@vellumai/assistant 0.3.14 → 0.3.16

package/src/daemon/session-process.ts

@@ -14,14 +14,24 @@ import { getConfig } from '../config/loader.js';
 import * as conversationStore from '../memory/conversation-store.js';
 import { provenanceFromGuardianContext } from '../memory/conversation-store.js';
 import {
+  finalizeFollowup,
+  getExpiredDeliveryByConversation,
+  getFollowupDeliveryByConversation,
   getGuardianActionRequest,
   getPendingDeliveryByConversation,
+  progressFollowupState,
   resolveGuardianActionRequest,
+  startFollowupFromExpiredRequest,
 } from '../memory/guardian-action-store.js';
+import { processGuardianFollowUpTurn } from '../runtime/guardian-action-conversation-turn.js';
+import { executeFollowupAction } from '../runtime/guardian-action-followup-executor.js';
+import { composeGuardianActionMessageGenerative } from '../runtime/guardian-action-message-composer.js';
+import type { GuardianActionCopyGenerator, GuardianFollowUpConversationGenerator } from '../runtime/http-types.js';
 import { extractPreferences } from '../notifications/preference-extractor.js';
 import { createPreference } from '../notifications/preferences-store.js';
 import type { Message } from '../providers/types.js';
 import { getLogger } from '../util/logger.js';
+import { resolveGuardianVerificationIntent } from './guardian-verification-intent.js';
 import type { UsageStats } from './ipc-contract.js';
 import type { ServerMessage, UserMessageAttachment } from './ipc-protocol.js';
 import type { MessageQueue } from './session-queue-manager.js';
@@ -32,6 +42,25 @@ import type { TraceEmitter } from './trace-emitter.js';
 
 const log = getLogger('session-process');
 
+// ---------------------------------------------------------------------------
+// Module-level generator injection
+// ---------------------------------------------------------------------------
+// The daemon lifecycle creates the generator once and injects it here so the
+// mac/IPC channel path can classify follow-up replies without threading the
+// generator through Session / DaemonServer constructors.
+let _guardianFollowUpGenerator: GuardianFollowUpConversationGenerator | undefined;
+let _guardianActionCopyGenerator: GuardianActionCopyGenerator | undefined;
+
+/** Inject the guardian follow-up conversation generator (called from lifecycle.ts). */
+export function setGuardianFollowUpConversationGenerator(gen: GuardianFollowUpConversationGenerator): void {
+  _guardianFollowUpGenerator = gen;
+}
+
+/** Inject the guardian action copy generator (called from lifecycle.ts). */
+export function setGuardianActionCopyGenerator(gen: GuardianActionCopyGenerator): void {
+  _guardianActionCopyGenerator = gen;
+}
+
 /** Build a model_info event with fresh config data. */
 function buildModelInfoEvent(): ServerMessage {
   const config = getConfig();
@@ -75,12 +104,12 @@ export interface ProcessSessionContext {
   /** Assistant identity — used for scoping notification preferences. */
   readonly assistantId?: string;
   guardianContext?: GuardianRuntimeContext;
-  persistUserMessage(content: string, attachments: UserMessageAttachment[], requestId?: string, metadata?: Record<string, unknown>): string;
+  persistUserMessage(content: string, attachments: UserMessageAttachment[], requestId?: string, metadata?: Record<string, unknown>, displayContent?: string): Promise<string>;
   runAgentLoop(
     content: string,
     userMessageId: string,
     onEvent: (msg: ServerMessage) => void,
-    options?: { skipPreMessageRollback?: boolean; isInteractive?: boolean },
+    options?: { skipPreMessageRollback?: boolean; isInteractive?: boolean; titleText?: string },
   ): Promise<void>;
   getTurnChannelContext(): TurnChannelContext | null;
   setTurnChannelContext(ctx: TurnChannelContext): void;
@@ -146,7 +175,7 @@ function buildSlashContext(session: ProcessSessionContext): SlashContext {
  * block, we must explicitly continue draining on failure — otherwise
  * remaining queued messages would be stranded.
  */
-export function drainQueue(session: ProcessSessionContext, reason: QueueDrainReason = 'loop_complete'): void {
+export async function drainQueue(session: ProcessSessionContext, reason: QueueDrainReason = 'loop_complete'): Promise<void> {
   const next = session.queue.shift();
   if (!next) return;
 
@@ -191,16 +220,22 @@ export function drainQueue(session: ProcessSessionContext, reason: QueueDrainRea
           : {}),
       };
       const userMsg = createUserMessage(next.content, next.attachments);
-      conversationStore.addMessage(
+      // When displayContent is provided (e.g. original text before recording
+      // intent stripping), persist that to DB so users see the full message.
+      // The in-memory userMessage (sent to the LLM) still uses the stripped content.
+      const contentToPersist = next.displayContent
+        ? JSON.stringify(createUserMessage(next.displayContent, next.attachments).content)
+        : JSON.stringify(userMsg.content);
+      await conversationStore.addMessage(
         session.conversationId,
         'user',
-        JSON.stringify(userMsg.content),
+        contentToPersist,
         drainChannelMeta,
       );
       session.messages.push(userMsg);
 
       const assistantMsg = createAssistantMessage(slashResult.message);
-      conversationStore.addMessage(
+      await conversationStore.addMessage(
         session.conversationId,
         'assistant',
         JSON.stringify(assistantMsg.content),
@@ -237,7 +272,7 @@ export function drainQueue(session: ProcessSessionContext, reason: QueueDrainRea
       next.onEvent({ type: 'error', message });
     }
     // Continue draining regardless of success/failure
-    drainQueue(session);
+    await drainQueue(session);
     return;
   }
 
@@ -248,13 +283,26 @@ export function drainQueue(session: ProcessSessionContext, reason: QueueDrainRea
     session.preactivatedSkillIds = [slashResult.skillId];
   }
 
+  // Guardian verification intent interception for queued messages.
+  // Preserve the original user content for persistence; only the agent
+  // loop receives the rewritten instruction.
+  let agentLoopContent = resolvedContent;
+  if (slashResult.kind === 'passthrough') {
+    const guardianIntent = resolveGuardianVerificationIntent(resolvedContent);
+    if (guardianIntent.kind === 'direct_setup') {
+      log.info({ conversationId: session.conversationId, channelHint: guardianIntent.channelHint }, 'Guardian verification intent intercepted in queue — forcing skill flow');
+      agentLoopContent = guardianIntent.rewrittenContent;
+      session.preactivatedSkillIds = ['guardian-verify-setup'];
+    }
+  }
+
   // Try to persist and run the dequeued message. If persistUserMessage
   // succeeds, runAgentLoop is called and its finally block will drain
   // the next message. If persistUserMessage fails, processMessage
   // resolves early (no runAgentLoop call), so we must continue draining.
   let userMessageId: string;
   try {
-    userMessageId = session.persistUserMessage(resolvedContent, next.attachments, next.requestId, next.metadata);
+    userMessageId = await session.persistUserMessage(resolvedContent, next.attachments, next.requestId, next.metadata, next.displayContent);
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
     log.error({ err, conversationId: session.conversationId, requestId: next.requestId }, 'Failed to persist queued message');
@@ -267,7 +315,7 @@ export function drainQueue(session: ProcessSessionContext, reason: QueueDrainRea
     // runAgentLoop never ran, so its finally block won't clear this
     session.preactivatedSkillIds = undefined;
     // Continue draining — don't strand remaining messages
-    drainQueue(session);
+    await drainQueue(session);
     return;
   }
 
@@ -301,8 +349,12 @@ export function drainQueue(session: ProcessSessionContext, reason: QueueDrainRea
   // Fire-and-forget: persistUserMessage set session.processing = true
   // so subsequent messages will still be enqueued.
   // runAgentLoop's finally block will call drainQueue when this run completes.
-  session.runAgentLoop(resolvedContent, userMessageId, next.onEvent,
-    next.isInteractive !== undefined ? { isInteractive: next.isInteractive } : undefined,
+  const drainLoopOptions: { isInteractive?: boolean; titleText?: string } = {};
+  if (next.isInteractive !== undefined) drainLoopOptions.isInteractive = next.isInteractive;
+  if (agentLoopContent !== resolvedContent) drainLoopOptions.titleText = resolvedContent;
+
+  session.runAgentLoop(agentLoopContent, userMessageId, next.onEvent,
+    Object.keys(drainLoopOptions).length > 0 ? drainLoopOptions : undefined,
   ).catch((err) => {
     const message = err instanceof Error ? err.message : String(err);
     log.error({ err, conversationId: session.conversationId, requestId: next.requestId }, 'Error processing queued message');
@@ -325,6 +377,7 @@ export async function processMessage(
   activeSurfaceId?: string,
   currentPage?: string,
   options?: { isInteractive?: boolean },
+  displayContent?: string,
 ): Promise<string> {
   session.currentActiveSurfaceId = activeSurfaceId;
   session.currentPage = currentPage;
@@ -339,7 +392,7 @@ export async function processMessage(
       const guardianIfCtx = session.getTurnInterfaceContext();
       const guardianChannelMeta = { userMessageChannel: 'vellum' as const, assistantMessageChannel: 'vellum' as const, userMessageInterface: guardianIfCtx?.userMessageInterface ?? 'vellum', assistantMessageInterface: guardianIfCtx?.assistantMessageInterface ?? 'vellum', provenanceActorRole: 'guardian' as const };
       const userMsg = createUserMessage(content, attachments);
-      const persisted = conversationStore.addMessage(
+      const persisted = await conversationStore.addMessage(
         session.conversationId,
         'user',
         JSON.stringify(userMsg.content),
@@ -357,9 +410,9 @@ export async function processMessage(
         const resolved = resolveGuardianActionRequest(guardianRequest.id, content, 'vellum');
         const replyText = resolved
           ? 'Your answer has been relayed to the call.'
-          : 'This question has already been answered from another channel.';
+          : await composeGuardianActionMessageGenerative({ scenario: 'guardian_stale_answered' }, {}, _guardianActionCopyGenerator);
         const replyMsg = createAssistantMessage(replyText);
-        conversationStore.addMessage(
+        await conversationStore.addMessage(
           session.conversationId,
           'assistant',
           JSON.stringify(replyMsg.content),
@@ -370,21 +423,176 @@ export async function processMessage(
       } else {
         const errorDetail = 'error' in answerResult ? answerResult.error : 'Unknown error';
         log.warn({ callSessionId: guardianRequest.callSessionId, error: errorDetail }, 'answerCall failed for mac guardian answer');
-        const failMsg = createAssistantMessage('Failed to deliver your answer to the call. Please try again.');
-        conversationStore.addMessage(
+        const failureText = await composeGuardianActionMessageGenerative(
+          { scenario: 'guardian_answer_delivery_failed' },
+          {},
+          _guardianActionCopyGenerator,
+        );
+        const failMsg = createAssistantMessage(failureText);
+        await conversationStore.addMessage(
           session.conversationId,
           'assistant',
           JSON.stringify(failMsg.content),
           guardianChannelMeta,
         );
         session.messages.push(failMsg);
-        onEvent({ type: 'assistant_text_delta', text: 'Failed to deliver your answer to the call. Please try again.' });
+        onEvent({ type: 'assistant_text_delta', text: failureText });
       }
       onEvent({ type: 'message_complete', sessionId: session.conversationId });
       return persisted.id;
     }
   }
 
+  // ── Expired guardian action late answer interception (mac channel) ──
+  // If no pending delivery was found, check for expired requests eligible
+  // for follow-up (status='expired', followup_state='none').
+  const expiredDelivery = getExpiredDeliveryByConversation(session.conversationId);
+  if (expiredDelivery) {
+    const expiredRequest = getGuardianActionRequest(expiredDelivery.requestId);
+    if (expiredRequest && expiredRequest.status === 'expired' && expiredRequest.followupState === 'none') {
+      const guardianIfCtx = session.getTurnInterfaceContext();
+      const guardianChannelMeta = { userMessageChannel: 'vellum' as const, assistantMessageChannel: 'vellum' as const, userMessageInterface: guardianIfCtx?.userMessageInterface ?? 'vellum', assistantMessageInterface: guardianIfCtx?.assistantMessageInterface ?? 'vellum', provenanceActorRole: 'guardian' as const };
+      const userMsg = createUserMessage(content, attachments);
+      const persisted = await conversationStore.addMessage(
+        session.conversationId,
+        'user',
+        JSON.stringify(userMsg.content),
+        guardianChannelMeta,
+      );
+      session.messages.push(userMsg);
+
+      const followupResult = startFollowupFromExpiredRequest(expiredRequest.id, content);
+      if (followupResult) {
+        const followupText = await composeGuardianActionMessageGenerative(
+          {
+            scenario: 'guardian_late_answer_followup',
+            questionText: expiredRequest.questionText,
+            lateAnswerText: content,
+          },
+          {},
+          _guardianActionCopyGenerator,
+        );
+        const replyMsg = createAssistantMessage(followupText);
+        await conversationStore.addMessage(
+          session.conversationId,
+          'assistant',
+          JSON.stringify(replyMsg.content),
+          guardianChannelMeta,
+        );
+        session.messages.push(replyMsg);
+        onEvent({ type: 'assistant_text_delta', text: followupText });
+      } else {
+        // Follow-up already started or conflict — send stale message
+        const staleText = await composeGuardianActionMessageGenerative(
+          { scenario: 'guardian_stale_expired' },
+          {},
+          _guardianActionCopyGenerator,
+        );
+        const staleMsg = createAssistantMessage(staleText);
+        await conversationStore.addMessage(
+          session.conversationId,
+          'assistant',
+          JSON.stringify(staleMsg.content),
+          guardianChannelMeta,
+        );
+        session.messages.push(staleMsg);
+        onEvent({ type: 'assistant_text_delta', text: staleText });
+      }
+      onEvent({ type: 'message_complete', sessionId: session.conversationId });
+      return persisted.id;
+    }
+  }
+
+  // ── Guardian follow-up conversation interception (mac channel) ──
+  // When a request is in `awaiting_guardian_choice` state, the guardian has
+  // already been asked "call back or send a message?". Their next message
+  // is the reply — route it through the conversation engine.
+  const followupDelivery = getFollowupDeliveryByConversation(session.conversationId);
+  if (followupDelivery) {
+    const followupRequest = getGuardianActionRequest(followupDelivery.requestId);
+    if (followupRequest && followupRequest.followupState === 'awaiting_guardian_choice') {
+      const guardianIfCtx = session.getTurnInterfaceContext();
+      const guardianChannelMeta = { userMessageChannel: 'vellum' as const, assistantMessageChannel: 'vellum' as const, userMessageInterface: guardianIfCtx?.userMessageInterface ?? 'vellum', assistantMessageInterface: guardianIfCtx?.assistantMessageInterface ?? 'vellum', provenanceActorRole: 'guardian' as const };
+      const userMsg = createUserMessage(content, attachments);
+      const persisted = await conversationStore.addMessage(
+        session.conversationId,
+        'user',
+        JSON.stringify(userMsg.content),
+        guardianChannelMeta,
+      );
+      session.messages.push(userMsg);
+
+      const turnResult = await processGuardianFollowUpTurn(
+        {
+          questionText: followupRequest.questionText,
+          lateAnswerText: followupRequest.lateAnswerText ?? '',
+          guardianReply: content,
+        },
+        _guardianFollowUpGenerator,
+      );
+
+      // Apply the disposition to the follow-up state machine.
+      // Both progressFollowupState and finalizeFollowup are compare-and-set:
+      // they return null when the transition was not applied (e.g. a concurrent
+      // reply already advanced the state). In that case we notify the guardian
+      // that the request was already resolved and skip action execution.
+      let stateApplied = true;
+      if (turnResult.disposition === 'call_back' || turnResult.disposition === 'message_back') {
+        stateApplied = progressFollowupState(followupRequest.id, 'dispatching', turnResult.disposition) !== null;
+      } else if (turnResult.disposition === 'decline') {
+        stateApplied = finalizeFollowup(followupRequest.id, 'declined') !== null;
+      }
+      // keep_pending: no state change — guardian can reply again
+
+      if (!stateApplied) {
+        log.warn({ requestId: followupRequest.id, disposition: turnResult.disposition }, 'Follow-up state transition failed (already resolved)');
+      }
+
+      const replyText = stateApplied
+        ? turnResult.replyText
+        : await composeGuardianActionMessageGenerative({ scenario: 'guardian_stale_followup' }, {}, _guardianActionCopyGenerator);
+      const replyMsg = createAssistantMessage(replyText);
+      await conversationStore.addMessage(
+        session.conversationId,
+        'assistant',
+        JSON.stringify(replyMsg.content),
+        guardianChannelMeta,
+      );
+      session.messages.push(replyMsg);
+      onEvent({ type: 'assistant_text_delta', text: replyText });
+      onEvent({ type: 'message_complete', sessionId: session.conversationId });
+
+      // Execute the action and send a completion/failure message (fire-and-forget).
+      // The initial reply above acknowledges the guardian's choice; the executor
+      // carries out the actual call_back or message_back and posts a second message.
+      if (stateApplied && (turnResult.disposition === 'call_back' || turnResult.disposition === 'message_back')) {
+        void (async () => {
+          try {
+            const execResult = await executeFollowupAction(
+              followupRequest.id,
+              turnResult.disposition as 'call_back' | 'message_back',
+              _guardianActionCopyGenerator,
+            );
+            const completionMsg = createAssistantMessage(execResult.guardianReplyText);
+            await conversationStore.addMessage(
+              session.conversationId,
+              'assistant',
+              JSON.stringify(completionMsg.content),
+              guardianChannelMeta,
+            );
+            session.messages.push(completionMsg);
+            onEvent({ type: 'assistant_text_delta', text: execResult.guardianReplyText });
+            onEvent({ type: 'message_complete', sessionId: session.conversationId });
+          } catch (execErr) {
+            log.error({ err: execErr, requestId: followupRequest.id }, 'Follow-up action execution or completion message failed');
+          }
+        })();
+      }
+
+      return persisted.id;
+    }
+  }
+
   // Resolve slash commands before persistence
   const slashResult = resolveSlash(content, buildSlashContext(session));
 
@@ -405,16 +613,22 @@ export async function processMessage(
         : {}),
     };
     const userMsg = createUserMessage(content, attachments);
-    const persisted = conversationStore.addMessage(
+    // When displayContent is provided (e.g. original text before recording
+    // intent stripping), persist that to DB so users see the full message.
+    // The in-memory userMessage (sent to the LLM) still uses the stripped content.
+    const contentToPersist = displayContent
+      ? JSON.stringify(createUserMessage(displayContent, attachments).content)
+      : JSON.stringify(userMsg.content);
+    const persisted = await conversationStore.addMessage(
       session.conversationId,
       'user',
-      JSON.stringify(userMsg.content),
+      contentToPersist,
       pmChannelMeta,
     );
     session.messages.push(userMsg);
 
     const assistantMsg = createAssistantMessage(slashResult.message);
-    conversationStore.addMessage(
+    await conversationStore.addMessage(
       session.conversationId,
       'assistant',
       JSON.stringify(assistantMsg.content),
@@ -450,9 +664,24 @@ export async function processMessage(
     session.preactivatedSkillIds = [slashResult.skillId];
   }
 
+  // Guardian verification intent interception — force direct guardian
+  // verification requests into the guardian-verify-setup skill flow on
+  // the first turn, avoiding conceptual preambles from the agent.
+  // We keep the original user content for persistence and use the
+  // rewritten content only for the agent loop instruction.
+  let agentLoopContent = resolvedContent;
+  if (slashResult.kind === 'passthrough') {
+    const guardianIntent = resolveGuardianVerificationIntent(resolvedContent);
+    if (guardianIntent.kind === 'direct_setup') {
+      log.info({ conversationId: session.conversationId, channelHint: guardianIntent.channelHint }, 'Guardian verification intent intercepted — forcing skill flow');
+      agentLoopContent = guardianIntent.rewrittenContent;
+      session.preactivatedSkillIds = ['guardian-verify-setup'];
+    }
+  }
+
   let userMessageId: string;
   try {
-    userMessageId = session.persistUserMessage(resolvedContent, attachments, requestId);
+    userMessageId = await session.persistUserMessage(resolvedContent, attachments, requestId, undefined, displayContent);
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
     onEvent({ type: 'error', message });
@@ -485,8 +714,12 @@ export async function processMessage(
       });
   }
 
-  await session.runAgentLoop(resolvedContent, userMessageId, onEvent,
-    options?.isInteractive !== undefined ? { isInteractive: options.isInteractive } : undefined,
+  const loopOptions: { isInteractive?: boolean; titleText?: string } = {};
+  if (options?.isInteractive !== undefined) loopOptions.isInteractive = options.isInteractive;
+  if (agentLoopContent !== resolvedContent) loopOptions.titleText = resolvedContent;
+
+  await session.runAgentLoop(agentLoopContent, userMessageId, onEvent,
+    Object.keys(loopOptions).length > 0 ? loopOptions : undefined,
   );
   return userMessageId;
 }

package/src/daemon/session-queue-manager.ts

@@ -25,6 +25,8 @@ export interface QueuedMessage {
   isInteractive?: boolean;
   /** Timestamp (ms) when the message was enqueued. */
   queuedAt: number;
+  /** Original user message text to persist to DB when recording intent stripping produced a different `content`. */
+  displayContent?: string;
 }
 
 export const MAX_QUEUE_DEPTH = 10;

package/src/daemon/session-runtime-assembly.ts

@@ -25,6 +25,10 @@ export interface ChannelCapabilities {
   supportsDynamicUi: boolean;
   /** Whether the channel supports voice/microphone input. */
   supportsVoiceInput: boolean;
+  /** Push-to-talk activation key (e.g. 'fn', 'ctrl', 'fn_shift', 'none'). Only present on desktop clients. */
+  pttActivationKey?: string;
+  /** Whether the client has been granted microphone permission by the OS. */
+  microphonePermissionGranted?: boolean;
 }
 
 /** Guardian identity/trust context for external chat channels. */
@@ -39,10 +43,26 @@ export interface GuardianRuntimeContext {
   denialReason?: 'no_binding' | 'no_identity';
 }
 
+/** Allowed push-to-talk activation key values. Used to validate client-provided keys before system-prompt injection. */
+const PTT_KEY_ALLOWLIST = new Set(['fn', 'ctrl', 'fn_shift', 'none']);
+
+/** Validate a PTT activation key against the allowlist. Returns the key if valid, 'unknown' otherwise. */
+export function sanitizePttActivationKey(key: string | undefined | null): string | undefined {
+  if (key == null) return undefined;
+  return PTT_KEY_ALLOWLIST.has(key) ? key : 'unknown';
+}
+
+/** Optional PTT metadata provided by the client alongside each message. */
+export interface PttMetadata {
+  pttActivationKey?: string;
+  microphonePermissionGranted?: boolean;
+}
+
 /** Derive channel capabilities from source channel + interface identifiers. */
 export function resolveChannelCapabilities(
   sourceChannel?: string | null,
   sourceInterface?: string | null,
+  pttMetadata?: PttMetadata | null,
 ): ChannelCapabilities {
   // Normalise legacy pseudo-channel IDs to canonical ChannelId values.
   let channel: string;
@@ -85,6 +105,8 @@ export function resolveChannelCapabilities(
         dashboardCapable: supportsDesktopUi,
         supportsDynamicUi: supportsDesktopUi,
         supportsVoiceInput: supportsDesktopUi,
+        pttActivationKey: sanitizePttActivationKey(pttMetadata?.pttActivationKey),
+        microphonePermissionGranted: pttMetadata?.microphonePermissionGranted,
       };
     }
     case 'telegram':
@@ -334,6 +356,23 @@ export function injectChannelCapabilityContext(message: Message, caps: ChannelCa
     lines.push('- Do NOT ask the user to use voice or microphone input.');
   }
 
+  // PTT state — only relevant on channels that support voice input
+  if (caps.supportsVoiceInput) {
+    if (caps.pttActivationKey && caps.pttActivationKey !== 'none') {
+      const keyLabel = caps.pttActivationKey === 'fn_shift' ? 'Fn+Shift' : caps.pttActivationKey === 'fn' ? 'Fn (Globe)' : caps.pttActivationKey;
+      lines.push(`ptt_activation_key: ${caps.pttActivationKey}`);
+      lines.push(`ptt_enabled: true`);
+      lines.push(`Push-to-talk is configured with the ${keyLabel} key. The user can hold ${keyLabel} to dictate text or start a voice conversation.`);
+    } else if (caps.pttActivationKey === 'none') {
+      lines.push(`ptt_activation_key: none`);
+      lines.push(`ptt_enabled: false`);
+      lines.push('Push-to-talk is disabled. You can offer to enable it for the user.');
+    }
+    if (caps.microphonePermissionGranted !== undefined) {
+      lines.push(`microphone_permission_granted: ${caps.microphonePermissionGranted}`);
+    }
+  }
+
   lines.push('</channel_capabilities>');
 
   const block = lines.join('\n');

package/src/daemon/session-skill-tools.ts

@@ -282,17 +282,18 @@ export function projectSkillTools(
     );
 
     if (tools.length > 0) {
+      let accepted = tools;
       const prevHash = prevActive.get(skillId);
       if (prevHash === undefined) {
         // Newly active skill — register for the first time
-        registerSkillTools(tools);
+        accepted = registerSkillTools(tools);
       } else if (prevHash !== currentHash) {
         // Hash changed — unregister stale tools, then re-register with new definitions
         log.info({ skillId, prevHash, currentHash }, 'Skill version changed, re-registering tools');
         unregisterSkillTools(skillId);
         alreadyUnregistered.add(skillId);
         try {
-          registerSkillTools(tools);
+          accepted = registerSkillTools(tools);
         } catch (err) {
           log.error({ err, skillId }, 'Failed to re-register skill tools after version change');
           // Don't add to successfulEntries — will be cleaned up as transiently-failed
@@ -306,12 +307,20 @@ export function projectSkillTools(
         if (existing && existing.ownerSkillBundled !== (skill.bundled ?? undefined)) {
           log.info({ skillId, bundled: skill.bundled }, 'Skill bundled status changed, re-registering tools');
           unregisterSkillTools(skillId);
-          registerSkillTools(tools);
+          accepted = registerSkillTools(tools);
+        } else {
+          // Filter to only tools that are actually registered for this skill.
+          // Some tools may have been skipped during initial registration due
+          // to core-name collisions — don't let them leak back in.
+          accepted = tools.filter((t) => {
+            const reg = getTool(t.name);
+            return reg !== undefined && reg.origin === 'skill' && reg.ownerSkillId === skillId;
+          });
         }
       }
 
       successfulEntries.set(skillId, currentHash);
-      for (const tool of tools) {
+      for (const tool of accepted) {
         allToolDefinitions.push(tool.getDefinition());
         allToolNames.add(tool.name);
       }

package/src/daemon/session-tool-setup.ts

@@ -25,8 +25,8 @@ import { requestComputerControlTool } from '../tools/computer-use/request-comput
 import type { ProxyApprovalCallback, ProxyApprovalRequest } from '../tools/network/script-proxy/index.js';
 import { getAllToolDefinitions } from '../tools/registry.js';
 import { allUiSurfaceTools } from '../tools/ui-surface/definitions.js';
-import { projectSkillTools, type SkillProjectionCache } from './session-skill-tools.js';
 import type { GuardianRuntimeContext } from './session-runtime-assembly.js';
+import { projectSkillTools, type SkillProjectionCache } from './session-skill-tools.js';
 import type { SurfaceSessionContext } from './session-surfaces.js';
 import {
   surfaceProxyResolver,
@@ -117,12 +117,11 @@ export function createToolExecutor(
       forcePromptSideEffects: ctx.memoryPolicy.strictSideEffects,
       onToolLifecycleEvent: handleToolLifecycleEvent,
       sendToClient: (msg) => {
-        const serverMsg = msg as unknown as ServerMessage;
-        ctx.sendToClient(serverMsg);
-        // Auto-track ui_surface_show for history persistence, mirroring what
-        // session-surfaces.ts does when sending surfaces through its own path.
-        if (serverMsg.type === 'ui_surface_show') {
-          const s = serverMsg as unknown as UiSurfaceShow;
+        // Tool context's sendToClient uses a loose { type: string; [key: string]: unknown }
+        // signature, but at runtime these are always ServerMessage instances.
+        ctx.sendToClient(msg as ServerMessage);
+        if (msg.type === 'ui_surface_show') {
+          const s = msg as unknown as UiSurfaceShow;
           ctx.currentTurnSurfaces.push({
             surfaceId: s.surfaceId,
             surfaceType: s.surfaceType,

package/src/daemon/session.ts

@@ -397,8 +397,9 @@ export class Session {
     currentPage?: string,
     metadata?: Record<string, unknown>,
     options?: { isInteractive?: boolean },
+    displayContent?: string,
   ): { queued: boolean; rejected?: boolean; requestId: string } {
-    return enqueueMessageImpl(this, content, attachments, onEvent, requestId, activeSurfaceId, currentPage, metadata, options);
+    return enqueueMessageImpl(this, content, attachments, onEvent, requestId, activeSurfaceId, currentPage, metadata, options, displayContent);
   }
 
   getQueueDepth(): number {
@@ -425,6 +426,14 @@ export class Session {
     return this.prompter.hasPendingRequest(requestId);
   }
 
+  hasAnyPendingConfirmation(): boolean {
+    return this.prompter.hasPending;
+  }
+
+  denyAllPendingConfirmations(): void {
+    this.prompter.denyAllPending();
+  }
+
   hasPendingSecret(requestId: string): boolean {
     return this.secretPrompter.hasPendingRequest(requestId);
   }
@@ -489,13 +498,14 @@ export class Session {
     return this.currentTurnInterfaceContext;
   }
 
-  persistUserMessage(
+  async persistUserMessage(
     content: string,
     attachments: UserMessageAttachment[],
     requestId?: string,
     metadata?: Record<string, unknown>,
-  ): string {
-    return persistUserMessageImpl(this, content, attachments, requestId, metadata);
+    displayContent?: string,
+  ): Promise<string> {
+    return persistUserMessageImpl(this, content, attachments, requestId, metadata, displayContent);
   }
 
   // ── Agent Loop ───────────────────────────────────────────────────
@@ -504,14 +514,14 @@ export class Session {
     content: string,
     userMessageId: string,
     onEvent: (msg: ServerMessage) => void,
-    options?: { skipPreMessageRollback?: boolean; isInteractive?: boolean },
+    options?: { skipPreMessageRollback?: boolean; isInteractive?: boolean; titleText?: string },
   ): Promise<void> {
     return runAgentLoopImpl(this, content, userMessageId, onEvent, options);
   }
 
 
-  drainQueue(reason: QueueDrainReason = 'loop_complete'): void {
-    drainQueueImpl(this as ProcessSessionContext, reason);
+  drainQueue(reason: QueueDrainReason = 'loop_complete'): Promise<void> {
+    return drainQueueImpl(this as ProcessSessionContext, reason);
   }
 
   async processMessage(
@@ -522,8 +532,9 @@ export class Session {
     activeSurfaceId?: string,
     currentPage?: string,
     options?: { isInteractive?: boolean },
+    displayContent?: string,
   ): Promise<string> {
-    return processMessageImpl(this as ProcessSessionContext, content, attachments, onEvent, requestId, activeSurfaceId, currentPage, options);
+    return processMessageImpl(this as ProcessSessionContext, content, attachments, onEvent, requestId, activeSurfaceId, currentPage, options, displayContent);
   }
 
   // ── History ──────────────────────────────────────────────────────