bonecode 1.4.1 → 1.4.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bonecode",
-  "version": "1.4.1",
+  "version": "1.4.2",
   "private": false,
   "description": "BoneCode — a production-grade AI coding agent with BoneScript-generated backend and pgvector RAG",
   "keywords": [

package/scripts/debug_extract.js

@@ -0,0 +1,40 @@
+"use strict";
+const fs = require("fs");
+const path = require("path");
+
+const src = fs.readFileSync(path.resolve(__dirname, "..", "src", "engine", "session", "prompt.ts"), "utf-8");
+
+function extractFunc(name) {
+  const re = new RegExp(`(?:export\\s+)?function ${name}(?:<[^>]+>)?\\s*\\(`);
+  const m = src.match(re);
+  if (!m) return null;
+  const start = m.index + (m[0].startsWith("export") ? "export ".length : 0);
+  let depth = 0, inStr = false, strChar = "", inTpl = false, inRegex = false;
+  let inLine = false, inBlock = false, escape = false;
+  let i = src.indexOf("{", start);
+  let prev = " ";
+  for (; i < src.length; i++) {
+    const ch = src[i], next = src[i + 1];
+    if (escape) { escape = false; prev = ch; continue; }
+    if (ch === "\\") { escape = true; prev = ch; continue; }
+    if (inLine) { if (ch === "\n") inLine = false; prev = ch; continue; }
+    if (inBlock) { if (ch === "*" && next === "/") { inBlock = false; i++; } prev = ch; continue; }
+    if (inStr) { if (ch === strChar) inStr = false; prev = ch; continue; }
+    if (inTpl) { if (ch === "`") inTpl = false; prev = ch; continue; }
+    if (inRegex) { if (ch === "/" && prev !== "\\") inRegex = false; prev = ch; continue; }
+    if (ch === "/" && next === "/") { inLine = true; i++; prev = ch; continue; }
+    if (ch === "/" && next === "*") { inBlock = true; i++; prev = ch; continue; }
+    if (ch === "/" && /[=({,;!&|?:\s]/.test(prev)) { inRegex = true; prev = ch; continue; }
+    if (ch === '"' || ch === "'") { inStr = true; strChar = ch; prev = ch; continue; }
+    if (ch === "`") { inTpl = true; prev = ch; continue; }
+    if (ch === "{") depth++;
+    else if (ch === "}") { depth--; if (depth === 0) return src.slice(start, i + 1); }
+    prev = ch;
+  }
+  return null;
+}
+
+console.log("--- parseKwargs ---");
+console.log(extractFunc("parseKwargs"));
+console.log("\n\n--- parseLooseObject ---");
+console.log(extractFunc("parseLooseObject"));

package/scripts/test_leaked_tool_call.js

@@ -0,0 +1,269 @@
+#!/usr/bin/env node
+/**
+ * Tests for the leaked tool-call parser. Loads the compiled module directly
+ * so tests run against the same code that ships.
+ *
+ * Patterns tested are taken from real model outputs:
+ *   - gemma:  <|tool_call>call:edit{file_path:<|"|>foo.bone<|"|>}<tool_call|>
+ *   - qwen:   <tool_call>{"name":"write","arguments":{"path":"x"}}</tool_call>
+ *   - llama3: <|python_tag|>write({"path":"x"})<|/python_tag|>
+ *   - openai-style fenced: ```tool_code\nname(arg=val)\n```
+ *
+ * Also re-tests isBuildPrompt against the prompts that previously slipped
+ * through (e.g. "using BoneScript as the backend, write a python ...").
+ */
+
+"use strict";
+const fs = require("fs");
+const path = require("path");
+
+const G = "\x1b[32m"; const R = "\x1b[31m"; const C = "\x1b[36m";
+const B = "\x1b[1m"; const D = "\x1b[2m"; const N = "\x1b[0m";
+
+let passed = 0;
+let failed = 0;
+const failures = [];
+
+function ok(name, info = "") {
+  passed++;
+  console.log(`  ${G}✓${N} ${name}${info ? `  ${D}${info}${N}` : ""}`);
+}
+function fail(name, msg) {
+  failed++;
+  failures.push(`${name}: ${msg}`);
+  console.log(`  ${R}✗${N} ${name}  ${R}${msg}${N}`);
+}
+function header(s) { console.log(`\n${C}${B}${s}${N}`); }
+
+const ROOT = path.resolve(__dirname, "..");
+const modulePath = path.join(ROOT, "dist", "src", "engine", "session", "leaked_tool_call.js");
+
+if (!fs.existsSync(modulePath)) {
+  console.error(`${R}Compiled module not found at ${modulePath}.${N}`);
+  console.error(`Run \`npm run build\` first.`);
+  process.exit(1);
+}
+
+const {
+  extractLeakedToolCall,
+  parseLeakedBody,
+  parseKwargs,
+  parseLooseObject,
+} = require(modulePath);
+
+// ─── Tests: gemma-style markers ───────────────────────────────────────────────
+
+header("[1] Gemma-style leaked calls (the user's exact bug)");
+
+(() => {
+  const text = `I'll create the file.\n<|tool_call>call:edit{file_path:<|"|>medieval_market.bone<|"|>}<tool_call|>\nDone.`;
+  const r = extractLeakedToolCall(text);
+  if (r && r.toolName === "edit" && r.toolInput.file_path === "medieval_market.bone") {
+    ok("gemma <|tool_call>call:name{...}<tool_call|>", `→ edit(file_path="${r.toolInput.file_path}")`);
+  } else {
+    fail("gemma exact bug", JSON.stringify(r));
+  }
+})();
+
+(() => {
+  const text = `<|tool_call|>{"name":"write","arguments":{"path":"foo.ts","content":"hello"}}<|/tool_call|>`;
+  const r = extractLeakedToolCall(text);
+  if (r && r.toolName === "write" && r.toolInput.path === "foo.ts" && r.toolInput.content === "hello") {
+    ok("gemma <|tool_call|>{json}<|/tool_call|>");
+  } else {
+    fail("gemma JSON form", JSON.stringify(r));
+  }
+})();
+
+// ─── Tests: qwen-style markers ────────────────────────────────────────────────
+
+header("[2] Qwen-style leaked calls");
+
+(() => {
+  const text = `<tool_call>{"name":"bash","arguments":{"command":"ls -la"}}</tool_call>`;
+  const r = extractLeakedToolCall(text);
+  if (r && r.toolName === "bash" && r.toolInput.command === "ls -la") {
+    ok("<tool_call>{json}</tool_call>");
+  } else {
+    fail("qwen", JSON.stringify(r));
+  }
+})();
+
+(() => {
+  const text = `<tool_call>{"tool":"read","args":{"path":"src/main.ts"}}</tool_call>`;
+  const r = extractLeakedToolCall(text);
+  if (r && r.toolName === "read" && r.toolInput.path === "src/main.ts") {
+    ok("<tool_call>{tool: ..., args: ...}</tool_call>");
+  } else {
+    fail("qwen alt keys", JSON.stringify(r));
+  }
+})();
+
+// ─── Tests: llama3-style python_tag ───────────────────────────────────────────
+
+header("[3] llama3-style <|python_tag|>");
+
+(() => {
+  const text = `<|python_tag|>write({"path":"x.txt","content":"y"})<|/python_tag|>`;
+  const r = extractLeakedToolCall(text);
+  if (r && r.toolName === "write" && r.toolInput.path === "x.txt" && r.toolInput.content === "y") {
+    ok("llama3 python_tag with JSON arg");
+  } else {
+    fail("llama3", JSON.stringify(r));
+  }
+})();
+
+// ─── Tests: function-call kwargs ──────────────────────────────────────────────
+
+header("[4] Function-call kwargs syntax");
+
+(() => {
+  const args = parseKwargs(`path="foo.ts", content="hello world"`);
+  if (args && args.path === "foo.ts" && args.content === "hello world") ok("string kwargs");
+  else fail("string kwargs", JSON.stringify(args));
+})();
+
+(() => {
+  const args = parseKwargs(`count=42, ratio=3.14, enabled=true, missing=null`);
+  if (args && args.count === 42 && args.ratio === 3.14 && args.enabled === true && args.missing === null) {
+    ok("typed kwargs (number, float, bool, null)");
+  } else {
+    fail("typed kwargs", JSON.stringify(args));
+  }
+})();
+
+(() => {
+  const args = parseKwargs(`file_path=<|"|>medieval_market.bone<|"|>`);
+  if (args && args.file_path === "medieval_market.bone") ok(`<|"|> escapes are stripped`);
+  else fail("escape markers", JSON.stringify(args));
+})();
+
+// ─── Tests: loose-object form ─────────────────────────────────────────────────
+
+header("[5] Loose-object form (pseudo-JSON)");
+
+(() => {
+  const o = parseLooseObject(`file_path:"foo.bone", count:3`);
+  if (o && o.file_path === "foo.bone" && o.count === 3) ok("colon-separated loose object");
+  else fail("loose object", JSON.stringify(o));
+})();
+
+// ─── Tests: fenced tool_code ──────────────────────────────────────────────────
+
+header("[6] Fenced tool_code blocks");
+
+(() => {
+  const text = "Some prose\n```tool_code\nwrite(path=\"x\", content=\"y\")\n```\nMore prose.";
+  const r = extractLeakedToolCall(text);
+  if (r && r.toolName === "write" && r.toolInput.path === "x" && r.toolInput.content === "y") {
+    ok("```tool_code\\nname(args)\\n```");
+  } else {
+    fail("fenced tool_code", JSON.stringify(r));
+  }
+})();
+
+// ─── Tests: false-positives ───────────────────────────────────────────────────
+
+header("[7] No false-positives on plain text");
+
+const cleanCases = [
+  "I'll create a file called foo.bone now.",
+  "Use the `write` tool to save the file.",
+  "Here's how you'd do it: write(path, content) — but that's pseudocode.",
+  "<not_a_tool_call>just text</not_a_tool_call>",
+  "",
+  "<tool_call></tool_call>",
+];
+for (const c of cleanCases) {
+  const r = extractLeakedToolCall(c);
+  if (r === null) ok(`clean: "${c.slice(0, 50)}..."`);
+  else fail(`false positive`, `"${c}" → ${JSON.stringify(r)}`);
+}
+
+// ─── Tests: stripping positions ───────────────────────────────────────────────
+
+header("[8] startIndex/endIndex enable text stripping");
+
+(() => {
+  const text = `Before <|tool_call|>{"name":"write","arguments":{}}<|/tool_call|> after`;
+  const r = extractLeakedToolCall(text);
+  if (!r) {
+    fail("strip positions", "no match");
+  } else {
+    const stripped = text.slice(0, r.startIndex) + text.slice(r.endIndex);
+    if (stripped === "Before  after") ok("text stripped cleanly", `"${stripped}"`);
+    else fail("strip", `got "${stripped}"`);
+  }
+})();
+
+// ─── Tests: build mode trigger detection ──────────────────────────────────────
+
+header("[9] isBuildPrompt covers the previously-missed prompts");
+
+const bmModulePath = path.join(ROOT, "dist", "src", "engine", "session", "build_mode.js");
+if (!fs.existsSync(bmModulePath)) {
+  fail("build_mode module", "compiled file missing");
+} else {
+  const { isBuildPrompt } = require(bmModulePath);
+
+  const newCases = [
+    // The exact prompt that previously failed in the user's session
+    "using BoneScript as the backend, write a python 2d mideveal copper silver gold platinum transaction market simulation",
+    "with bonescript, build a chat app",
+    "in BoneScript, design a multi-tenant CRM",
+    "BoneScript backend for a music streaming service",
+    "write me a REST API for a todo list",
+    "develop a graphql api for users",
+    "scaffold a web application with auth",
+  ];
+  for (const p of newCases) {
+    if (isBuildPrompt(p)) ok(`triggers: "${p.slice(0, 60)}..."`);
+    else fail(`missed`, p);
+  }
+
+  const negative = [
+    "what does this function do",
+    "explain the difference between let and const",
+    "fix the typo on line 5",
+  ];
+  for (const p of negative) {
+    if (!isBuildPrompt(p)) ok(`not triggered: "${p}"`);
+    else fail(`over-matched`, p);
+  }
+}
+
+// ─── Tests: parseLeakedBody handles edge cases ────────────────────────────────
+
+header("[10] parseLeakedBody edge cases");
+
+(() => {
+  const r = parseLeakedBody("");
+  if (r === null) ok("empty body returns null");
+  else fail("empty", JSON.stringify(r));
+})();
+
+(() => {
+  const r = parseLeakedBody("not a tool call at all");
+  if (r === null) ok("garbage body returns null");
+  else fail("garbage", JSON.stringify(r));
+})();
+
+(() => {
+  // Function call with JSON arg
+  const r = parseLeakedBody('write({"path": "a.txt", "content": "b"})');
+  if (r && r.toolName === "write" && r.toolInput.path === "a.txt" && r.toolInput.content === "b") {
+    ok("function with JSON arg");
+  } else {
+    fail("function JSON arg", JSON.stringify(r));
+  }
+})();
+
+console.log();
+if (failed === 0) {
+  console.log(`${G}${B}✓ All ${passed} tests passed${N}`);
+  process.exit(0);
+} else {
+  console.log(`${R}${B}✗ ${failed} failed, ${passed} passed${N}`);
+  for (const f of failures) console.log(`  ${R}- ${f}${N}`);
+  process.exit(1);
+}

package/src/engine/session/build_mode.ts

@@ -887,9 +887,20 @@ export function isBuildPrompt(prompt: string): boolean {
     /\bmake\s+(?:a|an|the)\s+(?:full|complete|whole|new)\b/,
     /\bproject\s+(?:from\s+scratch|to)\b/,
     /\bsimulation\s+(?:with|using|of)\b/,
-    /\bbackend\s+(?:for|with|using)\b/,
+    /\bbackend\s+(?:for|with|using|service)\b/,
     /\bspec(?:ification)?\s+(?:for|of)\b/,
     /\bend[- ]to[- ]end\b/,
+    // Verb-led "write/build/code/develop" requests with a noun follow
+    /\b(?:write|code|develop|generate|scaffold)\s+(?:me\s+)?(?:a|an|the)\s+\w+/,
+    // BoneScript-specific phrases — if they say bonescript at all, treat as build
+    /\busing\s+bonescript\b/,
+    /\bwith\s+bonescript\b/,
+    /\bin\s+bonescript\b/,
+    /\bbonescript\s+(?:as|for|backend)\b/,
+    // Generic "<adjective> <noun-app>" patterns indicating a system request
+    /\b(?:rest|graphql)\s+api\b/,
+    /\bweb\s+app(?:lication)?\b/,
+    /\bgame\s+(?:simulation|engine|server)\b/,
   ];
   return triggers.some((re) => re.test(p));
 }

package/src/engine/session/leaked_tool_call.ts

@@ -0,0 +1,166 @@
+/**
+ * Pure, side-effect-free parser for leaked tool-call markers.
+ *
+ * Some local models (gemma, qwen, llama variants) emit their internal
+ * tool-call markers as raw text instead of producing structured tool_call
+ * events. The AI SDK's parser misses these, so the model's prose appears in
+ * the output but no tool ever runs.
+ *
+ * This module recovers the intended call by pattern-matching the leaked text.
+ * No DB, no network, no global state — pure functions only, fully testable.
+ *
+ * Patterns recognized (across multiple template formats):
+ *   <|tool_call|>{"name":"write","arguments":{...}}<|/tool_call|>
+ *   <|tool_call>name:write{...args...}<tool_call|>
+ *   <tool_call>{"name":"write","arguments":{...}}</tool_call>
+ *   <function_call>{"name":"write","arguments":{...}}</function_call>
+ *   ```tool_code\nwrite(path="x", content="y")\n```
+ *   <|python_tag|>write({"path": "x"})<|/python_tag|>
+ */
+
+export interface LeakedToolCall {
+  toolName: string;
+  toolInput: Record<string, any>;
+  startIndex: number;
+  endIndex: number;
+}
+
+export function extractLeakedToolCall(text: string): LeakedToolCall | null {
+  // Pattern 1: <|tool_call|>...<|/tool_call|> or <tool_call>...</tool_call>
+  const blockPatterns = [
+    /<\|tool_call\|?>([\s\S]*?)<\|?\/?tool_call\|?>/i,
+    /<tool_call>([\s\S]*?)<\/?tool_call>/i,
+    /<function_call>([\s\S]*?)<\/?function_call>/i,
+    /<\|python_tag\|>([\s\S]*?)<\|?\/?python_tag\|?>/i,
+  ];
+  for (const re of blockPatterns) {
+    const m = text.match(re);
+    if (!m || m.index === undefined) continue;
+    const body = m[1];
+    const parsed = parseLeakedBody(body);
+    if (parsed) {
+      return { ...parsed, startIndex: m.index, endIndex: m.index + m[0].length };
+    }
+  }
+
+  // Pattern 2: ```tool_code ... ```
+  const codeBlock = text.match(/```(?:tool_code|tool_call|function|python)\s*\n([\s\S]*?)\n```/i);
+  if (codeBlock && codeBlock.index !== undefined) {
+    const parsed = parseLeakedBody(codeBlock[1]);
+    if (parsed) {
+      return { ...parsed, startIndex: codeBlock.index, endIndex: codeBlock.index + codeBlock[0].length };
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Parse the body of a leaked tool-call block. Tries multiple formats:
+ *   - JSON: {"name": "write", "arguments": {...}} or {"tool":"write","args":{...}}
+ *   - Function-call style: write(path="x", content="y")
+ *   - Pseudo-syntax: call:write{path:"x"}
+ */
+export function parseLeakedBody(body: string): { toolName: string; toolInput: Record<string, any> } | null {
+  if (!body) return null;
+  const trimmed = body.trim();
+
+  // Try JSON first
+  try {
+    const json = JSON.parse(trimmed);
+    if (json && typeof json === "object") {
+      const name = json.name || json.tool || json.tool_name || json.function;
+      const args = json.arguments || json.args || json.parameters || json.input || {};
+      if (typeof name === "string" && name.length > 0) {
+        const parsedArgs = typeof args === "string" ? safeParseJson(args) : args;
+        return { toolName: name, toolInput: parsedArgs ?? {} };
+      }
+    }
+  } catch {}
+
+  // Try function-call style: name(arg1=val1, arg2="val2")
+  const fnMatch = trimmed.match(/^([a-zA-Z_][\w]*)\s*\(([\s\S]*)\)\s*$/);
+  if (fnMatch) {
+    const toolName = fnMatch[1];
+    const argsStr = fnMatch[2];
+    // Try JSON-shaped arg first: write({"path": "x"})
+    const innerJson = safeParseJson(argsStr);
+    if (innerJson && typeof innerJson === "object" && !Array.isArray(innerJson)) {
+      return { toolName, toolInput: innerJson };
+    }
+    const toolInput = parseKwargs(argsStr);
+    if (toolInput) return { toolName, toolInput };
+  }
+
+  // Try pseudo-syntax: call:name{key:"val", ...} or name:foo{...}
+  const callMatch = trimmed.match(/(?:call:|name:|tool:|function:)([a-zA-Z_][\w]*)\s*\{([\s\S]*)\}\s*/i);
+  if (callMatch) {
+    const toolName = callMatch[1];
+    const innerJson = "{" + callMatch[2] + "}";
+    const toolInput = safeParseJson(innerJson) || parseLooseObject(callMatch[2]);
+    if (toolInput) return { toolName, toolInput };
+  }
+
+  return null;
+}
+
+export function safeParseJson(s: string): any | null {
+  try {
+    return JSON.parse(s);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Parse Python-style kwargs from a function-call body:
+ *   path="x", content="y", count=42
+ * Strips `<|"|>` style escape markers some templates inject.
+ */
+export function parseKwargs(s: string): Record<string, any> | null {
+  if (!s.trim()) return {};
+  const cleaned = s.replace(/<\|"\|>/g, '"').replace(/<\|'\|>/g, "'");
+  const result: Record<string, any> = {};
+  const re = /([a-zA-Z_][\w]*)\s*=\s*("([^"\\]|\\.)*"|'([^'\\]|\\.)*'|-?\d+(?:\.\d+)?|true|false|null)/g;
+  let m: RegExpExecArray | null;
+  let matched = false;
+  while ((m = re.exec(cleaned)) !== null) {
+    matched = true;
+    const key = m[1];
+    const raw = m[2];
+    let value: any = raw;
+    if (raw === "true") value = true;
+    else if (raw === "false") value = false;
+    else if (raw === "null") value = null;
+    else if (/^-?\d/.test(raw)) value = parseFloat(raw);
+    else value = raw.slice(1, -1).replace(/\\(.)/g, "$1");
+    result[key] = value;
+  }
+  return matched ? result : null;
+}
+
+/**
+ * Parse a loose key:value object body (no surrounding braces, no enforced
+ * JSON quoting). Used for pseudo-syntax fallbacks like:
+ *   file_path:<|"|>medieval_market.bone<|"|>
+ */
+export function parseLooseObject(s: string): Record<string, any> | null {
+  const cleaned = s.replace(/<\|"\|>/g, '"').replace(/<\|'\|>/g, "'");
+  const result: Record<string, any> = {};
+  const re = /([a-zA-Z_][\w]*)\s*[:=]\s*("([^"\\]|\\.)*"|'([^'\\]|\\.)*'|-?\d+(?:\.\d+)?|true|false|null|[^\s,}]+)/g;
+  let m: RegExpExecArray | null;
+  let matched = false;
+  while ((m = re.exec(cleaned)) !== null) {
+    matched = true;
+    const key = m[1];
+    const raw = m[2];
+    let value: any = raw;
+    if (raw === "true") value = true;
+    else if (raw === "false") value = false;
+    else if (raw === "null") value = null;
+    else if (/^-?\d/.test(raw)) value = parseFloat(raw);
+    else if (raw.startsWith('"') || raw.startsWith("'")) value = raw.slice(1, -1).replace(/\\(.)/g, "$1");
+    result[key] = value;
+  }
+  return matched ? result : null;
+}

package/src/engine/session/prompt.ts

@@ -42,6 +42,7 @@ import { buildCompactionSummary } from "./compaction_logic";
 import { getSystemPrompt } from "./system_prompt";
 import { loadInstructionFiles } from "./instruction_loader";
 import { buildToolRegistry } from "./tool_registry";
+import { extractLeakedToolCall } from "./leaked_tool_call";
 
 // ─── Types ────────────────────────────────────────────────────────────────────
 
@@ -349,6 +350,36 @@ async function streamOnce(ctx: {
         }
 
         currentTextContent += text;
+
+        // Detect models leaking their internal tool-call markers as raw text
+        // (gemma, qwen, llama variants do this when the tokenizer template
+        // doesn't match the AI SDK's expected format). When we find a complete
+        // leaked call, synthesize a real tool execution.
+        const leak = extractLeakedToolCall(currentTextContent);
+        if (leak) {
+          // Strip the leaked markers from the displayed text part
+          currentTextContent = currentTextContent.slice(0, leak.startIndex) +
+            currentTextContent.slice(leak.endIndex);
+          await pool.query(
+            `UPDATE parts SET data = $2, updated_at = NOW() WHERE id = $1`,
+            [currentTextPartId, JSON.stringify({ text: currentTextContent })]
+          );
+
+          // Execute the synthesized tool call directly via the registry
+          await executeSynthesizedToolCall({
+            session_id,
+            agentId: ctx.agentId,
+            assistantMsgId,
+            toolName: leak.toolName,
+            toolInput: leak.toolInput,
+            tools,
+          });
+
+          // Mark the turn as having tool calls so the loop continues
+          hasToolCalls = true;
+          break;
+        }
+
         // Broadcast delta to WebSocket part_stream for live streaming
         broadcastToChannel("part_stream", {
           type: "part.delta",
@@ -837,3 +868,122 @@ function supportsTools(model_id: string): boolean {
   // Default: try with tools, fall back gracefully on error
   return true;
 }
+
+// ─── Synthesized tool-call execution ──────────────────────────────────────────
+
+/**
+ * Execute a synthesized tool call when we detect a leak. Mirrors the work the
+ * AI SDK would normally do: insert a tool_invocation part, broadcast events,
+ * run the registered tool's execute() function.
+ */
+async function executeSynthesizedToolCall(input: {
+  session_id: string;
+  agentId: string;
+  assistantMsgId: string;
+  toolName: string;
+  toolInput: Record<string, any>;
+  tools: Record<string, any>;
+}): Promise<void> {
+  const { session_id, agentId, assistantMsgId, toolName, toolInput, tools } = input;
+
+  // Map common aliases (write_file → write, edit_file → edit, etc.)
+  const aliases: Record<string, string> = {
+    write_file: "write",
+    edit_file: "edit",
+    read_file: "read",
+    run_command: "bash",
+    shell: "bash",
+    search_files: "grep",
+  };
+  const resolvedName = aliases[toolName] || toolName;
+  const tool = tools[resolvedName];
+  if (!tool || !tool.execute) {
+    logger.warn("synthesized_tool_unknown", { event: "leak", metadata: { toolName, resolvedName } });
+    return;
+  }
+
+  const callId = uuid();
+  // Persist the tool call record
+  try {
+    await pool.query(
+      `INSERT INTO tool_calls (id, session_id, agent_id, tool_name, tool_input, state) VALUES ($1, $2, $3, $4, $5, 'running')`,
+      [callId, session_id, agentId, resolvedName, JSON.stringify(toolInput)]
+    );
+  } catch {}
+
+  // Broadcast tool.requested so the TUI shows "← Edit foo.bone"
+  broadcastToChannel("part_stream", {
+    type: "tool.requested",
+    session_id,
+    tool_call_id: callId,
+    tool_name: resolvedName,
+    tool_input: toolInput,
+  });
+
+  // Persist as a tool_invocation part on the assistant message
+  const partId = uuid();
+  await pool.query(
+    `INSERT INTO parts (id, message_id, session_id, part_type, data, order_index) VALUES ($1, $2, $3, 'tool_invocation', $4, 0)`,
+    [partId, assistantMsgId, session_id, JSON.stringify({ tool_call_id: callId, tool_name: resolvedName, args: toolInput, state: "running" })]
+  );
+
+  // Run the actual tool — emit ToolCallRequested so the same machinery as a
+  // real tool call kicks in.
+  await eventBus.publish("ToolCallRequested", {
+    tool_call_id: callId,
+    session_id,
+    agent_id: agentId,
+    tool_name: resolvedName,
+    tool_input: toolInput,
+    requested_at: new Date().toISOString(),
+  }, "AgentLoop").catch(() => {});
+
+  const startMs = Date.now();
+  let success = true;
+  let output = "";
+  try {
+    const result = await tool.execute(toolInput, { toolCallId: callId });
+    output = typeof result === "string" ? result : (result?.output || "");
+  } catch (e: any) {
+    success = false;
+    output = e?.message || "tool execution failed";
+  }
+
+  // Update the part with the result
+  const durationMs = Date.now() - startMs;
+  try {
+    await pool.query(
+      `UPDATE parts SET data = $2, updated_at = NOW() WHERE id = $1`,
+      [partId, JSON.stringify({
+        tool_call_id: callId,
+        tool_name: resolvedName,
+        args: toolInput,
+        state: success ? "done" : "failed",
+        output,
+      })]
+    );
+    await pool.query(
+      `UPDATE tool_calls SET state = $2, tool_output = $3, duration_ms = $4, updated_at = NOW() WHERE id = $1`,
+      [callId, success ? "done" : "failed", JSON.stringify({ output }), durationMs]
+    );
+  } catch {}
+
+  // Broadcast completion
+  broadcastToChannel("part_stream", {
+    type: success ? "tool.completed" : "tool.failed",
+    session_id,
+    tool_call_id: callId,
+    tool_name: resolvedName,
+    tool_input: toolInput,
+    duration_ms: durationMs,
+    ...(success ? {} : { error: output }),
+  });
+
+  await eventBus.publish("ToolCallCompleted", {
+    tool_call_id: callId,
+    session_id,
+    tool_name: resolvedName,
+    duration_ms: durationMs,
+    completed_at: new Date().toISOString(),
+  }, "AgentLoop").catch(() => {});
+}