@vellumai/assistant 0.3.19 → 0.3.21

package/src/__tests__/thread-seed-composer.test.ts

@@ -175,6 +175,24 @@ describe('composeThreadSeed', () => {
       expect(seed).toContain('Action required');
     });
 
+    test('does not duplicate "Action required" when copy already includes it', () => {
+      const signal = makeSignal({
+        attentionHints: {
+          requiresAction: true,
+          urgency: 'high',
+          isAsyncBackground: false,
+          visibleInSourceNow: false,
+        },
+      });
+      const copy = makeCopy({
+        title: 'Guardian Question',
+        body: 'Action required: What is the gate code?',
+      });
+      const seed = composeThreadSeed(signal, 'vellum' as NotificationChannel, copy);
+      const markerCount = (seed.match(/action required/gi) ?? []).length;
+      expect(markerCount).toBe(1);
+    });
+
     test('omits "Notification" generic title', () => {
       const signal = makeSignal();
       const copy = makeCopy({ title: 'Notification', body: 'Something new.' });

package/src/__tests__/tool-approval-handler.test.ts

@@ -0,0 +1,350 @@
+import { mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+
+import { afterAll, beforeEach, describe, expect, mock, test } from 'bun:test';
+
+const testDir = mkdtempSync(join(tmpdir(), 'tool-approval-handler-test-'));
+
+mock.module('../util/platform.js', () => ({
+  getDataDir: () => testDir,
+  isMacOS: () => process.platform === 'darwin',
+  isLinux: () => process.platform === 'linux',
+  isWindows: () => process.platform === 'win32',
+  getSocketPath: () => join(testDir, 'test.sock'),
+  getPidPath: () => join(testDir, 'test.pid'),
+  getDbPath: () => join(testDir, 'test.db'),
+  getLogPath: () => join(testDir, 'test.log'),
+  ensureDataDir: () => {},
+  migrateToDataLayout: () => {},
+  migrateToWorkspaceLayout: () => {},
+}));
+
+mock.module('../util/logger.js', () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+  isDebug: () => false,
+  truncateForLog: (value: string) => value,
+}));
+
+// Mock parental controls — no tools blocked by default
+mock.module('../security/parental-control-store.js', () => ({
+  isToolBlocked: () => false,
+}));
+
+// Mock guardian control-plane policy — not targeting control-plane by default
+mock.module('../tools/guardian-control-plane-policy.js', () => ({
+  enforceGuardianOnlyPolicy: () => ({ denied: false }),
+}));
+
+// Mock task run rules — no task run rules by default
+mock.module('../tasks/ephemeral-permissions.js', () => ({
+  getTaskRunRules: () => [],
+}));
+
+// Mock tool registry — return a fake tool for 'bash'
+const fakeTool = {
+  name: 'bash',
+  description: 'Run a shell command',
+  category: 'shell',
+  defaultRiskLevel: 'high',
+  getDefinition: () => ({ name: 'bash', description: 'Run a shell command', input_schema: {} }),
+  execute: async () => ({ content: 'ok', isError: false }),
+};
+
+mock.module('../tools/registry.js', () => ({
+  getTool: (name: string) => (name === 'bash' ? fakeTool : undefined),
+  getAllTools: () => [fakeTool],
+}));
+
+import { mintGrantFromDecision, type MintGrantParams } from '../approvals/approval-primitive.js';
+import { getDb, initializeDb, resetDb } from '../memory/db.js';
+import { scopedApprovalGrants } from '../memory/schema.js';
+import { computeToolApprovalDigest } from '../security/tool-approval-digest.js';
+import { ToolApprovalHandler } from '../tools/tool-approval-handler.js';
+import type { ToolContext, ToolLifecycleEvent } from '../tools/types.js';
+
+initializeDb();
+
+function clearTables(): void {
+  const db = getDb();
+  db.delete(scopedApprovalGrants).run();
+}
+
+afterAll(() => {
+  resetDb();
+  try {
+    rmSync(testDir, { recursive: true });
+  } catch {
+    /* best effort */
+  }
+});
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function mintParams(overrides: Partial<MintGrantParams> = {}): MintGrantParams {
+  const futureExpiry = new Date(Date.now() + 60_000).toISOString();
+  return {
+    assistantId: 'self',
+    scopeMode: 'tool_signature',
+    requestChannel: 'telegram',
+    decisionChannel: 'telegram',
+    expiresAt: futureExpiry,
+    ...overrides,
+  };
+}
+
+function makeContext(overrides: Partial<ToolContext> = {}): ToolContext {
+  return {
+    workingDir: testDir,
+    sessionId: 'session-1',
+    conversationId: 'conv-1',
+    assistantId: 'self',
+    requestId: 'req-1',
+    guardianActorRole: 'non-guardian',
+    ...overrides,
+  };
+}
+
+// ===========================================================================
+// TESTS
+// ===========================================================================
+
+describe('ToolApprovalHandler / pre-exec gate grant check', () => {
+  const handler = new ToolApprovalHandler();
+  const events: ToolLifecycleEvent[] = [];
+  const emitLifecycleEvent = (event: ToolLifecycleEvent) => { events.push(event); };
+
+  beforeEach(() => {
+    clearTables();
+    events.length = 0;
+  });
+
+  test('untrusted actor + matching tool_signature grant -> allow', async () => {
+    const toolName = 'bash';
+    const input = { command: 'ls -la' };
+    const digest = computeToolApprovalDigest(toolName, input);
+
+    // Mint a grant that matches the invocation
+    const mintResult = mintGrantFromDecision(
+      mintParams({
+        scopeMode: 'tool_signature',
+        toolName,
+        inputDigest: digest,
+      }),
+    );
+    expect(mintResult.ok).toBe(true);
+
+    const context = makeContext({ guardianActorRole: 'non-guardian' });
+    const result = await handler.checkPreExecutionGates(
+      toolName, input, context, 'host', 'high', Date.now(), emitLifecycleEvent,
+    );
+
+    expect(result.allowed).toBe(true);
+    // No permission_denied events should have been emitted
+    const deniedEvents = events.filter((e) => e.type === 'permission_denied');
+    expect(deniedEvents.length).toBe(0);
+  });
+
+  test('untrusted actor + no matching grant -> deny with guardian_approval_required', async () => {
+    const toolName = 'bash';
+    const input = { command: 'rm -rf /' };
+
+    const context = makeContext({ guardianActorRole: 'non-guardian' });
+    const result = await handler.checkPreExecutionGates(
+      toolName, input, context, 'host', 'high', Date.now(), emitLifecycleEvent,
+    );
+
+    expect(result.allowed).toBe(false);
+    if (result.allowed) return;
+    expect(result.result.isError).toBe(true);
+    expect(result.result.content).toContain('guardian approval');
+
+    // A permission_denied event should have been emitted
+    const deniedEvents = events.filter((e) => e.type === 'permission_denied');
+    expect(deniedEvents.length).toBe(1);
+  });
+
+  test('unverified_channel actor + matching grant -> allow', async () => {
+    const toolName = 'bash';
+    const input = { command: 'echo hello' };
+    const digest = computeToolApprovalDigest(toolName, input);
+
+    mintGrantFromDecision(
+      mintParams({
+        scopeMode: 'tool_signature',
+        toolName,
+        inputDigest: digest,
+      }),
+    );
+
+    const context = makeContext({ guardianActorRole: 'unverified_channel' });
+    const result = await handler.checkPreExecutionGates(
+      toolName, input, context, 'host', 'high', Date.now(), emitLifecycleEvent,
+    );
+
+    expect(result.allowed).toBe(true);
+  });
+
+  test('unverified_channel actor + no grant -> deny', async () => {
+    const toolName = 'bash';
+    const input = { command: 'deploy' };
+
+    const context = makeContext({ guardianActorRole: 'unverified_channel' });
+    const result = await handler.checkPreExecutionGates(
+      toolName, input, context, 'host', 'high', Date.now(), emitLifecycleEvent,
+    );
+
+    expect(result.allowed).toBe(false);
+    if (result.allowed) return;
+    expect(result.result.content).toContain('verified channel identity');
+  });
+
+  test('grant is one-time: second invocation with same input denied', async () => {
+    const toolName = 'bash';
+    const input = { command: 'ls' };
+    const digest = computeToolApprovalDigest(toolName, input);
+
+    mintGrantFromDecision(
+      mintParams({
+        scopeMode: 'tool_signature',
+        toolName,
+        inputDigest: digest,
+      }),
+    );
+
+    const context = makeContext({ guardianActorRole: 'non-guardian' });
+
+    // First invocation — should consume the grant and allow
+    const first = await handler.checkPreExecutionGates(
+      toolName, input, context, 'host', 'high', Date.now(), emitLifecycleEvent,
+    );
+    expect(first.allowed).toBe(true);
+
+    // Second invocation — grant already consumed, should deny
+    const second = await handler.checkPreExecutionGates(
+      toolName, input, context, 'host', 'high', Date.now(), emitLifecycleEvent,
+    );
+    expect(second.allowed).toBe(false);
+  });
+
+  test('grant with mismatched input digest -> deny', async () => {
+    const toolName = 'bash';
+    const grantInput = { command: 'ls' };
+    const invokeInput = { command: 'rm -rf /' };
+    const grantDigest = computeToolApprovalDigest(toolName, grantInput);
+
+    mintGrantFromDecision(
+      mintParams({
+        scopeMode: 'tool_signature',
+        toolName,
+        inputDigest: grantDigest,
+      }),
+    );
+
+    const context = makeContext({ guardianActorRole: 'non-guardian' });
+    const result = await handler.checkPreExecutionGates(
+      toolName, invokeInput, context, 'host', 'high', Date.now(), emitLifecycleEvent,
+    );
+
+    expect(result.allowed).toBe(false);
+  });
+
+  test('expired grant -> deny', async () => {
+    const toolName = 'bash';
+    const input = { command: 'ls' };
+    const digest = computeToolApprovalDigest(toolName, input);
+    const pastExpiry = new Date(Date.now() - 60_000).toISOString();
+
+    mintGrantFromDecision(
+      mintParams({
+        scopeMode: 'tool_signature',
+        toolName,
+        inputDigest: digest,
+        expiresAt: pastExpiry,
+      }),
+    );
+
+    const context = makeContext({ guardianActorRole: 'non-guardian' });
+    const result = await handler.checkPreExecutionGates(
+      toolName, input, context, 'host', 'high', Date.now(), emitLifecycleEvent,
+    );
+
+    expect(result.allowed).toBe(false);
+  });
+
+  test('guardian actor bypasses grant check entirely (no grant needed)', async () => {
+    const toolName = 'bash';
+    const input = { command: 'deploy' };
+
+    // No grants minted at all
+    const context = makeContext({ guardianActorRole: 'guardian' });
+    const result = await handler.checkPreExecutionGates(
+      toolName, input, context, 'host', 'high', Date.now(), emitLifecycleEvent,
+    );
+
+    // Guardian should pass through — the untrusted gate is not triggered
+    expect(result.allowed).toBe(true);
+  });
+
+  test('undefined actor role (desktop/trusted) bypasses grant check', async () => {
+    const toolName = 'bash';
+    const input = { command: 'deploy' };
+
+    const context = makeContext({ guardianActorRole: undefined });
+    const result = await handler.checkPreExecutionGates(
+      toolName, input, context, 'host', 'high', Date.now(), emitLifecycleEvent,
+    );
+
+    expect(result.allowed).toBe(true);
+  });
+
+  test('grant with matching request_id scope -> allow', async () => {
+    const toolName = 'bash';
+    const input = { command: 'ls' };
+
+    mintGrantFromDecision(
+      mintParams({
+        scopeMode: 'request_id',
+        requestId: 'req-1',
+      }),
+    );
+
+    const context = makeContext({ guardianActorRole: 'non-guardian', requestId: 'req-1' });
+    const result = await handler.checkPreExecutionGates(
+      toolName, input, context, 'host', 'high', Date.now(), emitLifecycleEvent,
+    );
+
+    expect(result.allowed).toBe(true);
+  });
+
+  test('grant with context fields (conversationId) must match', async () => {
+    const toolName = 'bash';
+    const input = { command: 'ls' };
+    const digest = computeToolApprovalDigest(toolName, input);
+
+    mintGrantFromDecision(
+      mintParams({
+        scopeMode: 'tool_signature',
+        toolName,
+        inputDigest: digest,
+        conversationId: 'conv-other',
+      }),
+    );
+
+    // Context conversationId does not match the grant's conversationId
+    const context = makeContext({
+      guardianActorRole: 'non-guardian',
+      conversationId: 'conv-1',
+    });
+    const result = await handler.checkPreExecutionGates(
+      toolName, input, context, 'host', 'high', Date.now(), emitLifecycleEvent,
+    );
+
+    expect(result.allowed).toBe(false);
+  });
+});

package/src/__tests__/trusted-contact-lifecycle-notifications.test.ts

@@ -276,7 +276,9 @@ describe('trusted contact lifecycle notification signals', () => {
 
     await handleChannelInbound(guardianReq, undefined, TEST_BEARER_TOKEN);
 
-    // Should emit guardian_decision (approved) and verification_sent signals
+    // guardian_decision should NOT fire at approval time when verification
+    // is still pending — it would cause the notification pipeline to send a
+    // premature "approved" message to the guardian's chat.
     const guardianDecisionSignals = emitSignalCalls.filter(
       (c) => c.sourceEventName === 'ingress.trusted_contact.guardian_decision',
     );
@@ -284,19 +286,15 @@ describe('trusted contact lifecycle notification signals', () => {
       (c) => c.sourceEventName === 'ingress.trusted_contact.verification_sent',
     );
 
-    expect(guardianDecisionSignals.length).toBe(1);
+    expect(guardianDecisionSignals.length).toBe(0);
     expect(verificationSentSignals.length).toBe(1);
 
-    // Verify guardian_decision payload
-    const gdPayload = guardianDecisionSignals[0].contextPayload as Record<string, unknown>;
-    expect(gdPayload.decision).toBe('approved');
-    expect(gdPayload.requesterExternalUserId).toBe('requester-user-456');
-    expect(gdPayload.decidedByExternalUserId).toBe('guardian-user-789');
-
-    // Verify verification_sent payload
-    const vsPayload = verificationSentSignals[0].contextPayload as Record<string, unknown>;
+    // Verify verification_sent payload and that it's suppressed from delivery
+    const vsSignal = verificationSentSignals[0];
+    const vsPayload = vsSignal.contextPayload as Record<string, unknown>;
     expect(vsPayload.requesterExternalUserId).toBe('requester-user-456');
     expect(vsPayload.verificationSessionId).toBeDefined();
+    expect((vsSignal.attentionHints as Record<string, unknown>).visibleInSourceNow).toBe(true);
 
     // Should NOT emit denied signal
     const deniedSignals = emitSignalCalls.filter(

package/src/__tests__/voice-scoped-grant-consumer.test.ts

@@ -1,20 +1,26 @@
 /**
- * Tests for M4: voice consumer checks scoped grants before auto-denying
- * non-guardian confirmation requests.
+ * Tests that the voice bridge consumes scoped approval grants via the
+ * unified approval primitive before auto-denying non-guardian callers.
+ *
+ * Some confirmation_request events originate from proxy/network paths
+ * (e.g. PermissionPrompter in createProxyApprovalCallback) that bypass
+ * the pre-exec gate. The bridge must check for a matching scoped grant
+ * and allow the confirmation if one exists.
  *
  * Verifies:
- *   1. A matching grant allows a non-guardian voice confirmation (exactly once).
- *   2. No grant or mismatched grant still auto-denies.
+ *   1. Non-guardian confirmation requests are auto-allowed when a
+ *      matching grant exists (bridge consumes it via the primitive).
+ *   2. Non-guardian confirmation requests are auto-denied when no
+ *      matching grant exists.
  *   3. Guardian auto-allow path remains unchanged.
  *   4. Grants are revoked on call end (controller.destroy).
- *   5. Second identical invocation after consume is denied (one-time use).
  */
 
 import { mkdtempSync, rmSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 
-import { afterAll, beforeEach, describe, expect, type Mock, mock, test } from 'bun:test';
+import { afterAll, beforeEach, describe, expect, mock, test } from 'bun:test';
 
 const testDir = mkdtempSync(join(tmpdir(), 'voice-scoped-grant-consumer-test-'));
 
@@ -98,17 +104,19 @@ mock.module('../daemon/session-runtime-assembly.js', () => ({
 
 import { and, eq } from 'drizzle-orm';
 
+import { setVoiceBridgeDeps, startVoiceTurn } from '../calls/voice-session-bridge.js';
+import type { ServerMessage } from '../daemon/ipc-protocol.js';
+import type { GuardianRuntimeContext } from '../daemon/session-runtime-assembly.js';
+import { getDb, initializeDb, resetDb } from '../memory/db.js';
+import { scopedApprovalGrants } from '../memory/schema.js';
 import {
-  createScopedApprovalGrant,
+  _internal,
   type CreateScopedApprovalGrantParams,
   revokeScopedApprovalGrantsForContext,
 } from '../memory/scoped-approval-grants.js';
-import { getDb, initializeDb, resetDb } from '../memory/db.js';
-import { conversations, scopedApprovalGrants } from '../memory/schema.js';
+
+const { createScopedApprovalGrant } = _internal;
 import { computeToolApprovalDigest } from '../security/tool-approval-digest.js';
-import type { ServerMessage } from '../daemon/ipc-protocol.js';
-import { setVoiceBridgeDeps, startVoiceTurn } from '../calls/voice-session-bridge.js';
-import type { GuardianRuntimeContext } from '../daemon/session-runtime-assembly.js';
 
 initializeDb();
 
@@ -243,13 +251,14 @@ function grantParams(overrides: Partial<CreateScopedApprovalGrantParams> = {}):
 // Tests
 // ===========================================================================
 
-describe('voice scoped grant consumer', () => {
+describe('voice bridge confirmation handling (grant consumption via primitive)', () => {
   beforeEach(() => {
     clearTables();
   });
 
-  test('non-guardian with matching grant: consumed and allowed', async () => {
-    // Create a matching grant
+  test('non-guardian with matching grant: auto-allowed (bridge consumes grant via primitive)', async () => {
+    // A matching grant should be consumed and the confirmation allowed.
+    // This covers proxy/network confirmation requests that bypass the pre-exec gate.
     createScopedApprovalGrant(grantParams());
 
     const mockData = createMockSession();
@@ -261,7 +270,7 @@ describe('voice scoped grant consumer', () => {
       requesterExternalUserId: 'caller-123',
     };
 
-    const handle = await startVoiceTurn({
+    await startVoiceTurn({
       conversationId: CONVERSATION_ID,
       callSessionId: CALL_SESSION_ID,
       content: 'test utterance',
@@ -279,7 +288,15 @@ describe('voice scoped grant consumer', () => {
     const decision = mockData.getConfirmationDecision();
     expect(decision).not.toBeNull();
     expect(decision!.decision).toBe('allow');
-    expect(decision!.reason).toContain('scoped grant');
+    expect(decision!.reason).toContain('guardian pre-approved via scoped grant');
+
+    // The grant should be consumed (no longer active)
+    const db = getDb();
+    const activeGrants = db.select()
+      .from(scopedApprovalGrants)
+      .where(eq(scopedApprovalGrants.status, 'active'))
+      .all();
+    expect(activeGrants.length).toBe(0);
   });
 
   test('non-guardian without grant: auto-denied', async () => {
@@ -294,7 +311,7 @@ describe('voice scoped grant consumer', () => {
       requesterExternalUserId: 'caller-123',
     };
 
-    const handle = await startVoiceTurn({
+    await startVoiceTurn({
       conversationId: CONVERSATION_ID,
       callSessionId: CALL_SESSION_ID,
       content: 'test utterance',
@@ -379,13 +396,14 @@ describe('voice scoped grant consumer', () => {
     expect(decision!.reason).toContain('guardian voice call');
   });
 
-  test('one-time use: second identical invocation after consume is denied', async () => {
-    // Create a single grant
-    createScopedApprovalGrant(grantParams());
+  test('non-guardian with grant for different assistantId: auto-denied', async () => {
+    // Create a grant scoped to a different assistant
+    createScopedApprovalGrant(grantParams({
+      assistantId: 'other-assistant',
+    }));
 
-    // First invocation — should consume the grant and allow
-    const mockData1 = createMockSession({ confirmationRequestId: 'req-first' });
-    setupBridgeDeps(() => mockData1.session);
+    const mockData = createMockSession();
+    setupBridgeDeps(() => mockData.session);
 
     const guardianContext: GuardianRuntimeContext = {
       sourceChannel: 'voice',
@@ -396,29 +414,7 @@ describe('voice scoped grant consumer', () => {
     await startVoiceTurn({
       conversationId: CONVERSATION_ID,
       callSessionId: CALL_SESSION_ID,
-      content: 'first utterance',
-      assistantId: ASSISTANT_ID,
-      guardianContext,
-      isInbound: true,
-      onTextDelta: () => {},
-      onComplete: () => {},
-      onError: () => {},
-    });
-
-    await new Promise(resolve => setTimeout(resolve, 100));
-
-    const decision1 = mockData1.getConfirmationDecision();
-    expect(decision1).not.toBeNull();
-    expect(decision1!.decision).toBe('allow');
-
-    // Second invocation — grant already consumed, should deny
-    const mockData2 = createMockSession({ confirmationRequestId: 'req-second' });
-    setupBridgeDeps(() => mockData2.session);
-
-    await startVoiceTurn({
-      conversationId: CONVERSATION_ID,
-      callSessionId: CALL_SESSION_ID,
-      content: 'second utterance',
+      content: 'test utterance',
       assistantId: ASSISTANT_ID,
       guardianContext,
       isInbound: true,
@@ -429,9 +425,9 @@ describe('voice scoped grant consumer', () => {
 
     await new Promise(resolve => setTimeout(resolve, 100));
 
-    const decision2 = mockData2.getConfirmationDecision();
-    expect(decision2).not.toBeNull();
-    expect(decision2!.decision).toBe('deny');
+    const decision = mockData.getConfirmationDecision();
+    expect(decision).not.toBeNull();
+    expect(decision!.decision).toBe('deny');
   });
 
   test('grants revoked when revokeScopedApprovalGrantsForContext is called with callSessionId', () => {
@@ -534,38 +530,4 @@ describe('voice scoped grant consumer', () => {
       .all();
     expect(otherActive.length).toBe(1);
   });
-
-  test('non-guardian with grant for different assistantId: auto-denied', async () => {
-    // Create a grant scoped to a different assistant
-    createScopedApprovalGrant(grantParams({
-      assistantId: 'other-assistant',
-    }));
-
-    const mockData = createMockSession();
-    setupBridgeDeps(() => mockData.session);
-
-    const guardianContext: GuardianRuntimeContext = {
-      sourceChannel: 'voice',
-      actorRole: 'non-guardian',
-      requesterExternalUserId: 'caller-123',
-    };
-
-    await startVoiceTurn({
-      conversationId: CONVERSATION_ID,
-      callSessionId: CALL_SESSION_ID,
-      content: 'test utterance',
-      assistantId: ASSISTANT_ID,
-      guardianContext,
-      isInbound: true,
-      onTextDelta: () => {},
-      onComplete: () => {},
-      onError: () => {},
-    });
-
-    await new Promise(resolve => setTimeout(resolve, 100));
-
-    const decision = mockData.getConfirmationDecision();
-    expect(decision).not.toBeNull();
-    expect(decision!.decision).toBe('deny');
-  });
 });

package/src/agent/loop.ts

@@ -312,6 +312,31 @@ export class AgentLoop {
           break;
         }
 
+        // Guard against dual-control-mode conflicts in a single turn.
+        // If the model escalates to foreground computer control, browser_* tools
+        // in the same response create competing browser sessions/windows and can
+        // thrash renderer CPU. Reject browser_* calls in that turn.
+        const hasComputerUseEscalation = toolUseBlocks.some(
+          (toolUse) => toolUse.name === 'computer_use_request_control',
+        );
+        const blockedBrowserToolIds = hasComputerUseEscalation
+          ? new Set(
+              toolUseBlocks
+                .filter((toolUse) => toolUse.name.startsWith('browser_'))
+                .map((toolUse) => toolUse.id),
+            )
+          : new Set<string>();
+
+        if (blockedBrowserToolIds.size > 0) {
+          log.warn(
+            {
+              blockedBrowserToolCount: blockedBrowserToolIds.size,
+              toolNames: toolUseBlocks.map((toolUse) => toolUse.name),
+            },
+            'Blocking browser_* tools: computer_use_request_control was requested in same turn',
+          );
+        }
+
         // Execute all tools concurrently for reduced latency.
         // Race against the abort signal so cancellation isn't blocked by
         // stuck tools (e.g. a hung browser navigation).
@@ -319,6 +344,16 @@ export class AgentLoop {
           toolUseBlocks.map(async (toolUse) => {
             const toolStart = Date.now();
 
+            if (blockedBrowserToolIds.has(toolUse.id)) {
+              return {
+                toolUse,
+                result: {
+                  content: 'Error: browser_* tools cannot run in the same turn as computer_use_request_control. Continue using the foreground computer-use session only.',
+                  isError: true,
+                },
+              };
+            }
+
             const result = await this.toolExecutor!(toolUse.name, toolUse.input, (chunk) => {
               onEvent({ type: 'tool_output_chunk', toolUseId: toolUse.id, chunk });
             });
@@ -431,7 +466,7 @@ export class AgentLoop {
         if (hasTextBlock) {
           resultBlocks.push({
             type: 'text',
-            text: '<system_notice>Your previous text was already displayed to the user in real-time as you generated it. Continue naturally from where you left off — do not repeat or rephrase what you already said above.</system_notice>',
+            text: '<system_notice>Your previous text was already shown to the user in real time. Do not repeat or rephrase it. Do not narrate retries or internal process chatter ("let me try", "that didn\'t work"). Keep working with tools silently unless you need user input, and only send user-facing text when you have concrete progress or final results.</system_notice>',
           });
         }