@vellumai/assistant 0.3.3 → 0.3.4

package/src/tools/browser/browser-manager.ts

@@ -191,74 +191,80 @@ class BrowserManager {
     if (this.contextCreating) return this.contextCreating;
 
     this.contextCreating = (async () => {
-      // Try to detect or negotiate CDP before falling back to headless.
-      // This auto-detects an existing Chrome with --remote-debugging-port,
-      // or asks the client to restart Chrome with CDP enabled.
-      let useCdp = this._browserMode === 'cdp';
-      const sender = invokingSessionId ? this.sessionSenders.get(invokingSessionId) : undefined;
-      if (!useCdp) {
-        const cdpAvailable = await this.detectCDP();
-        if (cdpAvailable) {
-          useCdp = true;
-        } else if (invokingSessionId && sender) {
-          log.info({ sessionId: invokingSessionId }, 'Requesting CDP from client');
-          const accepted = await this.requestCDPFromClient(invokingSessionId, sender);
-          if (accepted) {
-            const nowAvailable = await this.detectCDP();
-            if (nowAvailable) {
-              useCdp = true;
+      // Deterministic test mode: when launch is injected via setLaunchFn,
+      // bypass ambient CDP probing/negotiation and use the injected launcher.
+      const hasInjectedLaunchFn = launchPersistentContext !== null;
+
+      if (!hasInjectedLaunchFn) {
+        // Try to detect or negotiate CDP before falling back to headless.
+        // This auto-detects an existing Chrome with --remote-debugging-port,
+        // or asks the client to restart Chrome with CDP enabled.
+        let useCdp = this._browserMode === 'cdp';
+        const sender = invokingSessionId ? this.sessionSenders.get(invokingSessionId) : undefined;
+        if (!useCdp) {
+          const cdpAvailable = await this.detectCDP();
+          if (cdpAvailable) {
+            useCdp = true;
+          } else if (invokingSessionId && sender) {
+            log.info({ sessionId: invokingSessionId }, 'Requesting CDP from client');
+            const accepted = await this.requestCDPFromClient(invokingSessionId, sender);
+            if (accepted) {
+              const nowAvailable = await this.detectCDP();
+              if (nowAvailable) {
+                useCdp = true;
+              } else {
+                log.warn('Client accepted CDP request but CDP not detected');
+              }
             } else {
-              log.warn('Client accepted CDP request but CDP not detected');
+              log.info('Client declined CDP request');
             }
-          } else {
-            log.info('Client declined CDP request');
           }
         }
-      }
 
-      if (useCdp) {
-        try {
-          const pw = await import('playwright');
-          const browser = await pw.chromium.connectOverCDP(this.cdpUrl, { timeout: 10_000 });
-          this.cdpBrowser = browser;
-          this._browserLaunched = false;
-          const contexts = browser.contexts();
-          const ctx = contexts[0] || await browser.newContext();
-          this.setBrowserMode('cdp');
-          await this.initBrowserCdpSession();
-          log.info({ cdpUrl: this.cdpUrl }, 'Connected to Chrome via CDP');
-          return ctx as unknown as BrowserContext;
-        } catch (err) {
-          log.warn({ err }, 'CDP connectOverCDP failed');
-          this._browserMode = 'headless';
+        if (useCdp) {
+          try {
+            const pw = await import('playwright');
+            const browser = await pw.chromium.connectOverCDP(this.cdpUrl, { timeout: 10_000 });
+            this.cdpBrowser = browser;
+            this._browserLaunched = false;
+            const contexts = browser.contexts();
+            const ctx = contexts[0] || await browser.newContext();
+            this.setBrowserMode('cdp');
+            await this.initBrowserCdpSession();
+            log.info({ cdpUrl: this.cdpUrl }, 'Connected to Chrome via CDP');
+            return ctx as unknown as BrowserContext;
+          } catch (err) {
+            log.warn({ err }, 'CDP connectOverCDP failed');
+            this._browserMode = 'headless';
+          }
         }
-      }
 
-      // If a client is connected, launch headed Chromium (minimized) so the user
-      // can interact directly when handoff triggers (e.g. CAPTCHAs).
-      // The window stays offscreen until bringToFront() is called during handoff.
-      const hasSender = !!(invokingSessionId && this.sessionSenders.get(invokingSessionId));
-      if (hasSender && this._browserMode === 'headless') {
-        try {
-          const pw2 = await import('playwright');
-          const headedBrowser = await pw2.chromium.launch({
-            channel: 'chrome',
-            headless: false,
-            args: [
-              '--window-position=-32000,-32000',
-              '--window-size=1,1',
-              '--disable-blink-features=AutomationControlled',
-            ],
-          });
-          const ctx = headedBrowser.contexts()[0] || await headedBrowser.newContext();
-          this.cdpBrowser = headedBrowser as unknown as typeof this.cdpBrowser;
-          this._browserLaunched = true;
-          this.setBrowserMode('cdp');
-          await this.initBrowserCdpSession();
-          log.info('Launched headed Chromium (minimized) for interactive handoff support');
-          return ctx as unknown as BrowserContext;
-        } catch (err2) {
-          log.warn({ err: err2 }, 'Headed Chromium launch failed, falling back to headless');
+        // If a client is connected, launch headed Chromium (minimized) so the user
+        // can interact directly when handoff triggers (e.g. CAPTCHAs).
+        // The window stays offscreen until bringToFront() is called during handoff.
+        const hasSender = !!(invokingSessionId && this.sessionSenders.get(invokingSessionId));
+        if (hasSender && this._browserMode === 'headless') {
+          try {
+            const pw2 = await import('playwright');
+            const headedBrowser = await pw2.chromium.launch({
+              channel: 'chrome',
+              headless: false,
+              args: [
+                '--window-position=-32000,-32000',
+                '--window-size=1,1',
+                '--disable-blink-features=AutomationControlled',
+              ],
+            });
+            const ctx = headedBrowser.contexts()[0] || await headedBrowser.newContext();
+            this.cdpBrowser = headedBrowser as unknown as typeof this.cdpBrowser;
+            this._browserLaunched = true;
+            this.setBrowserMode('cdp');
+            await this.initBrowserCdpSession();
+            log.info('Launched headed Chromium (minimized) for interactive handoff support');
+            return ctx as unknown as BrowserContext;
+          } catch (err2) {
+            log.warn({ err: err2 }, 'Headed Chromium launch failed, falling back to headless');
+          }
         }
       }
 

package/src/tools/claude-code/claude-code.ts

@@ -6,6 +6,7 @@ import { getLogger } from '../../util/logger.js';
 import { truncate } from '../../util/truncate.js';
 import { getProfilePolicy } from '../../swarm/worker-backend.js';
 import type { WorkerProfile } from '../../swarm/worker-backend.js';
+import { getCCCommand, loadCCCommandTemplate } from '../../commands/cc-command-registry.js';
 
 const log = getLogger('claude-code-tool');
 
@@ -62,7 +63,15 @@ export const claudeCodeTool: Tool = {
         properties: {
           prompt: {
             type: 'string',
-            description: 'The coding task or question for Claude Code to work on',
+            description: 'The coding task or question for Claude Code to work on. Use this for free-form tasks. Mutually exclusive with command.',
+          },
+          command: {
+            type: 'string',
+            description: 'Name of a .claude/commands/*.md command template to execute. The template will be loaded and $ARGUMENTS substituted before execution. Use this instead of prompt when invoking a named CC command.',
+          },
+          arguments: {
+            type: 'string',
+            description: 'Arguments to substitute into the command template ($ARGUMENTS placeholder). Only used with the command input.',
           },
           working_dir: {
             type: 'string',
@@ -82,7 +91,6 @@ export const claudeCodeTool: Tool = {
             description: 'Worker profile that scopes tool access. Defaults to general (backward compatible).',
           },
         },
-        required: ['prompt'],
       },
     };
   },
@@ -92,8 +100,52 @@ export const claudeCodeTool: Tool = {
       return { content: 'Cancelled', isError: true };
     }
 
-    const prompt = input.prompt as string;
     const workingDir = (input.working_dir as string) || context.workingDir;
+
+    // Resolve prompt: either from direct prompt input or by loading a CC command template
+    let prompt: string;
+    if (input.command != null && typeof input.command !== 'string') {
+      return {
+        content: `Error: "command" must be a string, got ${typeof input.command}`,
+        isError: true,
+      };
+    }
+    const commandName = input.command as string | undefined;
+    if (commandName) {
+      // Command-template execution path: load .claude/commands/<command>.md,
+      // apply $ARGUMENTS substitution, and use the result as the prompt.
+      const entry = getCCCommand(workingDir, commandName);
+      if (!entry) {
+        return {
+          content: `Error: CC command "${commandName}" not found. Looked for .claude/commands/${commandName}.md in ${workingDir} and parent directories.`,
+          isError: true,
+        };
+      }
+
+      let template: string;
+      try {
+        template = loadCCCommandTemplate(entry);
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        return {
+          content: `Error: Failed to load CC command template "${commandName}": ${message}`,
+          isError: true,
+        };
+      }
+
+      // Substitute $ARGUMENTS placeholder with the provided arguments
+      const args = (input.arguments as string) ?? '';
+      prompt = template.replace(/\$ARGUMENTS/g, args);
+
+      log.info({ command: commandName, templatePath: entry.filePath, hasArgs: !!args }, 'Loaded CC command template');
+    } else if (typeof input.prompt === 'string') {
+      prompt = input.prompt;
+    } else {
+      return {
+        content: 'Error: Either "prompt" or "command" must be provided.',
+        isError: true,
+      };
+    }
     const resumeSessionId = input.resume as string | undefined;
     const model = (input.model as string) || 'claude-sonnet-4-6';
     const profileName = (input.profile as WorkerProfile | undefined) ?? 'general';

package/src/tools/executor.ts

@@ -268,7 +268,15 @@ export class ToolExecutor {
         });
 
         if (response.decision === 'deny') {
-          const denialMessage = `Permission denied by user. The user chose not to allow the "${name}" tool. Do NOT retry this tool call immediately. Instead, tell the user that the action was not performed because they denied permission, and ask if they would like you to try again or take a different approach. Wait for the user to explicitly respond before retrying.`;
+          const contextualDenial = typeof response.decisionContext === 'string'
+            ? response.decisionContext.trim()
+            : '';
+          const denialMessage = contextualDenial.length > 0
+            ? contextualDenial
+            : `Permission denied by user. The user chose not to allow the "${name}" tool. Do NOT retry this tool call immediately. Instead, tell the user that the action was not performed because they denied permission, and ask if they would like you to try again or take a different approach. Wait for the user to explicitly respond before retrying.`;
+          const denialReason = contextualDenial.length > 0
+            ? `Permission denied (${name}): contextual policy`
+            : 'Permission denied by user';
           const durationMs = Date.now() - startTime;
           emitLifecycleEvent(context, {
             type: 'permission_denied',
@@ -281,7 +289,7 @@ export class ToolExecutor {
             requestId: context.requestId,
             riskLevel,
             decision: 'deny',
-            reason: 'Permission denied by user',
+            reason: denialReason,
             durationMs,
           });
           return { content: denialMessage, isError: true };

package/src/tools/skills/vellum-catalog.ts

@@ -1,20 +1,10 @@
-import { existsSync, readdirSync, readFileSync, statSync } from 'node:fs';
-import { basename, join } from 'node:path';
-
 import { RiskLevel } from '../../permissions/types.js';
 import type { ToolDefinition } from '../../providers/types.js';
+import { parseFrontmatterFields } from '../../skills/frontmatter.js';
 import { createManagedSkill } from '../../skills/managed-store.js';
-import { getLogger } from '../../util/logger.js';
+import { fetchCatalogEntries, fetchSkillContent, checkVellumSkill } from '../../skills/vellum-catalog-remote.js';
 import type { Tool, ToolContext, ToolExecutionResult } from '../types.js';
 
-const log = getLogger('vellum-skills-catalog');
-
-const FRONTMATTER_REGEX = /^---\r?\n([\s\S]*?)\r?\n---(?:\r?\n|$)/;
-
-function getVellumSkillsDir(): string {
-  return join(import.meta.dir, '..', '..', 'config', 'vellum-skills');
-}
-
 export interface CatalogEntry {
   id: string;
   name: string;
@@ -23,123 +13,75 @@ export interface CatalogEntry {
   includes?: string[];
 }
 
-function parseCatalogEntry(directory: string): CatalogEntry | null {
-  const skillFilePath = join(directory, 'SKILL.md');
-  if (!existsSync(skillFilePath)) return null;
-
-  try {
-    const stat = statSync(skillFilePath);
-    if (!stat.isFile()) return null;
-
-    const content = readFileSync(skillFilePath, 'utf-8');
-    const match = content.match(FRONTMATTER_REGEX);
-    if (!match) return null;
-
-    const fields: Record<string, string> = {};
-    for (const line of match[1].split(/\r?\n/)) {
-      const trimmed = line.trim();
-      if (!trimmed || trimmed.startsWith('#')) continue;
-      const separatorIndex = trimmed.indexOf(':');
-      if (separatorIndex === -1) continue;
-
-      const key = trimmed.slice(0, separatorIndex).trim();
-      let value = trimmed.slice(separatorIndex + 1).trim();
-      if ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'"))) {
-        value = value.slice(1, -1);
-      }
-      fields[key] = value;
-    }
-
-    const name = fields.name?.trim();
-    const description = fields.description?.trim();
-    if (!name || !description) return null;
+export { fetchCatalogEntries as listCatalogEntries, checkVellumSkill };
 
-    let emoji: string | undefined;
-    const metadataRaw = fields.metadata?.trim();
-    if (metadataRaw) {
-      try {
-        const parsed = JSON.parse(metadataRaw);
-        if (parsed?.vellum?.emoji) {
-          emoji = parsed.vellum.emoji as string;
-        }
-      } catch {
-        // ignore malformed metadata
-      }
-    }
-
-    let includes: string[] | undefined;
-    const includesRaw = fields.includes?.trim();
-    if (includesRaw) {
-      try {
-        const parsed = JSON.parse(includesRaw);
-        if (Array.isArray(parsed) && parsed.every((item: unknown) => typeof item === 'string')) {
-          const filtered = (parsed as string[]).map((s) => s.trim()).filter((s) => s.length > 0);
-          if (filtered.length > 0) includes = filtered;
-        }
-      } catch {
-        // ignore malformed includes
-      }
-    }
+/**
+ * Install a skill from the vellum-skills catalog by ID.
+ * Fetches SKILL.md from GitHub (with bundled fallback) and creates a managed skill.
+ * Returns { success, skillName, error }.
+ */
+export async function installFromVellumCatalog(skillId: string, options?: { overwrite?: boolean }): Promise<{ success: boolean; skillName?: string; error?: string }> {
+  const trimmedId = skillId.trim();
 
-    return { id: basename(directory), name, description, emoji, includes };
-  } catch (err) {
-    log.warn({ err, directory }, 'Failed to read catalog entry');
-    return null;
+  // Verify skill exists in catalog
+  const exists = await checkVellumSkill(trimmedId);
+  if (!exists) {
+    return { success: false, error: `Skill "${trimmedId}" not found in the Vellum catalog` };
   }
-}
-
-export function listCatalogEntries(): CatalogEntry[] {
-  const catalogDir = getVellumSkillsDir();
-  if (!existsSync(catalogDir)) return [];
 
-  const entries: CatalogEntry[] = [];
-  try {
-    const dirEntries = readdirSync(catalogDir, { withFileTypes: true });
-    for (const entry of dirEntries) {
-      if (!entry.isDirectory()) continue;
-      const parsed = parseCatalogEntry(join(catalogDir, entry.name));
-      if (parsed) entries.push(parsed);
-    }
-  } catch (err) {
-    log.warn({ err, catalogDir }, 'Failed to list catalog entries');
+  // Fetch SKILL.md content (remote with bundled fallback)
+  const content = await fetchSkillContent(trimmedId);
+  if (!content) {
+    return { success: false, error: `Skill "${trimmedId}" SKILL.md not found` };
   }
 
-  return entries.sort((a, b) => a.id.localeCompare(b.id));
-}
+  const parsed = parseFrontmatterFields(content);
+  if (!parsed) {
+    return { success: false, error: `Skill "${trimmedId}" has invalid SKILL.md` };
+  }
 
-/**
- * Install a skill from the vellum-skills catalog by ID.
- * Returns { success, skillName, error }.
- */
-export function installFromVellumCatalog(skillId: string): { success: boolean; skillName?: string; error?: string } {
-  const catalogDir = getVellumSkillsDir();
-  const skillDir = join(catalogDir, skillId.trim());
-  const skillFilePath = join(skillDir, 'SKILL.md');
+  const { fields, body: bodyMarkdown } = parsed;
 
-  if (!existsSync(skillFilePath)) {
-    return { success: false, error: `Skill "${skillId}" not found in the Vellum catalog` };
+  const name = fields.name?.trim();
+  const description = fields.description?.trim();
+  if (!name || !description) {
+    return { success: false, error: `Skill "${trimmedId}" has invalid SKILL.md (missing name or description)` };
   }
 
-  const content = readFileSync(skillFilePath, 'utf-8');
-  const match = content.match(FRONTMATTER_REGEX);
-  if (!match) {
-    return { success: false, error: `Skill "${skillId}" has invalid SKILL.md` };
+  let emoji: string | undefined;
+  const metadataRaw = fields.metadata?.trim();
+  if (metadataRaw) {
+    try {
+      const metaObj = JSON.parse(metadataRaw);
+      if (metaObj?.vellum?.emoji) {
+        emoji = metaObj.vellum.emoji as string;
+      }
+    } catch {
+      // ignore malformed metadata
+    }
   }
 
-  const entry = parseCatalogEntry(skillDir);
-  if (!entry) {
-    return { success: false, error: `Skill "${skillId}" has invalid SKILL.md` };
+  let includes: string[] | undefined;
+  const includesRaw = fields.includes?.trim();
+  if (includesRaw) {
+    try {
+      const includesObj = JSON.parse(includesRaw);
+      if (Array.isArray(includesObj) && includesObj.every((item: unknown) => typeof item === 'string')) {
+        const filtered = (includesObj as string[]).map((s) => s.trim()).filter((s) => s.length > 0);
+        if (filtered.length > 0) includes = filtered;
+      }
+    } catch {
+      // ignore malformed includes
+    }
   }
-
-  const bodyMarkdown = content.slice(match[0].length);
   const result = createManagedSkill({
-    id: entry.id,
-    name: entry.name,
-    description: entry.description,
+    id: trimmedId,
+    name,
+    description,
     bodyMarkdown,
-    emoji: entry.emoji,
-    includes: entry.includes,
-    overwrite: true,
+    emoji,
+    includes,
+    overwrite: options?.overwrite ?? true,
     addToIndex: true,
   });
 
@@ -147,7 +89,7 @@ export function installFromVellumCatalog(skillId: string): { success: boolean; s
     return { success: false, error: result.error };
   }
 
-  return { success: true, skillName: entry.id };
+  return { success: true, skillName: trimmedId };
 }
 
 class VellumSkillsCatalogTool implements Tool {
@@ -187,7 +129,7 @@ class VellumSkillsCatalogTool implements Tool {
 
     switch (action) {
       case 'list': {
-        const entries = listCatalogEntries();
+        const entries = await fetchCatalogEntries();
         if (entries.length === 0) {
           return { content: 'No Vellum-provided skills available in the catalog.', isError: false };
         }
@@ -200,52 +142,15 @@ class VellumSkillsCatalogTool implements Tool {
           return { content: 'Error: skill_id is required for install action', isError: true };
         }
 
-        const catalogDir = getVellumSkillsDir();
-        const skillDir = join(catalogDir, skillId.trim());
-        const skillFilePath = join(skillDir, 'SKILL.md');
-
-        if (!existsSync(skillFilePath)) {
-          const available = listCatalogEntries().map((e) => e.id);
-          return {
-            content: `Error: skill "${skillId}" not found in the Vellum catalog. Available: ${available.join(', ') || 'none'}`,
-            isError: true,
-          };
-        }
-
-        const content = readFileSync(skillFilePath, 'utf-8');
-        const match = content.match(FRONTMATTER_REGEX);
-        if (!match) {
-          return { content: `Error: skill "${skillId}" has invalid SKILL.md (missing frontmatter)`, isError: true };
-        }
-
-        const entry = parseCatalogEntry(skillDir);
-        if (!entry) {
-          return { content: `Error: skill "${skillId}" has invalid SKILL.md`, isError: true };
-        }
-
-        const bodyMarkdown = content.slice(match[0].length);
-
-        const result = createManagedSkill({
-          id: entry.id,
-          name: entry.name,
-          description: entry.description,
-          bodyMarkdown,
-          emoji: entry.emoji,
-          includes: entry.includes,
-          overwrite: input.overwrite === true,
-          addToIndex: true,
-        });
-
-        if (!result.created) {
+        const result = await installFromVellumCatalog(skillId, { overwrite: input.overwrite === true });
+        if (!result.success) {
           return { content: `Error: ${result.error}`, isError: true };
         }
 
         return {
           content: JSON.stringify({
             installed: true,
-            skill_id: entry.id,
-            name: entry.name,
-            path: result.path,
+            skill_id: result.skillName,
           }),
           isError: false,
         };

package/src/tools/terminal/parser.ts

@@ -36,7 +36,7 @@ export interface ParsedCommand {
 }
 
 const SHELL_PROGRAMS = new Set(['sh', 'bash', 'zsh', 'dash', 'ksh', 'fish']);
-const OPAQUE_PROGRAMS = new Set(['eval', 'source']);
+const OPAQUE_PROGRAMS = new Set(['eval', 'source', 'alias']);
 const DANGEROUS_ENV_VARS = new Set([
   'LD_PRELOAD', 'LD_LIBRARY_PATH',
   'DYLD_INSERT_LIBRARIES', 'DYLD_LIBRARY_PATH', 'DYLD_FRAMEWORK_PATH',
@@ -89,17 +89,33 @@ const initGuard = new PromiseGuard<void>();
  */
 function findWasmPath(pkg: string, file: string): string {
   const dir = import.meta.dirname ?? __dirname;
-  const sourcePath = join(dir, '..', '..', '..', 'node_modules', pkg, file);
 
-  if (!existsSync(sourcePath) && dir.startsWith('/$bunfs/')) {
+  // In compiled Bun binaries, import.meta.dirname points into the virtual
+  // /$bunfs/ filesystem.  Prefer bundled WASM assets shipped alongside the
+  // executable before falling back to process.cwd(), so we never accidentally
+  // pick up a mismatched version from the working directory.
+  if (dir.startsWith('/$bunfs/')) {
     const execDir = dirname(process.execPath);
     // macOS .app bundle: binary is in Contents/MacOS/, resources in Contents/Resources/
     const resourcesPath = join(execDir, '..', 'Resources', file);
     if (existsSync(resourcesPath)) return resourcesPath;
-    // Fallback: next to the binary itself (non-app-bundle deployments)
-    return join(execDir, file);
+    // Next to the binary itself (non-app-bundle deployments)
+    const execDirPath = join(execDir, file);
+    if (existsSync(execDirPath)) return execDirPath;
+    // Last resort: resolve from process.cwd() (the assistant/ directory)
+    const cwdPath = join(process.cwd(), 'node_modules', pkg, file);
+    if (existsSync(cwdPath)) return cwdPath;
+    return execDirPath;
   }
 
+  const sourcePath = join(dir, '..', '..', '..', 'node_modules', pkg, file);
+
+  if (existsSync(sourcePath)) return sourcePath;
+
+  // Fallback: resolve from process.cwd() (the assistant/ directory).
+  const cwdPath = join(process.cwd(), 'node_modules', pkg, file);
+  if (existsSync(cwdPath)) return cwdPath;
+
   return sourcePath;
 }
 

package/src/util/platform.ts

@@ -1,4 +1,4 @@
-import { mkdirSync, existsSync, statSync, unlinkSync, renameSync, readFileSync, writeFileSync, readdirSync } from 'node:fs';
+import { mkdirSync, existsSync, statSync, unlinkSync, renameSync, readFileSync, writeFileSync, readdirSync, chmodSync } from 'node:fs';
 import { join, dirname } from 'node:path';
 import { homedir } from 'node:os';
 /**
@@ -565,6 +565,13 @@ export function ensureDataDir(): void {
       mkdirSync(dir, { recursive: true });
     }
   }
+  // Lock down the root directory so only the owner can traverse it.
+  // Runtime files (socket, session token, PID) live directly under root.
+  try {
+    chmodSync(root, 0o700);
+  } catch {
+    // Non-fatal: some filesystems don't support Unix permissions
+  }
 }
 
 /**

package/src/util/retry.ts

@@ -58,10 +58,10 @@ export function getHttpRetryDelay(
     const parsed = parseRetryAfterMs(retryAfter);
     if (parsed !== undefined) return parsed;
   }
-  // Enforce a minimum floor of baseDelayMs when Retry-After is missing.
-  // computeRetryDelay uses equal jitter (cap/2 + random*cap/2) which can
-  // dip to ~500ms on attempt 0 — too aggressive for 429 rate limits.
-  return Math.max(baseDelayMs, computeRetryDelay(attempt, baseDelayMs));
+  // For attempt 0, double the base so jitter range [baseDelayMs, 2*baseDelayMs) stays above the floor.
+  // For attempt >= 1, use the original base — jitter is already above baseDelayMs.
+  const effectiveBase = attempt === 0 ? baseDelayMs * 2 : baseDelayMs;
+  return Math.max(baseDelayMs, computeRetryDelay(attempt, effectiveBase));
 }
 
 /**