Merge pull request #163 from CJackHwang/dev

docs: update API documentation, deployment guides, and README with new admin endpoints, compatibility notes, and build instructions

.env.example

@@ -10,6 +10,8 @@ DS2API_ADMIN_KEY=change-me
 DS2API_CONFIG_PATH=/app/config.json
 # 2) inline JSON or Base64 JSON
 # DS2API_CONFIG_JSON=
+# 3) legacy compatibility alias
+# CONFIG_JSON=
 
 # Optional: static admin assets path
 # DS2API_STATIC_ADMIN_DIR=/app/static/admin

API.en.md

@@ -46,6 +46,7 @@ Use it per deployment mode:
 
 - Local run: read `config.json` directly
 - Docker / Vercel: generate Base64 from `config.json`, then set `DS2API_CONFIG_JSON`
+- Compatibility note: `DS2API_CONFIG_JSON` may also contain raw JSON directly; `CONFIG_JSON` is the legacy fallback variable
 
 ```bash
 DS2API_CONFIG_JSON="$(base64 < config.json | tr -d '\n')"
@@ -65,6 +66,7 @@ Two header formats accepted:
 | --- | --- |
 | Bearer Token | `Authorization: Bearer <token>` |
 | API Key Header | `x-api-key: <token>` (no `Bearer` prefix) |
+| Gemini-compatible | `x-goog-api-key: <token>` or `?key=<token>` / `?api_key=<token>` |
 
 **Auth behavior**:
 
@@ -72,6 +74,7 @@ Two header formats accepted:
 - Token is not in `config.keys` → **Direct token mode**: treated as a DeepSeek token directly
 
 **Optional header**: `X-Ds2-Target-Account: <email_or_mobile>` — Pin a specific managed account.
+Gemini-compatible clients can also send `x-goog-api-key`, `?key=`, or `?api_key=` as the caller credential source.
 
 ### Admin Endpoints (`/admin/*`)
 
@@ -124,13 +127,16 @@ Two header formats accepted:
 | GET | `/admin/queue/status` | Admin | Account queue status |
 | POST | `/admin/accounts/test` | Admin | Test one account |
 | POST | `/admin/accounts/test-all` | Admin | Test all accounts |
+| POST | `/admin/accounts/sessions/delete-all` | Admin | Delete all sessions for one account |
 | POST | `/admin/import` | Admin | Batch import keys/accounts |
 | POST | `/admin/test` | Admin | Test API through service |
 | POST | `/admin/vercel/sync` | Admin | Sync config to Vercel |
 | GET | `/admin/vercel/status` | Admin | Vercel sync status |
+| POST | `/admin/vercel/status` | Admin | Vercel sync status / draft compare |
 | GET | `/admin/export` | Admin | Export config JSON/Base64 |
 | GET | `/admin/dev/captures` | Admin | Read local packet-capture entries |
 | DELETE | `/admin/dev/captures` | Admin | Clear local packet-capture entries |
+| GET | `/admin/version` | Admin | Check current version and latest Release |
 
 ---
 
@@ -580,6 +586,7 @@ Returns sanitized config.
 ```json
 {
   "keys": ["k1", "k2"],
+  "env_backed": false,
   "accounts": [
     {
       "identifier": "user@example.com",
@@ -599,7 +606,7 @@ Returns sanitized config.
 
 ### `POST /admin/config`
 
-Updatable fields: `keys`, `accounts`, `claude_mapping`.
+Only updates `keys`, `accounts`, and `claude_mapping`.
 
 **Request**:
 
@@ -620,7 +627,8 @@ Updatable fields: `keys`, `accounts`, `claude_mapping`.
 
 Reads runtime settings and status, including:
 
-- `admin` (JWT expiry, default-password warning, etc.)
+- `success`
+- `admin` (`has_password_hash`, `jwt_expire_hours`, `jwt_valid_after_unix`, `default_password_warning`)
 - `runtime` (`account_max_inflight`, `account_max_queue`, `global_max_inflight`)
 - `toolcall` / `responses` / `embeddings`
 - `auto_delete` (`sessions`)
@@ -650,6 +658,8 @@ Request example:
 {"new_password":"your-new-password"}
 ```
 
+It also accepts `{"password":"your-new-password"}`.
+
 ### `POST /admin/config/import`
 
 Imports full config with:
@@ -658,6 +668,8 @@ Imports full config with:
 - `mode=replace`
 
 The request can send config directly, or wrapped as `{"config": {...}, "mode":"merge"}`.
+Query params `?mode=merge` / `?mode=replace` are also supported.
+Import accepts `keys`, `accounts`, `claude_mapping` / `claude_model_mapping`, `model_aliases`, `admin`, `runtime`, `toolcall`, `responses`, `embeddings`, and `auto_delete`.
 
 ### `GET /admin/config/export`
 
@@ -683,6 +695,7 @@ Exports full config in three forms: `config`, `json`, and `base64`.
 | --- | --- | --- |
 | `page` | `1` | ≥ 1 |
 | `page_size` | `10` | 1–100 |
+| `q` | empty | Filter by identifier / email / mobile |
 
 **Response**:
 
@@ -695,7 +708,8 @@ Exports full config in three forms: `config`, `json`, and `base64`.
       "mobile": "",
       "has_password": true,
       "has_token": true,
-      "token_preview": "abc..."
+      "token_preview": "abc...",
+      "test_status": "ok"
     }
   ],
   "total": 25,
@@ -705,6 +719,8 @@ Exports full config in three forms: `config`, `json`, and `base64`.
 }
 ```
 
+Returned items also include `test_status`, usually `ok` or `failed`.
+
 ### `POST /admin/accounts`
 
 ```json
@@ -757,10 +773,14 @@ Exports full config in three forms: `config`, `json`, and `base64`.
   "success": true,
   "response_time": 1240,
   "message": "API test successful (session creation only)",
-  "model": "deepseek-chat"
+  "model": "deepseek-chat",
+  "session_count": 0,
+  "config_writable": true
 }
 ```
 
+If a `message` is provided, `thinking` may also be included when the upstream response carries reasoning text.
+
 ### `POST /admin/accounts/test-all`
 
 Optional request field: `model`.
@@ -774,6 +794,25 @@ Optional request field: `model`.
 }
 ```
 
+The internal concurrency limit is currently fixed at 5.
+
+### `POST /admin/accounts/sessions/delete-all`
+
+Deletes all DeepSeek sessions for a specific account. Request example:
+
+```json
+{"identifier":"user@example.com"}
+```
+
+Response:
+
+```json
+{"success": true, "message": "删除成功"}
+```
+
+If the account is missing or deletion fails, `success` becomes `false` and `message` contains the error.
+The current handler returns the Chinese literal `删除成功` on success.
+
 ### `POST /admin/import`
 
 Batch import keys and accounts.
@@ -851,16 +890,25 @@ Or manual deploy required:
 }
 ```
 
+Failed account checks are returned in `failed_accounts`, and any saved Vercel credentials are returned in `saved_credentials`.
+
 ### `GET /admin/vercel/status`
 
 ```json
 {
   "synced": true,
   "last_sync_time": 1738400000,
-  "has_synced_before": true
+  "has_synced_before": true,
+  "env_backed": false,
+  "config_hash": "....",
+  "last_synced_hash": "....",
+  "draft_hash": "....",
+  "draft_differs": false
 }
 ```
 
+`POST /admin/vercel/status` can also accept `config_override` to compare a draft config against the current synced config.
+
 ### `GET /admin/export`
 
 ```json
@@ -870,6 +918,29 @@ Or manual deploy required:
 }
 ```
 
+This is the same payload as `GET /admin/config/export`, just with a shorter path.
+
+### `GET /admin/version`
+
+Checks the current build version and the latest GitHub Release:
+
+```json
+{
+  "success": true,
+  "current_version": "2.3.5",
+  "current_tag": "v2.3.5",
+  "source": "file:VERSION",
+  "checked_at": "2026-03-29T00:00:00Z",
+  "latest_tag": "v2.3.6",
+  "latest_version": "2.3.6",
+  "release_url": "https://github.com/CJackHwang/ds2api/releases/tag/v2.3.6",
+  "published_at": "2026-03-28T12:00:00Z",
+  "has_update": true
+}
+```
+
+If GitHub API access fails, the response includes `check_error` while still returning HTTP 200.
+
 ### `GET /admin/dev/captures`
 
 Reads local packet-capture status and recent entries (Admin auth required):

API.md

@@ -46,6 +46,7 @@ cp config.example.json config.json
 
 - 本地运行：直接读取 `config.json`
 - Docker / Vercel：从 `config.json` 生成 Base64，填入 `DS2API_CONFIG_JSON`
+- 兼容写法：`DS2API_CONFIG_JSON` 也可直接填原始 JSON；`CONFIG_JSON` 是旧版兼容回退变量
 
 ```bash
 DS2API_CONFIG_JSON="$(base64 < config.json | tr -d '\n')"
@@ -65,6 +66,7 @@ Vercel 一键部署可先只填 `DS2API_ADMIN_KEY`，部署后在 `/admin` 导
 | --- | --- |
 | Bearer Token | `Authorization: Bearer <token>` |
 | API Key Header | `x-api-key: <token>`（无 `Bearer` 前缀） |
+| Gemini 兼容 | `x-goog-api-key: <token>` 或 `?key=<token>` / `?api_key=<token>` |
 
 **鉴权行为**：
 
@@ -72,6 +74,7 @@ Vercel 一键部署可先只填 `DS2API_ADMIN_KEY`，部署后在 `/admin` 导
 - token 不在 `config.keys` 中 → **直通 token 模式**，直接作为 DeepSeek token 使用
 
 **可选请求头**：`X-Ds2-Target-Account: <email_or_mobile>` — 指定使用某个托管账号。
+Gemini 兼容客户端还可以使用 `x-goog-api-key`、`?key=` 或 `?api_key=` 作为凭据来源。
 
 ### Admin 接口（`/admin/*`）
 
@@ -124,13 +127,16 @@ Vercel 一键部署可先只填 `DS2API_ADMIN_KEY`，部署后在 `/admin` 导
 | GET | `/admin/queue/status` | Admin | 账号队列状态 |
 | POST | `/admin/accounts/test` | Admin | 测试单个账号 |
 | POST | `/admin/accounts/test-all` | Admin | 测试全部账号 |
+| POST | `/admin/accounts/sessions/delete-all` | Admin | 删除某账号的全部会话 |
 | POST | `/admin/import` | Admin | 批量导入 keys/accounts |
 | POST | `/admin/test` | Admin | 测试当前 API 可用性 |
 | POST | `/admin/vercel/sync` | Admin | 同步配置到 Vercel |
 | GET | `/admin/vercel/status` | Admin | Vercel 同步状态 |
+| POST | `/admin/vercel/status` | Admin | Vercel 同步状态 / 草稿对比 |
 | GET | `/admin/export` | Admin | 导出配置 JSON/Base64 |
 | GET | `/admin/dev/captures` | Admin | 查看本地抓包记录 |
 | DELETE | `/admin/dev/captures` | Admin | 清空本地抓包记录 |
+| GET | `/admin/version` | Admin | 查询当前版本与最新 Release |
 
 ---
 
@@ -286,7 +292,8 @@ data: [DONE]
 
 补充说明：
 
-- **非代码块上下文**下，工具 JSON 即使与普通文本混合，也会按特征识别并产出可执行 tool call（前后普通文本仍可透传）。
+- **非代码块上下文**下，工具负载即使与普通文本混合，也会按特征识别并产出可执行 tool call（前后普通文本仍可透传）。
+- 解析器以 XML/Markup 为最高优先级，并兼容 JSON、ANTML、text-kv 等格式输入；最终按客户端协议转译为对应 tool call 结构（OpenAI/Claude/Gemini）。
 - Markdown fenced code block（例如 ```json ... ```）中的 `tool_calls` 仅视为示例文本，不会被执行。
 
 ---
@@ -346,7 +353,8 @@ data: [DONE]
 ```
 
 流式场景下若 `tool_choice=required` 违规，会返回 `response.failed` 后结束（不再发送 `response.completed`）。
-未在 `tools` 声明中的工具名会被严格拒绝，不会作为有效 tool call 下发。
+
+> 当前版本说明：解析层默认“尽量提取结构化 tool call”，未启用基于 `tools` allow-list 的硬拒绝；是否执行仍应由你的工具执行器做白名单校验。
 
 ### `GET /v1/responses/{response_id}`
 
@@ -492,6 +500,8 @@ data: {"type":"message_stop"}
 }
 ```
 
+返回项还会包含 `test_status`，当前值通常为 `ok` 或 `failed`。
+
 ---
 
 ## Gemini 兼容接口
@@ -585,6 +595,7 @@ data: {"type":"message_stop"}
 ```json
 {
   "keys": ["k1", "k2"],
+  "env_backed": false,
   "accounts": [
     {
       "identifier": "user@example.com",
@@ -604,7 +615,7 @@ data: {"type":"message_stop"}
 
 ### `POST /admin/config`
 
-可更新 `keys`、`accounts`、`claude_mapping`。
+只更新 `keys`、`accounts`、`claude_mapping`。
 
 **请求**：
 
@@ -625,7 +636,8 @@ data: {"type":"message_stop"}
 
 读取运行时设置与状态，返回：
 
-- `admin`（JWT 过期、默认密码告警等）
+- `success`
+- `admin`（`has_password_hash`、`jwt_expire_hours`、`jwt_valid_after_unix`、`default_password_warning`）
 - `runtime`（`account_max_inflight`、`account_max_queue`、`global_max_inflight`）
 - `toolcall` / `responses` / `embeddings`
 - `auto_delete`（`sessions`）
@@ -655,6 +667,8 @@ data: {"type":"message_stop"}
 {"new_password":"your-new-password"}
 ```
 
+也兼容 `{"password":"your-new-password"}`。
+
 ### `POST /admin/config/import`
 
 导入完整配置，支持：
@@ -663,6 +677,8 @@ data: {"type":"message_stop"}
 - `mode=replace`
 
 请求可直接传配置对象，或使用 `{"config": {...}, "mode":"merge"}` 包裹格式。
+也支持在查询参数里传 `?mode=merge` / `?mode=replace`。
+导入时会接受 `keys`、`accounts`、`claude_mapping` / `claude_model_mapping`、`model_aliases`、`admin`、`runtime`、`toolcall`、`responses`、`embeddings`、`auto_delete` 等字段。
 
 ### `GET /admin/config/export`
 
@@ -688,6 +704,7 @@ data: {"type":"message_stop"}
 | --- | --- | --- |
 | `page` | `1` | ≥ 1 |
 | `page_size` | `10` | 1–100 |
+| `q` | 空 | 按 identifier / email / mobile 过滤 |
 
 **响应**：
 
@@ -700,7 +717,8 @@ data: {"type":"message_stop"}
       "mobile": "",
       "has_password": true,
       "has_token": true,
-      "token_preview": "abc..."
+      "token_preview": "abc...",
+      "test_status": "ok"
     }
   ],
   "total": 25,
@@ -762,10 +780,14 @@ data: {"type":"message_stop"}
   "success": true,
   "response_time": 1240,
   "message": "API 测试成功（仅会话创建）",
-  "model": "deepseek-chat"
+  "model": "deepseek-chat",
+  "session_count": 0,
+  "config_writable": true
 }
 ```
 
+如果传入 `message`，还会附带 `thinking`（当上游返回思考内容时）。
+
 ### `POST /admin/accounts/test-all`
 
 可选请求字段：`model`
@@ -779,6 +801,24 @@ data: {"type":"message_stop"}
 }
 ```
 
+内部并发上限当前固定为 5。
+
+### `POST /admin/accounts/sessions/delete-all`
+
+清空指定账号的所有 DeepSeek 会话。请求体示例：
+
+```json
+{"identifier":"user@example.com"}
+```
+
+响应：
+
+```json
+{"success": true, "message": "删除成功"}
+```
+
+如果账号不存在或删除失败，`success` 会是 `false`，`message` 会返回错误原因。
+
 ### `POST /admin/import`
 
 批量导入 keys 与 accounts。
@@ -856,16 +896,25 @@ data: {"type":"message_stop"}
 }
 ```
 
+失败校验的账号会通过 `failed_accounts` 返回；成功保存到 Vercel 的凭据会通过 `saved_credentials` 返回。
+
 ### `GET /admin/vercel/status`
 
 ```json
 {
   "synced": true,
   "last_sync_time": 1738400000,
-  "has_synced_before": true
+  "has_synced_before": true,
+  "env_backed": false,
+  "config_hash": "....",
+  "last_synced_hash": "....",
+  "draft_hash": "....",
+  "draft_differs": false
 }
 ```
 
+`POST /admin/vercel/status` 还可以携带 `config_override`，用于对比“草稿配置”和当前已同步配置。
+
 ### `GET /admin/export`
 
 ```json
@@ -875,6 +924,29 @@ data: {"type":"message_stop"}
 }
 ```
 
+该接口与 `GET /admin/config/export` 返回相同内容，只是路径更短。
+
+### `GET /admin/version`
+
+查询当前构建版本与 GitHub 最新 Release：
+
+```json
+{
+  "success": true,
+  "current_version": "2.3.5",
+  "current_tag": "v2.3.5",
+  "source": "file:VERSION",
+  "checked_at": "2026-03-29T00:00:00Z",
+  "latest_tag": "v2.3.6",
+  "latest_version": "2.3.6",
+  "release_url": "https://github.com/CJackHwang/ds2api/releases/tag/v2.3.6",
+  "published_at": "2026-03-28T12:00:00Z",
+  "has_update": true
+}
+```
+
+如果 GitHub API 不可用，响应里会额外包含 `check_error`，但 HTTP 状态仍为 200。
+
 ### `GET /admin/dev/captures`
 
 查看本地抓包状态与最近记录（需 Admin 鉴权）：

CONTRIBUTING.en.md

@@ -70,6 +70,7 @@ docker-compose -f docker-compose.dev.yml up
 5. Open a Pull Request
 
 > 💡 If you modify files under `webui/`, no manual build is needed — CI handles it automatically.
+> If you want to verify the generated `static/admin/` assets locally, you can still run `./scripts/build-webui.sh`.
 
 ## Build WebUI
 
@@ -129,6 +130,8 @@ ds2api/
 │       ├── components/      # Shared components
 │       └── locales/         # Language packs
 ├── scripts/                 # Build and test scripts
+├── tests/                   # Unit tests, Node tests, and end-to-end tests
+├── plans/                   # Plans, gates, and manual smoke-test records
 ├── static/admin/            # WebUI build output (not committed)
 ├── Dockerfile               # Multi-stage build
 ├── docker-compose.yml       # Production

CONTRIBUTING.md

@@ -70,6 +70,7 @@ docker-compose -f docker-compose.dev.yml up
 5. 发起 Pull Request
 
 > 💡 如果修改了 `webui/` 目录下的文件，无需手动构建——CI 会自动处理。
+> 但如果你本地想验证 `static/admin/` 产物，还是可以手动运行 `./scripts/build-webui.sh`。
 
 ## WebUI 构建
 
@@ -129,6 +130,8 @@ ds2api/
 │       ├── components/      # 通用组件
 │       └── locales/         # 语言包
 ├── scripts/                 # 构建与测试脚本
+├── tests/                   # 单元测试、Node 测试与端到端测试
+├── plans/                   # 计划、门禁和手工烟测记录
 ├── static/admin/            # WebUI 构建产物（不提交）
 ├── Dockerfile               # 多阶段构建
 ├── docker-compose.yml       # 生产环境

DEPLOY.en.md

@@ -32,6 +32,7 @@ Config source (choose one):
 
 - **File**: `config.json` (recommended for local/Docker)
 - **Environment variable**: `DS2API_CONFIG_JSON` (recommended for Vercel; supports raw JSON or Base64)
+- Compatibility note: `CONFIG_JSON` is the legacy fallback variable; `DS2API_CONFIG_JSON` may also contain raw JSON directly
 
 Unified recommendation (best practice):
 
@@ -69,7 +70,7 @@ Default address: `http://0.0.0.0:5001` (override with `PORT`).
 
 ### 1.2 WebUI Build
 
-On first local startup, if `static/admin/` is missing, DS2API will automatically attempt to build the WebUI (requires Node.js/npm).
+On first local startup, if `static/admin/` is missing, DS2API will automatically attempt to build the WebUI (requires Node.js/npm; when dependencies are missing it runs `npm ci` first, then `npm run build -- --outDir static/admin --emptyOutDir`).
 
 Manual build:
 
@@ -123,6 +124,8 @@ docker-compose up -d
 docker-compose logs -f
 ```
 
+The default `docker-compose.yml` maps host port `6011` to container port `5001`. If you want `5001` exposed directly, adjust the `ports` mapping.
+
 ### 2.2 Update
 
 ```bash

DEPLOY.md

@@ -32,6 +32,7 @@
 
 - **文件方式**：`config.json`（推荐本地/Docker 使用）
 - **环境变量方式**：`DS2API_CONFIG_JSON`（推荐 Vercel 使用，支持 JSON 字符串或 Base64 编码）
+- 兼容写法：`CONFIG_JSON` 是旧版回退变量；`DS2API_CONFIG_JSON` 也可以直接写原始 JSON
 
 统一建议（最优实践）：
 
@@ -69,7 +70,7 @@ go run ./cmd/ds2api
 
 ### 1.2 WebUI 构建
 
-本地首次启动时，若 `static/admin/` 不存在，服务会自动尝试构建 WebUI（需要 Node.js/npm）。
+本地首次启动时，若 `static/admin/` 不存在，服务会自动尝试构建 WebUI（需要 Node.js/npm；缺依赖时会先执行 `npm ci`，再执行 `npm run build -- --outDir static/admin --emptyOutDir`）。
 
 你也可以手动构建：
 
@@ -123,6 +124,8 @@ docker-compose up -d
 docker-compose logs -f
 ```
 
+默认 `docker-compose.yml` 会把宿主机 `6011` 映射到容器内的 `5001`。如果你希望直接对外暴露 `5001`，请调整 `ports` 配置。
+
 ### 2.2 更新
 
 ```bash

README.MD

@@ -16,6 +16,14 @@
 
 将 DeepSeek Web 对话能力转换为 OpenAI、Claude 与 Gemini 兼容 API。后端为 **Go 全量实现**，前端为 React WebUI 管理台（源码在 `webui/`，部署时自动构建到 `static/admin`）。
 
+> **重要免责声明**
+>
+> 本仓库仅供学习、研究、个人实验和内部验证使用，不提供任何形式的商业授权、适用性保证或结果保证。
+>
+> 作者及仓库维护者不对因使用、修改、分发、部署或依赖本项目而产生的任何直接或间接损失、账号封禁、数据丢失、法律风险或第三方索赔负责。
+>
+> 请勿将本项目用于违反服务条款、协议、法律法规或平台规则的场景。商业使用前请自行确认 `LICENSE`、相关协议以及你是否获得了作者的书面许可。
+
 ## 架构概览
 
 ```mermaid
@@ -68,7 +76,7 @@ flowchart LR
 | 并发队列控制 | 每账号 in-flight 上限 + 等待队列，动态计算建议并发值 |
 | DeepSeek PoW | WASM 计算（`wazero`），无需外部 Node.js 依赖 |
 | Tool Calling | 防泄漏处理：非代码块高置信特征识别、`delta.tool_calls` 早发、结构化增量输出 |
-| Admin API | 配置管理、运行时设置热更新、账号测试 / 批量测试、导入导出、Vercel 同步 |
+| Admin API | 配置管理、运行时设置热更新、账号测试 / 批量测试、会话清理、导入导出、Vercel 同步、版本检查 |
 | WebUI 管理台 | `/admin` 单页应用（中英文双语、深色模式） |
 | 运维探针 | `GET /healthz`（存活）、`GET /readyz`（就绪） |
 
@@ -132,6 +140,7 @@ cp config.example.json config.json
 后续部署建议：
 - 本地运行：直接读取 `config.json`
 - Docker / Vercel：由 `config.json` 生成 `DS2API_CONFIG_JSON`（Base64）注入环境变量
+- 兼容写法：`DS2API_CONFIG_JSON` 也可以直接写原始 JSON；`CONFIG_JSON` 是旧版回退变量
 
 ### 方式一：本地运行
 
@@ -152,7 +161,7 @@ go run ./cmd/ds2api
 
 默认监听地址：`http://localhost:5001`
 
-> **WebUI 自动构建**：本地首次启动时，若 `static/admin` 不存在，会自动尝试执行 `npm install && npm run build`（需要本机有 Node.js）。你也可以手动构建：`./scripts/build-webui.sh`
+> **WebUI 自动构建**：本地首次启动时，若 `static/admin` 不存在，会自动尝试执行 `npm ci`（仅在缺少依赖时）和 `npm run build -- --outDir static/admin --emptyOutDir`（需要本机有 Node.js）。你也可以手动构建：`./scripts/build-webui.sh`
 
 ### 方式二：Docker 运行
 
@@ -170,6 +179,8 @@ docker-compose up -d
 docker-compose logs -f
 ```
 
+默认 `docker-compose.yml` 会把宿主机 `6011` 映射到容器内的 `5001`。如果你希望直接对外暴露 `5001`，请调整 `ports` 配置。
+
 更新镜像：`docker-compose up -d --build`
 
 #### Zeabur 一键部署（Dockerfile）
@@ -311,9 +322,13 @@ cp opencode.json.example opencode.json
 | `DS2API_JWT_EXPIRE_HOURS` | Admin JWT 过期小时数 | `24` |
 | `DS2API_CONFIG_PATH` | 配置文件路径 | `config.json` |
 | `DS2API_CONFIG_JSON` | 直接注入配置（JSON 或 Base64） | — |
+| `CONFIG_JSON` | 旧版兼容配置注入 | — |
 | `DS2API_WASM_PATH` | PoW WASM 文件路径 | 自动查找 |
 | `DS2API_STATIC_ADMIN_DIR` | 管理台静态文件目录 | `static/admin` |
 | `DS2API_AUTO_BUILD_WEBUI` | 启动时自动构建 WebUI | 本地开启，Vercel 关闭 |
+| `DS2API_DEV_PACKET_CAPTURE` | 本地开发抓包开关（记录最近会话请求/响应体） | 本地非 Vercel 默认开启 |
+| `DS2API_DEV_PACKET_CAPTURE_LIMIT` | 本地抓包保留条数（超出自动淘汰） | `5` |
+| `DS2API_DEV_PACKET_CAPTURE_MAX_BODY_BYTES` | 单条响应体最大记录字节数 | `2097152` |
 | `DS2API_ACCOUNT_MAX_INFLIGHT` | 每账号最大并发 in-flight 请求数 | `2` |
 | `DS2API_ACCOUNT_CONCURRENCY` | 同上（兼容旧名） | — |
 | `DS2API_ACCOUNT_MAX_QUEUE` | 等待队列上限 | `recommended_concurrency` |
@@ -340,6 +355,7 @@ cp opencode.json.example opencode.json
 | **直通 token 模式** | 传入 token 不在 `config.keys` 中时，直接作为 DeepSeek token 使用 |
 
 可选请求头 `X-Ds2-Target-Account`：指定使用某个托管账号（值为 email 或 mobile）。
+Gemini 路由还可以使用 `x-goog-api-key`，或在没有认证头时使用 `?key=` / `?api_key=` 作为调用方凭据。
 
 ## 并发模型
 
@@ -356,13 +372,17 @@ cp opencode.json.example opencode.json
 
 ## Tool Call 适配
 
-当请求中带 `tools` 时，DS2API 会做防泄漏处理：
+当请求中带 `tools` 时，DS2API 会做防泄漏处理与结构化转译：
 
-1. 只在**非代码块上下文**启用 toolcall 特征识别（代码块示例不会触发）
-2. `responses` 流式严格使用官方 item 生命周期事件（`response.output_item.*`、`response.content_part.*`、`response.function_call_arguments.*`）
-3. 未在 `tools` 声明中的工具名会被严格拒绝，不会下发为有效 tool call
+1. 只在**非代码块上下文**启用执行型 toolcall 识别（代码块示例默认不触发）
+2. 解析层以 XML/Markup 为最高优先级，同时兼容 JSON / ANTML / invoke / text-kv，并统一归一到内部工具调用结构
+3. `responses` 流式严格使用官方 item 生命周期事件（`response.output_item.*`、`response.content_part.*`、`response.function_call_arguments.*`）
 4. `responses` 支持并执行 `tool_choice`（`auto`/`none`/`required`/强制函数）；`required` 违规时非流式返回 `422`，流式返回 `response.failed`
-5. 仅在通过策略校验后才会发出有效工具调用事件，避免错误工具名进入客户端执行链
+5. 客户端请求哪种协议，就按该协议返回工具调用（OpenAI/Claude/Gemini 各自原生结构）；模型侧优先约束输出规范 XML，再由兼容层转译
+
+> 说明：当前版本在 parser 层仍以“尽量解析成功”为优先，未启用基于 allow-list 的工具名硬拒绝。
+>
+> 想评估“把工具调用封装成 XML 再输入模型”的方案，可参考：`docs/toolcall-semantics.md`。
 
 ## 本地开发抓包工具
 
@@ -507,4 +527,7 @@ go test -v -run 'TestParseToolCalls|TestRepair' ./internal/util/
 
 ## 免责声明
 
-本项目基于逆向方式实现，仅供学习与研究使用。稳定性和可用性不作保证，请勿用于违反服务条款或法律法规的场景。
+本项目基于逆向方式实现，仅供学习、研究、个人实验和内部验证使用，不提供任何商业授权、稳定性保证或可用性保证。
+作者及仓库维护者不对因使用、修改、分发、部署或依赖本项目而产生的任何直接或间接损失、账号封禁、数据丢失、法律风险或第三方索赔负责。
+
+请勿将本项目用于违反服务条款、协议、法律法规或平台规则的场景。商业使用前请自行确认 `LICENSE`、相关协议以及你是否获得了作者的书面许可。

README.en.md

@@ -16,6 +16,14 @@ Language: [中文](README.MD) | [English](README.en.md)
 
 DS2API converts DeepSeek Web chat capability into OpenAI-compatible, Claude-compatible, and Gemini-compatible APIs. The backend is a **pure Go implementation**, with a React WebUI admin panel (source in `webui/`, build output auto-generated to `static/admin` during deployment).
 
+> **Important Disclaimer**
+>
+> This repository is provided for learning, research, personal experimentation, and internal validation only. It does not grant any commercial authorization and comes with no warranty of fitness, stability, or results.
+>
+> The author and repository maintainers are not responsible for any direct or indirect loss, account suspension, data loss, legal risk, or third-party claims arising from use, modification, distribution, deployment, or reliance on this project.
+>
+> Do not use this project in ways that violate service terms, agreements, laws, or platform rules. Before any commercial use, review the `LICENSE`, the relevant terms, and confirm that you have the author's written permission.
+
 ## Architecture Overview
 
 ```mermaid
@@ -68,7 +76,7 @@ flowchart LR
 | Concurrency control | Per-account in-flight limit + waiting queue, dynamic recommended concurrency |
 | DeepSeek PoW | WASM solving via `wazero`, no external Node.js dependency |
 | Tool Calling | Anti-leak handling: non-code-block feature match, early `delta.tool_calls`, structured incremental output |
-| Admin API | Config management, runtime settings hot-reload, account testing/batch test, import/export, Vercel sync |
+| Admin API | Config management, runtime settings hot-reload, account testing/batch test, session cleanup, import/export, Vercel sync, version check |
 | WebUI Admin Panel | SPA at `/admin` (bilingual Chinese/English, dark mode) |
 | Health Probes | `GET /healthz` (liveness), `GET /readyz` (readiness) |
 
@@ -132,6 +140,7 @@ cp config.example.json config.json
 Recommended per deployment mode:
 - Local run: read `config.json` directly
 - Docker / Vercel: generate Base64 from `config.json` and inject as `DS2API_CONFIG_JSON`
+- Compatibility note: `DS2API_CONFIG_JSON` may also contain raw JSON directly; `CONFIG_JSON` is the legacy fallback variable
 
 ### Option 1: Local Run
 
@@ -152,7 +161,7 @@ go run ./cmd/ds2api
 
 Default URL: `http://localhost:5001`
 
-> **WebUI auto-build**: On first local startup, if `static/admin` is missing, DS2API will auto-run `npm install && npm run build` (requires Node.js). You can also build manually: `./scripts/build-webui.sh`
+> **WebUI auto-build**: On first local startup, if `static/admin` is missing, DS2API will auto-run `npm ci` (only when dependencies are missing) and `npm run build -- --outDir static/admin --emptyOutDir` (requires Node.js). You can also build manually: `./scripts/build-webui.sh`
 
 ### Option 2: Docker
 
@@ -170,6 +179,8 @@ docker-compose up -d
 docker-compose logs -f
 ```
 
+The default `docker-compose.yml` maps host port `6011` to container port `5001`. If you want `5001` exposed directly, adjust the `ports` mapping.
+
 Rebuild after updates: `docker-compose up -d --build`
 
 #### Zeabur One-Click (Dockerfile)
@@ -311,6 +322,7 @@ cp opencode.json.example opencode.json
 | `DS2API_JWT_EXPIRE_HOURS` | Admin JWT TTL in hours | `24` |
 | `DS2API_CONFIG_PATH` | Config file path | `config.json` |
 | `DS2API_CONFIG_JSON` | Inline config (JSON or Base64) | — |
+| `CONFIG_JSON` | Legacy compatibility config input | — |
 | `DS2API_WASM_PATH` | PoW WASM file path | Auto-detect |
 | `DS2API_STATIC_ADMIN_DIR` | Admin static assets dir | `static/admin` |
 | `DS2API_AUTO_BUILD_WEBUI` | Auto-build WebUI on startup | Enabled locally, disabled on Vercel |
@@ -340,6 +352,7 @@ For business endpoints (`/v1/*`, `/anthropic/*`, Gemini routes), DS2API supports
 | **Direct token** | If the token is not in `config.keys`, DS2API treats it as a DeepSeek token directly |
 
 Optional header `X-Ds2-Target-Account`: Pin a specific managed account (value is email or mobile).
+Gemini routes also accept `x-goog-api-key`, or `?key=` / `?api_key=` when no auth header is present.
 
 ## Concurrency Model
 
@@ -491,4 +504,7 @@ Workflow: `.github/workflows/release-artifacts.yml`
 
 ## Disclaimer
 
-This project is built through reverse engineering and is provided for learning and research only. Stability is not guaranteed. Do not use it in scenarios that violate terms of service or laws.
+This project is built through reverse engineering and is provided for learning, research, personal experimentation, and internal validation only. No commercial authorization is granted, and no warranty of stability, fitness, or results is provided.
+The author and repository maintainers are not responsible for any direct or indirect loss, account suspension, data loss, legal risk, or third-party claims arising from use, modification, distribution, deployment, or reliance on this project.
+
+Do not use this project in ways that violate service terms, agreements, laws, or platform rules. Before any commercial use, review the `LICENSE`, the relevant terms, and confirm that you have the author's written permission.

TESTING.md

@@ -1,6 +1,6 @@
 # DS2API 测试指南
 
-语言 / Language: [中文 + English](TESTING.md)
+语言 / Language: 中文 + English（同页）
 
 ## 概述 | Overview
 
@@ -14,6 +14,7 @@ DS2API 提供两个层级的测试：
 | 端到端测试 | `./tests/scripts/run-live.sh` | 使用真实账号执行全链路测试 |
 
 端到端测试集会录制完整的请求/响应日志，用于故障排查。
+Node 单元测试脚本会先做 `node --check` 语法门禁，再以 `--test-concurrency=1` 串行执行测试文件，减少模块级共享状态带来的干扰。
 
 ---
 
@@ -66,6 +67,8 @@ DS2API 提供两个层级的测试：
 
 4. **结果收集**：继续执行所有用例（不中断），写入最终汇总
 
+如果你只想跳过这些 preflight 检查，可以直接运行 `go run ./cmd/ds2api-tests --no-preflight`。
+
 ---
 
 ## CLI 参数 | CLI Flags

docs/toolcall-semantics.md

@@ -1,41 +1,72 @@
-# Tool call parsing semantics (Go canonical spec)
+# Tool call parsing semantics（Go/Node 统一语义）
 
-This document defines the cross-runtime contract for `ParseToolCallsDetailed` / `parseToolCallsDetailed`.
+本文档描述当前代码中 `ParseToolCallsDetailed` / `parseToolCallsDetailed` 的**实际行为**，用于对齐 Go 与 Node Runtime。
 
-## Output contract
+## 1) 输出结构（当前实现）
 
-- `calls`: accepted tool calls with normalized tool names.
-- `sawToolCallSyntax`: true when tool-call-like syntax is detected (`tool_calls`, `<tool_call>`, `<function_call>`, `<invoke>`) or a valid call is parsed.
-- `rejectedByPolicy`: true when parser extracted call syntax but all calls are rejected by allow-list policy.
-- `rejectedToolNames`: de-duplicated rejected tool names in first-seen order.
+- `calls`：解析得到的工具调用列表（`name` + `input`）。
+- `sawToolCallSyntax`：检测到工具调用语法特征时为 `true`（例如 `tool_calls`、`<tool_call>`、`<function_call>`、`<invoke>`、`function.name:`）。
+- `rejectedByPolicy`：当前实现固定为 `false`（预留字段，尚未启用 allow-list 拒绝）。
+- `rejectedToolNames`：当前实现固定为空数组（预留字段）。
 
-## Parse pipeline
+> 说明：`filterToolCallsDetailed` 当前仅做结构清洗，不做工具名策略拒绝。
 
-1. Strip fenced code blocks for non-standalone parsing.
-2. Build candidates from:
-   - full text,
-   - fenced JSON snippets,
-   - extracted JSON objects around `tool_calls`,
-   - first `{` to last `}` object slice.
-3. Parse each candidate in order:
-   - JSON payload parser (`tool_calls`, list, single call object),
-   - XML/Markup parser (`<tool_call>`, `<function_call>`, `<invoke>`; supports attributes + nested fields),
-   - Text KV fallback parser (`function.name: <name>` ... `function.arguments: {json}`).
-4. Stop at first candidate that yields at least one call.
+## 2) 解析管线
 
-## Name normalization policy
+1. **示例保护**：若判定为 fenced code block 示例上下文，则跳过执行型解析。
+2. **候选片段构建**：从完整文本中构建候选（原文、围绕 `tool_calls` 的 JSON 片段、首尾大括号切片等）。
+3. **按序尝试解析（命中即停）**：
+   - 对“明显 JSON 工具载荷候选”（以 `{`/`[` 开头且包含 `tool_calls`/`\"function\"`）先走 JSON 解析，避免 JSON 字符串内偶发 XML 片段误命中；
+   - 其余候选优先 XML 解析（`<tool_call>` / `<function_call>` / `<invoke>` / `tool_use` / `antml:function_call` 等）；
+   - JSON 解析（`{"tool_calls": [...]}`、列表、单对象）；
+   - Markup 解析；
+   - Text-KV 回退（如 `function.name:` + `function.arguments:`）。
+4. **兜底**：候选全部失败后，再对全文做 XML / Text-KV 回退。
 
-When matching parsed names against configured tools:
+## 3) XML 能力边界（当前）
 
-1. exact match,
-2. case-insensitive match,
-3. namespace tail match (`a.b.c` => `c`),
-4. loose alnum match (remove non `[a-z0-9]`, compare).
+当前已支持输入端的“多 XML/标记风格”解析，包括但不限于：
 
-## Standalone mode
+- `<tool_call><tool_name>...</tool_name><parameters>...</parameters></tool_call>`
+- `<function_call>tool</function_call><function parameter name="x">...</function parameter>`
+- `<invoke name="tool"><parameter name="x">...</parameter></invoke>`
+- `antml:function_call` / `antml:argument` / `antml:parameters`
+- `tool_use` 家族标签
 
-Standalone mode (`ParseStandaloneToolCallsDetailed`) parses the whole input directly (no candidate slicing), while still applying:
+但**输出端仍统一转换为 OpenAI 兼容 JSON 事件/对象**（`message.tool_calls`、`delta.tool_calls`、`response.function_call_arguments.*`）。
 
-- example-context guard,
-- JSON then markup fallback,
-- the same allow-list normalization policy.
+## 4) 关于“是否可以封装成 XML 再喂给模型”
+
+结论：**可以做，而且当前解析器已经能兼容 XML 作为输入格式之一**，但代码里并没有 `toolcall.prefer_xml_output` 这个开关。现有可调配置只有：
+
+- `toolcall.mode`：`feature_match` / `off`
+- `toolcall.early_emit_confidence`：`high` / `low` / `off`
+
+推荐思路仍然是“输入兼容层 + 输出按客户端协议渲染”：
+
+1. **Prompt 约束层**：如果你要尝试 XML-first，可以在系统提示词里约束模型输出规范 XML tool block（例如 `<tool_calls><tool_call>...</tool_call></tool_calls>`）。
+2. **解析兼容层**：继续在 parser 中同时接受 JSON / XML / ANTML / invoke / text-kv。
+3. **协议归一层**：无论模型输出什么格式，统一落到内部 `ParsedToolCall`。
+4. **对外渲染层**：根据客户端请求协议渲染（OpenAI / Claude / Gemini 各自格式）。
+
+这样可以同时获得：
+
+- 减少模型端 JSON 转义/引号错误；
+- 不破坏现有 SDK / 客户端生态；
+- 逐步灰度（按模型、按租户、按请求开关）。
+
+## 5) 落地建议（低风险迭代）
+
+- 继续使用现有的 `toolcall.mode=feature_match` 和 `toolcall.early_emit_confidence=high` 作为默认策略。
+- 如果要试 XML-first，把它放在 prompt 层或上游模板层，不要假设代码里已有专门的 XML 输出开关。
+- 增加观测指标：
+  - `toolcall_parse_source`（json/xml/markup/textkv）；
+  - `toolcall_parse_success_rate`；
+  - `toolcall_malformed_rate`；
+  - `toolcall_repair_rate`。
+- 先在 `responses` 链路灰度，再扩展 `chat.completions`。
+
+## 6) 兼容性提醒
+
+- 上游模型若输出混合文本 + XML，仍可能出现“半结构化”噪声，需要依赖现有 sieve 增量消费策略。
+- XML 不等于安全：仍需做 tool 名、参数 schema、执行权限的服务端校验。

internal/adapter/claude/handler_util_test.go

@@ -248,14 +248,14 @@ func TestBuildClaudeToolPromptSingleTool(t *testing.T) {
 	if !containsStr(prompt, "Search the web") {
 		t.Fatalf("expected description in prompt")
 	}
-	if !containsStr(prompt, "tool_use") {
-		t.Fatalf("expected tool_use instruction in prompt")
+	if !containsStr(prompt, "<tool_calls>") {
+		t.Fatalf("expected XML tool_calls format in prompt")
 	}
 	if containsStr(prompt, "TOOL_CALL_HISTORY") || containsStr(prompt, "TOOL_RESULT_HISTORY") {
 		t.Fatalf("expected legacy tool history markers removed from prompt")
 	}
-	if !containsStr(prompt, "Do not print tool-call JSON in text") {
-		t.Fatalf("expected prompt to keep no tool-call-json instruction")
+	if !containsStr(prompt, "TOOL CALL FORMAT") {
+		t.Fatalf("expected tool call format header in prompt")
 	}
 }
 
@@ -301,12 +301,9 @@ func TestBuildClaudeToolPromptSupportsOpenAIStyleFunctionTool(t *testing.T) {
 func TestBuildClaudeToolPromptSkipsNonMap(t *testing.T) {
 	tools := []any{"not a map"}
 	prompt := buildClaudeToolPrompt(tools)
-	if prompt == "" {
-		t.Fatal("expected non-empty prompt even with invalid tools")
-	}
-	// Should still contain the intro and instruction
-	if !containsStr(prompt, "You are Claude") {
-		t.Fatalf("expected intro in prompt")
+	// No valid tools → empty prompt
+	if prompt != "" {
+		t.Fatalf("expected empty prompt for non-map tools, got: %q", prompt)
 	}
 }
 

internal/adapter/claude/handler_utils.go

@@ -4,6 +4,8 @@ import (
 	"encoding/json"
 	"fmt"
 	"strings"
+
+	"ds2api/internal/util"
 )
 
 func normalizeClaudeMessages(messages []any) []any {
@@ -70,22 +72,27 @@ func normalizeClaudeMessages(messages []any) []any {
 }
 
 func buildClaudeToolPrompt(tools []any) string {
-	parts := []string{"You are Claude, a helpful AI assistant. You have access to these tools:"}
+	toolSchemas := make([]string, 0, len(tools))
+	names := make([]string, 0, len(tools))
 	for _, t := range tools {
 		m, ok := t.(map[string]any)
 		if !ok {
 			continue
 		}
 		name, desc, schemaObj := extractClaudeToolMeta(m)
+		if name == "" {
+			continue
+		}
+		names = append(names, name)
 		schema, _ := json.Marshal(schemaObj)
-		parts = append(parts, fmt.Sprintf("Tool: %s\nDescription: %s\nParameters: %s", name, desc, schema))
+		toolSchemas = append(toolSchemas, fmt.Sprintf("Tool: %s\nDescription: %s\nParameters: %s", name, desc, schema))
 	}
-	parts = append(parts,
-		"When you need a tool, respond with Claude-native tool use (tool_use) using the provided tool schema. Do not print tool-call JSON in text.",
-		"Tool roundtrip context is included directly in the conversation messages (assistant tool_use/tool_calls and tool results).",
-		"After receiving a valid tool result, continue with final answer instead of repeating the same call unless required fields are still missing.",
-	)
-	return strings.Join(parts, "\n\n")
+	if len(toolSchemas) == 0 {
+		return ""
+	}
+	return "You have access to these tools:\n\n" +
+		strings.Join(toolSchemas, "\n\n") + "\n\n" +
+		util.BuildToolCallInstructions(names)
 }
 
 func formatClaudeToolResultForPrompt(block map[string]any) string {

internal/adapter/claude/stream_runtime_finalize.go

@@ -1,6 +1,7 @@
 package claude
 
 import (
+	"encoding/json"
 	"fmt"
 	"time"
 
@@ -60,9 +61,20 @@ func (s *claudeStreamRuntime) finalize(stopReason string) {
 						"type":  "tool_use",
 						"id":    fmt.Sprintf("toolu_%d_%d", time.Now().Unix(), idx),
 						"name":  tc.Name,
-						"input": tc.Input,
+						"input": map[string]any{},
 					},
 				})
+				
+				inputBytes, _ := json.Marshal(tc.Input)
+				s.send("content_block_delta", map[string]any{
+					"type":  "content_block_delta",
+					"index": idx,
+					"delta": map[string]any{
+						"type":         "input_json_delta",
+						"partial_json": string(inputBytes),
+					},
+				})
+
 				s.send("content_block_stop", map[string]any{
 					"type":  "content_block_stop",
 					"index": idx,

internal/adapter/openai/handler_toolcall_format.go

@@ -53,7 +53,7 @@ func injectToolPrompt(messages []map[string]any, tools []any, policy util.ToolCh
 	if len(toolSchemas) == 0 {
 		return messages, names
 	}
-	toolPrompt := "You have access to these tools:\n\n" + strings.Join(toolSchemas, "\n\n") + "\n\nWhen you need to use tools, output ONLY this JSON object format:\n{\"tool_calls\": [{\"name\": \"tool_name\", \"input\": {\"param\": \"value\"}}]}\n\n【EXAMPLE】\nUser: Please check the weather in Beijing and Shanghai, and update my todo list.\nAssistant:\n{\"tool_calls\": [\n  {\"name\": \"get_weather\", \"input\": {\"city\": \"Beijing\"}},\n  {\"name\": \"get_weather\", \"input\": {\"city\": \"Shanghai\"}},\n  {\"name\": \"update_todo\", \"input\": {\"todos\": [{\"content\": \"Buy milk\"}, {\"content\": \"Write report\"}]}}\n]}\n\nIMPORTANT:\n1) If calling tools, output ONLY the JSON object above. Do NOT include any extra text.\n2) Do NOT wrap tool-call JSON in markdown/code fences (for example, do not use triple backticks).\n3) After receiving a tool result, you MUST use it to produce the final answer.\n4) Only call another tool when the previous result is missing required data or returned an error.\n5) JSON SYNTAX STRICTLY REQUIRED: All property names MUST be enclosed in double quotes (e.g., \"name\", not name).\n6) ARRAY FORMAT: If providing a list of items, you MUST enclose them in square brackets `[]` (e.g., \"todos\": [{\"item\": \"a\"}, {\"item\": \"b\"}]). DO NOT output comma-separated objects without brackets."
+	toolPrompt := "You have access to these tools:\n\n" + strings.Join(toolSchemas, "\n\n") + "\n\n" + buildToolCallInstructions(names)
 	if policy.Mode == util.ToolChoiceRequired {
 		toolPrompt += "\n7) For this response, you MUST call at least one tool from the allowed list."
 	}
@@ -73,6 +73,11 @@ func injectToolPrompt(messages []map[string]any, tools []any, policy util.ToolCh
 	return messages, names
 }
 
+// buildToolCallInstructions delegates to the shared util implementation.
+func buildToolCallInstructions(toolNames []string) string {
+	return util.BuildToolCallInstructions(toolNames)
+}
+
 func formatIncrementalStreamToolCallDeltas(deltas []toolCallDelta, ids map[int]string) []map[string]any {
 	if len(deltas) == 0 {
 		return nil

internal/adapter/openai/prompt_build_test.go

@@ -71,16 +71,19 @@ func TestBuildOpenAIFinalPrompt_VercelPreparePathKeepsFinalAnswerInstruction(t *
 	}
 
 	finalPrompt, _ := buildOpenAIFinalPrompt(messages, tools, "")
-	if !strings.Contains(finalPrompt, "After receiving a tool result, you MUST use it to produce the final answer.") {
+	if !strings.Contains(finalPrompt, "After receiving a tool result, use it directly.") {
 		t.Fatalf("vercel prepare finalPrompt missing final-answer instruction: %q", finalPrompt)
 	}
-	if !strings.Contains(finalPrompt, "Only call another tool when the previous result is missing required data or returned an error.") {
+	if !strings.Contains(finalPrompt, "Only call another tool if the result is insufficient.") {
 		t.Fatalf("vercel prepare finalPrompt missing retry guard instruction: %q", finalPrompt)
 	}
-	if !strings.Contains(finalPrompt, "Do NOT wrap tool-call JSON in markdown/code fences") {
-		t.Fatalf("vercel prepare finalPrompt missing no-fence instruction: %q", finalPrompt)
+	if !strings.Contains(finalPrompt, "TOOL CALL FORMAT") {
+		t.Fatalf("vercel prepare finalPrompt missing xml format instruction: %q", finalPrompt)
+	}
+	if !strings.Contains(finalPrompt, "Do NOT wrap the XML in markdown code fences") {
+		t.Fatalf("vercel prepare finalPrompt missing no-fence xml instruction: %q", finalPrompt)
 	}
 	if strings.Contains(finalPrompt, "```json") {
-		t.Fatalf("vercel prepare finalPrompt should not require fenced json tool calls: %q", finalPrompt)
+		t.Fatalf("vercel prepare finalPrompt should not require fenced tool calls: %q", finalPrompt)
 	}
 }

internal/adapter/openai/tool_history_sanitize.go

@@ -8,7 +8,15 @@ var leakedToolHistoryPattern = regexp.MustCompile(`(?is)\[TOOL_CALL_HISTORY\][\s
 var emptyJSONFencePattern = regexp.MustCompile("(?is)```json\\s*```")
 var leakedToolCallArrayPattern = regexp.MustCompile(`(?is)\[\{\s*"function"\s*:\s*\{[\s\S]*?\}\s*,\s*"id"\s*:\s*"call[^"]*"\s*,\s*"type"\s*:\s*"function"\s*}\]`)
 var leakedToolResultBlobPattern = regexp.MustCompile(`(?is)<\s*\|\s*tool\s*\|\s*>\s*\{[\s\S]*?"tool_call_id"\s*:\s*"call[^"]*"\s*}`)
-var leakedMetaMarkerPattern = regexp.MustCompile(`(?is)<\s*\|\s*(?:assistant|tool|end_of_sentence|end_of_thinking)\s*\|\s*>`)
+
+// leakedMetaMarkerPattern matches DeepSeek special tokens in BOTH forms:
+//   - ASCII underscore: <｜end_of_sentence｜>
+//   - U+2581 variant:   <｜end▁of▁sentence｜>  (used in some DeepSeek outputs)
+var leakedMetaMarkerPattern = regexp.MustCompile(`(?i)<[｜\|]\s*(?:assistant|tool|end[_▁]of[_▁]sentence|end[_▁]of[_▁]thinking)\s*[｜\|]>`)
+
+// leakedAgentXMLPattern catches agent-style XML tags that leak through when
+// the sieve fails to capture them (e.g. incomplete blocks at stream end).
+var leakedAgentXMLPattern = regexp.MustCompile(`(?is)</?(?:attempt_completion|ask_followup_question|new_task|result)>`)
 
 func sanitizeLeakedToolHistory(text string) string {
 	if text == "" {
@@ -19,5 +27,6 @@ func sanitizeLeakedToolHistory(text string) string {
 	out = leakedToolCallArrayPattern.ReplaceAllString(out, "")
 	out = leakedToolResultBlobPattern.ReplaceAllString(out, "")
 	out = leakedMetaMarkerPattern.ReplaceAllString(out, "")
+	out = leakedAgentXMLPattern.ReplaceAllString(out, "")
 	return out
 }

internal/adapter/openai/tool_history_sanitize_test.go

@@ -86,13 +86,21 @@ func TestSanitizeLeakedToolHistoryRemovesLeakedWireToolCallAndResult(t *testing.
 }
 
 func TestSanitizeLeakedToolHistoryRemovesStandaloneMetaMarkers(t *testing.T) {
-	raw := "A<| end_of_sentence |><| Assistant |>B<| end_of_thinking |>C"
+	raw := "A<| end_of_sentence |><| Assistant |>B<| end_of_thinking |>C<｜end▁of▁thinking｜>D<｜end▁of▁sentence｜>E"
 	got := sanitizeLeakedToolHistory(raw)
-	if got != "ABC" {
+	if got != "ABCDE" {
 		t.Fatalf("unexpected sanitize result for meta markers: %q", got)
 	}
 }
 
+func TestSanitizeLeakedToolHistoryRemovesAgentXMLLeaks(t *testing.T) {
+	raw := "Done.<attempt_completion><result>Some final answer</result></attempt_completion>"
+	got := sanitizeLeakedToolHistory(raw)
+	if got != "Done.Some final answer" {
+		t.Fatalf("unexpected sanitize result for agent XML leak: %q", got)
+	}
+}
+
 func TestProcessToolSieveChunkSplitsResultHistoryBoundary(t *testing.T) {
 	var state toolStreamSieveState
 	parts := []string{

internal/adapter/openai/tool_sieve_core.go

@@ -114,8 +114,14 @@ func flushToolSieve(state *toolStreamSieveState, toolNames []string) []toolStrea
 		} else {
 			content := state.capture.String()
 			if content != "" {
-				state.noteText(content)
-				events = append(events, toolStreamEvent{Content: content})
+				// If the captured text looks like an incomplete XML tool call block,
+				// swallow it to prevent leaking raw XML tags to the client.
+				if hasOpenXMLToolTag(content) {
+					// Drop it silently — incomplete tool call.
+				} else {
+					state.noteText(content)
+					events = append(events, toolStreamEvent{Content: content})
+				}
 			}
 		}
 		state.capture.Reset()
@@ -124,8 +130,14 @@ func flushToolSieve(state *toolStreamSieveState, toolNames []string) []toolStrea
 	}
 	if state.pending.Len() > 0 {
 		content := state.pending.String()
-		state.noteText(content)
-		events = append(events, toolStreamEvent{Content: content})
+		// Safety: if pending contains XML tool tag fragments (e.g. "tool_calls>"
+		// from a split closing tag), swallow them instead of leaking.
+		if hasOpenXMLToolTag(content) || looksLikeXMLToolTagFragment(content) {
+			// Drop it — likely an incomplete tool call fragment.
+		} else {
+			state.noteText(content)
+			events = append(events, toolStreamEvent{Content: content})
+		}
 		state.pending.Reset()
 	}
 	return events
@@ -159,6 +171,10 @@ func findSuspiciousPrefixStart(s string) int {
 			start = idx
 		}
 	}
+	// Also check for partial XML tool tag at end of string.
+	if xmlIdx := findPartialXMLToolTagStart(s); xmlIdx >= 0 && xmlIdx > start {
+		start = xmlIdx
+	}
 	return start
 }
 
@@ -175,13 +191,32 @@ func findToolSegmentStart(s string) int {
 			bestKeyIdx = idx
 		}
 	}
+	// Also detect XML tool call tags.
+	for _, tag := range xmlToolTagsToDetect {
+		idx := strings.Index(lower, tag)
+		if idx >= 0 && (bestKeyIdx < 0 || idx < bestKeyIdx) {
+			bestKeyIdx = idx
+		}
+	}
 	if bestKeyIdx < 0 {
 		return -1
 	}
+	// For XML tags, the '<' is itself the segment start.
+	if bestKeyIdx < len(s) && s[bestKeyIdx] == '<' {
+		if fenceStart, ok := openFenceStartBefore(s, bestKeyIdx); ok {
+			return fenceStart
+		}
+		return bestKeyIdx
+	}
 	start := strings.LastIndex(s[:bestKeyIdx], "{")
 	if start < 0 {
 		start = bestKeyIdx
 	}
+	// If the keyword matched inside an XML tag (e.g. "tool_calls" in "<tool_calls>"),
+	// back up past the '<' to capture the full tag.
+	if start > 0 && s[start-1] == '<' {
+		start--
+	}
 	if fenceStart, ok := openFenceStartBefore(s, start); ok {
 		return fenceStart
 	}
@@ -193,6 +228,16 @@ func consumeToolCapture(state *toolStreamSieveState, toolNames []string) (prefix
 	if captured == "" {
 		return "", nil, "", false
 	}
+
+	// Try XML tool call extraction first.
+	if xmlPrefix, xmlCalls, xmlSuffix, xmlReady := consumeXMLToolCapture(captured, toolNames); xmlReady {
+		return xmlPrefix, xmlCalls, xmlSuffix, true
+	}
+	// If XML tags are present but block is incomplete, keep buffering.
+	if hasOpenXMLToolTag(captured) {
+		return "", nil, "", false
+	}
+
 	lower := strings.ToLower(captured)
 	keyIdx := -1
 	keywords := []string{"tool_calls", "\"function\"", "function.name:", "[tool_call_history]", "[tool_result_history]"}
@@ -234,67 +279,3 @@ func consumeToolCapture(state *toolStreamSieveState, toolNames []string) (prefix
 	prefixPart, suffixPart = trimWrappingJSONFence(prefixPart, suffixPart)
 	return prefixPart, parsed.Calls, suffixPart, true
 }
-
-func extractToolHistoryBlock(captured string, keyIdx int) (start int, end int, ok bool) {
-	if keyIdx < 0 || keyIdx >= len(captured) {
-		return 0, 0, false
-	}
-	rest := strings.ToLower(captured[keyIdx:])
-	switch {
-	case strings.HasPrefix(rest, "[tool_call_history]"):
-		closeTag := "[/tool_call_history]"
-		closeIdx := strings.Index(rest, closeTag)
-		if closeIdx < 0 {
-			return 0, 0, false
-		}
-		return keyIdx, keyIdx + closeIdx + len(closeTag), true
-	case strings.HasPrefix(rest, "[tool_result_history]"):
-		closeTag := "[/tool_result_history]"
-		closeIdx := strings.Index(rest, closeTag)
-		if closeIdx < 0 {
-			return 0, 0, false
-		}
-		return keyIdx, keyIdx + closeIdx + len(closeTag), true
-	default:
-		return 0, 0, false
-	}
-}
-
-func trimWrappingJSONFence(prefix, suffix string) (string, string) {
-	trimmedPrefix := strings.TrimRight(prefix, " \t\r\n")
-	fenceIdx := strings.LastIndex(trimmedPrefix, "```")
-	if fenceIdx < 0 {
-		return prefix, suffix
-	}
-	// Only strip when the trailing fence in prefix behaves like an opening fence.
-	// A legitimate closing fence before a standalone tool JSON must be preserved.
-	if strings.Count(trimmedPrefix[:fenceIdx+3], "```")%2 == 0 {
-		return prefix, suffix
-	}
-	fenceHeader := strings.TrimSpace(trimmedPrefix[fenceIdx+3:])
-	if fenceHeader != "" && !strings.EqualFold(fenceHeader, "json") {
-		return prefix, suffix
-	}
-
-	trimmedSuffix := strings.TrimLeft(suffix, " \t\r\n")
-	if !strings.HasPrefix(trimmedSuffix, "```") {
-		return prefix, suffix
-	}
-	consumedLeading := len(suffix) - len(trimmedSuffix)
-	return trimmedPrefix[:fenceIdx], suffix[consumedLeading+3:]
-}
-
-func openFenceStartBefore(s string, pos int) (int, bool) {
-	if pos <= 0 || pos > len(s) {
-		return -1, false
-	}
-	segment := s[:pos]
-	lastFence := strings.LastIndex(segment, "```")
-	if lastFence < 0 {
-		return -1, false
-	}
-	if strings.Count(segment, "```")%2 == 1 {
-		return lastFence, true
-	}
-	return -1, false
-}

internal/adapter/openai/tool_sieve_jsonscan.go

@@ -1,5 +1,7 @@
 package openai
 
+import "strings"
+
 func extractJSONObjectFrom(text string, start int) (string, int, bool) {
 	if start < 0 || start >= len(text) || text[start] != '{' {
 		return "", 0, false
@@ -41,3 +43,67 @@ func extractJSONObjectFrom(text string, start int) (string, int, bool) {
 	}
 	return "", 0, false
 }
+
+func extractToolHistoryBlock(captured string, keyIdx int) (start int, end int, ok bool) {
+	if keyIdx < 0 || keyIdx >= len(captured) {
+		return 0, 0, false
+	}
+	rest := strings.ToLower(captured[keyIdx:])
+	switch {
+	case strings.HasPrefix(rest, "[tool_call_history]"):
+		closeTag := "[/tool_call_history]"
+		closeIdx := strings.Index(rest, closeTag)
+		if closeIdx < 0 {
+			return 0, 0, false
+		}
+		return keyIdx, keyIdx + closeIdx + len(closeTag), true
+	case strings.HasPrefix(rest, "[tool_result_history]"):
+		closeTag := "[/tool_result_history]"
+		closeIdx := strings.Index(rest, closeTag)
+		if closeIdx < 0 {
+			return 0, 0, false
+		}
+		return keyIdx, keyIdx + closeIdx + len(closeTag), true
+	default:
+		return 0, 0, false
+	}
+}
+
+func trimWrappingJSONFence(prefix, suffix string) (string, string) {
+	trimmedPrefix := strings.TrimRight(prefix, " \t\r\n")
+	fenceIdx := strings.LastIndex(trimmedPrefix, "```")
+	if fenceIdx < 0 {
+		return prefix, suffix
+	}
+	// Only strip when the trailing fence in prefix behaves like an opening fence.
+	// A legitimate closing fence before a standalone tool JSON must be preserved.
+	if strings.Count(trimmedPrefix[:fenceIdx+3], "```")%2 == 0 {
+		return prefix, suffix
+	}
+	fenceHeader := strings.TrimSpace(trimmedPrefix[fenceIdx+3:])
+	if fenceHeader != "" && !strings.EqualFold(fenceHeader, "json") {
+		return prefix, suffix
+	}
+
+	trimmedSuffix := strings.TrimLeft(suffix, " \t\r\n")
+	if !strings.HasPrefix(trimmedSuffix, "```") {
+		return prefix, suffix
+	}
+	consumedLeading := len(suffix) - len(trimmedSuffix)
+	return trimmedPrefix[:fenceIdx], suffix[consumedLeading+3:]
+}
+
+func openFenceStartBefore(s string, pos int) (int, bool) {
+	if pos <= 0 || pos > len(s) {
+		return -1, false
+	}
+	segment := s[:pos]
+	lastFence := strings.LastIndex(segment, "```")
+	if lastFence < 0 {
+		return -1, false
+	}
+	if strings.Count(segment, "```")%2 == 1 {
+		return lastFence, true
+	}
+	return -1, false
+}

internal/adapter/openai/tool_sieve_xml.go

@@ -0,0 +1,147 @@
+package openai
+
+import (
+	"regexp"
+	"strings"
+
+	"ds2api/internal/util"
+)
+
+// --- XML tool call support for the streaming sieve ---
+
+var xmlToolCallClosingTags = []string{"</tool_calls>", "</tool_call>", "</invoke>", "</function_call>", "</function_calls>", "</tool_use>",
+	// Agent-style XML tags (Roo Code, Cline, etc.)
+	"</attempt_completion>", "</ask_followup_question>", "</new_task>", "</result>"}
+var xmlToolCallOpeningTags = []string{"<tool_calls", "<tool_call", "<invoke", "<function_call", "<function_calls", "<tool_use",
+	// Agent-style XML tags
+	"<attempt_completion", "<ask_followup_question", "<new_task", "<result"}
+
+// xmlToolCallTagPairs maps each opening tag to its expected closing tag.
+// Order matters: longer/wrapper tags must be checked first.
+var xmlToolCallTagPairs = []struct{ open, close string }{
+	{"<tool_calls", "</tool_calls>"},
+	{"<tool_call", "</tool_call>"},
+	{"<function_calls", "</function_calls>"},
+	{"<function_call", "</function_call>"},
+	{"<invoke", "</invoke>"},
+	{"<tool_use", "</tool_use>"},
+	// Agent-style: these are XML "tool call" patterns from coding agents.
+	// They get captured → parsed. If parsing fails, the block is consumed
+	// (swallowed) to prevent raw XML from leaking to the client.
+	{"<attempt_completion", "</attempt_completion>"},
+	{"<ask_followup_question", "</ask_followup_question>"},
+	{"<new_task", "</new_task>"},
+}
+
+// xmlToolCallBlockPattern matches a complete XML tool call block (wrapper or standalone).
+var xmlToolCallBlockPattern = regexp.MustCompile(`(?is)(<tool_calls>\s*(?:.*?)\s*</tool_calls>|<tool_call>\s*(?:.*?)\s*</tool_call>|<invoke\b[^>]*>(?:.*?)</invoke>|<function_calls?\b[^>]*>(?:.*?)</function_calls?>|<tool_use>(?:.*?)</tool_use>|<attempt_completion>(?:.*?)</attempt_completion>|<ask_followup_question>(?:.*?)</ask_followup_question>|<new_task>(?:.*?)</new_task>)`)
+
+// xmlToolTagsToDetect is the set of XML tag prefixes used by findToolSegmentStart.
+var xmlToolTagsToDetect = []string{"<tool_calls>", "<tool_calls\n", "<tool_call>", "<tool_call\n",
+	"<invoke ", "<invoke>", "<function_call", "<function_calls", "<tool_use>",
+	// Agent-style tags
+	"<attempt_completion>", "<ask_followup_question>", "<new_task>"}
+
+// consumeXMLToolCapture tries to extract complete XML tool call blocks from captured text.
+func consumeXMLToolCapture(captured string, toolNames []string) (prefix string, calls []util.ParsedToolCall, suffix string, ready bool) {
+	lower := strings.ToLower(captured)
+	// Find the FIRST matching open/close pair, preferring wrapper tags.
+	// Tag pairs are ordered longest-first (e.g. <tool_calls before <tool_call)
+	// so wrapper tags are checked before inner tags.
+	for _, pair := range xmlToolCallTagPairs {
+		openIdx := strings.Index(lower, pair.open)
+		if openIdx < 0 {
+			continue
+		}
+		// Find the LAST occurrence of the specific closing tag to get the outermost block.
+		closeIdx := strings.LastIndex(lower, pair.close)
+		if closeIdx < openIdx {
+			// Opening tag is present but its specific closing tag hasn't arrived.
+			// Return not-ready so we keep buffering — do NOT fall through to
+			// try inner pairs (e.g. <tool_call inside <tool_calls).
+			return "", nil, "", false
+		}
+		closeEnd := closeIdx + len(pair.close)
+
+		xmlBlock := captured[openIdx:closeEnd]
+		prefixPart := captured[:openIdx]
+		suffixPart := captured[closeEnd:]
+		parsed := util.ParseToolCalls(xmlBlock, toolNames)
+		if len(parsed) > 0 {
+			prefixPart, suffixPart = trimWrappingJSONFence(prefixPart, suffixPart)
+			return prefixPart, parsed, suffixPart, true
+		}
+		// Looks like XML tool syntax but failed to parse — consume it to avoid leak.
+		return prefixPart, nil, suffixPart, true
+	}
+	return "", nil, "", false
+}
+
+// hasOpenXMLToolTag returns true if captured text contains an XML tool opening tag
+// whose SPECIFIC closing tag has not appeared yet.
+func hasOpenXMLToolTag(captured string) bool {
+	lower := strings.ToLower(captured)
+	for _, pair := range xmlToolCallTagPairs {
+		if strings.Contains(lower, pair.open) {
+			if !strings.Contains(lower, pair.close) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// findPartialXMLToolTagStart checks if the string ends with a partial XML tool tag
+// (e.g., "<tool_ca" or "<inv") and returns the position of the '<'.
+func findPartialXMLToolTagStart(s string) int {
+	lastLT := strings.LastIndex(s, "<")
+	if lastLT < 0 {
+		return -1
+	}
+	tail := s[lastLT:]
+	// If there's a '>' in the tail, the tag is closed — not partial.
+	if strings.Contains(tail, ">") {
+		return -1
+	}
+	lowerTail := strings.ToLower(tail)
+	// Check if the tail is a prefix of any known XML tool tag.
+	for _, tag := range xmlToolCallOpeningTags {
+		tagWithLT := tag
+		if !strings.HasPrefix(tagWithLT, "<") {
+			tagWithLT = "<" + tagWithLT
+		}
+		if strings.HasPrefix(tagWithLT, lowerTail) {
+			return lastLT
+		}
+	}
+	return -1
+}
+
+// looksLikeXMLToolTagFragment returns true if s looks like a fragment from a
+// split XML tool call tag — for example "tool_calls>" or "/tool_call>\n".
+// These fragments arise when '<' was consumed separately and the tail remains.
+func looksLikeXMLToolTagFragment(s string) bool {
+	trimmed := strings.TrimSpace(s)
+	if trimmed == "" {
+		return false
+	}
+	lower := strings.ToLower(trimmed)
+	// Check for closing tag tails like "tool_calls>" or "/tool_calls>"
+	fragments := []string{
+		"tool_calls>", "tool_call>", "/tool_calls>", "/tool_call>",
+		"function_calls>", "function_call>", "/function_calls>", "/function_call>",
+		"invoke>", "/invoke>", "tool_use>", "/tool_use>",
+		"tool_name>", "/tool_name>", "parameters>", "/parameters>",
+		// Agent-style tag fragments
+		"attempt_completion>", "/attempt_completion>",
+		"ask_followup_question>", "/ask_followup_question>",
+		"new_task>", "/new_task>",
+		"result>", "/result>",
+	}
+	for _, f := range fragments {
+		if strings.Contains(lower, f) {
+			return true
+		}
+	}
+	return false
+}

internal/adapter/openai/tool_sieve_xml_test.go

@@ -0,0 +1,319 @@
+package openai
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestProcessToolSieveInterceptsXMLToolCallWithoutLeak(t *testing.T) {
+	var state toolStreamSieveState
+	// Simulate a model producing XML tool call output chunk by chunk.
+	chunks := []string{
+		"<tool_calls>\n",
+		"  <tool_call>\n",
+		"    <tool_name>read_file</tool_name>\n",
+		`    <parameters>{"path":"README.MD"}</parameters>` + "\n",
+		"  </tool_call>\n",
+		"</tool_calls>",
+	}
+	var events []toolStreamEvent
+	for _, c := range chunks {
+		events = append(events, processToolSieveChunk(&state, c, []string{"read_file"})...)
+	}
+	events = append(events, flushToolSieve(&state, []string{"read_file"})...)
+
+	var textContent string
+	var toolCalls int
+	for _, evt := range events {
+		if evt.Content != "" {
+			textContent += evt.Content
+		}
+		toolCalls += len(evt.ToolCalls)
+	}
+
+	if strings.Contains(textContent, "<tool_call") {
+		t.Fatalf("XML tool call content leaked to text: %q", textContent)
+	}
+	if strings.Contains(textContent, "read_file") {
+		t.Fatalf("tool name leaked to text: %q", textContent)
+	}
+	if toolCalls == 0 {
+		t.Fatal("expected tool calls to be extracted, got none")
+	}
+}
+
+func TestProcessToolSieveXMLWithLeadingText(t *testing.T) {
+	var state toolStreamSieveState
+	// Model outputs some prose then an XML tool call.
+	chunks := []string{
+		"Let me check the file.\n",
+		"<tool_calls>\n  <tool_call>\n    <tool_name>read_file</tool_name>\n",
+		`    <parameters>{"path":"go.mod"}</parameters>` + "\n  </tool_call>\n</tool_calls>",
+	}
+	var events []toolStreamEvent
+	for _, c := range chunks {
+		events = append(events, processToolSieveChunk(&state, c, []string{"read_file"})...)
+	}
+	events = append(events, flushToolSieve(&state, []string{"read_file"})...)
+
+	var textContent string
+	var toolCalls int
+	for _, evt := range events {
+		if evt.Content != "" {
+			textContent += evt.Content
+		}
+		toolCalls += len(evt.ToolCalls)
+	}
+
+	// Leading text should be emitted.
+	if !strings.Contains(textContent, "Let me check the file.") {
+		t.Fatalf("expected leading text to be emitted, got %q", textContent)
+	}
+	// The XML itself should NOT leak.
+	if strings.Contains(textContent, "<tool_call") {
+		t.Fatalf("XML tool call content leaked to text: %q", textContent)
+	}
+	if toolCalls == 0 {
+		t.Fatal("expected tool calls to be extracted, got none")
+	}
+}
+
+func TestProcessToolSievePartialXMLTagHeldBack(t *testing.T) {
+	var state toolStreamSieveState
+	// Chunk ends with a partial XML tool tag.
+	events := processToolSieveChunk(&state, "Hello <tool_ca", []string{"read_file"})
+
+	var textContent string
+	for _, evt := range events {
+		textContent += evt.Content
+	}
+
+	// "Hello " should be emitted, but "<tool_ca" should be held back.
+	if strings.Contains(textContent, "<tool_ca") {
+		t.Fatalf("partial XML tag should not be emitted, got %q", textContent)
+	}
+	if !strings.Contains(textContent, "Hello") {
+		t.Fatalf("expected 'Hello' text to be emitted, got %q", textContent)
+	}
+}
+
+func TestFindToolSegmentStartDetectsXMLToolCalls(t *testing.T) {
+	cases := []struct {
+		name  string
+		input string
+		want  int
+	}{
+		{"tool_calls_tag", "some text <tool_calls>\n", 10},
+		{"tool_call_tag", "prefix <tool_call>\n", 7},
+		{"invoke_tag", "text <invoke name=\"foo\">body</invoke>", 5},
+		{"function_call_tag", "<function_call name=\"foo\">body</function_call>", 0},
+		{"no_xml", "just plain text", -1},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			got := findToolSegmentStart(tc.input)
+			if got != tc.want {
+				t.Fatalf("findToolSegmentStart(%q) = %d, want %d", tc.input, got, tc.want)
+			}
+		})
+	}
+}
+
+func TestFindPartialXMLToolTagStart(t *testing.T) {
+	cases := []struct {
+		name  string
+		input string
+		want  int
+	}{
+		{"partial_tool_call", "Hello <tool_ca", 6},
+		{"partial_invoke", "Prefix <inv", 7},
+		{"partial_lt_only", "Text <", 5},
+		{"complete_tag", "Text <tool_call>done", -1},
+		{"no_lt", "plain text", -1},
+		{"closed_lt", "a < b > c", -1},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			got := findPartialXMLToolTagStart(tc.input)
+			if got != tc.want {
+				t.Fatalf("findPartialXMLToolTagStart(%q) = %d, want %d", tc.input, got, tc.want)
+			}
+		})
+	}
+}
+
+func TestHasOpenXMLToolTag(t *testing.T) {
+	if !hasOpenXMLToolTag("<tool_call>\n<tool_name>foo</tool_name>") {
+		t.Fatal("should detect open XML tool tag without closing tag")
+	}
+	if hasOpenXMLToolTag("<tool_call>\n<tool_name>foo</tool_name></tool_call>") {
+		t.Fatal("should return false when closing tag is present")
+	}
+	if hasOpenXMLToolTag("plain text without any XML") {
+		t.Fatal("should return false for plain text")
+	}
+}
+
+// Test the EXACT scenario the user reports: token-by-token streaming where
+// <tool_calls> tag arrives in small pieces.
+func TestProcessToolSieveTokenByTokenXMLNoLeak(t *testing.T) {
+	var state toolStreamSieveState
+	// Simulate DeepSeek model generating tokens one at a time.
+	chunks := []string{
+		"<",
+		"tool",
+		"_calls",
+		">\n",
+		"  <",
+		"tool",
+		"_call",
+		">\n",
+		"    <",
+		"tool",
+		"_name",
+		">",
+		"read",
+		"_file",
+		"</",
+		"tool",
+		"_name",
+		">\n",
+		"    <",
+		"parameters",
+		">",
+		`{"path"`,
+		`: "README.MD"`,
+		`}`,
+		"</",
+		"parameters",
+		">\n",
+		"  </",
+		"tool",
+		"_call",
+		">\n",
+		"</",
+		"tool",
+		"_calls",
+		">",
+	}
+	var events []toolStreamEvent
+	for _, c := range chunks {
+		events = append(events, processToolSieveChunk(&state, c, []string{"read_file"})...)
+	}
+	events = append(events, flushToolSieve(&state, []string{"read_file"})...)
+
+	var textContent string
+	var toolCalls int
+	for _, evt := range events {
+		if evt.Content != "" {
+			textContent += evt.Content
+		}
+		toolCalls += len(evt.ToolCalls)
+	}
+
+	if strings.Contains(textContent, "<tool_call") {
+		t.Fatalf("XML tool call content leaked to text in token-by-token mode: %q", textContent)
+	}
+	if strings.Contains(textContent, "tool_calls>") {
+		t.Fatalf("closing tag fragment leaked to text: %q", textContent)
+	}
+	if strings.Contains(textContent, "read_file") {
+		t.Fatalf("tool name leaked to text: %q", textContent)
+	}
+	if toolCalls == 0 {
+		t.Fatal("expected tool calls to be extracted, got none")
+	}
+}
+
+// Test that flushToolSieve on incomplete XML does NOT leak the raw XML content.
+func TestFlushToolSieveIncompleteXMLDoesNotLeak(t *testing.T) {
+	var state toolStreamSieveState
+	// XML block starts but stream ends before completion.
+	chunks := []string{
+		"<tool_calls>\n",
+		"  <tool_call>\n",
+		"    <tool_name>read_file</tool_name>\n",
+	}
+	var events []toolStreamEvent
+	for _, c := range chunks {
+		events = append(events, processToolSieveChunk(&state, c, []string{"read_file"})...)
+	}
+	// Stream ends abruptly - flush should NOT dump raw XML.
+	events = append(events, flushToolSieve(&state, []string{"read_file"})...)
+
+	var textContent string
+	for _, evt := range events {
+		if evt.Content != "" {
+			textContent += evt.Content
+		}
+	}
+
+	if strings.Contains(textContent, "<tool_call") {
+		t.Fatalf("incomplete XML leaked on flush: %q", textContent)
+	}
+}
+
+// Test that the opening tag "<tool_calls>\n  " is NOT emitted as text content.
+func TestOpeningXMLTagNotLeakedAsContent(t *testing.T) {
+	var state toolStreamSieveState
+	// First chunk is the opening tag - should be held, not emitted.
+	evts1 := processToolSieveChunk(&state, "<tool_calls>\n  ", []string{"read_file"})
+	for _, evt := range evts1 {
+		if strings.Contains(evt.Content, "<tool_calls>") {
+			t.Fatalf("opening tag leaked on first chunk: %q", evt.Content)
+		}
+	}
+
+	// Remaining content arrives.
+	evts2 := processToolSieveChunk(&state, "<tool_call>\n    <tool_name>read_file</tool_name>\n    <parameters>{\"path\":\"README.MD\"}</parameters>\n  </tool_call>\n</tool_calls>", []string{"read_file"})
+	evts2 = append(evts2, flushToolSieve(&state, []string{"read_file"})...)
+
+	var textContent string
+	var toolCalls int
+	allEvents := append(evts1, evts2...)
+	for _, evt := range allEvents {
+		if evt.Content != "" {
+			textContent += evt.Content
+		}
+		toolCalls += len(evt.ToolCalls)
+	}
+
+	if strings.Contains(textContent, "<tool_call") {
+		t.Fatalf("XML content leaked: %q", textContent)
+	}
+	if toolCalls == 0 {
+		t.Fatal("expected tool calls to be extracted")
+	}
+}
+
+func TestProcessToolSieveInterceptsAttemptCompletionLeak(t *testing.T) {
+	var state toolStreamSieveState
+	// Simulate an agent outputting attempt_completion XML tag 
+	// which shouldn't leak to text output, even if it fails to parse as a valid tool.
+	chunks := []string{
+		"Done with task.\n",
+		"<attempt_completion>\n",
+		"  <result>Here is the answer</result>\n",
+		"</attempt_completion>",
+	}
+	var events []toolStreamEvent
+	for _, c := range chunks {
+		events = append(events, processToolSieveChunk(&state, c, []string{"attempt_completion"})...)
+	}
+	events = append(events, flushToolSieve(&state, []string{"attempt_completion"})...)
+
+	var textContent string
+	for _, evt := range events {
+		if evt.Content != "" {
+			textContent += evt.Content
+		}
+	}
+
+	if !strings.Contains(textContent, "Done with task.\n") {
+		t.Fatalf("expected leading text to be emitted, got %q", textContent)
+	}
+
+	if strings.Contains(textContent, "<attempt_completion>") || strings.Contains(textContent, "result>") {
+		t.Fatalf("agent XML tag content leaked to text: %q", textContent)
+	}
+}

internal/js/helpers/stream-tool-sieve/jsonscan.js

@@ -140,9 +140,58 @@ function extractJSONObjectFrom(text, start) {
   return { ok: false, end: 0 };
 }
 
+function extractToolHistoryBlock(captured, keyIdx) {
+  if (typeof captured !== 'string' || keyIdx < 0 || keyIdx >= captured.length) {
+    return { ok: false, start: 0, end: 0 };
+  }
+  const rest = captured.slice(keyIdx).toLowerCase();
+  if (rest.startsWith('[tool_call_history]')) {
+    const closeTag = '[/tool_call_history]';
+    const closeIdx = rest.indexOf(closeTag);
+    if (closeIdx < 0) {
+      return { ok: false, start: 0, end: 0 };
+    }
+    return { ok: true, start: keyIdx, end: keyIdx + closeIdx + closeTag.length };
+  }
+  if (rest.startsWith('[tool_result_history]')) {
+    const closeTag = '[/tool_result_history]';
+    const closeIdx = rest.indexOf(closeTag);
+    if (closeIdx < 0) {
+      return { ok: false, start: 0, end: 0 };
+    }
+    return { ok: true, start: keyIdx, end: keyIdx + closeIdx + closeTag.length };
+  }
+  return { ok: false, start: 0, end: 0 };
+}
+
+function trimWrappingJSONFence(prefix, suffix) {
+  const rightTrimmedPrefix = (prefix || '').replace(/[ \t\r\n]+$/g, '');
+  const fenceIdx = rightTrimmedPrefix.lastIndexOf('```');
+  if (fenceIdx < 0) return { prefix, suffix };
+  const fenceCount = (rightTrimmedPrefix.slice(0, fenceIdx + 3).match(/```/g) || []).length;
+  if (fenceCount % 2 === 0) {
+    return { prefix, suffix };
+  }
+  const header = rightTrimmedPrefix.slice(fenceIdx + 3).trim().toLowerCase();
+  if (header && header !== 'json') {
+    return { prefix, suffix };
+  }
+  const leftTrimmedSuffix = (suffix || '').replace(/^[ \t\r\n]+/g, '');
+  if (!leftTrimmedSuffix.startsWith('```')) {
+    return { prefix, suffix };
+  }
+  const consumed = (suffix || '').length - leftTrimmedSuffix.length;
+  return {
+    prefix: rightTrimmedPrefix.slice(0, fenceIdx),
+    suffix: (suffix || '').slice(consumed + 3),
+  };
+}
+
 module.exports = {
   findObjectFieldValueStart,
   parseJSONStringLiteral,
   skipSpaces,
   extractJSONObjectFrom,
+  extractToolHistoryBlock,
+  trimWrappingJSONFence,
 };

internal/js/helpers/stream-tool-sieve/parse.js

@@ -52,11 +52,26 @@ function parseToolCallsDetailed(text, toolNames) {
   }
 
   const candidates = buildToolCallCandidates(normalized);
+  for (const c of candidates) {
+    if (!isLikelyJSONToolPayloadCandidate(c)) {
+      continue;
+    }
+    const jsonParsed = parseToolCallsPayload(c);
+    if (jsonParsed.length === 0) {
+      continue;
+    }
+    result.sawToolCallSyntax = true;
+    const filteredJSON = filterToolCallsDetailed(jsonParsed, toolNames);
+    result.calls = filteredJSON.calls;
+    result.rejectedToolNames = filteredJSON.rejectedToolNames;
+    result.rejectedByPolicy = filteredJSON.rejectedToolNames.length > 0 && filteredJSON.calls.length === 0;
+    return result;
+  }
   let parsed = [];
   for (const c of candidates) {
-    parsed = parseToolCallsPayload(c);
+    parsed = parseMarkupToolCalls(c);
     if (parsed.length === 0) {
-      parsed = parseMarkupToolCalls(c);
+      parsed = parseToolCallsPayload(c);
     }
     if (parsed.length === 0) {
       parsed = parseTextKVToolCalls(c);
@@ -101,9 +116,24 @@ function parseStandaloneToolCallsDetailed(text, toolNames) {
   const candidates = buildToolCallCandidates(trimmed);
   let parsed = [];
   for (const c of candidates) {
+    if (!isLikelyJSONToolPayloadCandidate(c)) {
+      continue;
+    }
     parsed = parseToolCallsPayload(c);
     if (parsed.length === 0) {
-      parsed = parseMarkupToolCalls(c);
+      continue;
+    }
+    result.sawToolCallSyntax = true;
+    const filteredJSON = filterToolCallsDetailed(parsed, toolNames);
+    result.calls = filteredJSON.calls;
+    result.rejectedToolNames = filteredJSON.rejectedToolNames;
+    result.rejectedByPolicy = filteredJSON.rejectedToolNames.length > 0 && filteredJSON.calls.length === 0;
+    return result;
+  }
+  for (const c of candidates) {
+    parsed = parseMarkupToolCalls(c);
+    if (parsed.length === 0) {
+      parsed = parseToolCallsPayload(c);
     }
     if (parsed.length === 0) {
       parsed = parseTextKVToolCalls(c);
@@ -198,6 +228,18 @@ function shouldSkipToolCallParsingForCodeFenceExample(text) {
   return !looksLikeToolCallSyntax(stripped);
 }
 
+function isLikelyJSONToolPayloadCandidate(text) {
+  const trimmed = toStringSafe(text).trim();
+  if (!trimmed) {
+    return false;
+  }
+  if (!(trimmed.startsWith('{') || trimmed.startsWith('['))) {
+    return false;
+  }
+  const lower = trimmed.toLowerCase();
+  return lower.includes('tool_calls') || lower.includes('"function"');
+}
+
 module.exports = {
   extractToolNames,
   parseToolCalls,

internal/js/helpers/stream-tool-sieve/parse_payload.js

@@ -6,6 +6,8 @@ const TOOL_CALL_MARKUP_SELFCLOSE_PATTERN = /<(?:[a-z0-9_:-]+:)?invoke\b([^>]*)\/
 const TOOL_CALL_MARKUP_KV_PATTERN = /<(?:[a-z0-9_:-]+:)?([a-z0-9_.-]+)\b[^>]*>([\s\S]*?)<\/(?:[a-z0-9_:-]+:)?\1>/gi;
 const TOOL_CALL_MARKUP_ATTR_PATTERN = /(name|function|tool)\s*=\s*"([^"]+)"/i;
 const TOOL_CALL_MARKUP_NAME_PATTERNS = [
+  /<(?:[a-z0-9_:-]+:)?tool_name\b[^>]*>([\s\S]*?)<\/(?:[a-z0-9_:-]+:)?tool_name>/i,
+  /<(?:[a-z0-9_:-]+:)?function_name\b[^>]*>([\s\S]*?)<\/(?:[a-z0-9_:-]+:)?function_name>/i,
   /<(?:[a-z0-9_:-]+:)?name\b[^>]*>([\s\S]*?)<\/(?:[a-z0-9_:-]+:)?name>/i,
   /<(?:[a-z0-9_:-]+:)?function\b[^>]*>([\s\S]*?)<\/(?:[a-z0-9_:-]+:)?function>/i,
 ];

internal/js/helpers/stream-tool-sieve/sieve-xml.js

@@ -0,0 +1,100 @@
+'use strict';
+const { parseToolCalls } = require('./parse');
+
+// Tag pairs ordered longest-first: wrapper tags checked before inner tags.
+const XML_TOOL_TAG_PAIRS = [
+  { open: '<tool_calls', close: '</tool_calls>' },
+  { open: '<tool_call', close: '</tool_call>' },
+  { open: '<function_calls', close: '</function_calls>' },
+  { open: '<function_call', close: '</function_call>' },
+  { open: '<invoke', close: '</invoke>' },
+  { open: '<tool_use', close: '</tool_use>' },
+];
+
+const XML_TOOL_OPENING_TAGS = XML_TOOL_TAG_PAIRS.map(p => p.open);
+
+function consumeXMLToolCapture(captured, toolNames, trimWrappingJSONFence) {
+  const lower = captured.toLowerCase();
+  // Find the FIRST matching open/close pair, preferring wrapper tags.
+  for (const pair of XML_TOOL_TAG_PAIRS) {
+    const openIdx = lower.indexOf(pair.open);
+    if (openIdx < 0) {
+      continue;
+    }
+    // Find the LAST occurrence of the specific closing tag.
+    const closeIdx = lower.lastIndexOf(pair.close);
+    if (closeIdx < openIdx) {
+      // Opening tag present but specific closing tag hasn't arrived.
+      // Return not-ready — do NOT fall through to inner pairs.
+      return { ready: false, prefix: '', calls: [], suffix: '' };
+    }
+    const closeEnd = closeIdx + pair.close.length;
+    const xmlBlock = captured.slice(openIdx, closeEnd);
+    let prefixPart = captured.slice(0, openIdx);
+    let suffixPart = captured.slice(closeEnd);
+    const parsed = parseToolCalls(xmlBlock, toolNames);
+    if (Array.isArray(parsed) && parsed.length > 0) {
+      const trimmedFence = trimWrappingJSONFence(prefixPart, suffixPart);
+      return {
+        ready: true,
+        prefix: trimmedFence.prefix,
+        calls: parsed,
+        suffix: trimmedFence.suffix,
+      };
+    }
+    // XML tool syntax but failed to parse — consume to avoid leak.
+    return { ready: true, prefix: prefixPart, calls: [], suffix: suffixPart };
+  }
+  return { ready: false, prefix: '', calls: [], suffix: '' };
+}
+
+function hasOpenXMLToolTag(captured) {
+  const lower = captured.toLowerCase();
+  for (const pair of XML_TOOL_TAG_PAIRS) {
+    if (lower.includes(pair.open)) {
+      if (!lower.includes(pair.close)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+
+function findPartialXMLToolTagStart(s) {
+  const lastLT = s.lastIndexOf('<');
+  if (lastLT < 0) {
+    return -1;
+  }
+  const tail = s.slice(lastLT);
+  if (tail.includes('>')) {
+    return -1;
+  }
+  const lowerTail = tail.toLowerCase();
+  for (const tag of XML_TOOL_OPENING_TAGS) {
+    const tagWithLT = tag.startsWith('<') ? tag : '<' + tag;
+    if (tagWithLT.startsWith(lowerTail)) {
+      return lastLT;
+    }
+  }
+  return -1;
+}
+
+function looksLikeXMLToolTagFragment(s) {
+  const trimmed = (s || '').trim();
+  if (!trimmed) return false;
+  const lower = trimmed.toLowerCase();
+  const fragments = [
+    'tool_calls>', 'tool_call>', '/tool_calls>', '/tool_call>',
+    'function_calls>', 'function_call>', '/function_calls>', '/function_call>',
+    'invoke>', '/invoke>', 'tool_use>', '/tool_use>',
+    'tool_name>', '/tool_name>', 'parameters>', '/parameters>',
+  ];
+  return fragments.some(f => lower.includes(f));
+}
+
+module.exports = {
+  consumeXMLToolCapture,
+  hasOpenXMLToolTag,
+  findPartialXMLToolTagStart,
+  looksLikeXMLToolTagFragment,
+};

internal/js/helpers/stream-tool-sieve/sieve.js

@@ -5,8 +5,18 @@ const {
   insideCodeFenceWithState,
 } = require('./state');
 const { parseStandaloneToolCallsDetailed } = require('./parse');
-const { extractJSONObjectFrom } = require('./jsonscan');
-const { TOOL_SEGMENT_KEYWORDS, earliestKeywordIndex } = require('./tool-keywords');
+const { extractJSONObjectFrom, extractToolHistoryBlock, trimWrappingJSONFence } = require('./jsonscan');
+const {
+  TOOL_SEGMENT_KEYWORDS,
+  XML_TOOL_SEGMENT_TAGS,
+  earliestKeywordIndex,
+} = require('./tool-keywords');
+const {
+  consumeXMLToolCapture: consumeXMLToolCaptureImpl,
+  hasOpenXMLToolTag,
+  findPartialXMLToolTagStart,
+  looksLikeXMLToolTagFragment,
+} = require('./sieve-xml');
 function processToolSieveChunk(state, chunk, toolNames) {
   if (!state) {
     return [];
@@ -106,16 +116,21 @@ function flushToolSieve(state, toolNames) {
         events.push({ type: 'text', text: consumed.suffix });
       }
     } else if (state.capture) {
-      noteText(state, state.capture);
-      events.push({ type: 'text', text: state.capture });
+      const content = state.capture;
+      if (!hasOpenXMLToolTag(content) && !looksLikeXMLToolTagFragment(content)) {
+        noteText(state, content);
+        events.push({ type: 'text', text: content });
+      }
     }
     state.capture = '';
     state.capturing = false;
     resetIncrementalToolState(state);
   }
   if (state.pending) {
-    noteText(state, state.pending);
-    events.push({ type: 'text', text: state.pending });
+    if (!hasOpenXMLToolTag(state.pending) && !looksLikeXMLToolTagFragment(state.pending)) {
+      noteText(state, state.pending);
+      events.push({ type: 'text', text: state.pending });
+    }
     state.pending = '';
   }
   return events;
@@ -144,6 +159,11 @@ function findSuspiciousPrefixStart(s) {
       start = idx;
     }
   }
+  // Also check for partial XML tool tag at end of string.
+  const xmlIdx = findPartialXMLToolTagStart(s);
+  if (xmlIdx >= 0 && xmlIdx > start) {
+    start = xmlIdx;
+  }
   return start;
 }
 
@@ -154,13 +174,35 @@ function findToolSegmentStart(state, s) {
   const lower = s.toLowerCase();
   let offset = 0;
   while (true) {
-    const { index: bestKeyIdx, keyword: matchedKeyword } = earliestKeywordIndex(lower, TOOL_SEGMENT_KEYWORDS, offset);
+    // Check JSON keywords.
+    let { index: bestKeyIdx, keyword: matchedKeyword } = earliestKeywordIndex(lower, TOOL_SEGMENT_KEYWORDS, offset);
+    // Also check XML tool tags.
+    for (const tag of XML_TOOL_SEGMENT_TAGS) {
+      const idx = lower.indexOf(tag, offset);
+      if (idx >= 0 && (bestKeyIdx < 0 || idx < bestKeyIdx)) {
+        bestKeyIdx = idx;
+        matchedKeyword = tag;
+      }
+    }
     if (bestKeyIdx < 0) {
       return -1;
     }
+    // For XML tags, the '<' is itself the segment start.
+    if (s[bestKeyIdx] === '<') {
+      if (!insideCodeFenceWithState(state, s.slice(0, bestKeyIdx))) {
+        return bestKeyIdx;
+      }
+      offset = bestKeyIdx + matchedKeyword.length;
+      continue;
+    }
     const keyIdx = bestKeyIdx;
     const start = s.slice(0, keyIdx).lastIndexOf('{');
-    const candidateStart = start >= 0 ? start : keyIdx;
+    let candidateStart = start >= 0 ? start : keyIdx;
+    // If the keyword matched inside an XML tag (e.g. "tool_calls" in "<tool_calls>"),
+    // back up past the '<' to capture the full tag.
+    if (candidateStart > 0 && s[candidateStart - 1] === '<') {
+      candidateStart--;
+    }
     if (!insideCodeFenceWithState(state, s.slice(0, candidateStart))) {
       return candidateStart;
     }
@@ -173,6 +215,17 @@ function consumeToolCapture(state, toolNames) {
   if (!captured) {
     return { ready: false, prefix: '', calls: [], suffix: '' };
   }
+
+  // Try XML tool call extraction first.
+  const xmlResult = consumeXMLToolCaptureImpl(captured, toolNames, trimWrappingJSONFence);
+  if (xmlResult.ready) {
+    return xmlResult;
+  }
+  // If XML tags are present but block is incomplete, keep buffering.
+  if (hasOpenXMLToolTag(captured)) {
+    return { ready: false, prefix: '', calls: [], suffix: '' };
+  }
+
   const lower = captured.toLowerCase();
   const { index: keyIdx } = earliestKeywordIndex(lower, TOOL_SEGMENT_KEYWORDS);
   if (keyIdx < 0) {
@@ -231,52 +284,6 @@ function consumeToolCapture(state, toolNames) {
   };
 }
 
-function extractToolHistoryBlock(captured, keyIdx) {
-  if (typeof captured !== 'string' || keyIdx < 0 || keyIdx >= captured.length) {
-    return { ok: false, start: 0, end: 0 };
-  }
-  const rest = captured.slice(keyIdx).toLowerCase();
-  if (rest.startsWith('[tool_call_history]')) {
-    const closeTag = '[/tool_call_history]';
-    const closeIdx = rest.indexOf(closeTag);
-    if (closeIdx < 0) {
-      return { ok: false, start: 0, end: 0 };
-    }
-    return { ok: true, start: keyIdx, end: keyIdx + closeIdx + closeTag.length };
-  }
-  if (rest.startsWith('[tool_result_history]')) {
-    const closeTag = '[/tool_result_history]';
-    const closeIdx = rest.indexOf(closeTag);
-    if (closeIdx < 0) {
-      return { ok: false, start: 0, end: 0 };
-    }
-    return { ok: true, start: keyIdx, end: keyIdx + closeIdx + closeTag.length };
-  }
-  return { ok: false, start: 0, end: 0 };
-}
-
-function trimWrappingJSONFence(prefix, suffix) {
-  const rightTrimmedPrefix = (prefix || '').replace(/[ \t\r\n]+$/g, '');
-  const fenceIdx = rightTrimmedPrefix.lastIndexOf('```');
-  if (fenceIdx < 0) return { prefix, suffix };
-  const fenceCount = (rightTrimmedPrefix.slice(0, fenceIdx + 3).match(/```/g) || []).length;
-  if (fenceCount % 2 === 0) {
-    return { prefix, suffix };
-  }
-  const header = rightTrimmedPrefix.slice(fenceIdx + 3).trim().toLowerCase();
-  if (header && header !== 'json') {
-    return { prefix, suffix };
-  }
-  const leftTrimmedSuffix = (suffix || '').replace(/^[ \t\r\n]+/g, '');
-  if (!leftTrimmedSuffix.startsWith('```')) {
-    return { prefix, suffix };
-  }
-  const consumed = (suffix || '').length - leftTrimmedSuffix.length;
-  return {
-    prefix: rightTrimmedPrefix.slice(0, fenceIdx),
-    suffix: (suffix || '').slice(consumed + 3),
-  };
-}
 module.exports = {
   processToolSieveChunk,
   flushToolSieve,

internal/js/helpers/stream-tool-sieve/tool-keywords.js

@@ -8,6 +8,19 @@ const TOOL_SEGMENT_KEYWORDS = [
   '[tool_result_history]',
 ];
 
+const XML_TOOL_SEGMENT_TAGS = [
+  '<tool_calls>', '<tool_calls\n', '<tool_call>', '<tool_call\n',
+  '<invoke ', '<invoke>', '<function_call', '<function_calls', '<tool_use>',
+];
+
+const XML_TOOL_OPENING_TAGS = [
+  '<tool_calls', '<tool_call', '<invoke', '<function_call', '<function_calls', '<tool_use',
+];
+
+const XML_TOOL_CLOSING_TAGS = [
+  '</tool_calls>', '</tool_call>', '</invoke>', '</function_call>', '</function_calls>', '</tool_use>',
+];
+
 function earliestKeywordIndex(text, keywords = TOOL_SEGMENT_KEYWORDS, offset = 0) {
   if (!text) {
     return { index: -1, keyword: '' };
@@ -26,5 +39,8 @@ function earliestKeywordIndex(text, keywords = TOOL_SEGMENT_KEYWORDS, offset = 0
 
 module.exports = {
   TOOL_SEGMENT_KEYWORDS,
+  XML_TOOL_SEGMENT_TAGS,
+  XML_TOOL_OPENING_TAGS,
+  XML_TOOL_CLOSING_TAGS,
   earliestKeywordIndex,
 };

internal/prompt/messages.go

@@ -42,12 +42,15 @@ func MessagesPrepare(messages []map[string]any) string {
 			} else {
 				parts = append(parts, m.Text)
 			}
-		case "user", "system":
-			if i > 0 {
-				parts = append(parts, "<｜User｜>"+m.Text)
-			} else {
-				parts = append(parts, m.Text)
+		case "system":
+			// Clear system boundary improves R1 and V3 context understanding significantly
+			if strings.TrimSpace(m.Text) != "" {
+				parts = append(parts, "<system_instructions>\n"+strings.TrimSpace(m.Text)+"\n</system_instructions>\n\n")
 			}
+		case "user":
+			// Always prepend <｜User｜> to user messages. DeepSeek R1 reasoning triggers best
+			// and aligns context perfectly when the user turn is explicitly marked.
+			parts = append(parts, "<｜User｜>"+m.Text)
 		default:
 			parts = append(parts, m.Text)
 		}

internal/util/messages_test.go

@@ -12,7 +12,7 @@ func TestMessagesPrepareBasic(t *testing.T) {
 	if got == "" {
 		t.Fatal("expected non-empty prompt")
 	}
-	if got != "Hello" {
+	if got != "<｜User｜>Hello" {
 		t.Fatalf("unexpected prompt: %q", got)
 	}
 }
@@ -55,7 +55,7 @@ func TestMessagesPrepareArrayTextVariants(t *testing.T) {
 		},
 	}
 	got := MessagesPrepare(messages)
-	if got != "line1\nline2" {
+	if got != "<｜User｜>line1\nline2" {
 		t.Fatalf("unexpected content from text variants: %q", got)
 	}
 }

internal/util/tool_prompt.go

@@ -0,0 +1,99 @@
+package util
+
+// BuildToolCallInstructions generates the unified tool-calling instruction block
+// used by all adapters (OpenAI, Claude, Gemini). It uses attention-optimized
+// structure: rules → negative examples → positive examples → anchor.
+//
+// The toolNames slice should contain the actual tool names available in the
+// current request; the function picks real names for examples.
+func BuildToolCallInstructions(toolNames []string) string {
+	// Pick real tool names for examples; fall back to generic names.
+	ex1 := "read_file"
+	ex2 := "write_to_file"
+	ex3 := "ask_followup_question"
+	used := map[string]bool{}
+	for _, n := range toolNames {
+		switch {
+		// Read/query-type tools
+		case !used["ex1"] && matchAny(n, "read_file", "list_files", "search_files", "Read", "Glob"):
+			ex1 = n
+			used["ex1"] = true
+		// Write/execute-type tools
+		case !used["ex2"] && matchAny(n, "write_to_file", "apply_diff", "execute_command", "Write", "Edit", "MultiEdit", "Bash"):
+			ex2 = n
+			used["ex2"] = true
+		// Interactive/meta tools
+		case !used["ex3"] && matchAny(n, "ask_followup_question", "attempt_completion", "update_todo_list", "Task"):
+			ex3 = n
+			used["ex3"] = true
+		}
+	}
+
+	return `TOOL CALL FORMAT — FOLLOW EXACTLY:
+
+When calling tools, emit ONLY raw XML. No text before, no text after, no markdown fences.
+
+<tool_calls>
+  <tool_call>
+    <tool_name>TOOL_NAME_HERE</tool_name>
+    <parameters>{"key":"value"}</parameters>
+  </tool_call>
+</tool_calls>
+
+RULES:
+1) Output ONLY the XML above when calling tools. Do NOT mix tool XML with regular text.
+2) <parameters> MUST contain a strict JSON object. All JSON keys and strings use double quotes.
+3) Multiple tools → multiple <tool_call> blocks inside ONE <tool_calls> root.
+4) Do NOT wrap the XML in markdown code fences (no triple backticks).
+5) After receiving a tool result, use it directly. Only call another tool if the result is insufficient.
+6) If you want to say something AND call a tool, output text first, then the XML block on its own.
+
+❌ WRONG — Do NOT do these:
+Wrong 1 — mixed text and XML:
+  I'll read the file for you. <tool_calls><tool_call>...
+Wrong 2 — describing tool calls in text:
+  [调用 Bash] {"command": "ls"}
+Wrong 3 — missing <tool_calls> wrapper:
+  <tool_call><tool_name>` + ex1 + `</tool_name><parameters>{}</parameters></tool_call>
+
+✅ CORRECT EXAMPLES:
+
+Example A — Single tool:
+<tool_calls>
+  <tool_call>
+    <tool_name>` + ex1 + `</tool_name>
+    <parameters>{"path":"src/main.go"}</parameters>
+  </tool_call>
+</tool_calls>
+
+Example B — Two tools in parallel:
+<tool_calls>
+  <tool_call>
+    <tool_name>` + ex1 + `</tool_name>
+    <parameters>{"path":"config.json"}</parameters>
+  </tool_call>
+  <tool_call>
+    <tool_name>` + ex2 + `</tool_name>
+    <parameters>{"path":"output.txt","content":"Hello world"}</parameters>
+  </tool_call>
+</tool_calls>
+
+Example C — Tool with complex nested JSON parameters:
+<tool_calls>
+  <tool_call>
+    <tool_name>` + ex3 + `</tool_name>
+    <parameters>{"question":"Which approach do you prefer?","follow_up":[{"text":"Option A"},{"text":"Option B"}]}</parameters>
+  </tool_call>
+</tool_calls>
+
+Remember: Output ONLY the <tool_calls>...</tool_calls> XML block when calling tools.`
+}
+
+func matchAny(name string, candidates ...string) bool {
+	for _, c := range candidates {
+		if name == c {
+			return true
+		}
+	}
+	return false
+}

internal/util/toolcalls_parse.go

@@ -32,15 +32,31 @@ func ParseToolCallsDetailed(text string, availableToolNames []string) ToolCallPa
 	}
 
 	candidates := buildToolCallCandidates(text)
-	var parsed []ParsedToolCall
 	for _, candidate := range candidates {
+		if !isLikelyJSONToolPayloadCandidate(candidate) {
+			continue
+		}
 		tc := parseToolCallsPayload(candidate)
 		if len(tc) == 0 {
-			tc = parseXMLToolCalls(candidate)
+			continue
 		}
+		parsed := tc
+		calls, rejectedNames := filterToolCallsDetailed(parsed, availableToolNames)
+		result.Calls = calls
+		result.RejectedToolNames = rejectedNames
+		result.RejectedByPolicy = len(rejectedNames) > 0 && len(calls) == 0
+		result.SawToolCallSyntax = true
+		return result
+	}
+	var parsed []ParsedToolCall
+	for _, candidate := range candidates {
+		tc := parseXMLToolCalls(candidate)
 		if len(tc) == 0 {
 			tc = parseMarkupToolCalls(candidate)
 		}
+		if len(tc) == 0 {
+			tc = parseToolCallsPayload(candidate)
+		}
 		if len(tc) == 0 {
 			tc = parseTextKVToolCalls(candidate)
 		}
@@ -84,17 +100,32 @@ func ParseStandaloneToolCallsDetailed(text string, availableToolNames []string)
 	candidates := buildToolCallCandidates(trimmed)
 	var parsed []ParsedToolCall
 	for _, candidate := range candidates {
-		candidate = strings.TrimSpace(candidate)
-		if candidate == "" {
+		if !isLikelyJSONToolPayloadCandidate(candidate) {
 			continue
 		}
 		parsed = parseToolCallsPayload(candidate)
 		if len(parsed) == 0 {
-			parsed = parseXMLToolCalls(candidate)
+			continue
 		}
+		result.SawToolCallSyntax = true
+		calls, rejectedNames := filterToolCallsDetailed(parsed, availableToolNames)
+		result.Calls = calls
+		result.RejectedToolNames = rejectedNames
+		result.RejectedByPolicy = len(rejectedNames) > 0 && len(calls) == 0
+		return result
+	}
+	for _, candidate := range candidates {
+		candidate = strings.TrimSpace(candidate)
+		if candidate == "" {
+			continue
+		}
+		parsed = parseXMLToolCalls(candidate)
 		if len(parsed) == 0 {
 			parsed = parseMarkupToolCalls(candidate)
 		}
+		if len(parsed) == 0 {
+			parsed = parseToolCallsPayload(candidate)
+		}
 		if len(parsed) == 0 {
 			parsed = parseTextKVToolCalls(candidate)
 		}
@@ -165,6 +196,18 @@ func parseToolCallsPayload(payload string) []ParsedToolCall {
 	return nil
 }
 
+func isLikelyJSONToolPayloadCandidate(candidate string) bool {
+	trimmed := strings.TrimSpace(candidate)
+	if trimmed == "" {
+		return false
+	}
+	if !(strings.HasPrefix(trimmed, "{") || strings.HasPrefix(trimmed, "[")) {
+		return false
+	}
+	lower := strings.ToLower(trimmed)
+	return strings.Contains(lower, "tool_calls") || strings.Contains(lower, "\"function\"")
+}
+
 func isLikelyChatMessageEnvelope(v map[string]any) bool {
 	if v == nil {
 		return false

internal/util/toolcalls_parse_markup.go

@@ -104,6 +104,34 @@ func parseSingleXMLToolCall(block string) (ParsedToolCall, bool) {
 				}
 			case "parameters":
 				inParams = true
+				var node struct {
+					Inner string `xml:",innerxml"`
+				}
+				if err := dec.DecodeElement(&node, &t); err == nil {
+					inner := strings.TrimSpace(node.Inner)
+					if inner != "" {
+						if parsed := parseToolCallInput(inner); len(parsed) > 0 {
+							if len(parsed) == 1 {
+								if _, onlyRaw := parsed["_raw"]; onlyRaw {
+									if kv := parseMarkupKVObject(inner); len(kv) > 0 {
+										for k, vv := range kv {
+											params[k] = vv
+										}
+										break
+									}
+								}
+							}
+							for k, vv := range parsed {
+								params[k] = vv
+							}
+						} else if kv := parseMarkupKVObject(inner); len(kv) > 0 {
+							for k, vv := range kv {
+								params[k] = vv
+							}
+						}
+					}
+				}
+				inParams = false
 			case "tool_name", "name":
 				var v string
 				if err := dec.DecodeElement(&v, &t); err == nil && strings.TrimSpace(v) != "" {

internal/util/toolcalls_test.go

@@ -162,6 +162,34 @@ func TestParseToolCallsSupportsClaudeXMLToolCall(t *testing.T) {
 	}
 }
 
+func TestParseToolCallsSupportsCanonicalXMLParametersJSON(t *testing.T) {
+	text := `<tool_call><tool_name>get_weather</tool_name><parameters>{"city":"beijing","unit":"c"}</parameters></tool_call>`
+	calls := ParseToolCalls(text, []string{"get_weather"})
+	if len(calls) != 1 {
+		t.Fatalf("expected 1 call, got %#v", calls)
+	}
+	if calls[0].Name != "get_weather" {
+		t.Fatalf("expected tool name get_weather, got %q", calls[0].Name)
+	}
+	if calls[0].Input["city"] != "beijing" || calls[0].Input["unit"] != "c" {
+		t.Fatalf("expected parsed json parameters, got %#v", calls[0].Input)
+	}
+}
+
+func TestParseToolCallsPrefersJSONPayloadOverIncidentalXMLInString(t *testing.T) {
+	text := `{"tool_calls":[{"name":"search","input":{"q":"latest <tool_call><tool_name>wrong</tool_name><parameters>{\"x\":1}</parameters></tool_call>"}}]}`
+	calls := ParseToolCallsDetailed(text, []string{"search"}).Calls
+	if len(calls) != 1 {
+		t.Fatalf("expected 1 call, got %#v", calls)
+	}
+	if calls[0].Name != "search" {
+		t.Fatalf("expected tool name search, got %q", calls[0].Name)
+	}
+	if calls[0].Input["q"] == nil {
+		t.Fatalf("expected q argument from json payload, got %#v", calls[0].Input)
+	}
+}
+
 func TestParseToolCallsDetailedMarksXMLToolCallSyntax(t *testing.T) {
 	text := `<tool_call><tool_name>Bash</tool_name><parameters><command>pwd</command></parameters></tool_call>`
 	res := ParseToolCallsDetailed(text, []string{"bash"})

internal/util/util_edge_test.go

@@ -162,13 +162,16 @@ func TestMessagesPrepareMergesConsecutiveSameRole(t *testing.T) {
 		{"role": "user", "content": "World"},
 	}
 	got := MessagesPrepare(messages)
+	if !strings.HasPrefix(got, "<｜User｜>") {
+		t.Fatalf("expected user marker at the start, got %q", got)
+	}
 	if !strings.Contains(got, "Hello") || !strings.Contains(got, "World") {
 		t.Fatalf("expected both messages, got %q", got)
 	}
-	// Should be merged without <｜User｜> between them
+	// Should be merged into a single user turn with one marker at the start.
 	count := strings.Count(got, "<｜User｜>")
-	if count != 0 {
-		t.Fatalf("expected no User marker for first message pair, got %d occurrences", count)
+	if count != 1 {
+		t.Fatalf("expected one User marker for the merged pair, got %d occurrences", count)
 	}
 }
 

plans/node-syntax-gate-targets.txt

@@ -16,6 +16,8 @@ internal/js/helpers/stream-tool-sieve.js
 internal/js/helpers/stream-tool-sieve/index.js
 internal/js/helpers/stream-tool-sieve/state.js
 internal/js/helpers/stream-tool-sieve/sieve.js
+internal/js/helpers/stream-tool-sieve/sieve-xml.js
 internal/js/helpers/stream-tool-sieve/jsonscan.js
 internal/js/helpers/stream-tool-sieve/parse.js
 internal/js/helpers/stream-tool-sieve/format.js
+internal/js/helpers/stream-tool-sieve/tool-keywords.js

plans/refactor-line-gate-targets.txt

@@ -53,6 +53,7 @@ internal/adapter/openai/responses_stream_runtime_events.go
 internal/adapter/openai/responses_stream_runtime_toolcalls.go
 internal/adapter/openai/tool_sieve_state.go
 internal/adapter/openai/tool_sieve_core.go
+internal/adapter/openai/tool_sieve_xml.go
 internal/adapter/openai/tool_sieve_jsonscan.go
 
 internal/util/toolcalls_parse.go
@@ -106,6 +107,7 @@ internal/js/helpers/stream-tool-sieve.js
 internal/js/helpers/stream-tool-sieve/index.js
 internal/js/helpers/stream-tool-sieve/state.js
 internal/js/helpers/stream-tool-sieve/sieve.js
+internal/js/helpers/stream-tool-sieve/sieve-xml.js
 internal/js/helpers/stream-tool-sieve/jsonscan.js
 internal/js/helpers/stream-tool-sieve/parse.js
 internal/js/helpers/stream-tool-sieve/format.js

tests/compat/expected/toolcalls_json_payload_with_incidental_xml_text.json

@@ -0,0 +1,13 @@
+{
+  "calls": [
+    {
+      "name": "search",
+      "input": {
+        "q": "latest <tool_call><tool_name>wrong</tool_name><parameters>{\"x\":1}</parameters></tool_call>"
+      }
+    }
+  ],
+  "sawToolCallSyntax": true,
+  "rejectedByPolicy": false,
+  "rejectedToolNames": []
+}

tests/compat/expected/toolcalls_xml_tool_name_parameters_json.json

@@ -0,0 +1,14 @@
+{
+  "calls": [
+    {
+      "name": "get_weather",
+      "input": {
+        "city": "beijing",
+        "unit": "c"
+      }
+    }
+  ],
+  "sawToolCallSyntax": true,
+  "rejectedByPolicy": false,
+  "rejectedToolNames": []
+}

tests/compat/fixtures/toolcalls/json_payload_with_incidental_xml_text.json

@@ -0,0 +1,6 @@
+{
+  "text": "{\"tool_calls\":[{\"name\":\"search\",\"input\":{\"q\":\"latest <tool_call><tool_name>wrong</tool_name><parameters>{\\\"x\\\":1}</parameters></tool_call>\"}}]}",
+  "tool_names": [
+    "search"
+  ]
+}

tests/compat/fixtures/toolcalls/xml_tool_name_parameters_json.json

@@ -0,0 +1,6 @@
+{
+  "text": "<tool_call><tool_name>get_weather</tool_name><parameters>{\"city\":\"beijing\",\"unit\":\"c\"}</parameters></tool_call>",
+  "tool_names": [
+    "get_weather"
+  ]
+}

tests/node/stream-tool-sieve.test.js

@@ -213,6 +213,22 @@ test('sieve flushes incomplete captured tool json as text on stream finalize', (
   assert.equal(leakedText.includes('{'), true);
 });
 
+test('sieve flushes incomplete captured XML tool blocks without leaking raw tags', () => {
+  const events = runSieve(
+    [
+      '前置正文G。',
+      '<tool_calls>\n',
+      '  <tool_call>\n',
+      '    <tool_name>read_file</tool_name>\n',
+    ],
+    ['read_file'],
+  );
+  const leakedText = collectText(events);
+  assert.equal(leakedText.includes('前置正文G。'), true);
+  assert.equal(leakedText.toLowerCase().includes('tool_calls'), false);
+  assert.equal(leakedText.includes('<tool_call'), false);
+});
+
 test('sieve still intercepts large tool json payloads over previous capture limit', () => {
   const large = 'a'.repeat(9000);
   const payload = `{"tool_calls":[{"name":"read_file","input":{"path":"${large}"}}]}`;