@vellumai/assistant 0.6.0 → 0.6.2

package/src/memory/schema/conversations.ts

@@ -30,9 +30,11 @@ export const conversations = sqliteTable(
     forkParentMessageId: text("fork_parent_message_id"),
     isAutoTitle: integer("is_auto_title").notNull().default(1),
     scheduleJobId: text("schedule_job_id"),
+    lastMessageAt: integer("last_message_at"),
   },
   (table) => [
     index("idx_conversations_updated_at").on(table.updatedAt),
+    index("idx_conversations_last_message_at").on(table.lastMessageAt),
     index("idx_conversations_conversation_type").on(table.conversationType),
     index("idx_conversations_fork_parent_conversation_id").on(
       table.forkParentConversationId,
@@ -109,6 +111,18 @@ export const messageAttachments = sqliteTable("message_attachments", {
   createdAt: integer("created_at").notNull(),
 });
 
+export const conversationGraphMemoryState = sqliteTable(
+  "conversation_graph_memory_state",
+  {
+    conversationId: text("conversation_id")
+      .primaryKey()
+      .references(() => conversations.id, { onDelete: "cascade" }),
+    stateJson: text("state_json").notNull(),
+    createdAt: integer("created_at").notNull(),
+    updatedAt: integer("updated_at").notNull(),
+  },
+);
+
 export const channelInboundEvents = sqliteTable("channel_inbound_events", {
   id: text("id").primaryKey(),
   sourceChannel: text("source_channel").notNull(),

package/src/memory/schema/infrastructure.ts

@@ -25,6 +25,9 @@ export const cronJobs = sqliteTable("cron_jobs", {
   routingHintsJson: text("routing_hints_json").notNull().default("{}"),
   status: text("status").notNull().default("active"), // 'active' | 'firing' | 'fired' | 'cancelled'
   quiet: integer("quiet", { mode: "boolean" }).notNull().default(false), // suppress completion notifications
+  reuseConversation: integer("reuse_conversation", { mode: "boolean" })
+    .notNull()
+    .default(false), // reuse the same conversation across runs
   createdAt: integer("created_at").notNull(),
   updatedAt: integer("updated_at").notNull(),
 });
@@ -118,7 +121,10 @@ export const llmRequestLogs = sqliteTable(
     responsePayload: text("response_payload").notNull(),
     createdAt: integer("created_at").notNull(),
   },
-  (table) => [index("idx_llm_request_logs_message_id").on(table.messageId)],
+  (table) => [
+    index("idx_llm_request_logs_message_id").on(table.messageId),
+    index("idx_llm_request_logs_created_at").on(table.createdAt),
+  ],
 );
 
 export const memoryRecallLogs = sqliteTable(
@@ -144,6 +150,7 @@ export const memoryRecallLogs = sqliteTable(
     topCandidatesJson: text("top_candidates_json").notNull(),
     injectedText: text("injected_text"),
     reason: text("reason"),
+    queryContext: text("query_context"),
     createdAt: integer("created_at").notNull(),
   },
   (table) => [

package/src/memory/schema/memory-core.ts

@@ -2,7 +2,6 @@ import {
   blob,
   index,
   integer,
-  real,
   sqliteTable,
   text,
   uniqueIndex,
@@ -32,56 +31,6 @@ export const memorySegments = sqliteTable(
   (table) => [index("idx_memory_segments_scope_id").on(table.scopeId)],
 );
 
-export const memoryItems = sqliteTable(
-  "memory_items",
-  {
-    id: text("id").primaryKey(),
-    kind: text("kind").notNull(),
-    subject: text("subject").notNull(),
-    statement: text("statement").notNull(),
-    status: text("status").notNull(),
-    confidence: real("confidence").notNull(),
-    importance: real("importance"),
-    accessCount: integer("access_count").notNull().default(0),
-    fingerprint: text("fingerprint").notNull(),
-    verificationState: text("verification_state")
-      .notNull()
-      .default("assistant_inferred"),
-    scopeId: text("scope_id").notNull().default("default"),
-    firstSeenAt: integer("first_seen_at").notNull(),
-    lastSeenAt: integer("last_seen_at").notNull(),
-    lastUsedAt: integer("last_used_at"),
-    validFrom: integer("valid_from"),
-    invalidAt: integer("invalid_at"),
-    supersedes: text("supersedes"),
-    supersededBy: text("superseded_by"),
-    overrideConfidence: text("override_confidence").default("inferred"),
-    sourceType: text("source_type").notNull().default("extraction"),
-    sourceMessageRole: text("source_message_role"),
-  },
-  (table) => [
-    index("idx_memory_items_scope_id").on(table.scopeId),
-    index("idx_memory_items_fingerprint").on(table.fingerprint),
-  ],
-);
-
-export const memoryItemSources = sqliteTable(
-  "memory_item_sources",
-  {
-    memoryItemId: text("memory_item_id")
-      .notNull()
-      .references(() => memoryItems.id, { onDelete: "cascade" }),
-    messageId: text("message_id")
-      .notNull()
-      .references(() => messages.id, { onDelete: "cascade" }),
-    evidence: text("evidence"),
-    createdAt: integer("created_at").notNull(),
-  },
-  (table) => [
-    index("idx_memory_item_sources_memory_item_id").on(table.memoryItemId),
-  ],
-);
-
 export const memorySummaries = sqliteTable(
   "memory_summaries",
   {

package/src/memory/schema/memory-graph.ts

@@ -137,3 +137,18 @@ export const memoryGraphTriggers = sqliteTable(
     index("idx_graph_triggers_type").on(table.type),
   ],
 );
+
+export const memoryGraphNodeEdits = sqliteTable(
+  "memory_graph_node_edits",
+  {
+    id: text("id").primaryKey(),
+    nodeId: text("node_id")
+      .notNull()
+      .references(() => memoryGraphNodes.id, { onDelete: "cascade" }),
+    previousContent: text("previous_content").notNull(),
+    newContent: text("new_content").notNull(),
+    source: text("source").notNull(),
+    conversationId: text("conversation_id"),
+    created: integer("created").notNull(),
+  },
+);

package/src/memory/task-memory-cleanup.ts

@@ -9,16 +9,29 @@ const log = getLogger("task-memory-cleanup");
  * so the check survives daemon restarts.
  */
 export function isConversationFailed(conversationId: string): boolean {
+  // For reused schedule conversations the same conversation_id appears in
+  // multiple cron_runs. A single failed run should NOT mark the conversation
+  // as permanently failed — only the *most recent* run for that conversation
+  // matters. We therefore check whether the latest cron_run (by created_at,
+  // which is a monotonically increasing epoch timestamp) has an error status.
+  // Note: cron_runs.id is a UUID v4 (random), so we cannot use MAX(id).
   const row = rawGet<{ found: number }>(
     `SELECT 1 AS found
        FROM (
          SELECT 1 FROM task_runs WHERE conversation_id = ? AND status = 'failed'
          UNION ALL
-         SELECT 1 FROM cron_runs WHERE conversation_id = ? AND status = 'error'
+         SELECT 1 FROM cron_runs
+          WHERE conversation_id = ?
+            AND status = 'error'
+            AND id = (
+              SELECT id FROM cron_runs WHERE conversation_id = ?
+              ORDER BY created_at DESC LIMIT 1
+            )
        )
       LIMIT 1`,
     conversationId,
     conversationId,
+    conversationId,
   );
   return row != null;
 }
@@ -57,9 +70,17 @@ export function invalidateAssistantInferredItemsForConversation(
                   AND tr.status = 'failed'
              )
              AND NOT EXISTS (
+               -- Check only the most recent cron_run for each conversation
+               -- so reused conversations with historical errors but recent
+               -- successes are still treated as valid corroborators.
                SELECT 1 FROM cron_runs cr
                 WHERE cr.conversation_id = jc2.value
                   AND cr.status = 'error'
+                  AND cr.id = (
+                    SELECT cr2.id FROM cron_runs cr2
+                     WHERE cr2.conversation_id = jc2.value
+                     ORDER BY cr2.created_at DESC LIMIT 1
+                  )
              )
         )`,
     Date.now(),
@@ -79,9 +100,9 @@ export function invalidateAssistantInferredItemsForConversation(
 
 /**
  * Cancel all pending/running memory jobs referencing the given conversation.
- * Covers every job type: `extract_items`, `embed_attachment` (keyed by messageId),
+ * Covers every job type: `embed_attachment` (keyed by messageId),
  * `embed_segment` (keyed by segmentId via memory_segments),
- * `build_conversation_summary` (keyed by conversationId),
+ * `graph_extract`, `build_conversation_summary` (keyed by conversationId),
  * and `embed_graph_node` (keyed by nodeId sourced from the conversation).
  */
 export function cancelPendingJobsForConversation(
@@ -91,7 +112,7 @@ export function cancelPendingJobsForConversation(
   const now = Date.now();
   let total = 0;
 
-  // Jobs keyed by messageId: extract_items, embed_attachment
+  // Jobs keyed by messageId: embed_attachment
   total += rawRun(
     `UPDATE memory_jobs
         SET status = 'failed',
@@ -106,7 +127,7 @@ export function cancelPendingJobsForConversation(
     conversationId,
   );
 
-  // Jobs keyed by conversationId: build_conversation_summary
+  // Jobs keyed by conversationId: graph_extract, build_conversation_summary
   total += rawRun(
     `UPDATE memory_jobs
         SET status = 'failed',
@@ -162,8 +183,8 @@ export function cancelPendingJobsForConversation(
 }
 
 /**
- * Cancel only pending/running `extract_items` jobs for messages in the
- * given conversation. Used by the task-failure path where we want to
+ * Cancel only pending/running `graph_extract` jobs for the given
+ * conversation. Used by the task-failure path where we want to
  * stop new extractions but must NOT cancel `embed_graph_node` jobs —
  * those nodes may be multi-sourced and still valid.
  */
@@ -177,10 +198,8 @@ function cancelPendingExtractionJobsForConversation(
             last_error = 'conversation_failed',
             updated_at = ?
       WHERE status IN ('pending', 'running')
-        AND type = 'extract_items'
-        AND json_extract(payload, '$.messageId') IN (
-          SELECT id FROM messages WHERE conversation_id = ?
-        )`,
+        AND type = 'graph_extract'
+        AND json_extract(payload, '$.conversationId') = ?`,
     now,
     conversationId,
   );

package/src/messaging/provider.ts

@@ -25,7 +25,7 @@ export interface MessagingProvider {
   id: string;
   /** Human-readable name (e.g. 'Slack', 'Gmail'). */
   displayName: string;
-  /** Credential service name for token-manager (e.g. 'integration:slack'). */
+  /** Credential service name for token-manager (e.g. 'slack'). */
   credentialService: string;
 
   // ── Universal operations (every platform must implement) ──────────

package/src/notifications/broadcaster.ts

@@ -41,6 +41,10 @@ export interface ConversationCreatedInfo {
   sourceEventName: string;
   /** Present when the conversation is for a guardian-sensitive notification. */
   targetGuardianPrincipalId?: string;
+  /** Conversation group identifier from the signal producer (e.g. "system:scheduled"). */
+  groupId?: string;
+  /** Semantic source from the signal producer (e.g. "schedule", "reminder"). */
+  source?: string;
 }
 export type OnConversationCreatedFn = (info: ConversationCreatedInfo) => void;
 export interface BroadcastDecisionOptions {
@@ -238,6 +242,8 @@ export class NotificationBroadcaster {
           title: conversationTitle,
           sourceEventName: signal.sourceEventName,
           targetGuardianPrincipalId,
+          groupId: signal.conversationMetadata?.groupId,
+          source: signal.conversationMetadata?.source,
         };
 
         // The per-dispatch onConversationCreated callback fires whenever a vellum

package/src/notifications/conversation-pairing.ts

@@ -130,7 +130,9 @@ export async function pairDeliveryWithConversation(
       const targetId = conversationAction.conversationId;
       const existing = getConversation(targetId);
 
-      if (existing && existing.source === "notification") {
+      const effectiveSource =
+        signal.conversationMetadata?.source ?? "notification";
+      if (existing && existing.source === effectiveSource) {
         // Append the seed message to the existing conversation
         const message = await addMessage(
           existing.id,
@@ -186,7 +188,9 @@ export async function pairDeliveryWithConversation(
       const conversation = createConversation({
         title,
         conversationType,
-        source: "notification",
+        source: signal.conversationMetadata?.source ?? "notification",
+        groupId: signal.conversationMetadata?.groupId,
+        scheduleJobId: signal.conversationMetadata?.scheduleJobId,
       });
 
       const message = await addMessage(
@@ -241,7 +245,9 @@ export async function pairDeliveryWithConversation(
           existingBinding.conversationId,
         );
 
-        if (boundConversation && boundConversation.source === "notification") {
+        const effectiveSource =
+          signal.conversationMetadata?.source ?? "notification";
+        if (boundConversation && boundConversation.source === effectiveSource) {
           const message = await addMessage(
             boundConversation.id,
             "assistant",
@@ -299,7 +305,9 @@ export async function pairDeliveryWithConversation(
     const conversation = createConversation({
       title,
       conversationType,
-      source: "notification",
+      source: signal.conversationMetadata?.source ?? "notification",
+      groupId: signal.conversationMetadata?.groupId,
+      scheduleJobId: signal.conversationMetadata?.scheduleJobId,
     });
 
     // Skip memory indexing — notification audit messages are not conversational

package/src/notifications/copy-composer.ts

@@ -408,6 +408,92 @@ const TEMPLATES: Partial<Record<NotificationSourceEventName, CopyTemplate>> = {
     };
   },
 
+  "ingress.trusted_contact.guardian_decision": (payload) => {
+    const decision = str(payload.decision, "decided on");
+    const sourceChannel =
+      typeof payload.sourceChannel === "string"
+        ? payload.sourceChannel
+        : undefined;
+
+    const requesterDisplayName =
+      typeof payload.requesterDisplayName === "string" &&
+      payload.requesterDisplayName.length > 0
+        ? payload.requesterDisplayName
+        : undefined;
+    const requesterExternalUserId =
+      typeof payload.requesterExternalUserId === "string" &&
+      payload.requesterExternalUserId.length > 0
+        ? payload.requesterExternalUserId
+        : undefined;
+    const requesterLabel = sanitizeIdentityField(
+      requesterDisplayName ??
+        (sourceChannel === "slack" &&
+        requesterExternalUserId &&
+        /^U[A-Z0-9]+$/i.test(requesterExternalUserId)
+          ? `<@${requesterExternalUserId}>`
+          : requesterExternalUserId) ??
+        "Someone",
+    );
+
+    const decidedByDisplayName =
+      typeof payload.decidedByDisplayName === "string" &&
+      payload.decidedByDisplayName.length > 0
+        ? payload.decidedByDisplayName
+        : undefined;
+    const decidedByExternalUserId =
+      typeof payload.decidedByExternalUserId === "string" &&
+      payload.decidedByExternalUserId.length > 0
+        ? payload.decidedByExternalUserId
+        : undefined;
+    const decidedByLabel = sanitizeIdentityField(
+      decidedByDisplayName ??
+        (sourceChannel === "slack" &&
+        decidedByExternalUserId &&
+        /^U[A-Z0-9]+$/i.test(decidedByExternalUserId)
+          ? `<@${decidedByExternalUserId}>`
+          : decidedByExternalUserId) ??
+        "a guardian",
+    );
+
+    const verb = decision === "approved" ? "approved" : "denied";
+    return {
+      title: "Trusted Contact Decision",
+      body: `${requesterLabel}'s access request has been ${verb} by ${decidedByLabel}.`,
+    };
+  },
+
+  "ingress.trusted_contact.denied": (payload) => {
+    const sourceChannel =
+      typeof payload.sourceChannel === "string"
+        ? payload.sourceChannel
+        : undefined;
+
+    const requesterDisplayName =
+      typeof payload.requesterDisplayName === "string" &&
+      payload.requesterDisplayName.length > 0
+        ? payload.requesterDisplayName
+        : undefined;
+    const requesterExternalUserId =
+      typeof payload.requesterExternalUserId === "string" &&
+      payload.requesterExternalUserId.length > 0
+        ? payload.requesterExternalUserId
+        : undefined;
+    const requesterLabel = sanitizeIdentityField(
+      requesterDisplayName ??
+        (sourceChannel === "slack" &&
+        requesterExternalUserId &&
+        /^U[A-Z0-9]+$/i.test(requesterExternalUserId)
+          ? `<@${requesterExternalUserId}>`
+          : requesterExternalUserId) ??
+        "Someone",
+    );
+
+    return {
+      title: "Trusted Contact Denied",
+      body: `A trusted contact request from ${requesterLabel} has been denied.`,
+    };
+  },
+
   "ingress.escalation": (payload) => ({
     title: "Escalation",
     body:

package/src/notifications/decision-engine.ts

@@ -13,6 +13,7 @@ import { v4 as uuid } from "uuid";
 
 import { getDeliverableChannels } from "../channels/config.js";
 import { getConfig } from "../config/loader.js";
+import { listGuardianChannels } from "../contacts/contact-store.js";
 import { resolveGuardianPersona } from "../prompts/persona-resolver.js";
 import { buildCoreIdentityContext } from "../prompts/system-prompt.js";
 import {
@@ -73,6 +74,7 @@ function buildSystemPrompt(
   preferenceContext?: string,
   candidateContext?: string,
   identityContext?: string,
+  recipientNotes?: string,
 ): string {
   const sections: string[] = [
     `You are a notification routing engine. Given a signal describing an event, decide whether the user should be notified, on which channel(s), and compose the notification copy.`,
@@ -89,6 +91,16 @@ function buildSystemPrompt(
     );
   }
 
+  if (recipientNotes) {
+    sections.push(
+      ``,
+      `<recipient-context>`,
+      `The following are notes about the notification recipient. Use this context to tailor notification tone, formality, and content to the recipient's preferences.`,
+      recipientNotes,
+      `</recipient-context>`,
+    );
+  }
+
   if (identityContext) {
     sections.push(
       ``,
@@ -807,11 +819,34 @@ async function classifyWithLLM(
   const identityContext = rawIdentityContext
     ? truncate(rawIdentityContext, MAX_IDENTITY_CONTEXT_CHARS, "\n…[truncated]")
     : undefined;
+
+  // Resolve guardian contact notes for recipient context. Use the channel-
+  // agnostic guardian lookup so notes are available even when the only
+  // deliverable channel is "vellum" (which has no contact channel type).
+  let recipientNotes: string | undefined;
+  try {
+    const guardianResult = listGuardianChannels();
+    if (guardianResult?.contact.notes) {
+      recipientNotes = truncate(
+        guardianResult.contact.notes,
+        MAX_IDENTITY_CONTEXT_CHARS,
+        "\n…[truncated]",
+      );
+    }
+  } catch (err) {
+    const errMsg = err instanceof Error ? err.message : String(err);
+    log.warn(
+      { err: errMsg },
+      "Failed to resolve guardian contact notes, proceeding without recipient context",
+    );
+  }
+
   const systemPrompt = buildSystemPrompt(
     availableChannels,
     preferenceContext,
     candidateContext,
     identityContext,
+    recipientNotes,
   );
   const prompt = buildUserPrompt(signal);
   const tool = buildDecisionTool(availableChannels);

package/src/notifications/emit-signal.ts

@@ -79,6 +79,8 @@ function getBroadcaster(): NotificationBroadcaster {
           title: info.title,
           sourceEventName: info.sourceEventName,
           targetGuardianPrincipalId: info.targetGuardianPrincipalId,
+          groupId: info.groupId,
+          source: info.source,
         });
         log.info(
           {
@@ -176,6 +178,17 @@ export interface EmitSignalParams<TEventName extends string = string> {
    * Useful for direct user-invoked actions that must fail closed.
    */
   throwOnError?: boolean;
+  /**
+   * Optional metadata propagated to the conversation created by the notification
+   * pipeline. Allows signal producers (e.g. the scheduler) to set groupId,
+   * scheduleJobId, or override the default "notification" source on the
+   * resulting conversation so it appears in the correct folder on clients.
+   */
+  conversationMetadata?: {
+    groupId?: string;
+    scheduleJobId?: string;
+    source?: string;
+  };
 }
 
 export interface EmitSignalResult {
@@ -210,6 +223,7 @@ export async function emitNotificationSignal<TEventName extends string>(
     routingIntent: params.routingIntent,
     routingHints: params.routingHints,
     conversationAffinityHint: params.conversationAffinityHint,
+    conversationMetadata: params.conversationMetadata,
   };
 
   try {

package/src/notifications/signal.ts

@@ -200,4 +200,15 @@ export interface NotificationSignal<TEventName extends string = string> {
    * affinity within a call session.
    */
   conversationAffinityHint?: Partial<Record<string, string>>;
+  /**
+   * Optional metadata propagated to the conversation created by the notification
+   * pipeline. Allows signal producers (e.g. the scheduler) to set groupId,
+   * scheduleJobId, or override the default "notification" source on the
+   * resulting conversation so it appears in the correct folder on clients.
+   */
+  conversationMetadata?: {
+    groupId?: string;
+    scheduleJobId?: string;
+    source?: string;
+  };
 }

package/src/oauth/platform-connection.test.ts

@@ -27,7 +27,7 @@ function makeMockClient(
     fetch: mock(async (path: string, init?: RequestInit) => {
       const url = `https://platform.example.com${path}`;
       const headers = new Headers(init?.headers);
-      headers.set("Authorization", "Api-Key test-api-key");
+      headers.set("Authorization", "Bearer test-api-key");
       return mockFetchFn(url, { ...init, headers });
     }),
   } as unknown as VellumPlatformClient;
@@ -53,7 +53,7 @@ describe("PlatformOAuthConnection", () => {
         );
         expect(init?.method).toBe("POST");
         const headers = new Headers(init?.headers);
-        expect(headers.get("Authorization")).toBe("Api-Key test-api-key");
+        expect(headers.get("Authorization")).toBe("Bearer test-api-key");
         expect(headers.get("Content-Type")).toBe("application/json");
 
         const parsed = JSON.parse(init?.body as string);

package/src/oauth/seed-providers.ts

@@ -295,6 +295,7 @@ const PROVIDER_SEED_DATA: Record<
     },
     extraParams: { prompt: "consent" },
     loopbackPort: 17324,
+    managedServiceConfigKey: "linear-oauth",
     injectionTemplates: [
       {
         hostPattern: "api.linear.app",

package/src/permissions/checker.ts

@@ -3,6 +3,7 @@ import { homedir } from "node:os";
 import { dirname, join, resolve } from "node:path";
 
 import { isAssistantFeatureFlagEnabled } from "../config/assistant-feature-flags.js";
+import { getIsContainerized } from "../config/env-registry.js";
 import { getConfig } from "../config/loader.js";
 import { loadSkillCatalog, resolveSkillSelector } from "../config/skills.js";
 import { indexCatalogById } from "../skills/include-graph.js";
@@ -677,7 +678,7 @@ export async function classifyRisk(
     }
   }
 
-  const result = await classifyRiskUncached(
+  let result = await classifyRiskUncached(
     toolName,
     input,
     workingDir,
@@ -685,6 +686,17 @@ export async function classifyRisk(
     manifestOverride,
   );
 
+  // Proxied bash commands route through the credential proxy which handles
+  // per-request approval separately. Cap the bash tool's own risk at Medium
+  // so trust rules can auto-allow the command execution.
+  if (
+    toolName === "bash" &&
+    input.network_mode === "proxied" &&
+    result === RiskLevel.High
+  ) {
+    result = RiskLevel.Medium;
+  }
+
   if (cacheKey) {
     if (riskCache.size >= RISK_CACHE_MAX) {
       const oldest = riskCache.keys().next().value;
@@ -1086,9 +1098,8 @@ export async function check(
     !matchedRule &&
     risk === RiskLevel.Low
   ) {
-    // When sandbox is disabled, bash runs on the host — don't auto-allow
-    const sandboxEnabled = getConfig().sandbox.enabled;
-    if (toolName === "bash" && !sandboxEnabled) {
+    // Outside a container, bash runs on the host — don't auto-allow
+    if (toolName === "bash" && !getIsContainerized()) {
       // Fall through to risk-based policy below
     } else if (isWorkspaceScopedInvocation(toolName, input, workingDir)) {
       return {

package/src/permissions/defaults.ts

@@ -1,5 +1,6 @@
 import { join } from "node:path";
 
+import { getIsContainerized } from "../config/env-registry.js";
 import { getConfig } from "../config/loader.js";
 import { getBundledSkillsDir } from "../config/skills.js";
 import { getWorkspaceDir } from "../util/platform.js";
@@ -42,7 +43,6 @@ export function getDefaultRuleTemplates(): DefaultRuleTemplate[] {
   // Some test suites mock getConfig() with partial objects; treat missing
   // branches as defaults so rule generation remains deterministic.
   const config = getConfig() as {
-    sandbox?: { enabled?: boolean };
     skills?: { load?: { extraDirs?: unknown } };
   };
 
@@ -67,12 +67,11 @@ export function getDefaultRuleTemplates(): DefaultRuleTemplate[] {
     priority: 50,
   };
 
-  // Sandboxed bash commands run in an isolated container — auto-allow all of
-  // them (including high-risk) so the user is never prompted for sandbox work.
-  // Only emit this rule when the sandbox is actually enabled; otherwise bash
-  // commands execute on the host and must go through normal permission checks.
-  const sandboxEnabled = config.sandbox?.enabled !== false;
-  const sandboxShellRule: DefaultRuleTemplate | null = sandboxEnabled
+  // When running inside a container (IS_CONTAINERIZED=true), bash commands
+  // execute in an isolated environment — auto-allow all of them (including
+  // high-risk) so the user is never prompted.  Outside a container, bash
+  // commands run on the host and go through normal permission checks.
+  const bashShellRule: DefaultRuleTemplate | null = getIsContainerized()
     ? {
         id: "default:allow-bash-global",
         tool: "bash",
@@ -300,7 +299,7 @@ export function getDefaultRuleTemplates(): DefaultRuleTemplate[] {
   return [
     ...hostFileRules,
     hostShellRule,
-    ...(sandboxShellRule ? [sandboxShellRule] : []),
+    ...(bashShellRule ? [bashShellRule] : []),
     ...computerUseRules,
     ...managedSkillRules,
     ...workspacePromptRules,