fix(core,cli): close tool_use↔tool_result invariant across all failure paths

[wenshao]

Summary

Fixes an unrecoverable wedge on weak-network connections (e.g. on a train) when calling DeepSeek-V4-Pro (or any Anthropic-compatible backend) through the Anthropic protocol. Same wedge reproduces under three additional failure modes surfaced in review; all closed in this PR.

Symptom — the model 400s with:

unexpected messages.N.content.0: tool_use_id found in tool_result blocks:
call_00_xxx. Each tool_result block must have a corresponding tool_use
block in the previous message.

and pressing Ctrl+Y to retry yields the same error indefinitely. The chat session is permanently wedged.

Root cause — mid-stream tool_use drop

The Anthropic-compatible SSE emits tool_use content blocks as content_block_start → input_json_delta* → content_block_stop → message_delta → message_stop. In anthropicContentGenerator.processStream, the functionCall chunk is yielded at content_block_stop.

When the SSE drops between content_block_stop of a tool_use and the terminal message_stop (typical for flaky train/airplane WiFi):

1. The functionCall chunk has already been yielded → Turn.run registers a ToolCallRequest event → useGeminiStream schedules the tool after the for-await exits.
2. But processStreamResponse's this.history.push({role:'model'…}) never runs — the for-await throws before reaching it.
3. The tool finishes asynchronously → handleCompletedTools → submitQuery(…, ToolResult) → geminiChat.sendMessageStream pushes user:[functionResponse] into history.
4. History is now […, user:"query", user:[tool_result]]. The converter emits two consecutive user messages where the second carries tool_result blocks but the preceding message has no matching tool_use → 400.
5. stripOrphanedUserEntriesFromHistory only pops trailing user entries. The lost tool_use is unrecoverable, and the chat is wedged for the rest of the session.

Fixes

1. Persist partial assistant turn when stream errors mid tool_use

processStreamResponse (packages/core/src/core/geminiChat.ts) wraps its for-await in a try/catch. On stream error, if any functionCall chunk was already yielded (hasToolCall === true) and we accumulated parts, persist the partial assistant turn into history before re-throwing — so the eventual tool_result submission has its matching tool_use.

Plain-text partial turns (no functionCall) are intentionally not persisted: the Retry path pops the trailing user prompt and re-issues it; a stale partial-text model turn between them would either bias the retry or surface as duplicate output.

The shared processStreamResponse covers both Anthropic and OpenAI content generators, so the fix applies to all anthropic-compatible and openai-compatible providers — not just DeepSeek.

2. Close tool_use ↔ tool_result invariant at every failure point

Surfaced in @yiliang114's review: the partial-history push above relies on the React tool scheduler eventually producing a matching tool_result. Three races break that contract:

• Race A — Ctrl+Y while the in-flight tool hasn't finished. Trailing entry is model[tool_use], not user, so stripOrphanedUserEntriesFromHistory doesn't pop it. Retry pushes a fresh user turn after the orphan tool_use. Meanwhile the scheduler's onAllToolCallsComplete is single-shot AND gated on isResponding (useGeminiStream.ts:1971), so the eventual real tool_result is silently swallowed.
• Race B — process crash / OOM / SIGKILL between the partial-tool_use push and tool completion. The dangling model[tool_use] wedges the first API call after --resume.
• Race C — manual JSONL edits / external tooling leaving the same dangling shape.

Three pieces working together close every race:

1. repairOrphanedToolUseTurns(history) in geminiChat.ts — walks history left-to-right and synthesizes an error-typed functionResponse for every functionCall whose id isn't echoed back in the next user turn. Appends to an existing user turn when present, otherwise inserts a new one.
2. Wiring at two points:
   • client.startChat() after loading the transcript — covers Race B/C (--resume).
   • chat.sendMessageStream immediately after this.history.push(userContent) — covers Race A in-session. The user-supplied turn gets the first chance to close the pair before the synthesizer sees it as dangling, so a Retry of a previous ToolResult submission (lastPrompt is a functionResponse-parts array) lands the real functionResponse instead of a synthetic error.
3. History-based dedup in handleCompletedTools (useGeminiStream.ts) — before submitting tool results, scan chat.history for any functionResponse.id already present (planted by the repair pass) and drop those toolCalls' responseParts from the wire payload while still markToolsAsSubmitted so the UI/scheduler advances. The dedup runs before the isResponding early-return so the scheduler's single-shot onAllToolCallsComplete doesn't leave the tool stuck in completed-but-not-submitted when a Retry stream is in flight.

This is the qwen-code analogue of Claude Code's yieldMissingToolResultBlocks (query.ts:123-149), split across the core/cli boundary because our React scheduler runs out-of-band from the stream loop (upstream's in-band StreamingToolExecutor can atomically .discard() live tools at the synthesis point; we use history-dedup at handleCompletedTools instead to keep the in-flight scheduler's late real result from colliding with the synthesized error).

Test plan

• npx vitest run packages/core/src/core/geminiChat.test.ts — 90 tests pass (3 partial-history-push cases + 8 repair-helper unit cases + 2 chat.sendMessageStream integration cases)
• npx vitest run packages/core/src/core/client.test.ts — 131 tests pass (Retry path mocks updated for new method)
• npx vitest run packages/cli/src/ui/hooks/useGeminiStream.test.tsx — 92 tests pass (Race A end-to-end dedup integration test)
• npx vitest run --project '@qwen-code/qwen-code-core' — all 8186 core tests pass
• tsc --noEmit -p packages/core/tsconfig.json clean
• CI green on all four commits (Lint + Test×3 platforms + CodeQL)
• Manual: throttle network, trigger a tool_use response, kill the connection mid-stream, confirm the next user/tool_result submission succeeds instead of 400ing. Ctrl+Y mid-flight and --resume of a session crashed mid-flight.

Related

• Issue Add SSE stream idle watchdog to abort hung streams (weak-network hang) #4177 — SSE stream idle watchdog (independent follow-up; addresses the hang-forever symptom where the SSE goes silent without dropping)
• anthropics/claude-code#6836 — upstream "tool_use/tool_result block mismatch" meta-issue with the same fix shape (~155 duplicates, oncall label, OPEN)

Closes #4178

[github-actions]

📋 Review Summary

This PR fixes a critical unrecoverable wedge that occurs when streaming connections drop mid-tool_use on weak networks. The fix ensures partial assistant turns containing tool calls are persisted to history before re-throwing stream errors, maintaining the tool_use/tool_result pairing invariant required by Anthropic-compatible APIs. The implementation is well-reasoned with comprehensive tests and excellent documentation.

🔍 General Feedback

• Exceptional documentation: The code comments and PR description provide outstanding context about the root cause, including the specific Anthropic SSE emission pattern (content_block_start → input_json_delta* → content_block_stop → message_delta → message_stop)
• Targeted fix: The change is surgical—only persisting partial turns when hasToolCall === true, deliberately skipping text-only partials to avoid biasing retry behavior
• Shared code path benefit: The fix in processStreamResponse automatically covers both Anthropic and OpenAI content generators
• Test coverage: Two new test cases precisely validate both branches of the new error handling logic

🎯 Specific Feedback

🟡 High

• File: packages/core/src/core/geminiChat.ts:1320 - The streamError capture pattern is sound, but consider whether the caught error should be logged before re-throwing for debugging purposes. Weak-network issues are notoriously hard to reproduce, and having structured logs when this recovery path triggers would aid future debugging.

  Suggested fix:

    } catch (e) {
      streamError = e;
      // Log for debugging weak-network recovery path
      if (hasToolCall) {
        debugLogger.log('Persisting partial assistant turn due to stream error');
      }
    }

🟢 Medium

• File: packages/core/src/core/geminiChat.ts:1257-1268 - The comment explaining streamError is extremely detailed (which is good), but it's positioned before the variable is actually used. Consider moving this extensive explanation to the recovery branch at line 1383 where the actual decision logic lives, and keep a shorter note here.

  Suggested restructuring:

    let streamError: unknown = null;  // Captured mid-stream; see recovery logic below
  
    try {
      // ... loop unchanged ...
    } catch (e) {
      streamError = e;
    }
  
    // ... later, at the recovery branch ...
    /**
     * Mid-stream failure recovery: [full explanation currently at line 1257]
     */
    if (streamError !== null) { ... }

• File: packages/core/src/core/geminiChat.test.ts:702-760 - The test "persists partial assistant turn when stream throws after a tool_use chunk" is thorough but could benefit from explicitly asserting that the history length is exactly 2 (user + model) after the error, making the test's intent even clearer to future readers.

  Suggested addition (after line 758):

      expect(history.length).toBe(2);  // user turn + model turn with tool_use

🔵 Low

• File: packages/core/src/core/geminiChat.ts:1383 - The recovery comment block is ~20 lines. While the detail is valuable, consider extracting this into a private method like shouldPersistPartialTurn() with an inline JSDoc. This would make the main flow easier to scan and the recovery logic independently testable.

• File: packages/core/src/core/geminiChat.test.ts - Consider adding a test case that simulates the full retry flow (Ctrl+Y scenario) to verify that the persisted tool_use allows the subsequent ToolResult submission to succeed rather than 400ing. This would be an integration-style test complementing the current unit tests.

✅ Highlights

• Brilliant root cause analysis: The PR description's explanation of the Anthropic SSE emission pattern and how the drop between content_block_stop and message_stop causes the wedge is exemplary technical writing
• Discriminating fix: The deliberate choice to persist tool_use partials but NOT text-only partials shows deep understanding of the retry path's behavior and avoids introducing duplicate output issues
• Comprehensive test coverage: The two new test cases cover both branches of the new logic with realistic stream simulations
• Cross-provider benefit: Fixing the shared processStreamResponse method means Anthropic, OpenAI, and DeepSeek all benefit without duplicate changes
• Clear failure mode documentation: The comment explaining why stripOrphanedUserEntries can't recover from this scenario (it only strips trailing user entries, not resurrect lost tool_use blocks) is invaluable for future maintainers

[Copilot]

Pull request overview

Fixes a wedge state on weak networks where Anthropic-compatible streams (DeepSeek, Anthropic, etc.) drop after a tool_use content_block_stop but before message_stop. The yielded functionCall chunk causes downstream tool execution and a follow-up tool_result user turn, but no matching tool_use was ever pushed into history, leading to permanent 400s. The fix wraps the stream loop in processStreamResponse with try/catch and persists the partial assistant turn into history when a tool call has already been yielded before re-throwing.

Changes:

• Capture mid-stream errors in processStreamResponse instead of letting them abort post-loop processing.
• When hasToolCall is true on error, push the partial assistant turn (thinking + consolidated parts) into history before re-throwing, preserving tool_use/tool_result pairing.
• Add three vitest cases covering tool-only, thinking+tool, and text-only mid-stream failures.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
packages/core/src/core/geminiChat.ts	Adds try/catch around stream iteration and a recovery branch that conditionally persists the partial model turn before re-throwing.
packages/core/src/core/geminiChat.test.ts	Adds three new tests verifying partial-turn persistence with tool_use, with thinking+tool, and non-persistence for text-only failures.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[yiliang114]

Non-blocking follow-up.

This persists the partial tool_use and relies on handleCompletedTools to eventually push a matching tool_result. Two paths re-create the same wedge one layer down:

1. Ctrl+Y before the tool finishes — history is [user, model(tool_use)], no trailing user entry for stripOrphanedUserEntriesFromHistory to strip. The retry sends the orphan tool_use and 400s with the same error this PR is trying to escape.
2. Scheduler aborts / process killed before submitQuery(ToolResult) fires — the persisted tool_use becomes a permanent orphan. Same wedge.

The stronger invariant is to close the pair at the failure point itself: for every already-yielded tool_use, synthesize an is_error: true tool_result before re-throwing, instead of betting on a downstream consumer. anthropics/claude-code does this in src/query.ts (yieldMissingToolResultBlocks, ~L123) and calls it from both the stream-error and the user-abort paths — the pair is never out of sync.

Current fix recovers the common case, so not blocking. Worth a follow-up to also cover the retry race and the abort path symmetrically.

[wenshao]

Confirmed both paths reproduce — handleCompletedTools is gated on isResponding (useGeminiStream.ts:1971) and useReactToolScheduler.allToolCallsCompleteHandler is single-shot (useReactToolScheduler.ts:127-132), so a Ctrl+Y that lands between the partial-push and tool completion does silently swallow the eventual tool_result. The abort-before-submit path is the same shape.

(Worth noting: this race exists pre-#4176 too — any Ctrl+Y while a tool is still running on a normally-completed stream hits the same wedge. This PR moves the partial-tool_use case into the same race class, but doesn't widen it.)

On yieldMissingToolResultBlocks shape — straight port has a corner: if we synthesize is_error: true at the failure point AND the live scheduler later completes, handleCompletedTools submits a second tool_result with the same tool_use_id, producing two consecutive user turns (orphan tool_result in the trailing one). Upstream sidesteps this because their StreamingToolExecutor is owned by the same loop that does the synthesis — it can discard() in-flight tools atomically (query.ts:733). Qwen-code's React scheduler runs out-of-band, so the synthesis path needs to coordinate cancellation/dedup with it.

Folded both races + the cancel-coordination requirement into #4178 — that's where the closing-at-failure-point work belongs. Will tackle it as the next PR; #4176 stays minimal to ship the common-case recovery now.

[wenshao]

Folded both races + the cancel-coordination requirement into this PR in 3de3241a2 rather than splitting to #4178. Three pieces:

• repairOrphanedToolUseTurns(history) synthesizes error functionResponse for every dangling functionCall.id — close to upstream's yieldMissingToolResultBlocks shape.
• Wired into startChat() (Race B/C — --resume of a crashed session) and the sendMessageStream Retry branch after stripOrphanedUserEntriesFromHistory (Race A — Ctrl+Y mid-flight).
• handleCompletedTools dedupes against chat.history before submitting tool_results — that's the cross-layer coordination piece you flagged. Since our React scheduler runs out-of-band (vs. upstream's in-band StreamingToolExecutor that can .discard() atomically at synthesis), the synthesizer plants the synthetic functionResponse first and the scheduler drops its late real result when it sees a matching callId already in history. Same trade-off upstream's .discard() + yieldMissingToolResultBlocks makes — the model sees the synthetic error and can retry the tool if it still wants the result.

Tests: 8 new repair-helper cases in geminiChat.test.ts (Race A merge-into-existing-user-turn, Race B trailing-tool_use-only, parallel tool_use with partial responses, no-op on already-paired history, multiple non-adjacent dangling rounds, caller-supplied reason text, no-op on tool-free history). 131/131 client.test.ts and 91/91 useGeminiStream.test.tsx still passing.

#4178 will be closed once this PR merges (its scope is now this PR). #4177 (idle watchdog) stays as the independent follow-up.

[yiliang114]

The fix recovers the common SSE-drop case correctly. Left one non-blocking follow-up inline about closing the tool_use ↔ tool_result invariant at the failure point rather than handing off to the scheduler.

[wenshao]

For reviewers — this PR is the minimal, surgical fix. The broader weak-network resilience story has two follow-ups filed so they can be reviewed independently:

• Add SSE stream idle watchdog to abort hung streams (weak-network hang) #4177 — SSE stream idle watchdog (90s default). Addresses the hang-forever symptom, which fix(core,cli): close tool_use↔tool_result invariant across all failure paths #4176 alone doesn't fix (we still wait on streamResponse.next() indefinitely if the SSE goes silent without dropping). Modeled on claude-code/services/api/claude.ts:1868-1928.
• Close tool_use↔tool_result invariant at failure point (defense in depth) #4178 — Synthetic is_error: true tool_result repair pass at session-load and Retry. Defense-in-depth for residual paths where the scheduler contract doesn't hold (process crash, --resume of a crashed session, scheduler bugs). Modeled on claude-code/query.ts:123-149 (yieldMissingToolResultBlocks).

Together (#4176 + #4177 + #4178) qwen-code's behavior on weak networks would be comparable to upstream Claude Code, addressing the same class of bug as anthropics/claude-code#6836 (open meta-issue with ~155 duplicate reports, oncall label).

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

[wenshao]

⚠️ Downgraded from Approve to Comment: self-PR.

Review Summary: 2 files, +270/-36. Fixes unrecoverable wedge when streaming drops between tool_use content_block_stop and message_stop. Core logic is correct; 606 tests pass; tsc + eslint clean.

No high-confidence Critical issues found. 5 low-confidence suggestions identified (not posted as inline comments — needs human review):

1. AbortSignal mid-tool_use persists partial turn — catch 块未区分 abort 与网络错误，取消后 history 含孤立 tool_use。建议加 守卫。
2. Zero logging on partial turn persistence — 静默修改 history，调试困难。建议加 。
3. recordAssistantTurn 在错误路径无条件调用 — 失败流的部分数据被记录为正常 turn。建议移入 块。
4. Missing thinking-only test — 推理模型场景（thought:true 无 functionCall）无回归覆盖。
5. Duplicate history.push 代码 — 错误/成功路径各一份相同实现，建议提取方法。

— DeepSeek/deepseek-v4-pro via Qwen Code /review

[wenshao]

⚠️ Downgraded from Request changes to Comment: self-PR.

[wenshao]

[Critical] This fixture does not structurally satisfy TrackedCompletedToolCall, and the changed-file typecheck fails here with TS2352. As written, the PR cannot pass tsc on the changed files.

Please update the mock object to match the real TrackedCompletedToolCall shape (or choose a narrower test type that actually reflects what this test needs) instead of forcing the incompatible object through a direct assertion.

— gpt-5.5 via Qwen Code /review

[wenshao]

[Critical] Appending the synthetic functionResponse after existing user parts means the Ctrl+Y retry shape becomes user: text, tool_result. The Anthropic converter preserves part order, so it serializes the retry prompt before the tool_result that is supposed to answer the immediately preceding tool_use. Anthropic-compatible backends require those tool_result blocks to come first in the following user message, so this can still reject the retry and leave the session wedged.

Insert the synthetic responses before the first non-functionResponse part when merging into an existing user turn, while preserving any real tool results that are already at the front.

Suggested change

	if (next?.role === 'user') {
	const existingParts = next.parts ?? [];
	const firstNonFunctionResponseIndex = existingParts.findIndex(
	(part) => !part.functionResponse,
	);
	const insertAt =
	firstNonFunctionResponseIndex === -1
	? existingParts.length
	: firstNonFunctionResponseIndex;
	next.parts = [
	...existingParts.slice(0, insertAt),
	...syntheticParts,
	...existingParts.slice(insertAt),
	];

— gpt-5.5 via Qwen Code /review

[wenshao]

[Suggestion] This new startChat() wiring is the only resume-time integration point that repairs a dangling model[functionCall] before the first resumed send, but the tests only cover the helper directly and mock this method in client.test.ts. A future refactor could remove or reorder this call while the helper tests still pass, regressing the --resume recovery path this PR is meant to protect.

Please add a client-level test that starts a chat with extraHistory ending in a model turn containing a functionCall, then asserts the initialized chat history contains the synthetic user[functionResponse] before any send occurs.

— gpt-5.5 via Qwen Code /review