fix: concatenate security block into last message instead of appending separate user message

Avoids consecutive same-role messages which violates the Anthropic
Messages API protocol. The security block is now appended to the last
User or Tool message content rather than pushed as a separate synthetic
User message. Simplifies Claude CLI provider helpers since they no
longer need to detect and extract the security block separately.

Author: yiwang

crates/core/src/agent/mod.rs

@@ -420,12 +420,16 @@ impl Agent {
     }
 
     /// Build the message array for an LLM API call, with the security
-    /// block injected as a trailing user message on every call.
+    /// block concatenated into the last user/tool message on every call.
     ///
     /// This ensures the security suffix always occupies the recency position
     /// (last content before generation), regardless of conversation length.
     /// The security block is synthetic — it is not persisted in session
     /// history and not included in compaction/summarization.
+    ///
+    /// We concatenate into the last message rather than appending a separate
+    /// user message to avoid consecutive same-role messages, which violates
+    /// the Anthropic Messages API protocol.
     fn messages_for_api_call(&self) -> Vec<Message> {
         let mut messages = self.session.messages_for_llm();
 
@@ -438,15 +442,29 @@ impl Agent {
 
         let security_block = crate::security::build_ending_security_block(policy, include_suffix);
 
-        // Only append if the block has content
         if !security_block.is_empty() {
-            messages.push(Message {
-                role: Role::User,
-                content: security_block,
-                tool_calls: None,
-                tool_call_id: None,
-                images: Vec::new(),
-            });
+            // Concatenate into the last User or Tool message to avoid
+            // consecutive same-role messages (Anthropic API requirement).
+            let appended = if let Some(last) = messages.last_mut() {
+                matches!(last.role, Role::User | Role::Tool)
+            } else {
+                false
+            };
+
+            if appended {
+                let last = messages.last_mut().unwrap();
+                last.content.push_str("\n\n");
+                last.content.push_str(&security_block);
+            } else {
+                // Fallback: no messages or last message is Assistant/System
+                messages.push(Message {
+                    role: Role::User,
+                    content: security_block,
+                    tool_calls: None,
+                    tool_call_id: None,
+                    images: Vec::new(),
+                });
+            }
         }
 
         messages

crates/core/src/agent/providers.rs

@@ -1894,47 +1894,26 @@ fn normalize_claude_model(model: &str) -> String {
     .to_string()
 }
 
-#[cfg(feature = "claude-cli")]
-/// Check if a message is the synthetic security block appended by `messages_for_api_call`.
-fn is_security_block(msg: &Message) -> bool {
-    msg.role == Role::User
-        && msg
-            .content
-            .contains(crate::security::HARDCODED_SECURITY_SUFFIX)
-}
-
 #[cfg(feature = "claude-cli")]
 fn build_prompt_from_messages(messages: &[Message]) -> String {
-    // Get the last *real* user message as the prompt, skipping the security block
+    // Get the last user message as the prompt.
+    // The security block is now concatenated into it by messages_for_api_call().
     messages
         .iter()
         .rev()
-        .find(|m| m.role == Role::User && !is_security_block(m))
+        .find(|m| m.role == Role::User)
         .map(|m| m.content.clone())
         .unwrap_or_default()
 }
 
 #[cfg(feature = "claude-cli")]
 fn extract_system_prompt(messages: &[Message]) -> Option<String> {
-    let system = messages
+    // The security block is now concatenated into the last user/tool message
+    // by messages_for_api_call(), so no need to fold it here.
+    messages
         .iter()
         .find(|m| m.role == Role::System)
-        .map(|m| m.content.clone());
-
-    // For Claude CLI, fold the security block into the system prompt
-    // since the CLI only accepts a single prompt + system prompt
-    let security = messages
-        .iter()
-        .rev()
-        .find(|m| is_security_block(m))
-        .map(|m| m.content.clone());
-
-    match (system, security) {
-        (Some(sys), Some(sec)) => Some(format!("{}\n\n{}", sys, sec)),
-        (Some(sys), None) => Some(sys),
-        (None, Some(sec)) => Some(sec),
-        (None, None) => None,
-    }
+        .map(|m| m.content.clone())
 }
 
 #[cfg(feature = "claude-cli")]