test: complete slice 3 runtime parity coverage

Author: Telli

docs/runtime.md

@@ -11,8 +11,8 @@ Registration: `RuntimeServiceCollectionExtensions.AddSharpClawRuntime`.
 
 **`DefaultTurnRunner`** is the **`ITurnRunner`** implementation used for prompt turns. It:
 
-1. Calls **`IPromptContextAssembler.AssembleAsync`** to build **`PromptContext`** (prompt text, metadata such as resolved **`model`**).
-2. Maps **`RunPromptRequest`** + session into **`AgentRunContext`** (session/turn ids, working directory, permission mode, output format, **`IToolExecutor`**, metadata).
+1. Calls **`IPromptContextAssembler.AssembleAsync`** to build **`PromptContext`** (prompt text, metadata such as resolved **`model`**, and prior-turn conversation history assembled from persisted runtime events).
+2. Maps **`RunPromptRequest`** + session into **`AgentRunContext`** (session/turn ids, working directory, permission mode, output format, **`IToolExecutor`**, metadata, and normalized caller interactivity).
 3. Invokes **`PrimaryCodingAgent.RunAsync`**.
 
 Before the agent runs, **`ConversationRuntime`** also layers in:
@@ -24,6 +24,17 @@ Before the agent runs, **`ConversationRuntime`** also layers in:
 
 The agent stack is described in [agents.md](agents.md).
 
+## Agent tool loop
+
+The current runtime supports provider-driven tool calling through the normal agent path.
+
+- **`AgentFrameworkBridge`** resolves the effective allowed-tool set from agent metadata.
+- It advertises only that filtered tool set to the provider.
+- **`ProviderBackedAgentKernel`** runs the provider loop, dispatches tool-use events through **`IToolExecutor`**, and feeds tool results back into the next provider iteration.
+- Tool execution still goes through the normal permission engine, so allowlists, approval requirements, plugin trust, MCP trust, and primary-mode mutation restrictions all apply consistently.
+
+This means the model-visible tool surface and the executor-visible tool surface are derived from the same resolved policy input.
+
 ## Lifecycle and state
 
 - **`IRuntimeStateMachine`** (`DefaultRuntimeStateMachine`) transitions **`ConversationSession.State`**.
@@ -35,8 +46,15 @@ The agent stack is described in [agents.md](agents.md).
 
 It also includes a compact diagnostics summary from **`IWorkspaceDiagnosticsService`**, which currently surfaces configured diagnostics sources and build-derived findings for .NET workspaces.
 
+Prompt references are resolved before provider execution. Outside-workspace file references are evaluated through the permission engine, and the approval path now respects the normalized caller interactivity mode:
+
+- interactive CLI and REPL callers can participate in approval prompts
+- non-interactive surfaces such as ACP and the embedded HTTP server cannot
+
 When the effective **`PrimaryMode`** is **`Spec`**, the assembler appends a structured output contract that requires the model to return machine-readable requirements, design, and task content.
 
+Conversation history is rebuilt from persisted session events and truncated by token budget before being attached to the next provider request. Assistant history prefers the persisted final turn output and only falls back to streamed provider deltas when needed.
+
 ## Spec workflow
 
 **`ISpecWorkflowService`** handles the post-processing path for **`spec`** mode:

tests/SharpClaw.Code.IntegrationTests/Runtime/AgentToolPolicyIntegrationTests.cs

@@ -5,6 +5,8 @@
 using SharpClaw.Code.Infrastructure.Models;
 using SharpClaw.Code.Permissions.Abstractions;
 using SharpClaw.Code.Permissions.Models;
+using SharpClaw.Code.Plugins.Abstractions;
+using SharpClaw.Code.Plugins.Models;
 using SharpClaw.Code.Protocol.Commands;
 using SharpClaw.Code.Protocol.Enums;
 using SharpClaw.Code.Protocol.Models;
@@ -52,6 +54,42 @@ await runtime.RunPromptAsync(
         provider.CapturedRequests[0].Tools!.Select(static tool => tool.Name).Should().Equal("read_file");
     }
 
+    /// <summary>
+    /// Ensures plugin-backed tools are filtered through the same explicit allow list as built-ins.
+    /// </summary>
+    [Fact]
+    public async Task RunPrompt_should_filter_plugin_tools_through_same_allow_list_path()
+    {
+        var workspacePath = CreateTemporaryWorkspace();
+        var provider = new CapturingToolPolicyProvider(ToolPolicyScenario.CaptureOnly);
+        using var serviceProvider = CreateServiceProvider(
+            provider,
+            pluginManager: new StubPluginManager([
+                new PluginToolDescriptor("plugin_echo", "Echo via plugin.", "Plugin payload.", ["plugin"]),
+            ]));
+        var runtime = serviceProvider.GetRequiredService<IConversationRuntime>();
+
+        await runtime.RunPromptAsync(
+            new RunPromptRequest(
+                Prompt: "list available tools",
+                SessionId: null,
+                WorkingDirectory: workspacePath,
+                PermissionMode: PermissionMode.WorkspaceWrite,
+                OutputFormat: OutputFormat.Text,
+                Metadata: new Dictionary<string, string>
+                {
+                    ["provider"] = TestProviderName,
+                    ["model"] = "tool-policy-model",
+                    [SharpClawWorkflowMetadataKeys.AgentAllowedToolsJson] = """["plugin_echo"]""",
+                    [ScenarioMetadataKey] = ToolPolicyScenario.CaptureOnly,
+                }),
+            CancellationToken.None);
+
+        provider.CapturedRequests.Should().NotBeEmpty();
+        provider.CapturedRequests[0].Tools.Should().NotBeNull();
+        provider.CapturedRequests[0].Tools!.Select(static tool => tool.Name).Should().Equal("plugin_echo");
+    }
+
     /// <summary>
     /// Ensures interactive agent tool calls can request approval and reach the shell executor when approved.
     /// </summary>
@@ -124,10 +162,49 @@ public async Task RunPrompt_should_deny_non_interactive_agent_tool_execution_bef
         shellExecutor.CallCount.Should().Be(0);
     }
 
+    /// <summary>
+    /// Ensures a tool requested outside the explicit allow list is denied even if the provider emits it.
+    /// </summary>
+    [Fact]
+    public async Task RunPrompt_should_deny_provider_requested_tool_that_is_not_in_allow_list()
+    {
+        var workspacePath = CreateTemporaryWorkspace();
+        var provider = new CapturingToolPolicyProvider(ToolPolicyScenario.ToolRoundTrip);
+        var approvalService = new RecordingApprovalService(approve: true);
+        var shellExecutor = new RecordingShellExecutor();
+        using var serviceProvider = CreateServiceProvider(provider, approvalService, shellExecutor);
+        var runtime = serviceProvider.GetRequiredService<IConversationRuntime>();
+
+        var result = await runtime.RunPromptAsync(
+            new RunPromptRequest(
+                Prompt: "run bash",
+                SessionId: null,
+                WorkingDirectory: workspacePath,
+                PermissionMode: PermissionMode.WorkspaceWrite,
+                OutputFormat: OutputFormat.Text,
+                Metadata: new Dictionary<string, string>
+                {
+                    ["provider"] = TestProviderName,
+                    ["model"] = "tool-policy-model",
+                    [SharpClawWorkflowMetadataKeys.AgentAllowedToolsJson] = """["read_file"]""",
+                    [ScenarioMetadataKey] = ToolPolicyScenario.ToolRoundTrip,
+                },
+                IsInteractive: true),
+            CancellationToken.None);
+
+        result.FinalOutput.Should().Contain("Tool result received");
+        result.ToolResults.Should().ContainSingle();
+        result.ToolResults[0].Succeeded.Should().BeFalse();
+        result.ToolResults[0].ErrorMessage.Should().Contain("allow list");
+        approvalService.Requests.Should().BeEmpty();
+        shellExecutor.CallCount.Should().Be(0);
+    }
+
     private static ServiceProvider CreateServiceProvider(
         CapturingToolPolicyProvider provider,
         RecordingApprovalService? approvalService = null,
-        RecordingShellExecutor? shellExecutor = null)
+        RecordingShellExecutor? shellExecutor = null,
+        IPluginManager? pluginManager = null)
     {
         var services = new ServiceCollection();
         services.AddSharpClawRuntime();
@@ -144,6 +221,12 @@ private static ServiceProvider CreateServiceProvider(
             services.AddSingleton<IShellExecutor>(shellExecutor);
         }
 
+        if (pluginManager is not null)
+        {
+            services.AddSingleton(pluginManager);
+            services.AddSingleton<IPluginManager>(pluginManager);
+        }
+
         return services.BuildServiceProvider();
     }
 
@@ -280,4 +363,31 @@ public Task<ProcessRunResult> ExecuteAsync(
             return Task.FromResult(new ProcessRunResult(0, "hi", string.Empty, now, now));
         }
     }
+
+    private sealed class StubPluginManager(IReadOnlyList<PluginToolDescriptor> descriptors) : IPluginManager
+    {
+        public Task<IReadOnlyList<LoadedPlugin>> ListAsync(string workspaceRoot, CancellationToken cancellationToken)
+            => Task.FromResult<IReadOnlyList<LoadedPlugin>>([]);
+
+        public Task<LoadedPlugin> InstallAsync(string workspaceRoot, PluginInstallRequest request, CancellationToken cancellationToken)
+            => throw new NotSupportedException();
+
+        public Task<LoadedPlugin> EnableAsync(string workspaceRoot, string pluginId, CancellationToken cancellationToken)
+            => throw new NotSupportedException();
+
+        public Task<LoadedPlugin> DisableAsync(string workspaceRoot, string pluginId, CancellationToken cancellationToken)
+            => throw new NotSupportedException();
+
+        public Task UninstallAsync(string workspaceRoot, string pluginId, CancellationToken cancellationToken)
+            => throw new NotSupportedException();
+
+        public Task<LoadedPlugin> UpdateAsync(string workspaceRoot, PluginInstallRequest request, CancellationToken cancellationToken)
+            => throw new NotSupportedException();
+
+        public Task<IReadOnlyList<PluginToolDescriptor>> ListToolDescriptorsAsync(string workspaceRoot, CancellationToken cancellationToken)
+            => Task.FromResult(descriptors);
+
+        public Task<ToolResult> ExecuteToolAsync(string workspaceRoot, string toolName, ToolExecutionRequest request, CancellationToken cancellationToken)
+            => Task.FromResult(new ToolResult(request.Id, toolName, true, OutputFormat.Text, "plugin", null, 0, null, null));
+    }
 }