@vellumai/assistant 0.7.0 → 0.7.2

package/src/tools/permission-checker.ts

@@ -1,4 +1,5 @@
 import { getIsContainerized } from "../config/env-registry.js";
+import { mapApprovalProvenance } from "../permissions/approval-provenance.js";
 import {
   check,
   classifyRisk,
@@ -8,6 +9,7 @@ import {
 } from "../permissions/checker.js";
 import { getAutoApproveThreshold } from "../permissions/gateway-threshold-reader.js";
 import type { PermissionPrompter } from "../permissions/prompter.js";
+import type { ApprovalMode, ApprovalReason, RiskThreshold } from "../permissions/types.js";
 import { RiskLevel } from "../permissions/types.js";
 import { getLogger } from "../util/logger.js";
 import { buildPolicyContext } from "./policy-context.js";
@@ -23,6 +25,8 @@ export type PermissionDecision =
       decision: string;
       riskLevel: string;
       wasPrompted?: boolean;
+      /** ID of the trust rule that matched this invocation (if any). Always set when a rule matched, even for non-classifier tools where riskMeta is absent. */
+      matchedTrustRuleId?: string;
       /** Risk metadata from the classifier assessment cache (when available). */
       riskMeta?: {
         riskLevel: string;
@@ -31,12 +35,17 @@ export type PermissionDecision =
         riskDirectoryScopeOptions?: Array<{ scope: string; label: string }>;
         isContainerized?: boolean;
       };
+      approvalMode?: ApprovalMode;
+      approvalReason?: ApprovalReason;
+      riskThreshold?: RiskThreshold;
     }
   | {
       allowed: false;
       decision: string;
       riskLevel: string;
       content: string;
+      /** ID of the trust rule that matched this invocation (if any). Always set when a rule matched, even for non-classifier tools where riskMeta is absent. */
+      matchedTrustRuleId?: string;
       /** Risk metadata from the classifier assessment cache (when available). */
       riskMeta?: {
         riskLevel: string;
@@ -45,6 +54,9 @@ export type PermissionDecision =
         riskDirectoryScopeOptions?: Array<{ scope: string; label: string }>;
         isContainerized?: boolean;
       };
+      approvalMode?: ApprovalMode;
+      approvalReason?: ApprovalReason;
+      riskThreshold?: RiskThreshold;
     };
 
 export class PermissionChecker {
@@ -120,6 +132,19 @@ export class PermissionChecker {
         context.signal,
       );
 
+      // Extract the matched rule ID for propagation. Returned as a top-level
+      // field on PermissionDecision so it reaches the executor even when
+      // riskMeta is absent (non-classifier tools like MCP don't populate it).
+      const matchedTrustRuleId = result.matchedRule?.id;
+
+      // Resolved threshold snapshot for provenance. getAutoApproveThreshold
+      // returns from cache (populated by check() above), so this is free.
+      const conversationThreshold = await getAutoApproveThreshold(
+        policyContext.conversationId,
+        policyContext.executionContext,
+      );
+      const riskThreshold = conversationThreshold as RiskThreshold;
+
       // Some callers force prompting for side-effect tools even when a
       // trust/allow rule would auto-allow. Deny decisions are preserved -
       // only allow → prompt promotion happens here.
@@ -155,16 +180,21 @@ export class PermissionChecker {
           requestId: context.requestId,
           riskLevel,
           riskReason,
+          matchedTrustRuleId,
           decision: "deny",
           reason: result.reason,
           durationMs,
         });
+        const provenance = mapApprovalProvenance("denied", { matchedTrustRuleId });
         return {
           allowed: false,
           decision: "denied",
           riskLevel,
           content: result.reason,
+          matchedTrustRuleId,
           riskMeta,
+          ...provenance,
+          riskThreshold,
         };
       }
 
@@ -189,7 +219,10 @@ export class PermissionChecker {
           allowed: true,
           decision: "platform_auto_approve",
           riskLevel,
+          matchedTrustRuleId,
           riskMeta,
+          ...mapApprovalProvenance("platform_auto_approve", {}),
+          riskThreshold,
         };
       }
 
@@ -245,7 +278,10 @@ export class PermissionChecker {
               allowed: true,
               decision: "guardian_auto_approve",
               riskLevel,
+              matchedTrustRuleId,
               riskMeta,
+              ...mapApprovalProvenance("guardian_auto_approve", {}),
+              riskThreshold: bgThreshold as RiskThreshold,
             };
           }
         }
@@ -268,6 +304,7 @@ export class PermissionChecker {
             requestId: context.requestId,
             riskLevel,
             riskReason,
+            matchedTrustRuleId,
             decision: "deny",
             reason: "Non-interactive session: no client to approve prompt",
             durationMs,
@@ -277,7 +314,13 @@ export class PermissionChecker {
             decision: "denied",
             riskLevel,
             content: `Permission denied: tool "${name}" requires user approval but no interactive client is connected. The tool was not executed. To allow this tool in non-interactive sessions, add a trust rule via permission settings.`,
+            matchedTrustRuleId,
             riskMeta,
+            // Do not pass matchedTrustRuleId here: an ask-rule match put us in
+            // the prompt path, but the *reason* for denial is no interactive
+            // client, not a deny rule. Always emit no_interactive_client.
+            ...mapApprovalProvenance("denied", {}),
+            riskThreshold,
           };
         }
 
@@ -352,6 +395,7 @@ export class PermissionChecker {
             requestId: context.requestId,
             riskLevel,
             riskReason,
+            matchedTrustRuleId,
             decision: "deny",
             reason: denialReason,
             durationMs,
@@ -361,7 +405,14 @@ export class PermissionChecker {
             decision,
             riskLevel,
             content: denialMessage,
+            matchedTrustRuleId,
             riskMeta,
+            ...mapApprovalProvenance(decision, {
+              wasTimeout: response.wasTimeout,
+              wasSystemCancel: response.wasSystemCancel,
+              wasAbort: response.wasAbort,
+            }),
+            riskThreshold,
           };
         }
 
@@ -370,12 +421,26 @@ export class PermissionChecker {
           decision,
           riskLevel,
           wasPrompted: true,
+          matchedTrustRuleId,
           riskMeta,
+          ...mapApprovalProvenance(decision, { wasPrompted: true }),
+          riskThreshold,
         };
       }
 
       // result.decision === 'allow'
-      return { allowed: true, decision: "allow", riskLevel, riskMeta };
+      return {
+        allowed: true,
+        decision: "allow",
+        riskLevel,
+        matchedTrustRuleId,
+        riskMeta,
+        ...mapApprovalProvenance("allow", {
+          hasSandboxAutoApprove: result.hasSandboxAutoApprove,
+          matchedTrustRuleId,
+        }),
+        riskThreshold,
+      };
     } catch (err) {
       if (err instanceof Error) {
         (err as Error & { riskLevel?: string }).riskLevel = riskLevel;

package/src/tools/schedule/create.ts

@@ -44,6 +44,8 @@ export async function executeScheduleCreate(
     | undefined;
   const quiet = (input.quiet as boolean) ?? false;
   const reuseConversation = (input.reuse_conversation as boolean) ?? false;
+  const maxRetries = input.max_retries as number | undefined;
+  const retryBackoffMs = input.retry_backoff_ms as number | undefined;
 
   if (!name || typeof name !== "string") {
     return {
@@ -130,6 +132,8 @@ export async function executeScheduleCreate(
         routingHints,
         quiet,
         reuseConversation,
+        maxRetries,
+        retryBackoffMs,
       });
 
       const fireDate = formatLocalDate(job.nextRunAt);
@@ -208,6 +212,8 @@ export async function executeScheduleCreate(
       routingHints,
       quiet,
       reuseConversation,
+      maxRetries,
+      retryBackoffMs,
     });
 
     const scheduleDescription =

package/src/tools/schedule/list.ts

@@ -77,6 +77,8 @@ export async function executeScheduleList(
       `  Last run: ${job.lastRunAt ? formatLocalDate(job.lastRunAt) : "never"}`,
       `  Last status: ${job.lastStatus ?? "n/a"}`,
       `  Retry count: ${job.retryCount}`,
+      `  Max retries: ${job.maxRetries}`,
+      `  Retry backoff: ${job.retryBackoffMs}ms`,
       `  Created: ${formatLocalDate(job.createdAt)}`,
     );
 

package/src/tools/schedule/update.ts

@@ -108,6 +108,14 @@ export async function executeScheduleUpdate(
     updates.reuseConversation = input.reuse_conversation;
   }
 
+  // Retry policy
+  if (input.max_retries !== undefined) {
+    updates.maxRetries = input.max_retries;
+  }
+  if (input.retry_backoff_ms !== undefined) {
+    updates.retryBackoffMs = input.retry_backoff_ms;
+  }
+
   // Auto-detect syntax when expression changes without explicit syntax
   if (input.expression !== undefined || input.syntax !== undefined) {
     const resolved = normalizeScheduleSyntax({
@@ -173,6 +181,8 @@ export async function executeScheduleUpdate(
         routingHints?: Record<string, unknown>;
         quiet?: boolean;
         reuseConversation?: boolean;
+        maxRetries?: number;
+        retryBackoffMs?: number;
       },
     );
 

package/src/tools/shared/filesystem/file-ops-service.ts

@@ -52,6 +52,8 @@ function pathError(
       return Err.pathNotAbsolute(path);
     case "out_of_bounds":
       return { code: "PATH_OUT_OF_BOUNDS", message: detail, path };
+    case "denied":
+      return { code: "PATH_OUT_OF_BOUNDS", message: detail, path };
   }
 }
 

package/src/tools/shared/filesystem/path-policy.ts

@@ -11,7 +11,14 @@ import {
 /**
  * Result type shared by both sandbox and host path policies.
  */
-export type PathFailureReason = "not_absolute" | "out_of_bounds";
+export type PathFailureReason = "not_absolute" | "out_of_bounds" | "denied";
+
+/**
+ * Basenames that must never be read or written by the assistant, regardless
+ * of where they resolve. Defense-in-depth: even if a key file is accidentally
+ * placed inside the workspace boundary, the assistant cannot access it.
+ */
+const DENIED_BASENAMES = new Set([".backup.key", "backup.key"]);
 
 export type PathResult =
   | { ok: true; resolved: string }
@@ -106,6 +113,16 @@ export function sandboxPolicy(
     };
   }
 
+  // Check both the logical path and the symlink-resolved path so a symlink
+  // with a non-denied name pointing at a denied file is still caught.
+  if (DENIED_BASENAMES.has(basename(resolved)) || DENIED_BASENAMES.has(basename(realResolved))) {
+    return {
+      ok: false,
+      reason: "denied",
+      error: `Access to "${basename(resolved)}" is denied`,
+    };
+  }
+
   return { ok: true, resolved };
 }
 
@@ -125,5 +142,12 @@ export function hostPolicy(rawPath: string): PathResult {
       error: `path must be absolute for host file access: ${rawPath}`,
     };
   }
+  if (DENIED_BASENAMES.has(basename(rawPath))) {
+    return {
+      ok: false,
+      reason: "denied",
+      error: `Access to "${basename(rawPath)}" is denied`,
+    };
+  }
   return { ok: true, resolved: rawPath };
 }

package/src/tools/skills/load.ts

@@ -29,9 +29,6 @@ import { getWorkspaceDirDisplay } from "../../util/platform.js";
 import { registerTool } from "../registry.js";
 import type { Tool, ToolContext, ToolExecutionResult } from "../types.js";
 
-/** Canonical feature flag key for inline skill command expansion. */
-const INLINE_COMMANDS_FLAG_KEY = "inline-skill-commands";
-
 /** Skill sources eligible for inline command expansion in v1. */
 const INLINE_COMMAND_ELIGIBLE_SOURCES = new Set([
   "bundled",
@@ -300,20 +297,6 @@ export class SkillLoadTool implements Tool {
       skill.inlineCommandExpansions && skill.inlineCommandExpansions.length > 0;
 
     if (hasInlineCommands) {
-      const inlineFlagEnabled = isAssistantFeatureFlagEnabled(
-        INLINE_COMMANDS_FLAG_KEY,
-        config,
-      );
-
-      if (!inlineFlagEnabled) {
-        // Feature flag is off: fail closed instead of leaving live tokens in
-        // the prompt that the LLM might try to interpret.
-        return {
-          content: `Error: skill "${skill.id}" contains inline command expansions but the inline-skill-commands feature flag is disabled. Enable the flag to use this skill.`,
-          isError: true,
-        };
-      }
-
       if (skill.source === "extra") {
         // Third-party extra roots are out of scope for inline command
         // expansion in v1. Reject explicitly so the failure is clear.
@@ -391,21 +374,6 @@ export class SkillLoadTool implements Tool {
             childLoaded.skill.inlineCommandExpansions.length > 0;
 
           if (childHasInlineCommands) {
-            const childInlineFlagEnabled = isAssistantFeatureFlagEnabled(
-              INLINE_COMMANDS_FLAG_KEY,
-              config,
-            );
-
-            // Fail closed: if the flag is off, reject the entire skill_load
-            // just like we do for root skills. Leaving raw !`...` tokens in
-            // the prompt would violate the documented fail-closed contract.
-            if (!childInlineFlagEnabled) {
-              return {
-                content: `Error: included skill "${childId}" contains inline command expansions but the inline-skill-commands feature flag is disabled. Enable the flag to use skill "${skill.id}".`,
-                isError: true,
-              };
-            }
-
             if (childLoaded.skill.source === "extra") {
               return {
                 content: `Error: included skill "${childId}" contains inline command expansions but inline commands are not supported for third-party (extra) skill sources.`,

package/src/tools/skills/sandbox-runner.ts

@@ -6,7 +6,6 @@ import { join, resolve } from "node:path";
 import { computeSkillVersionHash } from "../../skills/version-hash.js";
 import { safeStringSlice } from "../../util/unicode.js";
 import { buildSanitizedEnv } from "../terminal/safe-env.js";
-import { wrapCommand } from "../terminal/sandbox.js";
 import type { ToolContext, ToolExecutionResult } from "../types.js";
 
 const DEFAULT_TIMEOUT_MS = 30_000;
@@ -138,12 +137,8 @@ function spawnRunner(
     const stderrChunks: Buffer[] = [];
     let timedOut = false;
 
-    // The assistant runs exclusively in Docker or platform-managed
-    // environments where the container provides isolation.
-    const sandboxConfig = { enabled: false } as const;
-
     const bunRunCmd = "bun run __skill_runner.ts";
-    const wrapped = wrapCommand(bunRunCmd, runDir, sandboxConfig);
+    const wrapped = { command: "bash", args: ["-c", "--", bunRunCmd] };
 
     const env = buildSanitizedEnv();
     env.__SKILL_INPUT_JSON = JSON.stringify(input);

package/src/tools/skills/skill-tool-factory.ts

@@ -15,6 +15,31 @@ const riskMap: Record<SkillToolEntry["risk"], RiskLevel> = {
   high: RiskLevel.High,
 };
 
+/**
+ * Validate that all keys in `input` are declared in the tool's input_schema
+ * properties. Returns an error result listing unknown parameters, or undefined
+ * if validation passes.
+ */
+function validateNoUnknownParams(
+  toolName: string,
+  input: Record<string, unknown>,
+  schema: SkillToolEntry["input_schema"],
+): ToolExecutionResult | undefined {
+  const properties = schema?.properties;
+  if (!properties) return undefined;
+
+  const knownKeys = new Set(Object.keys(properties));
+  const unknownKeys = Object.keys(input).filter((k) => !knownKeys.has(k));
+  if (unknownKeys.length === 0) return undefined;
+
+  const listed = unknownKeys.map((k) => `"${k}"`).join(", ");
+  const supported = [...knownKeys].map((k) => `"${k}"`).join(", ");
+  return {
+    content: `Unknown parameter${unknownKeys.length > 1 ? "s" : ""} ${listed} for tool "${toolName}". Supported parameters: ${supported}. Remove unsupported parameters and retry.`,
+    isError: true,
+  };
+}
+
 /**
  * Create a runtime Tool object from a manifest entry.
  * Maps SkillToolEntry metadata to the Tool interface and routes execution
@@ -50,6 +75,13 @@ export function createSkillTool(
       input: Record<string, unknown>,
       context: ToolContext,
     ): Promise<ToolExecutionResult> {
+      const validationError = validateNoUnknownParams(
+        entry.name,
+        input,
+        entry.input_schema,
+      );
+      if (validationError) return validationError;
+
       return runSkillToolScript(skillDir, entry.executor, input, context, {
         target: entry.execution_target,
         expectedSkillVersionHash: versionHash,

package/src/tools/terminal/safe-env.ts

@@ -54,6 +54,7 @@ export const SAFE_ENV_VARS = [
   "VELLUM_PROFILER_MIN_FREE_MB",
   "VELLUM_MEMORY_LIMIT",
   "VELLUM_CPU_LIMIT",
+  "VELLUM_MINIKUBE_STORAGE_SIZE",
   "VELLUM_BACKUP_DIR",
   "VELLUM_BACKUP_KEY_PATH",
 ] as const;

package/src/tools/terminal/shell.ts

@@ -1,7 +1,5 @@
 import type { ChildProcess } from "node:child_process";
 import { spawn } from "node:child_process";
-import { homedir } from "node:os";
-import { dirname, join } from "node:path";
 
 import { getConfig } from "../../config/loader.js";
 import { isCesShellLockdownEnabled } from "../../credential-execution/feature-gates.js";
@@ -11,11 +9,7 @@ import { isUntrustedTrustClass } from "../../runtime/actor-trust-resolver.js";
 import { wakeAgentForOpportunity } from "../../runtime/agent-wake.js";
 import { redactSecrets } from "../../security/secret-scanner.js";
 import { getLogger } from "../../util/logger.js";
-import {
-  getDataDir,
-  getProtectedDir,
-  getWorkspaceDir,
-} from "../../util/platform.js";
+import { getDataDir } from "../../util/platform.js";
 import {
   generateBackgroundToolId,
   isBackgroundToolLimitReached,
@@ -37,7 +31,6 @@ import type {
   ToolExecutionResult,
 } from "../types.js";
 import { buildSanitizedEnv } from "./safe-env.js";
-import { wrapCommand } from "./sandbox.js";
 
 /** Build a credential ref resolution trace for diagnostic logging. */
 function buildCredentialRefTrace(
@@ -48,62 +41,6 @@ function buildCredentialRefTrace(
   return { rawRefs, resolvedIds, unresolvedRefs };
 }
 
-/**
- * Build the list of absolute paths that should be blocked from read access
- * inside the sandbox when CES shell lockdown is active.
- *
- * Blocked paths include:
- * - Gateway security directory (credential store secrets, CES data)
- * - ~/.vellum/workspace/data/db/ - database files that may contain credential metadata
- * - CES bootstrap socket directory (/run/ces-bootstrap/ or CES_BOOTSTRAP_SOCKET_DIR)
- * - CES managed-mode data root (CES_DATA_DIR, or /ces-data when CES_MANAGED_MODE is set)
- */
-function buildCesProtectedPaths(): string[] {
-  const protectedDirs = process.env.GATEWAY_SECURITY_DIR
-    ? [process.env.GATEWAY_SECURITY_DIR]
-    : Array.from(
-        new Set([join(homedir(), ".vellum", "protected"), getProtectedDir()]),
-      );
-  const paths = [...protectedDirs, join(getWorkspaceDir(), "data", "db")];
-
-  // CES bootstrap socket directory - block access to the Unix socket that
-  // accepts RPC commands from the assistant process.
-  const bootstrapSocketDir =
-    process.env["CES_BOOTSTRAP_SOCKET_DIR"] || "/run/ces-bootstrap";
-  paths.push(bootstrapSocketDir);
-
-  // IPC socket directories - block access to the shared emptyDir volumes
-  // used for gateway↔daemon IPC in containerized deployments.
-  const gatewayIpcSocketDir =
-    process.env["GATEWAY_IPC_SOCKET_DIR"] || "/run/gateway-ipc";
-  paths.push(gatewayIpcSocketDir);
-
-  const assistantIpcSocketDir =
-    process.env["ASSISTANT_IPC_SOCKET_DIR"] || "/run/assistant-ipc";
-  paths.push(assistantIpcSocketDir);
-
-  // If a full socket path override is set (without the dir env var), block
-  // its parent directory as well.
-  if (
-    !process.env["CES_BOOTSTRAP_SOCKET_DIR"] &&
-    process.env["CES_BOOTSTRAP_SOCKET"]
-  ) {
-    paths.push(dirname(process.env["CES_BOOTSTRAP_SOCKET"]));
-  }
-
-  // CES managed-mode private data root - in managed deployments the CES
-  // data lives outside the Vellum root, so it isn't covered by the
-  // gateway security directory entry above.
-  const cesDataDir = process.env["CES_DATA_DIR"];
-  if (cesDataDir) {
-    paths.push(cesDataDir);
-  } else if (process.env["CES_MANAGED_MODE"]) {
-    paths.push("/ces-data");
-  }
-
-  return paths;
-}
-
 const log = getLogger("shell-tool");
 
 class ShellTool implements Tool {
@@ -292,10 +229,6 @@ class ShellTool implements Tool {
       "Executing shell command",
     );
 
-    // The assistant runs exclusively in Docker or platform-managed
-    // environments where the container provides isolation.
-    const sandboxConfig = { enabled: false } as const;
-
     // Acquire proxy session if proxied mode is requested.
     // `getOrStartSession` serializes per-conversation so concurrent proxied
     // commands share a single session instead of each creating one.
@@ -337,16 +270,7 @@ class ShellTool implements Tool {
       env.VELLUM_UNTRUSTED_SHELL = "1";
     }
 
-    // CES shell lockdown: build deny-read paths for protected credential
-    // data, the protected dir, and data sub-dirs that contain secrets.
-    const denyReadPaths: string[] | undefined = shellLockdownActive
-      ? buildCesProtectedPaths()
-      : undefined;
-
-    const wrapped = wrapCommand(command, context.workingDir, sandboxConfig, {
-      networkMode,
-      denyReadPaths,
-    });
+    const wrapped = { command: "bash", args: ["-c", "--", command] };
 
     // -----------------------------------------------------------------------
     // Background mode: spawn and return immediately. The process output is

package/src/tools/tool-approval-handler.ts

@@ -292,11 +292,7 @@ export class ToolApprovalHandler {
       executionTarget,
     );
 
-    if (
-      isUntrustedTrustClass(context.trustClass) &&
-      guardianApprovalRequired &&
-      context.trustClass !== "trusted_contact"
-    ) {
+    if (isUntrustedTrustClass(context.trustClass) && guardianApprovalRequired) {
       const inputDigest = computeToolApprovalDigest(name, input);
       needsGrantConsumption = true;
       deferredConsumeParams = {

package/src/tools/types.ts

@@ -10,15 +10,10 @@ import type {
   ToolExecutionStartEvent,
   ToolPermissionDeniedEvent,
   ToolPermissionPromptEvent,
-  ToolSecretDetectedEvent,
 } from "@vellumai/skill-host-contracts";
 
 import type { InterfaceId } from "../channels/types.js";
 import type { CesClient } from "../credential-execution/client.js";
-import type { HostBashProxy } from "../daemon/host-bash-proxy.js";
-import type { HostBrowserProxy } from "../daemon/host-browser-proxy.js";
-import type { HostFileProxy } from "../daemon/host-file-proxy.js";
-import type { HostTransferProxy } from "../daemon/host-transfer-proxy.js";
 import type { SecretPromptResult } from "../permissions/secret-prompter.js";
 import type { ContentBlock } from "../providers/types.js";
 import type { TrustClass } from "../runtime/actor-trust-resolver.js";
@@ -59,7 +54,6 @@ export type {
   ToolExecutionStartEvent,
   ToolPermissionDeniedEvent,
   ToolPermissionPromptEvent,
-  ToolSecretDetectedEvent,
 } from "@vellumai/skill-host-contracts";
 export { RiskLevel } from "@vellumai/skill-host-contracts";
 
@@ -97,6 +91,14 @@ export interface ToolExecutionResult {
   riskLevel?: string;
   /** Human-readable reason for the risk classification. */
   riskReason?: string;
+  /** ID of the trust rule that matched this invocation (if any). */
+  matchedTrustRuleId?: string;
+  /** How the decision was reached: prompted, auto, blocked, or unknown (legacy). */
+  approvalMode?: string;
+  /** Why the decision was reached (stable enum for client display). */
+  approvalReason?: string;
+  /** Snapshot of the auto-approve threshold at the time of execution. */
+  riskThreshold?: string;
   /** Whether the daemon is running in a containerized (Docker) environment. */
   isContainerized?: boolean;
   /** Scope options ladder for the rule editor (narrowest to broadest). */
@@ -134,6 +136,12 @@ export interface ToolExecutedEvent {
   requestId?: string;
   executionTarget?: ExecutionTarget;
   riskLevel: string;
+  /** ID of the trust rule that matched this invocation (if any). */
+  matchedTrustRuleId?: string;
+  /** How the approval decision was reached. Copied from PermissionDecision for analytics consumers. */
+  approvalMode?: string;
+  /** Why the approval decision was reached (stable enum). Copied from PermissionDecision for analytics consumers. */
+  approvalReason?: string;
   decision: string;
   durationMs: number;
   result: ToolExecutionResult;
@@ -144,8 +152,7 @@ export type ToolLifecycleEvent =
   | ToolPermissionPromptEvent
   | ToolPermissionDeniedEvent
   | ToolExecutedEvent
-  | ToolExecutionErrorEvent
-  | ToolSecretDetectedEvent;
+  | ToolExecutionErrorEvent;
 
 export type ToolLifecycleEventHandler = (
   event: ToolLifecycleEvent,
@@ -164,7 +171,7 @@ export interface ToolContext {
   onOutput?: (chunk: string) => void;
   /** Abort signal for cooperative cancellation. Tools should check this periodically. */
   signal?: AbortSignal;
-  /** Optional callback for tool lifecycle events (start/prompt/deny/execute/error/secret_detected). */
+  /** Optional callback for tool lifecycle events (start/prompt/deny/execute/error). */
   onToolLifecycleEvent?: ToolLifecycleEventHandler;
   /** Optional resolver for proxy tools - delegates execution to an external client. */
   proxyToolResolver?: ProxyToolResolver;
@@ -239,14 +246,6 @@ export interface ToolContext {
   channelPermissionChannelId?: string;
   /** The tool_use block ID from the LLM response, used to correlate confirmation prompts with specific tool invocations. */
   toolUseId?: string;
-  /** Optional proxy for delegating host_bash execution to a connected client (managed/cloud-hosted mode). */
-  hostBashProxy?: HostBashProxy;
-  /** Optional proxy for delegating CDP commands to a connected client (managed/cloud-hosted mode). */
-  hostBrowserProxy?: HostBrowserProxy;
-  /** Optional proxy for delegating host_file_read/write/edit execution to a connected client (managed/cloud-hosted mode). */
-  hostFileProxy?: HostFileProxy;
-  /** Optional proxy for delegating bidirectional file transfers between sandbox and host (managed/cloud-hosted mode). */
-  hostTransferProxy?: HostTransferProxy;
   /** True when the assistant is running as a platform-managed remote instance. Used to auto-approve sandboxed bash tools. */
   isPlatformHosted?: boolean;
   /** CES RPC client for credential execution operations. When present, the executor can bridge CES approval flows. */
@@ -259,28 +258,6 @@ export interface ToolContext {
    * to cdp-inspect or local Playwright.
    */
   transportInterface?: InterfaceId;
-  /**
-   * True when the host browser proxy's sender was overridden by a
-   * registry-routed extension connection (ChromeExtensionRegistry WebSocket).
-   * The CDP factory uses this to distinguish between an SSE-backed proxy
-   * (macOS, no extension) and an extension-backed proxy: only the latter
-   * should suppress desktop-auto cdp-inspect when temporarily unavailable,
-   * because the extension transport was explicitly expected and the
-   * disconnection is transient. An SSE-backed proxy that reports
-   * unavailable (e.g. non-interactive turn) should NOT suppress
-   * cdp-inspect — the proxy was never expected to service browser requests.
-   */
-  hostBrowserRegistryRouted?: boolean;
-  /**
-   * Connected clients that support the `host_browser` capability, populated
-   * from the ClientRegistry. Used by `browser status` to report accurate
-   * extension availability even when no proxy is bound to the current
-   * conversation (e.g. when called from the CLI without a conversation ID).
-   */
-  connectedBrowserClients?: Array<{
-    clientId: string;
-    interfaceId: string;
-  }>;
   /**
    * The per-turn inference-profile override the agent loop is currently
    * running under, propagated through tool context so subagent-spawn tools