@vellumai/assistant 0.8.1 → 0.8.2

package/src/tools/ask-question/ask-question-tool.ts

@@ -0,0 +1,304 @@
+import { z } from "zod";
+
+import { QuestionPrompter } from "../../permissions/question-prompter.js";
+import { RiskLevel } from "../../permissions/types.js";
+import type { ToolDefinition } from "../../providers/types.js";
+import { broadcastMessage } from "../../runtime/assistant-event-hub.js";
+import type { Tool, ToolContext, ToolExecutionResult } from "../types.js";
+
+// ── Input schema ────────────────────────────────────────────────────
+// Runtime validation lives in Zod; the wire-level definition surfaced
+// to the LLM is the hand-written JSON Schema in getDefinition() below.
+// (The codebase does not currently use zod-to-json-schema for tool defs,
+// so the two are kept in sync manually.)
+
+const OptionSchema = z.object({
+  id: z.string().min(1),
+  label: z.string().min(1),
+  description: z.string().optional(),
+});
+
+// One question in a (possibly single-element) batch. Intentionally has no
+// `id` field — per-question ids are daemon-assigned (`q1`, `q2`, ...) inside
+// the prompter, never supplied by the LLM. This keeps the LLM-facing schema
+// smaller and removes a validation surface (no duplicate-id check, no
+// length cap on ids).
+const SingleQuestionSchema = z.object({
+  question: z.string().min(1),
+  description: z.string().optional(),
+  // 2–4 LLM-supplied options. The client renders a fixed 5th "Type
+  // something else" slot for free-text, so the model must keep the
+  // structured set to 4 or fewer.
+  options: z.array(OptionSchema).min(2).max(4),
+  freeTextPlaceholder: z.string().optional(),
+});
+
+// Cap at 5 questions per batch. Past that it starts to feel like a form,
+// not a clarification — the model should be implementing, not asking. Any
+// input with ≥6 entries is rejected with a clear Zod error.
+const MAX_QUESTIONS_PER_BATCH = 5;
+
+// Both the new batched shape (`questions[]`) and the legacy flat shape are
+// accepted. `execute()` normalizes legacy callers into a one-element
+// `questions` array before forwarding to the prompter.
+const InputSchema = z
+  .object({
+    questions: z
+      .array(SingleQuestionSchema)
+      .min(1)
+      .max(MAX_QUESTIONS_PER_BATCH, {
+        message: `At most ${MAX_QUESTIONS_PER_BATCH} questions per batch; split into multiple turns if you need more.`,
+      })
+      .optional(),
+    // Legacy flat fields. Optional so batched callers can omit them; when
+    // present and `questions` is absent, they are normalized into a
+    // one-element batch in `execute()`.
+    question: z.string().min(1).optional(),
+    description: z.string().optional(),
+    options: z.array(OptionSchema).min(2).max(4).optional(),
+    freeTextPlaceholder: z.string().optional(),
+  })
+  .refine(
+    (v) =>
+      v.questions !== undefined ||
+      (v.question !== undefined && v.options !== undefined),
+    {
+      message:
+        "Provide `questions` (preferred) or the legacy flat fields (`question` + `options`).",
+    },
+  );
+
+export type SingleQuestion = z.infer<typeof SingleQuestionSchema>;
+export type AskQuestionInput = z.infer<typeof InputSchema>;
+
+// ── Tool description ────────────────────────────────────────────────
+
+const DESCRIPTION = [
+  "Use this tool whenever a request is ambiguous and can be resolved",
+  "by 2–4 plausible interpretations or discrete choices. Prefer it over",
+  "plain-text clarification — structured options are faster to answer and",
+  "remove guessing.",
+  "",
+  "When in doubt between (a) asking inline and (b) calling ask_question with",
+  "structured options: call ask_question. The structured choices are better UX.",
+  "",
+  'Example: given a request like "schedule lunch with Alice next week" where there',
+  "are two plausible Alice contacts, ask which Alice with options like",
+  '`{id: "alice_work", label: "Alice (work)"}` and',
+  '`{id: "alice_personal", label: "Alice (personal)"}`.',
+  "",
+  "Batch related clarifications into one call by passing multiple entries in",
+  "`questions` (up to 5). Each question gets its own page with a Skip button.",
+  "",
+  "When NOT to use this tool:",
+  "- The answer is obvious from context or recent conversation.",
+  "- The question is genuinely open-ended (more than ~4 plausible answers) —",
+  "  fall back to plain text.",
+  "- You're about to take a low-stakes reversible action and can adjust based",
+  "  on feedback.",
+  "",
+  "If a question is skipped, proceed with reasonable defaults for that",
+  "question; if every question in the batch is skipped, stop interrupting",
+  "and use defaults across the board.",
+  "",
+  "Provide 2–4 options. A free-text fallback is always added by the UI — do not",
+  "include a 'something else' option yourself.",
+  "",
+  "Each option needs a stable `id` (the value the response carries back) and a",
+  "short human-readable `label`. Optional `description` adds one line of",
+  "context shown beneath the label.",
+].join("\n");
+
+// ── Tool ────────────────────────────────────────────────────────────
+
+export class AskQuestionTool implements Tool {
+  name = "ask_question";
+  description = DESCRIPTION;
+  category = "interaction";
+  defaultRiskLevel = RiskLevel.Low;
+
+  // Override hook for tests: lets a test replace the prompter factory
+  // without monkey-patching the module. Default factory wires the real
+  // broadcastMessage so the question reaches every connected client.
+  private prompterFactory: () => Pick<QuestionPrompter, "prompt">;
+
+  constructor(
+    prompterFactory: () => Pick<QuestionPrompter, "prompt"> = () =>
+      new QuestionPrompter({ broadcastMessage }),
+  ) {
+    this.prompterFactory = prompterFactory;
+  }
+
+  getDefinition(): ToolDefinition {
+    // Shared option-schema fragment used by both the batched `questions[]`
+    // shape and the legacy flat `options` field.
+    const optionItemsSchema = {
+      type: "object",
+      properties: {
+        id: {
+          type: "string",
+          description:
+            "Stable identifier for this option (returned verbatim in the response).",
+        },
+        label: {
+          type: "string",
+          description: "Short human-readable label.",
+        },
+        description: {
+          type: "string",
+          description: "Optional one-line context shown beneath the label.",
+        },
+      },
+      required: ["id", "label"],
+    } as const;
+
+    return {
+      name: this.name,
+      description: this.description,
+      input_schema: {
+        type: "object",
+        properties: {
+          // ── Recommended shape ─────────────────────────────────────
+          questions: {
+            type: "array",
+            minItems: 1,
+            maxItems: MAX_QUESTIONS_PER_BATCH,
+            description: `Recommended shape. 1–${MAX_QUESTIONS_PER_BATCH} clarifying questions to ask in a single turn. Use a batch when several independent ambiguities block progress; ask one at a time when they're sequentially dependent. Past ${MAX_QUESTIONS_PER_BATCH} questions you should be implementing, not asking.`,
+            items: {
+              type: "object",
+              properties: {
+                question: {
+                  type: "string",
+                  description: "The clarifying question to display.",
+                },
+                description: {
+                  type: "string",
+                  description:
+                    "Optional one-line context shown beneath the question.",
+                },
+                options: {
+                  type: "array",
+                  minItems: 2,
+                  maxItems: 4,
+                  description:
+                    "2–4 structured options. The UI always appends a free-text fallback slot, so do not include a 'something else' option here.",
+                  items: optionItemsSchema,
+                },
+                freeTextPlaceholder: {
+                  type: "string",
+                  description:
+                    "Optional placeholder text shown inside the free-text fallback input.",
+                },
+              },
+              required: ["question", "options"],
+            },
+          },
+          // ── Legacy single-question fields ─────────────────────────
+          // Kept optional so existing prompt caches and any single-question
+          // callers continue to work. New callers should use `questions`.
+          question: {
+            type: "string",
+            description:
+              "Legacy: the single clarifying question. Prefer `questions[]` for new code.",
+          },
+          description: {
+            type: "string",
+            description:
+              "Legacy: optional one-line context shown beneath the question. Prefer `questions[].description`.",
+          },
+          options: {
+            type: "array",
+            minItems: 2,
+            maxItems: 4,
+            description:
+              "Legacy: 2–4 structured options. Prefer `questions[].options`. The UI always appends a free-text fallback slot, so do not include a 'something else' option here.",
+            items: optionItemsSchema,
+          },
+          freeTextPlaceholder: {
+            type: "string",
+            description:
+              "Legacy: optional placeholder text for the free-text fallback input. Prefer `questions[].freeTextPlaceholder`.",
+          },
+        },
+        // No top-level `required` — caller must supply either `questions`
+        // or the legacy flat trio (`question` + `options`). Enforced in Zod.
+      },
+    };
+  }
+
+  async execute(
+    input: Record<string, unknown>,
+    context: ToolContext,
+  ): Promise<ToolExecutionResult> {
+    const parsed = InputSchema.safeParse(input);
+    if (!parsed.success) {
+      return {
+        content: `Invalid input: ${parsed.error.message}`,
+        isError: true,
+      };
+    }
+
+    // Normalize legacy flat input into a one-element `questions` batch so
+    // downstream code only has to deal with the batched shape. The refine
+    // above guarantees `question` and `options` are present whenever
+    // `questions` is absent.
+    const questions: SingleQuestion[] = parsed.data.questions ?? [
+      {
+        question: parsed.data.question!,
+        description: parsed.data.description,
+        options: parsed.data.options!,
+        freeTextPlaceholder: parsed.data.freeTextPlaceholder,
+      },
+    ];
+
+    const prompter = this.prompterFactory();
+    const result = await prompter.prompt({
+      conversationId: context.conversationId,
+      questions,
+      toolUseId: context.toolUseId,
+      signal: context.signal,
+    });
+
+    // Format the aggregated transcript. Each line is keyed by the original
+    // question text (not the daemon-assigned id) — the LLM never sees those
+    // ids, and human-readable labels read better in the result content.
+    const lines = result.entries.map((entry, i) => {
+      const q = questions[i]!;
+      const prefix = `Question "${q.question}" →`;
+      if (entry.decision === "option") {
+        const chosen = q.options.find((o) => o.id === entry.optionId);
+        const label = chosen?.label ?? "(unknown)";
+        return `${prefix} Option: ${entry.optionId} (${label})`;
+      }
+      if (entry.decision === "free_text") {
+        return `${prefix} Free text: ${entry.text ?? ""}`;
+      }
+      return `${prefix} Skipped`;
+    });
+
+    switch (result.overall) {
+      case "completed":
+        return { content: lines.join("\n"), isError: false };
+      case "closed": {
+        const summary =
+          "User closed the question card without answering. All questions skipped.";
+        return {
+          content: [summary, ...lines].join("\n"),
+          isError: false,
+        };
+      }
+      case "timed_out":
+        return {
+          content: "User did not respond within timeout",
+          isError: true,
+        };
+      case "aborted":
+        return {
+          content: "Question aborted",
+          isError: true,
+        };
+    }
+  }
+}
+
+export const askQuestionTool = new AskQuestionTool();

package/src/tools/browser/browser-execution.ts

@@ -90,7 +90,7 @@ const MODE_TRADEOFFS: Record<StatusCheckMode, string[]> = {
   [BROWSER_STATUS_MODE.EXTENSION]: [
     "This is the preferred approach for all things browser-use.",
     "On macOS, the host browser proxy is provisioned automatically via the desktop client's SSE bridge — no extension install required.",
-    "When the Chrome extension is also installed, it takes priority for direct WebSocket routing to the user's Chrome session.",
+    "When the Chrome extension is also installed, it takes priority for direct WebSocket routing to the active Chrome session.",
     "More secure than relying on Chrome's native remote debugging functionality.",
   ],
   [BROWSER_STATUS_MODE.CDP_INSPECT]: [
@@ -101,8 +101,8 @@ const MODE_TRADEOFFS: Record<StatusCheckMode, string[]> = {
   ],
   [BROWSER_STATUS_MODE.LOCAL]: [
     "The least-preferred approach for all things browser-use.",
-    "Considered a last-resort fallback if the user has not installed the Chrome Extension or enabled remote debugging in Chrome, and has indicated that they do not want to.",
-    "Does not use the user's existing browser profile, so sessions/cookies may differ.",
+    "Considered a last-resort fallback when the Chrome Extension is not installed, remote debugging in Chrome is not enabled, and neither will be enabled.",
+    "Does not use the existing browser profile, so sessions/cookies may differ.",
     "Requires that Playwright and Chromium are installed on the host machine,",
   ],
 };
@@ -392,8 +392,8 @@ function acquireCdpClientWithMode(
     targetClientId != null
       ? "extension"
       : browserMode === "auto" && rememberedKind !== null
-      ? rememberedKind
-      : browserMode;
+        ? rememberedKind
+        : browserMode;
 
   try {
     const raw = getCdpClient(context, { mode: effectiveMode, targetClientId });
@@ -406,7 +406,11 @@ function acquireCdpClientWithMode(
     // sticky preference doesn't surface as a hard failure.
     // Do not apply this fallback when target_client_id is set — a targeting
     // failure must surface as an error, not silently route elsewhere.
-    if (browserMode === "auto" && effectiveMode !== "auto" && targetClientId == null) {
+    if (
+      browserMode === "auto" &&
+      effectiveMode !== "auto" &&
+      targetClientId == null
+    ) {
       browserManager.clearPreferredBackendKind(context.conversationId);
       try {
         const raw = getCdpClient(context, { mode: "auto", targetClientId });
@@ -952,10 +956,10 @@ export async function executeBrowserNavigate(
                 "2. Use credential fill to enter email/password from credential_store",
               );
               lines.push(
-                "3. For email verification codes, use ui_show with a form to ask the user for the code mid-turn",
+                "3. For email verification codes, use ui_show with a form to request the code mid-turn",
               );
               lines.push(
-                "4. Do NOT give up or tell the user to sign in manually - handle the login flow yourself",
+                "4. Do NOT give up or suggest manual sign-in - handle the login flow yourself",
               );
             }
           } else {
@@ -964,7 +968,7 @@ export async function executeBrowserNavigate(
               "⚠️ CAPTCHA/Cloudflare verification detected on this page.",
             );
             lines.push(
-              "The user needs to solve this challenge manually. Please inform the user that the page requires human verification before the content can be accessed.",
+              "This challenge requires human verification. Surface this clearly: the page cannot be accessed until the verification is solved manually.",
             );
           }
         } else {
@@ -979,10 +983,10 @@ export async function executeBrowserNavigate(
             "2. Use credential fill to enter email/password from credential_store",
           );
           lines.push(
-            "3. For email verification codes, use ui_show with a form to ask the user for the code mid-turn",
+            "3. For email verification codes, use ui_show with a form to request the code mid-turn",
           );
           lines.push(
-            "4. Do NOT give up or tell the user to sign in manually - handle the login flow yourself",
+            "4. Do NOT give up or suggest manual sign-in - handle the login flow yourself",
           );
         }
       }

package/src/tools/computer-use/definitions.ts

@@ -374,7 +374,7 @@ export const computerUseOpenAppTool: Tool = {
 export const computerUseRunAppleScriptTool: Tool = {
   name: "computer_use_run_applescript",
   description:
-    "Run an AppleScript command. Prefer this over click/type when possible - it doesn't move the cursor or interrupt the user. Never use 'do shell script' inside AppleScript (blocked for security).",
+    "Run an AppleScript command. Prefer this over click/type when possible - it doesn't move the cursor or interrupt foreground activity. Never use 'do shell script' inside AppleScript (blocked for security).",
   category: "computer-use",
   defaultRiskLevel: RiskLevel.Low,
   executionMode: "proxy",
@@ -448,7 +448,7 @@ export const computerUseDoneTool: Tool = {
 export const computerUseRespondTool: Tool = {
   name: "computer_use_respond",
   description:
-    "Respond to the user with a text answer instead of performing computer actions. Use this when you can answer directly without interacting with the screen.",
+    "Reply with a text answer instead of performing computer actions. Use this when you can answer directly without interacting with the screen.",
   category: "computer-use",
   defaultRiskLevel: RiskLevel.Low,
   executionMode: "proxy",
@@ -462,7 +462,7 @@ export const computerUseRespondTool: Tool = {
         properties: {
           answer: {
             type: "string",
-            description: "The text answer to display to the user",
+            description: "The text answer to display",
           },
           reasoning: {
             type: "string",

package/src/tools/credentials/vault.ts

@@ -88,7 +88,7 @@ class CredentialStoreTool implements Tool {
             type: "string",
             enum: ["store", "list", "delete", "prompt"],
             description:
-              'The operation to perform. Use "prompt" to ask the user for a secret via secure UI - the value never enters the conversation.',
+              'The operation to perform. Use "prompt" to request a secret via secure UI - the value never enters the conversation.',
           },
           service: {
             type: "string",

package/src/tools/document/document-tool.ts

@@ -1,11 +1,40 @@
 import { randomUUID } from "node:crypto";
 
 import {
+  deleteDocument,
+  getDocumentById,
+  getDocumentsForConversation,
+  isDocumentAssociatedWithConversation,
   saveDocument,
+  searchDocumentsByTitle,
   updateDocumentContent,
 } from "../../documents/document-store.js";
 import type { ToolContext, ToolExecutionResult } from "../types.js";
 
+function isPrivilegedDocumentActor(context: ToolContext): boolean {
+  return (
+    context.trustClass === "guardian" || context.executionChannel === "vellum"
+  );
+}
+
+function documentNotFound(surfaceId: string): ToolExecutionResult {
+  return {
+    content: JSON.stringify({
+      success: false,
+      surface_id: surfaceId,
+      error: "Document not found",
+    }),
+    isError: true,
+  };
+}
+
+function canAccessDocument(surfaceId: string, context: ToolContext): boolean {
+  return (
+    isPrivilegedDocumentActor(context) ||
+    isDocumentAssociatedWithConversation(surfaceId, context.conversationId)
+  );
+}
+
 // ── Exported execute functions ──────────────────────────────────────
 
 export function executeDocumentCreate(
@@ -85,7 +114,21 @@ export function executeDocumentUpdate(
   const content = input.content as string;
   const mode = (input.mode as string | undefined) || "append";
 
-  updateDocumentContent(surfaceId, content, mode);
+  if (!canAccessDocument(surfaceId, context)) {
+    return documentNotFound(surfaceId);
+  }
+
+  const result = updateDocumentContent(surfaceId, content, mode);
+  if (!result.success) {
+    return {
+      content: JSON.stringify({
+        success: false,
+        surface_id: surfaceId,
+        error: result.error,
+      }),
+      isError: true,
+    };
+  }
 
   // Send document_editor_update message to update the built-in RTE
   if (context.sendToClient) {
@@ -117,3 +160,83 @@ export function executeDocumentUpdate(
     isError: true,
   };
 }
+
+export function executeDocumentRead(
+  input: Record<string, unknown>,
+  context: ToolContext,
+): ToolExecutionResult {
+  const surfaceId = input.surface_id as string;
+  if (!canAccessDocument(surfaceId, context)) {
+    return documentNotFound(surfaceId);
+  }
+
+  const doc = getDocumentById(surfaceId);
+  if (!doc) {
+    return documentNotFound(surfaceId);
+  }
+  return {
+    content: JSON.stringify({
+      success: true,
+      surface_id: doc.surfaceId,
+      title: doc.title,
+      content: doc.content,
+      word_count: doc.wordCount,
+      updated_at: doc.updatedAt,
+    }),
+    isError: false,
+  };
+}
+
+export function executeDocumentList(
+  input: Record<string, unknown>,
+  context: ToolContext,
+): ToolExecutionResult {
+  const query =
+    typeof input.query === "string" && input.query.trim().length > 0
+      ? input.query.trim()
+      : undefined;
+  const docs = query
+    ? searchDocumentsByTitle(
+        query,
+        isPrivilegedDocumentActor(context)
+          ? {}
+          : { conversationId: context.conversationId },
+      )
+    : getDocumentsForConversation(context.conversationId);
+  return {
+    content: JSON.stringify({
+      success: true,
+      documents: docs.map((d) => ({
+        surface_id: d.surfaceId,
+        title: d.title,
+        word_count: d.wordCount,
+        created_at: d.createdAt,
+        updated_at: d.updatedAt,
+      })),
+    }),
+    isError: false,
+  };
+}
+
+export function executeDocumentDelete(
+  input: Record<string, unknown>,
+  context: ToolContext,
+): ToolExecutionResult {
+  const surfaceId = input.surface_id as string;
+  if (!canAccessDocument(surfaceId, context)) {
+    return documentNotFound(surfaceId);
+  }
+
+  const deleted = deleteDocument(surfaceId);
+  if (!deleted) {
+    return documentNotFound(surfaceId);
+  }
+  return {
+    content: JSON.stringify({
+      success: true,
+      surface_id: surfaceId,
+      message: "Document deleted",
+    }),
+    isError: false,
+  };
+}

package/src/tools/filesystem/edit.ts

@@ -41,7 +41,7 @@ class FileEditTool implements Tool {
           activity: {
             type: "string",
             description:
-              "Brief non-technical explanation of what you are doing and why, shown to the user as a status update.",
+              "Brief non-technical explanation of what you are doing and why, shown as a status update.",
           },
         },
         required: ["path", "old_string", "new_string", "activity"],

package/src/tools/filesystem/list.ts

@@ -30,7 +30,7 @@ class FileListTool implements Tool {
           activity: {
             type: "string",
             description:
-              "Brief non-technical explanation of what you are doing and why, shown to the user as a status update.",
+              "Brief non-technical explanation of what you are doing and why, shown as a status update.",
           },
         },
         required: ["path", "activity"],

package/src/tools/filesystem/read.ts

@@ -41,7 +41,7 @@ class FileReadTool implements Tool {
           activity: {
             type: "string",
             description:
-              "Brief non-technical explanation of what you are doing and why, shown to the user as a status update.",
+              "Brief non-technical explanation of what you are doing and why, shown as a status update.",
           },
         },
         required: ["path", "activity"],

package/src/tools/filesystem/write.ts

@@ -56,7 +56,7 @@ class FileWriteTool implements Tool {
           activity: {
             type: "string",
             description:
-              "Brief non-technical explanation of what you are doing and why, shown to the user as a status update.",
+              "Brief non-technical explanation of what you are doing and why, shown as a status update.",
           },
         },
         required: ["path", "content", "activity"],
@@ -121,7 +121,10 @@ class FileWriteTool implements Tool {
       // Indexing `pkb/*.json` (or any other extension) here would produce
       // chunks the reconciler can't see, leading to orphaned vectors and
       // pointless embedding work.
-      if (filePath.toLowerCase().endsWith(".md") && isInsidePkbRoot(filePath, pkbRoot)) {
+      if (
+        filePath.toLowerCase().endsWith(".md") &&
+        isInsidePkbRoot(filePath, pkbRoot)
+      ) {
         enqueuePkbIndexJob({
           pkbRoot,
           absPath: filePath,

package/src/tools/host-filesystem/transfer.ts

@@ -13,7 +13,7 @@ import type { Tool, ToolContext, ToolExecutionResult } from "../types.js";
 class HostFileTransferTool implements Tool {
   name = "host_file_transfer";
   description =
-    "Copy a file between the assistant's workspace and the user's host machine. Set direction to 'to_host' to send a workspace file to the host, or 'to_sandbox' to pull a host file into the workspace. When multiple clients support host_file, specify which one to use with target_client_id.";
+    "Copy a file between the assistant's workspace and the host machine. Set direction to 'to_host' to send a workspace file to the host, or 'to_sandbox' to pull a host file into the workspace. When multiple clients support host_file, specify which one to use with target_client_id.";
   category = "host-filesystem";
   defaultRiskLevel = RiskLevel.Medium;
 

package/src/tools/host-terminal/host-shell.ts

@@ -95,7 +95,7 @@ function buildHostBashProxyEnv(
 class HostShellTool implements Tool {
   name = "host_bash";
   description =
-    "LAST RESORT — Execute a shell command directly on the user's host machine. You MUST strongly prefer the regular `bash` tool for all commands. Only use `host_bash` when you are absolutely certain the command MUST run on the user's host machine and CANNOT run in the workspace (e.g., managing host-level system services, accessing host-only peripherals, or interacting with host paths outside the workspace). If in doubt, use `bash` instead. Approval-gated: your user must allow each invocation. Do not use for commands that require injected credentials or secrets.";
+    "LAST RESORT — Execute a shell command directly on the host machine. You MUST strongly prefer the regular `bash` tool for all commands. Only use `host_bash` when you are absolutely certain the command MUST run on the host machine and CANNOT run in the workspace (e.g., managing host-level system services, accessing host-only peripherals, or interacting with host paths outside the workspace). If in doubt, use `bash` instead. Approval-gated: each invocation must be explicitly approved. Do not use for commands that require injected credentials or secrets.";
   category = "host-terminal";
   // host_bash is a weaker-tier escape hatch under CES lockdown. It remains
   // Medium risk by default but persistent approvals are disabled for

package/src/tools/permission-checker.ts

@@ -402,7 +402,7 @@ export class PermissionChecker {
           const denialMessage =
             contextualDenial.length > 0
               ? contextualDenial
-              : `Permission denied by user. The user chose not to allow the "${name}" tool. Do NOT retry this tool call immediately. Instead, tell the user that the action was not performed because they denied permission, and ask if they would like you to try again or take a different approach. Wait for the user to explicitly respond before retrying.`;
+              : `Permission denied. The "${name}" tool was not allowed. Do NOT retry this tool call immediately. Instead, explain that the action was not performed because permission was denied, and ask whether to try again or take a different approach. Wait for an explicit response before retrying.`;
           const denialReason =
             contextualDenial.length > 0
               ? `Permission denied (${name}): contextual policy`