@poncho-ai/harness 0.18.0 → 0.19.1

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @poncho-ai/harness@0.18.0 build /home/runner/work/poncho-ai/poncho-ai/packages/harness
+> @poncho-ai/harness@0.19.1 build /home/runner/work/poncho-ai/poncho-ai/packages/harness
 > tsup src/index.ts --format esm --dts
 
 CLI Building entry: src/index.ts
@@ -7,8 +7,8 @@
 CLI tsup v8.5.1
 CLI Target: es2022
 ESM Build start
-ESM dist/index.js 196.78 KB
-ESM ⚡️ Build success in 133ms
+ESM dist/index.js 199.42 KB
+ESM ⚡️ Build success in 125ms
 DTS Build start
-DTS ⚡️ Build success in 6813ms
-DTS dist/index.d.ts 24.01 KB
+DTS ⚡️ Build success in 7505ms
+DTS dist/index.d.ts 24.33 KB

package/CHANGELOG.md

@@ -1,5 +1,25 @@
 # @poncho-ai/harness
 
+## 0.19.1
+
+### Patch Changes
+
+- [`470563b`](https://github.com/cesr/poncho-ai/commit/470563b96bbb5d2c6358a1c89dd3b52beb7799c8) Thanks [@cesr](https://github.com/cesr)! - Fix LocalUploadStore ENOENT on Vercel: use /tmp for uploads on serverless environments instead of the read-only working directory.
+
+## 0.19.0
+
+### Minor Changes
+
+- [`075b9ac`](https://github.com/cesr/poncho-ai/commit/075b9ac3556847af913bf2b58f030575c3b99852) Thanks [@cesr](https://github.com/cesr)! - Batch tool approvals, fix serverless session persistence and adapter init
+  - Batch tool approvals: all approval-requiring tool calls in a single step are now collected and presented together instead of one at a time.
+  - Fix messaging adapter route registration: routes are only registered after successful initialization, preventing "Adapter not initialised" errors on Vercel.
+  - Add stateless signed-cookie sessions so web UI auth survives serverless cold starts.
+
+### Patch Changes
+
+- Updated dependencies [[`075b9ac`](https://github.com/cesr/poncho-ai/commit/075b9ac3556847af913bf2b58f030575c3b99852)]:
+  - @poncho-ai/sdk@1.4.0
+
 ## 0.18.0
 
 ### Minor Changes

package/dist/index.d.ts

@@ -94,6 +94,7 @@ interface Conversation {
             name: string;
             input: Record<string, unknown>;
         }>;
+        decision?: "approved" | "denied";
     }>;
     ownerId: string;
     tenantId: string | null;
@@ -268,6 +269,8 @@ type BuiltInToolToggles = {
     list_directory?: boolean;
     read_file?: boolean;
     write_file?: boolean;
+    delete_file?: boolean;
+    delete_directory?: boolean;
 };
 interface MessagingChannelConfig {
     platform: "slack" | "resend";
@@ -276,6 +279,7 @@ interface MessagingChannelConfig {
     apiKeyEnv?: string;
     webhookSecretEnv?: string;
     fromEnv?: string;
+    replyToEnv?: string;
     allowedSenders?: string[];
     mode?: "auto-reply" | "tool";
     allowedRecipients?: string[];
@@ -359,6 +363,8 @@ declare const loadPonchoConfig: (workingDir: string) => Promise<PonchoConfig | u
 
 declare const createDefaultTools: (workingDir: string) => ToolDefinition[];
 declare const createWriteTool: (workingDir: string) => ToolDefinition;
+declare const createDeleteTool: (workingDir: string) => ToolDefinition;
+declare const createDeleteDirectoryTool: (workingDir: string) => ToolDefinition;
 
 declare const PONCHO_UPLOAD_SCHEME = "poncho-upload://";
 interface UploadStore {
@@ -681,4 +687,4 @@ declare class TelemetryEmitter {
 
 declare const createSubagentTools: (manager: SubagentManager, getConversationId: () => string | undefined, getOwnerId: () => string) => ToolDefinition[];
 
-export { type AgentFrontmatter, AgentHarness, type AgentIdentity, type AgentLimitsConfig, type AgentModelConfig, type BuiltInToolToggles, type Conversation, type ConversationState, type ConversationStore, type ConversationSummary, type CronJobConfig, type HarnessOptions, type HarnessRunOutput, InMemoryConversationStore, InMemoryStateStore, LatitudeCapture, type LatitudeCaptureConfig, LocalMcpBridge, LocalUploadStore, type MainMemory, type McpConfig, type MemoryConfig, type MemoryStore, type MessagingChannelConfig, type ModelProviderFactory, PONCHO_UPLOAD_SCHEME, type ParsedAgent, type PonchoConfig, type ProviderConfig, type RemoteMcpServerConfig, type RuntimeRenderContext, S3UploadStore, STORAGE_SCHEMA_VERSION, type SkillContextEntry, type SkillMetadata, type StateConfig, type StateProviderName, type StateStore, type StorageConfig, type SubagentManager, type SubagentResult, type SubagentSummary, type TelemetryConfig, TelemetryEmitter, type ToolAccess, type ToolCall, ToolDispatcher, type ToolExecutionResult, type UploadStore, type UploadsConfig, VercelBlobUploadStore, buildAgentDirectoryName, buildSkillContextWindow, createConversationStore, createDefaultTools, createMemoryStore, createMemoryTools, createModelProvider, createSkillTools, createStateStore, createSubagentTools, createUploadStore, createWriteTool, deriveUploadKey, ensureAgentIdentity, generateAgentId, getAgentStoreDirectory, getModelContextWindow, getPonchoStoreRoot, jsonSchemaToZod, loadPonchoConfig, loadSkillContext, loadSkillInstructions, loadSkillMetadata, normalizeScriptPolicyPath, parseAgentFile, parseAgentMarkdown, readSkillResource, renderAgentPrompt, resolveAgentIdentity, resolveMemoryConfig, resolveSkillDirs, resolveStateConfig, slugifyStorageComponent };
+export { type AgentFrontmatter, AgentHarness, type AgentIdentity, type AgentLimitsConfig, type AgentModelConfig, type BuiltInToolToggles, type Conversation, type ConversationState, type ConversationStore, type ConversationSummary, type CronJobConfig, type HarnessOptions, type HarnessRunOutput, InMemoryConversationStore, InMemoryStateStore, LatitudeCapture, type LatitudeCaptureConfig, LocalMcpBridge, LocalUploadStore, type MainMemory, type McpConfig, type MemoryConfig, type MemoryStore, type MessagingChannelConfig, type ModelProviderFactory, PONCHO_UPLOAD_SCHEME, type ParsedAgent, type PonchoConfig, type ProviderConfig, type RemoteMcpServerConfig, type RuntimeRenderContext, S3UploadStore, STORAGE_SCHEMA_VERSION, type SkillContextEntry, type SkillMetadata, type StateConfig, type StateProviderName, type StateStore, type StorageConfig, type SubagentManager, type SubagentResult, type SubagentSummary, type TelemetryConfig, TelemetryEmitter, type ToolAccess, type ToolCall, ToolDispatcher, type ToolExecutionResult, type UploadStore, type UploadsConfig, VercelBlobUploadStore, buildAgentDirectoryName, buildSkillContextWindow, createConversationStore, createDefaultTools, createDeleteDirectoryTool, createDeleteTool, createMemoryStore, createMemoryTools, createModelProvider, createSkillTools, createStateStore, createSubagentTools, createUploadStore, createWriteTool, deriveUploadKey, ensureAgentIdentity, generateAgentId, getAgentStoreDirectory, getModelContextWindow, getPonchoStoreRoot, jsonSchemaToZod, loadPonchoConfig, loadSkillContext, loadSkillInstructions, loadSkillMetadata, normalizeScriptPolicyPath, parseAgentFile, parseAgentMarkdown, readSkillResource, renderAgentPrompt, resolveAgentIdentity, resolveMemoryConfig, resolveSkillDirs, resolveStateConfig, slugifyStorageComponent };

package/dist/index.js

@@ -378,7 +378,7 @@ var loadPonchoConfig = async (workingDir) => {
 };
 
 // src/default-tools.ts
-import { mkdir, readdir, readFile as readFile3, writeFile as writeFile2 } from "fs/promises";
+import { mkdir, readdir, readFile as readFile3, rm, unlink, writeFile as writeFile2 } from "fs/promises";
 import { dirname, resolve as resolve4, sep } from "path";
 import { defineTool } from "@poncho-ai/sdk";
 var resolveSafePath = (workingDir, inputPath) => {
@@ -463,6 +463,52 @@ var createWriteTool = (workingDir) => defineTool({
     return { path, written: true };
   }
 });
+var createDeleteTool = (workingDir) => defineTool({
+  name: "delete_file",
+  description: "Delete a file at a path inside the working directory",
+  inputSchema: {
+    type: "object",
+    properties: {
+      path: {
+        type: "string",
+        description: "File path relative to working directory"
+      }
+    },
+    required: ["path"],
+    additionalProperties: false
+  },
+  handler: async (input) => {
+    const path = typeof input.path === "string" ? input.path : "";
+    const resolved = resolveSafePath(workingDir, path);
+    await unlink(resolved);
+    return { path, deleted: true };
+  }
+});
+var createDeleteDirectoryTool = (workingDir) => defineTool({
+  name: "delete_directory",
+  description: "Recursively delete a directory and all its contents inside the working directory",
+  inputSchema: {
+    type: "object",
+    properties: {
+      path: {
+        type: "string",
+        description: "Directory path relative to working directory"
+      }
+    },
+    required: ["path"],
+    additionalProperties: false
+  },
+  handler: async (input) => {
+    const path = typeof input.path === "string" ? input.path : "";
+    if (!path) throw new Error("Path must not be empty.");
+    const resolved = resolveSafePath(workingDir, path);
+    if (resolved === resolve4(workingDir)) {
+      throw new Error("Cannot delete the working directory root.");
+    }
+    await rm(resolved, { recursive: true });
+    return { path, deleted: true };
+  }
+});
 
 // src/harness.ts
 import { randomUUID as randomUUID3 } from "crypto";
@@ -470,8 +516,9 @@ import { getTextContent as getTextContent2 } from "@poncho-ai/sdk";
 
 // src/upload-store.ts
 import { createHash as createHash2 } from "crypto";
-import { mkdir as mkdir2, readFile as readFile4, writeFile as writeFile3, rm } from "fs/promises";
+import { mkdir as mkdir2, readFile as readFile4, writeFile as writeFile3, rm as rm2 } from "fs/promises";
 import { createRequire } from "module";
+import { homedir as homedir2 } from "os";
 import { resolve as resolve5 } from "path";
 var tryImport = async (mod, workingDir) => {
   try {
@@ -559,10 +606,15 @@ var MIME_EXT_MAP = {
   "audio/wav": ".wav"
 };
 var mimeToExt = (mediaType) => MIME_EXT_MAP[mediaType] ?? `.${mediaType.split("/").pop() ?? "bin"}`;
+var isServerlessEnv = () => {
+  const cwd = process.cwd();
+  const home = homedir2();
+  return process.env.VERCEL === "1" || process.env.VERCEL_ENV !== void 0 || process.env.VERCEL_URL !== void 0 || process.env.AWS_LAMBDA_FUNCTION_NAME !== void 0 || process.env.AWS_EXECUTION_ENV?.includes("AWS_Lambda") === true || process.env.LAMBDA_TASK_ROOT !== void 0 || process.env.NOW_REGION !== void 0 || cwd.startsWith("/var/task") || home.startsWith("/var/task") || process.env.SERVERLESS === "1";
+};
 var LocalUploadStore = class {
   uploadsDir;
   constructor(workingDir) {
-    this.uploadsDir = resolve5(workingDir, ".poncho", "uploads");
+    this.uploadsDir = isServerlessEnv() ? "/tmp/.poncho/uploads" : resolve5(workingDir, ".poncho", "uploads");
   }
   async put(_key, data, mediaType) {
     const key = deriveUploadKey(data, mediaType);
@@ -577,7 +629,7 @@ var LocalUploadStore = class {
   }
   async delete(urlOrKey) {
     const key = urlOrKey.startsWith(PONCHO_UPLOAD_SCHEME) ? urlOrKey.slice(PONCHO_UPLOAD_SCHEME.length) : urlOrKey;
-    await rm(resolve5(this.uploadsDir, key), { force: true });
+    await rm2(resolve5(this.uploadsDir, key), { force: true });
   }
 };
 var VercelBlobUploadStore = class {
@@ -2908,6 +2960,7 @@ The agent will respond in Slack threads when @mentioned. Each Slack thread maps
    RESEND_API_KEY=re_...
    RESEND_WEBHOOK_SECRET=whsec_...
    RESEND_FROM=Agent <agent@yourdomain.com>
+   RESEND_REPLY_TO=support@yourdomain.com   # optional
    \`\`\`
 5. Add to \`poncho.config.js\`:
    \`\`\`javascript
@@ -3080,7 +3133,7 @@ var AgentHarness = class {
   isToolEnabled(name) {
     const access3 = this.resolveToolAccess(name);
     if (access3 === false) return false;
-    if (name === "write_file") {
+    if (name === "write_file" || name === "delete_file" || name === "delete_directory") {
       return this.shouldEnableWriteTool();
     }
     return true;
@@ -3123,6 +3176,12 @@ var AgentHarness = class {
     if (this.isToolEnabled("write_file")) {
       this.registerIfMissing(createWriteTool(this.workingDir));
     }
+    if (this.isToolEnabled("delete_file")) {
+      this.registerIfMissing(createDeleteTool(this.workingDir));
+    }
+    if (this.isToolEnabled("delete_directory")) {
+      this.registerIfMissing(createDeleteDirectoryTool(this.workingDir));
+    }
   }
   shouldEnableWriteTool() {
     const override = process.env.PONCHO_FS_WRITE?.toLowerCase();
@@ -4242,6 +4301,7 @@ ${textContent}` };
         const toolResultsForModel = [];
         const richToolResults = [];
         const approvedCalls = [];
+        const approvalNeeded = [];
         for (const call of toolCalls) {
           if (isCancelled()) {
             yield emitCancellation();
@@ -4249,52 +4309,60 @@ ${textContent}` };
           }
           const runtimeToolName = exposedToolNames.get(call.name) ?? call.name;
           yield pushEvent({ type: "tool:started", tool: runtimeToolName, input: call.input });
-          const requiresApproval = this.requiresApprovalForToolCall(
-            runtimeToolName,
-            call.input
-          );
-          if (requiresApproval) {
-            const approvalId = `approval_${randomUUID3()}`;
-            yield pushEvent({
-              type: "tool:approval:required",
-              tool: runtimeToolName,
-              input: call.input,
-              approvalId
+          if (this.requiresApprovalForToolCall(runtimeToolName, call.input)) {
+            approvalNeeded.push({
+              approvalId: `approval_${randomUUID3()}`,
+              id: call.id,
+              name: runtimeToolName,
+              input: call.input
             });
-            const assistantContent2 = JSON.stringify({
-              text: fullText,
-              tool_calls: toolCalls.map((tc) => ({
-                id: tc.id,
-                name: exposedToolNames.get(tc.name) ?? tc.name,
-                input: tc.input
-              }))
+          } else {
+            approvedCalls.push({
+              id: call.id,
+              name: runtimeToolName,
+              input: call.input
             });
-            const assistantMsg = {
-              role: "assistant",
-              content: assistantContent2,
-              metadata: { timestamp: now(), id: randomUUID3(), step }
-            };
-            const deltaMessages = [...messages.slice(inputMessageCount), assistantMsg];
+          }
+        }
+        if (approvalNeeded.length > 0) {
+          for (const an of approvalNeeded) {
             yield pushEvent({
-              type: "tool:approval:checkpoint",
-              approvalId,
-              tool: runtimeToolName,
-              toolCallId: call.id,
-              input: call.input,
-              checkpointMessages: deltaMessages,
-              pendingToolCalls: toolCalls.map((tc) => ({
-                id: tc.id,
-                name: exposedToolNames.get(tc.name) ?? tc.name,
-                input: tc.input
-              }))
+              type: "tool:approval:required",
+              tool: an.name,
+              input: an.input,
+              approvalId: an.approvalId
             });
-            return;
           }
-          approvedCalls.push({
-            id: call.id,
-            name: runtimeToolName,
-            input: call.input
+          const assistantContent2 = JSON.stringify({
+            text: fullText,
+            tool_calls: toolCalls.map((tc) => ({
+              id: tc.id,
+              name: exposedToolNames.get(tc.name) ?? tc.name,
+              input: tc.input
+            }))
+          });
+          const assistantMsg = {
+            role: "assistant",
+            content: assistantContent2,
+            metadata: { timestamp: now(), id: randomUUID3(), step }
+          };
+          const deltaMessages = [...messages.slice(inputMessageCount), assistantMsg];
+          yield pushEvent({
+            type: "tool:approval:checkpoint",
+            approvals: approvalNeeded.map((an) => ({
+              approvalId: an.approvalId,
+              tool: an.name,
+              toolCallId: an.id,
+              input: an.input
+            })),
+            checkpointMessages: deltaMessages,
+            pendingToolCalls: toolCalls.map((tc) => ({
+              id: tc.id,
+              name: exposedToolNames.get(tc.name) ?? tc.name,
+              input: tc.input
+            }))
           });
+          return;
         }
         const batchStart = now();
         if (isCancelled()) {
@@ -4588,7 +4656,7 @@ var LatitudeCapture = class {
 
 // src/state.ts
 import { randomUUID as randomUUID4 } from "crypto";
-import { mkdir as mkdir4, readFile as readFile7, readdir as readdir4, rename as rename2, rm as rm2, writeFile as writeFile5 } from "fs/promises";
+import { mkdir as mkdir4, readFile as readFile7, readdir as readdir4, rename as rename2, rm as rm3, writeFile as writeFile5 } from "fs/promises";
 import { dirname as dirname4, resolve as resolve9 } from "path";
 var DEFAULT_OWNER = "local-owner";
 var LOCAL_STATE_FILE = "state.json";
@@ -4963,7 +5031,7 @@ var FileConversationStore = class {
     if (removed) {
       this.writing = this.writing.then(async () => {
         if (existing) {
-          await rm2(resolve9(conversationsDir, existing.fileName), { force: true });
+          await rm3(resolve9(conversationsDir, existing.fileName), { force: true });
         }
         await this.writeIndex();
       });
@@ -5711,6 +5779,8 @@ export {
   buildSkillContextWindow,
   createConversationStore,
   createDefaultTools,
+  createDeleteDirectoryTool,
+  createDeleteTool,
   createMemoryStore,
   createMemoryTools,
   createModelProvider,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@poncho-ai/harness",
-  "version": "0.18.0",
+  "version": "0.19.1",
   "description": "Agent execution runtime - conversation loop, tool dispatch, streaming",
   "repository": {
     "type": "git",
@@ -31,7 +31,7 @@
     "redis": "^5.10.0",
     "yaml": "^2.4.0",
     "zod": "^3.22.0",
-    "@poncho-ai/sdk": "1.3.0"
+    "@poncho-ai/sdk": "1.4.0"
   },
   "devDependencies": {
     "@types/mustache": "^4.2.6",

package/src/config.ts

@@ -39,6 +39,8 @@ export type BuiltInToolToggles = {
   list_directory?: boolean;
   read_file?: boolean;
   write_file?: boolean;
+  delete_file?: boolean;
+  delete_directory?: boolean;
 };
 
 export interface MessagingChannelConfig {
@@ -50,6 +52,7 @@ export interface MessagingChannelConfig {
   apiKeyEnv?: string;
   webhookSecretEnv?: string;
   fromEnv?: string;
+  replyToEnv?: string;
   allowedSenders?: string[];
   mode?: "auto-reply" | "tool";
   allowedRecipients?: string[];

package/src/default-tools.ts

@@ -1,4 +1,4 @@
-import { mkdir, readdir, readFile, writeFile } from "node:fs/promises";
+import { mkdir, readdir, readFile, rm, unlink, writeFile } from "node:fs/promises";
 import { dirname, resolve, sep } from "node:path";
 import { defineTool, type ToolDefinition } from "@poncho-ai/sdk";
 
@@ -87,3 +87,53 @@ export const createWriteTool = (workingDir: string): ToolDefinition =>
       return { path, written: true };
     },
   });
+
+export const createDeleteTool = (workingDir: string): ToolDefinition =>
+  defineTool({
+    name: "delete_file",
+    description: "Delete a file at a path inside the working directory",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: {
+          type: "string",
+          description: "File path relative to working directory",
+        },
+      },
+      required: ["path"],
+      additionalProperties: false,
+    },
+    handler: async (input) => {
+      const path = typeof input.path === "string" ? input.path : "";
+      const resolved = resolveSafePath(workingDir, path);
+      await unlink(resolved);
+      return { path, deleted: true };
+    },
+  });
+
+export const createDeleteDirectoryTool = (workingDir: string): ToolDefinition =>
+  defineTool({
+    name: "delete_directory",
+    description: "Recursively delete a directory and all its contents inside the working directory",
+    inputSchema: {
+      type: "object",
+      properties: {
+        path: {
+          type: "string",
+          description: "Directory path relative to working directory",
+        },
+      },
+      required: ["path"],
+      additionalProperties: false,
+    },
+    handler: async (input) => {
+      const path = typeof input.path === "string" ? input.path : "";
+      if (!path) throw new Error("Path must not be empty.");
+      const resolved = resolveSafePath(workingDir, path);
+      if (resolved === resolve(workingDir)) {
+        throw new Error("Cannot delete the working directory root.");
+      }
+      await rm(resolved, { recursive: true });
+      return { path, deleted: true };
+    },
+  });

package/src/harness.ts

@@ -15,7 +15,7 @@ import type { UploadStore } from "./upload-store.js";
 import { PONCHO_UPLOAD_SCHEME, deriveUploadKey } from "./upload-store.js";
 import { parseAgentFile, renderAgentPrompt, type ParsedAgent, type AgentFrontmatter } from "./agent-parser.js";
 import { loadPonchoConfig, resolveMemoryConfig, type PonchoConfig, type ToolAccess, type BuiltInToolToggles } from "./config.js";
-import { createDefaultTools, createWriteTool } from "./default-tools.js";
+import { createDefaultTools, createDeleteDirectoryTool, createDeleteTool, createWriteTool } from "./default-tools.js";
 import {
   createMemoryStore,
   createMemoryTools,
@@ -324,6 +324,7 @@ The agent will respond in Slack threads when @mentioned. Each Slack thread maps
    RESEND_API_KEY=re_...
    RESEND_WEBHOOK_SECRET=whsec_...
    RESEND_FROM=Agent <agent@yourdomain.com>
+   RESEND_REPLY_TO=support@yourdomain.com   # optional
    \`\`\`
 5. Add to \`poncho.config.js\`:
    \`\`\`javascript
@@ -526,7 +527,7 @@ export class AgentHarness {
   private isToolEnabled(name: string): boolean {
     const access = this.resolveToolAccess(name);
     if (access === false) return false;
-    if (name === "write_file") {
+    if (name === "write_file" || name === "delete_file" || name === "delete_directory") {
       return this.shouldEnableWriteTool();
     }
     return true;
@@ -574,6 +575,12 @@ export class AgentHarness {
     if (this.isToolEnabled("write_file")) {
       this.registerIfMissing(createWriteTool(this.workingDir));
     }
+    if (this.isToolEnabled("delete_file")) {
+      this.registerIfMissing(createDeleteTool(this.workingDir));
+    }
+    if (this.isToolEnabled("delete_directory")) {
+      this.registerIfMissing(createDeleteDirectoryTool(this.workingDir));
+    }
   }
 
   private shouldEnableWriteTool(): boolean {
@@ -1906,7 +1913,14 @@ ${boundedMainMemory.trim()}`
         name: string;
         input: Record<string, unknown>;
       }> = [];
+      const approvalNeeded: Array<{
+        approvalId: string;
+        id: string;
+        name: string;
+        input: Record<string, unknown>;
+      }> = [];
 
+      // Phase 1: classify all tool calls
       for (const call of toolCalls) {
         if (isCancelled()) {
           yield emitCancellation();
@@ -1914,54 +1928,66 @@ ${boundedMainMemory.trim()}`
         }
         const runtimeToolName = exposedToolNames.get(call.name) ?? call.name;
         yield pushEvent({ type: "tool:started", tool: runtimeToolName, input: call.input });
-        const requiresApproval = this.requiresApprovalForToolCall(
-          runtimeToolName,
-          call.input,
-        );
-        if (requiresApproval) {
-          const approvalId = `approval_${randomUUID()}`;
-          yield pushEvent({
-            type: "tool:approval:required",
-            tool: runtimeToolName,
+        if (this.requiresApprovalForToolCall(runtimeToolName, call.input)) {
+          approvalNeeded.push({
+            approvalId: `approval_${randomUUID()}`,
+            id: call.id,
+            name: runtimeToolName,
             input: call.input,
-            approvalId,
           });
-
-          const assistantContent = JSON.stringify({
-            text: fullText,
-            tool_calls: toolCalls.map(tc => ({
-              id: tc.id,
-              name: exposedToolNames.get(tc.name) ?? tc.name,
-              input: tc.input,
-            })),
+        } else {
+          approvedCalls.push({
+            id: call.id,
+            name: runtimeToolName,
+            input: call.input,
           });
-          const assistantMsg: Message = {
-            role: "assistant",
-            content: assistantContent,
-            metadata: { timestamp: now(), id: randomUUID(), step },
-          };
-          const deltaMessages = [...messages.slice(inputMessageCount), assistantMsg];
+        }
+      }
+
+      // Phase 2a: if any tools need approval, emit events for ALL of them and checkpoint
+      if (approvalNeeded.length > 0) {
+        for (const an of approvalNeeded) {
           yield pushEvent({
-            type: "tool:approval:checkpoint",
-            approvalId,
-            tool: runtimeToolName,
-            toolCallId: call.id,
-            input: call.input,
-            checkpointMessages: deltaMessages,
-            pendingToolCalls: toolCalls.map(tc => ({
-              id: tc.id,
-              name: exposedToolNames.get(tc.name) ?? tc.name,
-              input: tc.input,
-            })),
+            type: "tool:approval:required",
+            tool: an.name,
+            input: an.input,
+            approvalId: an.approvalId,
           });
-          return;
         }
-        approvedCalls.push({
-          id: call.id,
-          name: runtimeToolName,
-          input: call.input,
+
+        const assistantContent = JSON.stringify({
+          text: fullText,
+          tool_calls: toolCalls.map(tc => ({
+            id: tc.id,
+            name: exposedToolNames.get(tc.name) ?? tc.name,
+            input: tc.input,
+          })),
+        });
+        const assistantMsg: Message = {
+          role: "assistant",
+          content: assistantContent,
+          metadata: { timestamp: now(), id: randomUUID(), step },
+        };
+        const deltaMessages = [...messages.slice(inputMessageCount), assistantMsg];
+        yield pushEvent({
+          type: "tool:approval:checkpoint",
+          approvals: approvalNeeded.map(an => ({
+            approvalId: an.approvalId,
+            tool: an.name,
+            toolCallId: an.id,
+            input: an.input,
+          })),
+          checkpointMessages: deltaMessages,
+          pendingToolCalls: toolCalls.map(tc => ({
+            id: tc.id,
+            name: exposedToolNames.get(tc.name) ?? tc.name,
+            input: tc.input,
+          })),
         });
+        return;
       }
+
+      // Phase 2b: no approvals needed — execute all auto-approved calls
       const batchStart = now();
       if (isCancelled()) {
         yield emitCancellation();

package/src/state.ts

@@ -35,6 +35,7 @@ export interface Conversation {
     checkpointMessages?: Message[];
     baseMessageCount?: number;
     pendingToolCalls?: Array<{ id: string; name: string; input: Record<string, unknown> }>;
+    decision?: "approved" | "denied";
   }>;
   ownerId: string;
   tenantId: string | null;

package/src/upload-store.ts

@@ -1,6 +1,7 @@
 import { createHash } from "node:crypto";
 import { mkdir, readFile, writeFile, rm } from "node:fs/promises";
 import { createRequire } from "node:module";
+import { homedir } from "node:os";
 import { resolve } from "node:path";
 import type { UploadsConfig } from "./config.js";
 
@@ -127,11 +128,30 @@ const mimeToExt = (mediaType: string): string =>
 // Local filesystem implementation
 // ---------------------------------------------------------------------------
 
+const isServerlessEnv = (): boolean => {
+  const cwd = process.cwd();
+  const home = homedir();
+  return (
+    process.env.VERCEL === "1" ||
+    process.env.VERCEL_ENV !== undefined ||
+    process.env.VERCEL_URL !== undefined ||
+    process.env.AWS_LAMBDA_FUNCTION_NAME !== undefined ||
+    process.env.AWS_EXECUTION_ENV?.includes("AWS_Lambda") === true ||
+    process.env.LAMBDA_TASK_ROOT !== undefined ||
+    process.env.NOW_REGION !== undefined ||
+    cwd.startsWith("/var/task") ||
+    home.startsWith("/var/task") ||
+    process.env.SERVERLESS === "1"
+  );
+};
+
 export class LocalUploadStore implements UploadStore {
   private readonly uploadsDir: string;
 
   constructor(workingDir: string) {
-    this.uploadsDir = resolve(workingDir, ".poncho", "uploads");
+    this.uploadsDir = isServerlessEnv()
+      ? "/tmp/.poncho/uploads"
+      : resolve(workingDir, ".poncho", "uploads");
   }
 
   async put(_key: string, data: Buffer, mediaType: string): Promise<string> {