@vellumai/assistant 0.7.3 → 0.8.0

package/src/config/bundled-skills/app-builder/SKILL.md

@@ -6,8 +6,6 @@ metadata:
   emoji: "🏗️"
   vellum:
     display-name: "App Builder"
-    includes:
-      - "frontend-design"
     activation-hints:
       - "User asks to build an app, landing page, website, dashboard, tool, calculator, game, tracker, or interactive page"
       - "User asks to visualize data or says 'let's visualize this' — use the app sandbox to build interactive visualizations"
@@ -20,7 +18,7 @@ You are an expert app builder and visual designer. When the user asks you to cre
 
 **Your default behavior:** Build immediately. The user types "build me a habit tracker" and you deliver a complete, polished app with a domain-matched color palette, atmospheric background, and thoughtful interactions. Don't ask what colors they want. Don't show wireframes. Just build something stunning and let them refine from there.
 
-**Design quality is delegated to the `frontend-design` skill.** That skill defines your aesthetic principles: typography, color strategy, motion, spatial composition, and visual detail. Follow it completely for every build. This skill (app-builder) handles the technical infrastructure: sandbox constraints, data bridge, widget API, app lifecycle, and interaction patterns.
+**Design quality is delegated to the `frontend-design` skill, so you must also load/install that before proceeding.** That skill defines your aesthetic principles: typography, color strategy, motion, spatial composition, and visual detail. Follow it completely for every build. This skill (app-builder) handles the technical infrastructure: sandbox constraints, data bridge, widget API, app lifecycle, and interaction patterns.
 
 ## Filesystem Layout
 

package/src/config/feature-flag-registry.json

@@ -249,14 +249,6 @@
       "description": "Enable disk pressure protection flows that block background work and remote actors while storage is critically low.",
       "defaultEnabled": false
     },
-    {
-      "id": "memory-v2-enabled",
-      "scope": "assistant",
-      "key": "memory-v2-enabled",
-      "label": "Memory v2 (concept-page activation model)",
-      "description": "Enables the v2 memory subsystem: prose concept pages with bidirectional edges, activation-based retrieval, and hourly LLM-driven consolidation. When on, v1 graph extraction/maintenance and PKB filing are suppressed; flipping the flag back off re-engages the full v1 pipeline.",
-      "defaultEnabled": true
-    },
     {
       "id": "account-deletion",
       "scope": "client",
@@ -286,15 +278,7 @@
       "scope": "assistant",
       "key": "pro-plan-adjust",
       "label": "Pro Plan Adjust",
-      "description": "Show the rich Plan card (current plan, features, Manage/Upgrade CTA) at the top of the macOS Settings → Billing tab. The 'Configure Auto Top Ups' CTA is gated separately on `auto-credit-topup`.",
-      "defaultEnabled": false
-    },
-    {
-      "id": "auto-credit-topup",
-      "scope": "assistant",
-      "key": "auto-credit-topup",
-      "label": "Auto Credit Top-Up",
-      "description": "Show the 'Configure Auto Top Ups' CTA in the macOS Settings → Billing tab. Mirrors the platform web flag of the same name that gates the auto-reload card and /v1/organizations/billing/auto-top-up/ API.",
+      "description": "Show the rich Plan card (current plan, features, Manage/Upgrade CTA) at the top of the macOS Settings → Billing tab.",
       "defaultEnabled": false
     }
   ]

package/src/config/loader.ts

@@ -108,14 +108,16 @@ function cloneDefaultConfig(): AssistantConfig {
 
 /**
  * Returns deployment-context-aware config defaults that override schema
- * defaults for platform-managed assistants. Only applied when initializing
- * a fresh config (config.json does not yet exist).
+ * defaults for platform-managed assistants. Applied to every `loadConfig()`
+ * call as a fill-only pass — they only fill keys that are absent from the
+ * raw config on disk, so an explicit user choice (e.g. saving "your-own"
+ * via the macOS Models & Services UI) always wins.
  *
  * IS_PLATFORM is set by the Vellum platform launcher for all hosted
  * assistant deployments. Local, Docker, and bare-metal assistants are
  * unaffected.
  */
-function getDeploymentContextDefaults(): Record<string, unknown> {
+export function getDeploymentContextDefaults(): Record<string, unknown> {
   if (process.env.IS_PLATFORM !== "true" && process.env.IS_PLATFORM !== "1") {
     return {};
   }
@@ -138,6 +140,49 @@ function getDeploymentContextDefaults(): Record<string, unknown> {
   };
 }
 
+/**
+ * Apply `contextDefaults` to `target` for any leaf keys that are absent from
+ * `fileConfig` (the raw config-on-disk payload). Mutates `target` in place.
+ *
+ * "Absent" is checked at the leaf level by walking the `contextDefaults`
+ * shape: nested objects recurse so a partial override on disk (e.g.
+ * `{services: {inference: {model: "x"}}}` with no explicit `mode`) lets the
+ * context default for `mode` win while leaving the user's `model` untouched.
+ *
+ * Pre-condition: `target` has already been passed through `validateWithSchema`
+ * so every nested object in `contextDefaults` has a corresponding object in
+ * `target`. The defensive whole-subtree assignment in the `!targetChild`
+ * branch only fires for malformed inputs.
+ */
+export function fillContextDefaultsForMissingKeys(
+  target: Record<string, unknown>,
+  fileConfig: Record<string, unknown>,
+  contextDefaults: Record<string, unknown>,
+): void {
+  for (const [key, value] of Object.entries(contextDefaults)) {
+    const fileVal = fileConfig[key];
+    if (
+      value !== null &&
+      typeof value === "object" &&
+      !Array.isArray(value)
+    ) {
+      const targetChild = readPlainObject(target[key]);
+      const fileChild = readPlainObject(fileVal);
+      if (targetChild) {
+        fillContextDefaultsForMissingKeys(
+          targetChild,
+          fileChild ?? {},
+          value as Record<string, unknown>,
+        );
+      } else {
+        target[key] = structuredClone(value);
+      }
+    } else if (fileVal === undefined) {
+      target[key] = value;
+    }
+  }
+}
+
 /**
  * Build a filesystem-safe ISO-8601 timestamp for use in quarantine filenames.
  * Replaces `:` (invalid on Windows, confusing on macOS Finder) with `-` so the
@@ -665,11 +710,31 @@ export function loadConfig(): AssistantConfig {
       }
     }
 
+    // Layer deployment-context defaults (e.g. IS_PLATFORM=true → all service
+    // modes = "managed") onto the in-memory config for any leaves that aren't
+    // explicitly set in `fileConfig`. This runs on every load — not just the
+    // first — because the workspace config file is written by upstream
+    // lifecycle steps (`mergeDefaultWorkspaceConfig`, `seedInferenceProfiles`)
+    // before `loadConfig()` is reached. Gating on `!configFileExisted` would
+    // make the context defaults dead code on platform-managed daemons whose
+    // config.json was created by those earlier steps without service-mode
+    // entries. Explicit user choices on disk are preserved because the helper
+    // only fills missing keys.
+    const contextDefaults = getDeploymentContextDefaults();
+    if (Object.keys(contextDefaults).length > 0) {
+      fillContextDefaultsForMissingKeys(
+        config as unknown as Record<string, unknown>,
+        fileConfig,
+        contextDefaults,
+      );
+    }
+
     // First-launch seed only: when config.json does not exist, write the full
-    // schema defaults to disk so users can discover and edit all available
-    // options. When the file already exists, leave it alone — disk represents
-    // user intent, while the in-memory `cached: AssistantConfig` (above) has
-    // all schema defaults applied via `applyNestedDefaults`/`validateWithSchema`,
+    // schema defaults (with any deployment-context overrides already applied
+    // above) to disk so users can discover and edit all available options.
+    // When the file already exists, leave it alone — disk represents user
+    // intent, while the in-memory `cached: AssistantConfig` (above) has all
+    // schema defaults applied via `applyNestedDefaults`/`validateWithSchema`,
     // so consumers calling `getConfig().memory.v2.bm25_b` continue to receive
     // the schema default whenever the field is absent on disk.
     //
@@ -687,18 +752,6 @@ export function loadConfig(): AssistantConfig {
         }
         // Strip dataDir (runtime-derived) from the persisted config
         const { dataDir: _, ...persistable } = config;
-
-        // Layer deployment context defaults on top of schema defaults.
-        // These are overrides the daemon derives from its environment (e.g.
-        // IS_PLATFORM → all service modes = "managed"). Schema defaults
-        // remain the fallback for non-platform deployments.
-        const contextDefaults = getDeploymentContextDefaults();
-        if (Object.keys(contextDefaults).length > 0) {
-          deepMergeOverwrite(
-            persistable as Record<string, unknown>,
-            contextDefaults,
-          );
-        }
         writeFileSync(configPath, JSON.stringify(persistable, null, 2) + "\n");
         log.info("Wrote default config to %s", configPath);
       } catch (err) {

package/src/config/schemas/memory-v2.ts

@@ -50,7 +50,7 @@ export const MemoryV2ConfigSchema = z
       .boolean({ error: "memory.v2.enabled must be a boolean" })
       .default(true)
       .describe(
-        "Whether the v2 memory subsystem (concept-page activation model) is enabled. Independent of the memory-v2-enabled feature flag — both must be true for v2 to run.",
+        "Whether the v2 memory subsystem (concept-page activation model) is enabled.",
       ),
     sweep_enabled: z
       .boolean({ error: "memory.v2.sweep_enabled must be a boolean" })

package/src/daemon/__tests__/conversation-lifecycle-auto-analyze.test.ts

@@ -56,6 +56,16 @@ let autoAnalyzeEnabled = true;
 // `disposeConversation` must skip the `graph_extract` enqueue.
 const autoAnalysisConversations = new Set<string>();
 
+// Toggles the `memory.v2.enabled` flag the disposal code reads via
+// `getConfig()`. Defaults to false so the bulk of the suite — which asserts
+// v1 graph_extract still fires — keeps its semantics. The dedicated v2 cases
+// flip this to true.
+let v2Enabled = false;
+
+mock.module("../../config/loader.js", () => ({
+  getConfig: () => ({ memory: { v2: { enabled: v2Enabled } } }),
+}));
+
 mock.module("../../memory/auto-analysis-guard.js", () => ({
   AUTO_ANALYSIS_SOURCE: "auto-analysis",
   isAutoAnalysisConversation: (conversationId: string) =>
@@ -160,6 +170,7 @@ describe("disposeConversation — auto-analysis enqueue", () => {
     autoAnalyzeCalls.length = 0;
     autoAnalyzeEnabled = true;
     autoAnalysisConversations.clear();
+    v2Enabled = false;
   });
 
   test("guardian conversation with auto-analyze ON — enqueues both graph_extract and conversation_analyze (via helper)", () => {
@@ -313,4 +324,25 @@ describe("disposeConversation — auto-analysis enqueue", () => {
     }));
     autoAnalyzeEnabled = originalEnabled;
   });
+
+  test("memory v2 enabled — graph_extract enqueue is suppressed (auto-analysis still runs)", () => {
+    // Under memory v2, the v1 graph has no readers (retrieval is bypassed at
+    // conversation-graph-memory.ts), so producing extraction jobs just fills
+    // the queue with stale work. Auto-analysis is orthogonal and must keep
+    // running.
+    v2Enabled = true;
+    const ctx = makeDisposeContext({
+      conversationId: "conv-v2-on",
+      trustClass: "guardian",
+    });
+
+    disposeConversation(ctx);
+
+    expect(memoryJobCalls).toHaveLength(0);
+    expect(autoAnalyzeCalls).toHaveLength(1);
+    expect(autoAnalyzeCalls[0]).toEqual({
+      conversationId: "conv-v2-on",
+      trigger: "lifecycle",
+    });
+  });
 });

package/src/daemon/conversation-agent-loop-handlers.ts

@@ -170,6 +170,16 @@ export interface EventHandlerState {
       approvalMode?: string;
       approvalReason?: string;
       riskThreshold?: string;
+      /** Display-only regex ladder for the rule editor (narrowest → broadest). */
+      riskScopeOptions?: Array<{ pattern: string; label: string }>;
+      /** Minimatch save patterns for the rule editor (narrowest → broadest). */
+      riskAllowlistOptions?: Array<{
+        label: string;
+        description: string;
+        pattern: string;
+      }>;
+      /** Directory scope ladder for the rule editor. */
+      riskDirectoryScopeOptions?: Array<{ scope: string; label: string }>;
     }
   >;
   /** tool_use_ids emitted in the current turn (populated in handleToolUse, cleared after annotation). */
@@ -554,6 +564,14 @@ export function handleToolResult(
       approvalMode: event.approvalMode,
       approvalReason: event.approvalReason,
       riskThreshold: event.riskThreshold,
+      // Capture the 3 risk-option arrays so the persisted tool_use block
+      // carries the same chip ladder as the live tool_result event. Without
+      // these, hydrated chips from chat history fall back to the synthesized
+      // `*` allowlist and an empty scope ladder (see the comment on
+      // `synthesizeFallbackOption` in web's RuleEditorModal).
+      riskScopeOptions: event.riskScopeOptions,
+      riskAllowlistOptions: event.riskAllowlistOptions,
+      riskDirectoryScopeOptions: event.riskDirectoryScopeOptions,
     });
   }
 
@@ -633,6 +651,7 @@ export function handleToolResult(
     matchedTrustRuleId: event.matchedTrustRuleId,
     isContainerized: event.isContainerized,
     riskScopeOptions: event.riskScopeOptions,
+    riskAllowlistOptions: event.riskAllowlistOptions,
     riskDirectoryScopeOptions: event.riskDirectoryScopeOptions,
     approvalMode: event.approvalMode,
     approvalReason: event.approvalReason,
@@ -694,6 +713,19 @@ function annotatePersistedAssistantMessage(
         if (risk.approvalMode) rec._approvalMode = risk.approvalMode;
         if (risk.approvalReason) rec._approvalReason = risk.approvalReason;
         if (risk.riskThreshold) rec._riskThreshold = risk.riskThreshold;
+        // Persist the 3 risk-option arrays so the rule editor's chip ladder
+        // survives chat-history reload. These mirror the same-named fields
+        // on the live `tool_result` event; clients should read them back via
+        // `shared.ts` and treat them identically to the live values.
+        if (risk.riskScopeOptions && risk.riskScopeOptions.length > 0)
+          rec._riskScopeOptions = risk.riskScopeOptions;
+        if (risk.riskAllowlistOptions && risk.riskAllowlistOptions.length > 0)
+          rec._riskAllowlistOptions = risk.riskAllowlistOptions;
+        if (
+          risk.riskDirectoryScopeOptions &&
+          risk.riskDirectoryScopeOptions.length > 0
+        )
+          rec._riskDirectoryScopeOptions = risk.riskDirectoryScopeOptions;
         modified = true;
       }
     }

package/src/daemon/conversation-agent-loop.ts

@@ -986,7 +986,7 @@ export async function runAgentLoopImpl(
         compactableStartIndex: 1,
       };
     };
-    const applySuccessfulCompaction = (
+    const applySuccessfulCompaction = async (
       result: Awaited<ReturnType<typeof ctx.contextWindowManager.maybeCompact>>,
       compactedBasis?: Message[],
     ) => {
@@ -1000,7 +1000,7 @@ export async function runAgentLoopImpl(
         provenanceContext,
         result.compactedMessages,
       );
-      applyCompactionResult(ctx, result, onEvent, reqId, {
+      await applyCompactionResult(ctx, result, onEvent, reqId, {
         slackContextCompactionWatermarkTs: slackWatermarkTs,
       });
       currentSlackContextSummary = result.summaryText;
@@ -1087,7 +1087,10 @@ export async function runAgentLoopImpl(
       await trackCompactionOutcome(ctx, compacted.summaryFailed, onEvent);
     }
     if (compacted?.compacted) {
-      applySuccessfulCompaction(compacted, messagesForStartOfTurnCompaction);
+      await applySuccessfulCompaction(
+        compacted,
+        messagesForStartOfTurnCompaction,
+      );
       shouldInjectWorkspace = true;
       if (compacted.compactedPersistedMessages > 0) {
         compactedThisTurn = true;
@@ -1790,7 +1793,7 @@ export async function runAgentLoopImpl(
             await trackCompactionOutcome(ctx, result.summaryFailed, onEvent);
           }
           if (result.compacted) {
-            applySuccessfulCompaction(result, compactedBasis);
+            await applySuccessfulCompaction(result, compactedBasis);
             shouldInjectWorkspace = true;
           }
         },
@@ -2119,7 +2122,7 @@ export async function runAgentLoopImpl(
         );
       }
       if (midLoopCompact.compacted) {
-        applySuccessfulCompaction(midLoopCompact, rawHistory);
+        await applySuccessfulCompaction(midLoopCompact, rawHistory);
         reducerCompacted = true;
         shouldInjectWorkspace = true;
       }
@@ -2371,7 +2374,7 @@ export async function runAgentLoopImpl(
         }
 
         if (step.compactionResult?.compacted) {
-          applySuccessfulCompaction(
+          await applySuccessfulCompaction(
             step.compactionResult,
             convergenceCompactionBasis,
           );
@@ -2537,7 +2540,7 @@ export async function runAgentLoopImpl(
             );
           }
           if (emergencyCompact?.compacted) {
-            applySuccessfulCompaction(emergencyCompact, ctx.messages);
+            await applySuccessfulCompaction(emergencyCompact, ctx.messages);
             reducerCompacted = true;
             shouldInjectWorkspace = true;
           }
@@ -3223,7 +3226,7 @@ export interface CompactionApplyContext {
  * truth for the UI indicator after compaction. Emitting both caused a
  * redundant SwiftUI invalidation on every compaction.
  */
-export function applyCompactionResult(
+export async function applyCompactionResult(
   ctx: CompactionApplyContext,
   result: {
     messages: Message[];
@@ -3249,12 +3252,12 @@ export function applyCompactionResult(
   options: {
     slackContextCompactionWatermarkTs?: string | null;
   } = {},
-): void {
+): Promise<void> {
   ctx.messages = result.messages;
   ctx.contextCompactedMessageCount += result.compactedPersistedMessages;
   const compactedAt = Date.now();
   ctx.contextCompactedAt = compactedAt;
-  ctx.graphMemory.onCompacted(result.compactedPersistedMessages);
+  await ctx.graphMemory.onCompacted(result.compactedPersistedMessages);
   updateConversationContextWindow(
     ctx.conversationId,
     result.summaryText,

package/src/daemon/conversation-lifecycle.ts

@@ -4,6 +4,7 @@
  * can delegate without exposing its full surface.
  */
 
+import { getConfig } from "../config/loader.js";
 import { createContextSummaryMessage } from "../context/window-manager.js";
 import type { EventBus } from "../events/bus.js";
 import type { AssistantDomainEvents } from "../events/domain-events.js";
@@ -373,16 +374,29 @@ export function disposeConversation(ctx: DisposeContext): void {
       // Best-effort — don't block conversation disposal
     }
     if (!isAutoAnalysis) {
+      // Suppress v1 graph extraction when memory v2 is active — v2 reads
+      // from buffer.md and concept pages, so the v1 graph would be stale
+      // data nobody consumes. Mirrors the gate applied in `indexer.ts`
+      // for the per-message indexing path. Fail open to v1 if config
+      // can't load, since the worker handler also short-circuits.
+      let v2Enabled = false;
       try {
-        enqueueMemoryJob("graph_extract", {
-          conversationId: ctx.conversationId,
-          scopeId: "default",
-          ...(ctx.activeContextNodeIds?.length
-            ? { activeContextNodeIds: ctx.activeContextNodeIds }
-            : {}),
-        });
+        v2Enabled = getConfig().memory.v2.enabled;
       } catch {
-        // Best-effort — don't block conversation disposal
+        // Best-effort — fall through to legacy v1 enqueue
+      }
+      if (!v2Enabled) {
+        try {
+          enqueueMemoryJob("graph_extract", {
+            conversationId: ctx.conversationId,
+            scopeId: "default",
+            ...(ctx.activeContextNodeIds?.length
+              ? { activeContextNodeIds: ctx.activeContextNodeIds }
+              : {}),
+          });
+        } catch {
+          // Best-effort — don't block conversation disposal
+        }
       }
     }
 

package/src/daemon/conversation-surfaces.ts

@@ -1159,6 +1159,7 @@ export async function handleSurfaceAction(
       summary,
       submittedData: data,
     });
+    markSurfaceCompleted(ctx, surfaceId, summary);
 
     // Cleanup and resolve — order matters: cleanup clears the timer
     // before resolve() unblocks the caller.
@@ -1505,20 +1506,6 @@ export async function handleSurfaceAction(
     surfaceData,
   );
 
-  // Forms are one-shot surfaces — auto-complete immediately so the client
-  // transitions from the "Submitting…" spinner to a completion chip without
-  // requiring the LLM to call ui_dismiss.
-  if (pending.surfaceType === "form") {
-    broadcastMessage({
-      type: "ui_surface_complete",
-      conversationId: ctx.conversationId,
-      surfaceId,
-      summary,
-      submittedData: mergedData,
-    });
-    markSurfaceCompleted(ctx, surfaceId, summary);
-  }
-
   // Extract file attachments from action data so they are sent as proper
   // image/file content blocks instead of dumping base64 into the text.
   let pendingAttachments: UserMessageAttachment[] = [];
@@ -1648,6 +1635,21 @@ export async function handleSurfaceAction(
     return;
   }
 
+  // One-shot interactive surfaces — auto-complete now that the message has
+  // been accepted. Deferred until after rejection check so the surface stays
+  // active and retryable if the queue was full.
+  const ONE_SHOT_SURFACE_TYPES = ["form", "confirmation", "file_upload"];
+  if (ONE_SHOT_SURFACE_TYPES.includes(pending.surfaceType)) {
+    broadcastMessage({
+      type: "ui_surface_complete",
+      conversationId: ctx.conversationId,
+      surfaceId,
+      summary,
+      submittedData: mergedDataForText,
+    });
+    markSurfaceCompleted(ctx, surfaceId, summary);
+  }
+
   // One-shot: clear accumulated state now that the message has been accepted.
   // Deferred until after rejection check so state is preserved for retry on rejection.
   if (accumulatedState && Object.keys(accumulatedState).length > 0) {

package/src/daemon/conversation-tool-setup.ts

@@ -30,6 +30,7 @@ import {
   ACTIVITY_SKIP_SET,
   injectActivityField,
 } from "../tools/schema-transforms.js";
+import { resolveToolNameAlias } from "../tools/tool-name-aliases.js";
 import {
   isDiskPressureCleanupToolName,
   type ProxyApprovalCallback,
@@ -122,7 +123,9 @@ export function createToolExecutor(
     toolUseId?: string,
     turnContext?: import("../plugins/types.js").TurnContext,
   ) => {
-    if (isDoordashCommand(name, input)) {
+    const executionName = resolveToolNameAlias(name, ctx.allowedToolNames);
+
+    if (isDoordashCommand(executionName, input)) {
       markDoordashStepInProgress(ctx, input);
     }
 
@@ -208,8 +211,9 @@ export function createToolExecutor(
     // route through the full executor pipeline so the underlying tool's
     // risk level, permission checks, hooks, and lifecycle events all fire
     // with the real tool name.
-    if (name === "skill_execute") {
-      const toolName = typeof input.tool === "string" ? input.tool : "";
+    if (executionName === "skill_execute") {
+      const rawToolName = typeof input.tool === "string" ? input.tool : "";
+      const toolName = resolveToolNameAlias(rawToolName, ctx.allowedToolNames);
       const rawToolInput =
         input.input != null && typeof input.input === "object"
           ? (input.input as Record<string, unknown>)
@@ -242,7 +246,7 @@ export function createToolExecutor(
     }
 
     const result = await executor.execute(
-      name,
+      executionName,
       input,
       toolContext,
       turnContext,
@@ -251,7 +255,7 @@ export function createToolExecutor(
       ctx.approvedViaPromptThisTurn = true;
     }
 
-    runPostExecutionSideEffects(name, input, result, { ctx });
+    runPostExecutionSideEffects(executionName, input, result, { ctx });
 
     return result;
   };

package/src/daemon/conversation.ts

@@ -1052,7 +1052,7 @@ export class Conversation {
       );
     }
     if (result.compacted) {
-      applyCompactionResult(this, result, this.sendToClient, null, {
+      await applyCompactionResult(this, result, this.sendToClient, null, {
         slackContextCompactionWatermarkTs: getSlackCompactionWatermarkForPrefix(
           slackChronologicalContext,
           result.compactedMessages,

package/src/daemon/handlers/shared.ts

@@ -63,6 +63,20 @@ export interface HistoryToolCall {
   approvalReason?: string;
   /** Snapshot of the auto-approve threshold at execution time. */
   riskThreshold?: string;
+  /**
+   * Display-only regex ladder for the rule editor (narrowest → broadest).
+   * Persisted on tool_use blocks by `annotatePersistedAssistantMessage` so
+   * historical chips render the same ladder as live tool_result events.
+   */
+  riskScopeOptions?: Array<{ pattern: string; label: string }>;
+  /** Minimatch save patterns for the rule editor (narrowest → broadest). */
+  riskAllowlistOptions?: Array<{
+    label: string;
+    description: string;
+    pattern: string;
+  }>;
+  /** Directory scope ladder for the rule editor. */
+  riskDirectoryScopeOptions?: Array<{ scope: string; label: string }>;
 }
 
 export interface HistorySurface {
@@ -368,6 +382,18 @@ export function renderHistoryContent(content: unknown): RenderedHistoryContent {
         entry.approvalReason = block._approvalReason;
       if (typeof block._riskThreshold === "string")
         entry.riskThreshold = block._riskThreshold;
+      // Read back the 3 risk-option arrays persisted by
+      // `annotatePersistedAssistantMessage`. Validate the array shape only
+      // — element shapes are best-effort (we trust our own writer).
+      if (Array.isArray(block._riskScopeOptions))
+        entry.riskScopeOptions =
+          block._riskScopeOptions as HistoryToolCall["riskScopeOptions"];
+      if (Array.isArray(block._riskAllowlistOptions))
+        entry.riskAllowlistOptions =
+          block._riskAllowlistOptions as HistoryToolCall["riskAllowlistOptions"];
+      if (Array.isArray(block._riskDirectoryScopeOptions))
+        entry.riskDirectoryScopeOptions =
+          block._riskDirectoryScopeOptions as HistoryToolCall["riskDirectoryScopeOptions"];
       toolCalls.push(entry);
       if (id) pendingToolUses.set(id, entry);
       contentOrder.push(`tool:${toolCalls.length - 1}`);

package/src/daemon/host-bash-proxy.ts

@@ -166,7 +166,7 @@ export class HostBashProxy {
       pendingInteractions.register(requestId, {
         conversationId,
         kind: "host_bash",
-        rpcResolve: resolve,
+        rpcResolve: resolve as (v: unknown) => void,
         rpcReject: reject,
         timer,
         detachAbort,

package/src/daemon/host-browser-proxy.ts

@@ -135,7 +135,7 @@ export class HostBrowserProxy {
       pendingInteractions.register(requestId, {
         conversationId,
         kind: "host_browser",
-        rpcResolve: resolve,
+        rpcResolve: resolve as (v: unknown) => void,
         rpcReject: reject,
         timer,
         detachAbort,

package/src/daemon/host-cu-proxy.ts

@@ -239,7 +239,7 @@ export class HostCuProxy {
           targetClientId != null
             ? assistantEventHub.getActorPrincipalIdForClient(targetClientId)
             : undefined,
-        rpcResolve: resolve,
+        rpcResolve: resolve as (v: unknown) => void,
         rpcReject: reject,
         timer,
         detachAbort,

package/src/daemon/host-file-proxy.ts

@@ -186,7 +186,7 @@ export class HostFileProxy {
                 resolvedTargetClientId,
               )
             : undefined,
-        rpcResolve: resolve,
+        rpcResolve: resolve as (v: unknown) => void,
         rpcReject: reject,
         timer,
         detachAbort,

package/src/daemon/host-transfer-proxy.ts

@@ -273,7 +273,7 @@ export class HostTransferProxy {
                     resolvedTargetClientId,
                   )
                 : undefined,
-            rpcResolve: resolve,
+            rpcResolve: resolve as (v: unknown) => void,
             rpcReject: reject,
             timer,
             detachAbort,
@@ -462,7 +462,7 @@ export class HostTransferProxy {
                 resolvedTargetClientId,
               )
             : undefined,
-        rpcResolve: resolve,
+        rpcResolve: resolve as (v: unknown) => void,
         rpcReject: reject,
         timer,
         detachAbort,