@vellumai/assistant 0.7.2 → 0.8.0

package/src/permissions/gateway-threshold-reader.ts

@@ -44,6 +44,106 @@ const conversationThresholdCache = new Map<
 >();
 const CONVERSATION_CACHE_TTL_MS = 5_000;
 
+// ── Failure-coalescing log helper ────────────────────────────────────────────
+// When the gateway IPC socket is broken (e.g. the path was unlinked from
+// disk), every threshold lookup fails with ENOENT on the hot path. Without
+// coalescing the per-call WARN drowns the actual signal ("Strict-when-
+// Relaxed because the gateway lost its socket") in its own log spam.
+//
+// Each `op` (e.g. "conversation_threshold", "global_thresholds") emits at
+// most one WARN per {@link DEFAULT_FAILURE_WARN_INTERVAL_MS} window. The
+// first failure in a streak WARNs immediately so failures aren't lost. When
+// the IPC starts working again, an INFO records the streak duration and
+// how many calls were swallowed — that's the cue dashboards should alert
+// on.
+
+interface FailureState {
+  consecutiveFailures: number;
+  firstFailureAt: number;
+  lastWarnAt: number;
+}
+
+const DEFAULT_FAILURE_WARN_INTERVAL_MS = 30_000;
+let failureWarnIntervalMs = DEFAULT_FAILURE_WARN_INTERVAL_MS;
+const failureStateByOp = new Map<string, FailureState>();
+
+function noteFailure(
+  op: string,
+  fields: Record<string, unknown>,
+  message: string,
+): void {
+  const now = Date.now();
+  const state = failureStateByOp.get(op);
+  if (!state) {
+    failureStateByOp.set(op, {
+      consecutiveFailures: 1,
+      firstFailureAt: now,
+      lastWarnAt: now,
+    });
+    log.warn(
+      {
+        ...fields,
+        op,
+        consecutiveFailures: 1,
+        event: "ipc_threshold_failure",
+      },
+      message,
+    );
+    return;
+  }
+  state.consecutiveFailures += 1;
+  if (now - state.lastWarnAt >= failureWarnIntervalMs) {
+    log.warn(
+      {
+        ...fields,
+        op,
+        consecutiveFailures: state.consecutiveFailures,
+        streakDurationMs: now - state.firstFailureAt,
+        event: "ipc_threshold_failure",
+      },
+      message,
+    );
+    state.lastWarnAt = now;
+  }
+}
+
+function noteSuccess(op: string): void {
+  const state = failureStateByOp.get(op);
+  if (!state) return;
+  log.info(
+    {
+      op,
+      swallowedFailures: state.consecutiveFailures,
+      streakDurationMs: Date.now() - state.firstFailureAt,
+      event: "ipc_threshold_recovered",
+    },
+    "Gateway IPC threshold call recovered after failure streak",
+  );
+  failureStateByOp.delete(op);
+}
+
+/** Test-only: clear the failure-coalescing state. */
+export function _resetFailureCoalesceForTesting(): void {
+  failureStateByOp.clear();
+  failureWarnIntervalMs = DEFAULT_FAILURE_WARN_INTERVAL_MS;
+}
+
+/**
+ * Test-only: read a snapshot of the failure-coalescing state for a given
+ * op. Returns `undefined` when no streak is in progress.
+ */
+export function _getFailureStateForTesting(
+  op: string,
+): Readonly<FailureState> | undefined {
+  const state = failureStateByOp.get(op);
+  return state ? { ...state } : undefined;
+}
+
+/** Test-only: override the WARN cadence. Pass {@link DEFAULT_FAILURE_WARN_INTERVAL_MS} to reset. */
+export function _setFailureWarnIntervalForTesting(intervalMs: number): void {
+  failureWarnIntervalMs = intervalMs;
+}
+
 /**
  * Clear the global threshold cache. Exported for testing.
  */
@@ -112,18 +212,24 @@ export async function getAutoApproveThreshold(
       })) as ConversationThreshold | null | undefined;
 
       if (result === undefined) {
-        log.warn(
+        noteFailure(
+          "conversation_threshold",
           { conversationId },
           "IPC call failed for conversation threshold override, falling through to global",
         );
         // Fall through to global threshold fetch below.
-      } else if (result && isValidThreshold(result.threshold)) {
-        conversationThresholdCache.set(conversationId, {
-          threshold: result.threshold,
-          timestamp: Date.now(),
-        });
-        return result.threshold;
       } else {
+        // Any defined response (including a null "no override") is a
+        // successful round-trip — clear any in-progress failure streak so
+        // dashboards see the recovery.
+        noteSuccess("conversation_threshold");
+        if (result && isValidThreshold(result.threshold)) {
+          conversationThresholdCache.set(conversationId, {
+            threshold: result.threshold,
+            timestamp: Date.now(),
+          });
+          return result.threshold;
+        }
         // result === null (or an unexpected shape) — cache the negative result
         // and fall through to global defaults.
         conversationThresholdCache.set(conversationId, {
@@ -151,7 +257,8 @@ export async function getAutoApproveThreshold(
   } catch (err) {
     // Gateway unreachable — default to "none" (Strict) so no tools are
     // silently auto-approved when the gateway is down.
-    log.warn(
+    noteFailure(
+      "global_thresholds",
       { error: String(err) },
       "Failed to fetch global thresholds, defaulting to none",
     );
@@ -176,6 +283,7 @@ async function fetchGlobalThresholds(): Promise<GlobalThresholds> {
     throw new Error("Gateway IPC returned no result for global thresholds");
   }
 
+  noteSuccess("global_thresholds");
   cachedGlobalThresholds = result;
   cachedGlobalTimestamp = Date.now();
   return result;

package/src/permissions/prompter.ts

@@ -11,19 +11,14 @@ import type { AllowlistOption, ScopeOption, UserDecision } from "./types.js";
 
 const log = getLogger("permission-prompter");
 
-interface PendingPrompt {
-  resolve: (value: {
-    decision: UserDecision;
-    selectedPattern?: string;
-    selectedScope?: string;
-    decisionContext?: string;
-    wasTimeout?: boolean;
-    wasSystemCancel?: boolean;
-  }) => void;
-  reject: (reason: Error) => void;
-  timer: ReturnType<typeof setTimeout>;
-  toolUseId?: string;
-}
+type ConfirmResult = {
+  decision: UserDecision;
+  selectedPattern?: string;
+  selectedScope?: string;
+  decisionContext?: string;
+  wasTimeout?: boolean;
+  wasSystemCancel?: boolean;
+};
 
 export type ConfirmationStateCallback = (
   requestId: string,
@@ -33,7 +28,13 @@ export type ConfirmationStateCallback = (
 ) => void;
 
 export class PermissionPrompter {
-  private pending = new Map<string, PendingPrompt>();
+  /**
+   * Tracks which requestIds belong to this prompter instance so that
+   * denyAllPending / dispose can scope their cleanup to this conversation.
+   * The full per-request state (callbacks, timer, toolUseId) lives in
+   * pendingInteractions, matching the host proxy pattern.
+   */
+  private ownedIds = new Set<string>();
   private sendToClient: (msg: ServerMessage) => void;
   private onStateChanged?: ConfirmationStateCallback;
 
@@ -69,74 +70,68 @@ export class PermissionPrompter {
     riskReason?: string,
     isContainerized?: boolean,
     directoryScopeOptions?: readonly { scope: string; label: string }[],
-  ): Promise<{
-    decision: UserDecision;
-    selectedPattern?: string;
-    selectedScope?: string;
-    decisionContext?: string;
-    wasTimeout?: boolean;
-    wasSystemCancel?: boolean;
-    wasAbort?: boolean;
-  }> {
+  ): Promise<ConfirmResult & { wasAbort?: boolean }> {
     if (signal?.aborted) return { decision: "deny", wasAbort: true };
 
     const requestId = uuid();
 
-    // Self-register in pendingInteractions so /v1/confirm can route the
-    // response to this conversation without going through broadcastMessage.
-    if (conversationId) {
-      pendingInteractions.register(requestId, {
-        conversationId,
-        kind: "confirmation",
-        confirmationDetails: {
-          toolName,
-          input: redactSensitiveFields(input),
-          riskLevel,
-          executionTarget,
-          allowlistOptions: allowlistOptions.map((o) => ({
-            label: o.label,
-            description: o.description,
-            pattern: o.pattern,
-          })),
-          scopeOptions: scopeOptions.map((o) => ({
-            label: o.label,
-            scope: o.scope,
-          })),
-          persistentDecisionsAllowed: persistentDecisionsAllowed ?? true,
-        },
-      });
-    }
-
     return new Promise((resolve, reject) => {
       const timeoutMs = getConfig().timeouts.permissionTimeoutSec * 1000;
+
       const timer = setTimeout(() => {
-        this.pending.delete(requestId);
-        pendingInteractions.resolve(requestId);
+        const interaction = pendingInteractions.resolve(requestId);
+        this.ownedIds.delete(requestId);
         log.warn(
           { requestId, toolName },
           "Permission prompt timed out, defaulting to deny",
         );
         this.onStateChanged?.(requestId, "timed_out", "timeout", toolUseId);
-        resolve({
-          decision: "deny",
-          wasTimeout: true,
-          decisionContext: `The permission prompt for the "${toolName}" tool timed out. The user did not explicitly deny this request — they may have been away or busy. You may retry this tool call if it is still needed for the current task.`,
-        });
+        (interaction?.rpcResolve as ((v: ConfirmResult) => void) | undefined)?.(
+          {
+            decision: "deny",
+            wasTimeout: true,
+            decisionContext: `The permission prompt for the "${toolName}" tool timed out. The user did not explicitly deny this request — they may have been away or busy. You may retry this tool call if it is still needed for the current task.`,
+          },
+        );
       }, timeoutMs);
 
-      this.pending.set(requestId, {
-        resolve,
-        reject,
-        timer,
-        toolUseId,
-      });
+      // Register all lifecycle state in pendingInteractions — same pattern as
+      // host proxies. The prompter tracks ownership via ownedIds.
+      // Always register unconditionally so rpcResolve/rpcReject/timer
+      // are reachable by resolveConfirmation, denyAllPending, and the timeout
+      // handler even when conversationId is absent. Routes return 404 for
+      // interactions with an empty conversationId, which is correct behaviour.
+      pendingInteractions.register(requestId, {
+        conversationId: conversationId ?? "",
+        kind: "confirmation",
+          confirmationDetails: {
+            toolName,
+            input: redactSensitiveFields(input),
+            riskLevel,
+            executionTarget,
+            allowlistOptions: allowlistOptions.map((o) => ({
+              label: o.label,
+              description: o.description,
+              pattern: o.pattern,
+            })),
+            scopeOptions: scopeOptions.map((o) => ({
+              label: o.label,
+              scope: o.scope,
+            })),
+            persistentDecisionsAllowed: persistentDecisionsAllowed ?? true,
+          },
+          rpcResolve: resolve as (value: unknown) => void,
+          rpcReject: reject,
+          timer,
+          toolUseId,
+        });
+      this.ownedIds.add(requestId);
 
       if (signal) {
         const onAbort = () => {
-          if (this.pending.has(requestId)) {
-            clearTimeout(timer);
-            this.pending.delete(requestId);
+          if (this.ownedIds.has(requestId)) {
             pendingInteractions.resolve(requestId);
+            this.ownedIds.delete(requestId);
             resolve({ decision: "deny", wasAbort: true });
           }
         };
@@ -175,17 +170,17 @@ export class PermissionPrompter {
   }
 
   hasPendingRequest(requestId: string): boolean {
-    return this.pending.has(requestId);
+    return this.ownedIds.has(requestId);
   }
 
   /** Returns all currently pending request IDs. */
   getPendingRequestIds(): string[] {
-    return [...this.pending.keys()];
+    return [...this.ownedIds];
   }
 
   /** Returns the toolUseId associated with a pending request, if any. */
   getToolUseId(requestId: string): string | undefined {
-    return this.pending.get(requestId)?.toolUseId;
+    return pendingInteractions.get(requestId)?.toolUseId;
   }
 
   resolveConfirmation(
@@ -195,22 +190,17 @@ export class PermissionPrompter {
     selectedScope?: string,
     decisionContext?: string,
   ): void {
-    const pending = this.pending.get(requestId);
-    if (!pending) {
+    if (!this.ownedIds.has(requestId)) {
       log.warn({ requestId }, "No pending prompt for confirmation response");
       return;
     }
-    clearTimeout(pending.timer);
-    this.pending.delete(requestId);
-    // Idempotent — approval-routes already calls pendingInteractions.resolve()
-    // before routing here, but we call it defensively for non-route paths.
-    pendingInteractions.resolve(requestId);
-    pending.resolve({
-      decision,
-      selectedPattern,
-      selectedScope,
-      decisionContext,
-    });
+    // The prompter owns deregistration; all callers use get() to peek before
+    // routing to resolveConfirmation, which fires the rpcResolve callback.
+    const interaction = pendingInteractions.resolve(requestId);
+    this.ownedIds.delete(requestId);
+    (interaction?.rpcResolve as ((v: ConfirmResult) => void) | undefined)?.(
+      { decision, selectedPattern, selectedScope, decisionContext },
+    );
   }
 
   /**
@@ -219,31 +209,31 @@ export class PermissionPrompter {
    * see the denial and can re-request if still needed.
    */
   denyAllPending(): void {
-    for (const [requestId, pending] of this.pending) {
-      clearTimeout(pending.timer);
-      this.pending.delete(requestId);
-      pendingInteractions.resolve(requestId);
-      pending.resolve({
-        decision: "deny",
-        wasSystemCancel: true,
-        decisionContext:
-          "The user sent a new message instead of responding to this permission prompt. Stop what you are doing and respond to the user's new message. Do NOT retry this tool or request permission again until the user asks you to.",
-      });
+    for (const requestId of [...this.ownedIds]) {
+      const interaction = pendingInteractions.resolve(requestId);
+      this.ownedIds.delete(requestId);
+      (interaction?.rpcResolve as ((v: ConfirmResult) => void) | undefined)?.(
+        {
+          decision: "deny",
+          wasSystemCancel: true,
+          decisionContext:
+            "The user sent a new message instead of responding to this permission prompt. Stop what you are doing and respond to the user's new message. Do NOT retry this tool or request permission again until the user asks you to.",
+        },
+      );
     }
   }
 
   get hasPending(): boolean {
-    return this.pending.size > 0;
+    return this.ownedIds.size > 0;
   }
 
   dispose(): void {
-    for (const [requestId, pending] of this.pending) {
-      clearTimeout(pending.timer);
-      pendingInteractions.resolve(requestId);
-      pending.reject(
+    for (const requestId of [...this.ownedIds]) {
+      const interaction = pendingInteractions.resolve(requestId);
+      this.ownedIds.delete(requestId);
+      interaction?.rpcReject?.(
         new AssistantError("Prompter disposed", ErrorCode.INTERNAL_ERROR),
       );
     }
-    this.pending.clear();
   }
 }

package/src/permissions/secret-prompter.ts

@@ -20,12 +20,6 @@ export interface SecretPromptResult {
   error?: "unsupported_channel";
 }
 
-interface PendingSecretPrompt {
-  resolve: (result: SecretPromptResult) => void;
-  reject: (reason: Error) => void;
-  timer: ReturnType<typeof setTimeout>;
-}
-
 export interface SecretPrompterChannelContext {
   /** The channel the conversation was initiated from (e.g. "slack", "macos"). */
   channel?: string;
@@ -34,7 +28,13 @@ export interface SecretPrompterChannelContext {
 }
 
 export class SecretPrompter {
-  private pending = new Map<string, PendingSecretPrompt>();
+  /**
+   * Tracks which requestIds belong to this prompter instance so that
+   * dispose can scope its cleanup to this conversation.
+   * The full per-request state (callbacks, timer) lives in pendingInteractions,
+   * matching the host proxy and PermissionPrompter pattern.
+   */
+  private ownedIds = new Set<string>();
   private channelContext?: SecretPrompterChannelContext;
 
   setChannelContext(ctx: SecretPrompterChannelContext | undefined): void {
@@ -45,12 +45,9 @@ export class SecretPrompter {
    * Broadcast a secret_request to all connected clients and wait for a
    * response.
    *
-   * The request is always published to the SSE hub via
-   * {@link broadcastMessage} so any connected client (desktop, web) can
-   * display the secure prompt dialog.
-   *
-   * Pending interaction registration is handled by {@link broadcastMessage}
-   * when the secret_request event is published to the hub.
+   * Registers all lifecycle state (rpcResolve, rpcReject, timer) in
+   * pendingInteractions before broadcasting — identical to the host proxy
+   * and PermissionPrompter pattern.
    *
    * SECURITY: Logs only metadata (requestId, service, field) — never the
    * returned secret value. The timeout path also returns a null value
@@ -72,21 +69,24 @@ export class SecretPrompter {
 
     return new Promise((resolve, reject) => {
       const timeoutMs = getConfig().timeouts.permissionTimeoutSec * 1000;
+
       const timer = setTimeout(() => {
-        this.pending.delete(requestId);
         pendingInteractions.resolve(requestId);
+        this.ownedIds.delete(requestId);
         log.warn({ requestId, service, field }, "Secret prompt timed out");
         resolve({ value: null, delivery: "store" });
       }, timeoutMs);
 
-      this.pending.set(requestId, { resolve, reject, timer });
-
-      // Self-register in pendingInteractions so /v1/secret can route the
-      // response to this conversation without relying on broadcastMessage.
+      // Register all lifecycle state in pendingInteractions — same pattern as
+      // host proxies and PermissionPrompter. The prompter tracks ownership via ownedIds.
       pendingInteractions.register(requestId, {
         conversationId: effectiveConversationId,
         kind: "secret",
+        rpcResolve: resolve as (value: unknown) => void,
+        rpcReject: reject,
+        timer,
       });
+      this.ownedIds.add(requestId);
 
       const config = getConfig();
       const msg: SecretRequestMessage = {
@@ -109,7 +109,7 @@ export class SecretPrompter {
   }
 
   hasPendingRequest(requestId: string): boolean {
-    return this.pending.has(requestId);
+    return this.ownedIds.has(requestId);
   }
 
   /**
@@ -124,26 +124,26 @@ export class SecretPrompter {
     value?: string,
     delivery?: SecretDelivery,
   ): void {
-    const pending = this.pending.get(requestId);
-    if (!pending) {
+    if (!this.ownedIds.has(requestId)) {
       log.warn({ requestId }, "No pending prompt for secret response");
       return;
     }
-    clearTimeout(pending.timer);
-    this.pending.delete(requestId);
-    // Clean up the global map (may already be removed by approval-routes).
-    pendingInteractions.resolve(requestId);
-    pending.resolve({ value: value ?? null, delivery: delivery ?? "store" });
+    // approval-routes calls pendingInteractions.get() before routing here;
+    // the prompter owns deregistration so it fires the Promise callback cleanly.
+    const interaction = pendingInteractions.resolve(requestId);
+    this.ownedIds.delete(requestId);
+    (interaction?.rpcResolve as ((v: SecretPromptResult) => void) | undefined)?.(
+      { value: value ?? null, delivery: delivery ?? "store" },
+    );
   }
 
   dispose(): void {
-    for (const [requestId, pending] of this.pending) {
-      clearTimeout(pending.timer);
-      pendingInteractions.resolve(requestId);
-      pending.reject(
+    for (const requestId of [...this.ownedIds]) {
+      const interaction = pendingInteractions.resolve(requestId);
+      this.ownedIds.delete(requestId);
+      interaction?.rpcReject?.(
         new AssistantError("Prompter disposed", ErrorCode.INTERNAL_ERROR),
       );
     }
-    this.pending.clear();
   }
 }

package/src/plugins/defaults/injectors.ts

@@ -3,7 +3,7 @@
  * drives the per-turn injection sequence consumed by
  * `applyRuntimeInjections`.
  *
- * Each of the eight default injectors reads its per-turn inputs from
+ * Each default injector reads its per-turn inputs from
  * `ctx.injectionInputs` (see {@link TurnInjectionInputs}), runs its gating
  * conditions (injection mode, feature flags, channel type, null-input
  * short-circuits), and returns an {@link InjectionBlock} with a
@@ -12,6 +12,7 @@
  *
  * | name                     | order | placement               |
  * | ------------------------ | ----- | ----------------------- |
+ * | `disk-pressure-warning`  | 5     | prepend-user-tail       |
  * | `workspace-context`      | 10    | prepend-user-tail       |
  * | `unified-turn-context`   | 20    | prepend-user-tail       |
  * | `pkb-context`            | 30    | after-memory-prefix     |
@@ -45,10 +46,10 @@
 
 import { resolve } from "node:path";
 
+import { isAssistantFeatureFlagEnabled } from "../../config/assistant-feature-flags.js";
 import { getConfig } from "../../config/loader.js";
 import { getInContextPkbPaths } from "../../daemon/pkb-context-tracker.js";
 import { buildPkbReminder } from "../../daemon/pkb-reminder-builder.js";
-import { isMemoryV2ReadActive } from "../../memory/context-search/sources/memory-v2.js";
 import { searchPkbFiles } from "../../memory/pkb/pkb-search.js";
 import { getLogger } from "../../util/logger.js";
 import { registerPlugin } from "../registry.js";
@@ -74,7 +75,7 @@ const PKB_HINT_THRESHOLD = 0.5;
 const PKB_HINT_ARCHIVE_THRESHOLD = 0.7;
 
 /**
- * Fixed order values for the eight default injectors. Exported so tests —
+ * Fixed order values for the default injectors. Exported so tests —
  * and any future integration code — can assert ordering without re-deriving
  * the constants.
  *
@@ -83,6 +84,7 @@ const PKB_HINT_ARCHIVE_THRESHOLD = 0.7;
  * without renumbering the defaults.
  */
 export const DEFAULT_INJECTOR_ORDER = {
+  diskPressureWarning: 5,
   workspaceContext: 10,
   unifiedTurnContext: 20,
   pkbContext: 30,
@@ -98,6 +100,35 @@ function readInjectionInputs(ctx: TurnContext): TurnInjectionInputs {
   return ctx.injectionInputs ?? {};
 }
 
+export const DISK_PRESSURE_WARNING_PROMPT = `<disk_pressure_warning>
+Disk usage is critically low: this assistant is in storage cleanup mode because the workspace volume is at least 95% full.
+
+In your first paragraph, warn the user that storage is critically low and that normal work is suspended until space is freed.
+
+Then help the user clean up storage. Prefer safe inspection steps first, such as checking available space and finding large directories. Ask before deleting files or caches unless the user has already clearly approved the specific cleanup action.
+
+Do not work on unrelated tasks until disk usage drops below the critical threshold or the user explicitly overrides the lock. Background processes and messages from trusted contacts are blocked while this cleanup mode is active.
+</disk_pressure_warning>`;
+
+function isSafeStorageLimitsEnabled(): boolean {
+  return isAssistantFeatureFlagEnabled("safe-storage-limits", getConfig());
+}
+
+const diskPressureWarningInjector: Injector = {
+  name: "disk-pressure-warning",
+  order: DEFAULT_INJECTOR_ORDER.diskPressureWarning,
+  async produce(ctx: TurnContext): Promise<InjectionBlock | null> {
+    if (!isSafeStorageLimitsEnabled()) return null;
+    const inputs = readInjectionInputs(ctx);
+    if (!inputs.diskPressureContext?.cleanupModeActive) return null;
+    return {
+      id: "disk-pressure-warning",
+      text: DISK_PRESSURE_WARNING_PROMPT,
+      placement: "prepend-user-tail",
+    };
+  },
+};
+
 /**
  * v2 read-side cutover guard. The `pkb-context` injector silences itself
  * under v2 because the `<knowledge_base>` block surfaces PKB content the v2
@@ -107,7 +138,7 @@ function readInjectionInputs(ctx: TurnContext): TurnInjectionInputs {
  * state independent of PKB and fires unchanged.
  */
 function isPkbInjectionSilencedByV2(): boolean {
-  return isMemoryV2ReadActive(getConfig());
+  return getConfig().memory.v2.enabled;
 }
 
 /**
@@ -520,6 +551,7 @@ export const defaultInjectorsPlugin: Plugin = {
     },
   },
   injectors: [
+    diskPressureWarningInjector,
     workspaceContextInjector,
     unifiedTurnContextInjector,
     pkbContextInjector,

package/src/plugins/defaults/memory-retrieval.ts

@@ -72,12 +72,6 @@ export interface GraphMemoryPayload {
  * Passed as a second argument to {@link runDefaultMemoryRetrieval} rather
  * than threaded through {@link MemoryArgs} to keep the plugin-facing
  * pipeline surface minimal.
- *
- * The per-turn abort signal lives on {@link MemoryArgs.signal} instead of
- * here so the pipeline runner's `linkAbortSignal` can swap it for an
- * internally-linked signal — that way a plugin timeout actually cancels
- * the underlying `prepareMemory` work instead of letting it run after
- * `Promise.race` has already rejected.
  */
 export interface DefaultMemoryRetrievalDeps {
   /** Live message list for this turn (pre-injection). */
@@ -101,6 +95,11 @@ export interface DefaultMemoryRetrievalDeps {
  * trusted) or a single {@link GraphMemoryPayload} wrapping the graph
  * retriever's full output. The agent loop narrows via
  * {@link DEFAULT_MEMORY_GRAPH_KIND} to consume it.
+ *
+ * Memory retrieval blocks the turn — there is no soft timeout here. Memory
+ * is critical context, and silently dropping it produces a worse outcome
+ * than a slower turn. Cancellation still works via `args.signal`, which is
+ * threaded into `prepareMemory`.
  */
 export async function runDefaultMemoryRetrieval(
   args: MemoryArgs,

package/src/plugins/types.ts

@@ -784,6 +784,8 @@ export interface TurnInjectionInputs {
    * context (unified turn context, etc.). Drives per-injector gating.
    */
   readonly mode?: InjectionMode;
+  /** Disk-pressure cleanup-mode context or null to skip the warning. */
+  readonly diskPressureContext?: DiskPressureInjectionContext | null;
   /** Workspace top-level context text (`<workspace>...`) or null to skip. */
   readonly workspaceTopLevelContext?: string | null;
   /** Pre-built unified-turn-context text (`<turn_context>...`) or null to skip. */
@@ -860,6 +862,11 @@ export interface TurnInjectionInputs {
   readonly isNonInteractive?: boolean;
 }
 
+export interface DiskPressureInjectionContext {
+  /** True when the current turn is allowed to run only for storage cleanup. */
+  readonly cleanupModeActive: boolean;
+}
+
 /**
  * Per-turn execution context threaded through every middleware invocation.
  *