@vellumai/assistant 0.5.13 → 0.5.15

package/src/__tests__/tool-input-summary.test.ts

@@ -0,0 +1,124 @@
+import { describe, expect, test } from "bun:test";
+
+import { summarizeToolInput } from "../tools/tool-input-summary.js";
+
+describe("summarizeToolInput", () => {
+  test("bash with short command returns full command", () => {
+    expect(summarizeToolInput("bash", { command: "ls -la" })).toBe("ls -la");
+  });
+
+  test("bash with long command truncates with ellipsis", () => {
+    const longCmd = "a".repeat(200);
+    const result = summarizeToolInput("bash", { command: longCmd });
+    expect(result.length).toBe(121); // 120 chars + ellipsis
+    expect(result.endsWith("…")).toBe(true);
+    expect(result.startsWith("a".repeat(120))).toBe(true);
+  });
+
+  test("terminal tool behaves like bash", () => {
+    expect(summarizeToolInput("terminal", { command: "echo hello" })).toBe(
+      "echo hello",
+    );
+  });
+
+  test("file_read returns file path", () => {
+    expect(
+      summarizeToolInput("file_read", { file_path: "/src/index.ts" }),
+    ).toBe("/src/index.ts");
+  });
+
+  test("file_write returns file path from path key", () => {
+    expect(summarizeToolInput("file_write", { path: "/src/main.ts" })).toBe(
+      "/src/main.ts",
+    );
+  });
+
+  test("file_edit prefers file_path over path", () => {
+    expect(
+      summarizeToolInput("file_edit", {
+        file_path: "/preferred.ts",
+        path: "/fallback.ts",
+      }),
+    ).toBe("/preferred.ts");
+  });
+
+  test("web_fetch returns URL truncated to 100 chars", () => {
+    const longUrl = `https://example.com/${"x".repeat(200)}`;
+    const result = summarizeToolInput("web_fetch", { url: longUrl });
+    expect(result.length).toBe(101); // 100 chars + ellipsis
+    expect(result.endsWith("…")).toBe(true);
+  });
+
+  test("web_fetch with short URL returns full URL", () => {
+    expect(
+      summarizeToolInput("web_fetch", { url: "https://example.com" }),
+    ).toBe("https://example.com");
+  });
+
+  test("network_request behaves like web_fetch", () => {
+    expect(
+      summarizeToolInput("network_request", { url: "https://api.test.com" }),
+    ).toBe("https://api.test.com");
+  });
+
+  test("empty input returns empty string", () => {
+    expect(summarizeToolInput("bash", {})).toBe("");
+    expect(summarizeToolInput("file_read", {})).toBe("");
+    expect(summarizeToolInput("web_fetch", {})).toBe("");
+    expect(summarizeToolInput("unknown_tool", {})).toBe("");
+  });
+
+  test("unknown tool with string input returns first string value", () => {
+    expect(
+      summarizeToolInput("custom_tool", {
+        query: "search for something",
+        count: 10,
+      }),
+    ).toBe("search for something");
+  });
+
+  test("unknown tool with long string truncates to 80 chars", () => {
+    const longVal = "b".repeat(150);
+    const result = summarizeToolInput("custom_tool", { data: longVal });
+    expect(result.length).toBe(81); // 80 chars + ellipsis
+    expect(result.endsWith("…")).toBe(true);
+  });
+
+  test("input with no string values returns empty string", () => {
+    expect(
+      summarizeToolInput("custom_tool", { count: 42, flag: true, obj: {} }),
+    ).toBe("");
+  });
+
+  test("whitespace-only string values are treated as empty", () => {
+    expect(summarizeToolInput("bash", { command: "   " })).toBe("");
+    expect(summarizeToolInput("custom_tool", { data: "  \n\t  " })).toBe("");
+  });
+
+  test("host_bash behaves like bash", () => {
+    expect(summarizeToolInput("host_bash", { command: "git status" })).toBe(
+      "git status",
+    );
+  });
+
+  test("host_file_read behaves like file_read", () => {
+    expect(
+      summarizeToolInput("host_file_read", { file_path: "/src/index.ts" }),
+    ).toBe("/src/index.ts");
+  });
+
+  test("host_file_write behaves like file_write", () => {
+    expect(
+      summarizeToolInput("host_file_write", { path: "/src/main.ts" }),
+    ).toBe("/src/main.ts");
+  });
+
+  test("host_file_edit behaves like file_edit", () => {
+    expect(
+      summarizeToolInput("host_file_edit", {
+        file_path: "/preferred.ts",
+        path: "/fallback.ts",
+      }),
+    ).toBe("/preferred.ts");
+  });
+});

package/src/__tests__/tool-preview-lifecycle.test.ts

@@ -8,12 +8,13 @@
  * - handleToolResult includes toolUseId in emitted tool_result
  * - Event ordering: tool_use_preview_start → input_json_delta → tool_use
  */
+import { join } from "node:path";
 import { beforeEach, describe, expect, mock, test } from "bun:test";
 
 // ── Mock platform (must precede imports that read it) ─────────────────────────
 mock.module("../util/platform.js", () => ({
   getSessionTokenPath: () => "/tmp/test-token",
-  getRootDir: () => "/tmp/test",
+  getProtectedDir: () => join("/tmp/test", "protected"),
   getDataDir: () => "/tmp/test",
   getWorkspaceDir: () => "/tmp/test/workspace",
   getWorkspaceSkillsDir: () => "/tmp/test/skills",

package/src/__tests__/trust-store.test.ts

@@ -12,9 +12,15 @@ import { beforeEach, describe, expect, mock, test } from "bun:test";
 // Create a temp directory for the trust file
 const testDir = mkdtempSync(join(tmpdir(), "trust-store-test-"));
 
+// Point the file-based trust backend at the test temp dir so
+// getGatewaySecurityDir() (which checks this env var first) writes
+// trust.json under the test directory instead of ~/.vellum/protected.
+process.env.GATEWAY_SECURITY_DIR = join(testDir, "protected");
+
 // Mock platform module so trust-store writes to temp dir instead of ~/.vellum
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => testDir,
+  getProtectedDir: () => join(testDir, "protected"),
+  getWorkspaceDir: () => join(testDir, "workspace"),
   getDataDir: () => testDir,
   isMacOS: () => process.platform === "darwin",
   isLinux: () => process.platform === "linux",

package/src/__tests__/trusted-contact-inline-approval-integration.test.ts

@@ -30,7 +30,7 @@ const testDir = mkdtempSync(join(tmpdir(), "tc-inline-approval-integration-"));
 
 mock.module("../util/platform.js", () => ({
   getDataDir: () => testDir,
-  getRootDir: () => testDir,
+  getProtectedDir: () => join(testDir, "protected"),
   isMacOS: () => process.platform === "darwin",
   isLinux: () => process.platform === "linux",
   isWindows: () => process.platform === "win32",

package/src/__tests__/trusted-contact-lifecycle-notifications.test.ts

@@ -23,7 +23,7 @@ import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
 const testDir = mkdtempSync(join(tmpdir(), "trusted-contact-lifecycle-notif-"));
 
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => testDir,
+  getProtectedDir: () => join(testDir, "protected"),
   getDataDir: () => testDir,
   isMacOS: () => process.platform === "darwin",
   isLinux: () => process.platform === "linux",

package/src/__tests__/trusted-contact-multichannel.test.ts

@@ -18,7 +18,7 @@ import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
 const testDir = mkdtempSync(join(tmpdir(), "trusted-contact-multichannel-"));
 
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => testDir,
+  getProtectedDir: () => join(testDir, "protected"),
   getDataDir: () => testDir,
   isMacOS: () => process.platform === "darwin",
   isLinux: () => process.platform === "linux",

package/src/__tests__/trusted-contact-verification.test.ts

@@ -21,7 +21,7 @@ import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
 const testDir = mkdtempSync(join(tmpdir(), "trusted-contact-verify-test-"));
 
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => testDir,
+  getProtectedDir: () => join(testDir, "protected"),
   getDataDir: () => testDir,
   isMacOS: () => process.platform === "darwin",
   isLinux: () => process.platform === "linux",

package/src/__tests__/turn-boundary-resolution.test.ts

@@ -10,7 +10,7 @@ const workspaceDir = join(testDir, ".vellum", "workspace");
 const conversationsDir = join(workspaceDir, "conversations");
 
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => join(testDir, ".vellum"),
+  getProtectedDir: () => join(join(testDir, ".vellum"), "protected"),
   getDataDir: () => join(workspaceDir, "data"),
   getWorkspaceDir: () => workspaceDir,
   getConversationsDir: () => conversationsDir,

package/src/__tests__/twilio-routes.test.ts

@@ -89,7 +89,7 @@ const testDir = realpathSync(
 );
 
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => testDir,
+  getProtectedDir: () => join(testDir, "protected"),
   getDataDir: () => testDir,
   isMacOS: () => process.platform === "darwin",
   isLinux: () => process.platform === "linux",

package/src/__tests__/update-bulletin.test.ts

@@ -44,7 +44,7 @@ let tempTemplateDir: string;
 mock.module("../util/platform.js", () => ({
   getWorkspacePromptPath: mock((file: string) => join(tempDir, file)),
   getWorkspaceDir: () => tempDir,
-  getRootDir: () => tempDir,
+  getProtectedDir: () => join(tempDir, "protected"),
   getDataDir: () => join(tempDir, "data"),
   getPlatformName: () => "darwin",
   isMacOS: () => false,

package/src/__tests__/vbundle-pax-and-symlink.test.ts

@@ -23,7 +23,7 @@ const testDir = realpathSync(
 );
 
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => testDir,
+  getProtectedDir: () => join(testDir, "protected"),
   getDataDir: () => testDir,
   isMacOS: () => process.platform === "darwin",
   isLinux: () => process.platform === "linux",

package/src/__tests__/vellum-self-knowledge-inline-command.test.ts

@@ -42,6 +42,7 @@ const SKILL_SRC_DIR = join(
 
 const platformOverrides: Record<string, (...args: unknown[]) => unknown> = {
   getRootDir: () => TEST_DIR,
+  getProtectedDir: () => join(TEST_DIR, "protected"),
   getDataDir: () => join(TEST_DIR, "data"),
   ensureDataDir: () => {},
   getPidPath: () => join(TEST_DIR, "vellum.pid"),

package/src/__tests__/voice-scoped-grant-consumer.test.ts

@@ -28,7 +28,7 @@ const testDir = mkdtempSync(
 // ── Platform + logger mocks (must come before any source imports) ────
 
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => testDir,
+  getProtectedDir: () => join(testDir, "protected"),
   getDataDir: () => testDir,
   isMacOS: () => process.platform === "darwin",
   isLinux: () => process.platform === "linux",

package/src/__tests__/voice-session-bridge.test.ts

@@ -21,7 +21,7 @@ let mockedConfig: {
 };
 
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => testDir,
+  getProtectedDir: () => join(testDir, "protected"),
   getDataDir: () => testDir,
   isMacOS: () => process.platform === "darwin",
   isLinux: () => process.platform === "linux",

package/src/__tests__/workspace-migration-009-backfill-conversation-disk-view.test.ts

@@ -31,7 +31,7 @@ mock.module("../util/platform.js", () => ({
   getDbPath: () => join(testDir, "test.db"),
   getLogPath: () => join(testDir, "test.log"),
   ensureDataDir: () => {},
-  getRootDir: () => testDir,
+  getProtectedDir: () => join(testDir, "protected"),
 }));
 
 mock.module("../util/logger.js", () => ({
@@ -252,9 +252,9 @@ describe("009-backfill-conversation-disk-view migration", () => {
 
     expect(existsSync(expectedNewDirPath)).toBe(false);
     expect(existsSync(legacyDirPath)).toBe(true);
-    expect(
-      JSON.parse(readFileSync(metaPath, "utf-8")).updatedAt,
-    ).toBe(new Date(conversationUpdatedAt).toISOString());
+    expect(JSON.parse(readFileSync(metaPath, "utf-8")).updatedAt).toBe(
+      new Date(conversationUpdatedAt).toISOString(),
+    );
     expect(readFileSync(messagesPath, "utf-8").trim().split("\n")).toHaveLength(
       1,
     );

package/src/__tests__/workspace-migration-013-repair-conversation-disk-view.test.ts

@@ -31,7 +31,7 @@ mock.module("../util/platform.js", () => ({
   getDbPath: () => join(testDir, "test.db"),
   getLogPath: () => join(testDir, "test.log"),
   ensureDataDir: () => {},
-  getRootDir: () => testDir,
+  getProtectedDir: () => join(testDir, "protected"),
 }));
 
 mock.module("../util/logger.js", () => ({

package/src/__tests__/workspace-migration-down-functions.test.ts

@@ -35,7 +35,7 @@ mock.module("../security/credential-key.js", () => ({
 // Mock getRootDir for 016-extract-feature-flags-to-protected
 let mockRootDir: string = "/tmp/mock-root";
 mock.module("../util/platform.js", () => ({
-  getRootDir: () => mockRootDir,
+  getProtectedDir: () => join(mockRootDir, "protected"),
   getDataDir: () => join(mockRootDir, "workspace", "data"),
   getWorkspaceDir: () => join(mockRootDir, "workspace"),
 }));
@@ -769,9 +769,21 @@ describe("014-migrate-to-workspace-volume down()", () => {
 // ---------------------------------------------------------------------------
 
 describe("016-extract-feature-flags-to-protected down()", () => {
+  let savedBaseDataDir: string | undefined;
+
   beforeEach(() => {
-    // Set up mock root dir for getRootDir() to point to our temp dir
-    mockRootDir = freshWorkspace();
+    // The migration has an inlined platform helpers that reads BASE_DATA_DIR,
+    // so we set that env var so the inlined function resolves to mockRootDir.
+    const baseDir = freshWorkspace();
+    mockRootDir = join(baseDir, ".vellum");
+    mkdirSync(mockRootDir, { recursive: true });
+    savedBaseDataDir = process.env.BASE_DATA_DIR;
+    process.env.BASE_DATA_DIR = baseDir;
+  });
+
+  afterEach(() => {
+    if (savedBaseDataDir === undefined) delete process.env.BASE_DATA_DIR;
+    else process.env.BASE_DATA_DIR = savedBaseDataDir;
   });
 
   test("moves feature flags from protected dir back to config.json", () => {

package/src/__tests__/workspace-migration-seed-device-id.test.ts

@@ -10,6 +10,7 @@ const writeFileSyncFn = mock(
   (_path: string, _data: string, _opts?: object) => {},
 );
 const mkdirSyncFn = mock((_path: string, _opts?: object) => {});
+const homedirFn = mock((): string => "/mock-home");
 const getDeviceIdBaseDirFn = mock((): string => "/mock-home");
 
 // ---------------------------------------------------------------------------
@@ -23,6 +24,10 @@ mock.module("node:fs", () => ({
   mkdirSync: mkdirSyncFn,
 }));
 
+mock.module("node:os", () => ({
+  homedir: homedirFn,
+}));
+
 mock.module("../util/device-id.js", () => ({
   getDeviceIdBaseDir: getDeviceIdBaseDirFn,
 }));
@@ -63,6 +68,7 @@ describe("003-seed-device-id migration", () => {
     readFileSyncFn.mockClear();
     writeFileSyncFn.mockClear();
     mkdirSyncFn.mockClear();
+    homedirFn.mockReturnValue("/mock-home");
     getDeviceIdBaseDirFn.mockReturnValue("/mock-home");
   });
 
@@ -265,16 +271,17 @@ describe("003-seed-device-id migration", () => {
     expect(parsed.deviceId).toBe("install-legacy");
   });
 
-  test("respects BASE_DATA_DIR override via getDeviceIdBaseDir", () => {
+  test("reads lockfile from homedir even when getDeviceIdBaseDir differs", () => {
     const customBase = "/custom-base";
     getDeviceIdBaseDirFn.mockReturnValue(customBase);
+    homedirFn.mockReturnValue("/mock-home");
 
-    const customLockPath = `${customBase}/.vellum.lock.json`;
     const customDevicePath = `${customBase}/.vellum/device.json`;
 
-    existsSyncFn.mockImplementation((path: string) => path === customLockPath);
+    // Lockfile is at homedir, NOT at customBase
+    existsSyncFn.mockImplementation((path: string) => path === LOCK_PATH);
     readFileSyncFn.mockImplementation((path: string, _enc: string) => {
-      if (path === customLockPath) {
+      if (path === LOCK_PATH) {
         return makeLockfile([
           {
             name: "custom",
@@ -294,11 +301,40 @@ describe("003-seed-device-id migration", () => {
       string,
       object,
     ];
+    // device.json is written under getDeviceIdBaseDir, not homedir
     expect(path).toBe(customDevicePath);
     const parsed = JSON.parse(data);
     expect(parsed.deviceId).toBe("install-custom");
   });
 
+  test("ignores lockfile under getDeviceIdBaseDir when it differs from homedir", () => {
+    const customBase = "/custom-base";
+    getDeviceIdBaseDirFn.mockReturnValue(customBase);
+    homedirFn.mockReturnValue("/mock-home");
+
+    // Only a lockfile under customBase exists — should be ignored since
+    // the migration always reads the lockfile from homedir().
+    const customLockPath = `${customBase}/.vellum.lock.json`;
+    existsSyncFn.mockImplementation((path: string) => path === customLockPath);
+    readFileSyncFn.mockImplementation((path: string, _enc: string) => {
+      if (path === customLockPath) {
+        return makeLockfile([
+          {
+            name: "custom",
+            installationId: "install-custom",
+            hatchedAt: "2025-01-01T00:00:00Z",
+          },
+        ]);
+      }
+      throw new Error(`ENOENT: ${path}`);
+    });
+
+    seedDeviceIdMigration.run(WORKSPACE_DIR);
+
+    // No lockfile found at homedir, so no device.json is written
+    expect(writeFileSyncFn).not.toHaveBeenCalled();
+  });
+
   test("entries without hatchedAt are treated as oldest", () => {
     setupFs({
       [LOCK_PATH]: makeLockfile([

package/src/agent/loop.ts

@@ -24,6 +24,7 @@ export interface AgentLoopConfig {
   maxInputTokens?: number; // context window size for tool result truncation
   thinking?: { enabled: boolean };
   effort: "low" | "medium" | "high" | "max";
+  speed?: "standard" | "fast";
   toolChoice?:
     | { type: "auto" }
     | { type: "any" }
@@ -246,6 +247,10 @@ export class AgentLoop {
           providerConfig.effort = this.config.effort;
         }
 
+        if (this.config.speed && this.config.speed !== "standard") {
+          providerConfig.speed = this.config.speed;
+        }
+
         if (this.config.toolChoice) {
           providerConfig.tool_choice = this.config.toolChoice;
         }
@@ -396,7 +401,7 @@ export class AgentLoop {
         );
 
         // Check if the assistant turn contained any visible text (used for
-        // both the empty-response nudge and the anti-repetition notice).
+        // the empty-response nudge).
         const hasTextBlock = response.content.some(
           (block) => block.type === "text" && block.text.trim().length > 0,
         );
@@ -601,14 +606,6 @@ export class AgentLoop {
           });
         }
 
-        // Remind the LLM not to repeat text it already streamed
-        if (hasTextBlock) {
-          resultBlocks.push({
-            type: "text",
-            text: '<system_notice>Your previous text was already shown to the user in real time. Do not repeat or rephrase it. Do not narrate retries or internal process chatter ("let me try", "that didn\'t work"). Keep working with tools silently unless you need user input, and only send user-facing text when you have concrete progress or final results.</system_notice>',
-          });
-        }
-
         // Add tool results as a user message and continue the loop
         history.push({ role: "user", content: resultBlocks });
 

package/src/approvals/guardian-decision-primitive.ts

@@ -5,7 +5,8 @@
  * legacy parser, requester self-cancel) call through this module instead of
  * inlining the decision-application logic.  This centralizes:
  *
- *   1. `approve_always` downgrade for guardian-on-behalf requests
+ *   1. `approve_always` downgrade for guardian-on-behalf requests (time-bounded
+ *      modes like `approve_10m` and `approve_conversation` are preserved)
  *   2. Identity validation (actor must match assigned guardian)
  *   3. Approval-info capture before the pending interaction is consumed
  *   4. Atomic decision application via `handleChannelDecision`
@@ -21,7 +22,9 @@
  *   - Decision authorization is purely principal-based:
  *     actor.guardianPrincipalId === request.guardianPrincipalId (strict equality)
  *   - Decisions are first-response-wins (CAS-like stale protection)
- *   - `approve_always` is rejected/downgraded for guardian-on-behalf requests
+ *   - `approve_always` is downgraded to `approve_once` for guardian-on-behalf
+ *     requests; time-bounded modes (`approve_10m`, `approve_conversation`) are
+ *     preserved since grants are scoped via `scopeMode: "tool_signature"`
  *   - Scoped grant minting only on explicit approve for requests with tool metadata
  */
 
@@ -61,6 +64,28 @@ const log = getLogger("guardian-decision-primitive");
 /** TTL for scoped approval grants minted on guardian approve_once decisions. */
 export const GRANT_TTL_MS = 5 * 60 * 1000;
 
+/** TTL for scoped approval grants minted on guardian approve_10m decisions. */
+export const GRANT_TTL_10M_MS = 10 * 60 * 1000;
+
+/**
+ * Compute the grant `expiresAt` timestamp for a given approval action.
+ *
+ * - `approve_10m` → 10 minutes from now
+ * - `approve_conversation` → no wall-clock expiry (far-future sentinel;
+ *   conversation lifecycle manages cleanup)
+ * - All others (`approve_once`, etc.) → 5 minutes from now (default)
+ */
+export function computeGrantExpiresAt(action: ApprovalAction): number {
+  switch (action) {
+    case "approve_10m":
+      return Date.now() + GRANT_TTL_10M_MS;
+    case "approve_conversation":
+      return Number.MAX_SAFE_INTEGER;
+    default:
+      return Date.now() + GRANT_TTL_MS;
+  }
+}
+
 // ---------------------------------------------------------------------------
 // Scoped grant minting
 // ---------------------------------------------------------------------------
@@ -79,8 +104,9 @@ export function tryMintToolApprovalGrant(params: {
   approval: GuardianApprovalRequest;
   decisionChannel: ChannelId;
   guardianExternalUserId: string;
+  effectiveAction: ApprovalAction;
 }): void {
-  const { approvalInfo, approval, decisionChannel, guardianExternalUserId } =
+  const { approvalInfo, approval, decisionChannel, guardianExternalUserId, effectiveAction } =
     params;
 
   if (!approvalInfo.toolName) {
@@ -116,7 +142,7 @@ export function tryMintToolApprovalGrant(params: {
     callSessionId: null,
     guardianExternalUserId,
     requesterExternalUserId: approval.requesterExternalUserId,
-    expiresAt: Date.now() + GRANT_TTL_MS,
+    expiresAt: computeGrantExpiresAt(effectiveAction),
   });
 
   if (result.ok) {
@@ -166,7 +192,8 @@ export interface ApplyGuardianDecisionParams {
  * self-cancel paths:
  *
  *   1. Downgrade `approve_always` to `approve_once` (guardians cannot
- *      permanently allowlist tools on behalf of requesters)
+ *      permanently allowlist tools on behalf of requesters). Time-bounded
+ *      modes (`approve_10m`, `approve_conversation`) are preserved.
  *   2. Capture pending approval info before resolution
  *   3. Apply the decision atomically via `handleChannelDecision`
  *   4. Update the guardian approval record
@@ -186,11 +213,11 @@ export function applyGuardianDecision(
     decisionContext,
   } = params;
 
-  // Guardians cannot grant broad allow modes on behalf of requesters -- downgrade.
+  // Guardians cannot grant permanent allow modes on behalf of requesters.
+  // Time-bounded modes (approve_10m, approve_conversation) are safe because
+  // grants are scoped to the tool+input signature via scopeMode: "tool_signature".
   const effectiveDecision: ApprovalDecisionResult =
-    decision.action === "approve_always" ||
-    decision.action === "approve_10m" ||
-    decision.action === "approve_conversation"
+    decision.action === "approve_always"
       ? { ...decision, action: "approve_once" }
       : decision;
 
@@ -240,6 +267,7 @@ export function applyGuardianDecision(
       approval,
       decisionChannel: actorChannel,
       guardianExternalUserId: effectiveGuardianId,
+      effectiveAction: effectiveDecision.action,
     });
   }
 
@@ -267,8 +295,9 @@ export function mintCanonicalRequestGrant(params: {
   request: CanonicalGuardianRequest;
   actorChannel: string;
   guardianExternalUserId?: string;
+  effectiveAction: ApprovalAction;
 }): { minted: boolean } {
-  const { request, actorChannel, guardianExternalUserId } = params;
+  const { request, actorChannel, guardianExternalUserId, effectiveAction } = params;
 
   if (!request.toolName || !request.inputDigest) {
     return { minted: false };
@@ -285,7 +314,7 @@ export function mintCanonicalRequestGrant(params: {
     callSessionId: request.callSessionId ?? null,
     guardianExternalUserId: guardianExternalUserId ?? null,
     requesterExternalUserId: request.requesterExternalUserId ?? null,
-    expiresAt: Date.now() + GRANT_TTL_MS,
+    expiresAt: computeGrantExpiresAt(effectiveAction),
   });
 
   if (result.ok) {
@@ -371,7 +400,8 @@ export type CanonicalDecisionResult =
  * Steps:
  *   1. Look up the canonical request by ID
  *   2. Validate: exists, pending status, identity match, valid action
- *   3. Downgrade approve_always to approve_once (guardian-on-behalf invariant)
+ *   3. Downgrade `approve_always` to `approve_once` (guardian-on-behalf invariant;
+ *      time-bounded modes like `approve_10m`/`approve_conversation` are preserved)
  *   4. CAS resolve the canonical request atomically
  *   5. Dispatch to kind-specific resolver
  *   6. Mint grant if applicable
@@ -491,13 +521,10 @@ export async function applyCanonicalGuardianDecision(
     return { applied: false, reason: "expired" };
   }
 
-  // 3. Downgrade approve_always and temporary modes to approve_once for
-  // guardian-on-behalf requests. Guardians cannot grant broad allow modes
-  // (permanent, timed, or conversation-scoped) on behalf of requesters.
+  // 3. Downgrade approve_always to approve_once for guardian-on-behalf requests.
+  // Time-bounded modes (approve_10m, approve_conversation) are permitted.
   const effectiveAction: ApprovalAction =
-    action === "approve_always" ||
-    action === "approve_10m" ||
-    action === "approve_conversation"
+    action === "approve_always"
       ? "approve_once"
       : action;
 
@@ -578,6 +605,7 @@ export async function applyCanonicalGuardianDecision(
         actorContext.actorExternalUserId ??
         resolved.guardianExternalUserId ??
         undefined,
+      effectiveAction,
     });
     grantMinted = grantResult.minted;
   }

package/src/approvals/guardian-request-resolvers.ts

@@ -24,6 +24,7 @@ import {
   type NotificationSourceChannel,
 } from "../notifications/signal.js";
 import { addRule } from "../permissions/trust-store.js";
+import type { UserDecision } from "../permissions/types.js";
 import { DAEMON_INTERNAL_ASSISTANT_ID } from "../runtime/assistant-scope.js";
 import { mintDaemonDeliveryToken } from "../runtime/auth/token-service.js";
 import type { ApprovalAction } from "../runtime/channel-approval-types.js";
@@ -231,8 +232,24 @@ const pendingInteractionResolver: GuardianRequestResolver = {
     }
 
     // Map action to the permission system's UserDecision type and notify session.
-    const userDecision =
-      decision.action === "reject" ? ("deny" as const) : ("allow" as const);
+    // Mirrors mapApprovalActionToUserDecision from channel-approvals.ts so
+    // temporal modes (approve_10m, approve_conversation) reach the session with
+    // the correct UserDecision instead of collapsing to plain "allow".
+    let userDecision: UserDecision;
+    switch (decision.action) {
+      case "reject":
+        userDecision = "deny";
+        break;
+      case "approve_10m":
+        userDecision = "allow_10m";
+        break;
+      case "approve_conversation":
+        userDecision = "allow_conversation";
+        break;
+      default:
+        userDecision = "allow";
+        break;
+    }
     resolved.conversation!.handleConfirmationResponse(
       request.id,
       userDecision,