create-walle 0.9.21 → 0.9.22

package/template/claude-task-manager/session-integrity.js

@@ -1277,12 +1277,16 @@ function repairSafeRelinkSwaps(db, auditResult = null) {
         const projectA = rowA.project_path || stA.cwd || ctmRowA.cwd || '';
         const projectB = rowB.project_path || stB.cwd || ctmRowB.cwd || '';
         _updateColumns(db, 'startup_tasks', 'ctm_session_id', ctmA, {
+          agent_session_id: desiredA,
+          claude_session_id: desiredA,
           agent_project_dir: _dirForJsonl(rowA.jsonl_path),
           claude_project_dir: _dirForJsonl(rowA.jsonl_path),
           cwd: projectA,
           worktree_path: /\/\.(?:claude|walle)\/worktrees\//.test(projectA) ? projectA : null,
         });
         _updateColumns(db, 'startup_tasks', 'ctm_session_id', ctmB, {
+          agent_session_id: desiredB,
+          claude_session_id: desiredB,
           agent_project_dir: _dirForJsonl(rowB.jsonl_path),
           claude_project_dir: _dirForJsonl(rowB.jsonl_path),
           cwd: projectB,

package/template/docs/designs/2026-05-17-portkey-gateway-provider-ux.md

@@ -1,7 +1,8 @@
 # Portkey Gateway Provider UX
 
 Date: 2026-05-17
-Status: implemented
+Updated: 2026-05-20
+Status: revised and implemented
 
 ## Context
 
@@ -14,16 +15,46 @@ Wall-E already has two separate ideas that should not be collapsed:
 
 Portkey belongs on a third axis: **connection / transport**. A provider instance can be "OpenAI via Portkey" or "Anthropic via Portkey" while still using the OpenAI or Anthropic runtime adapter.
 
-## UX Model
+## Research Notes
+
+Portkey's current public docs support the implementation shape:
+
+- The OpenAI-compatible setup is still "change base URL to `https://api.portkey.ai/v1` and use a Portkey API key".
+- The universal API supports OpenAI Chat Completions, OpenAI Responses, and Anthropic Messages against the gateway, so Portkey should be modeled as transport rather than as a standalone upstream provider.
+- The model listing endpoint is `GET /v1/models`, requires `x-portkey-api-key`, and can filter by `provider`/`ai_service`. Its response includes provider-qualified ids such as `@ai-provider-slug/gpt-5`, which CTM must preserve instead of filtering through the built-in catalog.
+
+## Revised UX Model
 
 The `#models` page should use this vocabulary:
 
-- **Provider**: upstream API/runtime family. Examples: OpenAI, Anthropic, Google Gemini.
+- **Provider**: upstream API/runtime family. Examples: OpenAI, Anthropic, Google Gemini. Provider cards are the primary overview because CTM has few provider families.
 - **Connection**: how requests reach the provider. Examples: Direct API key, Portkey gateway, Claude CLI subscription, Codex CLI subscription, OAuth proxy.
 - **Route**: a concrete model plus provider instance. Examples: `gpt-5.5 · OpenAI · Direct`, `gpt-5.5 · OpenAI · Portkey prod`.
+- **Gateway**: shared transport/account configuration that can be enabled per provider family. Portkey is the first gateway.
+- **Model Catalog**: the long model inventory underneath provider cards. It is collapsed by default because the provider view is the decision surface.
 
 This keeps the user from seeing Portkey as a competing "model provider" next to OpenAI and Anthropic. It also explains why a Claude model can be reachable through Portkey while Claude CLI remains a separate subscription-backed route.
 
+## 2026-05-20 Product Decision
+
+Portkey is enabled and disabled at the **provider** level, not the individual model level.
+
+The provider card owns the access policy:
+
+- `Auto`: prefer direct provider API when configured, otherwise use Portkey if the provider is gateway-only.
+- `Prefer Direct`: use direct provider API when available; fall back to Portkey only when direct access is absent.
+- `Prefer Portkey`: use the Portkey connection for that provider when available; fall back to direct only when no Portkey route exists.
+
+The Gateway section owns account-level operations:
+
+- connect/add a Portkey route
+- sync all Portkey model catalogs
+- apply Portkey to all providers with Portkey routes
+- disable Portkey as the default by returning provider policies to `Auto`
+- remove all Portkey gateway connections
+
+The Model Catalog remains an inspection surface. It shows imported/discovered models, capabilities, pricing, source, and verification status, but the default access decision belongs on provider cards.
+
 ## `#models` Page Behavior
 
 ### Provider Cards
@@ -53,6 +84,32 @@ Each saved provider instance should display a compact connection chip:
 
 The chip is metadata, not the provider type.
 
+Each cloud provider card also exposes an **Access Route** control:
+
+- `Use Portkey` when a Portkey route exists for that provider.
+- `Prefer Direct` for direct-first routing.
+- `Auto` for direct-first with gateway fallback.
+- `Enable Portkey` when the provider has no Portkey route yet.
+
+This gives users a discoverable per-provider control without forcing route choices across hundreds of model rows.
+
+### Gateway Section
+
+The Models page includes a first-class **Gateways** section above provider cards.
+
+The Portkey gateway card displays:
+
+- configured provider route count
+- imported model count
+- last successful sync or last sync error
+- `Connect Portkey` / `Add Route`
+- `Sync now`
+- `Apply to all providers`
+- `Disable as default`
+- `Remove`
+
+Portkey model discovery runs hourly in the Wall-E daemon, runs on startup after the daemon is listening, and can be triggered manually from `Sync now`. Sync must import raw Portkey model ids, including model ids not present in CTM's built-in supported-model catalog.
+
 ### Add Provider Dialog
 
 The dialog should ask for upstream first, then connection:
@@ -72,6 +129,8 @@ Advanced custom headers can still exist, but common Portkey fields should not re
 
 ### Model List
 
+The Model Catalog section is collapsed by default. Searching models expands the catalog so search results remain visible.
+
 The model list should show duplicate model ids as separate routes only when necessary:
 
 - If a model exists once, show `GPT-5.5` with a subtle `OpenAI · Direct` chip.
@@ -81,13 +140,23 @@ The model list should show duplicate model ids as separate routes only when nece
 
 The saved value should prefer `model_registry.id`, not only the bare model id.
 
+Gateway-discovered model rows use:
+
+- `source = portkey`
+- `gateway_type = portkey`
+- `verification_status = verified` only when CTM's built-in catalog recognizes the model id; otherwise `unverified`
+- `last_seen_at` from the latest Portkey sync
+
+Catalog pruning must not delete gateway-discovered rows just because CTM's built-in catalog does not know the id yet.
+
 ## Conflict Rules
 
 1. Exact `model_registry.id` wins.
-2. Provider-instance defaults win over provider-type defaults.
-3. If a bare model id maps to exactly one enabled route, it is safe to resolve.
-4. If a bare model id maps to multiple enabled routes, use the explicit default route if one exists; otherwise return an ambiguity error that names the available routes.
-5. Never select the newest provider row as a silent tie-breaker when direct and Portkey routes share the same model id.
+2. Explicit task/model defaults win over provider route policy.
+3. Provider route policy resolves duplicate direct and Portkey rows for the same provider family.
+4. If a bare model id maps to exactly one enabled route, it is safe to resolve.
+5. If a bare model id maps to multiple enabled routes and provider route policy cannot disambiguate, return an ambiguity error that names the available routes.
+6. Never select the newest provider row as a silent tie-breaker when direct and Portkey routes share the same model id.
 
 ## Implementation Phases
 
@@ -117,38 +186,20 @@ Document the UX and routing model, including the `#models` page behavior and dup
 
 ## Verification Results
 
-Phase 4 used an isolated CTM instance instead of the existing primary server on port 3456:
-
-- CTM: `https://localhost:3466/?token=...#models`
-- Wall-E: `127.0.0.1:3467`
-- Data dir: `/tmp/ctm-portkey-test`
-- Mock Portkey gateway: `http://127.0.0.1:4577/v1`
-
-The seeded real-life scenario used two OpenAI connections with the same model id:
-
-- `openai-default:gpt-4o-mini` as direct OpenAI.
-- `openai-portkey-prod:gpt-4o-mini` as OpenAI via Portkey.
-
-The CTM `test-connection` route sent a live `GET /v1/models` request through Wall-E's OpenAI adapter to the mock gateway. The mock observed:
-
-- `Authorization: Bearer unit-portkey-key`
-- `x-portkey-config: cfg-prod`
-- `x-portkey-provider: openai`
-
-The browser verification captured desktop and mobile screenshots in `/tmp/portkey-models-desktop.png` and `/tmp/portkey-models-mobile.png`. It checked:
-
-- Duplicate direct and Portkey OpenAI routes render as separate connections.
-- Portkey route details show `config cfg-prod`.
-- Header `+ Add Provider` keeps the Provider selector visible.
-- Portkey mode exposes gateway fields and labels the key as `Portkey API Key`.
-- Anthropic defaults to `https://api.portkey.ai`; OpenAI defaults to `https://api.portkey.ai/v1`.
-- The Portkey provider-slug placeholder follows the selected provider.
-- The Portkey dialog itself fits a 390px mobile viewport.
+The implemented provider-level gateway path is covered by:
 
-The mobile pass also observed an existing `#models` page horizontal overflow before the dialog opens, caused by the top bar and tier matrix. That is separate from the Portkey dialog and should be handled as a follow-up page-wide mobile layout pass.
+- Portkey sync tests that import unknown gateway model ids, mark CTM-known ids as `verified`, mark unknown ids as `unverified`, and prove catalog pruning preserves `source = portkey` rows.
+- Provider route-policy tests that prefer Portkey or direct connections per provider and fall back when the requested route is unavailable.
+- Chat routing tests that resolve duplicate direct/Portkey bare model ids using the provider policy instead of raising avoidable ambiguity.
+- Model admin HTTP tests for gateway summaries and provider route policy updates.
+- Static UI tests for the Gateway section, provider Access Route controls, and collapsed-by-default Model Catalog.
+- Playwright render tests for the Models page gateway card, provider route buttons, collapsed catalog expansion, and provider policy POST behavior.
+- Full CTM regression tests.
 
 ## References
 
 - https://portkey.ai/docs/integrations/libraries/openai-compatible
+- https://portkey.ai/docs/api-reference/inference-api/models/models
+- https://portkey.ai/docs/product/ai-gateway/universal-api
 - https://portkey.ai/docs/integrations/libraries/claude-code
 - https://portkey.ai/docs/integrations/libraries/codex

package/template/package.json

@@ -1,6 +1,6 @@
 {
   "name": "walle",
-  "version": "0.9.21",
+  "version": "0.9.22",
   "private": true,
   "description": "Wall-E — your personal digital twin",
   "scripts": {

package/template/wall-e/api-walle.js

@@ -1430,8 +1430,19 @@ function handleWalleApi(req, res, url) {
   if (p === '/api/wall-e/alerts' && m === 'GET') {
     try {
       const { getServiceAlerts } = require('./skills/skill-planner');
+      const { buildServiceHealth } = require('./lib/service-health');
       const alerts = getServiceAlerts({ includeVersionUpdate: true });
-      return jsonResponse(res, { alerts }), true;
+      let activeProvider = process.env.WALLE_PROVIDER || '';
+      let activeModel = process.env.WALLE_MODEL || '';
+      try {
+        activeProvider = brain?.getKv?.('walle_provider') || activeProvider;
+        activeModel = brain?.getKv?.('walle_model') || activeModel;
+      } catch {}
+      const summary = buildServiceHealth(alerts, {
+        activeProvider,
+        activeModel,
+      });
+      return jsonResponse(res, { alerts, summary }), true;
     } catch (e) {
       return jsonResponse(res, { alerts: [], error: e.message }), true;
     }
@@ -2323,9 +2334,15 @@ function handleWalleApi(req, res, url) {
     if (!hasApiKey && (walleProvider === 'ollama' || walleProvider === 'mlx')) hasApiKey = true;
 
     let serviceAlerts = [];
+    let serviceAlertSummary = null;
     try {
       const { getServiceAlerts } = require('./skills/skill-planner');
+      const { buildServiceHealth } = require('./lib/service-health');
       serviceAlerts = getServiceAlerts({ includeVersionUpdate: true });
+      serviceAlertSummary = buildServiceHealth(serviceAlerts, {
+        activeProvider: walleProvider,
+        activeModel: walleModel,
+      });
     } catch {}
 
     let slackSocketMode = null;
@@ -2350,6 +2367,7 @@ function handleWalleApi(req, res, url) {
         walle_model: walleModel,
         has_api_key: hasApiKey,
         service_alerts: serviceAlerts,
+        service_alert_summary: serviceAlertSummary,
         slack_socket_mode: slackSocketMode,
       }
     }), true;

package/template/wall-e/brain.js

@@ -9,6 +9,7 @@ const { createWriteAuditLog } = require('./db/write-audit');
 const { inferProviderFromModel, normalizeEvalProvider } = require('./eval/provider-normalizer');
 const { capabilitiesForOllamaModel } = require('./llm/ollama');
 const { findSupportedModel, supportedModelIdsForProvider } = require('./llm/supported-models');
+const { isPortkeyProviderConfig } = require('./llm/portkey');
 const _brainEvents = new EventEmitter();
 _brainEvents.setMaxListeners(20);
 let _stripNoise;
@@ -37,7 +38,7 @@ let currentDbPath = null;
 let _daemonOwned = false; // When true, closeDb() is a no-op (daemon manages lifecycle)
 
 // --- Schema versioning via PRAGMA user_version ---
-const SCHEMA_VERSION = 14; // Bump on every migration addition
+const SCHEMA_VERSION = 15; // Bump on every migration addition
 
 const MIGRATIONS = {
   1: (d) => {
@@ -365,6 +366,19 @@ const MIGRATIONS = {
         ON channel_message_events(delivery_id);
     `);
   },
+  15: (d) => {
+    const addCol = (table, col, type) => {
+      try { d.prepare(`SELECT ${col} FROM ${table} LIMIT 0`).run(); } catch (_) {
+        d.prepare(`ALTER TABLE ${table} ADD COLUMN ${col} ${type}`).run();
+      }
+    };
+    addCol('model_registry', 'source', "TEXT DEFAULT 'catalog'");
+    addCol('model_registry', 'verification_status', "TEXT DEFAULT 'verified'");
+    addCol('model_registry', 'last_seen_at', 'TEXT');
+    addCol('model_registry', 'gateway_type', 'TEXT');
+    d.prepare("UPDATE model_registry SET source = 'catalog' WHERE source IS NULL OR source = ''").run();
+    d.prepare("UPDATE model_registry SET verification_status = 'verified' WHERE verification_status IS NULL OR verification_status = ''").run();
+  },
 };
 
 // Schema invariants — columns/tables that MUST exist after the named migration.
@@ -382,6 +396,7 @@ const SCHEMA_INVARIANTS = [
   { migration: 9, table: 'agent_runner_evaluations', column: 'runner_id' },
   { migration: 10, table: 'eval_benchmark_runs', column: 'dataset_version' },
   { migration: 14, table: 'channel_message_events', column: 'channel' },
+  { migration: 15, table: 'model_registry', column: 'source' },
 ];
 
 function _columnExists(d, table, column) {
@@ -1071,6 +1086,10 @@ function createTables() {
       speed_tier INTEGER DEFAULT 3,
       enabled INTEGER DEFAULT 1,
       is_fine_tuned INTEGER DEFAULT 0,
+      source TEXT DEFAULT 'catalog',
+      verification_status TEXT DEFAULT 'verified',
+      last_seen_at TEXT,
+      gateway_type TEXT,
       UNIQUE(provider_id, model_id)
     );
 
@@ -3104,6 +3123,90 @@ function pruneSlackInboundEvents(ttlMs = 48 * 60 * 60 * 1000) {
 
 // -- Model Provider CRUD --
 
+const VALID_PROVIDER_ROUTE_POLICIES = new Set(['auto', 'direct', 'portkey']);
+
+function _modelProviderRoutePolicyKey(type) {
+  return `model_provider_route_policy:${String(type || '').trim().toLowerCase()}`;
+}
+
+function _modelProviderConnectionKind(row = {}) {
+  if (row.auth_method && row.auth_method !== 'api_key') return row.auth_method;
+  return isPortkeyProviderConfig({
+    baseUrl: row.base_url || row.baseUrl,
+    customHeaders: row.custom_headers || row.customHeaders,
+  }) ? 'portkey' : 'direct';
+}
+
+function _modelProviderHasCredential(row = {}) {
+  const type = row.type || row.provider_type;
+  if (!row) return false;
+  if (type === 'ollama' || type === 'mlx') return true;
+  if (row.auth_method && row.auth_method !== 'api_key') return true;
+  if (row.api_key_encrypted) return true;
+  if (type === 'anthropic' && process.env.ANTHROPIC_API_KEY) return true;
+  if (type === 'openai' && process.env.OPENAI_API_KEY) return true;
+  if (type === 'google' && (process.env.GOOGLE_API_KEY || process.env.GEMINI_API_KEY)) return true;
+  if (type === 'deepseek' && process.env.DEEPSEEK_API_KEY) return true;
+  if (type === 'moonshot' && process.env.MOONSHOT_API_KEY) return true;
+  return false;
+}
+
+function _modelProviderRouteRank(row = {}, policy = 'auto') {
+  const kind = _modelProviderConnectionKind(row);
+  const isPortkey = kind === 'portkey';
+  const hasCredential = _modelProviderHasCredential(row);
+  let policyRank = 50;
+  if (policy === 'portkey') policyRank = isPortkey ? 0 : 10;
+  else if (policy === 'direct') policyRank = isPortkey ? 10 : 0;
+  else policyRank = isPortkey ? 10 : 0;
+  const credentialRank = hasCredential ? 0 : 20;
+  const defaultRank = /-(default|auto)$/.test(String(row.id || '')) ? 0 : 2;
+  return policyRank + credentialRank + defaultRank;
+}
+
+function sortModelProvidersByRoutePolicy(rows = [], policy = 'auto') {
+  const normalizedPolicy = VALID_PROVIDER_ROUTE_POLICIES.has(policy) ? policy : 'auto';
+  return [...(rows || [])].sort((a, b) => {
+    const ar = _modelProviderRouteRank(a, normalizedPolicy);
+    const br = _modelProviderRouteRank(b, normalizedPolicy);
+    if (ar !== br) return ar - br;
+    const au = Date.parse(a.updated_at || '') || 0;
+    const bu = Date.parse(b.updated_at || '') || 0;
+    if (bu !== au) return bu - au;
+    return String(a.name || a.id || '').localeCompare(String(b.name || b.id || ''));
+  });
+}
+
+function setProviderRoutePolicy({ type, policy }) {
+  const providerType = String(type || '').trim().toLowerCase();
+  const routePolicy = String(policy || 'auto').trim().toLowerCase();
+  if (!providerType) throw new Error('Provider type required');
+  if (!VALID_PROVIDER_ROUTE_POLICIES.has(routePolicy)) {
+    throw new Error(`Invalid provider route policy: ${routePolicy}`);
+  }
+  setKv(_modelProviderRoutePolicyKey(providerType), routePolicy);
+  return { type: providerType, policy: routePolicy };
+}
+
+function getProviderRoutePolicy(type) {
+  const providerType = String(type || '').trim().toLowerCase();
+  if (!providerType) return 'auto';
+  const policy = getKv(_modelProviderRoutePolicyKey(providerType));
+  return VALID_PROVIDER_ROUTE_POLICIES.has(policy) ? policy : 'auto';
+}
+
+function getPreferredModelProviderForType(type) {
+  const providerType = String(type || '').trim().toLowerCase();
+  if (!providerType) return null;
+  const rows = getDb().prepare(`
+    SELECT *
+    FROM model_providers
+    WHERE type = ? AND enabled = 1
+  `).all(providerType);
+  if (!rows.length) return null;
+  return sortModelProvidersByRoutePolicy(rows, getProviderRoutePolicy(providerType))[0] || null;
+}
+
 function upsertModelProvider({ id, name, type, baseUrl, apiKeyEncrypted, customHeaders, enabled }) {
   if (!id || !name || !type) throw new Error('Provider requires id, name, type');
   getDb().prepare(`
@@ -3294,14 +3397,31 @@ function disableModelProviderByType(type) {
 
 // -- Model Registry CRUD --
 
-function upsertModelRegistryEntry({ id, providerId, modelId, displayName, capabilities, costPer1mInput, costPer1mOutput, maxContextTokens, maxOutputTokens, speedTier, enabled, isFineTuned }) {
+function upsertModelRegistryEntry({
+  id,
+  providerId,
+  modelId,
+  displayName,
+  capabilities,
+  costPer1mInput,
+  costPer1mOutput,
+  maxContextTokens,
+  maxOutputTokens,
+  speedTier,
+  enabled,
+  isFineTuned,
+  source,
+  verificationStatus,
+  lastSeenAt,
+  gatewayType,
+}) {
   if (!id || !providerId || !modelId || !displayName) throw new Error('Registry entry requires id, providerId, modelId, displayName');
   const caps = (Array.isArray(capabilities) || (capabilities && typeof capabilities === 'object'))
     ? JSON.stringify(capabilities)
     : (capabilities || '[]');
   getDb().prepare(`
-    INSERT INTO model_registry (id, provider_id, model_id, display_name, capabilities, cost_per_1m_input, cost_per_1m_output, max_context_tokens, max_output_tokens, speed_tier, enabled, is_fine_tuned)
-    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    INSERT INTO model_registry (id, provider_id, model_id, display_name, capabilities, cost_per_1m_input, cost_per_1m_output, max_context_tokens, max_output_tokens, speed_tier, enabled, is_fine_tuned, source, verification_status, last_seen_at, gateway_type)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
     ON CONFLICT(id) DO UPDATE SET
       provider_id = excluded.provider_id,
       model_id = excluded.model_id,
@@ -3313,8 +3433,29 @@ function upsertModelRegistryEntry({ id, providerId, modelId, displayName, capabi
       max_output_tokens = excluded.max_output_tokens,
       speed_tier = excluded.speed_tier,
       enabled = excluded.enabled,
-      is_fine_tuned = excluded.is_fine_tuned
-  `).run(id, providerId, modelId, displayName, caps, costPer1mInput || null, costPer1mOutput || null, maxContextTokens || null, maxOutputTokens || null, speedTier || 3, enabled !== undefined ? (enabled ? 1 : 0) : 1, isFineTuned ? 1 : 0);
+      is_fine_tuned = excluded.is_fine_tuned,
+      source = COALESCE(excluded.source, model_registry.source, 'catalog'),
+      verification_status = COALESCE(excluded.verification_status, model_registry.verification_status, 'verified'),
+      last_seen_at = COALESCE(excluded.last_seen_at, model_registry.last_seen_at),
+      gateway_type = COALESCE(excluded.gateway_type, model_registry.gateway_type)
+  `).run(
+    id,
+    providerId,
+    modelId,
+    displayName,
+    caps,
+    costPer1mInput || null,
+    costPer1mOutput || null,
+    maxContextTokens || null,
+    maxOutputTokens || null,
+    speedTier || 3,
+    enabled !== undefined ? (enabled ? 1 : 0) : 1,
+    isFineTuned ? 1 : 0,
+    source || null,
+    verificationStatus || null,
+    lastSeenAt || null,
+    gatewayType || null,
+  );
 }
 
 function getModelRegistryEntry(id) {
@@ -3684,6 +3825,7 @@ function pruneUnsupportedCloudModelRegistryRowsForDb(d, { dryRun = false } = {})
     JOIN model_providers mp ON mr.provider_id = mp.id
     WHERE mp.type IN ('anthropic', 'openai', 'google', 'deepseek', 'moonshot')
       AND COALESCE(mr.is_fine_tuned, 0) = 0
+      AND COALESCE(mr.source, 'catalog') IN ('catalog', 'builtin')
   `).all();
   const stale = rows.filter((row) => {
     const allowed = allowedByType.get(row.provider_type);
@@ -4626,6 +4768,10 @@ module.exports = {
   listModelProviders,
   listEnabledProviders,
   getProviderByType,
+  setProviderRoutePolicy,
+  getProviderRoutePolicy,
+  getPreferredModelProviderForType,
+  sortModelProvidersByRoutePolicy,
   setProviderAuthMethod,
   getProviderAuthMethod,
   saveSetupProvider,

package/template/wall-e/chat.js

@@ -112,6 +112,32 @@ function looksLikePrematureToolFollowupReply(text) {
   return concise && progressCue && (sequenceCue || executionVerb);
 }
 
+function _chatToolCallHistoryForActionGuard(toolCalls = []) {
+  return (toolCalls || [])
+    .map((call) => {
+      const name = call?.name || call?.tool || '';
+      if (!name) return null;
+      let inputHash = '';
+      try {
+        inputHash = JSON.stringify(call.input || call.args || {}).slice(0, 500);
+      } catch {
+        inputHash = String(call.input || call.args || '').slice(0, 500);
+      }
+      return { name, inputHash };
+    })
+    .filter(Boolean);
+}
+
+function _chatNoActionContinuation(args) {
+  try {
+    const { getNoActionContinuation } = require('./coding-orchestrator');
+    return getNoActionContinuation(args);
+  } catch (err) {
+    console.warn('[chat] Action completion guard unavailable:', err.message);
+    return null;
+  }
+}
+
 function _hasExplicitWeatherLocation(message) {
   const text = String(message || '').trim();
   if (!text) return false;
@@ -734,6 +760,20 @@ function _ambiguousModelRoute(input, rows, explicitProvider) {
   };
 }
 
+function _preferredRouteRowForBareModel(rows = [], explicitProvider) {
+  if (!rows.length) return null;
+  const type = explicitProvider || rows[0].provider_type;
+  const policy = (type && typeof brain.getProviderRoutePolicy === 'function')
+    ? brain.getProviderRoutePolicy(type)
+    : 'auto';
+  if (typeof brain.sortModelProvidersByRoutePolicy !== 'function') return null;
+  const sorted = brain.sortModelProvidersByRoutePolicy(
+    rows.map((row) => ({ ...row, type: row.provider_type || row.type })),
+    policy,
+  );
+  return sorted[0] || null;
+}
+
 function _createChatProvider(type, config = {}, opts = {}) {
   if (typeof opts.providerFactory === 'function') return opts.providerFactory(type, config);
   return createClient(type, config);
@@ -1462,6 +1502,8 @@ function resolveModelSelection(model, explicitProvider) {
       const defaultRegistryId = (brain.getKv?.('walle_model_registry_id') || (explicitProvider ? brain.getKv?.(`walle_model_registry_${explicitProvider}`) : null) || '').trim();
       const defaultRow = defaultRegistryId ? rows.find((row) => row.id === defaultRegistryId) : null;
       if (defaultRow) return _registryRouteFromRow(defaultRow, raw, explicitProvider);
+      const preferredRow = _preferredRouteRowForBareModel(rows, explicitProvider);
+      if (preferredRow) return _registryRouteFromRow(preferredRow, raw, explicitProvider);
       return _ambiguousModelRoute(raw, rows, explicitProvider);
     }
   } catch {}
@@ -2868,6 +2910,7 @@ async function chat(message, opts = {}) {
     let forceFinalNoTools = false;
     let toolLimitNoticeSent = false;
     let postToolProgressContinuationCount = 0;
+    let actionCompletionContinuationCount = 0;
 
     // Adaptive limits based on intent classification
     const INTENT_LIMITS = {
@@ -3266,6 +3309,48 @@ async function chat(message, opts = {}) {
           console.log('[chat] Premature post-tool progress text — continuing tool loop');
           continue;
         }
+
+        if ((wallECodingMode || isCodingActionRequest()) && !forceFinalNoTools) {
+          let hasTurnBudgetForActionContinuation = turn + 1 < allowedTurns;
+          if (!hasTurnBudgetForActionContinuation) {
+            hasTurnBudgetForActionContinuation = extendCodingTurnBudget('action completion guard');
+          }
+          const toolsAvailableForActionContinuation = Array.isArray(toolsForTurn)
+            && toolsForTurn.length > 0
+            && toolCallCount < MAX_TOOL_CALLS
+            && hasTurnBudgetForActionContinuation;
+          const actionContinuation = _chatNoActionContinuation({
+            prompt: routingMessage || message,
+            content: finalText,
+            toolCallHistory: _chatToolCallHistoryForActionGuard(allToolCalls),
+            toolsAvailable: toolsAvailableForActionContinuation,
+            nudges: actionCompletionContinuationCount,
+            maxNudges: wallECodingMode ? 3 : 1,
+            cwd: effectiveCwd || opts.cwd || process.cwd(),
+          });
+          if (actionContinuation?.action === 'continue') {
+            actionCompletionContinuationCount += 1;
+            const assistantHistoryContent = [];
+            if (response.reasoningContent && typeof response.reasoningContent === 'string') {
+              assistantHistoryContent.push({ type: 'reasoning', text: response.reasoningContent });
+            }
+            if (finalText) assistantHistoryContent.push({ type: 'text', text: finalText });
+            messages.push({
+              role: 'assistant',
+              content: assistantHistoryContent.length > 0 ? assistantHistoryContent : finalText,
+            });
+            messages.push({
+              role: 'user',
+              content: `${actionContinuation.message}\n` +
+                'If the target project is outside the current working directory, do not run broad filesystem scans. Use start_coding with cwd set to the explicit target project directory, or use project-scoped file tools against that directory. For website/UI/UX requests, finish only after concrete edits and verification evidence.',
+            });
+            console.log('[chat] Action completion guard — continuing tool loop:', actionContinuation.reason);
+            continue;
+          }
+          if (actionContinuation?.action === 'fail') {
+            finalText = `I could not complete the requested code change: ${actionContinuation.reason}`;
+          }
+        }
         finalResponseMeta = {
           model: response.model || selectedModel,
           provider: response.provider || usedProvider || targetProviderType,