import type { AgentTool, AgentToolResult } from "@mariozechner/pi-agent-core"; import { codingTools, createEditTool, createReadTool, createWriteTool, readTool, } from "@mariozechner/pi-coding-agent"; import type { ClawdbotConfig } from "../config/config.js"; import { detectMime } from "../media/mime.js"; import { isSubagentSessionKey } from "../routing/session-key.js"; import { resolveGatewayMessageProvider } from "../utils/message-provider.js"; import { resolveAgentConfig, resolveAgentIdFromSessionKey, } from "./agent-scope.js"; import { createApplyPatchTool } from "./apply-patch.js"; import { createExecTool, createProcessTool, type ExecToolDefaults, type ProcessToolDefaults, } from "./bash-tools.js"; import { createClawdbotTools } from "./clawdbot-tools.js"; import type { ModelAuthMode } from "./model-auth.js"; import { listProviderAgentTools } from "./provider-tools.js"; import type { SandboxContext, SandboxToolPolicy } from "./sandbox.js"; import { assertSandboxPath } from "./sandbox-paths.js"; import { cleanSchemaForGemini } from "./schema/clean-for-gemini.js"; import { sanitizeToolResultImages } from "./tool-images.js"; // NOTE(steipete): Upstream read now does file-magic MIME detection; we keep the wrapper // to normalize payloads and sanitize oversized images before they hit providers. type ToolContentBlock = AgentToolResult["content"][number]; type ImageContentBlock = Extract; type TextContentBlock = Extract; async function sniffMimeFromBase64( base64: string, ): Promise { const trimmed = base64.trim(); if (!trimmed) return undefined; const take = Math.min(256, trimmed.length); const sliceLen = take - (take % 4); if (sliceLen < 8) return undefined; try { const head = Buffer.from(trimmed.slice(0, sliceLen), "base64"); return await detectMime({ buffer: head }); } catch { return undefined; } } function rewriteReadImageHeader(text: string, mimeType: string): string { // pi-coding-agent uses: "Read image file [image/png]" if (text.startsWith("Read image file [") && text.endsWith("]")) { return `Read image file [${mimeType}]`; } return text; } async function normalizeReadImageResult( result: AgentToolResult, filePath: string, ): Promise> { const content = Array.isArray(result.content) ? result.content : []; const image = content.find( (b): b is ImageContentBlock => !!b && typeof b === "object" && (b as { type?: unknown }).type === "image" && typeof (b as { data?: unknown }).data === "string" && typeof (b as { mimeType?: unknown }).mimeType === "string", ); if (!image) return result; if (!image.data.trim()) { throw new Error(`read: image payload is empty (${filePath})`); } const sniffed = await sniffMimeFromBase64(image.data); if (!sniffed) return result; if (!sniffed.startsWith("image/")) { throw new Error( `read: file looks like ${sniffed} but was treated as ${image.mimeType} (${filePath})`, ); } if (sniffed === image.mimeType) return result; const nextContent = content.map((block) => { if ( block && typeof block === "object" && (block as { type?: unknown }).type === "image" ) { const b = block as ImageContentBlock & { mimeType: string }; return { ...b, mimeType: sniffed } satisfies ImageContentBlock; } if ( block && typeof block === "object" && (block as { type?: unknown }).type === "text" && typeof (block as { text?: unknown }).text === "string" ) { const b = block as TextContentBlock & { text: string }; return { ...b, text: rewriteReadImageHeader(b.text, sniffed), } satisfies TextContentBlock; } return block; }); return { ...result, content: nextContent }; } // biome-ignore lint/suspicious/noExplicitAny: TypeBox schema type from pi-agent-core uses a different module instance. type AnyAgentTool = AgentTool; function extractEnumValues(schema: unknown): unknown[] | undefined { if (!schema || typeof schema !== "object") return undefined; const record = schema as Record; if (Array.isArray(record.enum)) return record.enum; if ("const" in record) return [record.const]; const variants = Array.isArray(record.anyOf) ? record.anyOf : Array.isArray(record.oneOf) ? record.oneOf : null; if (variants) { const values = variants.flatMap((variant) => { const extracted = extractEnumValues(variant); return extracted ?? []; }); return values.length > 0 ? values : undefined; } return undefined; } function mergePropertySchemas(existing: unknown, incoming: unknown): unknown { if (!existing) return incoming; if (!incoming) return existing; const existingEnum = extractEnumValues(existing); const incomingEnum = extractEnumValues(incoming); if (existingEnum || incomingEnum) { const values = Array.from( new Set([...(existingEnum ?? []), ...(incomingEnum ?? [])]), ); const merged: Record = {}; for (const source of [existing, incoming]) { if (!source || typeof source !== "object") continue; const record = source as Record; for (const key of ["title", "description", "default"]) { if (!(key in merged) && key in record) merged[key] = record[key]; } } const types = new Set(values.map((value) => typeof value)); if (types.size === 1) merged.type = Array.from(types)[0]; merged.enum = values; return merged; } return existing; } function normalizeToolParameters(tool: AnyAgentTool): AnyAgentTool { const schema = tool.parameters && typeof tool.parameters === "object" ? (tool.parameters as Record) : undefined; if (!schema) return tool; // Provider quirks: // - Gemini rejects several JSON Schema keywords, so we scrub those. // - OpenAI rejects function tool schemas unless the *top-level* is `type: "object"`. // (TypeBox root unions compile to `{ anyOf: [...] }` without `type`). // // Normalize once here so callers can always pass `tools` through unchanged. // If schema already has type + properties (no top-level anyOf to merge), // still clean it for Gemini compatibility if ( "type" in schema && "properties" in schema && !Array.isArray(schema.anyOf) ) { return { ...tool, parameters: cleanSchemaForGemini(schema), }; } // Some tool schemas (esp. unions) may omit `type` at the top-level. If we see // object-ish fields, force `type: "object"` so OpenAI accepts the schema. if ( !("type" in schema) && (typeof schema.properties === "object" || Array.isArray(schema.required)) && !Array.isArray(schema.anyOf) && !Array.isArray(schema.oneOf) ) { return { ...tool, parameters: cleanSchemaForGemini({ ...schema, type: "object" }), }; } const variantKey = Array.isArray(schema.anyOf) ? "anyOf" : Array.isArray(schema.oneOf) ? "oneOf" : null; if (!variantKey) return tool; const variants = schema[variantKey] as unknown[]; const mergedProperties: Record = {}; const requiredCounts = new Map(); let objectVariants = 0; for (const entry of variants) { if (!entry || typeof entry !== "object") continue; const props = (entry as { properties?: unknown }).properties; if (!props || typeof props !== "object") continue; objectVariants += 1; for (const [key, value] of Object.entries( props as Record, )) { if (!(key in mergedProperties)) { mergedProperties[key] = value; continue; } mergedProperties[key] = mergePropertySchemas( mergedProperties[key], value, ); } const required = Array.isArray((entry as { required?: unknown }).required) ? (entry as { required: unknown[] }).required : []; for (const key of required) { if (typeof key !== "string") continue; requiredCounts.set(key, (requiredCounts.get(key) ?? 0) + 1); } } const baseRequired = Array.isArray(schema.required) ? schema.required.filter((key) => typeof key === "string") : undefined; const mergedRequired = baseRequired && baseRequired.length > 0 ? baseRequired : objectVariants > 0 ? Array.from(requiredCounts.entries()) .filter(([, count]) => count === objectVariants) .map(([key]) => key) : undefined; const nextSchema: Record = { ...schema }; return { ...tool, // Flatten union schemas into a single object schema: // - Gemini doesn't allow top-level `type` together with `anyOf`. // - OpenAI rejects schemas without top-level `type: "object"`. // Merging properties preserves useful enums like `action` while keeping schemas portable. parameters: cleanSchemaForGemini({ type: "object", ...(typeof nextSchema.title === "string" ? { title: nextSchema.title } : {}), ...(typeof nextSchema.description === "string" ? { description: nextSchema.description } : {}), properties: Object.keys(mergedProperties).length > 0 ? mergedProperties : (schema.properties ?? {}), ...(mergedRequired && mergedRequired.length > 0 ? { required: mergedRequired } : {}), additionalProperties: "additionalProperties" in schema ? schema.additionalProperties : true, }), }; } function cleanToolSchemaForGemini(schema: Record): unknown { return cleanSchemaForGemini(schema); } const TOOL_NAME_ALIASES: Record = { bash: "exec", "apply-patch": "apply_patch", }; function normalizeToolName(name: string) { const normalized = name.trim().toLowerCase(); return TOOL_NAME_ALIASES[normalized] ?? normalized; } function normalizeToolNames(list?: string[]) { if (!list) return []; return list.map(normalizeToolName).filter(Boolean); } function isOpenAIProvider(provider?: string) { const normalized = provider?.trim().toLowerCase(); return normalized === "openai" || normalized === "openai-codex"; } function isApplyPatchAllowedForModel(params: { modelProvider?: string; modelId?: string; allowModels?: string[]; }) { const allowModels = Array.isArray(params.allowModels) ? params.allowModels : []; if (allowModels.length === 0) return true; const modelId = params.modelId?.trim(); if (!modelId) return false; const normalizedModelId = modelId.toLowerCase(); const provider = params.modelProvider?.trim().toLowerCase(); const normalizedFull = provider && !normalizedModelId.includes("/") ? `${provider}/${normalizedModelId}` : normalizedModelId; return allowModels.some((entry) => { const normalized = entry.trim().toLowerCase(); if (!normalized) return false; return normalized === normalizedModelId || normalized === normalizedFull; }); } const DEFAULT_SUBAGENT_TOOL_DENY = [ "sessions_list", "sessions_history", "sessions_send", "sessions_spawn", ]; function resolveSubagentToolPolicy(cfg?: ClawdbotConfig): SandboxToolPolicy { const configured = cfg?.tools?.subagents?.tools; const deny = [ ...DEFAULT_SUBAGENT_TOOL_DENY, ...(Array.isArray(configured?.deny) ? configured.deny : []), ]; const allow = Array.isArray(configured?.allow) ? configured.allow : undefined; return { allow, deny }; } function isToolAllowedByPolicyName( name: string, policy?: SandboxToolPolicy, ): boolean { if (!policy) return true; const deny = new Set(normalizeToolNames(policy.deny)); const allowRaw = normalizeToolNames(policy.allow); const allow = allowRaw.length > 0 ? new Set(allowRaw) : null; const normalized = normalizeToolName(name); if (deny.has(normalized)) return false; if (allow) { if (allow.has(normalized)) return true; if (normalized === "apply_patch" && allow.has("exec")) return true; return false; } return true; } function filterToolsByPolicy( tools: AnyAgentTool[], policy?: SandboxToolPolicy, ) { if (!policy) return tools; return tools.filter((tool) => isToolAllowedByPolicyName(tool.name, policy)); } function resolveEffectiveToolPolicy(params: { config?: ClawdbotConfig; sessionKey?: string; }) { const agentId = params.sessionKey ? resolveAgentIdFromSessionKey(params.sessionKey) : undefined; const agentConfig = params.config && agentId ? resolveAgentConfig(params.config, agentId) : undefined; const agentTools = agentConfig?.tools; const hasAgentToolPolicy = Array.isArray(agentTools?.allow) || Array.isArray(agentTools?.deny); const globalTools = params.config?.tools; return { agentId, policy: hasAgentToolPolicy ? agentTools : globalTools, }; } function isToolAllowedByPolicy(name: string, policy?: SandboxToolPolicy) { return isToolAllowedByPolicyName(name, policy); } function isToolAllowedByPolicies( name: string, policies: Array, ) { return policies.every((policy) => isToolAllowedByPolicy(name, policy)); } function wrapSandboxPathGuard(tool: AnyAgentTool, root: string): AnyAgentTool { return { ...tool, execute: async (toolCallId, args, signal, onUpdate) => { const normalized = normalizeToolParams(args); const record = normalized ?? (args && typeof args === "object" ? (args as Record) : undefined); const filePath = record?.path; if (typeof filePath === "string" && filePath.trim()) { await assertSandboxPath({ filePath, cwd: root, root }); } return tool.execute(toolCallId, normalized ?? args, signal, onUpdate); }, }; } type RequiredParamGroup = { keys: readonly string[]; allowEmpty?: boolean; label?: string; }; const CLAUDE_PARAM_GROUPS = { read: [{ keys: ["path", "file_path"], label: "path (path or file_path)" }], write: [{ keys: ["path", "file_path"], label: "path (path or file_path)" }], edit: [ { keys: ["path", "file_path"], label: "path (path or file_path)" }, { keys: ["oldText", "old_string"], label: "oldText (oldText or old_string)", }, { keys: ["newText", "new_string"], label: "newText (newText or new_string)", }, ], } as const; function patchToolSchemaForClaudeCompatibility( tool: AnyAgentTool, ): AnyAgentTool { const schema = tool.parameters && typeof tool.parameters === "object" ? (tool.parameters as Record) : undefined; if (!schema || !schema.properties || typeof schema.properties !== "object") { return tool; } const properties = { ...(schema.properties as Record) }; const required = Array.isArray(schema.required) ? schema.required.filter((key): key is string => typeof key === "string") : []; let changed = false; const aliasPairs: Array<{ original: string; alias: string }> = [ { original: "path", alias: "file_path" }, { original: "oldText", alias: "old_string" }, { original: "newText", alias: "new_string" }, ]; for (const { original, alias } of aliasPairs) { if (!(original in properties)) continue; if (!(alias in properties)) { properties[alias] = properties[original]; changed = true; } const idx = required.indexOf(original); if (idx !== -1) { required.splice(idx, 1); changed = true; } } if (!changed) return tool; return { ...tool, parameters: { ...schema, properties, ...(required.length > 0 ? { required } : {}), }, }; } function assertRequiredParams( record: Record | undefined, groups: readonly RequiredParamGroup[], toolName: string, ): void { if (!record || typeof record !== "object") { throw new Error(`Missing parameters for ${toolName}`); } for (const group of groups) { const satisfied = group.keys.some((key) => { if (!(key in record)) return false; const value = record[key]; if (typeof value !== "string") return false; if (group.allowEmpty) return true; return value.trim().length > 0; }); if (!satisfied) { const label = group.label ?? group.keys.join(" or "); throw new Error(`Missing required parameter: ${label}`); } } } function createSandboxedReadTool(root: string) { const base = createReadTool(root); return wrapSandboxPathGuard(createClawdbotReadTool(base), root); } function createSandboxedWriteTool(root: string) { const base = createWriteTool(root); return wrapSandboxPathGuard( wrapToolParamNormalization(base, CLAUDE_PARAM_GROUPS.write), root, ); } function createSandboxedEditTool(root: string) { const base = createEditTool(root); return wrapSandboxPathGuard( wrapToolParamNormalization(base, CLAUDE_PARAM_GROUPS.edit), root, ); } // Normalize tool parameters from Claude Code conventions to pi-coding-agent conventions. // Claude Code uses file_path/old_string/new_string while pi-coding-agent uses path/oldText/newText. // This prevents models trained on Claude Code from getting stuck in tool-call loops. function normalizeToolParams( params: unknown, ): Record | undefined { if (!params || typeof params !== "object") return undefined; const record = params as Record; const normalized = { ...record }; // file_path → path (read, write, edit) if ("file_path" in normalized && !("path" in normalized)) { normalized.path = normalized.file_path; delete normalized.file_path; } // old_string → oldText (edit) if ("old_string" in normalized && !("oldText" in normalized)) { normalized.oldText = normalized.old_string; delete normalized.old_string; } // new_string → newText (edit) if ("new_string" in normalized && !("newText" in normalized)) { normalized.newText = normalized.new_string; delete normalized.new_string; } return normalized; } // Generic wrapper to normalize parameters for any tool function wrapToolParamNormalization( tool: AnyAgentTool, requiredParamGroups?: readonly RequiredParamGroup[], ): AnyAgentTool { const patched = patchToolSchemaForClaudeCompatibility(tool); return { ...patched, execute: async (toolCallId, params, signal, onUpdate) => { const normalized = normalizeToolParams(params); const record = normalized ?? (params && typeof params === "object" ? (params as Record) : undefined); if (requiredParamGroups?.length) { assertRequiredParams(record, requiredParamGroups, tool.name); } return tool.execute(toolCallId, normalized ?? params, signal, onUpdate); }, }; } function createClawdbotReadTool(base: AnyAgentTool): AnyAgentTool { const patched = patchToolSchemaForClaudeCompatibility(base); return { ...patched, execute: async (toolCallId, params, signal) => { const normalized = normalizeToolParams(params); const record = normalized ?? (params && typeof params === "object" ? (params as Record) : undefined); assertRequiredParams(record, CLAUDE_PARAM_GROUPS.read, base.name); const result = (await base.execute( toolCallId, normalized ?? params, signal, )) as AgentToolResult; const filePath = typeof record?.path === "string" ? String(record.path) : ""; const normalizedResult = await normalizeReadImageResult(result, filePath); return sanitizeToolResultImages(normalizedResult, `read:${filePath}`); }, }; } export const __testing = { cleanToolSchemaForGemini, normalizeToolParams, patchToolSchemaForClaudeCompatibility, wrapToolParamNormalization, assertRequiredParams, } as const; function throwAbortError(): never { const err = new Error("Aborted"); err.name = "AbortError"; throw err; } function combineAbortSignals( a?: AbortSignal, b?: AbortSignal, ): AbortSignal | undefined { if (!a && !b) return undefined; if (a && !b) return a; if (b && !a) return b; if (a?.aborted) return a; if (b?.aborted) return b; if (typeof AbortSignal.any === "function") { return AbortSignal.any([a as AbortSignal, b as AbortSignal]); } const controller = new AbortController(); const onAbort = () => controller.abort(); a?.addEventListener("abort", onAbort, { once: true }); b?.addEventListener("abort", onAbort, { once: true }); return controller.signal; } function wrapToolWithAbortSignal( tool: AnyAgentTool, abortSignal?: AbortSignal, ): AnyAgentTool { if (!abortSignal) return tool; const execute = tool.execute; if (!execute) return tool; return { ...tool, execute: async (toolCallId, params, signal, onUpdate) => { const combined = combineAbortSignals(signal, abortSignal); if (combined?.aborted) throwAbortError(); return await execute(toolCallId, params, combined, onUpdate); }, }; } export function createClawdbotCodingTools(options?: { exec?: ExecToolDefaults & ProcessToolDefaults; messageProvider?: string; agentAccountId?: string; sandbox?: SandboxContext | null; sessionKey?: string; agentDir?: string; workspaceDir?: string; config?: ClawdbotConfig; abortSignal?: AbortSignal; /** * Provider of the currently selected model (used for provider-specific tool quirks). * Example: "anthropic", "openai", "google", "openai-codex". */ modelProvider?: string; /** Model id for the current provider (used for model-specific tool gating). */ modelId?: string; /** * Auth mode for the current provider. We only need this for Anthropic OAuth * tool-name blocking quirks. */ modelAuthMode?: ModelAuthMode; /** Current channel ID for auto-threading (Slack). */ currentChannelId?: string; /** Current thread timestamp for auto-threading (Slack). */ currentThreadTs?: string; /** Reply-to mode for Slack auto-threading. */ replyToMode?: "off" | "first" | "all"; /** Mutable ref to track if a reply was sent (for "first" mode). */ hasRepliedRef?: { value: boolean }; }): AnyAgentTool[] { const execToolName = "exec"; const sandbox = options?.sandbox?.enabled ? options.sandbox : undefined; const { agentId, policy: effectiveToolsPolicy } = resolveEffectiveToolPolicy({ config: options?.config, sessionKey: options?.sessionKey, }); const scopeKey = options?.exec?.scopeKey ?? (agentId ? `agent:${agentId}` : undefined); const subagentPolicy = isSubagentSessionKey(options?.sessionKey) && options?.sessionKey ? resolveSubagentToolPolicy(options.config) : undefined; const allowBackground = isToolAllowedByPolicies("process", [ effectiveToolsPolicy, sandbox?.tools, subagentPolicy, ]); const sandboxRoot = sandbox?.workspaceDir; const allowWorkspaceWrites = sandbox?.workspaceAccess !== "ro"; const workspaceRoot = options?.workspaceDir ?? process.cwd(); const applyPatchConfig = options?.config?.tools?.exec?.applyPatch; const applyPatchEnabled = !!applyPatchConfig?.enabled && isOpenAIProvider(options?.modelProvider) && isApplyPatchAllowedForModel({ modelProvider: options?.modelProvider, modelId: options?.modelId, allowModels: applyPatchConfig?.allowModels, }); const base = (codingTools as unknown as AnyAgentTool[]).flatMap((tool) => { if (tool.name === readTool.name) { if (sandboxRoot) { return [createSandboxedReadTool(sandboxRoot)]; } const freshReadTool = createReadTool(workspaceRoot); return [createClawdbotReadTool(freshReadTool)]; } if (tool.name === "bash" || tool.name === execToolName) return []; if (tool.name === "write") { if (sandboxRoot) return []; // Wrap with param normalization for Claude Code compatibility return [ wrapToolParamNormalization( createWriteTool(workspaceRoot), CLAUDE_PARAM_GROUPS.write, ), ]; } if (tool.name === "edit") { if (sandboxRoot) return []; // Wrap with param normalization for Claude Code compatibility return [ wrapToolParamNormalization( createEditTool(workspaceRoot), CLAUDE_PARAM_GROUPS.edit, ), ]; } return [tool as AnyAgentTool]; }); const execTool = createExecTool({ ...options?.exec, cwd: options?.workspaceDir, allowBackground, scopeKey, sandbox: sandbox ? { containerName: sandbox.containerName, workspaceDir: sandbox.workspaceDir, containerWorkdir: sandbox.containerWorkdir, env: sandbox.docker.env, } : undefined, }); const bashTool = { ...(execTool as unknown as AnyAgentTool), name: "bash", label: "bash", } satisfies AnyAgentTool; const processTool = createProcessTool({ cleanupMs: options?.exec?.cleanupMs, scopeKey, }); const applyPatchTool = !applyPatchEnabled || (sandboxRoot && !allowWorkspaceWrites) ? null : createApplyPatchTool({ cwd: sandboxRoot ?? workspaceRoot, sandboxRoot: sandboxRoot && allowWorkspaceWrites ? sandboxRoot : undefined, }); const tools: AnyAgentTool[] = [ ...base, ...(sandboxRoot ? allowWorkspaceWrites ? [ createSandboxedEditTool(sandboxRoot), createSandboxedWriteTool(sandboxRoot), ] : [] : []), ...(applyPatchTool ? [applyPatchTool as unknown as AnyAgentTool] : []), execTool as unknown as AnyAgentTool, bashTool, processTool as unknown as AnyAgentTool, // Provider docking: include provider-defined agent tools (login, etc.). ...listProviderAgentTools({ cfg: options?.config }), ...createClawdbotTools({ browserControlUrl: sandbox?.browser?.controlUrl, allowHostBrowserControl: sandbox ? sandbox.browserAllowHostControl : true, allowedControlUrls: sandbox?.browserAllowedControlUrls, allowedControlHosts: sandbox?.browserAllowedControlHosts, allowedControlPorts: sandbox?.browserAllowedControlPorts, agentSessionKey: options?.sessionKey, agentProvider: resolveGatewayMessageProvider(options?.messageProvider), agentAccountId: options?.agentAccountId, agentDir: options?.agentDir, sandboxRoot, workspaceDir: options?.workspaceDir, sandboxed: !!sandbox, config: options?.config, currentChannelId: options?.currentChannelId, currentThreadTs: options?.currentThreadTs, replyToMode: options?.replyToMode, hasRepliedRef: options?.hasRepliedRef, }), ]; const toolsFiltered = effectiveToolsPolicy ? filterToolsByPolicy(tools, effectiveToolsPolicy) : tools; const sandboxed = sandbox ? filterToolsByPolicy(toolsFiltered, sandbox.tools) : toolsFiltered; const subagentFiltered = subagentPolicy ? filterToolsByPolicy(sandboxed, subagentPolicy) : sandboxed; // Always normalize tool JSON Schemas before handing them to pi-agent/pi-ai. // Without this, some providers (notably OpenAI) will reject root-level union schemas. const normalized = subagentFiltered.map(normalizeToolParameters); const withAbort = options?.abortSignal ? normalized.map((tool) => wrapToolWithAbortSignal(tool, options.abortSignal), ) : normalized; // NOTE: Keep canonical (lowercase) tool names here. // pi-ai's Anthropic OAuth transport remaps tool names to Claude Code-style names // on the wire and maps them back for tool dispatch. return withAbort; }