@vellumai/assistant 0.6.2 → 0.6.3

package/src/runtime/routes/conversation-routes.ts

@@ -36,12 +36,13 @@ import {
 } from "../../daemon/first-greeting.js";
 import { renderHistoryContent } from "../../daemon/handlers/shared.js";
 import { HostBashProxy } from "../../daemon/host-bash-proxy.js";
+import { HostBrowserProxy } from "../../daemon/host-browser-proxy.js";
 import { HostCuProxy } from "../../daemon/host-cu-proxy.js";
 import { HostFileProxy } from "../../daemon/host-file-proxy.js";
 import type { ServerMessage } from "../../daemon/message-protocol.js";
 import type {
-  MacosTransportMetadata,
-  NonMacosTransportMetadata,
+  HostProxyTransportMetadata,
+  NonHostProxyTransportMetadata,
 } from "../../daemon/message-types/conversations.js";
 import type { HeartbeatService } from "../../heartbeat/heartbeat-service.js";
 import * as attachmentsStore from "../../memory/attachments-store.js";
@@ -77,6 +78,7 @@ import { silentlyWithLog } from "../../util/silently.js";
 import { buildAssistantEvent } from "../assistant-event.js";
 import { DAEMON_INTERNAL_ASSISTANT_ID } from "../assistant-scope.js";
 import type { AuthContext } from "../auth/types.js";
+import { getChromeExtensionRegistry } from "../chrome-extension-registry.js";
 import { bridgeConfirmationRequestToGuardian } from "../confirmation-request-guardian-bridge.js";
 import { routeGuardianReply } from "../guardian-reply-router.js";
 import { healGuardianBindingDrift } from "../guardian-vellum-migration.js";
@@ -422,8 +424,18 @@ export function handleListMessages(
   // pendingToolUses map — otherwise they render as "Unknown" tool calls.
   const mergedMessages = mergeToolResultsIntoAssistantMessages(rawMessages);
 
+  // During streaming, all assistant turns within one agent loop accumulate
+  // on a single client-side ChatMessage (via currentAssistantMessageId).
+  // In the DB, each API turn is a separate assistant row because
+  // consolidation is deferred to compaction for prefix-cache stability.
+  // Merge consecutive assistant messages here at query time so
+  // renderHistoryContent produces the same contentOrder shape as streaming
+  // (consecutive tool refs grouped together).
+  const { messages: consolidatedMessages, mergedIdMap } =
+    mergeConsecutiveAssistantMessages(mergedMessages);
+
   // Parse content blocks and extract text + tool calls
-  const parsed = mergedMessages.map((msg) => {
+  const parsed = consolidatedMessages.map((msg) => {
     let content: unknown;
     try {
       content = JSON.parse(msg.content);
@@ -548,7 +560,13 @@ export function handleListMessages(
       // blobs for non-image attachments (documents, audio). Then
       // selectively fetch full data only for images so the client can
       // generate thumbnails for inline display on history restore.
-      const linked = attachmentsStore.getAttachmentMetadataForMessage(m.id);
+      // Also query attachments for any messages that were merged into
+      // this one (consecutive assistant merge), so their attachments
+      // aren't lost before DB compaction relinks them.
+      const idsToQuery = [m.id, ...(mergedIdMap.get(m.id) ?? [])];
+      const linked = idsToQuery.flatMap((id) =>
+        attachmentsStore.getAttachmentMetadataForMessage(id),
+      );
       if (linked.length > 0) {
         msgAttachments = linked.map((a) => {
           if (a.mimeType.startsWith("image/")) {
@@ -793,14 +811,158 @@ function mergeToolResultsIntoAssistantMessages(
   return result;
 }
 
+// ── Consecutive assistant message merging ────────────────────────────
+
+/** Parse a message's JSON content into an array of content blocks. */
+function parseContentBlocks(content: string): unknown[] {
+  try {
+    const parsed = JSON.parse(content);
+    return Array.isArray(parsed) ? parsed : [parsed];
+  } catch (err) {
+    log.warn(
+      { err },
+      "Failed to parse content blocks during assistant message merge",
+    );
+    return [];
+  }
+}
+
+/**
+ * Append content blocks from a donor message onto a target block array.
+ * Parses the donor's JSON content and pushes each block into `target`.
+ */
+function appendContentBlocks(target: unknown[], donorContent: string): void {
+  try {
+    const parsed = JSON.parse(donorContent);
+    if (Array.isArray(parsed)) {
+      target.push(...parsed);
+    } else {
+      target.push(parsed);
+    }
+  } catch (err) {
+    log.warn(
+      { err },
+      "Failed to parse donor content blocks during assistant message merge",
+    );
+  }
+}
+
+/**
+ * Promote metadata fields from a donor message to the surviving message
+ * when the survivor lacks them. Currently promotes `subagentNotification`.
+ * Returns a new MessageRow if promotion occurred, otherwise the original.
+ */
+function promoteMetadata(survivor: MessageRow, donor: MessageRow): MessageRow {
+  if (donor.metadata && survivor.metadata) {
+    try {
+      const survivorMeta = JSON.parse(survivor.metadata);
+      const donorMeta = JSON.parse(donor.metadata);
+      if (
+        !survivorMeta.subagentNotification &&
+        donorMeta.subagentNotification
+      ) {
+        survivorMeta.subagentNotification = donorMeta.subagentNotification;
+        return { ...survivor, metadata: JSON.stringify(survivorMeta) };
+      }
+    } catch (err) {
+      log.warn(
+        { err },
+        "Failed to parse metadata during assistant message merge",
+      );
+    }
+  } else if (donor.metadata && !survivor.metadata) {
+    return { ...survivor, metadata: donor.metadata };
+  }
+  return survivor;
+}
+
+/**
+ * Merge consecutive assistant messages into a single message at query time.
+ *
+ * During streaming, all assistant turns within one agent loop accumulate on
+ * a single client-side ChatMessage. In the DB, each API turn is stored as a
+ * separate assistant row (consolidation is deferred to compaction for
+ * prefix-cache stability). This produces N separate assistant messages that
+ * the client renders as N individual bubbles — each showing "Completed 1
+ * step" instead of one grouped "Completed N steps" accordion.
+ *
+ * This function concatenates the content block arrays of consecutive
+ * assistant messages (no intervening user messages after tool-result
+ * merging) into the first message of each run. The merged messages are
+ * removed from the output. This is query-time only — the DB is not
+ * modified.
+ *
+ * The first message in each run keeps its id, createdAt, and metadata so
+ * that attachment lookups, display timestamps, and subagent notifications
+ * continue to work. Metadata from later messages in the run (e.g.
+ * subagentNotification) is preserved by promoting it to the surviving
+ * message when the surviving message has no metadata of its own for that
+ * field.
+ */
+function mergeConsecutiveAssistantMessages(messages: MessageRow[]): {
+  messages: MessageRow[];
+  /** Maps each surviving message ID → all original message IDs merged into it. */
+  mergedIdMap: Map<string, string[]>;
+} {
+  const result: MessageRow[] = [];
+  // Key = index in `result`, value = accumulated content blocks.
+  const pendingMerges = new Map<number, unknown[]>();
+  // Key = index in `result`, value = IDs of messages merged into the target.
+  const mergedIds = new Map<number, string[]>();
+
+  for (const msg of messages) {
+    const lastIdx = result.length - 1;
+    const isConsecutiveAssistant =
+      msg.role === "assistant" &&
+      lastIdx >= 0 &&
+      result[lastIdx].role === "assistant";
+
+    if (!isConsecutiveAssistant) {
+      result.push(msg);
+      continue;
+    }
+
+    // Track the donor message ID.
+    let ids = mergedIds.get(lastIdx);
+    if (!ids) {
+      ids = [];
+      mergedIds.set(lastIdx, ids);
+    }
+    ids.push(msg.id);
+
+    // Lazily parse the target's content on first merge.
+    let targetContent = pendingMerges.get(lastIdx);
+    if (!targetContent) {
+      targetContent = parseContentBlocks(result[lastIdx].content);
+      pendingMerges.set(lastIdx, targetContent);
+    }
+
+    appendContentBlocks(targetContent, msg.content);
+    result[lastIdx] = promoteMetadata(result[lastIdx], msg);
+  }
+
+  // Write back merged content for any messages that were targets.
+  for (const [idx, content] of pendingMerges) {
+    result[idx] = { ...result[idx], content: JSON.stringify(content) };
+  }
+
+  // Build the merged ID map keyed by surviving message ID.
+  const mergedIdMap = new Map<string, string[]>();
+  for (const [idx, ids] of mergedIds) {
+    mergedIdMap.set(result[idx].id, ids);
+  }
+
+  return { messages: result, mergedIdMap };
+}
+
 /**
  * Build an `onEvent` callback that publishes every outbound event to the
  * assistant event hub, maintaining ordered delivery through a serial chain.
  *
  * Also registers pending interactions when confirmation_request,
- * secret_request, host_bash_request, or host_file_request events flow
- * through, so standalone approval/result endpoints can look up the conversation
- * by requestId.
+ * secret_request, host_bash_request, host_browser_request, host_file_request,
+ * or host_cu_request events flow through, so standalone approval/result
+ * endpoints can look up the conversation by requestId.
  */
 function makeHubPublisher(
   deps: SendMessageDeps,
@@ -892,6 +1054,12 @@ function makeHubPublisher(
         conversationId,
         kind: "host_bash",
       });
+    } else if (msg.type === "host_browser_request") {
+      pendingInteractions.register(msg.requestId, {
+        conversation,
+        conversationId,
+        kind: "host_browser",
+      });
     } else if (msg.type === "host_file_request") {
       pendingInteractions.register(msg.requestId, {
         conversation,
@@ -1058,18 +1226,21 @@ export async function handleSendMessage(
 
   // Build transport metadata from the request so the daemon can inject
   // host environment hints (home directory, username) into the LLM context.
-  const transport =
-    sourceInterface === "macos"
-      ? ({
-          channelId: sourceChannel,
-          interfaceId: "macos" as const,
-          hostHomeDir: body.hostHomeDir,
-          hostUsername: body.hostUsername,
-        } satisfies MacosTransportMetadata)
-      : ({
-          channelId: sourceChannel,
-          interfaceId: sourceInterface,
-        } satisfies NonMacosTransportMetadata);
+  // The `supportsHostProxy` type predicate narrows `sourceInterface` to
+  // `HostProxyInterfaceId` in the truthy branch, which is exactly the
+  // discriminant the `HostProxyTransportMetadata` variant expects — so the
+  // construction site stays in lock-step with the runtime capability gate.
+  const transport = supportsHostProxy(sourceInterface)
+    ? ({
+        channelId: sourceChannel,
+        interfaceId: sourceInterface,
+        hostHomeDir: body.hostHomeDir,
+        hostUsername: body.hostUsername,
+      } satisfies HostProxyTransportMetadata)
+    : ({
+        channelId: sourceChannel,
+        interfaceId: sourceInterface,
+      } satisfies NonHostProxyTransportMetadata);
 
   const conversation = await smDeps.getOrCreateConversation(
     mapping.conversationId,
@@ -1139,12 +1310,13 @@ export async function handleSendMessage(
     conversation,
   );
   const isInteractive = isInteractiveInterface(sourceInterface);
-  // Only create the host bash proxy for desktop client interfaces that can
-  // execute commands on the user's machine. Non-desktop conversations (CLI,
-  // channels, headless) fall back to local execution.
+  // Only create each host proxy for interfaces that support the matching
+  // capability. macOS supports all four; the chrome-extension interface only
+  // supports host_browser. Non-desktop conversations (CLI, channels, headless)
+  // fall back to local execution.
   // Set the proxy BEFORE updateClient so updateClient's call to
   // hostBashProxy.updateSender targets the correct (new) proxy.
-  if (supportsHostProxy(sourceInterface)) {
+  if (supportsHostProxy(sourceInterface, "host_bash")) {
     // Reuse the existing proxy if the conversation is actively processing a
     // host bash request to avoid orphaning in-flight requests.
     if (!conversation.isProcessing() || !conversation.hostBashProxy) {
@@ -1153,12 +1325,92 @@ export async function handleSendMessage(
       });
       conversation.setHostBashProxy(proxy);
     }
+  } else if (!conversation.isProcessing()) {
+    conversation.setHostBashProxy(undefined);
+  }
+  // For the chrome-extension interface we route host_browser_request /
+  // host_browser_cancel frames through the in-process ChromeExtensionRegistry
+  // to the WebSocket opened against /v1/browser-relay by the connected
+  // extension, instead of the SSE/onEvent hub used by macOS. The registry
+  // lookup is keyed by the JWT-derived actor principal id, which the
+  // runtime captured at WebSocket upgrade time.
+  //
+  // A single guardian may have multiple parallel extension installs
+  // connected at once (two Chrome profiles, two desktops). The registry
+  // tracks them under (guardianId, clientInstanceId) pairs and the
+  // default `send(guardianId, msg)` path routes to whichever instance
+  // has the most recent activity — typically the one the user is
+  // currently driving. Pinning to a specific instance can be done via
+  // `sendToInstance` if a caller ever needs it.
+  //
+  // macOS (and any other interface that supports host_browser in the
+  // future via the SSE hub) keeps using `onEvent` — see the else branch.
+  const browserProxySendToClient: (msg: ServerMessage) => void =
+    sourceInterface === "chrome-extension"
+      ? (msg) => {
+          // Resolve the guardian principal id at send time rather than
+          // capturing it from the POST-time authContext. This closure can be
+          // re-fired on queue drain — if a different actor's POST lands while
+          // the queue is still draining an earlier turn, a captured
+          // authContext.actorPrincipalId would mis-route the earlier turn's
+          // host_browser frames to the *new* actor. Preferring
+          // conversation.trustContext?.guardianPrincipalId makes the routing
+          // follow the conversation's bound guardian, which is stable across
+          // subsequent POSTs. Falls back to the per-POST authContext for
+          // turns that haven't been bound to a trust context yet.
+          const gid =
+            conversation.trustContext?.guardianPrincipalId ??
+            authContext.actorPrincipalId;
+          if (!gid) {
+            // No guardian identity on this turn — nothing to route to.
+            // The proxy will observe this via its try/catch and surface a
+            // transport error back to the caller.
+            throw new Error(
+              "chrome-extension host_browser send skipped: no guardianId on AuthContext",
+            );
+          }
+          const ok = getChromeExtensionRegistry().send(gid, msg);
+          if (!ok) {
+            throw new Error(
+              `chrome-extension host_browser send failed: no active connection for guardian ${gid}`,
+            );
+          }
+        }
+      : onEvent;
+  // Stash the registry-routed sender on the conversation so queue-drain
+  // restores (which run outside of conversation-routes.ts and only have
+  // access to `sendToClient`) can preserve it when calling
+  // `restoreBrowserProxyAvailability()`. For non-chrome-extension
+  // interfaces the override is cleared so the SSE hub sender is used.
+  if (sourceInterface === "chrome-extension") {
+    conversation.hostBrowserSenderOverride = browserProxySendToClient;
+  } else {
+    conversation.hostBrowserSenderOverride = undefined;
+  }
+  if (supportsHostProxy(sourceInterface, "host_browser")) {
+    if (!conversation.isProcessing() || !conversation.hostBrowserProxy) {
+      const browserProxy = new HostBrowserProxy(
+        browserProxySendToClient,
+        (requestId) => {
+          pendingInteractions.resolve(requestId);
+        },
+      );
+      conversation.setHostBrowserProxy(browserProxy);
+    }
+  } else if (!conversation.isProcessing()) {
+    conversation.setHostBrowserProxy(undefined);
+  }
+  if (supportsHostProxy(sourceInterface, "host_file")) {
     if (!conversation.isProcessing() || !conversation.hostFileProxy) {
       const fileProxy = new HostFileProxy(onEvent, (requestId) => {
         pendingInteractions.resolve(requestId);
       });
       conversation.setHostFileProxy(fileProxy);
     }
+  } else if (!conversation.isProcessing()) {
+    conversation.setHostFileProxy(undefined);
+  }
+  if (supportsHostProxy(sourceInterface, "host_cu")) {
     if (!conversation.isProcessing() || !conversation.hostCuProxy) {
       const cuProxy = new HostCuProxy(onEvent, (requestId) => {
         pendingInteractions.resolve(requestId);
@@ -1172,19 +1424,41 @@ export async function handleSendMessage(
       conversation.addPreactivatedSkillId("computer-use");
     }
   } else if (!conversation.isProcessing()) {
-    conversation.setHostBashProxy(undefined);
-    conversation.setHostFileProxy(undefined);
     conversation.setHostCuProxy(undefined);
   }
   // Wire sendToClient to the SSE hub so all subsystems can reach the HTTP client.
   // Called after setHostBashProxy so updateSender targets the current proxy.
   // When proxies are preserved during an active turn (non-desktop request while
-  // processing), skip updating proxy senders to avoid degrading them.
+  // processing), skip updating proxy senders to avoid degrading them. The gate
+  // matches the host_bash capability because the legacy "reject send during
+  // host bash" flow is what this is really protecting.
   const preservingProxies =
-    conversation.isProcessing() && !supportsHostProxy(sourceInterface);
+    conversation.isProcessing() &&
+    !supportsHostProxy(sourceInterface, "host_bash");
+  // hasNoClient must remain `!isInteractive` so downstream tool gating
+  // (`isToolActiveForContext` for HOST_TOOL_NAMES, `createToolExecutor`'s
+  // `isInteractive: !ctx.hasNoClient`) keeps host_bash/host_file/host_cu
+  // tools gated for non-desktop interfaces. The chrome-extension interface
+  // is non-interactive (no SSE prompter UI) but still has a connected client
+  // that can service host_browser_request events; we restore that single
+  // proxy explicitly below without relaxing `hasNoClient`.
   conversation.updateClient(onEvent, !isInteractive, {
     skipProxySenderUpdate: preservingProxies,
   });
+  // For non-interactive interfaces that DO support host_browser
+  // (chrome-extension), explicitly re-enable just the browser proxy. The
+  // helper bypasses the `hasNoClient` gate so the single-capability
+  // chrome-extension turn can drive the browser via CDP without leaking
+  // host_bash/host_file tool availability into tool gating.
+  //
+  // `restoreBrowserProxyAvailability()` reads `hostBrowserSenderOverride`
+  // (set above for chrome-extension) and applies the registry-routed
+  // sender, so the chrome-extension path gets the correct sender here
+  // — including after queue-drain restores run from conversation-process.ts,
+  // which only have access to the conversation instance.
+  if (supportsHostProxy(sourceInterface, "host_browser")) {
+    conversation.restoreBrowserProxyAvailability?.();
+  }
 
   // ── Canned first-greeting fast path ──
   // On a completely fresh workspace, skip LLM inference for the macOS

package/src/runtime/routes/conversation-starter-routes.ts

@@ -4,13 +4,17 @@
  * GET /v1/conversation-starters — list conversation starters (chips)
  */
 
-import { and, desc, eq, inArray, like } from "drizzle-orm";
+import { and, desc, eq, inArray, sql } from "drizzle-orm";
 import { z } from "zod";
 
 import { getDb } from "../../memory/db.js";
 import { enqueueMemoryJob } from "../../memory/jobs-store.js";
 import { rawGet } from "../../memory/raw-query.js";
-import { conversationStarters, memoryJobs } from "../../memory/schema.js";
+import {
+  conversationStarters,
+  memoryCheckpoints,
+  memoryJobs,
+} from "../../memory/schema.js";
 import type { RouteDefinition } from "../http-router.js";
 
 // ---------------------------------------------------------------------------
@@ -26,6 +30,39 @@ interface StarterItem {
   batch: number;
 }
 
+const CK_ITEM_COUNT = "conversation_starters:item_count_at_last_gen";
+const CK_LAST_GEN_AT = "conversation_starters:last_gen_at";
+export const CONVERSATION_STARTERS_STALE_TTL_MS = 24 * 60 * 60 * 1000;
+
+function checkpointKey(base: string, scopeId: string): string {
+  return `${base}:${scopeId}`;
+}
+
+function parseCheckpointInt(value: string | undefined): number | null {
+  if (!value) return null;
+  const parsed = Number.parseInt(value, 10);
+  return Number.isFinite(parsed) ? parsed : null;
+}
+
+function hasActiveConversationStarterJob(
+  db: ReturnType<typeof getDb>,
+  scopeId: string,
+): boolean {
+  return (
+    db
+      .select({ id: memoryJobs.id })
+      .from(memoryJobs)
+      .where(
+        and(
+          eq(memoryJobs.type, "generate_conversation_starters"),
+          inArray(memoryJobs.status, ["pending", "running"]),
+          sql`json_extract(${memoryJobs.payload}, '$.scopeId') = ${scopeId}`,
+        ),
+      )
+      .get() != null
+  );
+}
+
 /**
  * Re-order starters so adjacent items have distinct categories wherever
  * possible. Within each category, preserve the original (batch-desc) order.
@@ -150,14 +187,47 @@ function handleListConversationStarters(url: URL): Response {
 
   const total = allItems.length;
 
-  // If starters exist, reorder for category diversity then paginate.
+  // If starters exist, return them immediately. If the batch is stale or
+  // the generation checkpoint is ahead of the current active memory count,
+  // kick off a background refresh but keep the existing chips visible.
   if (total > 0) {
+    const totalActive =
+      rawGet<{ c: number }>(
+        `SELECT COUNT(*) AS c FROM memory_graph_nodes WHERE fidelity != 'gone' AND scope_id = ?`,
+        scopeId,
+      )?.c ?? 0;
+    const lastCount = parseCheckpointInt(
+      db
+        .select({ value: memoryCheckpoints.value })
+        .from(memoryCheckpoints)
+        .where(eq(memoryCheckpoints.key, checkpointKey(CK_ITEM_COUNT, scopeId)))
+        .get()?.value,
+    );
+    const lastGenAt = parseCheckpointInt(
+      db
+        .select({ value: memoryCheckpoints.value })
+        .from(memoryCheckpoints)
+        .where(eq(memoryCheckpoints.key, checkpointKey(CK_LAST_GEN_AT, scopeId)))
+        .get()?.value,
+    );
+    const staleByAge =
+      lastGenAt == null ||
+      Date.now() - lastGenAt >= CONVERSATION_STARTERS_STALE_TTL_MS;
+    const checkpointAhead = lastCount != null && totalActive < lastCount;
+    let hasActiveJob = hasActiveConversationStarterJob(db, scopeId);
+    const shouldRefresh = staleByAge || checkpointAhead;
+
+    if (shouldRefresh && !hasActiveJob) {
+      enqueueMemoryJob("generate_conversation_starters", { scopeId });
+      hasActiveJob = true;
+    }
+
     const ordered = orderStrongestFirst(allItems);
     const page = ordered.slice(offsetParam, offsetParam + limitParam);
     return Response.json({
       starters: page,
       total,
-      status: "ready",
+      status: hasActiveJob ? "refreshing" : "ready",
     });
   }
 
@@ -172,17 +242,7 @@ function handleListConversationStarters(url: URL): Response {
   }
 
   // Memory items exist but no starters yet — ensure a generation job is queued.
-  const existing = db
-    .select({ id: memoryJobs.id })
-    .from(memoryJobs)
-    .where(
-      and(
-        eq(memoryJobs.type, "generate_conversation_starters"),
-        inArray(memoryJobs.status, ["pending", "running"]),
-        like(memoryJobs.payload, `%"scopeId":"${scopeId}"%`),
-      ),
-    )
-    .get();
+  const existing = hasActiveConversationStarterJob(db, scopeId);
 
   if (!existing) {
     enqueueMemoryJob("generate_conversation_starters", { scopeId });
@@ -227,7 +287,9 @@ export function conversationStarterRouteDefinitions(): RouteDefinition[] {
           .array(z.unknown())
           .describe("Ordered list of starter chips"),
         total: z.number().int().describe("Total number of available starters"),
-        status: z.string().describe("One of: ready, empty, generating"),
+        status: z
+          .enum(["ready", "refreshing", "empty", "generating"])
+          .describe("One of: ready, refreshing, empty, generating"),
       }),
     },
   ];

package/src/runtime/routes/guardian-action-routes.ts

@@ -19,13 +19,14 @@ import {
   type CanonicalGuardianRequest,
   listPendingRequestsByConversationScope,
 } from "../../memory/canonical-guardian-store.js";
+import { isPermissionControlsV2Enabled } from "../../permissions/v2-consent-policy.js";
 import { requireBoundGuardian } from "../auth/require-bound-guardian.js";
 import type { AuthContext } from "../auth/types.js";
 import { processGuardianDecision } from "../guardian-action-service.js";
 import type { GuardianDecisionPrompt } from "../guardian-decision-types.js";
 import {
   buildDecisionActions,
-  GUARDIAN_DECISION_ACTIONS,
+  buildOneTimeDecisionActions,
 } from "../guardian-decision-types.js";
 import { httpError } from "../http-errors.js";
 import type { RouteDefinition } from "../http-router.js";
@@ -98,6 +99,18 @@ export async function handleGuardianActionDecision(
     return httpError("BAD_REQUEST", "action is required", 400);
   }
 
+  if (
+    isPermissionControlsV2Enabled() &&
+    action !== "approve_once" &&
+    action !== "reject"
+  ) {
+    return httpError(
+      "FORBIDDEN",
+      "permission-controls-v2 only accepts approve_once or reject for guardian actions",
+      403,
+    );
+  }
+
   // Resolve the actor's guardian principal ID. For JWT-verified actors this
   // comes from the token claims. For dev bypass (HTTP auth disabled) the
   // synthetic "dev-bypass" principal won't match the real guardian binding,
@@ -193,15 +206,17 @@ export function listGuardianDecisionPrompts(params: {
  * Map a canonical guardian request to the client-facing prompt format.
  *
  * Generates kind-specific questionText and action sets:
- * - `tool_approval`: temporal modes (approve_once, approve_10m, approve_conversation) + reject
+ * - `tool_approval`: temporal modes (approve_once, approve_10m, approve_conversation) + reject in legacy mode,
+ *   approve_once + reject only under v2
  * - `pending_question`: approve_once + reject only
  * - `access_request`: approve_once + reject only, with text fallback instructions
  *   (request code + "open invite flow")
  * - `tool_grant_request`: approve_once + reject only
  *
- * Only `tool_approval` receives temporal modes because time-scoped grants
- * are meaningful only for tool execution. All other kinds get a simple
- * approve_once/reject pair.
+ * Under permission-controls-v2 we collapse all deterministic guardian action
+ * prompts to approve_once + reject only. Outside v2, only `tool_approval`
+ * receives temporal modes because time-scoped grants are meaningful only for
+ * tool execution.
  */
 function mapCanonicalRequestToPrompt(
   req: CanonicalGuardianRequest,
@@ -209,15 +224,11 @@ function mapCanonicalRequestToPrompt(
 ): GuardianDecisionPrompt {
   const questionText = buildKindAwareQuestionText(req);
 
-  // Only tool_approval gets temporal modes (approve_10m, approve_conversation);
-  // all other kinds get a simple approve_once + reject pair.
-  const actions =
-    req.kind === "tool_approval"
+  const actions = isPermissionControlsV2Enabled()
+    ? buildOneTimeDecisionActions()
+    : req.kind === "tool_approval"
       ? buildDecisionActions({ forGuardianOnBehalf: true })
-      : [
-          GUARDIAN_DECISION_ACTIONS.approve_once,
-          GUARDIAN_DECISION_ACTIONS.reject,
-        ];
+      : buildOneTimeDecisionActions();
 
   const expiresAt = req.expiresAt
     ? new Date(req.expiresAt).getTime()