Fetch market data",s:"completed"}, {c:"Analyse",s:"in_progress"}, {c:"Reply",s:"pending"}])`, `    4) … analysis …`, `    5) write final answer to user`, ``, `Closure rule (v1.2.94 — HARD RULE):`, `  - When you finish a tool chain (read_file / web_fetch / native_exec / search_memos / etc.) you`, `    MUST write a short Chinese summary BEFORE stopping. The tool output by itself is not a`, `    user-facing answer — the user can't see the raw JSON / shell stdout. Always close with at`, `    least one sentence stating the finding / conclusion.`, `  - Do NOT end a turn with empty assistant text when you've just called tools. If you genuinely`, `    have nothing to add, say so explicitly ("已查完，未发现 X").`, ``, `Proactive memory rule (v1.2.96 — borrowed from Hermes Agent's "agent-curated memory"):`, `  - Before ending a substantive turn, scan the conversation for facts that should outlive the`, `    current chat. Persist them yourself via mcp__imhub__save_memo — don't wait for the user to`, `    ask you to remember.`, `  - Worth saving (call save_memo for each):`, `      · personal preferences ("我不喝咖啡" / "我用 vim"),`, `      · holdings or portfolio codes ("我持有 600519"),`, `      · recurring people / places ("我家在朝阳" / "爸爸生日 5月8日"),`, `      · stable identifiers (账号 / 邮箱 / API base / 配置路径),`, `      · explicit "记一下" / "remember this" instructions.`, `  - NOT worth saving: one-off questions, transient debugging context, tool outputs that are`, `    already cached elsewhere (memos point AT data, they're not a cache of data).`, `  - Each save_memo call is cheap. Two short memos beat one long one — small atomic facts`, `    search better. Add a 1-line user-facing acknowledgement so the user knows you remembered`, `    (e.g. "已记下 600519 是你的持仓").`, ``, `Long-task SOP (v1.2.93 — for any work you estimate will run > 10 minutes):`, `  - You CANNOT keep a long synchronous turn alive: the IM bridge times out around 30 min, and`, `    most useful work past the 10-min mark loses intermediate state if it crashes mid-flight.`, `  - Instead, use native_exec to invoke the agim bgjob wrapper, which spawns a detached worker`, `    that survives independent of this conversation:`, `      native_exec("/root/.claude/scripts/bgjob start <slug> -- /usr/bin/python3 /path/to/script.py [args]")`, `    Substitute python3 for the runtime you actually need. The wrapper returns a job_id; relay it`, `    to the user verbatim and tell them how to check back: \`bgjob status <id>\` / \`bgjob tail <id> -f\`.`, `  - When the user follows up asking about the job, native_exec calls like \`bgjob status <id>\` or`, `    \`bgjob tail <id> -n 100\` give you the current state + recent log lines.`, `  - The bwrap sandbox (when configured) is bypassed for this specific wrapper path so the`, `    setsid-detached worker actually survives. Any OTHER native_exec command remains sandboxed.`, `  - DO NOT use \`nohup ... &\` or backgrounded shell pipelines for long work — those die with the`, `    parent shell. bgjob is the only correct path on this platform.`, ``, `Python-RPC bridge (v1.2.97 — when a task means MANY similar tool calls):`, `  - When you would otherwise call mcp__imhub__* dozens of times in this chat turn (saving 30`, `    facts, fetching 50 stocks, scoring 100 candidates), DO NOT do it inline — that wastes the`, `    iteration budget and is likely to trip the stuck-loop detector. Write ONE Python script,`, `    run it in bgjob, and let it loop locally while calling back to agim's tool surface via the`, `    local RPC bridge agim sets up automatically for every native_exec child.`, `  - The Python sidecar lives at \`<npm install dir>/bin/agim_rpc.py\` (typically`, `    /usr/local/lib/node_modules/agim-cli/bin/agim_rpc.py — find it with`, `    \`node -e "console.log(require.resolve('agim-cli'))"\`). Import it and instantiate the client:`, `      from agim_rpc import client`, `      rpc = client()                                 # reads env, validates token, no args needed`, `      memos = rpc.search_memos(query="茅台", k=10)`, `      for m in memos.get("rows", []):`, `          ...`, `      rpc.push_message(text="后台跑完了，结果是 X")`, `  - Available tools through the bridge (whitelist): search_memos, save_memo, read_skill,`, `    list_skills, push_message. Everything else (native_exec, fs writes, call_agent, long_task,`, `    ask_user) is NOT exposed — the worker already has a shell + filesystem.`, `  - The token is automatically injected via env (IMHUB_RPC_SOCKET + IMHUB_RPC_TOKEN), bound`, `    to THIS IM thread, valid for 24 h. The worker can only drive this thread; it cannot`, `    push_message into someone else's chat.`, `  - End the worker with rpc.push_message(text="…done…") so the user sees the result come back`, `    asynchronously. Don't expect the user to poll \`bgjob tail\` themselves.`);
     return lines.join('\n');
 }
-/** Read <cwd>/AGENTS.md (if present) and prepare it for injection into
- *  the system prompt. Returns '' on missing file / read failure / empty
- *  content. Sanitises text length (8000 char cap) and scans for the
- *  classic prompt-injection signals ("ignore previous instructions",
- *  "always allow", etc.); when matches are found we still inject (the
- *  operator likely wrote them deliberately) but log a warn + audit
- *  hit so post-incident forensics can correlate. Honours
- *  IMHUB_NATIVE_AGENT_ROLE_FILE for a non-default location. */
-export function readOperatorRole(cwd) {
-    const override = process.env.IMHUB_NATIVE_AGENT_ROLE_FILE;
-    const path = override && override.length > 0 ? override : pathJoin(cwd, 'AGENTS.md');
-    if (!fsExistsSync(path))
+const _operatorRoleCache = new Map();
+function readRoleFile(path) {
+    let st;
+    try {
+        st = fsStatSync(path);
+    }
+    catch {
+        // Missing / unreadable → no role block; drop any stale cache entry.
+        _operatorRoleCache.delete(path);
         return '';
+    }
+    const cached = _operatorRoleCache.get(path);
+    if (cached && cached.mtimeMs === st.mtimeMs && cached.size === st.size) {
+        return cached.content;
+    }
     let raw = '';
     try {
         raw = fsReadFileSync(path, 'utf-8');
     }
     catch {
+        _operatorRoleCache.delete(path);
         return '';
     }
     const trimmed = raw.trim();
-    if (!trimmed)
+    if (!trimmed) {
+        _operatorRoleCache.set(path, { mtimeMs: st.mtimeMs, size: st.size, content: '' });
         return '';
+    }
     try {
         const scan = scanForInjectionAttempts(trimmed);
         if (scan.suspicious) {
@@ -145,7 +219,70 @@ export function readOperatorRole(cwd) {
         }
     }
     catch { /* scan is best-effort */ }
-    return sanitizeForInjection(trimmed, 8000);
+    const content = sanitizeForInjection(trimmed, 8000);
+    _operatorRoleCache.set(path, { mtimeMs: st.mtimeMs, size: st.size, content });
+    return content;
+}
+/**
+ * Resolve the operator role definition injected into native's system prompt.
+ *
+ * T4 (instruction hierarchy, distilled from the agentic-harness Memory
+ * pattern's "local overrides win — always"). Instead of a single
+ * `<cwd>/AGENTS.md`, discover a layered stack within the native workspace
+ * and concatenate in ASCENDING priority so the most-local block appears last
+ * and gets the most model attention. LOCAL WINS:
+ *
+ *   1. project — <cwd>/AGENTS.md         (the shared native-workspace role)
+ *   2. local   — <cwd>/AGENTS.local.md   (private override, not version-ctl'd)
+ *
+ * Both layers live under the native workspace cwd, so the stack is
+ * self-contained (no dependency on a global ~/.agim file — native has a
+ * single workspace, so "project" already IS the operator-global role; a
+ * cross-workspace user layer can be added later if that changes).
+ *
+ * IMHUB_NATIVE_AGENT_ROLE_FILE still forces a single explicit file (operators
+ * who pin one path bypass discovery entirely). Each layer is independently
+ * memoized + injection-scanned + capped at 8000 chars by readRoleFile.
+ */
+export function readOperatorRole(cwd) {
+    const override = process.env.IMHUB_NATIVE_AGENT_ROLE_FILE;
+    if (override && override.length > 0) {
+        // An explicit pin is operator-chosen → trusted regardless of the gate.
+        return readRoleFile(override);
+    }
+    // T6 — workspace trust gate. Discovered workspace files are skipped wholesale
+    // when the workspace is marked untrusted (see isWorkspaceTrusted).
+    if (!isWorkspaceTrusted()) {
+        return '';
+    }
+    const parts = [];
+    for (const p of [pathJoin(cwd, 'AGENTS.md'), pathJoin(cwd, 'AGENTS.local.md')]) {
+        const c = readRoleFile(p);
+        if (c)
+            parts.push(c);
+    }
+    return parts.join('\n\n');
+}
+/**
+ * T6 — workspace trust gate (distilled from the agentic-harness Lifecycle
+ * pattern's "trust is all-or-nothing; an untrusted workspace disables the
+ * whole extension surface, not just suspicious parts").
+ *
+ * agim treats `<cwd>/AGENTS.md` + `AGENTS.local.md` as an operator-authored
+ * role definition injected into the system prompt — a privileged surface. In
+ * multi-tenant / A2A setups the native cwd can point at a directory whose
+ * contents are NOT fully operator-controlled, where an attacker-planted
+ * AGENTS.md is a prompt-injection vector. Setting
+ * `IMHUB_NATIVE_TRUST_WORKSPACE=off` (or 0/false/no) makes readOperatorRole
+ * skip ALL workspace-discovered role files at once. Default is trusted
+ * (on) for backward compatibility — operators opt into the stricter posture.
+ *
+ * An explicit `IMHUB_NATIVE_AGENT_ROLE_FILE` bypasses the gate: the operator
+ * pinned that exact file deliberately, so it stays trusted.
+ */
+export function isWorkspaceTrusted() {
+    const raw = (process.env.IMHUB_NATIVE_TRUST_WORKSPACE ?? '').toLowerCase().trim();
+    return !(raw === 'off' || raw === '0' || raw === 'false' || raw === 'no');
 }
 /** Role priority for picking which LLM backend powers the native chat
  *  turn. First found wins. Operators can override the role via
@@ -328,6 +465,44 @@ function composeOffTrackRecap(result, reason, redirect) {
     lines.push('  · 或 /cc / /oc / /cs 切到别的智能体接手');
     return lines.join('\n');
 }
+/**
+ * v1.2.147 — recap for the "hallucinated tool-call" failure mode.
+ *
+ * Trigger: agent-loop detected the model's final text narrates a
+ * native_* tool invocation (e.g. "我现在调用 native_write_file:
+ * ```python ...```" or "let me invoke native_exec") but the response
+ * carried zero real toolCalls. The model promised an action it did not
+ * take. Without this branch the lie would get shipped to the user as a
+ * normal reply.
+ *
+ * Distinct from the empty / max-iter / stuck-loop recaps because the
+ * fail-mode is model-side rather than budget-side: the model is fine,
+ * just not in a tool-calling mood. The recap points the user at a
+ * backend swap as the most reliable next step, since prompt tweaking
+ * has limited leverage when the model has already drifted out of the
+ * function-calling schema. Pure formatting; no LLM call.
+ */
+function composeHallucinatedToolRecap(result, backend) {
+    const lines = [];
+    lines.push('🧐 模型说要调用工具，但实际上没真的发起调用。');
+    lines.push('为了不让你看到空承诺，已经把这次回复挡下。');
+    lines.push('');
+    lines.push(`当前 native-chat 后端：${backend}`);
+    if (result.toolCalls.length > 0) {
+        lines.push(`本轮在此之前已真正完成了 ${result.toolCalls.length} 次工具调用，那部分有效。`);
+    }
+    else {
+        lines.push('本轮没有任何真实工具调用产出。');
+    }
+    lines.push('');
+    lines.push('怎么继续：');
+    lines.push('  · 直接回「重试」让我重新跑一遍这一步');
+    lines.push('  · 或在 /settings/llm 把 native-chat 角色换成工具调用更稳定的后端（Claude / GPT 系列）');
+    lines.push('  · 或 /cc / /oc / /cs 切到别的智能体接手这一步');
+    lines.push('');
+    lines.push('（检测器可用 IMHUB_NATIVE_HALLUCINATION_DETECT=off 关掉）');
+    return lines.join('\n');
+}
 /**
  * v1.2.142 — Stage-report retry. Replaces v1.2.94's empty-only auto-
  * summary with a single helper used by all four "unhappy ending"
@@ -613,31 +788,6 @@ const PLAN_MODE_DENY_TOOLS = [
 export function isPlanModeOn(threadKey) {
     return effectivePlanModeOn(threadKey);
 }
-/**
- * v1.2.109 — names of native tools that are safe to dispatch in parallel
- * within a single iteration. Strict opt-in: only tools with no side
- * effects, no shared mutable state, and order-independent semantics.
- * MCP tools beyond explicit read-only ones are NOT listed because they
- * share session state with the agent loop's mcp-client and have caused
- * races in the past (see comment near agent-loop's old serial-only
- * note). Pure/read-only entries:
- *   - native_{echo,now,random_uuid}: pure
- *   - native_{read_file,list_dir,glob,grep}: read-only fs
- *   - native_{web_fetch,web_search}: read-only network (SSRF-checked)
- *   - mcp__imhub__{read_skill,list_skills,search_memos}: read-only
- *   - mcp__imhub__memory_{list,query}: read-only memory
- * Everything else (native_exec, native_write_file, save/update/delete
- * memo, push_message, ask_user, call_agent, long_task, complete_goal,
- * other MCP) remains serial.
- */
-const NATIVE_PARALLEL_SAFE_TOOLS = new Set([
-    'native_echo', 'native_now', 'native_random_uuid',
-    'native_read_file', 'native_list_dir', 'native_glob', 'native_grep',
-    'native_web_fetch', 'native_web_search',
-    'mcp__imhub__read_skill', 'mcp__imhub__list_skills',
-    'mcp__imhub__search_memos',
-    'mcp__imhub__memory_list', 'mcp__imhub__memory_query',
-]);
 /**
  * v1.2.60 — bridge native's policy gate to the approval-bus so tools
  * that the gate would otherwise silently deny instead surface an IM
@@ -903,13 +1053,15 @@ class NativeAgentAdapter {
         // the per-thread workspace subtree. Was previously resolved AFTER
         // dispatch composition; moved up so fs tools see the right root.
         const cwd = resolveAgentCwd('native', opts) || defaultAgentCwd('native');
-        const dispatch = combineDispatchers(buildBuiltinDispatcher(), buildFsDispatcher({ cwd }), buildWebDispatcher(), buildExecDispatcher({
+        // T2 (single tool registry): assemble the advertised tool list, the
+        // dispatch chain, AND the per-call concurrency classifier from ONE
+        // source-of-truth (see tool-registry.ts). This replaced three
+        // hand-maintained parallel lists (tools[] / combineDispatchers / the
+        // static parallelSafeTools Set) that silently drifted when a tool was
+        // added. The plan-exit dispatcher is always wired (it self-refuses off
+        // plan mode); its tool is advertised only when plan mode is on.
+        const assembled = assembleNativeTools({
             cwd,
-            // v1.2.97 — when this thread has a usable RunContext, hand it
-            // to exec-dispatcher so every spawned child inherits a fresh
-            // RPC token bound to the thread. Enables the Python-RPC bridge
-            // (bgjob worker → agim parent → memo/skill/push). Tokens are
-            // per-spawn, expire in 24h, and only authorise THIS thread.
             rpcCtx: opts.platform && opts.threadId
                 ? {
                     platform: opts.platform,
@@ -918,45 +1070,20 @@ class NativeAgentAdapter {
                     userId: opts.userId ?? '',
                 }
                 : undefined,
-        }),
-        // v1.2.124 — TodoWrite-style per-thread plan tracker. Sits
-        // before imhub so a stray tool name collision (none today) would
-        // be caught early. Uses the same composite thread key the PlanMode
-        // resolver does so users can find their list in audit.
-        buildTodoDispatcher(planThreadKey ?? `native:${sessionId}`),
-        // v1.2.131 — ExitPlanMode handshake. Always wired; the dispatcher
-        // itself refuses calls when the thread is NOT in plan mode, so
-        // the model can't accidentally exit something it didn't enter.
-        buildPlanExitDispatcher({
-            threadKey: planThreadKey ?? `native:${sessionId}`,
-            runId: sessionId,
-            platform: opts.platform,
-            channelId: opts.channelId,
-            threadId: opts.threadId,
-            userId: opts.userId,
-        }), buildImhubDispatcher(imhubCtx), buildMcpDispatcher());
-        // Compose tool list the same way (built-in → fs → web → exec → todo → imhub → external MCP).
-        // Provider tool roster wins on duplicate names via "later
-        // definition wins" semantics inside the provider, but our naming
-        // is namespaced (`native_*`, `mcp__imhub__*`, `mcp_<server>_*`)
-        // so collisions are not expected in practice.
-        const tools = [
-            ...getBuiltinTools(),
-            ...getFsTools(),
-            ...getWebTools(),
-            ...getExecTools(),
-            ...getTodoTools(),
-            ...getImhubTools(),
-            ...getAllMcpTools(),
-        ];
-        // v1.2.131 — when this thread is in Plan Mode, advertise the
-        // dedicated exit tool so the model knows the handshake exists. We
-        // don't always advertise it: a model in normal mode shouldn't be
-        // tempted to call it (the dispatcher would refuse anyway, but
-        // keeping the roster honest is cleaner).
-        if (planThreadKey && effectivePlanModeOn(planThreadKey)) {
-            tools.push(...getPlanExitTools());
-        }
+            todoThreadKey: planThreadKey ?? `native:${sessionId}`,
+            planExitCtx: {
+                threadKey: planThreadKey ?? `native:${sessionId}`,
+                runId: sessionId,
+                platform: opts.platform,
+                channelId: opts.channelId,
+                threadId: opts.threadId,
+                userId: opts.userId,
+            },
+            advertisePlanExit: !!(planThreadKey && effectivePlanModeOn(planThreadKey)),
+            imhubCtx,
+        });
+        const tools = assembled.tools;
+        const dispatch = assembled.dispatch;
         const policy = resolvePolicy(planThreadKey);
         // v1.2.60 — when the policy would silently deny a tool call,
         // escalate to the user via an IM approval card instead. Only
@@ -989,7 +1116,12 @@ class NativeAgentAdapter {
         // Was previously resolved here — that was fine before native had
         // fs tools, but fs-dispatcher now needs the value at dispatch
         // build time.
-        const traceId = `native-${sessionId}-${Date.now()}`;
+        // ADR-0002 — prefer the inbound turn's trace id (plumbed via opts.traceId
+        // from the router) so the native iteration / turn audit rows correlate
+        // back to the originating IM message in SIEM joins. Fall back to a
+        // self-minted id only for entry points that don't carry one (e.g. an A2A
+        // in-process spawn or a direct CLI/smoke invocation).
+        const traceId = opts.traceId || `native-${sessionId}-${Date.now()}`;
         // Wall-clock cap for the agent loop. agim's IM-layer enforces a 30-
         // minute hard ceiling per turn (DEFAULT_TIMEOUT_MS in agent-base.ts);
         // we set the inner loop a hair below so the loop's own abort fires
@@ -1064,11 +1196,12 @@ class NativeAgentAdapter {
                     traceId,
                 },
                 hooks: heartbeats.hooks,
-                // v1.2.109 — declare read-only / pure tools parallel-safe so
+                // v1.2.109 / T2 — declare read-only / pure tools parallel-safe so
                 // multi-call iterations (e.g. "read these 3 files") run
-                // concurrently. Conservative allowlist; see the constant for
-                // what's in / out and why.
-                parallelSafeTools: NATIVE_PARALLEL_SAFE_TOOLS,
+                // concurrently. Now a PER-CALL classifier owned by the tool
+                // registry (fail-closed: unknown / throwing → serial), replacing
+                // the static per-name set.
+                parallelSafeClassifier: assembled.isParallelSafe,
                 // v1.2.112 — stream provider responses so partial assistant
                 // text survives the IM 30-min hard timeout. Env-gated kill
                 // switch (`IMHUB_NATIVE_STREAM_PARTIAL=off` + global
@@ -1222,6 +1355,24 @@ class NativeAgentAdapter {
         else if (result.finishReason === 'aborted') {
             body = '⏹ native agent aborted before completion.';
         }
+        else if (result.finishReason === 'hallucinated_tools') {
+            // v1.2.147 — agent-loop detected the model narrated a tool
+            // invocation ("我现在调用 native_write_file: ```python …```")
+            // without actually emitting toolCalls. Surface a recap that
+            // names the failure mode + suggests a backend switch, instead
+            // of shipping the lie as a normal reply.
+            log.warn({
+                event: 'native.turn.hallucinated_tools',
+                sessionId,
+                backend: usedProvider.name,
+                role: usedRole,
+                iterations: result.iterations,
+                toolCallCount: result.toolCalls.length,
+                textLen: (result.text || '').length,
+                elapsedMs: Date.now() - startedAt,
+            }, `native turn ended with hallucinated tool-call narration (no real toolCalls emitted)`);
+            body = composeHallucinatedToolRecap(result, usedProvider.name);
+        }
         else if (!body) {
             // Normal `stop` finish but the model didn't write anything. Most
             // often the model completed a tool chain and forgot to close