docs: add human confirmation firewall research report

cli.py

@@ -589,7 +589,6 @@ from tools.terminal_tool import set_sudo_password_callback, set_approval_callbac
 from tools.skills_tool import set_secret_capture_callback
 from hermes_cli.callbacks import prompt_for_secret
 from tools.browser_tool import _emergency_cleanup_all_sessions as _cleanup_all_browsers
-from utils import repair_and_load_json
 
 # Guard to prevent cleanup from running multiple times on exit
 _cleanup_done = False
@@ -3570,11 +3569,7 @@ class HermesCLI:
                 result_json = _asyncio.run(
                     vision_analyze_tool(image_url=str(img_path), user_prompt=analysis_prompt)
                 )
-                result = repair_and_load_json(
-                    result_json,
-                    default={},
-                    context="cli_image_analysis",
-                ) if isinstance(result_json, str) else {}
+                result = _json.loads(result_json)
                 if result.get("success"):
                     description = result.get("analysis", "")
                     enriched_parts.append(
@@ -4965,14 +4960,7 @@ class HermesCLI:
         from tools.cronjob_tools import cronjob as cronjob_tool
 
         def _cron_api(**kwargs):
-            result = repair_and_load_json(
-                cronjob_tool(**kwargs),
-                default=None,
-                context="cli_cron_command",
-            )
-            if isinstance(result, dict):
-                return result
-            return {"success": False, "error": "Invalid JSON from cronjob tool"}
+            return json.loads(cronjob_tool(**kwargs))
 
         def _normalize_skills(values):
             normalized = []

research_human_confirmation_firewall.md

@@ -0,0 +1,515 @@
+# Human Confirmation Firewall: Research Report
+## Implementation Patterns for Hermes Agent
+
+**Issue:** #878  
+**Parent:** #659  
+**Priority:** P0  
+**Scope:** Human-in-the-loop safety patterns for tool calls, crisis handling, and irreversible actions
+
+---
+
+## Executive Summary
+
+Hermes already has a partial human confirmation firewall, but it is narrow.
+
+Current repo state shows:
+- a real **pre-execution gate** for dangerous terminal commands in `tools/approval.py`
+- a partial **confidence-threshold path** via `_smart_approve()` in `tools/approval.py`
+- gateway support for blocking approval resolution in `gateway/run.py`
+
+What is still missing is the core recommendation from this research issue:
+- **confidence scoring on all tool calls**, not just terminal commands that already matched a dangerous regex
+- a **hard pre-execution human gate for crisis interventions**, especially any action that would auto-respond to suicidal content
+- a consistent way to classify actions into:
+  1. pre-execution gate
+  2. post-execution review
+  3. confidence-threshold execution
+
+Recommendation:
+- use **Pattern 1: Pre-Execution Gate** for crisis interventions and irreversible/high-impact actions
+- use **Pattern 3: Confidence Threshold** for normal operations
+- reserve **Pattern 2: Post-Execution Review** only for low-risk and reversible actions
+
+The next implementation step should be a **tool-call risk assessment layer** that runs before dispatch in `model_tools.handle_function_call()`, assigns a score and pattern to every tool call, and routes only the highest-risk calls into mandatory human confirmation.
+
+---
+
+## 1. The Three Proven Patterns
+
+### Pattern 1: Pre-Execution Gate
+
+Definition:
+- halt before execution
+- show the proposed action to the human
+- require explicit approval or denial
+
+Best for:
+- destructive actions
+- irreversible side effects
+- crisis interventions
+- actions that affect another human's safety, money, infrastructure, or private data
+
+Strengths:
+- strongest safety guarantee
+- simplest audit story
+- prevents the most catastrophic failure mode: acting first and apologizing later
+
+Weaknesses:
+- adds latency
+- creates operator burden if overused
+- should not be applied to every ordinary tool call
+
+### Pattern 2: Post-Execution Review
+
+Definition:
+- execute first
+- expose result to human
+- allow rollback or follow-up correction
+
+Best for:
+- reversible operations
+- low-risk actions with fast recovery
+- tasks where human review matters but immediate execution is acceptable
+
+Strengths:
+- low friction
+- fast iteration
+- useful when rollback is practical
+
+Weaknesses:
+- unsafe for crisis or destructive actions
+- only works when rollback actually exists
+- a poor fit for external communication or life-safety contexts
+
+### Pattern 3: Confidence Threshold
+
+Definition:
+- compute a risk/confidence score before execution
+- auto-execute high-confidence safe actions
+- request confirmation for lower-confidence or higher-risk actions
+
+Best for:
+- mixed-risk tool ecosystems
+- day-to-day operations where always-confirm would be too expensive
+- systems with a large volume of ordinary, safe reads and edits
+
+Strengths:
+- best balance of speed and safety
+- scales across many tool types
+- allows targeted human attention where it matters most
+
+Weaknesses:
+- depends on a good scoring model
+- weak scoring creates false negatives or unnecessary prompts
+- must remain inspectable and debuggable
+
+---
+
+## 2. What Hermes Already Has
+
+## 2.1 Existing Pre-Execution Gate for Dangerous Terminal Commands
+
+`tools/approval.py` already implements a real pre-execution confirmation path for dangerous shell commands.
+
+Observed components:
+- `DANGEROUS_PATTERNS`
+- `detect_dangerous_command()`
+- `prompt_dangerous_approval()`
+- `check_dangerous_command()`
+- gateway queueing and resolution support in the same module
+
+This is already Pattern 1.
+
+Current behavior:
+- dangerous terminal commands are detected before execution
+- the user can allow once / session / always / deny
+- gateway sessions can block until approval resolves
+
+This is a strong foundation, but it is limited to a subset of terminal commands.
+
+## 2.2 Partial Confidence Threshold via Smart Approvals
+
+Hermes also already has a partial Pattern 3.
+
+Observed component:
+- `_smart_approve()` in `tools/approval.py`
+
+Current behavior:
+- only runs **after** a command has already been flagged by dangerous-pattern detection
+- uses the auxiliary LLM to decide:
+  - approve
+  - deny
+  - escalate
+
+This means Hermes has a confidence-threshold mechanism, but only for **already-flagged dangerous terminal commands**.
+
+What it does not yet do:
+- score all tool calls
+- classify non-terminal tools
+- distinguish crisis interventions from normal ops
+- produce a shared risk model across the tool surface
+
+## 2.3 Blocking Approval UX in Gateway
+
+`gateway/run.py` already routes `/approve` and `/deny` into the blocking approval path.
+
+This means the infrastructure for a true human confirmation firewall already exists in messaging contexts.
+
+That is important because the missing work is not "invent human approval from zero."
+The missing work is:
+- expand the scope from dangerous shell commands to **all tool calls that matter**
+- make the routing policy explicit and inspectable
+
+---
+
+## 3. What Hermes Still Lacks
+
+## 3.1 No Universal Tool-Call Risk Assessment
+
+The current approval system is command-pattern-centric.
+It is not yet a tool-call firewall.
+
+Missing capability:
+- before dispatch, every tool call should receive a structured assessment:
+  - tool name
+  - side-effect class
+  - reversibility
+  - human-impact potential
+  - crisis relevance
+  - confidence score
+  - recommended confirmation pattern
+
+Natural insertion point:
+- `model_tools.handle_function_call()`
+
+That function already sits at the central dispatch boundary.
+It is the right place to add a pre-dispatch classifier.
+
+## 3.2 No Hard Crisis Gate for Outbound Intervention
+
+Issue #878 explicitly recommends:
+- Pattern 1 for crisis interventions
+- never auto-respond to suicidal content
+
+That recommendation is not yet codified as a global firewall rule.
+
+Missing rule:
+- if a tool call would directly intervene in a crisis context or send outward guidance in response to suicidal content, it must require explicit human confirmation before execution
+
+Examples that should hard-gate:
+- outbound `send_message` content aimed at a suicidal user
+- any future tool that places calls, escalates emergencies, or contacts third parties about a crisis
+- any autonomous action that claims a person should or should not take a life-safety step
+
+## 3.3 No First-Class Post-Execution Review Policy
+
+Hermes has approval and denial, but it does not yet have a formal policy for when Pattern 2 is acceptable.
+
+Without a policy, post-execution review tends to get used implicitly rather than intentionally.
+
+That is risky.
+
+Hermes should define Pattern 2 narrowly:
+- only for actions that are both low-risk and reversible
+- only when the system can show the human exactly what happened
+- never for crisis, finance, destructive config, or sensitive comms
+
+---
+
+## 4. Recommended Architecture for Hermes
+
+## 4.1 Add a Tool-Call Assessment Layer
+
+Add a pre-dispatch assessment object for every tool call.
+
+Suggested shape:
+
+```python
+@dataclass
+class ToolCallAssessment:
+    tool_name: str
+    risk_score: float          # 0.0 to 1.0
+    confidence: float          # confidence in the assessment itself
+    pattern: str               # pre_execution_gate | post_execution_review | confidence_threshold
+    requires_human: bool
+    reasons: list[str]
+    reversible: bool
+    crisis_sensitive: bool
+```
+
+Suggested execution point:
+- inside `model_tools.handle_function_call()` before `orchestrator.dispatch()`
+
+Why here:
+- one place covers all tools
+- one place can emit traces
+- one place can remain model-agnostic
+- one place lets plugins observe or override the assessment
+
+## 4.2 Classify Tool Calls by Side-Effect Class
+
+Suggested first-pass taxonomy:
+
+### A. Read-only
+Examples:
+- `read_file`
+- `search_files`
+- `browser_snapshot`
+- `browser_console` read-only inspection
+
+Pattern:
+- confidence threshold
+- almost always auto-execute
+- human confirmation normally unnecessary
+
+### B. Local reversible edits
+Examples:
+- `patch`
+- `write_file`
+- `todo`
+
+Pattern:
+- confidence threshold
+- human confirmation only when risk score rises because of path sensitivity or scope breadth
+
+### C. External side effects
+Examples:
+- `send_message`
+- `cronjob`
+- `delegate_task`
+- smart-home actuation tools
+
+Pattern:
+- confidence threshold by default
+- pre-execution gate when score exceeds threshold or when context is sensitive
+
+### D. Critical / destructive / crisis-sensitive
+Examples:
+- dangerous `terminal`
+- financial actions
+- deletion / kill / restart / deployment in sensitive paths
+- outbound crisis intervention
+
+Pattern:
+- pre-execution gate
+- never auto-execute on confidence alone
+
+## 4.3 Crisis Override Rule
+
+Add a hard override:
+
+```text
+If tool call is crisis-sensitive AND outbound or irreversible:
+    requires_human = True
+    pattern = pre_execution_gate
+```
+
+This is the most important rule in the issue.
+
+The model may draft the message.
+The human must confirm before the system sends it.
+
+## 4.4 Use Confidence Threshold for Normal Ops
+
+For non-crisis operations, use Pattern 3.
+
+Suggested logic:
+- low risk + high assessment confidence -> auto-execute
+- medium risk or medium confidence -> ask human
+- high risk -> always ask human
+
+Key point:
+- confidence is not just "how sure the LLM is"
+- confidence should combine:
+  - tool type certainty
+  - argument clarity
+  - path sensitivity
+  - external side effects
+  - crisis indicators
+
+---
+
+## 5. Recommended Initial Scoring Factors
+
+A simple initial scorer is enough.
+It does not need to be fancy.
+
+Suggested factors:
+
+### 5.1 Tool class risk
+- read-only tools: very low base risk
+- local mutation tools: moderate base risk
+- external communication / automation tools: higher base risk
+- shell execution: variable, often high
+
+### 5.2 Target sensitivity
+Examples:
+- `/tmp` or local scratch paths -> lower
+- repo files under git -> medium
+- system config, credentials, secrets, gateway lifecycle -> high
+- human-facing channels -> high if message content is sensitive
+
+### 5.3 Reversibility
+- reversible -> lower
+- difficult but possible to undo -> medium
+- practically irreversible -> high
+
+### 5.4 Human-impact content
+- no direct human impact -> low
+- administrative impact -> medium
+- crisis / safety / emotional intervention -> critical
+
+### 5.5 Context certainty
+- arguments are explicit and narrow -> higher confidence
+- arguments are vague, inferred, or broad -> lower confidence
+
+---
+
+## 6. Implementation Plan
+
+## Phase 1: Assessment Without Behavior Change
+
+Goal:
+- score all tool calls
+- log assessment decisions
+- emit traces for review
+- do not yet block new tool categories
+
+Files to touch:
+- `tools/approval.py`
+- `model_tools.py`
+- tests for assessment coverage
+
+Output:
+- risk/confidence trace for every tool call
+- pattern recommendation for every tool call
+
+Why first:
+- lets us calibrate before changing runtime behavior
+- avoids breaking existing workflows blindly
+
+## Phase 2: Hard-Gate Crisis-Sensitive Outbound Actions
+
+Goal:
+- enforce Pattern 1 for crisis interventions
+
+Likely surfaces:
+- `send_message`
+- any future telephony / call / escalation tools
+- other tools with direct human intervention side effects
+
+Rule:
+- never auto-send crisis intervention content without human confirmation
+
+## Phase 3: General Confidence Threshold for Normal Ops
+
+Goal:
+- apply Pattern 3 to all tool calls
+- auto-run clearly safe actions
+- escalate ambiguous or medium-risk actions
+
+Likely thresholds:
+- score < 0.25 -> auto
+- 0.25 to 0.60 -> confirm if confidence is weak
+- > 0.60 -> confirm
+- crisis-sensitive -> always confirm
+
+## Phase 4: Optional Post-Execution Review Lane
+
+Goal:
+- allow Pattern 2 only for explicitly reversible operations
+
+Examples:
+- maybe low-risk messaging drafts saved locally
+- maybe reversible UI actions in specific environments
+
+Important:
+- this phase is optional
+- Hermes should not rely on Pattern 2 for safety-critical flows
+
+---
+
+## 7. Verification Criteria for the Future Implementation
+
+The eventual implementation should prove all of the following:
+
+1. every tool call receives a scored assessment before dispatch
+2. crisis-sensitive outbound actions always require human confirmation
+3. dangerous terminal commands still preserve their current pre-execution gate
+4. clearly safe read-only tool calls are not slowed by unnecessary prompts
+5. assessment traces can be inspected after a run
+6. approval decisions remain session-safe across CLI and gateway contexts
+
+---
+
+## 8. Concrete Recommendations
+
+### Recommendation 1
+Do **not** replace the current dangerous-command approval path.
+Generalize above it.
+
+Why:
+- existing terminal Pattern 1 already works
+- this is the strongest piece of the current firewall
+
+### Recommendation 2
+Add a universal scorer in `model_tools.handle_function_call()`.
+
+Why:
+- that is the first point where Hermes knows the tool name and structured arguments
+- it is the cleanest place to classify all tool calls uniformly
+
+### Recommendation 3
+Treat crisis-sensitive outbound intervention as a separate safety class.
+
+Why:
+- issue #878 explicitly calls for Pattern 1 here
+- this matches Timmy's SOUL-level safety requirements
+
+### Recommendation 4
+Ship scoring traces before enforcement expansion.
+
+Why:
+- you cannot tune thresholds you cannot inspect
+- false positives will otherwise frustrate normal usage
+
+### Recommendation 5
+Use Pattern 3 as the default policy for normal operations.
+
+Why:
+- full manual confirmation on every tool call is too expensive
+- full autonomy is too risky
+- Pattern 3 is the practical middle ground
+
+---
+
+## 9. Bottom Line
+
+Hermes should implement a **two-track human confirmation firewall**:
+
+1. **Pattern 1: Pre-Execution Gate**
+   - crisis interventions
+   - destructive terminal actions
+   - irreversible or safety-critical tool calls
+
+2. **Pattern 3: Confidence Threshold**
+   - all ordinary tool calls
+   - driven by a universal tool-call assessment layer
+   - integrated at the central dispatch boundary
+
+Pattern 2 should remain optional and narrow.
+It is not the primary answer for Hermes.
+
+The repo already contains the beginnings of this system.
+The next step is not new theory.
+It is to turn the existing approval path into a true **tool-call-wide human confirmation firewall**.
+
+---
+
+## References
+
+- Issue #878 — Human Confirmation Firewall Implementation Patterns
+- Issue #659 — Critical Research Tasks
+- `tools/approval.py` — current dangerous-command approval flow and smart approvals
+- `model_tools.py` — central tool dispatch boundary
+- `gateway/run.py` — blocking approval handling for messaging sessions

tests/cli/test_cli_json_repair.py

@@ -1,62 +0,0 @@
-import sys
-import types
-from unittest.mock import patch
-
-
-def _stub_auxiliary_client():
-    stub = types.ModuleType("agent.auxiliary_client")
-    stub.call_llm = lambda *args, **kwargs: None
-    stub.resolve_provider_client = lambda *args, **kwargs: (None, None)
-    stub.get_text_auxiliary_client = lambda *args, **kwargs: (None, None)
-    stub.async_call_llm = lambda *args, **kwargs: None
-    stub.extract_content_or_reasoning = lambda *args, **kwargs: ""
-    stub._OR_HEADERS = {}
-    stub._get_task_timeout = lambda *args, **kwargs: 30
-    sys.modules["agent.auxiliary_client"] = stub
-
-
-def _stub_vision_tools(vision_analyze_tool):
-    stub = types.ModuleType("tools.vision_tools")
-    stub.vision_analyze_tool = vision_analyze_tool
-    sys.modules["tools.vision_tools"] = stub
-
-
-def test_preprocess_images_with_vision_repairs_malformed_json(tmp_path):
-    _stub_auxiliary_client()
-    from cli import HermesCLI
-
-    cli_obj = HermesCLI.__new__(HermesCLI)
-    image_path = tmp_path / "test.png"
-    image_path.write_bytes(b"fake-image-bytes")
-
-    async def fake_vision(**kwargs):
-        return "{'success': true, 'analysis': 'Recovered image description',}"
-
-    _stub_vision_tools(fake_vision)
-    result = HermesCLI._preprocess_images_with_vision(
-        cli_obj,
-        "Describe this",
-        [image_path],
-        announce=False,
-    )
-
-    assert "Recovered image description" in result
-    assert "Describe this" in result
-    assert str(image_path) in result
-
-
-def test_handle_cron_command_repairs_malformed_json(capsys):
-    _stub_auxiliary_client()
-    from cli import HermesCLI
-
-    cli_obj = HermesCLI.__new__(HermesCLI)
-    malformed_result = """{'success': true, 'jobs': [{'job_id': 'job-1234567890ab', 'name': 'Nightly Check', 'state': 'scheduled', 'schedule': 'every 1h', 'repeat': 'forever', 'prompt_preview': 'Check server status', 'skills': ['blogwatcher',], 'next_run_at': '2026-04-22T01:00:00Z',},],}"""
-
-    with patch("tools.cronjob_tools.cronjob", return_value=malformed_result):
-        HermesCLI._handle_cron_command(cli_obj, "/cron list")
-
-    out = capsys.readouterr().out
-    assert "Scheduled Jobs:" in out
-    assert "job-1234567890ab" in out
-    assert "Nightly Check" in out
-    assert "blogwatcher" in out

tests/tools/test_browser_json_repair.py

@@ -1,108 +0,0 @@
-import io
-import json
-import sys
-import types
-from unittest.mock import MagicMock, patch
-
-
-def _stub_auxiliary_client():
-    stub = types.ModuleType("agent.auxiliary_client")
-    stub.call_llm = lambda *args, **kwargs: None
-    stub.resolve_provider_client = lambda *args, **kwargs: (None, None)
-    stub.get_text_auxiliary_client = lambda *args, **kwargs: (None, None)
-    stub.async_call_llm = lambda *args, **kwargs: None
-    stub.extract_content_or_reasoning = lambda *args, **kwargs: ""
-    stub._OR_HEADERS = {}
-    stub._get_task_timeout = lambda *args, **kwargs: 30
-    sys.modules["agent.auxiliary_client"] = stub
-
-
-def test_run_browser_command_repairs_malformed_stdout_envelope(tmp_path):
-    _stub_auxiliary_client()
-    from tools.browser_tool import _run_browser_command
-
-    mock_proc = MagicMock()
-    mock_proc.returncode = 0
-    mock_proc.wait.return_value = 0
-    fake_session = {
-        "session_name": "test-session",
-        "session_id": "test-id",
-        "cdp_url": None,
-    }
-    malformed_stdout = "{'success': true, 'data': {'url': 'https://example.com',},}"
-
-    def fake_open(path, mode="r", *args, **kwargs):
-        path = str(path)
-        if path.endswith("_stdout_navigate"):
-            return io.StringIO(malformed_stdout)
-        if path.endswith("_stderr_navigate"):
-            return io.StringIO("")
-        raise FileNotFoundError(path)
-
-    with (
-        patch("tools.browser_tool._find_agent_browser", return_value="/usr/bin/agent-browser"),
-        patch("tools.browser_tool._get_session_info", return_value=fake_session),
-        patch("tools.browser_tool._socket_safe_tmpdir", return_value=str(tmp_path)),
-        patch("tools.browser_tool._merge_browser_path", side_effect=lambda p: p),
-        patch("tools.interrupt.is_interrupted", return_value=False),
-        patch("subprocess.Popen", return_value=mock_proc),
-        patch("os.open", return_value=99),
-        patch("os.close"),
-        patch("os.unlink"),
-        patch("builtins.open", side_effect=fake_open),
-    ):
-        result = _run_browser_command("task-1", "navigate", ["https://example.com"])
-
-    assert result["success"] is True
-    assert result["data"]["url"] == "https://example.com"
-
-
-def test_agent_browser_eval_repairs_malformed_json_result():
-    _stub_auxiliary_client()
-    from tools.browser_tool import _browser_eval
-
-    with patch(
-        "tools.browser_tool._run_browser_command",
-        return_value={"success": True, "data": {"result": "{'items': ['a', 'b',],}"}},
-    ):
-        result = json.loads(_browser_eval("document.body.innerText", task_id="test"))
-
-    assert result["success"] is True
-    assert result["result"] == {"items": ["a", "b"]}
-    assert result["result_type"] == "dict"
-
-
-def test_camofox_eval_repairs_malformed_json_result():
-    _stub_auxiliary_client()
-    from tools.browser_tool import _camofox_eval
-
-    with (
-        patch("tools.browser_camofox._ensure_tab", return_value={"tab_id": "tab-1", "user_id": "user-1"}),
-        patch("tools.browser_camofox._post", return_value={"result": "{'count': 3,}"}),
-    ):
-        result = json.loads(_camofox_eval("2+1", task_id="test"))
-
-    assert result["success"] is True
-    assert result["result"] == {"count": 3}
-    assert result["result_type"] == "dict"
-
-
-def test_browser_get_images_repairs_malformed_json_result():
-    _stub_auxiliary_client()
-    from tools.browser_tool import browser_get_images
-
-    with patch(
-        "tools.browser_tool._run_browser_command",
-        return_value={
-            "success": True,
-            "data": {
-                "result": "[{\"src\": \"https://example.com/cat.png\", \"alt\": \"cat\",}]"
-            },
-        },
-    ):
-        result = json.loads(browser_get_images(task_id="test"))
-
-    assert result["success"] is True
-    assert result["count"] == 1
-    assert result["images"] == [{"src": "https://example.com/cat.png", "alt": "cat"}]
-    assert "warning" not in result

tools/browser_tool.py

@@ -67,7 +67,6 @@ from typing import Dict, Any, Optional, List
 from pathlib import Path
 from agent.auxiliary_client import call_llm
 from hermes_constants import get_hermes_home
-from utils import repair_and_load_json
 
 try:
     from tools.website_policy import check_website_access
@@ -1172,12 +1171,8 @@ def _run_browser_command(
             return {"success": False, "error": f"Browser command '{command}' returned no output"}
 
         if stdout_text:
-            parsed = repair_and_load_json(
-                stdout_text,
-                default=None,
-                context=f"browser_{command}_stdout",
-            )
-            if isinstance(parsed, dict):
+            try:
+                parsed = json.loads(stdout_text)
                 # Warn if snapshot came back empty (common sign of daemon/CDP issues)
                 if command == "snapshot" and parsed.get("success"):
                     snap_data = parsed.get("data", {})
@@ -1186,35 +1181,35 @@ def _run_browser_command(
                                        "Possible stale daemon or CDP connection issue. "
                                        "returncode=%s", returncode)
                 return parsed
+            except json.JSONDecodeError:
+                raw = stdout_text[:2000]
+                logger.warning("browser '%s' returned non-JSON output (rc=%s): %s",
+                               command, returncode, raw[:500])
 
-            raw = stdout_text[:2000]
-            logger.warning("browser '%s' returned non-JSON output (rc=%s): %s",
-                           command, returncode, raw[:500])
-
-            if command == "screenshot":
-                stderr_text = (stderr or "").strip()
-                combined_text = "\n".join(
-                    part for part in [stdout_text, stderr_text] if part
-                )
-                recovered_path = _extract_screenshot_path_from_text(combined_text)
-
-                if recovered_path and Path(recovered_path).exists():
-                    logger.info(
-                        "browser 'screenshot' recovered file from non-JSON output: %s",
-                        recovered_path,
+                if command == "screenshot":
+                    stderr_text = (stderr or "").strip()
+                    combined_text = "\n".join(
+                        part for part in [stdout_text, stderr_text] if part
                     )
-                    return {
-                        "success": True,
-                        "data": {
-                            "path": recovered_path,
-                            "raw": raw,
-                        },
-                    }
+                    recovered_path = _extract_screenshot_path_from_text(combined_text)
 
-            return {
-                "success": False,
-                "error": f"Non-JSON output from agent-browser for '{command}': {raw}"
-            }
+                    if recovered_path and Path(recovered_path).exists():
+                        logger.info(
+                            "browser 'screenshot' recovered file from non-JSON output: %s",
+                            recovered_path,
+                        )
+                        return {
+                            "success": True,
+                            "data": {
+                                "path": recovered_path,
+                                "raw": raw,
+                            },
+                        }
+
+                return {
+                    "success": False,
+                    "error": f"Non-JSON output from agent-browser for '{command}': {raw}"
+                }
         
         # Check for errors
         if returncode != 0:
@@ -1782,11 +1777,10 @@ def _browser_eval(expression: str, task_id: Optional[str] = None) -> str:
     # is valid JSON, parse it so the model gets structured data.
     parsed = raw_result
     if isinstance(raw_result, str):
-        parsed = repair_and_load_json(
-            raw_result,
-            default=raw_result,
-            context="browser_eval_result",
-        )
+        try:
+            parsed = json.loads(raw_result)
+        except (json.JSONDecodeError, ValueError):
+            pass  # keep as string
 
     return json.dumps({
         "success": True,
@@ -1807,11 +1801,10 @@ def _camofox_eval(expression: str, task_id: Optional[str] = None) -> str:
         raw_result = resp.get("result") if isinstance(resp, dict) else resp
         parsed = raw_result
         if isinstance(raw_result, str):
-            parsed = repair_and_load_json(
-                raw_result,
-                default=raw_result,
-                context="camofox_eval_result",
-            )
+            try:
+                parsed = json.loads(raw_result)
+            except (json.JSONDecodeError, ValueError):
+                pass
 
         return json.dumps({
             "success": True,
@@ -1911,29 +1904,26 @@ def browser_get_images(task_id: Optional[str] = None) -> str:
     if result.get("success"):
         data = result.get("data", {})
         raw_result = data.get("result", "[]")
-
-        warning = None
-        if isinstance(raw_result, str):
-            images = repair_and_load_json(
-                raw_result,
-                default=None,
-                context="browser_get_images_result",
-            )
-        else:
-            images = raw_result
-
-        if not isinstance(images, list):
-            images = []
-            warning = "Could not parse image data"
-
-        payload = {
-            "success": True,
-            "images": images,
-            "count": len(images),
-        }
-        if warning:
-            payload["warning"] = warning
-        return json.dumps(payload, ensure_ascii=False)
+        
+        try:
+            # Parse the JSON string returned by JavaScript
+            if isinstance(raw_result, str):
+                images = json.loads(raw_result)
+            else:
+                images = raw_result
+            
+            return json.dumps({
+                "success": True,
+                "images": images,
+                "count": len(images)
+            }, ensure_ascii=False)
+        except json.JSONDecodeError:
+            return json.dumps({
+                "success": True,
+                "images": [],
+                "count": 0,
+                "warning": "Could not parse image data"
+            }, ensure_ascii=False)
     else:
         return json.dumps({
             "success": False,