@vellumai/assistant 0.7.0 → 0.7.1

package/src/tools/browser/cdp-client/factory.ts

@@ -8,6 +8,7 @@ import {
   createLocalBackend,
 } from "../../../browser-session/index.js";
 import { getConfig } from "../../../config/loader.js";
+import { HostBrowserProxy } from "../../../daemon/host-browser-proxy.js";
 import { getLogger } from "../../../util/logger.js";
 import type { ToolContext } from "../../types.js";
 import { createCdpInspectClient } from "./cdp-inspect-client.js";
@@ -103,11 +104,10 @@ export interface GetCdpClientOptions {
  * invocation based on the ToolContext and config. Three backends are
  * considered in priority order:
  *
- *  1. **Extension** -- When `context.hostBrowserProxy` is set AND
- *     `hostBrowserProxy.isAvailable()` returns `true` (i.e. the
- *     proxy exists and the client is actually connected). This
- *     prevents selecting the extension transport when the proxy
- *     object exists but the underlying WebSocket is disconnected.
+ *  1. **Extension** -- When `HostBrowserProxy.instance` is available
+ *     and `isAvailable()` returns `true` (i.e. a chrome extension
+ *     connection exists in the registry). This prevents selecting
+ *     the extension transport when no extension is connected.
  *  2. **cdp-inspect** -- When `hostBrowser.cdpInspect.enabled` is
  *     `true` in config, construct a `CdpInspectClient` that attaches
  *     to an already-running Chrome via the DevTools JSON protocol.
@@ -183,17 +183,15 @@ export function buildPinnedCandidateList(
   context: ToolContext,
   mode: Exclude<BrowserMode, "auto">,
 ): BackendCandidate[] {
-  const { conversationId, hostBrowserProxy } = context;
+  const { conversationId } = context;
 
   switch (mode) {
     case "extension": {
-      if (!hostBrowserProxy || !hostBrowserProxy.isAvailable()) {
-        const reason = !hostBrowserProxy
-          ? "no host browser proxy provisioned for this conversation"
-          : "host browser proxy exists but is not connected";
+      const hostBrowserProxy = HostBrowserProxy.instance;
+      if (!hostBrowserProxy.isAvailable()) {
         throw new CdpError(
           "transport_error",
-          `Pinned mode "extension" unavailable: ${reason}`,
+          `Pinned mode "extension" unavailable: no active extension connection`,
           {
             attemptDiagnostics: [
               {
@@ -201,7 +199,7 @@ export function buildPinnedCandidateList(
                 inclusionReason: `pinned mode: extension`,
                 stage: "candidate_selection",
                 errorCode: "transport_error",
-                errorMessage: reason,
+                errorMessage: "no active extension connection",
               },
             ],
           },
@@ -289,18 +287,16 @@ export function buildPinnedCandidateList(
  * Exported for testing.
  */
 export function buildCandidateList(context: ToolContext): BackendCandidate[] {
-  const { conversationId, hostBrowserProxy } = context;
+  const { conversationId } = context;
   const candidates: BackendCandidate[] = [];
+  const hostBrowserProxy = HostBrowserProxy.instance;
 
-  // 1. Extension -- preferred when a chrome-extension is bound AND
-  //    the proxy reports it is connected. Checking isAvailable()
-  //    prevents selecting the extension transport when the proxy
-  //    object exists (e.g. it was provisioned at conversation start)
-  //    but the client has since disconnected.
-  if (hostBrowserProxy && hostBrowserProxy.isAvailable()) {
+  // 1. Extension -- preferred when the singleton proxy reports an active
+  //    extension connection is available.
+  if (hostBrowserProxy.isAvailable()) {
     candidates.push({
       kind: "extension",
-      reason: "hostBrowserProxy present and available",
+      reason: "extension connected via registry singleton",
       create() {
         const client = createExtensionCdpClient(
           hostBrowserProxy,
@@ -315,10 +311,10 @@ export function buildCandidateList(context: ToolContext): BackendCandidate[] {
         return { client, backend };
       },
     });
-  } else if (hostBrowserProxy) {
+  } else {
     log.debug(
       { conversationId },
-      "CDP factory: hostBrowserProxy present but not available, skipping extension candidate",
+      "CDP factory: no active extension connection, skipping extension candidate",
     );
   }
 
@@ -348,63 +344,39 @@ export function buildCandidateList(context: ToolContext): BackendCandidate[] {
     context.transportInterface === "macos" &&
     cdpInspectConfig.desktopAuto.enabled
   ) {
-    // macOS desktop-auto: include cdp-inspect as a candidate unless:
-    // (a) the hostBrowserProxy is registry-routed (extension-backed) and
-    //     temporarily unavailable — the extension transport was explicitly
-    //     expected and the disconnection is transient, so inserting
-    //     cdp-inspect would cause a silent takeover. Only applies when
-    //     `hostBrowserRegistryRouted` is true (set when
-    //     `hostBrowserSenderOverride` was wired at turn-start).
-    //     SSE-backed proxies (macOS without an extension connection) that
-    //     report unavailable (e.g. non-interactive turns where
-    //     clientConnected=false) should NOT suppress cdp-inspect — the
-    //     SSE proxy was never expected to service browser requests.
-    // (b) the cooldown from a recent failure is still active.
-    //
-    // When no hostBrowserProxy is present at all (extension not
-    // provisioned for this conversation), cdp-inspect remains available
-    // as a fallback per the desktop-auto contract.
-    if (
-      hostBrowserProxy &&
-      !hostBrowserProxy.isAvailable() &&
-      context.hostBrowserRegistryRouted
-    ) {
+    // macOS desktop-auto: include cdp-inspect as a candidate unless
+    // the cooldown from a recent failure is still active. The extension
+    // candidate is already first in the list, so it wins when connected.
+    const { cooldownMs } = cdpInspectConfig.desktopAuto;
+    if (isDesktopAutoCooldownActive(cooldownMs)) {
       log.debug(
-        { conversationId },
-        "CDP factory: desktop-auto cdp-inspect skipped (extension transport expected but temporarily unavailable)",
+        {
+          conversationId,
+          cooldownMs,
+          cooldownSince: _desktopAutoCooldownSince,
+        },
+        "CDP factory: desktop-auto cdp-inspect skipped (cooldown active)",
       );
     } else {
-      const { cooldownMs } = cdpInspectConfig.desktopAuto;
-      if (isDesktopAutoCooldownActive(cooldownMs)) {
-        log.debug(
-          {
-            conversationId,
-            cooldownMs,
-            cooldownSince: _desktopAutoCooldownSince,
-          },
-          "CDP factory: desktop-auto cdp-inspect skipped (cooldown active)",
-        );
-      } else {
-        candidates.push({
-          kind: "cdp-inspect",
-          reason: "desktopAuto: macOS turn, cdp-inspect auto-attempted",
-          create() {
-            const client = createCdpInspectClient(conversationId, {
-              host: cdpInspectConfig.host,
-              port: cdpInspectConfig.port,
-              discoveryTimeoutMs: cdpInspectConfig.probeTimeoutMs,
-              wsConnectTimeoutMs: cdpInspectConfig.probeTimeoutMs,
-            });
-            const backend = createCdpInspectBackend({
-              isAvailable: () => true,
-              sendCdp: (command, signal) =>
-                dispatchThroughClient(client, command, signal),
-              dispose: () => client.dispose(),
-            });
-            return { client, backend };
-          },
-        });
-      }
+      candidates.push({
+        kind: "cdp-inspect",
+        reason: "desktopAuto: macOS turn, cdp-inspect auto-attempted",
+        create() {
+          const client = createCdpInspectClient(conversationId, {
+            host: cdpInspectConfig.host,
+            port: cdpInspectConfig.port,
+            discoveryTimeoutMs: cdpInspectConfig.probeTimeoutMs,
+            wsConnectTimeoutMs: cdpInspectConfig.probeTimeoutMs,
+          });
+          const backend = createCdpInspectBackend({
+            isAvailable: () => true,
+            sendCdp: (command, signal) =>
+              dispatchThroughClient(client, command, signal),
+            dispose: () => client.dispose(),
+          });
+          return { client, backend };
+        },
+      });
     }
   }
 

package/src/tools/browser/cdp-client/index.ts

@@ -1,22 +1,9 @@
 export {
-  CdpInspectClient,
   type CdpInspectClientOptions,
   type CdpInspectHelpers,
-  createCdpInspectClient,
 } from "./cdp-inspect-client.js";
 export { CdpError, type CdpErrorCode } from "./errors.js";
-export {
-  createExtensionCdpClient,
-  ExtensionCdpClient,
-} from "./extension-cdp-client.js";
-export {
-  buildCandidateList,
-  buildChainedClient,
-  buildPinnedCandidateList,
-  getCdpClient,
-  type GetCdpClientOptions,
-} from "./factory.js";
-export { createLocalCdpClient, LocalCdpClient } from "./local-cdp-client.js";
+export { type GetCdpClientOptions } from "./factory.js";
 export type {
   AttemptDiagnostic,
   AttemptStage,

package/src/tools/executor.ts

@@ -22,7 +22,6 @@ import { getLogger } from "../util/logger.js";
 import { resolveExecutionTarget } from "./execution-target.js";
 import { executeWithTimeout, safeTimeoutMs } from "./execution-timeout.js";
 import { PermissionChecker } from "./permission-checker.js";
-import { SecretDetectionHandler } from "./secret-detection-handler.js";
 import { extractAndSanitize } from "./sensitive-output-placeholders.js";
 import { applyEdit } from "./shared/filesystem/edit-engine.js";
 import { sandboxPolicy } from "./shared/filesystem/path-policy.js";
@@ -39,13 +38,11 @@ const log = getLogger("tool-executor");
 export class ToolExecutor {
   private prompter: PermissionPrompter;
   private permissionChecker: PermissionChecker;
-  private secretDetectionHandler: SecretDetectionHandler;
   private approvalHandler: ToolApprovalHandler;
 
   constructor(prompter: PermissionPrompter) {
     this.prompter = prompter;
     this.permissionChecker = new PermissionChecker(prompter);
-    this.secretDetectionHandler = new SecretDetectionHandler(prompter);
     this.approvalHandler = new ToolApprovalHandler();
   }
 
@@ -105,6 +102,19 @@ export class ToolExecutor {
     const startTime = Date.now();
     let decision = "allow";
     let riskLevel: string = RiskLevel.Low;
+    let permRiskMeta:
+      | {
+          riskLevel: string;
+          riskReason: string;
+          riskScopeOptions: Array<{ pattern: string; label: string }>;
+          riskDirectoryScopeOptions?: Array<{ scope: string; label: string }>;
+          isContainerized?: boolean;
+        }
+      | undefined;
+    let permMatchedTrustRuleId: string | undefined;
+    let permApprovalMode: string | undefined;
+    let permApprovalReason: string | undefined;
+    let permRiskThreshold: string | undefined;
     const executionTarget = resolveExecutionTarget(name);
 
     emitLifecycleEvent(context, {
@@ -167,15 +177,6 @@ export class ToolExecutor {
       // Exception: requireFreshApproval tools always go through the
       // permission check even when a grant was consumed - the grant does
       // not substitute for an interactive human review.
-      let permRiskMeta:
-        | {
-            riskLevel: string;
-            riskReason: string;
-            riskScopeOptions: Array<{ pattern: string; label: string }>;
-            riskDirectoryScopeOptions?: Array<{ scope: string; label: string }>;
-            isContainerized?: boolean;
-          }
-        | undefined;
       if (!gateResult.grantConsumed || context.requireFreshApproval) {
         // Check permissions via the extracted PermissionChecker
         const permResult = await this.permissionChecker.checkPermission(
@@ -192,6 +193,10 @@ export class ToolExecutor {
         riskLevel = permResult.riskLevel;
         decision = permResult.decision;
         permRiskMeta = permResult.riskMeta;
+        permMatchedTrustRuleId = permResult.matchedTrustRuleId;
+        permApprovalMode = permResult.approvalMode;
+        permApprovalReason = permResult.approvalReason;
+        permRiskThreshold = permResult.riskThreshold;
 
         if (!permResult.allowed) {
           return {
@@ -202,12 +207,21 @@ export class ToolExecutor {
             riskScopeOptions: permRiskMeta?.riskScopeOptions,
             riskDirectoryScopeOptions: permRiskMeta?.riskDirectoryScopeOptions,
             isContainerized: permRiskMeta?.isContainerized,
+            matchedTrustRuleId: permMatchedTrustRuleId,
+            approvalMode: permApprovalMode,
+            approvalReason: permApprovalReason,
+            riskThreshold: permRiskThreshold,
           };
         }
 
         if (permResult.wasPrompted) {
           context.approvedViaPrompt = true;
         }
+      } else {
+        // Grant consumed — permission check was skipped. Set provenance explicitly
+        // so the record shows how this execution was authorized.
+        permApprovalMode = "auto";
+        permApprovalReason = "grant_scoped_consumed";
       }
 
       // Execute the tool - proxy tools delegate to an external resolver.
@@ -231,6 +245,7 @@ export class ToolExecutor {
             conversationId: context.conversationId,
             requestId: context.requestId,
             riskLevel,
+            matchedTrustRuleId: permMatchedTrustRuleId,
             decision: "error",
             durationMs,
             errorMessage: msg,
@@ -268,6 +283,7 @@ export class ToolExecutor {
           conversationId: context.conversationId,
           requestId: context.requestId,
           riskLevel,
+          matchedTrustRuleId: permMatchedTrustRuleId,
           decision: "error",
           durationMs,
           errorMessage: msg,
@@ -334,6 +350,7 @@ export class ToolExecutor {
             conversationId: context.conversationId,
             requestId: context.requestId,
             riskLevel,
+            matchedTrustRuleId: permMatchedTrustRuleId,
             decision: "deny",
             reason: denialReason,
             durationMs,
@@ -352,6 +369,7 @@ export class ToolExecutor {
             conversationId: context.conversationId,
             requestId: context.requestId,
             riskLevel,
+            matchedTrustRuleId: permMatchedTrustRuleId,
             decision: "error",
             durationMs,
             errorMessage: errorMsg,
@@ -364,8 +382,6 @@ export class ToolExecutor {
 
       // Sensitive output extraction: strip directives, replace raw values
       // with placeholders, and attach bindings for agent-loop substitution.
-      // Runs before secret detection so that raw sensitive values are already
-      // replaced and won't trigger entropy-based redaction.
       const { sanitizedContent, bindings } = extractAndSanitize(
         execResult.content,
       );
@@ -377,23 +393,6 @@ export class ToolExecutor {
         };
       }
 
-      // Secret detection on tool output
-      const secretResult = await this.secretDetectionHandler.handle(
-        execResult,
-        name,
-        input,
-        context,
-        executionTarget,
-        riskLevel,
-        decision,
-        startTime,
-        emitLifecycleEvent,
-      );
-      if (secretResult.earlyReturn) {
-        return secretResult.result;
-      }
-      execResult = secretResult.result;
-
       const durationMs = Date.now() - startTime;
       // Strip sensitiveBindings from lifecycle event to prevent raw values leaking
       const { sensitiveBindings: _sb, ...safeResult } = execResult;
@@ -406,6 +405,7 @@ export class ToolExecutor {
         conversationId: context.conversationId,
         requestId: context.requestId,
         riskLevel,
+        matchedTrustRuleId: permMatchedTrustRuleId,
         decision,
         durationMs,
         result: safeResult,
@@ -424,6 +424,18 @@ export class ToolExecutor {
           isContainerized: permRiskMeta.isContainerized,
         };
       }
+      if (permMatchedTrustRuleId) {
+        execResult = { ...execResult, matchedTrustRuleId: permMatchedTrustRuleId };
+      }
+      if (permApprovalMode) {
+        execResult = { ...execResult, approvalMode: permApprovalMode };
+      }
+      if (permApprovalReason) {
+        execResult = { ...execResult, approvalReason: permApprovalReason };
+      }
+      if (permRiskThreshold) {
+        execResult = { ...execResult, riskThreshold: permRiskThreshold };
+      }
 
       return execResult;
     } catch (err) {
@@ -465,6 +477,7 @@ export class ToolExecutor {
         conversationId: context.conversationId,
         requestId: context.requestId,
         riskLevel,
+        matchedTrustRuleId: permMatchedTrustRuleId,
         decision: "error",
         durationMs,
         errorMessage: msg,

package/src/tools/host-filesystem/edit.ts

@@ -1,3 +1,4 @@
+import { HostFileProxy } from "../../daemon/host-file-proxy.js";
 import { RiskLevel } from "../../permissions/types.js";
 import type { ToolDefinition } from "../../providers/types.js";
 import { FileSystemOps } from "../shared/filesystem/file-ops-service.js";
@@ -85,8 +86,8 @@ class HostFileEditTool implements Tool {
 
     // Proxy to connected client for execution on the user's machine
     // when a capable client is available (managed/cloud-hosted mode).
-    if (context.hostFileProxy?.isAvailable()) {
-      return context.hostFileProxy.request(
+    if (HostFileProxy.instance.isAvailable()) {
+      return HostFileProxy.instance.request(
         {
           operation: "edit",
           path: rawPath,

package/src/tools/host-filesystem/read.ts

@@ -1,5 +1,6 @@
 import { extname } from "node:path";
 
+import { HostFileProxy } from "../../daemon/host-file-proxy.js";
 import { RiskLevel } from "../../permissions/types.js";
 import type { ToolDefinition } from "../../providers/types.js";
 import { FileSystemOps } from "../shared/filesystem/file-ops-service.js";
@@ -57,8 +58,8 @@ class HostFileReadTool implements Tool {
     // Proxy to connected client for execution on the user's machine
     // when a capable client is available (managed/cloud-hosted mode),
     // including image reads that need the host filesystem view.
-    if (context.hostFileProxy?.isAvailable()) {
-      return context.hostFileProxy.request(
+    if (HostFileProxy.instance.isAvailable()) {
+      return HostFileProxy.instance.request(
         {
           operation: "read",
           path: rawPath,

package/src/tools/host-filesystem/transfer.test.ts

@@ -1,14 +1,44 @@
 import { existsSync, mkdtempSync, realpathSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
-import { afterEach, describe, expect, test } from "bun:test";
+import { afterEach, describe, expect, mock, test } from "bun:test";
 
 import type { ToolContext } from "../types.js";
-import { hostFileTransferTool } from "./transfer.js";
+
+// ---------------------------------------------------------------------------
+// Singleton mock — must precede the tool import so bun's module mock applies.
+// ---------------------------------------------------------------------------
+
+let mockProxyAvailable = false;
+const toSandboxCalls: Array<{ sourcePath: string; destPath: string }> = [];
+const toHostCalls: Array<{ sourcePath: string; destPath: string }> = [];
+
+mock.module("../../daemon/host-transfer-proxy.js", () => ({
+  HostTransferProxy: {
+    get instance() {
+      return {
+        isAvailable: () => mockProxyAvailable,
+        requestToSandbox: (args: { sourcePath: string; destPath: string; overwrite?: boolean; conversationId: string }) => {
+          toSandboxCalls.push({ sourcePath: args.sourcePath, destPath: args.destPath });
+          return Promise.resolve({ content: "ok", isError: false });
+        },
+        requestToHost: (args: { sourcePath: string; destPath: string; overwrite: boolean; conversationId: string }) => {
+          toHostCalls.push({ sourcePath: args.sourcePath, destPath: args.destPath });
+          return Promise.resolve({ content: "ok", isError: false });
+        },
+      };
+    },
+  },
+}));
+
+const { hostFileTransferTool } = await import("./transfer.js");
 
 const testDirs: string[] = [];
 
 afterEach(() => {
+  mockProxyAvailable = false;
+  toSandboxCalls.length = 0;
+  toHostCalls.length = 0;
   for (const dir of testDirs.splice(0)) {
     rmSync(dir, { recursive: true, force: true });
   }
@@ -25,7 +55,7 @@ function makeContext(workingDir: string): ToolContext {
 }
 
 // ---------------------------------------------------------------------------
-// Local-mode tests (no proxy; context.hostTransferProxy omitted)
+// Local-mode tests (proxy unavailable — falls back to local copy)
 // ---------------------------------------------------------------------------
 
 describe("host_file_transfer local mode", () => {
@@ -176,93 +206,66 @@ describe("host_file_transfer local mode to_host", () => {
 });
 
 // ---------------------------------------------------------------------------
-// Managed-mode tests (mock proxy via context.hostTransferProxy)
+// Managed-mode tests (singleton proxy available)
 // ---------------------------------------------------------------------------
 
 describe("host_file_transfer managed mode", () => {
   test("relative path is pre-resolved before proxy call", async () => {
+    mockProxyAvailable = true;
     const workingDir = makeTempDir();
     const srcDir = makeTempDir();
     const srcFile = join(srcDir, "source.txt");
     writeFileSync(srcFile, "content");
 
-    const calls: Array<{ destPath: string }> = [];
-    const mockProxy = {
-      isAvailable: () => true,
-      requestToSandbox: (args: { sourcePath: string; destPath: string; overwrite: boolean; conversationId: string }) => {
-        calls.push({ destPath: args.destPath });
-        return Promise.resolve({ content: "ok", isError: false });
-      },
-    };
-    const ctx = { ...makeContext(workingDir), hostTransferProxy: mockProxy as any };
-
     await hostFileTransferTool.execute(
       {
         source_path: srcFile,
         dest_path: "relative/file.txt",
         direction: "to_sandbox",
       },
-      ctx,
+      makeContext(workingDir),
     );
 
-    expect(calls.length).toBe(1);
-    expect(calls[0].destPath).toBe(join(workingDir, "relative", "file.txt"));
+    expect(toSandboxCalls.length).toBe(1);
+    expect(toSandboxCalls[0].destPath).toBe(join(workingDir, "relative", "file.txt"));
   });
 
   test("to_host relative source is pre-resolved before proxy call", async () => {
+    mockProxyAvailable = true;
     const workingDir = makeTempDir();
     writeFileSync(join(workingDir, "doc.md"), "content");
 
-    const calls: Array<{ sourcePath: string }> = [];
-    const mockProxy = {
-      isAvailable: () => true,
-      requestToHost: (args: { sourcePath: string; destPath: string; overwrite: boolean; conversationId: string }) => {
-        calls.push({ sourcePath: args.sourcePath });
-        return Promise.resolve({ content: "ok", isError: false });
-      },
-    };
-    const ctx = { ...makeContext(workingDir), hostTransferProxy: mockProxy as any };
-
     await hostFileTransferTool.execute(
       {
         source_path: "doc.md",
         dest_path: "/Users/someone/Desktop/doc.md",
         direction: "to_host",
       },
-      ctx,
+      makeContext(workingDir),
     );
 
-    expect(calls.length).toBe(1);
-    expect(calls[0].sourcePath).toBe(join(workingDir, "doc.md"));
+    expect(toHostCalls.length).toBe(1);
+    expect(toHostCalls[0].sourcePath).toBe(join(workingDir, "doc.md"));
   });
 
   test("out-of-bounds path rejected before proxy call", async () => {
+    mockProxyAvailable = true;
     const workingDir = makeTempDir();
     const srcDir = makeTempDir();
     const srcFile = join(srcDir, "source.txt");
     writeFileSync(srcFile, "content");
 
-    const calls: Array<{ destPath: string }> = [];
-    const mockProxy = {
-      isAvailable: () => true,
-      requestToSandbox: (args: { sourcePath: string; destPath: string; overwrite: boolean; conversationId: string }) => {
-        calls.push({ destPath: args.destPath });
-        return Promise.resolve({ content: "ok", isError: false });
-      },
-    };
-    const ctx = { ...makeContext(workingDir), hostTransferProxy: mockProxy as any };
-
     const result = await hostFileTransferTool.execute(
       {
         source_path: srcFile,
         dest_path: "/etc/passwd",
         direction: "to_sandbox",
       },
-      ctx,
+      makeContext(workingDir),
     );
 
     expect(result.isError).toBe(true);
     expect(result.content).toContain("Invalid destination path");
-    expect(calls.length).toBe(0);
+    expect(toSandboxCalls.length).toBe(0);
   });
 });

package/src/tools/host-filesystem/transfer.ts

@@ -2,6 +2,7 @@ import { constants } from "node:fs";
 import { copyFile, lstat, mkdir, realpath } from "node:fs/promises";
 import { dirname, isAbsolute } from "node:path";
 
+import { HostTransferProxy } from "../../daemon/host-transfer-proxy.js";
 import { RiskLevel } from "../../permissions/types.js";
 import type { ToolDefinition } from "../../providers/types.js";
 import { sandboxPolicy } from "../shared/filesystem/path-policy.js";
@@ -125,9 +126,9 @@ class HostFileTransferTool implements Tool {
     }
 
     // Managed mode: delegate to the host transfer proxy when available.
-    if (context.hostTransferProxy?.isAvailable()) {
+    if (HostTransferProxy.instance.isAvailable()) {
       if (direction === "to_host") {
-        return context.hostTransferProxy.requestToHost(
+        return HostTransferProxy.instance.requestToHost(
           {
             sourcePath: resolvedSourcePath,
             destPath,
@@ -137,7 +138,7 @@ class HostFileTransferTool implements Tool {
           context.signal,
         );
       }
-      return context.hostTransferProxy.requestToSandbox(
+      return HostTransferProxy.instance.requestToSandbox(
         {
           sourcePath,
           destPath: resolvedDestPath,

package/src/tools/host-filesystem/write.ts

@@ -1,3 +1,4 @@
+import { HostFileProxy } from "../../daemon/host-file-proxy.js";
 import { RiskLevel } from "../../permissions/types.js";
 import type { ToolDefinition } from "../../providers/types.js";
 import { FileSystemOps } from "../shared/filesystem/file-ops-service.js";
@@ -55,8 +56,8 @@ class HostFileWriteTool implements Tool {
 
     // Proxy to connected client for execution on the user's machine
     // when a capable client is available (managed/cloud-hosted mode).
-    if (context.hostFileProxy?.isAvailable()) {
-      return context.hostFileProxy.request(
+    if (HostFileProxy.instance.isAvailable()) {
+      return HostFileProxy.instance.request(
         {
           operation: "write",
           path: rawPath,