@vellumai/assistant 0.6.1 → 0.6.3

package/src/oauth/seed-providers.ts

@@ -4,30 +4,36 @@ import { seedProviders } from "./oauth-store.js";
  * Protocol-level seed data for each well-known OAuth provider.
  *
  * These values are upserted into the `oauth_providers` SQLite table on
- * every startup. Only Vellum implementation fields (authUrl, tokenUrl,
- * tokenEndpointAuthMethod, userinfoUrl, extraParams,
- * pingUrl, pingMethod, pingHeaders, pingBody, managedServiceConfigKey,
+ * every startup. Only Vellum implementation fields (authorizeUrl, tokenExchangeUrl,
+ * refreshUrl, tokenEndpointAuthMethod, userinfoUrl, authorizeParams,
+ * pingUrl, pingMethod, pingHeaders, pingBody, revokeUrl, revokeBodyTemplate,
+ * managedServiceConfigKey,
  * loopbackPort, injectionTemplates, appType, setupNotes,
  * identityUrl, identityMethod, identityHeaders, identityBody,
- * identityResponsePaths, identityFormat, identityOkField, featureFlag)
- * and display metadata (displayName,
- * description, dashboardUrl, clientIdPlaceholder, requiresClientSecret)
+ * identityResponsePaths, identityFormat, identityOkField, featureFlag,
+ * scopeSeparator)
+ * and display metadata (displayLabel,
+ * description, dashboardUrl, clientIdPlaceholder, requiresClientSecret,
+ * logoUrl)
  * are overwritten on subsequent startups — user-customizable
  * fields (defaultScopes, scopePolicy) are only
  * written on initial insert and preserved across restarts.
  */
-const PROVIDER_SEED_DATA: Record<
+export const PROVIDER_SEED_DATA: Record<
   string,
   {
-    providerKey: string;
-    authUrl: string;
-    tokenUrl: string;
+    provider: string;
+    authorizeUrl: string;
+    tokenExchangeUrl: string;
+    refreshUrl?: string;
     tokenEndpointAuthMethod?: string;
     userinfoUrl?: string;
     pingUrl?: string;
     pingMethod?: string;
     pingHeaders?: Record<string, string>;
     pingBody?: unknown;
+    revokeUrl?: string;
+    revokeBodyTemplate?: Record<string, string>;
     baseUrl?: string;
     defaultScopes: string[];
     scopePolicy: {
@@ -35,9 +41,10 @@ const PROVIDER_SEED_DATA: Record<
       allowedOptionalScopes: string[];
       forbiddenScopes: string[];
     };
-    extraParams?: Record<string, string>;
+    scopeSeparator?: string;
+    authorizeParams?: Record<string, string>;
     managedServiceConfigKey?: string;
-    displayName: string;
+    displayLabel: string;
     description: string;
     dashboardUrl: string | null;
     clientIdPlaceholder: string | null;
@@ -59,19 +66,21 @@ const PROVIDER_SEED_DATA: Record<
     identityFormat?: string;
     identityOkField?: string;
     featureFlag?: string;
+    logoUrl?: string;
   }
 > = {
   google: {
-    providerKey: "google",
-    authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
-    tokenUrl: "https://oauth2.googleapis.com/token",
+    provider: "google",
+    authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+    tokenExchangeUrl: "https://oauth2.googleapis.com/token",
     userinfoUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
     pingUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
     baseUrl: "https://gmail.googleapis.com/gmail/v1/users/me",
-    displayName: "Google",
+    displayLabel: "Google",
     description: "Gmail, Calendar, and Contacts",
     dashboardUrl: "https://console.cloud.google.com/apis/credentials",
     clientIdPlaceholder: "123456789.apps.googleusercontent.com",
+    logoUrl: "https://cdn.simpleicons.org/google",
     defaultScopes: [
       "https://www.googleapis.com/auth/gmail.readonly",
       "https://www.googleapis.com/auth/gmail.modify",
@@ -89,7 +98,7 @@ const PROVIDER_SEED_DATA: Record<
       ],
       forbiddenScopes: [],
     },
-    extraParams: { access_type: "offline", prompt: "consent" },
+    authorizeParams: { access_type: "offline", prompt: "consent" },
     loopbackPort: 17321,
     managedServiceConfigKey: "google-oauth",
     injectionTemplates: [
@@ -112,21 +121,24 @@ const PROVIDER_SEED_DATA: Record<
         valuePrefix: "Bearer ",
       },
     ],
+    revokeUrl: "https://oauth2.googleapis.com/revoke",
+    revokeBodyTemplate: { token: "{access_token}" },
     appType: "Desktop app",
     identityUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
     identityResponsePaths: ["email"],
   },
 
   slack: {
-    providerKey: "slack",
-    authUrl: "https://slack.com/oauth/v2/authorize",
-    tokenUrl: "https://slack.com/api/oauth.v2.access",
+    provider: "slack",
+    authorizeUrl: "https://slack.com/oauth/v2/authorize",
+    tokenExchangeUrl: "https://slack.com/api/oauth.v2.access",
     pingUrl: "https://slack.com/api/auth.test",
     baseUrl: "https://slack.com/api",
-    displayName: "Slack",
+    displayLabel: "Slack",
     description: "Workspace messaging",
     dashboardUrl: "https://api.slack.com/apps",
     clientIdPlaceholder: null,
+    logoUrl: "https://cdn.simpleicons.org/slack",
     defaultScopes: [
       "channels:read",
       "channels:history",
@@ -147,7 +159,7 @@ const PROVIDER_SEED_DATA: Record<
       allowedOptionalScopes: [],
       forbiddenScopes: [],
     },
-    extraParams: {
+    authorizeParams: {
       user_scope:
         "channels:read,channels:history,groups:read,groups:history,im:read,im:history,im:write,mpim:read,mpim:history,users:read,chat:write,search:read,reactions:write",
     },
@@ -168,23 +180,24 @@ const PROVIDER_SEED_DATA: Record<
   },
 
   notion: {
-    providerKey: "notion",
-    authUrl: "https://api.notion.com/v1/oauth/authorize",
-    tokenUrl: "https://api.notion.com/v1/oauth/token",
+    provider: "notion",
+    authorizeUrl: "https://api.notion.com/v1/oauth/authorize",
+    tokenExchangeUrl: "https://api.notion.com/v1/oauth/token",
     pingUrl: "https://api.notion.com/v1/users/me",
     pingHeaders: { "Notion-Version": "2022-06-28" },
     baseUrl: "https://api.notion.com",
-    displayName: "Notion",
+    displayLabel: "Notion",
     description: "Pages and databases",
     dashboardUrl: "https://www.notion.so/my-integrations",
     clientIdPlaceholder: null,
+    logoUrl: "https://cdn.simpleicons.org/notion",
     defaultScopes: [],
     scopePolicy: {
       allowAdditionalScopes: false,
       allowedOptionalScopes: [],
       forbiddenScopes: [],
     },
-    extraParams: { owner: "user" },
+    authorizeParams: { owner: "user" },
     tokenEndpointAuthMethod: "client_secret_basic",
     loopbackPort: 17323,
     injectionTemplates: [
@@ -202,15 +215,16 @@ const PROVIDER_SEED_DATA: Record<
   },
 
   twitter: {
-    providerKey: "twitter",
-    authUrl: "https://twitter.com/i/oauth2/authorize",
-    tokenUrl: "https://api.x.com/2/oauth2/token",
+    provider: "twitter",
+    authorizeUrl: "https://twitter.com/i/oauth2/authorize",
+    tokenExchangeUrl: "https://api.x.com/2/oauth2/token",
     pingUrl: "https://api.x.com/2/users/me",
     baseUrl: "https://api.x.com",
-    displayName: "Twitter",
+    displayLabel: "Twitter",
     description: "Posts and direct messages",
     dashboardUrl: "https://developer.twitter.com/en/portal/dashboard",
     clientIdPlaceholder: null,
+    logoUrl: "https://cdn.simpleicons.org/x",
     defaultScopes: [
       "tweet.read",
       "tweet.write",
@@ -232,6 +246,12 @@ const PROVIDER_SEED_DATA: Record<
         valuePrefix: "Bearer ",
       },
     ],
+    revokeUrl: "https://api.x.com/2/oauth2/revoke",
+    revokeBodyTemplate: {
+      token: "{access_token}",
+      token_type_hint: "access_token",
+      client_id: "{client_id}",
+    },
     appType: "App",
     identityUrl: "https://api.x.com/2/users/me",
     identityResponsePaths: ["data.username"],
@@ -239,15 +259,16 @@ const PROVIDER_SEED_DATA: Record<
   },
 
   github: {
-    providerKey: "github",
-    authUrl: "https://github.com/login/oauth/authorize",
-    tokenUrl: "https://github.com/login/oauth/access_token",
+    provider: "github",
+    authorizeUrl: "https://github.com/login/oauth/authorize",
+    tokenExchangeUrl: "https://github.com/login/oauth/access_token",
     pingUrl: "https://api.github.com/user",
     baseUrl: "https://api.github.com",
-    displayName: "GitHub",
+    displayLabel: "GitHub",
     description: "Repositories and issues",
     dashboardUrl: "https://github.com/settings/developers",
     clientIdPlaceholder: null,
+    logoUrl: "https://cdn.simpleicons.org/github",
     defaultScopes: ["repo", "read:user", "notifications"],
     scopePolicy: {
       allowAdditionalScopes: true,
@@ -259,6 +280,7 @@ const PROVIDER_SEED_DATA: Record<
       ],
       forbiddenScopes: ["delete_repo", "admin:org"],
     },
+    managedServiceConfigKey: "github-oauth",
     loopbackPort: 17332,
     injectionTemplates: [
       {
@@ -275,26 +297,29 @@ const PROVIDER_SEED_DATA: Record<
   },
 
   linear: {
-    providerKey: "linear",
-    authUrl: "https://linear.app/oauth/authorize",
-    tokenUrl: "https://api.linear.app/oauth/token",
+    provider: "linear",
+    authorizeUrl: "https://linear.app/oauth/authorize",
+    tokenExchangeUrl: "https://api.linear.app/oauth/token",
     pingUrl: "https://api.linear.app/graphql",
     pingMethod: "POST",
     pingHeaders: { "Content-Type": "application/json" },
     pingBody: { query: "{ viewer { id name email } }" },
     baseUrl: "https://api.linear.app",
-    displayName: "Linear",
+    displayLabel: "Linear",
     description: "Issues and projects",
     dashboardUrl: "https://linear.app/settings/api",
     clientIdPlaceholder: null,
+    logoUrl: "https://cdn.simpleicons.org/linear",
     defaultScopes: ["read", "write", "issues:create"],
     scopePolicy: {
       allowAdditionalScopes: false,
       allowedOptionalScopes: [],
       forbiddenScopes: [],
     },
-    extraParams: { prompt: "consent" },
+    scopeSeparator: ",",
+    authorizeParams: { prompt: "consent" },
     loopbackPort: 17324,
+    managedServiceConfigKey: "linear-oauth",
     injectionTemplates: [
       {
         hostPattern: "api.linear.app",
@@ -303,6 +328,8 @@ const PROVIDER_SEED_DATA: Record<
         valuePrefix: "Bearer ",
       },
     ],
+    revokeUrl: "https://api.linear.app/oauth/revoke",
+    revokeBodyTemplate: { token: "{access_token}" },
     appType: "OAuth application",
     identityUrl: "https://api.linear.app/graphql",
     identityMethod: "POST",
@@ -312,15 +339,16 @@ const PROVIDER_SEED_DATA: Record<
   },
 
   spotify: {
-    providerKey: "spotify",
-    authUrl: "https://accounts.spotify.com/authorize",
-    tokenUrl: "https://accounts.spotify.com/api/token",
+    provider: "spotify",
+    authorizeUrl: "https://accounts.spotify.com/authorize",
+    tokenExchangeUrl: "https://accounts.spotify.com/api/token",
     pingUrl: "https://api.spotify.com/v1/me",
     baseUrl: "https://api.spotify.com/v1",
-    displayName: "Spotify",
+    displayLabel: "Spotify",
     description: "Music and playlists",
     dashboardUrl: "https://developer.spotify.com/dashboard",
     clientIdPlaceholder: null,
+    logoUrl: "https://cdn.simpleicons.org/spotify",
     defaultScopes: [
       "user-read-playback-state",
       "user-modify-playback-state",
@@ -353,15 +381,16 @@ const PROVIDER_SEED_DATA: Record<
   },
 
   todoist: {
-    providerKey: "todoist",
-    authUrl: "https://todoist.com/oauth/authorize",
-    tokenUrl: "https://todoist.com/oauth/access_token",
+    provider: "todoist",
+    authorizeUrl: "https://todoist.com/oauth/authorize",
+    tokenExchangeUrl: "https://todoist.com/oauth/access_token",
     pingUrl: "https://api.todoist.com/rest/v2/projects",
     baseUrl: "https://api.todoist.com/rest/v2",
-    displayName: "Todoist",
+    displayLabel: "Todoist",
     description: "Tasks and projects",
     dashboardUrl: "https://developer.todoist.com/appconsole.html",
     clientIdPlaceholder: null,
+    logoUrl: "https://cdn.simpleicons.org/todoist",
     defaultScopes: ["data:read_write"],
     scopePolicy: {
       allowAdditionalScopes: false,
@@ -386,15 +415,16 @@ const PROVIDER_SEED_DATA: Record<
   },
 
   discord: {
-    providerKey: "discord",
-    authUrl: "https://discord.com/oauth2/authorize",
-    tokenUrl: "https://discord.com/api/v10/oauth2/token",
+    provider: "discord",
+    authorizeUrl: "https://discord.com/oauth2/authorize",
+    tokenExchangeUrl: "https://discord.com/api/v10/oauth2/token",
     pingUrl: "https://discord.com/api/v10/users/@me",
     baseUrl: "https://discord.com/api/v10",
-    displayName: "Discord",
+    displayLabel: "Discord",
     description: "Servers and messages",
     dashboardUrl: "https://discord.com/developers/applications",
     clientIdPlaceholder: null,
+    logoUrl: "https://cdn.simpleicons.org/discord",
     defaultScopes: [
       "identify",
       "guilds",
@@ -421,16 +451,17 @@ const PROVIDER_SEED_DATA: Record<
   },
 
   dropbox: {
-    providerKey: "dropbox",
-    authUrl: "https://www.dropbox.com/oauth2/authorize",
-    tokenUrl: "https://api.dropboxapi.com/oauth2/token",
+    provider: "dropbox",
+    authorizeUrl: "https://www.dropbox.com/oauth2/authorize",
+    tokenExchangeUrl: "https://api.dropboxapi.com/oauth2/token",
     pingUrl: "https://api.dropboxapi.com/2/users/get_current_account",
     pingMethod: "POST",
     baseUrl: "https://api.dropboxapi.com/2",
-    displayName: "Dropbox",
+    displayLabel: "Dropbox",
     description: "Files and folders",
     dashboardUrl: "https://www.dropbox.com/developers/apps",
     clientIdPlaceholder: null,
+    logoUrl: "https://cdn.simpleicons.org/dropbox",
     defaultScopes: [
       "files.metadata.read",
       "files.content.read",
@@ -442,7 +473,7 @@ const PROVIDER_SEED_DATA: Record<
       allowedOptionalScopes: [],
       forbiddenScopes: [],
     },
-    extraParams: { token_access_type: "offline" },
+    authorizeParams: { token_access_type: "offline" },
     loopbackPort: 17327,
     injectionTemplates: [
       {
@@ -465,15 +496,16 @@ const PROVIDER_SEED_DATA: Record<
   },
 
   asana: {
-    providerKey: "asana",
-    authUrl: "https://app.asana.com/-/oauth_authorize",
-    tokenUrl: "https://app.asana.com/-/oauth_token",
+    provider: "asana",
+    authorizeUrl: "https://app.asana.com/-/oauth_authorize",
+    tokenExchangeUrl: "https://app.asana.com/-/oauth_token",
     pingUrl: "https://app.asana.com/api/1.0/users/me",
     baseUrl: "https://app.asana.com/api/1.0",
-    displayName: "Asana",
+    displayLabel: "Asana",
     description: "Tasks and projects",
     dashboardUrl: "https://app.asana.com/0/my-apps",
     clientIdPlaceholder: null,
+    logoUrl: "https://cdn.simpleicons.org/asana",
     defaultScopes: ["default"],
     scopePolicy: {
       allowAdditionalScopes: false,
@@ -495,15 +527,16 @@ const PROVIDER_SEED_DATA: Record<
   },
 
   airtable: {
-    providerKey: "airtable",
-    authUrl: "https://airtable.com/oauth2/v1/authorize",
-    tokenUrl: "https://airtable.com/oauth2/v1/token",
+    provider: "airtable",
+    authorizeUrl: "https://airtable.com/oauth2/v1/authorize",
+    tokenExchangeUrl: "https://airtable.com/oauth2/v1/token",
     pingUrl: "https://api.airtable.com/v0/meta/whoami",
     baseUrl: "https://api.airtable.com/v0",
-    displayName: "Airtable",
+    displayLabel: "Airtable",
     description: "Bases and records",
     dashboardUrl: "https://airtable.com/create/tokens",
     clientIdPlaceholder: null,
+    logoUrl: "https://cdn.simpleicons.org/airtable",
     defaultScopes: [
       "data.records:read",
       "data.records:write",
@@ -530,15 +563,16 @@ const PROVIDER_SEED_DATA: Record<
   },
 
   hubspot: {
-    providerKey: "hubspot",
-    authUrl: "https://app.hubspot.com/oauth/authorize",
-    tokenUrl: "https://api.hubapi.com/oauth/v1/token",
+    provider: "hubspot",
+    authorizeUrl: "https://app.hubspot.com/oauth/authorize",
+    tokenExchangeUrl: "https://api.hubapi.com/oauth/v1/token",
     pingUrl: "https://api.hubapi.com/crm/v3/objects/contacts?limit=1",
     baseUrl: "https://api.hubapi.com",
-    displayName: "HubSpot",
+    displayLabel: "HubSpot",
     description: "CRM contacts and deals",
     dashboardUrl: "https://developers.hubspot.com/",
     clientIdPlaceholder: null,
+    logoUrl: "https://cdn.simpleicons.org/hubspot",
     defaultScopes: [
       "crm.objects.contacts.read",
       "crm.objects.contacts.write",
@@ -569,15 +603,16 @@ const PROVIDER_SEED_DATA: Record<
   },
 
   figma: {
-    providerKey: "figma",
-    authUrl: "https://www.figma.com/oauth",
-    tokenUrl: "https://api.figma.com/v1/oauth/token",
+    provider: "figma",
+    authorizeUrl: "https://www.figma.com/oauth",
+    tokenExchangeUrl: "https://api.figma.com/v1/oauth/token",
     pingUrl: "https://api.figma.com/v1/me",
     baseUrl: "https://api.figma.com/v1",
-    displayName: "Figma",
+    displayLabel: "Figma",
     description: "Design files and comments",
     dashboardUrl: "https://www.figma.com/developers/apps",
     clientIdPlaceholder: null,
+    logoUrl: "https://cdn.simpleicons.org/figma",
     defaultScopes: ["files:read", "file_comments:write"],
     scopePolicy: {
       allowAdditionalScopes: false,
@@ -600,16 +635,19 @@ const PROVIDER_SEED_DATA: Record<
   },
 
   outlook: {
-    providerKey: "outlook",
-    authUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
-    tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token",
+    provider: "outlook",
+    authorizeUrl:
+      "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
+    tokenExchangeUrl:
+      "https://login.microsoftonline.com/common/oauth2/v2.0/token",
     pingUrl: "https://graph.microsoft.com/v1.0/me",
     baseUrl: "https://graph.microsoft.com",
-    displayName: "Outlook / Microsoft",
+    displayLabel: "Outlook / Microsoft",
     description: "Email and calendar",
     dashboardUrl:
       "https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade",
     clientIdPlaceholder: "Application (client) ID from Azure portal",
+    logoUrl: "https://cdn.simpleicons.org/microsoftoutlook",
     defaultScopes: [
       "openid",
       "profile",
@@ -627,7 +665,7 @@ const PROVIDER_SEED_DATA: Record<
       allowedOptionalScopes: ["Contacts.Read", "Files.Read", "Tasks.ReadWrite"],
       forbiddenScopes: [],
     },
-    extraParams: { prompt: "consent" },
+    authorizeParams: { prompt: "consent" },
     tokenEndpointAuthMethod: "client_secret_post",
     loopbackPort: 17334,
     managedServiceConfigKey: "outlook-oauth",
@@ -646,18 +684,19 @@ const PROVIDER_SEED_DATA: Record<
 
   // Manual-token providers: these don't use OAuth2 flows but need provider
   // rows so that oauth_app and oauth_connection FK chains can reference them.
-  // The authUrl/tokenUrl values are placeholders — never used at runtime.
+  // The authorizeUrl/tokenExchangeUrl values are placeholders — never used at runtime.
   slack_channel: {
-    providerKey: "slack_channel",
-    authUrl: "urn:manual-token",
-    tokenUrl: "urn:manual-token",
+    provider: "slack_channel",
+    authorizeUrl: "urn:manual-token",
+    tokenExchangeUrl: "urn:manual-token",
     pingUrl: "https://slack.com/api/auth.test",
     baseUrl: "https://slack.com/api",
-    displayName: "Slack Channel",
+    displayLabel: "Slack Channel",
     description: "Channel bot token",
     dashboardUrl: null,
     clientIdPlaceholder: null,
     requiresClientSecret: false,
+    logoUrl: "https://cdn.simpleicons.org/slack",
     defaultScopes: [],
     scopePolicy: {
       allowAdditionalScopes: false,
@@ -667,15 +706,16 @@ const PROVIDER_SEED_DATA: Record<
   },
 
   telegram: {
-    providerKey: "telegram",
-    authUrl: "urn:manual-token",
-    tokenUrl: "urn:manual-token",
+    provider: "telegram",
+    authorizeUrl: "urn:manual-token",
+    tokenExchangeUrl: "urn:manual-token",
     baseUrl: "https://api.telegram.org",
-    displayName: "Telegram",
+    displayLabel: "Telegram",
     description: "Bot messaging",
     dashboardUrl: null,
     clientIdPlaceholder: null,
     requiresClientSecret: false,
+    logoUrl: "https://cdn.simpleicons.org/telegram",
     defaultScopes: [],
     scopePolicy: {
       allowAdditionalScopes: false,

package/src/oauth/token-persistence.ts

@@ -188,7 +188,7 @@ export async function storeOAuth2Tokens(
   } else {
     const conn = createConnection({
       oauthAppId: app.id,
-      providerKey: service,
+      provider: service,
       accountInfo: resolvedAccountInfo,
       grantedScopes,
       expiresAt: expiresAt ?? undefined,

package/src/permissions/checker.ts

@@ -3,6 +3,7 @@ import { homedir } from "node:os";
 import { dirname, join, resolve } from "node:path";
 
 import { isAssistantFeatureFlagEnabled } from "../config/assistant-feature-flags.js";
+import { getIsContainerized } from "../config/env-registry.js";
 import { getConfig } from "../config/loader.js";
 import { loadSkillCatalog, resolveSkillSelector } from "../config/skills.js";
 import { indexCatalogById } from "../skills/include-graph.js";
@@ -1097,9 +1098,8 @@ export async function check(
     !matchedRule &&
     risk === RiskLevel.Low
   ) {
-    // When sandbox is disabled, bash runs on the host — don't auto-allow
-    const sandboxEnabled = getConfig().sandbox.enabled;
-    if (toolName === "bash" && !sandboxEnabled) {
+    // Outside a container, bash runs on the host — don't auto-allow
+    if (toolName === "bash" && !getIsContainerized()) {
       // Fall through to risk-based policy below
     } else if (isWorkspaceScopedInvocation(toolName, input, workingDir)) {
       return {

package/src/permissions/defaults.ts

@@ -1,5 +1,6 @@
 import { join } from "node:path";
 
+import { getIsContainerized } from "../config/env-registry.js";
 import { getConfig } from "../config/loader.js";
 import { getBundledSkillsDir } from "../config/skills.js";
 import { getWorkspaceDir } from "../util/platform.js";
@@ -42,7 +43,6 @@ export function getDefaultRuleTemplates(): DefaultRuleTemplate[] {
   // Some test suites mock getConfig() with partial objects; treat missing
   // branches as defaults so rule generation remains deterministic.
   const config = getConfig() as {
-    sandbox?: { enabled?: boolean };
     skills?: { load?: { extraDirs?: unknown } };
   };
 
@@ -67,12 +67,11 @@ export function getDefaultRuleTemplates(): DefaultRuleTemplate[] {
     priority: 50,
   };
 
-  // Sandboxed bash commands run in an isolated container — auto-allow all of
-  // them (including high-risk) so the user is never prompted for sandbox work.
-  // Only emit this rule when the sandbox is actually enabled; otherwise bash
-  // commands execute on the host and must go through normal permission checks.
-  const sandboxEnabled = config.sandbox?.enabled !== false;
-  const sandboxShellRule: DefaultRuleTemplate | null = sandboxEnabled
+  // When running inside a container (IS_CONTAINERIZED=true), bash commands
+  // execute in an isolated environment — auto-allow all of them (including
+  // high-risk) so the user is never prompted.  Outside a container, bash
+  // commands run on the host and go through normal permission checks.
+  const bashShellRule: DefaultRuleTemplate | null = getIsContainerized()
     ? {
         id: "default:allow-bash-global",
         tool: "bash",
@@ -300,7 +299,7 @@ export function getDefaultRuleTemplates(): DefaultRuleTemplate[] {
   return [
     ...hostFileRules,
     hostShellRule,
-    ...(sandboxShellRule ? [sandboxShellRule] : []),
+    ...(bashShellRule ? [bashShellRule] : []),
     ...computerUseRules,
     ...managedSkillRules,
     ...workspacePromptRules,

package/src/permissions/permission-mode.ts

@@ -1,27 +1,20 @@
 import { z } from "zod";
 
 /**
- * Two-axis permission model:
- * - `askBeforeActing` — LLM behavior toggle: when true the assistant checks in
- *   with the user before taking actions.
- * - `hostAccess` — System-enforced gate: when true the assistant can execute
- *   commands on the host machine without prompting.
+ * Host-access permission state.
+ *
+ * The only remaining permission-mode axis is whether the assistant can
+ * execute commands on the host machine without prompting.
  */
 export type PermissionMode = {
-  askBeforeActing: boolean;
   hostAccess: boolean;
 };
 
 export const DEFAULT_PERMISSION_MODE: PermissionMode = {
-  askBeforeActing: true,
   hostAccess: false,
 };
 
 export const PermissionModeSchema = z.object({
-  askBeforeActing: z
-    .boolean({ error: "permissionMode.askBeforeActing must be a boolean" })
-    .default(true)
-    .describe("Whether the assistant should check in before taking actions"),
   hostAccess: z
     .boolean({ error: "permissionMode.hostAccess must be a boolean" })
     .default(false)