lemura 1.5.1 → 1.5.3

package/CHANGELOG.md

@@ -5,6 +5,23 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.5.3] - 2026-05-30
+
+### Fixed
+
+- **Tool firewall `ask` decision could execute denied tools** (critical): when a `ToolFirewallConfig.onAsk` handler returned anything other than the exact string `'deny'` — including the boolean `false`, `undefined`, or by throwing — the tool was executed anyway. A user pressing "Stop"/deny could not actually stop the tool call. The `ask` path is now **fail-safe**: only an explicit accept signal (`'accept'` or `true`) allows execution; `'deny'`, `false`, `undefined`, `void`, and thrown errors all block the tool and inject a `Blocked by tool firewall` observation.
+  - `ToolFirewallConfig.onAsk` now accepts `'accept' | 'deny' | boolean | void` (and the `Promise` thereof) for ergonomics. The previous `'accept' | 'deny'` return remains valid.
+
+## [1.5.2] - 2026-05-30
+
+### Changed
+
+- **Namespaced XML delimiters for all runtime-injected blocks**: All blocks appended to the system prompt or user messages by the lemura runtime now use a consistent `lemura:` XML namespace, preventing collisions with user-supplied prompt content.
+  - `GoalInjector`: `[CURRENT GOAL]…[/CURRENT GOAL]` → `<lemura:goal>` with `<lemura:statement>`, `<lemura:criteria>`, `<lemura:subgoals status="pending|done">`
+  - `ContinuationPlanner`: `[CONTINUATION PLAN — Step X/Y]` (no closing tag) → `<lemura:plan step="X" total="Y">` with `<lemura:step id="…" tool="…" status="…">` children
+  - `SkillInjector`: `[Skill: name (Tier: tier)]` (no closing tag) → `<lemura:skill name="…" tier="…">…</lemura:skill>`
+  - `SessionManager` frozen-turn wrapper: `[System Guidance / Agent State]` (no closing tag) → `<lemura:agent-state>…</lemura:agent-state>`
+
 ## [1.5.1] - 2026-05-29
 
 ### Added

package/dist/{agent-BImCcYVg.d.ts → agent-Cd704J0J.d.ts}

@@ -126,7 +126,7 @@ declare class GoalInjector {
     private turnsSinceInjection;
     constructor(goal: Goal);
     /**
-     * Returns the formatted `[CURRENT GOAL]` block string — without caring about
+     * Returns the formatted `<lemura:goal>` block string — without caring about
      * where it will be placed. Callers decide whether to append to a system prompt
      * or push as a separate message.
      */
@@ -199,9 +199,14 @@ interface ToolFirewallConfig {
     rules?: ToolFirewallRule[];
     /**
      * Called when a tool hits the 'ask' decision.
-     * Return 'accept' or 'deny'. If omitted, 'ask' behaves like 'deny'.
+     *
+     * Return `'accept'` (or `true`) to allow the tool to run; return `'deny'`
+     * (or `false`) to block it. The decision is **fail-safe**: only an explicit
+     * accept signal allows execution — any other value (`'deny'`, `false`,
+     * `undefined`, `null`, a thrown error) blocks the tool. If `onAsk` is
+     * omitted entirely, an `'ask'` decision behaves like `'deny'`.
      */
-    onAsk?: (toolName: string, argsJson: string) => Promise<'accept' | 'deny'> | 'accept' | 'deny';
+    onAsk?: (toolName: string, argsJson: string) => Promise<'accept' | 'deny' | boolean | void> | 'accept' | 'deny' | boolean | void;
 }
 /**
  * Execution budget constraints for tool calls within a session.

package/dist/{agent-57E_Tvby.d.mts → agent-DFh31XIA.d.mts}

@@ -126,7 +126,7 @@ declare class GoalInjector {
     private turnsSinceInjection;
     constructor(goal: Goal);
     /**
-     * Returns the formatted `[CURRENT GOAL]` block string — without caring about
+     * Returns the formatted `<lemura:goal>` block string — without caring about
      * where it will be placed. Callers decide whether to append to a system prompt
      * or push as a separate message.
      */
@@ -199,9 +199,14 @@ interface ToolFirewallConfig {
     rules?: ToolFirewallRule[];
     /**
      * Called when a tool hits the 'ask' decision.
-     * Return 'accept' or 'deny'. If omitted, 'ask' behaves like 'deny'.
+     *
+     * Return `'accept'` (or `true`) to allow the tool to run; return `'deny'`
+     * (or `false`) to block it. The decision is **fail-safe**: only an explicit
+     * accept signal allows execution — any other value (`'deny'`, `false`,
+     * `undefined`, `null`, a thrown error) blocks the tool. If `onAsk` is
+     * omitted entirely, an `'ask'` decision behaves like `'deny'`.
      */
-    onAsk?: (toolName: string, argsJson: string) => Promise<'accept' | 'deny'> | 'accept' | 'deny';
+    onAsk?: (toolName: string, argsJson: string) => Promise<'accept' | 'deny' | boolean | void> | 'accept' | 'deny' | boolean | void;
 }
 /**
  * Execution budget constraints for tool calls within a session.

package/dist/index.d.mts

@@ -1,7 +1,7 @@
 import { a as IProviderAdapter, d as TranscriptionRequest, e as TranscriptionResponse, f as SynthesisRequest, A as AudioChunk, V as VisionRequest, g as VisionResponse, h as ImageGenRequest, i as ImageGenResponse, M as ModelInfo, C as ContextWindow, T as Turn, j as ContentBlock, I as IToolDefinition } from './adapters-DAzmrg4l.mjs';
 export { k as CompletionChunk, l as CompletionRequest, m as CompletionResponse, b as IContextStrategy, c as IScratchpadAdapter, n as IStorageAdapter, N as NormalizedMessage, o as STMItem, p as STMRegistryConfig, S as ShortTermMemoryRegistry, q as TokenUsage, r as ToolCall, s as ToolContext, t as ToolResult } from './adapters-DAzmrg4l.mjs';
-import { S as SessionConfig, G as Goal, I as IToolResponseProcessor, T as ToolResponseEvaluation, M as MCPServerConfig, a as MCPToolDefinition } from './agent-57E_Tvby.mjs';
-export { b as GoalInjector, c as GoalVerifierResult, d as MCPJsonRpcRequest, e as MCPJsonRpcResponse, f as MCPTransportType, g as MediaConfig, h as ToolDecision, i as ToolExecutionBudget, j as ToolFirewallConfig, k as ToolFirewallRule, l as TraceEvent } from './agent-57E_Tvby.mjs';
+import { S as SessionConfig, G as Goal, I as IToolResponseProcessor, T as ToolResponseEvaluation, M as MCPServerConfig, a as MCPToolDefinition } from './agent-DFh31XIA.mjs';
+export { b as GoalInjector, c as GoalVerifierResult, d as MCPJsonRpcRequest, e as MCPJsonRpcResponse, f as MCPTransportType, g as MediaConfig, h as ToolDecision, i as ToolExecutionBudget, j as ToolFirewallConfig, k as ToolFirewallRule, l as TraceEvent } from './agent-DFh31XIA.mjs';
 export { LemuraAdapterError, LemuraContextOverflowError, LemuraError, LemuraMCPConnectionError, LemuraMCPError, LemuraMCPTimeoutError, LemuraMaxIterationsError, LemuraSkillInjectionError, LemuraToolNotFoundError, LemuraToolTimeoutError, LemuraToolValidationError } from './types/index.mjs';
 import { I as ILogger } from './logger-DxvKliuk.mjs';
 export { L as LogLevel, a as LogMetadata, S as Severity } from './logger-DxvKliuk.mjs';

package/dist/index.d.ts

@@ -1,7 +1,7 @@
 import { a as IProviderAdapter, d as TranscriptionRequest, e as TranscriptionResponse, f as SynthesisRequest, A as AudioChunk, V as VisionRequest, g as VisionResponse, h as ImageGenRequest, i as ImageGenResponse, M as ModelInfo, C as ContextWindow, T as Turn, j as ContentBlock, I as IToolDefinition } from './adapters-CIRkrCHl.js';
 export { k as CompletionChunk, l as CompletionRequest, m as CompletionResponse, b as IContextStrategy, c as IScratchpadAdapter, n as IStorageAdapter, N as NormalizedMessage, o as STMItem, p as STMRegistryConfig, S as ShortTermMemoryRegistry, q as TokenUsage, r as ToolCall, s as ToolContext, t as ToolResult } from './adapters-CIRkrCHl.js';
-import { S as SessionConfig, G as Goal, I as IToolResponseProcessor, T as ToolResponseEvaluation, M as MCPServerConfig, a as MCPToolDefinition } from './agent-BImCcYVg.js';
-export { b as GoalInjector, c as GoalVerifierResult, d as MCPJsonRpcRequest, e as MCPJsonRpcResponse, f as MCPTransportType, g as MediaConfig, h as ToolDecision, i as ToolExecutionBudget, j as ToolFirewallConfig, k as ToolFirewallRule, l as TraceEvent } from './agent-BImCcYVg.js';
+import { S as SessionConfig, G as Goal, I as IToolResponseProcessor, T as ToolResponseEvaluation, M as MCPServerConfig, a as MCPToolDefinition } from './agent-Cd704J0J.js';
+export { b as GoalInjector, c as GoalVerifierResult, d as MCPJsonRpcRequest, e as MCPJsonRpcResponse, f as MCPTransportType, g as MediaConfig, h as ToolDecision, i as ToolExecutionBudget, j as ToolFirewallConfig, k as ToolFirewallRule, l as TraceEvent } from './agent-Cd704J0J.js';
 export { LemuraAdapterError, LemuraContextOverflowError, LemuraError, LemuraMCPConnectionError, LemuraMCPError, LemuraMCPTimeoutError, LemuraMaxIterationsError, LemuraSkillInjectionError, LemuraToolNotFoundError, LemuraToolTimeoutError, LemuraToolValidationError } from './types/index.js';
 import { I as ILogger } from './logger-DxvKliuk.js';
 export { L as LogLevel, a as LogMetadata, S as Severity } from './logger-DxvKliuk.js';

package/dist/index.js

@@ -1315,8 +1315,9 @@ var SkillInjector = class {
       if (!content) continue;
       const tierLabel = skill.tier ?? "standard";
       const skillEntry = `
-[Skill: ${skill.name} (Tier: ${tierLabel})]
+<lemura:skill name="${skill.name}" tier="${tierLabel}">
 ${content}
+</lemura:skill>
 `;
       const skillTokens = Math.ceil(skillEntry.length / 4);
       if (tokenBudget !== void 0 && usedTokens + skillTokens > tokenBudget) {
@@ -1853,7 +1854,7 @@ var GoalInjector = class {
     };
   }
   /**
-   * Returns the formatted `[CURRENT GOAL]` block string — without caring about
+   * Returns the formatted `<lemura:goal>` block string — without caring about
    * where it will be placed. Callers decide whether to append to a system prompt
    * or push as a separate message.
    */
@@ -1861,27 +1862,28 @@ var GoalInjector = class {
     const { statement, successCriteria, decomposition, completedSubGoals = [] } = this.goal;
     const pending = decomposition.filter((sg) => !completedSubGoals.includes(sg));
     const completed = decomposition.filter((sg) => completedSubGoals.includes(sg));
-    let block = `[CURRENT GOAL]
-${statement}
+    let block = `<lemura:goal>
+<lemura:statement>${statement}</lemura:statement>
 `;
     if (successCriteria.length > 0) {
-      block += `
-Success criteria:
-${successCriteria.map((c) => `- ${c}`).join("\n")}`;
+      block += `<lemura:criteria>
+${successCriteria.map((c) => `- ${c}`).join("\n")}
+</lemura:criteria>
+`;
     }
     if (pending.length > 0) {
-      block += `
-
-Sub-goals remaining:
-${pending.map((sg) => `- ${sg} \u2190 pending`).join("\n")}`;
+      block += `<lemura:subgoals status="pending">
+${pending.map((sg) => `- ${sg}`).join("\n")}
+</lemura:subgoals>
+`;
     }
     if (completed.length > 0) {
-      block += `
-
-Sub-goals completed:
-${completed.map((sg) => `- \u2705 ${sg}`).join("\n")}`;
+      block += `<lemura:subgoals status="done">
+${completed.map((sg) => `- \u2705 ${sg}`).join("\n")}
+</lemura:subgoals>
+`;
     }
-    block += "\n[/CURRENT GOAL]";
+    block += "</lemura:goal>";
     return block;
   }
   /**
@@ -1970,14 +1972,17 @@ var ContinuationPlanner = class {
   }
   /** Returns a human-readable status string with icons (injected before each iteration) */
   getPlanStatusString() {
-    let result = `[CONTINUATION PLAN \u2014 Step ${this.plan.currentStepIndex + 1}/${this.plan.steps.length}]
+    const current = this.plan.currentStepIndex + 1;
+    const total = this.plan.steps.length;
+    let result = `<lemura:plan step="${current}" total="${total}">
 `;
     for (const step of this.plan.steps) {
       const icon = this._icon(step.status);
       const statusText = step.status === "pending" && step.dependsOn.length > 0 ? `Waiting on Step ${step.dependsOn.join(", ")}` : step.status.charAt(0).toUpperCase() + step.status.slice(1);
-      result += `${icon} Step ${step.stepId} (${step.toolName}): ${statusText}
+      result += `<lemura:step id="${step.stepId}" tool="${step.toolName}" status="${step.status}">${icon} ${statusText}</lemura:step>
 `;
     }
+    result += "</lemura:plan>";
     return result;
   }
   _icon(status) {
@@ -3105,8 +3110,9 @@ ${planStatus}`;
           }
           injectionBlock = blocks.length > 0 ? `
 
-[System Guidance / Agent State]
-${blocks.join("\n\n")}` : "";
+<lemura:agent-state>
+${blocks.join("\n\n")}
+</lemura:agent-state>` : "";
           this._turnInjections.set(i, injectionBlock);
           if (injectionBlock) {
             this.emitTrace("planning", "goal_injected", { position: "frozen_turn", turnIndex: i, iteration });
@@ -3254,8 +3260,17 @@ ${blocks.join("\n\n")}` : "";
     }
     if (firewall.decision === "ask") {
       if (this.config.toolFirewall?.onAsk) {
-        const userDecision = await this.config.toolFirewall.onAsk(toolName, argsJson);
-        if (userDecision === "deny") {
+        let accepted = false;
+        try {
+          const userDecision = await this.config.toolFirewall.onAsk(toolName, argsJson);
+          accepted = userDecision === "accept" || userDecision === true;
+        } catch (e) {
+          this.logger.warn(`Tool firewall onAsk handler threw \u2014 treating as deny: ${toolName}`, {
+            error: e instanceof Error ? e.message : String(e)
+          });
+          accepted = false;
+        }
+        if (!accepted) {
           this.logger.warn(`Tool blocked by firewall (ask \u2192 deny): ${toolName}`, { reason: firewall.reason });
           toolResults.push({ toolCallId, content: `Blocked by tool firewall: ${firewall.reason}` });
           return false;