@superblocksteam/vite-plugin-file-sync 2.0.129 → 2.0.130-next.1

package/dist/ai-service/index.js

@@ -3,17 +3,20 @@ import os from "node:os";
 import path from "node:path";
 import { generateObject, hasToolCall, stepCountIs, streamText as aiStreamText, } from "ai";
 import { z } from "zod";
-import { AiMode, resolveAttachmentFileName, } from "@superblocksteam/library-shared/types";
-import { addTracingToMethods, classifyAttachmentDelivery, FactAccessType, FactCreatedSource, FactEntityScope, TracedEventEmitter, } from "@superblocksteam/shared";
+import { AiGenerationState, AiMode, resolveAttachmentFileName, } from "@superblocksteam/library-shared/types";
+import { addTracingToMethods, classifyAttachmentDelivery, FactAccessType, FactCreatedSource, FactEntityScope, TracedEventEmitter, getAiQuotaPaywallReasonFromMessage, } from "@superblocksteam/shared";
+import { npmRegistryEmitter } from "@superblocksteam/telemetry";
 import { buildTranslationPrompt } from "../migration/translation-prompt.js";
+import { POLICY_GATE_RUN_IN_PROGRESS_ERROR, policyGateRunRegistry, } from "../policy-gate-run-registry.js";
 import { getErrorMeta, getLogger, setDefaultLogger } from "../util/logger.js";
 import { composeSecurityAgentPrompt, } from "./agent/prompts/build-security-scan-prompt.js";
 import { getToolCallArguments, getToolErrorCode, getToolOutput, } from "./agent/tool-message-utils.js";
-import { buildSecurityScanTools, } from "./agent/tools.js";
+import { buildSecurityScanTools, isBackgroundTaskFrameworkEnabled, } from "./agent/tools.js";
 import { hasPendingEscalations, flushPendingEscalations, } from "./agent/tools/apis/api-validation-orchestrator.js";
 import { safeSampleJson } from "./agent/tools/apis/sample-json.js";
 import { resolveSdkApiEntryPoint } from "./agent/tools/apis/sdk-registry.js";
 import { readFile } from "./agent/tools/build-read-file.js";
+import { createDevDatabaseTaskTypes, wireDevDatabaseIntegrationPriming, } from "./agent/tools/databases/dev-database-tasks.js";
 import { debugCache } from "./agent/tools/debug-cache.js";
 import { buildReadFileToolFactory } from "./agent/tools/index.js";
 import { securityScanResultSchema, } from "./agent/tools/report-security-findings.js";
@@ -33,6 +36,8 @@ import { API_MIGRATION_ORIGINS, readPersistedChecklist, updateChecklistItem, } f
 import { downloadContextFromBucketeer, downloadLatestContextFromBucketeer, restoreContextFromCheckpoint, } from "./context-download.js";
 import { uploadContextToBucketeer } from "./context-upload.js";
 import { AppContextStore } from "./context/app-context.js";
+import { createDevDatabaseHttpTransport, DevDatabaseClient, } from "./dev-database-client.js";
+import { buildEnsureDevDatabaseFilesSynced, } from "./dev-database-file-sync.js";
 import { filterDisabledToolsForMigration } from "./filter-disabled-tools-for-migration.js";
 import { IntegrationStore } from "./integrations/store.js";
 import { JudgeService } from "./judge/judge-service.js";
@@ -49,11 +54,15 @@ import { traceLLM } from "./llmobs/helpers.js";
 import { getJwtTraceTags } from "./llmobs/helpers.js";
 import llmobs from "./llmobs/index.js";
 import { PlaywrightMcpServerManager } from "./mcp/playwright-server.js";
+import { policyGateStreamPartToAgentStep } from "./policy-gate-step.js";
 import { ClarkProfiler } from "./profiler/clark-profiler.js";
 import { explainEventHandlerCodePrompt } from "./prompts/explain-code.js";
 import { buildSummarizeApiUsagePrompt } from "./prompts/summarize-api-usage.js";
+import { checkAiQuota } from "./quota-client.js";
 import { RecordingManager, createRecordingFetch } from "./recording/index.js";
 import { RequestDeduplicator } from "./request-deduplicator.js";
+import { scanContentForSecrets } from "./security/secret-scanner-service.js";
+import { SecretRedactor } from "./security/secret-scanner.js";
 import { ClarkStateNames, Clark, SERVICE_STARTED_WITH_DRAFT, USER_ACCEPTED_DRAFT, USER_REJECTED_DRAFT, USER_SENT_PROMPT, USER_CANCELED, AGENT_CANCELED, } from "./state-machine/clark-fsm.js";
 import { doAgentPlanning } from "./state-machine/handlers/agent-planning.js";
 import { doAwaitingUser } from "./state-machine/handlers/awaiting-user.js";
@@ -64,13 +73,14 @@ import { doPostProcessing } from "./state-machine/handlers/post-processing.js";
 import { doRuntimeReviewing } from "./state-machine/handlers/runtime-reviewing.js";
 import { classificationHelper } from "./state-machine/helpers/classification.js";
 import { getContextId } from "./state-machine/helpers/context-id.js";
+import { sendUserGenerationStateChannel } from "./state-machine/helpers/peer.js";
 import { sendUserMessageChannel, clearPendingToolPermissionRequest, } from "./state-machine/helpers/peer.js";
 import { StablePeer } from "./state-machine/helpers/stable-peer.js";
 import { transitionFrom } from "./state-machine/helpers/transition.js";
+import { isTaskAccessibleTo, registerBackgroundTaskTypes, resyncActiveTaskStatusesToPeer, TaskStore, wireTaskStatusPushToPeer, } from "./tasks/index.js";
 import { TemplateRenderer } from "./template-renderer.js";
 import { createJsonStreamParser } from "./util/json-stream-parser.js";
 import { processLLMConfig } from "./util/llm-config-utils.js";
-import { buildModeMessage } from "./util/mode-message.js";
 import { parseJwt } from "./util/parse-jwt.js";
 import { getToolCallSignature } from "./util/tool-signature.js";
 export { AiServiceFeatureFlags } from "./features.js";
@@ -292,6 +302,14 @@ const mergePlanContexts = (existing, incoming) => {
         enableTesting: incoming?.enableTesting ?? existing?.enableTesting,
     };
 };
+const APP_CLARK_GENERATION_METADATA = {
+    origin: "app_clark_generation",
+    surface: "app",
+};
+const POLICY_GATE_USAGE_METADATA = {
+    origin: "policy_gate",
+    surface: "policy_gate",
+};
 export class AiService extends TracedEventEmitter {
     config;
     templateRenderer;
@@ -312,6 +330,19 @@ export class AiService extends TracedEventEmitter {
     requestDeduplicator = new RequestDeduplicator();
     entityPermissionStore = new SessionEntityPermissionStore();
     _onGenerationCompleteCallback;
+    /** JWT-derived userId of the currently-authenticated peer, set by
+     * `notifyAuthenticatedRpc` and cleared on disconnect / peer swap.
+     * Only trusted while `authenticatedPeerId` still matches the bound
+     * `stablePeer.peerId` (see `getAuthenticatedPeerUserId`). Used by
+     * `wireTaskStatusPushToPeer` to owner-filter live status pushes. */
+    authenticatedPeerUserId;
+    /** The `peerId` that `authenticatedPeerUserId` was authenticated for.
+     * `handleUserConnected` can bind a replacement peer before the
+     * previous peer's disconnect is processed; keying the identity to its
+     * peerId means a live push in that window is gated against `undefined`
+     * (suppressed) instead of the previous user, closing the cross-user
+     * leak from PR #19718 Comment 59. */
+    authenticatedPeerId;
     tokenManagerJwt;
     /**
      * Listener body for `tokenManager.on("tokenUpdated", ...)`. Defined as a
@@ -355,6 +386,7 @@ export class AiService extends TracedEventEmitter {
     _runtimeGitOperationLock;
     _onGitOperationComplete;
     _syncContextProvider;
+    taskStore;
     get appContext() {
         return this._appContext;
     }
@@ -506,21 +538,21 @@ export class AiService extends TracedEventEmitter {
             useSuperblocksAuthorizationHeader: config.providerSettings?.useSuperblocksAuthorizationHeader,
         };
         // Seed `tokenManagerJwt` synchronously from the manager's current
-        // value before any consumer that calls `getJwt()` is constructed. The
+        // value before the npm-registry client calls `getNpmRegistryJwt()`. The
         // `tokenUpdated` listener below covers FUTURE refreshes; this read
         // covers the cold-start case where the CLI (or any earlier code) has
         // already called `tokenManager.updateToken(...)` before this AiService
         // was constructed. Without it, the prior emission is lost — Node
         // `EventEmitter` has no replay — and `NpmRegistryClient.getJwt()`
-        // would time out via `waitForJwt(...)`, downgrading `syncHomeNpmrc`
+        // would time out via `waitForNpmRegistryJwt(...)`, downgrading `syncHomeNpmrc`
         // to `unreachable` and leaving `~/.npmrc` unwritten on cold boot.
         this.tokenManagerJwt = this.config.tokenManager?.getCurrentToken();
         // Resolve the npm registry client once and reuse across TemplateRenderer
         // and AppShell so both install paths share the same in-memory cache and
         // 401-refresh state. Explicit injection wins (tests); otherwise we
         // construct a default that reads the LD flag from `config.features` and
-        // routes JWT through the AiService's own `getJwt()` (which prefers the
-        // tokenManager token and falls back to clark.context.jwt). Empty
+        // routes JWT through the AiService's npm-registry JWT source (which
+        // prefers the tokenManager token and falls back to clark.context.jwt). Empty
         // tokens are refused upstream of `attempt()` so the server doesn't
         // see `Bearer ` and reply 400 (which the client would now treat as a
         // hard fail rather than a transient outage).
@@ -541,7 +573,7 @@ export class AiService extends TracedEventEmitter {
                 // `tokenUpdated` event rather than throwing immediately, so the
                 // first install in the shared template dir actually gets a
                 // `.npmrc` instead of silently downgrading to "not configured".
-                getJwt: () => this.waitForJwt(NPM_REGISTRY_JWT_WAIT_MS),
+                getJwt: () => this.waitForNpmRegistryJwt(NPM_REGISTRY_JWT_WAIT_MS),
                 // Push-based refresh hook: on 401, wait briefly for the next
                 // `tokenUpdated` event before re-reading the JWT. Without this,
                 // a 401 retry fires immediately with the same expired token and
@@ -556,6 +588,12 @@ export class AiService extends TracedEventEmitter {
                 }),
             });
         this.npmRegistryClient = npmRegistryClient;
+        // Kill-switch gauge (APPS-4378): `superblocks.npm.killswitch.enabled` reads
+        // `1` when the npm-registry feature is suppressed (LD flag off), `0`
+        // otherwise — one series per process. Registered here, the single place
+        // that owns the flag value, so on-call can answer "did anyone hit the
+        // kill-switch in the last 24h?" without reading logs.
+        npmRegistryEmitter.setKillswitch(() => config.features.npmRegistryEnabled !== true);
         // One process-lifetime `NpmPackageLookup` shared across every
         // `buildTools()` call. The `build_lookupNpmPackage` tool factory used
         // to construct a fresh instance per LLM turn; each construction
@@ -569,7 +607,11 @@ export class AiService extends TracedEventEmitter {
         // `npmRegistryClient` / `templateRenderer` / `appShell` — means the
         // gauge wires up exactly once and the 60s TTL cache stays warm across
         // turns instead of being thrown away.
-        this.npmPackageLookup = new NpmPackageLookup({ client: npmRegistryClient });
+        this.npmPackageLookup = new NpmPackageLookup({
+            client: npmRegistryClient,
+            // org_id rides on the `npm_registry.lookup_package` span only.
+            orgId: config.organizationId,
+        });
         this.templateRenderer =
             config.templateRenderer ??
                 new TemplateRenderer({
@@ -589,6 +631,24 @@ export class AiService extends TracedEventEmitter {
             draftInterface: config.draftInterface,
             templateRenderer: this.templateRenderer,
             npmRegistryClient,
+            // APPS-4191 / P6.3: ship blocked-install audit events to the server over
+            // the authenticated socket. Fire-and-forget — the server derives org,
+            // actor, AND app attribution from the authenticated connection
+            // (`ctx.jwtClaims.app_id` on the scoped JWT this socket carries), then
+            // throttles, sanitizes, and persists. A transport failure must never
+            // surface to (or break) the install. We intentionally do NOT spread the
+            // local `applicationId` into the payload — that would be client-
+            // controlled and forgeable by any authenticated socket caller.
+            reportNpmInstallBlocked: (report) => {
+                void this.config.rpcClient
+                    .call(async (client) => {
+                    const rpcClient = client;
+                    return await rpcClient.call.v1.audit.npmInstallBlocked(report);
+                })
+                    .catch((error) => {
+                    this.getLogger().debug("[ai-service] Failed to report npm-install-blocked audit event", getErrorMeta(error));
+                });
+            },
             virtualFileSystem: createDefaultVirtualFileSystem({
                 useSystemSkills: config.features.useSystemSkills,
                 knowledgeManager: this.knowledgeManager,
@@ -616,6 +676,68 @@ export class AiService extends TracedEventEmitter {
         });
         this.fileSystemInterface = new FileSystemInterface();
         this.integrationStore = new IntegrationStore(undefined, config.appRootDirPath, config.features.metadataCacheMaxTotalSizeMB, config.features.metadataCacheMaxSingleFileSizeMB, config.pluginExecutionVersions, config.superblocksBaseUrl, config.applicationId, () => this.clark?.context?.jwt);
+        // Background-task framework: per-session TaskStore + registered task
+        // types. Gated by `isBackgroundTaskFrameworkEnabled` — the same
+        // `managedNativeDbEnabled` rollout check that `agent/tools.ts`
+        // consults. When the gate is off, `taskStore` stays undefined and
+        // `agent/tools.ts` skips registering the start*/check*/wait*/cancel*/list*
+        // tools (those have an `&& services.taskStore` guard, plus the same
+        // flag check).
+        if (isBackgroundTaskFrameworkEnabled(config.features)) {
+            this.taskStore = new TaskStore();
+            // Heterogeneous list of task types funneled into
+            // `registerBackgroundTaskTypes` (which itself takes ReadonlyArray<TaskType<any, any, any>>),
+            // hence the `any` widening: `TaskType` is contravariant in `Input`.
+            const taskTypes = [];
+            {
+                // Dev-database lifecycle is unconditionally wired as a pair of
+                // background tasks (provision + applyMigrations) — the legacy
+                // blocking triplet (createDevDb / applyMigrations /
+                // getDevDbProgress) was removed in favor of this path. Gated only
+                // by the framework flag above.
+                const devDbTypes = createDevDatabaseTaskTypes({
+                    applicationId: config.applicationId,
+                    // The working-state SQL files in the user's local repo —
+                    // including drafts the LLM just wrote this turn — must be
+                    // flushed to the server before the lifecycle worker reads
+                    // them, otherwise migrations apply against stale content and
+                    // the new migration silently succeeds against an unchanged
+                    // schema. Matches master's `applyMigrationsToolFactory`
+                    // registration, which threaded `syncCurrentDirectoryWithDraftsNow`
+                    // — NOT the autosync drain `uploadDirectoryNowIfNeeded`.
+                    // `_runtimeSyncService` is injected by `setRuntimeGitServices`
+                    // AFTER this constructor runs, so the helper resolves it
+                    // lazily at task-start time.
+                    ensureFilesSynced: buildEnsureDevDatabaseFilesSynced(() => this._runtimeSyncService),
+                    getClient: () => {
+                        const jwt = this.clark?.context?.jwt;
+                        if (!jwt) {
+                            throw new Error("[devDatabase] cannot start background task: no JWT available on Clark context");
+                        }
+                        return new DevDatabaseClient({
+                            transport: createDevDatabaseHttpTransport({
+                                jwt,
+                                superblocksBaseUrl: config.superblocksBaseUrl,
+                            }),
+                        });
+                    },
+                });
+                taskTypes.push(devDbTypes.provisionDevDatabaseTaskType, devDbTypes.applyDevDatabaseMigrationsTaskType);
+                wireDevDatabaseIntegrationPriming(this.taskStore, this.integrationStore);
+            }
+            registerBackgroundTaskTypes(this.taskStore, taskTypes);
+            // Push every status transition (including the initial in-store
+            // snapshot after `start`) to the editor for the bottom-of-chat
+            // indicator. StablePeer handles disconnect buffering so the helper
+            // itself doesn't retry. The unsubscribe fn is intentionally not
+            // captured — the TaskStore is per-AiService and disposed alongside
+            // it, which clears all listeners.
+            wireTaskStatusPushToPeer(this.taskStore, {
+                getPeer: () => this.stablePeer,
+                getCallerUserId: () => this.getAuthenticatedPeerUserId(),
+                logger: this.getLogger(),
+            });
+        }
         this._appContext = new AppContextStore(this.fileSystemInterface);
         this.sessionId = `session_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
         this.chatSessionStore = new ChatSessionStore({
@@ -653,7 +775,7 @@ export class AiService extends TracedEventEmitter {
             unifiedProviderEnabled: config.features.unifiedProviderEnabled ?? false,
             organizationId: config.organizationId,
             applicationId: config.applicationId,
-            getJwt: () => this.getJwt(),
+            getJwt: () => this.requireInferenceJwt(),
             onUsageRecorded: (usage) => {
                 // Accumulate workflow-level metrics
                 this.clark.updateContext((context) => {
@@ -845,15 +967,7 @@ export class AiService extends TracedEventEmitter {
                     integrationStore: this.integrationStore,
                     knowledgeManager: this.knowledgeManager,
                     appContextStore: this.appContext,
-                    llmProvider: createLLMProvider(this.getLLMProviderSettings(clark.context.llmConfig), () => this.getJwt(), clark.context.llmConfig, () => ({
-                        prompt_id: clark.context.promptId,
-                        chatmessage_id: clark.context.chatmessageId,
-                        application_id: this.config.applicationId,
-                        session_id: this.sessionId,
-                        // Note: retry_count for LLM retries is added by orchestrator via providerOptions
-                        mode: clark.context.currentMode === AiMode.PLAN ? "plan" : "build",
-                        plan_size: clark.context.planSize,
-                    })),
+                    llmProvider: createLLMProvider(this.getLLMProviderSettings(clark.context.llmConfig), () => this.requireInferenceJwt(), clark.context.llmConfig, () => this.getLlmAiAttributes(clark)),
                     chatSessionStore: this.chatSessionStore,
                     clarkProfiler: this.clarkProfiler,
                     contextManagerV2: this.contextManagerV2,
@@ -867,6 +981,18 @@ export class AiService extends TracedEventEmitter {
                     syncService: this._runtimeSyncService,
                     gitOperationLock: this._runtimeGitOperationLock,
                     onGitOperationComplete: this._onGitOperationComplete,
+                    taskStore: this.taskStore,
+                    // Resolve `ownerUserId` from the *current* JWT at each call site
+                    // (kickoff / read / cancel). Reading lazily — instead of capturing
+                    // the JWT at handler construction — means the wired identity stays
+                    // correct across `updateClarkJwt` refreshes that happen mid-turn
+                    // when a user's token rotates. Tests pin this lazy contract.
+                    getCurrentOwnerId: () => {
+                        const jwt = clark.context.jwt;
+                        if (!jwt)
+                            return undefined;
+                        return parseJwt(jwt)?.userId;
+                    },
                 };
                 const clarkStateHandlers = Object.fromEntries(Object.entries(clarkStateHandlerFactories).map(([state, handlerFactory]) => [state, handlerFactory(clark, params)]));
                 const { from, to, event } = transition;
@@ -885,6 +1011,14 @@ export class AiService extends TracedEventEmitter {
                     // Trigger callback when Clark enters idle states (generation complete)
                     if (to === ClarkStateNames.Idle ||
                         to === ClarkStateNames.AwaitingUser) {
+                        // The turn is over: drop per-turn billing attribution so stray
+                        // LLM calls before the next prompt bill as default generation.
+                        if (clark.context.usageMetadata) {
+                            clark.updateContext((context) => ({
+                                ...context,
+                                usageMetadata: undefined,
+                            }));
+                        }
                         this.triggerGenerationComplete();
                     }
                 }
@@ -907,6 +1041,16 @@ export class AiService extends TracedEventEmitter {
             };
         };
     }
+    getInferenceJwt() {
+        return this.clark?.context?.jwt;
+    }
+    requireInferenceJwt() {
+        const jwt = this.getInferenceJwt();
+        if (!jwt) {
+            throw new Error("[ai-service] no Clark JWT available for AI inference");
+        }
+        return jwt;
+    }
     /**
      * Resolves the conversation context for a contextId that is not present
      * locally, by downloading it from Bucketeer. Wired into ContextManagerV2 as
@@ -925,7 +1069,7 @@ export class AiService extends TracedEventEmitter {
      * commitId — and GET by commit. The resolution is logged either way.
      */
     async remoteRestoreFallback(id) {
-        const jwt = this.getJwt();
+        const jwt = this.getInferenceJwt();
         const branchName = this._syncContextProvider?.getBranchName();
         if (!jwt || !branchName) {
             // A missing JWT is expected startup churn on a fresh pod (this runs
@@ -980,43 +1124,51 @@ export class AiService extends TracedEventEmitter {
             appRootDirPath: this.config.appRootDirPath,
         });
     }
-    getJwt() {
+    requireProvidedInferenceJwt(jwt, source) {
+        if (!jwt) {
+            throw new Error(`[ai-service] no JWT available for ${source} AI inference`);
+        }
+        return jwt;
+    }
+    getNpmRegistryJwt() {
         if (this.tokenManagerJwt) {
             return this.tokenManagerJwt;
         }
-        // fallback to clark context if no token manager is provided
+        // Fallback to Clark context if no token manager token is provided.
         return this.clark?.context?.jwt;
     }
     buildContextManagementForCurrentClark(llmConfig) {
-        const modeInstructions = this.clark.context.currentMode
-            ? `Preserve the following mode context in your summary: ${buildModeMessage(this.clark.context.currentMode, this.clark.context.planContext?.approved)}`
-            : undefined;
         return selectContextManagementStrategy({
             serverContextManagementEnabled: llmConfig?.serverContextManagement?.enabled,
-            modeInstructions,
             thresholds: llmConfig?.serverContextManagement,
-            summarizationModel: () => createLLMProvider(this.getLLMProviderSettings(llmConfig), () => this.getJwt(), llmConfig, () => ({
-                prompt_id: this.clark.context.promptId,
-                chatmessage_id: this.clark.context.chatmessageId,
-                application_id: this.config.applicationId,
-                session_id: this.sessionId,
-                mode: this.clark.context.currentMode === AiMode.PLAN ? "plan" : "build",
-                plan_size: this.clark.context.planSize,
-            })).modelForTask("summarizeMessages"),
+            summarizationModel: () => createLLMProvider(this.getLLMProviderSettings(llmConfig), () => this.getInferenceJwt(), llmConfig, () => this.getLlmAiAttributes(this.clark)).modelForTask("summarizeMessages"),
         });
     }
+    getLlmAiAttributes(clark) {
+        const usageMetadata = clark.context.usageMetadata ?? APP_CLARK_GENERATION_METADATA;
+        return {
+            prompt_id: clark.context.promptId,
+            chatmessage_id: clark.context.chatmessageId,
+            application_id: this.config.applicationId,
+            session_id: this.sessionId,
+            // Note: retry_count for LLM retries is added by orchestrator via providerOptions
+            mode: clark.context.currentMode === AiMode.PLAN ? "plan" : "build",
+            plan_size: clark.context.planSize,
+            metadata: usageMetadata,
+        };
+    }
     /**
      * Resolve a JWT for the npm-registry fetch, blocking briefly on the
      * first `tokenUpdated` event when no JWT is yet primed. The
      * `TemplateRenderer` prefetch fires during AiService construction —
      * before the `tokenManager` subscription has emitted — so a synchronous
-     * `getJwt()` would observe `undefined` and silently downgrade the
+     * `getNpmRegistryJwt()` would observe `undefined` and silently downgrade the
      * private-registry install to public npm. Blocking here is the
      * narrowest fix: callers that already have a primed JWT take the fast
      * path and never await.
      */
-    async waitForJwt(timeoutMs) {
-        const immediate = this.getJwt();
+    async waitForNpmRegistryJwt(timeoutMs) {
+        const immediate = this.getNpmRegistryJwt();
         if (immediate) {
             return immediate;
         }
@@ -1024,7 +1176,7 @@ export class AiService extends TracedEventEmitter {
             throw new Error("[npm-registry] no JWT available and no tokenManager wired to wait for one");
         }
         await this.waitForTokenUpdate(timeoutMs);
-        const after = this.getJwt();
+        const after = this.getNpmRegistryJwt();
         if (!after) {
             throw new Error("[npm-registry] no JWT available after waiting for tokenManager update");
         }
@@ -1038,7 +1190,7 @@ export class AiService extends TracedEventEmitter {
      *
      * Resolution only signals "a wait completed" — never that a JWT actually
      * changed. The constructor's `tokenUpdated` listener (above) is the only
-     * code that mutates `tokenManagerJwt`. Callers (`waitForJwt`, the
+     * code that mutates `tokenManagerJwt`. Callers (`waitForNpmRegistryJwt`, the
      * npm-registry `refreshJwt` adapter) must re-read the JWT after this
      * resolves and treat an unchanged value the same as a refresh that
      * never happened.
@@ -1071,20 +1223,6 @@ export class AiService extends TracedEventEmitter {
             });
         };
     }
-    async callServer({ jwt, path, }) {
-        const url = `${this.config.superblocksBaseUrl}/api/${path}`;
-        const response = await fetch(url, {
-            method: "GET",
-            headers: {
-                Authorization: `Bearer ${jwt}`,
-                "Content-Type": "application/json",
-            },
-        });
-        if (!response.ok) {
-            throw new Error(`Call to ${path} failed with status ${response.status}`);
-        }
-        return (await response.json());
-    }
     /**
      * Non-throwing AI quota check. Returns `{ allowed: true }` when the org is
      * within its limit, and also when the check itself can't run (no JWT, or the
@@ -1092,33 +1230,14 @@ export class AiService extends TracedEventEmitter {
      * blocks legitimate work. When the org is over limit, returns the reason and
      * a user-facing message instead of throwing, so callers that don't surface
      * exceptions (e.g. the background migration turn) can react.
+     * Logic lives in `quota-client.ts` (with the `quota.check` span).
      */
     async checkAiQuota(jwt) {
-        const token = jwt ?? this.getJwt();
-        if (!token) {
-            this.getLogger().warn("[ai-service] No JWT available for quota check, skipping");
-            return { allowed: true };
-        }
-        try {
-            const quota = await this.callServer({
-                jwt: token,
-                path: "v1/ai/quota",
-            });
-            if (!quota.allowed) {
-                const reason = quota.reason ?? "token_limit_exceeded";
-                const message = reason === "trial_expired"
-                    ? "Your AI trial period has ended."
-                    : reason === "no_seat_assigned"
-                        ? "You don't have an AI Builder license assigned. Ask your admin to assign a license."
-                        : "Your organization has reached its AI usage limit.";
-                return { allowed: false, reason, message };
-            }
-            return { allowed: true };
-        }
-        catch (error) {
-            this.getLogger().warn("[ai-service] Quota check failed, allowing request", getErrorMeta(error));
-            return { allowed: true };
-        }
+        return checkAiQuota({
+            superblocksBaseUrl: this.config.superblocksBaseUrl,
+            jwt: jwt ?? this.getInferenceJwt(),
+            logger: this.getLogger(),
+        });
     }
     async ensureAiQuotaAvailable(jwt) {
         const quota = await this.checkAiQuota(jwt);
@@ -1200,9 +1319,20 @@ export class AiService extends TracedEventEmitter {
             llmConfig: migrationLlmConfig,
             mode: AiMode.BUILD,
         };
+        const promptId = randomUUID();
+        const branchName = this._syncContextProvider?.getBranchName();
+        const migrationUsageMetadata = {
+            applicationId: this.config.applicationId,
+            branchName,
+            migrationSource: "superblocks_2_0",
+            origin: "app_migration",
+            pendingSeedApiCount,
+            retryMode: request.retryMode ?? "none",
+        };
         this.clark.updateContext((context) => ({
             ...context,
-            promptId: randomUUID(),
+            promptId,
+            usageMetadata: migrationUsageMetadata,
             llmConfig: migrationLlmConfig,
         }));
         const transitionTo = transitionFrom(this.clark);
@@ -1234,6 +1364,312 @@ export class AiService extends TracedEventEmitter {
         return result.config;
     }
     migrationTurnTriggered = false;
+    /**
+     * Rejects prompt submission while a policy gate run is executing against the
+     * current application so concurrent Clark activity cannot mutate the app
+     * mid-run (APPS-4466). Enforced here at the dev server, not only in the UI.
+     */
+    assertNoActivePolicyGateRun() {
+        if (policyGateRunRegistry.isRunning(this.config.applicationId)) {
+            this.getLogger().warn("[ai-service] Rejecting prompt while a policy gate run is in progress", { applicationId: this.config.applicationId });
+            throw new Error(POLICY_GATE_RUN_IN_PROGRESS_ERROR);
+        }
+    }
+    /**
+     * Run the pre-call quota check for an incoming user request. If quota is
+     * denied with a recognized paywall reason, persist the prompt + advice
+     * and open the modal via `handlePreCallPaywall`, and return `true` so
+     * the caller can short-circuit. Returns `false` if quota is fine.
+     * Non-paywall errors from the quota check are re-thrown unchanged.
+     *
+     * Shared between `handleAiGenerate` (the normal entry point) and
+     * `interruptAndContinue` (the interrupt-mid-generation entry point) so
+     * both surfaces produce the same user-visible behavior on quota denial —
+     * chat record + modal — instead of the interrupt path silently rejecting
+     * with no UI state. (APPS-4080)
+     */
+    async tryHandlePaywallForRequest(request) {
+        try {
+            await this.ensureAiQuotaAvailable(request.jwt);
+            return false;
+        }
+        catch (error) {
+            if (error instanceof Error) {
+                const reason = getAiQuotaPaywallReasonFromMessage(error.message);
+                if (reason) {
+                    await this.handlePreCallPaywall(request, reason);
+                    return true;
+                }
+            }
+            throw error;
+        }
+    }
+    /**
+     * Persist the user's prompt + the "credits ran out" advice and open the
+     * paywall modal when the pre-call quota check denies the request. Mirrors
+     * what `idle.ts:AGENT_CANCELED` does for the mid-stream paywall path so
+     * both paths leave an identical chat record. Used only when
+     * `ensureAiQuotaAvailable` throws a paywall error in `handleAiGenerate`.
+     *
+     * - For organic user prompts (no `responseMetadata`), persists via
+     *   `recordUser`.
+     * - For widget responses (`multi_choice_response`, `plan_response`,
+     *   `confirm_response`, `searchable_dropdown_response`,
+     *   `remember_knowledge_draft_response`), persists via
+     *   `recordUserResponse` with the full metadata — without this, the
+     *   user's exact choice is silently dropped (they lose their selection
+     *   from chat history AND the resume turn's LLM has no record of what
+     *   they picked). Mirrors `agent-planning.ts:USER_SENT_PROMPT`.
+     * - `tool_permission_response` is intentionally NOT persisted — those
+     *   responses don't have a chat representation; the approval is just
+     *   side-effect state. On resume the user will see the permission
+     *   prompt again, which is acceptable UX.
+     * - Uses fire-and-forget peer pushes after each `await` on the store so
+     *   the chat is durable across refresh even if the live peer push drops.
+     */
+    async handlePreCallPaywall(request, paywallReason) {
+        this.getLogger().info(`[ai-service] Pre-call paywall denial; persisting prompt + advice for chat history`, { paywallReason });
+        // APPS-4080: pre-cache the CANCELLED + paywallReason snapshot into
+        // `lastGenerationState` BEFORE any chat-persistence await. Without
+        // this, a socket reconnect during the awaits in steps 1-2 below
+        // would replay the stale IDLE snapshot held over from before the
+        // request, and the UI saga (`paywallReason && state === CANCELLED`
+        // -> openAiQuotaPaywallModal) would never see the paywall payload —
+        // so the modal would not reopen on refresh. The full
+        // `sendUserGenerationStateChannel({...})` in step 3 below re-caches
+        // and pushes to the peer so the LIVE modal opens AFTER the advice
+        // is in chat. (Cursor PR-19341 review.)
+        this.clark.updateContext({
+            lastGenerationState: {
+                state: AiGenerationState.CANCELLED,
+                hasError: true,
+                paywallReason,
+            },
+        });
+        // 1. Persist + echo the user's prompt so the chat doesn't lose it.
+        const responseMetadata = request.responseMetadata;
+        if (!responseMetadata) {
+            try {
+                const chatmessageId = await this.chatSessionStore.recordUser(request.prompt, { attachments: request.promptContext?.attachments });
+                if (chatmessageId && this.clark.context.peer) {
+                    void this.clark.context.peer.call
+                        .aiPushMessage({
+                        role: "user",
+                        type: "text",
+                        content: request.prompt,
+                        id: chatmessageId,
+                        timestamp: Date.now(),
+                        attachments: request.promptContext?.attachments,
+                    })
+                        .catch((err) => {
+                        this.getLogger().warn("[ai-service] Failed to echo pre-call paywall user prompt", getErrorMeta(err));
+                    });
+                }
+            }
+            catch (err) {
+                this.getLogger().warn("[ai-service] Failed to persist pre-call paywall user prompt", getErrorMeta(err));
+            }
+        }
+        else if (responseMetadata.type !== "tool_permission_response") {
+            // 1b. Widget response (multi_choice_response, plan_response, etc.).
+            //     Persist via `recordUserResponse` with the same metadata mapping
+            //     `agent-planning.ts:USER_SENT_PROMPT` uses, so the user's exact
+            //     choice survives in chat history and is visible on the resume
+            //     turn. Without this branch, the user's selection is silently
+            //     dropped and they lose their selection from chat history.
+            //
+            //     `tool_permission_response` is intentionally skipped — those
+            //     don't have a persisted chat representation. The user will see
+            //     the permission prompt again on resume.
+            const metadata = responseMetadata.type === "multi_choice_response"
+                ? {
+                    responseToMessageId: responseMetadata.responseToMessageId,
+                    selectedChoiceIndices: responseMetadata.selectedChoiceIndices,
+                    selectedScopes: responseMetadata.selectedScopes,
+                }
+                : responseMetadata.type === "remember_knowledge_draft_response"
+                    ? {
+                        responseToMessageId: responseMetadata.responseToMessageId,
+                        selectedCandidateIndices: responseMetadata.selectedCandidateIndices,
+                        selectedScopes: responseMetadata.selectedScopes,
+                    }
+                    : responseMetadata.type === "confirm_response"
+                        ? {
+                            responseToMessageId: responseMetadata.responseToMessageId,
+                            approved: responseMetadata.approved,
+                            selectedScopes: responseMetadata.selectedScopes,
+                        }
+                        : responseMetadata.type === "searchable_dropdown_response"
+                            ? {
+                                responseToMessageId: responseMetadata.responseToMessageId,
+                                selectedValue: responseMetadata.selectedValue,
+                                selectedLabel: responseMetadata.selectedLabel,
+                            }
+                            : {
+                                responseToMessageId: responseMetadata.responseToMessageId,
+                                approved: responseMetadata.approved,
+                                enableTesting: responseMetadata.enableTesting,
+                            };
+            try {
+                const chatmessageId = await this.chatSessionStore.recordUserResponse(request.prompt, responseMetadata.type, metadata);
+                if (chatmessageId && this.clark.context.peer) {
+                    void this.clark.context.peer.call
+                        .aiPushMessage({
+                        role: "user",
+                        type: responseMetadata.type,
+                        content: request.prompt,
+                        id: chatmessageId,
+                        timestamp: Date.now(),
+                        responseToMessageId: responseMetadata.responseToMessageId,
+                    })
+                        .catch((err) => {
+                        this.getLogger().warn("[ai-service] Failed to echo pre-call paywall widget response", getErrorMeta(err));
+                    });
+                }
+            }
+            catch (err) {
+                this.getLogger().warn("[ai-service] Failed to persist pre-call paywall widget response", getErrorMeta(err));
+            }
+        }
+        // 2. Persist + echo the credit advice. Same canned text as
+        //    `agent-planning.ts:LLM_ERRORED` so users see consistent guidance
+        //    across pre-call and mid-stream paywall paths.
+        const advice = "I stopped because credits ran out. Add credits, then send any message to pick up from here.";
+        const adviceId = randomUUID();
+        try {
+            await this.chatSessionStore.recordAssistant({
+                role: "assistant",
+                type: "error",
+                content: advice,
+                id: adviceId,
+                timestamp: Date.now(),
+            });
+        }
+        catch (err) {
+            this.getLogger().warn("[ai-service] Failed to persist pre-call paywall advice", getErrorMeta(err));
+        }
+        if (this.clark.context.peer) {
+            void this.clark.context.peer.call
+                .aiPushMessage({
+                role: "assistant",
+                type: "error",
+                content: advice,
+                id: adviceId,
+                timestamp: Date.now(),
+            })
+                .catch((err) => {
+                this.getLogger().warn("[ai-service] Failed to echo pre-call paywall advice", getErrorMeta(err));
+            });
+        }
+        // 3. Open the paywall modal via the same generation-state event the
+        //    mid-stream path uses. The UI saga listens for
+        //    `paywallReason && state === CANCELLED` and opens the modal.
+        //    Route through `sendUserGenerationStateChannel` (NOT raw
+        //    `peer.call.aiSetGenerationState`) so the CANCELLED + hasError +
+        //    paywallReason payload is cached in `lastGenerationState`. On
+        //    socket reconnect, `handleUserConnected` replays that cached
+        //    state — without this, a refresh / reconnect after a pre-call
+        //    paywall would replay stale generation state and the modal
+        //    would not reopen. (APPS-4080)
+        void sendUserGenerationStateChannel(this.clark)({
+            state: AiGenerationState.CANCELLED,
+            hasError: true,
+            paywallReason,
+        }).catch((err) => {
+            this.getLogger().warn("[ai-service] Failed to send pre-call paywall generation state", getErrorMeta(err));
+        });
+        // 4. Mark this turn as paused-for-credits so the resume hint fires on
+        //    the next `USER_SENT_PROMPT` (same as the mid-stream LLM_ERRORED path
+        //    does in agent-planning.ts).
+        this.clark.updateContext({ pausedForCreditsReason: paywallReason });
+        // 5. Persist the failed prompt into ContextV2 so the LLM actually sees
+        //    it on the resume turn. ContextV2 is a per-turn context layer that
+        //    only grows when an LLM call runs (`ctx.startTurn(user)` +
+        //    `ctx.addResponse(...)` inside `streamText`). Pre-call paywall
+        //    throws BEFORE `transitionTo<$AgentPlanning>`, so `streamText`
+        //    never runs and the failed prompt is invisible to the LLM on the
+        //    next turn — recordUser above only writes to chat_message + the
+        //    live UI socket, not to ContextV2. Without this step the resume
+        //    LLM call has no memory of the failed task and (correctly!)
+        //    answers "I have no memory of prior tasks" because for *this*
+        //    context that's literally true. Add the failed prompt directly
+        //    so the resume turn sees it.
+        // Add the failed prompt/response text to ContextV2 for both organic
+        // user prompts AND widget responses (multi_choice, plan, etc.) so the
+        // resume turn's LLM sees what the user said. The only case we skip is
+        // tool_permission_response — those have no persisted chat
+        // representation; the approval is just side-effect state that gets
+        // re-prompted on resume.
+        if (request.responseMetadata?.type !== "tool_permission_response") {
+            try {
+                // `getContextId` reads `clark.context.jwt` for the userId, but the
+                // JWT is normally only stored into clark context by the
+                // AgentPlanning transition further down the flow — which we never
+                // reach on the pre-call paywall path. Always overwrite from
+                // `request.jwt` (the authoritative source for THIS turn) rather
+                // than reusing whatever happens to be in clark.context.jwt — a
+                // stale token left over from a prior peer/reconnect would resolve
+                // to the wrong userId and write this user's prompt into another
+                // user's ContextV2 history.
+                if (request.jwt) {
+                    this.clark.updateContext({ jwt: request.jwt });
+                }
+                const contextId = getContextId(this.clark, this.config);
+                const llmConfig = request.llmConfig;
+                if (contextId && llmConfig) {
+                    // Redact secrets from the prompt before adding to ContextV2.
+                    // The resume turn's safety pass uses `scope: "last"`, which only
+                    // covers the NEXT user message — so this replayed message is
+                    // outside the normal redaction window. Without this redact-on-
+                    // persist step, a user pasting a token into a quota-denied
+                    // prompt would still forward that token to the model provider
+                    // on resume. Mirrors the same scanContentForSecrets +
+                    // SecretRedactor pipeline `llm/client.ts:streamText` runs for
+                    // organic user prompts. Fail-open on scan errors (same as
+                    // mainline) so a flaky scanner doesn't break the resume path —
+                    // logged so we can audit if this ever fires in prod.
+                    let promptForContext = request.prompt;
+                    try {
+                        const scanResult = await scanContentForSecrets(request.prompt);
+                        if (scanResult.success && scanResult.hasSecrets) {
+                            this.getLogger().warn(`[secret-scan] Redacting ${scanResult.findings.length} secret(s) from pre-call paywall prompt before ContextV2 persist`, {
+                                findingCount: scanResult.findings.length,
+                                hasVerified: scanResult.hasVerifiedSecrets,
+                                detectorTypes: scanResult.findings.map((f) => f.detectorType),
+                            });
+                            const redactor = new SecretRedactor(scanResult.findings);
+                            promptForContext = redactor.redact(request.prompt);
+                        }
+                        else if (!scanResult.success) {
+                            // Do NOT log `scanResult.error` directly — it can contain
+                            // raw TruffleHog stdout/stderr payloads, which on some
+                            // failure paths include excerpts of the scanned prompt
+                            // (i.e. unredacted user secret material). Log only that the
+                            // scan failed; operators can correlate via timestamp +
+                            // peerId. (APPS-4080 security review)
+                            this.getLogger().warn("[secret-scan] Secret scan failed on pre-call paywall prompt; persisting unredacted (fail-open, matches mainline)");
+                        }
+                    }
+                    catch (scanErr) {
+                        // Same reason — don't pipe raw scanner error meta to logs.
+                        // `getErrorMeta` extracts message/stack which can include
+                        // unredacted prompt content from the scanner subprocess.
+                        this.getLogger().warn("[secret-scan] Secret scan threw on pre-call paywall prompt; persisting unredacted (fail-open, matches mainline)", {
+                            errorKind: scanErr instanceof Error ? scanErr.name : typeof scanErr,
+                        });
+                    }
+                    const ctx = await this.contextManagerV2.getOrCreateContext(contextId, llmConfig.contextOptionsV2);
+                    await ctx.addUserMessage({
+                        role: "user",
+                        content: promptForContext,
+                    });
+                }
+            }
+            catch (err) {
+                this.getLogger().warn("[ai-service] Failed to add pre-call paywall user prompt to ContextV2 (chat_message persistence unaffected)", getErrorMeta(err));
+            }
+        }
+    }
     async handleAiGenerate(request) {
         this.getLogger().info(`[ai-service] handleAiGenerate: peerId=${this.stablePeer.peerId ?? "unknown"}`);
         if (this.clark.state === ClarkStateNames.Dead) {
@@ -1244,11 +1680,24 @@ export class AiService extends TracedEventEmitter {
             this.getLogger().info("[ai-service] Ignoring duplicate aiGenerate re-send", { requestId: request.requestId });
             return;
         }
+        this.assertNoActivePolicyGateRun();
         if (this.isBusy()) {
             this.getLogger().warn("[ai-service] Service is busy. State:", this.clark.state);
             throw new Error("Service is busy");
         }
-        await this.ensureAiQuotaAvailable(request.jwt);
+        // Pre-call quota check. When denied, `ensureAiQuotaAvailable` throws so
+        // the UI gets a paywall reason and opens the modal. Without intervention
+        // the throw means we never reach `transitionTo<$AgentPlanning>` below,
+        // so `agent-planning.ts:USER_SENT_PROMPT` never records the user prompt
+        // and `idle.ts:AGENT_CANCELED` never persists the credit advice — the UI
+        // ends up with the optimistic user message removed (thunks.ts catch path)
+        // and no record of what the user tried. Catch it here, persist prompt +
+        // advice + open modal via the same `aiSetGenerationState(CANCELLED,
+        // paywallReason)` saga path the mid-stream paywall uses, then resolve
+        // the socket call so the UI's catch doesn't run. (APPS-4080)
+        if (await this.tryHandlePaywallForRequest(request)) {
+            return;
+        }
         if (request.requestId &&
             !this.requestDeduplicator.markIfNew(request.requestId)) {
             this.getLogger().warn("[ai-service] Ignoring duplicate aiGenerate re-send (lost dedup race)", { requestId: request.requestId });
@@ -1278,6 +1727,11 @@ export class AiService extends TracedEventEmitter {
                 return {
                     ...context,
                     promptId,
+                    // Third-party import turns are billed as app_migration; everything
+                    // else falls back to the default in-app Clark generation metadata.
+                    usageMetadata: request.importSource
+                        ? { origin: "app_migration", source: request.importSource }
+                        : undefined,
                     useMockGeneration: request.mockGeneration ?? false,
                     planContext: mergePlanContexts(context.planContext, request.planContext),
                     browserContext: request.browserContext,
@@ -1372,7 +1826,7 @@ export class AiService extends TracedEventEmitter {
                 promptId,
                 applicationId: this.config.applicationId,
             });
-            const llmProvider = createLLMProvider(llmProviderSettings, () => request.jwt, llmConfig, () => ({
+            const llmProvider = createLLMProvider(llmProviderSettings, () => this.requireProvidedInferenceJwt(request.jwt, "live-edit request"), llmConfig, () => ({
                 prompt_id: promptId,
                 application_id: this.config.applicationId,
                 session_id: this.sessionId,
@@ -1539,7 +1993,7 @@ export class AiService extends TracedEventEmitter {
             const llmProviderSettings = this.getLLMProviderSettings(llmConfig);
             const promptId = randomUUID();
             getLogger().info("[ai-service] Generated prompt_id for summarize api usage", { promptId, applicationId: this.config.applicationId });
-            const llmProvider = createLLMProvider(llmProviderSettings, () => request.jwt, llmConfig, () => ({
+            const llmProvider = createLLMProvider(llmProviderSettings, () => this.requireProvidedInferenceJwt(request.jwt, "live-edit request"), llmConfig, () => ({
                 prompt_id: promptId,
                 application_id: this.config.applicationId,
                 session_id: this.sessionId,
@@ -1655,7 +2109,7 @@ export class AiService extends TracedEventEmitter {
                 promptId,
                 applicationId: this.config.applicationId,
             });
-            const llmProvider = createLLMProvider(llmProviderSettings, () => request.jwt, llmConfig, () => ({
+            const llmProvider = createLLMProvider(llmProviderSettings, () => this.requireProvidedInferenceJwt(request.jwt, "live-edit request"), llmConfig, () => ({
                 prompt_id: promptId,
                 application_id: this.config.applicationId,
                 session_id: this.sessionId,
@@ -1749,7 +2203,7 @@ export class AiService extends TracedEventEmitter {
             promptId,
             applicationId: this.config.applicationId,
         });
-        const llmProvider = createLLMProvider(llmProviderSettings, () => request.jwt, llmConfig, () => ({
+        const llmProvider = createLLMProvider(llmProviderSettings, () => this.requireProvidedInferenceJwt(request.jwt, "live-edit request"), llmConfig, () => ({
             prompt_id: promptId,
             application_id: this.config.applicationId,
             session_id: this.sessionId,
@@ -1920,9 +2374,52 @@ export class AiService extends TracedEventEmitter {
         this.clark.updateContext((context) => ({
             ...context,
             promptId: undefined,
+            usageMetadata: undefined,
         }));
         void this.clark.send({ type: USER_CANCELED });
     }
+    /**
+     * UI-initiated cancellation of a background task. Delegates to
+     * `TaskStore.cancel`, which aborts the local poll loop and best-effort
+     * invokes the task type's `cancel` hook on the external system. The
+     * status listener wired in the constructor pushes the resulting
+     * `cancelled` summary to the UI; this method just returns whether a
+     * transition actually happened so the thunk can short-circuit retries.
+     *
+     * `callerUserId` is the JWT-derived identity of the RPC caller (the
+     * socket handler extracts it from `peerAuthorization`). When the
+     * target task has a recorded `ownerUserId` that does not match, we
+     * return the same `{ cancelled: false }` no-op as the unknown /
+     * already-terminal cases. This is intentional: surfacing a distinct
+     * "not your task" error would let a malicious caller probe the
+     * existence of other users' task IDs. See PR #19718 review feedback.
+     *
+     * Returns `{ cancelled: false }` when:
+     *   - the background-tasks framework is disabled
+     *   - the task is unknown or already terminal
+     *   - the caller is not the task's owner
+     */
+    async cancelBackgroundTask(taskId, callerUserId) {
+        if (!this.taskStore) {
+            this.getLogger().warn(`[ai-service] cancelBackgroundTask called but background-tasks framework is disabled; taskId=${taskId}`);
+            return { cancelled: false };
+        }
+        const before = this.taskStore.get(taskId);
+        if (!before || before.state !== "running") {
+            return { cancelled: false };
+        }
+        if (!isTaskAccessibleTo(before, callerUserId)) {
+            // Opaque deny: same shape as unknown/terminal so callers cannot
+            // distinguish "your task is not running" from "this is not your
+            // task". Log at warn so cross-user cancellation attempts are
+            // observable in ops without leaking to the client.
+            this.getLogger().warn(`[ai-service] cancelBackgroundTask denied: cross-owner attempt; taskId=${taskId}`);
+            return { cancelled: false };
+        }
+        await this.taskStore.cancel(taskId);
+        const after = this.taskStore.get(taskId);
+        return { cancelled: after?.state === "cancelled" };
+    }
     /**
      * Submit a prompt with interrupt behavior.
      * If not busy, starts immediately. Otherwise interrupts and continues.
@@ -1939,6 +2436,7 @@ export class AiService extends TracedEventEmitter {
             this.getLogger().info("[ai-service] Ignoring duplicate aiGenerateWithQueue re-send", { requestId: request.requestId, mode });
             return { status: "started" };
         }
+        this.assertNoActivePolicyGateRun();
         if (!this.isBusy()) {
             await this.handleAiGenerate(request);
             return { status: "started" };
@@ -1951,7 +2449,15 @@ export class AiService extends TracedEventEmitter {
      * The partial response is preserved in chat history for context.
      */
     async interruptAndContinue(request) {
-        await this.ensureAiQuotaAvailable(request.jwt);
+        // The user interrupted — abort the in-flight generation FIRST, before
+        // anything else. The caller (UI saga) signals `interrupted` immediately
+        // on this method's return, so the old run must actually be dead by
+        // then. An earlier version of this method checked quota before
+        // aborting, which let the old run keep producing tokens while the
+        // paywall UI was rendering — racing the paywall state on the wire.
+        // The right shape: abort -> wait -> install fresh AbortController ->
+        // persist any partial -> then decide whether to continue with a new
+        // generation (or paywall the new prompt). (APPS-4080)
         const partialResponse = this.clark.context.partialResponse?.text ?? "";
         const preservedContext = {
             jwt: this.clark.context.jwt,
@@ -1962,14 +2468,19 @@ export class AiService extends TracedEventEmitter {
         this.clark.updateContext({ isInterruptAbort: true });
         this.clark.context.abortController?.abort();
         await this.waitForAbortComplete();
+        // Note: `interruptedPreviousGeneration` and `interruptOriginalPrompt`
+        // are NOT set yet — they're set below, AFTER the paywall check, so
+        // they don't survive into the next turn on a paywall return. If we
+        // set them here and then the paywall path returned, `agent-planning.ts`
+        // would preferentially use the stale `interruptOriginalPrompt` over
+        // the user's actual follow-up message on the resume turn (it has a
+        // `clark.context.interruptOriginalPrompt ?? request.prompt` fallback).
         this.clark.updateContext({
             jwt: preservedContext.jwt,
             llmConfig: preservedContext.llmConfig,
             availableIntegrations: preservedContext.availableIntegrations,
             abortController: new AbortController(),
             partialResponse: undefined,
-            interruptedPreviousGeneration: true,
-            interruptOriginalPrompt: request.prompt,
         });
         if (partialResponse.trim().length > 10) {
             await this.chatSessionStore.recordAssistant({
@@ -1978,6 +2489,24 @@ export class AiService extends TracedEventEmitter {
                 type: "text",
             });
         }
+        // Now that the old run is reliably dead, check quota for the new
+        // prompt. If paywalled, persist + open modal + return — same flow as
+        // `handleAiGenerate`. The aborted run is NOT resumed; the user can
+        // start fresh once credits are restored via the same "send any
+        // message" affordance the standard paywall uses.
+        if (await this.tryHandlePaywallForRequest(request)) {
+            return;
+        }
+        // Only set the interrupt-state fields once we're committed to calling
+        // `handleAiGenerate` below — `agent-planning.ts` consumes
+        // `interruptOriginalPrompt` on the immediately-next `USER_SENT_PROMPT`
+        // and clears it. Setting them only on this happy path keeps them from
+        // leaking into a future unrelated turn if anything between here and
+        // the LLM call throws.
+        this.clark.updateContext({
+            interruptedPreviousGeneration: true,
+            interruptOriginalPrompt: request.prompt,
+        });
         const enhancedPrompt = `[The user interrupted the previous generation to say this. It may be an update/correction to what you were doing, or a new direction entirely - use your judgment based on the message:]\n\n${request.prompt}`;
         const enhancedRequest = {
             ...request,
@@ -2372,6 +2901,17 @@ export class AiService extends TracedEventEmitter {
         // disconnected flush in order as part of setInner.
         this.stablePeer.setInner({ peer, peerId });
         this.getLogger().info(`[ai-service] Peer set: ${peerId}`);
+        // A replacement (or freshly reconnecting) peer must re-prove its
+        // identity via `notifyAuthenticatedRpc` before live task pushes
+        // trust it. Drop any identity carried over from the peer we just
+        // replaced so the bound peerId and the authenticated identity can't
+        // disagree — otherwise a peer that binds before the previous peer's
+        // disconnect is processed would receive the previous user's task
+        // pushes (PR #19718 Comment 59).
+        if (this.authenticatedPeerId !== peerId) {
+            this.authenticatedPeerId = undefined;
+            this.authenticatedPeerUserId = undefined;
+        }
         // 1. Sync generation state if generation is in progress
         if (this.clark.context.lastGenerationState) {
             this.getLogger().info(`[ai-service] Syncing generation state on reconnect: ${this.clark.context.lastGenerationState.state}`);
@@ -2415,6 +2955,84 @@ export class AiService extends TracedEventEmitter {
                 this.getLogger().warn(`[ai-service] Failed to clear stale tool permission on reconnect`, error);
             });
         }
+        // 3. Defer the background-task summary resync until the peer
+        //    proves auth via its first authenticated RPC. The socket
+        //    upgrade path only validates `applicationId`; auth is enforced
+        //    by RPC middleware, which hasn't run yet at connect time. An
+        //    unauthenticated client that manages to open the socket would
+        //    otherwise receive the active task list. The resync drains
+        //    inside `notifyAuthenticatedRpc(peerId)`, called by the
+        //    auth middleware (see `socket-manager.ts`) on first success.
+        if (this.taskStore) {
+            this.pendingTaskResyncPeerIds.add(peerId);
+        }
+    }
+    /**
+     * Per-session set of peer IDs that connected since their last task
+     * resync drained. Populated by `handleUserConnected`, drained inside
+     * `notifyAuthenticatedRpc` exactly once per (connect, first auth
+     * success) pair — so a fresh tab gets the active task list as soon
+     * as auth is proven, but never before.
+     */
+    pendingTaskResyncPeerIds = new Set();
+    /**
+     * The authenticated peer's identity, but only while that same peer is
+     * still the bound `stablePeer`. `handleUserConnected` can swap in a
+     * replacement peer before the previous peer's disconnect is processed;
+     * keying the identity to its peerId means a live status push in that
+     * window is gated against `undefined` (suppressed) rather than the
+     * previous user — closing the cross-user leak in PR #19718 Comment 59.
+     * Returns `undefined` until the currently-bound peer proves auth via
+     * `notifyAuthenticatedRpc`, so owned-task pushes fail closed.
+     */
+    getAuthenticatedPeerUserId() {
+        return this.authenticatedPeerId === this.stablePeer.peerId
+            ? this.authenticatedPeerUserId
+            : undefined;
+    }
+    /**
+     * Hook for the socket-manager auth middleware to call after every
+     * successful authorization check. The first call per peer drains any
+     * deferred state pushes registered by `handleUserConnected` (today:
+     * the active background-task summary resync). Subsequent calls for
+     * the same connection are no-ops; the set is repopulated on the
+     * next connect/reconnect.
+     *
+     * `callerUserId` is the JWT-derived identity of the just-authenticated
+     * RPC caller. The resync filters by `isTaskAccessibleTo(task, callerUserId)`
+     * so user B reconnecting to an AiService that's running user A's task
+     * does not receive A's `taskId` / label / message. Tasks with no
+     * recorded `ownerUserId` (legacy/local-dev) remain visible to anyone,
+     * matching the LLM-facing `listTasks` semantics.
+     *
+     * NOTE: The legacy `aiSetGenerationState` / tool-permission pushes
+     * in `handleUserConnected` have the same pre-auth exposure but are
+     * out of scope for this gate — they were not introduced by the
+     * background-task framework. Move them here when tightening that
+     * threat surface (see PR #19718 review feedback).
+     */
+    notifyAuthenticatedRpc(peerId, callerUserId) {
+        // Track the authenticated peer's identity (keyed to its peerId) so
+        // `wireTaskStatusPushToPeer` can owner-filter live status
+        // transitions (Comment 57, PR #19718).
+        if (this.stablePeer.peerId === peerId) {
+            this.authenticatedPeerId = peerId;
+            this.authenticatedPeerUserId = callerUserId;
+        }
+        if (!this.pendingTaskResyncPeerIds.has(peerId))
+            return;
+        // Delete before invoking the push so concurrent middleware calls
+        // for the same peer don't double-fire.
+        this.pendingTaskResyncPeerIds.delete(peerId);
+        // Defense in depth: only push for the currently-bound peer. A
+        // late auth notification for a peer that's already been replaced
+        // shouldn't leak state to the now-current peer's history.
+        if (this.taskStore && this.stablePeer.peerId === peerId) {
+            resyncActiveTaskStatusesToPeer(this.taskStore, {
+                getPeer: () => this.stablePeer,
+                logger: this.getLogger(),
+            }, callerUserId);
+        }
     }
     handleUserDisconnected(peerId) {
         const currentPeerId = this.stablePeer.peerId;
@@ -2427,6 +3045,13 @@ export class AiService extends TracedEventEmitter {
             return; // Don't clear the current peer on stale disconnect
         }
         this.getLogger().info(`[ai-service] peer disconnecting: ${peerId}`);
+        // Drop any deferred state-push registration for this peer so a
+        // disconnect that races a never-arrived auth proof doesn't leave
+        // the entry around forever (the auth middleware never gets to
+        // drain it on a dead connection).
+        this.pendingTaskResyncPeerIds.delete(peerId);
+        this.authenticatedPeerUserId = undefined;
+        this.authenticatedPeerId = undefined;
         const contextId = this.getContextId();
         if (contextId) {
             this.contextManagerV2.clearContext(contextId);
@@ -2617,10 +3242,6 @@ export class AiService extends TracedEventEmitter {
      */
     async handleJudgeEvaluation(request) {
         this.getLogger().info(`[ai-service] Judge evaluation requested for promptId=${request.promptId}, appId=${request.appId}`);
-        // Temporarily set the JWT for this evaluation
-        const previousJwt = this.tokenManagerJwt;
-        this.tokenManagerJwt = request.jwt;
-        this.getLogger().info(`[ai-service] Set tokenManagerJwt for judge evaluation. hasJwt=${!!request.jwt}, jwtLength=${request.jwt?.length || 0}`);
         // Judge storage location is configurable via JUDGE_STORAGE_PATH env var
         // Supports both directory paths (writes to evaluations.csv) and full file paths
         // Default: <appRoot>/.superblocks/judge-evaluations/evaluations.csv
@@ -2651,7 +3272,7 @@ export class AiService extends TracedEventEmitter {
         this.config.logger.info(`[ai-service] Judge storage configured: ${path.join(storageDir, storageFilename)}`);
         // Create LLM provider for judge with JWT getter
         // Use getLLMProviderSettings to ensure proper configuration (including upstreamProvider)
-        const judgeLlmProvider = createLLMProvider(this.getLLMProviderSettings(request.llmConfig), () => this.getJwt(), request.llmConfig, undefined);
+        const judgeLlmProvider = createLLMProvider(this.getLLMProviderSettings(request.llmConfig), () => this.requireProvidedInferenceJwt(request.jwt, "judge evaluation"), request.llmConfig, undefined);
         const judgeService = new JudgeService({
             llmClient: this.llmClient,
             llmProvider: judgeLlmProvider,
@@ -2692,10 +3313,6 @@ export class AiService extends TracedEventEmitter {
             this.getLogger().error(`[ai-service] Judge evaluation failed: ${String(error)}`, getErrorMeta(error));
             throw error;
         }
-        finally {
-            // Restore previous JWT
-            this.tokenManagerJwt = previousJwt;
-        }
     }
     async handlePolicyGateExecution(request) {
         const logger = this.getLogger();
@@ -2703,9 +3320,10 @@ export class AiService extends TracedEventEmitter {
         const requestLlmConfig = request.llmConfig;
         const contextLlmConfig = this.clark.context.llmConfig;
         const llmConfig = requestLlmConfig ?? contextLlmConfig;
-        const llmProvider = createLLMProvider(this.getLLMProviderSettings(llmConfig), () => this.getJwt(), llmConfig, () => ({
+        const llmProvider = createLLMProvider(this.getLLMProviderSettings(llmConfig), () => this.requireProvidedInferenceJwt(request.jwt, "policy gate"), llmConfig, () => ({
             ai_agent_run_id: request.aiAgentRunId,
             application_id: request.applicationId,
+            metadata: POLICY_GATE_USAGE_METADATA,
             session_id: this.sessionId,
             trigger_type: "policy_gate",
         }));
@@ -2777,7 +3395,30 @@ export class AiService extends TracedEventEmitter {
             tools,
             stopWhen: stepCountIs(30),
         });
+        // Best-effort: surface the agent's latest tool/reasoning step in the editor
+        // so a running policy row shows live activity instead of an opaque spinner.
+        // Only meaningful when an editor session is connected; never blocks the run.
+        const peer = this.clark.context.peer;
+        const emitAgentStep = (part) => {
+            if (!this.hasConnectedPeer() || !peer) {
+                return;
+            }
+            const step = policyGateStreamPartToAgentStep(part);
+            if (!step) {
+                return;
+            }
+            void peer.call
+                .aiPushPolicyAgentStep({
+                applicationId: request.applicationId,
+                policyId: request.reviewPolicyId,
+                step,
+            })
+                .catch((error) => {
+                logger.warn("[ai-service] Failed to push policy agent step", getErrorMeta(error));
+            });
+        };
         for await (const part of result.fullStream) {
+            emitAgentStep(part);
             const partType = typeof part.type === "string"
                 ? part.type
                 : "unknown";
@@ -2915,13 +3556,21 @@ export class AiService extends TracedEventEmitter {
             pendingToolPermissionRequest: undefined,
         });
     }
+    /** Clears local LLM context so migration-era memory does not survive abort. */
+    async clearMigrationAbortLocalContext() {
+        const contextId = getContextId(this.clark, this.config);
+        await this.contextManagerV2.clearAllContexts();
+        if (contextId) {
+            await this.contextManagerV2.persistEmptyContext(contextId);
+        }
+    }
     /**
      * Upload the (now-empty) context to Bucketeer.
      * commitId is captured before newChat() clears the session.
      * Failures are logged but do not fail clear chat.
      */
     async uploadEmptyContextToBucketeer(userId, commitId) {
-        const jwt = this.getJwt();
+        const jwt = this.getInferenceJwt();
         const branchName = this._syncContextProvider?.getBranchName();
         if (!jwt || !commitId || !branchName) {
             return;