@vellumai/assistant 0.6.2 → 0.6.3

package/src/daemon/conversation-surfaces.ts

@@ -4,9 +4,9 @@ import {
   getApp,
   getAppDirPath,
   getAppPreview,
-  inlineDistAssets,
   isMultifileApp,
   resolveAppDir,
+  resolveEffectiveAppHtml,
   updateApp,
 } from "../memory/app-store.js";
 import {
@@ -65,32 +65,36 @@ export function markSurfaceCompleted(
   }
 
   // Persist to DB.
-  const rows = getMessages(ctx.conversationId);
-  for (let r = rows.length - 1; r >= 0; r--) {
-    let parsed: unknown[];
-    try {
-      const result = JSON.parse(rows[r].content);
-      if (!Array.isArray(result)) continue;
-      parsed = result;
-    } catch {
-      // Some rows store plain text content (e.g. notification seeding) —
-      // skip them and keep scanning.
-      continue;
-    }
-    let found = false;
-    for (const pb of parsed) {
-      const rb = pb as Record<string, unknown>;
-      if (rb.type === "ui_surface" && rb.surfaceId === surfaceId) {
-        rb.completed = true;
-        rb.completionSummary = summary;
-        found = true;
-        break;
+  try {
+    const rows = getMessages(ctx.conversationId);
+    for (let r = rows.length - 1; r >= 0; r--) {
+      let parsed: unknown[];
+      try {
+        const result = JSON.parse(rows[r].content);
+        if (!Array.isArray(result)) continue;
+        parsed = result;
+      } catch {
+        // Some rows store plain text content (e.g. notification seeding) —
+        // skip them and keep scanning.
+        continue;
+      }
+      let found = false;
+      for (const pb of parsed) {
+        const rb = pb as Record<string, unknown>;
+        if (rb.type === "ui_surface" && rb.surfaceId === surfaceId) {
+          rb.completed = true;
+          rb.completionSummary = summary;
+          found = true;
+          break;
+        }
+      }
+      if (found) {
+        updateMessageContent(rows[r].id, JSON.stringify(parsed));
+        return;
       }
     }
-    if (found) {
-      updateMessageContent(rows[r].id, JSON.stringify(parsed));
-      return;
-    }
+  } catch (err) {
+    log.warn({ err, surfaceId }, "Failed to persist surface completion to DB");
   }
 }
 const TASK_PROGRESS_TEMPLATE_FIELDS = ["title", "status", "steps"] as const;
@@ -1146,10 +1150,12 @@ export function refreshSurfacesForApp(
     // Push current HTML onto the undo stack before overwriting
     pushUndoState(ctx.surfaceUndoStacks, surfaceId, data.html);
 
-    // Update in-memory surface state so the next refinement gets fresh HTML
+    // Update in-memory surface state so the next refinement gets fresh HTML.
+    // For multifile apps, resolve the compiled dist/index.html with inlined
+    // assets rather than the empty root index.html (app.htmlDefinition).
     const updatedData: DynamicPageSurfaceData = {
       ...data,
-      html: app.htmlDefinition,
+      html: resolveEffectiveAppHtml(app),
       ...(opts?.fileChange
         ? { reloadGeneration: (data.reloadGeneration ?? 0) + 1 }
         : {}),
@@ -1539,11 +1545,10 @@ export async function surfaceProxyResolver(
     const storedPreview = getAppPreview(app.id);
     const { dirName } = resolveAppDir(app.id);
 
-    // For multifile TSX apps, resolve HTML from compiled dist/index.html
-    // rather than the root index.html (which is empty for formatVersion 2).
-    let html = app.htmlDefinition;
+    // For multifile TSX apps, auto-compile if dist is missing, then
+    // resolve HTML from compiled dist/index.html with inlined assets.
     if (isMultifileApp(app)) {
-      const { existsSync, readFileSync } = await import("node:fs");
+      const { existsSync } = await import("node:fs");
       const { join } = await import("node:path");
       const appDir = getAppDirPath(app.id);
       const distIndex = join(appDir, "dist", "index.html");
@@ -1557,12 +1562,8 @@ export async function surfaceProxyResolver(
           );
         }
       }
-      if (existsSync(distIndex)) {
-        html = inlineDistAssets(appDir, readFileSync(distIndex, "utf-8"));
-      } else {
-        html = `<p>App compilation failed. Edit a source file to trigger a rebuild.</p>`;
-      }
     }
+    const html = resolveEffectiveAppHtml(app);
 
     const surfaceData: DynamicPageSurfaceData = {
       html,

package/src/daemon/conversation-tool-setup.ts

@@ -6,6 +6,11 @@
  * keeping the constructor body focused on wiring.
  */
 
+import {
+  type HostProxyCapability,
+  type InterfaceId,
+  supportsHostProxy,
+} from "../channels/types.js";
 import { isHttpAuthDisabled } from "../config/env.js";
 import { getIsPlatform } from "../config/env-registry.js";
 import type { CesClient } from "../credential-execution/client.js";
@@ -22,6 +27,7 @@ import {
   findHighestPriorityRule,
 } from "../permissions/trust-store.js";
 import { isAllowDecision } from "../permissions/types.js";
+import { isPermissionControlsV2Enabled } from "../permissions/v2-consent-policy.js";
 import type { Message, ToolDefinition } from "../providers/types.js";
 import type { TrustClass } from "../runtime/actor-trust-resolver.js";
 import { coreAppProxyTools } from "../tools/apps/definitions.js";
@@ -106,6 +112,8 @@ export interface ToolSetupContext extends SurfaceConversationContext {
   callSessionId?: string;
   /** Optional proxy for delegating host_bash execution to a connected client. */
   hostBashProxy?: import("./host-bash-proxy.js").HostBashProxy;
+  /** Optional proxy for delegating CDP commands to a connected client (managed/cloud-hosted mode). */
+  hostBrowserProxy?: import("./host-browser-proxy.js").HostBrowserProxy;
   /** Optional proxy for delegating host_file_read/write/edit execution to a connected client. */
   hostFileProxy?: import("./host-file-proxy.js").HostFileProxy;
   /** CES RPC client for credential execution operations. Injected when CES tools are enabled and the CES process is available. */
@@ -190,6 +198,7 @@ export function createToolExecutor(
       forcePromptSideEffects: ctx.memoryPolicy.strictSideEffects,
       toolUseId,
       hostBashProxy: ctx.hostBashProxy,
+      hostBrowserProxy: ctx.hostBrowserProxy,
       hostFileProxy: ctx.hostFileProxy,
       isPlatformHosted: getIsPlatform(),
       cesClient: ctx.cesClient,
@@ -312,6 +321,13 @@ export function createProxyApprovalCallback(
     const { scheme } = decision.target;
     const url = `${scheme}://${hostname}${port ? ":" + port : ""}${path}`;
 
+    if (isPermissionControlsV2Enabled()) {
+      // Under v2 we suppress deterministic network approval cards entirely.
+      // Proxied asks should follow the same non-host auto-allow contract as
+      // regular network_request invocations instead of turning into hard blocks.
+      return true;
+    }
+
     const input: Record<string, unknown> = {
       url,
       proxy_session_id: request.sessionId,
@@ -456,17 +472,49 @@ export interface SkillProjectionContext {
   subagentAllowedTools?: Set<string>;
   /** True when this conversation belongs to a subagent spawned by SubagentManager. */
   readonly isSubagent?: boolean;
+  /**
+   * The interface id of the connected client driving the current turn (e.g.
+   * "macos", "chrome-extension"). Used to gate host tools by per-capability
+   * `supportsHostProxy(transport, capability)` so that interfaces which only
+   * support a subset of the host proxy set (e.g. chrome-extension supports
+   * `host_browser` but not `host_bash`/`host_file`) do not leak unsupported
+   * host tools into the LLM tool definitions.
+   */
+  readonly transportInterface?: InterfaceId;
 }
 
 // ── Conditional tool sets ────────────────────────────────────────────
 
 const UI_SURFACE_TOOL_NAMES = new Set(["ui_show", "ui_update", "ui_dismiss"]);
-const HOST_TOOL_NAMES = new Set([
-  "host_file_read",
-  "host_file_write",
-  "host_file_edit",
-  "host_bash",
+/**
+ * Single source of truth for which tools are host tools and the capability
+ * each one requires from the connected client interface. Adding a tool here
+ * automatically adds it to `HOST_TOOL_NAMES` below, so the two collections
+ * cannot drift apart: if a new host tool is added without a capability
+ * mapping, `isToolActiveForContext` cannot accidentally return `true` for
+ * chrome-extension (or any other partial-capability transport) because
+ * `HOST_TOOL_NAMES` wouldn't contain it either.
+ *
+ * `isToolActiveForContext` uses this map to gate each host tool individually
+ * so that partial-capability transports (e.g. chrome-extension only supports
+ * `host_browser`) only see the host tools their interface can actually
+ * service.
+ *
+ * Note: there is no `host_cu` tool exposed via the tool gating layer today;
+ * computer-use is preactivated as a skill and projected through the skill
+ * tools path. Only host tools that flow through the per-capability gate
+ * need entries here.
+ */
+export const HOST_TOOL_TO_CAPABILITY = new Map<string, HostProxyCapability>([
+  ["host_bash", "host_bash"],
+  ["host_file_read", "host_file"],
+  ["host_file_write", "host_file"],
+  ["host_file_edit", "host_file"],
+  ["host_browser", "host_browser"],
 ]);
+// Derived from HOST_TOOL_TO_CAPABILITY so the invariant "every host tool has
+// a capability mapping" is a structural fact — no runtime assertion needed.
+export const HOST_TOOL_NAMES = new Set(HOST_TOOL_TO_CAPABILITY.keys());
 const CLIENT_CAPABILITY_TOOL_NAMES = new Set(["app_open"]);
 const PLATFORM_TOOL_NAMES = new Set(["request_system_permission"]);
 
@@ -495,9 +543,27 @@ export function isToolActiveForContext(
     return ctx.channelCapabilities?.supportsDynamicUi ?? !ctx.hasNoClient;
   }
   if (HOST_TOOL_NAMES.has(name)) {
-    // Host tools require a connected client — without one, there is no human
-    // to approve execution and the guardian auto-approve path would allow
-    // unchecked host command execution on the daemon host.
+    const capability = HOST_TOOL_TO_CAPABILITY.get(name);
+    const transport = ctx.transportInterface;
+
+    // Per-capability check is authoritative for structural support: if the
+    // transport cannot service this capability, the tool is filtered out.
+    if (transport && capability && !supportsHostProxy(transport, capability)) {
+      return false;
+    }
+
+    // chrome-extension is its own executor — the extension's popup gates
+    // commands via its own UI, and the transport does not use an SSE-level
+    // interactive approval channel. hasNoClient is intentionally `true` for
+    // chrome-extension turns (chrome-extension is not in INTERACTIVE_INTERFACES)
+    // and must not gate host_browser. Trust the per-capability check.
+    if (transport === "chrome-extension") {
+      return true;
+    }
+
+    // For transports that surface approvals over SSE (macos, backwards-compat
+    // fallback), deny when no client is present so the guardian auto-approve
+    // path cannot execute host commands unattended.
     return !ctx.hasNoClient;
   }
   if (CLIENT_CAPABILITY_TOOL_NAMES.has(name)) {

package/src/daemon/conversation-workspace.ts

@@ -13,6 +13,16 @@ export interface WorkspaceConversationContext {
   workingDir: string;
   workspaceTopLevelContext: string | null;
   workspaceTopLevelDirty: boolean;
+  /**
+   * Client-reported host home directory, populated from host-proxy
+   * transport metadata (see `supportsHostProxy` / `HostProxyInterfaceId`).
+   * Used to render the `<workspace>` block correctly for platform-managed
+   * daemons where `os.homedir()` would return the container's home instead
+   * of the user's actual client-side home.
+   */
+  hostHomeDir?: string;
+  /** Client-reported host username. See `hostHomeDir`. */
+  hostUsername?: string;
 }
 
 /** Refresh workspace top-level directory context if needed. */
@@ -36,6 +46,8 @@ export function refreshWorkspaceTopLevelContextIfNeeded(
     conversationAttachmentsPath: currentConversationPath
       ? `${currentConversationPath}attachments/`
       : null,
+    hostHomeDir: ctx.hostHomeDir,
+    hostUsername: ctx.hostUsername,
   });
   ctx.workspaceTopLevelDirty = false;
 }

package/src/daemon/conversation.ts

@@ -18,6 +18,7 @@
 import type { ResolvedSystemPrompt } from "../agent/loop.js";
 import { AgentLoop } from "../agent/loop.js";
 import type {
+  InterfaceId,
   TurnChannelContext,
   TurnInterfaceContext,
 } from "../channels/types.js";
@@ -43,12 +44,20 @@ import {
 import { registerToolTraceListener } from "../events/tool-trace-listener.js";
 import { getHookManager } from "../hooks/manager.js";
 import { resolveCanonicalGuardianRequest } from "../memory/canonical-guardian-store.js";
-import { updateConversationContextWindow } from "../memory/conversation-crud.js";
+import {
+  updateConversationContextWindow,
+  updateConversationHostAccess,
+} from "../memory/conversation-crud.js";
 import { ConversationGraphMemory } from "../memory/graph/conversation-graph-memory.js";
 import { PermissionPrompter } from "../permissions/prompter.js";
 import { SecretPrompter } from "../permissions/secret-prompter.js";
 import { patternMatchesCandidate } from "../permissions/trust-store.js";
 import type { UserDecision } from "../permissions/types.js";
+import {
+  isConversationHostAccessDecision,
+  isConversationHostAccessEnabled,
+  isConversationHostAccessEnablePrompt,
+} from "../permissions/v2-consent-policy.js";
 import { resolvePersonaContext } from "../prompts/persona-resolver.js";
 import { buildSystemPrompt } from "../prompts/system-prompt.js";
 import type { Message } from "../providers/types.js";
@@ -104,6 +113,7 @@ import {
 } from "./conversation-tool-setup.js";
 import { refreshWorkspaceTopLevelContextIfNeeded as refreshWorkspaceImpl } from "./conversation-workspace.js";
 import { HostBashProxy } from "./host-bash-proxy.js";
+import { HostBrowserProxy } from "./host-browser-proxy.js";
 import type { CuObservationResult } from "./host-cu-proxy.js";
 import { HostCuProxy } from "./host-cu-proxy.js";
 import { HostFileProxy } from "./host-file-proxy.js";
@@ -115,6 +125,7 @@ import type {
   UserMessageAttachment,
 } from "./message-protocol.js";
 import type { ConversationTransportMetadata } from "./message-types/conversations.js";
+import { isHostProxyTransport } from "./message-types/conversations.js";
 import type {
   AssistantActivityState,
   ConfirmationStateChanged,
@@ -180,8 +191,22 @@ export class Conversation {
   /** @internal */ taskRunId?: string;
   /** @internal */ callSessionId?: string;
   /** @internal */ hostBashProxy?: HostBashProxy;
+  /** @internal */ hostBrowserProxy?: HostBrowserProxy;
   /** @internal */ hostCuProxy?: HostCuProxy;
   /** @internal */ hostFileProxy?: HostFileProxy;
+  /**
+   * Optional override sender used by `restoreBrowserProxyAvailability` so
+   * non-SSE transports (e.g. chrome-extension, whose host_browser_request
+   * frames flow through the ChromeExtensionRegistry WebSocket rather than
+   * the SSE hub) can preserve their registry-routed sender across drain
+   * queue restores. When set, `restoreBrowserProxyAvailability()` uses this
+   * function instead of `sendToClient` so the drain-queue path doesn't
+   * clobber the chrome-extension sender with the SSE hub emitter.
+   *
+   * Populated by the POST /messages handler for chrome-extension turns and
+   * cleared when an unrelated interface takes over (see `updateClient`).
+   */
+  /** @internal */ hostBrowserSenderOverride?: (msg: ServerMessage) => void;
   /** @internal */ cesClient?: CesClient;
   /** @internal */ readonly queue = new MessageQueue();
   /** @internal */ currentActiveSurfaceId?: string;
@@ -246,8 +271,24 @@ export class Conversation {
   }> = [];
   /** @internal */ workspaceTopLevelContext: string | null = null;
   /** @internal */ workspaceTopLevelDirty = true;
+  /**
+   * Host home directory reported by the client (e.g. macOS
+   * `NSHomeDirectory()`). Populated from `HostProxyTransportMetadata` when
+   * a message arrives from an interface that supports host-proxy tools
+   * (see `supportsHostProxy`). Consumed by the `<workspace>` block renderer
+   * so platform-managed (containerized) daemons show the user's actual
+   * client-side home dir instead of the container's `os.homedir()`.
+   * @internal
+   */
+  hostHomeDir?: string;
+  /**
+   * Host username reported by the client (e.g. macOS `NSUserName()`).
+   * See `hostHomeDir`.
+   * @internal
+   */
+  hostUsername?: string;
   public readonly traceEmitter: TraceEmitter;
-  public readonly hasSystemPromptOverride: boolean;
+  /** @internal */ hasSystemPromptOverride: boolean;
   public memoryPolicy: ConversationMemoryPolicy;
   /** @internal */ readonly graphMemory: ConversationGraphMemory;
   /** @internal */ activeContextNodeIds?: string[];
@@ -387,7 +428,7 @@ export class Conversation {
       _history: import("../providers/types.js").Message[],
     ): ResolvedSystemPrompt => {
       const resolved = {
-        systemPrompt: hasSystemPromptOverride
+        systemPrompt: this.hasSystemPromptOverride
           ? systemPrompt
           : (() => {
               const persona = resolvePersonaContext(
@@ -501,6 +542,7 @@ export class Conversation {
     this.traceEmitter.updateSender(sendToClient);
     if (!opts?.skipProxySenderUpdate) {
       this.hostBashProxy?.updateSender(sendToClient, !hasNoClient);
+      this.hostBrowserProxy?.updateSender(sendToClient, !hasNoClient);
       this.hostCuProxy?.updateSender(sendToClient, !hasNoClient);
       this.hostFileProxy?.updateSender(sendToClient, !hasNoClient);
     }
@@ -527,6 +569,7 @@ export class Conversation {
   /** Mark host proxies as unavailable so tool execution uses local fallback. */
   clearProxyAvailability(): void {
     this.hostBashProxy?.updateSender(this.sendToClient, false);
+    this.hostBrowserProxy?.updateSender(this.sendToClient, false);
     this.hostCuProxy?.updateSender(this.sendToClient, false);
     this.hostFileProxy?.updateSender(this.sendToClient, false);
   }
@@ -535,11 +578,43 @@ export class Conversation {
   restoreProxyAvailability(): void {
     if (!this.hasNoClient) {
       this.hostBashProxy?.updateSender(this.sendToClient, true);
+      this.hostBrowserProxy?.updateSender(this.sendToClient, true);
       this.hostCuProxy?.updateSender(this.sendToClient, true);
       this.hostFileProxy?.updateSender(this.sendToClient, true);
     }
   }
 
+  /**
+   * Restore host browser proxy availability only. Used for non-desktop
+   * interfaces (e.g. chrome-extension) that support host_browser but not
+   * the full desktop proxy set, so calling restoreProxyAvailability() would
+   * incorrectly re-enable bash/file/CU proxies that should stay disabled.
+   *
+   * Unlike `restoreProxyAvailability()`, this helper does NOT gate on
+   * `hasNoClient`. The chrome-extension interface is non-interactive (so
+   * `hasNoClient === true`), but it DOES have a connected client that can
+   * service `host_browser_request` events. Gating on `hasNoClient` would
+   * leave the just-constructed proxy unavailable and the only way to make
+   * it available would be to flip `hasNoClient` false, which would
+   * incorrectly enable host_bash/host_file/host_cu tool gating downstream.
+   *
+   * When `hostBrowserSenderOverride` is set, that function is used as the
+   * sender instead of `sendToClient`. This is required for the
+   * chrome-extension interface whose host_browser frames route through the
+   * ChromeExtensionRegistry WebSocket rather than the SSE hub: if the
+   * queue-drain path called this helper with `sendToClient`, the
+   * registry-routed sender established at turn-start would be clobbered by
+   * the SSE hub emitter and host_browser_request frames would stop
+   * reaching the extension.
+   *
+   * Callers must only invoke this when they know the current interface
+   * supports host_browser (see `supportsHostProxy(id, "host_browser")`).
+   */
+  restoreBrowserProxyAvailability(): void {
+    const sender = this.hostBrowserSenderOverride ?? this.sendToClient;
+    this.hostBrowserProxy?.updateSender(sender, true);
+  }
+
   setSubagentAllowedTools(tools: Set<string> | undefined): void {
     this.subagentAllowedTools = tools;
   }
@@ -548,6 +623,35 @@ export class Conversation {
     this.isSubagent = value;
   }
 
+  /**
+   * Prepend inherited parent messages into the in-memory message array so that
+   * the AgentLoop includes them in provider calls (enabling KV cache sharing).
+   *
+   * These messages are NOT persisted to the database — they exist only in
+   * memory. When the conversation is later read from DB via getMessages(),
+   * only the conversation's own persisted messages appear.
+   *
+   * Must be called before the first persistUserMessage() call — i.e. while
+   * `this.messages` is still empty.
+   */
+  injectInheritedContext(messages: Message[]): void {
+    if (this.messages.length !== 0) {
+      throw new Error(
+        "injectInheritedContext must be called before any messages have been added",
+      );
+    }
+    this.messages = [...messages];
+    this.contextWindowManager.nonPersistedPrefixCount = messages.length;
+  }
+
+  /**
+   * Return the system prompt string set at construction time (or its override).
+   * Fork consumers use this to pass the parent's system prompt to the fork.
+   */
+  getCurrentSystemPrompt(): string {
+    return this.systemPrompt;
+  }
+
   isProcessing(): boolean {
     return this.processing;
   }
@@ -570,6 +674,7 @@ export class Conversation {
   dispose(): void {
     approvalOverrides.clearMode(this.conversationId);
     this.hostBashProxy?.dispose();
+    this.hostBrowserProxy?.dispose();
     this.hostCuProxy?.dispose();
     this.hostFileProxy?.dispose();
     // CES client is owned by DaemonServer — just drop the reference.
@@ -672,12 +777,35 @@ export class Conversation {
       return;
     }
 
+    const hostAccessEnablePrompt =
+      this.prompter.isHostAccessEnablePrompt(requestId) ||
+      isConversationHostAccessEnablePrompt(
+        pendingInteractions.get(requestId)?.confirmationDetails,
+      );
+    const effectiveDecision =
+      hostAccessEnablePrompt && !isConversationHostAccessDecision(decision)
+        ? "deny"
+        : decision;
+
+    if (
+      hostAccessEnablePrompt &&
+      effectiveDecision === "allow" &&
+      !isConversationHostAccessEnabled(this.conversationId)
+    ) {
+      updateConversationHostAccess(this.conversationId, true);
+      this.sendToClient({
+        type: "conversation_host_access_updated",
+        conversationId: this.conversationId,
+        hostAccess: true,
+      });
+    }
+
     // Capture toolUseId before resolving (resolution deletes the pending entry)
     const toolUseId = this.prompter.getToolUseId(requestId);
 
     this.prompter.resolveConfirmation(
       requestId,
-      decision,
+      effectiveDecision,
       selectedPattern,
       selectedScope,
       decisionContext,
@@ -691,7 +819,7 @@ export class Conversation {
     // so ALL callers (HTTP handlers, /v1/confirm, channel bridges) get
     // consistent events without duplicating emission logic.
     const resolvedState =
-      decision === "deny" || decision === "always_deny"
+      effectiveDecision === "deny" || effectiveDecision === "always_deny"
         ? ("denied" as const)
         : ("approved" as const);
     this.emitConfirmationStateChanged({
@@ -735,7 +863,12 @@ export class Conversation {
     }
 
     // Cascade to other pending confirmations that match this decision
-    this.cascadePendingApprovals(requestId, decision, selectedPattern);
+    this.cascadePendingApprovals(
+      requestId,
+      effectiveDecision,
+      selectedPattern,
+      hostAccessEnablePrompt,
+    );
   }
 
   /**
@@ -751,9 +884,14 @@ export class Conversation {
     primaryRequestId: string,
     decision: UserDecision,
     selectedPattern?: string,
+    hostAccessEnablePrompt = false,
   ): void {
     // Single-action decisions don't cascade
-    if (decision === "allow" || decision === "deny") return;
+    if (decision === "allow" || decision === "deny") {
+      if (!hostAccessEnablePrompt || decision !== "allow") {
+        return;
+      }
+    }
 
     const pendingRequestIds = this.prompter.getPendingRequestIds();
     if (pendingRequestIds.length === 0) return;
@@ -766,6 +904,28 @@ export class Conversation {
       if (interaction.conversationId !== this.conversationId) continue;
       if (interaction.kind !== "confirmation") continue;
 
+      if (
+        hostAccessEnablePrompt &&
+        (this.prompter.isHostAccessEnablePrompt(candidateId) ||
+          isConversationHostAccessEnablePrompt(interaction.confirmationDetails))
+      ) {
+        // Enabling computer access is conversation-scoped, so sibling host
+        // prompts should resolve immediately once the first approval lands.
+        pendingInteractions.resolve(candidateId);
+        this.handleConfirmationResponse(
+          candidateId,
+          "allow",
+          undefined,
+          undefined,
+          undefined,
+          {
+            source: "system",
+            causedByRequestId: primaryRequestId,
+          },
+        );
+        continue;
+      }
+
       const cascadeResult = this.shouldCascade(
         decision,
         selectedPattern,
@@ -868,9 +1028,23 @@ export class Conversation {
     this.hostBashProxy = proxy;
   }
 
-  resolveHostFile(
+  resolveHostBrowser(
     requestId: string,
     response: { content: string; isError: boolean },
+  ): void {
+    this.hostBrowserProxy?.resolve(requestId, response);
+  }
+
+  setHostBrowserProxy(proxy: HostBrowserProxy | undefined): void {
+    if (this.hostBrowserProxy && this.hostBrowserProxy !== proxy) {
+      this.hostBrowserProxy.dispose();
+    }
+    this.hostBrowserProxy = proxy;
+  }
+
+  resolveHostFile(
+    requestId: string,
+    response: { content: string; isError: boolean; imageData?: string },
   ): void {
     this.hostFileProxy?.resolve(requestId, response);
   }
@@ -984,6 +1158,40 @@ export class Conversation {
     this.transportHints = hints;
   }
 
+  /**
+   * Apply client-reported host environment (home dir, username) from
+   * transport metadata onto the conversation. Only interfaces whose
+   * interfaceId passes `supportsHostProxy()` contribute values — all other
+   * interfaces (CLI, channels, iOS, chrome-extension) clear any previously
+   * stored values so a conversation reused across interfaces doesn't leak
+   * stale paths into later `<workspace>` blocks.
+   *
+   * Gating on `supportsHostProxy` (rather than a specific interface name)
+   * keeps this in lock-step with the capability set defined in
+   * `HostProxyInterfaceId` — adding a new host-capable client only requires
+   * extending those two, not touching this method.
+   *
+   * Invalidates the cached workspace top-level block when values change so
+   * the next render picks up the new host env.
+   */
+  applyHostEnvFromTransport(transport: ConversationTransportMetadata): void {
+    const prevHomeDir = this.hostHomeDir;
+    const prevUsername = this.hostUsername;
+    if (isHostProxyTransport(transport)) {
+      this.hostHomeDir = transport.hostHomeDir;
+      this.hostUsername = transport.hostUsername;
+    } else {
+      this.hostHomeDir = undefined;
+      this.hostUsername = undefined;
+    }
+    if (
+      prevHomeDir !== this.hostHomeDir ||
+      prevUsername !== this.hostUsername
+    ) {
+      this.workspaceTopLevelDirty = true;
+    }
+  }
+
   setAssistantId(assistantId: string | null): void {
     this.assistantId = assistantId ?? undefined;
   }
@@ -1026,6 +1234,16 @@ export class Conversation {
     return this.currentTurnInterfaceContext;
   }
 
+  /**
+   * Implements the `transportInterface` field of `SkillProjectionContext` so
+   * that `isToolActiveForContext` can gate host tools by per-capability
+   * `supportsHostProxy(transport, capability)`. Derived from the live turn
+   * interface context so it tracks the connected client across turns.
+   */
+  get transportInterface(): InterfaceId | undefined {
+    return this.currentTurnInterfaceContext?.userMessageInterface;
+  }
+
   async persistUserMessage(
     content: string,
     attachments: UserMessageAttachment[],