[Feature] Add structured tool failure reasons for agent recovery

[Astro-Han]

What task are you trying to do?

We want PawWork agents to recover from tool failures instead of blindly retrying the same failing action. When a tool fails, the harness should make the failure layer clear enough for the model to choose the right next step: fix bad arguments, ask for permission, switch to a safer tool, stop after user cancellation, or report a provider/environment problem.

Which area would this change affect?

Model harness, prompts, tools, or session mechanics

What do you do today?

Loop diagnostics already record useful structure for repeated tool behavior, but ordinary tool failures often reach the model and export as a status plus an error string. That is enough for a human to inspect later in many cases, but it is not reliable enough for the agent to decide whether retrying makes sense or whether it should change strategy.

What would a good result look like?

Tool failures carry a small structured reason that is preserved in local session state and exports, and the model-facing failure result includes a short recovery hint. The first version should stay local and practical: no remote telemetry, no dashboard, no broad analytics platform.

Suggested initial categories:

• invalid_arguments: the model called the tool with malformed or invalid input.
• permission_denied: PawWork or the OS blocked the action.
• environment: the target path, command, working directory, or local setup was not available as expected.
• provider: an external model/API/search/provider failed.
• timeout: the tool exceeded its allowed time.
• user_aborted: the user canceled or interrupted the action.
• unknown: the harness could not classify the failure yet.

What would count as done?

• Tool error metadata includes a structured failure reason such as errorKind.
• Session export preserves the structured failure reason without uploading conversation or tool bodies remotely.
• The model-facing tool failure includes a short recovery hint matched to the reason.
• At least these paths are covered: invalid tool arguments, permission denial, user abort, timeout, provider/API failure, and environment failure.
• Unknown failures remain possible and are explicitly tagged as unknown so future issues can improve classification.
• Existing loop diagnostics continue to work and are not replaced by this feature.

What should stay out of scope?

• Remote telemetry by default.
• A metrics dashboard or alerting system.
• A broad dynamic-context rewrite.
• Semantic interpretation of every command output.
• Changing user-facing copy beyond concise recovery hints needed for the model and export diagnostics.

Which audience does this matter to most?

Both

Extra context

This comes from comparing PawWork's current harness against Cursor's public harness writing. Cursor treats tool failures as a first-class harness quality signal, but PawWork should take the smaller version first: classify local tool failures so the agent can recover and the export can explain what happened.

Refs #195.

[Astro-Han]

Implementation design draft

This is the proposed implementation boundary for #439 after checking the current issue text and the live code paths.

Goal

Ordinary tool failures should carry a small structured failure reason in local session state, session export, and model replay. The model should see the original error plus a concise recovery hint matched to the reason.

This is a harness/session contract change, not a UI wording change and not a telemetry/dashboard project.

Current code facts

• packages/opencode/src/session/processor.ts has the ordinary tool-error terminal boundary in failToolCall().
• That path currently stores state.error = errorMessage(error) and preserves loop diagnostics through SessionDiagnostics.mergeMetadata().
• packages/opencode/src/session/message-v2.ts allows optional ToolStateError.metadata, but model replay currently sends only part.state.error as output-error.errorText.
• packages/opencode/src/session/diagnostics.ts already owns session diagnostics and metadata merge behavior for loop diagnostics.
• packages/opencode/src/session/export.ts exports message parts, so stored tool-state metadata can flow into export, but sanitized export currently redacts tool-state metadata wholesale.
• packages/opencode/src/tool/sensitive.ts can also reduce sensitive tool metadata during raw export construction, so the safe failure fields must be preserved there too when possible.
• packages/opencode/src/permission/index.ts and packages/opencode/src/question/index.ts already expose error classes for permission rejection and user/question abort cases.
• Bash command timeout currently returns a completed tool result with <bash_metadata>, not a ToolStateError; this PR should not change that behavior unless a direct [Feature] Add structured tool failure reasons for agent recovery #439 repro proves it must.

Fix boundary

Lowest correct layer:

1. Classify failures once at the ordinary failToolCall() boundary.
2. Store the result under tool-state diagnostics metadata, for example:

metadata.diagnostics.failure = {
  errorKind: "invalid_arguments" | "permission_denied" | "environment" | "provider" | "timeout" | "user_aborted" | "unknown",
  recoveryHint: string,
}

3. Keep state.error unchanged so existing UI copy and old consumers do not change.
4. During model replay, append a short model-facing hint for real output-error tool results.
5. During export sanitization, preserve only safe failure fields: errorKind and the generic recoveryHint. Continue redacting tool input, output, raw error body, attachments, paths, diffs, and other metadata.

Classification shape

Add a small helper such as packages/opencode/src/session/tool-failure.ts:

• ToolFailureKind
• ToolFailureMetadata
• classifyToolFailure({ tool, error })
• formatToolFailureForModel(errorText, failure?)

Initial classifier rules:

• invalid_arguments: schema/decode errors from Tool.define, malformed tool input, invalid argument/timeout/value messages.
• permission_denied: Permission.RejectedError, Permission.CorrectedError, Permission.DeniedError, and OS permission codes like EACCES / EPERM.
• environment: missing path/cwd/command/setup codes or messages, especially ENOENT / ENOTDIR.
• provider: provider/API/auth/rate-limit/external service failures when the error shape or message clearly points there.
• timeout: timeout names/codes/messages from a tool-error path.
• user_aborted: Question.RejectedError, AbortError, canceled/interrupted/aborted action signals, after permission cases are checked.
• unknown: fallback when the layer is not clear.

Hints should be short, stable, and model-facing, not broad UI copy.

Suggested hint intent:

• invalid_arguments: fix arguments to match the schema before retrying.
• permission_denied: do not retry the same blocked call; ask the user or choose an allowed safer action.
• environment: check path, cwd, command availability, or local setup before retrying.
• provider: treat this as an external provider/API failure; retry later or report the provider issue.
• timeout: narrow the operation or increase timeout only when appropriate.
• user_aborted: stop this action; do not continue canceled work unless the user asks.
• unknown: identify the failure layer before retrying.

Minimal PR tasks

1. Add the failure helper and unit tests for all seven categories.
2. Extend SessionDiagnostics.Metadata with optional diagnostics.failure and verify mergeMetadata() preserves existing diagnostics.loop.
3. In ordinary failToolCall(), merge diagnostics.failure into tool-state metadata without touching the pending loop block/stop branch.
4. In toModelMessagesEffect(), use formatToolFailureForModel() only for output-error tool results. Do not change the interrupted partial-output branch.
5. In Export.sanitizeSnapshot(), preserve only safe failure metadata while keeping existing redaction behavior.
6. In tool/sensitive.ts, make sensitive raw export construction preserve safe diagnostics.failure fields instead of collapsing diagnostics to {}.
7. Add focused tests for classifier, message replay, export sanitization, sensitive metadata preservation, and loop metadata merge.

Explicit non-goals

• No remote telemetry, dashboard, alerting, or analytics platform.
• No UI tool-card copy change.
• No broad prompt rewrite or dynamic-context rewrite.
• No semantic parser for every command output.
• No provider retry/backoff policy.
• No replacement of loop diagnostics, loop gate, synthetic block, or synthetic stop.
• No Bash timeout behavior change unless separately proven required.
• No SDK generated type or external public API change in this PR.

Evidence still to verify during implementation

• Whether AI SDK tool-error events always preserve the original Error instance. The classifier must still work from name, message, code, and _tag fallbacks.
• Whether there is a straightforward processor integration test for invalid tool args. If not, the first PR can prove the contract with helper, message-v2, diagnostics, and export unit tests.
• Whether any provider/API failure can occur as an ordinary tool error in current code paths. If not, provider classification should remain unit-tested by error shape/message only, and assistant-level provider stream errors should stay out of scope.

Verification

Targeted automated checks:

bun --cwd packages/opencode test packages/opencode/test/session/tool-failure.test.ts packages/opencode/test/session/message-v2.test.ts packages/opencode/test/session/diagnostics.test.ts packages/opencode/test/session/export.test.ts
bun --cwd packages/opencode typecheck
git diff --check

Success criteria:

• Every initial category has deterministic unit coverage.
• Ordinary errored tool parts persist metadata.diagnostics.failure.errorKind.
• Model-facing tool error includes the original error plus a concise reason-matched hint.
• Raw and sanitized session exports preserve only the safe structured failure reason.
• Existing loop diagnostics continue to pass and are not replaced.

[Astro-Han]

Back-reference from #808.

This completed structured tool-failure work is a precedent for the Run Incident Framework. #808 generalizes the idea beyond tool failures so provider transport disconnects, lifecycle closes, watchdog timeouts, and recovery policy share one incident model.