@vellumai/assistant 0.7.2 → 0.8.0

package/src/daemon/conversation-runtime-assembly.ts

@@ -33,6 +33,7 @@ import {
 } from "../messaging/providers/slack/render-transcript.js";
 import { getInjectors } from "../plugins/registry.js";
 import type {
+  DiskPressureInjectionContext,
   InjectionBlock,
   InjectionPlacement,
   TurnContext,
@@ -788,6 +789,9 @@ export interface UnifiedTurnContextOptions {
   interfaceName?: string;
   channelName?: string;
   actorContext?: InboundActorContext | null;
+  configuredUserTimezone?: string | null;
+  clientTimezone?: string | null;
+  detectedTimezone?: string | null;
   /**
    * Human-readable duration since the previous user message (e.g. "14h ago",
    * "yesterday", "3d ago"). Only populated when the gap exceeds 12 hours so
@@ -830,6 +834,25 @@ export function buildUnifiedTurnContextBlock(
 
   const lines: string[] = ["<turn_context>"];
   lines.push(`current_time: ${options.timestamp}`);
+  const configuredUserTimezone = options.configuredUserTimezone ?? null;
+  const clientDeviceTimezone =
+    options.clientTimezone ?? options.detectedTimezone ?? null;
+  const hasTimezoneMismatch =
+    configuredUserTimezone !== null &&
+    clientDeviceTimezone !== null &&
+    configuredUserTimezone !== clientDeviceTimezone;
+  if (hasTimezoneMismatch) {
+    const sanitizedConfiguredTimezone = sanitizeInlineContextValue(
+      configuredUserTimezone,
+    );
+    const sanitizedClientDeviceTimezone =
+      sanitizeInlineContextValue(clientDeviceTimezone);
+    lines.push(`configured_user_timezone: ${sanitizedConfiguredTimezone}`);
+    lines.push(`client_device_timezone: ${sanitizedClientDeviceTimezone}`);
+    lines.push(
+      `timezone_update_available: after explicit user confirmation, persist client_device_timezone with \`assistant config set ui.userTimezone "${sanitizedClientDeviceTimezone}"\``,
+    );
+  }
   if (options.timeSinceLastMessage) {
     lines.push(`time_since_last_message: ${options.timeSinceLastMessage}`);
   }
@@ -1609,6 +1632,7 @@ export function loadSlackActiveThreadFocusBlock(
 const RUNTIME_INJECTION_PREFIXES = [
   "<channel_capabilities>",
   "<channel_command_context>",
+  "<disk_pressure_warning>",
   "<channel_turn_context>", // backward-compat: strip legacy separate channel blocks
   "<guardian_context>",
   "<inbound_actor_context>", // backward-compat: strip legacy separate actor blocks
@@ -1872,6 +1896,7 @@ function applyInjectionBlock(
  * plugin-overridable default injectors.
  */
 export interface RuntimeInjectionOptions {
+  diskPressureContext?: DiskPressureInjectionContext | null;
   /**
    * Active dashboard-surface context (read from `<active_workspace>`). Kept
    * on the options bag rather than an injector because it is a
@@ -1990,6 +2015,7 @@ function buildTurnInjectionInputs(
 ): TurnInjectionInputs {
   return {
     mode: options.mode,
+    diskPressureContext: options.diskPressureContext,
     workspaceTopLevelContext: options.workspaceTopLevelContext,
     unifiedTurnContext: options.unifiedTurnContext,
     pkbContext: options.pkbContext,

package/src/daemon/conversation-store.ts

@@ -22,7 +22,7 @@ import { RateLimitProvider } from "../providers/ratelimit.js";
 import { getProvider } from "../providers/registry.js";
 import { getSubagentManager } from "../subagent/index.js";
 import { getSandboxWorkingDir } from "../util/platform.js";
-import { Conversation, DEFAULT_MEMORY_POLICY } from "./conversation.js";
+import { Conversation } from "./conversation.js";
 import type { ConversationEvictor } from "./conversation-evictor.js";
 import type { ConversationCreateOptions } from "./handlers/shared.js";
 import { buildTransportHints } from "./transport-hints.js";
@@ -180,6 +180,7 @@ function applyTransportMetadata(
   if (!transport) return;
   conversation.setTransportHints(buildTransportHints(transport));
   conversation.applyHostEnvFromTransport(transport);
+  conversation.applyClientTimezoneFromTransport(transport);
 }
 
 /**
@@ -253,7 +254,6 @@ export async function getOrCreateConversation(
         maxTokens,
         sendToClient,
         workingDir,
-        DEFAULT_MEMORY_POLICY,
         sharedCesClient,
         storedOptions?.speed,
         undefined,

package/src/daemon/conversation-surfaces.ts

@@ -18,6 +18,7 @@ import {
   assistantEventHub,
   broadcastMessage,
 } from "../runtime/assistant-event-hub.js";
+import { enforceSameActorOrErrorResult } from "../runtime/auth/same-actor.js";
 import type {
   InteractiveUiRequest,
   InteractiveUiResult,
@@ -53,6 +54,148 @@ const log = getLogger("conversation-surfaces");
 
 const MAX_UNDO_DEPTH = 10;
 
+/**
+ * Debounce window for persisting `ui_surface_update` data back to the
+ * message row. Surfaces typically receive bursts of updates (e.g. a
+ * Workspace Health Check ticking off items rapidly) — collapsing them
+ * to a single DB write avoids hammering SQLite while still bounding the
+ * "lost work on crash" window to ~half a second.
+ */
+const SURFACE_PERSIST_DEBOUNCE_MS = 500;
+
+/**
+ * In-flight debounced persist timers keyed by `surfaceId`. Surface IDs
+ * are UUIDs and globally unique, so a module-level map is safe across
+ * conversations. Each entry holds the latest data snapshot — newer
+ * updates clobber older ones since the persisted row carries the full
+ * merged state, not a delta.
+ */
+const pendingSurfacePersists = new Map<
+  string,
+  {
+    timer: ReturnType<typeof setTimeout>;
+    conversationId: string;
+    data: SurfaceData;
+  }
+>();
+
+/**
+ * Persist the latest `data` for a `ui_surface` content block by
+ * scanning the conversation's messages for one containing the given
+ * `surfaceId` and patching its `data` field. Mirrors the scan-and-patch
+ * pattern in `markSurfaceCompleted`.
+ *
+ * Safe to call before the assistant message has been persisted (mid-stream):
+ * the scan simply finds nothing and bails. The next update after
+ * `handleMessageComplete` runs will pick up the now-persisted row.
+ */
+function persistSurfaceData(
+  conversationId: string,
+  surfaceId: string,
+  data: SurfaceData,
+): void {
+  try {
+    const rows = getMessages(conversationId);
+    for (let r = rows.length - 1; r >= 0; r--) {
+      let parsed: unknown[];
+      try {
+        const result = JSON.parse(rows[r].content);
+        if (!Array.isArray(result)) continue;
+        parsed = result;
+      } catch {
+        // Plain-text content rows — skip and keep scanning.
+        continue;
+      }
+      let found = false;
+      for (const pb of parsed) {
+        const rb = pb as Record<string, unknown>;
+        if (rb.type === "ui_surface" && rb.surfaceId === surfaceId) {
+          rb.data = data;
+          found = true;
+          break;
+        }
+      }
+      if (found) {
+        updateMessageContent(rows[r].id, JSON.stringify(parsed));
+        return;
+      }
+    }
+  } catch (err) {
+    log.debug(
+      { err, surfaceId, conversationId },
+      "Failed to persist surface data update",
+    );
+  }
+}
+
+/**
+ * Schedule a debounced write of the merged surface data back to the
+ * persisted message row. Repeated calls within the debounce window
+ * collapse to a single write carrying the latest data.
+ */
+export function scheduleSurfaceDataPersist(
+  conversationId: string,
+  surfaceId: string,
+  data: SurfaceData,
+): void {
+  const existing = pendingSurfacePersists.get(surfaceId);
+  if (existing) {
+    clearTimeout(existing.timer);
+  }
+  const timer = setTimeout(() => {
+    pendingSurfacePersists.delete(surfaceId);
+    persistSurfaceData(conversationId, surfaceId, data);
+  }, SURFACE_PERSIST_DEBOUNCE_MS);
+  pendingSurfacePersists.set(surfaceId, { timer, conversationId, data });
+}
+
+/**
+ * Force-flush any pending debounced persist for `surfaceId`. Called on
+ * surface completion so the final state is durable before the surface
+ * record transitions to `completed`.
+ */
+export function flushSurfaceDataPersist(surfaceId: string): void {
+  const pending = pendingSurfacePersists.get(surfaceId);
+  if (!pending) return;
+  clearTimeout(pending.timer);
+  pendingSurfacePersists.delete(surfaceId);
+  persistSurfaceData(pending.conversationId, surfaceId, pending.data);
+}
+
+/**
+ * Cancel all pending debounced persists. Called on conversation
+ * teardown to avoid timers firing against torn-down state.
+ *
+ * Use `flushPendingSurfaceDataPersists` instead on a clean shutdown
+ * path where the latest in-flight surface state should still be
+ * written before teardown.
+ */
+export function cancelPendingSurfaceDataPersists(
+  conversationId?: string,
+): void {
+  for (const [surfaceId, pending] of pendingSurfacePersists) {
+    if (conversationId && pending.conversationId !== conversationId) continue;
+    clearTimeout(pending.timer);
+    pendingSurfacePersists.delete(surfaceId);
+  }
+}
+
+/**
+ * Synchronously flush all pending debounced persists, optionally scoped
+ * to a single conversation. Called on clean conversation teardown so an
+ * update that arrived inside the 500ms debounce window still lands in
+ * the DB before the conversation goes away. Each entry is removed from
+ * the pending map after its write fires.
+ */
+export function flushPendingSurfaceDataPersists(conversationId?: string): void {
+  for (const [surfaceId, pending] of pendingSurfacePersists) {
+    if (conversationId && pending.conversationId !== conversationId) continue;
+    clearTimeout(pending.timer);
+    pendingSurfacePersists.delete(surfaceId);
+    persistSurfaceData(pending.conversationId, surfaceId, pending.data);
+  }
+}
+
 /**
  * Mark a `ui_surface` content block as completed in the database so that
  * history reconstruction preserves the completion state.  Also updates
@@ -63,6 +206,10 @@ export function markSurfaceCompleted(
   surfaceId: string,
   summary: string,
 ): void {
+  // Force-flush any pending debounced data persist so the completion
+  // patch lands on top of the latest data instead of racing with it.
+  flushSurfaceDataPersist(surfaceId);
+
   // Update in-memory messages when available so subsequent reads within
   // this session see the change without waiting for DB.
   if (ctx.messages) {
@@ -1012,6 +1159,7 @@ export async function handleSurfaceAction(
       summary,
       submittedData: data,
     });
+    markSurfaceCompleted(ctx, surfaceId, summary);
 
     // Cleanup and resolve — order matters: cleanup clears the timer
     // before resolve() unblocks the caller.
@@ -1358,20 +1506,6 @@ export async function handleSurfaceAction(
     surfaceData,
   );
 
-  // Forms are one-shot surfaces — auto-complete immediately so the client
-  // transitions from the "Submitting…" spinner to a completion chip without
-  // requiring the LLM to call ui_dismiss.
-  if (pending.surfaceType === "form") {
-    broadcastMessage({
-      type: "ui_surface_complete",
-      conversationId: ctx.conversationId,
-      surfaceId,
-      summary,
-      submittedData: mergedData,
-    });
-    markSurfaceCompleted(ctx, surfaceId, summary);
-  }
-
   // Extract file attachments from action data so they are sent as proper
   // image/file content blocks instead of dumping base64 into the text.
   let pendingAttachments: UserMessageAttachment[] = [];
@@ -1501,6 +1635,21 @@ export async function handleSurfaceAction(
     return;
   }
 
+  // One-shot interactive surfaces — auto-complete now that the message has
+  // been accepted. Deferred until after rejection check so the surface stays
+  // active and retryable if the queue was full.
+  const ONE_SHOT_SURFACE_TYPES = ["form", "confirmation", "file_upload"];
+  if (ONE_SHOT_SURFACE_TYPES.includes(pending.surfaceType)) {
+    broadcastMessage({
+      type: "ui_surface_complete",
+      conversationId: ctx.conversationId,
+      surfaceId,
+      summary,
+      submittedData: mergedDataForText,
+    });
+    markSurfaceCompleted(ctx, surfaceId, summary);
+  }
+
   // One-shot: clear accumulated state now that the message has been accepted.
   // Deferred until after rejection check so state is preserved for retry on rejection.
   if (accumulatedState && Object.keys(accumulatedState).length > 0) {
@@ -1783,15 +1932,19 @@ export async function surfaceProxyResolver(
     // Record the action and proxy to the connected desktop client
     const reasoning =
       typeof input.reasoning === "string" ? input.reasoning : undefined;
-    const targetClientId =
-      typeof input.target_client_id === "string" && input.target_client_id !== ""
+    let targetClientId: string | undefined =
+      typeof input.target_client_id === "string" &&
+      input.target_client_id !== ""
         ? input.target_client_id
         : undefined;
 
-    // Validate targetClientId before recordAction so an invalid ID does not
-    // burn a step or pollute action history. (HostBashProxy / HostFileProxy
-    // both validate at the tool-resolution layer before incrementing any
-    // state; this mirrors that behaviour for CU.)
+    // Validate targetClientId existence, capability, and same-user binding
+    // before recordAction so an invalid or cross-user ID does not burn a
+    // step or pollute action history. HostBashProxy / HostFileProxy
+    // validate at the tool-resolution layer for the same reason. The proxy
+    // re-checks same-user (single authoritative gate); using the shared
+    // helper keeps log payload and error wording identical at both layers.
+    const sourceActorPrincipalId = ctx.trustContext?.guardianPrincipalId;
     if (targetClientId != null) {
       const client = assistantEventHub.getClientById(targetClientId);
       if (!client) {
@@ -1806,14 +1959,24 @@ export async function surfaceProxyResolver(
           isError: true,
         };
       }
+      const rejection = enforceSameActorOrErrorResult({
+        hub: assistantEventHub,
+        sourceActorPrincipalId,
+        targetClientId,
+        op: "host_cu",
+      });
+      if (rejection) return rejection;
     }
 
-    // Guard: require explicit targeting when multiple CU-capable clients are
-    // connected. The tool schemas document target_client_id as "required when
-    // multiple clients support host_cu" but nothing enforced it at runtime
-    // until now. Without this guard, the request would broadcast to all
-    // capable clients simultaneously, causing the same CU action to execute
-    // on multiple machines.
+    // Guard: require explicit targeting when multiple same-user CU-capable
+    // clients are connected. The tool schemas document target_client_id as
+    // "required when multiple clients support host_cu" but nothing enforced
+    // it at runtime until now. Without this guard, the request would
+    // broadcast to all capable clients simultaneously, causing the same CU
+    // action to execute on multiple machines. The filter mirrors
+    // HostFileProxy's auto-resolve: only same-user clients participate, so
+    // a cross-user client connected to the same daemon does not falsely
+    // trigger this ambiguity error.
     //
     // Asymmetry with host_bash / host_file (host-shell.ts): the bash/file
     // guard additionally checks `transportInterface != null &&
@@ -1824,13 +1987,25 @@ export async function surfaceProxyResolver(
     // host_cu-capable transport for which auto-routing-to-self would be
     // appropriate. We therefore fire whenever there is genuine ambiguity.
     if (targetClientId == null) {
-      const cuClients = assistantEventHub.listClientsByCapability("host_cu");
-      if (cuClients.length > 1) {
+      const allCuClients = assistantEventHub.listClientsByCapability("host_cu");
+      const sameUserCuClients = allCuClients.filter(
+        (c) => c.actorPrincipalId === sourceActorPrincipalId,
+      );
+      if (sameUserCuClients.length > 1) {
         return {
           content: `Error: multiple clients support host_cu. Specify which client to target with \`target_client_id\`. Run \`assistant clients list --capability host_cu\` to see client IDs and labels.`,
           isError: true,
         };
       }
+      // When cross-user host_cu clients are connected, we MUST auto-resolve
+      // to the unique same-user client (or fail explicitly) — otherwise the
+      // proxy would broadcast untargeted and the CU action would reach the
+      // cross-user client too. Setting targetClientId here forces the proxy
+      // to deliver only to that client, with the same-user check below as
+      // belt-and-suspenders.
+      if (sameUserCuClients.length === 1 && allCuClients.length > 1) {
+        targetClientId = sameUserCuClients[0].clientId;
+      }
     }
 
     ctx.hostCuProxy.recordAction(toolName, input, reasoning);
@@ -1842,6 +2017,7 @@ export async function surfaceProxyResolver(
       reasoning,
       signal,
       targetClientId,
+      sourceActorPrincipalId,
     );
   }
 
@@ -1876,7 +2052,7 @@ export async function surfaceProxyResolver(
     // union on `tool` ("start" | "observe" | "press" | …). The agent's raw
     // tool input only carries the action-specific payload (app, x/y, text,
     // …) — the discriminator is implied by `toolName` (`app_control_<tool>`).
-    // Inject it here so the proxy's singleton-lock guard (`input.tool ===
+    // Inject it here so the proxy's session-lock guard (`input.tool ===
     // "start"`) and the Swift client's discriminated-union decoder both see
     // the field they require.
     const tool = toolName.slice("app_control_".length);
@@ -2077,6 +2253,12 @@ export async function surfaceProxyResolver(
       ctx.currentTurnSurfaces[idx].data = mergedData;
     }
 
+    // Persist the merged data back to the assistant message's
+    // `ui_surface` content block so a refresh / restart shows the
+    // current state instead of the original creation-time snapshot.
+    // Debounced to coalesce bursts of rapid updates.
+    scheduleSurfaceDataPersist(ctx.conversationId, surfaceId, mergedData);
+
     return { content: "Surface updated", isError: false };
   }
 

package/src/daemon/conversation-tool-setup.ts

@@ -30,12 +30,14 @@ import {
   ACTIVITY_SKIP_SET,
   injectActivityField,
 } from "../tools/schema-transforms.js";
-import type {
-  ProxyApprovalCallback,
-  ProxyApprovalRequest,
-  ToolContext,
-  ToolExecutionResult,
-  ToolLifecycleEventHandler,
+import { resolveToolNameAlias } from "../tools/tool-name-aliases.js";
+import {
+  isDiskPressureCleanupToolName,
+  type ProxyApprovalCallback,
+  type ProxyApprovalRequest,
+  type ToolContext,
+  type ToolExecutionResult,
+  type ToolLifecycleEventHandler,
 } from "../tools/types.js";
 import { allUiSurfaceTools } from "../tools/ui-surface/definitions.js";
 import { getLogger } from "../util/logger.js";
@@ -121,7 +123,9 @@ export function createToolExecutor(
     toolUseId?: string,
     turnContext?: import("../plugins/types.js").TurnContext,
   ) => {
-    if (isDoordashCommand(name, input)) {
+    const executionName = resolveToolNameAlias(name, ctx.allowedToolNames);
+
+    if (isDoordashCommand(executionName, input)) {
       markDoordashStepInProgress(ctx, input);
     }
 
@@ -135,6 +139,7 @@ export function createToolExecutor(
       taskRunId: ctx.taskRunId,
       trustClass: resolveTrustClass(ctx.trustContext),
       executionChannel: ctx.trustContext?.sourceChannel,
+      sourceActorPrincipalId: ctx.trustContext?.guardianPrincipalId,
       callSessionId: ctx.callSessionId,
       triggeredBySurfaceAction:
         ctx.surfaceActionRequestIds?.has(ctx.currentRequestId ?? "") ?? false,
@@ -151,7 +156,7 @@ export function createToolExecutor(
       onOutput,
       signal: ctx.abortController?.signal,
       allowedToolNames: ctx.allowedToolNames,
-      memoryScopeId: ctx.memoryPolicy.scopeId,
+      diskPressureCleanupModeActive: ctx.diskPressureCleanupModeActive,
       toolUseId,
       isPlatformHosted: getIsPlatform(),
       cesClient: ctx.cesClient,
@@ -206,8 +211,9 @@ export function createToolExecutor(
     // route through the full executor pipeline so the underlying tool's
     // risk level, permission checks, hooks, and lifecycle events all fire
     // with the real tool name.
-    if (name === "skill_execute") {
-      const toolName = typeof input.tool === "string" ? input.tool : "";
+    if (executionName === "skill_execute") {
+      const rawToolName = typeof input.tool === "string" ? input.tool : "";
+      const toolName = resolveToolNameAlias(rawToolName, ctx.allowedToolNames);
       const rawToolInput =
         input.input != null && typeof input.input === "object"
           ? (input.input as Record<string, unknown>)
@@ -240,7 +246,7 @@ export function createToolExecutor(
     }
 
     const result = await executor.execute(
-      name,
+      executionName,
       input,
       toolContext,
       turnContext,
@@ -249,7 +255,7 @@ export function createToolExecutor(
       ctx.approvedViaPromptThisTurn = true;
     }
 
-    runPostExecutionSideEffects(name, input, result, { ctx });
+    runPostExecutionSideEffects(executionName, input, result, { ctx });
 
     return result;
   };
@@ -305,6 +311,8 @@ export interface SkillProjectionContext {
   readonly hasNoClient?: boolean;
   /** When set, only tools in this set are included in the resolved tool list (subagent delegation). */
   subagentAllowedTools?: Set<string>;
+  /** True when the current turn is restricted to disk-pressure cleanup-safe tools. */
+  diskPressureCleanupModeActive?: boolean;
   /** True when this conversation belongs to a subagent spawned by SubagentManager. */
   readonly isSubagent?: boolean;
   /**
@@ -351,6 +359,29 @@ export const HOST_TOOL_TO_CAPABILITY = new Map<string, HostProxyCapability>([
 // Derived from HOST_TOOL_TO_CAPABILITY so the invariant "every host tool has
 // a capability mapping" is a structural fact — no runtime assertion needed.
 export const HOST_TOOL_NAMES = new Set(HOST_TOOL_TO_CAPABILITY.keys());
+/**
+ * Capabilities eligible for cross-client exposure on non-host-proxy
+ * transports (e.g. web, ios routing to a connected macOS client).
+ * Adding a capability here exposes ALL tools that map to it (per
+ * HOST_TOOL_TO_CAPABILITY) on non-host-proxy transports — the daemon then
+ * routes the actual invocation to the connected capable client via the
+ * proxy's targetClientId path.
+ *
+ * Inclusions:
+ * - host_bash (Phase 1, PR #29322)
+ * - host_file (Phases 2 & 3, PRs #29398 + #29440)
+ *
+ * Exclusions:
+ * - host_browser: chrome-extension is its own executor; web turns don't
+ *   have a CDP target model. Re-evaluate when host browser via macOS
+ *   host proxy ships (PR #27489).
+ * - host_app_control, host_cu: not in HOST_TOOL_TO_CAPABILITY
+ *   (skill-routed).
+ */
+const CROSS_CLIENT_EXPOSED_CAPABILITIES = new Set<HostProxyCapability>([
+  "host_bash",
+  "host_file",
+]);
 const CLIENT_CAPABILITY_TOOL_NAMES = new Set(["app_open"]);
 const PLATFORM_TOOL_NAMES = new Set(["request_system_permission"]);
 
@@ -385,16 +416,22 @@ export function isToolActiveForContext(
     // Per-capability check is authoritative for structural support: if the
     // transport cannot service this capability, the tool is filtered out.
     if (transport && capability && !supportsHostProxy(transport, capability)) {
-      // Cross-client exception: allow host_bash for non-host-proxy interfaces when
-      // at least one capable client is connected via the event hub.
-      // Only applies to host_bash (not host_file, host_cu, host_browser — Phase 2).
-      // Excludes chrome-extension (security boundary: extension only gets host_browser)
-      // and hasNoClient turns (no interactive approval UI available).
+      // Cross-client exception: allow host tools whose capabilities have
+      // cross-client routing infrastructure (Phases 1–3) to be exposed for
+      // non-host-proxy transports (e.g. "web", "ios") when at least one
+      // capable client is connected via the event hub. Members of
+      // CROSS_CLIENT_EXPOSED_CAPABILITIES (host_bash, host_file) qualify;
+      // host_browser is intentionally excluded (chrome-extension is its
+      // own executor and web turns don't have a CDP target model).
+      // chrome-extension transport is excluded as a security boundary
+      // (extension only gets host_browser); hasNoClient turns are excluded
+      // (no interactive approval UI available).
       if (
-        capability === "host_bash" &&
+        capability &&
+        CROSS_CLIENT_EXPOSED_CAPABILITIES.has(capability) &&
         transport !== "chrome-extension" &&
         !ctx.hasNoClient &&
-        assistantEventHub.listClientsByCapability("host_bash").length > 0
+        assistantEventHub.listClientsByCapability(capability).length > 0
       ) {
         return true;
       }
@@ -516,6 +553,16 @@ export function createResolveToolsCallback(
       }
       turnAllowed.add(name);
     }
+    if (ctx.diskPressureCleanupModeActive === true) {
+      const cleanupDefs = allBaseDefs.filter((d) =>
+        isDiskPressureCleanupToolName(d.name),
+      );
+      ctx.allowedToolNames = new Set(
+        Array.from(turnAllowed).filter(isDiskPressureCleanupToolName),
+      );
+      return injectActivityField(cleanupDefs, ACTIVITY_SKIP_SET);
+    }
+
     ctx.allowedToolNames = turnAllowed;
     return injectActivityField(allBaseDefs, ACTIVITY_SKIP_SET);
   };