@vellumai/assistant 0.6.5 → 0.7.0

package/src/permissions/checker.ts

@@ -1,13 +1,14 @@
 import { createHash } from "node:crypto";
 import { homedir } from "node:os";
-import { dirname, resolve } from "node:path";
+import { dirname, join } from "node:path";
 
 import { isAssistantFeatureFlagEnabled } from "../config/assistant-feature-flags.js";
 import { getIsContainerized } from "../config/env-registry.js";
 import { getConfig } from "../config/loader.js";
 import { loadSkillCatalog, resolveSkillSelector } from "../config/skills.js";
+import { ipcClassifyRisk } from "../ipc/gateway-client.js";
 import { indexCatalogById } from "../skills/include-graph.js";
-import { normalizeFilePath } from "../skills/path-classifier.js";
+import { getSkillRoots } from "../skills/path-classifier.js";
 import { computeTransitiveSkillVersionHash } from "../skills/transitive-version-hash.js";
 import { computeSkillVersionHash } from "../skills/version-hash.js";
 import type { ManifestOverride } from "../tools/execution-target.js";
@@ -16,22 +17,18 @@ import {
   looksLikePathOnlyInput,
 } from "../tools/network/url-safety.js";
 import { getTool } from "../tools/registry.js";
+import {
+  getDeprecatedDir,
+  getProtectedDir,
+  getWorkspaceDir,
+  getWorkspaceHooksDir,
+} from "../util/platform.js";
 import {
   type ApprovalContext,
   DefaultApprovalPolicy,
-  resolveThreshold,
 } from "./approval-policy.js";
-import { bashRiskClassifier } from "./bash-risk-classifier.js";
-import { fileRiskClassifier } from "./file-risk-classifier.js";
-import { type RiskAssessment, riskToRiskLevel } from "./risk-types.js";
-import {
-  buildShellAllowlistOptions,
-  buildShellCommandCandidates,
-  cachedParse,
-  type ParsedCommand,
-} from "./shell-identity.js";
-import { skillLoadRiskClassifier } from "./skill-risk-classifier.js";
-import { findHighestPriorityRule, onRulesChanged } from "./trust-store.js";
+import { getAutoApproveThreshold } from "./gateway-threshold-reader.js";
+import type { RiskAssessment } from "./risk-types.js";
 import {
   type AllowlistOption,
   type PermissionCheckResult,
@@ -39,12 +36,11 @@ import {
   RiskLevel,
   type ScopeOption,
 } from "./types.js";
-import { webRiskClassifier } from "./web-risk-classifier.js";
 import { isWorkspaceScopedInvocation } from "./workspace-policy.js";
 
 // ── Risk classification cache ────────────────────────────────────────────────
-// classifyRisk() is called on every permission check and can invoke WASM
-// parsing for shell commands. Cache results keyed on
+// classifyRisk() is called on every permission check and delegates to the
+// gateway via IPC. Cache results keyed on
 // (toolName, inputHash, workingDir, manifestOverride).
 // Invalidated when trust rules change since risk classification for file tools
 // depends on skill source path checks which reference config, but the core
@@ -56,13 +52,29 @@ export interface RiskClassification {
   reason?: string;
 }
 
+/**
+ * Extended risk classification that includes gateway-provided metadata
+ * used by check() for command candidate building and sandbox auto-approve.
+ */
+interface RiskClassificationWithMeta extends RiskClassification {
+  /** Command candidates from the gateway for trust rule matching (bash tools). */
+  commandCandidates?: string[];
+  /** Action keys from the gateway for trust rule matching (bash tools). */
+  actionKeys?: string[];
+  /** Whether the command qualifies for sandbox auto-approve (bash tools). */
+  sandboxAutoApprove?: boolean;
+  /** Allowlist options from the gateway for generateAllowlistOptions(). */
+  allowlistOptions?: AllowlistOption[];
+  /** Resolved filesystem path arguments for directory-scoped rule matching. */
+  resolvedPaths?: string[];
+}
+
 const RISK_CACHE_MAX = 256;
-const riskCache = new Map<string, RiskClassification>();
-let riskCacheInvalidationHookRegistered = false;
+const riskCache = new Map<string, RiskClassificationWithMeta>();
 
 // ── Assessment cache ─────────────────────────────────────────────────────────
-// Stores the full RiskAssessment from classifier-backed tools so that
-// generateAllowlistOptions() can read classifier-produced allowlistOptions
+// Stores the full ClassificationResult from the gateway so that
+// generateAllowlistOptions() can read gateway-produced allowlistOptions
 // without re-classifying. Keyed on (toolName, inputHash) — a simpler key
 // than the full risk cache since generateAllowlistOptions() does not receive
 // workingDir or manifestOverride. Cleared alongside the risk cache.
@@ -99,20 +111,12 @@ function riskCacheKey(
   return `${toolName}\0${hash}`;
 }
 
-/** Clear the risk classification cache. Called when trust rules change. */
-function clearRiskCache(): void {
+/** Clear the risk classification cache. Called when trust rules change. Exported for test setup. */
+export function clearRiskCache(): void {
   riskCache.clear();
   assessmentCache.clear();
 }
 
-function ensureRiskCacheInvalidationHook(): void {
-  if (riskCacheInvalidationHookRegistered) return;
-  // Register lazily to avoid an ESM initialization cycle between checker and
-  // trust-store when a higher-level module imports both during startup.
-  riskCacheInvalidationHookRegistered = true;
-  onRulesChanged(clearRiskCache);
-}
-
 // ── Approval policy singleton ────────────────────────────────────────────────
 const defaultApprovalPolicy = new DefaultApprovalPolicy();
 
@@ -235,186 +239,76 @@ function escapeMinimatchLiteral(value: string): string {
   return value.replace(/([\\*?[\]{}()!+@|])/g, "\\$1");
 }
 
-async function buildCommandCandidates(
-  toolName: string,
-  input: Record<string, unknown>,
-  workingDir: string,
-  preParsed?: ParsedCommand,
-): Promise<string[]> {
-  if (toolName === "bash" || toolName === "host_bash") {
-    return buildShellCommandCandidates(
-      getStringField(input, "command"),
-      preParsed,
-    );
-  }
+// ── IPC param builders ───────────────────────────────────────────────────────
+// Build the ClassifyRiskParams for each tool family. These resolve
+// assistant-local context (file paths, skill metadata, etc.) before
+// forwarding to the gateway.
 
-  if (toolName === "skill_load") {
-    const rawSelector = getStringField(input, "skill").trim();
-    const targets: string[] = [];
-    if (!rawSelector) {
-      targets.push("");
-    } else {
-      const resolved = resolveSkillIdAndHash(rawSelector);
-
-      // When the resolved skill contains inline command expansions and the
-      // feature flag is on, emit skill_load_dynamic: candidates so the
-      // higher-priority default ask rule catches them instead of falling
-      // through to the permissive skill_load:* allow rule.
-      const config = getConfig();
-      const inlineEnabled = isAssistantFeatureFlagEnabled(
-        "inline-skill-commands",
-        config,
-      );
-
-      if (resolved && inlineEnabled && hasInlineExpansions(resolved.id)) {
-        const transitiveHash = computeTransitiveHashSafe(resolved.id);
-        if (transitiveHash) {
-          targets.push(`skill_load_dynamic:${resolved.id}@${transitiveHash}`);
-        }
-        targets.push(`skill_load_dynamic:${resolved.id}`);
-        // Don't fall through to skill_load:* — dynamic skills use their own
-        // candidate namespace so the default ask rule applies.
-      } else {
-        if (resolved && resolved.versionHash) {
-          // Version-specific candidate lets rules pin to an exact skill version
-          targets.push(`${resolved.id}@${resolved.versionHash}`);
-        }
-        targets.push(rawSelector);
-      }
-    }
-
-    // Dynamic candidates use skill_load_dynamic: prefix; normal ones use skill_load:
-    return [...new Set(targets)].map((target) => {
-      if (target.startsWith("skill_load_dynamic:")) return target;
-      return `${toolName}:${target}`;
-    });
-  }
-
-  if (
-    toolName === "scaffold_managed_skill" ||
-    toolName === "delete_managed_skill"
-  ) {
-    const skillId = getStringField(input, "skill_id").trim();
-    return [`${toolName}:${skillId}`];
-  }
+import type {
+  ClassifyRiskParams,
+  FileContext,
+  SkillMetadata,
+} from "./ipc-risk-types.js";
 
-  if (toolName === "web_fetch" || toolName === "network_request") {
-    const rawUrl = getStringField(input, "url").trim();
-    const candidates: string[] = [];
-
-    if (rawUrl) {
-      candidates.push(`${toolName}:${rawUrl}`);
-    }
-
-    const normalized = normalizeWebFetchUrl(rawUrl);
-    if (normalized) {
-      candidates.push(`${toolName}:${normalized.href}`);
-      candidates.push(`${toolName}:${normalized.origin}/*`);
-    }
+function buildFileContext(): FileContext {
+  const config = getConfig();
+  return {
+    protectedDir: getProtectedDir(),
+    deprecatedDir: getDeprecatedDir(),
+    hooksDir: getWorkspaceHooksDir(),
+    actorTokenSigningKeyPath: join(
+      getProtectedDir(),
+      "actor-token-signing-key",
+    ),
+    skillSourceDirs: getSkillRoots(config.skills.load.extraDirs),
+  };
+}
 
-    if (candidates.length === 0) {
-      candidates.push(`${toolName}:`);
-    }
+function resolveSkillMetadata(selector: string): SkillMetadata | undefined {
+  const resolved = resolveSkillIdAndHash(selector);
+  if (!resolved) return undefined;
 
-    return [...new Set(candidates)];
-  }
+  const config = getConfig();
+  const inlineEnabled = isAssistantFeatureFlagEnabled(
+    "inline-skill-commands",
+    config,
+  );
+  const inlineExpansions = hasInlineExpansions(resolved.id);
+  const isDynamic = inlineEnabled && inlineExpansions;
 
-  const fileTarget = getStringField(input, "path", "file_path");
-  if (
-    toolName === "host_file_read" ||
-    toolName === "host_file_write" ||
-    toolName === "host_file_edit"
-  ) {
-    const resolved = fileTarget ? resolve(fileTarget) : fileTarget;
-    const normalized =
-      resolved && process.platform === "win32"
-        ? resolved.replaceAll("\\", "/")
-        : resolved;
-    const candidates = [`${toolName}:${normalized}`];
-    if (normalized !== fileTarget) {
-      candidates.push(`${toolName}:${fileTarget}`);
-    }
-    // Include the canonical (symlink-resolved) form so rules written against
-    // real paths match even when the tool receives a symlinked path.
-    if (fileTarget) {
-      const canonical = normalizeFilePath(normalized);
-      if (canonical !== normalized && canonical !== fileTarget) {
-        candidates.push(`${toolName}:${canonical}`);
-      }
-    }
-    return [...new Set(candidates)];
-  }
-
-  const rawResolved = fileTarget ? resolve(workingDir, fileTarget) : fileTarget;
-  const resolved =
-    rawResolved && process.platform === "win32"
-      ? rawResolved.replaceAll("\\", "/")
-      : rawResolved;
-  const candidates = [`${toolName}:${resolved}`];
-  // Also include the raw path if it differs, so user-created rules with
-  // raw paths still match.
-  if (resolved !== fileTarget) {
-    candidates.push(`${toolName}:${fileTarget}`);
-  }
-  // Include the canonical (symlink-resolved) form so rules written against
-  // real paths match even when the tool receives a symlinked or relative path
-  // with redundant segments like `./foo/../bar`.
-  if (fileTarget) {
-    const canonical = normalizeFilePath(resolved);
-    if (canonical !== resolved && canonical !== fileTarget) {
-      candidates.push(`${toolName}:${canonical}`);
-    }
-  }
-  return [...new Set(candidates)];
+  return {
+    skillId: resolved.id,
+    selector,
+    versionHash: resolved.versionHash ?? "",
+    transitiveHash: isDynamic
+      ? computeTransitiveHashSafe(resolved.id)
+      : undefined,
+    hasInlineExpansions: inlineExpansions,
+    isDynamic,
+  };
 }
 
-export async function classifyRisk(
+function buildClassifyRiskParams(
   toolName: string,
   input: Record<string, unknown>,
   workingDir?: string,
-  preParsed?: ParsedCommand,
   manifestOverride?: ManifestOverride,
-  signal?: AbortSignal,
-): Promise<RiskClassification> {
-  signal?.throwIfAborted();
-  ensureRiskCacheInvalidationHook();
-
-  // Check cache first (skip when preParsed is provided since caller already
-  // parsed and we'd just be duplicating the key computation cost).
-  const cacheKey = preParsed
-    ? null
-    : riskCacheKey(toolName, input, workingDir, manifestOverride);
-  if (cacheKey) {
-    const cached = riskCache.get(cacheKey);
-    if (cached !== undefined) {
-      // LRU refresh
-      riskCache.delete(cacheKey);
-      riskCache.set(cacheKey, cached);
-      return cached;
-    }
-  }
-
-  // ── Bash/host_bash: delegate to the registry-driven BashRiskClassifier ────
-  let result: RiskClassification;
-  let classifierAssessment: RiskAssessment | undefined;
+): ClassifyRiskParams {
+  // ── Bash/host_bash ──
   if (toolName === "bash" || toolName === "host_bash") {
-    const command = ((input.command as string) ?? "").trim();
-    if (!command) {
-      result = { level: RiskLevel.Low };
-    } else {
-      const assessment = await bashRiskClassifier.classify({
-        command,
-        toolName: toolName as "bash" | "host_bash",
-      });
-      classifierAssessment = assessment;
-      result = {
-        level: riskToRiskLevel(assessment.riskLevel),
-        reason: assessment.reason,
-      };
-    }
+    return {
+      tool: toolName,
+      command: getStringField(input, "command"),
+      workingDir,
+      workspaceRoot: getWorkspaceDir(),
+      isContainerized: getIsContainerized(),
+      networkMode:
+        typeof input.network_mode === "string" ? input.network_mode : undefined,
+    };
   }
-  // ── File tools: delegate to FileRiskClassifier ──────────────────────────
-  else if (
+
+  // ── File tools ──
+  if (
     [
       "file_read",
       "file_write",
@@ -422,127 +316,172 @@ export async function classifyRisk(
       "host_file_read",
       "host_file_write",
       "host_file_edit",
+      "host_file_transfer",
     ].includes(toolName)
   ) {
-    const filePath = getStringField(input, "path", "file_path");
     const isHostTool = toolName.startsWith("host_");
-    const assessment = await fileRiskClassifier.classify({
-      toolName: toolName as
-        | "file_read"
-        | "file_write"
-        | "file_edit"
-        | "host_file_read"
-        | "host_file_write"
-        | "host_file_edit",
-      filePath,
+    let filePath: string;
+    if (toolName === "host_file_transfer") {
+      // For host_file_transfer the security-sensitive path is the host-side
+      // path: source_path when reading from the host (to_sandbox), dest_path
+      // when writing to the host (to_host).
+      const direction = getStringField(input, "direction");
+      filePath =
+        direction === "to_sandbox"
+          ? getStringField(input, "source_path")
+          : getStringField(input, "dest_path");
+    } else {
+      filePath = getStringField(input, "path", "file_path");
+    }
+    return {
+      tool: toolName,
+      path: filePath,
       workingDir: isHostTool ? "/" : (workingDir ?? process.cwd()),
-    });
-    classifierAssessment = assessment;
-    result = {
-      level: riskToRiskLevel(assessment.riskLevel),
-      reason: assessment.reason,
+      fileContext: buildFileContext(),
     };
   }
-  // ── Web tools: delegate to WebRiskClassifier ────────────────────────────
-  else if (["web_fetch", "network_request", "web_search"].includes(toolName)) {
-    const assessment = await webRiskClassifier.classify({
-      toolName: toolName as "web_fetch" | "network_request" | "web_search",
+
+  // ── Web tools ──
+  if (["web_fetch", "network_request", "web_search"].includes(toolName)) {
+    return {
+      tool: toolName,
       url: getStringField(input, "url"),
       allowPrivateNetwork: input.allow_private_network === true,
-    });
-    classifierAssessment = assessment;
-    result = {
-      level: riskToRiskLevel(assessment.riskLevel),
-      reason: assessment.reason,
     };
   }
-  // ── Skill tools: delegate to SkillLoadRiskClassifier ────────────────────
-  else if (
+
+  // ── Skill tools ──
+  if (
     ["skill_load", "scaffold_managed_skill", "delete_managed_skill"].includes(
       toolName,
     )
   ) {
-    const assessment = await skillLoadRiskClassifier.classify({
-      toolName: toolName as
-        | "skill_load"
-        | "scaffold_managed_skill"
-        | "delete_managed_skill",
-      skillSelector: getStringField(input, "skill", "skill_id").trim(),
-    });
-    classifierAssessment = assessment;
-    result = {
-      level: riskToRiskLevel(assessment.riskLevel),
-      reason: assessment.reason,
+    const selector = getStringField(input, "skill", "skill_id").trim();
+    return {
+      tool: toolName,
+      skill: selector,
+      skillMetadata: selector ? resolveSkillMetadata(selector) : undefined,
     };
   }
-  // ── Remaining tools: fall through to registry-based classification ──────
-  else {
-    result = {
-      level: await classifyRiskFromRegistry(
-        toolName,
-        input,
-        workingDir,
-        manifestOverride,
-      ),
+
+  // ── Schedule tools ──
+  if (toolName === "schedule_create" || toolName === "schedule_update") {
+    return {
+      tool: toolName,
+      mode: getStringField(input, "mode") || undefined,
+      script: getStringField(input, "script") || undefined,
     };
   }
 
-  // Proxied bash commands route through the credential proxy which handles
-  // per-request approval separately. Cap the bash tool's own risk at Medium
-  // so trust rules can auto-allow the command execution.
-  if (
-    toolName === "bash" &&
-    input.network_mode === "proxied" &&
-    result.level === RiskLevel.High
-  ) {
-    result = { level: RiskLevel.Medium, reason: result.reason };
-  }
+  // ── Unknown tools ──
+  // Forward the tool's registry default risk level so the gateway can use it
+  // instead of hardcoding medium for unknown tools. When the tool is not in the
+  // registry but a manifestOverride provides a risk, use that instead.
+  const tool = getTool(toolName);
+  let registryDefaultRisk: string | undefined;
+  if (tool) {
+    registryDefaultRisk =
+      tool.defaultRiskLevel === RiskLevel.Low
+        ? "low"
+        : tool.defaultRiskLevel === RiskLevel.High
+          ? "high"
+          : tool.defaultRiskLevel === RiskLevel.Medium
+            ? "medium"
+            : undefined;
+  } else if (manifestOverride?.risk) {
+    registryDefaultRisk = manifestOverride.risk;
+  }
+  return { tool: toolName, registryDefaultRisk };
+}
 
-  if (cacheKey) {
-    if (riskCache.size >= RISK_CACHE_MAX) {
-      const oldest = riskCache.keys().next().value;
-      if (oldest !== undefined) riskCache.delete(oldest);
-    }
-    riskCache.set(cacheKey, result);
-  }
+// ── Risk string → RiskLevel mapping ──────────────────────────────────────────
 
-  // Store the full assessment in a separate cache keyed on (toolName, input)
-  // so generateAllowlistOptions() can retrieve classifier-produced options.
-  if (classifierAssessment) {
-    const aKey = assessmentCacheKey(toolName, input);
-    if (assessmentCache.size >= RISK_CACHE_MAX) {
-      const oldest = assessmentCache.keys().next().value;
-      if (oldest !== undefined) assessmentCache.delete(oldest);
-    }
-    assessmentCache.set(aKey, classifierAssessment);
+function riskStringToLevel(risk: string): RiskLevel {
+  switch (risk) {
+    case "low":
+      return RiskLevel.Low;
+    case "medium":
+      return RiskLevel.Medium;
+    case "high":
+      return RiskLevel.High;
+    default:
+      return RiskLevel.Medium;
   }
-
-  return result;
 }
 
-async function classifyRiskFromRegistry(
+export async function classifyRisk(
   toolName: string,
-  _input: Record<string, unknown>,
-  _workingDir?: string,
+  input: Record<string, unknown>,
+  workingDir?: string,
+  _preParsed?: unknown,
   manifestOverride?: ManifestOverride,
-): Promise<RiskLevel> {
-  // Check the tool registry for a declared default risk level
-  const tool = getTool(toolName);
-  if (tool) return tool.defaultRiskLevel;
-
-  // Use manifest metadata for unregistered skill tools so the Permission
-  // Simulator shows accurate risk levels instead of defaulting to Medium.
-  if (manifestOverride) {
-    const riskMap: Record<string, RiskLevel> = {
-      low: RiskLevel.Low,
-      medium: RiskLevel.Medium,
-      high: RiskLevel.High,
-    };
-    return riskMap[manifestOverride.risk] ?? RiskLevel.Medium;
+  signal?: AbortSignal,
+): Promise<RiskClassificationWithMeta> {
+  signal?.throwIfAborted();
+
+  // Check cache first.
+  const cacheKey = riskCacheKey(toolName, input, workingDir, manifestOverride);
+  const cached = riskCache.get(cacheKey);
+  if (cached !== undefined) {
+    // LRU refresh
+    riskCache.delete(cacheKey);
+    riskCache.set(cacheKey, cached);
+    return cached;
+  }
+
+  // ── Delegate to gateway via IPC ────────────────────────────────────────────
+  const ipcParams = buildClassifyRiskParams(
+    toolName,
+    input,
+    workingDir,
+    manifestOverride,
+  );
+  const gatewayResult = await ipcClassifyRisk(ipcParams);
+
+  if (!gatewayResult) {
+    throw new Error(
+      `Gateway IPC classify_risk failed for tool "${toolName}" — gateway is unreachable or returned an invalid response`,
+    );
   }
 
-  // Unknown tool → Medium
-  return RiskLevel.Medium;
+  const result: RiskClassificationWithMeta = {
+    level: riskStringToLevel(gatewayResult.risk),
+    reason: gatewayResult.reason,
+    commandCandidates: gatewayResult.commandCandidates,
+    actionKeys: gatewayResult.actionKeys,
+    sandboxAutoApprove: gatewayResult.sandboxAutoApprove,
+    allowlistOptions: gatewayResult.allowlistOptions,
+    resolvedPaths: gatewayResult.resolvedPaths,
+  };
+
+  // Cache the result.
+  if (riskCache.size >= RISK_CACHE_MAX) {
+    const oldest = riskCache.keys().next().value;
+    if (oldest !== undefined) riskCache.delete(oldest);
+  }
+  riskCache.set(cacheKey, result);
+
+  // Store a RiskAssessment-shaped entry in the assessment cache so that
+  // generateAllowlistOptions() can retrieve gateway-produced allowlistOptions
+  // and permission-checker.ts can populate riskScopeOptions for the Rule
+  // Editor Modal via cachedAssessment.scopeOptions.
+  const assessment: RiskAssessment = {
+    riskLevel: gatewayResult.risk === "unknown" ? "medium" : gatewayResult.risk,
+    reason: gatewayResult.reason,
+    scopeOptions: gatewayResult.scopeOptions ?? [],
+    matchType: gatewayResult.matchType ?? "unknown",
+    allowlistOptions: gatewayResult.allowlistOptions,
+    directoryScopeOptions: gatewayResult.directoryScopeOptions,
+    resolvedPaths: gatewayResult.resolvedPaths,
+  };
+  const aKey = assessmentCacheKey(toolName, input);
+  if (assessmentCache.size >= RISK_CACHE_MAX) {
+    const oldest = assessmentCache.keys().next().value;
+    if (oldest !== undefined) assessmentCache.delete(oldest);
+  }
+  assessmentCache.set(aKey, assessment);
+
+  return result;
 }
 
 export async function check(
@@ -555,62 +494,44 @@ export async function check(
 ): Promise<PermissionCheckResult> {
   signal?.throwIfAborted();
 
-  // For shell tools, parse once and share the result to avoid duplicate tree-sitter work.
-  let shellParsed: ParsedCommand | undefined;
-  if (toolName === "bash" || toolName === "host_bash") {
-    const command = ((input.command as string) ?? "").trim();
-    if (command) {
-      shellParsed = await cachedParse(command);
-    }
-  }
-
-  const { level: risk, reason: riskReason } = await classifyRisk(
+  const classification = await classifyRisk(
     toolName,
     input,
     workingDir,
-    shellParsed,
+    undefined,
     manifestOverride,
     signal,
   );
 
-  // Build command string candidates for rule matching
-  const commandCandidates = await buildCommandCandidates(
-    toolName,
-    input,
-    workingDir,
-    shellParsed,
-  );
+  const { level: risk, reason: riskReason } = classification;
 
-  // Find the highest-priority matching rule across all candidates
-  const matchedRule = findHighestPriorityRule(
-    toolName,
-    commandCandidates,
-    workingDir,
-    policyContext,
-  );
+  // Use gateway-provided sandboxAutoApprove instead of evaluating locally.
+  const hasSandboxAutoApprove = classification.sandboxAutoApprove ?? false;
 
   // Build approval context from local variables
   const tool = getTool(toolName);
-  const config = getConfig();
-  const resolvedThreshold = resolveThreshold(
-    config.permissions.autoApproveUpTo,
+  const threshold = await getAutoApproveThreshold(
+    policyContext?.conversationId,
     policyContext?.executionContext,
   );
   const approvalContext: ApprovalContext = {
     riskLevel: risk,
     toolName,
-    matchedRule: matchedRule ?? undefined,
-    permissionsMode: config.permissions.mode,
     isContainerized: getIsContainerized(),
     isWorkspaceScoped:
       risk === RiskLevel.Low
         ? isWorkspaceScopedInvocation(toolName, input, workingDir)
         : false,
     toolOrigin:
-      tool?.origin === "skill" ? "skill" : tool ? "builtin" : undefined,
+      tool?.origin === "skill" || tool?.origin === "plugin"
+        ? "skill"
+        : tool
+          ? "builtin"
+          : undefined,
     isSkillBundled: tool?.ownerSkillBundled ?? false,
     hasManifestOverride: !!manifestOverride,
-    autoApproveUpTo: resolvedThreshold,
+    autoApproveUpTo: threshold,
+    hasSandboxAutoApprove,
   };
 
   // Delegate the allow/prompt/deny decision to the approval policy
@@ -647,6 +568,7 @@ const TOOL_DISPLAY_NAMES: Record<string, string> = {
   host_file_read: "host file reads",
   host_file_write: "host file writes",
   host_file_edit: "host file edits",
+  host_file_transfer: "host file transfers",
   web_fetch: "URL fetches",
   network_request: "network requests",
 };
@@ -670,23 +592,26 @@ type AllowlistStrategy = (
   input: Record<string, unknown>,
 ) => Promise<AllowlistOption[]> | AllowlistOption[];
 
-function shellAllowlistStrategy(
-  _toolName: string,
-  input: Record<string, unknown>,
-): Promise<AllowlistOption[]> {
-  const command = ((input.command as string) ?? "").trim();
-  // TODO(phase-3): Wire RiskAssessment.scopeOptions into permission prompts
-  // and retire buildShellAllowlistOptions + buildShellCommandCandidates from
-  // shell-identity.ts. The classifier's generateScopeOptions produces the
-  // canonical scope ladder; this legacy path should not diverge further.
-  return buildShellAllowlistOptions(command);
-}
-
 function fileAllowlistStrategy(
   toolName: string,
   input: Record<string, unknown>,
 ): AllowlistOption[] {
-  const filePath = (input.path as string) ?? (input.file_path as string) ?? "";
+  let filePath: string;
+  if (toolName === "host_file_transfer") {
+    // Use the host-side path: source_path for to_sandbox, dest_path for to_host.
+    const direction = (input.direction as string) ?? "";
+    filePath =
+      direction === "to_sandbox"
+        ? ((input.source_path as string) ?? "")
+        : ((input.dest_path as string) ?? "");
+  } else {
+    filePath =
+      (input.path as string) ??
+      (input.file_path as string) ??
+      (input.dest_path as string) ??
+      (input.source_path as string) ??
+      "";
+  }
   const toolLabel = TOOL_DISPLAY_NAMES[toolName] ?? toolName;
   const options: AllowlistOption[] = [];
 
@@ -851,14 +776,13 @@ function skillLoadAllowlistStrategy(
 }
 
 const ALLOWLIST_STRATEGIES: Record<string, AllowlistStrategy> = {
-  bash: shellAllowlistStrategy,
-  host_bash: shellAllowlistStrategy,
   file_read: fileAllowlistStrategy,
   file_write: fileAllowlistStrategy,
   file_edit: fileAllowlistStrategy,
   host_file_read: fileAllowlistStrategy,
   host_file_write: fileAllowlistStrategy,
   host_file_edit: fileAllowlistStrategy,
+  host_file_transfer: fileAllowlistStrategy,
   web_fetch: urlAllowlistStrategy,
   network_request: urlAllowlistStrategy,
   scaffold_managed_skill: managedSkillAllowlistStrategy,
@@ -873,10 +797,9 @@ export async function generateAllowlistOptions(
 ): Promise<AllowlistOption[]> {
   signal?.throwIfAborted();
 
-  // Check if a classifier already produced allowlist options during
-  // classifyRisk(). If so, return those directly — avoids duplicate
-  // computation and keeps scope option generation unified with risk
-  // classification.
+  // Use gateway-produced allowlist options from the assessment cache.
+  // For bash/host_bash tools, these are always provided by the gateway.
+  // For other tools that have classifier-produced options, use those too.
   const aKey = assessmentCacheKey(toolName, input);
   const cachedAssessment = assessmentCache.get(aKey);
   if (
@@ -886,9 +809,8 @@ export async function generateAllowlistOptions(
     return cachedAssessment.allowlistOptions;
   }
 
-  // Fall back to the per-tool strategy function for tools that don't have
-  // classifier-produced options (e.g. bash tools use the shell identity
-  // strategy, or when the cache was missed).
+  // Fall back to the per-tool strategy function for non-bash tools
+  // or when no cached assessment exists.
   if (Object.hasOwn(ALLOWLIST_STRATEGIES, toolName)) {
     return ALLOWLIST_STRATEGIES[toolName](toolName, input);
   }
@@ -896,6 +818,18 @@ export async function generateAllowlistOptions(
   return [{ label: "*", description: "Everything", pattern: "*" }];
 }
 
+/**
+ * Retrieve a cached RiskAssessment for a given tool invocation.
+ * Returns `undefined` when no classifier-backed assessment exists
+ * (e.g. MCP tools, unknown tools that fall through to registry defaults).
+ */
+export function getCachedAssessment(
+  toolName: string,
+  input: Record<string, unknown>,
+): RiskAssessment | undefined {
+  return assessmentCache.get(assessmentCacheKey(toolName, input));
+}
+
 // Directory-based scope only applies to filesystem and shell tools.
 // All other tools auto-use "everywhere" (the client handles this).
 export const SCOPE_AWARE_TOOLS = new Set([
@@ -907,6 +841,7 @@ export const SCOPE_AWARE_TOOLS = new Set([
   "host_file_read",
   "host_file_write",
   "host_file_edit",
+  "host_file_transfer",
 ]);
 
 export function generateScopeOptions(