@vellumai/assistant 0.4.30 → 0.4.32

package/ARCHITECTURE.md

@@ -883,7 +883,7 @@ graph LR
         C5["user_message<br/>text, attachments"]
         C6["confirmation_response<br/>decision"]
         C7["cancel / undo"]
-        C8["model_get / model_set<br/>sandbox_set (deprecated no-op)"]
+        C8["model_get / model_set"]
         C9["ping"]
         C10["ipc_blob_probe<br/>probeId, nonceSha256"]
         C11["work_items_list / work_item_get<br/>work_item_create / work_item_update<br/>work_item_complete / work_item_run_task<br/>(planned)"]

package/Dockerfile

@@ -16,16 +16,21 @@ RUN apt-get update && apt-get install -y \
 RUN curl -fsSL https://bun.sh/install | bash
 ENV PATH="/root/.bun/bin:${PATH}"
 
-# Copy package files
-COPY package.json bun.lock ./
+# Install assistant and CLI dependencies first for cache reuse
+COPY assistant/package.json assistant/bun.lock ./assistant/
+RUN cd /app/assistant && bun install --frozen-lockfile
 
-# Install dependencies
-RUN bun install --frozen-lockfile
+COPY cli/package.json cli/bun.lock ./cli/
+RUN cd /app/cli && bun install --frozen-lockfile
+
+# Copy source
+COPY assistant ./assistant
+COPY cli ./cli
 
 # Final stage
 FROM debian:trixie@sha256:3615a749858a1cba49b408fb49c37093db813321355a9ab7c1f9f4836341e9db AS runner
 
-WORKDIR /app
+WORKDIR /app/assistant
 
 # Install runtime dependencies for Playwright and tree-sitter
 RUN apt-get update && apt-get install -y \
@@ -47,6 +52,10 @@ RUN apt-get update && apt-get install -y \
 COPY --from=builder /root/.bun/bin/bun /usr/local/bin/bun
 RUN ln -sf /usr/local/bin/bun /usr/local/bin/bunx
 
+# Install a vellum CLI launcher backed by the bundled local cli package
+RUN printf '#!/usr/bin/env sh\nexec bun run /app/cli/src/index.ts "$@"\n' > /usr/local/bin/vellum && \
+    chmod +x /usr/local/bin/vellum
+
 # Create non-root user that also has sudo access so it can like install stuff
 RUN groupadd --system --gid 1001 assistant && \
     useradd --system --uid 1001 --gid assistant --create-home --shell /bin/bash assistant && \
@@ -95,8 +104,5 @@ ENV IS_CONTAINERIZED=true
 # Copy from builder
 COPY --from=builder /app /app
 
-# Copy source
-COPY . .
-
 # Run the daemon + http server
 CMD ["bun", "run", "src/daemon/main.ts"]

package/README.md

@@ -481,7 +481,7 @@ bun run db:push       # Apply migrations
 
 ```bash
 # Build production image
-docker build -t vellum-assistant:local assistant
+docker build -f assistant/Dockerfile -t vellum-assistant:local .
 
 # Run
 docker run --rm -p 3001:3001 \
@@ -489,7 +489,7 @@ docker run --rm -p 3001:3001 \
   vellum-assistant:local
 ```
 
-The image runs as non-root user `assistant` (uid 1001) and exposes port `3001`.
+The image exposes port `3001` and bundles the `vellum` CLI binary.
 
 ## Troubleshooting
 

package/docs/architecture/memory.md

@@ -41,7 +41,7 @@ graph TB
 
     subgraph "Read Path (Memory Recall)"
         QUERY["Recall Query Builder<br/>User request + compacted context summary"]
-        CONFLICT_GATE["Soft Conflict Gate<br/>dismiss non-actionable conflicts (kind + statement policy)<br/>resolve pending conflicts from user turn<br/>relevance + cooldown + configurable ask behavior"]
+        CONFLICT_GATE["Soft Conflict Gate<br/>dismiss non-actionable conflicts (kind + statement + provenance policy)<br/>attempt internal resolution from user turn<br/>relevance-based; never produces user-facing prompts"]
         PROFILE_BUILD["Dynamic Profile Compiler<br/>active trusted profile memories<br/>user_confirmed > user_reported > assistant_inferred"]
         PROFILE_INJECT["Inject profile context block<br/>into runtime user tail<br/>(strict token cap)"]
         BUDGET["Dynamic Recall Budget<br/>computeRecallBudget()<br/>from prompt headroom"]
@@ -158,28 +158,26 @@ The key distinction: normal compaction is a cost-optimized background process th
 
 ### Memory Retrieval Config Knobs (Defaults)
 
-| Config key                                                |                                                           Default | Purpose                                                                                                                                                |
-| --------------------------------------------------------- | ----------------------------------------------------------------: | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| `memory.retrieval.dynamicBudget.enabled`                  |                                                            `true` | Toggle per-turn recall budget calculation from live prompt headroom.                                                                                   |
-| `memory.retrieval.dynamicBudget.minInjectTokens`          |                                                            `1200` | Lower clamp for computed recall injection budget.                                                                                                      |
-| `memory.retrieval.dynamicBudget.maxInjectTokens`          |                                                           `10000` | Upper clamp for computed recall injection budget.                                                                                                      |
-| `memory.retrieval.dynamicBudget.targetHeadroomTokens`     |                                                           `10000` | Reserved headroom to keep free for response generation/tool traces.                                                                                    |
-| `memory.entity.extractRelations.enabled`                  |                                                            `true` | Enable relation edge extraction and persistence in `memory_entity_relations`.                                                                          |
-| `memory.entity.extractRelations.backfillBatchSize`        |                                                             `200` | Batch size for checkpointed `backfill_entity_relations` jobs.                                                                                          |
-| `memory.entity.relationRetrieval.enabled`                 |                                                            `true` | Enable one-hop relation expansion from matched seed entities at recall time.                                                                           |
-| `memory.entity.relationRetrieval.maxSeedEntities`         |                                                               `8` | Maximum matched seed entities from the query.                                                                                                          |
-| `memory.entity.relationRetrieval.maxNeighborEntities`     |                                                              `20` | Maximum unique neighbor entities expanded from relation edges.                                                                                         |
-| `memory.entity.relationRetrieval.maxEdges`                |                                                              `40` | Maximum relation edges traversed during expansion.                                                                                                     |
-| `memory.entity.relationRetrieval.neighborScoreMultiplier` |                                                             `0.7` | Downweight multiplier for relation-expanded candidates vs direct entity hits.                                                                          |
-| `memory.conflicts.enabled`                                |                                                            `true` | Enable soft conflict gate for unresolved `memory_item_conflicts`.                                                                                      |
-| `memory.conflicts.reaskCooldownTurns`                     |                                                               `3` | Minimum turn distance before re-asking the same conflict clarification.                                                                                |
-| `memory.conflicts.resolverLlmTimeoutMs`                   |                                                           `12000` | Timeout bound for clarification resolver LLM fallback.                                                                                                 |
-| `memory.conflicts.relevanceThreshold`                     |                                                             `0.3` | Similarity threshold for deciding whether a pending conflict is relevant to the current request.                                                       |
-| `memory.conflicts.gateMode`                               |                                                          `'soft'` | Conflict gate strategy. Currently only `'soft'` is supported (asks the user inline).                                                                   |
-| `memory.conflicts.askOnIrrelevantTurns`                   |                                                           `false` | When `true`, soft-inject irrelevant conflict clarifications into every turn. When `false` (default), only ask when the conflict is topically relevant. |
-| `memory.conflicts.conflictableKinds`                      | `['preference', 'profile', 'constraint', 'instruction', 'style']` | Memory item kinds eligible for conflict detection. Items with kinds outside this list are auto-dismissed.                                              |
-| `memory.profile.enabled`                                  |                                                            `true` | Enable dynamic profile compilation from active trusted profile/preference/constraint/instruction memories.                                             |
-| `memory.profile.maxInjectTokens`                          |                                                             `800` | Hard token cap enforced by `ProfileCompiler` when generating the runtime profile block.                                                                |
+| Config key                                                |                                                           Default | Purpose                                                                                                            |
+| --------------------------------------------------------- | ----------------------------------------------------------------: | ------------------------------------------------------------------------------------------------------------------ |
+| `memory.retrieval.dynamicBudget.enabled`                  |                                                            `true` | Toggle per-turn recall budget calculation from live prompt headroom.                                               |
+| `memory.retrieval.dynamicBudget.minInjectTokens`          |                                                            `1200` | Lower clamp for computed recall injection budget.                                                                  |
+| `memory.retrieval.dynamicBudget.maxInjectTokens`          |                                                           `10000` | Upper clamp for computed recall injection budget.                                                                  |
+| `memory.retrieval.dynamicBudget.targetHeadroomTokens`     |                                                           `10000` | Reserved headroom to keep free for response generation/tool traces.                                                |
+| `memory.entity.extractRelations.enabled`                  |                                                            `true` | Enable relation edge extraction and persistence in `memory_entity_relations`.                                      |
+| `memory.entity.extractRelations.backfillBatchSize`        |                                                             `200` | Batch size for checkpointed `backfill_entity_relations` jobs.                                                      |
+| `memory.entity.relationRetrieval.enabled`                 |                                                            `true` | Enable one-hop relation expansion from matched seed entities at recall time.                                       |
+| `memory.entity.relationRetrieval.maxSeedEntities`         |                                                               `8` | Maximum matched seed entities from the query.                                                                      |
+| `memory.entity.relationRetrieval.maxNeighborEntities`     |                                                              `20` | Maximum unique neighbor entities expanded from relation edges.                                                     |
+| `memory.entity.relationRetrieval.maxEdges`                |                                                              `40` | Maximum relation edges traversed during expansion.                                                                 |
+| `memory.entity.relationRetrieval.neighborScoreMultiplier` |                                                             `0.7` | Downweight multiplier for relation-expanded candidates vs direct entity hits.                                      |
+| `memory.conflicts.enabled`                                |                                                            `true` | Enable soft conflict gate for unresolved `memory_item_conflicts`.                                                  |
+| `memory.conflicts.resolverLlmTimeoutMs`                   |                                                           `12000` | Timeout bound for clarification resolver LLM fallback.                                                             |
+| `memory.conflicts.relevanceThreshold`                     |                                                             `0.3` | Similarity threshold for deciding whether a pending conflict is relevant to the current request.                   |
+| `memory.conflicts.gateMode`                               |                                                          `'soft'` | Conflict gate strategy. Currently only `'soft'` is supported (resolves conflicts internally without user prompts). |
+| `memory.conflicts.conflictableKinds`                      | `['preference', 'profile', 'constraint', 'instruction', 'style']` | Memory item kinds eligible for conflict detection. Items with kinds outside this list are auto-dismissed.          |
+| `memory.profile.enabled`                                  |                                                            `true` | Enable dynamic profile compilation from active trusted profile/preference/constraint/instruction memories.         |
+| `memory.profile.maxInjectTokens`                          |                                                             `800` | Hard token cap enforced by `ProfileCompiler` when generating the runtime profile block.                            |
 
 ### Memory Recall Debugging Playbook
 
@@ -211,7 +209,7 @@ The key distinction: normal compaction is a cost-optimized background process th
 stateDiagram-v2
     [*] --> ActiveItems : extract_items/check_contradictions
     ActiveItems --> PendingConflict : ambiguous_contradiction\n(candidate -> pending_clarification)
-    PendingConflict --> PendingConflict : soft gate ask\n(reask cooldown + relevance + askOnIrrelevantTurns)
+    PendingConflict --> PendingConflict : internal evaluation\n(relevance check, no user prompt)
     PendingConflict --> Dismissed : non-actionable\n(kind policy + transient statement filter)
     PendingConflict --> ResolvedKeepExisting : clarification resolver\n+ applyConflictResolution
     PendingConflict --> ResolvedKeepCandidate : clarification resolver\n+ applyConflictResolution
@@ -224,6 +222,10 @@ stateDiagram-v2
     SupersededItems --> CleanupItems : cleanup_stale_superseded_items
 ```
 
+### Internal-Only Conflict Handling
+
+Memory conflict resolution is entirely internal and non-interruptive. The conflict gate evaluates pending conflicts on each turn, dismisses non-actionable ones (based on kind policy, statement eligibility, coherence, and provenance), and attempts resolution when user input looks like a natural clarification. At no point does the conflict system produce user-facing clarification prompts, inject conflict instructions into the assistant's response, or block the user's request. The user is never aware that a conflict exists; the runtime response path always continues answering the user's actual request. This invariant is enforced across the conflict gate (`session-conflict-gate.ts`), session memory (`session-memory.ts`), session agent loop (`session-agent-loop.ts`), and runtime assembly (`session-runtime-assembly.ts`).
+
 Runtime profile flow (per turn):
 
 1. `ProfileCompiler` builds a trusted profile block from active `profile` / `preference` / `constraint` / `instruction` items under strict token cap.
@@ -238,7 +240,7 @@ Two trust gates enforce trust-class-based access control over the memory pipelin
 
 - **Write gate** (`indexer.ts`): The `extract_items` and `resolve_conflicts` jobs only run for messages from trusted actors (guardian or undefined provenance). Messages from untrusted actors (`trusted_contact`, `unknown`) are still segmented and embedded — so they appear in conversation context — but no profile extraction or conflict resolution is triggered. This prevents untrusted channels from injecting or mutating long-term memory items.
 
-- **Read gate** (`session-memory.ts`): When the current session's actor is untrusted, the memory recall pipeline returns a no-op context — no recall injection, no dynamic profile, no conflict clarification prompts. This ensures untrusted actors cannot surface or exploit previously extracted memory.
+- **Read gate** (`session-memory.ts`): When the current session's actor is untrusted, the memory recall pipeline returns a no-op context — no recall injection, no dynamic profile, no conflict resolution. This ensures untrusted actors cannot surface or exploit previously extracted memory.
 
 Trust policy is **cross-channel and trust-class-based**: decisions use `trustContext.trustClass`, not the channel string. Desktop/IPC sessions default to `trustClass: 'guardian'`. External channels (Telegram, SMS, WhatsApp, voice) provide explicit trust context via the resolver. Messages without provenance metadata are treated as trusted (guardian); all new messages carry provenance.
 
@@ -381,7 +383,7 @@ graph TB
 - **Prepend, not append**: The workspace block is prepended to the user message content so that Anthropic cache breakpoints continue to land on the trailing user text block, preserving prompt cache efficiency.
 - **Runtime-only**: The injected `<workspace_top_level>` block is stripped from `this.messages` after the agent loop completes. It never persists in conversation history or the database.
 - **Dirty-refresh**: The scanner runs once on the first turn, then only re-runs after a successful mutation tool (`file_edit`, `file_write`, `bash`). Failed tool results do not trigger a refresh.
-- **Injection ordering**: Workspace context is injected after other runtime injections (soft conflict instruction, active surface) via `applyRuntimeInjections`, but because it is **prepended** to content blocks, it appears first in the final message.
+- **Injection ordering**: Workspace context is injected after other runtime injections (active surface, etc.) via `applyRuntimeInjections`, but because it is **prepended** to content blocks, it appears first in the final message.
 
 ### Cache compatibility
 
@@ -506,7 +508,6 @@ graph TB
 10. **Provider-aware commit message generation (optional)**: When `workspaceGit.commitMessageLLM.enabled` is `true`, turn-boundary commits attempt to generate a descriptive commit message using the configured LLM provider before falling back to deterministic messages. The feature ships disabled by default and is designed to never degrade turn completion guarantees.
 
     **Commit message LLM fallback chain**: The generator runs a sequence of pre-flight checks before calling the LLM. Each check that fails produces a machine-readable `llmFallbackReason` in the structured log output and immediately returns a deterministic message. The checks, in order:
-
     1. `disabled` — `commitMessageLLM.enabled` is `false` or `useConfiguredProvider` is `false`
     2. `missing_provider_api_key` — the configured provider's API key is not set in `config.apiKeys` (skipped for keyless providers like Ollama that run without an API key)
     3. `breaker_open` — the generator's internal circuit breaker is open after consecutive LLM failures (exponential backoff)
@@ -516,11 +517,9 @@ graph TB
     7. `timeout` — the LLM call exceeded `timeoutMs` (AbortController fires)
     8. `provider_error` — the provider threw an exception during the LLM call
     9. `invalid_output` — the LLM returned empty text, the literal string "FALLBACK", or total output > 500 chars
-
     - **Subject line capping**: If the LLM subject line exceeds 72 chars it is deterministically truncated to 72 chars. This is NOT treated as a failure (no breaker penalty, no deterministic fallback).
 
     **Fast model resolution**: The LLM call uses a small/fast model to minimize latency and cost. The model is resolved **before** any provider call as a pre-flight check:
-
     - If `commitMessageLLM.providerFastModelOverrides[provider]` is set, that model is used.
     - Otherwise, a built-in default is used: `anthropic` -> `claude-haiku-4-5-20251001`, `openai` -> `gpt-4o-mini`, `gemini` -> `gemini-2.0-flash`.
     - If the configured provider has no override and no built-in default (e.g., `ollama`, `fireworks`, `openrouter`), the generator returns a deterministic fallback with reason `missing_fast_model` and the provider is never called. To enable LLM commit messages for such providers, set `providerFastModelOverrides[provider]` to the desired model.

package/docs/runbook-trusted-contacts.md

@@ -62,10 +62,7 @@ Response shape:
     {
       "id": "uuid",
       "displayName": "Alice",
-      "relationship": "friend",
-      "importance": 0.5,
-      "responseExpectation": null,
-      "preferredTone": null,
+      "notes": null,
       "lastInteraction": 1700000000000,
       "interactionCount": 12,
       "createdAt": 1699000000000,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/assistant",
-  "version": "0.4.30",
+  "version": "0.4.32",
   "type": "module",
   "bin": {
     "vellum": "./src/index.ts"

package/src/__tests__/__snapshots__/ipc-snapshot.test.ts.snap

@@ -145,13 +145,6 @@ exports[`IPC message snapshots ClientMessage types usage_request serializes to e
 }
 `;
 
-exports[`IPC message snapshots ClientMessage types sandbox_set serializes to expected JSON 1`] = `
-{
-  "enabled": true,
-  "type": "sandbox_set",
-}
-`;
-
 exports[`IPC message snapshots ClientMessage types cu_session_create serializes to expected JSON 1`] = `
 {
   "screenHeight": 1080,

package/src/__tests__/anthropic-provider.test.ts

@@ -8,6 +8,7 @@ import type { Message, ToolDefinition } from "../providers/types.js";
 
 let lastStreamParams: Record<string, unknown> | null = null;
 let _lastStreamOptions: Record<string, unknown> | null = null;
+let lastConstructorArgs: Record<string, unknown> | null = null;
 
 const fakeResponse = {
   content: [{ type: "text", text: "Hello" }],
@@ -33,7 +34,9 @@ class FakeAPIError extends Error {
 mock.module("@anthropic-ai/sdk", () => ({
   default: class MockAnthropic {
     static APIError = FakeAPIError;
-    constructor() {}
+    constructor(args: Record<string, unknown>) {
+      lastConstructorArgs = { ...args };
+    }
     messages = {
       stream: (
         params: Record<string, unknown>,
@@ -127,6 +130,7 @@ describe("AnthropicProvider — Cache-Control Characterization", () => {
   beforeEach(() => {
     lastStreamParams = null;
     _lastStreamOptions = null;
+    lastConstructorArgs = null;
     provider = new AnthropicProvider("sk-ant-test", "claude-sonnet-4-6");
   });
 
@@ -935,3 +939,84 @@ describe("AnthropicProvider — Cache-Control Characterization", () => {
     expect(userMsgs[2].content[1].cache_control).toEqual({ type: "ephemeral" });
   });
 });
+
+// ---------------------------------------------------------------------------
+// Tests — Managed Proxy Fallback
+// ---------------------------------------------------------------------------
+
+describe("AnthropicProvider — Managed Proxy Fallback", () => {
+  beforeEach(() => {
+    lastStreamParams = null;
+    _lastStreamOptions = null;
+    lastConstructorArgs = null;
+  });
+
+  test("constructor passes baseURL to Anthropic SDK when provided", () => {
+    new AnthropicProvider("managed-key", "claude-sonnet-4-6", {
+      baseURL: "https://platform.example.com/v1/runtime-proxy/anthropic",
+    });
+
+    expect(lastConstructorArgs).not.toBeNull();
+    expect(lastConstructorArgs!.apiKey).toBe("managed-key");
+    expect(lastConstructorArgs!.baseURL).toBe(
+      "https://platform.example.com/v1/runtime-proxy/anthropic",
+    );
+  });
+
+  test("constructor does not set baseURL when option is omitted", () => {
+    new AnthropicProvider("sk-ant-user-key", "claude-sonnet-4-6");
+
+    expect(lastConstructorArgs).not.toBeNull();
+    expect(lastConstructorArgs!.apiKey).toBe("sk-ant-user-key");
+    expect(lastConstructorArgs!.baseURL).toBeUndefined();
+  });
+
+  test("managed mode provider preserves tool-pairing behavior", async () => {
+    const provider = new AnthropicProvider("managed-key", "claude-sonnet-4-6", {
+      baseURL: "https://platform.example.com/v1/runtime-proxy/anthropic",
+    });
+
+    const messages: Message[] = [
+      userMsg("Read file"),
+      toolUseMsg("tu_1", "file_read"),
+      toolResultMsg("tu_1", "file contents"),
+    ];
+    await provider.sendMessage(messages);
+
+    const sent = lastStreamParams!.messages as Array<{
+      role: string;
+      content: Array<{ type: string; tool_use_id?: string }>;
+    }>;
+
+    expect(sent).toHaveLength(3);
+    const toolResults = sent[2].content.filter((b) => b.type === "tool_result");
+    expect(toolResults).toHaveLength(1);
+    expect(toolResults[0].tool_use_id).toBe("tu_1");
+  });
+
+  test("managed mode provider preserves cache-control behavior", async () => {
+    const provider = new AnthropicProvider("managed-key", "claude-sonnet-4-6", {
+      baseURL: "https://platform.example.com/v1/runtime-proxy/anthropic",
+    });
+
+    await provider.sendMessage(
+      [userMsg("Hi")],
+      sampleTools,
+      "You are helpful.",
+    );
+
+    // System prompt cache control
+    const system = lastStreamParams!.system as Array<{
+      cache_control?: { type: string };
+    }>;
+    expect(system[0].cache_control).toEqual({ type: "ephemeral" });
+
+    // Last tool cache control
+    const tools = lastStreamParams!.tools as Array<{
+      cache_control?: { type: string };
+    }>;
+    expect(tools[tools.length - 1].cache_control).toEqual({
+      type: "ephemeral",
+    });
+  });
+});

package/src/__tests__/assistant-feature-flags-integration.test.ts

@@ -241,8 +241,8 @@ describe("buildSystemPrompt assistant feature flag filtering", () => {
 
     const result = buildSystemPrompt();
 
-    // browser is declared in the registry with defaultEnabled: false
-    expect(result).not.toContain('id="browser"');
+    // browser is declared in the registry with defaultEnabled: true
+    expect(result).toContain('id="browser"');
   });
 });
 

package/src/__tests__/checker.test.ts

@@ -55,16 +55,16 @@ mock.module("../util/logger.js", () => ({
 }));
 
 // Mutable config object so tests can switch permissions.mode between
-// 'legacy', 'strict', and 'workspace' without re-registering the mock.
+// 'strict' and 'workspace' without re-registering the mock.
 interface TestConfig {
-  permissions: { mode: "legacy" | "strict" | "workspace" };
+  permissions: { mode: "strict" | "workspace" };
   skills: { load: { extraDirs: string[] } };
   sandbox: { enabled: boolean };
   [key: string]: unknown;
 }
 
 const testConfig: TestConfig = {
-  permissions: { mode: "legacy" },
+  permissions: { mode: "workspace" },
   skills: { load: { extraDirs: [] } },
   sandbox: { enabled: true },
 };
@@ -81,7 +81,6 @@ mock.module("../config/loader.js", () => ({
 }));
 
 import {
-  _resetLegacyDeprecationWarning,
   check,
   classifyRisk,
   generateAllowlistOptions,
@@ -169,11 +168,9 @@ describe("Permission Checker", () => {
   beforeEach(() => {
     // Reset trust-store state between tests
     clearCache();
-    // Reset permissions mode to legacy so existing tests are not affected
-    testConfig.permissions = { mode: "legacy" };
+    // Reset permissions mode to workspace (default) so existing tests are not affected
+    testConfig.permissions = { mode: "workspace" };
     testConfig.skills = { load: { extraDirs: [] } };
-    // Reset the one-time legacy deprecation warning flag and captured log calls
-    _resetLegacyDeprecationWarning();
     loggerWarnCalls.length = 0;
     try {
       rmSync(join(checkerTestDir, "protected", "trust.json"));
@@ -684,12 +681,22 @@ describe("Permission Checker", () => {
       expect(result.decision).toBe("allow");
     });
 
-    test("file_write with no rule → prompt", async () => {
+    test("file_write within workspace with no rule → auto-allowed in workspace mode", async () => {
       const result = await check(
         "file_write",
         { path: "/tmp/file.txt" },
         "/tmp",
       );
+      expect(result.decision).toBe("allow");
+      expect(result.reason).toContain("workspace-scoped");
+    });
+
+    test("file_write outside workspace with no rule → prompt", async () => {
+      const result = await check(
+        "file_write",
+        { path: "/etc/some-file.txt" },
+        "/tmp",
+      );
       expect(result.decision).toBe("prompt");
     });
 
@@ -1354,12 +1361,10 @@ describe("Permission Checker", () => {
     });
 
     test("core tool (no origin) still follows risk-based fallback", async () => {
-      // file_read is a core tool with Low risk → should auto-allow as before
-      const result = await check(
-        "file_read",
-        { path: "/tmp/test.txt" },
-        "/tmp",
-      );
+      // file_read is a core tool with Low risk — in workspace mode,
+      // workspace-scoped invocations are auto-allowed before risk fallback.
+      // Use a path outside the workspace to test the risk-based fallback.
+      const result = await check("file_read", { path: "/etc/hosts" }, "/tmp");
       expect(result.decision).toBe("allow");
       expect(result.reason).toContain("Low risk");
     });
@@ -1488,7 +1493,8 @@ describe("Permission Checker", () => {
 
     test("file_write of non-workspace file is not auto-allowed", async () => {
       const otherPath = join(checkerTestDir, "workspace", "OTHER.md");
-      const result = await check("file_write", { path: otherPath }, "/tmp");
+      // Use a workingDir that doesn't contain the path so it's not workspace-scoped
+      const result = await check("file_write", { path: otherPath }, "/home");
       // Medium risk with no matching allow rule → prompt
       expect(result.decision).toBe("prompt");
     });
@@ -2565,7 +2571,7 @@ describe("Permission Checker", () => {
       });
 
       test("legacy mode: file_write to skill source still prompts as High risk", async () => {
-        testConfig.permissions.mode = "legacy";
+        testConfig.permissions.mode = "workspace";
         ensureSkillsDir();
         const skillPath = join(
           checkerTestDir,
@@ -3327,7 +3333,7 @@ describe("Permission Checker", () => {
     });
 
     test("skill_load auto-allows in legacy mode (backward compat)", async () => {
-      testConfig.permissions.mode = "legacy";
+      testConfig.permissions.mode = "workspace";
       const result = await check("skill_load", { skill: "any-skill" }, "/tmp");
       expect(result.decision).toBe("allow");
       // The default allow rule matches before the Low risk fallback
@@ -3850,7 +3856,7 @@ describe("Permission Checker", () => {
 
     describe("Invariant 6: user can set broad rules if they choose", () => {
       test("wildcard allow rule matches any command in legacy mode", async () => {
-        testConfig.permissions.mode = "legacy";
+        testConfig.permissions.mode = "workspace";
         addRule("bash", "*", "everywhere");
         const result = await check(
           "bash",
@@ -4203,7 +4209,7 @@ describe("Permission Checker", () => {
     }
 
     test("browser tools are auto-allowed in legacy mode", async () => {
-      testConfig.permissions = { mode: "legacy" };
+      testConfig.permissions = { mode: "workspace" };
       for (const toolName of browserToolNames) {
         const result = await check(toolName, {}, "/tmp");
         expect(result.decision).toBe("allow");
@@ -4218,7 +4224,7 @@ describe("Permission Checker", () => {
           expect(result.decision).toBe("allow");
         }
       } finally {
-        testConfig.permissions = { mode: "legacy" };
+        testConfig.permissions = { mode: "workspace" };
       }
     });
   });
@@ -4295,7 +4301,7 @@ describe("Permission Checker", () => {
 describe("bash network_mode=proxied — no special-casing", () => {
   beforeEach(() => {
     clearCache();
-    testConfig.permissions = { mode: "legacy" };
+    testConfig.permissions = { mode: "workspace" };
     testConfig.skills = { load: { extraDirs: [] } };
   });
 
@@ -4416,7 +4422,7 @@ describe("computer-use tool permission defaults", () => {
 describe("scope matching behavior", () => {
   beforeEach(() => {
     clearCache();
-    testConfig.permissions = { mode: "legacy" };
+    testConfig.permissions = { mode: "workspace" };
     try {
       rmSync(join(checkerTestDir, "protected", "trust.json"));
     } catch {
@@ -4456,6 +4462,8 @@ describe("scope matching behavior", () => {
   });
 
   test("project-scoped rule does NOT match invocations from sibling directory", async () => {
+    // Use strict mode to test rule-matching isolation without workspace auto-allow
+    testConfig.permissions.mode = "strict";
     const projectDir = "/home/user/my-project";
     // Use a broad pattern that matches any file, scoped to the project
     addRule("file_write", "file_write:*", projectDir);
@@ -4470,6 +4478,8 @@ describe("scope matching behavior", () => {
   });
 
   test("project-scoped rule does NOT match invocations from parent directory", async () => {
+    // Use strict mode to test rule-matching isolation without workspace auto-allow
+    testConfig.permissions.mode = "strict";
     const projectDir = "/home/user/my-project";
     addRule("file_write", "file_write:*", projectDir);
 
@@ -4483,6 +4493,8 @@ describe("scope matching behavior", () => {
   });
 
   test("project-scoped rule does NOT match directory with shared prefix", async () => {
+    // Use strict mode to test rule-matching isolation without workspace auto-allow
+    testConfig.permissions.mode = "strict";
     // A rule for /home/user/project should NOT match /home/user/project-evil
     // (directory-boundary enforcement in matchesScope)
     const projectDir = "/home/user/project";
@@ -4562,7 +4574,7 @@ describe("workspace mode — auto-allow workspace-scoped operations", () => {
   });
 
   afterEach(() => {
-    testConfig.permissions = { mode: "legacy" };
+    testConfig.permissions = { mode: "workspace" };
   });
 
   // ── workspace-scoped file operations auto-allow ──────────────────
@@ -4771,79 +4783,6 @@ describe("workspace mode — auto-allow workspace-scoped operations", () => {
   });
 });
 
-// ── legacy mode deprecation warning ─────────────────────────────────────
-
-describe("legacy mode — deprecation warning", () => {
-  beforeEach(() => {
-    clearCache();
-    _resetLegacyDeprecationWarning();
-    loggerWarnCalls.length = 0;
-    testConfig.permissions = { mode: "legacy" };
-    testConfig.skills = { load: { extraDirs: [] } };
-    try {
-      rmSync(join(checkerTestDir, "protected", "trust.json"));
-    } catch {
-      /* may not exist */
-    }
-  });
-
-  afterEach(() => {
-    testConfig.permissions = { mode: "legacy" };
-  });
-
-  test("emits deprecation warning on first check() call in legacy mode", async () => {
-    await check("file_read", { file_path: "/tmp/test.txt" }, "/tmp");
-    expect(loggerWarnCalls.some((m) => m.includes("deprecated"))).toBe(true);
-    expect(loggerWarnCalls.some((m) => m.includes("legacy"))).toBe(true);
-  });
-
-  test("deprecation warning fires only once per process", async () => {
-    await check("file_read", { file_path: "/tmp/a.txt" }, "/tmp");
-    const firstCount = loggerWarnCalls.filter((m) =>
-      m.includes("deprecated"),
-    ).length;
-    expect(firstCount).toBe(1);
-
-    await check("file_read", { file_path: "/tmp/b.txt" }, "/tmp");
-    const secondCount = loggerWarnCalls.filter((m) =>
-      m.includes("deprecated"),
-    ).length;
-    expect(secondCount).toBe(1);
-  });
-
-  test("no deprecation warning in workspace mode", async () => {
-    testConfig.permissions = { mode: "workspace" };
-    await check("file_read", { file_path: "/tmp/test.txt" }, "/tmp");
-    expect(loggerWarnCalls.some((m) => m.includes("deprecated"))).toBe(false);
-  });
-
-  test("no deprecation warning in strict mode", async () => {
-    testConfig.permissions = { mode: "strict" };
-    await check("file_read", { file_path: "/tmp/test.txt" }, "/tmp");
-    expect(loggerWarnCalls.some((m) => m.includes("deprecated"))).toBe(false);
-  });
-
-  test("legacy mode still produces correct decisions (low risk auto-allowed)", async () => {
-    const result = await check(
-      "file_read",
-      { file_path: "/tmp/test.txt" },
-      "/tmp",
-    );
-    expect(result.decision).toBe("allow");
-    expect(result.reason).toContain("Low risk");
-  });
-
-  test("legacy mode still prompts for medium risk", async () => {
-    const result = await check(
-      "file_write",
-      { file_path: "/tmp/test.txt" },
-      "/tmp",
-    );
-    expect(result.decision).toBe("prompt");
-    expect(result.reason).toContain("risk");
-  });
-});
-
 describe("shell command candidates wiring (PR 04)", () => {
   test("existing raw shell rule still matches", async () => {
     clearCache();
@@ -4896,7 +4835,7 @@ describe("integration regressions (PR 11)", () => {
       /* may not exist */
     }
     clearCache();
-    testConfig.permissions = { mode: "legacy" };
+    testConfig.permissions = { mode: "workspace" };
     testConfig.sandbox = { enabled: true };
   });