@vellumai/assistant 0.6.1 → 0.6.2

package/src/config/assistant-feature-flags.ts

@@ -20,7 +20,6 @@ import { existsSync, readFileSync } from "node:fs";
 import { homedir } from "node:os";
 import { dirname, join } from "node:path";
 
-import { getIsContainerized } from "./env-registry.js";
 import type { AssistantConfig } from "./schema.js";
 
 // ---------------------------------------------------------------------------
@@ -173,61 +172,49 @@ function loadOverridesFromFile(): Record<string, boolean> {
 }
 
 /**
- * Load override values from the gateway via synchronous HTTP call.
+ * Fetch override values from the gateway via async HTTP.
  *
- * Follows the trust-client pattern: uses `Bun.spawnSync` + `curl` to make
- * a blocking GET request to the gateway's feature-flags endpoint. The
- * gateway returns `{ flags: Array<{ key, enabled, ... }> }` and we extract
- * just the key → enabled map.
+ * Returns the gateway's merged feature flag map (persisted > remote >
+ * registry), or an empty record on any failure (network, auth, parse).
  */
-function loadOverridesFromGateway(): Record<string, boolean> {
+async function fetchOverridesFromGateway(): Promise<Record<string, boolean>> {
   try {
     // Lazy-import to avoid circular dependency and keep this module
     // importable from bootstrap code when not in containerized mode.
     const { getGatewayInternalBaseUrl } =
       // eslint-disable-next-line @typescript-eslint/no-require-imports
       require("./env.js") as typeof import("./env.js");
-    const { mintEdgeRelayToken } =
+    const {
+      mintEdgeRelayToken,
+      isSigningKeyInitialized,
+      initAuthSigningKey,
+      resolveSigningKey,
+    } =
       // eslint-disable-next-line @typescript-eslint/no-require-imports
       require("../runtime/auth/token-service.js") as typeof import("../runtime/auth/token-service.js");
 
+    // CLI subprocesses don't run daemon startup, so the signing key
+    // may not be initialized yet. Initialize it now so mintEdgeRelayToken
+    // can produce a valid JWT for the gateway request.
+    if (!isSigningKeyInitialized()) {
+      initAuthSigningKey(resolveSigningKey());
+    }
+
     const url = `${getGatewayInternalBaseUrl()}/v1/feature-flags`;
     const token = mintEdgeRelayToken();
 
-    const proc = Bun.spawnSync(
-      [
-        "curl",
-        "-s",
-        "-S",
-        "-X",
-        "GET",
-        "--max-time",
-        "10",
-        "-H",
-        `Authorization: Bearer ${token}`,
-        "-H",
-        "Accept: application/json",
-        "-w",
-        "\n%{http_code}",
-        url,
-      ],
-      { stdout: "pipe", stderr: "pipe" },
-    );
-
-    if (proc.exitCode !== 0) return {};
-
-    const output = proc.stdout.toString().trim();
-    const lastNewline = output.lastIndexOf("\n");
-    const responseBody = lastNewline >= 0 ? output.slice(0, lastNewline) : "";
-    const statusCode = parseInt(
-      lastNewline >= 0 ? output.slice(lastNewline + 1) : output,
-      10,
-    );
-
-    if (statusCode < 200 || statusCode >= 300) return {};
-    if (!responseBody) return {};
-
-    const parsed = JSON.parse(responseBody) as {
+    const response = await fetch(url, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        Accept: "application/json",
+      },
+      signal: AbortSignal.timeout(10_000),
+    });
+
+    if (!response.ok) return {};
+
+    const parsed = (await response.json()) as {
       flags?: Array<{ key: string; enabled: boolean }>;
     };
     if (!Array.isArray(parsed.flags)) return {};
@@ -245,25 +232,42 @@ function loadOverridesFromGateway(): Record<string, boolean> {
 }
 
 /**
- * Load overrides, preferring the gateway HTTP API.
+ * Pre-populate the override cache from the gateway (async).
  *
- * In containerized mode, always uses the gateway. In local mode, tries
- * the gateway first and falls back to `loadOverridesFromFile()` when
- * the gateway is not yet available (startup race).
+ * Call this once during startup (daemon or CLI entry) before any sync
+ * `isAssistantFeatureFlagEnabled` calls. In containerized mode, always
+ * uses the gateway. In local mode, falls back to the local file when
+ * the gateway is unreachable.
  *
- * Results are cached at module level.
+ * On failure, the cache is left unset so subsequent sync calls fall
+ * through to the file-based fallback rather than caching an empty map
+ * that masks all overrides for the process lifetime.
  */
-function loadOverrides(): Record<string, boolean> {
-  if (cachedOverrides != null) return cachedOverrides;
-
-  const gatewayOverrides = loadOverridesFromGateway();
-  if (Object.keys(gatewayOverrides).length > 0 || getIsContainerized()) {
+export async function initFeatureFlagOverrides(): Promise<void> {
+  const gatewayOverrides = await fetchOverridesFromGateway();
+  if (Object.keys(gatewayOverrides).length > 0) {
     cachedOverrides = gatewayOverrides;
-    return cachedOverrides;
+    return;
   }
 
-  // Graceful fallback: in local mode, if the gateway hasn't started yet
-  // (empty response), read overrides from file as a temporary measure.
+  // Gateway returned empty or failed. Leave the cache unset so
+  // loadOverrides() falls through to file on the next sync read,
+  // regardless of containerized vs local mode.
+}
+
+/**
+ * Read cached overrides synchronously.
+ *
+ * If `initFeatureFlagOverrides()` was called at startup, this returns the
+ * pre-populated cache. Otherwise falls back to the local file — this
+ * ensures the resolver never blocks on a network call.
+ */
+function loadOverrides(): Record<string, boolean> {
+  if (cachedOverrides != null) return cachedOverrides;
+
+  // Cache not yet populated (initFeatureFlagOverrides wasn't called or
+  // hasn't finished). Fall back to the local file so the resolver still
+  // works, just without gateway data.
   cachedOverrides = loadOverridesFromFile();
   return cachedOverrides;
 }

package/src/config/bundled-skills/app-builder/SKILL.md

@@ -448,9 +448,91 @@ Important:
 - All operations are async - use `async/await`
 - Wrap all calls in `try/catch`
 
+#### Custom route handlers (user-defined routes)
+
+When the app needs server-side persistence, custom API logic, or workspace file access, use **user-defined routes**. Route handlers are TypeScript or JavaScript files that live in the workspace `routes/` directory and are served under the `/v1/x/` URL path.
+
+**Common use cases:** CRUD storage, file-based persistence, search/aggregation, external API proxying, webhook receivers.
+
+**Handler file convention:**
+
+Each handler file exports named functions for the HTTP methods it supports (`GET`, `POST`, `PUT`, `PATCH`, `DELETE`). Handlers use the standard Web API `Request`/`Response` signature.
+
+```
+{workspaceDir}/routes/
+  items.ts               # Handles /v1/x/items
+  items/
+    [id].ts              # Not supported — use query params instead
+    index.ts             # Also handles /v1/x/items (index convention)
+```
+
+**Example handler — JSON file persistence:**
+
+```typescript
+// routes/items.ts
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from "node:fs";
+import { join } from "node:path";
+
+export const description = "Item CRUD — stores records as a JSON file";
+
+const DATA_DIR = join(process.env.VELLUM_WORKSPACE_DIR!, "data");
+const DATA_FILE = join(DATA_DIR, "items.json");
+
+function loadItems(): Array<Record<string, unknown>> {
+  mkdirSync(DATA_DIR, { recursive: true });
+  if (!existsSync(DATA_FILE)) return [];
+  return JSON.parse(readFileSync(DATA_FILE, "utf-8"));
+}
+
+function saveItems(items: Array<Record<string, unknown>>): void {
+  mkdirSync(DATA_DIR, { recursive: true });
+  writeFileSync(DATA_FILE, JSON.stringify(items, null, 2));
+}
+
+export function GET(): Response {
+  return Response.json(loadItems());
+}
+
+export async function POST(request: Request): Promise<Response> {
+  const body = await request.json();
+  const items = loadItems();
+  const item = { id: crypto.randomUUID(), ...body, createdAt: new Date().toISOString() };
+  items.push(item);
+  saveItems(items);
+  return Response.json(item, { status: 201 });
+}
+```
+
+**Calling routes from the app frontend:**
+
+Apps call custom routes via `fetch()` using the `/v1/x/` prefix. The assistant's runtime HTTP server requires the `/v1/` namespace for all API requests.
+
+```typescript
+// In a TSX component or HTML script
+const res = await fetch("/v1/x/items");
+const items = await res.json();
+
+// Create a new item
+await fetch("/v1/x/items", {
+  method: "POST",
+  headers: { "Content-Type": "application/json" },
+  body: JSON.stringify({ name: "New item", status: "active" }),
+});
+```
+
+**Key rules:**
+
+- Always create the route handler files via `file_write` before calling `app_refresh`
+- Export an optional `description` string for CLI discoverability (`assistant routes list`)
+- Handlers have full Node.js API access — `fs`, `path`, `crypto`, etc.
+- Handlers get a 30-second timeout per request
+- Files are hot-reloaded on change (mtime-based cache)
+- Use `.ts` (preferred) or `.js` extensions
+- Route resolution: `routes/foo.ts` → `/v1/x/foo`, `routes/bar/index.ts` → `/v1/x/bar`
+
 #### Client-side state management
 
-`localStorage` and `sessionStorage` are available for ephemeral UI state (filters, view modes, collapsed state, preferences, form drafts). Use `window.vellum.data` for persistent app records, `localStorage` for UI preferences.
+`localStorage` and `sessionStorage` are available for ephemeral UI state (filters, view modes, collapsed state, preferences, form drafts). Use custom routes for persistent app records, `localStorage` for UI preferences.
 
 <!-- feature:app-builder-multifile:alt -->
 
@@ -467,7 +549,8 @@ let allRecords = [];
 
 async function loadRecords() {
   try {
-    allRecords = await window.vellum.data.query();
+    const res = await fetch("/v1/x/records");
+    allRecords = await res.json();
     render();
   } catch (err) {
     console.error("Failed to load:", err);
@@ -556,7 +639,7 @@ Every app must meet these baselines:
 
 ## Presentation Slide Design
 
-Slides are a different domain from apps. Skip app-specific patterns (contextual headers, search/filter, toast notifications, form validation, data bridge). Slides are static content — build navigation and layouts with custom HTML/CSS.
+Slides are a different domain from apps. Skip app-specific patterns (contextual headers, search/filter, toast notifications, form validation, custom routes). Slides are static content — build navigation and layouts with custom HTML/CSS.
 
 **Key principles:**
 
@@ -569,7 +652,7 @@ Slides are a different domain from apps. Skip app-specific patterns (contextual
 
 ## Error Handling
 
-- All `window.vellum.data` calls must be wrapped in `try/catch` with user-friendly feedback.
+- All `fetch()` calls to custom routes must be wrapped in `try/catch` with user-friendly feedback.
 - Never let a failed operation silently pass - always show a toast or inline error.
 - If the page loads with no data, show a designed empty state (`.v-empty-state`).
 - For forms, show validation errors inline next to the relevant field.

package/src/config/bundled-skills/gmail/SKILL.md

@@ -110,22 +110,27 @@ When a user asks to declutter, clean up, or organize their email - start scannin
 
 ### Workflow
 
-1. **Scan**: Call `gmail_sender_digest`. Default query targets promotions from the last 90 days.
+1. **Scan**: Call `gmail_sender_digest`. Default query targets promotions currently in the inbox from the last 90 days (`in:inbox category:promotions newer_than:90d`). Counts shown in the table reflect only what is currently in the inbox — these are the emails that will be archived.
 2. **Present**: Show results as a `ui_show` table with `selectionMode: "multiple"`:
    - **Columns (exactly 3)**: Sender, Emails Found, Unsub?
      - **Unsub? cell values**: Use rich cell format: `{ "text": "Yes", "icon": "checkmark.circle.fill", "iconColor": "success" }` when `has_unsubscribe` is true, `{ "text": "No", "icon": "minus.circle", "iconColor": "muted" }` when false.
    - **Pre-select all rows** (`selected: true`) - users deselect what they want to keep
    - **Caption**: Include two parts separated by a newline: (1) data scope, e.g. "Newsletters, notifications, and outreach from last 90 days. Deselect anything you want to keep." (adjusted to match the query used), and (2) the Unsub? column legend: "Unsub? - \"Yes\" means these emails contain an unsubscribe link, so I can opt you out automatically. \"No\" means no unsubscribe link was found - these will be archived but you may continue receiving them."
    - **Action buttons (exactly 2)**: "Archive & Unsubscribe" (primary), "Archive Only" (secondary). **NEVER offer Delete, Trash, or any destructive action.**
-3. **Wait for user action**: Stop and wait. Do NOT proceed to archiving or unsubscribing until the user clicks one of the action buttons on the table. When the user clicks an action button:
+3. **Embed scan_id in button data**: When constructing the action buttons in `ui_show`, include the `scan_id` from the `gmail_sender_digest` result in each button's `data` field. This ensures `scan_id` is forwarded automatically when the user clicks — the LLM does not need to recall it from earlier context:
+   ```json
+   { "id": "archive_unsubscribe", "label": "Archive & Unsubscribe", "style": "primary", "data": { "scan_id": "<scan_id value here>" } }
+   ```
+4. **Wait for user action**: Stop and wait. Do NOT proceed to archiving or unsubscribing until the user clicks one of the action buttons on the table. When the user clicks an action button you will receive a surface action message containing `action data: { scan_id, selectedIds }`:
+   - `selectedIds` are **sender IDs** (the `id` values from the scan result rows, base64-encoded email addresses) — NOT Gmail message IDs. Always use them as `sender_ids` with `scan_id`, never as `message_ids`.
    - **Dismiss the table immediately** with `ui_dismiss` - it collapses to a completion chip
    - **Show a `task_progress` card** with steps for each phase (e.g., "Archiving 89 senders (2,400 emails)", "Unsubscribing from 72 senders"). Update each step from `in_progress` → `completed` as each phase finishes.
    - When all senders are processed, set the progress card's `status: "completed"`.
-4. **Act on selection** - batch, don't loop:
-   - **Archive all at once**: Call `gmail_archive` **once** with `scan_id` + **all** selected senders' `id` values in the `sender_ids` array. The tool resolves message IDs server-side and batches the Gmail API calls internally - never loop sender-by-sender.
+5. **Act on selection** - batch, don't loop:
+   - **Archive all at once**: Call `gmail_archive` **once** with `scan_id` (from action data) + `sender_ids` set to all `selectedIds` from the action data. The tool resolves message IDs server-side and batches the Gmail API calls internally - never loop sender-by-sender. **Never** pass `selectedIds` as `message_ids` — they are sender IDs, not Gmail message IDs.
    - **Unsubscribe in bulk**: If the action is "Archive & Unsubscribe", call `gmail_unsubscribe` for each sender that has `has_unsubscribe: true` - but emit **all** unsubscribe tool calls in a **single assistant response** (parallel tool use) rather than one-at-a-time across separate turns.
-5. **Accurate summary**: The scan counts are exact - the `message_count` shown in the table matches the number of messages archived. Format: "Cleaned up [total_archived] emails from [sender_count] senders. Unsubscribed from [unsub_count]."
-6. **Ongoing protection offer**: After reporting results, offer auto-archive filters:
+6. **Accurate summary**: The scan counts are exact - the `message_count` shown in the table matches the number of messages archived. Format: "Cleaned up [total_archived] emails from [sender_count] senders. Unsubscribed from [unsub_count]."
+7. **Ongoing protection offer**: After reporting results, offer auto-archive filters:
    - "Want me to set up auto-archive filters so future emails from these senders skip your inbox?"
    - If yes, call `gmail_filters` with `action: "create"` for each sender with `from` set to the sender's email and `remove_label_ids: ["INBOX"]`.
    - Then offer a recurring declutter schedule: "Want me to scan for new clutter monthly?" If yes, use `schedule_create` to set up a monthly declutter check.

package/src/config/bundled-skills/gmail/TOOLS.json

@@ -490,7 +490,7 @@
         "properties": {
           "query": {
             "type": "string",
-            "description": "Gmail search query (default 'category:promotions newer_than:90d')"
+            "description": "Gmail search query (default 'in:inbox category:promotions newer_than:90d')"
           },
           "max_messages": {
             "type": "number",

package/src/config/bundled-skills/gmail/tools/gmail-sender-digest.ts

@@ -49,7 +49,8 @@ export async function run(
   _context: ToolContext,
 ): Promise<ToolExecutionResult> {
   const account = input.account as string | undefined;
-  const query = (input.query as string) ?? "category:promotions newer_than:90d";
+  const query =
+    (input.query as string) ?? "in:inbox category:promotions newer_than:90d";
   const maxMessages = Math.min(
     (input.max_messages as number) ?? 5000,
     MAX_MESSAGES_CAP,

package/src/config/bundled-skills/settings/TOOLS.json

@@ -72,7 +72,7 @@
               "Sounds",
               "Permissions & Privacy",
               "Billing",
-              "Archived Conversations",
+              "Archive",
               "Schedules",
               "Developer"
             ],

package/src/config/bundled-skills/settings/tools/navigate-settings-tab.ts

@@ -10,21 +10,26 @@ const SETTINGS_TABS = [
   "Sounds",
   "Permissions & Privacy",
   "Billing",
-  "Archived Conversations",
+  "Archive",
   "Schedules",
   "Developer",
 ] as const;
 
 type SettingsTab = (typeof SETTINGS_TABS)[number];
 
+const LEGACY_TAB_ALIASES: Record<string, SettingsTab> = {
+  "Archived Conversations": "Archive",
+};
+
 export async function run(
   input: Record<string, unknown>,
   context: ToolContext,
 ): Promise<ToolExecutionResult> {
-  const tab = input.tab as string;
+  const rawTab = input.tab as string;
+  const tab = LEGACY_TAB_ALIASES[rawTab] ?? rawTab;
   if (!SETTINGS_TABS.includes(tab as SettingsTab)) {
     return {
-      content: `Error: unknown tab "${tab}". Valid tabs: ${SETTINGS_TABS.join(
+      content: `Error: unknown tab "${rawTab}". Valid tabs: ${SETTINGS_TABS.join(
         ", ",
       )}`,
       isError: true,

package/src/config/feature-flag-registry.json

@@ -126,8 +126,8 @@
       "scope": "macos",
       "key": "referral-codes",
       "label": "Referral Codes",
-      "description": "Show the referral invite link and stats panel on the Billing tab in Settings",
-      "defaultEnabled": false
+      "description": "Surface the Earn Credits referral entry points (sidebar drawer row and Billing tab button) that open the referral modal",
+      "defaultEnabled": true
     },
     {
       "id": "managed-sign-in",

package/src/config/schemas/services.ts

@@ -56,6 +56,11 @@ export const OutlookOAuthServiceSchema = BaseServiceSchema.extend({
 });
 export type OutlookOAuthService = z.infer<typeof OutlookOAuthServiceSchema>;
 
+export const LinearOAuthServiceSchema = BaseServiceSchema.extend({
+  mode: ServiceModeSchema.default("your-own"),
+});
+export type LinearOAuthService = z.infer<typeof LinearOAuthServiceSchema>;
+
 export const ServicesSchema = z.object({
   inference: InferenceServiceSchema.default(InferenceServiceSchema.parse({})),
   "image-generation": ImageGenerationServiceSchema.default(
@@ -70,5 +75,8 @@ export const ServicesSchema = z.object({
   "outlook-oauth": OutlookOAuthServiceSchema.default(
     OutlookOAuthServiceSchema.parse({}),
   ),
+  "linear-oauth": LinearOAuthServiceSchema.default(
+    LinearOAuthServiceSchema.parse({}),
+  ),
 });
 export type Services = z.infer<typeof ServicesSchema>;

package/src/credential-execution/approval-bridge.ts

@@ -220,7 +220,6 @@ export async function bridgeCesApproval(
     [], // No allowlist options — CES manages its own grant patterns
     [], // No scope options — CES manages scope internally
     undefined, // No file diff
-    undefined, // Not sandboxed
     options?.conversationId,
     "host", // CES operations target the host
     false, // Persistent decisions are managed by CES, not trust.json

package/src/credential-execution/managed-catalog.ts

@@ -130,16 +130,12 @@ export async function fetchManagedCatalog(): Promise<FetchManagedCatalogResult>
 
     return { ok: true, descriptors };
   } catch (err) {
-    const message = err instanceof Error ? err.message : String(err);
-    const safeMessage = message.replace(
-      /Api-Key\s+\S+/gi,
-      "Api-Key [REDACTED]",
-    );
-    log.warn(`Failed to fetch managed CES catalog: ${safeMessage}`);
+    const errorName = err instanceof Error ? err.constructor.name : "Unknown";
+    log.warn(`Failed to fetch managed CES catalog (${errorName})`);
     return {
       ok: false,
       descriptors: [],
-      error: `Failed to fetch managed CES catalog: ${safeMessage}`,
+      error: `Failed to fetch managed CES catalog (${errorName})`,
     };
   }
 }

package/src/daemon/config-watcher.ts

@@ -118,6 +118,8 @@ export class ConfigWatcher {
     onIdentityChanged?: () => void,
     onSoundsConfigChanged?: () => void,
     onAvatarChanged?: () => void,
+    onConfigChanged?: () => void,
+    onFeatureFlagsChanged?: () => void,
   ): void {
     const workspaceDir = getWorkspaceDir();
 
@@ -130,6 +132,7 @@ export class ConfigWatcher {
           const changed = await this.refreshConfigFromSources();
           if (changed) {
             onConversationEvict();
+            onConfigChanged?.();
             const newConfig = getConfig();
             const newMcpFingerprint = JSON.stringify(newConfig.mcp ?? {});
             if (newMcpFingerprint !== prevMcpFingerprint) {
@@ -190,7 +193,7 @@ export class ConfigWatcher {
       this.startAvatarWatcher(onAvatarChanged);
     }
 
-    this.startFeatureFlagsWatcher();
+    this.startFeatureFlagsWatcher(onFeatureFlagsChanged);
     this.startSignalsWatcher();
     this.startSkillsWatchers(onConversationEvict);
   }
@@ -266,7 +269,7 @@ export class ConfigWatcher {
     }
   }
 
-  private startFeatureFlagsWatcher(): void {
+  private startFeatureFlagsWatcher(onFeatureFlagsChanged?: () => void): void {
     const protectedDir = process.env.GATEWAY_SECURITY_DIR
       ? process.env.GATEWAY_SECURITY_DIR
       : join(homedir(), ".vellum", "protected");
@@ -297,6 +300,7 @@ export class ConfigWatcher {
               "Feature flags file changed, invalidating cache",
             );
             clearFeatureFlagOverridesCache();
+            onFeatureFlagsChanged?.();
           },
           500,
         );

package/src/daemon/context-overflow-approval.ts

@@ -39,7 +39,6 @@ export async function requestCompressionApproval(
     undefined,
     undefined,
     undefined,
-    undefined,
     false,
     opts?.signal,
   );

package/src/daemon/conversation-agent-loop.ts

@@ -102,6 +102,7 @@ import {
   applyRuntimeInjections,
   buildUnifiedTurnContextBlock,
   findLastInjectedNowContent,
+  findLastInjectedPkbContent,
   inboundActorContextFromTrust,
   inboundActorContextFromTrustContext,
   readNowScratchpad,
@@ -109,6 +110,7 @@ import {
   stripInjectionsForCompaction,
 } from "./conversation-runtime-assembly.js";
 import type { SkillProjectionCache } from "./conversation-skill-tools.js";
+import { markSurfaceCompleted } from "./conversation-surfaces.js";
 import { resolveTrustClass } from "./conversation-tool-setup.js";
 import { recordUsage } from "./conversation-usage.js";
 import { formatTurnTimestamp } from "./date-context.js";
@@ -438,6 +440,7 @@ export async function runAgentLoopImpl(
           surfaceId,
           summary: "Dismissed",
         });
+        markSurfaceCompleted(ctx, surfaceId, "Dismissed");
         ctx.pendingSurfaceActions.delete(surfaceId);
       }
     }
@@ -784,8 +787,16 @@ export async function runAgentLoopImpl(
     const nowScratchpad =
       currentNowContent !== lastInjectedNow ? currentNowContent : null;
 
-    // Read PKB always-loaded files (INDEX, essentials, threads, buffer)
+    // Only inject PKB if it changed since the last injection in the
+    // conversation.  Keeping the previous injection in place avoids mutating
+    // historical user messages and preserves the cached prefix.
+    // Note: injectPkbContext escapes </pkb> sequences before writing to history,
+    // so we must apply the same escaping before comparing to avoid false mismatches.
     const currentPkbContent = readPkbContext();
+    const lastInjectedPkb = findLastInjectedPkbContent(ctx.messages);
+    const escapedCurrentPkb = currentPkbContent?.replace(/<\/pkb\s*>/gi, "&lt;/pkb&gt;") ?? null;
+    const pkbContext =
+      escapedCurrentPkb !== lastInjectedPkb ? currentPkbContent : null;
 
     // Shared injection options — reused whenever we need to re-inject after reduction.
     const injectionOpts = {
@@ -796,7 +807,7 @@ export async function runAgentLoopImpl(
       channelCapabilities: ctx.channelCapabilities ?? null,
       channelCommandContext: ctx.commandIntent ?? null,
       unifiedTurnContext: unifiedTurnContextStr,
-      pkbContext: currentPkbContent,
+      pkbContext,
       nowScratchpad,
       voiceCallControlPrompt: ctx.voiceCallControlPrompt ?? null,
       transportHints: ctx.transportHints ?? null,
@@ -922,7 +933,7 @@ export async function runAgentLoopImpl(
         // value from injectionOpts to avoid duplicate injection.
         runMessages = applyRuntimeInjections(ctx.messages, {
           ...injectionOpts,
-          pkbContext: currentPkbContent,
+          ...(step.compactionResult?.compacted && { pkbContext: currentPkbContent }),
           ...(step.compactionResult?.compacted && { nowScratchpad: currentNowContent }),
           workspaceTopLevelContext: shouldInjectWorkspace
             ? ctx.workspaceTopLevelContext
@@ -1202,8 +1213,16 @@ export async function runAgentLoopImpl(
     // limit), incorporate those new messages into ctx.messages so the
     // convergence loop operates on the full (larger) history.
     if (state.contextTooLargeDetected) {
+      // Track whether ctx.messages was actually stripped so we know if
+      // NOW.md (and other injections) need to be re-injected.  When the
+      // provider rejects before adding any messages, the strip is skipped
+      // and ctx.messages still contains the previous injection — blindly
+      // re-injecting would duplicate the NOW.md block.
+      let convergenceStripped = false;
+
       if (updatedHistory.length > preRunHistoryLength) {
         ctx.messages = stripInjectionsForCompaction(updatedHistory);
+        convergenceStripped = true;
         preRepairMessages = updatedHistory;
         preRunHistoryLength = updatedHistory.length;
       }
@@ -1326,12 +1345,13 @@ export async function runAgentLoopImpl(
           shouldInjectWorkspace = true;
         }
 
-        // ctx.messages has been stripped (line 1206/1373) so NOW.md must
-        // always be re-injected regardless of whether compaction ran.
+        // Only re-inject NOW.md when ctx.messages was actually stripped;
+        // otherwise the existing NOW.md block is still present and
+        // re-injecting would duplicate it.
         runMessages = applyRuntimeInjections(ctx.messages, {
           ...injectionOpts,
           pkbContext: currentPkbContent,
-          nowScratchpad: currentNowContent,
+          nowScratchpad: convergenceStripped ? currentNowContent : null,
           workspaceTopLevelContext: shouldInjectWorkspace
             ? ctx.workspaceTopLevelContext
             : null,
@@ -1373,6 +1393,7 @@ export async function runAgentLoopImpl(
           // pre-rerun messages.
           if (updatedHistory.length > preRunHistoryLength) {
             ctx.messages = stripInjectionsForCompaction(updatedHistory);
+            convergenceStripped = true;
             preRepairMessages = updatedHistory;
             preRunHistoryLength = updatedHistory.length;
           }
@@ -1448,12 +1469,12 @@ export async function runAgentLoopImpl(
               shouldInjectWorkspace = true;
             }
 
-            // ctx.messages was already stripped before the convergence
-            // loop, so NOW.md must always be re-injected here.
+            // Only re-inject NOW.md when ctx.messages was actually stripped;
+            // otherwise the existing block is still present.
             runMessages = applyRuntimeInjections(ctx.messages, {
               ...injectionOpts,
               pkbContext: currentPkbContent,
-              nowScratchpad: currentNowContent,
+              nowScratchpad: convergenceStripped ? currentNowContent : null,
               workspaceTopLevelContext: shouldInjectWorkspace
                 ? ctx.workspaceTopLevelContext
                 : null,
@@ -1568,12 +1589,12 @@ export async function runAgentLoopImpl(
             shouldInjectWorkspace = true;
           }
 
-          // ctx.messages was already stripped before the convergence
-          // loop, so NOW.md must always be re-injected here.
+          // Only re-inject NOW.md when ctx.messages was actually stripped;
+          // otherwise the existing block is still present.
           runMessages = applyRuntimeInjections(ctx.messages, {
             ...injectionOpts,
             pkbContext: currentPkbContent,
-            nowScratchpad: currentNowContent,
+            nowScratchpad: convergenceStripped ? currentNowContent : null,
             workspaceTopLevelContext: shouldInjectWorkspace
               ? ctx.workspaceTopLevelContext
               : null,

package/src/daemon/conversation-attachments.ts

@@ -71,7 +71,6 @@ export async function approveHostAttachmentRead(
     await generateAllowlistOptions(toolName, input),
     generateScopeOptions(workingDir, toolName),
     undefined,
-    undefined,
     conversationId,
     "host",
   );