@vellumai/assistant 0.4.37 → 0.4.41

package/src/runtime/routes/twilio-routes.ts

@@ -22,6 +22,7 @@ import {
   getPhoneNumberSid,
   getTollFreeVerificationBySid,
   getTollFreeVerificationStatus,
+  getTwilioCredentials,
   hasTwilioCredentials,
   listIncomingPhoneNumbers,
   provisionPhoneNumber,
@@ -37,9 +38,9 @@ import { getReadinessService } from "../../daemon/handlers/config-channels.js";
 import { syncTwilioWebhooks } from "../../daemon/handlers/config-ingress.js";
 import type { IngressConfig } from "../../inbound/public-ingress-urls.js";
 import {
-  deleteSecureKey,
+  deleteSecureKeyAsync,
   getSecureKey,
-  setSecureKey,
+  setSecureKeyAsync,
 } from "../../security/secure-keys.js";
 import {
   deleteCredentialMetadata,
@@ -149,7 +150,7 @@ function pruneAssistantPhoneNumbers(
 export function handleGetTwilioConfig(): Response {
   const hasCredentials = hasTwilioCredentials();
   const accountSid = hasCredentials
-    ? getSecureKey("credential:twilio:account_sid")
+    ? getTwilioCredentials().accountSid
     : undefined;
   const raw = loadRawConfig();
   const sms = (raw?.sms ?? {}) as Record<string, unknown>;
@@ -213,8 +214,8 @@ export async function handleSetTwilioCredentials(
     });
   }
 
-  // Store credentials securely
-  const sidStored = setSecureKey(
+  // Store credentials securely (async — writes broker + encrypted store)
+  const sidStored = await setSecureKeyAsync(
     "credential:twilio:account_sid",
     body.accountSid,
   );
@@ -226,12 +227,12 @@ export async function handleSetTwilioCredentials(
     });
   }
 
-  const tokenStored = setSecureKey(
+  const tokenStored = await setSecureKeyAsync(
     "credential:twilio:auth_token",
     body.authToken,
   );
   if (!tokenStored) {
-    deleteSecureKey("credential:twilio:account_sid");
+    await deleteSecureKeyAsync("credential:twilio:account_sid");
     return Response.json({
       success: false,
       hasCredentials: false,
@@ -239,6 +240,11 @@ export async function handleSetTwilioCredentials(
     });
   }
 
+  const raw = loadRawConfig();
+  const twilio = (raw?.twilio ?? {}) as Record<string, unknown>;
+  twilio.accountSid = body.accountSid;
+  saveRawConfig({ ...raw, twilio });
+
   upsertCredentialMetadata("twilio", "account_sid", {
     injectionTemplates: [
       {
@@ -275,9 +281,25 @@ export async function handleSetTwilioCredentials(
 /**
  * DELETE /v1/integrations/twilio/credentials
  */
-export function handleClearTwilioCredentials(): Response {
-  deleteSecureKey("credential:twilio:account_sid");
-  deleteSecureKey("credential:twilio:auth_token");
+export async function handleClearTwilioCredentials(): Promise<Response> {
+  const r1 = await deleteSecureKeyAsync("credential:twilio:account_sid");
+  const r2 = await deleteSecureKeyAsync("credential:twilio:auth_token");
+
+  if (r1 === "error" || r2 === "error") {
+    return Response.json(
+      {
+        success: false,
+        error: "Failed to delete Twilio credentials from secure storage",
+      },
+      { status: 500 },
+    );
+  }
+
+  const raw = loadRawConfig();
+  const twilio = (raw?.twilio ?? {}) as Record<string, unknown>;
+  delete twilio.accountSid;
+  saveRawConfig({ ...raw, twilio });
+
   deleteCredentialMetadata("twilio", "account_sid");
   deleteCredentialMetadata("twilio", "auth_token");
 
@@ -296,8 +318,7 @@ export async function handleListTwilioNumbers(): Promise<Response> {
     });
   }
 
-  const accountSid = getSecureKey("credential:twilio:account_sid")!;
-  const authToken = getSecureKey("credential:twilio:auth_token")!;
+  const { accountSid, authToken } = getTwilioCredentials();
   const numbers = await listIncomingPhoneNumbers(accountSid, authToken);
 
   return Response.json({ success: true, hasCredentials: true, numbers });
@@ -323,8 +344,7 @@ export async function handleProvisionTwilioNumber(
     country?: string;
     areaCode?: string;
   };
-  const accountSid = getSecureKey("credential:twilio:account_sid")!;
-  const authToken = getSecureKey("credential:twilio:auth_token")!;
+  const { accountSid, authToken } = getTwilioCredentials();
   const country = body.country ?? "US";
 
   const available = await searchAvailableNumbers(
@@ -347,7 +367,7 @@ export async function handleProvisionTwilioNumber(
     available[0].phoneNumber,
   );
 
-  const phoneStored = setSecureKey(
+  const phoneStored = await setSecureKeyAsync(
     "credential:twilio:phone_number",
     purchased.phoneNumber,
   );
@@ -403,7 +423,7 @@ export async function handleAssignTwilioNumber(
     );
   }
 
-  const phoneStored = setSecureKey(
+  const phoneStored = await setSecureKeyAsync(
     "credential:twilio:phone_number",
     body.phoneNumber,
   );
@@ -424,8 +444,8 @@ export async function handleAssignTwilioNumber(
   // Best-effort webhook configuration when credentials are available
   let webhookWarning: string | undefined;
   if (hasTwilioCredentials()) {
-    const acctSid = getSecureKey("credential:twilio:account_sid")!;
-    const acctToken = getSecureKey("credential:twilio:auth_token")!;
+    const { accountSid: acctSid, authToken: acctToken } =
+      getTwilioCredentials();
     const webhookResult = await syncTwilioWebhooks(
       body.phoneNumber,
       acctSid,
@@ -473,8 +493,7 @@ export async function handleReleaseTwilioNumber(
     });
   }
 
-  const accountSid = getSecureKey("credential:twilio:account_sid")!;
-  const authToken = getSecureKey("credential:twilio:auth_token")!;
+  const { accountSid, authToken } = getTwilioCredentials();
 
   await releasePhoneNumber(accountSid, authToken, phoneNumber);
 
@@ -486,7 +505,7 @@ export async function handleReleaseTwilioNumber(
 
   const storedPhone = getSecureKey("credential:twilio:phone_number");
   if (storedPhone === phoneNumber) {
-    deleteSecureKey("credential:twilio:phone_number");
+    await deleteSecureKeyAsync("credential:twilio:phone_number");
   }
 
   return Response.json({
@@ -521,8 +540,7 @@ export async function handleGetSmsCompliance(): Promise<Response> {
     });
   }
 
-  const accountSid = getSecureKey("credential:twilio:account_sid")!;
-  const authToken = getSecureKey("credential:twilio:auth_token")!;
+  const { accountSid, authToken } = getTwilioCredentials();
 
   const tollFreePrefixes = [
     "+1800",
@@ -691,8 +709,7 @@ export async function handleSubmitTollfreeVerification(
     );
   }
 
-  const accountSid = getSecureKey("credential:twilio:account_sid")!;
-  const authToken = getSecureKey("credential:twilio:auth_token")!;
+  const { accountSid, authToken } = getTwilioCredentials();
 
   const submitParams: TollFreeVerificationSubmitParams = {
     tollfreePhoneNumberSid: vp.tollfreePhoneNumberSid as string,
@@ -743,8 +760,7 @@ export async function handleUpdateTollfreeVerification(
     });
   }
 
-  const accountSid = getSecureKey("credential:twilio:account_sid")!;
-  const authToken = getSecureKey("credential:twilio:auth_token")!;
+  const { accountSid, authToken } = getTwilioCredentials();
 
   const currentVerification = await getTollFreeVerificationBySid(
     accountSid,
@@ -827,8 +843,7 @@ export async function handleDeleteTollfreeVerification(
     });
   }
 
-  const accountSid = getSecureKey("credential:twilio:account_sid")!;
-  const authToken = getSecureKey("credential:twilio:auth_token")!;
+  const { accountSid, authToken } = getTwilioCredentials();
 
   await deleteTollFreeVerification(accountSid, authToken, verificationSid);
 
@@ -885,8 +900,7 @@ export async function handleSmsSendTest(req: Request): Promise<Response> {
     });
   }
 
-  const accountSid = getSecureKey("credential:twilio:account_sid")!;
-  const authToken = getSecureKey("credential:twilio:auth_token")!;
+  const { accountSid, authToken } = getTwilioCredentials();
   const text = body.text || "Test SMS from your Vellum assistant";
 
   // Send via gateway's /deliver/sms endpoint
@@ -1001,8 +1015,7 @@ export async function handleSmsDoctor(): Promise<Response> {
         getSecureKey("credential:twilio:phone_number") ||
         "";
       if (phoneNumber) {
-        const accountSid = getSecureKey("credential:twilio:account_sid")!;
-        const authToken = getSecureKey("credential:twilio:auth_token")!;
+        const { accountSid, authToken } = getTwilioCredentials();
         const isTollFree =
           phoneNumber.startsWith("+1") &&
           ["800", "888", "877", "866", "855", "844", "833"].some((p) =>
@@ -1178,7 +1191,7 @@ export function twilioRouteDefinitions(): RouteDefinition[] {
     {
       endpoint: "integrations/twilio/credentials",
       method: "DELETE",
-      handler: () => handleClearTwilioCredentials(),
+      handler: async () => handleClearTwilioCredentials(),
     },
     {
       endpoint: "integrations/twilio/numbers",

package/src/schedule/integration-status.ts

@@ -1,3 +1,4 @@
+import { hasTwilioCredentials } from "../calls/twilio-rest.js";
 import { getSecureKey } from "../security/secure-keys.js";
 
 interface IntegrationProbe {
@@ -29,9 +30,7 @@ const INTEGRATION_PROBES: IntegrationProbe[] = [
   {
     name: "SMS",
     category: "messaging",
-    isConnected: () =>
-      !!getSecureKey("credential:twilio:account_sid") &&
-      !!getSecureKey("credential:twilio:auth_token"),
+    isConnected: () => hasTwilioCredentials(),
   },
   {
     name: "Telegram",

package/src/security/token-manager.ts

@@ -12,7 +12,7 @@ import {
 } from "../tools/credentials/metadata-store.js";
 import { getLogger } from "../util/logger.js";
 import { refreshOAuth2Token, type TokenEndpointAuthMethod } from "./oauth2.js";
-import { getSecureKey, setSecureKey } from "./secure-keys.js";
+import { getSecureKey, setSecureKeyAsync } from "./secure-keys.js";
 
 const log = getLogger("token-manager");
 
@@ -217,7 +217,12 @@ async function doRefresh(service: string): Promise<string> {
     throw err;
   }
 
-  if (!setSecureKey(`credential:${service}:access_token`, result.accessToken)) {
+  if (
+    !(await setSecureKeyAsync(
+      `credential:${service}:access_token`,
+      result.accessToken,
+    ))
+  ) {
     throw new TokenExpiredError(
       service,
       `Failed to store refreshed access token for "${service}".`,
@@ -226,7 +231,10 @@ async function doRefresh(service: string): Promise<string> {
 
   if (result.refreshToken) {
     if (
-      !setSecureKey(`credential:${service}:refresh_token`, result.refreshToken)
+      !(await setSecureKeyAsync(
+        `credential:${service}:refresh_token`,
+        result.refreshToken,
+      ))
     ) {
       throw new TokenExpiredError(
         service,

package/src/tools/apps/executors.ts

@@ -8,10 +8,14 @@
  * ToolDefinition or ToolContext types.
  */
 
+import { compileApp } from "../../bundler/app-compiler.js";
 import { setHomeBaseAppLink } from "../../home-base/app-link-store.js";
 import { generateAppIcon } from "../../media/app-icon-generator.js";
-import type { AppDefinition } from "../../memory/app-store.js";
-import type { EditEngineResult } from "../../memory/app-store.js";
+import type {
+  AppDefinition,
+  EditEngineResult,
+} from "../../memory/app-store.js";
+import { getAppsDir, isMultifileApp } from "../../memory/app-store.js";
 
 // ---------------------------------------------------------------------------
 // Shared result type
@@ -45,6 +49,7 @@ export interface AppStoreWriter {
     schemaJson: string;
     htmlDefinition: string;
     pages?: Record<string, string>;
+    formatVersion?: number;
   }): AppDefinition;
   updateApp(
     id: string,
@@ -77,6 +82,28 @@ export type ProxyResolver = (
   input: Record<string, unknown>,
 ) => Promise<ExecutorResult>;
 
+// ---------------------------------------------------------------------------
+// Path resolution — multifile apps default to src/ for file operations
+// ---------------------------------------------------------------------------
+
+/**
+ * For multifile (formatVersion 2) apps, prepend `src/` to paths that don't
+ * already target a known top-level directory (src/, dist/, records/).
+ * Legacy apps pass through unchanged.
+ */
+export function resolveAppFilePath(app: AppDefinition, path: string): string {
+  if (!isMultifileApp(app)) return path;
+  const normalized = path.replace(/\\/g, "/").replace(/^\.\//, "");
+  if (
+    normalized.startsWith("src/") ||
+    normalized.startsWith("dist/") ||
+    normalized.startsWith("records/")
+  ) {
+    return normalized;
+  }
+  return `src/${normalized}`;
+}
+
 // ---------------------------------------------------------------------------
 // app_create
 // ---------------------------------------------------------------------------
@@ -90,6 +117,8 @@ export interface AppCreateInput {
   auto_open?: boolean;
   set_as_home_base?: boolean;
   preview?: Record<string, unknown>;
+  /** When provided, controls multifile scaffold behavior. */
+  featureFlags?: { multifileEnabled: boolean };
 }
 
 export async function executeAppCreate(
@@ -146,15 +175,71 @@ export async function executeAppCreate(
   const rawIcon = preview?.icon as string | undefined;
   const icon = rawIcon && !rawIcon.startsWith("http") ? rawIcon : undefined;
 
+  const multifileEnabled = input.featureFlags?.multifileEnabled === true;
+
   const app = store.createApp({
     name,
     description,
     icon,
     schemaJson,
-    htmlDefinition,
-    pages,
+    htmlDefinition: multifileEnabled ? "" : htmlDefinition,
+    pages: multifileEnabled ? undefined : pages,
+    formatVersion: multifileEnabled ? 2 : undefined,
   });
 
+  // Scaffold multifile app with src/ files and compile to dist/
+  if (multifileEnabled) {
+    const htmlSafeName = name
+      .replace(/&/g, "&amp;")
+      .replace(/</g, "&lt;")
+      .replace(/>/g, "&gt;")
+      .replace(/"/g, "&quot;");
+    const jsxSafeName = name.replace(/[<>{}&"']/g, "");
+
+    const indexHtml =
+      typeof input.html === "string"
+        ? input.html
+        : `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>${htmlSafeName}</title>
+</head>
+<body>
+  <div id="app"></div>
+</body>
+</html>`;
+
+    const mainTsx = `import { render } from 'preact';
+
+function App() {
+  return <div>{"Hello, ${jsxSafeName}!"}</div>;
+}
+
+render(<App />, document.getElementById('app')!);
+`;
+
+    store.writeAppFile(app.id, "src/index.html", indexHtml);
+    store.writeAppFile(app.id, "src/main.tsx", mainTsx);
+
+    // Compile src/ → dist/
+    const { join } = await import("node:path");
+    const appDir = join(getAppsDir(), app.id);
+    const compileResult = await compileApp(appDir);
+    if (!compileResult.ok) {
+      return {
+        content: JSON.stringify({
+          ...app,
+          compile_errors: compileResult.errors,
+          compile_warnings: compileResult.warnings,
+          compile_duration_ms: compileResult.durationMs,
+        }),
+        isError: false,
+      };
+    }
+  }
+
   if (input.set_as_home_base) {
     setHomeBaseAppLink(app.id, "personalized");
   }
@@ -305,6 +390,23 @@ export function executeAppFileList(
   store: AppStoreReader,
 ): ExecutorResult {
   const files = store.listAppFiles(input.app_id);
+  const app = store.getApp(input.app_id);
+
+  if (app && isMultifileApp(app)) {
+    // Separate build output paths from source paths without mutating the
+    // file path strings — consumers need clean paths for subsequent tool calls.
+    const buildOutputPaths = files.filter((f) =>
+      f.replace(/\\/g, "/").startsWith("dist/"),
+    );
+    return {
+      content: JSON.stringify({
+        files,
+        buildOutput: buildOutputPaths,
+      }),
+      isError: false,
+    };
+  }
+
   return { content: JSON.stringify(files), isError: false };
 }
 
@@ -326,7 +428,9 @@ export function executeAppFileRead(
   const offset = input.offset ?? 1;
   const limit = input.limit;
 
-  const raw = store.readAppFile(input.app_id, input.path);
+  const app = store.getApp(input.app_id);
+  const resolvedPath = app ? resolveAppFilePath(app, input.path) : input.path;
+  const raw = store.readAppFile(input.app_id, resolvedPath);
   const allLines = raw.split("\n");
   const startIndex = Math.max(0, offset - 1);
   const sliced =
@@ -368,10 +472,13 @@ export function executeAppFileEdit(
     };
   }
 
+  const app = store.getApp(input.app_id);
+  const resolvedPath = app ? resolveAppFilePath(app, input.path) : input.path;
+
   const replaceAll = input.replace_all ?? false;
   const result = store.editAppFile(
     input.app_id,
-    input.path,
+    resolvedPath,
     input.old_string,
     input.new_string,
     replaceAll,
@@ -406,9 +513,10 @@ export function executeAppFileWrite(
     };
   }
 
-  store.writeAppFile(input.app_id, input.path, input.content);
+  const resolvedPath = resolveAppFilePath(app, input.path);
+  store.writeAppFile(input.app_id, resolvedPath, input.content);
   return {
-    content: JSON.stringify({ written: true, path: input.path }),
+    content: JSON.stringify({ written: true, path: resolvedPath }),
     isError: false,
     status: input.status,
   };

package/src/tools/browser/browser-manager.ts

@@ -25,6 +25,30 @@ function getDownloadsDir(): string {
   return dir;
 }
 
+/** Wraps a promise with a timeout to prevent indefinite hangs. */
+export function withTimeout<T>(
+  promise: Promise<T>,
+  ms: number,
+  label: string,
+): Promise<T> {
+  return new Promise<T>((resolve, reject) => {
+    const timer = setTimeout(
+      () => reject(new Error(`${label} timed out after ${ms}ms`)),
+      ms,
+    );
+    promise.then(
+      (val) => {
+        clearTimeout(timer);
+        resolve(val);
+      },
+      (err) => {
+        clearTimeout(timer);
+        reject(err);
+      },
+    );
+  });
+}
+
 export type DownloadInfo = { path: string; filename: string };
 
 type BrowserContext = {
@@ -679,7 +703,7 @@ class BrowserManager {
       try {
         const filename = dl.suggestedFilename();
         const destPath = join(getDownloadsDir(), `${Date.now()}-${filename}`);
-        await dl.saveAs(destPath);
+        await withTimeout(dl.saveAs(destPath), 120_000, "Download save");
         const info: DownloadInfo = { path: destPath, filename };
 
         // Resolve a pending waiter if one exists, otherwise store for later retrieval
@@ -696,7 +720,11 @@ class BrowserManager {
 
         log.info({ sessionId, filename, path: destPath }, "Download completed");
       } catch (err) {
-        const failure = await dl.failure();
+        const failure = await withTimeout(
+          dl.failure(),
+          5_000,
+          "Download failure check",
+        ).catch(() => null);
         log.warn({ err, failure, sessionId }, "Download failed");
 
         // Reject any pending waiters

package/src/tools/browser/chrome-cdp.ts

@@ -7,7 +7,7 @@
  * make cleanup decisions (e.g. only kill Chrome if *we* launched it).
  */
 
-import { spawn as spawnChild } from "node:child_process";
+import { execSync, spawn as spawnChild } from "node:child_process";
 import { homedir } from "node:os";
 import { join as pathJoin } from "node:path";
 
@@ -51,14 +51,23 @@ export interface EnsureChromeOptions {
 // ---------------------------------------------------------------------------
 
 /**
- * Returns `true` when a CDP endpoint is responding at the given base URL.
+ * Returns `true` when a CDP endpoint is responding at the given base URL
+ * and has at least one open page tab. A CDP endpoint with zero tabs is
+ * stale and unusable — callers should treat it as not ready.
  */
 export async function isCdpReady(
   cdpBase: string = DEFAULT_CDP_BASE,
 ): Promise<boolean> {
   try {
     const res = await fetch(`${cdpBase}/json/version`);
-    return res.ok;
+    if (!res.ok) return false;
+
+    // Verify there's at least one page tab — a CDP endpoint with no tabs
+    // is a stale Chrome process that should be relaunched.
+    const listRes = await fetch(`${cdpBase}/json/list`);
+    if (!listRes.ok) return false;
+    const targets = (await listRes.json()) as Array<{ type: string }>;
+    return targets.some((t) => t.type === "page");
   } catch {
     return false;
   }
@@ -86,6 +95,25 @@ export async function ensureChromeWithCdp(
     return { baseUrl, launchedByUs: false, userDataDir };
   }
 
+  // If CDP is responding but has no tabs (stale), kill the process holding the port.
+  try {
+    const versionRes = await fetch(`${baseUrl}/json/version`);
+    if (versionRes.ok) {
+      // Stale Chrome — CDP up but no tabs. Kill it so we can relaunch.
+      try {
+        execSync(`lsof -ti :${port} | xargs kill -9 2>/dev/null`, {
+          stdio: "ignore",
+        });
+      } catch {
+        // Ignore — process may have already exited.
+      }
+      // Brief wait for port to clear.
+      await new Promise((r) => setTimeout(r, 500));
+    }
+  } catch {
+    // CDP not responding at all — port is free, proceed to launch.
+  }
+
   const args = [
     `--remote-debugging-port=${port}`,
     `--force-renderer-accessibility`,

package/src/tools/credentials/vault.ts

@@ -9,10 +9,10 @@ import { RiskLevel } from "../../permissions/types.js";
 import type { ToolDefinition } from "../../providers/types.js";
 import type { TokenEndpointAuthMethod } from "../../security/oauth2.js";
 import {
-  deleteSecureKey,
+  deleteSecureKeyAsync,
   getSecureKey,
   listSecureKeys,
-  setSecureKey,
+  setSecureKeyAsync,
 } from "../../security/secure-keys.js";
 import { getLogger } from "../../util/logger.js";
 import type { Tool, ToolContext, ToolExecutionResult } from "../types.js";
@@ -381,7 +381,7 @@ class CredentialStoreTool implements Tool {
         }
 
         const key = `credential:${service}:${field}`;
-        const ok = setSecureKey(key, value);
+        const ok = await setSecureKeyAsync(key, value);
         if (!ok) {
           return {
             content: "Error: failed to store credential",
@@ -494,7 +494,7 @@ class CredentialStoreTool implements Tool {
         }
 
         const key = `credential:${service}:${field}`;
-        const result = deleteSecureKey(key);
+        const result = await deleteSecureKeyAsync(key);
         if (result === "error") {
           return {
             content: `Error: failed to delete credential ${service}/${field} from secure storage`,
@@ -564,7 +564,9 @@ class CredentialStoreTool implements Tool {
         const promptPolicy = toPolicyFromInput(promptPolicyInput);
 
         // Parse and validate injection templates (same logic as store action)
-        const promptRawTemplates = input.injection_templates as unknown[] | undefined;
+        const promptRawTemplates = input.injection_templates as
+          | unknown[]
+          | undefined;
         let promptInjectionTemplates: CredentialInjectionTemplate[] | undefined;
         if (promptRawTemplates !== undefined) {
           if (!Array.isArray(promptRawTemplates)) {
@@ -732,7 +734,7 @@ class CredentialStoreTool implements Tool {
 
         // Default: persist to keychain
         const key = `credential:${service}:${field}`;
-        const ok = setSecureKey(key, result.value);
+        const ok = await setSecureKeyAsync(key, result.value);
         if (!ok) {
           return {
             content: "Error: failed to store credential",
@@ -752,7 +754,7 @@ class CredentialStoreTool implements Tool {
             "metadata write failed after storing credential",
           );
         }
-      const promptMeta = getCredentialMetadata(service, field);
+        const promptMeta = getCredentialMetadata(service, field);
         const promptCredIdSuffix = promptMeta
           ? ` (credential_id: ${promptMeta.credentialId})`
           : "";

package/src/tools/executor.ts

@@ -155,6 +155,10 @@ export class ToolExecutor {
         );
         // Buffer so the shell's own timeout fires first and handles cleanup
         toolTimeoutMs = (shellTimeoutSec + 5) * 1000;
+      } else if (name === "claude_code") {
+        // Claude Code spawns a subprocess that manages its own turn limits
+        // (maxTurns). Give it a generous timeout so it isn't killed mid-task.
+        toolTimeoutMs = 10 * 60 * 1000; // 10 minutes
       } else {
         const rawTimeoutSec = getConfig().timeouts.toolExecutionTimeoutSec;
         toolTimeoutMs = safeTimeoutMs(rawTimeoutSec);