@vellumai/assistant 0.6.4 → 0.6.6

package/src/tools/registry.ts

@@ -16,6 +16,48 @@ const log = getLogger("tool-registry");
 
 const tools = new Map<string, Tool>();
 
+// ── External tool registry ───────────────────────────────────────────
+// Skills register their tools here at initialization time so the tool
+// manifest can include them without importing from `../skills/`.
+//
+// Each registration is stored as a provider closure. Closures are
+// resolved at `getExternalTools()` time (which `initializeTools()`
+// calls), not at registration time — this lets a skill defer its
+// feature-flag check until after the daemon has run
+// `mergeDefaultWorkspaceConfig()`, so skills see the merged config
+// instead of forcing an early `loadConfig()` against unmerged defaults.
+const externalToolProviders: Array<() => Tool[]> = [];
+
+/**
+ * Register tools provided by an external skill. Called during skill
+ * initialization (e.g. meet-join bootstrap).
+ *
+ * Accepts either a concrete `Tool[]` (resolved eagerly at the caller)
+ * or a `() => Tool[]` closure (resolved lazily inside
+ * `getExternalTools()`). Skills that perform feature-flag or config
+ * reads to decide which tools to surface must pass a closure so the
+ * read happens after daemon-startup config merging.
+ *
+ * Lives in registry.ts (not tool-manifest.ts) to avoid a circular
+ * dependency: skills/load.ts → … → meet-join/register.ts → tool-manifest.ts
+ * → skills/load.ts. Keeping it here lets external skill bootstraps import
+ * from registry.ts, which is already a leaf in the dependency graph.
+ */
+export function registerExternalTools(
+  toolsOrProvider: Tool[] | (() => Tool[]),
+): void {
+  const provider =
+    typeof toolsOrProvider === "function"
+      ? toolsOrProvider
+      : () => toolsOrProvider;
+  externalToolProviders.push(provider);
+}
+
+/** Return all externally registered tools. */
+export function getExternalTools(): Tool[] {
+  return externalToolProviders.flatMap((provider) => provider());
+}
+
 // Snapshot of core tools captured after initializeTools() completes.
 // Used by __resetRegistryForTesting() to restore eager tools that cannot
 // be re-registered because ESM import caching prevents side effects
@@ -26,6 +68,12 @@ let coreToolsSnapshot: Map<string, Tool> | null = null;
 // Tools are only removed from the global registry when this drops to 0.
 const skillRefCount = new Map<string, number>();
 
+// Plugin-tool refcount lives in its own namespace so plugin and skill IDs
+// cannot collide in the ref map even if a plugin's `manifest.name` happens to
+// match a skill id. Conflict detection on `tools` (keyed by tool name) is
+// separate and covers the case of two extensions choosing the same tool name.
+const pluginRefCount = new Map<string, number>();
+
 export function registerTool(tool: Tool): void {
   const existing = tools.get(tool.name);
   if (existing) {
@@ -66,10 +114,22 @@ export function registerSkillTools(newTools: Tool[]): Tool[] {
         );
         continue;
       }
-      // Existing is also a skill tool - only allow replacement from the same owner.
-      if (existing.ownerSkillId !== tool.ownerSkillId) {
+      // Existing is from a different origin (plugin/mcp) or a different
+      // skill — skill tools can only replace themselves (hot-reload).
+      if (
+        existing.origin !== "skill" ||
+        existing.ownerSkillId !== tool.ownerSkillId
+      ) {
+        const owner =
+          existing.origin === "skill"
+            ? `skill "${existing.ownerSkillId}"`
+            : existing.origin === "plugin"
+              ? `plugin "${existing.ownerPluginId}"`
+              : existing.origin === "mcp"
+                ? `MCP server "${existing.ownerMcpServerId}"`
+                : `${existing.origin ?? "unknown"}-origin tool`;
         throw new Error(
-          `Skill tool "${tool.name}" is already registered by skill "${existing.ownerSkillId}"`,
+          `Skill tool "${tool.name}" is already registered by ${owner}`,
         );
       }
     }
@@ -94,6 +154,111 @@ export function registerSkillTools(newTools: Tool[]): Tool[] {
   return accepted;
 }
 
+/**
+ * Register tools contributed by a plugin. Stamps `origin: "plugin"` and
+ * `ownerPluginId: pluginName` on every incoming tool so plugin ownership is
+ * tracked in a namespace disjoint from skill tools — if a plugin's
+ * `manifest.name` happens to match a skill id, the two do not share refcount
+ * state or conflict-detection paths.
+ *
+ * Conflict handling mirrors {@link registerSkillTools}: collisions with core
+ * tools log a warning and skip; collisions with tools owned by a different
+ * plugin, skill, or MCP server throw; re-registering the same plugin's own
+ * tool (hot reload) is allowed.
+ *
+ * The stamp is authoritative: any pre-existing `origin` / `ownerPluginId` /
+ * `ownerSkillId` / `ownerMcpServerId` fields on the incoming tools are
+ * overwritten so the bootstrap cannot be spoofed into claiming tools on
+ * behalf of an unrelated extension.
+ */
+export function registerPluginTools(
+  pluginName: string,
+  newTools: Tool[],
+): Tool[] {
+  const stamped: Tool[] = newTools.map((tool) => ({
+    ...tool,
+    origin: "plugin" as const,
+    ownerPluginId: pluginName,
+    ownerSkillId: undefined,
+    ownerMcpServerId: undefined,
+  }));
+
+  const accepted: Tool[] = [];
+  for (const tool of stamped) {
+    const existing = tools.get(tool.name);
+    if (existing) {
+      const existingIsCore = existing.origin === "core" || !existing.origin;
+      if (existingIsCore) {
+        log.warn(
+          { toolName: tool.name, pluginName },
+          `Plugin "${pluginName}" tried to register tool "${tool.name}" which conflicts with a core tool. Skipping.`,
+        );
+        continue;
+      }
+      if (existing.origin === "plugin") {
+        if (existing.ownerPluginId !== pluginName) {
+          throw new Error(
+            `Plugin tool "${tool.name}" is already registered by plugin "${existing.ownerPluginId}"`,
+          );
+        }
+        // Same plugin re-registering its own tool (hot reload) — allow.
+      } else {
+        // Conflict with a skill or MCP-owned tool.
+        throw new Error(
+          `Plugin "${pluginName}" tried to register tool "${tool.name}" which conflicts with a ${existing.origin}-origin tool`,
+        );
+      }
+    }
+    accepted.push(tool);
+  }
+
+  for (const tool of accepted) {
+    tools.set(tool.name, tool);
+    log.info(
+      { name: tool.name, ownerPluginId: tool.ownerPluginId },
+      "Plugin tool registered",
+    );
+  }
+
+  if (accepted.length > 0) {
+    pluginRefCount.set(pluginName, (pluginRefCount.get(pluginName) ?? 0) + 1);
+  }
+
+  return accepted;
+}
+
+/**
+ * Decrement the reference count for a plugin and remove its tools only when
+ * no more references remain. Safe to call when the plugin never contributed
+ * tools (no-op).
+ */
+export function unregisterPluginTools(pluginName: string): void {
+  const current = pluginRefCount.get(pluginName) ?? 0;
+  if (current > 1) {
+    pluginRefCount.set(pluginName, current - 1);
+    log.info(
+      { pluginName, remaining: current - 1 },
+      "Decremented plugin ref count, tools kept",
+    );
+    return;
+  }
+
+  pluginRefCount.delete(pluginName);
+  for (const [name, tool] of tools) {
+    if (tool.origin === "plugin" && tool.ownerPluginId === pluginName) {
+      tools.delete(name);
+      log.info({ name, pluginName }, "Plugin tool unregistered");
+    }
+  }
+}
+
+/**
+ * Return the current reference count for a plugin's tools. Exposed for testing.
+ */
+export function getPluginRefCount(pluginName: string): number {
+  return pluginRefCount.get(pluginName) ?? 0;
+}
+
 /**
  * Decrement the reference count for a skill and remove its tools only when
  * no more sessions reference them.
@@ -148,6 +313,17 @@ export function registerMcpTools(newTools: Tool[]): Tool[] {
         );
         continue;
       }
+      if (existing.origin === "plugin") {
+        log.warn(
+          {
+            toolName: tool.name,
+            serverId: tool.ownerMcpServerId,
+            pluginName: existing.ownerPluginId,
+          },
+          `MCP server "${tool.ownerMcpServerId}" tried to register tool "${tool.name}" which conflicts with plugin tool from "${existing.ownerPluginId}". Skipping.`,
+        );
+        continue;
+      }
       if (
         existing.origin === "mcp" &&
         existing.ownerMcpServerId !== tool.ownerMcpServerId
@@ -245,6 +421,15 @@ export async function initializeTools(): Promise<void> {
     registerTool(tool);
   }
 
+  // External skill tools — registered by skill bootstrap modules via
+  // `registerExternalTools()`. Called at init time (not spread into
+  // `explicitTools`) so registrations that happen between module-load
+  // and `initializeTools()` are picked up.
+  const extTools = getExternalTools();
+  for (const tool of extTools) {
+    registerTool(tool);
+  }
+
   // Host tools are registered explicitly so host access stays opt-in until
   // this point in startup, rather than as module side effects.
   const hostTools = [
@@ -272,13 +457,14 @@ export async function initializeTools(): Promise<void> {
   // arbitrary test tools that were registered before init.
   //
   // A pre-existing tool is included only if it is a known manifest tool
-  // (declared in eagerModuleToolNames, explicitTools, or hostTools).
-  // This handles ESM cache hits where eager-module tools are already in
-  // the registry before init ran.
+  // (declared in eagerModuleToolNames, explicitTools, hostTools, or any
+  // registered external skill tool).  This handles ESM cache hits where
+  // eager-module tools are already in the registry before init ran.
   if (!coreToolsSnapshot) {
     const manifestToolNames = new Set<string>([
       ...eagerModuleToolNames,
       ...explicitTools.map((t: Tool) => t.name),
+      ...extTools.map((t: Tool) => t.name),
       ...hostTools.map((t: Tool) => t.name),
       ...cesTools.map((t: Tool) => t.name),
       ...allComputerUseTools.map((t: Tool) => t.name),
@@ -289,6 +475,7 @@ export async function initializeTools(): Promise<void> {
     coreToolsSnapshot = new Map<string, Tool>();
     for (const [name, tool] of tools) {
       if (tool.origin === "skill") continue;
+      if (tool.origin === "plugin") continue;
       // Exclude pre-existing tools not declared in the manifest
       if (preExisting.has(name) && !manifestToolNames.has(name)) continue;
       coreToolsSnapshot.set(name, tool);
@@ -311,6 +498,7 @@ export async function initializeTools(): Promise<void> {
 export function __resetRegistryForTesting(): void {
   tools.clear();
   skillRefCount.clear();
+  pluginRefCount.clear();
 
   if (coreToolsSnapshot) {
     for (const [name, tool] of coreToolsSnapshot) {
@@ -327,4 +515,5 @@ export function __resetRegistryForTesting(): void {
 export function __clearRegistryForTesting(): void {
   tools.clear();
   skillRefCount.clear();
+  pluginRefCount.clear();
 }

package/src/tools/schedule/create.ts

@@ -13,7 +13,7 @@ import {
 } from "../../schedule/schedule-store.js";
 import type { ToolContext, ToolExecutionResult } from "../types.js";
 
-const VALID_MODES: ScheduleMode[] = ["notify", "execute"];
+const VALID_MODES: ScheduleMode[] = ["notify", "execute", "script"];
 const VALID_ROUTING_INTENTS: RoutingIntent[] = [
   "single_channel",
   "multi_channel",
@@ -33,7 +33,8 @@ export async function executeScheduleCreate(
   }
   const name = input.name as string;
   const timezone = (input.timezone as string) ?? null;
-  const message = input.message as string;
+  const message = (input.message as string) ?? "";
+  const script = (input.script as string) ?? null;
   const enabled = (input.enabled as boolean) ?? true;
   const fireAt = input.fire_at as string | undefined;
   const mode = (input.mode as ScheduleMode | undefined) ?? "execute";
@@ -50,12 +51,6 @@ export async function executeScheduleCreate(
       isError: true,
     };
   }
-  if (!message || typeof message !== "string") {
-    return {
-      content: "Error: message is required and must be a string",
-      isError: true,
-    };
-  }
 
   // Validate mode
   if (!VALID_MODES.includes(mode)) {
@@ -65,6 +60,24 @@ export async function executeScheduleCreate(
     };
   }
 
+  // Mode-specific field validation
+  if (mode === "script") {
+    if (!script || typeof script !== "string") {
+      return {
+        content:
+          "Error: script is required for script mode and must be a non-empty string",
+        isError: true,
+      };
+    }
+  } else {
+    if (!message || typeof message !== "string") {
+      return {
+        content: "Error: message is required and must be a string",
+        isError: true,
+      };
+    }
+  }
+
   // Validate routing_intent
   if (
     routingIntent !== undefined &&
@@ -107,6 +120,7 @@ export async function executeScheduleCreate(
         cronExpression: null,
         timezone,
         message,
+        script,
         enabled,
         syntax: "cron",
         expression: null,
@@ -185,6 +199,7 @@ export async function executeScheduleCreate(
       cronExpression: resolved.expression,
       timezone,
       message,
+      script,
       enabled,
       syntax: resolved.syntax,
       expression: resolved.expression,

package/src/tools/schedule/update.ts

@@ -16,7 +16,7 @@ import {
 } from "../../schedule/schedule-store.js";
 import type { ToolContext, ToolExecutionResult } from "../types.js";
 
-const VALID_MODES: ScheduleMode[] = ["notify", "execute"];
+const VALID_MODES: ScheduleMode[] = ["notify", "execute", "script"];
 const VALID_ROUTING_INTENTS: RoutingIntent[] = [
   "single_channel",
   "multi_channel",
@@ -66,6 +66,7 @@ export async function executeScheduleUpdate(
   if (input.name !== undefined) updates.name = input.name;
   if (input.timezone !== undefined) updates.timezone = input.timezone;
   if (input.message !== undefined) updates.message = input.message;
+  if (input.script !== undefined) updates.script = input.script;
   if (input.enabled !== undefined) updates.enabled = input.enabled;
 
   // Mode validation and pass-through
@@ -163,6 +164,7 @@ export async function executeScheduleUpdate(
         cronExpression?: string;
         timezone?: string | null;
         message?: string;
+        script?: string | null;
         enabled?: boolean;
         syntax?: ScheduleSyntax;
         expression?: string;

package/src/tools/secret-detection-handler.ts

@@ -1,5 +1,4 @@
 import { getConfig } from "../config/loader.js";
-import { getHookManager } from "../hooks/manager.js";
 import { PermissionPrompter } from "../permissions/prompter.js";
 import { RiskLevel } from "../permissions/types.js";
 import { isPermissionControlsV2Enabled } from "../permissions/v2-consent-policy.js";
@@ -46,10 +45,6 @@ export class SecretDetectionHandler {
       context: ToolContext,
       event: ToolLifecycleEvent,
     ) => void,
-    sanitizeToolInput: (
-      toolName: string,
-      input: Record<string, unknown>,
-    ) => Record<string, unknown>,
   ): Promise<{ result: ToolExecutionResult; earlyReturn: boolean }> {
     const sdConfig = getConfig().secretDetection;
     if (!sdConfig.enabled || execResult.isError) {
@@ -108,7 +103,6 @@ export class SecretDetectionHandler {
         decision,
         startTime,
         emitLifecycleEvent,
-        sanitizeToolInput,
       );
     }
 
@@ -124,7 +118,6 @@ export class SecretDetectionHandler {
         decision,
         startTime,
         emitLifecycleEvent,
-        sanitizeToolInput,
       );
     }
 
@@ -210,10 +203,6 @@ export class SecretDetectionHandler {
       context: ToolContext,
       event: ToolLifecycleEvent,
     ) => void,
-    sanitizeToolInput: (
-      toolName: string,
-      input: Record<string, unknown>,
-    ) => Record<string, unknown>,
   ): { result: ToolExecutionResult; earlyReturn: boolean } {
     const types = [...new Set(allMatches.map((m) => m.type))].join(", ");
     const blockedContent = `Tool output blocked: detected ${allMatches.length} potential secret(s) (${types}). Configure secretDetection.action to "redact" or "prompt" to allow output.`;
@@ -237,15 +226,6 @@ export class SecretDetectionHandler {
       result: blockedResult,
     });
 
-    void getHookManager().trigger("post-tool-execute", {
-      toolName: name,
-      input: sanitizeToolInput(name, input),
-      riskLevel,
-      isError: true,
-      durationMs,
-      conversationId: context.conversationId,
-    });
-
     return { result: blockedResult, earlyReturn: true };
   }
 
@@ -263,10 +243,6 @@ export class SecretDetectionHandler {
       context: ToolContext,
       event: ToolLifecycleEvent,
     ) => void,
-    sanitizeToolInput: (
-      toolName: string,
-      input: Record<string, unknown>,
-    ) => Record<string, unknown>,
   ): Promise<{ result: ToolExecutionResult; earlyReturn: boolean }> {
     const types = [...new Set(allMatches.map((m) => m.type))].join(", ");
 
@@ -288,15 +264,6 @@ export class SecretDetectionHandler {
         durationMs,
       });
 
-      void getHookManager().trigger("post-tool-execute", {
-        toolName: name,
-        input: sanitizeToolInput(name, input),
-        riskLevel,
-        isError: true,
-        durationMs,
-        conversationId: context.conversationId,
-      });
-
       return {
         result: { content: blockedContent, isError: true },
         earlyReturn: true,
@@ -322,15 +289,6 @@ export class SecretDetectionHandler {
         durationMs,
       });
 
-      void getHookManager().trigger("post-tool-execute", {
-        toolName: name,
-        input: sanitizeToolInput(name, input),
-        riskLevel,
-        isError: true,
-        durationMs,
-        conversationId: context.conversationId,
-      });
-
       return {
         result: { content: blockedContent, isError: true },
         earlyReturn: true,
@@ -389,15 +347,6 @@ export class SecretDetectionHandler {
         durationMs,
       });
 
-      void getHookManager().trigger("post-tool-execute", {
-        toolName: name,
-        input: sanitizeToolInput(name, input),
-        riskLevel,
-        isError: true,
-        durationMs,
-        conversationId: context.conversationId,
-      });
-
       return {
         result: { content: blockedContent, isError: true },
         earlyReturn: true,

package/src/tools/side-effects.ts

@@ -12,17 +12,6 @@ const SIDE_EFFECT_TOOLS: ReadonlySet<string> = new Set([
   "bash",
   "host_bash",
   "web_fetch",
-  "browser_navigate",
-  "browser_click",
-  "browser_type",
-  "browser_press_key",
-  "browser_scroll",
-  "browser_select_option",
-  "browser_hover",
-  "browser_close",
-  "browser_attach",
-  "browser_detach",
-  "browser_fill_credential",
   "document_create",
   "document_update",
   "schedule_create",

package/src/tools/skills/execute.ts

@@ -6,7 +6,7 @@ import type { Tool, ToolContext, ToolExecutionResult } from "../types.js";
 export class SkillExecuteTool implements Tool {
   name = "skill_execute";
   description =
-    "Execute a tool provided by a loaded skill. Use this instead of calling skill tools directly. The skill's instructions (from skill_load) describe available tools and their parameters.";
+    "Execute a tool provided by a loaded skill. Use this instead of calling skill tools directly. The skill's instructions (from skill_load) describe available tools and their parameters. For browser automation, use the `assistant browser` CLI commands instead.";
   category = "skills";
   defaultRiskLevel = RiskLevel.Low;
 
@@ -20,7 +20,7 @@ export class SkillExecuteTool implements Tool {
           tool: {
             type: "string",
             description:
-              "The skill tool name to execute (e.g. 'browser_navigate', 'task_create')",
+              "The skill tool name to execute (e.g. 'task_create', 'deploy_run')",
           },
           input: {
             type: "object",

package/src/tools/skills/sandbox-runner.ts

@@ -152,6 +152,7 @@ function spawnRunner(
       workingDir: context.workingDir,
       conversationId: context.conversationId,
     });
+    env.__CONVERSATION_ID = context.conversationId;
 
     const child = spawn(wrapped.command, wrapped.args, {
       cwd: runDir,
@@ -219,7 +220,8 @@ function spawnRunner(
       if (code !== 0) {
         const truncatedStderr =
           stderr.length > MAX_OUTPUT_CHARS
-            ? safeStringSlice(stderr, 0, MAX_OUTPUT_CHARS) + "\n[stderr truncated]"
+            ? safeStringSlice(stderr, 0, MAX_OUTPUT_CHARS) +
+              "\n[stderr truncated]"
             : stderr;
         resolve({
           content: `Skill tool script "${executorPath}" exited with code ${code}:\n${truncatedStderr}`,
@@ -230,7 +232,8 @@ function spawnRunner(
 
       const truncatedStdout =
         stdout.length > MAX_OUTPUT_CHARS
-          ? safeStringSlice(stdout, 0, MAX_OUTPUT_CHARS) + "\n[stdout truncated]"
+          ? safeStringSlice(stdout, 0, MAX_OUTPUT_CHARS) +
+            "\n[stdout truncated]"
           : stdout;
       resolve({ content: truncatedStdout, isError: false });
     });

package/src/tools/system/avatar-generator.ts

@@ -3,7 +3,6 @@ import { mkdirSync, renameSync, writeFileSync } from "node:fs";
 import { dirname } from "node:path";
 
 import { generateAvatar } from "../../media/avatar-router.js";
-import { mapGeminiError } from "../../media/gemini-image-service.js";
 import { getLogger } from "../../util/logger.js";
 import { getAvatarImagePath } from "../../util/platform.js";
 
@@ -69,7 +68,12 @@ export async function generateAndSaveAvatar(
       isError: false,
     };
   } catch (error) {
-    const message = mapGeminiError(error);
+    // avatar-router already throws with a provider-aware, user-friendly
+    // message — just surface error.message directly.
+    const message =
+      error instanceof Error
+        ? error.message
+        : "An unexpected error occurred during image generation.";
     log.error({ error: message }, "Avatar generation failed");
     return {
       content: `Avatar generation failed: ${message}`,

package/src/tools/terminal/backends/native.ts

@@ -12,6 +12,35 @@ const log = getLogger("sandbox");
 
 const HASH_DISPLAY_LENGTH = 12;
 
+/**
+ * macOS TCC-protected directories that trigger permission prompts when accessed.
+ * Unconditionally denied in the SBPL sandbox profile to prevent the assistant
+ * from triggering Photos, Contacts, Calendar, etc. dialogs during filesystem
+ * traversal (e.g. `find ~ -name .git`).
+ *
+ * Paths are relative to $HOME. Includes both TCC-protected directories that
+ * trigger prompts for all apps and directories like ~/Desktop and ~/Documents
+ * that are TCC-protected under App Sandbox or Full Disk Access checks.
+ */
+export const MACOS_TCC_PROTECTED_PATHS = [
+  "Desktop",
+  "Documents",
+  "Pictures/Photos Library.photoslibrary",
+  "Library/Photos",
+  "Library/Calendars",
+  "Library/Reminders",
+  "Library/Application Support/AddressBook",
+  "Library/Messages",
+  "Library/Mail",
+  "Library/Safari",
+  "Library/Cookies",
+  "Library/HomeKit",
+  "Library/IdentityServices",
+  "Library/Metadata/CoreSpotlight",
+  "Library/PersonalizationPortrait",
+  "Library/Suggestions",
+];
+
 /**
  * Build a macOS sandbox-exec SBPL profile.
  *
@@ -34,6 +63,18 @@ function buildSandboxProfile(
     ? ";; Allow network access (proxied mode - needed to reach the credential proxy)\n(allow network*)"
     : ";; Block network access\n(deny network*)";
 
+  // Block macOS TCC-protected directories to prevent permission prompts
+  // during filesystem traversal. Placed AFTER (allow file-read*) because
+  // SBPL uses last-match-wins semantics.
+  const home = process.env.HOME ?? "";
+  const tccDenyRules = home
+    ? "\n;; Block macOS TCC-protected directories to prevent permission prompts\n" +
+      MACOS_TCC_PROTECTED_PATHS.map(
+        (rel) =>
+          `(deny file-read* (subpath "${escapeSBPL(join(home, rel))}") (with no-log))`,
+      ).join("\n")
+    : "";
+
   // Build deny-read rules for protected paths (CES shell lockdown).
   // These are placed AFTER the allow file-read* rule because SBPL uses
   // last-match-wins semantics - the more specific deny overrides the
@@ -55,6 +96,13 @@ function buildSandboxProfile(
 
 ;; Allow read access to the filesystem (tools, libraries, etc.)
 (allow file-read*)
+${tccDenyRules}
+
+;; Re-allow reads for the working directory even if it falls under a TCC-denied
+;; subtree (e.g. ~/Desktop/my-project). SBPL is last-match-wins, so this
+;; override must come after the TCC deny rules above but BEFORE the CES
+;; deny-read rules below — credential isolation always takes precedence.
+(allow file-read* (subpath "__WORKING_DIR__"))
 ${denyReadRules}
 
 ;; Allow write access to the working directory and its children
@@ -120,12 +168,13 @@ function getProfilePath(
   if (!existsSync(dir)) {
     mkdirSync(dir, { recursive: true });
   }
-  // Include the network flag and deny-read paths in the hash so profiles
-  // with different configurations don't collide.
+  // Include the network flag, deny-read paths, and HOME in the hash so
+  // profiles with different configurations don't collide.
   let hashInput = allowNetwork ? `${workingDir}:proxied` : workingDir;
   if (denyReadPaths && denyReadPaths.length > 0) {
     hashInput += `:deny-read:${denyReadPaths.sort().join(",")}`;
   }
+  hashInput += `:home:${process.env.HOME ?? ""}`;
   const hash = createHash("sha256")
     .update(hashInput)
     .digest("hex")

package/src/tools/terminal/safe-env.ts

@@ -30,9 +30,11 @@ export const SAFE_ENV_VARS = [
   "VELLUM_DEV",
   "VELLUM_DEBUG",
   "VELLUM_ENVIRONMENT",
+  "BASE_DATA_DIR",
   "VELLUM_WORKSPACE_DIR",
   "CES_BOOTSTRAP_SOCKET_DIR",
   "GATEWAY_INTERNAL_URL",
+  "GATEWAY_SECURITY_DIR",
   "VELLUM_PLATFORM_URL",
   "VELLUM_ASSISTANT_PLATFORM_URL",
   "VELLUM_DOCS_BASE_URL",
@@ -82,8 +84,7 @@ export function buildSanitizedEnv(): Record<string, string> {
   // Ensure UTF-8 locale so multi-byte characters (em dashes, curly quotes,
   // arrows, etc.) survive piping through tools like pbcopy without corruption.
   // macOS (Darwin) does not provide C.UTF-8, so use en_US.UTF-8 there.
-  const utf8Locale =
-    process.platform === "darwin" ? "en_US.UTF-8" : "C.UTF-8";
+  const utf8Locale = process.platform === "darwin" ? "en_US.UTF-8" : "C.UTF-8";
   if (!env.LANG) env.LANG = utf8Locale;
   if (!env.LC_ALL) env.LC_ALL = utf8Locale;
   return env;

package/src/tools/terminal/shell.ts

@@ -306,6 +306,7 @@ class ShellTool implements Tool {
     }
 
     const env = buildSanitizedEnv();
+    env.__CONVERSATION_ID = context.conversationId;
     if (proxyEnv) {
       Object.assign(env, proxyEnv);
     }