Merge branch 'master' into fix-mcp-routing-openai-strict

ericdallo · web-flow · commit be7de2ea1cdc · 2026-05-12T17:24:21.000-03:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,19 @@
 - Bugfix: OpenAI Responses tool calls now opt out of strict schema normalization so optional tool parameters remain optional.
 - Bugfix: MCP tool calls now route to the selected server when multiple servers expose the same tool name.
 
+## 0.133.6
+
+- Bugfix: `network.caCertFile` (and `clientCert`/`clientKey`/`clientKeyPassphrase`) set via `config.json` were silently ignored due to a key-case mismatch between config normalization and the network reader; only the env-var fallbacks worked. #457
+
+## 0.133.5
+
+- Improve CPU usage while streaming tool-call arguments by reusing the prompt's tool list.
+- Improve connection error messages from LLM providers. #457
+
+## 0.133.4
+
+- Bugfix: stop the infinite "Cannot run program 'kill'" liveness-probe log loop for sandboxed environments.
+
 ## 0.133.3
 
 - Add unit and integration tests covering parent↔subagent end-to-end communication so regressions like the v0.133.1 spawn-agent breakage are caught automatically.
diff --git a/resources/ECA_VERSION b/resources/ECA_VERSION
@@ -1 +1 @@
-0.133.3
+0.133.6
diff --git a/src/eca/features/chat.clj b/src/eca/features/chat.clj
@@ -828,8 +828,7 @@
                                                      (lifecycle/finish-chat-prompt! :idle chat-ctx)))))
                 :on-prepare-tool-call (fn [{:keys [id full-name arguments-text]}]
                                         (lifecycle/assert-chat-not-stopped! chat-ctx)
-                                        (let [all-tools (f.tools/all-tools chat-id agent @db* config)
-                                              tool (f.tools/resolve-tool full-name all-tools)
+                                        (let [tool (f.tools/resolve-tool full-name all-tools)
                                               resolved-full-name (or (:full-name tool) full-name)]
                                           (when-not tool
                                             (logger/warn logger-tag "Tool not found for prepare"
diff --git a/src/eca/llm_providers/anthropic.clj b/src/eca/llm_providers/anthropic.clj
@@ -161,7 +161,7 @@
 
                       :else
                       (on-error {:exception e
-                                 :message (format "Connection error: %s" (or (ex-message e) (.getName (class e))))}))))
+                                 :message (llm-util/connection-error-message e)}))))
                 (finally
                   (stop-fn))))
             (do
@@ -170,7 +170,7 @@
                       {:output-text (:text (last (:content body)))})))))
       (catch Exception e
         (on-error {:exception e
-                   :message (format "Connection error: %s" (or (ex-message e) (.getName (class e))))})))
+                   :message (llm-util/connection-error-message e)})))
     @response*))
 
 (defn ^:private normalize-messages [past-messages supports-image?]
diff --git a/src/eca/llm_providers/ollama.clj b/src/eca/llm_providers/ollama.clj
@@ -90,7 +90,7 @@
                       {:output-text (:content (:message body))})))))
       (catch Exception e
         (on-error {:exception e
-                   :message (format "Connection error: %s" (or (ex-message e) (.getName (class e))))})))
+                   :message (llm-util/connection-error-message e)})))
     @response*))
 
 (defn ^:private ->tools [tools]
diff --git a/src/eca/llm_providers/openai.clj b/src/eca/llm_providers/openai.clj
@@ -96,10 +96,10 @@
               (llm-util/log-response logger-tag rid "response" body)
               (response-body->result body)))))
       (catch Exception e
-        (let [msg (or (ex-message e) (.getName (class e)))
-              prefix (if (ex-data e) "Internal error" "Connection error")]
-          (on-error {:exception e
-                     :message (format "%s: %s" prefix msg)}))))))
+        (on-error {:exception e
+                   :message (if (ex-data e)
+                              (format "Internal error: %s" (or (ex-message e) (.getName (class e))))
+                              (llm-util/connection-error-message e))})))))
 
 (defn ^:private normalize-messages [messages supports-image?]
   ;; Each history entry maps to one or more provider messages. Switched from
diff --git a/src/eca/llm_providers/openai_chat.clj b/src/eca/llm_providers/openai_chat.clj
@@ -154,7 +154,7 @@
               (response-body->result body on-tools-called-wrapper)))))
       (catch Exception e
         (on-error {:exception e
-                   :message (format "Connection error: %s" (or (ex-message e) (.getName (class e))))})))))
+                   :message (llm-util/connection-error-message e)})))))
 
 (defn ^:private transform-message
   "Transform a single ECA message to OpenAI format. Returns nil for unsupported roles.
diff --git a/src/eca/llm_util.clj b/src/eca/llm_util.clj
@@ -8,7 +8,10 @@
    [eca.secrets :as secrets]
    [eca.shared :as shared])
   (:import
-   [java.io BufferedReader Closeable]))
+   [java.io BufferedReader Closeable]
+   [java.net ConnectException SocketTimeoutException UnknownHostException]
+   [java.net.http HttpConnectTimeoutException]
+   [javax.net.ssl SSLException]))
 
 (set! *warn-on-reflection* true)
 
@@ -156,3 +159,76 @@
               (some-> (get-in config [:providers (name provider) :urlEnv]) config/get-env)) ;; legacy
           shared/normalize-api-url
           not-empty))
+
+(defn ^:private cause-chain
+  "Returns a seq of `e` followed by every nested cause."
+  [^Throwable e]
+  (->> (iterate (fn [^Throwable t] (.getCause t)) e)
+       (take-while some?)))
+
+(defn ^:private root-message [^Throwable e]
+  (or (ex-message e) (.getName (class e))))
+
+(defn classify-connection-exception
+  "Walks the cause chain of `e` and classifies common HTTP/TLS failures
+   into a user-friendly map: {:kind <keyword> :message <string>}.
+
+   Recognized kinds:
+   - :tls-untrusted   - PKIX path building failed (private/corporate CA not trusted)
+   - :tls-other       - other TLS/SSL handshake errors
+   - :dns             - UnknownHostException
+   - :connect-refused - ConnectException (connection refused, etc.)
+   - :timeout         - connection/socket timeouts
+   - :unknown         - fallback; keeps the historical 'Connection error: ...' format"
+  [^Throwable e]
+  (let [msg (root-message e)
+        causes (cause-chain e)
+        pkix? (some (fn [^Throwable c]
+                      (some-> (ex-message c)
+                              (string/includes? "PKIX path building failed")))
+                    causes)
+        ssl?  (some #(instance? SSLException %) causes)
+        dns?  (some #(instance? UnknownHostException %) causes)
+        connect-refused? (some #(instance? ConnectException %) causes)
+        timeout? (some #(or (instance? HttpConnectTimeoutException %)
+                            (instance? SocketTimeoutException %))
+                       causes)]
+    (cond
+      pkix?
+      {:kind :tls-untrusted
+       :message (str "TLS certificate not trusted: PKIX path building failed. "
+                     "The server's certificate is signed by a CA not in the JVM truststore "
+                     "(common with private/corporate CAs). "
+                     "Fix: set `network.caCertFile` in your ECA config or the `SSL_CERT_FILE` "
+                     "env var to a PEM bundle containing the missing CA. "
+                     "See docs/config/network.md for details. Original error: " msg)}
+
+      ssl?
+      {:kind :tls-other
+       :message (str "TLS error: " msg
+                     ". See docs/config/network.md for trust and mTLS configuration.")}
+
+      dns?
+      {:kind :dns
+       :message (str "DNS resolution failed: " msg
+                     ". Check the provider URL and your network/proxy settings.")}
+
+      connect-refused?
+      {:kind :connect-refused
+       :message (str "Could not connect: " msg
+                     ". Check the provider URL and whether the server is reachable. "
+                     "Corporate networks may require HTTP_PROXY / HTTPS_PROXY env vars.")}
+
+      timeout?
+      {:kind :timeout
+       :message (str "Connection timed out: " msg ".")}
+
+      :else
+      {:kind :unknown
+       :message (format "Connection error: %s" msg)})))
+
+(defn connection-error-message
+  "Returns a user-friendly message describing a connection-level exception.
+   Always non-nil. See `classify-connection-exception` for recognized error kinds."
+  [^Throwable e]
+  (:message (classify-connection-exception e)))
diff --git a/src/eca/network.clj b/src/eca/network.clj
@@ -112,11 +112,15 @@
   "Reads network TLS configuration from the config `network` section
   (when available) and falls back to well-known environment variables.
 
-  Config values (camelCase as from JSON):
-    :caCertFile          - path to a PEM CA certificate bundle
-    :clientCert          - path to a PEM client certificate for mTLS
-    :clientKey           - path to a PEM client private key for mTLS
-    :clientKeyPassphrase - passphrase for an encrypted client key
+  The JSON config uses camelCase (`caCertFile`, `clientCert`, ...), but
+  `eca.config` normalizes keys under `:network` to kebab-case before
+  this function is called, so we look up kebab-cased keys here.
+
+  Config values (kebab-case after normalization):
+    :ca-cert-file          - path to a PEM CA certificate bundle
+    :client-cert           - path to a PEM client certificate for mTLS
+    :client-key            - path to a PEM client private key for mTLS
+    :client-key-passphrase - passphrase for an encrypted client key
 
   Environment variable fallbacks (lowest priority):
     SSL_CERT_FILE / NODE_EXTRA_CA_CERTS  -> :ca-cert-file
@@ -125,14 +129,14 @@
     ECA_CLIENT_KEY_PASSPHRASE            -> :client-key-passphrase"
   [file-config]
   (let [net (:network file-config)]
-    {:ca-cert-file (or (non-blank (:caCertFile net))
+    {:ca-cert-file (or (non-blank (:ca-cert-file net))
                        (non-blank (config/get-env "SSL_CERT_FILE"))
                        (non-blank (config/get-env "NODE_EXTRA_CA_CERTS")))
-     :client-cert (or (non-blank (:clientCert net))
+     :client-cert (or (non-blank (:client-cert net))
                       (non-blank (config/get-env "ECA_CLIENT_CERT")))
-     :client-key (or (non-blank (:clientKey net))
+     :client-key (or (non-blank (:client-key net))
                      (non-blank (config/get-env "ECA_CLIENT_KEY")))
-     :client-key-passphrase (or (non-blank (:clientKeyPassphrase net))
+     :client-key-passphrase (or (non-blank (:client-key-passphrase net))
                                 (non-blank (config/get-env "ECA_CLIENT_KEY_PASSPHRASE")))}))
 
 (defn load-pem-certificates
@@ -279,13 +283,20 @@
   custom CA or mTLS settings are present, and stores it in
   `*ssl-context*`."
   [file-config]
-  (let [net-cfg (read-network-config file-config)]
+  (let [net-cfg (read-network-config file-config)
+        configured? (boolean (:network file-config))]
+    (logger/debug logger-tag "Resolved network config:" net-cfg)
     (try
-      (when-let [ctx (build-ssl-context net-cfg)]
-        (logger/info logger-tag "Custom SSL context configured"
-                     (cond-> {}
-                       (:ca-cert-file net-cfg) (assoc :ca-cert-file (:ca-cert-file net-cfg))
-                       (:client-cert net-cfg) (assoc :client-cert (:client-cert net-cfg))))
-        (alter-var-root #'*ssl-context* (constantly ctx)))
+      (if-let [ctx (build-ssl-context net-cfg)]
+        (do
+          (logger/info logger-tag "Custom SSL context configured"
+                       (cond-> {}
+                         (:ca-cert-file net-cfg) (assoc :ca-cert-file (:ca-cert-file net-cfg))
+                         (:client-cert net-cfg) (assoc :client-cert (:client-cert net-cfg))))
+          (alter-var-root #'*ssl-context* (constantly ctx)))
+        (when configured?
+          (logger/warn logger-tag
+                       (str "`network` config present but no TLS settings were resolved; "
+                            "using JVM defaults. Check caCertFile/clientCert/clientKey paths."))))
       (catch Exception e
         (logger/error logger-tag "Failed to build SSL context:" (.getMessage e))))))
diff --git a/src/eca/server.clj b/src/eca/server.clj
@@ -13,9 +13,13 @@
    [eca.remote.server :as remote.server]
    [eca.shared :as shared :refer [assoc-some]]
    [jsonrpc4clj.io-server :as io-server]
-   [jsonrpc4clj.liveness-probe :as liveness-probe]
    [jsonrpc4clj.server :as jsonrpc.server]
-   [promesa.core :as p]))
+   [promesa.core :as p])
+  (:import
+   [java.lang ProcessHandle]
+   [java.util Optional]
+   [java.util.concurrent CompletableFuture]
+   [java.util.function BiConsumer]))
 
 (set! *warn-on-reflection* true)
 
@@ -56,9 +60,39 @@
        (catch Throwable e#
          (logger/error e# "[server] Error in async notification handler")))))
 
+(defn ^:private start-liveness-probe!
+  "Monitor parent process `ppid`; invoke `on-exit` once when the parent
+  disappears. Event-driven via `ProcessHandle.onExit` so we don't shell out
+  to `kill -0` (which loops forever when the binary is missing)."
+  [ppid on-exit]
+  (let [fire! (fn []
+                (try (on-exit)
+                     (catch Throwable t
+                       (logger/error t "[server] Liveness probe - on-exit threw"))))]
+    (try
+      (let [opt ^Optional (ProcessHandle/of (long ppid))]
+        (if (.isPresent opt)
+          (let [^ProcessHandle handle (.get opt)
+                ^CompletableFuture fut (.onExit handle)]
+            (.whenComplete fut
+                           (reify BiConsumer
+                             (accept [_ _result ex]
+                               (if (some? ex)
+                                 (logger/warn ex "[server] Liveness probe - failed waiting for parent" ppid "- monitor disabled")
+                                 (do
+                                   (logger/info "[server] Liveness probe - parent" ppid "exited - exiting server")
+                                   (fire!))))))
+            nil)
+          (do
+            (logger/info "[server] Liveness probe - parent" ppid "is not running - exiting server")
+            (fire!))))
+      (catch Throwable t
+        (logger/error t "[server] Liveness probe - failed to start; parent monitoring disabled")
+        nil))))
+
 (defmethod jsonrpc.server/receive-request "initialize" [_ {:keys [server] :as components} params]
   (when-let [parent-process-id (:process-id params)]
-    (liveness-probe/start! parent-process-id log-wrapper-fn #(exit server)))
+    (start-liveness-probe! parent-process-id #(exit server)))
   (handlers/initialize components params))
 
 (defmethod jsonrpc.server/receive-notification "initialized" [_ components _params]
diff --git a/test/eca/llm_util_test.clj b/test/eca/llm_util_test.clj
@@ -7,7 +7,9 @@
    [eca.secrets :as secrets]
    [matcher-combinators.test :refer [match?]])
   (:import
-   [java.io ByteArrayInputStream]))
+   [java.io ByteArrayInputStream]
+   [java.net ConnectException SocketTimeoutException UnknownHostException]
+   [javax.net.ssl SSLException SSLHandshakeException]))
 
 (deftest event-data-seq-test
   (testing "when there is a event line and another data line"
@@ -185,4 +187,69 @@
 
   (testing "returns nil for blank url"
     (with-redefs [config/get-env (constantly nil)]
-      (is (nil? (llm-util/provider-api-url "openai" {:providers {"openai" {:url "   "}}})))))) 
+      (is (nil? (llm-util/provider-api-url "openai" {:providers {"openai" {:url "   "}}}))))))
+
+(deftest classify-connection-exception-test
+  (testing "PKIX path building failed -> :tls-untrusted with actionable hint"
+    (let [e (SSLHandshakeException. "PKIX path building failed: unable to find valid certification path to requested target")
+          {:keys [kind message]} (llm-util/classify-connection-exception e)]
+      (is (= :tls-untrusted kind))
+      (is (re-find #"TLS certificate not trusted" message))
+      (is (re-find #"network\.caCertFile" message))
+      (is (re-find #"SSL_CERT_FILE" message))
+      (is (re-find #"docs/config/network\.md" message))))
+
+  (testing "PKIX detected even when wrapped in a non-SSL outer exception"
+    (let [root (Exception. "PKIX path building failed: unable to find valid certification path to requested target")
+          wrapped (RuntimeException. "wrapper" root)
+          {:keys [kind message]} (llm-util/classify-connection-exception wrapped)]
+      (is (= :tls-untrusted kind))
+      (is (re-find #"network\.caCertFile" message))))
+
+  (testing "Generic SSLException (no PKIX) -> :tls-other"
+    (let [e (SSLException. "handshake_failure")
+          {:keys [kind message]} (llm-util/classify-connection-exception e)]
+      (is (= :tls-other kind))
+      (is (re-find #"TLS error" message))
+      (is (re-find #"docs/config/network\.md" message))))
+
+  (testing "UnknownHostException -> :dns"
+    (let [e (UnknownHostException. "no-such-host.example")
+          {:keys [kind message]} (llm-util/classify-connection-exception e)]
+      (is (= :dns kind))
+      (is (re-find #"DNS resolution failed" message))))
+
+  (testing "ConnectException (e.g. Connection refused) -> :connect-refused"
+    (let [e (ConnectException. "Connection refused")
+          {:keys [kind message]} (llm-util/classify-connection-exception e)]
+      (is (= :connect-refused kind))
+      (is (re-find #"Could not connect" message))
+      (is (re-find #"HTTP_PROXY" message))))
+
+  (testing "SocketTimeoutException -> :timeout"
+    (let [e (SocketTimeoutException. "Read timed out")
+          {:keys [kind message]} (llm-util/classify-connection-exception e)]
+      (is (= :timeout kind))
+      (is (re-find #"Connection timed out" message))))
+
+  (testing "Unknown exception falls back to legacy 'Connection error:' format"
+    (let [e (Exception. "boom")
+          {:keys [kind message]} (llm-util/classify-connection-exception e)]
+      (is (= :unknown kind))
+      (is (= "Connection error: boom" message))))
+
+  (testing "Exception with nil message uses class name as fallback"
+    (let [e (Exception.)
+          {:keys [kind message]} (llm-util/classify-connection-exception e)]
+      (is (= :unknown kind))
+      (is (re-find #"Connection error: java\.lang\.Exception" message)))))
+
+(deftest connection-error-message-test
+  (testing "returns the :message from classify-connection-exception"
+    (is (re-find #"TLS certificate not trusted"
+                 (llm-util/connection-error-message
+                  (SSLHandshakeException. "PKIX path building failed: ...")))))
+  (testing "is non-nil for any exception"
+    (is (string? (llm-util/connection-error-message (Exception. "x"))))
+    (is (string? (llm-util/connection-error-message (Exception.))))))
+
diff --git a/test/eca/network_test.clj b/test/eca/network_test.clj
diff --git a/test/eca/server_test.clj b/test/eca/server_test.clj
