[Feature] Detect low-yield repeated probing on the same investigation target

[Astro-Han]

What task are you trying to do?

We want PawWork to recognize when an agent has moved from a legitimate retry or fallback into low-yield repeated probing of the same investigation target, then summarize the blocker and ask the user instead of continuing to spin.

What do you do today?

The current loop diagnostics added in PR #204 correctly detect repeated identical tool inputs and repeated identical tool error classes, and inject a one-time reminder after the third repeat. That worked for a recent session at the start: three webfetch calls hit the same GitHub Pages 404 and the error_repeat reminder was injected.

However, the model then escaped the current detector by changing tool family and slightly changing the command each time. In the same session, it switched into a long run of read-only bash probes against the same target, for example repeated curl plus different grep variants against https://datawhalechina.github.io/. These calls were technically successful and the command strings differed, so they no longer matched the current repeated-input or repeated-error heuristics, even though user-visible progress had effectively stalled.

What would a good result look like?

PawWork tracks investigation progress at the target level, not only at the exact command or exact error level. When the agent keeps probing the same page, domain, repo, or resource family with low information gain across multiple turns or tool families, the harness should treat that as suspected stuck behavior.

A good result should:

• distinguish legitimate exploration from low-yield probing on the same target
• survive tool-family changes such as webfetch to bash when the underlying target is unchanged
• persist the stuck suspicion beyond a single one-shot reminder when behavior does not improve
• trigger a summarize-and-ask path when high-confidence stuck behavior is detected
• avoid forcing early interruption when the agent is still discovering genuinely new targets or evidence

Which audience does this matter to most?

Both

Extra context

A recent session showed the current boundary clearly: PR #204 did fire once on repeated webfetch 404s, so the problem is not that diagnostics were absent. The gap is that the model then switched to many slightly different bash reads on the same URL and continued for a long time until provider quota stopped the run.

This issue should stay practical and product-facing. It is not a request for a complex agent scheduler, broad model-specific patching, or a full harness rewrite. The smallest useful direction is likely some combination of:

• target-level investigation grouping
• low-information-progress signals for read-only probing
• a persistent suspected-stuck state instead of a one-time reminder only
• a stronger summarize-and-ask escalation path once the model has already ignored the earlier warning

Positive and negative examples

Positive example, should NOT be treated as stuck:
A GLM-5.1 session asked how https://datawhalechina.github.io/ was implemented. It saw two direct webfetch 404s on the GitHub Pages URL, then quickly pivoted to genuinely new targets and evidence: the GitHub organization page, the candidate Pages repo, the site headers, and finally https://www.datawhale.cn. After that it summarized the finding that the GitHub Pages URL was no longer the real site, explained the likely implementation options, asked one clarifying question, and finished normally. This is a good example of legitimate fallback and target expansion after an initial 404.

Negative example, SHOULD be treated as suspected stuck:
A Kimi K2.6 session on the same user task also hit repeated webfetch 404s, which correctly triggered the current PR #204 reminder. But after that reminder it escaped the detector by switching tool family and issuing a large number of read-only bash probes against the same underlying target, such as repeated curl plus different grep variants over the GitHub Pages 404 HTML. The exact command strings changed and many calls technically succeeded, but user-visible progress did not. This is the failure mode we want to catch.

Acceptance criteria

• The harness can recognize repeated low-yield probing on the same investigation target even when exact commands differ.
• Detection can span more than one tool family when the underlying target is the same.
• The design distinguishes low-yield probing from real progress that introduces new targets or meaningful new evidence.
• The user sees a summarize-and-ask outcome instead of a long silent spin once high-confidence stuck behavior is reached.
• The implementation remains lightweight, local-first, and explainable during session debugging.

[Astro-Han]

Adding another concrete session sample for this issue.

This one is a simpler and stronger failure case than the earlier tool-family-switching example. PR #204 did detect the loop and injected the error_repeat reminder at the third repeated webfetch 404, but the model still continued repeating the same two missing GitHub files until the user manually interrupted it.

Evidence from the exported session:

• model: qwen3.6-plus
• repeated tool family: webfetch
• repeated targets:
  • https://github.com/jackwener/opencli/blob/main/skills/opencli-oneshot/SKILL.md
  • https://github.com/jackwener/opencli/blob/main/skills/opencli-explorer/SKILL.md
• both returned GitHub 404
• PR fix: add session loop diagnostics #204 reminder was injected once at errorRepeatCount=3
• the run continued to inputRepeatCount=65 and errorRepeatCount=130
• the user finally had to interrupt with 你进入死循环了

This suggests the escalation rule should cover not only target-level probing that changes tool family or command shape, but also the simpler case where the same repeated-error detector has already fired and the model keeps repeating afterward.

Possible acceptance-criteria refinement:

• After a loop reminder has been injected, continued repeats on the same input, target, or error fingerprint should escalate from model-facing reminder to summarize-and-ask, instead of allowing silent spinning indefinitely.

[Astro-Han]

Adding one more impact note from local monitoring.

This failure mode is not only a conversation-quality issue. It can also become a desktop resource issue.

In the exported session, the repeated webfetch loop produced a long sequence of failed tool parts. After the user interrupted the loop, PawWork still had to render a large conversation with many repeated failed tool cards. Local process sampling showed the Electron renderer staying around 23% to 60% CPU after the task had already ended, while memory stayed roughly flat around 580 MB to 585 MB.

So the impact has two layers:

• backend/session layer: repeated model turns and repeated tool calls waste time, tokens, network requests, and provider quota
• renderer/UI layer: the accumulated repeated tool parts can keep the desktop UI expensive to render even after the agent stops

This strengthens the case for escalating after a loop reminder has already fired. The desired behavior should be summarize-and-ask, or otherwise stop the loop, before the session grows into a resource-heavy UI state.

[Astro-Han]

Design proposal after comparing Qwen Code / Gemini CLI / Kimi Code and reviewing the recent session export.

The direction should be to enhance the existing PR #204 SessionDiagnostics path, not introduce a parallel loop system. PR #204 already gives us the right foundation: per-tool loop metadata, normalized input/target/error fingerprints, and one model-facing reminder after the third repeat. The missing piece is escalation. Once the harness has high-confidence evidence that the same loop continues after the reminder, PawWork should automatically recover or stop instead of relying on the model to obey a one-shot reminder.

Product behavior

The user experience should stay quiet and reassuring. PawWork should not show a modal, should not ask the user to choose continue/stop, and should not switch to another model automatically. Recovery should use the same model. The only visible signal during recovery should be a lightweight aggregate status in the existing thinking/status area, for example 正在调整重复操作.... If recovery succeeds, the chat transcript does not need an extra explanation. If recovery fails, PawWork should stop the current turn with one concise user-readable sentence explaining the blocker.

Detector scope for v1

Keep the first blocking version deterministic. The harness should block only high-confidence repeated signatures:

• same_input: same parentID + tool + inputHash
• same_error: same parentID + tool + errorFingerprint
• same_target_failure: same parentID + tool + targetHash + errorFingerprint, such as the same URL repeatedly returning 404

Qwen-style weaker-model signals are still useful, but should start in shadow mode only:

• read_churn_shadow: repeated read-only probing in a short window
• action_stagnation_shadow: same tool family repeatedly called with low apparent progress

Do not add thought_repeat in v1 because PawWork does not currently have a stable structured thought signal to evaluate.

State machine

Use a small state machine inside SessionDiagnostics metadata:

observe
  -> count 3: recover
  -> count 5: block + auto_resume
  -> recurring after auto_resume: stop

observe records metadata only. recover injects a synthetic internal reminder before the next model request. block + auto_resume prevents the exact same repeated action from executing again, writes a synthetic blocked tool result so the model can see the harness decision, then automatically resumes once with the same model. stop ends the turn if the same loop family and signature recur after auto-resume.

Recovery prompt

The existing reminder should evolve from a generic nudge into a structured recovery instruction, still synthetic and not shown as user-authored text:

<system-reminder>
The last tool action is repeating without progress.

Loop type: same_target_failure
Repeated count: 3
Blocked signature: webfetch:url:https://github.com/...
Last failure: 404 Not Found

Do not call the same signature again in this turn.
Use a different source, change the query, or summarize the blocker.
</system-reminder>

The important difference from PR #204 is that this is paired with a short-lived blocklist. After recovery starts, the model cannot execute the exact same signature again in the same user turn. The blocklist should be narrow: block the same URL, file, command target, or normalized input signature, not the entire tool.

Block and auto-resume

When count reaches 5, PawWork should not execute the repeated tool call again. It should synthesize a tool result like:

blocked: repeated_same_signature
reason: this exact action has already failed 5 times

Then the prompt loop should automatically continue once with the same model and recovery context. This gives the model a clear, model-visible reason to change strategy while keeping the user out of the loop.

If the auto-resume hits the same loop family and signature again, PawWork should stop the turn and produce a concise final message, for example:

我在同一个失败操作上重复了多次，已停止继续尝试。当前卡点是：GitHub 返回 404，目标 URL 是 ...

Do not expose internal counts or detector details in the final user message unless the user asks for debugging details.

Data shape

Extend SessionDiagnostics.LoopMetadata rather than adding a new subsystem. A possible shape:

type LoopType =
  | "same_input"
  | "same_error"
  | "same_target_failure"
  | "read_churn_shadow"
  | "action_stagnation_shadow"

type LoopAction = "observe" | "recover" | "block" | "stop"

type LoopIntervention = {
  id: string
  type: LoopType
  action: LoopAction
  signature: string
  count: number
  createdAt: number
  recoveryAttempt?: number
  status: "pending" | "applied"
}

Keep the old reminders fields compatible during migration. Internally, the old reminder can be treated as a recover intervention.

Export diagnostics

Use the diagnostics: {} extension point from PR #234 only for a summary. Do not duplicate every event into the top-level export field. Full evidence already lives in message/tool part metadata. A good export summary is enough:

{
  "diagnostics": {
    "loop": {
      "interventions": {
        "observed": 12,
        "recovered": 3,
        "blocked": 1,
        "stopped": 0
      },
      "shadow": {
        "read_churn": 4,
        "action_stagnation": 2
      },
      "last": {
        "type": "same_target_failure",
        "action": "block",
        "tool": "webfetch",
        "count": 5
      }
    }
  }
}

This keeps the local session export useful for debugging without turning it into a second logging platform.

Suggested implementation order

1. Extend SessionDiagnostics types and pure function tests.
2. Have processor.ts write interventions into tool metadata while preserving existing reminder behavior.
3. Have prompt.ts consume recover interventions and generate the structured synthetic reminder.
4. Add a turn-local blocklist and synthetic blocked tool result for block interventions.
5. Add one automatic same-model resume after block.
6. Add recurrence stop when the same loop family and signature recur after auto-resume.
7. Add the lightweight thinking/status summary.
8. Add top-level loop summary to session export diagnostics.

Non-goals

• Do not change model automatically.
• Do not add a user modal or confirmation choice.
• Do not only stop without a recovery attempt.
• Do not add an LLM-based loop judge in v1.
• Do not make Qwen-style read churn or action stagnation blocking by default in v1.
• Do not turn export diagnostics into a full event log.

This satisfies the three-question filter: it reuses the least possible existing mechanism from PR #204, it is good enough to stop the exported webfetch 404 loop, and it is reassuring because the behavior is deterministic, same-model, quiet, explainable, and visible in session export for debugging.

[Astro-Han]

Spec for issue #229 v1, revised through three crosscheck rounds. The escalation shape is unchanged from the original Q&A pass; the schema and gate algorithm have been hardened against unreachable states, missing data paths, and ambiguous function signatures. v1 is deterministic escalation for repeated signatures, not the complete solution for all target-level low-yield probing in the original issue. Per-signature gate state lives in a single parentID-scoped container (ParentLoopState) so the pre-execution gate has one authoritative read site.

Scope clarification

v1 blocks only high-confidence repeated signatures:

• same_input: same normalized tool input has already failed at least 5 times in the current parentID. The 6th matching attempt is blocked pre-execution, once the 5th attempt has completed and failed (the counter advances only on the error path).
• same_target: same target identified by findTarget has already failed at least 5 times in the current parentID, regardless of error class. The signature does not include errorFingerprint; v1 treats "the same URL failed 5 times" as block-worthy whether the failures are 404, 5xx, timeout, or DNS. This avoids the unreachable contract of pre-executing a candidate whose error fingerprint is unknown until after the call runs.

same_error is not a v1 signal of any kind. errorFingerprint is still computed and written into per-tool-part metadata for diagnostics, but does not contribute to any block, recover, or stop decision in v1. Two different URLs returning the same error class is legitimate exploration.

same_target is asserted only when findTarget actually identified a target on the original tool input. If findTarget did not hit and targetSummary falls back to ${tool}:input:${inputHash} (see diagnostics.ts:74-78), no target signature is emitted for that call; the call may still contribute to a same_input signature. Enforced via an explicit targetHashIsFallback boolean on the call record so the fallback case is machine-checkable.

This v1 directly solves the exported webfetch 404 loop where the same missing GitHub files repeated until errorRepeatCount=130. The broader webfetch -> bash curl | grep ... target-level probing case (case B in the original issue) is out of v1 scope and tracked in a separate follow-up issue covering URL/domain extraction for shell commands and tool-family-spanning detection. v1 partially closes the issue's acceptance criteria; the issue stays open until the follow-up lands.

Cuts from prior drafts

• Shadow LoopType entries (read_churn_shadow, action_stagnation_shadow) are removed; instrumentation without a tested detector is premature.
• The 正在调整重复操作... lightweight status text is dropped; quiet recovery means recover/block/auto-resume are fully invisible.
• Export diagnostics summary keeps only last; counts and shadow blocks are removed.
• errorFingerprint is removed from v1 signature keys and decision paths; stays in metadata for diagnostics only.
• targetDisplay and errorMessage persisted display fields are not added; the stop renderer reads lastInput / lastError from the live ParentLoopState.
• LoopAction does not include recover. Reminder firing is a side effect of observeToolError (mutating per-tool-part reminders[]), not a returned action. Gate returns only observe, block, or stop.

{
  "diagnostics": {
    "loop": {
      "last": {
        "parentID": "msg_abc123",
        "type": "same_target",
        "action": "block",
        "tool": "webfetch",
        "completedFailures": 5
      }
    }
  }
}

Decisions locked

Parameter	Decision
Count semantics	completedFailures = count of already-finished failed attempts for a signature in the current parentID. Advances only in observeToolError. Successful calls do not increment any counter. The 6th matching attempt is blocked pre-execution, conditional on the 5th having already completed and failed.
Recover threshold	completedFailures >= 3 causes a synthetic recovery reminder to be marked pending on the offending tool part, fired exactly once per signature per parentID via a recoverEmitted flag in ParentLoopState. Reminder firing happens in observeToolError. The reminder lifecycle (pending → injected) and storage location continue to use PR #204's per-tool-part reminders[] array; only the trigger location changes.
Block gate	Block fires when completedFailures >= 5 AND recoverEmitted is true for the signature. The gate is "recover emitted" not "recover injected" so a same-step burst still passes the gate; the synthetic blocked tool result itself acts as a strategy-switch signal even before the reminder text is delivered to the model.
Block threshold	completedFailures >= 5 plus blockEmitted fired-once flag prevents both missed firing on parallel-batch jumps and duplicate firing within the same step.
Auto-resume budget	Single boolean autoResumeSpent scoped to parentID, shared across all signatures. Flipped false → true only by the prompt-side wrapper at the moment it synthesizes the blocked tool result. Once spent, any subsequent qualifying block in the same parentID returns stop.
Blocked tool channel	Synthetic blocked tool result via the tool error channel. Error message: blocked by PawWork: this signature has already failed N times in this turn. Synthetic blocked results are not fed back into observeToolError; the wrapper writes them directly into the tool-part stream and skips the diagnostics path so they do not double-count or overwrite lastError.
Stop user text source	Rendered at stop time by a prompt-side renderer that reads lastInput and lastError from ParentLoopState.signatures[sigKey]. No display copies persisted in LoopMetadata. v1 ships a webfetch renderer and a generic fallback for other tools.
URL normalization	None. targetHash is computed as hash("kind:" + hash(value.trim())) over the value returned by findTarget, exactly as PR #204 does today.
Signature key shape	same_input = input:${tool}:${inputHash}. same_target = target:${tool}:${targetHash}, emitted only when targetHashIsFallback === false. parentID is implicit (the ParentLoopState container is already keyed by parentID); not duplicated in the sigKey string.
Gate iteration precedence	When both inputKey and targetKey cross threshold, the gate evaluates targetKey first. The target signature is more specific (a real URL/path identified by findTarget) than the input signature, so loop.last.type reflects the more informative match when both fire.
Cross-turn state	None. ParentLoopState is keyed by parentID; a new user message is a fresh parentID and resets the gate state entirely.
Same-batch behavior	Within one assistant step, sibling tool calls in-flight do not contribute to completedFailures until they complete (the counter advances on the error path). Same-batch burst of 5+ identical failing calls: the gate may transition recover → block between adjacent post-completion queries, accepted under the quiet-recovery policy because the model would not have seen the reminder text either way.

Schema

The gate's authoritative state lives in a parentID-scoped container, not in per-tool-part metadata. Per-tool-part LoopMetadata is descriptive only (for export and diagnostics).

type SignatureKind = "input" | "target"
type LoopAction = "observe" | "block" | "stop"

type SignatureState = {
  kind: SignatureKind
  completedFailures: number       // advances only in observeToolError
  recoverEmitted: boolean          // fired-once at completedFailures >= 3
  blockEmitted: boolean            // fired-once at completedFailures >= 5
  lastInput?: unknown              // raw, for renderer; truncated on store (see Truncation)
  lastError?: unknown              // raw, for renderer; truncated on store
}

type ParentLoopState = {
  autoResumeSpent: boolean
  signatures: Record<string, SignatureState>  // keyed by sigKey (no parentID prefix)
}

ParentLoopState is stored under the user message scope — the same parentID-keyed session structure that holds reminder records today, extended. Single writers: autoResumeSpent is written only by the prompt-side wrapper; signatures entries are written only by observeToolError.

LoopMetadata (per-tool-part, descriptive only):

type LoopMetadata = {
  // ...existing fields from PR #204 (inputHash, targetHash, targetSummary, reminders[], etc.)...
  loopAction?: LoopAction              // gate decision for this call: "observe" | "block" | "stop"
  loopType?: SignatureKind             // which signature family the gate matched (when not "observe")
  loopCompletedFailures?: number       // snapshot at gate time; written by the wrapper after queryGateAction
  loopSigKey?: string                  // matching sigKey at gate time; for export and debugging
  targetHashIsFallback?: boolean       // true when findTarget did not hit on the original input
}

The wrapper, not observeToolCall, writes loopAction / loopType / loopCompletedFailures / loopSigKey into the per-tool-part metadata after calling queryGateAction. observeToolCall continues to write the existing PR #204 fields (inputHash, targetHash, targetSummary, etc.).

ToolErrorRecord is extended so the error path can locate the matching signatures without re-running findTarget:

type ToolErrorRecord = {
  sessionID: SessionID
  parentID: MessageID
  tool: string
  inputHash: string                // copied from the in-flight tool part
  targetHash?: string              // copied from the in-flight tool part; absent when fallback
  errorFingerprint: string         // diagnostics only in v1
  metadata: Metadata
}

The wrapper holds the in-flight tool part identity during execute() and passes it to observeToolError along with the original input and the error object. observeToolError reads inputHash / targetHash from the part's LoopMetadata (the same metadata observeToolCall wrote on call). If the part metadata is missing (transport drop, stream race), observeToolError falls back to recomputing inputHash from the original input via normalizeInput and skips targetHash; this preserves same_input accounting and degrades same_target for that one error gracefully.

Implementation contract

1. Pre-execution gate via pure query

diagnostics.ts exposes:

type GateDecision = {
  action: LoopAction              // "observe" | "block" | "stop"
  sigKey?: string                 // present when action !== "observe"
  kind?: SignatureKind            // present when action !== "observe"
  completedFailures?: number      // present when action !== "observe"
}

function queryGateAction(input: {
  parentLoopState: ParentLoopState
  tool: string
  inputHash: string
  targetHash?: string             // absent when findTarget did not hit
}): GateDecision

Pure: no side effects, no I/O, no time. The wrapper calls this immediately before item.execute(args, ctx). If decision.action !== "observe", the wrapper does not call execute. processor.ts keeps recording stream events and merging metadata after execution; it does not gate.

Provider-executed tools are out of scope unless a safe pre-execution interception point exists for them.

2. Gate algorithm

queryGateAction(state, tool, inputHash, targetHash):
  inputKey  = "input:"  + tool + ":" + inputHash
  targetKey = targetHash ? "target:" + tool + ":" + targetHash : null

  // Target-first precedence: more specific match wins.
  for sigKey in [targetKey, inputKey] (skip null):
    s = state.signatures[sigKey]
    if not s: continue
    if s.completedFailures >= 5 and s.recoverEmitted:
      if state.autoResumeSpent:
        return { action: "stop",  sigKey, kind: s.kind, completedFailures: s.completedFailures }
      return   { action: "block", sigKey, kind: s.kind, completedFailures: s.completedFailures }

  return { action: "observe" }

Notes:

• recoverEmitted and blockEmitted are fired-once flags. They turn false → true exactly once per signature per parentID (recoverEmitted in observeToolError; blockEmitted in the wrapper after a block decision) and never flip back.
• The gate never returns recover. Reminder firing is a side effect of observeToolError. LoopAction is "observe" | "block" | "stop".
• After autoResumeSpent is true, the next qualifying gate query returns stop regardless of which signature triggered it; checking blockEmitted separately is unnecessary because autoResumeSpent is set in the same wrapper path that sets blockEmitted.
• same_target is checked only when the candidate's targetHash is present. Calls without a target only match same_input.

3. Failure recording on the error path

observeToolError is the only place completedFailures advances and the only place recoverEmitted flips:

observeToolError(parentLoopState, parentID, tool, inputHash, targetHash, originalInput, error):
  candidates = [
    { sigKey: "input:"  + tool + ":" + inputHash,  kind: "input"  },
    targetHash ? { sigKey: "target:" + tool + ":" + targetHash, kind: "target" } : null
  ] (skip null)

  for { sigKey, kind } in candidates:
    s = parentLoopState.signatures[sigKey]
    if not s:
      s = { kind, completedFailures: 0, recoverEmitted: false, blockEmitted: false }
      parentLoopState.signatures[sigKey] = s
    s.completedFailures += 1
    s.lastInput = truncateForRenderer(originalInput)
    s.lastError = truncateForRenderer(error)
    if s.completedFailures >= 3 and not s.recoverEmitted:
      s.recoverEmitted = true
      mark a "pending" reminder on the in-flight tool part's reminders[] array
      (entry shape unchanged from PR #204; consumeReminders flips pending → injected
       when the next assistant message is built)

observeToolCall does not update signatures. It still writes per-tool-part LoopMetadata for export and diagnostics (inputHash, targetHash, targetSummary, targetHashIsFallback, etc.) but does not own gate state. The wrapper layers loopAction / loopType / loopCompletedFailures / loopSigKey on top after calling queryGateAction.

kind is bound by the candidate iteration above (each candidate carries its own kind); it is not derived after the fact from sigKey string parsing.

Synthetic blocked tool results produced by the wrapper do not flow through observeToolError. The wrapper writes them directly into the tool-part stream and bypasses the diagnostics error path so they do not increment completedFailures or overwrite lastError.

4. Block synthesis and auto-resume

When queryGateAction returns { action: "block", sigKey, ... }:

1. Wrapper synthesizes a tool error result with the message stated in Decisions locked.
2. Wrapper sets parentLoopState.signatures[sigKey].blockEmitted = true.
3. Wrapper sets parentLoopState.autoResumeSpent = true.
4. Wrapper appends the synthetic error to the assistant message and continues the prompt loop normally; the next model turn proceeds.

When queryGateAction returns { action: "stop", sigKey, ... }:

1. Wrapper does not synthesize a tool result.
2. Wrapper invokes the stop renderer with the candidate input and parentLoopState.signatures[sigKey].
3. Wrapper writes the rendered text as a normal assistant text part and finishes the assistant message.
4. The turn ends.

5. Stop rendering

The renderer takes (candidateInput, signatureState) and dispatches by tool family. v1 ships:

• webfetch renderer (for same_input matches and same_target matches on webfetch calls)
• generic fallback renderer (for same_input matches on any other tool that ever crosses threshold)

webfetch templates:

• same_input match: 我重复调用了相同的请求 N 次没成功，已停止。请求：webfetch <truncatedURL>
• same_target match: 我重复抓取同一个目标 N 次都失败，已停止。目标：<truncatedURL> 错误：<rawErrorFirstLine>

Generic fallback template (only same_input reaches here in v1, since only webfetch produces same_target keys when findTarget hits):

• 我重复调用了 <tool> N 次都失败，已停止。最近一次错误：<rawErrorFirstLine>

Renderer rules:

• <truncatedURL> is read from lastInput by the renderer: lastInput.url ?? lastInput.href, then truncated.
• <rawErrorFirstLine> is read from lastError: first non-empty line of the message, no normalization (the renderer does its own raw extraction; it does not reuse errorFingerprint).
• If lastError is missing (e.g., metadata recovery degraded path), the second/third templates degrade by omitting the error line rather than fabricating one.
• All template variable values pass through codepoint-safe truncation (see Truncation).

6. Truncation

truncateForRenderer(value) and <truncatedURL> truncation share the same primitive:

truncateForRenderer(value):
  s = typeof value === "string" ? value : JSON.stringify(value)
  if byteLength(s) <= 1024: return s
  // Walk back from byte 1024 to the previous codepoint boundary;
  // additionally, if the cut would land inside a percent-encoded sequence
  // (a `%` within the last 2 bytes), step back to before the `%`.
  cut = safeBoundary(s, 1024)
  return s.slice(0, cut) + "…"

This is the single truncation strategy for all renderer-bound strings. <truncatedURL> uses the same primitive on the URL string after extraction.

7. Export diagnostics

loop.last is written to the snapshot's diagnostics.loop field. Required keys: parentID, type, action, tool, completedFailures. Persisted via the existing snapshot type (currently an empty diagnostics placeholder; tests must explicitly cover the new fields). No UI status surface in v1.

Migration note vs PR #204

Recovery reminder firing moves from observeToolCall (where PR #204 fires input_repeat on the third matching call) to observeToolError (where v1 fires on completedFailures >= 3). Effects:

• A successful repeated call no longer counts toward recover (PR fix: add session loop diagnostics #204 counted it).
• Recovery reminder text is unchanged from PR fix: add session loop diagnostics #204; only the trigger condition changes.
• The reminder lifecycle (pending → injected via consumeReminders) is unchanged; the reminder still lives on the per-tool-part reminders[] array.
• error_repeat reminders in PR fix: add session loop diagnostics #204 are subsumed by the new same_input / same_target recover firing; v1 does not emit a separate error_repeat reminder type.

Acceptance criteria

• After recoverEmitted is true for a signature, the same signature does not execute again past completedFailures >= 5 within the same parentID. The 6th matching attempt is blocked pre-execution once the 5th has completed and failed.
• A signature whose targetHash is absent (because findTarget did not hit on the original input, marked by targetHashIsFallback === true) only contributes to same_input; same_target is never asserted for it.
• The pre-execution gate is a pure query into diagnostics.ts against ParentLoopState. Post-hoc processor observation does not gate execution.
• Auto-resume is at most one per parentID (autoResumeSpent flips once, written only by the wrapper). A subsequent qualifying block in the same parentID returns stop.
• The stop assistant message is a rendered text part, not a raw error state. The renderer pulls raw lastInput / lastError from ParentLoopState.signatures[sigKey]; nothing is fabricated.
• Synthetic blocked tool results go through the tool error channel and explicitly cite PawWork as the blocker, and do not flow back into observeToolError.
• For a same-step burst of identical failing calls, recovery and block fire deterministically without duplication and without missing the threshold (>= plus fired-once flags).
• Sibling calls already in-flight when a block is decided are allowed to complete; only the next pre-execution query observes the updated state. Counters advance only on observeToolError.
• targetHash is computed unchanged from PR fix: add session loop diagnostics #204 (hash("kind:" + hash(value.trim()))); no URL query/fragment normalization in v1. targetHashIsFallback is set explicitly so downstream code distinguishes real-target hashes from fallback hashes without parsing.
• All v1 signatures include tool. Signature shapes: input:${tool}:${inputHash} and target:${tool}:${targetHash}. parentID is implicit via the ParentLoopState container.
• Gate iteration precedence is target-first; loop.last.type reflects target when both signatures cross threshold.
• ParentLoopState is parentID-scoped; a new user message resets the gate state entirely.
• ToolErrorRecord carries inputHash and (when applicable) targetHash; the data path from in-flight tool part to error-side state advance is tested, including the metadata-missing degraded path.
• Reminder firing moves from observeToolCall to observeToolError. The reminders[] lifecycle and storage location are unchanged from PR fix: add session loop diagnostics #204. error_repeat reminder type is removed (subsumed by the new recover firing).
• LoopAction is "observe" | "block" | "stop"; reminder firing is a side effect of observeToolError, not a returned action.
• queryGateAction returns { action, sigKey?, kind?, completedFailures? }; sigKey is present whenever action !== "observe", so the wrapper does not re-derive which signature matched.
• loopAction / loopType / loopCompletedFailures / loopSigKey in per-tool-part LoopMetadata are written by the wrapper after queryGateAction, not by observeToolCall.
• Truncation for renderer-bound values uses a single shared primitive, codepoint-safe and percent-encoding-safe.
• Export loop.last writes parentID, type, action, tool, completedFailures; snapshot type and tests are explicitly updated.
• v1 partially closes [Feature] Detect low-yield repeated probing on the same investigation target #229. Cross-tool-family target detection (case B) is tracked in a separate follow-up issue and is not in scope here.