phase2 amend: __ separator (Bedrock-safe) + post_sse error diagnostics

Phase 7 verify finding from TC #26 against :model cloud:
  HTTP 400 from openrouter→Amazon Bedrock:
  "tools.0.custom.name: String should match pattern
   '^[a-zA-Z0-9_-]{1,128}$'"

Anthropic via Bedrock validates tool names against that regex and
rejects dots. PHASE2 originally chose "." as the namespace separator
("boltzmann.list_dir"); OpenAI tolerated it, Bedrock does not.

Separator switched to "__" (two underscores) everywhere — internal
API matches on-wire shape, no transformation layer:

  - repl.lua:
    - tools_schema builds "alias__name"
    - dispatch_tool_call splits via "^(.-)__(.+)$" (non-greedy → leftmost __)
    - :mcp tool parser uses same split
    - :mcp tools formatter prints "alias__name"
    - HELP block shows <alias__name>
  - safety.lua confirm_tool_call: alias.* glob → alias__* glob
  - config.lua example block: keys rewritten
  - docs/PHASE2.md: amendment header added; §1, §2 row, §3 config.lua
    row, §5 wire-shape JSON examples, §6 auto_approve schema, §7
    meta-cmd table, §12 plan all updated. Original "." references
    preserved in commit history.

Constraint: aliases must not themselves contain "__" so the parse
stays unambiguous. Tool names from MCP servers may have underscores
freely.

Second fix bundled — uninformative broker error:
  Previously "broker error: transport: HTTP response code said error"
  Now      "broker error: transport: HTTP 400: {full body snippet}"

ffi/curl.lua M.post_sse changes:
  - FAILONERROR no longer set (was hiding the response body).
  - raw_body accumulator added alongside the SSE buffer; captures
    every byte regardless of SSE shape.
  - After perform, check status_code via curl_easy_getinfo. On >=400,
    return (nil, "HTTP <code>: <body[:400]>"). 2xx unchanged.
  - End-of-stream SSE flush only runs on 2xx (no false event on
    error bodies that aren't SSE-shaped).
  - Phase 1 callers reading just first return slot stay correct.

End-to-end verified:
  - :model cloud + tools=[boltzmann__read_file ...] +
    "Use boltzmann__read_file with path=/etc/hostname" →
    Claude emits tool_call with name="boltzmann__read_file",
    args='{"path": "/etc/hostname"}'. ok=true, transport clean.
  - Force-bad tool name "bad.name.with.dots" → err string carries
    the full bedrock 400 with the regex-pattern message visible.

TC #26 (sub-loop end-to-end) is now testable against cloud — the
error that blocked it is resolved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

safety.lua

@@ -25,14 +25,16 @@ end
 
 -- Ask the user whether tool `name` may be called with `args`, consulting
 -- `cfg.mcp.auto_approve` first. Policy keys:
---   "<alias>.<tool>"  → exact-match auto-approve
---   "<alias>.*"       → whole-server auto-approve
+--   "<alias>__<tool>"  → exact-match auto-approve
+--   "<alias>__*"       → whole-server auto-approve
 -- Anything else falls back to a [y/N] prompt; empty / non-"y" answer rejects.
+-- The separator switched from "." to "__" 2026-05-12 because Anthropic via
+-- Bedrock rejects dots in tool names (regex ^[a-zA-Z0-9_-]{1,128}$).
 function M.confirm_tool_call(name, args, cfg)
     local policy = (cfg and cfg.mcp and cfg.mcp.auto_approve) or {}
     if policy[name] then return true end
-    local alias = name:match("^([^.]+)%.")
-    if alias and policy[alias .. ".*"] then return true end
+    local alias = name:match("^(.-)__")
+    if alias and alias ~= "" and policy[alias .. "__*"] then return true end
 
     local prompt = ("call '%s'? [y/N] "):format(pretty_call(name, args))
     local ans = rl.readline(prompt) or ""