fix(ai): strip deepseek xml tags from chat history & secure git tools

This commit addresses the issue where DeepSeek's raw XML markup (like <tool_calls> and <think>) was leaking into chat history, causing hallucinations in subsequent turns. It also patches a vulnerability in the git commit tool where arbitrary shell injection was possible. Additionally, it includes UX copy and color contrast adjustments for the marketing homepage breadcrumbs.
2026-05-14 11:34:42 -07:00
parent 5968b98aa7
commit c51c3c21b3
22 changed files with 4559 additions and 667 deletions
--- a/vibn-frontend/lib/ai/openai-compatible-chat.ts
+++ b/vibn-frontend/lib/ai/openai-compatible-chat.ts
@@ -210,11 +210,18 @@ function parseAssistantMessage(message: Record<string, unknown> | undefined): {
      : typeof (message as { reasoning?: string })?.reasoning === "string"
        ? (message as { reasoning: string }).reasoning
        : "";
+
+  const stripTags = (s: string) =>
+    s
+      .replace(/<tool_calls>[\s\S]*?<\/tool_calls>/g, "")
+      .replace(/<think>[\s\S]*?<\/think>/g, "")
+      .trim();
+
  // DeepSeek separates thinking from speaking — during tool loops it
  // often puts everything in reasoning_content and leaves content empty.
  // When that happens, surface the reasoning as the user-visible text
  // so the user isn't staring at silent tool pills.
-  const text = rawText || thoughts;
+  const text = stripTags(rawText || thoughts);
  const toolCalls: ToolCall[] = [];
  const rawCalls = message?.tool_calls;
  if (Array.isArray(rawCalls)) {