@vellumai/assistant 0.10.1 → 0.10.2-dev.202606241651.2d2b40d

package/src/contacts/contacts-write.ts

@@ -30,6 +30,9 @@ import type {
  * Returns true when a guardian channel was found and revoked, false otherwise.
  */
 export function revokeGuardianBinding(channel: string): boolean {
+  // Local-store read, not the gateway: this read selects the row that the
+  // updateChannelStatus write below mutates, so it must stay transactionally
+  // consistent with that write. Leave for Combo 11 / gateway-bootstrap-binding.
   const guardian = findGuardianForChannel(channel);
   if (!guardian) return false;
 

package/src/contacts/guardian-delivery-reader.ts

@@ -0,0 +1,223 @@
+/**
+ * Gateway-backed guardian binding + delivery reader.
+ *
+ * Resolves the active guardian binding(s) and their per-channel delivery
+ * endpoints from the gateway via the `resolve_guardian_delivery` IPC route,
+ * validating the response against {@link ResolveGuardianDeliveryResponseSchema}.
+ *
+ * Guardian binding is near-static — it only changes on guardian onboarding /
+ * verification or revocation — yet this reader sits on many hot paths. To keep
+ * those paths off the IPC, results are cached behind a minutes-scale TTL and
+ * coalesced single-flight so a cold cache storms the gateway at most once.
+ *
+ * Freshness comes from two sources: the {@link invalidateGuardianDeliveryCache}
+ * subscription to `onContactChange` (contact mutations clear the cache), and
+ * {@link getGuardianDeliveryFresh} reads on existence guards (gateway-side
+ * binding writes don't invalidate the daemon cache, so those paths read fresh).
+ *
+ * Returns `null` on ANY failure (transport failure, malformed shape, timeout,
+ * or thrown error); failures are NOT cached, so a recovered gateway is retried
+ * on the next call.
+ */
+
+import {
+  type GuardianDelivery,
+  ResolveGuardianDeliveryResponseSchema,
+} from "@vellumai/gateway-client";
+
+import { ipcCall } from "../ipc/gateway-client.js";
+import { onContactChange } from "./contact-events.js";
+
+// Short IPC timeout so the read resolves promptly rather than stalling a hot
+// path on a gateway that accepts the socket but hangs.
+const GUARDIAN_DELIVERY_IPC_TIMEOUT_MS = 2_000;
+
+// Guardian binding is near-static, so a minutes-scale TTL is safe; freshness is
+// driven primarily by event-based invalidation, not by this backstop expiry.
+const GUARDIAN_DELIVERY_CACHE_TTL_MS = 300_000;
+
+interface CacheEntry {
+  guardians: GuardianDelivery[];
+  fetchedAt: number;
+}
+
+const cache = new Map<string, CacheEntry>();
+// Tracks whether the in-flight fetch was a force-refresh, so a fresh read never
+// coalesces with an older non-force fetch that may predate a gateway-side write.
+const inFlight = new Map<
+  string,
+  { promise: Promise<GuardianDelivery[] | null>; fresh: boolean }
+>();
+
+// Bumped on every invalidation. A fetch captures the generation when it starts
+// and only writes its result to the cache if the generation is unchanged on
+// resolve, so an invalidation mid-flight can't repopulate a stale pre-change
+// result and mask a guardian-binding change.
+let cacheGeneration = 0;
+
+function cacheKey(channelTypes?: string[]): string {
+  if (!channelTypes || channelTypes.length === 0) return "ALL";
+  return [...channelTypes].sort().join(",");
+}
+
+async function fetchGuardianDelivery(
+  input: { channelTypes?: string[] },
+): Promise<GuardianDelivery[] | null> {
+  try {
+    const result = await ipcCall(
+      "resolve_guardian_delivery",
+      input,
+      GUARDIAN_DELIVERY_IPC_TIMEOUT_MS,
+    );
+    if (!result) return null;
+
+    const parsed = ResolveGuardianDeliveryResponseSchema.safeParse(result);
+    return parsed.success ? parsed.data.guardians : null;
+  } catch {
+    return null;
+  }
+}
+
+// Shared fetch path for both the cached and fresh public surfaces. When
+// `forceRefresh` is set the cached entry is bypassed; the read is still
+// single-flight and still populates the cache with the fresh result.
+async function readGuardianDelivery(
+  input: { channelTypes?: string[]; forceRefresh?: boolean },
+): Promise<GuardianDelivery[] | null> {
+  const key = cacheKey(input.channelTypes);
+
+  if (!input.forceRefresh) {
+    const cached = cache.get(key);
+    if (
+      cached &&
+      Date.now() - cached.fetchedAt < GUARDIAN_DELIVERY_CACHE_TTL_MS
+    ) {
+      return cached.guardians;
+    }
+  }
+
+  // A non-force read may coalesce with any in-flight fetch. A force read may
+  // only coalesce with another force fetch — never with a non-force fetch that
+  // could have started before a gateway-side binding write and resolve stale.
+  const pending = inFlight.get(key);
+  if (pending && (!input.forceRefresh || pending.fresh)) return pending.promise;
+
+  const startGen = cacheGeneration;
+  const promise = fetchGuardianDelivery({ channelTypes: input.channelTypes })
+    .then((guardians) => {
+      // Skip the write if an invalidation fired during the fetch: the result
+      // may predate the change. Return it to this caller (freshest it has) but
+      // leave the cache empty so the next call re-fetches.
+      if (guardians && cacheGeneration === startGen) {
+        cache.set(key, { guardians, fetchedAt: Date.now() });
+      }
+      return guardians;
+    })
+    .finally(() => {
+      // Only clear the slot if it still holds this fetch — a concurrent force
+      // read may have replaced a non-force entry (or vice versa).
+      if (inFlight.get(key)?.promise === promise) inFlight.delete(key);
+    });
+
+  inFlight.set(key, { promise, fresh: !!input.forceRefresh });
+  return promise;
+}
+
+/**
+ * Resolve active guardian deliveries, optionally filtered by channel type.
+ * Returns the cached list when fresh, otherwise fetches (single-flight) and
+ * caches on success. Returns `null` on failure without caching.
+ *
+ * To force an uncached read, call {@link getGuardianDeliveryFresh} — the only
+ * public fresh-read entry point.
+ */
+export async function getGuardianDelivery(
+  input?: { channelTypes?: string[] },
+): Promise<GuardianDelivery[] | null> {
+  return readGuardianDelivery({ channelTypes: input?.channelTypes });
+}
+
+/**
+ * Synchronous read of the already-cached guardian deliveries, without any IO.
+ *
+ * Returns the fresh cached list for the given channel filter, or `undefined`
+ * when the cache is cold or expired. Used by sync hot paths (SSE subscribe)
+ * that cannot await {@link getGuardianDelivery} but must resolve the SAME
+ * gateway-owned principal the async paths land on. A cold/expired return lets
+ * the caller fall back to the local store as before.
+ */
+export function peekCachedGuardianDelivery(
+  input?: { channelTypes?: string[] },
+): GuardianDelivery[] | undefined {
+  const cached = cache.get(cacheKey(input?.channelTypes));
+  if (!cached) return undefined;
+  if (Date.now() - cached.fetchedAt >= GUARDIAN_DELIVERY_CACHE_TTL_MS) {
+    return undefined;
+  }
+  return cached.guardians;
+}
+
+/**
+ * Fresh (uncached) variant of {@link getGuardianDelivery}. Existence guards read
+ * fresh because gateway-side binding writes don't invalidate the daemon cache.
+ * Still single-flight, and still populates the cache with the fresh result.
+ */
+export async function getGuardianDeliveryFresh(
+  input?: { channelTypes?: string[] },
+): Promise<GuardianDelivery[] | null> {
+  return readGuardianDelivery({
+    channelTypes: input?.channelTypes,
+    forceRefresh: true,
+  });
+}
+
+/**
+ * Clear ALL cached guardian deliveries. Subscribed to `onContactChange` so
+ * contact mutations refetch on the next read; also exported for any caller that
+ * wants to invalidate explicitly.
+ */
+export function invalidateGuardianDeliveryCache(): void {
+  cacheGeneration += 1;
+  cache.clear();
+  inFlight.clear();
+}
+
+onContactChange(invalidateGuardianDeliveryCache);
+
+/** First active guardian delivery for the given channel type, if any. */
+export function guardianForChannel(
+  list: GuardianDelivery[],
+  channelType: string,
+): GuardianDelivery | undefined {
+  return list.find(
+    (g) => g.channelType === channelType && g.status === "active",
+  );
+}
+
+/** First guardian delivery overall — the `listGuardianChannels` fallback. */
+export function anyGuardian(
+  list: GuardianDelivery[],
+): GuardianDelivery | undefined {
+  return list[0];
+}
+
+/**
+ * Resolve a guardian displayName for voice surfaces: prefer the phone-channel
+ * guardian, falling back to any guardian. Returns `undefined` when the list is
+ * absent or no guardian carries a displayName.
+ */
+export function voiceGuardianDisplayName(
+  list: GuardianDelivery[] | null,
+): string | undefined {
+  const guardian = list
+    ? (guardianForChannel(list, "phone") ?? anyGuardian(list))
+    : undefined;
+  return guardian?.displayName ?? undefined;
+}
+
+/** Test-only: reset cache + in-flight state for deterministic test runs. */
+export function __resetGuardianDeliveryCacheForTest(): void {
+  cache.clear();
+  inFlight.clear();
+  cacheGeneration = 0;
+}

package/src/daemon/conversation-agent-loop.ts

@@ -480,6 +480,11 @@ export async function runAgentLoopImpl(
   // resolved once here and threaded into every re-injection — including the
   // post-compaction hook — rather than re-read per assembly call.
   const isNonInteractive = !isInteractiveResolved;
+  // Expose the resolved turn-level interactivity to tool execution so tools
+  // (e.g. ask_question) see whether a human is present to answer, rather than
+  // re-deriving it from live client state that misclassifies a scheduled turn
+  // running on a client-attached conversation.
+  ctx.currentTurnIsNonInteractive = isNonInteractive;
   const diskPressureDecision = classifyDiskPressureTurnPolicy(
     getDiskPressureStatus(),
     {
@@ -1515,6 +1520,10 @@ export async function runAgentLoopImpl(
     ctx.diskPressureCleanupModeActive = false;
     ctx.preactivatedSkillIds = undefined;
     ctx.currentTurnOverrideProfile = undefined;
+    // Turn-scoped interactivity. Clear it so paths that bypass this loop (e.g.
+    // opportunity wakes calling `agentLoop.run` directly) don't inherit a stale
+    // value and instead fall back to live client state in the tool context.
+    ctx.currentTurnIsNonInteractive = undefined;
     // Channel command intents (e.g. Telegram /start) are single-turn metadata.
     // Clear at turn end so they never leak into subsequent unrelated messages.
     ctx.commandIntent = undefined;

package/src/daemon/conversation-process.ts

@@ -60,6 +60,21 @@ import { resolveVerificationSessionIntent } from "./verification-session-intent.
 
 const log = getLogger("conversation-process");
 
+/**
+ * Daemon-injected subagent lifecycle notifications carry `subagentNotification`
+ * metadata. They are persisted into the parent conversation so the orchestrator
+ * wakes and reads the subagent's result, but they are internal scaffolding — the
+ * user sees subagent activity through the inline progress card, not a chat turn.
+ * Skip the `user_message_echo` broadcast for these so they never render as a live
+ * user bubble; the persisted row is filtered from the rendered transcript on the
+ * client.
+ */
+function isSubagentNotificationMessage(
+  metadata: Record<string, unknown> | undefined,
+): boolean {
+  return metadata?.subagentNotification != null;
+}
+
 /** Format the result of a forced compaction into a user-facing message. */
 export function formatCompactResult(result: ContextWindowResult): string {
   const fmt = (n: number | undefined) => (n ?? 0).toLocaleString("en-US");
@@ -853,14 +868,16 @@ async function drainSingleMessage(
 
   // Broadcast the user message to all hub subscribers so passive devices
   // see the user turn before the assistant reply starts streaming.
-  next.onEvent({
-    type: "user_message_echo",
-    text: resolvedContent,
-    conversationId: conversation.conversationId,
-    messageId: userMessageId,
-    requestId: next.requestId,
-    clientMessageId: next.clientMessageId,
-  });
+  if (!isSubagentNotificationMessage(next.metadata)) {
+    next.onEvent({
+      type: "user_message_echo",
+      text: resolvedContent,
+      conversationId: conversation.conversationId,
+      messageId: userMessageId,
+      requestId: next.requestId,
+      clientMessageId: next.clientMessageId,
+    });
+  }
   publishConversationMessagesChanged(conversation.conversationId);
 
   // Set the active surface for the dequeued message so runAgentLoop can inject context
@@ -1204,14 +1221,16 @@ async function drainBatch(
 
     // Broadcast the user message to all hub subscribers so passive devices
     // see each batched user turn before the assistant reply starts streaming.
-    qm.onEvent({
-      type: "user_message_echo",
-      text: qmContent,
-      conversationId: conversation.conversationId,
-      messageId: lastUserMessageId,
-      requestId: qm.requestId,
-      clientMessageId: qm.clientMessageId,
-    });
+    if (!isSubagentNotificationMessage(qm.metadata)) {
+      qm.onEvent({
+        type: "user_message_echo",
+        text: qmContent,
+        conversationId: conversation.conversationId,
+        messageId: lastUserMessageId,
+        requestId: qm.requestId,
+        clientMessageId: qm.clientMessageId,
+      });
+    }
     publishConversationMessagesChanged(conversation.conversationId);
 
     // Persist succeeded. Update last-successful markers so a later tail
@@ -1367,6 +1386,8 @@ export interface ProcessMessageOptions {
    */
   overrideProfile?: string;
   displayContent?: string;
+  /** JWT-verified committer principal for turn-scoped host-proxy authorization. */
+  sourceActorPrincipalId?: string;
 }
 
 // ── processMessage ───────────────────────────────────────────────────
@@ -1390,6 +1411,7 @@ export async function processMessage(
     callSite,
     overrideProfile,
     displayContent,
+    sourceActorPrincipalId,
   } = options;
   await conversation.ensureActorScopedHistory();
   // Snapshot persona context at turn start so later tool turns can't pick up
@@ -1397,7 +1419,7 @@ export async function processMessage(
   conversation.currentTurnTrustContext = conversation.trustContext;
   conversation.currentTurnAuthContext = conversation.authContext;
   conversation.currentTurnSourceActorPrincipalId =
-    conversation.authContext?.actorPrincipalId;
+    sourceActorPrincipalId ?? conversation.authContext?.actorPrincipalId;
   conversation.currentTurnChannelCapabilities =
     conversation.channelCapabilities;
   conversation.currentActiveSurfaceId = activeSurfaceId;

package/src/daemon/conversation-surfaces.ts

@@ -1695,6 +1695,10 @@ export async function handleSurfaceAction(
   surfaceId: string,
   actionId: string,
   data?: Record<string, unknown>,
+  // JWT-verified committer principal; threaded so enqueued turns can
+  // reconstruct the same-user binding for host proxies (CU / app-control),
+  // mirroring the normal message path.
+  sourceActorPrincipalId?: string,
 ): Promise<SurfaceActionResult> {
   // ── Standalone surface interception ──────────────────────────────
   // Daemon-driven surfaces (from `requestInteractiveUi`) register a
@@ -1987,6 +1991,7 @@ export async function handleSurfaceAction(
       requestId,
       activeSurfaceId: surfaceId,
       displayContent,
+      sourceActorPrincipalId,
     });
 
     if (result.rejected) {
@@ -2043,6 +2048,7 @@ export async function handleSurfaceAction(
         requestId,
         activeSurfaceId: surfaceId,
         displayContent,
+        sourceActorPrincipalId,
       })
       .catch((err) => {
         const message = err instanceof Error ? err.message : String(err);
@@ -2233,6 +2239,7 @@ export async function handleSurfaceAction(
     requestId,
     activeSurfaceId: surfaceId,
     displayContent,
+    sourceActorPrincipalId,
   });
   if (result.rejected) {
     ctx.surfaceActionRequestIds.delete(requestId);
@@ -2336,6 +2343,7 @@ export async function handleSurfaceAction(
       requestId,
       activeSurfaceId: surfaceId,
       displayContent,
+      sourceActorPrincipalId,
     })
     .catch((err) => {
       const message = err instanceof Error ? err.message : String(err);

package/src/daemon/conversation-tool-setup.ts

@@ -22,7 +22,12 @@ import type { Message, ToolDefinition } from "../providers/types.js";
 import { assistantEventHub } from "../runtime/assistant-event-hub.js";
 import { registerConversationSender } from "../tools/browser/browser-screencast.js";
 import type { ToolExecutor } from "../tools/executor.js";
-import { getMcpToolDefinitions, getTool } from "../tools/registry.js";
+import {
+  getMcpToolDefinitions,
+  getTool,
+  getWorkspaceToolDefinitions,
+  getWorkspaceToolNames,
+} from "../tools/registry.js";
 import {
   ACTIVITY_SKIP_SET,
   injectActivityField,
@@ -41,6 +46,7 @@ import {
   type ToolExecutionResult,
   type ToolLifecycleEventHandler,
 } from "../tools/types.js";
+import { loadWorkspaceTools } from "../tools/workspace-tools/loader.js";
 import {
   resolveUsageAttribution,
   type UsageAttributionSnapshot,
@@ -238,7 +244,10 @@ export function createToolExecutor(
           });
         }
       },
-      isInteractive: !ctx.hasNoClient && !ctx.headlessLock,
+      isInteractive:
+        ctx.currentTurnIsNonInteractive !== undefined
+          ? !ctx.currentTurnIsNonInteractive
+          : !ctx.hasNoClient && !ctx.headlessLock,
       proxyToolResolver: (
         toolName: string,
         proxyInput: Record<string, unknown>,
@@ -650,11 +659,13 @@ export function isToolActiveForContext(
  * allowedToolNames so newly-activated skill tools aren't blocked by
  * the executor's stale gate.
  *
- * Core (non-MCP) tool definitions are captured at conversation creation and
- * reused on each turn. MCP tool definitions are re-read from the global
- * registry on each turn so that tools registered after conversation creation
- * (e.g. via `vellum mcp reload`) are automatically picked up without
- * requiring conversation disposal or app restart.
+ * Core (non-MCP, non-workspace) tool definitions are captured at conversation
+ * creation and reused on each turn. MCP and workspace tool definitions are
+ * re-read from the global registry on each turn so that tools registered or
+ * changed after conversation creation are automatically picked up without
+ * requiring conversation disposal or app restart — MCP via `vellum mcp
+ * reload`, workspace tools via edits under `<workspaceDir>/tools/` that the
+ * per-turn reconcile (kicked below) folds into the registry.
  */
 export function createResolveToolsCallback(
   toolDefs: ToolDefinition[],
@@ -662,16 +673,21 @@ export function createResolveToolsCallback(
 ): ((history: Message[]) => ToolDefinition[]) | undefined {
   if (toolDefs.length === 0) return undefined;
 
-  // Separate the initial tool defs into core (stable) and MCP (dynamic).
-  // We keep core tools from the snapshot and re-read MCP tools each turn.
+  // Separate the initial tool defs into core (stable) and the two dynamic
+  // categories (MCP, workspace). We keep core tools from the snapshot and
+  // re-read MCP + workspace tools from the registry each turn.
   const initialMcpDefs = getMcpToolDefinitions();
   const initialMcpNames = new Set(initialMcpDefs.map((d) => d.name));
-  const coreToolDefs = toolDefs.filter((d) => !initialMcpNames.has(d.name));
+  const initialWorkspaceNames = new Set(getWorkspaceToolNames());
+  const coreToolDefs = toolDefs.filter(
+    (d) => !initialMcpNames.has(d.name) && !initialWorkspaceNames.has(d.name),
+  );
   log.debug(
     {
       coreCount: coreToolDefs.length,
       mcpCount: initialMcpDefs.length,
       mcpTools: initialMcpDefs.map((d) => d.name),
+      workspaceCount: initialWorkspaceNames.size,
     },
     "Conversation tool resolver initialized",
   );
@@ -685,6 +701,13 @@ export function createResolveToolsCallback(
       return [];
     }
 
+    // Reconcile workspace tool overrides under `<workspaceDir>/tools/` into
+    // the registry, then re-read them below — the on-read replacement for a
+    // filesystem watcher. Fire-and-forget: the reconcile is idempotent,
+    // mtime-cached (a no-op costs one readdir + a stat per file) and
+    // serialized, so the registry settles for a subsequent turn to read.
+    void loadWorkspaceTools();
+
     // Filter core tools based on current conversation context so that tools
     // irrelevant to this turn (e.g. UI tools when no client is connected)
     // are omitted from the definitions sent to the provider.
@@ -705,24 +728,34 @@ export function createResolveToolsCallback(
       ? filteredCoreDefs.filter((d) => wireAllowlist.has(d.name))
       : filteredCoreDefs;
 
-    // Re-read MCP tool definitions from the registry each turn so conversations
-    // automatically pick up tools added/removed by `vellum mcp reload`.
+    // Re-read MCP and workspace tool definitions from the registry each turn
+    // so conversations automatically pick up tools added/removed by `vellum
+    // mcp reload` and workspace-tool edits reconciled from disk, without
+    // recreating the conversation.
     const currentMcpDefs = getMcpToolDefinitions();
+    const currentWorkspaceDefs = getWorkspaceToolDefinitions();
     log.debug(
       {
         coreCount: scopedCoreDefs.length,
         mcpCount: currentMcpDefs.length,
         mcpTools: currentMcpDefs.map((d) => d.name),
+        workspaceCount: currentWorkspaceDefs.length,
+        workspaceTools: currentWorkspaceDefs.map((d) => d.name),
       },
-      "MCP tools resolved for turn",
+      "MCP and workspace tools resolved for turn",
     );
     const scopedMcpDefs = wireAllowlist
       ? currentMcpDefs.filter((d) => wireAllowlist.has(d.name))
       : currentMcpDefs;
+    const scopedWorkspaceDefs = wireAllowlist
+      ? currentWorkspaceDefs.filter((d) => wireAllowlist.has(d.name))
+      : currentWorkspaceDefs;
     const excluded = new Set(getConfig().tools.exclude);
-    const allBaseDefs = [...scopedCoreDefs, ...scopedMcpDefs].filter(
-      (d) => !excluded.has(d.name),
-    );
+    const allBaseDefs = [
+      ...scopedCoreDefs,
+      ...scopedWorkspaceDefs,
+      ...scopedMcpDefs,
+    ].filter((d) => !excluded.has(d.name));
 
     const effectivePreactivated = [
       ...DEFAULT_PREACTIVATED_SKILL_IDS,

package/src/daemon/conversation.ts

@@ -50,6 +50,7 @@ import {
   getMessages,
   resolveOverrideProfile,
   setConversationHistoryStrippedAt,
+  setConversationProcessingStartedAt,
 } from "../memory/conversation-crud.js";
 import { getResolvedConversationDirPath } from "../memory/conversation-directories.js";
 import { ConversationGraphMemory } from "../memory/graph/conversation-graph-memory.js";
@@ -91,7 +92,7 @@ import {
   isActivationMomentParam,
 } from "../telemetry/activation-funnel.js";
 import { ToolExecutor } from "../tools/executor.js";
-import { getAllToolDefinitions } from "../tools/registry.js";
+import { getAllToolDefinitions, getTool } from "../tools/registry.js";
 import type { ToolLifecycleEvent } from "../tools/types.js";
 import type { OnboardingContext } from "../types/onboarding-context.js";
 import type { AbortReason } from "../util/abort-reasons.js";
@@ -376,6 +377,7 @@ export class Conversation {
    */
   wakePersonaOverride?: SystemPromptPersonaOverride;
   /** @internal */ currentTurnOverrideProfile?: string;
+  /** @internal */ currentTurnIsNonInteractive?: boolean;
   /** @internal */ authContext?: AuthContext;
   /** @internal */ currentTurnAuthContext?: AuthContext;
   /** @internal */ currentTurnSourceActorPrincipalId?: string;
@@ -701,6 +703,9 @@ export class Conversation {
       tools: toolDefs.length > 0 ? toolDefs : undefined,
       toolExecutor: toolDefs.length > 0 ? toolExecutor : undefined,
       resolveTools,
+      // A tool the registry marks exclusive (e.g. `advisor`) runs alone in its
+      // turn; the loop defers any sibling calls until the next turn.
+      isExclusiveTool: (name) => getTool(name)?.exclusive === true,
       resolveConversationDir: () => {
         const conv = getConversation(this.conversationId);
         if (!conv) return null;
@@ -1335,6 +1340,13 @@ export class Conversation {
   setProcessing(value: boolean): void {
     const wasProcessing = this._processing;
     this._processing = value;
+    // Persist the cross-process source of truth so out-of-process callers
+    // (retrospective CLI, future detached workers) can detect mid-turn state
+    // by reading the conversations row directly.
+    setConversationProcessingStartedAt(
+      this.conversationId,
+      value ? Date.now() : null,
+    );
     if (wasProcessing && !value) {
       void publishSyncInvalidation([
         conversationMetadataSyncTag(this.conversationId),
@@ -2048,8 +2060,15 @@ export class Conversation {
     surfaceId: string,
     actionId: string,
     data?: Record<string, unknown>,
+    sourceActorPrincipalId?: string,
   ): Promise<SurfaceActionResult> {
-    return handleSurfaceActionImpl(this, surfaceId, actionId, data);
+    return handleSurfaceActionImpl(
+      this,
+      surfaceId,
+      actionId,
+      data,
+      sourceActorPrincipalId,
+    );
   }
 
   handleSurfaceUndo(surfaceId: string): void {

package/src/daemon/disk-pressure-guard.ts

@@ -24,6 +24,12 @@ export const DISK_PRESSURE_CLEAR_THRESHOLD_PERCENT = 90;
 // clears the warning state, which discards the banner's (state-scoped) dismissal
 // so it re-appears the moment usage ticks back up.
 export const DISK_PRESSURE_WARNING_CLEAR_THRESHOLD_PERCENT = 77;
+// Absolute free-space floor (MiB). Regardless of usage percentage, never enter
+// the warning or critical state while at least this much space remains free. A
+// high usage percentage on a large disk can still leave many gigabytes
+// available, where locking is pointless. Small volumes (where a high percentage
+// genuinely means near-full) drop below the floor and remain protected.
+export const DISK_PRESSURE_MIN_FREE_FLOOR_MB = 2048;
 export const DISK_PRESSURE_CHECK_INTERVAL_MS = 60_000;
 export const DISK_PRESSURE_OVERRIDE_CONFIRMATION = "I understand the risks";
 export const DISK_PRESSURE_BLOCKED_CAPABILITIES = [
@@ -219,7 +225,10 @@ export function evaluateDiskPressureNow(): DiskPressureStatus {
   const criticalThreshold = state.status.locked
     ? DISK_PRESSURE_CLEAR_THRESHOLD_PERCENT
     : DISK_PRESSURE_THRESHOLD_PERCENT;
-  const isCritical = usagePercent >= criticalThreshold;
+  // Absolute free-space floor overrides the percentage thresholds: while ample
+  // space remains free, report "ok" no matter how full the volume is by percent.
+  const hasAmpleFreeSpace = usageInfo.freeMb >= DISK_PRESSURE_MIN_FREE_FLOOR_MB;
+  const isCritical = !hasAmpleFreeSpace && usagePercent >= criticalThreshold;
   // Mirror the critical deadband for the warning band: once in an active
   // pressure state (warning or critical), hold warning until usage clears the
   // lower warning-clear threshold. Treating "critical" as active here matters
@@ -235,7 +244,8 @@ export function evaluateDiskPressureNow(): DiskPressureStatus {
   const warningThreshold = inActivePressureState
     ? DISK_PRESSURE_WARNING_CLEAR_THRESHOLD_PERCENT
     : DISK_PRESSURE_WARNING_THRESHOLD_PERCENT;
-  const isWarning = !isCritical && usagePercent >= warningThreshold;
+  const isWarning =
+    !hasAmpleFreeSpace && !isCritical && usagePercent >= warningThreshold;
   const lastCheckedAt = new Date().toISOString();
 
   if (!isCritical && !isWarning) {