@vellumai/assistant 0.7.1 → 0.7.2

package/src/providers/speech-to-text/provider-catalog.ts

@@ -34,7 +34,7 @@ import type {
  *   Twilio. A `<Stream>` media-stream is opened and the daemon transcribes
  *   audio server-side via the provider's batch API.
  */
-export type TelephonyStrategyKind =
+type TelephonyStrategyKind =
   | "conversation-relay-native"
   | "media-stream-custom";
 
@@ -51,7 +51,7 @@ export type TwilioNativeProvider = "Deepgram" | "Google";
  * ConversationRelay. Only present when `strategyKind` is
  * `"conversation-relay-native"`.
  */
-export interface TwilioNativeMapping {
+interface TwilioNativeMapping {
   /** Twilio-native provider name for the TwiML `transcriptionProvider` attribute. */
   readonly provider: TwilioNativeProvider;
   /**
@@ -69,7 +69,7 @@ export interface TwilioNativeMapping {
  * The telephony routing resolver reads these fields from the catalog
  * instead of maintaining its own hardcoded maps.
  */
-export interface TelephonyRouting {
+interface TelephonyRouting {
   /** Which Twilio call-setup strategy this provider uses. */
   readonly strategyKind: TelephonyStrategyKind;
   /**
@@ -84,10 +84,10 @@ export interface TelephonyRouting {
 // ---------------------------------------------------------------------------
 
 /** How the provider's credentials are configured by the user. */
-export type SttSetupMode = "api-key" | "cli";
+type SttSetupMode = "api-key" | "cli";
 
 /** Guide for obtaining API credentials from a provider. */
-export interface SttCredentialsGuide {
+interface SttCredentialsGuide {
   readonly description: string;
   readonly url: string;
   readonly linkLabel: string;
@@ -100,7 +100,7 @@ export interface SttCredentialsGuide {
 /**
  * Metadata for a single STT provider.
  */
-export interface SttProviderEntry {
+interface SttProviderEntry {
   /** Canonical provider identifier (must match an {@link SttProviderId} variant). */
   readonly id: SttProviderId;
 
@@ -262,8 +262,7 @@ const CATALOG: ReadonlyMap<SttProviderId, SttProviderEntry> = new Map<
       subtitle:
         "High-accuracy speech-to-text powered by OpenAI Whisper. Requires an OpenAI API key.",
       setupMode: "api-key",
-      setupHint:
-        "Enter your OpenAI API key to enable Whisper transcription.",
+      setupHint: "Enter your OpenAI API key to enable Whisper transcription.",
       credentialProvider: "openai",
       supportedBoundaries: new Set<SttBoundaryId>([
         "daemon-batch",

package/src/runtime/assistant-event-hub.ts

@@ -14,6 +14,31 @@
 
 import type { HostProxyCapability, InterfaceId } from "../channels/types.js";
 import type { ServerMessage } from "../daemon/message-protocol.js";
+
+// ---------------------------------------------------------------------------
+// Message type → capability inference
+// ---------------------------------------------------------------------------
+
+const HOST_PREFIX_TO_CAPABILITY: Record<string, HostProxyCapability> = {
+  host_bash: "host_bash",
+  host_file: "host_file",
+  host_transfer: "host_file", // transfers piggyback on host_file capability
+  host_cu: "host_cu",
+  host_browser: "host_browser",
+  host_app_control: "host_app_control",
+};
+
+/**
+ * Infer the {@link HostProxyCapability} a message should be targeted at based
+ * on its `type` field.  Returns `undefined` for message types that are not
+ * host-proxy messages (i.e. they should broadcast to all subscribers).
+ */
+export function capabilityForMessageType(
+  type: string,
+): HostProxyCapability | undefined {
+  const stem = type.replace(/_(request|cancel)$/, "");
+  return HOST_PREFIX_TO_CAPABILITY[stem];
+}
 import { emitFeedEvent } from "../home/emit-feed-event.js";
 import { rewriteCommandPreview } from "../home/rewrite-command-preview.js";
 import { redactSecrets } from "../security/secret-scanner.js";
@@ -22,7 +47,6 @@ import { summarizeToolInput } from "../tools/tool-input-summary.js";
 import { getLogger } from "../util/logger.js";
 import type { AssistantEvent } from "./assistant-event.js";
 import { buildAssistantEvent } from "./assistant-event.js";
-import * as pendingInteractions from "./pending-interactions.js";
 
 const log = getLogger("assistant-event-hub");
 
@@ -61,6 +85,7 @@ export interface ClientEntry extends BaseSubscriberEntry {
   clientId: string;
   interfaceId: InterfaceId;
   capabilities: HostProxyCapability[];
+  machineName?: string;
 }
 
 export interface ProcessEntry extends BaseSubscriberEntry {
@@ -216,7 +241,12 @@ export class AssistantEventHub {
    * Publish an event to all matching subscribers.
    *
    * Matching rules:
-   * - if `filter.conversationId` is set, `event.conversationId` must equal it
+   * - if `targetClientId` is set, deliver only to the subscriber with that
+   *   clientId, bypassing the conversation-id filter entirely (the web-origin
+   *   event's conversationId differs from the macOS client's subscribed
+   *   conversation).
+   * - if `filter.conversationId` is set (and `targetClientId` is not), the
+   *   `event.conversationId` must equal it
    * - if `targetCapability` is set, only subscribers whose capabilities include
    *   it receive the event; untargeted events go to all
    *
@@ -225,7 +255,7 @@ export class AssistantEventHub {
    */
   async publish(
     event: AssistantEvent,
-    options?: { targetCapability?: HostProxyCapability },
+    options?: { targetCapability?: HostProxyCapability; targetClientId?: string },
   ): Promise<void> {
     if (event.conversationId) {
       try {
@@ -236,29 +266,40 @@ export class AssistantEventHub {
     }
 
     const targetCapability = options?.targetCapability;
+    const targetClientId = options?.targetClientId;
     const snapshot = Array.from(this.subscribers);
     const errors: unknown[] = [];
 
     for (const entry of snapshot) {
       if (!entry.active) continue;
 
-      // Conversation scoping: scoped events skip subscribers filtering on a
-      // different conversation.
-      if (
-        event.conversationId != null &&
-        entry.filter.conversationId != null &&
-        entry.filter.conversationId !== event.conversationId
-      )
-        continue;
-
-      // Capability targeting: targeted events only go to subscribers that
-      // declare the required capability.
-      if (targetCapability != null) {
+      if (targetClientId != null) {
+        // Targeted: bypass conversation filter, deliver only to the named client.
+        if (entry.type !== "client" || entry.clientId !== targetClientId)
+          continue;
         if (
-          entry.type !== "client" ||
+          targetCapability != null &&
           !entry.capabilities.includes(targetCapability)
         )
           continue;
+      } else {
+        // Untargeted: existing conversation-scoped + capability logic.
+        if (
+          event.conversationId != null &&
+          entry.filter.conversationId != null &&
+          entry.filter.conversationId !== event.conversationId
+        )
+          continue;
+
+        // Capability targeting: targeted events only go to subscribers that
+        // declare the required capability.
+        if (targetCapability != null) {
+          if (
+            entry.type !== "client" ||
+            !entry.capabilities.includes(targetCapability)
+          )
+            continue;
+        }
       }
 
       try {
@@ -276,6 +317,18 @@ export class AssistantEventHub {
     }
   }
 
+  /**
+   * Return the active client subscriber with the given clientId, or
+   * `undefined` if no such subscriber exists.
+   */
+  getClientById(clientId: string): ClientEntry | undefined {
+    for (const entry of this.subscribers) {
+      if (entry.active && entry.type === "client" && entry.clientId === clientId)
+        return entry;
+    }
+    return undefined;
+  }
+
   /**
    * Returns true when at least one active subscriber would receive the given
    * event based on the same conversation matching rules as publish().
@@ -338,6 +391,35 @@ export class AssistantEventHub {
     return this.listClientsByCapability(capability)[0];
   }
 
+  /**
+   * Return the best client for the given capability using an explicit
+   * interface preference order. Among clients that support `capability`,
+   * the one whose `interfaceId` appears earliest in `interfacePreference`
+   * wins. Within the same interface tier, `lastActiveAt` is the tiebreaker
+   * (most recent first). Clients not in the preference list are considered last.
+   *
+   * Used by {@link HostBrowserProxy} to prefer the Chrome Extension
+   * (`chrome-extension`) over the macOS SSE bridge (`macos`) when both are
+   * connected, so `chrome.debugger` is used ahead of the localhost:9222 path.
+   */
+  getPreferredClientByCapability(
+    capability: HostProxyCapability,
+    interfacePreference: InterfaceId[],
+  ): ClientEntry | undefined {
+    const clients = this.listClientsByCapability(capability);
+    if (clients.length === 0) return undefined;
+    // listClientsByCapability returns clients sorted by lastActiveAt desc
+    // (most recent first). A stable sort by preference index preserves that
+    // ordering within each interface tier.
+    return clients.sort((a, b) => {
+      const ai = interfacePreference.indexOf(a.interfaceId);
+      const bi = interfacePreference.indexOf(b.interfaceId);
+      const ea = ai === -1 ? interfacePreference.length : ai;
+      const eb = bi === -1 ? interfacePreference.length : bi;
+      return ea - eb;
+    })[0];
+  }
+
   /**
    * Return all client subscribers with the given interface type,
    * sorted by `lastActiveAt` descending.
@@ -372,10 +454,7 @@ export class AssistantEventHub {
   disposeClient(clientId: string): number {
     const targets: SubscriberEntry[] = [];
     for (const entry of this.subscribers) {
-      if (
-        entry.type === "client" &&
-        entry.clientId === clientId
-      ) {
+      if (entry.type === "client" && entry.clientId === clientId) {
         targets.push(entry);
       }
     }
@@ -432,25 +511,27 @@ let _hubChain = Promise.resolve();
  * When `conversationId` is omitted, it is auto-extracted from the message
  * payload (if present).
  *
+ * Target capability is inferred automatically from the message type — callers
+ * never need to specify it.  Host-proxy messages (`host_bash_*`,
+ * `host_file_*`, `host_transfer_*`, `host_cu_*`, `host_browser_*`) are routed
+ * only to subscribers that declare the matching capability; all other messages
+ * broadcast to every subscriber.
+ *
  * This is the primary entrypoint for emitting events — handlers, routes, and
  * services should call this directly instead of threading a broadcast callback.
  */
 export function broadcastMessage(
   msg: ServerMessage,
   conversationId?: string,
-  options?: { targetCapability?: HostProxyCapability },
+  options?: { targetClientId?: string },
 ): void {
   const resolvedConversationId = conversationId ?? extractConversationId(msg);
+  const targetClientId = options?.targetClientId;
 
-  // Register pending interactions so approval/host prompts are tracked
-  // regardless of which path triggered the broadcast.
-  if (resolvedConversationId) {
-    registerPendingInteraction(msg, resolvedConversationId);
-  }
-
-  // Emit feed events for confirmation requests (tool approval prompts).
+  // Confirmation-request side effects: feed event + canonical guardian request.
   if (msg.type === "confirmation_request" && resolvedConversationId) {
     void emitConfirmationFeedEvent(msg, resolvedConversationId);
+    void createCanonicalRequestForConfirmation(msg, resolvedConversationId);
   }
 
   // `conversation_list_invalidated` is a list-level system event — publish
@@ -460,8 +541,13 @@ export function broadcastMessage(
       ? undefined
       : resolvedConversationId;
   const event = buildAssistantEvent(msg, scopedConversationId);
+  const targetCapability = capabilityForMessageType(msg.type);
+  const publishOptions =
+    targetCapability != null || targetClientId != null
+      ? { targetCapability, targetClientId }
+      : undefined;
   _hubChain = _hubChain
-    .then(() => assistantEventHub.publish(event, options))
+    .then(() => assistantEventHub.publish(event, publishOptions))
     .then(() => {
       // When a conversation title changes, also broadcast an unscoped
       // `conversation_list_invalidated` so every connected client's sidebar
@@ -495,7 +581,7 @@ function extractConversationId(msg: ServerMessage): string | undefined {
   return undefined;
 }
 
-// ── Pending interaction registration ──────────────────────────────────────────
+// ── Canonical guardian request ────────────────────────────────────────────────
 
 function resolveCanonicalRequestSourceType(
   sourceChannel: string,
@@ -505,74 +591,10 @@ function resolveCanonicalRequestSourceType(
   return "channel";
 }
 
-/**
- * Register pending interactions for request-type messages so approval and
- * host prompts are tracked regardless of which code path broadcasts them.
- *
- * Heavy dependencies (conversation-store, canonical-guardian-store, etc.) are
- * imported lazily so that loading this module during tests doesn't trigger
- * config/data-dir side effects.
- */
-function registerPendingInteraction(
-  msg: ServerMessage,
-  conversationId: string,
-): void {
-  if (msg.type === "confirmation_request") {
-    pendingInteractions.register(msg.requestId, {
-      conversationId,
-      kind: "confirmation",
-      confirmationDetails: {
-        toolName: msg.toolName,
-        input: msg.input,
-        riskLevel: msg.riskLevel,
-        executionTarget: msg.executionTarget,
-        allowlistOptions: msg.allowlistOptions,
-        scopeOptions: msg.scopeOptions,
-        persistentDecisionsAllowed: msg.persistentDecisionsAllowed,
-      },
-    });
-
-    // Create canonical guardian request asynchronously — heavy deps are
-    // imported lazily to avoid pulling in conversation-store (and
-    // transitively config/loader → ensureDataDir) at module-load time.
-    void createCanonicalRequestForConfirmation(msg, conversationId);
-  } else if (msg.type === "secret_request") {
-    pendingInteractions.register(msg.requestId, {
-      conversationId,
-      kind: "secret",
-    });
-  } else if (msg.type === "host_bash_request") {
-    pendingInteractions.register(msg.requestId, {
-      conversationId,
-      kind: "host_bash",
-    });
-  } else if (msg.type === "host_browser_request") {
-    pendingInteractions.register(msg.requestId, {
-      conversationId,
-      kind: "host_browser",
-    });
-  } else if (msg.type === "host_file_request") {
-    pendingInteractions.register(msg.requestId, {
-      conversationId,
-      kind: "host_file",
-    });
-  } else if (msg.type === "host_cu_request") {
-    pendingInteractions.register(msg.requestId, {
-      conversationId,
-      kind: "host_cu",
-    });
-  } else if (msg.type === "host_transfer_request") {
-    pendingInteractions.register(msg.requestId, {
-      conversationId,
-      kind: "host_transfer",
-    });
-  }
-}
-
 /**
  * Lazily load heavy dependencies and create a canonical guardian request +
- * bridge for a confirmation_request message. Runs fire-and-forget from
- * registerPendingInteraction.
+ * bridge for a confirmation_request message. Called fire-and-forget from
+ * broadcastMessage.
  */
 async function createCanonicalRequestForConfirmation(
   msg: ServerMessage & { type: "confirmation_request" },

package/src/runtime/assistant-event.ts

@@ -16,6 +16,7 @@ import type { ServerMessage } from "../daemon/message-protocol.js";
 export {
   formatSseFrame,
   formatSseHeartbeat,
+  formatSseHeartbeatWithData,
 } from "@vellumai/skill-host-contracts";
 
 /** Daemon-side specialization of the generic event envelope. */

package/src/runtime/auth/__tests__/middleware.test.ts

@@ -35,12 +35,6 @@ mock.module("../../../config/env.js", () => ({
 
 import { DAEMON_INTERNAL_ASSISTANT_ID } from "../../assistant-scope.js";
 import {
-  mintHostBrowserCapability,
-  resetCapabilityTokenSecretForTests,
-  setCapabilityTokenSecretForTests,
-} from "../../capability-tokens.js";
-import {
-  authenticateHostBrowserResultRequest,
   authenticateRequest,
 } from "../middleware.js";
 import { initAuthSigningKey, mintToken } from "../token-service.js";
@@ -272,55 +266,20 @@ describe("authenticateRequest", () => {
 });
 
 // ---------------------------------------------------------------------------
-// authenticateHostBrowserResultRequest — capability-token-aware auth for the
-// /v1/host-browser-result POST route. Verifies that both the capability-token
-// and JWT paths are accepted, and that a garbage bearer falls through to the
-// JWT path and emits a 401 like any other invalid token.
+// /v1/host-browser-result auth — exercises authenticateRequest with the
+// same request shape the chrome extension sends. Validates that standard
+// JWT auth applies after the capability-token system was removed.
 // ---------------------------------------------------------------------------
 
-describe("authenticateHostBrowserResultRequest", () => {
-  const CAPABILITY_SECRET = Buffer.alloc(32, 7);
-
-  beforeEach(() => {
-    // Pin the capability-token HMAC secret so mint/verify agree across
-    // the test run. The module-level secret cache is reset between
-    // tests so dev-bypass flipping doesn't leak stale state.
-    setCapabilityTokenSecretForTests(CAPABILITY_SECRET);
-  });
-
-  afterAll(() => {
-    resetCapabilityTokenSecretForTests();
-  });
-
-  test("accepts a valid capability token and synthesizes an actor AuthContext", async () => {
-    const { token } = mintHostBrowserCapability("guardian-cap-happy");
-    const req = new Request("http://localhost/v1/host-browser-result", {
-      method: "POST",
-      headers: { Authorization: `Bearer ${token}` },
-    });
-
-    const result = await authenticateHostBrowserResultRequest(req);
-    expect(result.ok).toBe(true);
-    if (result.ok) {
-      expect(result.context.principalType).toBe("actor");
-      expect(result.context.assistantId).toBe(DAEMON_INTERNAL_ASSISTANT_ID);
-      expect(result.context.actorPrincipalId).toBe("guardian-cap-happy");
-      expect(result.context.scopeProfile).toBe("actor_client_v1");
-      // The synthetic context must carry the scopes the route policy
-      // requires — otherwise the router would 403 the POST even though
-      // auth succeeded.
-      expect(result.context.scopes.has("approval.write")).toBe(true);
-    }
-  });
-
-  test("accepts a valid daemon-audience JWT (regression for the legacy path)", async () => {
+describe("authenticateRequest for /v1/host-browser-result", () => {
+  test("accepts a valid daemon-audience JWT", async () => {
     const token = mintValidToken({ sub: "actor:self:jwt-principal" });
     const req = new Request("http://localhost/v1/host-browser-result", {
       method: "POST",
       headers: { Authorization: `Bearer ${token}` },
     });
 
-    const result = await authenticateHostBrowserResultRequest(req);
+    const result = await authenticateRequest(req);
     expect(result.ok).toBe(true);
     if (result.ok) {
       expect(result.context.principalType).toBe("actor");
@@ -334,25 +293,21 @@ describe("authenticateHostBrowserResultRequest", () => {
       method: "POST",
     });
 
-    const result = await authenticateHostBrowserResultRequest(req);
+    const result = await authenticateRequest(req);
     expect(result.ok).toBe(false);
     if (!result.ok) {
       expect(result.response.status).toBe(401);
     }
   });
 
-  test("malformed bearer falls through to JWT path and 401s", async () => {
-    // A bearer that is neither a valid capability token (bad HMAC) nor a
-    // parseable JWT must fail the JWT path and return 401. This is the
-    // primary regression guard against someone accidentally making the
-    // capability-token branch "allow-anything" by swallowing
-    // verification failures.
+  test("malformed bearer returns 401", async () => {
+    // A bearer that is not a parseable JWT must return 401.
     const req = new Request("http://localhost/v1/host-browser-result", {
       method: "POST",
       headers: { Authorization: "Bearer not-a-token.xxxxxxxxxxxxx" },
     });
 
-    const result = await authenticateHostBrowserResultRequest(req);
+    const result = await authenticateRequest(req);
     expect(result.ok).toBe(false);
     if (!result.ok) {
       expect(result.response.status).toBe(401);
@@ -366,7 +321,7 @@ describe("authenticateHostBrowserResultRequest", () => {
       method: "POST",
     });
 
-    const result = await authenticateHostBrowserResultRequest(req);
+    const result = await authenticateRequest(req);
     expect(result.ok).toBe(true);
     if (result.ok) {
       // Same synthetic context shape as authenticateRequest's dev

package/src/runtime/auth/middleware.ts

@@ -25,7 +25,6 @@
 import { isHttpAuthDisabled } from "../../config/env.js";
 import { getLogger } from "../../util/logger.js";
 import { DAEMON_INTERNAL_ASSISTANT_ID } from "../assistant-scope.js";
-import { verifyHostBrowserCapability } from "../capability-tokens.js";
 import { extractBearerToken } from "../middleware/auth.js";
 import { buildAuthContext } from "./context.js";
 import { resolveScopeProfile } from "./scopes.js";
@@ -188,99 +187,4 @@ export function authenticateRequest(req: Request): AuthenticateResult {
   return { ok: true, context: contextResult.context };
 }
 
-// ---------------------------------------------------------------------------
-// Capability-token-aware auth for /v1/host-browser-result
-// ---------------------------------------------------------------------------
 
-/**
- * Build a synthetic AuthContext from a verified host_browser capability
- * claim. The resulting context is shaped to look like an
- * `actor_client_v1` actor so downstream route policy (which requires
- * `approval.write`) and `requireBoundGuardian` (which compares
- * `actorPrincipalId` against the bound guardian) both accept it.
- *
- * The capability token already carries its own HMAC-checked expiry, so
- * there is no policy-epoch gate to apply here — we pin `policyEpoch` to
- * `Number.MAX_SAFE_INTEGER` the same way the dev-bypass context does.
- */
-function buildCapabilityAuthContext(guardianId: string): AuthContext {
-  return {
-    subject: `actor:${DAEMON_INTERNAL_ASSISTANT_ID}:${guardianId}`,
-    principalType: "actor",
-    assistantId: DAEMON_INTERNAL_ASSISTANT_ID,
-    actorPrincipalId: guardianId,
-    scopeProfile: "actor_client_v1",
-    scopes: resolveScopeProfile("actor_client_v1"),
-    policyEpoch: Number.MAX_SAFE_INTEGER,
-  };
-}
-
-/**
- * Authenticate a request that is allowed to present either a JWT or a
- * host_browser capability token. This is the auth entry point for
- * `/v1/host-browser-result` POST specifically — the chrome extension
- * stores a capability token (minted by the
- * `/v1/browser-extension-pair` flow) rather than a daemon JWT, so the
- * POST fallback used when the `/v1/browser-relay` WebSocket is
- * unavailable would otherwise 401 through the JWT-only
- * `authenticateRequest` path.
- *
- * Order of operations (mirrors `handleBrowserRelayUpgrade`):
- *   1. Extract the bearer token. Missing header → 401.
- *   2. Try `verifyHostBrowserCapability(token)` first. If it succeeds,
- *      derive `guardianId` from the capability claims and synthesize an
- *      AuthContext.
- *   3. Otherwise fall through to the standard JWT path so daemon-minted
- *      JWTs (gateway-proxied or direct) continue to work as a
- *      regression-safe compatibility path.
- *
- * Dev bypass (`isHttpAuthDisabled()`) is honored the same way as
- * `authenticateRequest` — we delegate to it directly to pick up the
- * shared synthetic dev-bypass context.
- */
-export async function authenticateHostBrowserResultRequest(
-  req: Request,
-): Promise<AuthenticateResult> {
-  if (isHttpAuthDisabled()) {
-    return { ok: true, context: buildDevBypassContext() };
-  }
-
-  const rawToken = extractBearerToken(req);
-  if (!rawToken) {
-    log.warn(
-      { reason: "missing_token", path: "/v1/host-browser-result" },
-      "Host browser result auth denied: missing Authorization header",
-    );
-    return {
-      ok: false,
-      response: Response.json(
-        {
-          error: {
-            code: "UNAUTHORIZED",
-            message: "Missing Authorization header",
-          },
-        },
-        { status: 401 },
-      ),
-    };
-  }
-
-  // 1) Capability-token path (self-hosted default). The chrome
-  //    extension presents the token it received from the native
-  //    messaging pair flow. We derive `actorPrincipalId` from the
-  //    capability claims directly — the claims are HMAC-signed by the
-  //    same daemon so there is no cross-tenant risk.
-  const capabilityClaims = await verifyHostBrowserCapability(rawToken);
-  if (capabilityClaims) {
-    return {
-      ok: true,
-      context: buildCapabilityAuthContext(capabilityClaims.guardianId),
-    };
-  }
-
-  // 2) JWT compatibility path. Fall back to the existing daemon/gateway
-  //    JWT verification so cloud callers and any legacy self-hosted
-  //    clients still holding a daemon JWT continue to work. Any 401
-  //    emitted here already includes the JWT-specific reason.
-  return authenticateRequest(req);
-}

package/src/runtime/auth/route-policy.ts

@@ -151,8 +151,11 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   { endpoint: "confirm", scopes: ["approval.write"] },
   { endpoint: "secret", scopes: ["approval.write"] },
   { endpoint: "trust-rules", scopes: ["approval.write"] },
+  { endpoint: "host-app-control-result", scopes: ["approval.write"] },
   { endpoint: "host-bash-result", scopes: ["approval.write"] },
   { endpoint: "host-browser-result", scopes: ["approval.write"] },
+  { endpoint: "host-browser-event", scopes: ["approval.write"] },
+  { endpoint: "host-browser-session-invalidated", scopes: ["approval.write"] },
   { endpoint: "host-cu-result", scopes: ["approval.write"] },
   { endpoint: "host-file-result", scopes: ["approval.write"] },
   { endpoint: "host-transfer-result", scopes: ["approval.write"] },
@@ -204,6 +207,8 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   { endpoint: "contacts/invites:POST", scopes: ["settings.write"] },
   { endpoint: "contacts/invites/redeem", scopes: ["settings.write"] },
   { endpoint: "contacts/invites:DELETE", scopes: ["settings.write"] },
+  { endpoint: "contacts/prompt:POST", scopes: ["settings.write"] },
+  { endpoint: "resolve_contact_prompt:POST", scopes: ["settings.write"] },
   { endpoint: "integrations/telegram/config", scopes: ["settings.read"] },
   { endpoint: "integrations/telegram/config:POST", scopes: ["settings.write"] },
   {
@@ -422,7 +427,15 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   { endpoint: "memory-items:DELETE", scopes: ["settings.write"] },
   { endpoint: "memory/v2/backfill:POST", scopes: ["settings.write"] },
   { endpoint: "memory/v2/validate:POST", scopes: ["settings.read"] },
+  { endpoint: "memory/v2/concept-page:POST", scopes: ["settings.read"] },
   { endpoint: "memory/v2/reembed-skills:POST", scopes: ["settings.write"] },
+  { endpoint: "memory/v2/explain-similarity:POST", scopes: ["settings.read"] },
+  { endpoint: "memory/v2/fit-anisotropy:POST", scopes: ["settings.write"] },
+  {
+    endpoint: "memory/v2/rebuild-corpus-stats:POST",
+    scopes: ["settings.write"],
+  },
+  { endpoint: "memory/v2/fit-anisotropy:POST", scopes: ["settings.write"] },
 
   // Trust rule listing
   { endpoint: "trust-rules/manage:GET", scopes: ["settings.read"] },
@@ -490,6 +503,9 @@ const ACTOR_ENDPOINTS: Array<{ endpoint: string; scopes: Scope[] }> = [
   { endpoint: "consolidation", scopes: ["settings.read"] },
   { endpoint: "consolidation:POST", scopes: ["settings.write"] },
 
+  // Gateway log proxy
+  { endpoint: "gateway/logs/tail", scopes: ["settings.read"] },
+
   // Heartbeat (config, runs, checklist — all share the "heartbeat" policyKey)
   { endpoint: "heartbeat:GET", scopes: ["settings.read"] },
   { endpoint: "heartbeat", scopes: ["settings.write"] },
@@ -563,6 +579,9 @@ const INTERNAL_ENDPOINTS = [
   "internal/twilio/status",
   "internal/twilio/connect-action",
   "internal/oauth/callback",
+  "internal/mcp/auth/start",
+  "internal/mcp/auth/status",
+  "internal/mcp/reload",  // ← new
 ];
 for (const endpoint of INTERNAL_ENDPOINTS) {
   registerPolicy(endpoint, {