agent-loop: encrypt tool_calls.function.{name,arguments} under E2EE

PR #144 follow-up: Pierre flagged that with E2EE active but without
X-Encrypt-All-Fields, the model-generated search query was still
leaking plaintext via the upstream tool_calls[].function.arguments
chunks. Same privacy class as the user's E2EE-decrypted prompt — must
not be on the wire in the clear.

Fix: in routes/chat.rs's agent-loop branch, force
`encrypt_all_fields = true` on the EncryptionContext used to build the
loop's chunk_transform. This only affects the agent-loop path — the
regular chat path below still honors the client's X-Encrypt-All-Fields
choice, so existing E2EE clients are unaffected.

Why not require X-Encrypt-All-Fields instead: this path is opt-in via
the namespaced tool type; clients that opt into it don't need to
remember a separate header to get the full privacy guarantee.

Test: extended e2ee_without_encrypt_all_fields_encrypts_tool_result to
also assert tool_calls[0].function.arguments (the model-generated query)
and tool_calls[0].function.name are ciphertext on the wire and decrypt
back to {"query":"rust"} and "web_context_search" respectively. The
synthetic nearai_tool_result envelope legitimately keeps `name` as
plaintext metadata identifying which server-side tool ran; only the
envelope's `output` is sensitive and that remains encrypted.

Author: Evrard-Nil

src/routes/chat.rs

@@ -73,10 +73,18 @@ pub async fn chat_completions(
             ));
         }
 
-        // Build chunk transform if E2EE is active; the loop emits synthetic
-        // `nearai_tool_result` chunks that the transform encrypts alongside
-        // the model's deltas.
-        let chunk_transform = enc_ctx.map(|ctx| {
+        // Build chunk transform if E2EE is active. The agent loop is the
+        // privacy-critical path — both our synthetic `nearai_tool_result`
+        // chunks AND the model's own `tool_calls[].function.{name,arguments}`
+        // (which contain the search query the model just generated from the
+        // user's E2EE-decrypted prompt) must travel encrypted. Force
+        // `encrypt_all_fields: true` on the context used to build this
+        // transform so clients don't need to remember to send
+        // `X-Encrypt-All-Fields: true` to get the full privacy guarantee.
+        // This only affects the agent-loop path; the regular chat path
+        // below still honors the client's `X-Encrypt-All-Fields` choice.
+        let chunk_transform = enc_ctx.map(|mut ctx| {
+            ctx.encrypt_all_fields = true;
             encryption::make_chunk_transform(Endpoint::ChatCompletions, ctx, state.signing.clone())
         });
         return agent_loop::run_chat_completion(

tests/agent_loop.rs

@@ -940,7 +940,8 @@ async fn e2ee_without_encrypt_all_fields_encrypts_tool_result() {
     assert_eq!(response.status(), StatusCode::OK);
 
     let body = body_to_string(response).await;
-    // Locate the nearai_tool_result chunk.
+
+    // ── nearai_tool_result.output must be encrypted ──────────────────
     let tool_result_chunk = body
         .lines()
         .find(|l| l.contains("nearai_tool_result"))
@@ -952,16 +953,72 @@ async fn e2ee_without_encrypt_all_fields_encrypts_tool_result() {
     let output = parsed["choices"][0]["delta"]["nearai_tool_result"]["output"]
         .as_str()
         .expect("output field is a string");
-
-    // The plaintext "Example A" / "First snippet" must NOT appear on the
-    // wire — the output should be encrypted (NaCl box hex blob).
     assert!(
         !output.contains("Example A") && !output.contains("First snippet"),
         "tool result output was sent plaintext under E2EE: {output}"
     );
-    // And the encrypted output should round-trip back to plaintext for the client.
-    let decrypted =
+    let decrypted_output =
         encryption::decrypt_string(output, &dec_for_response, &client_pair).expect("decrypt");
-    assert!(decrypted.contains("Example A"));
-    assert!(decrypted.contains("First snippet"));
+    assert!(decrypted_output.contains("Example A"));
+    assert!(decrypted_output.contains("First snippet"));
+
+    // ── tool_calls[].function.{name,arguments} must also be encrypted
+    // even though the client never sent X-Encrypt-All-Fields. The
+    // arguments field holds the model-generated search query, which is the
+    // same privacy class as the user's original prompt.
+    //
+    // (Note: the synthetic `nearai_tool_result` envelope legitimately
+    // contains a plaintext `name` field identifying which server-side tool
+    // ran. That's metadata, not user data — its value is a fixed string
+    // controlled by the proxy. Sensitive fields on the envelope —
+    // `output` — are encrypted, checked above.)
+
+    // Find a chunk carrying the assembled tool_call function args. The
+    // upstream emits the args delta on its own chunk; the encrypt path
+    // replaces the string in-place so the chunk still has the field shape
+    // but its value is ciphertext.
+    let chunks: Vec<serde_json::Value> = body
+        .lines()
+        .filter_map(|l| l.strip_prefix("data: "))
+        .filter(|s| *s != "[DONE]")
+        .filter_map(|s| serde_json::from_str::<serde_json::Value>(s).ok())
+        .collect();
+
+    let args_ciphertext = chunks
+        .iter()
+        .find_map(|chunk| {
+            chunk["choices"][0]["delta"]["tool_calls"][0]["function"]["arguments"]
+                .as_str()
+                .map(|s| s.to_string())
+                .filter(|s| !s.is_empty())
+        })
+        .expect("expected a tool_calls function.arguments chunk");
+    assert!(
+        !args_ciphertext.contains("query") && !args_ciphertext.contains("rust"),
+        "function.arguments was sent plaintext under E2EE: {args_ciphertext}"
+    );
+    let decrypted_args =
+        encryption::decrypt_string(&args_ciphertext, &dec_for_response, &client_pair)
+            .expect("decrypt arguments");
+    assert!(
+        decrypted_args.contains(r#""query":"rust""#),
+        "decrypted args did not match expected query: {decrypted_args}"
+    );
+
+    // function.name on the model-generated tool_call should also be
+    // ciphertext (round-trips to "web_context_search").
+    let name_ciphertext = chunks
+        .iter()
+        .find_map(|chunk| {
+            chunk["choices"][0]["delta"]["tool_calls"][0]["function"]["name"]
+                .as_str()
+                .map(|s| s.to_string())
+                .filter(|s| !s.is_empty())
+        })
+        .expect("expected a tool_calls function.name chunk");
+    assert_ne!(name_ciphertext, "web_context_search");
+    let decrypted_name =
+        encryption::decrypt_string(&name_ciphertext, &dec_for_response, &client_pair)
+            .expect("decrypt name");
+    assert_eq!(decrypted_name, "web_context_search");
 }