Entropic 2.3.8
Local-first agentic inference engine
Loading...
Searching...
No Matches
tool_executor.cpp
Go to the documentation of this file.
1// SPDX-License-Identifier: Apache-2.0
8#include <entropic/mcp/tool_executor.h>
9#include <entropic/mcp/tool_result_classify.h>
10#include <entropic/mcp/utf8_sanitize.h>
11#include <entropic/types/logging.h>
12
13#include <nlohmann/json.hpp>
14
15#include <algorithm>
16#include <chrono>
17#include <memory>
18#include <optional>
19
20static auto logger = entropic::log::get("mcp.tool_executor");
21
22namespace entropic {
23
33ToolExecutor::ToolExecutor(
34 ServerManager& server_manager,
35 const LoopConfig& loop_config,
36 EngineCallbacks& callbacks,
37 ToolExecutorHooks hooks)
38 : server_manager_(server_manager),
39 loop_config_(loop_config),
40 callbacks_(callbacks),
41 hooks_(hooks) {}
42
49void ToolExecutor::set_permission_persist(
50 const PermissionPersistInterface& persist) {
51 permission_persist_ = persist;
52}
53
62std::vector<Message> ToolExecutor::process_tool_calls(
63 LoopContext& ctx,
64 const std::vector<ToolCall>& tool_calls) {
65 logger->info("Processing {} tool calls", tool_calls.size());
66 ctx.state = AgentState::WAITING_TOOL;
67 fire_state_callback(ctx);
68
69 auto limited = sort_tool_calls(tool_calls);
70 int eff_limit = ctx.effective_max_tool_calls_per_turn >= 0
71 ? ctx.effective_max_tool_calls_per_turn
72 : loop_config_.max_tool_calls_per_turn;
73 truncate_to_limit(limited, eff_limit);
74
75 std::vector<Message> results;
76 for (const auto& call : limited) {
77 auto msgs = process_single_call(ctx, call);
78 for (auto& m : msgs) {
79 results.push_back(std::move(m));
80 }
81 if (should_stop_batch(ctx, results)) {
82 break;
83 }
84 }
85
86 ctx.consecutive_errors = 0;
87 return results;
88}
89
97std::vector<ToolCall> ToolExecutor::sort_tool_calls(
98 const std::vector<ToolCall>& calls) {
99 auto sorted = calls;
100 std::stable_sort(sorted.begin(), sorted.end(),
101 [](const ToolCall& a, const ToolCall& b) {
102 bool a_delegate = (a.name == "entropic.delegate");
103 bool b_delegate = (b.name == "entropic.delegate");
104 return !a_delegate && b_delegate;
105 });
106 return sorted;
107}
108
117std::string ToolExecutor::check_duplicate(
118 const LoopContext& ctx,
119 const ToolCall& call) const {
120 if (server_manager_.skip_duplicate_check(call.name)) {
121 return "";
122 }
123 auto key = tool_call_key(call);
124 auto it = ctx.recent_tool_calls.find(key);
125 if (it != ctx.recent_tool_calls.end()) {
126 return it->second;
127 }
128 return "";
129}
130
140Message ToolExecutor::handle_duplicate(
141 LoopContext& ctx,
142 const ToolCall& call,
143 const std::string& previous_result) {
144 ctx.consecutive_duplicate_attempts++;
145 logger->warn("Duplicate tool call #{}: {}",
146 ctx.consecutive_duplicate_attempts, call.name);
147
148 if (ctx.consecutive_duplicate_attempts >= 3) {
149 return create_circuit_breaker_message();
150 }
151 return create_duplicate_message(call, previous_result);
152}
153
161bool ToolExecutor::check_approval(const ToolCall& call) {
162 auto args_json = serialize_args(call);
163 bool auto_ok = loop_config_.auto_approve_tools
164 || server_manager_.is_explicitly_allowed(
165 call.name, args_json);
166
167 bool approved = auto_ok;
168 if (!approved && callbacks_.on_tool_call != nullptr) {
169 auto call_json = serialize_tool_call(call);
170 callbacks_.on_tool_call(call_json.c_str(),
171 callbacks_.user_data);
172 approved = true;
173 }
174
175 // Hook: ON_PERMISSION_CHECK — informational (v1.9.1)
176 if (hook_iface_.fire_info != nullptr) {
177 std::string perm = approved ? "allowed" : "denied";
178 std::string json = "{\"tool_name\":\""
179 + call.name + "\",\"permission\":\"" + perm + "\"}";
180 hook_iface_.fire_info(hook_iface_.registry,
181 ENTROPIC_HOOK_ON_PERMISSION_CHECK, json.c_str());
182 }
183
184 if (!approved) {
185 logger->warn("No approval callback — denying: {}", call.name);
186 }
187 return approved;
188}
189
198std::optional<Message> ToolExecutor::check_tier_allowed(
199 const LoopContext& ctx, const ToolCall& call) const {
200 // Tier allowlist enforcement is wired when the facade provides
201 // tier config. For now, pass through (no tier locked = no filter).
202 if (ctx.locked_tier.empty()) {
203 return std::nullopt;
204 }
205 // Actual tier allowlist lookup deferred to facade integration
206 return std::nullopt;
207}
208
217static std::string check_required_fields(
218 const nlohmann::json& schema,
219 const nlohmann::json& args)
220{
221 for (const auto& req : schema.value("required",
222 nlohmann::json::array())) {
223 if (!args.contains(req.get<std::string>())) {
224 return "Missing required argument: "
225 + req.get<std::string>();
226 }
227 }
228 return "";
229}
230
249static std::string check_enum(
250 const std::string& key,
251 const nlohmann::json& allowed,
252 const nlohmann::json& val)
253{
254 for (const auto& e : allowed) {
255 if (e == val) { return ""; }
256 }
257 return "Invalid value for '" + key + "': "
258 + val.dump() + ". Must be one of: " + allowed.dump();
259}
260
270static std::string check_type(
271 const std::string& key,
272 const std::string& type,
273 const nlohmann::json& val)
274{
275 bool ok = (type == "string" && val.is_string())
276 || (type == "integer" && val.is_number_integer())
277 || (type == "number" && val.is_number())
278 || (type == "boolean" && val.is_boolean())
279 || (type == "array" && val.is_array())
280 || (type == "object" && val.is_object());
281 return ok ? "" : "Type mismatch for '" + key
282 + "': expected " + type;
283}
284
294static std::string check_property_constraints(
295 const std::string& key,
296 const nlohmann::json& prop,
297 const nlohmann::json& val)
298{
299 if (prop.contains("enum")) {
300 auto err = check_enum(key, prop["enum"], val);
301 if (!err.empty()) { return err; }
302 }
303 if (!prop.contains("type")) { return ""; }
304 return check_type(key, prop["type"].get<std::string>(), val);
305}
306
319static std::string validate_tool_args(
320 const std::string& schema_json,
321 const nlohmann::json& args)
322{
323 auto schema = nlohmann::json::parse(schema_json, nullptr, false);
324 if (!schema.is_object()) { return ""; }
325
326 auto err = check_required_fields(schema, args);
327 auto props = schema.value("properties", nlohmann::json::object());
328 for (auto it = props.begin(); it != props.end() && err.empty(); ++it) {
329 if (args.contains(it.key())) {
330 err = check_property_constraints(
331 it.key(), it.value(), args[it.key()]);
332 }
333 }
334 return err;
335}
336
344static std::string parse_tool_result_text(const std::string& result_json) {
345 try {
346 auto j = nlohmann::json::parse(result_json);
347 return j.value("result", result_json);
348 } catch (...) {
349 return result_json;
350 }
351}
352
361std::pair<Message, std::string> ToolExecutor::execute_tool(
362 LoopContext& ctx, const ToolCall& call) {
363
364 auto args_json = serialize_args(call);
365
366 if (callbacks_.on_tool_start != nullptr) {
367 auto call_json = serialize_tool_call(call);
368 callbacks_.on_tool_start(call_json.c_str(),
369 callbacks_.user_data);
370 }
371
372 auto start = std::chrono::steady_clock::now();
373 // Inbound boundary from MCP server subprocess. v2.1.0 (#47) introduced
374 // this; v2.1.1 (#3) generalized it as one of several boundary-policy
375 // sanitize sites — see include/entropic/mcp/utf8_sanitize.h for the
376 // full policy. The earlier "trust downstream" assumption was wrong:
377 // bytes also enter via the model token stream and the audit-replay
378 // path; both now sanitize at their own boundaries.
379 auto result_json = mcp::sanitize_utf8(
380 server_manager_.execute(call.name, args_json));
381 auto end = std::chrono::steady_clock::now();
382 auto ms = std::chrono::duration_cast<
383 std::chrono::milliseconds>(end - start).count();
384
385 ctx.metrics.tool_calls++;
386
387 std::string result_text = parse_tool_result_text(result_json);
388
389 // P1-11 (2.0.6-rc16): stash into history ring buffer so the
390 // constitutional validator revision prompt (and diagnostic tools)
391 // can surface prior-iteration tool calls without re-reading
392 // messages[].
393 record_tool_history(call, args_json, result_text, ms,
394 ctx.metrics.iterations);
395
396 fire_tool_complete_callback(call, result_text, ms);
397
398 Message msg;
399 msg.role = "user";
400 msg.content = result_text;
401 msg.metadata["tool_call_id"] = call.id;
402 msg.metadata["tool_name"] = call.name;
403
404 return {std::move(msg), result_json};
405}
406
417void ToolExecutor::record_tool_history(const ToolCall& call,
418 const std::string& args_json,
419 const std::string& result_text,
420 long long ms, int iteration) {
421 ToolCallRecord rec;
422 rec.sequence = ++history_seq_;
423 rec.tool_name = call.name;
424 rec.params_summary = summarize_params(args_json);
425 rec.status = (result_text.rfind("error", 0) == 0)
426 ? "error" : "success";
427 rec.result_summary = truncate_result(result_text, 200);
428 rec.elapsed_ms = static_cast<double>(ms);
429 rec.iteration = iteration;
430 history_.record(rec);
431}
432
440std::string ToolExecutor::tool_call_key(const ToolCall& call) {
441 // Sort arguments for consistent key
442 nlohmann::json args;
443 for (const auto& [k, v] : call.arguments) {
444 args[k] = v;
445 }
446 return call.name + ":" + args.dump();
447}
448
457void ToolExecutor::record_tool_call(
458 LoopContext& ctx,
459 const ToolCall& call,
460 const std::string& result) {
461 // Extract result text from JSON envelope
462 std::string text = result;
463 try {
464 auto j = nlohmann::json::parse(result);
465 text = j.value("result", result);
466 } catch (...) {}
467
468 // Don't cache error results
469 if (text.find("Error:") == 0 || text.find("error:") == 0) {
470 return;
471 }
472 auto key = tool_call_key(call);
473 ctx.recent_tool_calls[key] = text;
474}
475
484Message ToolExecutor::create_denied_message(
485 const ToolCall& call,
486 const std::string& reason) {
487 Message msg;
488 msg.role = "user";
489 msg.content =
490 "Tool `" + call.name + "` was denied: " + reason + "\n\n"
491 "This tool is not available to you. Do NOT retry it. "
492 "Use a different approach to accomplish your task.";
493 return msg;
494}
495
504Message ToolExecutor::create_error_message(
505 const ToolCall& call,
506 const std::string& error) {
507 Message msg;
508 msg.role = "user";
509 msg.content =
510 "Tool `" + call.name + "` failed with error: " + error +
511 "\n\nRECOVERY:\n"
512 "- Check arguments are correct\n"
513 "- Try a different approach\n"
514 "- Do NOT retry with the same arguments";
515 return msg;
516}
517
518// ── Private helpers ──────────────────────────────────────
519
526void ToolExecutor::fire_state_callback(const LoopContext& ctx) {
527 if (callbacks_.on_state_change != nullptr) {
528 callbacks_.on_state_change(
529 static_cast<int>(ctx.state), callbacks_.user_data);
530 }
531}
532
540void ToolExecutor::truncate_to_limit(
541 std::vector<ToolCall>& calls,
542 int limit) const {
543 auto lim = static_cast<size_t>(limit);
544 if (calls.size() > lim) {
545 calls.resize(lim);
546 }
547}
548
557std::optional<Message> ToolExecutor::check_mcp_authorization(
558 const LoopContext& ctx,
559 const ToolCall& call) const {
560 if (auth_mgr_ == nullptr) {
561 return std::nullopt;
562 }
563 auto identity = ctx.locked_tier.empty()
564 ? "lead" : ctx.locked_tier;
565 auto required = server_manager_.get_required_access_level(
566 call.name);
567 if (!auth_mgr_->is_enforced(identity) ||
568 auth_mgr_->check_access(identity, call.name, required)) {
569 return std::nullopt;
570 }
571 auto level_str = mcp_access_level_name(required);
572 logger->warn("MCP key denied: {} requires {} for {}",
573 call.name, level_str, identity);
574 Message msg;
575 msg.role = "user";
576 msg.content =
577 "Tool `" + call.name + "` was denied: identity `"
578 + identity + "` lacks " + level_str
579 + " access.\n\n"
580 "Your MCP key set does not authorize this tool. "
581 "Use `entropic.delegate` to hand off to an identity "
582 "that has the required access.";
583 return msg;
584}
585
594std::optional<Message> ToolExecutor::check_dup_or_approval(
595 LoopContext& ctx, const ToolCall& call) {
596 auto dup_result = check_duplicate(ctx, call);
597 if (!dup_result.empty()) {
598 return handle_duplicate(ctx, call, dup_result);
599 }
600 ctx.consecutive_duplicate_attempts = 0;
601 return check_approval(call)
602 ? std::nullopt
603 : std::optional{create_denied_message(
604 call, "Permission denied")};
605}
606
622std::optional<Message> ToolExecutor::check_schema(
623 const ToolCall& call) {
624 auto schema = server_manager_.get_tool_schema(call.name);
625 if (schema.empty()) { return std::nullopt; }
626 auto args = nlohmann::json::parse(
627 serialize_args(call), nullptr, false);
628 auto err = args.is_discarded()
629 ? std::string{} : validate_tool_args(schema, args);
630 if (err.empty()) { return std::nullopt; }
631 logger->warn("Tool '{}' argument validation failed: {}",
632 call.name, err);
633 return create_denied_message(call, err);
634}
635
649PreconditionCheck ToolExecutor::check_call_preconditions(
650 LoopContext& ctx, const ToolCall& call) {
651 // Issue #14 (v2.1.4): anti-spiral hard block fires FIRST. Cheaper
652 // than schema/auth checks and short-circuits a tool that the
653 // engine has decided to refuse, regardless of whether the call
654 // would otherwise pass other preconditions.
655 PreconditionCheck pc = check_anti_spiral_hard_block(ctx, call);
656 if (pc.rejection.has_value()) {
657 return pc;
658 }
659 if (auto r = check_schema(call); r.has_value()) {
660 pc.rejection = std::move(r);
661 pc.kind = ToolResultKind::rejected_schema;
662 } else if (auto a = check_mcp_authorization(ctx, call);
663 a.has_value()) {
664 pc.rejection = std::move(a);
665 pc.kind = ToolResultKind::rejected_precondition;
666 } else if (auto t = check_tier_allowed(ctx, call); t.has_value()) {
667 pc.rejection = std::move(t);
668 pc.kind = ToolResultKind::rejected_precondition;
669 } else if (auto dup = check_duplicate(ctx, call); !dup.empty()) {
670 pc.rejection = handle_duplicate(ctx, call, dup);
671 pc.kind = ToolResultKind::rejected_duplicate;
672 } else {
673 pc = check_approval_pc(ctx, call);
674 }
675 return pc;
676}
677
687PreconditionCheck ToolExecutor::check_approval_pc(
688 LoopContext& ctx, const ToolCall& call) {
689 PreconditionCheck pc;
690 ctx.consecutive_duplicate_attempts = 0;
691 if (!check_approval(call)) {
692 pc.rejection = create_denied_message(
693 call, "Permission denied");
694 pc.kind = ToolResultKind::rejected_precondition;
695 }
696 return pc;
697}
698
711std::vector<Message> ToolExecutor::process_single_call(
712 LoopContext& ctx, const ToolCall& call) {
713 // Hook: PRE_TOOL_CALL first — fires for every attempt, including
714 // those that a precondition will reject. (E9, 2.0.6-rc19)
715 if (fire_pre_tool_hook(ctx, call)) {
716 auto msg = create_denied_message(call, "Cancelled by hook");
717 fire_post_tool_hook(ctx, call, "", 0.0,
718 ToolResultKind::rejected_precondition, msg);
719 return {std::move(msg)};
720 }
721
722 auto pc = check_call_preconditions(ctx, call);
723 if (pc.rejection.has_value()) {
724 logger->info("Tool '{}' rejected by precondition (kind={})",
725 call.name, result_kind_to_string(pc.kind));
726 fire_post_tool_hook(ctx, call, "", 0.0, pc.kind, *pc.rejection);
727 return {std::move(*pc.rejection)};
728 }
729
730 auto exec_start = std::chrono::steady_clock::now();
731 auto [msg, raw_result] = execute_tool(ctx, call);
732 auto exec_ms = std::chrono::duration<double, std::milli>(
733 std::chrono::steady_clock::now() - exec_start).count();
734
735 finalize_tool_call(ctx, call, msg, raw_result, exec_ms);
736
737 return {std::move(msg)};
738}
739
747static ToolResultKind classify_tool_result(const std::string& content) {
748 if (mcp::looks_like_tool_error(content)) {
749 return ToolResultKind::error;
750 }
751 if (mcp::is_effectively_empty(content)) {
752 return ToolResultKind::ok_empty;
753 }
754 return ToolResultKind::ok;
755}
756
767void ToolExecutor::log_tool_call(LoopContext& ctx, const ToolCall& call,
768 double exec_ms,
769 const std::string& raw_result,
770 ToolResultKind kind) {
771 auto args_log = serialize_args(call);
772 if (args_log.size() > 512) { args_log.resize(512); }
773 logger->info("[tool_call] iter={} tier={} tool={} args={} "
774 "elapsed_ms={:.0f} result_chars={} status={}",
775 ctx.metrics.iterations,
776 ctx.locked_tier.empty() ? "lead" : ctx.locked_tier,
777 call.name, args_log, exec_ms,
778 raw_result.size(), result_kind_to_string(kind));
779}
780
791void ToolExecutor::finalize_tool_call(LoopContext& ctx, const ToolCall& call,
792 Message& msg,
793 const std::string& raw_result,
794 double exec_ms) {
795 // #46 (v2.1.0): cap result content at LoopConfig.max_tool_result_bytes
796 // so a single runaway tool can't exhaust the context budget. Applied
797 // BEFORE classification so kind reflects the bounded form, and BEFORE
798 // record_tool_call so the duplicate cache stores what the model saw.
799 apply_result_size_cap(msg.content);
800 ctx.effective_tool_calls++;
801 msg.metadata["added_at_iteration"] =
802 std::to_string(ctx.metrics.iterations);
803 record_tool_call(ctx, call, raw_result);
804
805 // #44 (v2.1.0): honest byte-level signal — error trumps empty.
806 ToolResultKind kind = classify_tool_result(msg.content);
807 fire_post_tool_hook(ctx, call, raw_result, exec_ms, kind, msg);
808
809 // Demo ask #5 (v2.1.0): anti-spiral primitive. Track consecutive
810 // same-tool calls; at threshold, populate pending_anti_spiral_warning
811 // so the next turn's reminder tells the model to pivot or complete.
812 update_anti_spiral_tracking(ctx, call.name);
813
814 log_tool_call(ctx, call, exec_ms, raw_result, kind);
815
816 extract_and_process_directives(ctx, raw_result);
817 run_post_tool_hooks(ctx);
818}
819
828bool ToolExecutor::fire_pre_tool_hook(
829 const LoopContext& ctx, const ToolCall& call) {
830 if (hook_iface_.fire_pre == nullptr) { return false; }
831 auto json = build_pre_tool_json(call, ctx.locked_tier,
832 ctx.metrics.iterations);
833 char* mod = nullptr;
834 int rc = hook_iface_.fire_pre(hook_iface_.registry,
835 ENTROPIC_HOOK_PRE_TOOL_CALL, json.c_str(), &mod);
836 free(mod);
837 return rc != 0;
838}
839
848void ToolExecutor::apply_result_size_cap(std::string& content) const {
849 mcp::truncate_to_cap(content, loop_config_.max_tool_result_bytes);
850}
851
860void ToolExecutor::update_anti_spiral_tracking(
861 LoopContext& ctx, const std::string& tool_name) {
862 if (tool_name == ctx.last_tool_name) {
863 ++ctx.consecutive_same_tool_calls;
864 } else {
865 ctx.last_tool_name = tool_name;
866 ctx.consecutive_same_tool_calls = 1;
867 }
868 if (ctx.consecutive_same_tool_calls
869 >= loop_config_.max_consecutive_same_tool) {
870 ctx.pending_anti_spiral_warning =
871 tool_name + " has been called "
872 + std::to_string(ctx.consecutive_same_tool_calls)
873 + " times consecutively; pivot to a different tool or "
874 "complete the task next turn.";
875 }
876}
877
886int ToolExecutor::effective_hard_block_threshold() const {
887 int configured = loop_config_.max_consecutive_same_tool_hard_block;
888 if (configured < 0) {
889 configured = loop_config_.max_consecutive_same_tool + 2;
890 }
891 return configured;
892}
893
909PreconditionCheck ToolExecutor::check_anti_spiral_hard_block(
910 const LoopContext& ctx, const ToolCall& call) const {
911 PreconditionCheck pc;
912 int projected = (call.name == ctx.last_tool_name)
913 ? (ctx.consecutive_same_tool_calls + 1)
914 : 1;
915 int threshold = effective_hard_block_threshold();
916 if (projected >= threshold) {
917 std::string text =
918 "[anti-spiral] tool '" + call.name + "' blocked after "
919 + std::to_string(projected)
920 + " consecutive calls (threshold "
921 + std::to_string(threshold)
922 + "); pivot to a different tool or complete the task.";
923 pc.rejection = create_denied_message(call, text);
924 pc.kind = ToolResultKind::rejected_anti_spiral;
925 }
926 return pc;
927}
928
947void ToolExecutor::fire_post_tool_hook(
948 const LoopContext& ctx, const ToolCall& call,
949 const std::string& raw_result, double elapsed_ms,
950 ToolResultKind kind, Message& msg) {
951 if (hook_iface_.fire_post == nullptr) { return; }
952 auto json = build_post_tool_json(
953 call, raw_result, elapsed_ms, ctx.locked_tier,
954 ctx.metrics.iterations, kind);
955 char* out = nullptr;
956 hook_iface_.fire_post(hook_iface_.registry,
957 ENTROPIC_HOOK_POST_TOOL_CALL, json.c_str(), &out);
958 if (out != nullptr) {
959 msg.content = out;
960 free(out);
961 }
962}
963
972bool ToolExecutor::should_stop_batch(
973 const LoopContext& ctx,
974 const std::vector<Message>& /*results*/) const {
975 return ctx.state == AgentState::COMPLETE
976 || ctx.pending_delegation.has_value()
977 || ctx.pending_pipeline.has_value()
978 || ctx.consecutive_duplicate_attempts >= 3;
979}
980
987void ToolExecutor::run_post_tool_hooks(LoopContext& ctx) {
988 if (hooks_.after_tool != nullptr) {
989 hooks_.after_tool(ctx, hooks_.user_data);
990 }
991}
992
999Message ToolExecutor::create_circuit_breaker_message() {
1000 Message msg;
1001 msg.role = "user";
1002 msg.content =
1003 "STOP: You have called the same tool 3 times with "
1004 "identical arguments. This indicates you are stuck. "
1005 "Please try a completely different approach or respond "
1006 "to the user explaining what's blocking you.";
1007 logger->error("Circuit breaker triggered");
1008 return msg;
1009}
1010
1019Message ToolExecutor::create_duplicate_message(
1020 const ToolCall& call,
1021 const std::string& previous_result) {
1022 bool was_denied =
1023 previous_result.find("was denied") != std::string::npos
1024 || previous_result.find("not available") != std::string::npos;
1025
1026 Message msg;
1027 msg.role = "user";
1028
1029 if (was_denied) {
1030 msg.content =
1031 "Tool `" + call.name + "` is not available to you "
1032 "and retrying will not help. You MUST use a different "
1033 "approach. Do NOT call `" + call.name + "` again.";
1034 } else {
1035 msg.content =
1036 "Tool `" + call.name + "` was already called with "
1037 "the same arguments.\n\nPrevious result:\n" +
1038 previous_result +
1039 "\n\nDo NOT call this tool again. "
1040 "Use the previous result above.";
1041 }
1042 return msg;
1043}
1044
1057std::string ToolExecutor::serialize_args(const ToolCall& call) {
1058 if (!call.arguments_json.empty()) {
1059 return call.arguments_json;
1060 }
1061 nlohmann::json args;
1062 for (const auto& [k, v] : call.arguments) {
1063 args[k] = v;
1064 }
1065 return args.dump();
1066}
1067
1075std::string ToolExecutor::serialize_tool_call(const ToolCall& call) {
1076 nlohmann::json j;
1077 j["id"] = call.id;
1078 j["name"] = call.name;
1079 j["arguments"] = nlohmann::json::object();
1080 for (const auto& [k, v] : call.arguments) {
1081 j["arguments"][k] = v;
1082 }
1083 return j.dump();
1084}
1085
1094void ToolExecutor::fire_tool_complete_callback(
1095 const ToolCall& call,
1096 const std::string& result,
1097 long long ms) {
1098 if (callbacks_.on_tool_complete == nullptr) {
1099 return;
1100 }
1101 auto call_json = serialize_tool_call(call);
1102 callbacks_.on_tool_complete(
1103 call_json.c_str(), result.c_str(),
1104 static_cast<double>(ms), callbacks_.user_data);
1105}
1106
1119std::string ToolExecutor::build_post_tool_json(
1120 const ToolCall& call,
1121 const std::string& raw_result,
1122 double elapsed_ms,
1123 const std::string& tier,
1124 int iteration,
1125 ToolResultKind kind) {
1126 nlohmann::json ctx;
1127 ctx["tool_name"] = call.name;
1128 ctx["args"] = nlohmann::json::parse(serialize_args(call));
1129 ctx["elapsed_ms"] = elapsed_ms;
1130 ctx["tier"] = tier.empty() ? std::string{"lead"} : tier;
1131 ctx["iteration"] = iteration;
1132 ctx["result_kind"] = result_kind_to_string(kind);
1133 try {
1134 auto sr = nlohmann::json::parse(raw_result);
1135 ctx["result"] = sr.value("result", raw_result);
1136 ctx["directives"] = sr.value(
1137 "directives", nlohmann::json::array());
1138 } catch (...) {
1139 ctx["result"] = raw_result;
1140 ctx["directives"] = nlohmann::json::array();
1141 }
1142 return ctx.dump();
1143}
1144
1154std::string ToolExecutor::build_pre_tool_json(
1155 const ToolCall& call,
1156 const std::string& tier,
1157 int iteration) {
1158 nlohmann::json j;
1159 j["tool_name"] = call.name;
1160 j["args"] = nlohmann::json::parse(serialize_args(call));
1161 j["tier"] = tier.empty() ? std::string{"lead"} : tier;
1162 j["iteration"] = iteration;
1163 return j.dump();
1164}
1165
1185static std::vector<std::string> extract_pipeline_stages(
1186 const nlohmann::json& result_json) {
1187 std::vector<std::string> stages;
1188 if (!result_json.contains("stages")) { return stages; }
1189 for (const auto& s : result_json["stages"]) {
1190 stages.push_back(s.get<std::string>());
1191 }
1192 return stages;
1193}
1194
1215static std::unique_ptr<Directive> build_complete_directive(
1216 const nlohmann::json& result_json) {
1217 auto cd = std::make_unique<CompleteDirective>(
1218 result_json.value("summary", ""));
1219 cd->coverage_gap = result_json.value("coverage_gap", false);
1220 cd->gap_description = result_json.value("gap_description", "");
1221 if (result_json.contains("suggested_files")
1222 && result_json["suggested_files"].is_array()) {
1223 cd->suggested_files =
1224 result_json["suggested_files"].get<std::vector<std::string>>();
1225 }
1226 return cd;
1227}
1228
1234static std::unique_ptr<Directive> build_directive(
1235 const nlohmann::json& d, const nlohmann::json& result_json) {
1236 auto type_str = d.value("type", "");
1237 std::unique_ptr<Directive> result;
1238 if (type_str == "stop_processing") {
1239 result = std::make_unique<StopProcessingDirective>();
1240 } else if (type_str == "delegate") {
1241 // gh#32 (v2.1.6): resume_delegation emits action=resume_delegation
1242 // with delegation_id but no target. The directive's target is
1243 // resolved later by the engine after loading the original
1244 // delegation's tier from storage.
1245 result = std::make_unique<DelegateDirective>(
1246 result_json.value("target", ""),
1247 result_json.value("task", ""),
1248 result_json.value("max_turns", -1),
1249 result_json.value("delegation_id", ""));
1250 } else if (type_str == "complete") {
1251 result = build_complete_directive(result_json);
1252 } else if (type_str == "pipeline") {
1253 result = std::make_unique<PipelineDirective>(
1254 extract_pipeline_stages(result_json),
1255 result_json.value("task", ""));
1256 }
1257 return result;
1258}
1259
1268static std::optional<std::pair<nlohmann::json, nlohmann::json>>
1269extract_directive_array(const std::string& raw_result) {
1270 auto resp = nlohmann::json::parse(raw_result, nullptr, false);
1271 if (!resp.is_object() || !resp.contains("directives")) {
1272 return std::nullopt;
1273 }
1274 auto dirs = resp["directives"];
1275 if (!dirs.is_array() || dirs.empty()) { return std::nullopt; }
1276 return std::make_pair(std::move(resp), std::move(dirs));
1277}
1278
1286void ToolExecutor::extract_and_process_directives(
1287 LoopContext& ctx, const std::string& raw_result) {
1288 if (hooks_.process_directives == nullptr) { return; }
1289 auto extracted = extract_directive_array(raw_result);
1290 if (!extracted) { return; }
1291 auto& [resp, dirs] = *extracted;
1292
1293 auto result_json = nlohmann::json::parse(
1294 resp.value("result", "{}"), nullptr, false);
1295
1296 std::vector<std::unique_ptr<Directive>> owned;
1297 for (const auto& d : dirs) {
1298 auto directive = build_directive(d, result_json);
1299 if (directive) { owned.push_back(std::move(directive)); }
1300 }
1301 if (owned.empty()) { return; }
1302
1303 std::vector<const Directive*> ptrs;
1304 ptrs.reserve(owned.size());
1305 for (const auto& d : owned) { ptrs.push_back(d.get()); }
1306 logger->info("Processing {} directives from tool result", ptrs.size());
1307 hooks_.process_directives(ctx, ptrs, hooks_.user_data);
1308}
1309
1310} // namespace entropic
entropic::MCPAuthorizationManager::is_enforced
bool is_enforced(const std::string &identity_name) const
Check if an identity has authorization enforcement enabled.
Definition mcp_authorization.cpp:37
entropic::MCPAuthorizationManager::check_access
bool check_access(const std::string &identity_name, const std::string &tool_name, MCPAccessLevel required_level) const
Check if a tool call is authorized for an identity.
Definition mcp_authorization.cpp:94
entropic::ServerManager
Manages MCP server instances and routes tool calls.
Definition server_manager.h:56
entropic::ServerManager::get_required_access_level
MCPAccessLevel get_required_access_level(const std::string &tool_name) const
Get the required access level for a tool.
Definition server_manager.cpp:338
entropic::ServerManager::is_explicitly_allowed
bool is_explicitly_allowed(const std::string &tool_name, const std::string &args_json) const
Check if tool is explicitly allowed (skip prompting).
Definition server_manager.cpp:286
entropic::ServerManager::skip_duplicate_check
bool skip_duplicate_check(const std::string &tool_name) const
Check if tool should skip duplicate detection.
Definition server_manager.cpp:320
entropic::ServerManager::get_tool_schema
std::string get_tool_schema(const std::string &tool_name) const
Get the JSON Schema for a tool's input parameters.
Definition server_manager.cpp:206
entropic::ServerManager::execute
std::string execute(const std::string &tool_name, const std::string &args_json)
Execute a tool call via the appropriate server.
Definition server_manager.cpp:153
entropic::ToolCallHistory::record
void record(const ToolCallRecord &entry)
Record a completed tool call.
Definition tool_call_history.cpp:37
entropic::ToolExecutor::process_tool_calls
std::vector< Message > process_tool_calls(LoopContext &ctx, const std::vector< ToolCall > &tool_calls)
Process a batch of tool calls.
Definition tool_executor.cpp:62
entropic::ToolExecutor::ToolExecutor
ToolExecutor(ServerManager &server_manager, const LoopConfig &loop_config, EngineCallbacks &callbacks, ToolExecutorHooks hooks={})
Construct with shared dependencies.
Definition tool_executor.cpp:33
entropic::ToolExecutor::set_permission_persist
void set_permission_persist(const PermissionPersistInterface &persist)
Set permission persistence interface.
Definition tool_executor.cpp:49
ENTROPIC_HOOK_ON_PERMISSION_CHECK
@ ENTROPIC_HOOK_ON_PERMISSION_CHECK
15: Permission check evaluated
Definition hooks.h:51
ENTROPIC_HOOK_PRE_TOOL_CALL
@ ENTROPIC_HOOK_PRE_TOOL_CALL
3: Before tool execution
Definition hooks.h:39
ENTROPIC_HOOK_POST_TOOL_CALL
@ ENTROPIC_HOOK_POST_TOOL_CALL
4: After tool execution returns
Definition hooks.h:40
logging.h
spdlog initialization and logger access.
entropic::log::get
ENTROPIC_EXPORT std::shared_ptr< spdlog::logger > get(const std::string &name)
Get or create a named logger.
Definition logging.cpp:211
entropic::log::elapsed_ms
double elapsed_ms(std::chrono::steady_clock::time_point start, std::chrono::steady_clock::time_point end)
Compute elapsed milliseconds between two time points.
Definition logging.h:203
entropic
Activate model on GPU (WARM → ACTIVE).
Definition bundled_models.h:20
entropic::check_type
static std::string check_type(const std::string &key, const std::string &type, const nlohmann::json &val)
Check a single value against a type constraint.
Definition tool_executor.cpp:270
entropic::ToolResultKind
ToolResultKind
Categorical outcome of a single tool invocation.
Definition tool_result.h:31
entropic::ToolResultKind::ok
@ ok
Tool dispatched, returned non-empty content.
entropic::ToolResultKind::rejected_schema
@ rejected_schema
Precondition: argument schema violation.
entropic::ToolResultKind::rejected_anti_spiral
@ rejected_anti_spiral
Anti-spiral hard threshold crossed; tool blocked. (#14, v2.1.4)
entropic::ToolResultKind::rejected_duplicate
@ rejected_duplicate
Precondition: duplicate in recent history.
entropic::ToolResultKind::ok_empty
@ ok_empty
Tool dispatched cleanly but returned no content (v2.1.0, #44)
entropic::ToolResultKind::error
@ error
Tool server returned an error payload.
entropic::ToolResultKind::rejected_precondition
@ rejected_precondition
Any other precondition reject (auth, tier, hook-cancel)
entropic::parse_tool_result_text
static std::string parse_tool_result_text(const std::string &result_json)
Extract the "result" text from an MCP result JSON envelope.
Definition tool_executor.cpp:344
entropic::extract_pipeline_stages
static std::vector< std::string > extract_pipeline_stages(const nlohmann::json &result_json)
Extract directives from ServerResponse JSON and process them.
Definition tool_executor.cpp:1185
entropic::check_property_constraints
static std::string check_property_constraints(const std::string &key, const nlohmann::json &prop, const nlohmann::json &val)
Check one property's enum and type constraints.
Definition tool_executor.cpp:294
entropic::classify_tool_result
static ToolResultKind classify_tool_result(const std::string &content)
Classify a tool result by its content (error/empty/ok).
Definition tool_executor.cpp:747
entropic::mcp_access_level_name
const char * mcp_access_level_name(MCPAccessLevel level)
Convert MCPAccessLevel to string representation.
Definition config.cpp:21
entropic::build_directive
static std::unique_ptr< Directive > build_directive(const nlohmann::json &d, const nlohmann::json &result_json)
Build a Directive from a parsed directive + result JSON.
Definition tool_executor.cpp:1234
entropic::result_kind_to_string
const char * result_kind_to_string(ToolResultKind kind)
Serialize a ToolResultKind to its wire-stable string form.
Definition tool_result.h:49
entropic::build_complete_directive
static std::unique_ptr< Directive > build_complete_directive(const nlohmann::json &result_json)
Build a typed Directive from a directive-descriptor JSON.
Definition tool_executor.cpp:1215
entropic::extract_directive_array
static std::optional< std::pair< nlohmann::json, nlohmann::json > > extract_directive_array(const std::string &raw_result)
Pull the "directives" array out of a tool ServerResponse JSON.
Definition tool_executor.cpp:1269
entropic::truncate_result
std::string truncate_result(const std::string &text, size_t max_len)
Truncate a string to max_len characters with "..." suffix.
Definition tool_call_history.cpp:171
entropic::dup
static char * dup(const std::string &s)
Heap-allocate a C string copy.
Definition interface_factory.cpp:117
entropic::summarize_params
std::string summarize_params(const std::string &args_json)
Extract top-level JSON keys as a comma-separated summary.
Definition tool_call_history.cpp:144
entropic::validate_tool_args
static std::string validate_tool_args(const std::string &schema_json, const nlohmann::json &args)
Validate tool arguments against the tool's JSON Schema.
Definition tool_executor.cpp:319
entropic::check_enum
static std::string check_enum(const std::string &key, const nlohmann::json &allowed, const nlohmann::json &val)
Check one property's enum and type constraints.
Definition tool_executor.cpp:249
entropic::check_required_fields
static std::string check_required_fields(const nlohmann::json &schema, const nlohmann::json &args)
Check required fields are present.
Definition tool_executor.cpp:217
entropic::EngineCallbacks
Callback function pointer types for engine events.
Definition engine_types.h:300
entropic::EngineCallbacks::on_tool_call
void(* on_tool_call)(const char *json, void *ud)
Tool call request.
Definition engine_types.h:306
entropic::EngineCallbacks::on_tool_complete
void(* on_tool_complete)(const char *json, const char *result, double ms, void *ud)
Tool execution done.
Definition engine_types.h:308
entropic::EngineCallbacks::user_data
void * user_data
Opaque pointer passed to all callbacks.
Definition engine_types.h:324
entropic::EngineCallbacks::on_tool_start
void(* on_tool_start)(const char *json, void *ud)
Tool execution start.
Definition engine_types.h:307
entropic::EngineCallbacks::on_state_change
void(* on_state_change)(int state, void *ud)
AgentState as int.
Definition engine_types.h:301
entropic::LoopConfig
Configuration for the agentic loop.
Definition engine_types.h:74
entropic::LoopConfig::max_consecutive_same_tool
int max_consecutive_same_tool
Anti-spiral SOFT threshold: after N consecutive calls of the SAME tool (regardless of arg similarity,...
Definition engine_types.h:90
entropic::LoopConfig::max_consecutive_same_tool_hard_block
int max_consecutive_same_tool_hard_block
Anti-spiral HARD threshold: when consecutive same-tool calls exceed this, the engine blocks the call ...
Definition engine_types.h:98
entropic::LoopConfig::auto_approve_tools
bool auto_approve_tools
Skip tool approval (v1.8.5)
Definition engine_types.h:82
entropic::LoopConfig::max_tool_result_bytes
int max_tool_result_bytes
Maximum byte length for a single tool's result content before the engine truncates with a "[....
Definition engine_types.h:116
entropic::LoopConfig::max_tool_calls_per_turn
int max_tool_calls_per_turn
Tool calls per iteration (v1.8.5)
Definition engine_types.h:77
entropic::LoopContext
Mutable state carried through the agentic loop.
Definition engine_types.h:223
entropic::LoopContext::consecutive_errors
int consecutive_errors
Error streak counter.
Definition engine_types.h:228
entropic::LoopContext::effective_max_tool_calls_per_turn
int effective_max_tool_calls_per_turn
Per-identity override (-1 = LoopConfig, P3-18)
Definition engine_types.h:248
entropic::LoopContext::state
AgentState state
Current state.
Definition engine_types.h:226
entropic::PermissionPersistInterface
Permission persistence interface.
Definition engine_types.h:512
entropic::ToolCall
A tool call request parsed from model output.
Definition tool_call.h:31
entropic::ToolExecutorHooks
Engine-level hooks called during tool processing.
Definition engine_types.h:378
entropic::ToolExecutorHooks::after_tool
void(* after_tool)(LoopContext &ctx, void *user_data)
Called after each tool execution.
Definition engine_types.h:381
entropic::ToolExecutorHooks::process_directives
DirectiveResult(* process_directives)(LoopContext &ctx, const std::vector< const Directive * > &directives, void *user_data)
Process directives from tool results.
Definition engine_types.h:385
entropic::ToolExecutorHooks::user_data
void * user_data
Opaque pointer for hooks.
Definition engine_types.h:390
tool_executor.h
Processes tool calls from model output.
tool_result_classify.h
Byte-level classifiers for tool-result content (#44, v2.1.0).
utf8_sanitize.h
UTF-8 validation + replacement at every system boundary where bytes change ownership.