🤖 feat: Programmatic Tool Calling (PTC) via QuickJS sandbox #1212
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ethanndickson
force-pushed
the
ethan/programmatic-tool-calling
branch
from
59751b5 to
050e8a2
Compare
Member
Author
|
@codex review |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Member
Author
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Member
Author
|
@codex review |
ethanndickson
force-pushed
the
ethan/programmatic-tool-calling
branch
from
833f747 to
f7fdb69
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Programmatic Tool Calling (PTC) infrastructure for executing JavaScript code in a sandboxed QuickJS environment with access to Mux tools. Phases completed: - Phase 1: Experiment flag (PROGRAMMATIC_TOOL_CALLING) - Phase 2: Runtime abstraction (IJSRuntime interface) - Phase 3: QuickJS implementation with Asyncify - Phase 4: Tool bridge exposing tools under mux.* namespace - Phase 4.5: Static analysis (syntax, forbidden patterns, AST-based globals) - Phase 5: code_execution tool definition - Phase 5.5: TypeScript type generation & validation from Zod schemas - Phase 5.6: Cleanup fixes (JSDoc, cache unification, test improvements) Key features: - Sandboxed execution with 64MB memory / 5min timeout limits - TypeScript type checking before execution (blocking errors) - Partial results on failure for debugging - Event streaming for nested tool calls - Abort signal support for cancellation 131 tests passing, make static-check passes. --- _Generated with `mux` • Model: `anthropic:claude-opus-4-5` • Thinking: `high`_
Adds code_execution tool that enables AI models to execute multiple tool calls in a single inference round-trip via JavaScript code in a sandboxed QuickJS environment. Key features: - QuickJS-emscripten runtime with Asyncify for async host functions - Tool bridge exposing all Mux tools under mux.* namespace - Static analysis: syntax validation, forbidden patterns, unavailable globals - TypeScript type generation from Zod schemas for model guidance - Real-time streaming of nested tool calls to UI - Partial results on failure for debuggability - Resource limits: 64MB memory, 5-minute timeout UI components: - CodeExecutionToolCall with collapsible code/console sections - NestedToolRenderer routing to specialized tool components - ConsoleOutput for log/warn/error display - Storybook stories for all states Gated behind PROGRAMMATIC_TOOL_CALLING experiment flag with optional PROGRAMMATIC_TOOL_CALLING_EXCLUSIVE mode for PTC-only tool availability. 136 tests passing across runtime, static analysis, type generation, streaming aggregator, and tool execution.
- Move typescript from devDependencies to dependencies (needed at runtime for PTC static analysis) - Lazy-load PTC modules in aiService.ts using dynamic import() - Only load code_execution, quickjsRuntime, and toolBridge when PTC experiments are enabled This fixes two CI failures: 1. Integration tests failing due to prettier's dynamic imports requiring --experimental-vm-modules 2. Smoke tests failing because typescript wasn't in production bundle The import chain (aiService → code_execution → staticAnalysis/typeGenerator → typescript/prettier) now only executes when PTC is actually used.
- Move muxTypes after agent code in typeValidator so error positions match - Return TypeValidationError objects with message, line, column instead of strings - Update staticAnalysis to propagate line/column from type errors - Add tests for line number reporting in code_execution.test.ts and typeValidator.test.ts
- Extract lineNumber directly from QuickJS error object instead of regex parsing - Add bounds checking to only report lines within agent code - Display column numbers for type errors (line N, col M) - Simplify typeValidator line number logic with clearer comments - Add tests for line numbers on first/last lines and column display
Previously the type cache only hashed tool names, so schema changes (e.g., updated MCP server, different workspace with same tool names) wouldn't invalidate cached types. Now hashes names + schemas + descriptions.
The sandbox's 5-minute timeout only interrupted QuickJS execution via the interrupt handler, but that handler doesn't fire during async suspension (when waiting for host functions like mux.bash()). Changes: - Add setTimeout timer that fires independently of QuickJS execution - Tools now use runtime.getAbortSignal() instead of AI SDK's signal - This signal is aborted both by timeout AND external abort requests - Add abortRequested flag to handle abort() before eval() starts - Fix edge case where addEventListener on already-aborted signal is a no-op When timeout fires during a tool call: 1. setTimeout aborts the runtime's AbortController 2. Tool sees aborted signal and can cancel (if it respects abort) 3. When tool returns, interrupt handler also stops QuickJS Note: JavaScript cannot preemptively cancel Promises - this is cooperative cancellation. Tools that check their abort signal will cancel; pure async operations complete but subsequent calls fail fast.
The sandbox bridge was built from allTools before applyToolPolicy ran, so the mux.* API inside code_execution ignored allow/deny filters. Now the policy is applied first, and policyFilteredTools is passed to ToolBridge, ensuring the sandbox only exposes policy-allowed tools.
ethanndickson
force-pushed
the
ethan/programmatic-tool-calling
branch
from
c43b02c to
2ff0e02
Compare
Member
Author
|
@codex review |
|
Codex Review: Didn't find any major issues. 🚀 ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
ethanndickson
force-pushed
the
ethan/programmatic-tool-calling
branch
from
11b7d8e to
758ce5b
Compare
Changed border-white/20 to border-border so the fieldset border is visible in light mode. Also updated inner containers to use bg-code-bg and border-border/50 for theme consistency.
ethanndickson
force-pushed
the
ethan/programmatic-tool-calling
branch
from
758ce5b to
125b755
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
Implements Programmatic Tool Calling (PTC) - a
code_executiontool that enables AI models to orchestrate multi-tool workflows via JavaScript code in a sandboxed QuickJS environment. Instead of N inference round-trips for N tool calls, the model writes code that executes all tools in a single round-trip.Gated behind experiment flags (disabled by default):
PROGRAMMATIC_TOOL_CALLING- Addscode_executionalongside existing toolsPROGRAMMATIC_TOOL_CALLING_EXCLUSIVE- Replaces all tools not available withincode_executionwith justcode_executionArchitecture
Key Components
IJSRuntimeptc/runtime.tsQuickJSRuntimeptc/quickjsRuntime.tsToolBridgeptc/toolBridge.tsmux.*namespacestaticAnalysisptc/staticAnalysis.tstypeGeneratorptc/typeGenerator.ts.d.tsfrom Zod schemascode_executiontools/code_execution.tsStreaming Flow
Nested tool calls stream to the UI in real-time:
The
StreamingMessageAggregatorhandlesparentToolCallIdto nest calls within the parent tool part.UI Components
Security & Resource Limits
Excluded from bridge:
code_execution(prevents recursion),ask_user_question,propose_plan,todo_*,status_set(UI-specific), provider-native tools (noexecutefunction)Test Coverage
136 tests across:
.d.tsconversion, cachingKnown Limitations
Promise.all()runs sequentially due to Asyncify single-stack limitationGenerated with
mux• Model:anthropic:claude-opus-4-5• Thinking:high