docs: add human confirmation firewall research report

research_human_confirmation_firewall.md

@@ -0,0 +1,515 @@
+# Human Confirmation Firewall: Research Report
+## Implementation Patterns for Hermes Agent
+
+**Issue:** #878  
+**Parent:** #659  
+**Priority:** P0  
+**Scope:** Human-in-the-loop safety patterns for tool calls, crisis handling, and irreversible actions
+
+---
+
+## Executive Summary
+
+Hermes already has a partial human confirmation firewall, but it is narrow.
+
+Current repo state shows:
+- a real **pre-execution gate** for dangerous terminal commands in `tools/approval.py`
+- a partial **confidence-threshold path** via `_smart_approve()` in `tools/approval.py`
+- gateway support for blocking approval resolution in `gateway/run.py`
+
+What is still missing is the core recommendation from this research issue:
+- **confidence scoring on all tool calls**, not just terminal commands that already matched a dangerous regex
+- a **hard pre-execution human gate for crisis interventions**, especially any action that would auto-respond to suicidal content
+- a consistent way to classify actions into:
+  1. pre-execution gate
+  2. post-execution review
+  3. confidence-threshold execution
+
+Recommendation:
+- use **Pattern 1: Pre-Execution Gate** for crisis interventions and irreversible/high-impact actions
+- use **Pattern 3: Confidence Threshold** for normal operations
+- reserve **Pattern 2: Post-Execution Review** only for low-risk and reversible actions
+
+The next implementation step should be a **tool-call risk assessment layer** that runs before dispatch in `model_tools.handle_function_call()`, assigns a score and pattern to every tool call, and routes only the highest-risk calls into mandatory human confirmation.
+
+---
+
+## 1. The Three Proven Patterns
+
+### Pattern 1: Pre-Execution Gate
+
+Definition:
+- halt before execution
+- show the proposed action to the human
+- require explicit approval or denial
+
+Best for:
+- destructive actions
+- irreversible side effects
+- crisis interventions
+- actions that affect another human's safety, money, infrastructure, or private data
+
+Strengths:
+- strongest safety guarantee
+- simplest audit story
+- prevents the most catastrophic failure mode: acting first and apologizing later
+
+Weaknesses:
+- adds latency
+- creates operator burden if overused
+- should not be applied to every ordinary tool call
+
+### Pattern 2: Post-Execution Review
+
+Definition:
+- execute first
+- expose result to human
+- allow rollback or follow-up correction
+
+Best for:
+- reversible operations
+- low-risk actions with fast recovery
+- tasks where human review matters but immediate execution is acceptable
+
+Strengths:
+- low friction
+- fast iteration
+- useful when rollback is practical
+
+Weaknesses:
+- unsafe for crisis or destructive actions
+- only works when rollback actually exists
+- a poor fit for external communication or life-safety contexts
+
+### Pattern 3: Confidence Threshold
+
+Definition:
+- compute a risk/confidence score before execution
+- auto-execute high-confidence safe actions
+- request confirmation for lower-confidence or higher-risk actions
+
+Best for:
+- mixed-risk tool ecosystems
+- day-to-day operations where always-confirm would be too expensive
+- systems with a large volume of ordinary, safe reads and edits
+
+Strengths:
+- best balance of speed and safety
+- scales across many tool types
+- allows targeted human attention where it matters most
+
+Weaknesses:
+- depends on a good scoring model
+- weak scoring creates false negatives or unnecessary prompts
+- must remain inspectable and debuggable
+
+---
+
+## 2. What Hermes Already Has
+
+## 2.1 Existing Pre-Execution Gate for Dangerous Terminal Commands
+
+`tools/approval.py` already implements a real pre-execution confirmation path for dangerous shell commands.
+
+Observed components:
+- `DANGEROUS_PATTERNS`
+- `detect_dangerous_command()`
+- `prompt_dangerous_approval()`
+- `check_dangerous_command()`
+- gateway queueing and resolution support in the same module
+
+This is already Pattern 1.
+
+Current behavior:
+- dangerous terminal commands are detected before execution
+- the user can allow once / session / always / deny
+- gateway sessions can block until approval resolves
+
+This is a strong foundation, but it is limited to a subset of terminal commands.
+
+## 2.2 Partial Confidence Threshold via Smart Approvals
+
+Hermes also already has a partial Pattern 3.
+
+Observed component:
+- `_smart_approve()` in `tools/approval.py`
+
+Current behavior:
+- only runs **after** a command has already been flagged by dangerous-pattern detection
+- uses the auxiliary LLM to decide:
+  - approve
+  - deny
+  - escalate
+
+This means Hermes has a confidence-threshold mechanism, but only for **already-flagged dangerous terminal commands**.
+
+What it does not yet do:
+- score all tool calls
+- classify non-terminal tools
+- distinguish crisis interventions from normal ops
+- produce a shared risk model across the tool surface
+
+## 2.3 Blocking Approval UX in Gateway
+
+`gateway/run.py` already routes `/approve` and `/deny` into the blocking approval path.
+
+This means the infrastructure for a true human confirmation firewall already exists in messaging contexts.
+
+That is important because the missing work is not "invent human approval from zero."
+The missing work is:
+- expand the scope from dangerous shell commands to **all tool calls that matter**
+- make the routing policy explicit and inspectable
+
+---
+
+## 3. What Hermes Still Lacks
+
+## 3.1 No Universal Tool-Call Risk Assessment
+
+The current approval system is command-pattern-centric.
+It is not yet a tool-call firewall.
+
+Missing capability:
+- before dispatch, every tool call should receive a structured assessment:
+  - tool name
+  - side-effect class
+  - reversibility
+  - human-impact potential
+  - crisis relevance
+  - confidence score
+  - recommended confirmation pattern
+
+Natural insertion point:
+- `model_tools.handle_function_call()`
+
+That function already sits at the central dispatch boundary.
+It is the right place to add a pre-dispatch classifier.
+
+## 3.2 No Hard Crisis Gate for Outbound Intervention
+
+Issue #878 explicitly recommends:
+- Pattern 1 for crisis interventions
+- never auto-respond to suicidal content
+
+That recommendation is not yet codified as a global firewall rule.
+
+Missing rule:
+- if a tool call would directly intervene in a crisis context or send outward guidance in response to suicidal content, it must require explicit human confirmation before execution
+
+Examples that should hard-gate:
+- outbound `send_message` content aimed at a suicidal user
+- any future tool that places calls, escalates emergencies, or contacts third parties about a crisis
+- any autonomous action that claims a person should or should not take a life-safety step
+
+## 3.3 No First-Class Post-Execution Review Policy
+
+Hermes has approval and denial, but it does not yet have a formal policy for when Pattern 2 is acceptable.
+
+Without a policy, post-execution review tends to get used implicitly rather than intentionally.
+
+That is risky.
+
+Hermes should define Pattern 2 narrowly:
+- only for actions that are both low-risk and reversible
+- only when the system can show the human exactly what happened
+- never for crisis, finance, destructive config, or sensitive comms
+
+---
+
+## 4. Recommended Architecture for Hermes
+
+## 4.1 Add a Tool-Call Assessment Layer
+
+Add a pre-dispatch assessment object for every tool call.
+
+Suggested shape:
+
+```python
+@dataclass
+class ToolCallAssessment:
+    tool_name: str
+    risk_score: float          # 0.0 to 1.0
+    confidence: float          # confidence in the assessment itself
+    pattern: str               # pre_execution_gate | post_execution_review | confidence_threshold
+    requires_human: bool
+    reasons: list[str]
+    reversible: bool
+    crisis_sensitive: bool
+```
+
+Suggested execution point:
+- inside `model_tools.handle_function_call()` before `orchestrator.dispatch()`
+
+Why here:
+- one place covers all tools
+- one place can emit traces
+- one place can remain model-agnostic
+- one place lets plugins observe or override the assessment
+
+## 4.2 Classify Tool Calls by Side-Effect Class
+
+Suggested first-pass taxonomy:
+
+### A. Read-only
+Examples:
+- `read_file`
+- `search_files`
+- `browser_snapshot`
+- `browser_console` read-only inspection
+
+Pattern:
+- confidence threshold
+- almost always auto-execute
+- human confirmation normally unnecessary
+
+### B. Local reversible edits
+Examples:
+- `patch`
+- `write_file`
+- `todo`
+
+Pattern:
+- confidence threshold
+- human confirmation only when risk score rises because of path sensitivity or scope breadth
+
+### C. External side effects
+Examples:
+- `send_message`
+- `cronjob`
+- `delegate_task`
+- smart-home actuation tools
+
+Pattern:
+- confidence threshold by default
+- pre-execution gate when score exceeds threshold or when context is sensitive
+
+### D. Critical / destructive / crisis-sensitive
+Examples:
+- dangerous `terminal`
+- financial actions
+- deletion / kill / restart / deployment in sensitive paths
+- outbound crisis intervention
+
+Pattern:
+- pre-execution gate
+- never auto-execute on confidence alone
+
+## 4.3 Crisis Override Rule
+
+Add a hard override:
+
+```text
+If tool call is crisis-sensitive AND outbound or irreversible:
+    requires_human = True
+    pattern = pre_execution_gate
+```
+
+This is the most important rule in the issue.
+
+The model may draft the message.
+The human must confirm before the system sends it.
+
+## 4.4 Use Confidence Threshold for Normal Ops
+
+For non-crisis operations, use Pattern 3.
+
+Suggested logic:
+- low risk + high assessment confidence -> auto-execute
+- medium risk or medium confidence -> ask human
+- high risk -> always ask human
+
+Key point:
+- confidence is not just "how sure the LLM is"
+- confidence should combine:
+  - tool type certainty
+  - argument clarity
+  - path sensitivity
+  - external side effects
+  - crisis indicators
+
+---
+
+## 5. Recommended Initial Scoring Factors
+
+A simple initial scorer is enough.
+It does not need to be fancy.
+
+Suggested factors:
+
+### 5.1 Tool class risk
+- read-only tools: very low base risk
+- local mutation tools: moderate base risk
+- external communication / automation tools: higher base risk
+- shell execution: variable, often high
+
+### 5.2 Target sensitivity
+Examples:
+- `/tmp` or local scratch paths -> lower
+- repo files under git -> medium
+- system config, credentials, secrets, gateway lifecycle -> high
+- human-facing channels -> high if message content is sensitive
+
+### 5.3 Reversibility
+- reversible -> lower
+- difficult but possible to undo -> medium
+- practically irreversible -> high
+
+### 5.4 Human-impact content
+- no direct human impact -> low
+- administrative impact -> medium
+- crisis / safety / emotional intervention -> critical
+
+### 5.5 Context certainty
+- arguments are explicit and narrow -> higher confidence
+- arguments are vague, inferred, or broad -> lower confidence
+
+---
+
+## 6. Implementation Plan
+
+## Phase 1: Assessment Without Behavior Change
+
+Goal:
+- score all tool calls
+- log assessment decisions
+- emit traces for review
+- do not yet block new tool categories
+
+Files to touch:
+- `tools/approval.py`
+- `model_tools.py`
+- tests for assessment coverage
+
+Output:
+- risk/confidence trace for every tool call
+- pattern recommendation for every tool call
+
+Why first:
+- lets us calibrate before changing runtime behavior
+- avoids breaking existing workflows blindly
+
+## Phase 2: Hard-Gate Crisis-Sensitive Outbound Actions
+
+Goal:
+- enforce Pattern 1 for crisis interventions
+
+Likely surfaces:
+- `send_message`
+- any future telephony / call / escalation tools
+- other tools with direct human intervention side effects
+
+Rule:
+- never auto-send crisis intervention content without human confirmation
+
+## Phase 3: General Confidence Threshold for Normal Ops
+
+Goal:
+- apply Pattern 3 to all tool calls
+- auto-run clearly safe actions
+- escalate ambiguous or medium-risk actions
+
+Likely thresholds:
+- score < 0.25 -> auto
+- 0.25 to 0.60 -> confirm if confidence is weak
+- > 0.60 -> confirm
+- crisis-sensitive -> always confirm
+
+## Phase 4: Optional Post-Execution Review Lane
+
+Goal:
+- allow Pattern 2 only for explicitly reversible operations
+
+Examples:
+- maybe low-risk messaging drafts saved locally
+- maybe reversible UI actions in specific environments
+
+Important:
+- this phase is optional
+- Hermes should not rely on Pattern 2 for safety-critical flows
+
+---
+
+## 7. Verification Criteria for the Future Implementation
+
+The eventual implementation should prove all of the following:
+
+1. every tool call receives a scored assessment before dispatch
+2. crisis-sensitive outbound actions always require human confirmation
+3. dangerous terminal commands still preserve their current pre-execution gate
+4. clearly safe read-only tool calls are not slowed by unnecessary prompts
+5. assessment traces can be inspected after a run
+6. approval decisions remain session-safe across CLI and gateway contexts
+
+---
+
+## 8. Concrete Recommendations
+
+### Recommendation 1
+Do **not** replace the current dangerous-command approval path.
+Generalize above it.
+
+Why:
+- existing terminal Pattern 1 already works
+- this is the strongest piece of the current firewall
+
+### Recommendation 2
+Add a universal scorer in `model_tools.handle_function_call()`.
+
+Why:
+- that is the first point where Hermes knows the tool name and structured arguments
+- it is the cleanest place to classify all tool calls uniformly
+
+### Recommendation 3
+Treat crisis-sensitive outbound intervention as a separate safety class.
+
+Why:
+- issue #878 explicitly calls for Pattern 1 here
+- this matches Timmy's SOUL-level safety requirements
+
+### Recommendation 4
+Ship scoring traces before enforcement expansion.
+
+Why:
+- you cannot tune thresholds you cannot inspect
+- false positives will otherwise frustrate normal usage
+
+### Recommendation 5
+Use Pattern 3 as the default policy for normal operations.
+
+Why:
+- full manual confirmation on every tool call is too expensive
+- full autonomy is too risky
+- Pattern 3 is the practical middle ground
+
+---
+
+## 9. Bottom Line
+
+Hermes should implement a **two-track human confirmation firewall**:
+
+1. **Pattern 1: Pre-Execution Gate**
+   - crisis interventions
+   - destructive terminal actions
+   - irreversible or safety-critical tool calls
+
+2. **Pattern 3: Confidence Threshold**
+   - all ordinary tool calls
+   - driven by a universal tool-call assessment layer
+   - integrated at the central dispatch boundary
+
+Pattern 2 should remain optional and narrow.
+It is not the primary answer for Hermes.
+
+The repo already contains the beginnings of this system.
+The next step is not new theory.
+It is to turn the existing approval path into a true **tool-call-wide human confirmation firewall**.
+
+---
+
+## References
+
+- Issue #878 — Human Confirmation Firewall Implementation Patterns
+- Issue #659 — Critical Research Tasks
+- `tools/approval.py` — current dangerous-command approval flow and smart approvals
+- `model_tools.py` — central tool dispatch boundary
+- `gateway/run.py` — blocking approval handling for messaging sessions

run_agent.py

@@ -20,7 +20,6 @@ Usage:
     response = agent.run_conversation("Tell me about the latest Python updates")
 """
 
-import ast
 import asyncio
 import base64
 import concurrent.futures
@@ -3329,119 +3328,6 @@ class AIAgent:
 
     _VALID_API_ROLES = frozenset({"system", "user", "assistant", "tool", "function", "developer"})
 
-    @staticmethod
-    def _normalize_tool_call_arguments(arguments: Any) -> tuple[str, bool]:
-        """Return ``(normalized_text, is_complete)`` for tool-call arguments.
-
-        Conservative by design: repairs harmless formatting quirks common in
-        Gemma 4 / Ollama output (whitespace, trailing commas, Python-style
-        single-quoted dicts, bare key/value pairs) but does NOT auto-close
-        truncated JSON objects. Truly incomplete fragments must remain marked
-        incomplete so the agent can retry instead of silently dropping fields.
-        """
-        if isinstance(arguments, (dict, list)):
-            return json.dumps(arguments, ensure_ascii=False, separators=(",", ":")), True
-        if arguments is None:
-            return "{}", True
-        if not isinstance(arguments, str):
-            arguments = str(arguments)
-
-        text = arguments.strip()
-        if not text:
-            return "{}", True
-
-        def _parse_candidate(candidate: str):
-            try:
-                return json.loads(candidate)
-            except (json.JSONDecodeError, TypeError, ValueError):
-                pass
-            try:
-                return ast.literal_eval(candidate)
-            except (SyntaxError, ValueError):
-                return None
-
-        candidates: list[str] = [text]
-
-        trimmed_trailing_commas = re.sub(r",\s*([}\]])", r"\1", text)
-        if trimmed_trailing_commas != text:
-            candidates.append(trimmed_trailing_commas)
-
-        if ":" in text and not text.startswith(("{", "[")):
-            wrapped = "{" + text + "}"
-            candidates.append(wrapped)
-            quoted_keys = re.sub(
-                r'([\{,]\s*)([A-Za-z_][A-Za-z0-9_\-]*)(\s*:)',
-                r'\1"\2"\3',
-                wrapped,
-            )
-            if quoted_keys != wrapped:
-                candidates.append(quoted_keys)
-                trimmed_quoted_keys = re.sub(r",\s*([}\]])", r"\1", quoted_keys)
-                if trimmed_quoted_keys != quoted_keys:
-                    candidates.append(trimmed_quoted_keys)
-
-        seen: set[str] = set()
-        for candidate in candidates:
-            if candidate in seen:
-                continue
-            seen.add(candidate)
-            parsed = _parse_candidate(candidate)
-            if isinstance(parsed, (dict, list)):
-                return json.dumps(parsed, ensure_ascii=False, separators=(",", ":")), True
-
-        return text, False
-
-    @staticmethod
-    def _merge_consecutive_assistant_tool_call_messages(messages: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
-        """Merge adjacent assistant messages that each carry tool_calls.
-
-        Some providers emit parallel tool calls as multiple consecutive assistant
-        messages instead of a single assistant message with multiple tool calls.
-        Merge only adjacent assistant/tool-call messages; any non-assistant
-        boundary flushes the current batch.
-        """
-        merged: List[Dict[str, Any]] = []
-        pending: Optional[Dict[str, Any]] = None
-
-        def _flush_pending() -> None:
-            nonlocal pending
-            if pending is not None:
-                merged.append(pending)
-                pending = None
-
-        for msg in messages:
-            if not isinstance(msg, dict):
-                _flush_pending()
-                merged.append(msg)
-                continue
-
-            role = msg.get("role")
-            tool_calls = msg.get("tool_calls")
-            if role == "assistant" and isinstance(tool_calls, list) and tool_calls:
-                if pending is None:
-                    pending = copy.deepcopy(msg)
-                    continue
-
-                pending_tool_calls = pending.get("tool_calls")
-                if not isinstance(pending_tool_calls, list):
-                    pending_tool_calls = []
-                    pending["tool_calls"] = pending_tool_calls
-                pending_tool_calls.extend(copy.deepcopy(tool_calls))
-
-                pending_content = pending.get("content") or ""
-                current_content = msg.get("content") or ""
-                if pending_content and current_content:
-                    pending["content"] = pending_content + "\n" + current_content
-                elif current_content:
-                    pending["content"] = current_content
-                continue
-
-            _flush_pending()
-            merged.append(msg)
-
-        _flush_pending()
-        return merged
-
     @staticmethod
     def _sanitize_api_messages(messages: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
         """Fix orphaned tool_call / tool_result pairs before every LLM call.
@@ -3461,7 +3347,7 @@ class AIAgent:
                 )
                 continue
             filtered.append(msg)
-        messages = AIAgent._merge_consecutive_assistant_tool_call_messages(filtered)
+        messages = filtered
 
         surviving_call_ids: set = set()
         for msg in messages:
@@ -5368,9 +5254,12 @@ class AIAgent:
                 mock_tool_calls = []
                 for idx in sorted(tool_calls_acc):
                     tc = tool_calls_acc[idx]
-                    arguments, is_complete = self._normalize_tool_call_arguments(tc["function"]["arguments"])
-                    if not is_complete:
-                        has_truncated_tool_args = True
+                    arguments = tc["function"]["arguments"]
+                    if arguments and arguments.strip():
+                        try:
+                            json.loads(arguments)
+                        except json.JSONDecodeError:
+                            has_truncated_tool_args = True
                     mock_tool_calls.append(SimpleNamespace(
                         id=tc["id"],
                         type=tc["type"],
@@ -6674,7 +6563,6 @@ class AIAgent:
                     response_item_id if isinstance(response_item_id, str) else None,
                 )
 
-                normalized_args, _ = self._normalize_tool_call_arguments(tool_call.function.arguments)
                 tc_dict = {
                     "id": call_id,
                     "call_id": call_id,
@@ -6682,7 +6570,7 @@ class AIAgent:
                     "type": tool_call.type,
                     "function": {
                         "name": tool_call.function.name,
-                        "arguments": normalized_args,
+                        "arguments": tool_call.function.arguments
                     },
                 }
                 # Preserve extra_content (e.g. Gemini thought_signature) so it
@@ -10143,15 +10031,21 @@ class AIAgent:
                     # Handle empty strings as empty objects (common model quirk)
                     invalid_json_args = []
                     for tc in assistant_message.tool_calls:
-                        normalized_args, is_complete = self._normalize_tool_call_arguments(tc.function.arguments)
-                        tc.function.arguments = normalized_args
-                        if not is_complete:
-                            try:
-                                json.loads(normalized_args)
-                            except json.JSONDecodeError as e:
-                                invalid_json_args.append((tc.function.name, str(e)))
-                            except Exception as e:
-                                invalid_json_args.append((tc.function.name, str(e)))
+                        args = tc.function.arguments
+                        if isinstance(args, (dict, list)):
+                            tc.function.arguments = json.dumps(args)
+                            continue
+                        if args is not None and not isinstance(args, str):
+                            tc.function.arguments = str(args)
+                            args = tc.function.arguments
+                        # Treat empty/whitespace strings as empty object
+                        if not args or not args.strip():
+                            tc.function.arguments = "{}"
+                            continue
+                        try:
+                            json.loads(args)
+                        except json.JSONDecodeError as e:
+                            invalid_json_args.append((tc.function.name, str(e)))
                     
                     if invalid_json_args:
                         # Check if the invalid JSON is due to truncation rather

tests/run_agent/test_run_agent.py

@@ -1037,138 +1037,6 @@ class TestBuildAssistantMessage:
         result = agent._build_assistant_message(msg, "tool_calls")
         assert "extra_content" not in result["tool_calls"][0]
 
-    def test_tool_call_arguments_normalized_from_gemma4_whitespace(self, agent):
-        tc = _mock_tool_call(
-            name="read_file",
-            arguments='  \n  {"path": "README.md"}  \n  ',
-            call_id="c4",
-        )
-        msg = _mock_assistant_msg(content="", tool_calls=[tc])
-        result = agent._build_assistant_message(msg, "tool_calls")
-        assert result["tool_calls"][0]["function"]["arguments"] == '{"path":"README.md"}'
-
-    def test_tool_call_arguments_normalized_from_single_quotes_and_trailing_comma(self, agent):
-        tc = _mock_tool_call(
-            name="read_file",
-            arguments="{'path': 'README.md',}",
-            call_id="c5",
-        )
-        msg = _mock_assistant_msg(content="", tool_calls=[tc])
-        result = agent._build_assistant_message(msg, "tool_calls")
-        assert result["tool_calls"][0]["function"]["arguments"] == '{"path":"README.md"}'
-
-
-class TestNormalizeToolCallArguments:
-    @pytest.mark.parametrize(
-        ("raw_args", "expected"),
-        [
-            ('{"q":"test"}', '{"q":"test"}'),
-            ('  \n  {"q": "test"}  \n  ', '{"q":"test"}'),
-            ('{"q": "test",}', '{"q":"test"}'),
-            ("{'q': 'test'}", '{"q":"test"}'),
-            ("{'path': 'README.md', 'mode': 'read'}", '{"path":"README.md","mode":"read"}'),
-            ('"path": "README.md"', '{"path":"README.md"}'),
-            ('path: "README.md"', '{"path":"README.md"}'),
-            ('path: "README.md", mode: "read"', '{"path":"README.md","mode":"read"}'),
-            ({"path": "README.md"}, '{"path":"README.md"}'),
-            (["README.md", "docs.md"], '["README.md","docs.md"]'),
-            ('\t\n  ', '{}'),
-            ('{"nested": {"path": "README.md"}}', '{"nested":{"path":"README.md"}}'),
-        ],
-    )
-    def test_complete_args_are_normalized(self, raw_args, expected):
-        normalized, is_complete = AIAgent._normalize_tool_call_arguments(raw_args)
-        assert is_complete is True
-        assert normalized == expected
-
-    @pytest.mark.parametrize(
-        "raw_args",
-        [
-            '{"path": "README.md"',
-            '{"a": 1, "b"',
-            '{"path": [1, 2}',
-            "{'path': 'README.md'",
-            'path: "README.md", mode:',
-            '{"command": "echo hello",',
-        ],
-    )
-    def test_incomplete_args_are_not_marked_complete(self, raw_args):
-        normalized, is_complete = AIAgent._normalize_tool_call_arguments(raw_args)
-        assert is_complete is False
-        assert isinstance(normalized, str)
-        assert normalized == raw_args.strip()
-
-
-class TestSanitizeApiMessages:
-    def test_merges_consecutive_assistant_tool_call_messages(self):
-        messages = [
-            {
-                "role": "assistant",
-                "content": "first",
-                "tool_calls": [{"id": "c1", "type": "function", "function": {"name": "read_file", "arguments": '{"path":"a.py"}'}}],
-            },
-            {
-                "role": "assistant",
-                "content": "second",
-                "tool_calls": [{"id": "c2", "type": "function", "function": {"name": "search_files", "arguments": '{"pattern":"TODO"}'}}],
-            },
-            {"role": "tool", "tool_call_id": "c1", "content": "a.py"},
-            {"role": "tool", "tool_call_id": "c2", "content": "matches"},
-        ]
-
-        sanitized = AIAgent._sanitize_api_messages(messages)
-
-        assert len(sanitized) == 3
-        assert sanitized[0]["role"] == "assistant"
-        assert [tc["id"] for tc in sanitized[0]["tool_calls"]] == ["c1", "c2"]
-        assert sanitized[0]["content"] == "first\nsecond"
-
-    def test_does_not_merge_assistant_tool_call_messages_across_non_assistant_boundary(self):
-        messages = [
-            {
-                "role": "assistant",
-                "content": "",
-                "tool_calls": [{"id": "c1", "type": "function", "function": {"name": "read_file", "arguments": '{"path":"a.py"}'}}],
-            },
-            {"role": "tool", "tool_call_id": "c1", "content": "a.py"},
-            {
-                "role": "assistant",
-                "content": "",
-                "tool_calls": [{"id": "c2", "type": "function", "function": {"name": "read_file", "arguments": '{"path":"b.py"}'}}],
-            },
-            {"role": "tool", "tool_call_id": "c2", "content": "b.py"},
-        ]
-
-        sanitized = AIAgent._sanitize_api_messages(messages)
-
-        assistant_msgs = [m for m in sanitized if m.get("role") == "assistant"]
-        assert len(assistant_msgs) == 2
-        assert assistant_msgs[0]["tool_calls"][0]["id"] == "c1"
-        assert assistant_msgs[1]["tool_calls"][0]["id"] == "c2"
-
-    def test_merge_preserves_tool_call_order(self):
-        messages = [
-            {
-                "role": "assistant",
-                "content": "",
-                "tool_calls": [{"id": "c1", "type": "function", "function": {"name": "read_file", "arguments": '{"path":"a.py"}'}}],
-            },
-            {
-                "role": "assistant",
-                "content": "",
-                "tool_calls": [{"id": "c2", "type": "function", "function": {"name": "read_file", "arguments": '{"path":"b.py"}'}}],
-            },
-            {
-                "role": "assistant",
-                "content": "",
-                "tool_calls": [{"id": "c3", "type": "function", "function": {"name": "read_file", "arguments": '{"path":"c.py"}'}}],
-            },
-        ]
-
-        sanitized = AIAgent._sanitize_api_messages(messages)
-
-        assert [tc["id"] for tc in sanitized[0]["tool_calls"]] == ["c1", "c2", "c3"]
-
 
 class TestFormatToolsForSystemMessage:
     def test_no_tools_returns_empty_array(self, agent):
@@ -3599,59 +3467,6 @@ class TestStreamingApiCall:
         assert tc[0].function.arguments == '{"path":"x.txt","content":"hel'
         assert resp.choices[0].finish_reason == "length"
 
-    @pytest.mark.parametrize(
-        ("raw_arguments", "expected"),
-        [
-            ('  \n  {"path": "x.txt"}  \n  ', '{"path":"x.txt"}'),
-            ("{'path': 'x.txt',}", '{"path":"x.txt"}'),
-            ('path: "x.txt", mode: "read"', '{"path":"x.txt","mode":"read"}'),
-        ],
-    )
-    def test_repairable_tool_call_args_do_not_upgrade_finish_reason_to_length(self, agent, raw_arguments, expected):
-        chunks = [
-            _make_chunk(tool_calls=[_make_tc_delta(0, "call_1", "read_file", raw_arguments)]),
-            _make_chunk(finish_reason="tool_calls"),
-        ]
-        agent.client.chat.completions.create.return_value = iter(chunks)
-
-        resp = agent._interruptible_streaming_api_call({"messages": []})
-
-        tc = resp.choices[0].message.tool_calls
-        assert len(tc) == 1
-        assert tc[0].function.name == "read_file"
-        assert tc[0].function.arguments == expected
-        assert resp.choices[0].finish_reason == "tool_calls"
-
-    def test_streamed_tool_call_args_single_quotes_across_chunks_normalized(self, agent):
-        chunks = [
-            _make_chunk(tool_calls=[_make_tc_delta(0, "call_1", "read_file", "{'path':")]),
-            _make_chunk(tool_calls=[_make_tc_delta(0, None, None, " 'x.txt',}")]),
-            _make_chunk(finish_reason="tool_calls"),
-        ]
-        agent.client.chat.completions.create.return_value = iter(chunks)
-
-        resp = agent._interruptible_streaming_api_call({"messages": []})
-
-        tc = resp.choices[0].message.tool_calls
-        assert len(tc) == 1
-        assert tc[0].function.arguments == '{"path":"x.txt"}'
-        assert resp.choices[0].finish_reason == "tool_calls"
-
-    def test_streamed_split_json_chunks_still_reassemble(self, agent):
-        chunks = [
-            _make_chunk(tool_calls=[_make_tc_delta(0, "call_1", "read_file", '{"path":')]),
-            _make_chunk(tool_calls=[_make_tc_delta(0, None, None, ' "x.txt"}')]),
-            _make_chunk(finish_reason="tool_calls"),
-        ]
-        agent.client.chat.completions.create.return_value = iter(chunks)
-
-        resp = agent._interruptible_streaming_api_call({"messages": []})
-
-        tc = resp.choices[0].message.tool_calls
-        assert len(tc) == 1
-        assert tc[0].function.arguments == '{"path":"x.txt"}'
-        assert resp.choices[0].finish_reason == "tool_calls"
-
     def test_ollama_reused_index_separate_tool_calls(self, agent):
         """Ollama sends every tool call at index 0 with different ids.